e-dmz products overview

Solution Overview

BestRegulatory Compliance

Solution

BestPassword Management

Solution

Mach 2010

Company Overview• Founded in 2001

• Compliance Driven Security Solutions for….– Shared Account/Service Account Password Management (SAPM*)– Remote Vendor Access– Developer Access to Production– Superuser Privilege Management (SUPM*)

• Proven Solutions Deployed Across ALL Market Verticals– Over 350 installations world-wide including…

• 4 of top 10 Forbes Ranked Enterprises• 3 of top 5 Largest Financial Services• Leading enterprises in Manufacturing, Financial, Services, Telecommunications,

Pharmaceutical/Chemical, Healthcare and more..• SC Awards 2010 “Best Regulatory Compliance Solution” Finalist

• Privately Held Profitable w/Organic Growth– Headquartered in Delaware– R&D Center in Raleigh NC– 7x24x365 eDMZ Support Operations– World-wide Partnerships

* Gartner defined terms & markets

Introducing TPAM

• Total Privileged Access Management (TPAM) Suite– A product Suite designed to solve security and compliance issues associated with

privileged users and privileged access– Modular design allows flexibility to grow

• Start with required base modules• Add additional modules as needs change

Introducing TPAM

• TPAM is built on either or Password Auto Repository™ (PAR) or eGuardPost™ base appliances

• From either platform you can enable additional modules as needed– Buy what you need today– Expand if needed in the future

Privileged Password Management

• Privileged Accounts are typically UBIQUITOUS

• Unlike “User” accounts, no individual association– Many times have known default passwords

• Privileged Accounts exist in every system, network device, database, etc.

• Privileged Accounts have extensive ACCESS and CONTROL– Many times full system access and control– Configuration and audit controls

• Regulatory and Compliance AUDIT ISSUES– Privileged/Shared/Service/Application account management growing audit area– What was acceptable yesterday is NOT accepted today

Issues and Challenges

Privileged Password Management

Enterprise Requirement

• Secure

• Dual release control• Change Controls

• Enterprise Integration

TPAM Suite/PPM Module

• Extensive built-in security– Password encrypted via RSA Bsafe– Full Disk encryption via Guardian Edge– Embedded hardware firewall– Purpose built appliance

• Dual or more release controls• Extensive configurable change control

– Time based (every X days)– Last-use based– Force change

• Extensive integration with– Strong authentication solutions– Active Directory– Ticketing systems

Privileged Password Management

Enterprise Requirement

• Effective workflow

• Ease of deployment & integration

TPAM Suite/PPM Module• TPAM Workflow values

– Web-base client access– Role-based– Dual authorization controls– eMail based notifications– Robust small screen support– Robust CLI/API

• Installed & configure in one day– Drop-in appliance– Client/agentless deployment– Tight integration w/AD– Import via .csv– Full API/CLI– Audit, SNMP, Syslog

Small screen support example

Privileged Password Management

Enterprise Requirement

• Individual Accountability

TPAM Suite/PPM Module

• Assured via PPM– Configuration options to limit

password release to one admin at a time.

– Last-use change control assures unique passwords each release

– Dual authorization controls

PPM delivers individualaccountability to shared

admin and other accounts

Workflow – Password Request

Initiate PasswordRequest

Filter & Select Account(s)

Enter Date/Time/Duration/ReasonPassword is needed

Optional ticket field. Can be active (check ticket) or passive.

Retrieve Password

Workflow – Small Screen

Hyperlink Format

Initiate Request

Filter Request or view most recent

Select Password. Quick Request automatically

submits with default reason “Request from mobile

device”

Enter ticket number (if required) and submit to

get password

Password retrieved from handheld.

* Small screen support configured on a per user basis

Application Password Management

• Embedded/Hard-coded passwords represent an often “hidden” exposure– Accounts/passwords known to programmers– Back-door accounts

• Application requirements can vary widely– Continuous A2A connectivity– Transaction A2A connectivity

Issues and Challenges

Application Password Management

Enterprise Requirement

• Replace Embedded Passwords

• Support “High Demand” transaction type applications

TPAM Suite/APM Module

• Full API/CLI – C/C++– Java– .NET– Perl

• PAR Cache– Add-on capability– Available as Cache appliance or VM– Supports central or distributed needs– Over 500 requests/second

Privileged Session Management

• Compliance often drives the need to know WHAT was done during certain privileged or sensitive access – do you need to know exactly what as done by:– Remote Vendors?– Outsourced service providers?– Developers granted access to production systems?– Fire-call activities?– Users or admins accessing sensitive resources or applications (Financial/Sox servers, HR,

etc.)

• Certain access demands higher audit and control

• Need to restrict direct resource access

Issues and Challenges

Privileged Session Management

Enterprise Requirement

• Fine grain access control

• Connection controls

• Session Audit

TPAM Solution/PSM Module

• User control point– Limits resource view based on role

• Full control over connections– Dual authorization controls– Session time limits– Alarm notification session overrun– Manual session termination options

• Unmatched session audit– Audit/log all connection requests,

approvals– FULL session recording with DVR

replay

Privileged Session Management

Enterprise Requirement

• Strong Audit

TPAM Suite/PSM Module

• Unmatched session audit– Audit/log all connection requests,

approvals– FULL session recording with DVR

replay

DVR Style Replay Control

Full Session Recording andReplay of ALL activities

Workflow – Session Request

Request a session connection

Select from a list of systems and accounts the specific user has

authorization to request connections too.

Enter date/time/duration of connection request. Can request for future date/time to allow advanced approval if under dual authorization

control.

Once connection approved (or auto approved) simply

CONNECT!

Workflow – Session Request

Connection proxy created to selected

System and Account

User connected and performs required work

Session can be configured for interactive or auto-login

EVERY action on the target system will be recorded (Keystrokes, mouse, links, etc.)

If user session extends beyond requested time, configurable alert notifications of session overrun can be sent

Active sessions can be manually terminated by authorized administrators

Workflow – Session Replay

Session recordings are kept local or can be automatically archived. Stored sessions can be searched based on date,

system, account, user and/or ticket number

Once selected, REPLAY SESSION will retrieve session and replay.

Workflow - Session Replay

DVR- Style controls allow control of replay of Recorded sessions.

All session activity is recorded and viewableVia session replay. Recording are NOT AVI

type files – recording size is compressed and VERY manageable.

Privileged Command Management

• Strong compliance need to restrict Superuser privilege access– Need to grant superuser rights without full superuser control

• Need to restrict what remote vendors or services providers can do

• Reduction in staff driving a need to “do more with less”– Need to delegate certain privileged functions without granting total privileged control

• Need support across both Unix and Windows platforms

Issues and Challenges

Privileged Command Management

Enterprise Requirement

• Superuser Privilege Management (SUPM)

• Support multi-platform environments

TPAM Solution/PCM Module

• SUPM Values– Command level access controls– No ability to execute outside of

command limit– Record all activity

• TPAM supports PCM for:– Unix– Windows– Others (coming in future release)

Session Restricted to Single Command(this example Computer Management)

No other Windows functions available

Workflow – Command Management

Commands are added via the Privileged Command Management Tool.

Workflow – Command Limited Session

Same workflow as normal session request.

Same workflow as normal session request

Session is to back-end target/account (Windows A3/e22egp) via PCM, user session is established and user is placed into the specific “command”.

In this example, Computer Management.

No access to other target commands, menu’s, etc. is allowed. The session will only exist within the context of

the specific command (eg. Computer Management). Once the user exits the command, the session is

immediately terminated.

Workflow – Command Limited Session

TPAM Summary

Deployment Overview

Deployment Options

• Central deployment of all TPAM management functions– Configuration– Release controls– Change controls– Audit

Central TPAM Deployment

Deployment Options

• Business Unit/Geographical control• License flexibility – can support central or BU license purchase

agreements

De-centralized TPAM Management

Deployment Options

• Central configuration control and audit• Distributed (local) password check/change via DPA

– Only require SSH from PAR to PAR DPA– All check/change connectivity (SSH, RDP, etc.) internal to the datacenter/location*

Distributed Privileged Password Management

Sample Customers

Sample Customers