Lab Validation Report
CyberArk Privileged Account Security
Intuitive, Agile, and Scalable Privileged Account Management
By Vinny Choinski, Senior Lab Analyst
April 2014
© 2014 by The Enterprise Strategy Group, Inc. All Rights Reserved.
Lab Validation: CyberArk Privileged Account Security
Contents
Introduction
    Background
    Privileged Account Security
ESG Lab Validation
    Securing Your Environment
    Ease of Use
    Solution Scalability
ESG Lab Validation Highlights
Issues to Consider
The Bigger Truth
Appendix
ESG Lab Reports
The goal of ESG Lab reports is to educate IT professionals about data center technology products for companies of all types and sizes. ESG Lab reports are not meant to replace the evaluation process that should be conducted before making purchasing decisions, but rather to provide insight into these emerging technologies. Our objective is to go over some of the more valuable features and functions of products, show how they can be used to solve real customer problems, and identify any areas needing improvement. ESG Lab's expert third-party perspective is based on our own hands-on testing as well as on interviews with customers who use these products in production environments. This ESG Lab report was sponsored by CyberArk.
All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.
Introduction
This ESG Lab validation report documents hands-on testing of the CyberArk Privileged Account Security Solution. The report focuses on leveraging the CyberArk Solution to enable an agile, intuitive, policy-based infrastructure capable of managing privileged access to critical assets in order to improve your security posture.
Background
As an IT professional, what keeps you awake at night? If securing privileged account access is not at the top of your list, it should be, because privileged accounts are often used as part of sophisticated cyber-attacks conducted by organized criminals, nation states, and hackers. Cyber-attacks like advanced persistent threats (APTs) and malicious insiders take advantage of informal processes, weak security controls, and monitoring limitations to target administrator accounts, compromise their systems, and gain access to valuable IT assets. In fact, when respondents to an ESG survey were asked if they believe their organizations had been the target of a previous APT attack, 59% said they were certain or fairly certain they had been targeted.[1] Also, IT trends such as service-oriented architectures (SOA), mobile devices/BYOD, and cloud computing, which open enterprise IT to additional threats, are likely to make enterprises even more vulnerable to attacks moving forward.
Figure 1. Belief that Organization Has Been Targeted by APTs
Based upon what you know about APTs, do you believe your organization has been the target of a previous APT attack? (Percent of respondents, N=244)
- Yes, we are certain we have been targeted: 20%
- Likely, we are fairly certain we have been targeted: 39%
- Unlikely, we don’t believe we have been targeted but it is possible: 30%
- No, we are fairly certain we have not been targeted: 11%
Source: Enterprise Strategy Group, 2014.
[1] Source: ESG Research Report, U.S. Advanced Persistent Threat Analysis, November 2011.
Privileged Account Security
CyberArk Privileged Account Security is a unified group of products that, when combined, provide a complete, secure solution for operating systems, databases, applications, hypervisors, network devices, security appliances, and more. When leveraged by IT organizations, the solution can help implement formal processes, strengthen security controls, detect threats, and improve monitoring and auditing of the overall environment.
Figure 2. CyberArk Solution Overview
The CyberArk Privileged Account Security Solution is built on the CyberArk Shared Technology Platform delivering enterprise-class security, scalability, and high availability on a single, unified platform. The ability to seamlessly integrate products into the platform solution provides an end-to-end solution with consolidated management, policy controls, enterprise integration, and reporting capabilities. Key products in the solution include:
Enterprise Password Vault enables organizations to automatically secure, manage, change, and log all activities associated with privileged account credentials.
Application Identity Manager provides a management solution that can address the challenges of hard-coded application-to-application credentials, Windows Service accounts, and encryption keys. The solution eliminates the need to store credentials in scripts or configuration files.
Privileged Session Manager enables organizations to control and monitor privileged access to sensitive systems and devices without divulging credentials to the end-user. Privileged Session Manager blocks malware and provides privileged session recording with text logging and DVR-like playback, with event-specific detail.
On-Demand Privileges Manager allows privileged users to run administrative commands from their native Windows and UNIX sessions while eliminating unneeded root access or admin rights. This secure, enterprise-ready, sudo-like solution provides unified and correlated logging of all super-user activity.
Privileged Threat Analytics identifies previously undetectable malicious privileged user activity. By applying patented analytic algorithms to a rich set of privileged account behavioral data, the solution produces highly accurate and immediately actionable intelligence, allowing incident response teams to disrupt and respond directly to the attack.[2]
ESG Lab Validation
ESG Lab performed hands-on evaluation and testing of the Privileged Account Security Solution at a CyberArk facility in Newton, Massachusetts. Testing was designed to demonstrate how the CyberArk Solution can help organizations secure, protect, and manage the full lifecycle of privileged accounts. ESG also assessed a number of product characteristics such as ease of use, intuitive management, and the ability to scale the solution to meet the demands of a growing and changing organization.
Securing Your Environment
This section of the validation report is an exploration of how the CyberArk Solution can be leveraged by an organization to automate and strengthen privileged account security. It is intended to demonstrate the CyberArk Privileged Account Security process and the policy-based engine and interface that are used to manage it.
ESG Lab Testing
To get testing underway, ESG Lab sat down with CyberArk subject matter experts for a whiteboard session reviewing the architecture. The Lab, using vault administrative credentials, then logged into a clustered environment and explored the layout and configuration. As shown in Figure 3, CyberArk provided the Lab with access to the vault file system structure and to the location where encrypted passwords are stored. ESG Lab used Notepad to open one of the previously generated password files and demonstrate the effect of the AES-256 password encryption, as shown in the enlarged circle in the upper right side of the figure. The bottom of Figure 3 shows how the Privileged Session Manager product makes a connection to a Windows server in the test environment. Here, the IT administrator makes a request through Privileged Session Manager to connect to the Windows server. The request, in a proprietary format, is sent to the secure Digital Vault. The vault then delivers the encrypted password to the Windows target and the privileged session to the Windows server is established.
Figure 3. CyberArk Vault Overview
[2] Privileged Threat Analytics was not included in this ESG Lab validation.
Next, ESG Lab explored the management interface. We reviewed the configuration options available for customizing a Master Policy, including Privileged Access Workflows, Password Management, Session Management, and Audit settings. As shown in Figure 4, highlighted in the red callout box, the Lab set a value of 30 for the change password interval and a value of one for the password verification interval. With these settings, any target device under management will automatically have its password changed every 30 days, and passwords will be validated daily.
Figure 4. Policy Management Interface
Next, ESG Lab activated the “allow EPV transparent connections” or the “click to connect” feature. This feature allows users to click on an icon from within their home view and make a connection to a target server or device they want to manage. This feature will be explained in more detail in a subsequent section of this document. ESG Lab then activated the “record and save session activity” rule, available with the Privileged Session Manager product, in the sessions management section of the interface. This feature instructs the CyberArk Solution to store a record of all privileged session activity. The audit section allows the administrator to set an interval for keeping the record. Here, ESG Lab set a value of 90, which means that a keystroke text log or video of the session will be stored for 90 days. The Lab also chose to leave the “requires users to specify reason for access” rule active. This rule is set “active” by default. It requires users to specify the reason before access is granted. It should be noted that exceptions can be easily set up for any of the rules described in this section. This provides great agility to the Master Policy schema. Rules can be set and enforced for the majority of target devices in the base Master Policy configuration and exceptions can be created to tune up or down the security level for individual devices or groups of devices.
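The Master Policy settings described above, as an added example that is not CyberArk's code: a small policy engine that holds the base rules (30-day change interval, daily verification, 90-day recording retention, reason required), layers per-device exceptions on top, and reports which scheduled actions are due for an account. All class, field and target names are assumptions.

```python
"""Master Policy evaluation with per-device exceptions (added example, not CyberArk code).

Models the settings the Lab configured: 30-day change interval, 1-day
verification interval, 90-day recording retention, reason required. Class,
field and target names are invented for illustration.
"""
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class MasterPolicy:
    """Base rules applied to every managed target unless an exception exists."""
    change_interval_days: int = 30    # rotate the password every 30 days
    verify_interval_days: int = 1     # verify the stored password daily
    record_sessions: bool = True      # "record and save session activity"
    retention_days: int = 90          # keep recordings for 90 days
    require_reason: bool = True       # "requires users to specify reason for access"


@dataclass
class ManagedAccount:
    target: str
    last_changed: datetime
    last_verified: datetime
    recordings: List[datetime] = field(default_factory=list)   # recording start times


class PolicyEngine:
    def __init__(self, base: MasterPolicy) -> None:
        self.base = base
        self._exceptions: Dict[str, dict] = {}

    def add_exception(self, target: str, **overrides) -> None:
        """Tune the security level up or down for a single target."""
        unknown = set(overrides) - set(MasterPolicy.__dataclass_fields__)
        if unknown:
            raise ValueError(f"unknown policy fields: {sorted(unknown)}")
        self._exceptions[target] = overrides

    def effective(self, target: str) -> MasterPolicy:
        """Base policy with this target's exception (if any) layered on top."""
        return replace(self.base, **self._exceptions.get(target, {}))

    def due_actions(self, acct: ManagedAccount, now: datetime) -> List[str]:
        """Scheduled tasks the engine must run for this account right now."""
        pol = self.effective(acct.target)
        actions: List[str] = []
        if now - acct.last_changed >= timedelta(days=pol.change_interval_days):
            actions.append("change")
        if now - acct.last_verified >= timedelta(days=pol.verify_interval_days):
            actions.append("verify")
        return actions

    def expired_recordings(self, acct: ManagedAccount, now: datetime) -> List[datetime]:
        """Recordings older than the retention window, eligible for purge."""
        cutoff = now - timedelta(days=self.effective(acct.target).retention_days)
        return [r for r in acct.recordings if r < cutoff]

    def authorize(self, target: str, reason: Optional[str]) -> bool:
        """Enforce the reason-for-access rule before a session is opened."""
        pol = self.effective(target)
        return not pol.require_reason or bool(reason and reason.strip())


def demo(now: datetime = datetime(2014, 4, 15, 9, 0)) -> dict:
    """Constructed accounts evaluated against the Lab's settings plus two exceptions."""
    engine = PolicyEngine(MasterPolicy())
    engine.add_exception("pci-db01", change_interval_days=7)   # tighter: weekly rotation
    engine.add_exception("lab-sandbox", require_reason=False)  # looser: no reason needed
    dc1 = ManagedAccount("dc1", last_changed=now - timedelta(days=31),
                         last_verified=now - timedelta(days=2),
                         recordings=[now - timedelta(days=100), now - timedelta(days=50)])
    pci = ManagedAccount("pci-db01", last_changed=now - timedelta(days=10),
                         last_verified=now - timedelta(hours=3))
    return {
        "dc1_actions": engine.due_actions(dc1, now),
        "pci_actions": engine.due_actions(pci, now),
        "dc1_expired_recordings": len(engine.expired_recordings(dc1, now)),
        "dc1_no_reason": engine.authorize("dc1", ""),
        "dc1_with_reason": engine.authorize("dc1", "patch cycle"),
        "sandbox_no_reason": engine.authorize("lab-sandbox", None),
    }
```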
ESG Lab next explored the effect on the end-user of applying one of the rules we had previously configured via the management interface. As shown in Figure 5, the Lab captured the user experience when session recording is active. Here, the Lab logged into the web interface as one of the test users defined in our validation environment. We used the “click to connect” feature to run an SSH session to a Linux server listed in the accounts screen. At the beginning of the session, the CyberArk Solution displays a temporary message letting the user know that the session is being recorded. After the temporary warning message is displayed, the session continues just like a typical connection session.
Figure 5. Session Recording
Why This Matters
Securing privileged accounts is essential because they protect the most valuable assets of the enterprise. Organizations are beginning to understand this; ESG research indicates that large organizations are taking more steps to bolster the security and oversight of privileged accounts.[3] Where you store credentials—and how you distribute them—makes a difference. In addition, a security plan is only as good as your ability to easily and continuously execute it. ESG Lab validated that the CyberArk Solution can provide a highly secure method for storing and distributing credentials. The CyberArk Solution eliminates the credentialing process for IT professionals, enabling them to complete their tasks without the risk of accidentally breaching security. Credential generation, rotation, encryption, and distribution can all be automated with CyberArk Privileged Account Security. Extensive and granular audit of privileged account usage, segregation of duties, and enforcement of privileged account workflows specific to the organization provide a high level of security.
[3] Source: ESG Research Brief, Deployment of Privileged User Access Controls at Enterprise Organizations, September 2012.
Ease of Use
This section of the lab validation report is intended to demonstrate the ease-of-use of the CyberArk Privileged Account Security Solution. It focuses on the experience of an end-user and covers some of the common tasks that an IT professional might conduct on a regular basis. It also examines how those tasks are completed via the CyberArk Solution interface.
ESG Lab Testing
ESG Lab began ease-of-use testing by logging into the web-based user interface. The Lab used the favorites view under the accounts list, as shown in Figure 6, to review some of the target devices that test user John has permission to access. As shown in the lower right of Figure 6, the Lab used the “click to connect” feature to launch a remote desktop session to the Active Directory server dc1. The “click to connect” feature made the remote desktop connection to the server without even asking the user to supply a password; the vault server supplied the password because John was an approved user. With CyberArk, users can create easy-to-manage views like favorites, recently accessed, locked accounts, and new accounts. Then, directly from the view screen, a user can connect to the targets he or she needs to manage without having to enter or manage a password.
Figure 6. User Account View
Privileged access workflows can also be quickly identified from this interface. This is demonstrated by the padlock icon on the far left in the last entry in the favorites list. This icon lets the user know that if for some reason he or she needs to have a hard copy of the password, a request will need to be submitted to the vault administrator. The “My Requests” tab in the left pane of the views screen allows the user to monitor the status of any requests. In this case, the blue zero on the right of the tab indicates that there are no requests pending.
ESG Lab took a more detailed look at the privileged access workflow process. To explore this feature, the Lab leveraged a server on an isolated network. To access and manage the server, an administrator had to use a physically connected console that required the password to be entered manually. As shown in Figure 7, we walked through each step of the password request procedure. First, the Lab logged into the user interface, clicked on the workflow icon from the favorites view, and submitted a request for a password. Bullet one in Figure 7 shows the detail of the request from the vault administrator’s interface. It includes the reason (e.g., system in isolated network) that the request is being made. Bullets two, three, and four show the status of the request as it moves through the process: step two shows the password locked, step three shows the request in process, and step four shows that access has been granted. Step five, the final step, displays the password for a short period of time and allows the requester to copy the password to a file for later use. It should be noted that the solution provides options to automatically change the password after the written password request tasks have been completed.
Figure 7. Access Workflow
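The five-step request procedure above, as an added example that is not CyberArk's code: a request object that enforces the reason rule, moves through locked, in process and granted, reveals the password only for a short window, and rotates it when the request is closed. The state names, the five-minute window, the vault stand-in and the requester/approver separation check are assumptions.

```python
"""Access request workflow stand-in (added example, not CyberArk code).

State names, the reveal window and the requester/approver separation check are
invented; time is passed in explicitly so the flow is deterministic.
"""
import secrets
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


class VaultStub:
    """Current password per target; rotate() issues a fresh random one."""

    def __init__(self) -> None:
        self.passwords = {}

    def rotate(self, target: str) -> str:
        self.passwords[target] = secrets.token_urlsafe(16)
        return self.passwords[target]


class AccessRequest:
    REVEAL_WINDOW = timedelta(minutes=5)   # assumed length of the step-5 password display

    def __init__(self, requester, target, reason, vault, submitted):
        if not (reason and reason.strip()):
            raise ValueError("a reason for access is required")   # Master Policy rule
        self.requester, self.target, self.reason, self.vault = requester, target, reason, vault
        self.granted_at: Optional[datetime] = None
        self.history: List[Tuple[str, datetime]] = [("locked", submitted)]   # step 2

    @property
    def state(self) -> str:
        return self.history[-1][0]

    def _advance(self, expected: str, new_state: str, when: datetime) -> None:
        if self.state != expected:
            raise RuntimeError(f"cannot move to {new_state} from {self.state}")
        self.history.append((new_state, when))

    def start_review(self, when: datetime) -> None:
        self._advance("locked", "in_process", when)                        # step 3

    def decide(self, approver: str, approve: bool, when: datetime) -> None:
        if approver == self.requester:
            raise PermissionError("requester may not approve their own request")
        self._advance("in_process", "granted" if approve else "denied", when)  # step 4
        if approve:
            self.granted_at = when

    def reveal(self, now: datetime) -> Optional[str]:
        """Step 5: the password is shown only while granted and inside the window."""
        if self.state != "granted" or now - self.granted_at > self.REVEAL_WINDOW:
            return None
        return self.vault.passwords[self.target]

    def close(self, when: datetime, auto_change: bool = True) -> None:
        """Finish the request; with auto_change the written copy stops working."""
        if self.state == "granted" and auto_change:
            self.vault.rotate(self.target)
        self.history.append(("closed", when))


def demo() -> dict:
    """Walk one request through the workflow with constructed names and times."""
    t0 = datetime(2014, 4, 15, 10, 0)
    initial = "constructed-initial-password"
    vault = VaultStub()
    vault.passwords["isolated-srv01"] = initial
    try:
        AccessRequest("john", "isolated-srv01", " ", vault, t0)
        reason_enforced = False
    except ValueError:
        reason_enforced = True
    req = AccessRequest("john", "isolated-srv01", "system in isolated network", vault, t0)
    req.start_review(t0 + timedelta(minutes=1))
    try:
        req.decide("john", True, t0 + timedelta(minutes=2))
        self_approval_blocked = False
    except PermissionError:
        self_approval_blocked = True
    req.decide("vault-admin", True, t0 + timedelta(minutes=2))
    shown = req.reveal(t0 + timedelta(minutes=3))        # inside the window
    late = req.reveal(t0 + timedelta(minutes=9))         # window elapsed
    req.close(t0 + timedelta(minutes=10))
    return {
        "states": [s for s, _ in req.history],
        "reason_enforced": reason_enforced,
        "self_approval_blocked": self_approval_blocked,
        "shown_in_window": shown == initial,
        "shown_after_window": late,
        "password_changed_on_close": vault.passwords["isolated-srv01"] != initial,
    }
```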
Finally, the Lab validated that the CyberArk Solution can be leveraged to securely manage and automate application credentials. Figure 8 shows how an organization can use the CyberArk Application Identity Manager to migrate from a hard-coded password configuration to an automated secure environment. The top of Figure 8 shows a typical hard-coded application script of the kind that is far too common in most environments. Here, the script presents a security risk because the password is contained in the script text in readable form. The bottom of Figure 8 shows how an application script can be configured to let the CyberArk Digital Vault supply the password. With the CyberArk Solution, the automation that is available for user accounts, which includes options like password rotation and password verification, can also be leveraged for application credentials. For actual testing, ESG Lab used two simple ftp scripts that were designed to connect to a server, download a file, and display the content of that file. Next, a password was set for the ftp account using the CyberArk Enterprise Password Vault. A request was then submitted to retrieve a written copy of the password from the Digital Vault, and the password was then hard-coded into the first script.
The second script was configured to automatically retrieve the password from the CyberArk Digital Vault using CyberArk Application Identity Manager. Then, because all passwords were in sync, ESG Lab was able to execute both scripts successfully. Next, Enterprise Password Vault was used to automatically change the ftp account password on the FTP server. The Lab executed both scripts again. This time, the hard-coded script failed to execute, while the script that leveraged the automatic Application Identity Manager process ran successfully.
Figure 8. Application Integration Overview
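The two-script test above, as an added example that is not CyberArk's code or API: an in-memory FTP server and vault stand in for the test bed, one script carries the password in its text, the other fetches it at run time, and a rotation from the vault breaks only the hard-coded one. VaultStub.get_password and the application-ID check are invented stand-ins for Application Identity Manager, not its real interface; all names and sample values are constructed.

```python
"""Hard-coded vs. vault-retrieved credential across a password rotation.

Added example, not CyberArk's code or API: an in-memory FTP server stand-in, a
Digital Vault stand-in, and the Lab's two scripts. VaultStub.get_password and
the application-ID check are invented stand-ins for Application Identity
Manager, not its real interface.
"""
import secrets
from typing import Dict, Set, Tuple


class FtpServerStub:
    """Minimal FTP server: one account and one downloadable file (constructed)."""

    def __init__(self, user: str, password: str) -> None:
        self._creds: Dict[str, str] = {user: password}
        self.files = {"report.txt": "constructed sample file content"}

    def set_password(self, user: str, password: str) -> None:
        self._creds[user] = password

    def get(self, user: str, password: str, name: str) -> str:
        # compare_digest: constant-time comparison of the supplied password
        if not secrets.compare_digest(self._creds.get(user, ""), password):
            raise PermissionError("530 Login incorrect")
        return self.files[name]


class VaultStub:
    """Stand-in for the Digital Vault: stores, releases and rotates credentials."""

    def __init__(self) -> None:
        self._objects: Dict[str, Tuple[str, str, FtpServerStub]] = {}
        self._allowed: Dict[str, Set[str]] = {}   # app_id -> objects it may read

    def onboard(self, obj: str, user: str, password: str, server: FtpServerStub) -> None:
        self._objects[obj] = (user, password, server)

    def grant(self, app_id: str, obj: str) -> None:
        self._allowed.setdefault(app_id, set()).add(obj)

    def get_password(self, app_id: str, obj: str) -> Tuple[str, str]:
        """Release (user, password) only to an application authorized for the object."""
        if obj not in self._allowed.get(app_id, set()):
            raise PermissionError(f"{app_id} is not authorized for {obj}")
        user, password, _ = self._objects[obj]
        return user, password

    def rotate(self, obj: str) -> None:
        """Scheduled change: set a fresh random password on the target, then the safe."""
        user, _, server = self._objects[obj]
        new_password = secrets.token_urlsafe(24)
        server.set_password(user, new_password)
        self._objects[obj] = (user, new_password, server)


# Script 1 ("before"): the password sits in the script text in readable form.
FTP_USER = "ftpsvc"
FTP_PASSWORD = "Spring2014!"        # constructed sample; this line is the exposure


def hardcoded_script(server: FtpServerStub) -> str:
    return server.get(FTP_USER, FTP_PASSWORD, "report.txt")


# Script 2 ("after"): no secret in the script; the vault supplies it at run time.
FTP_OBJECT = "ftp01-ftpsvc"         # invented vault object name
APP_ID = "FtpBatchJob"              # invented application identity


def vault_script(server: FtpServerStub, vault: VaultStub) -> str:
    user, password = vault.get_password(APP_ID, FTP_OBJECT)
    return server.get(user, password, "report.txt")


def _succeeds(fn, *args) -> bool:
    try:
        fn(*args)
        return True
    except PermissionError:
        return False


def run_experiment() -> dict:
    """Run both scripts, rotate the password from the vault, run both again."""
    server = FtpServerStub(FTP_USER, FTP_PASSWORD)
    vault = VaultStub()
    vault.onboard(FTP_OBJECT, FTP_USER, FTP_PASSWORD, server)
    vault.grant(APP_ID, FTP_OBJECT)
    before = (_succeeds(hardcoded_script, server), _succeeds(vault_script, server, vault))
    vault.rotate(FTP_OBJECT)
    after = (_succeeds(hardcoded_script, server), _succeeds(vault_script, server, vault))
    return {
        "before": before,
        "after": after,
        "unauthorized_app": _succeeds(vault.get_password, "SomeOtherApp", FTP_OBJECT),
    }
```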
Why This Matters
Delivering the optimal end-user and administration experience is an essential task for every IT deployment project. Solid, feature-rich solutions can be quickly discarded from the selection process simply because they are difficult to use and manage. Disruption to an organization’s daily workflow can be difficult to overcome. The success or failure of the project can hinge on the ability to smoothly integrate a solution into a production environment. ESG Lab validated that the CyberArk Privileged Account Security Solution was easy to install, manage, and use. The user interface offers clean, crisp, intuitive views of the assets that can be managed and enables connection to those assets right from the user accounts screen. It removes the burden of password management while simplifying the connection process for users, applications, and administrators.
Solution Scalability
A stagnant IT infrastructure is usually a sign of a larger problem for an organization. A healthy environment is always evolving and is in a constant state of growth or change. To meet ever-changing demands, an IT solution in these types of ecosystems must be manageable, adaptable, and scalable. This section of the validation report is an exploration of how the CyberArk Solution addresses the challenges of management, change, and scale and can help an organization coordinate its privileged account security requirements.
ESG Lab Testing
ESG Lab started its scalability testing with a review of the software components that make up the CyberArk Solution and the infrastructure options available for deploying those components. Figure 9 shows the modular design of the CyberArk software components via the block diagram view on the left and an overview of the deployment options via the architecture view to the right. At the heart of the solution is the CyberArk Shared Technology Platform, which includes the Secure Digital Vault, Master Policy Engine, and Discovery Engine. The CyberArk Shared Technology Platform allows customers to deploy a single infrastructure and expand the solution to meet expanding business requirements. Software products like Enterprise Password Vault, Privileged Session Manager, Application Identity Manager, and On-Demand Privileges Manager are then layered into the environment to increase security controls around valued assets.
Figure 9. Block Diagram and Architecture Overview
The whole solution can be deployed on a single server; or, as shown by the architecture diagram on the right side of Figure 9, each component of the platform can be distributed based on the needs of the organization. The modular design of the solution facilitates easy scaling for DR, HA, and performance, as well as the flexibility to deploy in segregated networks. The lower middle of the architecture view shows the Digital Vault installed on a highly available Microsoft cluster. Then, as shown to the left and right of the cluster, the vault can be replicated offsite to meet disaster recovery or remote office scalability requirements. Above the cluster and connected via the LAN are a number of component servers. These components can be deployed together on one dedicated server or spread across multiple dedicated servers as the environment grows and performance requirements increase.
Centralized management and monitoring are also critical elements of solution scalability. ESG Lab explored the monitoring and search capabilities of the CyberArk Privileged Account Security Solution. As shown in Figure 10, the Lab used the monitoring tab to review the available search features and the search procedure. Prior to running a search, we logged into a Red Hat Linux server through a session managed by CyberArk Privileged Session Manager and, as an administrator named Paul, completed a number of administrator tasks. The Lab then ran the “history -c” command to erase the command history of our user session on the server.
Figure 10. Solution Monitoring and Search
Next, the Lab logged back into the management interface and, as shown in the upper left side of Figure 10, conducted a search across the full environment for any instance of the “history -c” command being run. The search quickly returned two responses. The Lab selected the one whose time stamp corresponded to the recent user activity we had conducted. Because we had used the Privileged Session Manager feature of the CyberArk Solution to make our connection to the Linux server, all keystroke activity had been captured in both video and text format, even though the command history had been cleared on the server itself. As shown in the lower right side of Figure 10, the Lab used the video option to play back the clear-history activity of our session.
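The search the Lab ran above, as an added example that is not CyberArk's code: a stand-in for the proxy-side keystroke text log, a whitespace- and case-insensitive search for a command across every recorded session, selection of the hit nearest to a known time stamp, and replay of the lines typed before it. The session IDs, user names, host names and log lines are constructed sample data; the point it shows is that the record kept by the session proxy is untouched by clearing the shell history on the target.

```python
"""Search the keystroke record of proxied privileged sessions.

Added example, not CyberArk's code: a minimal stand-in for the Privileged
Session Manager text log and the monitoring search the Lab ran for
"history -c". Session IDs, user names, host names and the typed lines are
constructed sample data. Because the proxy records keystrokes on its own side
of the connection, clearing the shell history on the target leaves this record
intact, which is what the search relies on.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass(frozen=True)
class KeystrokeEvent:
    session_id: str
    user: str
    target: str
    ts: datetime
    text: str            # one command line as captured by the proxy


def _ev(sid: str, user: str, host: str, hms: str, text: str) -> KeystrokeEvent:
    h, m, s = (int(x) for x in hms.split(":"))
    return KeystrokeEvent(sid, user, host, datetime(2014, 4, 15, h, m, s), text)


# Constructed text log: two sessions on rhel-app01 and one on another host.
SAMPLE_LOG: List[KeystrokeEvent] = [
    _ev("S-0998", "jane", "rhel-app01", "08:10:05", "tail -n 50 /var/log/messages"),
    _ev("S-0998", "jane", "rhel-app01", "08:12:44", "history -c"),
    _ev("S-1001", "paul", "rhel-app01", "09:02:11", "cd /etc/httpd/conf"),
    _ev("S-1001", "paul", "rhel-app01", "09:02:40", "vi httpd.conf"),
    _ev("S-1001", "paul", "rhel-app01", "09:05:03", "service httpd restart"),
    _ev("S-1001", "paul", "rhel-app01", "09:05:30", "history  -c"),   # extra space on purpose
    _ev("S-1002", "paul", "rhel-db02", "09:30:00", "ls -la /var/lib/pgsql"),
]


def search(log: List[KeystrokeEvent], command: str) -> List[KeystrokeEvent]:
    """Find every recorded line containing the command, across all sessions.

    Tokens are matched case-insensitively with any run of whitespace between
    them, and the match must start and end on token boundaries, so
    "history -c" matches "history  -c" but not "history -cw".
    """
    tokens = [re.escape(t) for t in command.split()]
    rx = re.compile(r"(?<!\S)" + r"\s+".join(tokens) + r"(?!\S)", re.IGNORECASE)
    return [e for e in log if rx.search(e.text)]


def closest_to(hits: List[KeystrokeEvent], when: datetime) -> Optional[KeystrokeEvent]:
    """Pick the hit whose time stamp is nearest to the activity being investigated."""
    if not hits:
        return None
    return min(hits, key=lambda e: abs((e.ts - when).total_seconds()))


def context_before(log: List[KeystrokeEvent], hit: KeystrokeEvent, n: int = 3) -> List[str]:
    """The last n lines typed in the same session before the hit (what was 'erased')."""
    earlier = [e for e in log if e.session_id == hit.session_id and e.ts < hit.ts]
    earlier.sort(key=lambda e: e.ts)
    return [e.text for e in earlier[-n:]]


def demo() -> dict:
    """Reproduce the Lab's search: two hits, select Paul's by time, replay his session."""
    hits = search(SAMPLE_LOG, "history -c")
    mine = closest_to(hits, datetime(2014, 4, 15, 9, 6, 0))
    return {
        "hit_count": len(hits),
        "hit_sessions": sorted({e.session_id for e in hits}),
        "selected_session": mine.session_id if mine else None,
        "selected_user": mine.user if mine else None,
        "before_clear": context_before(SAMPLE_LOG, mine) if mine else [],
        "no_false_hit": len(search(SAMPLE_LOG, "history -cw")) == 0,
    }
```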
Lastly, as shown in Figure 11, ESG Lab used the platform management view located under the administration tab in the management interface to display a subset of the comprehensive list of platforms the CyberArk Solution supports. This not only demonstrates the ability to scale the security solution because of the exhaustive list of supported platforms, but also helps with scalability through simplified management. From this view, a vault administrator can create platform groups with account groups and group members who can perform management tasks at a platform-specific level.
Figure 11. Platform Management
Why This Matters
As organizations grow and change, they must be able to scale their security infrastructures quickly and easily to ensure adequate protection. The ability to react to specific growth and to scale only those resources required to meet that growth can be key. Centralized monitoring and management are also required to ensure that IT can keep up and maintain security as the enterprise grows. ESG Lab validated that the CyberArk Privileged Account Security Solution can be scaled at a very granular level. Because of its modular design, each component can be scaled independently as demand dictates. The master policy concept built into the management interface, along with the ability to quickly monitor and search the entire solution for suspicious activity, facilitates efficient scalability and helps make increasing the number of platforms under management easy.
ESG Lab Validation Highlights
- ESG Lab was pleased that the core of the solution was architected with strong security and availability features. We actually navigated the vault layout to confirm encryption, and just trying to take a look inside the files proved challenging even with administrator-level access to our test bed environment.
- Privileged account security often starts with the creation of written policies and procedures that can be very difficult to enforce and prone to errors if managed manually. The CyberArk Master Policy schema can help solve these challenges. ESG Lab was able to easily convert our written test policies to actionable tasks and run them automatically and as scheduled with the solution.
- The Lab validated that the solution was in fact easy to use. The interface provides each user with a customizable landing page where views of systems can be grouped and displayed. From the view page, a system administrator can scroll to the desired system and simply click to connect. The CyberArk Digital Vault will provide a password and a connection session will be started.
- ESG Lab validated that organizations can get started with the CyberArk solution on a single server deployment. As your environment grows or you expand the solution to cover more of your environment, components can be moved to their own dedicated server. The vault server can be clustered and replicated to meet availability and disaster recovery requirements.
Issues to Consider
CyberArk Privileged Account Security is a solution that helps put written privileged account security processes and procedures into action. It automates and enforces security. However, once an organization puts an access control workflow in place, IT staff must be ready to review, approve, or deny any access request in a timely fashion in order to not impact normal business operations. Understanding corporate culture and management style is an important element when implementing any major new IT initiative, especially when the new solution changes the way IT professionals access the systems required to do their jobs. Proper people planning is important, and the goal is to make sure that IT staff understands that these changes are for process automation and risk mitigation and not a personal indictment of any individuals or groups.
The Bigger Truth
We see it in the news on a far too regular basis: another security breach, and more data or personal information stolen. These high-profile stories have motivated many organizations to review and strengthen their security policies and procedures. In fact, ESG research indicates that over the last few years, many organizations have already implemented strong password management and multi-factor authentication, and are monitoring privileged user behavior.[4] Are these types of security efforts enough? What if the efforts require manual user intervention to enforce and manage? Can they be counted on? ESG Lab explored the benefits of securing an environment with the CyberArk Privileged Account Security Solution. The solution provides a highly available, secure platform for storing privileged passwords with a policy-based management engine that automates tasks such as scheduled password rotation, password checking, session recording, and others. We found the solution provided an easy-to-use intuitive interface for both end-users and administrators. The ability to create access workflows makes the solution agile while maintaining automation, and the modular design allows an organization to start small and scale as an environment grows, such as from a department-level deployment to a full enterprise configuration. ESG Lab believes the CyberArk Solution can truly help an organization strengthen the security process for privileged accounts and the assets they protect while keeping the environment flexible, agile, and easy to use.
[4] Source: ESG Research Brief, Deployment of Privileged User Access Controls at Enterprise Organizations, September 2012.
Appendix
Table 1. ESG Lab Test Bed

CyberArk Components
Privileged Account Security Solution:
    Enterprise Password Vault
    Central Policy Manager (version 8.1)
    Password Vault Web Access (version 8.0)
    Privileged Session Manager (version 8.0)
    Application Identity Manager (version 4.5)
    Disaster Recovery Vault

Server Hardware
    Standalone Vault Server
    Standalone DR Vault Server
    PVWA and CPM Server
    Privileged Session Manager Server
    Privileged Session Manager SSH Proxy Server
    Configuration of each of the five servers: (1) quad-core Intel processor, 8 GB RAM, 2x 80 SAS drives, RAID controller, 1 Gb network adaptor

Supporting Software
    Windows 2008 R2 SP1 (64-bit)
    Windows .NET Framework 3.5 SP1
    Windows IIS 7.5
    Windows Internet Explorer 8.0, 9.0
    Microsoft Remote Desktop Services (RDS)
    Red Hat Linux 5.6 or 6.6 (64-bit)
20 Asylum Street | Milford, MA 01757 | Tel: 508.482.0188 Fax: 508.482.0218 | www.esg-global.com