BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Controlling User Accounts and Regulatory Compliance

Posted July 15, 2013    Morey Haber

PCI DSS Requirement 8 requires that organizations must be able to identify and log all user and administrative access to information systems and applications containing credit card and personally identifiable information. In addition, environments must also have a unique ID for every individual that will have computer access to these systems.  This simple requirement can be a daunting task for any organization to implement if they have a combination of authentication stores to manage across Windows, Linux, UNIX, and OS X. And, the verification process or checks and balances needed to manage this requirement can also stymy an organization if local accounts exist, as well. To handle this requirement, and implement best practices within any organization, BeyondTrust has a unique platform built around assessments, policy, and reporting to manage this requirement end to end.

First, BeyondTrust offers Retina in discover mode for all of our privileged identity solutions. Whether it is PowerBroker UNIX and Linux, PowerBroker for Windows, or PowerBroker PasswordSafe, Retina can discover all of the user accounts within your environment and document their membership. Below is a sample from the Retina CS Threat Management Console that illustrates this for a single host:

voyager.user-accounts

 

Next, we must find a way to manage multiple authentication stores. For this problem, the simplest method is actually the best method; consolidate them to one directory. In most organizations, Microsoft Active Directory (AD) is the primary vehicle for user account management. However, managing accounts and systems across platforms with AD is not a trivial function and native operating system tools are just flat out lacking to properly meet the requirements. BeyondTrust, however, has a solution for this in the form of PowerBroker Identity Services.

PowerBroker Identity Services allows you to integrate your Linux, UNIX, and Mac OS X servers with Microsoft Active Directory. The solution allows all of your assets, regardless of platform to be managed by computer and user in one central location; Active Directory. Non-Windows systems joined to the domain, appear as assets in AD, and allow users to authenticate locally via AD for system resources. This allows users to manage with their unique traits on those systems too. This is illustrated below:

linuxserversproperties

 

This solves the problem of multiple authentication stores and ensures system access can be controlled to individual user credentials. This coupled with the auditing capabilities of Retina ensures that no generic or rogue accounts exist either. Next, we need to solve the final problem; logging, reporting, and verification of credentialed access. BeyondTrust solves this problem with PowerBroker UNIX and Linux and/or PowerBroker for Windows. These two Privileged Identity Management (PIM) solutions allow for administrative control to systems and applications, and log all of their data to the Retina CS Threat Management Console for reporting to meet the final requirement. To illustrate this, below is a screenshot from Retina CS that provides details regarding the user, application, and privileges granted:

retinacs-smartgroups

This translates into a wide variety of reports can that manage PCI requirements directly for the issues at hand; especially for non-Windows systems:

reports-database

 

compliance-reports-inactive-users

BeyondTrust has a unique capability to solve the requirements within the PCI DSS and many other regulatory compliance initiatives. The simple collection, monitoring, and verification of user accounts, systems, and applications can be a monumental task if the environment uses multiple platforms, authentication services, and has multiple administrators to manage operations. The technology we offer can do this and so much more including vulnerability management and password vaulting to ensure strict control of administrative and system access. For more information, please click here. Our technology has the answers to your information technology questions.

Tags:
, , , , , , , , , , , ,

Additional articles

powerbroker-for-mac-diagram-small

PowerBroker for Mac: A Least-Privileged Apple a Day…

Posted July 27, 2015    Jason Silva

BeyondTrust PowerBroker for Mac reduces the risk of privilege misuse by enabling standard users on Mac OS X to perform administrative tasks successfully without entering elevated credentials.

Tags:
, ,
PrivilegedAccountManagement

On Demand Webinar – Now is the time for Privileged Account Management

Posted July 24, 2015    BeyondTrust Software

In this webinar, SANS Instructor and Founder of Voodoo Security, Dave Shackleford, will revisit several hacking and breach scenarios that involved privileged accounts, and use these as examples while discussing tools and tactics to get this problem under control once and for all.

Tags:
, ,
dave-shackleford-headshot

Privileged Account Management: The Time is Now

Posted July 22, 2015    Dave Shackleford

There’s plenty of problems we don’t have great options for in InfoSec today. Malware is a pain point that keeps evolving rapidly. 0-day exploits are tough to prepare for. Privileged account management? We got this. We know the root causes, we know how it manifests, we know how to get it under control effectively, and there are great technology solutions that are enterprise-class.

Tags:
, ,