BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Controlling User Accounts and Regulatory Compliance

Posted July 15, 2013    Morey Haber

PCI DSS Requirement 8 requires that organizations must be able to identify and log all user and administrative access to information systems and applications containing credit card and personally identifiable information. In addition, environments must also have a unique ID for every individual that will have computer access to these systems.  This simple requirement can be a daunting task for any organization to implement if they have a combination of authentication stores to manage across Windows, Linux, UNIX, and OS X. And, the verification process or checks and balances needed to manage this requirement can also stymy an organization if local accounts exist, as well. To handle this requirement, and implement best practices within any organization, BeyondTrust has a unique platform built around assessments, policy, and reporting to manage this requirement end to end.

First, BeyondTrust offers Retina in discover mode for all of our privileged identity solutions. Whether it is PowerBroker UNIX and Linux, PowerBroker for Windows, or PowerBroker PasswordSafe, Retina can discover all of the user accounts within your environment and document their membership. Below is a sample from the Retina CS Threat Management Console that illustrates this for a single host:

voyager.user-accounts

 

Next, we must find a way to manage multiple authentication stores. For this problem, the simplest method is actually the best method; consolidate them to one directory. In most organizations, Microsoft Active Directory (AD) is the primary vehicle for user account management. However, managing accounts and systems across platforms with AD is not a trivial function and native operating system tools are just flat out lacking to properly meet the requirements. BeyondTrust, however, has a solution for this in the form of PowerBroker Identity Services.

PowerBroker Identity Services allows you to integrate your Linux, UNIX, and Mac OS X servers with Microsoft Active Directory. The solution allows all of your assets, regardless of platform to be managed by computer and user in one central location; Active Directory. Non-Windows systems joined to the domain, appear as assets in AD, and allow users to authenticate locally via AD for system resources. This allows users to manage with their unique traits on those systems too. This is illustrated below:

linuxserversproperties

 

This solves the problem of multiple authentication stores and ensures system access can be controlled to individual user credentials. This coupled with the auditing capabilities of Retina ensures that no generic or rogue accounts exist either. Next, we need to solve the final problem; logging, reporting, and verification of credentialed access. BeyondTrust solves this problem with PowerBroker UNIX and Linux and/or PowerBroker for Windows. These two Privileged Identity Management (PIM) solutions allow for administrative control to systems and applications, and log all of their data to the Retina CS Threat Management Console for reporting to meet the final requirement. To illustrate this, below is a screenshot from Retina CS that provides details regarding the user, application, and privileges granted:

retinacs-smartgroups

This translates into a wide variety of reports can that manage PCI requirements directly for the issues at hand; especially for non-Windows systems:

reports-database

 

compliance-reports-inactive-users

BeyondTrust has a unique capability to solve the requirements within the PCI DSS and many other regulatory compliance initiatives. The simple collection, monitoring, and verification of user accounts, systems, and applications can be a monumental task if the environment uses multiple platforms, authentication services, and has multiple administrators to manage operations. The technology we offer can do this and so much more including vulnerability management and password vaulting to ensure strict control of administrative and system access. For more information, please click here. Our technology has the answers to your information technology questions.

Tags:
, , , , , , , , , , ,

Additional articles

PowerBroker Password Safe Password Age Report

Reshaping Privileged Password Management with Password Safe 5.2

Posted July 21, 2014    Martin Cannard

Today, we’re pleased to unveil the latest edition of our privileged password management solution, PowerBroker Password Safe. I’ll start with a brief intro of what’s new and then tell you a little about the driving factors behind Password Safe development. New features for mitigating password risk and ensuring accountability enterprise-wide Here’s the 10,000-foot overview of…

Tags:
, , ,
PowerBroker for Windows tamper protection

PowerBroker for Windows 6.6 Tamper Protection

Posted July 18, 2014    Morey Haber

I have a bone to pick: Stopping an administrator from performing an action on a system is futile endeavor. As an administrator, there is always a way to circumvent a solution’s from tampered protection. Really! By default, Windows administrators have unrestricted access to the system – and even though an application, hardened configuration, or group policy…

Tags:
, ,
PowerBroker for Windows can be configured to automatically identify the end user’s language preference

Implementing Least Privilege Around the World with PowerBroker for Windows

Posted July 17, 2014    Morey Haber

BeyondTrust recognizes that international, multilingual businesses have unique operating challenges, especially when it comes to implementing enterprise software. PowerBroker for Windows is a least-privilege solution often deployed across thousands of systems spanning multiple geographies and protecting users of diverse backgrounds. Earlier this year, PowerBroker for Windows introduces new data privacy features for EMEA and APAC,…

Tags:
, ,