Securing the Enterprise's Cloud Assets on Amazon Web Services (AWS)


Table of Contents

Securing the Enterprise's Cloud Assets
Amazon Web Services and CyberArk
Securing the Enterprise's AWS Environments with CyberArk Privileged Account Security
    Overview
    1. Identifying and Securing Cloud Assets
        Discovery of AWS Assets
        Securing and Monitoring Interactive Access to the AWS Management Console and APIs
        Securing and Monitoring Access to AWS EC2 Instances
    2. Automating Provisioning Processes
        Managing AWS API Keys
        Provisioning Processes
        AWS Auto Scaling of Applications and Securing Credentials
    3. Automating Deployment of the CyberArk Environment
    Accept
    Summary

Securing the Enterprise's Cloud Assets

Enterprises embark on a cloud journey for a variety of reasons: some companies are native cloud, or all-in cloud from the start. More typically, while an increasing number of enterprises have embraced Cloud-First strategies, and in some cases Automation-First strategies, large enterprises migrate segments of their business over time to the cloud. Large enterprises may initially adopt cloud to support on-demand computing for applications, such as big data analytics, which may require significant compute and storage resources, but only intermittently. Other enterprises are driven by cost savings, in some cases entirely eliminating the need to operate physical data centers, and gaining increased efficiency. Others are driven at least in part by the increased availability of their applications and the overall reliability of cloud-based solutions. But cloud has a lot more to offer than cost savings. Enterprises with the highest levels of cloud adoption typically not only completely re-architect their applications, but also take advantage of automation to streamline their entire development and deployment process. They adopt DevOps processes and continuous integration (CI) and continuous delivery/deployment (CD) pipelines with the objective of more nimbly meeting customer and business needs. Regardless of where enterprises are in their cloud journey, CyberArk's goal is to enable enterprises to protect their cloud assets by providing powerful solutions for securing privileged accounts and credentials at each stage of the journey. Most important, with CyberArk enterprises can consistently enforce security policies regardless of their different compute environments, delivery pipelines and automation tools.
Additionally, CyberArk's cloud automation tools simplify and accelerate the deployment of CyberArk solutions in the public cloud. Robust security is a critical requirement for organizations. However, in recent years, questioning the security of cloud environments has become less of a concern to large enterprises as they recognize that, with the right approach, cloud environments can be highly secure. But it is critical to recognize that security in the cloud is a shared responsibility between the public cloud vendor and the enterprise. AWS goes to great efforts to ensure the security OF the cloud infrastructure, including the compute, storage and networking resources as well as the physical infrastructure. However, each of the public cloud vendors is very clear that security in the cloud is a shared responsibility, and that the enterprise, as the application owner, is responsible for protecting its applications, data, the OS and other enterprise infrastructure, as well as other assets running IN the cloud. So in summary, everything above the hypervisor or equivalent layer is the responsibility of the enterprise.

[Figure: Cloud Security is a Shared Responsibility. Customer / Enterprise, security IN the cloud: customer data, applications, identity and access management, OS, network and firewall, client-side encryption, network protection, server-side encryption. Public cloud vendor, security OF the cloud: compute, storage, networking, management console, global infrastructure / regions, physical infrastructure.]

Additionally, when organizations use any public cloud vendor, including AWS, the organization accesses the entire cloud infrastructure through the cloud vendor's management console; for AWS this is the AWS Management Console. The console is accessed by both human users and scripts, APIs and other non-human users. This management console is incredibly powerful and holds the keys to the cloud kingdom, even more so than on-premises admin consoles. For example, the management console enables set-up and configuration of the entire cloud infrastructure: allocating resources, setting up applications and compute instances, and determining the regions and Availability Zones that the apps run in. The console is also used to set up all the security parameters, defining which users have access, their level of access, etc. It also handles all the billing, and is used to make purchases from the AWS Marketplace. The console is clearly a very attractive target for attackers and must be protected at all costs.

Amazon Web Services and CyberArk

Amazon Web Services (AWS) is widely recognized as a leading provider of public cloud services, offering organizations of all sizes a highly reliable, scalable, low-cost infrastructure platform in the cloud. AWS has grown dramatically since its inception just over 10 years ago, and today AWS serves several hundred thousand businesses in some 190 countries, and operates data centers around the globe.
For customers, the AWS platform offers a broad and ever-increasing array of capabilities and computing resources, including various compute and storage resources as well as many other services. For example, Amazon EC2 (Elastic Compute Cloud) and S3 (Simple Storage Service) are widely used. Within each service there is a broad range of sub-services available, such as graphics intensive, burstable, high I/O, as well as general purpose compute resources -- and similarly for storage. Various databases, networking and some basic security services are also offered, as well as tools to build and develop applications. In addition to internal AWS capabilities, AWS also offers enterprise-focused solutions from third-party vendors like CyberArk.

AWS is an important partner for CyberArk, and CyberArk's priority is to help ensure that large enterprises can more fully secure and protect their cloud assets running on AWS. CyberArk has worked closely with AWS at the technical level to ensure that our offerings are optimized for AWS and meet both the AWS architectural requirements and CyberArk's Security Fundamentals for Privileged Account Security. Today, CyberArk serves a growing group of enterprise customers that are using CyberArk solutions to help protect and secure their cloud assets running on AWS. The configurations and customer needs can vary significantly depending on the customers' business objectives. For example, in some cases customers run the primary and disaster recovery CyberArk vaults on AWS, while in others a hybrid environment is used. CyberArk continues to expand its AWS-focused capabilities, and today, for example, a complete CyberArk environment can be set up on AWS in a matter of minutes using CyberArk cloud automation tools. Additionally, CyberArk has various integrations with AWS. For example, some customers taking advantage of on-demand computing using AWS Auto Scaling have integrated with CyberArk to help ensure privileged accounts and credentials are immediately secured when new application instances are created. CyberArk's technical teams around the globe have developed deep expertise by working closely with enterprises on their AWS cloud journey, as they move from evaluation, to deployment and into production. In some cases customers have shut down their data centers and migrated completely to the cloud, relying on CyberArk solutions to help ensure the security of their on-premises, hybrid, and all-in cloud environments.
CyberArk works with, and offers solutions and guidance to, enterprises at each stage of their cloud journey, from evaluating security needs during an initial migration to helping ensure the enhanced security of a large enterprise embracing a Cloud-First strategy. For additional information about AWS refer to

Securing the Enterprise's AWS Environments with CyberArk Privileged Account Security

Overview

This document, comprising three sections, describes how enterprises can achieve the highest level of security for their AWS environments by implementing CyberArk Privileged Account Security Solutions.

1. Identifying and Securing Cloud Assets
Describes how the CyberArk Privileged Account Security Solution discovers AWS assets and secures them. CyberArk solutions help enterprises ensure that only authorized users are permitted to access these assets and that all access is monitored and recorded so as to provide a full audit trail.
    - Discovering AWS assets via CyberArk Discovery & Audit (DNA)
    - Securing and monitoring access to the AWS Management Console
    - Securing and monitoring access to AWS EC2 instances
    - Implementing a Jump Server for accessing the AWS environment

2. Automating Provisioning Processes
Describes how CyberArk solutions can automate provisioning processes, replace embedded API keys and allow scripts to run while better protecting AWS keys or other credentials.
    - Managing AWS API keys
    - Provisioning processes
    - Auto scaling applications and securing credentials

3. Automating Deployment of the CyberArk Environment
Describes how, by using CyberArk's cloud automation tools, the complete CyberArk Privileged Account Security environment can be automatically deployed on AWS in minutes.

1. Identifying and Securing Cloud Assets

Discovery of AWS Assets

In a dynamic, constantly changing environment where EC2 instances spin up and down regularly, it is not only hard for administrators to keep track of the current servers and their key pairs, but also challenging to determine, from a security perspective, which are most vulnerable and need to be prioritized. Additionally, when administrators need to delegate permissions and create new IAM (Identity and Access Management) users for different roles in the organization, it can be challenging to track and identify the users who can mistakenly cause harm, such as the privileged users of the AWS Management Console. So before starting a privileged account security project, it is important to assess the risk and understand the status of the privileged accounts across the complete, and likely dynamic, cloud environment. Understanding these risks is a foundational step in building an effective program to mitigate them. CyberArk's Discovery and Audit (DNA) utility is designed to scan for privileged accounts across different sources, such as Active Directory, Linux systems, and AWS environments. Note that DNA is an agentless scanner that leverages the AWS API to access the AWS console and discover privileged IAM users and their access keys. DNA discovers existing EC2 instances, no matter what their state, which indicates the potential number of local privileged accounts. If AWS Inspector is also used, DNA's integration with AWS Inspector enables the security risk on each of the EC2 instances to be determined. Additionally, when provided with proper credentials, DNA can be used to scan the EC2 instances for privileged accounts, CyberArk Application Identity Manager accounts and access keys. DNA also detects AWS EC2 key pairs that are used to encrypt and decrypt EC2 instance login information. This information enables DNA to track the number of entities that can potentially create EC2 instances.
The following example demonstrates how DNA provides a privilege risk assessment of an AWS environment.

Securing and Monitoring Interactive Access to the AWS Management Console and APIs

AWS administrators use the AWS Management Console or API access (e.g., PowerShell) to interactively administer the AWS platform. Unauthorized or uncontrolled access to the console or through APIs could lead to shutdown of the entire cloud environment, data exfiltration, etc. The risk of these and other serious breaches makes it essential for enterprises to secure and monitor any and all potential access paths. For example, unsecured access to the AWS Management Console may lead to the following security risks:
    - Takeover of the administrator endpoint and hijacking of credentials used to access the cloud administrative interfaces.
    - Lack of controls may allow insiders, as well as attackers, to mistakenly or maliciously access the cloud administrative interfaces and cause damage.
    - Lack of sufficient monitoring of cloud administrative access prevents security teams from analyzing the impact of a human error or breach.

AWS Identity and Access Management (IAM) enables organizations to securely control user access to AWS services and resources. Using IAM, teams can create and manage AWS users and groups and use permissions to allow or deny access to AWS resources (similarly to role-based access in Active Directory). CyberArk recommends that organizations use AWS IAM to securely control user access to AWS services and resources. Specifically, these AWS privileged accounts should be on-boarded into the CyberArk Vault, so that access to cloud administrative interfaces is controlled and monitored, as detailed below.
By defining AWS privileged users in the CyberArk solution (directly or through Active Directory) and using CyberArk Privileged Session Manager to access the AWS Management Console, organizations can take steps to prevent users from knowing the password they use to access the AWS Management Console and, more important, reduce the risk of these sensitive passwords reaching the user's potentially compromised endpoint when they connect. Additionally, when using CyberArk Privileged Session Manager, the system is designed to prevent the user from logging in without auditing and recording user activity during the session. The privileged user's password can also be scheduled to rotate automatically. The following chart shows a controlled session for accessing the AWS Management Console.

Whenever a maintenance activity needs to be done on AWS production instances and AWS CLI (Command Line Interface) or PowerShell access is required by an IT administrator, CyberArk Privileged Session Manager will open the CLI or PowerShell console without the user seeing or knowing the AWS access key and secret key. CyberArk Privileged Session Manager can be further leveraged for delegating AWS permissions by integrating with AWS Security Token Service (STS) to automatically generate a role-based and/or policy-based temporary session for the AWS Management Console or for API access. The CyberArk solution integrates with AWS STS to allow an administrator to configure accounts with specific AWS roles and/or policies. Once connected to the AWS Management Console or the API, end users assume that specific AWS role and policy and are able to perform only authorized operations on the AWS platform. Sessions can be recorded and set up so as to only be valid for a certain period of time. In addition, all active sessions can be monitored by security teams in real time, and even terminated in case of suspected misuse or potential attack.

[Figure: temporary role-based access via AWS STS. 1. An AWS user authenticates to the CyberArk Portal. 2. The CyberArk Portal requests temporary AWS access credentials from the Amazon Security Token Service. 3. The portal receives a temporary AWS token. 4. The user receives temporary role-based access to the AWS Management Console and EC2 instances.]
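The broker side of steps 2 to 4 above, as an added PowerShell example that is not part of the original document and is not CyberArk's STS integration: it assumes the AWS Tools for PowerShell module with the broker's own credentials already loaded, a placeholder role ARN, and that the role trusts the broker identity.

```powershell
# Added example: mint a short-lived, policy-scoped STS session from a vaulted
# broker credential, so the end user only ever receives temporary keys.
function New-ScopedAwsSession {
    param(
        [Parameter(Mandatory)] [string] $RoleArn,       # placeholder role the broker may assume
        [Parameter(Mandatory)] [string] $SessionName,   # recorded in CloudTrail as the session identity
        [string[]] $AllowedActions = @("ec2:DescribeInstances", "ec2:RebootInstances"),
        [string] $Region = "us-east-1",
        [int] $DurationSeconds = 900                    # 15 minutes, the STS minimum
    )

    # A session policy can only narrow the role: effective permissions are the
    # intersection of the role's own policies and this document.
    $sessionPolicy = @{
        Version   = "2012-10-17"
        Statement = @(@{ Effect = "Allow"; Action = $AllowedActions; Resource = "*" })
    } | ConvertTo-Json -Depth 5 -Compress

    $assume = @{
        RoleArn           = $RoleArn
        RoleSessionName   = $SessionName
        DurationInSeconds = $DurationSeconds
        Policy            = $sessionPolicy
        Region            = $Region
    }
    $resp = Use-STSRole @assume

    # Only the temporary triple leaves the broker; the long-lived key never does.
    return [pscustomobject]@{
        AccessKeyId     = $resp.Credentials.AccessKeyId
        SecretAccessKey = $resp.Credentials.SecretAccessKey
        SessionToken    = $resp.Credentials.SessionToken
        Expiration      = $resp.Credentials.Expiration
    }
}

# Usage: the caller can run an allowed operation; anything outside $AllowedActions
# (for example ec2:TerminateInstances) is denied even if the role itself permits it.
# The account id and role name are placeholders.
$s = New-ScopedAwsSession -RoleArn "arn:aws:iam::123456789012:role/ReadOnlyOps" -SessionName "mike-ticket-4711"
Get-EC2Instance -AccessKey $s.AccessKeyId -SecretKey $s.SecretAccessKey -SessionToken $s.SessionToken -Region "us-east-1"
```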

Lastly, it is known that in most cases the entry point of an attack is the endpoint, and once an attacker (or an insider) manages to take over an endpoint, the attacker will look for privileged credentials in order to move laterally. In the case of cloud administrative consoles, the cached AWS console credentials and browser session are targets. Therefore, it is also essential to protect the endpoints themselves, and make sure that the browser caches and credential stores are protected. CyberArk Endpoint Privilege Manager is designed to allow organizations to secure credential stores on the endpoint (including browsers), in addition to removing redundant admin rights and usage of unwanted applications.

Summary and benefits:
    - Control interactive access to the cloud console
    - Secure and vault AWS root and IAM privileged accounts
    - Automatic password rotation of AWS root and IAM privileged accounts
    - Establish access workflows to AWS privileged accounts (e.g., approval, ticketing, strong authentication)
    - Provide isolation of interactive cloud sessions and prevent credentials from reaching the endpoint
    - Monitor cloud privileged sessions
    - Delegate AWS root access and leverage AWS STS integration
    - Secure credentials on endpoints accessing AWS consoles

Securing and Monitoring Access to AWS EC2 Instances

Protecting and controlling access to machines (instances) deployed on AWS is an important security requirement. Once a privileged account is securely stored in the Vault, IT admins can access the AWS instance using CyberArk Privileged Session Manager without exposing the privileged account credentials (root, administrator, etc.) or SSH keys. This seamless access improves ease of use for admins, as well as security for the organization.
For example, CyberArk Privileged Session Manager is designed to securely obtain the privileged account password from the CyberArk Enterprise Password Vault and transparently open an RDP session to the target Windows machine while recording the full session in the background and providing detailed audit records of users' activities. The connections secured by Privileged Session Manager can be established through the intuitive web portal (Password Vault Web Access, PVWA) or directly from any client application or tool used for connecting to Windows servers, allowing IT administrators to maintain their standard workflows while benefiting from isolation and monitoring of the privileged activity. The CyberArk Privileged Session Manager SSH Proxy does the same for Linux-based machines by transparently passing the privileged account password, SSH key or any other credentials. End users continue working with their native clients (e.g., PuTTY, SSH console) to connect to target systems, preventing a change to the existing workflow, while maintaining high security and audit levels. CyberArk Privileged Session Manager helps organizations ensure that all access to the AWS instances passes through the organization's security workflow (for example, a request for specific approval may be required for any access to sensitive instances), and also protects against credential theft by malware and key loggers that can potentially infect the client machines.

Here is an example of how user Mike can initiate an SSH session to an AWS Linux machine using the Privileged Session Manager SSH Proxy. Mike types the command with his username, the target machine user name, target machine address and the SSH proxy address. Mike will need to authenticate himself to the Vault (which he could do using his Active Directory credentials, personal SSH key or alternatively via two-factor authentication). In this example, once authenticated, if Mike is authorized to access the target AWS server, the proxy will invoke the session by transparently transferring the SSH private key to the target machine. Note that in addition to being able to connect to the remote machine without exposing the private key, Mike is also being monitored and recorded. Every activity Mike does on the target machine, including commands and keystrokes typed, will be recorded and audited. The captured audit is securely stored in the vault to help prevent Mike or any other user from tampering with the audit trail and destroying evidence.

    [root@localhost ~]# ssh mike@ec2-user@ec compute-1.amazonaws.com@
    mike@ec2-user@ec2-54-@'s password:
    Last login: Sun Apr 6 05:10: from
    This session is being recorded

    The server's host key is not cached. You have no guarantee that the server is the computer you think it is.
    The server's rsa2 key fingerprint is:
    ssh-rsa 2048 ee:76:92:4b:d1:f2:03:60:db:6e:8f:95:88:83:e0:45
    If you trust this host, enter y to add the key to PuTTY's cache and carry on connecting.
    If you want to carry on connecting just once, without adding the key to the cache, enter n.
    If you do not trust this host, press Return to abandon the connection
    Store key in cache? (y/n) y
    Using username ec2-user.
    Last login: Sun Apr 6 08:10: from
    [ec2-user@ip ~]$

Implementing a Jump Server for Accessing the AWS Environment

Amazon Virtual Private Cloud (Amazon VPC) enables organizations to provision a logically isolated section of the Amazon Web Services (AWS) Cloud to launch AWS resources in a virtual network defined by the organization. Additionally, organizations can create a Virtual Private Network (VPN) connection between the corporate datacenter and the VPC, thereby leveraging the AWS cloud as an extension of the corporate datacenter. By connecting the VPC to the corporate network, the VPC is hosted behind the corporate firewall. For security purposes, to reduce the size of the attack surface and secure assets on AWS, a common security best practice is to limit RDP and/or SSH access to instances through a bastion host or a proxy (jump) server. The server can be located outside the organization's firewall or in the DMZ and used to establish a VPN connection to the AWS cloud, preventing a VPC connection directly into the organization's network. Any allowed access to AWS instances can be restricted to only come from that proxy server. Also, organizations may only allow outbound communication from the organizational environment to the AWS cloud. CyberArk Privileged Session Manager is designed to serve as such a gateway solution, allowing the organization to achieve this network segregation in a secure way and at minimal cost. The gateway is designed to be hardened and audited regularly, with tamper-resistant audit logs and session monitoring for audit integrity. It can be configured to be the only access point to the cloud environment; hence firewall rules can be more restrictive and manageable, since no other device or user should be accessing the cloud other than the CyberArk Privileged Session Manager gateway.
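An added PowerShell example (not from the original document) of the "only access point" check the paragraph above describes: it audits every security group in a region for SSH/RDP rules not sourced from the gateway's address, and shows the corrected single-source rule beside it. It assumes the AWS Tools for PowerShell module with credentials loaded; the gateway CIDR and group id are placeholders.

```powershell
# Added example: detect admin-port ingress that bypasses the gateway, then
# show the tightened rule that allows only the gateway host.
function Test-GatewayOnlyIngress {
    param(
        [Parameter(Mandatory)] [string] $GatewayCidr,   # placeholder, e.g. "203.0.113.10/32"
        [int[]] $AdminPorts = @(22, 3389),
        [string] $Region = "us-east-1"
    )
    $findings = @()
    foreach ($sg in Get-EC2SecurityGroup -Region $Region) {
        foreach ($perm in $sg.IpPermissions) {
            # Protocol "-1" is all traffic; otherwise only TCP ranges containing an admin port matter.
            $hit = $AdminPorts | Where-Object { $_ -ge $perm.FromPort -and $_ -le $perm.ToPort }
            if ($perm.IpProtocol -ne "-1" -and -not ($perm.IpProtocol -eq "tcp" -and $hit)) { continue }

            # Every source that is not the gateway is a finding: IPv4, IPv6 and referenced groups.
            $sources = @()
            $sources += @($perm.Ipv4Ranges | ForEach-Object { $_.CidrIp })
            $sources += @($perm.Ipv6Ranges | ForEach-Object { $_.CidrIpv6 })
            $sources += @($perm.UserIdGroupPairs | ForEach-Object { "sg:" + $_.GroupId })
            foreach ($src in $sources | Where-Object { $_ -ne $GatewayCidr }) {
                $severity = if ($src -in "0.0.0.0/0", "::/0") { "high" } else { "medium" }
                $findings += [pscustomobject]@{
                    GroupId  = $sg.GroupId
                    Name     = $sg.GroupName
                    Protocol = $perm.IpProtocol
                    Ports    = "$($perm.FromPort)-$($perm.ToPort)"
                    Source   = $src
                    Severity = $severity
                }
            }
        }
    }
    return $findings
}

# Corrected configuration: one TCP rule per admin port, sourced only from the gateway.
function Grant-GatewayOnlyIngress {
    param(
        [Parameter(Mandatory)] [string] $GroupId,       # placeholder security group id
        [Parameter(Mandatory)] [string] $GatewayCidr,
        [int[]] $AdminPorts = @(22, 3389)
    )
    foreach ($port in $AdminPorts) {
        Grant-EC2SecurityGroupIngress -GroupId $GroupId -IpPermission @{
            IpProtocol = "tcp"; FromPort = $port; ToPort = $port; IpRanges = $GatewayCidr
        }
    }
}

# Usage: report first. Revoking the offending rules is left to whoever reviews
# the report, so a mis-typed CIDR cannot lock administrators out.
Test-GatewayOnlyIngress -GatewayCidr "203.0.113.10/32" | Format-Table -AutoSize
```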

The CyberArk Privileged Session Manager invokes a shadow session to the end device to increase security. This is a different session than the one the end user is opening from his or her workstation. The system is designed so that any malware that found its way to the end user's workstation cannot propagate to the target server.

2. Automating Provisioning Processes

Managing AWS API Keys

With automation, organizations are able to leverage the dynamic capabilities of the cloud. Scripts leveraging AWS APIs for scaling, such as for provisioning new AWS instances or containers, or de-provisioning AWS instances, are commonly used for automation. A best practice is to ensure that requests for AWS resources require credentials, so as to ensure applications, etc. have permission to access the resource. To enable programmatic requests, AWS requires the requesting application, user, etc. to pass their access keys (an access key and secret access key). These API keys are typically spread across automation scripts and orchestration servers, sometimes hardcoded in the code itself or embedded in configuration files. These API keys are actually the keys of the cloud kingdom, and could enable unrestricted access to AWS and allow operations such as stopping or starting servers, wiping entire workloads or dumping the content of an instance. Moreover, these keys are all too frequently static and unchanged, which further increases the risk of key compromise. Consequently, the risks to the organization of unmanaged API keys are high. To help ensure the security of automated provisioning processes, CyberArk's approach to securing API keys consists of the following steps:
    - Discover and enumerate the keys using CyberArk Discovery and Audit.
    - Onboard and secure these keys in the vault.
    - Remove the embedded API keys by using CyberArk Application Identity Manager to securely retrieve the API keys for the AWS scripts, allowing scripts to run without risk of compromised AWS access and secret keys. Additionally, security administrators can sign the applications and scripts that use the AWS critical credentials to help prevent tampering. CyberArk Application Identity Manager is designed to strongly authenticate applications to detect tampering. If the software determines that a signed application has been tampered with, it will not give that application the vaulted credentials.
    - Periodically rotate the access keys, taking advantage of the CyberArk Enterprise Password Vault.

Benefits:
    - Provide a complete view of API keys used in the enterprise's AWS environment
    - Secure API keys in the vault, and allow only authorized users / applications to access them
    - Remove embedded API keys from scripts
    - Assure ongoing rotation of API keys to increase security posture and help meet compliance requirements
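The discover and rotate steps above, as an added PowerShell example that is not CyberArk's code and does not reproduce the vault API: it assumes the AWS Tools for PowerShell module with an IAM-privileged credential loaded, and a caller-supplied script block that hands the new secret to the vault.

```powershell
# Added example: find stale IAM access keys and rotate one safely (create, store,
# deactivate, retire) so that at no point does a key exist that nobody holds.

# Discover: every active key older than the allowed age.
function Find-StaleAccessKey {
    param([int] $MaxAgeDays = 90)
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    foreach ($user in Get-IAMUserList) {
        foreach ($key in Get-IAMAccessKey -UserName $user.UserName) {
            if ($key.Status -eq "Active" -and $key.CreateDate -lt $cutoff) {
                [pscustomobject]@{
                    UserName    = $user.UserName
                    AccessKeyId = $key.AccessKeyId
                    AgeDays     = [int]((Get-Date) - $key.CreateDate).TotalDays
                }
            }
        }
    }
}

# Rotate: create the replacement, store it, then deactivate (not delete) the old
# key so it can be re-enabled if a consumer was missed.
function Invoke-AccessKeyRotation {
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [string] $OldAccessKeyId,
        [Parameter(Mandatory)] [scriptblock] $StoreSecret   # receives user, key id, secret
    )
    # IAM allows at most two keys per user; fail early if there is no free slot.
    $existing = @(Get-IAMAccessKey -UserName $UserName)
    if ($existing.Count -ge 2) { throw "$UserName already has two access keys; remove an inactive one first" }

    $new = New-IAMAccessKey -UserName $UserName
    try {
        & $StoreSecret $UserName $new.AccessKeyId $new.SecretAccessKey
    } catch {
        # Storing failed: discard the new key and leave the old one active.
        Remove-IAMAccessKey -UserName $UserName -AccessKeyId $new.AccessKeyId -Force
        throw
    }
    Update-IAMAccessKey -UserName $UserName -AccessKeyId $OldAccessKeyId -Status Inactive
    return $new.AccessKeyId
}

# Retire: delete an inactive key only after a grace period with no recorded use.
function Remove-RetiredAccessKey {
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [string] $AccessKeyId,
        [int] $GraceDays = 7
    )
    $lastUsed = (Get-IAMAccessKeyLastUsed -AccessKeyId $AccessKeyId).AccessKeyLastUsed.LastUsedDate
    if ($lastUsed -and $lastUsed -gt (Get-Date).AddDays(-$GraceDays)) {
        throw "$AccessKeyId was used on $lastUsed; something still depends on it"
    }
    Remove-IAMAccessKey -UserName $UserName -AccessKeyId $AccessKeyId -Force
}

# Usage: the vault hand-off is a placeholder script block; replace it with the
# organization's own onboarding call.
$store = { param($u, $id, $secret) Write-Verbose "would store $id for $u in the vault" }
foreach ($stale in Find-StaleAccessKey -MaxAgeDays 90) {
    Invoke-AccessKeyRotation -UserName $stale.UserName -OldAccessKeyId $stale.AccessKeyId -StoreSecret $store
}
```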

Provisioning Processes

When a new instance is provisioned within AWS, whether it is a Windows or Linux machine, it includes unmanaged privileged accounts. The CyberArk Privileged Account Security Solution exposes an extensive API for storing and securing these privileged accounts in the digital vault. This API can be integrated with cloud automation/orchestration tools like Puppet, Chef, etc. as part of the provisioning processes, and assures that the privileged accounts of the newly provisioned instance, or container, will be securely stored in the vault. The same API can be used to remove passwords from the Vault when the instance is removed. As noted previously, another common challenge is the elimination of hard-coded and visible credentials from applications and scripts that utilize the AWS API. CyberArk Application Identity Manager can enable developers to remove the embedded AWS access key and secret key and retrieve them programmatically from the digital vault. The following shows an example of a PowerShell script that programmatically provisions a new Windows machine on AWS infrastructure, automatically stores the account credentials in the digital vault using RESTful API calls and starts managing the administrator account based on the organization's security policy. Similar code can be used in a Puppet module, Chef recipe or any other automation tool.
    ##########################################################
    # A function to check the instance status
    ##########################################################
    function WaitForState ($instanceid, $desiredstate) {
        while ($true)
        {
            $a = Get-EC2Instance -Instance $instanceid
            $state = $a.instances[0].state.name
            if ($state -eq $desiredstate)
            {
                break;
            }
            "$(Get-Date) Current State = $state, Waiting for Desired State=$desiredstate"
            Sleep -Seconds 5
        }
    }
    ##########################################################
    # Get AWS credentials from CyberArk Vault using CyberArk AIM
    # Note: Any changes to the script done after the script has been signed to the Vault will cause this call to fail.
    ##########################################################
    $CAOutput = C:\CyberArk\ApplicationPasswordSdk\CLIPasswordSDK.exe GetPassword /p AppDescs.AppId="AWSConnect" /p Query="Safe=AWS;Object=AWS Keys" /o PassProps.userName,Password
    ##########################################################
    if ($CAOutput -eq $null){
        Write-Host "Failed to get AWS Keys from CyberArk Vault"
    }
    else {
        # AWS authentication using access and secret key
        $AWSAccessKey = $CAOutput.Split(",")[0]
        $AWSSecretKey = $CAOutput.Split(",")[1]
        Initialize-AWSDefaults -AccessKey $AWSAccessKey -SecretKey $AWSSecretKey -Region us-east-1

        # Start creating new instance in AWS
        $a = Get-EC2ImageByName -Names WINDOWS_2012_BASE
        $imageid = $a.imageid
        $a = New-EC2Instance -ImageId $imageid -MinCount 1 -MaxCount 1 -InstanceType t1.micro -KeyName WindowsKey
        $instanceid = $a.instances[0].instanceid
        "New Instance is being created: $instanceid"
        WaitForState $instanceid Running
        $a = Get-EC2Instance -Instance $instanceid
        $publicdns = $a.instances[0].publicdnsname

        "Wait for the new instance ($instanceid) password to become available"
        $password = $null
        # Wait until the password is available. According to AWS this could be up to 30 minutes.
        # Catch all the exceptions - not a good idea for production code.
        # Get key for pwd decryption from CyberArk Vault using CyberArk AIM.
        $AWSDecryptKey = C:\CyberArk\ApplicationPasswordSdk\CLIPasswordSDK.exe GetPassword /p AppDescs.AppId="AWSConnect" /p Query="Safe=AWS;Object=AWS Windows Password Key" /o Password
        $KeyFilePath = "C:\CyberArk\POC\WinPwdKey.pem"
        # Write the key to a temporary file for Get-EC2PasswordData; it is removed below.
        $AWSDecryptKey | Set-Content $KeyFilePath
        while ($password -eq $null)
        {
            try
            {
                $password = Get-EC2PasswordData -InstanceId $instanceid -PemFile $KeyFilePath -Decrypt
            }
            catch
            {
                "$(Get-Date) Waiting for PasswordData to be available"
                Sleep -Seconds 5   # retry interval is not legible in the source; 5 seconds assumed
            }
        }
        Remove-Item $KeyFilePath
        "Got the password..."

        "Start creating account in the Vault"
        # The PVWA base URL is not legible in the source; set it for your environment.
        $pvwaBase = "<PVWA base URL>"
        $loginuri = "$pvwaBase/CyberArkAuthenticationService.svc/logon"
        $logoffuri = "$pvwaBase/CyberArkAuthenticationService.svc/logoff"
        $createaccounturi = "$pvwaBase/Account"

        $logoninfo = @{}
        $logoninfo.username = "myapp"
        # Get the API login password from CyberArk Vault using CyberArk AIM.
        $logoninfo.password = C:\CyberArk\ApplicationPasswordSdk\CLIPasswordSDK.exe GetPassword /p AppDescs.AppId="AWSConnect" /p Query="Safe=AWS;Object=myAppPwd" /o Password

        # account parameters
        $newaccounts = @{}
        $newaccount = @{}
        $newaccount.safe = "AWS"
        $newaccount.platformid = "WinServerLocal"
        $newaccount.address = $publicdns
        $newaccount.username = "administrator"
        $newaccount.password = $password
        $newaccount.accountname = $instanceid
        #$properties =
        #[
        #  {
        #    "Key" : "Port",
        #    "Value" :
        #  }
        #]
        #$newaccount.properties = $properties
        $newaccounts.account = $newaccount

        # login to the Vault
        $result = Invoke-RestMethod -Method Post -Uri $loginuri -ContentType application/json -Body (ConvertTo-Json($logoninfo))
        $logontoken = $result.cyberarklogonresult
        "Vault login successfully"
        $headers = @{ "Authorization" = $logontoken }

        # create the account in the Vault
        $result = Invoke-RestMethod -Method Post -Uri $createaccounturi -Headers $headers -ContentType application/json -Body (ConvertTo-Json($newaccounts))
        "Account created successfully"

        # logoff from the Vault
        $result = Invoke-RestMethod -Method Post -Uri $logoffuri -Headers $headers -ContentType application/json -Body (ConvertTo-Json($logoninfo))
        "Vault logoff successfully"

        "Finished provisioning instance in AWS and the privileged account $instanceid, $publicdns in CyberArk Vault"
        # Clear AWS credentials
        Clear-AWSDefaults
    }

The following shows an example of how to store a Linux account with an SSH key in the digital vault.

    ./accountuploader -VaultFile /etc/opt/carkpsmp/vault/vault.ini -CredFile admin.cred -SafeName AWS -KeyFile mylinuxkey.pem -DeviceType "Operating System" -PolicyId UnixSSHKeys -Address ec compute-1.amazonaws.com -UserName ec2-user

AWS Auto Scaling of Applications and Securing Credentials

AWS Auto Scaling helps maintain application availability and allows scaling EC2 capacity up or down automatically, ensuring the application is running on the desired number of EC2 instances. When an application leverages the CyberArk Application Identity Manager Credential Provider (an agent-based solution), a new agent needs to be deployed automatically whenever a new EC2 instance of the application starts. This can be achieved by installing the Credential Provider software on the Amazon Machine Image (AMI) and registering it to the vault at runtime when the new instance comes up. CyberArk provides sample code for integrating with an AWS Auto Scaling group via SQS (Simple Queue Service): any new instance with the Credential Provider that spins up is automatically and securely registered in the vault from a central location. This integration allows applications running in an Auto Scaling environment to dynamically adjust to their capacity needs while maintaining a high level of security, leveraging the CyberArk Digital Vault to access, rotate and secure privileged credentials according to the organization's policy.

3. Automating Deployment of the CyberArk Environment

Simplicity and agility are fundamental requirements in cloud migration, and IT, security and DevOps leaders want to use automation tools to rapidly and securely deploy and run CyberArk Privileged Account Security solutions to help protect the enterprise's cloud assets. Specifically, they want automation tools so they can rapidly deploy CyberArk to help control, automate, audit and analyze the privileges and credentials associated with their AWS Management Consoles, as well as the credentials and passwords used by their applications, data and other assets in their AWS environments.
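The central registration flow from the Auto Scaling passage above, as an added example that is not CyberArk's sample code. It assumes launch notifications reach a worker through SNS and an SQS queue, represents the vault-side registration as a caller-supplied function (the page does not show that API), and replaces the boto3 SQS client with a small in-memory fake so it runs offline on constructed messages.

```python
import json
from typing import Callable, Dict, List, Optional

LAUNCH_EVENT = "autoscaling:EC2_INSTANCE_LAUNCH"


def parse_notification(sqs_body: str) -> Optional[dict]:
    """Unwrap the SNS envelope in an SQS message body and return the Auto Scaling event.
    Anything that is not a well-formed SNS Notification carrying a JSON object yields None,
    so a stray or malformed message can never trigger a registration."""
    try:
        envelope = json.loads(sqs_body)
        if envelope.get("Type") != "Notification":
            return None
        event = json.loads(envelope["Message"])
        return event if isinstance(event, dict) else None
    except (ValueError, KeyError, TypeError, AttributeError):
        return None


class RegistrationWorker:
    """Registers each launched instance once, although SQS delivers at least once."""
    def __init__(self, register: Callable[[dict], bool], safe: str):
        self.register = register      # assumed vault-side call; returns True on success
        self.safe = safe
        self.registered = set()       # instance ids already registered (dedup)

    def build_request(self, event: dict) -> dict:
        """Record for the vault; AZ comes from the notification's Details block."""
        details = event.get("Details") or {}
        return {"safe": self.safe,
                "accountName": event["EC2InstanceId"],
                "autoScalingGroup": event.get("AutoScalingGroupName"),
                "availabilityZone": details.get("Availability Zone")}

    def handle(self, sqs_body: str) -> str:
        """Process one message body; return an outcome label."""
        event = parse_notification(sqs_body)
        if event is None:
            return "ignored:malformed"
        if event.get("Event") != LAUNCH_EVENT:      # terminations, test events, etc.
            return "ignored:" + str(event.get("Event"))
        instance_id = str(event.get("EC2InstanceId") or "")
        if not instance_id.startswith("i-"):
            return "ignored:bad-instance-id"
        if instance_id in self.registered:          # SQS redelivery of a handled launch
            return "duplicate"
        if not self.register(self.build_request(event)):
            return "failed"                         # leave on queue for redelivery
        self.registered.add(instance_id)
        return "registered"


def drain_once(sqs, queue_url: str, worker: RegistrationWorker) -> Dict[str, int]:
    """One receive/delete cycle. A message is deleted only after it was handled (registered,
    duplicate or ignored); a failed registration stays queued for SQS to redeliver."""
    resp = sqs.receive_message(QueueUrl=queue_url, MaxNumberOfMessages=10, WaitTimeSeconds=20)
    counts: Dict[str, int] = {}
    for msg in resp.get("Messages", []):
        outcome = worker.handle(msg["Body"])
        counts[outcome] = counts.get(outcome, 0) + 1
        if outcome != "failed":
            sqs.delete_message(QueueUrl=queue_url, ReceiptHandle=msg["ReceiptHandle"])
    return counts


def _sns(message: dict) -> str:   # wrap an event the way SNS delivers it to SQS (constructed)
    return json.dumps({"Type": "Notification", "Message": json.dumps(message)})


LAUNCH = {"Event": LAUNCH_EVENT, "EC2InstanceId": "i-0abc123def456789a",
          "AutoScalingGroupName": "app-asg", "Details": {"Availability Zone": "us-east-1a"}}
SAMPLE_BODIES: List[str] = [          # constructed: launch, its redelivery, a termination, junk
    _sns(LAUNCH), _sns(LAUNCH),
    _sns({"Event": "autoscaling:EC2_INSTANCE_TERMINATE", "EC2InstanceId": "i-0fedcba987654321b"}),
    "not json at all",
]


class FakeSQS:
    """In-memory stand-in for the boto3 SQS client so the example runs offline."""
    def __init__(self, bodies: List[str]):
        self.queue = [{"Body": b, "ReceiptHandle": f"rh-{i}"} for i, b in enumerate(bodies)]

    def receive_message(self, QueueUrl, MaxNumberOfMessages=1, WaitTimeSeconds=0):
        return {"Messages": list(self.queue[:MaxNumberOfMessages])}

    def delete_message(self, QueueUrl, ReceiptHandle):
        self.queue = [m for m in self.queue if m["ReceiptHandle"] != ReceiptHandle]


def demo() -> dict:
    """Run the constructed queue through the worker with a recording register()."""
    requests: List[dict] = []
    worker = RegistrationWorker(register=lambda req: requests.append(req) or True, safe="AWS")
    sqs = FakeSQS(SAMPLE_BODIES)
    counts = drain_once(sqs, "https://sqs.example/queue", worker)
    return {"counts": counts, "requests": requests, "remaining": len(sqs.queue)}
```

Swapping FakeSQS for `boto3.client("sqs")` and `register` for the real vault call is the only change needed to run it against a live queue.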
Using CyberArk cloud automation tools, in just a few minutes and with a single click, administrators can automatically deploy and establish the complete CyberArk Privileged Account Security environment in their previously configured AWS environment, so that it is quickly available to start securing the enterprise's cloud assets. The standard deployment architecture leverages AWS Privileged Account Security best practices, including separate AWS Availability Zones for the primary and disaster recovery vaults, as well as a dedicated AWS account for the CyberArk solution, thus ensuring that the vaults are independent of each other and of the cloud assets being secured. The cloud automation tools include CyberArk AMIs (Amazon Machine Images) and CloudFormation templates.

Of course, automating the deployment of the CyberArk environment is just part of the story. Additionally, CyberArk provides a reference architecture describing the recommendations and best practices for a CyberArk Privileged Account Security environment, based on the most common use cases. This covers, for example, guidance and best practices on where and how to place the different CyberArk components within the enterprise's overall AWS cloud architecture. The standard CyberArk environment can be deployed in minutes and supports a broad range of workflows and configurations. Alternatively, customers with more demanding requirements can customize and build their own AMIs using the automation building blocks from CyberArk. In each case, automation, reference architectures and agile deployment approaches can help accelerate privileged account projects to secure the enterprise's cloud-based assets.

The following shows a screenshot of CyberArk's CloudFormation template user interface for setting up a Privileged Account Security environment.

Screenshot: CyberArk CloudFormation template user interface (image not reproduced in this text)

Summary

CyberArk solutions enable enterprises to protect their cloud assets by providing powerful solutions for securing privileged accounts and credentials at each stage of their cloud journey. CyberArk offers several powerful integrations with AWS so an organization can increase the security of its cloud assets, including integration with AWS Security Token Service and AWS Inspector. CyberArk's cloud automation tools also simplify and accelerate the deployment of CyberArk solutions in the public cloud, enabling enterprises to set up the complete CyberArk environment in just a few minutes.

Another important consideration for protecting an enterprise's cloud assets is that a significant number of organizations don't use just one cloud provider but, for various reasons, use multiple cloud providers: business flexibility, multiple business lines, prior acquisitions, geographic coverage, etc. Additionally, enterprises may have legacy, on-premises or hybrid environments, in which case the same IT administrators may be accessing and managing multiple compute, DevOps tool and automation environments. CISOs and IT leaders typically want, as a best practice, to be able to enforce the same security policies across the entire enterprise regardless of their compute environments, delivery pipelines and automation tools.

Figure: Consistent Enterprise-Wide Security Policies. A single vault enforces the same policies across admin consoles, management consoles, private cloud, SaaS (Software as a Service), IaaS / PaaS compute environments, on-premises systems and DevOps tools (Single Vault Enables Consistent Enforcement of Security Policies).

To implement this best practice, enterprises typically want to manage user credentials and access permissions with a single solution. Whether your organization has fully embraced cloud or is just starting the journey, it is essential to implement robust privilege management policies to protect your cloud assets.

CyberArk has the solutions, resources and cloud expertise to help an enterprise protect and secure the keys to its cloud kingdom. For additional information visit cyberark.com/cloud

Copyright CyberArk Software. All rights reserved. No portion of this publication may be reproduced in any form or by any means without the express written consent of CyberArk Software. CyberArk, the CyberArk logo and other trade or service names appearing above are registered trademarks (or trademarks) of CyberArk Software in the U.S. and other jurisdictions. Any other trade and service names are the property of their respective owners. U.S., Doc # 160

CyberArk believes the information in this document is accurate as of its publication date. The information is provided without any express, statutory, or implied warranties and is subject to change without notice.

THIS PUBLICATION IS FOR INFORMATIONAL PURPOSES ONLY AND IS PROVIDED AS IS WITH NO WARRANTIES WHATSOEVER WHETHER EXPRESSED OR IMPLIED, INCLUDING WARRANTY OF MERCHANTABILITY, FITNESS FOR ANY PARTICULAR PURPOSE, NON-INFRINGEMENT OR OTHERWISE. IN NO EVENT SHALL CYBERARK BE LIABLE FOR ANY DAMAGES WHATSOEVER, AND IN PARTICULAR CYBERARK SHALL NOT BE LIABLE FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, OR DAMAGES FOR LOST PROFITS, LOSS OF REVENUE OR LOSS OF USE, COST OF REPLACEMENT GOODS, LOSS OR DAMAGE TO DATA ARISING FROM USE OF OR IN RELIANCE ON THIS PUBLICATION, EVEN IF CYBERARK HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.


More information

The Latest EMC s announcements

The Latest EMC s announcements The Latest EMC s announcements Copyright 2014 EMC Corporation. All rights reserved. 1 TODAY S BUSINESS CHALLENGES Cut Operational Costs & Legacy More Than Ever React Faster To Find New Growth Balance Risk

More information

Risk Intelligence. Quick Start Guide - Data Breach Risk

Risk Intelligence. Quick Start Guide - Data Breach Risk Risk Intelligence Quick Start Guide - Data Breach Risk Last Updated: 19 September 2018 --------------------------- 2018 CONTENTS Introduction 1 Data Breach Prevention Lifecycle 2 Choosing a Scan Deployment

More information

BYOD: BRING YOUR OWN DEVICE.

BYOD: BRING YOUR OWN DEVICE. white paper BYOD: BRING YOUR OWN DEVICE. On-BOaRDING and Securing DEVICES IN YOUR Corporate NetWORk PrepaRING YOUR NetWORk to MEEt DEVICE DEMaND The proliferation of smartphones and tablets brings increased

More information

Deploy Symantec Cloud Workload Protection for Storage

Deploy Symantec Cloud Workload Protection for Storage Deploy Symantec Cloud Workload Protection for Storage An additional layer of protection for your data stored in Amazon S3 Copyright 2018. Symantec or its affiliates. All rights reserved. Copyright 2018.

More information

Defining Security for an AWS EKS deployment

Defining Security for an AWS EKS deployment Defining Security for an AWS EKS deployment Cloud-Native Security www.aporeto.com Defining Security for a Kubernetes Deployment Kubernetes is an open-source orchestrator for automating deployment, scaling,

More information

Automating the Top 20 CIS Critical Security Controls

Automating the Top 20 CIS Critical Security Controls 20 Automating the Top 20 CIS Critical Security Controls SUMMARY It s not easy being today s CISO or CIO. With the advent of cloud computing, Shadow IT, and mobility, the risk surface area for enterprises

More information

Product Guide Revision B. McAfee Cloud Workload Security 5.0.0

Product Guide Revision B. McAfee Cloud Workload Security 5.0.0 Product Guide Revision B McAfee Cloud Workload Security 5.0.0 COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator, McAfee

More information

ForeScout CounterACT. Continuous Monitoring and Mitigation. Real-time Visibility. Network Access Control. Endpoint Compliance.

ForeScout CounterACT. Continuous Monitoring and Mitigation. Real-time Visibility. Network Access Control. Endpoint Compliance. Real-time Visibility Network Access Control Endpoint Compliance Mobile Security ForeScout CounterACT Continuous Monitoring and Mitigation Rapid Threat Response Benefits Rethink IT Security Security Do

More information

HPE Digital Learner AWS Certified SysOps Administrator (Intermediate) Content Pack

HPE Digital Learner AWS Certified SysOps Administrator (Intermediate) Content Pack Content Pack data sheet HPE Digital Learner AWS Certified SysOps Administrator (Intermediate) Content Pack HPE Content Pack number Content Pack length Content Pack category Learn more CP017 20 Hours Category

More information

Securing Your Most Sensitive Data

Securing Your Most Sensitive Data Software-Defined Access Securing Your Most Sensitive Data Company Overview Digital Growth Means Digital Threats Digital technologies offer organizations unprecedented opportunities to innovate their way

More information

ALERT LOGIC LOG MANAGER & LOG REVIEW

ALERT LOGIC LOG MANAGER & LOG REVIEW SOLUTION OVERVIEW: ALERT LOGIC LOG MANAGER & LOG REVIEW CLOUD-POWERED LOG MANAGEMENT AS A SERVICE Simplify Security and Compliance Across All Your IT Assets. Log management is an essential infrastructure

More information

Google Identity Services for work

Google Identity Services for work INTRODUCING Google Identity Services for work One account. All of Google Enter your email Next Online safety made easy We all care about keeping our data safe and private. Google Identity brings a new

More information

A10 HARMONY CONTROLLER

A10 HARMONY CONTROLLER DATA SHEET A10 HARMONY CONTROLLER AGILE MANAGEMENT, AUTOMATION, ANALYTICS FOR MULTI-CLOUD ENVIRONMENTS PLATFORMS A10 Harmony Controller provides centralized agile management, automation and analytics for

More information

ARCHITECTING WEB APPLICATIONS FOR THE CLOUD: DESIGN PRINCIPLES AND PRACTICAL GUIDANCE FOR AWS

ARCHITECTING WEB APPLICATIONS FOR THE CLOUD: DESIGN PRINCIPLES AND PRACTICAL GUIDANCE FOR AWS ARCHITECTING WEB APPLICATIONS FOR THE CLOUD: DESIGN PRINCIPLES AND PRACTICAL GUIDANCE FOR AWS Dr Adnene Guabtni, Senior Research Scientist, NICTA/Data61, CSIRO Adnene.Guabtni@csiro.au EC2 S3 ELB RDS AMI

More information

Data Breach Risk Scanning and Reporting

Data Breach Risk Scanning and Reporting Data Breach Risk Scanning and Reporting 2017. SolarWinds. All rights reserved. All product and company names herein may be trademarks of their respective owners. The information and content in this document

More information

Securing Your Microsoft Azure Virtual Networks

Securing Your Microsoft Azure Virtual Networks Securing Your Microsoft Azure Virtual Networks IPS security for public cloud deployments It s no surprise that public cloud infrastructure has experienced fast adoption. It is quick and easy to spin up

More information

Best Practices in Securing Your Customer Data in Salesforce, Force.com & Chatter

Best Practices in Securing Your Customer Data in Salesforce, Force.com & Chatter White Paper Best Practices in Securing Your Customer Data in Salesforce, Force.com & Chatter Overcoming Security, Privacy & Compliance Concerns 333 W. San Carlos Street San Jose, CA 95110 Table of Contents

More information

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM OVERVIEW The Verizon 2016 Data Breach Investigations Report highlights that attackers are regularly outpacing the defenders.

More information

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT RSA ARCHER IT & SECURITY RISK MANAGEMENT INTRODUCTION Organizations battle growing security challenges by building layer upon layer of defenses: firewalls, antivirus, intrusion prevention systems, intrusion

More information

Security & Compliance in the AWS Cloud. Vijay Rangarajan Senior Cloud Architect, ASEAN Amazon Web

Security & Compliance in the AWS Cloud. Vijay Rangarajan Senior Cloud Architect, ASEAN Amazon Web Security & Compliance in the AWS Cloud Vijay Rangarajan Senior Cloud Architect, ASEAN Amazon Web Services @awscloud www.cloudsec.com #CLOUDSEC Security & Compliance in the AWS Cloud TECHNICAL & BUSINESS

More information

CLOUD SECURITY CRASH COURSE

CLOUD SECURITY CRASH COURSE CLOUD SECURITY CRASH COURSE ADDRESSING REAL WORLD CONCERNS Joel Friedman, CTSO ABOUT ME Name: Joel Friedman Title: Chief Technology & Security Officer of Datapipe Certifications: CISSP, CISA, CISM, CRISC,

More information

Dell One Identity Cloud Access Manager 8.0. Overview

Dell One Identity Cloud Access Manager 8.0. Overview Dell One Identity Cloud Access Manager 8.0 2015 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under

More information

Introduction to Amazon Cloud & EC2 Overview

Introduction to Amazon Cloud & EC2 Overview Introduction to Amazon Cloud & EC2 Overview 2015 Amazon Web Services, Inc. and its affiliates. All rights served. May not be copied, modified, or distributed in whole or in part without the express consent

More information

Layer Security White Paper

Layer Security White Paper Layer Security White Paper Content PEOPLE SECURITY PRODUCT SECURITY CLOUD & NETWORK INFRASTRUCTURE SECURITY RISK MANAGEMENT PHYSICAL SECURITY BUSINESS CONTINUITY & DISASTER RECOVERY VENDOR SECURITY SECURITY

More information

Security & Compliance in the AWS Cloud. Amazon Web Services

Security & Compliance in the AWS Cloud. Amazon Web Services Security & Compliance in the AWS Cloud Amazon Web Services Our Culture Simple Security Controls Job Zero AWS Pace of Innovation AWS has been continually expanding its services to support virtually any

More information