ELIMINATE SECURITY BLIND SPOTS WITH THE VENAFI AGENT

Agentless discovery can't find all keys and certificates

When deploying security within any environment, one choice that always comes up is whether to deploy an agent-based or agentless solution. There are positives and negatives to both approaches. This white paper aims to help you choose which method will best protect the foundation of your security, keys and certificates, based on the problem you are solving for and the level of security you need.

This is a significant issue that impacts most of the Global 5000: 54% don't have visibility into where all their keys and certificates are, many of which are not network discoverable.

Agentless Key and Certificate Discovery Is Not Enough

Most organizations prefer agentless security platforms, services, and solutions because they typically require less configuration and less administration, and have minimal impact on system resources. For network discovery, most tend to believe that agentless discovery meets their requirements to secure keys and certificates. However, the problem they are solving for has changed. The problem is not a simple PKI management issue: where are all of my keys and certificates and how many do I have? The problem is now a security issue where attackers are using encryption to hide their malicious activities within your traffic. Key and certificate management is no longer just an IT function, so it cannot be treated the same way IT generally thinks about installing applications, servers, and services. It has become a security program, and as such, it requires continuous monitoring, compliance, and regulation. This does not mean that IT security teams need to install and maintain an agent that is burdensome and system resource intensive. Rather, the ideal discovery agent will have minimal system impact and be discreet, reliable, and agile enough that it can be installed anywhere. At the same time, it should be robust enough to leverage automation, receive updates, and enforce policies from the management platform.

Venafi and Agentless Discovery

The Venafi Trust Protection Platform features agentless discovery that provides a very comprehensive view into your encryption posture to help you eliminate any security blind spots that are caused by unknown or rogue keys and certificates. Consistent monitoring and discovery of network-discoverable keys and certificates helps eliminate a majority of these blind spots. However, there are still some locations where keys and certificates cannot be found with agentless discovery. The Venafi agent is a client/server application that works within the Venafi Trust Protection Platform to provide constant visibility into the blind spots where agentless discovery cannot see.

The Venafi agent continuously monitors for any changes to your SSL/TLS keys and certificates and SSH keys on any supported system in your network. The Venafi agent is installed on local systems, where it performs scheduled protection for encryption assets found in designated keystores and directories that are not network discoverable. In addition, the Venafi agent enforces SSH security policies, adds and removes access keys, and ensures the reliable rotation of both user and authorized SSH keys. The agent enables you to change SSH source restrictions, forced commands, and other key options to harden your SSH security and enforce customized SSH policies.

The chart below compares use cases where either an agent-based or agentless approach is best suited to the discovery of keys and certificates.

AGENTLESS DISCOVERY
- Any network-facing TLS/SSL keys
- Any network-facing SSH servers
- Network appliances
- SSH keys on Linux, HP-UX, AIX, Solaris (a credential to log in to the box using SSH is required)

AGENT-BASED DISCOVERY
- Certificates using TLS protocols that are not discoverable
- Certificates where SNI is being used
- Certificates that are being used for client authentication
- PEM Store
- PKCS12 Store
- PB7 Store
- Java Key Store
- CMS Key Store
- iPlanet Keystore
- SSH keys on Linux, HP-UX, AIX, Solaris
- SSH keys on Windows
- SSH key usage monitoring

How Lightweight Is the Venafi Agent?

The Venafi agent only requires 40 MB of free disk space: 30 MB for the software and 10 MB to queue data to be sent to the Trust Protection Platform server. The agent utilization profile (both memory and CPU) depends on the number of keys and certificates on a system. The only port that must be opened is 443 back to the Trust Protection Platform server. The agent supports Linux, Solaris, HP-UX, AIX, and Windows.

The agent was designed to minimize both CPU usage and overall system resource impact. For example, the agent has a feature called Randomization that randomizes the times at which the agent communicates with the server or performs a scan on a host system. The Randomization feature reduces the impact on a host's virtual hypervisor with multiple guest systems running on it.
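As an added illustration (this is not Venafi's code and does not describe how the Venafi agent is implemented), the following Python sketch shows the two behaviours the paper attributes to a local agent: inventorying the PEM certificates and private keys found in designated directories that no network scan would reach, and reporting only what changed since the previous check-in. Every file name and payload below is constructed sample data, not a real certificate or key.

```python
import base64
import hashlib
import os
import re
import tempfile
from typing import Dict, Set, Tuple

Inventory = Dict[str, Tuple[str, str]]  # sha256 fingerprint -> (object kind, file path)
# One PEM-framed object; these sit in local keystores that network discovery never sees.
PEM_BLOCK = re.compile(r"-----BEGIN (CERTIFICATE|(?:RSA |EC )?PRIVATE KEY)-----\s*(.*?)\s*-----END \1-----", re.S)

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes: the same object found in two files counts once."""
    return hashlib.sha256(der).hexdigest()

def scan_directory(root: str) -> Inventory:
    """Walk a designated directory and inventory every PEM certificate or private key."""
    inventory: Inventory = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="ascii", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole scan
            for kind, body in PEM_BLOCK.findall(text):
                try:
                    der = base64.b64decode("".join(body.split()), validate=True)
                except ValueError:
                    continue  # PEM framing around invalid base64 is not an asset
                inventory[fingerprint(der)] = (kind, path)
    return inventory

def delta(previous: Inventory, current: Inventory) -> Dict[str, Set[str]]:
    """After the initial submission only the differences need to travel to the server."""
    return {"added": set(current) - set(previous), "removed": set(previous) - set(current)}

def pem(kind: str, payload: bytes) -> str:
    """Frame constructed bytes as PEM (sample data, not a real certificate or key)."""
    return f"-----BEGIN {kind}-----\n{base64.b64encode(payload).decode()}\n-----END {kind}-----\n"

def write(root: str, name: str, text: str) -> None:
    with open(os.path.join(root, name), "w") as fh:
        fh.write(text)

def run_demo() -> Dict[str, Set[str]]:
    """Scan a constructed keystore directory twice; a client-auth cert appears in between."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "server.pem", pem("CERTIFICATE", b"constructed server cert") + pem("RSA PRIVATE KEY", b"constructed key"))
        write(root, "notes.txt", "-----BEGIN CERTIFICATE-----\nnot base64!\n-----END CERTIFICATE-----\n")
        first = scan_directory(root)
        write(root, "client-auth.crt", pem("CERTIFICATE", b"constructed client cert"))
        return {"first": set(first), **delta(first, scan_directory(root))}
```

The second scan reports a single added fingerprint and nothing removed; the malformed block in notes.txt is ignored rather than counted as an asset.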

Once the agent performs its initial discovery and submission of discovered certificates and keys to the Trust Protection Platform server, in subsequent updates it submits only the data that has changed. The times when the agent actively performs scanning or remediation operations are centrally configurable (e.g., hourly, daily, weekly, monthly, time of day). This gives administrators complete control of the operating footprint of the agent.

Using the Venafi Agent can also reduce the amount of work required to configure and manage trust between Trust Protection Platform and the agent-enabled devices where you plan to deploy certificates. This is especially true if you do not use similar configurations across the devices where you want to install certificates. As certificates are discovered, Trust Protection Platform creates the necessary objects so that it can manage the discovered certificates almost immediately, regardless of their configuration. The agent-based method also helps with load distribution because installed Server Agents use the system resources on the devices where they are installed, as opposed to an agentless approach, where all of the work is performed on the Trust Protection Platform server. With an agent, you avoid having a single device perform hundreds of tasks. Instead, you have hundreds of devices performing a few tasks each.

Venafi Agent Benefits

GROUPING
Allows you to logically group agent-enabled devices so that you can easily assign different configurations to the devices within each group. Grouping devices also lets you more easily delegate groups to other administrators to coordinate and complete various types of work.

NO REQUIREMENT FOR CREDENTIALS
Eliminates the challenge of managing multiple credentials. Agentless technologies, in some cases, require administrative credentials for agentless discovery. This makes it challenging to find the correct people to get the credentials from, and then to keep those credentials in sync when they are changed. With the Venafi agent installed, this is easier because the server agent runs as a system service/daemon with administrative access. The connection back to the Venafi Trust Protection Platform is protected with TLS encryption and authentication that includes a rolling code that changes on every agent check-in. With the Venafi agent, administrators do not need to worry about gathering and managing credentials, because the authentication between the platform and the agents is automatic once they register.

WORK ASSIGNMENT BY GROUP
Lets you define group membership rules for each agent group. Rules allow you to specify criteria that determine which systems become members of which groups. Work can then be configured and assigned to the systems within each group. There are several different types of work that can be configured within agent groups, including agent registration, SSH configuration, certificate discovery, and agent upgrades. For example, you might assign agent registration work to one group and SSH configuration work to another group, or you could assign all work types to one or more agent groups.

Additional Features

Discovers SSH encryption assets located on the file system, rotates authorized keys and user keys for SSH, and utilizes client REST APIs over HTTPS. In addition, the agent can be used to audit key usage by gathering information from SSH server logs.

Example Scenarios

Each consideration is followed by the recommended approach:
- If you have a Unix or Linux system and you need CMS (GSK), JKS, PEM, or PKCS#12: Agent or Agentless, depending on which method best fits your organization
- If you have a network appliance like F5 BIG-IP LTM, Citrix NetScaler, A10 vThunder, IBM DataPower, etc.: Agentless
- If you have a Windows system and you need CMS (GSK), JKS, PEM, or PKCS#12: Agent
- If your security policy does not allow exposing sudo/root credentials to remote systems for SSH key scanning: Agent
- Strict network restrictions (and associated architecture): Agentless
- If Trust Protection Platform is able to connect to a device on which you plan to install a certificate but the device cannot contact Trust Protection Platform: Agentless. If a device cannot connect to the Trust Protection Platform, then an agent would not function. During agentless certificate installation, Trust Protection Platform initiates the network connection.
- If you have strict restrictions on SSH access to the device (e.g., all external connections to the device are workflow enforced): Agent
- Devices have dissimilar configurations (use many different management credentials, keystore locations vary from server to server, etc.): Agent
- Your servers cannot have software installed: Agentless
- Device operating system version is not supported by the Venafi Agent: Agentless
- You want to perform routine scanning of trust assets on all of your devices: Agent

Venafi helps you eliminate blind spots

No single discovery method will help you locate all of your keys and certificates. And any key or certificate that you don't know about represents a blind spot in your security that hackers could leverage to infiltrate your business. The Venafi Trust Protection Platform helps you maintain visibility and control of all your keys and certificates with both agentless and agent-based protection. So you can leverage the approach that works best in your business: lightweight agentless discovery for your network-based keys and certificates, and agent-based protection for keys and certificates that are not network discoverable.

ABOUT VENAFI

Venafi is the market-leading cybersecurity company that secures and protects keys and certificates so they can't be used by bad guys in attacks. Venafi provides the Immune System for the Internet, constantly assessing which keys and certificates are trusted, protecting those that should be trusted, and fixing or blocking those that are not.

2016 Venafi, Inc. All rights reserved. Venafi and the Venafi logo are trademarks of Venafi, Inc. Part Number: 160603-WP-Venafi-