granted according to established policies with appropriate approvals; that all actions are fully audited and tracked; and that passwords are changed immediately upon their return.

Privileged Password Manager also eliminates the security exposure posed by embedded privileged passwords required for applications to talk to each other or to a database by replacing these hardcoded passwords with programmatic calls that dynamically retrieve the account credential.

Privileged Password Manager is deployed on a secure, hardened appliance.

Privileged Session Manager
Privileged Session Manager enables authorized trusted workforce members to issue privileged access for a specific period or session to administrators, remote vendors and high-risk users — with full recording and replay for auditing and compliance. It provides a single point of control from which trusted workforce members can authorize connections, limit access to specific resources, allow only certain commands to be run, view active connections, record all activity, alert if connections exceed pre-set time limits, and terminate connections. This solution is also deployed on a secure, hardened appliance and, when combined with Privileged Password Manager, it can completely hide the account password from the privileged user.

Privilege Manager for Sudo
Privilege Manager for Sudo enhances sudo with a central policy server that enables centralized management of sudo and the sudoers policy file, as well as centralized reporting on sudoers access rights and activities. It also performs keystroke logging, complete with search and playback capabilities, for in-depth auditing and compliance requirements. Privilege Manager for Sudo is part of Dell Privileged Access Suite for Unix.

Dell PAM solutions substantially automate privileged account management to help ensure compliance with ISO 27001 control objectives and industry best practices.

Meeting ISO 27001 requirements with Dell PAM solutions
This chart on the following pages provides a detailed mapping of ISO/IEC 27001:2013 controls to the capabilities of Dell privileged account management solutions. You can use this mapping to proactively identify and address gaps in your ISO compliance with Dell PAM solutions.
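The passage above on replacing embedded application passwords with programmatic credential retrieval, shown as an added example that is not Dell code: the vault client, its checkout/checkin API, the account name and the connection string are constructed stand-ins for illustration. The anti-pattern with a hardcoded credential sits beside a form that checks the credential out of a vault only for the duration of the work, audits the action and rotates the password on return, plus a small scanner that flags embedded password literals in configuration text.

```python
"""Embedded application passwords versus runtime retrieval (added example).

CredentialVault is an in-memory stand-in for a credential manager; its API
is assumed here for illustration and is not a real product interface.
"""
import re
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class AuditEntry:
    when: str
    account: str
    requester: str
    action: str
    reason: str = ""


class CredentialVault:
    """Constructed stand-in: hands out credentials, logs every action and
    rotates the password when a checkout is returned."""

    def __init__(self) -> None:
        self._passwords: dict = {}
        self._checked_out: set = set()
        self.audit: list = []

    def add_account(self, account: str) -> None:
        # Randomised initial password; no human needs to know or record it.
        self._passwords[account] = secrets.token_urlsafe(24)

    def _log(self, account: str, requester: str, action: str, reason: str = "") -> None:
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append(AuditEntry(stamp, account, requester, action, reason))

    def checkout(self, account: str, requester: str, reason: str) -> str:
        if account not in self._passwords:
            raise KeyError(f"unknown account {account}")
        if account in self._checked_out:
            raise RuntimeError(f"{account} is already checked out")
        self._checked_out.add(account)
        self._log(account, requester, "checkout", reason)
        return self._passwords[account]

    def checkin(self, account: str, requester: str) -> None:
        # The password is changed immediately upon return, so any copy the
        # application held is useless afterwards.
        self._checked_out.discard(account)
        self._passwords[account] = secrets.token_urlsafe(24)
        self._log(account, requester, "checkin+rotate")

    def current_password(self, account: str) -> str:
        return self._passwords[account]


# --- Anti-pattern: the credential is embedded in the application. ---
def build_dsn_hardcoded() -> str:
    """Constructed example of an embedded credential: it lives in source
    control, backups and memory dumps, and every copy of the app shares it."""
    return "postgresql://app_svc:Summer2015!@db.example.internal/orders"


# --- Hardened form: fetch at runtime, use briefly, return and rotate. ---
def run_with_credential(vault: CredentialVault, requester: str, work):
    """Check the account out of the vault, run `work(password)`, and always
    check it back in (which rotates it), even if the work fails."""
    password = vault.checkout("app_svc", requester, reason="orders batch job")
    try:
        return work(password)
    finally:
        vault.checkin("app_svc", requester)


# --- Detection: find password literals left in configuration text. ---
EMBEDDED_SECRET = re.compile(r"""(?i)\b(password|passwd|pwd)\s*[=:]\s*['"]?([^\s'"]{6,})""")


def find_embedded_secrets(text: str) -> list:
    """Return (line number, keyword) for lines that assign a literal secret.
    Values of the form ${...} are treated as runtime references and skipped."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = EMBEDDED_SECRET.search(line)
        if m and not m.group(2).startswith("${"):
            hits.append((lineno, m.group(1).lower()))
    return hits


# Constructed sample configuration: one embedded literal, one vault reference.
SAMPLE_CONFIG = """\
[database]
host = db.example.internal
password = Summer2015!
[api]
passwd = ${VAULT:app_svc}
"""

if __name__ == "__main__":
    vault = CredentialVault()
    vault.add_account("app_svc")
    dsn = run_with_credential(
        vault, "batch-runner", lambda pw: f"postgresql://app_svc:{pw}@db.example.internal/orders")
    print("connection string built; audit trail:", [e.action for e in vault.audit])
    print("embedded secrets in config:", find_embedded_secrets(SAMPLE_CONFIG))
```

The audit trail records who checked the account out and why, which is what an auditor reviewing A.9.2.x or A.12.4.x evidence would ask for; the scanner is the complementary check that no literal was left behind once the application was converted.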
ISO/IEC 27001:2013 controls from Annex A
Each entry lists the control number and name, followed by how Dell PAM solutions help.

A.6.2.2 Teleworking (remote access)
Organizations allowing remote access need a policy that restricts remote access privileges. Privileged Password Manager can restrict unauthorized remote IP addresses for API and CLI sessions. Privileged Password Manager, Privileged Session Manager and Privilege Manager for Sudo automatically generate randomized passwords to reduce the risk of pass-the-hash, credential harvesting and other exploits that are often associated with remote access. Privileged Session Manager also protects against viruses, malware and other dangerous items that may exist on a remote user’s system because it proxies all sessions to target resources. In addition, it records all actions users perform.

A.7.2.1 Management responsibilities
Deploying Privileged Password Manager and Privileged Session Manager provides an excellent way for management to demonstrate its support of the organization’s information security policies, procedures and controls.

A.7.3.1 Termination or change of employment responsibilities
Privileged Password Manager, Privileged Session Manager and Privilege Manager for Sudo can quickly terminate access privileges to sensitive information and reduce or remove access to system accounts — even if a user has multiple identities from holding different roles over many years with the organization.

A.8.1.1 Inventory of assets
Privileged Password Manager and Privileged Session Manager can automatically discover all systems in your organization’s directory and export a list of active systems associated with the appliance, in either Excel or CSV format.

A.8.1.2 Ownership of assets
Privileged Password Manager, Privileged Session Manager and Privilege Manager for Sudo can ensure that only asset owners or those authorized by asset owners can grant access privileges to specific assets.

A.8.1.3 Acceptable use of assets
Privileged Password Manager, Privileged Session Manager and Privilege Manager for Sudo can enforce a policy requiring that access privileges be granted to only those areas, applications and functions required for assigned tasks.

A.8.2.2 Labeling of information
Once an information classification scheme has been adopted and information assets have been labeled per the scheme, you can configure the corresponding privileged access request and approval requirements that are based on the scheme into various procedural workflows in Privileged Password Manager.

A.9.1.1 Access control policy
Privileged Password Manager and Privileged Session Manager can enforce every logical access control identified in the “implementation guidance” and “other information” provided for access control policies in ISO 27002:2013, section 9.1.1.

A.9.1.2 Access to networks and network services
Privileged Password Manager and Privileged Session Manager can enforce every logical access control identified in the implementation guidance provided for policies on the use of networks and network services in ISO 27002:2013, section 9.1.2.

A.9.2.1 User registration and de-registration
A.9.2.2 User access provisioning
A.9.2.3 Management of privileged access rights
A.9.2.4 Management of secret authentication information of users
A.9.2.5 Review of user access rights
A.9.2.6 Removal or adjustment of access rights
Privileged Password Manager and Privileged Session Manager provide organizations with a ready-made framework designed to support:
• A formal user registration and de-registration process to enable assignment of access rights
• A formal user access provisioning process to assign or revoke access rights for all user types to all systems and services
• A full-featured model for the complete management and review of access rights
Features include the assignment of unique user IDs; the means to adjust or revoke system access privileges across a variety of platforms in a timely manner for users who have changed roles or have left the organization; and the assured elimination of redundant user IDs across multiple platforms through a secure, centralized repository for user credentials.

A.9.3.1 Use of secret authentication information
By automatically generating randomized passwords, Privileged Password Manager helps organizations keep authentication information confidential by eliminating the need to remember passwords or record them in an unsecure manner.
A.9.4.1 Information access restriction
Privileged Password Manager, Privileged Session Manager and Privilege Manager for Sudo can all restrict access to sensitive information (and system functions that could potentially provide such access) per your organization’s access control policy. Specifically, these solutions enable you to carefully manage privileged access and grant access to privileged information via an access request/approval workflow.

A.9.4.2 Secure log-on procedures
Privileged Password Manager and Privileged Session Manager support a wide variety of secure log-on procedures that meet the requirements of section 9.4.2.

A.9.4.3 Password management system
A.9.4.4 Use of privileged utility programs
Privileged Password Manager, Privileged Session Manager and Privilege Manager for Sudo provide a centralized, secure password vault and password request workflow for authorizing and managing privileged user access controls. They also enable you to grant and log temporary use of privileged utility programs across a variety of database and operating system platforms.

A.9.4.5 Access control to program source code
Privileged Password Manager, Privileged Session Manager and Privilege Manager for Sudo can ensure that support personnel do not have unrestricted access to program source libraries and that developers do not have unrestricted access to the live operating environment. Also, Privileged Session Manager can record all session activities and Privilege Manager for Sudo can record all commands run during a session. These detailed records of authorized privilege activities can be used to review break/fix situations when emergency access to source code was needed.

A.10.1.1 Policy on the use of cryptographic controls
All data stored in Privileged Password Manager and Privileged Session Manager is encrypted in storage and in transit. All connections to remote systems are proxied through the appliance, ensuring a secure single access point.

A.11.2.4 Equipment maintenance
A.11.2.5 Removal of assets
A.11.2.6 Security of equipment and assets off-premises
A.11.2.8 Unattended user equipment
Privileged Password Manager and Privileged Session Manager include an intrusion switch that detects when the appliance’s cover is opened.

A.12.1.1 Documented operating procedures
By enabling you to grant temporary access for a particular task and automatically revoking it on schedule, Privileged Session Manager and Privilege Manager for Sudo can support and record documented routine operating procedures such as computer startup, shutdown and backup, as well as non-routine procedures in which emergency access is required for a particular situation and reviewed later for proper accountability.

A.12.1.2 Change management
Change management is a foundational control for keeping unauthorized changes out of production operating environments. Privileged Password Manager, Privileged Session Manager and Privilege Manager for Sudo can enforce change approval processes in both development and production environments. In addition, these tools are ideal for emergencies, when quick (but controlled) changes are required to resolve an incident.

A.12.1.3 Capacity management
Session logs can be archived to external storage to ensure that physical resources on the Privileged Password Manager and Privileged Session Manager appliances are not exhausted.

A.12.1.4 Separation of development, testing and operational environments
Privileged Password Manager, Privileged Session Manager and Privilege Manager for Sudo can implement and enforce the privileged access authorization aspects of separating operational, testing and development environments.

A.12.2.1 Controls against malware
Privileged Password Manager, Privileged Session Manager and Privilege Manager for Sudo all greatly reduce the risk of malware spreading in your network. For example, these solutions can restrict, manage and monitor activities in which malicious software is known to infect a network, such as new software downloads, automated software updates and unauthorized software installations.
A.12.3.1 Information backup
By enabling you to grant temporary access for a particular task and automatically revoking it on schedule, Privileged Session Manager and Privilege Manager for Sudo can provide secure access to backup files, as well as manage and record both scheduled and unscheduled backup procedures.

A.12.4.1 Event logging
A.12.4.2 Protection of log information
A.12.4.3 Administrator and operator logs
Privileged Password Manager and Privileged Session Manager protect logging facilities and log information in at least three ways:
• By permitting only authorized administrators to access them
• By creating their own record of sensitive privileged sessions to supplement the information contained in event logs
In addition, the appliance has its own database event log, logon security log, firewall log, Proc log (which collects information on cluster replication, software updates, batch processing and system services), alert log and archive log. It also gives you the option of securely replicating system admin, user activity and failed login events to a non-destructive syslog server.

A.12.4.4 Clock synchronization
Privileged Password Manager supports Network Time Protocol (NTP) to ensure that clocks across all Dell devices are synchronized with a trusted time source.

A.12.5.1 Installation of software on operational systems
A.12.6.1 Management of technical vulnerabilities
A.12.6.2 Restrictions on software installation
Privileged Password Manager, Privileged Session Manager and Privilege Manager for Sudo can reduce technical vulnerabilities, such as unauthorized software downloads and installations, by enabling authorized administrators to ensure that all appropriate reviews, analysis, testing and production update scheduling are performed before software is installed.

A.12.7.1 Information systems audit controls
Many organizations have core business applications with their own native auditing features. However, because organizations usually store and access sensitive information on and from many systems, they need audit controls that operate outside these systems.
Privileged Password Manager, Privileged Session Manager and Privilege Manager for Sudo can provide audit teams with timed, recorded, scope-bounded, read-only privileges to session recordings, enabling them to audit privileged activities in many information systems that contain or provide access to sensitive information. Privileged activities can be audited by user and by system.

A.13.1.1 Network controls
Privileged Session Manager and Privilege Manager for Sudo can enforce privileged access policies and monitor and record privileged activities on both servers and network devices to ensure that controls are consistently applied across the information processing infrastructure. For example, Privilege Manager for Sudo can ensure that script files that include embedded sudo commands are compatible across all Unix-based systems. In addition, all access to and from the Privileged Session Manager appliance, which provides the central console for these tools, is encrypted.

A.13.1.2 Security of network services
Privilege Manager for Sudo can ensure that all services requiring network access by network service providers are properly authorized and permitted only within the access limitations of your organization’s network services agreements.

A.13.1.3 Segregation in networks
Network segregation is a standard security control for isolating logical groups of servers and users who have similar trust levels or who are working at the same location or in the same department. It prevents network users who generally do not have a need to know from having access to all devices in the organization’s network.
Privileged Password Manager, Privileged Session Manager and Privilege Manager for Sudo are designed to work with popular methods of network segregation, such as subnets, Windows domains and AD forests, to support multiple types of network segregation, such as location-specific, department-specific or domain-specific sets of access controls.
Conclusion
When used to manage privileged access to an organization’s systems and underlying platforms that store or protect the integrity of sensitive data, Privileged Password Manager, Privileged Session Manager and Privilege Manager for Sudo enable organizations to automate a substantial number of ISO 27001 Annex A’s reference controls for protecting against unauthorized access to virtually all systems within the ISMS scope. In short, Dell privileged account management solutions can help you achieve, maintain and demonstrate compliance with many ISO 27001 controls by helping you manage the use of administrative privileges, restrict access based on need-to-know and record the activities performed in all controlled environments by users using privileged accounts. Moreover, by addressing multiple foundational controls and automating everyday tasks, these solutions will further your organization’s broader security goals and deliver a sound return on investment.

To learn more about Dell PAM solutions, please visit software.dell.com/solutions/privileged-management.

About the author
Joe Grettenberger has over 27 years of experience as an IT assurance professional, including eight years of technology auditing experience in both the public and private sectors. He is certified as an information systems auditor (CISA) and compliance & ethics professional (CCEP), and has served clients for over seven years as an IT governance and risk management consultant covering a wide range of IT assurance issues within the regulatory, legal and industry compliance space.

Grettenberger has held IT audit, assurance and advisory positions at a number of organizations, including Modern Compliance Solutions, Quest Software, Vintela, Center 7, Franklin Covey and SAIC. He started his own consulting practice in 2008. He was a recent participant in the Internet Security Alliance initiative to promote cross-industry IT security standards, and he has participated in several other standard-setting best practice initiatives, including serving on the SunTone Architecture Council and chairing the MSP Association’s Best Practice Committee. www.compliancecollaborators.com
For More Information
Dell Software
5 Polaris Way
Aliso Viejo, CA 92656
www.dellsoftware.com

© 2015 Dell, Inc. ALL RIGHTS RESERVED. This document contains proprietary information protected by copyright. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose without the written permission of Dell, Inc. (“Dell”).

Dell, Dell Software, the Dell Software logo and products — as identified in this document — are registered trademarks of Dell, Inc. in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners.

The information in this document is provided in connection with Dell products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Dell products. EXCEPT AS SET FORTH IN DELL’S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, DELL ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL DELL BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF DELL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Dell makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Dell does not make any commitment to update the information contained in this document.

TechBrief-ISO/IEC-27001-Compliance-US-AC-26688