StorageGuard can use various enterprise access control solutions to authenticate to scanned systems and collect configuration data from them. If your organization uses access control solutions for password management or privilege management, StorageGuard can be configured to use them seamlessly as part of the standard scan. This article describes several common integration points with enterprise access control solutions.
CyberArk
StorageGuard integrates with the following components of the Privileged Account Security Solution Suite:
- Enterprise Password Vault
- Application Identity Manager
Once configured, StorageGuard uses the CyberArk Java API to obtain, on demand, the credentials for a target system in scope. The credentials are queried only when the scan is triggered and are never saved to the file system.
To configure StorageGuard to use CyberArk:
- Install the CyberArk Application Password Provider (AIM) agent on the StorageGuard master server.
- Create StorageGuard Credential objects with the Cyber Ark type.
Additional details can be found in the following article: StorageGuard Integration with CyberArk
CA Privileged Access Manager
StorageGuard can integrate with the Password Manager of CA Privileged Access Manager. Once configured, StorageGuard uses the CA Java API to obtain, on demand, the credentials for a target system in scope. The credentials are queried only when the scan is triggered and are never saved to the file system.
To configure StorageGuard to use CA Privileged Access Manager:
- Install the CSPM client on the StorageGuard master server.
- Create StorageGuard Credential objects with the Cloakware type.
NOTE: This product is also known as Cloakware Password Authority / Xceedium Xsuite.
One Identity Privileged Access Suite for Unix
StorageGuard can use One Identity Privileged Access Suite for Unix to run required read-only commands with elevated permissions.
To configure StorageGuard to use One Identity Privileged Access Suite for Unix:
- Configure One Identity Privileged Access Suite for Unix to allow the scan user account to run the required commands.
- Create a StorageGuard sudo object with the appropriate pmrun path, and include the sudo object in the connectivity policy that will be used for scanning.
NOTES:
- This product is also known as Quest Privilege Manager for UNIX / PassGo UPM.
- Similarly, StorageGuard can also be integrated with BeyondTrust Powerbroker, FoxT BoKS ServerControl (Keon), Centrify DirectAuthorize (DZDO) and other commercial tools for privilege management.
Linux / Unix sudo
StorageGuard can use the free Unix / Linux sudo program to run required read-only commands with elevated permissions.
To configure StorageGuard to use sudo:
- Configure the sudoers file on the target host to allow the scan user account to run the required read-only commands with "NOPASSWD".
- Create a StorageGuard sudo object with the appropriate sudo path, and include it in the connectivity policy that will be used for scanning. If the requiretty option is enabled in the target host's sudoers file, set PTY to Yes.
NOTES:
- StorageGuard has pre-configured sudo objects for Linux and Unix configured with the default sudo paths.
- Similarly, StorageGuard can be integrated with other native tools such as super, Solaris pfexec, RBAC and more.
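One way to review a target host's sudoers rules for the scan account before using them with StorageGuard (an added example, not StorageGuard code): it flags NOPASSWD grants that are broader than specific commands and reports whether requiretty applies, in which case PTY must be set to Yes. The account name sgscan and the command paths are hypothetical, and the parser is simplified: it does not expand aliases or follow includes.

```python
import re

# Constructed sample: the account "sgscan" and the command paths are hypothetical.
SAMPLE = """\
Defaults requiretty
sgscan ALL=(root) NOPASSWD: /usr/bin/lsblk, /usr/sbin/multipath -ll
sgscan ALL=(root) NOPASSWD: /bin/cat /etc/*
sgscan ALL=(ALL) NOPASSWD: ALL
sgscan ALL=(root) /usr/sbin/dmidecode
"""

def audit_sudoers(text, user):
    """Return (pty_needed, findings) for the rules that apply to `user`."""
    global_tty, user_tty, findings = False, None, []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"Defaults(?::(\S+))?\s+(.*)", line)
        if m:  # track requiretty, globally and for this user
            scope, opts = m.groups()
            for opt in (o.strip() for o in opts.split(",")):
                if opt.lstrip("!") == "requiretty" and scope in (None, user):
                    value = not opt.startswith("!")
                    if scope is None:
                        global_tty = value
                    else:
                        user_tty = value
            continue
        m = re.match(r"(\S+)\s+[^=]+=\s*(?:\([^)]*\)\s*)?(.*)", line)
        if not m or m.group(1) != user:
            continue
        nopasswd = False  # tags carry over to later commands in the same list
        for cmd in re.split(r"(?<!\\),", m.group(2)):
            cmd = cmd.strip()
            tags = re.match(r"(?:[A-Z_]+:\s*)*", cmd).group(0)
            for tag in re.findall(r"([A-Z_]+):", tags):
                nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(tag, nopasswd)
            cmd = cmd[len(tags):]
            if not nopasswd:
                findings.append((cmd, "no NOPASSWD: unattended scan would prompt"))
            elif cmd == "ALL":
                findings.append((cmd, "grants every command"))
            elif not cmd.startswith("/"):
                findings.append((cmd, "not an absolute path: review"))
            elif re.search(r"[*?\[]", cmd):
                findings.append((cmd, "wildcard widens the grant"))
    return (global_tty if user_tty is None else user_tty), findings
```

Calling `audit_sudoers(SAMPLE, "sgscan")` on the constructed sample reports that a PTY is required and returns three findings: the wildcard grant, the `ALL` grant, and the entry missing NOPASSWD.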