Public Cloud Security DataSheet

Securing your Public Cloud Data

You have moved your applications and by definition your data into “The Cloud”. Now whether or not it is considered at a site in which an external vendor has privilege access to your data or you are in a situation in which you are storing data on a cloud device or

So what are the options?

  • Harden systems?
  • Access control?

Many of the lessons we have learned from traditional security can be applied to the Public Cloud. The Public Cloud carries inherent security risks; however, with a little common sense these risks can be greatly reduced. You must find a way to extend your security framework into the cloud. This can be done with CA ControlMinder.

If you are using “The Cloud” to store your data, how do you know your data has not been moved or copied? Data storage is shared with other users, and there are risks of data bleeding and residual data spillage from one virtual workspace to another.

Data privacy in the public cloud has inherent risks. As storage is provisioned or retired, your sensitive data can still be accessible. To further complicate matters, many applications don’t handle end-to-end encryption in the public cloud well.

Most public cloud providers do not provide any sort of protection for your data in the cloud. Here is an excerpt from Amazon’s Cloud Services terms:

Other Security and Backup. You are responsible for properly configuring and using the Service Offerings and taking your own steps to maintain appropriate security, protection and backup of Your Content, which may include the use of encryption technology to protect Your Content from unauthorized access and routine archiving Your Content.

How can you mitigate your risk? The simple answer is encrypt everything in the public cloud and use some basic security best practices.

Enable End-point Protection and Server Hardening with CA ControlMinder.

The core elements of CA ControlMinder are the secure, hardened agents that integrate natively with the operating system to enforce and audit the granular policies required to meet compliance mandates. End-point agents are available for all the major operating systems, including all leading Linux, UNIX and Windows versions. It also natively supports most virtualization platforms, including VMware ESX, Solaris 10 Zones and LDOMs, Microsoft Hyper-V, IBM VIO and AIX LPAR, HP-UX VPAR, Linux Xen and Mainframe z/VM—protecting both the hypervisor layer and the guest operating systems that run on them. The latest list of supported systems can be found on the CA Support website.

Cross-Platform Server Protection

Many organizations deploy a diverse server infrastructure including Windows, Linux and UNIX systems. CA ControlMinder enables consistent, integrated management and enforcement of access security policies across all of these environments. The advanced policy architecture provides a single interface through which policies can be administered and distributed to Windows and UNIX subscribers at the same time. Consolidated management of Linux, UNIX and Windows servers decreases the amount of administrative work required and improves system administrator efficiency, thus saving management cost.

Fine-Grained Access Control

CA ControlMinder is an independent security enforcement solution, which means it does not rely on the underlying operating system to enforce server access control policies. By operating at the system level, CA ControlMinder monitors and regulates all access to system resources, including those originating from domain or local system administrators. These fine-grained access enforcement capabilities act to regulate, delegate and contain domain administrators or any other account in the IT environment and provide:

  • Impersonation control. CA ControlMinder controls surrogate user delegation capabilities to reduce the exposure of unauthorized users running applications with enhanced privileges and to achieve accountability for shared account activity. For example, an administrator could assume another person’s identity profile to change a file’s access control list (ACL) attributes without any accountability for their actions. CA ControlMinder protects on multiple levels by first limiting those who may use Run-As and the UNIX “su” command, and by preserving the original user ID even after surrogate actions, ensuring user access records in audit logs show the original account. This allows users to log in using their own ID and safely change their profile to a privileged account without loss of accountability.
  • Superuser (administrator/root) containment. The root account is a significant source of vulnerability because it allows applications or users to assume a more powerful level of privilege than may be needed. CA ControlMinder inspects all relevant incoming requests at the system level, and enforces authorization based on the defined rules and policies. Not even the privileged root account can bypass this level of control. Thus, all privileged users become managed users and are accountable for their activities on the system.
  • Role-based access control. Best practice dictates that each administrator has sufficient privileges to perform his or her job functions and no more. By providing a sophisticated role-based access control environment, administrators are unable to share an administrator password and potentially take advantage of its associated privileges. By default, CA ControlMinder provides popular administrative and auditing roles that can be customized and expanded to meet the needs of your IT organization.
  • Fine-grained enforcement. Native operating systems (Linux, UNIX, and Windows) offer limited capabilities to granularly and effectively delegate certain system administration rights to less powerful user accounts. CA ControlMinder provides fine-grained enforcement and regulates access based on many criteria including network attributes, time of day, calendar or access program. Features include:
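As an added illustration of the accountability point above (this is not CA ControlMinder’s own code or log format), here is a small Python attribution routine run over a constructed audit trail: it follows each session’s surrogate (su / Run-As) steps and reports every access under both the effective identity and the original login account, so actions taken as root or a service account still trace back to the person who logged in.

```python
import re
from collections import defaultdict

# Constructed sample audit trail; the format is invented for this example.
SAMPLE_AUDIT = """\
2024-05-01T10:00:01 tty1 LOGIN user=alice
2024-05-01T10:00:15 tty1 SURROGATE from=alice to=root
2024-05-01T10:00:20 tty1 ACCESS user=root res=/etc/shadow mode=write
2024-05-01T10:01:00 tty2 LOGIN user=bob
2024-05-01T10:01:05 tty2 ACCESS user=bob res=/home/bob/notes mode=read
2024-05-01T10:02:00 tty1 SURROGATE from=root to=oracle
2024-05-01T10:02:10 tty1 ACCESS user=oracle res=/opt/oracle/data mode=write
2024-05-01T10:03:00 tty1 LOGOUT user=alice
"""

LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+)(.*)$")

def parse_line(line):
    """Split one record into (timestamp, tty, event, key=value fields)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, tty, event, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return ts, tty, event, fields

def attribute_accesses(audit_text):
    """Return ACCESS records with the session's original login user attached.
    A surrogate step changes the effective user, but the original user of
    the tty session is carried along so every access stays attributable."""
    origin, effective, records = {}, {}, []
    for line in audit_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ts, tty, event, f = parsed
        if event == "LOGIN":
            origin[tty] = effective[tty] = f["user"]
        elif event == "SURROGATE" and effective.get(tty) == f["from"]:
            effective[tty] = f["to"]          # only from the current identity
        elif event == "ACCESS":
            records.append({"ts": ts, "tty": tty, "effective": f["user"],
                            "original": origin.get(tty, "UNKNOWN"),
                            "res": f["res"], "mode": f["mode"]})
        elif event == "LOGOUT":
            origin.pop(tty, None); effective.pop(tty, None)
    return records

def surrogate_actions_by_original(records):
    """Count, per original login user, actions taken under another identity."""
    counts = defaultdict(int)
    for r in records:
        if r["effective"] != r["original"]:
            counts[r["original"]] += 1
    return dict(counts)
```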

Operating System Hardening

A critical layer to the defense-in-depth strategy is protecting the OS against unauthorized external access or penetration. CA ControlMinder offers several external security measures to add an additional layer of security for your servers.

  • File and directory controls. Files and directories form the backbone of operating systems and any compromise can lead to denial of service and unexpected downtime. CA ControlMinder provides powerful wildcard and program access options that simplify file-level policy management. CA ControlMinder can enforce change control on critical file and directory systems, which increases data integrity and confidentiality. File-level protection is available for all types of files including text files, directories, program files, device files, symbolic links, NFS mounted files and Windows shares.
  • Trusted program execution. To prevent the operating environment from being tainted by malware, particularly Trojans, CA ControlMinder provides first-line trusted program protection. Sensitive resources can be marked as trusted and these files and programs will then be monitored and CA ControlMinder will block execution should the program be modified by malware. Changes to trusted resources can be limited to specific users or user groups to further reduce the likelihood of unexpected change.
  • Windows registry protection. The Windows registry is a clear target for hackers and malicious users because the centralized database contains operating system parameters, including those that control device drivers, configuration details and hardware, environment and security settings. CA ControlMinder provides registry protection through the support of rules that can block administrators from changing or tampering with the registry settings. CA ControlMinder can protect registry keys from deletion and their corresponding values from modification.
  • Windows services protection. CA ControlMinder provides enhanced protection to limit the authorized administrators that can start, modify or stop critical Windows services. This protects against denial of service of production applications like Database, Web, File and Print, which are all controlled as services on Windows. It is essential to protect these services from unauthorized access.
  • Application jailing. CA ControlMinder allows accepted actions to be defined for high-risk applications. Any behavior that exceeds these bounds will be restricted by an application jailing function. For example, an ACL can be built based on a logical ID which owns Oracle processes and services so its jailed behavior prohibits it from any actions besides starting Oracle DBMS services.

Unix/Linux Keyboard Logger

CA ControlMinder can restrict regular and sensitive user actions and can even track sessions of selective users, but what if you want to record everything done on a sensitive user’s session? The CA ControlMinder KBL feature gives you that option. KBL lies between the shell and the terminal / keyboard and captures whatever is typed in on the keyboard (input) and what is displayed on the terminal (output).

You can enable KBL simply by changing the audit mode of the administrator/user for whom you want to capture keyboard activity.

In addition to the following, CA ControlMinder can uniquely provide privileged user access auditing and reporting using CA User Activity Reporting.

CA User Activity Reporting

Compliance means that you have the correct policies in place, and that those policies are deployed, but most importantly, that you can provide proof of being compliant with both corporate policies and regulatory standards, while accounting for any deviations from the policy. In order to prove compliance, server resource protection solutions must generate reports to substantiate password policies, entitlement levels and segregation of duties. A CA User Activity Reporting license is included with CA ControlMinder that lets you view the security status of users, groups and resources by gathering data from each end-point across the enterprise, aggregating it into a central location, analyzing the results against the corporate policy and then finally generating a report. This CA User Activity Reporting license is limited to collecting and reporting on CA ControlMinder events; if broader reporting capabilities are desired a full User Activity Reporting Module license must be acquired.

Out-of-the-box, the CA ControlMinder reporting service comes with more than 60 standard reports detailing information on entitlements and the current status of (and deviation from) deployed policies as part of the default product installation. They provide immediate value by complementing existing event-based auditing to monitor compliance requirements and highlight existing discrepancies. The standard reports include:

Policy management reports
