
Achieve PCI DSS v3.2.1 Compliance with Spectra PAM

The Payment Card Industry Data Security Standard (PCI DSS) mandates preventive controls around privileged account access and passwords in order to protect cardholder data. Organizations that store, process or transmit customer card data must comply with PCI DSS v3.2.1 (in effect since May 2018), including the requirements on privileged access highlighted below. Sectona, with its flagship Privileged Access Management product Spectra, helps organizations achieve compliance for privileged and administrative account access with confidence.

Clause 2 (Requirement 2) of PCI DSS covers changing vendor-supplied default credentials, using strong encryption to protect data, and following a secure password management approach.

How Spectra PAM helps you adhere to this clause: Spectra PAM has a password vault that applies a three-step approach to password management (rotation, verification, reconciliation) to all vendor-supplied default accounts. All passwords are stored in the vault in encrypted form. Going one step further, Spectra's discovery module automatically discovers privileged accounts (including vendor default accounts) across operating systems and databases and vaults their credentials.

Tip: The Sectona Research Team has simplified this for organizations by identifying the vendor-supplied accounts across a wide range of applications and systems. To read more, visit

Clause 7 (Requirement 7) covers strong access control measures that restrict access to cardholder data on a need-to-know basis: access is limited to those personnel whose job requires access to cardholder data, and access to databases holding such data is granted only after prior approval.

How Spectra PAM helps you comply with this clause: Spectra Server Access and User Access Policies can be configured when granting users access to critical data. Policies are defined on a 'need-to-know, need-to-access' basis and restrict what can be accessed, by whom, when, for what purpose and for how long, so that users receive only the privileges they need. With Spectra's Workflow module, access is granted only after approval by the authorized approver(s); up to 15 approval levels, with multiple approvers at each level, can be configured for flexibility. As a value add, access for the growing remote and third-party user base can also be controlled with Spectra's remote privileged access and privileged session collaboration capabilities.

Clause 8 (Requirement 8) requires identification and authentication of every user who accesses system components, whether internal staff or third-party vendor users. It calls for multi-factor authentication when granting access, and for session controls such as session lockout after a specified idle time and complex password policies.

How Spectra PAM helps you achieve compliance with this clause: Spectra PAM integrates deeply with Active Directory to fetch user access policies automatically, or to group users by policy-driven attributes, for faster provisioning of access to internal and remote users. Privileged session management policies can be configured for third-party vendor access from inside the network and remotely, using hybrid access mechanisms based on user role, mode of access and access location. Spectra PAM integrates with MFA providers so that a second level of authentication and verification can be enforced for all users. Additionally, to isolate privileged sessions from third-party vendor endpoints, Spectra PAM's Cross-Platform Hybrid Access capability lets users connect through virtualized browser-based sessions or through a jump server.

Tip: One of our customers had similar access control requirements. Don't forget to read how Spectra PAM met that customer's needs; visit

Clause 10 (Requirement 10) covers tracking and monitoring all access to network resources and cardholder data. For each privileged session, logs must be generated, stored in a tamper-proof form and made available for audit. The logs must capture all activities performed in the session by root or administrator users and by users with access to cardholder data.

With Spectra's Session Recording module, logs are generated for every session in both text and video form. These logs are stored encrypted and tamper-proof, and are accessible only to authorized personnel. Beyond log generation, Spectra has a built-in risk scoring and threat analytics engine: it keeps a library of high-risk events executed within a session and, combined with the user's access pattern and profile, produces a composite risk score that helps identify and interpret high-risk privileged sessions.

The Sectona Research Team has prepared a comprehensive document covering the clauses above; it is available on the website here. The PCI DSS v3.2.1 compliance document can be downloaded here. For a list of high-priority privileged use cases, refer to this document here.
Shruti Kulkarni February 14, 2020

New features added to Spectra

Dashboard

Data is power, and data generated at run time is even more powerful because it lets the CISO make quicker decisions. Keeping that in mind, Sectona now provides a dashboard with live information about all the assets, accounts and users that Spectra PAM manages, including session activity and the health of the PAM system itself. The dashboard not only answers essential questions but also reveals trends, giving the PAM administrator the insight to analyze faster and make critical decisions. You can quickly find answers to your most pertinent questions: Of all the managed accounts, how many are synced? How many accounts were last accessed more than a month ago? How many users log in through Windows authentication versus Sectona authentication? How many workflow requests were approved versus rejected?

Host header injection mitigation

When a browser sends a request to a web server, the request carries a Host header whose value is the requested domain. Often the physical server hosting a web application also hosts other web applications, or runs virtual hosts, some of which serve web applications of their own; the Host header is what lets the server choose which content to serve for a given domain. If a client sends an invalid or unrecognised Host header, most web servers are configured either to return an error or to route the request to the first (default) virtual host in their list, so it is possible to reach that first virtual host with an arbitrary Host value. Web cache poisoning and password reset poisoning are two attacks enabled by Host header injection: if the application trusts the attacker-supplied header when building absolute URLs, a cached page or a password reset e-mail ends up pointing at the attacker's domain. Spectra PAM now mitigates Host header injection.

Manually on-boarding accounts

When Account Discovery runs, discovered accounts are on-boarded into PAM by having their passwords reset. For some administrative accounts a password reset is not advisable. For those cases, Sectona now offers manual onboarding: the accounts are still discovered by Spectra PAM, but the PAM administrator decides whether and when to add a discovered account to the PAM system.
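The Host header mitigation described above is, in practice, an allowlist check applied before any routing, plus a rule that absolute URLs (reset links, redirects, cache keys) are built from configuration rather than from the request. The following Python is an added example written for this page, not Spectra's own code; the allowlist, the canonical base URL, the `/forgot-password` route and the WSGI-style `environ` keys are all assumptions made for illustration.

```python
import re
from urllib.parse import quote

# Constructed settings for this example (assumptions, not Spectra configuration).
ALLOWED_HOSTS = {"pam.example.com", "pam.internal.example"}
CANONICAL_BASE_URL = "https://pam.example.com"

# Host name (letters, digits, dots, hyphens) with an optional :port. Anything else,
# e.g. a '@', a '/', whitespace or an IPv6 literal, is rejected outright.
_HOST_RE = re.compile(r"^(?P<name>[a-z0-9][a-z0-9.-]*)(?::(?P<port>\d{1,5}))?$")


def normalize_host(host_header):
    """Return a canonical 'name' or 'name:port' from a raw Host header, or None if malformed.

    Lowercases the name, strips a trailing dot and drops the default ports (80/443),
    so 'PAM.Example.com.:443' and 'pam.example.com' compare equal.
    """
    if host_header is None:
        return None
    match = _HOST_RE.match(host_header.strip().lower())
    if not match:
        return None
    name = match.group("name").rstrip(".")
    port = match.group("port")
    if port is None or port in ("80", "443"):
        return name
    if int(port) > 65535:
        return None
    return f"{name}:{port}"


def is_allowed_host(host_header, allowed_hosts=ALLOWED_HOSTS):
    """Allowlist check: the request is only served for hosts the deployment actually owns."""
    host = normalize_host(host_header)
    return host is not None and host in allowed_hosts


def password_reset_link(token):
    """Build the reset URL from configuration, never from the incoming Host header.

    This is what defeats password reset poisoning: even if an attacker's Host value
    reached the application, it could not end up in the e-mailed link.
    """
    return f"{CANONICAL_BASE_URL}/reset-password?token={quote(token, safe='')}"


def handle_request(environ):
    """Minimal WSGI-style dispatch: reject unrecognised hosts before any routing happens.

    environ is a plain dict in the WSGI shape; HTTP_HOST is the raw Host header.
    X-Forwarded-Host is deliberately ignored: it is client-controlled unless a trusted
    reverse proxy is known to overwrite it.
    """
    if not is_allowed_host(environ.get("HTTP_HOST")):
        return 400, "Bad Request: unrecognised Host header"
    if environ.get("PATH_INFO") == "/forgot-password":
        return 200, password_reset_link(environ.get("reset_token", ""))
    return 200, "OK"


if __name__ == "__main__":
    # Constructed sample requests: legitimate hosts and two poisoning attempts.
    for host in ("pam.example.com", "PAM.example.com.:443", "attacker.example",
                 "pam.example.com@attacker.example"):
        print(host, "->", handle_request({"HTTP_HOST": host,
                                          "PATH_INFO": "/forgot-password",
                                          "reset_token": "t0k3n"}))
```

The check runs on the normalized value rather than on the raw header, so case, a trailing dot and an explicit default port cannot be used to slip past an exact-match allowlist, while a non-default port must be listed explicitly to be accepted. Rejecting at the application layer matters because the web server's default virtual host may still hand the request to the application regardless of what the Host header says.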
Siddhesh Shetye August 10, 2019

Sectona Announces Spectra PAM 2.0 Release, Enabling Enterprises to Automate and Monitor Better

Sectona, the Privileged Access Management OEM, announced the version 2.0 release of its flagship product, Spectra Privileged Access Management Solution, which provides organizations of any size with privileged session management, password automation, privileged task management and server privilege management. This release covers load balancing, high availability, log forwarding to a SIEM solution and network discovery.

New Inclusions:

Minimize CPU consumption with Spectra's application load balancing
In Spectra 2.0, when a replica of the PAM application is created to share the load of users accessing Spectra, thresholds such as CPU consumption are set. As that limit is approached, the PAM application signals the load balancer to divert incoming traffic to the replica, keeping CPU consumption and concurrency in check.

Leverage built-in replication and high availability
Like application load balancing, a built-in replica of the Spectra Vault is created for HA and kept in continuous sync with the primary vault. In a failover, control switches automatically to the secondary vault, and all changes made while it is active are recorded by that vault and synced back to the primary vault at regular intervals. This built-in replication is possible because of Spectra's embedded vault, and it minimizes manual intervention and data loss.

Introducing Maker Checker to review creation of new users, accounts and assets
Through the maker checker feature in Spectra 2.0, the creation, update and deletion of any asset, account or user within Spectra can be monitored and reviewed, with the change submitted by one user (the maker) and reviewed by another (the checker).

Integration with Splunk for SIEM and log forwarding
A common scenario we have observed is PAM syslog being forwarded to a SIEM on a dedicated log server, so that all logs are stored together on a server reserved for log storage. While Spectra 2.0 supports integration with other SIEM solutions, the latest addition to its integration list is Splunk.

Inventory network devices in your environment with SNMP discovery
Spectra already supports discovery across operating systems, AD, VMware, Hyper-V, AWS and Azure. With Spectra 2.0, you can also schedule or manually trigger an SNMP discovery scan to discover and automatically onboard network devices in your infrastructure.

Authenticate via ADFS for added security
Along with AD authentication, Spectra now supports ADFS authentication using the SAML protocol. With SAML federation the user authenticates at ADFS and Spectra receives a signed assertion, so the user's AD password is never submitted to Spectra and the authentication policies enforced at ADFS apply as an additional layer before access is granted.

What's Enhanced:

Auto on-boarding privileged accounts along with their dependencies
Earlier only privileged accounts were on-boarded; from Spectra 2.0 onwards, their dependencies (if any) are also discovered and on-boarded.

Account password verification and reconciliation
Earlier passwords were only rotated; from Spectra 2.0 onwards, passwords are verified, reconciled and rotated again if any rotation was missed.

AWS console (token-based) access type
Earlier only browser-based access to the AWS console with a username and password was allowed. From Spectra 2.0 onwards, deeper API integration makes token-based AWS console access through Spectra possible, for better control and flexibility.

To sum up, with this release Spectra has made significant additions and improvements over its previous version, strengthening its robustness and capabilities. Watch this space for future releases and product updates.
Shruti Kulkarni January 21, 2019