Development | Test/Stage | Prod

| Control | Requirement | BeyondTrust coverage |
|---|---|---|
| 1. Asset Discovery & Inventory | Provide continuous discovery of assets across physical, virtual and cloud environments. | Retina will perform discovery and inventory of container instances, libraries and more, ensuring that only properly configured and approved images are available and used in your environment. This is a roadmap item slated for a Q4 release. |
| 2. Vulnerability Management | Provide continuous vulnerability assessment and remediation guidance for the infrastructure and code/builds across physical, virtual and cloud environments. | Retina will scan container instances and libraries, with options for offline image scanning, start/stop image scanning, image integrity tracking and more. This is a Q4 roadmap item. Future enhancements will include container/image integrity checking and inheritance tracking to ensure that deployed and runtime images have not been altered from their approved base templates. |
| 3. Configuration Compliance | Provide continuous configuration and hardening baseline scanning of servers and code/builds across physical, virtual and cloud deployed assets. Ensure configurations are consistent and properly hardened across the entire devops lifecycle. | Retina automates and streamlines auditing and reporting against industry configuration guidelines and best practices from FDCC, NIST, STIGs, USGCB, CIS and Microsoft. The benchmark library includes over 75 benchmarks, with new benchmarks added on a regular basis. Custom benchmarks are also supported. |
| 4. Accountability Over Shared Accounts | Control and audit access to shared accounts and ensure that all audited activity is associated with a unique identity. This includes developer access to source control, devops tools, test servers, production builds, etc. Ensure that all passwords are properly managed and rotated across the devops environment. | PowerBroker Password Safe provides the enterprise password management functionality. The base price includes several additional capabilities, including an API to provision assets into the system for management. In the devops use case the team would typically include an API call when provisioning these assets to ensure that they can be managed once deployed into the environment. |
| 5. Eliminate Hardcoded Passwords | Control scripts, files, code, embedded application credentials and hard-coded passwords to close back doors to critical systems. This includes removing hardcoded passwords in devops tool configurations, build scripts, code files, test builds, production builds, and more. | PowerBroker Password Safe provides the enterprise password management functionality. The base price includes several additional capabilities, including an Application-to-Application API to eliminate hard-coded passwords. The API is backed by a service that can be scaled out. There are no limitations or licensing restrictions on the number of API caches needed to deliver the performance and flexibility the devops process requires. |
| 6. Enforce Appropriate Credentials Use | Eliminate administrator privileges on end-user machines, securely store privileged account credentials, require a simple workflow process for check-out, and monitor privileged sessions. IT organizations can limit lateral movement in the case of a compromise and provide a secure audit trail for forensic purposes. | PowerBroker Password Safe provides the enterprise password management functionality. |
| 7. Segment Networks | Group assets, including application and resource servers, into logical units that do not trust one another. Segmenting the network reduces the “line of sight” access that attackers must have into internal systems. For access that needs to cross trust zones, use a secured jump server with multi-factor authentication, adaptive access authorization, and session monitoring. Segment access based on the context of the user, role, application and data being requested. | PowerBroker Password Safe provides the enterprise password management functionality. The base price includes the session management capability, which can be used to segment networks and enforce privilege governance across sessions. |
| 8. Privilege Management | Developers and testers may be restricted in their access to development, management and production systems while still being granted the permissions required to build machines and images, and to deploy, configure and remediate production issues on machines and images. | PowerBroker for Unix & Linux, PowerBroker for Windows, PowerBroker for Mac |
| 9. Privilege Management – Desktop/Dev Machines, Desktop/QA Machines, Desktop/Admin Machines | Define pre-approved or whitelisted files and executables, limiting the opportunity for attackers to exploit insecure applications. | PowerBroker for Windows, PowerBroker for Mac. While using our password management solution alongside session management (which is included in our base password management price), we find that most customers looking for additional controls and visibility beyond whitelisting/blacklisting commands opt for a more industrial-strength privilege management solution for the devops environment. |
| 10. Privilege Management & Isolation – Docker/Containers | Developers may be restricted in their access to systems, specific container templates and runtime access to containers on systems, while still being granted the rights needed to code, build, test, verify and manage application components. | PowerBroker for Unix & Linux will implement a container and microservice authorization plug-in, ACA network and file/services in PB Server. This roadmap item will provide the ability to delegate access to runtime containers without exposing access to the host system. Note that these policies exist within PBUL and wrap the “code”, as opposed to requiring specific access calls to be coded into each application/component. |
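Row 5 names the artifacts to sweep for hard-coded passwords (tool configurations, build scripts, code files) but not how to tell a literal credential from a reference to a managed one. The scanner below is an added example, not BeyondTrust code and not the Password Safe Application-to-Application API; it flags credential assignments whose value is a literal and passes values that reference an environment variable or a secret-store lookup. The sample lines and the `get_secret` function name are constructed for the example.

```python
import re

# Constructed sample lines from a CI build script and tool config (not from the page).
SAMPLE_LINES = [
    'DB_PASSWORD = "Sup3rS3cret!"',                      # literal: should be flagged
    'export API_TOKEN=abc123def456',                      # literal: should be flagged
    'password: ${VAULT_DB_PASSWORD}',                     # env/vault reference: fine
    'db_pass = os.environ["DB_PASSWORD"]',                # env lookup: fine
    'jdbc:mysql://build-db/app?user=ci&password=ci_build_2019',  # literal in URL
    '# password: rotated via the password safe at deploy time',  # comment: skipped
    'token = get_secret("ci/api-token")',                 # secret-store call (assumed name)
]

# key = value / key: value where the key ends in a credential-like word.
CRED_KEY = re.compile(
    r'(?i)\b[A-Za-z_]*(pass(word|wd)?|pwd|secret|token|api[_-]?key)\b\s*[:=]\s*(?P<val>\S+)'
)
# password=... inside a connection string or URL query.
URL_CRED = re.compile(r'(?i)[?&;]password=(?P<val>[^&\s]+)')
# Values that point at an env var, a shell/vault expansion or a lookup call
# are indirections, not embedded secrets.
INDIRECT = re.compile(r'^(\$\{?[A-Za-z_]|os\.environ|get_secret\(|vault:|\$\()')


def is_literal(value):
    """True when the captured value is an embedded secret rather than a reference."""
    v = value.strip('"\'')
    return bool(v) and not INDIRECT.match(value) and not INDIRECT.match(v)


def find_hardcoded(lines):
    """Return (line_number, literal_value) for each line carrying a hard-coded credential."""
    findings = []
    for n, line in enumerate(lines, 1):
        s = line.strip()
        if s.startswith('#'):
            continue
        for pat in (CRED_KEY, URL_CRED):
            m = pat.search(s)
            if m and is_literal(m.group('val')):
                findings.append((n, m.group('val').strip('"\'')))
                break
    return findings


if __name__ == "__main__":
    for n, val in find_hardcoded(SAMPLE_LINES):
        # Mask the value in the report so the scanner's own output does not leak it.
        print(f"line {n}: hard-coded credential {val[:2]}{'*' * (len(val) - 2)}")
```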