Security Cow | The next-generation bastion host: a privileged identity bank for the data center
Release time: 2019.04.25 | Source: Security Cow
On April 11, the Palladium National Channel Partner Conference was held in Hangzhou.
From the Palladium of 2005, which invented and focused on the bastion host, to the Palladium of 2018, which focuses on IAM (Identity and Access Management), the product gene of "not chasing trends, not being impetuous, and not following blindly" remains an important part of what this 14-year-old security company stands for.
Security problems are not only technical; they also stem from historical reasons, human weaknesses, and cost. Security and management must be integrated.
——Chen Yun, General Manager of Palladium
Chen Yun's interpretation of the passage above is as follows: human weakness refers to weak passwords, which are a matter of controlling accounts and permissions; for cost reasons, at least the heart of the enterprise, the database, must be given targeted protection; for enterprise data centers, security must be ensured on the premise of low-cost, flexible, and stable operations and maintenance; and at the same time, the large volume of log data can be analyzed to assist the management and automation of operations and security work. These are the four directions Chen Yun has in mind. Among these four directions, from a brand perspective, only the bastion host remains with Palladium, while IAM, database security, and log analysis sit with Palladium.
"In the second half of this year, Palladium will officially become a wholly-owned subsidiary of Palladium."
It is not difficult to see that IAM, Palladium's main business, is the important strategic direction in Chen Yun's view, and the future.
Interestingly, though, for Palladium the bastion host is not the past. Palladium believes the bastion host will develop into an independent, unified security management platform centered on the data center and on accounts. More importantly, the bastion host must be able to connect with automated operations platforms and automated equipment, and become the mandatory channel for all access to data center assets.
Accordingly, at this conference, in addition to communicating its channel and sales strategy, Palladium also released an important product: the next-generation bastion host (PAM), to meet the account management and channel control needs of enterprise data centers in the era of automated operations.
Build a privileged account "bank" for the data center
Palladium's technical director Wang Feng said that the problems faced by traditional bastion hosts, and the change in how the bastion host is positioned in the data center, are the main reasons for releasing the next-generation bastion host.
In general, traditional bastion hosts face the following dilemmas:
o Cannot support high concurrency or cluster expansion;
o Cannot support the use of privileged accounts by automation platforms, and cannot cooperate with the process-driven operations of ITSM (IT service management), CMDB (configuration management database), and other systems;
o Cannot support operations and access control from mobile terminals;
o Cannot support visual authorization;
o Cannot automatically collect account information.
Palladium believes that the next-generation bastion host, namely the privileged account management center, is to become the "privileged identity bank" of the data center. To do so, it must give the automated operations platform access through a programmable API so that the platform's access to assets is guaranteed; at the same time, it must allow active security assessment and convenient management of privileged accounts; and, combined with control of the data upload/download channels, it must close the security loop.
As the pioneer of the traditional bastion host, Palladium has, in Wang Feng's view, two important technical advantages, or barriers to entry. The first is the maturity and stability of the bastion host itself, reflected in its ability to be deployed as very large clusters.
"We have many customers among banks, and they value the reliability of the bastion host very much."
The second is the security of the bastion host itself.
According to Wang Feng, Palladium's bastion host is the first choice for OEM by many ICT manufacturers, especially for export to overseas markets, not only because of its performance and capabilities, but also because Palladium has put a lot of effort into its security.
"Foreign markets pay particular attention to the security of the bastion host itself. At the beginning, we spent a year and a half of our R&D effort on security hardening of the product. We support 8-10 identity authentication modes. At the same time, we treat the bastion host as a back-end application with a complete set of security enhancements, including a WAF for the bastion host, whitelisting of parameters and URLs, and a security monitoring system for the bastion host's database."
Whether it is maturity and stability or security, these are difficult for open-source bastion hosts to achieve in a short time.
"The bastion host will not do operations automation; that is not a field we are familiar with. However, senior customers are also distrustful of the currently hot automated operations platforms, so at the customer level they will be happy to promote docking between these platforms and the bastion host. A unified account security system is an important layer of security, especially for customers who are already using bastion hosts."
In addition, regarding the relationship between the bastion host and IAM, Wang Feng believes that the bastion host is limited to the scope of the operations protocols and pays more attention to the access of operations personnel, whereas IAM is an identity system covering all business lines. It can be said that the bastion host is a sub-module of IAM. However, the bastion host's control of identity and authority, as well as its audit and monitoring of access behavior (which is also the content of 4A), can be traced back to natural persons and can be expanded even further; this demand does exist.
"At present, most of the clients of our IAM program are government agencies, for example the Social Security Bureau, district governments, and so on. Although their identity construction is lagging behind and they have a large number of legacy systems, our IAM program is plug-in and does not need to be developed and docked with these systems. At the same time, it has its own security attributes, and there are many scenario function switches to choose from, so it is very suitable for them."
Security Cow Review:
The bastion host is already a very mature product, but the current pain points and the direction of customer needs are also very clear. As the leading domestic bastion host brand, Palladium's release of the "next-generation bastion host" has two important meanings: it better matches customer demand scenarios and the trends toward automated and mobile operations, and it better completes the transition from bastion host to IAM. From the perspective of brand strategy, this is also consistent and clear. Palladium has become an important domestic bastion host brand, and combined with the important domestic compliance market demand, this is hard to discard; but beyond that, around the database and identity, and not limited to privileged accounts, IAM is the broader future.