Hitachi ID Privileged Access Manager: Slide Presentation

1 Hitachi ID Privileged Access Manager

Temporary, secure and accountable privilege elevation.

2 Agenda

• Corporate
• Privilege management challenges
• Hitachi ID Privileged Access Manager features
• Technology
• Implementation
• Differentiation
• Discussion / next steps

3 Corporate

© 2020 Hitachi ID Systems, Inc. All rights reserved.


3.1 Hitachi ID corporate overview

Hitachi ID delivers access governance and identity administration solutions to organizations globally. Hitachi ID IAM solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud.

• Founded as M-Tech in 1992.
• A division of Hitachi, Ltd. since 2008.
• Over 1200 customers.
• More than 14M licensed users.
• Offices in North America, Europe and APAC.
• Global partner network.

3.2 Representative customers


3.3 Hitachi ID Suite

4 Privilege management challenges

4.1 Passwords to privileged accounts

Challenges:

• Shared accounts with elevated privileges.
• Static passwords:
  – Long window of opportunity for attackers.
• Passwords known to many people:
  – No accountability for use.
  – Departed workers still have access?

Solutions:

• Randomize passwords:
  – No longer shared or static.
• Store values in a vault:
  – Control access to accounts by limiting access to passwords.


4.2 Accountability for admins

Challenges:

• Who used this account?
• What changes were made?
• Was use of the access reasonable?
• Did anything break?
• Was security compromised?

Solutions:

• Personally identify users prior to access.
• Require strong, multi-factor authentication.
• Authorize access:
  – Pre-approved for system admins.
  – One-time approval for infrequent users.
• Audit activity:
  – Access event.
  – Session recording.

4.3 Grant access only temporarily

Challenges:

• Granting permanent access increases risks:
  – Abuse.
  – Accidents.
  – Malware.
• Better to grant access:
  – On-demand.
  – For short periods.
  – Only when required.

Solutions:

• Randomize passwords after use.
• Launch sessions and inject current credentials.
• Do not disclose passwords to users:
  – Users can't share what they don't know.


4.4 Multiple ways to grant access

Challenges:

• Different tasks call for different tools.
• Alternatives to the standard mechanism (shared accounts, randomized passwords in a vault, SSO with password injection) are needed.
• Grant multiple credentials at once.

Solutions:

• Multiple types of access disclosure.
• Group sets:
  – Temporarily grant one or more group memberships.
  – Elevate rights of an existing, personal ID.
• SSH trust:
  – Temporary trust relationship.
  – Add user's public SSH key to privileged account's .ssh/authorized_keys file.
• Account sets:
  – Check out multiple accounts at once.
  – Named accounts or search results.
  – Single request, single approval.
  – Launch multiple logins.
  – Run script across accounts (SIMD).

4.5 Scaling up: many assets, types

Challenges:

• Admin accounts on every asset.
• Windows, Unix, Linux, network device, hardware monitor, laptops, databases, apps, midrange, mainframe, ...
• On-premises and cloud.
• Fixed and moveable/personal assets.
• Number of assets = 2X or 3X head-count.
• Security is only as good as the weakest link.

Solutions:

• Connectors to various kinds of systems.
• Auto-discovery to find them.
• Import rules to manage them.


4.6 Connectivity challenges

Challenges:

• 3 communication paths:
  – User to PAM.
  – PAM to managed system.
  – User to managed system.
• Each path could be blocked:
  – Systems behind firewalls or NAT.
  – Unroutable addresses.
  – DNS names that do not resolve.
  – Laptops move and get powered down.

Solutions:

• PAM to endpoint:
  – Direct connection.
  – PAM to proxy, proxy to endpoint.
• User to endpoint:
  – Direct to target (launch admin UI, inject creds).
  – RDP to proxy, any protocol to target.
  – HTML5 to proxy, SSH or RDP to target.
• Endpoint to PAM:
  – Local service calls home.
  – Suitable for laptops, VMs.

Diagram: user, PAM server and managed endpoint, with each of the three paths between them marked "?" (may be blocked).

4.7 High availability / minimal down-time

Challenges:

• Consider what happens in a physical disaster:
  – Vault recovery time delays recovery of all other services.
• Have to recover the vault first:
  – Cannot afford delays in vault recovery.
• Human intervention in recovery would add too much delay.

Solutions:

• The system must survive disasters.
• Requirements:
  – Real-time data replication.
  – Geographically distributed.
  – Active-active architecture.


4.8 Non-human users of privileged accounts

Challenges:

• Service accounts are used to run processes.
• Scripts and applications use embedded passwords to connect to databases and other services.
• These accounts also have high privilege.
• Non-human account passwords may be:
  – Plaintext, static or well-known.

Solutions:

• Discover service accounts.
• Randomize and vault passwords:
  – Inject new passwords into service subscribers.
• Expose an API to retrieve passwords:
  – Fingerprint applications to authenticate them.


4.9 Strong authentication

Challenges:

• Authorized users could be hacked.
• Malware installed on their PCs.
• Passwords compromised.
• An attacker could leverage PAM to expand the reach of their compromise.

Solutions:

• Require two-factor authentication (2FA) at PAM login.
• If no 2FA solution is in place, use the one provided with Hitachi ID Privileged Access Manager.
• Mobile app scans QR code challenge on PC screen.
• Protect against key-loggers, compromised passwords.

5 Privileged Access Manager features


5.1 Infrastructure auto discovery

Discovery, onboarding and classification must be automated in order to scale up:

1. List systems: AD, LDAP, CSV file, SQL or SQLite DB.
2. Target systems: rules decide manage? (yes/no) and select connection credentials.
3. Probe systems: list accounts, groups and services. Massive parallelism is essential here.
4. Manage systems: rules decide which policies to apply.
5. Manage accounts: rules decide which accounts to manage and which policies to apply.

• Import, classify, probe up to 10,000 systems and 500,000 accounts per hour.
• 100% policy driven – no scripts.
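The five steps above, worked through as rule tables over a constructed inventory. This is an added example, not code from the presentation or from Hitachi ID: the CSV, the probe results, the rule predicates and the credential-set and policy names are all invented here, and a real run would list hosts from AD or LDAP and probe each one over its native protocol in parallel rather than read a dict.

```python
"""Policy-driven discovery and onboarding, following the five steps of section 5.1.
Added example (not Hitachi ID code): the inventory CSV, the probe results and the
rule tables are constructed here."""
import csv
import io
import ipaddress

# Step 1: a constructed system list, as a CSV import would deliver it.
INVENTORY_CSV = """hostname,os,ip,env
web01,Linux,10.10.1.11,prod
db01,Windows,10.10.2.21,prod
lab07,Linux,192.168.50.7,lab
sw-core1,IOS,10.10.0.1,prod
"""

# Step 3 stand-in: what probing each host returned (constructed).
PROBE_RESULTS = {
    "web01": [{"name": "root", "uid": 0, "groups": []},
              {"name": "deploy", "uid": 1001, "groups": ["sudo"]},
              {"name": "www-data", "uid": 33, "groups": []}],
    "db01": [{"name": "Administrator", "uid": None, "groups": ["Administrators"]},
             {"name": "svc_sql", "uid": None, "groups": ["Administrators"]},
             {"name": "jsmith", "uid": None, "groups": ["Users"]}],
    "sw-core1": [{"name": "admin", "uid": None, "groups": []}],
}

def in_net(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

# Step 2 rules: (predicate, (manage?, connection credential set)); first match wins.
TARGET_RULES = [
    (lambda s: s["env"] == "lab", (False, None)),
    (lambda s: s["os"] == "Windows", (True, "cred-win-domain")),
    (lambda s: s["os"] == "Linux" and in_net(s["ip"], "10.10.0.0/16"), (True, "cred-unix-ssh")),
    (lambda s: s["os"] == "IOS", (True, "cred-netdev")),
]

# Step 4 rules: which managed system policy applies.
POLICY_RULES = [
    (lambda s: s["os"] == "IOS", "netdev-prod"),
    (lambda s: s["os"] == "Windows" and s["env"] == "prod", "windows-prod"),
    (lambda s: s["os"] == "Linux" and s["env"] == "prod", "linux-prod"),
]

ADMIN_GROUPS = {"Administrators", "sudo", "wheel"}

def classify_account(acct):
    """Step 5: decide what to do with one discovered account."""
    if acct["name"].startswith("svc_"):
        return "service"        # handed to service account management (section 5.12)
    if acct["uid"] == 0 or acct["name"] in ("root", "Administrator", "admin") \
            or ADMIN_GROUPS & set(acct["groups"]):
        return "privileged"     # vault it, randomize it, control checkout
    return None                 # ordinary user: not managed by PAM

def first_match(rules, subject, default):
    for predicate, result in rules:
        if predicate(subject):
            return result
    return default

def onboard(inventory_csv, probe_results):
    """Run steps 1 to 5 and return the onboarding plan for managed systems only."""
    plan = {}
    for system in csv.DictReader(io.StringIO(inventory_csv)):            # 1. list
        manage, creds = first_match(TARGET_RULES, system, (False, None))  # 2. target
        if not manage:
            continue
        accounts = probe_results.get(system["hostname"], [])              # 3. probe
        policy = first_match(POLICY_RULES, system, "unclassified")         # 4. manage
        classes = {a["name"]: classify_account(a) for a in accounts}       # 5. accounts
        plan[system["hostname"]] = {
            "credentials": creds,
            "policy": policy,
            "privileged": sorted(n for n, c in classes.items() if c == "privileged"),
            "service": sorted(n for n, c in classes.items() if c == "service"),
        }
    return plan
```

First-match ordering is what makes the tables "policy driven": the lab exclusion sits above the OS rules so that a lab host never acquires credentials, and a host matching no rule is left unmanaged rather than managed by accident.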


5.2 Connect to IT assets and manage access

Discover accounts, groups and services. Randomize passwords.

5.3 Identify and authenticate users

• Identify users using an existing directory:
  – AD
  – LDAP
  – Any other system/app/DB will work.
• Combine existing credentials:
  – Passwords (AD, LDAP, etc.).
  – Tokens (OTP).
  – Smart cards (PKI).
  – PIN (SMS to mobile or personal e-mail).
  – Smart phone app (iOS or Android, included).
• Step up authentication based on context:
  – Vendor access?
  – Off-site, off-hours or personal device?
  – User with rights to many systems?


5.4 Authorizing access to privileged accounts

Two models: permanent and one-time.

Permanent ACL:

• Pre-authorized users can launch an admin session any time.
• Access control model:
  – Users ... belong to
  – User groups ... are assigned ACLs to
  – Managed system policies ... which contain
  – Devices and applications.
• Also used for API clients.

One-time request:

• Request access for any user to connect to any account.
• Approvals workflow with:
  – Dynamic routing.
  – Parallel approvals.
  – N of M authorizers.
  – Auto-reminders.
  – Escalation.
  – Delegation.

Concurrency control:

• Coordinate admin changes by limiting the number of people connected to the same account:
  – Can be >1.
  – Notify each admin of the others.
• Ensure accountability of who had access to an account at a given time.
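The two authorization models and the concurrency limit, as an added example (not code from the presentation or from Hitachi ID). The chain of users, user groups, ACLs and managed system policies follows the slide; the class names, fields, in-memory storage and the rule that a requester cannot approve their own request are this example's own choices.

```python
"""Authorization and concurrency control for privileged account checkout (section 5.4).
Added example, not Hitachi ID code."""
from dataclasses import dataclass, field

@dataclass
class Policy:
    """A managed system policy: the accounts it contains plus its request rules."""
    name: str
    accounts: set                       # "system/account" strings
    max_concurrent: int = 1             # how many admins may hold one account at once
    approvers: set = field(default_factory=set)
    required_approvals: int = 1         # N of M authorizers

@dataclass
class Checkout:
    user: str
    account: str
    basis: str                          # "preauthorized" or "request:<id>"
    others: list                        # admins already on the account, to be notified

class Authorizer:
    def __init__(self, user_groups, group_acls, policies):
        self.user_groups = user_groups              # user -> set of groups
        self.group_acls = group_acls                # group -> set of policy names
        self.policies = {p.name: p for p in policies}
        self.pending = {}                           # request id -> (user, account, approvals)
        self.active = []                            # live checkouts (who holds what, now)

    def _policy_for(self, account):
        for p in self.policies.values():
            if account in p.accounts:
                return p
        raise KeyError(f"{account} is not a managed account")

    def preauthorized(self, user, account):
        """Permanent ACL path: user -> group -> ACL -> policy -> account."""
        p = self._policy_for(account)
        return any(p.name in self.group_acls.get(g, set())
                   for g in self.user_groups.get(user, set()))

    def request(self, req_id, user, account):
        """One-time request path: open a request that approvers must act on."""
        self._policy_for(account)
        self.pending[req_id] = (user, account, set())

    def approve(self, req_id, approver):
        """Record one approval; True once N of M approvers have signed off."""
        user, account, approvals = self.pending[req_id]
        p = self._policy_for(account)
        if approver not in p.approvers or approver == user:    # no self-approval
            raise PermissionError(f"{approver} may not approve {req_id}")
        approvals.add(approver)
        return len(approvals) >= p.required_approvals

    def checkout(self, user, account, req_id=None):
        p = self._policy_for(account)
        if req_id is None:
            if not self.preauthorized(user, account):
                raise PermissionError(f"{user} has no ACL for {account}")
            basis = "preauthorized"
        else:
            req = self.pending.get(req_id)
            if req is None or req[0] != user or req[1] != account \
                    or len(req[2]) < p.required_approvals:
                raise PermissionError(f"{req_id} is not an approved request for {user}/{account}")
            del self.pending[req_id]                # one-time: the request cannot be reused
            basis = f"request:{req_id}"
        holders = [c.user for c in self.active if c.account == account]
        if len(holders) >= p.max_concurrent:
            raise RuntimeError(f"{account} already held by {holders}")
        co = Checkout(user, account, basis, holders)
        self.active.append(co)
        return co

    def checkin(self, checkout):
        self.active.remove(checkout)
```

The `active` list is the accountability record the slide asks for: at any moment it answers who holds which account, and `Checkout.others` is what each new admin is told about the people already connected.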

5.5 Access disclosure mechanisms

Launch session (SSO):
• Launch RDP, SSH, vSphere, SQL Studio, ...
• Extensible (launch any CLI).
• Password is hidden.
• Convenient (SSO).

Temporary entitlement:
• Group membership (AD, Windows, SQL, etc.).
• SSH trust (.ssh/authorized_keys).
• Native logging shows actual user.

Copy buffer integration:
• Inject password into copy buffer.
• Clear after N seconds.
• Flexible (secondary connections, open-ended tooling).

Display:
• Show the password in the UI.
• Clear after N seconds.
• Useful at the physical server console.
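The SSH trust mechanism named in 4.4 and again here (adding the user's public key to the privileged account's .ssh/authorized_keys for the life of the checkout), as an added example that is not code from the presentation or from Hitachi ID. It assumes the target runs OpenSSH 7.6 or later, whose sshd honours the expiry-time="YYYYMMDDHHMM" key option (interpreted in the server's local time, so the PAM and host clocks are assumed to agree), and it tags every granted line with a "pam-grant:<request id>" marker so that only lines this code added are ever removed. The marker name and the request-id format are invented here.

```python
"""Temporary SSH trust: grant, sweep and revoke a user's key in a privileged
account's authorized_keys text (sections 4.4 and 5.5). Added example, not
Hitachi ID code; assumes OpenSSH 7.6+ for the expiry-time option."""
from datetime import datetime, timedelta
import re

MARKER = "pam-grant:"
_EXPIRY = re.compile(r'expiry-time="(\d{12})(?:\d{2})?"')

def _stamp(when):
    return when.strftime("%Y%m%d%H%M")

def grant_trust(authorized_keys, pubkey, request_id, now, ttl):
    """Append one expiring key line; the file's existing lines are left untouched."""
    parts = pubkey.strip().split()
    if len(parts) < 2 or not parts[0].startswith(("ssh-", "ecdsa-", "sk-")):
        raise ValueError("not an OpenSSH public key line")
    keytype, keydata = parts[0], parts[1]
    # sshd itself refuses the key after the stamp, so a grant the PAM fails to
    # revoke (host offline at check-in) still lapses on its own.
    line = f'expiry-time="{_stamp(now + ttl)}" {keytype} {keydata} {MARKER}{request_id}'
    if authorized_keys and not authorized_keys.endswith("\n"):
        authorized_keys += "\n"
    return authorized_keys + line + "\n"

def revoke_trust(authorized_keys, request_id):
    """Remove only the line(s) carrying this request's marker (check-in or early revoke)."""
    keep = [l for l in authorized_keys.splitlines()
            if not l.rstrip().endswith(f"{MARKER}{request_id}")]
    return "".join(l + "\n" for l in keep)

def sweep_expired(authorized_keys, now):
    """Housekeeping: drop PAM-granted lines whose expiry has passed. Lines without
    the marker are never touched, even if they carry their own expiry-time."""
    keep = []
    for l in authorized_keys.splitlines():
        m = _EXPIRY.search(l)
        if MARKER in l and m and m.group(1) < _stamp(now):   # same-length stamps sort chronologically
            continue
        keep.append(l)
    return "".join(l + "\n" for l in keep)

def active_grants(authorized_keys):
    """Request ids currently present, for reconciling the file against the PAM's records."""
    return [l.rsplit(MARKER, 1)[1].strip()
            for l in authorized_keys.splitlines() if MARKER in l]
```

The functions operate on the file's text so they can be unit tested; when writing the result back, write a temporary file with mode 0600 in the same directory and rename it over authorized_keys, since sshd ignores a file that is group- or world-writable and a partial write would lock everyone out.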


5.6 Account sets

What is an account set?

• A saved search.
• Returns managed accounts on managed systems.
• Example: search on OS, subnet, login ID.
• Can also include accounts, systems individually.

Using account sets:

• Check out multiple accounts at once:
  – e.g., all systems requiring a patch.
  – e.g., all systems supporting an n-tier app.
• Launch multiple login sessions at once:
  – RDP, SSH, vSphere, SQL Studio, Toad, etc.
• Push commands to run on all checked out systems, accounts:
  – Retrieve status from end systems.
  – Make configuration changes.
  – Apply patches.

5.7 Options for launching login sessions

Real-world constraints:

• Is the managed system reachable from the user's PC?
  – Firewalls, NAT.
  – Name resolution problems.
  – Unroutable addresses.
  – Off-site users (e.g., vendors).
• What admin tool does the user want?
  – MSTSC - RDP,
  – PuTTY, SecureCRT, etc. - SSH,
  – DBA tools,
  – Hypervisor admin tools, etc.
• User's device type?
• Session recording required?

Login options:

• Direct connection:
  – Windows client required.
  – IE + ActiveX.
  – FF, Chrome, Opera + extension.
  – Single-use EXE.
• Indirect via proxy:
  – Windows proxy:
    * Connect to proxy using RDP.
    * Sign into proxy first.
    * Next, sign into HiPAM.
    * Launch any admin tool.
  – HTML5 proxy:
    * Sign into HiPAM first.
    * Launch HTML5 session in browser tab.
    * Proxy connects to endpoint with SSH, RDP.


5.8 Direct login from user endpoint

5.9 Login session via VDI proxy


5.10 SSH or RDP session via HTML5 proxy


5.11 Session monitoring

Scalable, detailed, tamper-proof recording of administrator sessions:

Record:
• Full screen.
• App window.
• UI meta data.
• Process meta data.
• Keyboard.
• Copy buffer.
• Webcam.

Store/Playback:
• Structured data in DB.
• Video on filesystem.
• MPEG4 video.
• PNG webcam snaps.
• XML meta data.

Searchable:
• Meta data (who, when, from-where, to-where, duration, ...).
• Session content (keywords).

Secure:
• Right to search.
• Right to playback.
• ACLs.
• Workflow approvals.

• Multiple sensors:
  – IE + ActiveX
  – FF, Chrome or Opera + browser extension
  – HTML5 proxy
• 10 kbyte/s per active session; 100 active sessions/server.


5.12 Windows service account passwords

Periodically change service account passwords without triggering service faults:

Discovery:
• Accounts (local and domain), services, dependencies.

White listing:
• Which accounts to manage?
• Is the list of discovered subscribers complete?
• When/how often to randomize password?
• Inject new password before/after/both?
• Restart service?
• Notify owner?

Notification:
• Multiple subscriber types – SCM, IIS, DCOM, Scheduler.
• Before/after password change.

Fault tolerant:
• Check subscriber availability before password change.
• Retry notification if first attempt fails.


5.13 Service account management process

Diagram: the list of managed systems is probed to discover services and service accounts on the managed endpoints; app owners review and configure which discovered service accounts become managed; the PAM then randomizes the managed accounts' passwords and notifies their subscribers of the new password.
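The rotation sequence of 5.12 and 5.13 (availability check, notify, change, notify, retry), as an added example that is not code from the presentation or from Hitachi ID. The directory is an in-memory dict and the Subscriber objects are constructed stand-ins for the SCM, IIS, DCOM and Scheduler entries that hold a copy of the password; the transient failures are simulated. The rollback on a persistent failure after the directory change is this example's own choice, added because that is the state that produces the service fault the slide warns about.

```python
"""Service account password rotation with subscriber notification (sections 5.12
and 5.13). Added example, not Hitachi ID code; subscribers and failures are simulated."""
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "!#%+-=?@_"

def random_password(length=32):
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

class Subscriber:
    """A place where the password is stored and must be updated when it changes."""
    def __init__(self, kind, host, reachable=True, fail_first=0):
        self.kind, self.host, self.reachable = kind, host, reachable
        self.fail_first = fail_first            # number of simulated transient failures
        self.stored = None
    @property
    def name(self):
        return f"{self.kind}@{self.host}"
    def ping(self):
        return self.reachable
    def update(self, password):
        if self.fail_first > 0:
            self.fail_first -= 1
            raise ConnectionError(f"{self.name} timed out")
        self.stored = password

class RotationAborted(Exception):
    pass

def rotate(directory, account, subscribers, notify_before=(), retries=3, log=None):
    """Randomize `account` in `directory` and push the new value to every subscriber.

    Order, as on the slide: check availability, notify the subscriber kinds listed
    in `notify_before`, change the password, notify the rest, retrying each push.
    If a subscriber still cannot be updated, everything already changed is rolled
    back so no subscriber is left holding a password the directory rejects."""
    log = log if log is not None else []
    down = [s.name for s in subscribers if not s.ping()]
    if down:                                    # nothing is touched if anyone is unreachable
        raise RotationAborted("pre-check failed, unreachable: " + ", ".join(down))
    old, new = directory[account], random_password()
    updated = []

    def push(sub, password):
        for attempt in range(1, retries + 1):
            try:
                sub.update(password)
                log.append(f"{sub.name}: updated (attempt {attempt})")
                return True
            except ConnectionError as exc:
                log.append(f"{sub.name}: {exc}")
        return False

    try:
        for sub in subscribers:
            if sub.kind in notify_before:
                if not push(sub, new):
                    raise RotationAborted(f"{sub.name} not updated before the change")
                updated.append(sub)
        directory[account] = new
        log.append(f"{account}: password changed in directory")
        for sub in subscribers:
            if sub.kind not in notify_before:
                if not push(sub, new):
                    raise RotationAborted(f"{sub.name} not updated after the change")
                updated.append(sub)
    except RotationAborted:
        directory[account] = old                # best-effort return to the previous state
        for sub in updated:
            push(sub, old)
        log.append(f"{account}: rolled back to previous password")
        raise
    return new
```

The `log` list is the audit trail an owner would be sent; a real run would also restart the service where the white list says so, which the slide lists as a per-account choice.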


5.14 Replacing embedded passwords

Applications and scripts can fetch passwords from the credential vault, on demand:

Open / portable:
• HiPAM exposes an API over SOAP/HTTPS.
• Client libraries provided for Windows, .NET, Linux, Unix, Java.

Secure:
• SOAP API authenticates each caller with one-time password (OTP) + IP address.
• Each client has its own ID, which defines accessible credentials.
• The client library fingerprints the calling app, command-line args, config files to generate encryption keys.
• App changes, which may be malicious, require re-authorizing access.

Reliable:
• Library caches passwords, manages the OTP.

Scalable / fast:
• Caching reduces server load and impact of packet latency.

Simple / convenient:
• GetPassword( "config.xml", errorBuf, sizeof(errorBuf), 0, "systemID", "accountID", argc, argv, NULL, passwordBuf, sizeof(passwordBuf) )


5.15 API to securely retrieve credentials

Application

ID + Password

Native protocol of

the service --

possibly secure

Encrypted,

replicated,

audited,

access controlled

and authenticated

Periodically

randomize

passwordsSOAP/HTTPS - OTP, fetch password

Cached

password, OTP

Script or

Application

API

wrapper

library

Privileged

Access

Manager

Credential

vault

Database,

API or service

Application user,

password

HTTPS

Various protocols
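The client authentication described in 5.14 and drawn in 5.15 (caller fingerprint, rotating one-time password, source IP check, client-side cache), as an added example that is not code from the presentation or from Hitachi ID. The Vault class stands in for the SOAP/HTTPS service and the ClientLib class for the wrapper library, both in one process with direct calls instead of SOAP; the executable bytes, argv and config used to build the fingerprint are constructed; the OTP length and the length-prefixed hash layout are this example's choices, and encrypting the on-disk cache with a fingerprint-derived key is left out.

```python
"""Caller fingerprint + rotating OTP + source IP for credential retrieval
(sections 5.14 and 5.15). Added example, not Hitachi ID code."""
import hashlib
import hmac
import secrets

def fingerprint(exe_bytes, argv, config_bytes):
    """Hash of the calling program, its arguments and its config. Each field is
    length-prefixed so that shifting bytes between fields cannot collide."""
    h = hashlib.sha256()
    for part in (exe_bytes, b"\0".join(a.encode() for a in argv), config_bytes):
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.hexdigest()

class Vault:
    """Server side: client registry, per-client OTP chain, audit trail."""
    def __init__(self, passwords):
        self.passwords = passwords          # "system/account" -> current password
        self.clients = {}                   # client id -> registration record
        self.audit = []                     # (client, ip, account, outcome)

    def authorize_client(self, client_id, fp, source_ip, accounts):
        """Done once by an administrator; the first OTP is installed with the client.
        A changed application gets a new fingerprint and must come back through here."""
        first_otp = secrets.token_hex(16)
        self.clients[client_id] = {"fp": fp, "ip": source_ip,
                                   "accounts": set(accounts), "otp": first_otp}
        return first_otp

    def get_password(self, client_id, otp, fp, source_ip, account):
        c = self.clients.get(client_id)
        ok = (c is not None
              and c["ip"] == source_ip
              and hmac.compare_digest(c["fp"], fp)        # app, args or config changed?
              and hmac.compare_digest(c["otp"], otp)      # replayed or stolen old OTP?
              and account in c["accounts"])               # client id scopes the credentials
        self.audit.append((client_id, source_ip, account, "ok" if ok else "denied"))
        if not ok:
            raise PermissionError(f"{client_id}: access to {account} denied")
        c["otp"] = secrets.token_hex(16)    # the presented OTP is burnt; hand out the next
        return self.passwords[account], c["otp"]

class ClientLib:
    """Client side: keeps the current OTP and a per-account cache."""
    def __init__(self, vault, client_id, first_otp, fp, my_ip):
        self.vault, self.client_id, self.fp, self.ip = vault, client_id, fp, my_ip
        self.otp = first_otp
        self.cache = {}

    def get_password(self, account, refresh=False):
        """Cache hit unless `refresh` (e.g. the target just rejected the cached value)."""
        if account in self.cache and not refresh:
            return self.cache[account]
        password, self.otp = self.vault.get_password(
            self.client_id, self.otp, self.fp, self.ip, account)
        self.cache[account] = password
        return password
```

A copied binary or a copied OTP alone gets nothing: the OTP is tied to the client ID, only valid once, and only from the registered address, while the fingerprint check refuses a patched executable or an edited config until an administrator re-authorizes it.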


6 Recorded Demos

6.1 Request privileged account

Animation: ../../pics/camtasia/suite11/hipam-request-password.mp4

6.2 Approve one-time access

Animation: ../../pics/camtasia/suite11/hipam-approve-request.mp4

6.3 Launch approved RDP to Windows

Animation: ../../pics/camtasia/suite11/hipam-launch-rdp-approved-request.mp4

6.4 Request and launch PuTTY to Linux

Animation: ../../pics/camtasia/v10/hipam-linux-preauth.mp4

6.5 Request, approve and play recording

Animation: ../../pics/camtasia/suite11/hipam-view-playback-nb.mp4

6.6 Report on requests for privileged access

Animation: ../../pics/camtasia/v10/hipam-admin-reports.mp4

6.7 Password display

Animation: ../../pics/camtasia/v9/pw-disp-scaled-1/pw-disp-scaled-1.mp4

7 Technology


7.1 Fault-tolerant architecture

Diagram: users reach a load balancer over HTTPS, which fronts two Hitachi ID Privileged Access Manager servers, each with its own credential vault, at sites A and B; the two replicate to each other over TCP/IP + AES. A proxy at site C, behind a firewall, relays TCP/IP + AES from the PAM servers to the managed endpoints: Windows servers or DCs over LDAP/S and NTLM, Unix and Linux hosts over SSH, and other endpoints over various protocols.


7.2 Active-active replication

Avoid data loss and service interruption: multiple copies of the vault in different cities.

• Real-time data replication.
• Fault-tolerant.
• Bandwidth efficient, latency tolerant.
• Best practice: multiple servers in multiple data centers.
• Active/active.
• Load balanced.

7.3 BYOD access to on-premises IAM system

The challenge:

• Users want access on their phones.
• Phone on the Internet, IAM on-prem.
• Don't want attackers probing IAM from the Internet.

Hitachi ID Mobile Access:

• Install + activate iOS, Android app.
• Proxy service on DMZ or cloud.
• IAM, phone both call the proxy - no firewall changes.
• IAM not visible on Internet.

Diagram (outbound connections only): the personal device on the Internet and the IAM server on the private corporate network each connect out through a firewall to a cloud proxy in the DMZ, which is a message passing system. (1) A worker thread on the IAM server asks the proxy: "Give me an HTTP request". (2) The phone sends an HTTPS request that includes the userID and deviceID. (3) The proxy pairs the two.


7.4 Included connectors

Directories: Active Directory and Azure AD; any LDAP; NIS/NIS+ and eDirectory.
Databases: Oracle; SAP ASE and HANA; SQL Server; DB2/UDB; Hyperion; Caché; MySQL; OLAP and ODBC.
Server OS – X86/IA64: Windows: NT thru 2016; Linux and *BSD.
Server OS – Unix: Solaris, AIX and HP-UX.
Server OS – Mainframe: RACF, ACF/2 and TopSecret.
Server OS – Midrange: iSeries (OS400); OpenVMS and HPE/Tandem NonStop.
ERP, CRM and other apps: Oracle EBS; SAP ECC and R/3; JD Edwards; PeopleSoft; Salesforce.com; Concur; Business Objects and Epic.
Messaging & collaboration: Microsoft Exchange, Lync and Office 365; Lotus Notes/Domino; Google Apps; Cisco WebEx, Call Manager and Unity.
Smart cards and 2FA: Any RADIUS service or SAML IdP; Duo Security; RSA SecurID; SafeWord; Vasco; ActivIdentity and Schlumberger.
Access managers / SSO: CA SiteMinder; IBM Security Access Manager; Oracle AM; RSA Access Manager and Imprivata OneSign.
Help desk / ITSM: ServiceNow; BMC Remedy, RemedyForce and Footprints; JIRA; HPE Service Manager; CA Service Desk; Axios Assyst; Ivanti HEAT; Symantec Altiris; Track-It!; MS SCS Manager and Cherwell.
PC filesystem encryption: Microsoft BitLocker; McAfee; Symantec Endpoint Encryption and PGP; CheckPoint and Sophos SafeGuard.
Server health monitoring: HP iLO, Dell DRAC and IBM RSA.
HR / HCM: WorkDay; PeopleSoft HR; SAP HCM and SuccessFactors.
Extensible / scriptable: CSV files; SCIM; SSH; Telnet/TN3270/TN5250; HTTP(S); SQL; LDAP; PowerShell and Python.
Hypervisors and IaaS: AWS; vSphere and ESXi.
Mobile management: BlackBerry Enterprise Server and MobileIron.
Network devices: Cisco IOS, PIX and ASA; Juniper JunOS and ScreenOS; F5 BigIP; HP Procurve; Brocade Fabric OS and CheckPoint SecurePlatform.
Filesystems and content: Windows/CIFS/DFS; SharePoint; Samba; Hitachi Content Platform and HCP Anywhere; Box.com and Twitter.
SIEM: Splunk; ArcSight; RSA Envision and QRadar. Any SIEM supporting SYSLOG or Windows events.
Management & inventory: Qualys; McAfee ePO and MVM; Cisco ACS; ServiceNow ITAM; HP UCMDB; Hitachi HiTrack.

7.5 Integration with custom apps

• Hitachi ID Privileged Access Manager easily integrates with custom, vertical and hosted applications using flexible agents.
• Each flexible agent connects to a class of applications:
  – API bindings (C, C++, Java, COM, ActiveX, MQ Series).
  – Telnet / TN3270 / TN5250 sessions with TLS or SSL.
  – SSH sessions.
  – HTTP(S) administrative interfaces.
  – Web services.
  – Win32 and Unix command-line administration programs.
  – SQL scripts.
  – Custom LDAP attributes.
• Integration takes a few hours to a few days.
• Fixed cost service available from Hitachi ID.


7.6 Device integrations

HiPAM can be used to manage access to devices, including:

• Cisco / IOS.
• Juniper JunOS.
• F5 / BigIP.
• Dell DRAC cards.
• HP iLO cards.
• IBM RSA cards.
• Deep integration with Cisco ACS (TACACS+, RADIUS).
• Extensible via scripted SSH, Telnet, HTTP(S) sessions.

8 Implementation

8.1 Hitachi ID professional services

• Hitachi ID offers a complete range of services relating to Hitachi ID Privileged Access Manager, including:
  – Needs analysis and solution design.
  – Fixed price system deployment.
  – Project planning.
  – Roll-out management, including maximizing user adoption.
  – Ongoing system monitoring.
  – Training.
• Services are based on extensive experience with the Hitachi ID solution delivery process.
• The Hitachi ID professional services team is highly technical and has years of experience deploying IAM solutions.
• Hitachi ID partners with integrators that also offer business process and system design services to mutual customers.
• All implementation services are fixed price:
  – Solution design.
  – Statement of work.


8.2 ID Express - Privileged Access

• Pre-configured integrations, logic to expedite deployment.
• Users identified, authorized via AD domain.
• 2FA for all logins (smart phone app, SMS/PIN, e-mail PIN).
• Randomize, control access to admin passwords.
• One-time access approved via members of AD groups.
• Risk scores applied to access requests, to highlight the unusual.
• Session recording, playback, approval workflows pre-configured.
• Infrastructure for discovering, managing Windows service account passwords.
• Infrastructure for replacing embedded passwords in apps, scripts.

9 Differentiation

9.1 HiPAM advantages (technical)

HiPAM vs. competitors:

• Multi-master, active-active. Competitors: hot standby, "offline" mode.
• 2FA for everyone, no extra cost. Competitors: either purchase a separate 2FA system or rely on AD passwords.
• BYOD access, including approvals. Competitors: fire up your laptop, sign into the VPN.
• Single sign-on. Competitors: re-authenticate for every privileged session.
• Check out multiple accounts in one request. Competitors: one account at a time.
• Temporary privilege elevation. Competitors: only password display/injection.
• Secure laptops (mobile, NAT, firewalled). Competitors: endpoints not really supported.
• Direct connect, HTML5, RDP + launch proxy. Competitors: only via proxy.
• Proxy servers to integrate with remote systems. Competitors: extra cost (more appliances?).
• Run any admin tool, with any protocol. Competitors: can only launch RDP, SSH.


9.2 HiPAM advantages (commercial)

HiPAM vs. competitors:

• Manage groups that control access policy. Competitors: a separate IAM system.
• Proxy servers to integrate with remote systems. Competitors: extra cost (more appliances?).
• Secure Windows service account passwords. Competitors: separate product.
• Secure API replaces embedded passwords. Competitors: separate product.
• Session recording included. Competitors: separate product.
• Over 120 connectors included. Competitors: some connectors cost more.
• Unlimited users. Competitors: fee per user.

10 Summary

Hitachi ID Privileged Access Manager secures privileged accounts:

• Eliminate static, shared passwords to privileged accounts.
• Built-in encryption, replication, geo-diversity for the credential vault.
• Authorized users can launch sessions without knowing or typing a password.
• Infrequent users can request, be authorized for one-time access.
• Strong authentication, authorization and audit throughout the process.

Learn more at hitachi-id.com/privileged-access-manager

hitachi-id.com

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 E-Mail: [email protected]

Date: 2020-03-23 File: PRCS:pres