
1 Hitachi ID Privileged Access Manager Technology

Product design and network architecture required for a scalable, reliable and functional privileged access management system.

2 Problem definition

2.1 Securing privileged accounts

Thousands of IT assets: Who has the keys to the kingdom?

• Servers, network devices, databases and applications:
  – Numerous.
  – High value.
  – Heterogeneous.

• Workstations:
  – Mobile – dynamic IPs.
  – Powered on or off.
  – Direct-attached or firewalled.

• Every IT asset has sensitive passwords:
  – Administrator passwords: used to manage each system.
  – Service passwords: provide the security context for service programs.
  – Application passwords: allow one application to connect to another.

• Do these passwords ever change?
• Plaintext in configuration files?
• Who knows these passwords? (ex-staff?)
• Who made what changes, when and why?

© 2020 Hitachi ID Systems, Inc. All rights reserved. 1


2.2 Types of privileged accounts

There are three types of privileged accounts, each with unique requirements:

Interactive administrator:
• Examples: Root (Unix/Linux), Administrator (Windows), SA (SQL Server).
• Requirements: single sign-on, session capture, concurrency control.

Embedded:
• Examples: databases, directories, web services.
• Requirements: secure API, caching, client-side key management.

Windows service:
• Examples: SCM, scheduled jobs, IIS components.
• Requirements: subscriber discovery, fault-tolerant notification, deliberate onboarding.

3 Functional approach


3.1 Securing administrator accounts


3.2 Embedded passwords in apps and scripts


3.3 Windows service account passwords

4 Technical requirements


4.1 Safe and reliable

• Loss of password data would be catastrophic.
• Temporary loss of access to password data would be a major service interruption.
• The system, in aggregate, must survive:
  – Hardware faults (e.g., disk crash, PSU fried, etc.).
  – Network faults (e.g., router misconfigured, cable cut, etc.).
  – Physical disasters (e.g., fire, flood, outage, etc.).

• When faced with a fault, the system should remain accessible and operational without human intervention.
  – Human intervention adds hours of delay to recovery.
  – See service interruption above.

• Reliably inject new passwords into Windows service infrastructure.
  – Failure to notify will trigger an outage.

• Fault-tolerant replacement for embedded passwords.
  – An app that cannot reach the vault also cannot reach its back-end DB.

4.2 Functional

• Randomize passwords.
• Encrypt storage.
• Pre-authorized access policy.
• One-time access request workflow.
• Limit concurrent access.
• Audit access (metadata, forensics).
• Single sign-on where feasible.
• Temporary privilege escalation (group memberships, SSH trust).
• Reports and dashboards (activity, history, patterns, etc.).

4.3 Manageable

• Not practical to manually onboard thousands of systems.
• Onboarding automation:
  – Discover systems (multiple data types – AD, LDAP, CSV, etc.).
  – Classify systems (rules).
  – Probe systems – find accounts, groups, services.
  – Classify accounts (rules).
  – Automatically apply policy.

• Off-boarding automation / archive vault:
  – Retired systems.
  – Deleted accounts.
  – Accounts that are no longer privileged.
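The five onboarding steps above, as an added example that is not Hitachi ID code: it runs discovery over constructed feeds (stand-ins for AD, LDAP and a CSV export), applies rule-based system classification, probes a constructed account table where a real connector would enumerate accounts and services, classifies the accounts, and assigns a policy name. The hostnames, OU strings, account names and policy labels are all invented for the example.

```python
"""Rule-driven onboarding pipeline (added example, not Hitachi ID code).

Discover systems from several constructed feeds, classify them with rules,
probe each for accounts, classify the accounts with rules, apply a policy.
"""
import csv
import io
import re
from dataclasses import dataclass, field

# Constructed discovery feeds (stand-ins for AD, LDAP and a CSV export).
AD_FEED = [
    {"host": "DC01", "os": "Windows Server 2019", "ou": "OU=DomainControllers"},
    {"host": "WS-ALICE", "os": "Windows 10", "ou": "OU=Laptops"},
]
LDAP_FEED = [{"host": "db-prod-01", "os": "Linux", "ou": "ou=databases"}]
CSV_FEED = "host,os,ou\nweb-dmz-02,Linux,ou=dmz\n"


@dataclass
class System:
    host: str
    os: str
    ou: str
    source: str
    classes: set = field(default_factory=set)


@dataclass
class Account:
    system: str
    name: str
    uid: int
    services: list              # subscribers that log on with this account
    policy: str = "unmanaged"


def discover():
    """Merge all feeds into one list of System records."""
    systems = [System(r["host"], r["os"], r["ou"], "ad") for r in AD_FEED]
    systems += [System(r["host"], r["os"], r["ou"], "ldap") for r in LDAP_FEED]
    systems += [System(r["host"], r["os"], r["ou"], "csv")
                for r in csv.DictReader(io.StringIO(CSV_FEED))]
    return systems


# System classification rules: (predicate, class label). Several may match.
SYSTEM_RULES = [
    (lambda s: "laptops" in s.ou.lower(), "laptop"),           # local-agent candidates
    (lambda s: "dmz" in s.ou.lower(), "dmz"),                  # reachable only via proxy
    (lambda s: s.os.startswith("Windows Server"), "windows-server"),
    (lambda s: s.os == "Linux", "unix"),
]


def classify_systems(systems):
    for s in systems:
        s.classes.update(label for pred, label in SYSTEM_RULES if pred(s))
    return systems


# Constructed probe results: host -> [(account, uid, services)].
PROBE_RESULTS = {
    "DC01": [("Administrator", 500, []), ("svc_backup", 1001, ["BackupSvc"]), ("jdoe", 1002, [])],
    "WS-ALICE": [("Administrator", 500, []), ("alice", 1001, [])],
    "db-prod-01": [("root", 0, []), ("oracle", 54321, ["oracle-db"]), ("bob", 1000, [])],
    "web-dmz-02": [("root", 0, []), ("www-data", 33, ["nginx"])],
}


def probe(system):
    """Where a real connector would enumerate accounts and services."""
    return [Account(system.host, name, uid, list(svcs))
            for name, uid, svcs in PROBE_RESULTS.get(system.host, [])]


# Account classification rules: the first match assigns the policy.
ACCOUNT_RULES = [
    (lambda a: a.uid in (0, 500), "admin-randomize-daily"),
    (lambda a: bool(a.services) or re.match(r"^svc_", a.name) is not None,
     "service-account-notify-subscribers"),
]


def classify_accounts(accounts):
    for a in accounts:
        for pred, policy in ACCOUNT_RULES:
            if pred(a):
                a.policy = policy
                break
    return accounts


def onboard():
    """Run the pipeline; return all systems and the accounts that received a policy."""
    systems = classify_systems(discover())
    accounts = []
    for s in systems:
        accounts += classify_accounts(probe(s))
    managed = [a for a in accounts if a.policy != "unmanaged"]
    return systems, managed


if __name__ == "__main__":
    systems, managed = onboard()
    for s in systems:
        print(s.host, sorted(s.classes))
    for a in managed:
        print(a.system, a.name, "->", a.policy)
```

Ordinary user accounts fall through every rule and stay unmanaged, which is the point of rule-based classification: the vault only takes over accounts a rule has positively identified as privileged, and anything else is left for review rather than silently randomized.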


4.4 Connected

• Pre-built connectors:
  – OS: Windows, Unix, Linux, z/OS, iSeries, ...
  – DB: Oracle, Microsoft, IBM, MySQL, ...
  – App: SAP, PeopleSoft, Oracle, Siebel, ...
  – Network devices: Cisco, Juniper, F5, Avaya, 3Com, ...
  – Hardware: iLO, DRAC, IBM RSA, ...
  – Hypervisors: ESXi/vSphere, vCloud, Xen, KVM, ...
  – SaaS: Salesforce.com, O365, Google, WebEx, ...
  – IaaS: AWS, vCloud, OpenStack, ...

• Extensible integrations:
  – SSH, Telnet, HTTP(S), TN3270, TN5250, SOAP, REST, WMI, CLI, SQL, LDAP(S), ...

• Network path:
  – Personal/mobile endpoints (laptops, BYOD) – DHCP, NAT, firewall, sporadic connection.
  – Endpoints in DMZs – firewalls, cannot resolve hostname, no route.

4.5 Scalable

Privileged accounts:
• Configured: 2,000,000.
• Passwords randomized daily: 1,000,000.
• Concurrently checked out: 1,000.
• Probed daily: 100,000.

Users:
• PAM login profiles: 200,000.
• Active sessions: 1,000.

Network path:
• User → PAM system → [proxy?] → managed system.
• Direct, local.

PAM nodes:
• Copies of vault: 10.
• Concurrently active: 10.


5 Unique capabilities

5.1 Active-active replication

Avoid data loss and service interruption: multiple copies of the vault in different cities.

• Real-time data replication.
• Fault-tolerant.
• Bandwidth efficient, latency tolerant.
• Best practice: multiple servers in multiple data centers.
• Active/active.
• Load balanced.

5.2 Access disclosure mechanisms

Launch session (SSO):
• Launch RDP, SSH, vSphere, SQL Studio, ...
• Extensible (launch any CLI).
• Password is hidden.
• Convenient (SSO).

Temporary entitlement:
• Group membership (AD, Windows, SQL, etc.).
• SSH trust (.ssh/authorized_keys).
• Native logging shows the actual user.

Copy buffer integration:
• Inject password into copy buffer.
• Clear after N seconds.
• Flexible (secondary connections, open-ended tooling).

Display:
• Show the password in the UI.
• Clear after N seconds.
• Useful at the physical server console.


5.3 Local workstation service

Problems:
• Laptops move around:
  – Changing location.
  – Dynamic IP address.
  – Disconnected, powered down.
  – Firewalled, NAT.

• In some organizations, the network is segmented:
  – DNS names do not resolve globally.
  – Servers on one network cannot connect to those in another.

LWS solution:
• Optional "local agent".
  – Available for Windows, Linux.
  – Main use case: laptops.

• Periodically calls home.
  – Rather than PAM servers trying to find / connect to the managed endpoint.

• Eliminates routing, firewall, name resolution issues.

• Very easy to deploy.
  – Just push out an MSI package.
  – Current record: onboard 30,000 systems/week for 3 consecutive weeks.

• Extremely scalable.

5.4 Windows service account passwords

Periodically change service account passwords without triggering service faults:

Discovery:
• Accounts (local and domain), services, dependencies.

White listing:
• Which accounts to manage?
• Is the list of discovered subscribers complete?
• When/how often to randomize the password?
• Inject the new password before/after/both?
• Restart service?
• Notify owner?

Notification:
• Multiple subscriber types – SCM, IIS, DCOM, Scheduler.
• Before/after password change.

Fault tolerant:
• Check subscriber availability before password change.
• Retry notification if the first attempt fails.
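The rotation sequence described above, as an added example that is not Hitachi ID code: it refuses to change the password while any subscriber is unreachable, changes the account, pushes the new password to every subscriber with a bounded retry, and optionally restarts the service. The subscriber objects are constructed stand-ins for an SCM service, a scheduled task and an IIS app pool; a real implementation would call the corresponding Windows APIs in their place.

```python
"""Fault-tolerant rotation of a Windows service account password
(added example, not Hitachi ID code).
"""
import secrets
import string


class Subscriber:
    """Constructed stand-in for anything that logs on with the account."""

    def __init__(self, name, kind, reachable=True, fail_first_n=0):
        self.name, self.kind, self.reachable = name, kind, reachable
        self._fail_left = fail_first_n      # simulated transient RPC failures
        self.password = None
        self.restarted = False

    def ping(self):
        return self.reachable

    def set_password(self, pw):
        if self._fail_left > 0:
            self._fail_left -= 1
            raise ConnectionError(f"{self.name}: transient RPC failure")
        self.password = pw

    def restart(self):
        self.restarted = True


def new_password(length=32):
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rotate(account, subscribers, set_account_password, max_retries=3, restart=True):
    """Randomize `account`'s password and inject it into every subscriber.

    set_account_password(account, pw) stands for the directory/SAM change.
    Returns a dict describing the outcome so a scheduler can act on it.
    """
    # 1. Pre-flight: a subscriber we cannot reach would keep the old password
    #    and fail at its next start, so refuse to rotate at all.
    unreachable = [s.name for s in subscribers if not s.ping()]
    if unreachable:
        return {"status": "skipped", "unreachable": unreachable}

    pw = new_password()
    set_account_password(account, pw)          # 2. change the account itself

    # 3. Notify subscribers, retrying transient failures a bounded number of times.
    failed = []
    for s in subscribers:
        for attempt in range(1, max_retries + 1):
            try:
                s.set_password(pw)
                if restart and s.kind == "scm":
                    s.restart()
                break
            except ConnectionError:
                if attempt == max_retries:
                    failed.append(s.name)
    return {
        "status": "ok" if not failed else "partial",
        "failed": failed,                           # needs operator attention
        "notified": [s.name for s in subscribers if s.password == pw],
    }


if __name__ == "__main__":
    directory = {}
    subs = [Subscriber("BackupSvc", "scm", fail_first_n=1),
            Subscriber("NightlyJob", "task"),
            Subscriber("AppPool", "iis")]
    print(rotate("svc_backup", subs, lambda a, p: directory.__setitem__(a, p)))
```

A "partial" result is the case the slide warns about: the account already has the new password but some subscriber still holds the old one, so that outcome must reach an operator (or an alerting pipeline) rather than being logged and forgotten.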


5.5 Replacing embedded passwords

Applications and scripts can fetch passwords from the credential vault, on demand:

Open / portable:
• HiPAM exposes an API over SOAP/HTTPS.
• Client libraries provided for Windows, .NET, Linux, Unix, Java.

Secure:
• The SOAP API authenticates each caller with a one-time password (OTP) + IP address.
• Each client has its own ID, which defines the accessible credentials.
• The client library fingerprints the calling app, command-line args and config files to generate encryption keys.
• App changes, which may be malicious, require re-authorizing access.

Reliable:
• The library caches passwords and manages the OTP.

Scalable / fast:
• Caching reduces server load and the impact of packet latency.

Simple / convenient:
• GetPassword( "config.xml", errorBuf, sizeof(errorBuf), 0, "systemID", "accountID", argc, argv, NULL, passwordBuf, sizeof(passwordBuf) )
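A model of the client/vault exchange described in this section, as an added example that is not Hitachi ID's client library and does not reproduce its GetPassword API. It shows the three properties the slide lists: a fingerprint of the calling program, its arguments and its config file; a client-side cache that spares the vault a round trip; and a vault that refuses a caller whose fingerprint, rolling OTP, source address or credential entitlement does not match what was authorized. The Vault and Client classes, their method names and the sample client ID, address and secret are all constructed for the example.

```python
"""Client-side model of a vault API for embedded passwords
(added example, not Hitachi ID code).
"""
import hashlib
import hmac
import secrets
import time


def fingerprint(exe_bytes, argv, config_bytes):
    """Length-prefixed SHA-256 over program image, command line and config."""
    h = hashlib.sha256()
    for part in (exe_bytes, "\0".join(argv).encode(), config_bytes):
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.hexdigest()


class Vault:
    """Constructed stand-in for the server side of the API."""

    def __init__(self):
        self.clients = {}   # client_id -> {"fp", "ip", "otp", "allowed"}
        self.secrets = {}   # (system, account) -> password
        self.calls = 0      # round trips, to show the effect of caching

    def authorize(self, client_id, fp, ip, allowed):
        """One-time enrolment by an administrator; returns the first OTP."""
        otp = secrets.token_hex(16)
        self.clients[client_id] = {"fp": fp, "ip": ip, "otp": otp, "allowed": set(allowed)}
        return otp

    def get_password(self, client_id, fp, ip, otp, system, account):
        self.calls += 1
        c = self.clients.get(client_id)
        if c is None or not hmac.compare_digest(c["fp"], fp):
            raise PermissionError("program changed; re-authorization required")
        if c["ip"] != ip or not hmac.compare_digest(c["otp"], otp):
            raise PermissionError("bad OTP or source address")
        if (system, account) not in c["allowed"]:
            raise PermissionError("credential not in this client's entitlement")
        c["otp"] = secrets.token_hex(16)    # roll the OTP only on success
        return self.secrets[(system, account)], c["otp"]


class Client:
    """Constructed stand-in for the library an application links against."""

    def __init__(self, vault, client_id, ip, exe_bytes, argv, config_bytes,
                 ttl=300, clock=time.monotonic):
        self.vault, self.client_id, self.ip = vault, client_id, ip
        self.ttl, self.clock = ttl, clock
        self.fp = fingerprint(exe_bytes, argv, config_bytes)
        self.otp = None
        self.cache = {}     # (system, account) -> (password, expiry)

    def enroll(self, allowed):
        self.otp = self.vault.authorize(self.client_id, self.fp, self.ip, allowed)

    def get_password(self, system, account):
        key = (system, account)
        hit = self.cache.get(key)
        if hit and hit[1] > self.clock():
            return hit[0]                   # served from cache, no round trip
        pw, self.otp = self.vault.get_password(
            self.client_id, self.fp, self.ip, self.otp, system, account)
        self.cache[key] = (pw, self.clock() + self.ttl)
        return pw
```

The cache here is held in memory only; the slide's point that the fingerprint is used "to generate encryption keys" corresponds to encrypting a persistent cache under a key derived from that fingerprint, so a modified binary cannot read what the original one cached.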

5.6 Suspend/resume VMs

Business driver:
• VMs incur cost only when running.
• More running VMs → higher cost:
  – On-premise hypervisor: higher CapEx to buy capacity.
  – IaaS: higher OpEx to lease capacity.

• Some workloads are dynamic:
  – Training, demos, POCs, QA systems, spare capacity in web farms, ...

• Users are undisciplined:
  – Forget to shut down when done.
  – Wasted capacity.

• How to "fix" user behaviour?

Suspend/resume:
• Use the Hitachi ID Privileged Access Manager workflow:
  – Check out VMs when needed.
  – Check in when done or time expired.
  – Access controls (who controls which machines?).
  – Audit, reporting.

• Semantics:
  – Check-out → power on.
  – Check-in → suspend.

• Connectors:
  – AWS, vSphere.
  – Coming soon: Xen, OpenStack, ...


5.7 Robust workflow

Individual authorizers are slow and unreliable. Special care is required to get fast, reliable replies:

• Concurrent invitations to multiple users.
• Approval by N < M users.
• Automatic reminders.
• Escalation to replace non-responsive users.
• Early escalation if users are known to be out-of-office.
• Scheduled, approved delegation of responsibility.
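The six workflow behaviours above, combined into one approval round, as an added example that is not Hitachi ID code: M authorizers are invited at once, N approvals complete the request, non-responders get a reminder and are then replaced by a delegate, and an authorizer already marked out-of-office is skipped for the delegate immediately. The Authorizer/ApprovalRequest classes, the timing parameters and the names are constructed for the example; time is an explicit number so a run is deterministic.

```python
"""N-of-M approval round with reminders and escalation
(added example, not Hitachi ID code).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Authorizer:
    name: str
    out_of_office: bool = False
    alternate: Optional[str] = None     # scheduled delegation target


class ApprovalRequest:
    def __init__(self, authorizers, required, remind_after, escalate_after,
                 directory, now):
        self.required = required
        self.remind_after = remind_after
        self.escalate_after = escalate_after
        self.directory = directory          # name -> Authorizer
        self.invited = {}                   # name -> {"at": t, "reminded": bool}
        self.approvals = set()
        self.status = "pending"
        self.log = []
        for name in authorizers:            # concurrent invitations
            self._invite(name, now)

    def _invite(self, name, now, seen=()):
        a = self.directory[name]
        # Early escalation: do not wait on someone known to be away.
        if a.out_of_office and a.alternate and a.alternate not in seen:
            self.log.append(f"{name} out of office; inviting {a.alternate}")
            return self._invite(a.alternate, now, seen + (name,))
        if name in self.invited or name in self.approvals:
            return
        self.invited[name] = {"at": now, "reminded": False}
        self.log.append(f"invited {name}")

    def respond(self, name, approve, now):
        if self.status != "pending" or name not in self.invited:
            return self.status
        del self.invited[name]              # stops reminders and escalation
        if approve:
            self.approvals.add(name)
            self.log.append(f"{name} approved at {now}")
            if len(self.approvals) >= self.required:
                self.status = "approved"
        else:
            self.log.append(f"{name} denied at {now}")
            self.status = "denied"
        return self.status

    def tick(self, now):
        """Periodic housekeeping: reminders, escalation, expiry."""
        if self.status != "pending":
            return self.status
        for name, st in list(self.invited.items()):
            waited = now - st["at"]
            if waited >= self.escalate_after:
                del self.invited[name]
                alt = self.directory[name].alternate
                if alt:
                    self.log.append(f"{name} unresponsive; escalating to {alt}")
                    self._invite(alt, now, seen=(name,))
                else:
                    self.log.append(f"{name} unresponsive; no alternate")
            elif waited >= self.remind_after and not st["reminded"]:
                st["reminded"] = True
                self.log.append(f"reminder sent to {name}")
        if not self.invited and len(self.approvals) < self.required:
            self.status = "expired"         # nobody left to ask
        return self.status
```

Every transition is appended to the request log, which is the audit trail a reviewer needs to see who actually approved a privileged access request and whether the approval came from the original authorizer or a delegate.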

5.8 Group management

The need:
• Most organizations define access control policies based on AD group membership.
• Are users assigned the right groups?
• Adequate controls for approval, recertification, SoD, deactivation?
• The answers are often unsatisfactory ...

Included features:
• Portal to request membership changes.
• Robust approvals workflow.
• SoD between (incompatible) groups.
• Recertification of membership.
• Automatically assign groups to matching users.
• Detect, respond to out-of-band changes.
• Reports on groups, membership, change history.

5.9 Adaptive Authentication

• An authentication chain is a defined series of steps.
• Special type: interactively choose a chain.
• Special type: programmatically limit available chains.
• Risk analysis: VPN? admin user?


5.10 Included connectors

Many integrations to target systems included in the base price:

Directories: any LDAP, AD, WinNT, NDS, eDirectory, NIS/NIS+.

Servers: Windows NT, 2000, 2003, 2008, 2008[R2], 2012[R2], Samba, Novell, SharePoint.

Databases: Oracle, SQL Server, DB2/UDB, Informix, Sybase, ODBC.

Unix: Linux, Solaris, AIX, HPUX, 24 additional variants.

Mainframes, midrange: z/OS: RACF, ACF2, TopSecret. iSeries, OpenVMS.

ERP: JDE, Oracle eBiz, PeopleSoft, SAP R/3 and ECC 6, Siebel, Business Objects.

WebSSO: CA Siteminder, IBM TAM, Oracle AM, RSA Access Manager.

Help desk: ServiceNow, BMC Remedy, SDE, HP SM, CA Unicenter, Assyst, HEAT, Altiris, Track-It!, others...

Cloud/SaaS: WebEx, Google Apps, MS Office 365, Success Factors, Salesforce.com, SOAP (generic).

Scriptable: SSH, Telnet, TN3270, HTTP(S), SQL, LDAP, command-line.

6 Differentiators


6.1 HiPAM advantages (technical)

HiPAM | Competitors
• Multi-master, active-active. | Hot standby, "offline" mode.
• 2FA for everyone, no extra cost. | Either purchase a separate 2FA system or rely on AD passwords.
• BYOD access, including approvals. | Fire up your laptop, sign into the VPN.
• Single sign-on. | Re-authenticate for every privileged session.
• Check out multiple accounts in one request. | One account at a time.
• Temporary privilege elevation. | Only password display/injection.
• Secure laptops (mobile, NAT, firewalled). | Endpoints not really supported.
• Direct connect, HTML5, RDP + launch proxy. | Only via proxy.
• Proxy servers to integrate with remote systems. | Extra cost (more appliances?).
• Run any admin tool, with any protocol. | Can only launch RDP, SSH.

6.2 HiPAM advantages (commercial)

HiPAM | Competitors
• Manage groups that control access policy. | A separate IAM system.
• Proxy servers to integrate with remote systems. | Extra cost (more appliances?).
• Secure Windows service account passwords. | Separate product.
• Secure API replaces embedded passwords. | Separate product.
• Session recording included. | Separate product.
• Over 120 connectors included. | Some connectors cost more.
• Unlimited users. | Fee per user.


7 Summary

Hitachi ID Privileged Access Manager secures privileged accounts:

• Eliminate static, shared passwords to privileged accounts.
• Built-in encryption, replication and geo-diversity for the credential vault.
• Authorized users can launch sessions without knowing or typing a password.
• Infrequent users can request, and be authorized for, one-time access.
• Strong authentication, authorization and audit throughout the process.

Learn more at hitachi-id.com/privileged-access-manager

hitachi-id.com

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 E-Mail: [email protected]

Date: 2020-03-23 File: PRCS:pres