Hitachi ID Privileged Access Manager: Randomize and control disclosure of privileged passwords

Hitachi ID Privileged Access Manager: Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications. Securing access to administrator, embedded and service accounts.

Transcript of Hitachi ID Privileged Access Manager: Randomize and control disclosure of privileged passwords

  • 1. Hitachi ID Privileged Access Manager. Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications. Securing access to administrator, embedded and service accounts.

  • 2. Agenda
      • Hitachi ID corporate overview.
      • ID Management Suite overview.
      • Securing administrative passwords with Hitachi ID Privileged Access Manager.
      • Animated demonstration.
    2012 Hitachi ID Systems, Inc. All rights reserved.

  • 3. Hitachi ID Corporate Overview
      • Hitachi ID is a leading provider of identity and access management solutions.
      • Founded as M-Tech in 1992. A division of Hitachi, Ltd. since 2008.
      • Over 900 customers. More than 11M+ licensed users.
      • Offices in North America, Europe and APAC. Partners globally.

  • 4. Representative Hitachi ID Customers (no transcribed content).

  • 5. ID Management Suite (no transcribed content).

  • 6. Securing Privileged Accounts
    Thousands of IT assets:
      • Servers, network devices, databases and applications: numerous, high value, heterogeneous.
      • Workstations: mobile, dynamic IPs; powered on or off; direct-attached or firewalled.
    Who has the keys to the kingdom? Every IT asset has sensitive passwords:
      • Administrator passwords: used to manage each system.
      • Service passwords: provide security context to service programs.
      • Application passwords: allow one application to connect to another.
      • Do these passwords ever change? Who knows these passwords (ex-staff)? Audit: who did what?

  • 7. Project Drivers
    Organizations need to secure their most sensitive passwords:
      • Compliance: pass regulatory audits. Compliance should be sustainable.
      • Security: eliminate static passwords on sensitive accounts. Create accountability for admin work.
      • Cost: efficient process to regularly change privileged passwords. Simple and effective deactivation for former administrators.
      • Flexibility: grant temporary admin access. Emergencies, production migrations, workload peaks, etc.

  • 8. Participants in PAM
    Hitachi ID Privileged Access Manager works by randomizing privileged passwords and connecting people and programs to privileged accounts as needed:
      • Privileged accounts: get new, random passwords daily or at the desired frequency.
      • IT users: must sign into HiPAM when they need to sign into administrator accounts.
      • Services: are automatically updated with new password values.
      • Applications: use the HiPAM API instead of embedded passwords.
      • Security officers: define policies regarding who can connect to which privileged account.
      • Auditors: monitor access requests and privileged login sessions.

  • 9. HiPAM Impact
    Feature | Impact | Benefit
    Randomize passwords daily | Eliminate static, shared passwords. | Disconnect former IT staff.
    Controlled disclosure | Control who can see passwords. | The right users and programs can access privileged accounts; others cannot.
    Logging & Reporting | Monitor password disclosure. | Accountability. Faster troubleshooting.
    Encryption | Secure passwords in storage and transit. | Physical compromise does not expose passwords.
    Replication | Passwords stored on multiple servers, in different sites. | Survive server crashes and site disasters.

  • 10. Understand and Manage the Risks
    A privileged access management (PAM) system becomes the sole repository of the most important credentials.
    Risk | Description | Mitigation
    Disclosure | Compromised vault: security disaster. | Encrypted vault. Strong authentication. Flexible authorization.
    Data loss | Destroyed vault: IT disaster. | Replicate the vault.
    Non-availability | Offline vault: IT service interruption. | One vault in each of 2+ sites.
    Customers must test failure conditions before purchase!

  • 11. Randomizing Passwords
    Push (random passwords to managed systems):
      • Periodically (e.g., between 3AM and 4AM).
      • When users check passwords back in.
      • When users want a specific password.
      • On urgent termination.
      • Suitable for servers and PCs on the corporate network.
    Pull (initiated by user devices):
      • Periodically, at a random time of day.
      • Opportunistically, when connectivity is available.
      • Suitable for home PCs and on-the-road laptops.

  • 12. Authorizing Access to Privileged Accounts
    Two models: permanent and one-time.
    Permanent ACL:
      • Pre-authorized users can launch an admin session at any time.
      • Access control model: users ... belong to user groups ... are assigned ACLs to managed system policies ... which contain devices and applications.
      • Also used for API clients.
    One-time request:
      • Request access for any user to connect to any account.
      • Approvals workflow with: dynamic routing; parallel approvals; N of M authorizers; auto-reminders; escalation; delegation.
    Concurrency control:
      • Coordinate admin changes by limiting the number of people connected to the same account.
      • Can be >1. Notify each admin of the others.
      • Ensure accountability for who had access to an account at a given time.

  • 13. Fault-Tolerant Architecture (diagram). Components shown: Hitachi ID Privileged Access Manager at Site A, Site B and Site C, each with a password vault and crypto keys in the registry; replication between sites over TCP/IP + AES; admin workstation connecting over HTTPS through a load balancer; LDAP/S and Windows NTLM to a user server or DC; SSH and TCP/IP + AES to Unix, Linux and various target systems; a proxy behind a firewall.

  • 14. Included Connectors
    Many integrations to target systems included in the base price:
      • Directories: any LDAP, AD, WinNT, NDS, eDirectory, NIS/NIS+.
      • Servers: Windows NT, 2000, 2003, 2008, Samba, Novell, SharePoint.
      • Databases: Oracle, Sybase, SQL Server, DB2/UDB, Informix, ODBC.
      • Unix: Linux, Solaris, AIX, HPUX, 24 more.
      • Mainframes, Midrange: z/OS: RACF, ACF2, TopSecret. iSeries, OpenVMS.
      • HDD Encryption: McAfee, CheckPoint.
      • ERP: JDE, Oracle eBiz, PeopleSoft, SAP R/3 and ECC 6, Siebel, Business Objects.
      • Collaboration: Lotus Notes, Exchange, GroupWise, BlackBerry ES.
      • Tokens, Smart Cards: RSA SecurID, SafeWord, RADIUS, ActivIdentity, Schlumberger.
      • WebSSO: CA Siteminder, IBM TAM, Oracle AM, RSA Access Manager.
      • Help Desk: BMC Remedy, SDE, HP SM, CA Unicenter, Assyst, HEAT, Altiris, Track-It!
      • Cloud/SaaS: WebEx, Google Apps, SOAP (generic).

  • 15. Application and Service Accounts
    Unattended programs on Windows (Services, Scheduled Tasks, IIS Anonymous Access, etc.):
      • Run in the context of a named user.
      • Are started with that user's ID and password.
      • Hitachi ID Privileged Access Manager updates the appropriate OS component after every password change.
    Applications:
      • Eliminate embedded passwords via a secure API to the vault.
      • API authentication using one-time passcode + client IP.

  • 16. Infrastructure Auto-Discovery
    Find and classify systems, services, groups, accounts:
    List systems:
      • From AD, LDAP (computers).
      • From a text file (IT inventory).
      • Extensible: DNS, IP port scan.
    Evaluate import rules:
      • Manage this system?
      • Attach system to this policy?
      • Choose initial ID/password.
      • Manage this account?
      • Un-manage this system?
    Probe systems:
      • Local accounts.
      • Security groups.
      • Group memberships.
      • Services.
      • Local svc accounts.
      • Domain svc accounts.
    Hitachi ID Privileged Access Manager can find, probe, classify and load 10,000 systems/hour. Normally executed every 24 hours. 100% policy driven - no scripts.

  • 17. Alternatives to Displaying Passwords
    Method | How it works | Notes
    Launch session (SSO) | Launch RDP, SSH, etc. from the Hitachi ID Privileged Access Manager web UI. Plug-ins for additional programs/protocols. | Password not disclosed at all. User is connected directly, without further proxy.
    Temporary ACL change | Place the user's AD account in a local security group (Windows). Place the user's public SSH key in the .ssh/authorized_keys file (Unix). Manipulate /etc/sudoers files (Unix). | No password involved. Native logging references the user's own account.
    Copy | Place the password in the user's OS copy buffer. Clear the buffer after N seconds. | Allows the user to paste the password into an e-mail, text, file, etc. Password not directly disclosed.
    Display | Reveal the cleartext value of the password on screen. Clear the display after N seconds. | Appropriate for managing off-line, console login devices.

  • 18. Test Safety Features
    To prevent a security or an IT operations disaster, a privileged password management system must be built for safety first:
    Unauthorized disclosure:
      • Passwords must be encrypted, both in storage and in transmission.
      • Access controls should determine who can see which passwords.
      • Workflow should allow for one-off disclosure.
      • Audit logs should record everything.
    Data loss, service disruption:
      • Replicate all data: a server crash should be harmless.
      • Replication must be real time, just like password changes.
      • Replication must span physical locations, to allow for site disasters (fire, flood, wire cut).
    These features are mandatory. Failure is not an option.
      • Evaluate products on multiple, replicated servers. Ask Hitachi ID for an evaluation guide.
      • Turn off one server in mid-operation.
      • Inspect database contents and sniff network traffic.

  • 19. HiPAM Unique Technology
      • Multi-master: built-in replication, easy to set up and at no extra cost. Geographically distributed for maximum safety. All nodes active: efficient and scalable.
      • Connectors: over 110 connectors, out of the box. Also supports mobile devices.
      • Workflow: dynamic routing to multiple authorizers. Built-in reminders, escalation, delegation.
      • AD/LDAP groups: manage groups that authorize access. Requests, approvals, SoD policy, certification, reports.
      • Session monitor: record keystrokes, video, webcam, more. Workflow controls search, playback.
      • SSO: Launch RDP, SSH, SQL, vSphere and m
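The "Authorizing Access to Privileged Accounts" slide describes one-time requests approved by N of M authorizers routed in parallel, plus concurrency control that caps how many admins hold the same account and records who had it when. The following is an added illustration written for this page, not Hitachi ID code: a minimal approval state machine and account broker. All names (AccessRequest, AccountBroker, the account and user strings in the comments) are hypothetical.

```python
"""Added example (not Hitachi ID code): one-time access requests with
N-of-M approval and a per-account concurrency cap. Names are hypothetical."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


class WorkflowError(Exception):
    """Raised for any action the policy does not allow."""


@dataclass
class AccessRequest:
    """A one-time request by `requester` to use `account`.

    `authorizers` are the M people the request is routed to in parallel;
    it becomes 'approved' once `required` (N) distinct authorizers approve.
    """
    requester: str
    account: str
    authorizers: frozenset
    required: int
    approvals: Set[str] = field(default_factory=set)
    denied_by: Optional[str] = None

    def approve(self, who: str) -> str:
        if self.denied_by:
            raise WorkflowError("request already denied")
        if who == self.requester:
            raise WorkflowError("requester may not approve their own request")
        if who not in self.authorizers:
            raise WorkflowError(f"{who} is not an authorizer for {self.account}")
        self.approvals.add(who)  # a repeated approval by one person counts once
        return self.state()

    def deny(self, who: str) -> str:
        if who not in self.authorizers:
            raise WorkflowError(f"{who} is not an authorizer for {self.account}")
        self.denied_by = who
        return self.state()

    def state(self) -> str:
        if self.denied_by:
            return "denied"
        return "approved" if len(self.approvals) >= self.required else "pending"


@dataclass
class AccountBroker:
    """Tracks who currently holds each account and enforces the maximum
    number of concurrent holders (the slide's 'can be >1')."""
    max_concurrent: int = 1
    holders: Dict[str, Set[str]] = field(default_factory=dict)
    # Append-only audit trail: (event, account, user, time)
    audit: List[Tuple[str, str, str, int]] = field(default_factory=list)

    def checkout(self, request: AccessRequest, t: int) -> Set[str]:
        """Grant the session; returns the other current holders so the
        caller can notify each admin of the others."""
        if request.state() != "approved":
            raise WorkflowError("request is not approved")
        current = self.holders.setdefault(request.account, set())
        if request.requester not in current and len(current) >= self.max_concurrent:
            raise WorkflowError(
                f"{request.account} already has {len(current)} holder(s)")
        current.add(request.requester)
        self.audit.append(("checkout", request.account, request.requester, t))
        return current - {request.requester}

    def checkin(self, account: str, user: str, t: int) -> None:
        self.holders.get(account, set()).discard(user)
        self.audit.append(("checkin", account, user, t))

    def holders_at(self, account: str, t: int) -> Set[str]:
        """Replay the audit trail to answer 'who held this account at time t'."""
        held: Set[str] = set()
        for event, acct, user, when in self.audit:
            if acct != account or when > t:
                continue
            (held.add if event == "checkout" else held.discard)(user)
        return held
```

The two checks that matter for accountability are that a requester can never be one of their own approvers and that `holders_at` is derived from the append-only audit list rather than from the live `holders` map, so the answer survives a check-in that happens later.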
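The "Application and Service Accounts" slide says API clients authenticate with a one-time passcode plus their client IP. The deck gives no further detail of the HiPAM API, so the following is an added example of that general scheme, not the product's implementation: the vault issues a short-lived passcode bound to one IP, stores only its hash, and accepts each passcode exactly once. The class name, the 60-second lifetime and the reason strings are assumptions.

```python
"""Added example (not the HiPAM API): issue and verify single-use API
passcodes bound to a client IP address. Lifetime and names are assumed."""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


class PasscodeVerifier:
    def __init__(self, lifetime_seconds: int = 60):
        self.lifetime = lifetime_seconds
        # passcode_id -> (sha256(passcode), bound client IP, expires_at, consumed)
        self._issued: Dict[str, Tuple[bytes, str, int, bool]] = {}

    @staticmethod
    def _digest(passcode: str) -> bytes:
        return hashlib.sha256(passcode.encode()).digest()

    def issue(self, client_ip: str, now: int) -> Tuple[str, str]:
        """Create a passcode for `client_ip`. Only its hash is stored, so a
        copy of this table does not yield usable passcodes."""
        passcode_id = secrets.token_hex(8)
        passcode = secrets.token_urlsafe(24)
        self._issued[passcode_id] = (
            self._digest(passcode), client_ip, now + self.lifetime, False)
        return passcode_id, passcode

    def verify(self, passcode_id: str, passcode: str, client_ip: str,
               now: int) -> Tuple[bool, str]:
        """Check id, replay, expiry, IP binding and value, in that order.
        The IP check runs before the value check so a passcode stolen
        from one host is useless from another even if it is correct."""
        entry = self._issued.get(passcode_id)
        if entry is None:
            return False, "unknown passcode id"
        digest, bound_ip, expires_at, consumed = entry
        if consumed:
            return False, "replay: passcode already used"
        if now > expires_at:
            return False, "expired"
        if client_ip != bound_ip:
            return False, "client IP does not match issued IP"
        if not hmac.compare_digest(digest, self._digest(passcode)):
            return False, "bad passcode"
        # Mark single-use before reporting success.
        self._issued[passcode_id] = (digest, bound_ip, expires_at, True)
        return True, "ok"

    def purge(self, now: int) -> int:
        """Drop consumed or expired entries; returns how many were removed."""
        stale = [k for k, (_, _, exp, used) in self._issued.items()
                 if used or now > exp]
        for k in stale:
            del self._issued[k]
        return len(stale)
```

The reason strings are returned so the vault can log them; a burst of "client IP does not match issued IP" or "replay" results for one passcode id is the detection signal that a passcode left the host it was issued to. Whether to consume the entry on a wrong-value attempt (stricter, but an avenue for denial of service) is a policy choice this example leaves open.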
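The "Alternatives to Displaying Passwords" slide lists a temporary ACL change on Unix: place the user's public SSH key in .ssh/authorized_keys so no password is ever disclosed and the native sshd log names the user's own key. What the slide does not show is the revocation side, which is what makes the change temporary. The following added example (written for this page, not Hitachi ID's connector) tags each granted key with an expiry in the comment field, which sshd ignores, and prunes expired entries atomically. The `pam-temp-grant` tag format and the sample key strings are constructed for illustration.

```python
"""Added example (not Hitachi ID code): time-limited SSH key grants in
authorized_keys, with expiry-based revocation. Tag format is assumed."""
import os
import re
from pathlib import Path
from typing import List, Tuple

# Marker written into the comment field of each temporary entry; sshd
# ignores comments, so the tag does not affect authentication.
TAG = "pam-temp-grant"
_TAG_RE = re.compile(rf"\s{TAG}:(?P<user>[^:\s]+):(?P<expires>\d+)\s*$")


def grant(lines: List[str], user: str, pubkey: str, now: int, ttl: int) -> List[str]:
    """Return authorized_keys content with a time-limited entry for `user`.

    Only the key type and key data of `pubkey` are kept; any comment the
    user supplied is dropped so the tag is the only comment on the line.
    An existing temporary entry for the same key is replaced, so renewing
    a grant never leaves a second copy of the key behind.
    """
    ktype, kdata = pubkey.split()[:2]

    def same_key(line: str) -> bool:
        fields = line.split()
        return len(fields) >= 2 and fields[:2] == [ktype, kdata]

    kept = [l for l in lines if not (_TAG_RE.search(l) and same_key(l))]
    return kept + [f"{ktype} {kdata} {TAG}:{user}:{now + ttl}"]


def prune(lines: List[str], now: int) -> Tuple[List[str], List[str]]:
    """Split into (kept, revoked). Untagged lines (permanent keys, comments,
    blanks) are always kept; tagged entries are revoked once `now` reaches
    their expiry."""
    kept: List[str] = []
    revoked: List[str] = []
    for line in lines:
        m = _TAG_RE.search(line)
        (revoked if m and now >= int(m.group("expires")) else kept).append(line)
    return kept, revoked


def active_grants(lines: List[str], now: int) -> List[Tuple[str, int]]:
    """(user, expires) for every temporary entry still valid at `now`: the
    'who has access right now' view an auditor wants from this method."""
    out = []
    for line in lines:
        m = _TAG_RE.search(line)
        if m and now < int(m.group("expires")):
            out.append((m.group("user"), int(m.group("expires"))))
    return sorted(out)


def revoke_expired(path: Path, now: int) -> List[str]:
    """Rewrite `path` without expired grants and return the revoked lines.
    Meant to run from cron on the managed host; the write is via a temp
    file and rename so sshd never reads a half-written authorized_keys."""
    lines = path.read_text().splitlines()
    kept, revoked = prune(lines, now)
    if revoked:
        tmp = path.with_name(path.name + ".tmp")
        tmp.write_text("".join(l + "\n" for l in kept))
        os.chmod(tmp, 0o600)
        tmp.replace(path)
    return revoked
```

Because the expiry is only enforced by the prune job, the grant stays live if that job stops running; on OpenSSH versions that support the `expiry-time=` authorized_keys option, adding it to the entry lets sshd enforce the same deadline itself, with the prune job reduced to housekeeping.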