1 Privileged Access Management Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications Hitachi ID Privileged Access Manager 2 Agenda • • • • Hitachi ID corporate overview. Hitachi ID Suite overview. Securing administrative passwords with Hitachi ID Privileged Access Manager. Animated demonstration. © 2015 Hitachi ID Systems, Inc. All rights reserved. 1 Slide Presentation 3 Hitachi ID Corporate Overview Hitachi ID delivers access governance and identity administration solutions to organizations globally. Hitachi ID solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud. • • • • • Founded as M-Tech in 1992. A division of Hitachi, Ltd. since 2008. Over 1200 customers. More than 14M+ licensed users. Offices in North America, Europe and APAC. • Partners globally. © 2015 Hitachi ID Systems, Inc. All rights reserved. 2 Slide Presentation 4 Representative Customers 5 Hitachi ID Suite © 2015 Hitachi ID Systems, Inc. All rights reserved. 3 Slide Presentation 6 Securing Privileged Accounts Thousands of IT assets: Who has the keys to the kingdom? • Servers, network devices, databases and applications: • Every IT asset has sensitive passwords: – Administrator passwords: Used to manage each system. – Service passwords: Provide security context to service programs. – Application: Allows one application to connect to another. – Numerous. – High value. – Heterogeneous. • Workstations: – Mobile – dynamic IPs. – Powered on or off. – Direct-attached or firewalled. • • • • Do these passwords ever change? Plaintext in configuration files? Who knows these passwords? (ex-staff?) Audit: who did what? 7 Project Drivers Organizations need to secure their most sensitive passwords: Compliance: • Pass regulatory audits. • Compliance should be sustainable. Security: • Eliminate static passwords on sensitive accounts. • Create accountability for admin work. Cost: • Efficient process to regularly change privileged passwords. • Simple and effective deactivation for former administrators. Flexibility: • Grant temporary admin access. • Emergencies, production migrations, workload peaks, etc. © 2015 Hitachi ID Systems, Inc. All rights reserved. 4 Slide Presentation 8 Participants in PAM Hitachi ID Privileged Access Manager works by randomizing privileged passwords and connecting people and programs to privileged accounts as needed: Privileged accounts Get new, random passwords daily or at the desired frequency. IT Users Must sign into HiPAM when they need to sign into administrator accounts. Services Are automatically updated with new passwords values. Applications Use the HiPAM API instead of embedded passwords. Security officers Define policies regarding who can connect to which privileged account. Auditors Monitor access requests and privileged login sessions. 9 HiPAM Impact Feature Impact Benefit Randomize passwords daily Eliminate static, shared passwords. Disconnect former IT staff. Controlled disclosure Control who can see passwords. The right users and programs can access privileged accounts, others cannot. Logging & Reporting Monitor password disclosure. Accountability. Faster troubleshooting. Encryption Secure passwords in storage and transit. Physical compromise does not expose passwords. Replication Passwords stored on multiple servers, in different sites. Survive server crashes and site disasters. © 2015 Hitachi ID Systems, Inc. All rights reserved. 5 Slide Presentation 10 Understand and Manage the Risks A privileged access management (PAM) system becomes the sole repository of the most important credentials. Risk Disclosure Description Mitigation • Compromised vault → security disaster. • Encrypted vault. • Strong authentication. • Flexible authorization. Data Loss • Destroyed vault → IT disaster. • Replicate the vault. Non-availability • Offline vault → IT service interruption. • One vault in each of 2+ sites. Customers must test failure conditions before purchase! 11 Randomizing Passwords Push random passwords to systems: • • • • Periodically (e.g., between 3AM and 4AM). When users check passwords back in. When users want a specific password. On urgent termination. • Suitable for servers and PCs on the corporate network. Pull initiated by user devices: • Periodically. • Random time-of-day. • Opportunistically, when connectivity is available. • Suitable for off-site laptops, systems in a DMZ. © 2015 Hitachi ID Systems, Inc. All rights reserved. 6 Slide Presentation 12 Authorizing Access to Privileged Accounts Two models: permanent and one-time. Permanent ACL • Pre-authorized users can launch an admin session any time. • Access control model: – Users ... belong to – User groups ... are assigned ACLs to – Managed system policies ... which contain – Devices and applications One-time request • Request access for any user to connect to any account. • Approvals workflow with: – – – – – – Dynamic routing. Parallel approvals. N of M authorizers. Auto-reminders. Escalation. Delegation. Concurrency control • Coordinate admin changes by limiting number of people connected to the same account: – Can be >1. – Notify each admin of the others. • Ensure accountability of who had access to an account at a given time. • Also used for API clients. © 2015 Hitachi ID Systems, Inc. All rights reserved. 7 Slide Presentation 13 Fault-Tolerant Architecture HitachiID Privileged Access Manager Site A Crypto keys in registry User Admin Workstation Password Vault 010101 101001 100101 LDAP/S, NTLM HTTPS Load Balancer Windows server or DC SSH, TCP/IP+AES Replication TCP/IP + AES Unix, Linux TCP/IP +AES Password Vault 010101 101001 100101 Firewall Proxy Various Target Systems Crypto keys in registry HitachiID Privileged Access Manager Site B © 2015 Hitachi ID Systems, Inc. All rights reserved. Site C 8 Slide Presentation 14 Included Connectors Many integrations to target systems included in the base price: Directories: Any LDAP, AD, WinNT, NDS, eDirectory, NIS/NIS+. Servers: Windows NT, 2000, 2003, 2008[R2], 2012, Samba, Novell, SharePoint. Databases: Oracle, Sybase, SQL Server, DB2/UDB, Informix, Progress, ODBC, Oracle Hyperion EPM Shared Services, Cache. Unix: Linux, Solaris, AIX, HPUX, 24 more variants. Mainframes, Midrange: z/OS: RACF, ACF2, TopSecret. iSeries, OpenVMS. HDD Encryption: McAfee, CheckPoint, BitLocker, PGP. ERP: JDE, Oracle eBiz, PeopleSoft, PeopleSoft HR, SAP R/3 and ECC 6, Siebel, Business Objects. Collaboration: Lotus Notes, iNotes, Exchange, GroupWise, BlackBerry ES. Tokens, Smart Cards: RSA SecurID, SafeWord, RADIUS, ActivIdentity, Schlumberger. WebSSO: CA Siteminder, IBM TAM, Oracle AM, RSA Access Manager. Help Desk: ServiceNow, BMC Remedy, SDE, HP SM, CA Unicenter, Assyst, HEAT, Altiris, Clarify, RSA Envision, Track-It!, MS System Center Service Manager Cloud/SaaS: WebEx, Google Apps, MS Office 365, Success Factors, Salesforce.com, SOAP (generic). © 2015 Hitachi ID Systems, Inc. All rights reserved. 9 Slide Presentation 15 Types of Privileged Accounts Administrator Embedded Service Definition: • Interactive logins. • Client tools: PuTTY, RDP, SQL Studio, etc. • May be used at a physical console. • One application connects to another. • DB logins, web services, etc. • Interactive logins for troubleshooting. • Run service programs with limited rights. • Windows requires a password! Challenges: • • • • • Authenticating apps prior to password disclosure. • Caching, key management. • Avoiding service interruption due to failed notification: Access control. Audit/accountability. Single sign-on. Session capture. 16 Infrastructure Auto-Discovery Find and classify systems, services, groups, accounts: List systems • From Hitachi IT Operations Analyzer. • From AD, LDAP (computers). • From text file (IT inventory). • Extensible: DNS, IP port scan. Evaluate import rules • Manage this system? • Attach system to this policy? • Choose initial ID/password. • Manage this account? • Un manage this system? Probe systems • • • • • • Local accounts. Security groups. Group memberships. Services. Local svc accounts. Domain svc accounts. • Hitachi ID Privileged Access Manager can find, probe, classify and load 10,000 systems/hour. • Normally executed every 24 hours. • 100% policy driven - no scripts. © 2015 Hitachi ID Systems, Inc. All rights reserved. 10 Slide Presentation 17 Alternatives to PW display Launch session (SSO) • Launch RDP, SSH, vSphere, SQL Studio, ... • Extensible (just add a CLI). • Password is hidden. • Convenient (SSO). Temporary entitlement • Group membership (AD, Windows, SQL, etc.). • SSH trust (.ssh/authorized_keys). • Entry in /etc/sudoers files. • Native logging shows actual user. • Convenient for platform admins. Copy buffer integration • Inject password into copy buffer. • Clear after N seconds. • Flexible (secondary connections, open-ended tooling). • Convenient. Display • Show the password in the UI. • Clear after N seconds. • Useful at the physical server console. © 2015 Hitachi ID Systems, Inc. All rights reserved. 11 Slide Presentation 18 Test Safety Features To prevent a security or an IT operations disaster, a privileged password management system must be built for safety first: Unauthorized disclosure • Passwords must be encrypted, both in storage and transmissions. • Access controls should determine who can see which passwords. • Workflow should allow for one-off disclosure. • Audit logs should record everything. Data loss, Service Disruption • Replicate all data – a server crash should be harmless. • Replication must be real time, just like password changes. • Replication must span physical locations, to allow for site disasters (fire, flood, wire cut). • These features are mandatory. • Failure is not an option. • Ask Hitachi ID for an evaluation guide. • Evaluate products on multiple, replicated servers. • Turn off one server in mid-operation. • Inspect database contents and sniff network traffic. © 2015 Hitachi ID Systems, Inc. All rights reserved. 12 Slide Presentation 19 HiPAM Unique Technology Multi-master, active-active • Trivial to setup, no cost, zero effort to recover from disaster. • Geographically distributed: maximum safety. Not just passwords • Temporary group elevation, SSH trust relationships. • Suspend/resume VM (lower cost of cloud!). Robust workflow • Reminders, escalation, delegation, concurrent invitations. • Not limited to "two keys" scenario. Control groups • Manage AD, LDAP groups that determine who has access. • Requests, approvals, SoD policy, certification, reports. Single product, not "suite" • • • • Credential vault. Password randomization. Access control policies. Session monitoring, playback. • Service account passwords. • Embedded passwords. • 110, extensible connectors. 20 Request one-time access Animation: ../../pics/camtasia/v82/hipam-request-access/hipam-request-access.cam 21 Approve one-time access Animation: ../../pics/camtasia/v82/hipam-approve-request/hipam-approve-request.cam © 2015 Hitachi ID Systems, Inc. All rights reserved. 13 Slide Presentation 22 Launch one-time session using a privileged account Animation: ../../pics/camtasia/v82/hipam-privileged-login-session/hipam-privileged-login-session.cam 23 Request, approve, play recording Animation: ../../pics/camtasia/v82/hipam-view-playback/hipam-view-playback.cam 24 Report on requests for privileged access Animation: ../../pics/camtasia/hipam-71/hipam-06-admin-reports.cam 25 HiPAM: PuTTY to Linux Animation: ../../pics/camtasia/pam-linux-preauth/pam-linux-preauth.cam 26 Activate Mobile Access Animation: ../../pics/camtasia/v9/enable-mobile-device-1/enable-mobile-device-1.mp4 © 2015 Hitachi ID Systems, Inc. All rights reserved. 14 Slide Presentation 27 Password display Animation: ../../pics/camtasia/v9/pw-disp-scaled-1/pw-disp-scaled-1.mp4 28 Account set checkout Animation: ../../pics/camtasia/v9/account-set-checkout-1/account-set-checkout-1.mp4 29 Summary Hitachi ID Privileged Access Manager secures privileged accounts: • • • • • Eliminate static, shared passwords to privileged accounts. Built-in encryption, replication, geo-diversity for the credential vault. Authorized users can launch sessions without knowing or typing a password. Infrequent users can request, be authorized for one-time access. Strong authentication, authorization and audit throughout the process. Learn more at Hitachi-ID.com/Privileged-Access-Manager 500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: [email protected] www.Hitachi-ID.com Date: May 14, 2015 File: PRCS:pres
© Copyright 2024