1 Privileged Access Management 2 Agenda

1 Privileged Access Management
Managing the User Lifecycle
Across On-Premises and
Cloud-Hosted Applications
Hitachi ID Privileged Access Manager
2 Agenda
•
•
•
•
Hitachi ID corporate overview.
Hitachi ID Suite overview.
Securing administrative passwords with Hitachi ID Privileged Access Manager.
Animated demonstration.
© 2015 Hitachi ID Systems, Inc. All rights reserved.
1
Slide Presentation
3 Hitachi ID Corporate Overview
Hitachi ID delivers access governance
and identity administration solutions
to organizations globally.
Hitachi ID solutions are used by Fortune 500
companies to secure access to systems
in the enterprise and in the cloud.
•
•
•
•
•
Founded as M-Tech in 1992.
A division of Hitachi, Ltd. since 2008.
Over 1200 customers.
More than 14M+ licensed users.
Offices in North America, Europe and
APAC.
• Partners globally.
© 2015 Hitachi ID Systems, Inc. All rights reserved.
2
Slide Presentation
4 Representative Customers
5 Hitachi ID Suite
© 2015 Hitachi ID Systems, Inc. All rights reserved.
3
Slide Presentation
6 Securing Privileged Accounts
Thousands of IT assets:
Who has the keys to the kingdom?
• Servers, network devices, databases and
applications:
• Every IT asset has sensitive passwords:
– Administrator passwords:
Used to manage each system.
– Service passwords:
Provide security context to service
programs.
– Application:
Allows one application to connect to
another.
– Numerous.
– High value.
– Heterogeneous.
• Workstations:
– Mobile – dynamic IPs.
– Powered on or off.
– Direct-attached or firewalled.
•
•
•
•
Do these passwords ever change?
Plaintext in configuration files?
Who knows these passwords? (ex-staff?)
Audit: who did what?
7 Project Drivers
Organizations need to secure their most sensitive passwords:
Compliance:
• Pass regulatory audits.
• Compliance should be sustainable.
Security:
• Eliminate static passwords on sensitive accounts.
• Create accountability for admin work.
Cost:
• Efficient process to regularly change privileged passwords.
• Simple and effective deactivation for former administrators.
Flexibility:
• Grant temporary admin access.
• Emergencies, production migrations, workload peaks, etc.
© 2015 Hitachi ID Systems, Inc. All rights reserved.
4
Slide Presentation
8 Participants in PAM
Hitachi ID Privileged Access Manager works by randomizing privileged passwords and connecting
people and programs to privileged accounts as needed:
Privileged
accounts
Get new, random passwords daily or at the desired frequency.
IT Users
Must sign into HiPAM when they need to sign into administrator accounts.
Services
Are automatically updated with new passwords values.
Applications
Use the HiPAM API instead of embedded passwords.
Security
officers
Define policies regarding who can connect to which privileged account.
Auditors
Monitor access requests and privileged login sessions.
9 HiPAM Impact
Feature
Impact
Benefit
Randomize passwords daily
Eliminate static, shared
passwords.
Disconnect former IT staff.
Controlled disclosure
Control who can see
passwords.
The right users and programs
can access privileged accounts,
others cannot.
Logging & Reporting
Monitor password disclosure.
Accountability.
Faster troubleshooting.
Encryption
Secure passwords in storage
and transit.
Physical compromise does not
expose passwords.
Replication
Passwords stored on multiple
servers, in different sites.
Survive server crashes and site
disasters.
© 2015 Hitachi ID Systems, Inc. All rights reserved.
5
Slide Presentation
10 Understand and Manage the Risks
A privileged access management (PAM) system becomes the sole repository of the most important
credentials.
Risk
Disclosure
Description
Mitigation
• Compromised vault
→ security disaster.
• Encrypted vault.
• Strong authentication.
• Flexible authorization.
Data Loss
• Destroyed vault
→ IT disaster.
• Replicate the vault.
Non-availability
• Offline vault
→ IT service interruption.
• One vault in each of 2+ sites.
Customers must test failure conditions before purchase!
11 Randomizing Passwords
Push random
passwords to systems:
•
•
•
•
Periodically (e.g., between 3AM and 4AM).
When users check passwords back in.
When users want a specific password.
On urgent termination.
• Suitable for servers and PCs on the corporate network.
Pull initiated by user
devices:
• Periodically.
• Random time-of-day.
• Opportunistically, when connectivity is available.
• Suitable for off-site laptops, systems in a DMZ.
© 2015 Hitachi ID Systems, Inc. All rights reserved.
6
Slide Presentation
12 Authorizing Access to Privileged Accounts
Two models: permanent and one-time.
Permanent ACL
• Pre-authorized users
can launch an admin
session any time.
• Access control model:
– Users ... belong to
– User groups ... are
assigned ACLs to
– Managed system
policies ... which
contain
– Devices and
applications
One-time request
• Request access for any
user to connect to any
account.
• Approvals workflow
with:
–
–
–
–
–
–
Dynamic routing.
Parallel approvals.
N of M authorizers.
Auto-reminders.
Escalation.
Delegation.
Concurrency control
• Coordinate admin
changes by limiting
number of people
connected to the same
account:
– Can be >1.
– Notify each admin
of the others.
• Ensure accountability of
who had access to an
account at a given time.
• Also used for API
clients.
© 2015 Hitachi ID Systems, Inc. All rights reserved.
7
Slide Presentation
13 Fault-Tolerant Architecture
HitachiID
Privileged Access Manager
Site A
Crypto keys
in registry
User
Admin
Workstation
Password
Vault
010101
101001
100101
LDAP/S,
NTLM
HTTPS
Load
Balancer
Windows
server or DC
SSH,
TCP/IP+AES
Replication
TCP/IP + AES
Unix, Linux
TCP/IP
+AES
Password
Vault
010101
101001
100101
Firewall
Proxy
Various
Target
Systems
Crypto keys
in registry
HitachiID
Privileged Access Manager
Site B
© 2015 Hitachi ID Systems, Inc. All rights reserved.
Site C
8
Slide Presentation
14 Included Connectors
Many integrations to target systems included in the base price:
Directories:
Any LDAP, AD, WinNT, NDS,
eDirectory, NIS/NIS+.
Servers:
Windows NT, 2000, 2003,
2008[R2], 2012, Samba,
Novell, SharePoint.
Databases:
Oracle, Sybase, SQL Server,
DB2/UDB, Informix, Progress,
ODBC, Oracle Hyperion EPM
Shared Services, Cache.
Unix:
Linux, Solaris, AIX, HPUX, 24
more variants.
Mainframes, Midrange:
z/OS: RACF, ACF2,
TopSecret. iSeries,
OpenVMS.
HDD Encryption:
McAfee, CheckPoint,
BitLocker, PGP.
ERP:
JDE, Oracle eBiz,
PeopleSoft, PeopleSoft HR,
SAP R/3 and ECC 6, Siebel,
Business Objects.
Collaboration:
Lotus Notes, iNotes,
Exchange, GroupWise,
BlackBerry ES.
Tokens, Smart Cards:
RSA SecurID, SafeWord,
RADIUS, ActivIdentity,
Schlumberger.
WebSSO:
CA Siteminder, IBM TAM,
Oracle AM, RSA Access
Manager.
Help Desk:
ServiceNow, BMC Remedy,
SDE, HP SM, CA Unicenter,
Assyst, HEAT, Altiris, Clarify,
RSA Envision, Track-It!, MS
System Center Service
Manager
Cloud/SaaS:
WebEx, Google Apps, MS
Office 365, Success Factors,
Salesforce.com, SOAP
(generic).
© 2015 Hitachi ID Systems, Inc. All rights reserved.
9
Slide Presentation
15 Types of Privileged Accounts
Administrator
Embedded
Service
Definition:
• Interactive logins.
• Client tools:
PuTTY, RDP, SQL
Studio, etc.
• May be used at a
physical console.
• One application
connects to
another.
• DB logins, web
services, etc.
• Interactive logins
for troubleshooting.
• Run service
programs with
limited rights.
• Windows requires a
password!
Challenges:
•
•
•
•
• Authenticating apps
prior to password
disclosure.
• Caching, key
management.
• Avoiding service
interruption due to
failed notification:
Access control.
Audit/accountability.
Single sign-on.
Session capture.
16 Infrastructure Auto-Discovery
Find and classify systems, services, groups, accounts:
List systems
• From Hitachi IT
Operations Analyzer.
• From AD, LDAP
(computers).
• From text file
(IT inventory).
• Extensible:
DNS, IP port scan.
Evaluate import rules
• Manage this system?
• Attach system to this
policy?
• Choose initial
ID/password.
• Manage this account?
• Un manage this
system?
Probe systems
•
•
•
•
•
•
Local accounts.
Security groups.
Group memberships.
Services.
Local svc accounts.
Domain svc accounts.
• Hitachi ID Privileged Access Manager can find, probe, classify and load 10,000 systems/hour.
• Normally executed every 24 hours.
• 100% policy driven - no scripts.
© 2015 Hitachi ID Systems, Inc. All rights reserved.
10
Slide Presentation
17 Alternatives to PW display
Launch session (SSO)
• Launch RDP, SSH,
vSphere, SQL Studio, ...
• Extensible (just add a CLI).
• Password is hidden.
• Convenient (SSO).
Temporary entitlement
• Group membership (AD,
Windows, SQL, etc.).
• SSH trust
(.ssh/authorized_keys).
• Entry in /etc/sudoers files.
• Native logging shows
actual user.
• Convenient for platform
admins.
Copy buffer integration
• Inject password into copy
buffer.
• Clear after N seconds.
• Flexible (secondary
connections, open-ended
tooling).
• Convenient.
Display
• Show the password in the
UI.
• Clear after N seconds.
• Useful at the physical
server console.
© 2015 Hitachi ID Systems, Inc. All rights reserved.
11
Slide Presentation
18 Test Safety Features
To prevent a security or an IT operations disaster, a privileged password management system must be
built for safety first:
Unauthorized
disclosure
• Passwords must be encrypted, both in storage and
transmissions.
• Access controls should determine who can see which
passwords.
• Workflow should allow for one-off disclosure.
• Audit logs should record everything.
Data loss,
Service Disruption
• Replicate all data – a server crash should be harmless.
• Replication must be real time, just like password changes.
• Replication must span physical locations, to allow for site
disasters (fire, flood, wire cut).
• These features are mandatory.
• Failure is not an option.
• Ask Hitachi ID for an evaluation guide.
• Evaluate products on multiple, replicated
servers.
• Turn off one server in mid-operation.
• Inspect database contents and sniff
network traffic.
© 2015 Hitachi ID Systems, Inc. All rights reserved.
12
Slide Presentation
19 HiPAM Unique Technology
Multi-master,
active-active
• Trivial to setup, no cost, zero effort to recover from disaster.
• Geographically distributed: maximum safety.
Not just
passwords
• Temporary group elevation, SSH trust relationships.
• Suspend/resume VM (lower cost of cloud!).
Robust
workflow
• Reminders, escalation, delegation, concurrent invitations.
• Not limited to "two keys" scenario.
Control
groups
• Manage AD, LDAP groups that determine who has access.
• Requests, approvals, SoD policy, certification, reports.
Single
product,
not "suite"
•
•
•
•
Credential vault.
Password randomization.
Access control policies.
Session monitoring,
playback.
• Service account
passwords.
• Embedded passwords.
• 110, extensible connectors.
20 Request one-time access
Animation: ../../pics/camtasia/v82/hipam-request-access/hipam-request-access.cam
21 Approve one-time access
Animation: ../../pics/camtasia/v82/hipam-approve-request/hipam-approve-request.cam
© 2015 Hitachi ID Systems, Inc. All rights reserved.
13
Slide Presentation
22 Launch one-time session using a privileged account
Animation: ../../pics/camtasia/v82/hipam-privileged-login-session/hipam-privileged-login-session.cam
23 Request, approve, play recording
Animation: ../../pics/camtasia/v82/hipam-view-playback/hipam-view-playback.cam
24 Report on requests for privileged access
Animation: ../../pics/camtasia/hipam-71/hipam-06-admin-reports.cam
25 HiPAM: PuTTY to Linux
Animation: ../../pics/camtasia/pam-linux-preauth/pam-linux-preauth.cam
26 Activate Mobile Access
Animation: ../../pics/camtasia/v9/enable-mobile-device-1/enable-mobile-device-1.mp4
© 2015 Hitachi ID Systems, Inc. All rights reserved.
14
Slide Presentation
27 Password display
Animation: ../../pics/camtasia/v9/pw-disp-scaled-1/pw-disp-scaled-1.mp4
28 Account set checkout
Animation: ../../pics/camtasia/v9/account-set-checkout-1/account-set-checkout-1.mp4
29 Summary
Hitachi ID Privileged Access Manager secures privileged accounts:
•
•
•
•
•
Eliminate static, shared passwords to privileged accounts.
Built-in encryption, replication, geo-diversity for the credential vault.
Authorized users can launch sessions without knowing or typing a password.
Infrequent users can request, be authorized for one-time access.
Strong authentication, authorization and audit throughout the process.
Learn more at Hitachi-ID.com/Privileged-Access-Manager
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: [email protected]
www.Hitachi-ID.com
Date: May 14, 2015
File: PRCS:pres