1 Privileged Access Management Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications Hitachi ID Privileged Access Manager 2 Agenda • Hitachi ID corporate overview. • Hitachi ID Suite overview. • Securing administrative passwords with Hitachi ID Privileged Access Manager. • Animated demonstration. 1 © 2015 Hitachi ID Systems, Inc. All rights reserved.
Slide Presentation 3 Hitachi ID Corporate Overview Hitachi ID delivers access governance and identity administration solutions to organizations globally. Hitachi ID solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud. • Founded as M-Tech in 1992. • A division of Hitachi, Ltd. since 2008. • Over 1200 customers. • More than 14M+ licensed users. • Offices in North America, Europe and APAC. • Partners globally. 2 © 2015 Hitachi ID Systems, Inc. All rights reserved.
Slide Presentation 4 Representative Customers 5 Hitachi ID Suite 3 © 2015 Hitachi ID Systems, Inc. All rights reserved.
Slide Presentation 6 Securing Privileged Accounts Thousands of IT assets: Who has the keys to the kingdom? • Servers, network devices, databases and applications: • Every IT asset has sensitive passwords: – Administrator passwords: Used to manage each system. – Service passwords: Provide security context to service programs. – Application: Allows one application to connect to another. • Do these passwords ever change? • Plaintext in configuration files? • Who knows these passwords? (ex-staff?) • Audit: who did what? – Numerous. – High value. – Heterogeneous. • Workstations: – Mobile – dynamic IPs. – Powered on or off. – Direct-attached or firewalled. 7 Project Drivers Organizations need to secure their most sensitive passwords: Compliance: • Pass regulatory audits. • Compliance should be sustainable. Security: • Eliminate static passwords on sensitive accounts. • Create accountability for admin work. Cost: • Efficient process to regularly change privileged passwords. • Simple and effective deactivation for former administrators. Flexibility: • Grant temporary admin access. • Emergencies, production migrations, workload peaks, etc. 4 © 2015 Hitachi ID Systems, Inc. All rights reserved.
Slide Presentation 8 Participants in PAM Hitachi ID Privileged Access Manager works by randomizing privileged passwords and connecting people and programs to privileged accounts as needed: Privileged accounts IT Users Services Applications Security officers Auditors Get new, random passwords daily or at the desired frequency. Must sign into HiPAM when they need to sign into administrator accounts. Are automatically updated with new passwords values. Use the HiPAM API instead of embedded passwords. Define policies regarding who can connect to which privileged account. Monitor access requests and privileged login sessions. 9 HiPAM Impact Feature Randomize passwords daily Impact Eliminate static, shared passwords. Control who can see passwords. Benefit Disconnect former IT staff. Controlled disclosure The right users and programs can access privileged accounts, others cannot. Accountability. Faster troubleshooting. Physical compromise does not expose passwords. Survive server crashes and site disasters. Logging & Reporting Monitor password disclosure. Encryption Secure passwords in storage and transit. Passwords stored on multiple servers, in different sites. Replication 5 © 2015 Hitachi ID Systems, Inc. All rights reserved.
Slide Presentation 10 Understand and Manage the Risks A privileged access management (PAM) system becomes the sole repository of the most important credentials. Risk Disclosure Description Mitigation • Compromised vault → security disaster. • Encrypted vault. • Strong authentication. • Flexible authorization. Data Loss • Destroyed vault → IT disaster. • Offline vault → IT service interruption. • Replicate the vault. Non-availability • One vault in each of 2+ sites. Customers must test failure conditions before purchase! 11 Randomizing Passwords Push random passwords to systems: • Periodically (e.g., between 3AM and 4AM). • When users check passwords back in. • When users want a specific password. • On urgent termination. • Suitable for servers and PCs on the corporate network. Pull initiated by user devices: • Periodically. • Random time-of-day. • Opportunistically, when connectivity is available. • Suitable for off-site laptops, systems in a DMZ. 6 © 2015 Hitachi ID Systems, Inc. All rights reserved.
Slide Presentation 12 Authorizing Access to Privileged Accounts Two models: permanent and one-time. Permanent ACL One-time request Concurrency control • Pre-authorized users can launch an admin session any time. • Access control model: • Request access for any user to connect to any account. • Approvals workflow with: • Coordinate admin changes by limiting number of people connected to the same account: – Users ... belong to – User groups ... are assigned ACLs to – Managed system policies ... which contain – Devices and applications • Also used for API clients. – Dynamic routing. – Parallel approvals. – N of M authorizers. – Auto-reminders. – Escalation. – Delegation. – Can be >1. – Notify each admin of the others. • Ensure accountability of who had access to an account at a given time. 7 © 2015 Hitachi ID Systems, Inc. All rights reserved.
Slide Presentation 13 Fault-Tolerant Architecture HitachiID Privileged Access Manager Site A Crypto keys in registry 010101 101001 100101 Password Password Vault Vault Windows server or DC User LDAP/S, NTLM HTTPS Admin Workstation Load Balancer SSH, TCP/IP+AES Replication TCP/IP + AES Unix, Linux TCP/IP +AES Various Target Systems Password Vault Firewall 010101 101001 100101 Proxy Crypto keys in registry HitachiID Privileged Access Manager Site B Site C 8 © 2015 Hitachi ID Systems, Inc. All rights reserved.
Slide Presentation 14 Included Connectors Many integrations to target systems included in the base price: Directories: Any LDAP, AD, WinNT, NDS, eDirectory, NIS/NIS+. Servers: Windows NT, 2000, 2003, 2008[R2], 2012, Samba, Novell, SharePoint. Databases: Oracle, Sybase, SQL Server, DB2/UDB, Informix, Progress, ODBC, Oracle Hyperion EPM Shared Services, Cache. HDD Encryption: McAfee, CheckPoint, BitLocker, PGP. Unix: Linux, Solaris, AIX, HPUX, 24 more variants. Mainframes, Midrange: z/OS: RACF, ACF2, TopSecret. iSeries, OpenVMS. Collaboration: Lotus Notes, iNotes, Exchange, GroupWise, BlackBerry ES. ERP: JDE, Oracle eBiz, PeopleSoft, PeopleSoft HR, SAP R/3 and ECC 6, Siebel, Business Objects. WebSSO: CA Siteminder, IBM TAM, Oracle AM, RSA Access Manager. Tokens, Smart Cards: RSA SecurID, SafeWord, RADIUS, ActivIdentity, Schlumberger. Help Desk: ServiceNow, BMC Remedy, SDE, HP SM, CA Unicenter, Assyst, HEAT, Altiris, Clarify, RSA Envision, Track-It!, MS System Center Service Manager Cloud/SaaS: WebEx, Google Apps, MS Office 365, Success Factors, Salesforce.com, SOAP (generic). 9 © 2015 Hitachi ID Systems, Inc. All rights reserved.
Slide Presentation 15 Types of Privileged Accounts Administrator Embedded Service Definition: • Interactive logins. • Client tools: PuTTY, RDP, SQL Studio, etc. • May be used at a physical console. • One application connects to another. • DB logins, web services, etc. • Interactive logins for troubleshooting. • Run service programs with limited rights. • Windows requires a password! Challenges: • Access control. • Audit/accountability. • Single sign-on. • Session capture. • Authenticating apps prior to password disclosure. • Caching, key management. • Avoiding service interruption due to failed notification: 16 Infrastructure Auto-Discovery Find and classify systems, services, groups, accounts: List systems Evaluate import rules Probe systems • From Hitachi IT Operations Analyzer. • From AD, LDAP (computers). • From text file (IT inventory). • Extensible: DNS, IP port scan. • Manage this system? • Attach system to this policy? • Choose initial ID/password. • Manage this account? • Un manage this system? • Local accounts. • Security groups. • Group memberships. • Services. • Local svc accounts. • Domain svc accounts. • Hitachi ID Privileged Access Manager can find, probe, classify and load 10,000 systems/hour. • Normally executed every 24 hours. • 100% policy driven - no scripts. 10 © 2015 Hitachi ID Systems, Inc. All rights reserved.
Slide Presentation 17 Alternatives to PW display Launch session (SSO) • Launch RDP, SSH, vSphere, SQL Studio, ... • Extensible (just add a CLI). • Password is hidden. • Convenient (SSO). Temporary entitlement • Group membership (AD, Windows, SQL, etc.). • SSH trust (.ssh/authorized_keys). • Entry in /etc/sudoers files. • Native logging shows actual user. • Convenient for platform admins. Copy buffer integration • Inject password into copy buffer. • Clear after N seconds. • Flexible (secondary connections, open-ended tooling). • Convenient. Display • Show the password in the UI. • Clear after N seconds. • Useful at the physical server console. 11 © 2015 Hitachi ID Systems, Inc. All rights reserved.
Slide Presentation 18 Test Safety Features To prevent a security or an IT operations disaster, a privileged password management system must be built for safety first: Unauthorized disclosure • Passwords must be encrypted, both in storage and transmissions. • Access controls should determine who can see which passwords. • Workflow should allow for one-off disclosure. • Audit logs should record everything. Data loss, Service Disruption • Replicate all data – a server crash should be harmless. • Replication must be real time, just like password changes. • Replication must span physical locations, to allow for site disasters (fire, flood, wire cut). • These features are mandatory. • Failure is not an option. • Ask Hitachi ID for an evaluation guide. • Evaluate products on multiple, replicated servers. • Turn off one server in mid-operation. • Inspect database contents and sniff network traffic. 12 © 2015 Hitachi ID Systems, Inc. All rights reserved.
Slide Presentation 19 HiPAM Unique Technology Multi-master, active-active • Trivial to setup, no cost, zero effort to recover from disaster. • Geographically distributed: maximum safety. Not just passwords • Temporary group elevation, SSH trust relationships. • Suspend/resume VM (lower cost of cloud!). Robust workflow • Reminders, escalation, delegation, concurrent invitations. • Not limited to "two keys" scenario. Control groups • Manage AD, LDAP groups that determine who has access. • Requests, approvals, SoD policy, certification, reports. Single product, not "suite" • Credential vault. • Password randomization. • Access control policies. • Session monitoring, playback. • Service account passwords. • Embedded passwords. • 110, extensible connectors. 20 Request one-time access Animation: ../../pics/camtasia/v82/hipam-request-access/hipam-request-access.cam 21 Approve one-time access Animation: ../../pics/camtasia/v82/hipam-approve-request/hipam-approve-request.cam 13 © 2015 Hitachi ID Systems, Inc. All rights reserved.
Slide Presentation 22 Launch one-time session using a privileged account Animation: ../../pics/camtasia/v82/hipam-privileged-login-session/hipam-privileged-login-session.cam 23 Request, approve, play recording Animation: ../../pics/camtasia/v82/hipam-view-playback/hipam-view-playback.cam 24 Report on requests for privileged access Animation: ../../pics/camtasia/hipam-71/hipam-06-admin-reports.cam 25 HiPAM: PuTTY to Linux Animation: ../../pics/camtasia/pam-linux-preauth/pam-linux-preauth.cam 26 Activate Mobile Access Animation: ../../pics/camtasia/v9/enable-mobile-device-1/enable-mobile-device-1.mp4 14 © 2015 Hitachi ID Systems, Inc. All rights reserved.
Slide Presentation 27 Password display Animation: ../../pics/camtasia/v9/pw-disp-scaled-1/pw-disp-scaled-1.mp4 28 Account set checkout Animation: ../../pics/camtasia/v9/account-set-checkout-1/account-set-checkout-1.mp4 29 Summary Hitachi ID Privileged Access Manager secures privileged accounts: • Eliminate static, shared passwords to privileged accounts. • Built-in encryption, replication, geo-diversity for the credential vault. • Authorized users can launch sessions without knowing or typing a password. • Infrequent users can request, be authorized for one-time access. • Strong authentication, authorization and audit throughout the process. Learn more at Hitachi-ID.com/Privileged-Access-Manager 500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com Date: May 22, 2015 File: PRCS:pres www.Hitachi-ID.com