1 Hitachi ID Privileged Access Manager Technology
Product design and network architecture required for a scalable, reliable and functional privileged access management system.
2 Problem definition
2.1 Securing privileged accounts
Thousands of IT assets: Who has the keys to the kingdom?
• Servers, network devices, databases and applications:
– Numerous.
– High value.
– Heterogeneous.
• Workstations:
– Mobile – dynamic IPs.
– Powered on or off.
– Direct-attached or firewalled.
• Every IT asset has sensitive passwords:
– Administrator passwords: used to manage each system.
– Service passwords: provide the security context for service programs.
– Application passwords: allow one application to connect to another.
• Do these passwords ever change?
• Plaintext in configuration files?
• Who knows these passwords? (ex-staff?)
• Who made what changes, when and why?
© 2020 Hitachi ID Systems, Inc. All rights reserved. 1
Slide Presentation
2.2 Types of privileged accounts
There are three types of privileged accounts, each with unique requirements:
Interactive administrator:
• Examples: Root - Unix/Linux; Administrator - Windows; SA - SQL Server.
• Requirements: Single sign-on; Session capture; Concurrency control.
Embedded:
• Examples: Databases; Directories; Web services.
• Requirements: Secure API; Caching; Client-side key management.
Windows service:
• Examples: SCM; Scheduled jobs; IIS components.
• Requirements: Subscriber discovery; Fault tolerant notification; Deliberate onboarding.
3 Functional approach
3.1 Securing administrator accounts
3.2 Embedded passwords in apps and scripts
3.3 Windows service account passwords
4 Technical requirements
4.1 Safe and reliable
• Loss of password data would be catastrophic.
• Temporary loss of access to password data would be a major service interruption.
• The system, in aggregate, must survive:
– Hardware faults (e.g., disk crash, PSU fried, etc.).
– Network faults (e.g., router misconfigured, cable cut, etc.).
– Physical disasters (e.g., fire, flood, etc.).
• When faced with a fault, the system should remain accessible and operational without human intervention.
– Human intervention adds hours of delay to recovery.
– See service interruption above.
• Reliably inject new passwords into Windows service infrastructure.
– Failure to notify will trigger an outage.
• Fault tolerant replacement for embedded passwords.
– An app that cannot reach the vault also cannot reach its back-end DB.
4.2 Functional
• Randomize passwords.
• Encrypt storage.
• Pre-authorized access policy.
• One-time access request workflow.
• Limit concurrent access.
• Audit access (meta data, forensics).
• Single sign-on where feasible.
• Temporary privilege escalation (group memberships, SSH trust).
• Reports and dashboards (activity, history, patterns, etc.).
4.3 Manageable
• Not practical to manually onboard thousands of systems.
• Onboarding automation:
– Discover systems (multiple data types - AD, LDAP, CSV, etc.).
– Classify systems (rules).
– Probe systems - find accounts, groups, services.
– Classify accounts (rules).
– Automatically apply policy.
• Off-boarding automation / archive vault:
– Retired systems.
– Deleted accounts.
– Accounts that are no longer privileged.
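The onboarding pipeline above (discover, classify by rule, probe, classify accounts, apply policy, and archive what is no longer present) as an added worked example. This is illustrative code written for this page, not Hitachi ID code: the CSV feed, probe results, hostname rules, group names and policy settings are all constructed assumptions.

```python
import csv
import io
import re

# Constructed sample discovery feed (stand-in for data pulled from AD, LDAP or a CSV export).
INVENTORY_CSV = """hostname,os,source
db-prod-01,Windows Server 2016,AD
web-dev-03,Linux,CSV
core-sw-07,Cisco IOS,CSV
"""

# Constructed probe results: (account, is_builtin_admin, groups) found on each discovered system.
PROBE_RESULTS = {
    "db-prod-01": [("Administrator", True, ["Administrators"]),
                   ("svc_backup", False, ["Users"]),
                   ("jdoe", False, ["Remote Desktop Users"])],
    "web-dev-03": [("root", True, ["wheel"]),
                   ("deploy", False, ["sudo"]),
                   ("nobody", False, [])],
    "core-sw-07": [("admin", True, ["level15"])],
}

# System classification rules: the first regex that matches the hostname wins.
SYSTEM_RULES = [
    (re.compile(r"-prod-"), "production"),
    (re.compile(r"-dev-"), "development"),
    (re.compile(r"^core-"), "network-core"),
]

# Account classification rule: built-in admin, or member of a group that grants admin rights.
PRIVILEGED_GROUPS = {"Administrators", "wheel", "sudo", "level15"}

# Policy applied automatically per system class (hypothetical settings).
POLICIES = {
    "production":   {"randomize_days": 1,  "approval_required": True},
    "development":  {"randomize_days": 7,  "approval_required": False},
    "network-core": {"randomize_days": 1,  "approval_required": True},
    "unclassified": {"randomize_days": 30, "approval_required": True},
}


def discover(csv_text):
    """Step 1: read the discovery feed into one record per system."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def classify_system(hostname):
    """Step 2: classify a system by rule; anything unmatched gets the conservative default."""
    for pattern, system_class in SYSTEM_RULES:
        if pattern.search(hostname):
            return system_class
    return "unclassified"


def classify_account(is_builtin_admin, groups):
    """Step 4: decide whether a probed account is privileged."""
    return "privileged" if is_builtin_admin or PRIVILEGED_GROUPS & set(groups) else "standard"


def onboard(csv_text, probe_results):
    """Steps 1-5: discover, classify, probe (results supplied), classify accounts, apply policy."""
    managed = []
    for system in discover(csv_text):
        host = system["hostname"]
        system_class = classify_system(host)
        policy = POLICIES[system_class]
        for name, is_builtin_admin, groups in probe_results.get(host, []):
            if classify_account(is_builtin_admin, groups) == "privileged":
                managed.append({"host": host, "class": system_class, "account": name, **policy})
    return managed


def offboard(managed, current_hosts, archive):
    """Off-boarding: entries for systems that are no longer discovered move to the archive vault."""
    still_managed = []
    for entry in managed:
        (still_managed if entry["host"] in current_hosts else archive).append(entry)
    return still_managed


if __name__ == "__main__":
    for entry in onboard(INVENTORY_CSV, PROBE_RESULTS):
        print(entry)
```

The unmatched-hostname default is deliberately the strictest policy: a system the rules cannot place is still managed, just with approval required, rather than silently left out of the vault.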
4.4 Connected
• Pre-built connectors:
– OS: Windows, Unix, Linux, z/OS, iSeries, ...
– DB: Oracle, Microsoft, IBM, MySQL, ...
– App: SAP, PeopleSoft, Oracle, Siebel, ...
– Network devices: Cisco, Juniper, F5, Avaya, 3Com, ...
– Hardware: iLO, DRAC, IBM RSA, ...
– Hypervisors: ESXi/vSphere, vCloud, Xen, KVM, ...
– SaaS: Salesforce.com, O365, Google, WebEx, ...
– IaaS: AWS, vCloud, OpenStack, ...
• Extensible integrations:
– SSH, Telnet, HTTP(S), TN3270, TN5250, SOAP, REST, WMI, CLI, SQL, LDAP(S), ...
• Network path:
– Personal/mobile endpoints (laptops, BYOD) – DHCP, NAT, firewall, sporadic connection.
– Endpoints in DMZs – firewalls, cannot resolve hostname, no route.
4.5 Scalable
Privileged accounts:
• Configured: 2,000,000.
• Passwords randomized daily: 1,000,000.
• Concurrently checked out: 1,000.
• Probed daily: 100,000.
Users:
• PAM login profiles: 200,000.
• Active sessions: 1,000.
Network path:
• User → PAM system → [proxy?] → managed system.
• Direct, local.
PAM nodes:
• Copies of vault: 10.
• Concurrently active: 10.
5 Unique capabilities
5.1 Active-active replication
Avoid data loss and service interruption: multiple copies of the vault in different cities.
• Real-time data replication.
• Fault-tolerant.
• Bandwidth efficient, latency tolerant.
• Best practice: multiple servers in multiple data centers.
• Active/active.
• Load balanced.
5.2 Access disclosure mechanisms
Launch session (SSO):
• Launch RDP, SSH, vSphere, SQL Studio, ...
• Extensible (launch any CLI).
• Password is hidden.
• Convenient (SSO).
Temporary entitlement:
• Group membership (AD, Windows, SQL, etc.).
• SSH trust (.ssh/authorized_keys).
• Native logging shows actual user.
Copy buffer integration:
• Inject password into copy buffer.
• Clear after N seconds.
• Flexible (secondary connections, open-ended tooling).
Display:
• Show the password in the UI.
• Clear after N seconds.
• Useful at the physical server console.
5.3 Local workstation service
Problems:
• Laptops move around:
– Changing location.
– Dynamic IP address.
– Disconnected, powered down.
– Firewalled, NAT.
• In some organizations, the network is segmented:
– DNS names do not resolve globally.
– Servers on one network cannot connect to those in another.
LWS solution:
• Optional "local agent".
– Available for Windows, Linux.
– Main use case: laptops.
• Periodically calls home.
– Rather than PAM servers trying to find / connect to the managed endpoint.
• Eliminates routing, firewall, name resolution issues.
• Very easy to deploy.
– Just push out an MSI package.
– Current record: onboard 30,000 systems/week for 3 consecutive weeks.
• Extremely scalable.
5.4 Windows service account passwords
Periodically change service account passwords without triggering service faults:
Discovery:
• Accounts (local and domain), services, dependencies.
White listing:
• Which accounts to manage?
• Is the list of discovered subscribers complete?
• When/how often to randomize password?
• Inject new password before/after/both?
• Restart service?
• Notify owner?
Notification:
• Multiple subscriber types – SCM, IIS, DCOM, Scheduler.
• Before/after password change.
Fault tolerant:
• Check subscriber availability before password change.
• Retry notification if first attempt fails.
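An added simulation of one rotation cycle that applies the rules above: only whitelisted accounts are touched, every subscriber must be reachable before the password changes, the new password is injected before and/or after the change, and notification is retried. It is illustrative code for this page, not Hitachi ID's implementation; the Subscriber and Target classes are constructed stand-ins for the SCM/IIS/DCOM/Scheduler subscribers and the account store, and the retry limit is an assumption.

```python
import secrets
import string


class Subscriber:
    """Constructed stand-in for a place that holds a copy of the service account's password
    (an SCM service, IIS app pool, DCOM component or scheduled task)."""

    def __init__(self, kind, name, available=True, fail_first=0):
        self.kind, self.name, self.available = kind, name, available
        self._failures_left = fail_first   # simulate transient notification failures
        self.password = None
        self.restarted = False

    def reachable(self):
        return self.available

    def inject(self, password):
        if self._failures_left > 0:
            self._failures_left -= 1
            raise ConnectionError(f"{self.kind} {self.name}: transient failure")
        self.password = password

    def restart(self):
        self.restarted = True


class Target:
    """Constructed stand-in for the account store (AD or local SAM) that owns the real password."""

    def __init__(self):
        self.password = "initial"

    def set_password(self, password):
        self.password = password


def random_password(length=32):
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def notify(subscribers, new_password, max_retries):
    """Push the new password to every subscriber, retrying each; returns attempts used (None = gave up)."""
    attempts = {}
    for sub in subscribers:
        attempts[sub.name] = None
        for attempt in range(1, max_retries + 1):
            try:
                sub.inject(new_password)
                sub.restart()
                attempts[sub.name] = attempt
                break
            except ConnectionError:
                continue
    return attempts


def rotate(account, target, subscribers, whitelist, inject_when="after", max_retries=3):
    """One rotation cycle for a single service account, with the safety checks from the slide."""
    if account not in whitelist:
        return {"status": "skipped", "reason": "account not whitelisted"}
    # Check subscriber availability *before* touching the password: a subscriber that cannot be
    # notified would keep presenting the old password and fail at its next logon.
    unreachable = [sub.name for sub in subscribers if not sub.reachable()]
    if unreachable:
        return {"status": "aborted", "reason": "subscriber unreachable", "subscribers": unreachable}
    new_password = random_password()
    attempts = {}
    if inject_when in ("before", "both"):
        attempts = notify(subscribers, new_password, max_retries)
    target.set_password(new_password)
    if inject_when in ("after", "both"):
        attempts = notify(subscribers, new_password, max_retries)
    failed = [name for name, used in attempts.items() if used is None]
    return {"status": "ok" if not failed else "partial", "attempts": attempts, "failed": failed}
```

A "partial" result is the case the slide warns about: the store already has the new password but some subscriber does not, so an operator alert (notify owner) is the next step, not another silent rotation.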
5.5 Replacing embedded passwords
Applications and scripts can fetch passwords from the credential vault, on demand:
Open / portable:
• HiPAM exposes an API over SOAP/HTTPS.
• Client libraries provided for Windows, .NET, Linux, Unix, Java.
Secure:
• SOAP API authenticates each caller with one-time password (OTP) + IP address.
• Each client has its own ID, which defines accessible credentials.
• The client library fingerprints the calling app, command-line args, config files to generate encryption keys.
• App changes, which may be malicious, require re-authorizing access.
Reliable:
• Library caches passwords, manages the OTP.
Scalable / fast:
• Caching reduces server load and impact of packet latency.
Simple / convenient:
• GetPassword( "config.xml", errorBuf, sizeof(errorBuf), 0, "systemID", "accountID", argc, argv, NULL, passwordBuf, sizeof(passwordBuf) )
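An added model of the client-side mechanics described above: the calling program is fingerprinted (binary path, command line, config file), a cache key is derived from that fingerprint, the OTP and the cached passwords are stored sealed under that key, and the server checks client ID, OTP and source IP on every call. This is illustrative code for this page, not the HiPAM client library or its SOAP API; MockVault, Client, the install secret and the HMAC-based sealing construction are all assumptions made here (a real library would use an AEAD cipher).

```python
import hashlib
import hmac
import os


class AuthorizationRequired(Exception):
    """Raised when the client must be (re-)authorized by a PAM administrator."""


def fingerprint(exe_path, argv, config_bytes):
    """Hash what identifies the calling program: binary path, command line and config file contents."""
    digest = hashlib.sha256()
    for part in [exe_path.encode()] + [arg.encode() for arg in argv] + [config_bytes]:
        digest.update(len(part).to_bytes(4, "big") + part)   # length-prefix so parts cannot run together
    return digest.digest()


def derive_key(install_secret, app_fingerprint):
    """Cache key bound to both the per-install secret and the application fingerprint."""
    return hmac.new(install_secret, b"cache-key|" + app_fingerprint, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC with HMAC-SHA256 as the PRF (demo construction only)."""
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag|" + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key, blob):
    """Returns the plaintext, or None if the tag does not verify (wrong key, i.e. wrong fingerprint)."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag|" + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


class MockVault:
    """Constructed server side: each client ID has a source IP, a current OTP and an allow-list."""

    def __init__(self):
        self.clients, self.secrets = {}, {}

    def register(self, client_id, ip, allowed, first_otp):
        self.clients[client_id] = {"ip": ip, "otp": first_otp, "allowed": set(allowed)}

    def get_password(self, client_id, otp, ip, system, account):
        client = self.clients.get(client_id)
        if (client is None or client["ip"] != ip or not hmac.compare_digest(client["otp"], otp)
                or (system, account) not in client["allowed"]):
            raise AuthorizationRequired(client_id)
        client["otp"] = os.urandom(16).hex()        # OTP is single-use: rotate on every success
        return self.secrets[(system, account)], client["otp"]


class Client:
    """Constructed client library: fingerprint-bound key, sealed OTP, sealed password cache."""

    def __init__(self, vault, client_id, ip, install_secret, app_fingerprint, state):
        self.vault, self.client_id, self.ip = vault, client_id, ip
        self.key = derive_key(install_secret, app_fingerprint)
        self.state = state            # dict standing in for the on-disk state file
        self.fetches = 0

    def enrol(self, first_otp):
        self.state["otp"] = seal(self.key, first_otp.encode())

    def _current_otp(self):
        otp = open_sealed(self.key, self.state["otp"]) if "otp" in self.state else None
        if otp is None:
            raise AuthorizationRequired("fingerprint changed or client not enrolled")
        return otp.decode()

    def get_password(self, system, account):
        cached = self.state.get(("cache", system, account))
        if cached is not None:
            plaintext = open_sealed(self.key, cached)
            if plaintext is not None:
                return plaintext.decode()             # served from cache, no round trip
        password, next_otp = self.vault.get_password(self.client_id, self._current_otp(),
                                                     self.ip, system, account)
        self.fetches += 1
        self.state["otp"] = seal(self.key, next_otp.encode())
        self.state[("cache", system, account)] = seal(self.key, password.encode())
        return password
```

Because the OTP itself is sealed under the fingerprint-derived key, a modified binary or a changed command line cannot even present valid credentials to the vault: the cache becomes unreadable and the client raises AuthorizationRequired, which is the "app changes require re-authorizing access" property from the slide.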
5.6 Suspend/resume VMs
Business driver:
• VMs incur cost only when running.
• More running VMs → higher cost:
– On-premise hypervisor: higher CapEx to buy capacity.
– IaaS: higher OpEx to lease capacity.
• Some workloads are dynamic:
– Training, demos, POCs, QA systems, spare capacity in web farms, ...
• Users are undisciplined:
– Forget to shut down when done.
– Wasted capacity.
• How to "fix" user behaviour?
Suspend/resume:
• Use the Hitachi ID Privileged Access Manager workflow:
– Check-out VMs when needed.
– Check-in when done or time expired.
– Access controls (who controls which machines?).
– Audit, reporting.
• Semantics:
– Check-out → power on.
– Check-in → suspend.
• Connectors:
– AWS, vSphere.
– Coming soon: Xen, OpenStack, ...
5.7 Robust workflow
Individual authorizers are slow and unreliable. Special care is required to get fast, reliable replies:
• Concurrent invitations to multiple users.
• Approval by N < M users.
• Automatic reminders.
• Escalation to replace non-responsive users.
• Early escalation if users are known to be out-of-office.
• Scheduled, approved delegation of responsibility.
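An added simulation of the workflow rules above on a minute-by-minute clock: everyone is invited at once, N of M approvals suffice, reminders go out after a quiet period, unresponsive authorizers are replaced from an escalation pool, and an out-of-office authorizer is skipped immediately in favour of a pre-approved delegate (or escalated if none is scheduled). This is illustrative code for this page, not Hitachi ID's workflow engine; the Authorizer model, the timings and the names are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Authorizer:
    name: str
    responds_after: Optional[int] = None   # minutes from invitation to reply; None = never replies
    out_of_office: bool = False
    delegate: Optional[str] = None         # scheduled, pre-approved delegate while away


@dataclass
class Outcome:
    status: str
    minute: int
    approvers: List[str] = field(default_factory=list)
    log: List[str] = field(default_factory=list)


def run_workflow(directory, primary, escalation_pool, required,
                 reminder_after=60, escalate_after=180, horizon=480):
    """Simulate one approval request on a clock of whole minutes (constructed model, not product code)."""
    people: Dict[str, Authorizer] = {a.name: a for a in directory}
    spare = list(escalation_pool)        # names to fall back on, in order
    active: Dict[str, int] = {}          # name -> minute invited
    approvers: List[str] = []
    log: List[str] = []

    def escalate(now):
        if spare:
            invite(spare.pop(0), now)
        else:
            log.append(f"t={now}: nobody left to escalate to")

    def invite(name, now):
        person = people[name]
        if person.out_of_office:
            if person.delegate:
                log.append(f"t={now}: {name} is out of office, inviting delegate {person.delegate}")
                return invite(person.delegate, now)
            log.append(f"t={now}: {name} is out of office with no delegate, escalating early")
            return escalate(now)
        active[name] = now
        log.append(f"t={now}: invited {name}")

    for name in primary:                 # invitations go out concurrently, not one after another
        invite(name, 0)

    for now in range(horizon + 1):
        for name, since in list(active.items()):
            waited = now - since
            person = people[name]
            if person.responds_after is not None and waited == person.responds_after:
                del active[name]
                approvers.append(name)
                log.append(f"t={now}: {name} approved")
            elif waited == reminder_after:
                log.append(f"t={now}: reminder sent to {name}")
            elif waited == escalate_after:
                del active[name]
                log.append(f"t={now}: {name} unresponsive, replaced")
                escalate(now)
        if len(approvers) >= required:   # N of M is enough; nobody waits for the stragglers
            return Outcome("approved", now, approvers, log)
    return Outcome("timed out", horizon, approvers, log)
```

The model treats every reply as an approval so the timing logic stays visible; a real engine also has to handle denials and a hard deadline on the request itself.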
5.8 Group management
The need:
• Most organizations define access control policies based on AD group membership.
• Are users assigned the right groups?
• Adequate controls for approval, recertification, SoD, deactivation?
• The answers are often unsatisfactory ...
Included features:
• Portal to request membership changes.
• Robust approvals workflow.
• SoD between (incompatible) groups.
• Recertification of membership.
• Automatically assign groups to matching users.
• Detect, respond to out-of-band changes.
• Reports on groups, membership, change history.
5.9 Adaptive Authentication
• An authentication chain is a defined series of steps.
• Special type: interactively choose a chain.
• Special type: programmatically limit available chains.
• Risk-analysis: VPN? admin user?
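An added example of the three ideas above working together: chains as ordered step lists, a programmatic limit that removes chains too weak for the computed risk, and an interactive choice restricted to what remains. It is illustrative code for this page, not Hitachi ID's authentication configuration; the chain names, step names, risk weights and thresholds are constructed assumptions (device novelty is added as a third signal beyond the two the slide names).

```python
from typing import Callable, Dict, List, Optional, Tuple

# Chains are ordered weakest to strongest (constructed names, not product configuration).
CHAINS: Dict[str, List[str]] = {
    "password-only": ["password"],
    "password+otp": ["password", "otp"],
    "password+otp+approval": ["password", "otp", "manager-approval"],
}


def risk_score(context: dict) -> int:
    """Toy risk analysis over the signals the slide names (VPN, admin user) plus device novelty."""
    score = 0
    if context.get("via_vpn"):
        score += 1
    if context.get("admin_user"):
        score += 2
    if context.get("new_device"):
        score += 1
    return score


def available_chains(context: dict) -> List[str]:
    """Programmatic limit: drop chains that are too weak for the computed risk."""
    score = risk_score(context)
    allowed = []
    for name, steps in CHAINS.items():
        if score >= 2 and "otp" not in steps:
            continue
        if score >= 3 and "manager-approval" not in steps:
            continue
        allowed.append(name)
    return allowed


def select_chain(context: dict, user_choice: Optional[str] = None) -> str:
    """Interactive choice among the allowed chains; otherwise the strongest one allowed."""
    allowed = available_chains(context)
    if user_choice in allowed:
        return user_choice
    return allowed[-1]


def run_chain(chain: str, verifiers: Dict[str, Callable[[], bool]]) -> Tuple[bool, Optional[str]]:
    """Execute the steps in order; stop at the first failing step and report which one."""
    for step in CHAINS[chain]:
        if not verifiers[step]():
            return False, step
    return True, None
```

The user's choice is validated against the already-filtered list, so a client cannot talk its way back down to a weaker chain once the risk analysis has ruled it out.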
5.10 Included connectors
Many integrations to target systems included in the base price:
Directories: Any LDAP, AD, WinNT, NDS, eDirectory, NIS/NIS+.
Servers: Windows NT, 2000, 2003, 2008, 2008[R2], 2012[R2], Samba, Novell, SharePoint.
Databases: Oracle, SQL Server, DB2/UDB, Informix, Sybase, ODBC.
Unix: Linux, Solaris, AIX, HPUX, 24 additional variants.
Mainframes, Midrange: z/OS: RACF, ACF2, TopSecret. iSeries, OpenVMS.
ERP: JDE, Oracle eBiz, PeopleSoft, SAP R/3 and ECC 6, Siebel, Business Objects.
WebSSO: CA Siteminder, IBM TAM, Oracle AM, RSA Access Manager.
Help Desk: ServiceNow, BMC Remedy, SDE, HP SM, CA Unicenter, Assyst, HEAT, Altiris, Track-It!, others...
Cloud/SaaS: WebEx, Google Apps, MS Office 365, Success Factors, Salesforce.com, SOAP (generic).
Scriptable: SSH, Telnet, TN3270, HTTP(S), SQL, LDAP, command-line.
6 Differentiators
6.1 HiPAM advantages (technical)
HiPAM vs. competitors:
• HiPAM: Multi-master, active-active. Competitors: Hot standby, "offline" mode.
• HiPAM: 2FA for everyone, no extra cost. Competitors: Either purchase a separate 2FA system or rely on AD passwords.
• HiPAM: BYOD access, including approvals. Competitors: Fire up your laptop, sign into the VPN.
• HiPAM: Single sign-on. Competitors: Re-authenticate for every privileged session.
• HiPAM: Check-out multiple accounts in one request. Competitors: One account at a time.
• HiPAM: Temporary privilege elevation. Competitors: Only password display/injection.
• HiPAM: Secure laptops (mobile, NAT, firewalled). Competitors: Endpoints not really supported.
• HiPAM: Direct connect, HTML5, RDP+launch proxy. Competitors: Only via proxy.
• HiPAM: Proxy servers to integrate with remote systems. Competitors: Extra cost (more appliances?).
• HiPAM: Run any admin tool, with any protocol. Competitors: Can only launch RDP, SSH.
6.2 HiPAM advantages (commercial)
HiPAM vs. competitors:
• HiPAM: Manage groups that control access policy. Competitors: A separate IAM system.
• HiPAM: Proxy servers to integrate with remote systems. Competitors: Extra cost (more appliances?).
• HiPAM: Secure Windows service acct passwords. Competitors: Separate product.
• HiPAM: Secure API replaces embedded passwords. Competitors: Separate product.
• HiPAM: Session recording included. Competitors: Separate product.
• HiPAM: Over 120 connectors included. Competitors: Some connectors cost more.
• HiPAM: Unlimited users. Competitors: Fee per user.
7 Summary
Hitachi ID Privileged Access Manager secures privileged accounts:
• Eliminate static, shared passwords to privileged accounts.
• Built-in encryption, replication, geo-diversity for the credential vault.
• Authorized users can launch sessions without knowing or typing a password.
• Infrequent users can request, and be authorized for, one-time access.
• Strong authentication, authorization and audit throughout the process.
Learn more at hitachi-id.com/privileged-access-manager
hitachi-id.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 E-Mail: [email protected]
Date: 2020-03-23 File: PRCS:pres