1 Hitachi ID Privileged Access Manager Technology. 2 Problem definition. 2.1 Securing privileged accounts

Transcription

1 1 Hitachi ID Privileged Access Manager Technology Product design and network architecture required for a scalable, reliable and functional privileged access management system. 2 Problem definition 2.1 Securing privileged accounts Thousands of IT assets: Servers, network devices, databases and applications: Numerous. High value. Heterogeneous. Workstations: Mobile dynamic IPs. Powered on or off. Direct-attached or firewalled. Who has the keys to the kingdom? Every IT asset has sensitive passwords: Administrator passwords: Used to manage each system. Service passwords: Provide security context to service programs. Application: Allows one application to connect to another. Do these passwords ever change? Plaintext in configuration files? Who knows these passwords? (ex-staff?) Who made what changes, when and why? 2018 Hitachi ID Systems, Inc. All rights reserved. 1

2 2.2 Types of privileged accounts There are three types of privileged accounts, each with unique requirements: Interactive administrator Embedded Windows service Examples Root - Unix/Linux Administrator - Windows SA - SQL Server Databases Directories Web services SCM Scheduled jobs IIS components Requirements Single sign-on Session capture Concurrency control Secure API Caching Client-side key management Subscriber discovery Fault tolerant notification Deliberate onboarding 3 Functional approach 2018 Hitachi ID Systems, Inc. All rights reserved. 2

3 3.1 Securing administrator accounts 2018 Hitachi ID Systems, Inc. All rights reserved. 3

4 3.2 Embedded passwords in apps and scripts 2018 Hitachi ID Systems, Inc. All rights reserved. 4

5 3.3 Windows service account passwords 4 Technical requirements 2018 Hitachi ID Systems, Inc. All rights reserved. 5

6 4.1 Safe and reliable Loss of password data would be catastrophic. Temporary loss of access to password data would be a major service interruption. The system, in aggregate, must survive: Hardware faults (e.g., disk crash, PSU fried, etc.). Network faults (e.g., router misconfigured, cable cut, etc.). Physical disasters (e.g., fire, flood, etc. outage). When faced with a fault, the system should remain accessible and operational without human intervention. Human intervention adds hours of delay to recovery. See service interruption above. Reliably inject new passwords into Windows service infrastructure. Failure to notify will trigger an outage. Fault tolerant replacement for embedded passwords. App that cannot reach the vault also cannot reach its back-end DB. 4.2 Functional Randomize passwords. Encrypt storage. Pre-authorized access policy. One-time access request workflow. Limit concurrent access. Audit access (meta data, forensics). Single sign-on where feasible. Temporary privilege escalation (group memberships, SSH trust). Reports and dashboards (activity, history, patterns, etc.). 4.3 Manageable Not practical to manually onboard thousands of systems. Onboarding automation: Discover systems (multiple data types - AD, LDAP, CSV, etc.). Classify systems (rules). Probe systems - find accounts, groups, services. Classify accounts (rules). Automatically apply policy. Off-boarding automation / archive vault: Retired systems. Deleted accounts. Accounts that are no longer privileged Hitachi ID Systems, Inc. All rights reserved. 6

7 4.4 Connected Pre-built connectors: OS: Windows, Unix, Linux, z/os, iseries,... DB: Oracle, Microsoft, IBM, MySQL,... App: SAP, PeopleSoft, Oracle, Siebel,... Network devices: Cisco, Juniper, F5, Avaya, 3Com,... Hardware: ilo, DRAC, IBM RSA,... Hypervisors: ESXi/vSphere, vcloud, Xen, KVM,... SaaS: Salesforce.com, O365, Google, WebEx,... IaaS: AWS, vcloud, OpenStack,... Extensible integrations: SSH, Telnet, HTTP(S), TN3270, TN5250, SOAP, REST, WMI, CLI, SQL, LDAP(S),... Network path: Personal/mobile endpoints (laptops, BYOD) DHCP, NAT, firewall, sporadic connection. Endpoints in DMZs firewalls, cannot resolve hostname, no route. 4.5 Scalable Privileged accounts: Users: Configured. Passwords randomized daily. Concurrently checked out. Probed daily. 2,000,000 1,000,000 1, ,000 PAM login profiles. Active sessions. 200,000 1,000 Network path: PAM nodes: User PAM system [proxy?] managed system. Direct, local. Copies of vault. Concurrently active Hitachi ID Systems, Inc. All rights reserved. 7

8 5 Unique capabilities 5.1 Multi-master replication Avoid data loss and service interruption: Multiple copies of the vault in different cities. Real-time data replication. Fault-tolerant. Bandwidth efficient, latency tolerant. Best practice: multiple servers in multiple data centers. Active/active Load balanced. 5.2 Access disclosure mechanisms Launch session (SSO) Temporary entitlement Copy buffer integration Display Launch RDP, SSH, vsphere, SQL Studio,... Extensible (launch any CLI). Group membership (AD, Windows, SQL, etc.). SSH trust (.ssh/authorized_keys). Inject password into copy buffer. Clear after N seconds. Show the password in the UI. Clear after N seconds. Password is hidden. Convenient (SSO). Native logging shows actual user. Flexible (secondary connections, open-ended tooling). Useful at the physical server console Hitachi ID Systems, Inc. All rights reserved. 8

9 5.3 Local workstation service Problems Laptops move around: Changing location. Dynamic IP address. Disconnected, powered down. Firewalled, NAT. In some organizations, the network is segmented: DNS names do not resolve globally. Servers on one network cannot connect to those in another. LWS Solution Optional "local agent". Available for Windows, Linux. Main use case: laptops. Periodically calls home. Rather than PAM servers trying to find / connect to the managed endpoint. Eliminates routing, firewall, name resolution issues. Very easy to deploy. Just push out an MSI package. Current record: onboard 30,000 systems/week for 3 consecutive weeks. Extremely scalable. 5.4 Windows service account passwords Periodically change service account passwords without triggering service faults: Discovery: White listing Notification Fault tolerant Accounts (local and domain), services, dependencies. Which accounts to manage? Is the list of discovered subscribers complete? When/how often to randomize password? Inject new password before/after/both? Restart service? Notify owner? Multiple subscriber types SCM, IIS, DCOM, Scheduler. Before/after password change. Check subscriber availability before password change. Retry notification if first attempt fails Hitachi ID Systems, Inc. All rights reserved. 9

10 5.5 Replacing embedded passwords Applications and scripts can fetch passwords from the credential vault, on demand: Open / portable: Secure: Reliable: Scalable / fast: HiPAM exposes an API over SOAP/HTTPS. Client libraries provided for Windows,.NET, Linux, Unix, Java. SOAP API authenticates each caller with one-time password (OTP) + IP address. Each client has its own ID, which defines accessible credentials. The client library fingerprints the calling app, command-line args, config files to generate encryption keys. App changes, which may be malicious, require re-authorizing access. Library caches passwords, manages the OTP. Caching reduces server load and impact of packet latency. Simple / convenient: GetPassword( "config.xml", errorbuf, sizeof(errorbuf), 0, "systemid", "accountid", argc, argv, NULL, passwordbuf, sizeof(passwordbuf) ) 5.6 Suspend/resume VMs Business driver VMs incur cost only when running. More running VMs higher cost: On-premise hypervisor: higher CapEx to buy capacity. IaaS: higher OpEx to lease capacity. Some workloads are dynamic: Training, demos, POCs, QA systems, spare capacity in web farms,... Users are undisciplined: Forget to shut down when done. Wasted capacity. How to "fix" user behaviour? Suspend/resume Use the Hitachi ID Privileged Access Manager workflow: Check-out VMs when needed. Check-in when done or time expired. Access controls (who controls which machines?). Audit, reporting. Semantics: Check-out power on. Check-in suspend. Connectors: AWS, vsphere. Coming soon: Xen, OpenStack, Hitachi ID Systems, Inc. All rights reserved. 10

11 ( ' & % $ # ", + & * ( ) $ ( ' &. - ) % ( & & 0 /. - ) 3 ) 2 ) 1, & ( ) % 4 2 ) Slide Presentation 5.7 Robust workflow Individual authorizers are slow and unreliable. Special care is required to get fast, reliable replies: Concurrent invitations to multiple users. Approval by N < M users. Automatic reminders. Escalation to replace non-responsive users. Early escalation if users are known to be out-of-office. Scheduled, approved delegation of responsibility. 5.8 Group management The need Most organizations define access control policies based on AD group membership. Are users assigned the right groups? Adequate controls for approval, recertification, SoD, deactivation? The answers are often unsatisfactory... Included features Portal to request membership changes. Robust approvals workflow. SoD between (incompatible) groups. Recertification of membership. Automatically assign groups to matching users. Detect, respond to out-of-band changes. Reports on groups, membership, change history. 5.9 Adaptive Authentication An authentication chain is a defined series of steps. Special type: interactively choose a chain. Special type: programmatically limit available chains. Risk-analysis: VPN? admin user? 2018 Hitachi ID Systems, Inc. All rights reserved. 11

12 5.10 Included connectors Many integrations to target systems included in the base price: Directories: Any LDAP, AD, WinNT, NDS, edirectory, NIS/NIS+. Unix: Linux, Solaris, AIX, HPUX, 24 additional variants. WebSSO: CA Siteminder, IBM TAM, Oracle AM, RSA Access Manager. Servers: Windows NT, 2000, 2003, 2008, 2008[R2], 2012[R2], Samba, Novell, SharePoint. Mainframes, Midrange: z/os: RACF, ACF2, TopSecret. iseries, OpenVMS. Help Desk: ServiceNow, BMC Remedy, SDE, HP SM, CA Unicenter, Assyst, HEAT, Altiris, Track-It, others... Databases: Oracle, SQL Server, DB2/UDB, Informix, Sybase, ODBC. ERP: JDE, Oracle ebiz, PeopleSoft, SAP R/3 and ECC 6, Siebel, Business Objects. Cloud/SaaS: WebEx, Google Apps, MS Office 365, Success Factors, Salesforce.com, SOAP (generic). Scriptable: SSH, Telnet, TN3270, HTTP(S), SQL, LDAP, command-line. 6 Differentiators 2018 Hitachi ID Systems, Inc. All rights reserved. 12

13 6.1 HiPAM advantages (technical) HiPAM Multi-master, active-active. 2FA for everyone, no extra cost. BYOD access, including approvals Single sign-on. Check-out multiple accounts in one request. Temporary privilege elevation. Secure laptops (mobile, NAT, firewalled). Direct connect, HTML5, RDP+launch proxy. Proxy servers to integrate with remote systems. Run any admin tool, with any protocol. Competitors Hot standby, "offline" mode. Either purchase a separate 2FA system or rely on AD passwords. Fire up your laptop, sign into the VPN. Re-authenticate for every privileged session. One account at a time. Only password display/injection. Endpoints not really supported. Only via proxy. Extra cost (more appliances?). Can only launch RDP, SSH. 6.2 HiPAM advantages (commercial) HiPAM Manage groups that control access policy. Proxy servers to integrate with remote systems. Secure Windows service acct passwords. Secure API replaces embedded passwords. Session recording included. Over 120 connectors included. Unlimited users. Competitors A separate IAM system. Extra cost (more appliances?). Separate product. Separate product. Separate product. Some connectors cost more. Fee per user Hitachi ID Systems, Inc. All rights reserved. 13

14 7 Summary Hitachi ID Privileged Access Manager secures privileged accounts: Eliminate static, shared passwords to privileged accounts. Built-in encryption, replication, geo-diversity for the credential vault. Authorized users can launch sessions without knowing or typing a password. Infrequent users can request, be authorized for one-time access. Strong authentication, authorization and audit throughout the process. Learn more at hitachi-id.com/privileged-access-manager 500, Street SE, Calgary AB Canada T2G 2J3 Tel: sales@hitachi-id.com hitachi-id.com Date: File: PRCS:pres