2 Me. 3 The Problem. Speaker. Company. Ed Breay Sr. Sales Engineer, Hitachi ID Systems.

Transcription

1 1 2 Me Speaker Ed Breay Sr. Sales Engineer, Hitachi ID Systems. Company Hitachi, Ltd.: a 100 year old Fortune 100 conglomerate. Hitachi ID Systems, Inc.: a 19 year old IAM software subsidiary. Headquarters in Calgary, Alberta Canada 150+ employees, offices worldwide Product Hitachi ID Privileged Access Manager Customers Over 1000 enterprises. Average 12,000 employees. 3 The Problem 2012 Hitachi ID Systems, Inc.. All rights reserved. 1

2 3.1 The power of privilge... "To err is human... to really screw things up requires the root password". 3.2 Privileged passwords The most dangerous accounts are often poorly managed. Who knows the admin password for this system? Ex-employees? Contractors? Vendors? Who signed into this account and when? What did they do? Does this admin password ever change? How do data center staff login at 3AM to fix a problem? This system was compromised. Who might have caused the trouble? How secure is the password used by app A to sign into app B? Plaintext? Static? Embedded? Does the password for a service or application ever change? 3.3 Enterprise IT Landscape Locations Devices Accounts Processes Data centers. Regions. Countries. Private. Cloud. Windows. Unix/Linux. Servers. PCs & Laptops. Network devices. Databases. Applications. Mainframes. Administrator. Service. Application to application. Pre-authorized login. One-off requests. Windows services. Embedded passwords. 3.4 Summary 2012 Hitachi ID Systems, Inc.. All rights reserved. 2

3 4 Solution Alternatives 4.1 Authenticating Administrators Approach Details Implications In advance? On demand? When to delete? How to audit? 200 admins x 10,000 systems = 2M accounts? Offline console access? When to delete? How to audit? Less security admin? Coarse grained control? Support for: Routers? Firewalls? Databases? Need secure, reliable storage! Change 10,000 passwords/day? 5 Share accounts and randomize passwords 5.1 Privileged Access Management 2012 Hitachi ID Systems, Inc.. All rights reserved. 3

4 6 New Risks 6.1 Protect the vault Before PAM Disgruntled ex-employee could gain access to plaintext passwords in config file. Weak audit logs / no accountability. Static passwords give intruder time to attack. After PAM Vault or backup media compromised. Vault inaccessible or destroyed! Weak authentication into PAM. Misconfigured authorization rules. Privilege escalation leveraging PAM. 7 Architectural Solutions 7.1 Data leakage Protect the vault and media against bulk compromise. Strong encryption (AES). Physical and logical access control. Key management Hitachi ID Systems, Inc.. All rights reserved. 4

5 7.2 Damage to vault Vault destroyed or at least unreachable from some locations. Real-time data replication. Fault-tolerant (geographically dispersed). Bandwidth efficient. Functional over high latency WAN links. 7.3 Authentication/authorization Control who can gain access and what they can access. Identify users with an existing directory. Multi-factor authentication (e.g., token, card, phone). Authorize using AD/LDAP groups, attributes. Workflow for one-time requests. Detect and remove users added to authorized groups out-of-band Hitachi ID Systems, Inc.. All rights reserved. 5

6 7.4 Minimize password disclosure Users should not see passwords if it can be avoided. Single sign-on direct from workstation (RDP, SSH, etc). Password injection. Temporary group membership. Temporary SSH trust. Password disclosure is only a last resort. 7.5 Accountability It should be possible to see who did what and when. Log requests, approvals, logins. Record sensitive login sessions. Report on meta data. Controlled playback of recordings. 8 Real World Example 2012 Hitachi ID Systems, Inc.. All rights reserved. 6

7 8.1 Corporate profile Financial services. 60,000+ employees. Over $500,000,000,000 in assets. Global offices in 30+ countries. Heavily regulated. Extremely mature home-grown processes and controls. 8.2 Requirements Eliminate static passwords on servers and workstations. Windows PCs and servers: Laptops PCs servers. Admin IDs service accounts. Unix/Linux servers: Admin IDs embedded passwords. Control processes: Workflow to request, approve, grant access to AD groups. Access certification for AD groups. Future phases: Grant access via group membership, no password disclosure. Record admin login sessions. Record logins of high-value, non-it users. Add platforms (e.g., network devices, mainframe). Lifecycle management of functional accounts Hitachi ID Systems, Inc.. All rights reserved. 7

8 8.3 Challenges Global scale No "quiet hour" for batch processing. Interruption in one region cannot cause outage in another. Must scale to 200,000+ systems, 500,000+ accounts. Integrations Many segmented networks. Cannot initiate TCP/IP connections across segments. Laptops get unplugged, powered down, moved. Data quality Dozens of AD domains. Unreliable data about systems. AD group membership not well managed. Operating practices Multi-home critical apps world-wide. Two data centers per city: App in DC A, Database in DC B. All DBs are clustered. SIEM integration. 8.4 Architecture Global scale Auto-discovery and classification must run alongside access checkouts. System must support 500,000 password changes/day. Integrations Local agent on laptops, PCs contact the PAM server. Regional proxy servers to get past firewalls. Data quality Import server records from CMDB, not AD. Actively manage groups in AD that control authorization. Operating practices Multi-master architecture. 3 app servers, 1 DB cluster per metro area. 2 data centers per metro area. Replication across US, UK, China, Japan Hitachi ID Systems, Inc.. All rights reserved. 8

9 8.5 Single city 8.6 Global replication 2012 Hitachi ID Systems, Inc.. All rights reserved. 9

10 8.7 Push and pull 8.8 Integration timeline 9 Questions 500, Street SE, Calgary AB Canada T2G 2J3 Tel: Fax: sales@hitachi-id.com File: PRCS:pres Date: June 26, 2012