1 Hitachi ID Privileged Access Manager. 2 Agenda. 3 Corporate. Temporary, secure and accountable privilege elevation.

Transcription

1 1 Hitachi ID Privileged Access Manager Temporary, secure and accountable privilege elevation. 2 Agenda Corporate Privilege management challenges Hitachi ID Privileged Access Manager features Technology Implementation Differentiation Discussion / next steps 3 Corporate 2016 Hitachi ID Systems, Inc. All rights reserved. 1

2 3.1 Hitachi ID corporate overview Hitachi ID delivers access governance and identity administration solutions to organizations globally. Hitachi ID solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud. Founded as M-Tech in A division of Hitachi, Ltd. since Over 1200 customers. More than 14M+ licensed users. Offices in North America, Europe and APAC. Global partner network. 3.2 Representative customers 2016 Hitachi ID Systems, Inc. All rights reserved. 2

3 3.3 Hitachi ID Suite 4 Privilege management challenges 4.1 Passwords to privileged accounts Challenges Shared accounts with elevated privileges. Static passwords: Long window of opportunity for attackers. Passwords known to many people: No accountability for use. Departed workers still have access? Solutions Randomize passwords: No longer shared or static. Store values in a vault: Control access to accounts by limiting access to passwords Hitachi ID Systems, Inc. All rights reserved. 3

4 4.2 Accountability for use of elevated privileges Challenges Who used this account? What changes were made? Was use of the access reasonable? Did anything break? Was security compromised? Solutions Personally identify users prior to access. Require strong, multi-factor authentication. Authorize access: Pre-approved for system admins. One-time approval for infrequent users. Audit activity: Access event. Session recording. 4.3 Grant access only temporarily, when needed Challenges Granting permanent access increases risks: Abuse. Accidents. Malware. Better to grant access: Solutions Randomize passwords after use. Launch sessions and inject current credentials. Do not disclose passwords to users: Users can t share what they don t know. On-demand. For short periods. Only when required Hitachi ID Systems, Inc. All rights reserved. 4

5 4.4 Multiple ways to grant access Challenges Different tasks call for different tools. Alternatives to the standard mechanism: Shared accounts. Randomized passwords in a vault. SSO with password injection. Grant multiple credentials at once. Solutions Multiple types of access disclosure. Group sets: Temporarily grant one or more group memberships. Elevate rights of an existing, personal ID. SSH trust: 4.5 Scaling up: thousands of assets, many types Temporary trust relationship. Add user s public SSH key to privileged account s.ssh/authorized_keys file. Account sets: Check out multiple accounts at once. Named accounts or search results. Single request, single approval. Launch multiple logins. Run script across accounts (SIMD). Challenges Admin accounts on every asset. Windows, Unix, Linux, network device, hardware monitor, laptops, databases, apps, midrange, mainframe,... On-premise and cloud. Fixed and moveable/personal assets. Number of assets = 2X or 3X head-count. Security is only as good as the weakest link. Solutions Connectors to various kinds of systems. Auto-discovery to find them. Import rules to manage them Hitachi ID Systems, Inc. All rights reserved. 5

6 4.6 Connectivity challenges Challenges 3 communication paths: User to PAM. PAM to managed system. User to managed system. Each path could be blocked: Systems behind firewalls or NAT. Unroutable addresses. DNS names that do not resolve. Laptops move and get powered down. Solutions PAM to endpoint: Direct connection. PAM to proxy, proxy to endpoint. User to endpoint: Direct to target (launch admin UI, inject creds). RDP to proxy, any protocol to target. HTML5 to proxy, SSH or RDP to target. Endpoint to PAM: Local service calls home. Suitable for laptops, VMs.? User? Managed endpoint? PAM server 4.7 High availability / minimal down-time Challenges Consider what happens in a physical disaster: Vault recovery time delays recovery of all other services. Have to recover the vault first: Cannot afford delays in vault recovery. Solutions Human intervention in recovery would add too much delay. The system must survive disasters. Requirements: Real-time data replication. Geographically distributed. Active-active architecture Hitachi ID Systems, Inc. All rights reserved. 6

7 4.8 Non-human users of privileged accounts Challenges Service accounts are used to run processes. Scripts and applications use embedded passwords to connect to databases and other services. These accounts also have high privilege. Non-human account passwords may be: Plaintext, static or well-known Solutions Discover service accounts. Randomize and vault passwords; Inject new passwords into service subscribers. Expose an API to retrieve passwords. Fingerprint applications to authenticate them. 5 Privileged Access Manager features 2016 Hitachi ID Systems, Inc. All rights reserved. 7

8 5.1 Infrastructure auto discovery Discovery, onboarding and classification must be automated in order to scale up: 1. List systems AD LDAP CSV file SQL or SQLite DB 2. Target systems Rules: manage? (yes/no) Rules: select connection credentials. 3. Probe systems List accounts, groups and services. Massive parallelism is essential here. 3. Manage systems Rules: which policies to apply? 5. Manage accounts Rules: which accounts to manage? Rules: which policies to apply? Import, classify, probe up to 10,000 systems and 500,000 accounts per hour. 100% policy driven no scripts Hitachi ID Systems, Inc. All rights reserved. 8

9 5.2 Connect to IT assets and manage access Discover accounts, groups and services. Randomize passwords. 5.3 Identify and authenticate users Identify users using an existing directory: AD LDAP Any other system/app/db will work. Combine existing credentials: Passwords (AD, LDAP, etc.). Tokens (OTP). Smart cards (PKI). PIN (SMS to mobile or personal ). Smart phone app (ios or Android, included). Step up authentication based on context: Vendor access? Off-site, off-hours or personal device? User with rights to many systems? 2016 Hitachi ID Systems, Inc. All rights reserved. 9

10 5.4 Authorizing access to privileged accounts Two models: permanent and one-time. Permanent ACL One-time request Concurrency control Pre-authorized users can launch an admin session any time. Access control model: Users... belong to User groups... are assigned ACLs to Managed system policies... which contain Devices and applications Also used for API clients. Request access for any user to connect to any account. Approvals workflow with: Dynamic routing. Parallel approvals. N of M authorizers. Auto-reminders. Escalation. Delegation. Coordinate admin changes by limiting number of people connected to the same account: Can be >1. Notify each admin of the others. Ensure accountability of who had access to an account at a given time. 5.5 Access disclosure mechanisms Launch session (SSO) Temporary entitlement Copy buffer integration Display Launch RDP, SSH, vsphere, SQL Studio,... Extensible (launch any CLI). Group membership (AD, Windows, SQL, etc.). SSH trust (.ssh/authorized_keys). Inject password into copy buffer. Clear after N seconds. Show the password in the UI. Clear after N seconds. Password is hidden. Convenient (SSO). Native logging shows actual user. Flexible (secondary connections, open-ended tooling). Useful at the physical server console Hitachi ID Systems, Inc. All rights reserved. 10

11 5.6 Account sets What is an account set? A saved search. Returns managed accounts on managed systems. Example: search on OS, subnet, login ID. Can also include accounts, systems individually. Using account sets Check out multiple accounts at once: e.g., all systems requiring a patch. e.g., all systems supporting an n-tier app. Launch multiple login sessions at once: RDP, SSH, vsphere, SQL Studio, Toad, etc. Push commands to run on all checked out systems, accounts: Retrieve status from end systems. Make configuration changes. Apply patches. 5.7 Options for launching login sessions Real-world constraints Is the managed system reachable from the user s PC? Firewalls, NAT. Name resolution problems. Unroutable addresses. Off-site users (e.g., vendors). What admin tool does the user want? MSTSC - RDP, PuTTY, SecureCRT, etc. - SSH, DBA tools, Hypervisor admin tools, etc. User s device type? Session recording required? Login options Direct connection: Windows client required. IE + ActiveX. FF, Chrome, Opera + extension. Single-use EXE. Indirect via proxy: Windows proxy: * Connect to proxy using RDP. * Sign into proxy first. * Next, sign into HiPAM. * Launch any admin tool. HTML5 proxy: * Sign into HiPAM first. * Launch HTML5 session in browser tab. * Proxy connects to endpoint with SSH, RDP Hitachi ID Systems, Inc. All rights reserved. 11

12 5.8 Direct login from user endpoint to managed system 5.9 Login session via Remote Desktop Services proxy 2016 Hitachi ID Systems, Inc. All rights reserved. 12

13 5.10 SSH or RDP session via HTML5 proxy 2016 Hitachi ID Systems, Inc. All rights reserved. 13

14 5.11 Session monitoring Scalable, detailed, tamper-proof recording of administrator sessions: Record Store/Playback Searchable Secure Full screen. App window. UI meta data. Process meta data. Keyboard. Copy buffer. Webcam. Structured data in DB. Video on filesystem. MPEG4 video. PNG webcam snaps. XML meta data. Meta data (who, when, from-where, to-where, duration,...). Session content (keywords). Right to search. Right to playback. ACLs. Workflow approvals. Multiple sensors: IE + ActiveX FF, Chrome or Opera + browser extension HTML5 proxy 10 kbyte/s per active session; 100 active sessions/server Hitachi ID Systems, Inc. All rights reserved. 14

15 5.12 Windows service account passwords Periodically change service account passwords without triggering service faults: Discovery: White listing Notification Fault tolerant Accounts (local and domain), services, dependencies. Which accounts to manage? Is the list of discovered subscribers complete? When/how often to randomize password? Inject new password before/after/both? Restart service? Notify owner? Multiple subscriber types SCM, IIS, DCOM, Scheduler. Before/after password change. Check subscriber availability before password change. Retry notification if first attempt fails Hitachi ID Systems, Inc. All rights reserved. 15

16 5.13 Service account management process Probe managed endpoints Discovered Managed Review, configure List of managed systems Services Services Service accounts App owners Service accounts Notify Notify subscribers of new password Managed endpoints Randomize passwords 2016 Hitachi ID Systems, Inc. All rights reserved. 16

17 5.14 Replacing embedded passwords Applications and scripts can fetch passwords from the credential vault, on demand: Open / portable: Secure: Reliable: Scalable / fast: HiPAM exposes an API over SOAP/HTTPS. Client libraries provided for Windows,.NET, Linux, Unix, Java. SOAP API authenticates each caller with one-time password (OTP) + IP address. Each client has its own ID, which defines accessible credentials. The client library fingerprints the calling app, command-line args, config files to generate encryption keys. App changes, which may be malicious, require re-authorizing access. Library caches passwords, manages the OTP. Caching reduces server load and impact of packet latency. Simple / convenient: GetPassword( "config.xml", errorbuf, sizeof(errorbuf), 0, "systemid", "accountid", argc, argv, NULL, passwordbuf, sizeof(passwordbuf) ) 2016 Hitachi ID Systems, Inc. All rights reserved. 17

18 5.15 API to securely retrieve credentials Script or Application Native protocol of the service -- possibly secure Application user, password Application ID + Password API wrapper library Database, API or service SOAP/HTTPS - OTP, fetch password Periodically randomize passwords Cached password, OTP Credential vault Encrypted, replicated, audited, access controlled and authenticated Privileged Access Manager 6 Technology 2016 Hitachi ID Systems, Inc. All rights reserved. 18

19 6.1 Fault-tolerant architecture User Credential vault Hitachi ID Privileged Access Manager HTTPS LDAP/S, NTLM Windows server or DC Load balancer SSH, TCP/IP + AES Site A Replication TCP/IP + AES Unix, Linux Credential vault TCP/IP + AES Site B Hitachi ID Privileged Access Manager Firewall Proxy Managed endpoints TCP/IP + AES HTTPS Various protocols Site C 2016 Hitachi ID Systems, Inc. All rights reserved. 19

20 6.2 Multi-master replication Avoid data loss and service interruption: Multiple copies of the vault in different cities. Real-time data replication. Fault-tolerant. Bandwidth efficient, latency tolerant. Best practice: multiple servers in multiple data centers. Active/active Load balanced. 6.3 BYOD access to on-premise IAM system The challenge Users want access on their phones. Phone on the Internet, IAM on-prem. Don t want attackers probing IAM from Internet. Hitachi ID Mobile Access Install + activate ios, Android app. Proxy service on DMZ or cloud. IAM, phone both call the proxy - no firewall changes. IAM not visible on Internet. Internet Personal device Firewall Firewall IAM server (2) HTTPS request: Includes userid, deviceid Outbound connections only DMZ (1) Worker thread: Give me an HTTP request Private corporate network Cloud proxy (3) Message passing system 2016 Hitachi ID Systems, Inc. All rights reserved. 20

21 6.4 Included connectors Many integrations to target systems included in the base price: Directories: Any LDAP, Active Directory, NIS/NIS+. Unix: Linux, Solaris, AIX, HPUX, 24 more variants. ERP: JDE, Oracle ebiz, PeopleSoft, PeopleSoft HR, SAP R/3 and ECC 6, Siebel, Business Objects. WebSSO: CA Siteminder, IBM TAM, Oracle AM, RSA Access Manager. Servers: Windows NT, 2000, 2003, 2008[R2], 2012[R2], Samba. Mainframes, Midrange: z/os: RACF, ACF2, TopSecret. iseries, OpenVMS. Collaboration: Lotus Notes, inotes, Exchange, SharePoint, BlackBerry ES. Help Desk: ServiceNow, BMC Remedy, SDE, HP SM, CA Unicenter, Assyst, HEAT, Altiris, Clarify, RSA Envision, Track-It!, MS System Center Databases: Oracle, Sybase, SQL Server, DB2/UDB, Informix, Progress, Hyperion, Cache, ODBC. HDD Encryption: McAfee, CheckPoint, BitLocker, PGP. Tokens, Smart Cards: RSA SecurID, SafeWord, Vasco, ActivIdentity, Schlumberger, RADIUS. Cloud/SaaS: WebEx, Google Apps, MS Office 365, Success Factors, Salesforce.com, SOAP. 6.5 Rapid integration with custom apps Hitachi ID Privileged Access Manager easily integrates with custom, vertical and hosted applications using flexible agents. Each flexible agent connects to a class of applications: API bindings (C, C++, Java, COM, ActiveX, MQ Series). Telnet / TN3270 / TN5250 / sessions with TLS or SSL. SSH sessions. HTTP(S) administrative interfaces. Web services. Win32 and Unix command-line administration programs. SQL scripts. Custom LDAP attributes. Integration takes a few hours to a few days. Fixed cost service available from Hitachi ID Hitachi ID Systems, Inc. All rights reserved. 21

22 6.6 Device integrations HiPAM can be used to manage access to devices, including: Cisco / IOS. Juniper JunOS. F5 / BigIP. Dell DRAC cards. HP ilo cards. IBM RSA cards. Deep integration with Cisco ACS (TACACS+, RADIUS). Extensible via scripted SSH, Telnet, HTTP(S) sessions. 7 Implementation 7.1 Hitachi ID professional services Hitachi ID offers a complete range of services relating to Hitachi ID Privileged Access Manager, including: Needs analysis and solution design. Fixed price system deployment. Project planning. Roll-out management, including maximizing user adoption. Ongoing system monitoring. Training. Services are based on extensive experience with the Hitachi ID solution delivery process. The Hitachi ID professional services team is highly technical and have years of experience deploying IAM solutions. Hitachi ID partners with integrators that also offer business process and system design services to mutual customers. All implementation services are fixed price: Solution design. Statement of work Hitachi ID Systems, Inc. All rights reserved. 22

23 7.2 Hitachi ID Identity Express - Privileged Access Pre-configured integrations, logic to expedite deployment. Users identified, authorized via AD domain. 2FA for all logins (smart phone app, SMS/PIN, PIN). Randomize, control access to admin passwords. One-time access approved via members of AD groups. Risk scores applied to access requests, to highlight the unusual. Session recording, playback, approval workflows pre-configured. Infrastructure for discovering, managing Windows service account passwords. Infrastructure for replacing embedded passwords in apps, scripts. 8 Differentiation 8.1 HiPAM advantages (technical) Hitachi ID Privileged Access Manager Multi-master, active-active. 2FA for everyone, no extra cost. BYOD access, including approvals Check-out multiple accounts in one request. Temporary privilege elevation. Secure laptops (mobile, NAT, firewalled). Direct connect, HTML5, RDP+launch proxy. Proxy servers to integrate with remote systems. Run any admin tool, with any protocol. Competitors Hot standby, "offline" mode. Either purchase a separate 2FA system or rely on AD passwords. Fire up your laptop, sign into the VPN. One account at a time. Only password display/injection. Endpoints not really supported. Only via proxy. Extra cost (more appliances?). Can only launch RDP, SSH Hitachi ID Systems, Inc. All rights reserved. 23

24 8.2 HiPAM advantages (commercial) Hitachi ID Privileged Access Manager Manage groups that control access policy. Proxy servers to integrate with remote systems. Secure Windows service acct passwords. Secure API replaces embedded passwords. Session recording included. Over 110 connectors included. Unlimited users. Competitors Need a separate IAM system for that. Extra cost (more appliances?). Separate product. Separate product. Separate product. Some connectors cost more. Fee per user. 9 Summary Hitachi ID Privileged Access Manager secures privileged accounts: Eliminate static, shared passwords to privileged accounts. Built-in encryption, replication, geo-diversity for the credential vault. Authorized users can launch sessions without knowing or typing a password. Infrequent users can request, be authorized for one-time access. Strong authentication, authorization and audit throughout the process. Learn more at Hitachi-ID.com/Privileged-Access-Manager 500, Street SE, Calgary AB Canada T2G 2J3 Tel: Fax: sales@hitachi-id.com Date: Monday 24 th October, File: PRCS:pres