Slide 1: Privileged Access Management
Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications
Hitachi ID Privileged Access Manager

Slide 2: Agenda
• Hitachi ID corporate overview.
• Hitachi ID Suite overview.
• Securing administrative passwords with Hitachi ID Privileged Access Manager.
• Animated demonstration.

© 2015 Hitachi ID Systems, Inc. All rights reserved.
Slide 3: Hitachi ID Corporate Overview
Hitachi ID delivers access governance and identity administration solutions to organizations globally. Hitachi ID solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud.
• Founded as M-Tech in 1992.
• A division of Hitachi, Ltd. since 2008.
• Over 1200 customers.
• More than 14M licensed users.
• Offices in North America, Europe and APAC.
• Partners globally.
Slide 4: Representative Customers
(Customer logos; no text content.)

Slide 5: Hitachi ID Suite
(Product overview diagram; no text content.)
Slide 6: Securing Privileged Accounts
Thousands of IT assets: who has the keys to the kingdom?
• Servers, network devices, databases and applications:
  – Numerous.
  – High value.
  – Heterogeneous.
• Workstations:
  – Mobile – dynamic IPs.
  – Powered on or off.
  – Direct-attached or firewalled.
• Every IT asset has sensitive passwords:
  – Administrator passwords: used to manage each system.
  – Service passwords: provide security context to service programs.
  – Application passwords: allow one application to connect to another.
• Do these passwords ever change?
• Plaintext in configuration files?
• Who knows these passwords? (Ex-staff?)
• Audit: who did what?

Slide 7: Project Drivers
Organizations need to secure their most sensitive passwords:
Compliance:
• Pass regulatory audits.
• Compliance should be sustainable.
Security:
• Eliminate static passwords on sensitive accounts.
• Create accountability for admin work.
Cost:
• Efficient process to regularly change privileged passwords.
• Simple and effective deactivation for former administrators.
Flexibility:
• Grant temporary admin access.
• Emergencies, production migrations, workload peaks, etc.
Slide 8: Participants in PAM
Hitachi ID Privileged Access Manager works by randomizing privileged passwords and connecting people and programs to privileged accounts as needed:
• Privileged accounts: get new, random passwords daily or at the desired frequency.
• IT users: must sign into HiPAM when they need to sign into administrator accounts.
• Services: are automatically updated with new password values.
• Applications: use the HiPAM API instead of embedded passwords.
• Security officers: define policies regarding who can connect to which privileged account.
• Auditors: monitor access requests and privileged login sessions.

Slide 9: HiPAM Impact
Feature | Impact | Benefit
Randomize passwords daily | Disconnect former IT staff. | Eliminate static, shared passwords.
Controlled disclosure | The right users and programs can access privileged accounts, others cannot. | Control who can see passwords.
Logging & reporting | Monitor password disclosure. | Accountability. Faster troubleshooting.
Encryption | Secure passwords in storage and in transit. | Physical compromise does not expose passwords.
Replication | Passwords stored on multiple servers, in different sites. | Survive server crashes and site disasters.
Slide 10: Understand and Manage the Risks
A privileged access management (PAM) system becomes the sole repository of the most important credentials.
Risk | Description | Mitigation
Disclosure | Compromised vault → security disaster. | Encrypted vault. Strong authentication. Flexible authorization.
Data loss | Destroyed vault → IT disaster. | Replicate the vault.
Non-availability | Offline vault → IT service interruption. | One vault in each of 2+ sites.
Customers must test failure conditions before purchase!

Slide 11: Randomizing Passwords
Push random passwords to systems:
• Periodically (e.g., between 3AM and 4AM).
• When users check passwords back in.
• When users want a specific password.
• On urgent termination.
• Suitable for servers and PCs on the corporate network.
Pull initiated by user devices:
• Periodically.
• Random time-of-day.
• Opportunistically, when connectivity is available.
• Suitable for off-site laptops and systems in a DMZ.
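The push triggers on slide 11 (scheduled window, check-in, urgent termination) and the disclosure logging on slide 9 fit together in a small state machine. The following is an added example written for this page, not Hitachi ID code: a toy vault that rotates an account's password when it is checked back in, when a user is terminated, and when it is older than the policy age, and records every disclosure so that termination can find everything the leaving admin was ever shown. The password policy, system names and user names are assumptions of the example.

```python
"""Added example, not Hitachi ID code: a toy credential vault that
randomizes a privileged password when it is checked back in, on urgent
termination of a user, and on a schedule, and that records every
disclosure.  Account, system and user names are invented."""
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed password policy: 24 characters, one of each class.  Real targets
# have their own composition rules; the vault must generate to the strictest.
PW_LENGTH = 24
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits,
           "!#$%&*+-=?@^_")


def random_password(length: int = PW_LENGTH) -> str:
    """CSPRNG password that contains every class; the order is shuffled so
    the class of the leading characters is not predictable."""
    rng = secrets.SystemRandom()
    chars = [rng.choice(cls) for cls in CLASSES]
    alphabet = "".join(CLASSES)
    chars += [rng.choice(alphabet) for _ in range(length - len(chars))]
    rng.shuffle(chars)
    return "".join(chars)


def meets_policy(pw: str) -> bool:
    return len(pw) >= PW_LENGTH and all(any(ch in cls for ch in pw) for cls in CLASSES)


@dataclass
class Account:
    system: str
    name: str
    password: str
    changed_at: datetime
    checked_out_by: Optional[str] = None


@dataclass
class Vault:
    max_age: timedelta                               # scheduled rotation interval
    accounts: Dict[Tuple[str, str], Account] = field(default_factory=dict)
    audit: List[Tuple[str, str, str, str, str]] = field(default_factory=list)

    def _log(self, event: str, acct: Account, user: str, now: datetime) -> None:
        self.audit.append((now.isoformat(), event, acct.system, acct.name, user))

    def enroll(self, system: str, name: str, now: datetime) -> Account:
        """Bring an account under management: its first password is random too."""
        acct = Account(system, name, random_password(), now)
        self.accounts[(system, name)] = acct
        self._log("randomize:enroll", acct, "vault", now)
        return acct

    def _rotate(self, acct: Account, reason: str, now: datetime) -> None:
        # A real vault pushes the new value to the target first and stores it
        # only after the target confirms, so vault and target never disagree.
        acct.password = random_password()
        acct.changed_at = now
        acct.checked_out_by = None
        self._log("randomize:" + reason, acct, "vault", now)

    def checkout(self, system: str, name: str, user: str, now: datetime) -> str:
        """Disclose the current password to one user at a time and log it."""
        acct = self.accounts[(system, name)]
        if acct.checked_out_by not in (None, user):
            raise PermissionError(f"{system}/{name} is checked out by {acct.checked_out_by}")
        acct.checked_out_by = user
        self._log("disclose", acct, user, now)
        return acct.password

    def checkin(self, system: str, name: str, user: str, now: datetime) -> None:
        """Check-in triggers an immediate push: the disclosed value stops working."""
        acct = self.accounts[(system, name)]
        if acct.checked_out_by != user:
            raise PermissionError(f"{user} does not hold {system}/{name}")
        self._rotate(acct, "checkin", now)

    def rotate_due(self, now: datetime) -> int:
        """Periodic push (the 3AM-4AM window): rotate every account older than
        max_age that nobody is using right now."""
        due = [a for a in self.accounts.values()
               if a.checked_out_by is None and now - a.changed_at >= self.max_age]
        for acct in due:
            self._rotate(acct, "scheduled", now)
        return len(due)

    def terminate_user(self, user: str, now: datetime) -> int:
        """Urgent termination: every password this user was ever shown is
        rotated, whether or not it is checked out at the moment."""
        seen = {(sys_, name) for _, ev, sys_, name, who in self.audit
                if ev == "disclose" and who == user}
        for key in seen:
            self._rotate(self.accounts[key], "termination:" + user, now)
        return len(seen)
```

The point of the audit tuple is the termination path: rotating only what the user currently holds is not enough, because a password shown last week is still valid until the next scheduled push, so termination walks the disclosure log rather than the checkout state.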
Slide 12: Authorizing Access to Privileged Accounts
Two models: permanent and one-time.
Permanent ACL:
• Pre-authorized users can launch an admin session any time.
• Access control model:
  – Users ... belong to
  – User groups ... are assigned ACLs to
  – Managed system policies ... which contain
  – Devices and applications.
• Also used for API clients.
One-time request:
• Request access for any user to connect to any account.
• Approvals workflow with:
  – Can be >1.
  – Dynamic routing.
  – Parallel approvals.
  – N of M authorizers.
  – Auto-reminders.
  – Escalation.
  – Delegation.
Concurrency control:
• Coordinate admin changes by limiting the number of people connected to the same account:
  – Notify each admin of the others.
• Ensure accountability of who had access to an account at a given time.
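The three columns above are one authorization decision: either the user reaches the account through the permanent chain (user → group → ACL → policy → account) or through a granted one-time request, and in both cases the concurrency limit of the account's policy is applied before the session opens. The following is an added example written for this page, not Hitachi ID code, showing that decision with an N-of-M approval and a per-account concurrency limit. Group names, policy names and user names are invented.

```python
"""Added example, not Hitachi ID code: the two authorization models of
the slide.  Permanent ACL: users belong to groups, groups are assigned
ACLs to managed-system policies, policies contain accounts.  One-time
request: N of M authorizers must approve.  Concurrency control limits
how many admins hold one account and tells each about the others.
All names and group layouts are invented."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

AccountKey = Tuple[str, str]          # (system, account)


@dataclass
class Policy:
    name: str
    accounts: Set[AccountKey]         # managed system policy: the accounts it contains
    max_concurrent: int = 1           # concurrency control per account


@dataclass
class Directory:
    members: Dict[str, Set[str]]      # group -> users
    acls: Dict[str, Set[str]]         # group -> policy names it may launch sessions against
    policies: Dict[str, Policy]

    def policy_for(self, key: AccountKey) -> Optional[Policy]:
        return next((p for p in self.policies.values() if key in p.accounts), None)

    def preauthorized(self, user: str, key: AccountKey) -> bool:
        """Permanent ACL: user -> group -> ACL -> policy -> account."""
        pol = self.policy_for(key)
        if pol is None:
            return False
        return any(user in users and pol.name in self.acls.get(group, set())
                   for group, users in self.members.items())


@dataclass
class OneTimeRequest:
    requester: str
    key: AccountKey
    authorizers: Set[str]             # the M eligible approvers
    required: int                     # N approvals needed
    approvals: Set[str] = field(default_factory=set)
    denied: bool = False

    def approve(self, who: str) -> None:
        if who not in self.authorizers:
            raise PermissionError(f"{who} is not an authorizer for this request")
        if who == self.requester:
            raise PermissionError("requester cannot approve their own request")
        self.approvals.add(who)

    def deny(self, who: str) -> None:
        if who not in self.authorizers:
            raise PermissionError(f"{who} is not an authorizer for this request")
        self.denied = True            # one denial closes the request

    @property
    def granted(self) -> bool:
        return not self.denied and len(self.approvals) >= self.required


class SessionBroker:
    def __init__(self, directory: Directory) -> None:
        self.directory = directory
        self.active: Dict[AccountKey, Set[str]] = {}
        self.log: List[Tuple[str, str, AccountKey, List[str]]] = []

    def launch(self, user: str, key: AccountKey,
               request: Optional[OneTimeRequest] = None) -> List[str]:
        """Open a session; returns the other admins currently on the account."""
        pol = self.directory.policy_for(key)
        if pol is None:
            raise LookupError(f"{key} is not under management")
        one_time = (request is not None and request.requester == user
                    and request.key == key and request.granted)
        if not (self.directory.preauthorized(user, key) or one_time):
            raise PermissionError(f"{user} is not authorized for {key}")
        connected = self.active.setdefault(key, set())
        if user not in connected and len(connected) >= pol.max_concurrent:
            raise RuntimeError(f"{key}: limit {pol.max_concurrent} reached, "
                               f"held by {sorted(connected)}")
        others = sorted(connected - {user})
        connected.add(user)
        self.log.append(("launch", user, key, others))   # who, on what, together with whom
        return others

    def disconnect(self, user: str, key: AccountKey) -> None:
        self.active.get(key, set()).discard(user)
        self.log.append(("disconnect", user, key, []))
```

The requester-cannot-approve check is the minimum separation of duties for a one-time request; a production workflow also needs the reminders, escalation and delegation listed on the slide, which only change who ends up in the `authorizers` set, not the N-of-M test.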
Slide 13: Fault-Tolerant Architecture
(Architecture diagram. Recoverable content: two Hitachi ID Privileged Access Manager servers, Site A and Site B, sit behind a load balancer; each holds a password vault with its crypto keys in the registry, and the two replicate over TCP/IP + AES. The admin workstation reaches HiPAM over HTTPS; HiPAM authenticates users against an LDAP/S or Windows NTLM server or DC. Target systems (Windows, Unix/Linux, various) are reached over SSH and TCP/IP + AES, including through a firewall to a proxy at Site C.)
Slide 14: Included Connectors
Many integrations to target systems included in the base price:
• Directories: any LDAP, AD, WinNT, NDS, eDirectory, NIS/NIS+.
• Servers: Windows NT, 2000, 2003, 2008[R2], 2012, Samba, Novell, SharePoint.
• Databases: Oracle, Sybase, SQL Server, DB2/UDB, Informix, Progress, ODBC, Oracle Hyperion EPM Shared Services, Cache.
• Unix: Linux, Solaris, AIX, HPUX, 24 more variants.
• Mainframes, midrange: z/OS (RACF, ACF2, TopSecret), iSeries, OpenVMS.
• HDD encryption: McAfee, CheckPoint, BitLocker, PGP.
• ERP: JDE, Oracle eBiz, PeopleSoft, PeopleSoft HR, SAP R/3 and ECC 6, Siebel, Business Objects.
• Collaboration: Lotus Notes, iNotes, Exchange, GroupWise, BlackBerry ES.
• Tokens, smart cards: RSA SecurID, SafeWord, RADIUS, ActivIdentity, Schlumberger.
• WebSSO: CA Siteminder, IBM TAM, Oracle AM, RSA Access Manager.
• Help desk: ServiceNow, BMC Remedy, SDE, HP SM, CA Unicenter, Assyst, HEAT, Altiris, Clarify, RSA Envision, Track-It!, MS System Center Service Manager.
• Cloud/SaaS: WebEx, Google Apps, MS Office 365, Success Factors, Salesforce.com, SOAP (generic).
Slide 15: Types of Privileged Accounts
Administrator:
• Definition: interactive logins. Client tools: PuTTY, RDP, SQL Studio, etc. May be used at a physical console.
• Challenges: access control. Audit/accountability. Single sign-on. Session capture.
Embedded:
• Definition: one application connects to another. DB logins, web services, etc.
• Challenges: authenticating apps prior to password disclosure. Caching, key management.
Service:
• Definition: run service programs with limited rights. Windows requires a password! Interactive logins for troubleshooting.
• Challenges: avoiding service interruption due to failed notification.

Slide 16: Infrastructure Auto-Discovery
Find and classify systems, services, groups, accounts:
List systems:
• From Hitachi IT Operations Analyzer.
• From AD, LDAP (computers).
• From text file (IT inventory).
• Extensible: DNS, IP port scan.
Evaluate import rules:
• Manage this system?
• Attach system to this policy?
• Choose initial ID/password.
• Un-manage this system?
Probe systems:
• Local accounts.
• Security groups.
• Group memberships.
• Services.
• Local service accounts.
• Domain service accounts.
• Manage this account?
• Hitachi ID Privileged Access Manager can find, probe, classify and load 10,000 systems/hour.
• Normally executed every 24 hours.
• 100% policy driven, no scripts.
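The discovery procedure on slide 16 is three passes: list systems from several sources, apply import rules, then probe what was imported. The following is an added example written for this page, not Hitachi ID code, that runs one such pass over constructed sample data: it merges the same host seen from AD and from an inventory file, applies first-match rules to decide manage / policy / initial credential, flags hosts that were managed last run but have vanished, and classifies probe output into local admin, local service and domain service accounts (the latter being managed once at the domain, not per host). The rule fields, hostnames, OUs and probe format are this example's own assumptions.

```python
"""Added example, not Hitachi ID code: one policy-driven discovery pass.
Systems listed by two sources are merged, first-matching import rules
decide manage / policy / initial credential, systems no longer listed
are flagged for un-manage, and probe results classify accounts.  Hosts,
OUs, rules and probe output are constructed sample data; the rule
fields are this example's own."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class System:
    host: str
    sources: Set[str]
    os: str = ""
    ou: str = ""                       # AD organizational unit, when known
    ports: Set[int] = field(default_factory=set)


@dataclass
class Rule:
    name: str
    match: Callable[[System], bool]
    manage: bool
    policy: str = ""
    initial_credential: str = ""       # vault entry used for the first probe login


def merge(*listings: List[System]) -> Dict[str, System]:
    """The same host from several sources becomes one record with merged attributes."""
    out: Dict[str, System] = {}
    for listing in listings:
        for s in listing:
            key = s.host.lower()
            if key not in out:
                out[key] = System(key, set(s.sources), s.os, s.ou, set(s.ports))
            else:
                cur = out[key]
                cur.sources |= s.sources
                cur.os = cur.os or s.os
                cur.ou = cur.ou or s.ou
                cur.ports |= s.ports
    return out


def evaluate(systems: Dict[str, System], rules: List[Rule],
             managed: Set[str]) -> Tuple[Dict[str, Tuple[str, bool, str, str]], List[str]]:
    """First matching rule wins.  Returns per-host decisions and the hosts
    that were managed last run but were not discovered this run."""
    decisions: Dict[str, Tuple[str, bool, str, str]] = {}
    for host, s in systems.items():
        for r in rules:
            if r.match(s):
                decisions[host] = (r.name, r.manage, r.policy, r.initial_credential)
                break
        else:
            decisions[host] = ("no-match", False, "", "")
    stale = sorted(h for h in managed if h not in systems)   # un-manage candidates
    return decisions, stale


def classify_probe(host: str, accounts: List[Dict], services: List[Dict],
                   admin_groups: Set[str] = frozenset({"Administrators", "wheel", "sudo"})
                   ) -> Dict[str, str]:
    """Probe output -> what to manage.  A service's 'run_as' names its account."""
    kinds: Dict[str, str] = {}
    service_accounts = {svc["run_as"] for svc in services}
    for acct in accounts:
        name = acct["name"]
        if name in service_accounts:
            kinds[name] = "local-service"       # rotation must also update the service
        elif admin_groups & set(acct.get("groups", ())):
            kinds[name] = "local-admin"
        else:
            kinds[name] = "unprivileged"        # not loaded into the vault
    for run_as in service_accounts:
        if ("\\" in run_as or "@" in run_as) and run_as not in kinds:
            kinds[run_as] = "domain-service"    # managed once, at the domain, not per host
    return kinds
```

Two practitioner details matter here: the stale list is reported, not acted on, because a host that was offline during the 24-hour run must not be silently dropped from management; and a local account that a service runs as is tagged separately from a plain local admin, because rotating it without re-configuring the service is exactly the "failed notification" interruption slide 15 warns about.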
Slide 17: Alternatives to Password Display
Launch session (SSO):
• Launch RDP, SSH, vSphere, SQL Studio, ...
• Extensible (just add a CLI).
• Password is hidden.
• Convenient (SSO).
Temporary entitlement:
• Group membership (AD, Windows, SQL, etc.).
• SSH trust (.ssh/authorized_keys).
• Entry in /etc/sudoers files.
• Native logging shows the actual user.
• Convenient for platform admins.
• Flexible (secondary connections, open-ended tooling).
Copy buffer integration:
• Inject password into copy buffer.
• Clear after N seconds.
• Convenient.
• Useful at the physical server console.
Display:
• Show the password in the UI.
• Clear after N seconds.
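Of the four rows, temporary entitlement is the one that needs the most care, because the grant lives on the target (an authorized_keys line, a sudoers entry) and must be removed again on time. The following is an added example written for this page, not Hitachi ID code: it builds a restricted, tagged authorized_keys line carrying the real user's name and an expiry, builds a sudoers entry limited to an allow-list of absolute commands, and purges expired grants while leaving untagged lines alone. The `pam-grant:<user>:expires=<epoch>` tag is this example's own convention, not a HiPAM format; the keys and hostnames are made up.

```python
"""Added example, not Hitachi ID code: temporary entitlements in place of
password disclosure.  An SSH trust is granted by appending a tagged,
option-restricted line to authorized_keys with an expiry; a matching
sudoers entry is built with a command allow-list; expired grants are
purged.  The 'pam-grant:<user>:expires=<epoch>' tag is this example's
own convention, not a HiPAM format, and the keys and hosts are made up."""
import re
from typing import List, Optional, Sequence, Tuple

TAG = "pam-grant"
_TAG_RE = re.compile(rf"\s{TAG}:(\S+):expires=(\d+)$")
# Interpreters, shells and pagers: allowing any of these in sudoers is a full root shell.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "python", "python3", "perl",
          "ruby", "vi", "vim", "less", "more"}
_META = set(";&|<>$`'\"*?(),\n")


def grant_line(pubkey: str, user: str, expires: int,
               from_host: Optional[str] = None) -> str:
    """authorized_keys line for the user's own key.  The options keep the
    trust from being used as a pivot; the comment names the real user so
    sshd's own log shows who logged in as root."""
    parts = pubkey.split()
    if len(parts) < 2 or not parts[0].startswith(("ssh-", "ecdsa-", "sk-")):
        raise ValueError("not an OpenSSH public key")
    opts = ["no-port-forwarding", "no-agent-forwarding", "no-X11-forwarding"]
    if from_host:
        opts.insert(0, f'from="{from_host}"')     # only from the requesting workstation
    return f'{",".join(opts)} {parts[0]} {parts[1]} {TAG}:{user}:expires={expires}'


def add_grant(authorized_keys: str, line: str) -> str:
    if authorized_keys and not authorized_keys.endswith("\n"):
        authorized_keys += "\n"
    return authorized_keys + line + "\n"


def purge_expired(authorized_keys: str, now: int) -> Tuple[str, List[str]]:
    """Drop tagged lines whose expiry has passed; untagged lines are untouched.
    Returns the new file text and the users whose grants were removed."""
    kept, removed = [], []
    for line in authorized_keys.splitlines():
        m = _TAG_RE.search(line)
        if m and int(m.group(2)) <= now:
            removed.append(m.group(1))
        else:
            kept.append(line)
    return ("\n".join(kept) + "\n" if kept else ""), removed


def sudoers_line(user: str, host: str, commands: Sequence[str],
                 nopasswd: bool = False) -> str:
    """One sudoers entry limited to absolute, argument-literal commands."""
    if not re.fullmatch(r"[a-z_][a-z0-9_-]*", user) or not re.fullmatch(r"[A-Za-z0-9.-]+", host):
        raise ValueError("bad user or host")
    for cmd in commands:
        if not cmd.startswith("/") or _META & set(cmd):
            raise ValueError(f"command must be an absolute path without metacharacters: {cmd!r}")
        if cmd.split()[0].rsplit("/", 1)[-1] in SHELLS:
            raise ValueError(f"{cmd!r} would grant an unrestricted root shell")
    tag = "NOPASSWD: " if nopasswd else ""
    return f"{user} {host}=(root) {tag}{', '.join(commands)}"
```

Before installing the sudoers line on a target, run it through `visudo -c` on that host; a syntax error in sudoers locks every admin out, which is the operational disaster the next slide is about. The purge runs on the same schedule as password rotation so that an entitlement outlives its request by at most one cycle.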
Slide 18: Test Safety Features
To prevent a security or an IT operations disaster, a privileged password management system must be built for safety first:
Unauthorized disclosure:
• Passwords must be encrypted, both in storage and in transit.
• Access controls should determine who can see which passwords.
• Workflow should allow for one-off disclosure.
• Audit logs should record everything.
Data loss, service disruption:
• Replicate all data: a server crash should be harmless.
• Replication must be real time, just like password changes.
• Replication must span physical locations, to allow for site disasters (fire, flood, wire cut).
These features are mandatory; failure is not an option. Ask Hitachi ID for an evaluation guide.
How to test:
• Evaluate products on multiple, replicated servers.
• Turn off one server in mid-operation.
• Inspect database contents and sniff network traffic.
Slide 19: HiPAM Unique Technology
Multi-master, active-active:
• Trivial to set up, no cost, zero effort to recover from disaster.
• Geographically distributed: maximum safety.
Not just passwords:
• Temporary group elevation, SSH trust relationships.
• Suspend/resume VM (lower cost of cloud!).
Robust workflow:
• Reminders, escalation, delegation, concurrent invitations.
• Not limited to the "two keys" scenario.
Control groups:
• Manage AD, LDAP groups that determine who has access.
• Requests, approvals, SoD policy, certification, reports.
Single product, not "suite":
• Credential vault.
• Password randomization.
• Access control policies.
• Embedded passwords.
• Service account passwords.
• Session monitoring, playback.
• 110 connectors, extensible.

Slide 20: Request one-time access
Animation: ../../pics/camtasia/v82/hipam-request-access/hipam-request-access.cam

Slide 21: Approve one-time access
Animation: ../../pics/camtasia/v82/hipam-approve-request/hipam-approve-request.cam
Slide 22: Launch one-time session using a privileged account
Animation: ../../pics/camtasia/v82/hipam-privileged-login-session/hipam-privileged-login-session.cam

Slide 23: Request, approve, play recording
Animation: ../../pics/camtasia/v82/hipam-view-playback/hipam-view-playback.cam

Slide 24: Report on requests for privileged access
Animation: ../../pics/camtasia/hipam-71/hipam-06-admin-reports.cam

Slide 25: HiPAM: PuTTY to Linux
Animation: ../../pics/camtasia/pam-linux-preauth/pam-linux-preauth.cam

Slide 26: Activate Mobile Access
Animation: ../../pics/camtasia/v9/enable-mobile-device-1/enable-mobile-device-1.mp4
Slide 27: Password display
Animation: ../../pics/camtasia/v9/pw-disp-scaled-1/pw-disp-scaled-1.mp4

Slide 28: Account set checkout
Animation: ../../pics/camtasia/v9/account-set-checkout-1/account-set-checkout-1.mp4

Slide 29: Summary
Hitachi ID Privileged Access Manager secures privileged accounts:
• Eliminate static, shared passwords to privileged accounts.
• Built-in encryption, replication and geo-diversity for the credential vault.
• Authorized users can launch sessions without knowing or typing a password.
• Infrequent users can request, and be authorized for, one-time access.
• Strong authentication, authorization and audit throughout the process.
Learn more at Hitachi-ID.com/Privileged-Access-Manager

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3
Tel: 1.403.233.0740  Fax: 1.403.233.0725
E-Mail: [email protected]  www.Hitachi-ID.com
Date: May 22, 2015  File: PRCS:pres