1 Privileged Access Management
Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications
Hitachi ID Privileged Access Manager
2 Agenda
• Hitachi ID corporate overview.
• Hitachi ID Suite overview.
• Securing administrative passwords with Hitachi ID Privileged Access Manager.
• Animated demonstration.
© 2015 Hitachi ID Systems, Inc. All rights reserved. 1
Slide Presentation
3 Hitachi ID Corporate Overview
Hitachi ID delivers access governance and identity administration solutions to organizations globally.
Hitachi ID solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud.
• Founded as M-Tech in 1992.
• A division of Hitachi, Ltd. since 2008.
• Over 1200 customers.
• More than 14M licensed users.
• Offices in North America, Europe and APAC.
• Partners globally.
4 Representative Customers
5 Hitachi ID Suite
6 Securing Privileged Accounts
Thousands of IT assets: Who has the keys to the kingdom?
• Servers, network devices, databases and applications:
– Numerous.
– High value.
– Heterogeneous.
• Workstations:
– Mobile – dynamic IPs.
– Powered on or off.
– Direct-attached or firewalled.
• Every IT asset has sensitive passwords:
– Administrator passwords: used to manage each system.
– Service passwords: provide security context to service programs.
– Application passwords: allow one application to connect to another.
• Do these passwords ever change?
• Plaintext in configuration files?
• Who knows these passwords? (ex-staff?)
• Audit: who did what?
7 Project Drivers
Organizations need to secure their most sensitive passwords:
Compliance:
• Pass regulatory audits.
• Compliance should be sustainable.
Security:
• Eliminate static passwords on sensitive accounts.
• Create accountability for admin work.
Cost:
• Efficient process to regularly change privileged passwords.
• Simple and effective deactivation for former administrators.
Flexibility:
• Grant temporary admin access.
• Emergencies, production migrations, workload peaks, etc.
8 Participants in PAM
Hitachi ID Privileged Access Manager works by randomizing privileged passwords and connecting people and programs to privileged accounts as needed:
Privileged accounts: Get new, random passwords daily or at the desired frequency.
IT users: Must sign into HiPAM when they need to sign into administrator accounts.
Services: Are automatically updated with new password values.
Applications: Use the HiPAM API instead of embedded passwords.
Security officers: Define policies regarding who can connect to which privileged account.
Auditors: Monitor access requests and privileged login sessions.
9 HiPAM Impact
Feature: Randomize passwords daily
Impact: Eliminate static, shared passwords.
Benefit: Disconnect former IT staff.
Feature: Controlled disclosure
Impact: Control who can see passwords.
Benefit: The right users and programs can access privileged accounts, others cannot.
Feature: Logging & Reporting
Impact: Monitor password disclosure.
Benefit: Accountability. Faster troubleshooting.
Feature: Encryption
Impact: Secure passwords in storage and transit.
Benefit: Physical compromise does not expose passwords.
Feature: Replication
Impact: Passwords stored on multiple servers, in different sites.
Benefit: Survive server crashes and site disasters.
10 Understand and Manage the Risks
A privileged access management (PAM) system becomes the sole repository of the most important credentials.
Risk: Disclosure
Description: Compromised vault → security disaster.
Mitigation:
• Encrypted vault.
• Strong authentication.
• Flexible authorization.
Risk: Data loss
Description: Destroyed vault → IT disaster.
Mitigation:
• Replicate the vault.
Risk: Non-availability
Description: Offline vault → IT service interruption.
Mitigation:
• One vault in each of 2+ sites.
Customers must test failure conditions before purchase!
11 Randomizing Passwords
Push random passwords to systems:
• Periodically (e.g., between 3AM and 4AM).
• When users check passwords back in.
• When users want a specific password.
• On urgent termination.
• Suitable for servers and PCs on the corporate network.
Pull initiated by user devices:
• Periodically.
• Random time-of-day.
• Opportunistically, when connectivity is available.
• Suitable for off-site laptops, systems in a DMZ.
12 Authorizing Access to Privileged Accounts
Two models: permanent and one-time.
Permanent ACL:
• Pre-authorized users can launch an admin session any time.
• Access control model: users belong to user groups, which are assigned ACLs to managed system policies, which contain devices and applications.
• Also used for API clients.
One-time request:
• Request access for any user to connect to any account.
• Approvals workflow with:
– Can be >1.
– Dynamic routing.
– Parallel approvals.
– N of M authorizers.
– Auto-reminders.
– Escalation.
– Delegation.
Concurrency control:
• Coordinate admin changes by limiting the number of people connected to the same account:
– Notify each admin of the others.
• Ensure accountability of who had access to an account at a given time.
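The two authorization paths on this slide (a permanent ACL and a one-time request that needs N of M authorizers) together with the per-account concurrency limit, as an added example in Python; this is illustrative code written for this page, not Hitachi ID's product code or API, and the account, user names and audit tuple format are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    name: str
    acl: set            # pre-authorized users (the permanent ACL)
    authorizers: set    # who may approve one-time requests (the M)
    required: int       # approvals needed before access (the N)
    max_sessions: int   # concurrency limit for this account
    sessions: set = field(default_factory=set)

@dataclass
class Request:
    user: str
    account: str
    approvals: set = field(default_factory=set)

AUDIT = []  # constructed audit trail: (event, actor, account, detail)

def approve(req, acct, approver):
    """Record one approval; True once N of M authorizers have approved."""
    # Only listed authorizers count, and nobody approves their own request.
    if approver not in acct.authorizers or approver == req.user:
        AUDIT.append(("approval-rejected", approver, acct.name, req.user))
        return False
    req.approvals.add(approver)
    AUDIT.append(("approved", approver, acct.name, req.user))
    return len(req.approvals) >= acct.required

def checkout(user, acct, req=None):
    """Authorize a session via the permanent ACL or an approved request."""
    permitted = user in acct.acl or (
        req is not None and req.user == user and req.account == acct.name
        and len(req.approvals) >= acct.required)
    if not permitted:
        AUDIT.append(("denied", user, acct.name, "not authorized"))
        return False
    # Concurrency control: refuse at the limit; otherwise record who else is
    # connected so each admin can be told about the others.
    if user not in acct.sessions and len(acct.sessions) >= acct.max_sessions:
        AUDIT.append(("denied", user, acct.name, "concurrency limit"))
        return False
    others = sorted(acct.sessions - {user})
    acct.sessions.add(user)
    AUDIT.append(("session-start", user, acct.name, f"also connected: {others}"))
    return True

def checkin(user, acct):
    acct.sessions.discard(user)
    AUDIT.append(("session-end", user, acct.name, ""))
```

Every decision, including refusals, lands in the audit trail, which is what makes the "who had access at a given time" accountability on this slide possible.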
13 Fault-Tolerant Architecture
[Figure: fault-tolerant architecture diagram. Two Hitachi ID Privileged Access Manager servers (Site A and Site B), each with a password vault and crypto keys in the registry, sit behind a load balancer and replicate to each other over TCP/IP + AES. The admin workstation connects over HTTPS. Target systems are reached over LDAP/S and Windows NTLM (server or DC), SSH (Unix, Linux) and TCP/IP + AES (various target systems); a proxy at Site C sits behind a firewall.]
14 Included Connectors
Many integrations to target systems included in the base price:
Directories: Any LDAP, AD, WinNT, NDS, eDirectory, NIS/NIS+.
Servers: Windows NT, 2000, 2003, 2008[R2], 2012, Samba, Novell, SharePoint.
Databases: Oracle, Sybase, SQL Server, DB2/UDB, Informix, Progress, ODBC, Oracle Hyperion EPM Shared Services, Cache.
Unix: Linux, Solaris, AIX, HPUX, 24 more variants.
Mainframes, Midrange: z/OS: RACF, ACF2, TopSecret. iSeries, OpenVMS.
HDD Encryption: McAfee, CheckPoint, BitLocker, PGP.
ERP: JDE, Oracle eBiz, PeopleSoft, PeopleSoft HR, SAP R/3 and ECC 6, Siebel, Business Objects.
Collaboration: Lotus Notes, iNotes, Exchange, GroupWise, BlackBerry ES.
Tokens, Smart Cards: RSA SecurID, SafeWord, RADIUS, ActivIdentity, Schlumberger.
WebSSO: CA Siteminder, IBM TAM, Oracle AM, RSA Access Manager.
Help Desk: ServiceNow, BMC Remedy, SDE, HP SM, CA Unicenter, Assyst, HEAT, Altiris, Clarify, RSA Envision, Track-It!, MS System Center Service Manager.
Cloud/SaaS: WebEx, Google Apps, MS Office 365, Success Factors, Salesforce.com, SOAP (generic).
15 Types of Privileged Accounts
Administrator
Definition:
• Interactive logins.
• Client tools: PuTTY, RDP, SQL Studio, etc.
• May be used at a physical console.
Challenges:
• Access control.
• Audit/accountability.
• Single sign-on.
• Session capture.
Embedded
Definition:
• One application connects to another.
• DB logins, web services, etc.
Challenges:
• Authenticating apps prior to password disclosure.
• Caching, key management.
Service
Definition:
• Run service programs with limited rights.
• Windows requires a password!
• Interactive logins for troubleshooting.
Challenges:
• Avoiding service interruption due to failed notification.
16 Infrastructure Auto-Discovery
Find and classify systems, services, groups, accounts:
List systems:
• From Hitachi IT Operations Analyzer.
• From AD, LDAP (computers).
• From text file (IT inventory).
• Extensible: DNS, IP port scan.
Evaluate import rules:
• Manage this system?
• Attach system to this policy?
• Choose initial ID/password.
• Manage this account?
• Un-manage this system?
Probe systems:
• Local accounts.
• Security groups.
• Group memberships.
• Services.
• Local svc accounts.
• Domain svc accounts.
• Hitachi ID Privileged Access Manager can find, probe, classify and load 10,000 systems/hour.
• Normally executed every 24 hours.
• 100% policy driven - no scripts.
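The three discovery steps above (list systems, evaluate import rules, probe systems) as an added, policy-driven example in Python: rules are data evaluated first-match, not scripts, and a system found only by port scan is attached to a pull-style policy, tying back to slide 11's push versus pull distinction for DMZ systems. This is illustrative code for this page, not Hitachi ID's rule format; the inventory, rule keys, policy names and credential names are constructed.

```python
import fnmatch

# Constructed sample of step 1 (list systems): records from AD, a text
# inventory and a port scan. Not real hosts.
INVENTORY = [
    {"host": "db01.corp.example", "os": "linux", "source": "ad"},
    {"host": "win-fs02.corp.example", "os": "windows", "source": "ad"},
    {"host": "lab-test7.corp.example", "os": "linux", "source": "textfile"},
    {"host": "dmz-web1.example", "os": "linux", "source": "portscan"},
]

# Step 2 (evaluate import rules): ordered, first match wins. Rules are data,
# not scripts; the rule format and policy names are made up for this example.
RULES = [
    {"match": {"host": "lab-*"}, "action": "unmanage"},
    {"match": {"source": "portscan", "os": "linux"}, "action": "manage",
     "policy": "dmz-linux-pull", "cred": "dmz-bootstrap"},
    {"match": {"os": "linux"}, "action": "manage",
     "policy": "corp-linux-push", "cred": "corp-root-bootstrap"},
    {"match": {"os": "windows"}, "action": "manage",
     "policy": "corp-windows-push", "cred": "corp-domain-admin"},
]

def rule_matches(rule, system):
    """Every key in the rule's match block must glob-match the system record."""
    return all(fnmatch.fnmatchcase(str(system.get(k, "")), v)
               for k, v in rule["match"].items())

def evaluate(system):
    """Decide manage/unmanage, the policy to attach and the initial credential."""
    for rule in RULES:
        if rule_matches(rule, system):
            return {"host": system["host"],
                    **{k: v for k, v in rule.items() if k != "match"}}
    return {"host": system["host"], "action": "review"}  # no rule: human decides

def accounts_to_manage(probe):
    """Step 3 (probe systems): onboard admin and service accounts, not users."""
    wanted = {"local-admin", "local-svc", "domain-svc"}
    return sorted(a["name"] for a in probe if a["type"] in wanted)

def plan(inventory=INVENTORY):
    """Run the full import pass and group systems by decision."""
    out = {"manage": [], "unmanage": [], "review": []}
    for system in inventory:
        decision = evaluate(system)
        out[decision["action"]].append(decision)
    return out
```

Systems that no rule covers go to a "review" bucket rather than being silently managed or ignored, so a gap in the policy is visible after every 24-hour run.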
17 Alternatives to PW display
Launch session (SSO):
• Launch RDP, SSH, vSphere, SQL Studio, ...
• Extensible (just add a CLI).
• Password is hidden.
• Convenient (SSO).
• Native logging shows actual user.
Temporary entitlement:
• Group membership (AD, Windows, SQL, etc.).
• SSH trust (.ssh/authorized_keys).
• Entry in /etc/sudoers files.
• Convenient for platform admins.
• Flexible (secondary connections, open-ended tooling).
Copy buffer integration:
• Inject password into copy buffer.
• Clear after N seconds.
• Convenient.
• Useful at the physical server console.
Display:
• Show the password in the UI.
• Clear after N seconds.
18 Test Safety Features
To prevent a security or an IT operations disaster, a privileged password management system must be built for safety first:
Unauthorized disclosure:
• Passwords must be encrypted, both in storage and in transit.
• Access controls should determine who can see which passwords.
• Workflow should allow for one-off disclosure.
• Audit logs should record everything.
Data loss, service disruption:
• Replicate all data – a server crash should be harmless.
• Replication must be real time, just like password changes.
• Replication must span physical locations, to allow for site disasters (fire, flood, wire cut).
• These features are mandatory.
• Failure is not an option.
• Ask Hitachi ID for an evaluation guide.
• Evaluate products on multiple, replicated servers.
• Turn off one server in mid-operation.
• Inspect database contents and sniff network traffic.
19 HiPAM Unique Technology
Multi-master, active-active:
• Trivial to set up, no cost, zero effort to recover from disaster.
• Geographically distributed: maximum safety.
Not just passwords:
• Temporary group elevation, SSH trust relationships.
• Suspend/resume VM (lower cost of cloud!).
Robust workflow:
• Reminders, escalation, delegation, concurrent invitations.
• Not limited to "two keys" scenario.
Control groups:
• Manage AD, LDAP groups that determine who has access.
• Requests, approvals, SoD policy, certification, reports.
Single product, not "suite":
• Credential vault.
• Password randomization.
• Access control policies.
• Session monitoring, playback.
• Service account passwords.
• Embedded passwords.
• 110, extensible connectors.
20 Request one-time access
Animation: ../../pics/camtasia/v82/hipam-request-access/hipam-request-access.cam
21 Approve one-time access
Animation: ../../pics/camtasia/v82/hipam-approve-request/hipam-approve-request.cam
22 Launch one-time session using a privileged account
Animation: ../../pics/camtasia/v82/hipam-privileged-login-session/hipam-privileged-login-session.cam
23 Request, approve, play recording
Animation: ../../pics/camtasia/v82/hipam-view-playback/hipam-view-playback.cam
24 Report on requests for privileged access
Animation: ../../pics/camtasia/hipam-71/hipam-06-admin-reports.cam
25 HiPAM: PuTTY to Linux
Animation: ../../pics/camtasia/pam-linux-preauth/pam-linux-preauth.cam
26 Activate Mobile Access
Animation: ../../pics/camtasia/v9/enable-mobile-device-1/enable-mobile-device-1.mp4
27 Password display
Animation: ../../pics/camtasia/v9/pw-disp-scaled-1/pw-disp-scaled-1.mp4
28 Account set checkout
Animation: ../../pics/camtasia/v9/account-set-checkout-1/account-set-checkout-1.mp4
29 Summary
Hitachi ID Privileged Access Manager secures privileged accounts:
• Eliminate static, shared passwords to privileged accounts.
• Built-in encryption, replication, geo-diversity for the credential vault.
• Authorized users can launch sessions without knowing or typing a password.
• Infrequent users can request, and be authorized for, one-time access.
• Strong authentication, authorization and audit throughout the process.
Learn more at Hitachi-ID.com/Privileged-Access-Manager
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com
www.Hitachi-ID.com Date: May 22, 2015 File: PRCS:pres