1 Hitachi ID Privileged Access Manager
Temporary, secure and accountable privilege elevation.
2 Agenda
• Corporate
• Privilege management challenges
• Hitachi ID Privileged Access Manager features
• Technology
• Implementation
• Differentiation
• Discussion / next steps
3 Corporate
Slide Presentation
© 2020 Hitachi ID Systems, Inc. All rights reserved.
3.1 Hitachi ID corporate overview
Hitachi ID delivers access governance and identity administration solutions to organizations globally. Hitachi ID IAM solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud.
• Founded as M-Tech in 1992.
• A division of Hitachi, Ltd. since 2008.
• Over 1200 customers.
• More than 14M licensed users.
• Offices in North America, Europe and APAC.
• Global partner network.
3.2 Representative customers
3.3 Hitachi ID Suite
4 Privilege management challenges
4.1 Passwords to privileged accounts
Challenges
• Shared accounts with elevated privileges.
• Static passwords:
  – Long window of opportunity for attackers.
• Passwords known to many people:
  – No accountability for use.
  – Departed workers still have access?
Solutions
• Randomize passwords:
  – No longer shared or static.
• Store values in a vault:
  – Control access to accounts by limiting access to passwords.
4.2 Accountability for admins
Challenges
• Who used this account?
• What changes were made?
• Was use of the access reasonable?
• Did anything break?
• Was security compromised?
Solutions
• Personally identify users prior to access.
• Require strong, multi-factor authentication.
• Authorize access:
  – Pre-approved for system admins.
  – One-time approval for infrequent users.
• Audit activity:
  – Access event.
  – Session recording.
4.3 Grant access only temporarily
Challenges
• Granting permanent access increases risks:
  – Abuse.
  – Accidents.
  – Malware.
• Better to grant access:
  – On-demand.
  – For short periods.
  – Only when required.
Solutions
• Randomize passwords after use.
• Launch sessions and inject current credentials.
• Do not disclose passwords to users:
  – Users can't share what they don't know.
4.4 Multiple ways to grant access
Challenges
• Different tasks call for different tools.
• Alternatives to the standard mechanism:
  – Shared accounts.
  – Randomized passwords in a vault.
  – SSO with password injection.
• Grant multiple credentials at once.
Solutions
• Multiple types of access disclosure.
• Group sets:
  – Temporarily grant one or more group memberships.
  – Elevate rights of an existing, personal ID.
• SSH trust:
  – Temporary trust relationship.
  – Add user's public SSH key to the privileged account's .ssh/authorized_keys file.
• Account sets:
  – Check out multiple accounts at once.
  – Named accounts or search results.
  – Single request, single approval.
  – Launch multiple logins.
  – Run script across accounts (SIMD).
4.5 Scaling up: many assets, types
Challenges
• Admin accounts on every asset.
• Windows, Unix, Linux, network device, hardware monitor, laptops, databases, apps, midrange, mainframe, ...
• On-premises and cloud.
• Fixed and moveable/personal assets.
• Number of assets = 2X or 3X head-count.
• Security is only as good as the weakest link.
Solutions
• Connectors to various kinds of systems.
• Auto-discovery to find them.
• Import rules to manage them.
4.6 Connectivity challenges
Challenges
• 3 communication paths:
  – User to PAM.
  – PAM to managed system.
  – User to managed system.
• Each path could be blocked:
  – Systems behind firewalls or NAT.
  – Unroutable addresses.
  – DNS names that do not resolve.
  – Laptops move and get powered down.
Solutions
• PAM to endpoint:
  – Direct connection.
  – PAM to proxy, proxy to endpoint.
• User to endpoint:
  – Direct to target (launch admin UI, inject creds).
  – RDP to proxy, any protocol to target.
  – HTML5 to proxy, SSH or RDP to target.
• Endpoint to PAM:
  – Local service calls home.
  – Suitable for laptops, VMs.
Diagram: user, PAM server and managed endpoint, with a question mark on each of the three communication paths between them.
4.7 High availability / minimal down-time
Challenges
• Consider what happens in a physical disaster:
  – Vault recovery time delays recovery of all other services.
• Have to recover the vault first:
  – Cannot afford delays in vault recovery.
• Human intervention in recovery would add too much delay.
Solutions
• The system must survive disasters.
• Requirements:
  – Real-time data replication.
  – Geographically distributed.
  – Active-active architecture.
4.8 Non-human users of privileged accounts
Challenges
• Service accounts are used to run processes.
• Scripts and applications use embedded passwords to connect to databases and other services.
• These accounts also have high privilege.
• Non-human account passwords may be:
  – Plaintext, static or well-known.
Solutions
• Discover service accounts.
• Randomize and vault passwords:
  – Inject new passwords into service subscribers.
• Expose an API to retrieve passwords:
  – Fingerprint applications to authenticate them.
4.9 Strong authentication
Challenges
• Authorized users could be hacked.
• Malware installed on their PCs.
• Passwords compromised.
• An attacker could leverage PAM to expand the reach of their compromise.
Solutions
• Require two-factor authentication (2FA) at PAM login.
• If no 2FA solution is in place, use the one provided with Hitachi ID Privileged Access Manager.
• Mobile app scans QR code challenge on PC screen.
• Protect against key-loggers, compromised passwords.
5 Privileged Access Manager features
5.1 Infrastructure auto discovery
Discovery, onboarding and classification must be automated in order to scale up:
1. List systems: AD; LDAP; CSV file; SQL or SQLite DB.
2. Target systems: rules: manage? (yes/no); rules: select connection credentials.
3. Probe systems: list accounts, groups and services; massive parallelism is essential here.
4. Manage systems: rules: which policies to apply?
5. Manage accounts: rules: which accounts to manage? rules: which policies to apply?
• Import, classify, probe up to 10,000 systems and 500,000 accounts per hour.
• 100% policy driven – no scripts.
5.2 Connect to IT assets and manage access
Discover accounts, groups and services. Randomize passwords.
5.3 Identify and authenticate users
• Identify users using an existing directory:
  – AD
  – LDAP
  – Any other system/app/DB will work.
• Combine existing credentials:
  – Passwords (AD, LDAP, etc.).
  – Tokens (OTP).
  – Smart cards (PKI).
  – PIN (SMS to mobile or personal e-mail).
  – Smart phone app (iOS or Android, included).
• Step up authentication based on context:
  – Vendor access?
  – Off-site, off-hours or personal device?
  – User with rights to many systems?
5.4 Authorizing access to privileged accounts
Two models: permanent and one-time.
Permanent ACL
• Pre-authorized users can launch an admin session any time.
• Access control model:
  – Users ... belong to
  – User groups ... are assigned ACLs to
  – Managed system policies ... which contain
  – Devices and applications
• Also used for API clients.
One-time request
• Request access for any user to connect to any account.
• Approvals workflow with:
  – Dynamic routing.
  – Parallel approvals.
  – N of M authorizers.
  – Auto-reminders.
  – Escalation.
  – Delegation.
Concurrency control
• Coordinate admin changes by limiting the number of people connected to the same account:
  – Can be >1.
  – Notify each admin of the others.
• Ensure accountability of who had access to an account at a given time.
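The access control chain on this slide (users belong to groups, groups hold ACLs on managed-system policies, policies contain the systems) plus the one-time request path and the per-account concurrency limit, written out as an added example. This is illustrative code, not Hitachi ID's implementation; the N-of-M approval rule, the class and method names and the data in the usage are all assumptions made for the example.

```python
"""Authorization model: permanent ACL through group membership, or a one-time
request that has collected enough approvals; either way a per-account
concurrency limit caps how many admins hold the same account at once and each
new holder is told who else is connected.

Added example illustrating the slide's model, not Hitachi ID's code. Names,
the "N of M" rule and the sample data are constructed.
"""
from collections import defaultdict


class AccessModel:
    def __init__(self):
        self.user_groups = defaultdict(set)     # user -> groups
        self.group_acls = defaultdict(set)      # group -> policies it may use
        self.policy_systems = defaultdict(set)  # policy -> managed systems it contains
        self.policy_limit = {}                  # policy -> max concurrent holders per account
        self.approvals = defaultdict(set)       # (user, system, account) -> approvers so far
        self.holders = defaultdict(set)         # (system, account) -> users checked out

    def add_policy(self, name, systems, max_concurrent=1):
        self.policy_systems[name] |= set(systems)
        self.policy_limit[name] = max_concurrent

    def policies_for(self, system):
        return {p for p, systems in self.policy_systems.items() if system in systems}

    def permanent_ok(self, user, system):
        """Users -> groups -> ACLs -> policies -> systems."""
        allowed = set()
        for g in self.user_groups.get(user, ()):
            allowed |= self.group_acls.get(g, set())
        return bool(allowed & self.policies_for(system))

    def approve(self, approver, user, system, account):
        self.approvals[(user, system, account)].add(approver)

    def check_out(self, user, system, account, required_approvals=2):
        """Return the basis of the grant and the other admins currently holding
        the account; raise PermissionError when nothing authorizes the user."""
        key = (system, account)
        policies = self.policies_for(system)
        if not policies:
            raise PermissionError(f"{system} is not a managed system")
        if self.permanent_ok(user, system):
            basis = "permanent ACL"
        elif len(self.approvals.get((user, system, account), ())) >= required_approvals:
            basis = "one-time request"
            self.approvals.pop((user, system, account))   # an approval is single use
        else:
            raise PermissionError("no ACL and insufficient approvals")
        limit = min(self.policy_limit[p] for p in policies)
        current = self.holders.get(key, set())
        if user not in current and len(current) >= limit:
            raise PermissionError(f"{account}@{system} already held by {sorted(current)}")
        others = sorted(current - {user})
        self.holders[key].add(user)
        return {"basis": basis, "notify": others}

    def check_in(self, user, system, account):
        self.holders[(system, account)].discard(user)


if __name__ == "__main__":
    m = AccessModel()
    m.add_policy("linux-prod", {"db01", "db02"}, max_concurrent=2)
    m.user_groups["alice"].add("unix-admins")
    m.group_acls["unix-admins"].add("linux-prod")
    print(m.check_out("alice", "db01", "root"))        # permanent ACL, nobody to notify
    m.approve("carol", "bob", "db01", "root")
    m.approve("dave", "bob", "db01", "root")
    print(m.check_out("bob", "db01", "root"))          # one-time request, notify alice
```

The concurrency check runs after the authorization decision, so a denied request never reveals who currently holds the account; the limit is the strictest one among the policies that contain the system.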
5.5 Access disclosure mechanisms
Launch session (SSO)
• Launch RDP, SSH, vSphere, SQL Studio, ...
• Extensible (launch any CLI).
• Password is hidden.
• Convenient (SSO).
Temporary entitlement
• Group membership (AD, Windows, SQL, etc.).
• SSH trust (.ssh/authorized_keys).
• Native logging shows actual user.
Copy buffer integration
• Inject password into copy buffer.
• Clear after N seconds.
• Flexible (secondary connections, open-ended tooling).
Display
• Show the password in the UI.
• Clear after N seconds.
• Useful at the physical server console.
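The "SSH trust" disclosure mechanism (also listed under 4.4) grants access by adding the requester's public key to the privileged account's .ssh/authorized_keys, and the trust is meant to be temporary. The script below is an added example of that mechanism, not Hitachi ID's connector: it appends a time-limited, forwarding-restricted entry and reaps expired entries. It assumes OpenSSH 7.7 or later so that the `expiry-time="YYYYMMDDHHMMSS"` authorized_keys option is honoured by sshd itself (a second line of defence if the reaper is late); the option is read in the server's local time zone. The key, paths and names are constructed.

```python
"""Temporary SSH trust for a privileged account (for example root on a Linux
host): append the requester's personal public key to the account's
~/.ssh/authorized_keys with an expiry, and later reap entries whose expiry
has passed.

Added example, not Hitachi ID code. Assumptions: sshd is OpenSSH 7.7 or later,
so expiry-time="YYYYMMDDHHMMSS" is honoured (sshd refuses the key after that
time even if the reaper has not run; the value is read in the server's local
time zone). "restrict,pty" keeps an interactive shell but disables port, agent
and X11 forwarding. The sample key is constructed.
"""
import base64
import os
import re
import tempfile
from datetime import datetime, timedelta

TAG = "hipam-temp"   # marks entries this tool owns; other lines are never touched
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com"}
EXPIRY_RE = re.compile(r'expiry-time="(\d{14})"')
TIME_FMT = "%Y%m%d%H%M%S"

# constructed sample: the shape of ssh-keygen output, not a real key
SAMPLE_PUBKEY = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI"
                 "ExampleExampleExampleExampleExampleExample0 alice@laptop")


def parse_pubkey(pubkey):
    """Accept only a bare '<type> <base64> [comment]' line, so a requester cannot
    smuggle options (command=, environment=) or a second key into the file."""
    parts = pubkey.strip().split()
    if len(parts) not in (2, 3) or parts[0] not in KEY_TYPES:
        raise ValueError("unsupported public key format")
    base64.b64decode(parts[1], validate=True)   # raises on anything that is not base64
    return parts[0], parts[1]


def _read(path):
    if not os.path.exists(path):
        return []
    with open(path) as f:
        lines = f.readlines()
    if lines and not lines[-1].endswith("\n"):
        lines[-1] += "\n"
    return lines


def _write_atomic(path, lines):
    """Replace the file via rename so sshd never reads a half-written authorized_keys."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".authorized_keys.")
    with os.fdopen(fd, "w") as f:
        f.write("".join(lines))
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)


def _expiry(line):
    """Expiry of one of our entries, or None for lines we do not own."""
    m = EXPIRY_RE.search(line)
    if f" {TAG}:" not in line or m is None:
        return None
    return datetime.strptime(m.group(1), TIME_FMT)


def grant(path, pubkey, ttl_minutes, requester, now=None):
    """Append a time-limited entry for `requester` and return the line added."""
    if not re.fullmatch(r"[A-Za-z0-9._-]+", requester):
        raise ValueError("requester name must be a plain identifier")
    now = now or datetime.now()
    ktype, blob = parse_pubkey(pubkey)
    expires = (now + timedelta(minutes=ttl_minutes)).strftime(TIME_FMT)
    line = f'restrict,pty,expiry-time="{expires}" {ktype} {blob} {TAG}:{requester}\n'
    _write_atomic(path, _read(path) + [line])
    return line


def active_grants(path, now=None):
    """Requesters whose temporary trust is still valid at `now`."""
    now = now or datetime.now()
    out = []
    for line in _read(path):
        exp = _expiry(line)
        if exp is not None and exp > now:
            out.append(line.rsplit(":", 1)[1].strip())
    return out


def reap(path, now=None):
    """Drop our expired entries; returns the number removed."""
    now = now or datetime.now()
    lines = _read(path)
    keep = [l for l in lines if not (_expiry(l) is not None and _expiry(l) <= now)]
    if len(keep) != len(lines):
        _write_atomic(path, keep)
    return len(lines) - len(keep)


def revoke(path, requester):
    """Early check-in: remove all of one requester's entries regardless of expiry."""
    lines = _read(path)
    keep = [l for l in lines if not l.rstrip("\n").endswith(f" {TAG}:{requester}")]
    if len(keep) != len(lines):
        _write_atomic(path, keep)
    return len(lines) - len(keep)
```

Because the requester logs in with a key bound to a named person, the target's own auth log shows that person rather than a shared password, which is the "native logging shows actual user" point on the slide; the reaper should run from cron or the check-in workflow, with `expiry-time` as the safety net.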
5.6 Account sets
What is an account set?
• A saved search.
• Returns managed accounts on managed systems.
• Example: search on OS, subnet, login ID.
• Can also include accounts, systems individually.
Using account sets
• Check out multiple accounts at once:
  – e.g., all systems requiring a patch.
  – e.g., all systems supporting an n-tier app.
• Launch multiple login sessions at once:
  – RDP, SSH, vSphere, SQL Studio, Toad, etc.
• Push commands to run on all checked out systems, accounts:
  – Retrieve status from end systems.
  – Make configuration changes.
  – Apply patches.
5.7 Options for launching login sessions
Real-world constraints
• Is the managed system reachable from the user's PC?
  – Firewalls, NAT.
  – Name resolution problems.
  – Unroutable addresses.
  – Off-site users (e.g., vendors).
• What admin tool does the user want?
  – MSTSC - RDP.
  – PuTTY, SecureCRT, etc. - SSH.
  – DBA tools.
  – Hypervisor admin tools, etc.
• User's device type?
• Session recording required?
Login options
• Direct connection:
  – Windows client required.
  – IE + ActiveX.
  – FF, Chrome, Opera + extension.
  – Single-use EXE.
• Indirect via proxy:
  – Windows proxy:
    * Connect to proxy using RDP.
    * Sign into proxy first.
    * Next, sign into HiPAM.
    * Launch any admin tool.
  – HTML5 proxy:
    * Sign into HiPAM first.
    * Launch HTML5 session in browser tab.
    * Proxy connects to endpoint with SSH, RDP.
5.8 Direct login from user endpoint
5.9 Login session via VDI proxy
5.10 SSH or RDP session via HTML5 proxy
5.11 Session monitoring
Scalable, detailed, tamper-proof recording of administrator sessions:
Record
• Full screen.
• App window.
• UI meta data.
• Process meta data.
• Keyboard.
• Copy buffer.
• Webcam.
Store/Playback
• Structured data in DB.
• Video on filesystem.
• MPEG4 video.
• PNG webcam snaps.
• XML meta data.
Searchable
• Meta data (who, when, from-where, to-where, duration, ...).
• Session content (keywords).
Secure
• Right to search.
• Right to playback.
• ACLs.
• Workflow approvals.
• Multiple sensors:
  – IE + ActiveX
  – FF, Chrome or Opera + browser extension
  – HTML5 proxy
• 10 kbyte/s per active session; 100 active sessions/server.
5.12 Windows service account passwords
Periodically change service account passwords without triggering service faults:
Discovery:
• Accounts (local and domain), services, dependencies.
White listing:
• Which accounts to manage?
• Is the list of discovered subscribers complete?
• When/how often to randomize password?
• Inject new password before/after/both?
• Restart service?
• Notify owner?
Notification:
• Multiple subscriber types – SCM, IIS, DCOM, Scheduler.
• Before/after password change.
Fault tolerant:
• Check subscriber availability before password change.
• Retry notification if first attempt fails.
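The failure mode this slide (and 4.8) is about is a service account whose password changed in the directory while one of its subscribers still holds the old one, so the next restart or token refresh fails. The orchestration below is an added example of the ordering and fault tolerance described above, not Hitachi ID's Windows agent: check every subscriber is reachable before anything changes, set the new password, push it to each subscriber with retries, and roll the directory and already-updated subscribers back if one subscriber never accepts it. The directory and the SCM/scheduler/IIS subscribers are in-memory stand-ins; on a real host the corresponding steps would be the directory's password-set call, the service control manager's logon-credential update and a service restart. Names and data are constructed.

```python
"""Rotate a service account password without breaking its subscribers:
(1) refuse to start unless every known subscriber is reachable, (2) set the new
password in the directory, (3) push it to each subscriber with retries,
(4) restart the subscribers that need it, (5) roll back if a subscriber still
cannot be updated, so the account never ends up with a password its consumers
do not know.

Added example of the orchestration logic, not Hitachi ID code. Directory and
subscribers are simulated; the transient and permanent faults are constructed.
"""
import secrets
import string


class Directory:
    """Stand-in for AD or a local SAM: holds the account's current password."""
    def __init__(self, passwords):
        self.passwords = dict(passwords)

    def set_password(self, account, pw):
        self.passwords[account] = pw


class Subscriber:
    """Something that logs on as the account: SCM service, IIS app pool, scheduled task, DCOM app."""
    def __init__(self, name, password, restart_needed=True, fail_first=0, reachable=True):
        self.name, self.password, self.restart_needed = name, password, restart_needed
        self.fail_first, self.reachable, self.restarts = fail_first, reachable, 0

    def is_available(self):
        return self.reachable

    def set_password(self, pw):
        if self.fail_first > 0:                 # constructed transient fault
            self.fail_first -= 1
            raise ConnectionError(f"{self.name}: RPC timeout")
        self.password = pw

    def restart(self):
        self.restarts += 1


def new_password(length=32):
    alphabet = string.ascii_letters + string.digits + "!#%&*+-=?@_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def _push(sub, pw, retries):
    """Deliver the password to one subscriber; returns the attempt that succeeded."""
    for attempt in range(1, retries + 1):
        try:
            sub.set_password(pw)
            return attempt
        except ConnectionError:
            if attempt == retries:
                raise


def rotate(directory, account, subscribers, retries=3):
    unreachable = [s.name for s in subscribers if not s.is_available()]
    if unreachable:                            # pre-check: nothing has been touched yet
        return {"status": "skipped", "unreachable": unreachable}
    old, new = directory.passwords[account], new_password()
    directory.set_password(account, new)
    updated, attempts = [], {}
    try:
        for s in subscribers:
            attempts[s.name] = _push(s, new, retries)
            updated.append(s)
    except ConnectionError as e:
        directory.set_password(account, old)   # roll back so the old password works again
        for s in updated:
            _push(s, old, retries)
        return {"status": "rolled back", "error": str(e), "attempts": attempts}
    for s in subscribers:
        if s.restart_needed:
            s.restart()                        # pick up the new logon credential
    return {"status": "rotated", "attempts": attempts}


if __name__ == "__main__":
    d = Directory({"svc_backup": "OldPassword1"})
    subs = [Subscriber("SCM:BackupSvc", "OldPassword1"),
            Subscriber("Scheduler:NightlyJob", "OldPassword1", restart_needed=False, fail_first=2)]
    print(rotate(d, "svc_backup", subs))       # rotated; scheduler needed 3 attempts
```

The rollback path only works because the pre-check guarantees the subscribers were reachable a moment ago; a discovery step that misses a subscriber (the "is the list complete?" question above) is the one case this logic cannot protect against, which is why the whitelist review happens before rotation is enabled.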
5.13 Service account management process
Diagram (service account management process): list of managed systems; probe managed endpoints; discovered services and service accounts; review and configure (app owners); managed services and service accounts; randomize passwords; notify subscribers of new password.
5.14 Replacing embedded passwords
Applications and scripts can fetch passwords from the credential vault, on demand:
Open / portable:
• HiPAM exposes an API over SOAP/HTTPS.
• Client libraries provided for Windows, .NET, Linux, Unix, Java.
Secure:
• SOAP API authenticates each caller with one-time password (OTP) + IP address.
• Each client has its own ID, which defines accessible credentials.
• The client library fingerprints the calling app, command-line args, config files to generate encryption keys.
• App changes, which may be malicious, require re-authorizing access.
Reliable:
• Library caches passwords, manages the OTP.
Scalable / fast:
• Caching reduces server load and impact of packet latency.
Simple / convenient:
• GetPassword("config.xml", errorBuf, sizeof(errorBuf), 0, "systemID", "accountID", argc, argv, NULL, passwordBuf, sizeof(passwordBuf))
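The properties listed above (one OTP per call, source-IP check, a client ID that scopes which credentials may be fetched, a fingerprint of the calling program, its arguments and its config file used to derive the key for the local cache, and re-authorization when the program changes) fit together as shown in this added example. It is not Hitachi ID's client library or SOAP API: the Vault class is an in-process stand-in for the server side so the whole exchange runs offline, the HMAC-based cache cipher is a stdlib-only illustration rather than a recommended construction, and the client ID, IP, fingerprint inputs and passwords are constructed.

```python
"""Fingerprint-bound credential client with per-call one-time passwords.

Added illustration of the pattern on the slide, NOT Hitachi ID's library or
API. Vault stands in for the PAM server; seal/unseal is a toy stdlib cipher;
all names and sample data are constructed.
"""
import hashlib
import hmac
import json
import os
import secrets


def fingerprint(exe_bytes, argv, config_bytes):
    """Hash of executable, argv and config: changes if any of them is modified."""
    h = hashlib.sha256()
    for part in (exe_bytes, json.dumps(list(argv)).encode(), config_bytes):
        h.update(len(part).to_bytes(4, "big") + part)   # length-prefix each field
    return h.digest()


def _keystream(key, nonce, n):
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def seal(key, plaintext):
    """Encrypt-then-MAC with stdlib primitives only (illustrative, not production crypto)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("cache sealed under another fingerprint; re-authorize the app")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Vault:
    """Server side stand-in: checks client ID, OTP and source IP; scopes credentials."""
    def __init__(self):
        self.clients = {}    # client_id -> {"otp": str, "ip": str, "allowed": set}
        self.secrets = {}    # (system, account) -> current password

    def register(self, client_id, ip, allowed):
        otp = secrets.token_hex(16)
        self.clients[client_id] = {"otp": otp, "ip": ip, "allowed": set(allowed)}
        return otp           # initial OTP handed over once, at onboarding

    def get_password(self, client_id, otp, src_ip, system, account):
        c = self.clients.get(client_id)
        if c is None or src_ip != c["ip"] or not hmac.compare_digest(otp, c["otp"]):
            raise PermissionError("rejected: unknown client, wrong source IP or stale OTP")
        if (system, account) not in c["allowed"]:
            raise PermissionError("rejected: client not authorized for this credential")
        c["otp"] = secrets.token_hex(16)        # OTP is single use; issue the next one
        return {"password": self.secrets[(system, account)], "next_otp": c["otp"]}


class Client:
    """Wrapper library: keeps the OTP and fetched passwords in a cache sealed under
    a key derived from the caller's fingerprint."""
    def __init__(self, vault, client_id, ip, cache_path, fp):
        self.vault, self.client_id, self.ip, self.cache_path = vault, client_id, ip, cache_path
        self.key = hashlib.sha256(b"cache-key|" + fp).digest()
        self.state = None
        if os.path.exists(cache_path):
            with open(cache_path, "rb") as f:
                self.state = json.loads(unseal(self.key, f.read()))

    def activate(self, initial_otp):
        self.state = {"otp": initial_otp, "passwords": {}}
        self._save()

    def _save(self):
        tmp = self.cache_path + ".tmp"
        with open(tmp, "wb") as f:
            f.write(seal(self.key, json.dumps(self.state).encode()))
        os.replace(tmp, self.cache_path)

    def get_password(self, system, account, refresh=False):
        """Serve from cache; call the vault (consuming one OTP) on a miss or when
        the caller asks for a refresh, e.g. after the cached password stopped working."""
        if self.state is None:
            raise RuntimeError("client not activated")
        name = f"{system}/{account}"
        if not refresh and name in self.state["passwords"]:
            return self.state["passwords"][name]
        resp = self.vault.get_password(self.client_id, self.state["otp"], self.ip, system, account)
        self.state["otp"], self.state["passwords"][name] = resp["next_otp"], resp["password"]
        self._save()
        return resp["password"]
```

Two consequences worth noticing: a copy of the cache file is useless to a different binary (or the same binary with different arguments or config), because the key never leaves the fingerprint; and an attacker who captures one request cannot replay it, because the server has already moved to the next OTP. The price is that the OTP chain is state the client must persist atomically, which is what the temp-file-and-rename in `_save` is for.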
5.15 API to securely retrieve credentials
Diagram (API to securely retrieve credentials): the script or application calls the API wrapper library, which holds a cached password and the OTP; the library fetches the password from Privileged Access Manager over SOAP/HTTPS using the OTP; the credential vault is encrypted, replicated, audited, access controlled and authenticated, and periodically randomizes passwords; the application then connects to the database, API or service with the application user and password over the service's native protocol (possibly secure).
6 Recorded Demos
6.1 Request privileged account
Animation: ../../pics/camtasia/suite11/hipam-request-password.mp4
6.2 Approve one-time access
Animation: ../../pics/camtasia/suite11/hipam-approve-request.mp4
6.3 Launch approved RDP to Windows
Animation: ../../pics/camtasia/suite11/hipam-launch-rdp-approved-request.mp4
6.4 Request and launch PuTTY to Linux
Animation: ../../pics/camtasia/v10/hipam-linux-preauth.mp4
6.5 Request, approve and play recording
Animation: ../../pics/camtasia/suite11/hipam-view-playback-nb.mp4
6.6 Report on requests for privileged access
Animation: ../../pics/camtasia/v10/hipam-admin-reports.mp4
6.7 Password display
Animation: ../../pics/camtasia/v9/pw-disp-scaled-1/pw-disp-scaled-1.mp4
7 Technology
7.1 Fault-tolerant architecture
Diagram (fault-tolerant architecture): users reach Hitachi ID Privileged Access Manager over HTTPS through a load balancer; two PAM servers, each with its own credential vault, at site A and site B replicate over TCP/IP + AES; a proxy at site C, behind a firewall, is reached from the PAM servers over TCP/IP + AES and connects to managed endpoints: Windows servers or DCs over LDAP/S and NTLM, Unix and Linux over SSH, and other endpoints over various protocols.
7.2 Active-active replication
Avoid data loss and service interruption: multiple copies of the vault in different cities.
• Real-time data replication.
• Fault-tolerant.
• Bandwidth efficient, latency tolerant.
• Best practice: multiple servers in multiple data centers.
• Active/active.
• Load balanced.
7.3 BYOD access to on-premises IAM system
The challenge
• Users want access on their phones.
• Phone on the Internet, IAM on-prem.
• Don't want attackers probing IAM from the Internet.
Hitachi ID Mobile Access
• Install + activate iOS, Android app.
• Proxy service on DMZ or cloud.
• IAM, phone both call the proxy - no firewall changes.
• IAM not visible on Internet.
Diagram (outbound connections only): the personal device on the Internet and the IAM server on the private corporate network both open outbound connections through their firewalls to a cloud proxy in the DMZ; (1) an IAM worker thread asks the proxy's message passing system "give me an HTTP request"; (2) the phone sends an HTTPS request that includes the userID and deviceID; (3) the proxy passes that request to the waiting worker thread.
7.4 Included connectors
Directories: Active Directory and Azure AD; any LDAP; NIS/NIS+ and eDirectory.
Databases: Oracle; SAP ASE and HANA; SQL Server; DB2/UDB; Hyperion; Caché; MySQL; OLAP and ODBC.
Server OS – X86/IA64: Windows: NT thru 2016; Linux and *BSD.
Server OS – Unix: Solaris, AIX and HP-UX.
Server OS – Mainframe: RACF, ACF/2 and TopSecret.
Server OS – Midrange: iSeries (OS400); OpenVMS and HPE/Tandem NonStop.
ERP, CRM and other apps: Oracle EBS; SAP ECC and R/3; JD Edwards; PeopleSoft; Salesforce.com; Concur; Business Objects and Epic.
Messaging & collaboration: Microsoft Exchange, Lync and Office 365; Lotus Notes/Domino; Google Apps; Cisco WebEx, Call Manager and Unity.
Smart cards and 2FA: Any RADIUS service or SAML IdP; Duo Security; RSA SecurID; SafeWord; Vasco; ActivIdentity and Schlumberger.
Access managers / SSO: CA SiteMinder; IBM Security Access Manager; Oracle AM; RSA Access Manager and Imprivata OneSign.
Help desk / ITSM: ServiceNow; BMC Remedy, RemedyForce and Footprints; JIRA; HPE Service Manager; CA Service Desk; Axios Assyst; Ivanti HEAT; Symantec Altiris; Track-It!; MS SCS Manager and Cherwell.
PC filesystem encryption: Microsoft BitLocker; McAfee; Symantec Endpoint Encryption and PGP; CheckPoint and Sophos SafeGuard.
Server health monitoring: HP iLO, Dell DRAC and IBM RSA.
HR / HCM: WorkDay; PeopleSoft HR; SAP HCM and SuccessFactors.
Extensible / scriptable: CSV files; SCIM; SSH; Telnet/TN3270/TN5250; HTTP(S); SQL; LDAP; PowerShell and Python.
Hypervisors and IaaS: AWS; vSphere and ESXi.
Mobile management: BlackBerry Enterprise Server and MobileIron.
Network devices: Cisco IOS, PIX and ASA; Juniper JunOS and ScreenOS; F5 BigIP; HP Procurve; Brocade Fabric OS and CheckPoint SecurePlatform.
Filesystems and content: Windows/CIFS/DFS; SharePoint; Samba; Hitachi Content Platform and HCP Anywhere; Box.com and Twitter.
SIEM: Splunk; ArcSight; RSA Envision and QRadar. Any SIEM supporting SYSLOG or Windows events.
Management & inventory: Qualys; McAfee ePO and MVM; Cisco ACS; ServiceNow ITAM; HP UCMDB; Hitachi HiTrack.
7.5 Integration with custom apps
• Hitachi ID Privileged Access Manager easily integrates with custom, vertical and hosted applications using flexible agents.
• Each flexible agent connects to a class of applications:
  – API bindings (C, C++, Java, COM, ActiveX, MQ Series).
  – Telnet / TN3270 / TN5250 sessions with TLS or SSL.
  – SSH sessions.
  – HTTP(S) administrative interfaces.
  – Web services.
  – Win32 and Unix command-line administration programs.
  – SQL scripts.
  – Custom LDAP attributes.
• Integration takes a few hours to a few days.
• Fixed cost service available from Hitachi ID.
7.6 Device integrations
HiPAM can be used to manage access to devices, including:
• Cisco / IOS.
• Juniper JunOS.
• F5 / BigIP.
• Dell DRAC cards.
• HP iLO cards.
• IBM RSA cards.
• Deep integration with Cisco ACS (TACACS+, RADIUS).
• Extensible via scripted SSH, Telnet, HTTP(S) sessions.
8 Implementation
8.1 Hitachi ID professional services
• Hitachi ID offers a complete range of services relating to Hitachi ID Privileged Access Manager, including:
  – Needs analysis and solution design.
  – Fixed price system deployment.
  – Project planning.
  – Roll-out management, including maximizing user adoption.
  – Ongoing system monitoring.
  – Training.
• Services are based on extensive experience with the Hitachi ID solution delivery process.
• The Hitachi ID professional services team is highly technical and has years of experience deploying IAM solutions.
• Hitachi ID partners with integrators that also offer business process and system design services to mutual customers.
• All implementation services are fixed price:
  – Solution design.
  – Statement of work.
8.2 ID Express - Privileged Access
• Pre-configured integrations, logic to expedite deployment.
• Users identified, authorized via AD domain.
• 2FA for all logins (smart phone app, SMS/PIN, e-mail PIN).
• Randomize, control access to admin passwords.
• One-time access approved via members of AD groups.
• Risk scores applied to access requests, to highlight the unusual.
• Session recording, playback, approval workflows pre-configured.
• Infrastructure for discovering, managing Windows service account passwords.
• Infrastructure for replacing embedded passwords in apps, scripts.
9 Differentiation
9.1 HiPAM advantages (technical)
HiPAM (competitors in parentheses):
• Multi-master, active-active (competitors: hot standby, "offline" mode).
• 2FA for everyone, no extra cost (competitors: either purchase a separate 2FA system or rely on AD passwords).
• BYOD access, including approvals (competitors: fire up your laptop, sign into the VPN).
• Single sign-on (competitors: re-authenticate for every privileged session).
• Check-out multiple accounts in one request (competitors: one account at a time).
• Temporary privilege elevation (competitors: only password display/injection).
• Secure laptops (mobile, NAT, firewalled) (competitors: endpoints not really supported).
• Direct connect, HTML5, RDP+launch proxy (competitors: only via proxy).
• Proxy servers to integrate with remote systems (competitors: extra cost, more appliances?).
• Run any admin tool, with any protocol (competitors: can only launch RDP, SSH).
9.2 HiPAM advantages (commercial)
HiPAM (competitors in parentheses):
• Manage groups that control access policy (competitors: a separate IAM system).
• Proxy servers to integrate with remote systems (competitors: extra cost, more appliances?).
• Secure Windows service account passwords (competitors: separate product).
• Secure API replaces embedded passwords (competitors: separate product).
• Session recording included (competitors: separate product).
• Over 120 connectors included (competitors: some connectors cost more).
• Unlimited users (competitors: fee per user).
10 Summary
Hitachi ID Privileged Access Manager secures privileged accounts:
• Eliminate static, shared passwords to privileged accounts.
• Built-in encryption, replication, geo-diversity for the credential vault.
• Authorized users can launch sessions without knowing or typing a password.
• Infrequent users can request, be authorized for one-time access.
• Strong authentication, authorization and audit throughout the process.
Learn more at hitachi-id.com/privileged-access-manager
hitachi-id.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 E-Mail: [email protected]
Date: 2020-03-23