1 Hitachi ID Privileged Access Manager

Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

Securing access to administrator, embedded and service accounts.




2 Agenda
  •   Hitachi ID corporate overview.
  •   ID Management Suite overview.
  •   Securing administrative passwords with Hitachi ID Privileged Access Manager.
  •   Animated demonstration.




                                              © 2012 Hitachi ID Systems, Inc.. All rights reserved.   1
Slide Presentation




3 Hitachi ID Corporate Overview


Hitachi ID is a leading provider of identity and access management solutions.
    • Founded as M-Tech in 1992.
    • A division of Hitachi, Ltd. since 2008.
    • Over 900 customers.
    • More than 11M licensed users.
    • Offices in North America, Europe and APAC.
    • Partners globally.




4 Representative Hitachi ID Customers








5 ID Management Suite




6 Securing Privileged Accounts
Thousands of IT assets:
   • Servers, network devices, databases and applications:
       – Numerous.
       – High value.
       – Heterogeneous.
   • Workstations:
       – Mobile – dynamic IPs.
       – Powered on or off.
       – Direct-attached or firewalled.

Who has the keys to the kingdom?
   • Every IT asset has sensitive passwords:
       – Administrator passwords: used to manage each system.
       – Service passwords: provide security context to service programs.
       – Application passwords: allow one application to connect to another.
   • Do these passwords ever change?
   • Who knows these passwords? (ex-staff?)
   • Audit: who did what?








7 Project Drivers
Organizations need to secure their most sensitive passwords:



   Compliance:          • Pass regulatory audits.
                        • Compliance should be sustainable.
   Security:            • Eliminate static passwords on sensitive accounts.
                        • Create accountability for admin work.
   Cost:                • Efficient process to regularly change privileged passwords.
                        • Simple and effective deactivation for former administrators.
   Flexibility:         • Grant temporary admin access.
                        • Emergencies, production migrations, workload peaks, etc.




8 Participants in PAM
Hitachi ID Privileged Access Manager works by randomizing privileged passwords and connecting
people and programs to privileged accounts as needed:



   Privileged accounts   Get new, random passwords daily or at the desired frequency.
   IT Users              Must sign into HiPAM when they need to sign into administrator accounts.
   Services              Are automatically updated with new password values.
   Applications          Use the HiPAM API instead of embedded passwords.
   Security officers     Define policies regarding who can connect to which privileged account.
   Auditors              Monitor access requests and privileged login sessions.








9 HiPAM Impact

  Feature                     Impact                                                      Benefit
  Randomize passwords daily   Eliminate static, shared passwords.                         Disconnect former IT staff.
  Controlled disclosure       Control who can see passwords.                              The right users and programs can access privileged accounts, others cannot.
  Logging & Reporting         Monitor password disclosure.                                Accountability. Faster troubleshooting.
  Encryption                  Secure passwords in storage and transit.                    Physical compromise does not expose passwords.
  Replication                 Passwords stored on multiple servers, in different sites.   Survive server crashes and site disasters.




10 Understand and Manage the Risks
A privileged access management (PAM) system becomes the sole repository of the most important
credentials.



   Risk               Description                               Mitigation
   Disclosure         Compromised vault → security disaster.    Encrypted vault. Strong authentication. Flexible authorization.
   Data Loss          Destroyed vault → IT disaster.            Replicate the vault.
   Non-availability   Offline vault → IT service interruption.  One vault in each of 2+ sites.

Customers must test failure conditions before purchase!








11 Randomizing Passwords
  Push random passwords to systems:
     • Periodically (e.g., between 3AM and 4AM).
     • When users check passwords back in.
     • When users want a specific password.
     • On urgent termination.
     • Suitable for servers and PCs on the corporate network.

  Pull initiated by user devices:
     • Periodically.
     • Random time-of-day.
     • Opportunistically, when connectivity is available.
     • Suitable for home PCs and on-the-road laptops.








12 Authorizing Access to Privileged Accounts
Two models: permanent and one-time.



   Permanent ACL
       • Pre-authorized users can launch an admin session any time.
       • Access control model:
           – Users ... belong to
           – User groups ... are assigned ACLs to
           – Managed system policies ... which contain
           – Devices and applications
       • Also used for API clients.

   One-time request
       • Request access for any user to connect to any account.
       • Approvals workflow with:
           – Dynamic routing.
           – Parallel approvals.
           – N of M authorizers.
           – Auto-reminders.
           – Escalation.
           – Delegation.

   Concurrency control
       • Coordinate admin changes by limiting the number of people connected to the same account:
           – Can be >1.
           – Notify each admin of the others.
       • Ensure accountability of who had access to an account at a given time.
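The one-time request and concurrency-control columns above describe a policy rather than code; the following Python model is an added illustration, not Hitachi ID code. It implements an N-of-M approval rule per account, escalation once the approval window lapses, a cap on how many admins may hold an account at once (each new holder is told who else is connected), and an audit trail. The policy shape, the names and the 4-hour window are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Policy:
    """Who may approve access to one privileged account, and how many must."""
    authorizers: frozenset[str]        # the M people who may approve
    required: int                      # N approvals needed (N of M)
    max_concurrent: int = 1            # how many people may hold the account at once
    approval_window: timedelta = timedelta(hours=4)  # escalate if undecided after this


@dataclass
class Request:
    requester: str
    account: str
    created: datetime
    approvals: set[str] = field(default_factory=set)
    denied_by: str | None = None


class AccessBroker:
    """One-time access requests with N-of-M approval and concurrency control."""

    def __init__(self, policies: dict[str, Policy]) -> None:
        self.policies = policies
        self.requests: dict[int, Request] = {}
        self.holders: dict[str, set[str]] = {}        # account -> users connected now
        self.audit: list[tuple[datetime, str]] = []   # who did what, and when
        self._next_id = 1

    def _log(self, when: datetime, msg: str) -> None:
        self.audit.append((when, msg))

    def request(self, requester: str, account: str, now: datetime) -> int:
        if account not in self.policies:
            raise KeyError(f"no access policy for {account}")
        rid, self._next_id = self._next_id, self._next_id + 1
        self.requests[rid] = Request(requester, account, now)
        self._log(now, f"request {rid}: {requester} asks for {account}")
        return rid

    def status(self, rid: int, now: datetime) -> str:
        req = self.requests[rid]
        pol = self.policies[req.account]
        if req.denied_by:
            return "denied"
        if len(req.approvals) >= pol.required:
            return "approved"
        if now - req.created > pol.approval_window:
            return "escalated"      # reminder / escalation to the next authorizer fires here
        return "pending"

    def approve(self, rid: int, approver: str, now: datetime) -> str:
        req = self.requests[rid]
        pol = self.policies[req.account]
        if approver not in pol.authorizers:
            raise PermissionError(f"{approver} is not an authorizer for {req.account}")
        if approver == req.requester:
            raise PermissionError("a requester may not approve their own request")
        req.approvals.add(approver)   # parallel approvals: order does not matter
        self._log(now, f"request {rid}: approved by {approver} "
                       f"({len(req.approvals)}/{pol.required})")
        return self.status(rid, now)

    def deny(self, rid: int, approver: str, now: datetime) -> str:
        req = self.requests[rid]
        if approver not in self.policies[req.account].authorizers:
            raise PermissionError(f"{approver} is not an authorizer for {req.account}")
        req.denied_by = approver
        self._log(now, f"request {rid}: denied by {approver}")
        return self.status(rid, now)

    def connect(self, rid: int, now: datetime) -> list[str]:
        """Open a session on the account; returns the other admins to notify."""
        req = self.requests[rid]
        pol = self.policies[req.account]
        state = self.status(rid, now)
        if state != "approved":
            raise PermissionError(f"request {rid} is {state}, not approved")
        current = self.holders.setdefault(req.account, set())
        if len(current) >= pol.max_concurrent and req.requester not in current:
            raise RuntimeError(f"{req.account} already held by {sorted(current)}")
        others = sorted(current - {req.requester})
        current.add(req.requester)
        self._log(now, f"{req.requester} connected to {req.account}; notified {others}")
        return others

    def disconnect(self, rid: int, now: datetime) -> None:
        req = self.requests[rid]
        self.holders.get(req.account, set()).discard(req.requester)
        self._log(now, f"{req.requester} disconnected from {req.account}")
```

Every decision goes through `status`, so an approval collected after the window has lapsed still counts; a real deployment would also expire the approved grant itself after use.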








13 Fault-Tolerant Architecture
[Diagram: two Hitachi ID Privileged Access Manager nodes, one at Site A and one at Site B, each holding a Password Vault with its crypto keys in the registry; the vaults replicate to each other over TCP/IP + AES. An admin workstation reaches the nodes over HTTPS through a load balancer. The nodes reach a Windows server or DC over LDAP/S and NTLM, Unix/Linux hosts over SSH and TCP/IP + AES, and various target systems at Site C over TCP/IP + AES through a firewall and a proxy.]








14 Included Connectors
Many integrations to target systems included in the base price:



    Directories: Any LDAP, AD, WinNT, NDS, eDirectory, NIS/NIS+.
    Servers: Windows NT, 2000, 2003, 2008, Samba, Novell, SharePoint.
    Databases: Oracle, Sybase, SQL Server, DB2/UDB, Informix, ODBC.
    Unix: Linux, Solaris, AIX, HPUX, 24 more.
    Mainframes, Midrange: z/OS: RACF, ACF2, TopSecret. iSeries, OpenVMS.
    HDD Encryption: McAfee, CheckPoint.
    ERP: JDE, Oracle eBiz, PeopleSoft, SAP R/3 and ECC 6, Siebel, Business Objects.
    Collaboration: Lotus Notes, Exchange, GroupWise, BlackBerry ES.
    Tokens, Smart Cards: RSA SecurID, SafeWord, RADIUS, ActivIdentity, Schlumberger.
    WebSSO: CA Siteminder, IBM TAM, Oracle AM, RSA Access Manager.
    Help Desk: BMC Remedy, SDE, HP SM, CA Unicenter, Assyst, HEAT, Altiris, Track-It!
    Cloud/SaaS: WebEx, Google Apps, Salesforce.com, SOAP (generic).




15 Application and Service Accounts

  Unattended programs on Windows
     • Services, Scheduled Tasks, IIS Anonymous Access, etc.
     • Run in the context of a named user.
     • Are started with that user’s ID and password.
     • Hitachi ID Privileged Access Manager updates the appropriate OS component after every password change.

  Applications
     • Eliminate embedded passwords via secure API to the vault.
     • API authentication using one-time passcode + client IP.
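The "one-time passcode + client IP" check on the application API, written up in Python as an added example that is not the HiPAM API or its protocol: the passcode is assumed to be an HMAC-SHA256 over a client-chosen nonce and timestamp under a per-client secret; the vault compares the source IP with the registered one, rejects stale timestamps and replayed nonces, verifies the passcode in constant time, and only then releases a credential the client is authorized for. Client and account names, the clock injection and the passcode construction are all assumptions.

```python
import hashlib
import hmac
import secrets
import time


class VaultApi:
    """Vault-side checks for an application fetching a credential over the API."""

    def __init__(self, clock=time.time, max_skew: int = 30) -> None:
        self.clock = clock                    # injectable so tests can pin the time
        self.max_skew = max_skew              # seconds a passcode timestamp may drift
        self.clients = {}                     # client_id -> (secret, allowed_ip, accounts)
        self.vault = {}                       # account -> current randomized password
        self.used_nonces = {}                 # (client_id, nonce) -> time it can be forgotten

    def register_client(self, client_id: str, allowed_ip: str, accounts) -> bytes:
        """Enrol an application; the secret is handed to it once, out of band."""
        secret = secrets.token_bytes(32)
        self.clients[client_id] = (secret, allowed_ip, set(accounts))
        return secret

    def store(self, account: str, password: str) -> None:
        """Called by the password randomizer after each change."""
        self.vault[account] = password

    @staticmethod
    def passcode(secret: bytes, client_id: str, nonce: str, ts: int) -> str:
        """Client side: one-time passcode = HMAC-SHA256 over (client, nonce, timestamp)."""
        msg = f"{client_id}|{nonce}|{ts}".encode()
        return hmac.new(secret, msg, hashlib.sha256).hexdigest()

    def fetch(self, client_id: str, source_ip: str, account: str,
              nonce: str, ts: int, code: str):
        """Return (password, reason); password is None unless every check passes."""
        now = self.clock()
        entry = self.clients.get(client_id)
        if entry is None:
            return None, "unknown client"
        secret, allowed_ip, accounts = entry
        if source_ip != allowed_ip:
            return None, "source IP does not match registered client IP"
        if abs(now - ts) > self.max_skew:
            return None, "timestamp outside acceptance window"
        expected = self.passcode(secret, client_id, nonce, ts)
        if not hmac.compare_digest(expected, code):
            return None, "passcode invalid"
        # forget nonces whose timestamp window has closed, then refuse any reuse
        self.used_nonces = {k: v for k, v in self.used_nonces.items() if v > now}
        if (client_id, nonce) in self.used_nonces:
            return None, "passcode already used"
        self.used_nonces[(client_id, nonce)] = now + 2 * self.max_skew
        if account not in accounts:
            return None, "client not authorized for this account"
        password = self.vault.get(account)
        if password is None:
            return None, "account not in vault"
        return password, "ok"
```

The nonce cache only needs to outlive the timestamp window, which is why entries expire at `ts + 2 * max_skew` rather than being kept forever.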








16 Infrastructure Auto-Discovery
Find and classify systems, services, groups, accounts:



    List systems
       • From AD, LDAP (computers).
       • From text file (IT inventory).
       • Extensible: DNS, IP port scan.

    Evaluate import rules
       • Manage this system?
       • Attach system to this policy?
       • Choose initial ID/password.
       • Manage this account?
       • Unmanage this system?

    Probe systems
       • Local accounts.
       • Security groups.
       • Group memberships.
       • Services.
       • Local svc accounts.
       • Domain svc accounts.


   • Hitachi ID Privileged Access Manager can find, probe, classify and load 10,000 systems/hour.
   • Normally executed every 24 hours.
   • 100% policy driven - no scripts.
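The "evaluate import rules" step, as an added Python example that is not Hitachi ID's rule engine: systems listed from AD, an inventory file or a port scan are matched against an ordered rule list that decides whether to manage each one, which policy to attach and which initial ID to seed, and systems that a rule now excludes or that have disappeared from every source are unmanaged. The rule format, source names, globs and policy names are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from fnmatch import fnmatchcase

ALL_SOURCES = frozenset({"ad", "ldap", "inventory", "scan"})


@dataclass(frozen=True)
class System:
    name: str
    source: str        # where it was listed: "ad", "ldap", "inventory" or "scan"
    os: str


@dataclass(frozen=True)
class ImportRule:
    """First matching rule wins; policy=None means 'do not manage this system'."""
    name_glob: str
    os_glob: str
    policy: str | None
    initial_id: str = ""            # account whose password is seeded, then randomized
    sources: frozenset[str] = ALL_SOURCES


# Constructed rule set; the policy names and globs are assumptions.
RULES = [
    ImportRule("*", "*", None, sources=frozenset({"scan"})),     # port-scan hits: review first
    ImportRule("lab-*", "*", None),                              # lab boxes: never manage
    ImportRule("dc-*", "windows*", "domain-controllers", "Administrator"),
    ImportRule("*", "windows*", "windows-members", "Administrator"),
    ImportRule("*", "linux*", "unix-servers", "root"),
    ImportRule("*", "solaris*", "unix-servers", "root"),
]


def match_rule(system: System, rules=RULES) -> ImportRule | None:
    for rule in rules:
        if (system.source in rule.sources
                and fnmatchcase(system.name.lower(), rule.name_glob)
                and fnmatchcase(system.os.lower(), rule.os_glob)):
            return rule
    return None


def plan_import(discovered, managed: set[str], rules=RULES) -> dict[str, list]:
    """Decide per system: manage (new), keep, unmanage or skip; pure policy, no scripts."""
    plan = {"manage": [], "keep": [], "unmanage": [], "skip": []}
    seen = set()
    for system in discovered:
        seen.add(system.name)
        rule = match_rule(system, rules)
        wanted = rule is not None and rule.policy is not None
        if wanted and system.name in managed:
            plan["keep"].append(system.name)
        elif wanted:
            plan["manage"].append((system.name, rule.policy, rule.initial_id))
        elif system.name in managed:
            plan["unmanage"].append(system.name)    # a rule now excludes it
        else:
            plan["skip"].append(system.name)
    # systems that vanished from every source since the last run are unmanaged too
    plan["unmanage"].extend(sorted(managed - seen))
    return plan
```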








17 Alternatives to Displaying Passwords

  Launch session (SSO)
     • Launch RDP, SSH, etc. from Hitachi ID Privileged Access Manager web UI.
     • Plug-ins for additional programs/protocols.
     • Password not disclosed at all.
     • User is connected directly without further proxy.

  Temporary ACL change
     • Place user’s AD account in a local security group (Windows).
     • Place user’s public SSH key in .ssh/authorized_keys file (Unix).
     • Manipulate /etc/sudoers files (Unix).
     • No password involved.
     • Native logging references the user’s own account.

  Copy
     • Place password in user’s OS copy buffer.
     • Clear buffer after N seconds.
     • Allows user to paste the password into an e-mail, text, file, etc.
     • Password not directly disclosed.

  Display
     • Reveal the cleartext value of password on screen.
     • Clear display after N seconds.
     • Appropriate for managing off-line, console login devices.








18 Test Safety Features
To prevent a security or an IT operations disaster, a privileged password management system must be
built for safety first:



   Unauthorized disclosure
      • Passwords must be encrypted, both in storage and in transmission.
      • Access controls should determine who can see which passwords.
      • Workflow should allow for one-off disclosure.
      • Audit logs should record everything.

   Data loss, Service Disruption
      • Replicate all data – a server crash should be harmless.
      • Replication must be real time, just like password changes.
      • Replication must span physical locations, to allow for site disasters (fire, flood, wire cut).

   • These features are mandatory.
   • Failure is not an option.
   • Ask Hitachi ID for an evaluation guide.
   • Evaluate products on multiple, replicated servers.
   • Turn off one server in mid-operation.
   • Inspect database contents and sniff network traffic.








19 HiPAM Unique Technology

  Multi-master       • Built-in replication, easy to set up and at no extra cost.
                     • Geographically distributed for maximum safety.
                     • All nodes active: efficient and scalable.
  Connectors         • Over 110 connectors, out of the box.
                     • Also supports mobile devices.
  Workflow           • Dynamic routing to multiple authorizers.
                     • Built-in reminders, escalation, delegation.
  AD/LDAP groups     • Manage groups that authorize access.
                     • Requests, approvals, SoD policy, certification, reports.
  Session monitor    • Record keystrokes, video, webcam, more.
                     • Workflow controls search, playback.
  SSO                • Launch RDP, SSH, SQL, vSphere and more.
                     • Temporary trust: Windows groups, SSH keys.




20 Request one-time access


Animation: ../pics/camtasia/hipam-71/1-request-access.cam4




21 Approve one-time access


Animation: ../pics/camtasia/hipam-71/2-approve-request.cam4




22 Launch one-time session using a privileged account


Animation: ../pics/camtasia/hipam-71/3-privileged-login-session.cam4






23 Request, approve, play recording


Animation: ../pics/camtasia/hipam-71/7-view-playback.cam4




24 Report on requests for privileged access


Animation: ../pics/camtasia/hipam-71/hipam-06-admin-reports.cam4




25 Summary
Hitachi ID Privileged Access Manager secures privileged accounts:
    •   Eliminate static, shared passwords to privileged accounts.
    •   Built-in encryption, replication, geo-diversity for the credential vault.
    •   Authorized users can launch sessions without knowing or typing a password.
    •   Infrequent users can request, and be authorized for, one-time access.
    •   Strong authentication, authorization and audit throughout the process.
Learn more at Hitachi-ID.com/Privileged-Access-Manager




500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3   Tel: 1.403.233.0740   Fax: 1.403.233.0725   E-Mail: sales@Hitachi-ID.com
www.Hitachi-ID.com
File: PRCS:pres
Date: March 1, 2012

Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 

Último (20)

IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 

Hitachi ID Privileged Access Manager: Randomize and control disclosure of privileged passwords

1 Hitachi ID Privileged Access Manager

Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

Securing access to administrator, embedded and service accounts.

2 Agenda
  • Hitachi ID corporate overview.
  • ID Management Suite overview.
  • Securing administrative passwords with Hitachi ID Privileged Access Manager.
  • Animated demonstration.

3 Hitachi ID Corporate Overview

Hitachi ID is a leading provider of identity and access management solutions.
  • Founded as M-Tech in 1992.
  • A division of Hitachi, Ltd. since 2008.
  • Over 900 customers.
  • More than 11M+ licensed users.
  • Offices in North America, Europe and APAC.
  • Partners globally.

4 Representative Hitachi ID Customers

5 ID Management Suite

6 Securing Privileged Accounts

Thousands of IT assets:
  • Servers, network devices, databases and applications:
      – Numerous.
      – High value.
      – Heterogeneous.
  • Workstations:
      – Mobile – dynamic IPs.
      – Powered on or off.
      – Direct-attached or firewalled.

Who has the keys to the kingdom?
  • Every IT asset has sensitive passwords:
      – Administrator passwords: used to manage each system.
      – Service passwords: provide security context to service programs.
      – Application passwords: allow one application to connect to another.
  • Do these passwords ever change?
  • Who knows these passwords? (ex-staff?)
  • Audit: who did what?

7 Project Drivers

Organizations need to secure their most sensitive passwords:

Compliance:
  • Pass regulatory audits.
  • Compliance should be sustainable.

Security:
  • Eliminate static passwords on sensitive accounts.
  • Create accountability for admin work.

Cost:
  • Efficient process to regularly change privileged passwords.
  • Simple and effective deactivation for former administrators.

Flexibility:
  • Grant temporary admin access.
  • Emergencies, production migrations, workload peaks, etc.

8 Participants in PAM

Hitachi ID Privileged Access Manager works by randomizing privileged passwords and connecting people and programs to privileged accounts as needed:
  • Privileged accounts: get new, random passwords daily or at the desired frequency.
  • IT users: must sign into HiPAM when they need to sign into administrator accounts.
  • Services: are automatically updated with new password values.
  • Applications: use the HiPAM API instead of embedded passwords.
  • Security officers: define policies regarding who can connect to which privileged account.
  • Auditors: monitor access requests and privileged login sessions.

9 HiPAM Impact

Feature | Impact | Benefit
  • Randomize passwords daily | Eliminate static, shared passwords. | Disconnect former IT staff.
  • Controlled disclosure | Control who can see passwords. | The right users and programs can access privileged accounts, others cannot.
  • Logging & Reporting | Monitor password disclosure. | Accountability. Faster troubleshooting.
  • Encryption | Secure passwords in storage and transit. | Physical compromise does not expose passwords.
  • Replication | Passwords stored on multiple servers, in different sites. | Survive server crashes and site disasters.

10 Understand and Manage the Risks

A privileged access management (PAM) system becomes the sole repository of the most important credentials.

Risk | Description | Mitigation
  • Disclosure | Compromised vault → security disaster. | Encrypted vault. Strong authentication. Flexible authorization.
  • Data loss | Destroyed vault → IT disaster. | Replicate the vault.
  • Non-availability | Offline vault → IT service interruption. | One vault in each of 2+ sites.

Customers must test failure conditions before purchase!

11 Randomizing Passwords

Push random passwords to systems:
  • Periodically (e.g., between 3AM and 4AM).
  • When users check passwords back in.
  • When users want a specific password.
  • On urgent termination.
  • Suitable for servers and PCs on the corporate network.

Pull initiated by user devices:
  • Periodically.
  • Random time-of-day.
  • Opportunistically, when connectivity is available.
  • Suitable for home PCs and on-the-road laptops.

12 Authorizing Access to Privileged Accounts

Two models: permanent and one-time.

Permanent ACL:
  • Pre-authorized users can launch an admin session any time.
  • Access control model:
      – Users ... belong to
      – User groups ... are assigned ACLs to
      – Managed system policies ... which contain
      – Devices and applications
  • Also used for API clients.

One-time request:
  • Request access for any user to connect to any account.
  • Approvals workflow with:
      – Dynamic routing.
      – Parallel approvals.
      – N of M authorizers.
      – Auto-reminders.
      – Escalation.
      – Delegation.

Concurrency control:
  • Coordinate admin changes by limiting the number of people connected to the same account:
      – Can be >1.
      – Notify each admin of the others.
  • Ensure accountability of who had access to an account at a given time.

13 Fault-Tolerant Architecture

Diagram: Hitachi ID Privileged Access Manager servers at Site A and Site B, each with a password vault and crypto keys in the registry, replicating over TCP/IP + AES. Admin workstations reach the servers over HTTPS through a load balancer; target systems (Windows servers or DCs over LDAP/S and NTLM, Unix and Linux over SSH, various others) are reached directly or through a firewall and a proxy at Site C.

14 Included Connectors

Many integrations to target systems included in the base price:
  • Directories: Any LDAP, AD, WinNT, NDS, eDirectory, NIS/NIS+.
  • Servers: Windows NT, 2000, 2003, 2008, Samba, Novell, SharePoint.
  • Databases: Oracle, Sybase, SQL Server, DB2/UDB, Informix, ODBC.
  • Unix: Linux, Solaris, AIX, HPUX, 24 more.
  • Mainframes, Midrange: z/OS: RACF, ACF2, TopSecret. iSeries, OpenVMS.
  • HDD Encryption: McAfee, CheckPoint.
  • ERP: JDE, Oracle eBiz, PeopleSoft, SAP R/3 and ECC 6, Siebel, Business Objects.
  • Collaboration: Lotus Notes, Exchange, GroupWise, BlackBerry ES.
  • Tokens, Smart Cards: RSA SecurID, SafeWord, RADIUS, ActivIdentity, Schlumberger.
  • WebSSO: CA Siteminder, IBM TAM, Oracle AM, RSA Access Manager.
  • Help Desk: BMC Remedy, SDE, HP SM, CA Unicenter, Assyst, HEAT, Altiris, Track-It!
  • Cloud/SaaS: WebEx, Google Apps, Salesforce.com, SOAP (generic).

15 Application and Service Accounts

Unattended on Windows:
  • Services, programs, Scheduled Tasks, IIS Anonymous Access, etc.
  • Run in the context of a named user.
  • Are started with that user's ID and password.
  • Hitachi ID Privileged Access Manager updates the appropriate OS component after every password change.

Applications:
  • Eliminate embedded passwords via secure API to the vault.
  • API authentication using one-time passcode + client IP.

16 Infrastructure Auto-Discovery

Find and classify systems, services, groups, accounts:

List systems:
  • From AD, LDAP (computers).
  • From text file (IT inventory).
  • Extensible: DNS, IP port scan.

Evaluate import rules:
  • Manage this system?
  • Attach system to this policy?
  • Choose initial ID/password.
  • Manage this account?
  • Un-manage this system?

Probe systems:
  • Local accounts.
  • Security groups.
  • Group memberships.
  • Services.
  • Local svc accounts.
  • Domain svc accounts.

  • Hitachi ID Privileged Access Manager can find, probe, classify and load 10,000 systems/hour.
  • Normally executed every 24 hours.
  • 100% policy driven - no scripts.

17 Alternatives to Displaying Passwords

Launch session (SSO):
  • Launch RDP, SSH, etc. from the Hitachi ID Privileged Access Manager web UI.
  • Plug-ins for additional programs/protocols.
  • Password not disclosed at all.
  • User is connected directly without further proxy.

Temporary ACL change:
  • Place user's AD account in a local security group (Windows).
  • Place user's public SSH key in .ssh/authorized_keys file (Unix).
  • Manipulate /etc/sudoers files (Unix).
  • No password involved.
  • Native logging references the user's own account.

Copy:
  • Place password in user's OS copy buffer.
  • Clear buffer after N seconds.
  • Allows user to paste the password into an e-mail, text, file, etc.
  • Password not directly disclosed.

Display:
  • Reveal the cleartext value of password on screen.
  • Clear display after N seconds.
  • Appropriate for managing off-line, console login devices.

18 Test Safety Features

To prevent a security or an IT operations disaster, a privileged password management system must be built for safety first:

Unauthorized disclosure:
  • Passwords must be encrypted, both in storage and transmissions.
  • Access controls should determine who can see which passwords.
  • Workflow should allow for one-off disclosure.
  • Audit logs should record everything.

Data loss, service disruption:
  • Replicate all data – a server crash should be harmless.
  • Replication must be real time, just like password changes.
  • Replication must span physical locations, to allow for site disasters (fire, flood, wire cut).

  • These features are mandatory.
  • Failure is not an option.
  • Ask Hitachi ID for an evaluation guide.

  • Evaluate products on multiple, replicated servers.
  • Turn off one server in mid-operation.
  • Inspect database contents and sniff network traffic.

19 HiPAM Unique Technology

Multi-master:
  • Built-in replication, easy to set up and no extra cost.
  • Geographically distributed for maximum safety.
  • All nodes active: efficient and scalable.

Connectors:
  • Over 110 connectors, out of the box.
  • Also supports mobile devices.

Workflow:
  • Dynamic routing to multiple authorizers.
  • Built-in reminders, escalation, delegation.

AD/LDAP groups:
  • Manage groups that authorize access.
  • Requests, approvals, SoD policy, certification, reports.

Session monitor:
  • Record keystrokes, video, webcam, more.
  • Workflow controls search, playback.

SSO:
  • Launch RDP, SSH, SQL, vSphere and more.
  • Temporary trust: Windows groups, SSH keys.

20 Request one-time access

Animation: ../pics/camtasia/hipam-71/1-request-access.cam4

21 Approve one-time access

Animation: ../pics/camtasia/hipam-71/2-approve-request.cam4

22 Launch one-time session using a privileged account

Animation: ../pics/camtasia/hipam-71/3-privileged-login-session.cam4

23 Request, approve, play recording

Animation: ../pics/camtasia/hipam-71/7-view-playback.cam4

24 Report on requests for privileged access

Animation: ../pics/camtasia/hipam-71/hipam-06-admin-reports.cam4

25 Summary

Hitachi ID Privileged Access Manager secures privileged accounts:
  • Eliminate static, shared passwords to privileged accounts.
  • Built-in encryption, replication, geo-diversity for the credential vault.
  • Authorized users can launch sessions without knowing or typing a password.
  • Infrequent users can request, and be authorized for, one-time access.
  • Strong authentication, authorization and audit throughout the process.

Learn more at Hitachi-ID.com/Privileged-Access-Manager

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3
Tel: 1.403.233.0740 Fax: 1.403.233.0725
E-Mail: sales@Hitachi-ID.com
www.Hitachi-ID.com
File: PRCS:pres
Date: March 1, 2012
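The one-time request model of slide 12 (N of M authorizers, a concurrency limit on a shared account) combined with the check-in randomization of slide 11 and the audit trail of slide 9, written as a small Python model. This is an added, constructed example and not Hitachi ID code; the `Vault` class, account name `root@db01` and user names are assumptions for illustration.

```python
"""Toy model of a PAM vault's check-out flow: request, N of M approvals,
concurrency-limited check-out, randomize on last check-in, audit log."""
import secrets
import string
from dataclasses import dataclass, field

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def random_password(length: int = 24) -> str:
    """New random value from a CSPRNG; the vault would push this to the target."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class PrivilegedAccount:
    name: str
    authorizers: frozenset           # the M people who may approve a request
    approvals_required: int          # N of M
    max_concurrent: int = 1          # concurrency control; can be >1 per the slides
    password: str = field(default_factory=random_password)
    checked_out_by: set = field(default_factory=set)
    audit: list = field(default_factory=list)   # who did what, in order


class Vault:
    """Hypothetical vault: holds accounts and in-flight one-time requests."""

    def __init__(self):
        self.accounts = {}
        self.requests = {}           # request id -> (user, account name, approvers so far)
        self._next_id = 1

    def add_account(self, acct: PrivilegedAccount):
        self.accounts[acct.name] = acct

    def request(self, user: str, account_name: str) -> int:
        rid, self._next_id = self._next_id, self._next_id + 1
        self.requests[rid] = (user, account_name, set())
        self.accounts[account_name].audit.append(("request", rid, user))
        return rid

    def approve(self, rid: int, approver: str) -> bool:
        """Record one approval; True once N distinct authorizers have approved."""
        user, name, approvals = self.requests[rid]
        acct = self.accounts[name]
        if approver not in acct.authorizers:
            raise PermissionError(f"{approver} is not an authorizer for {name}")
        if approver == user:                 # assumed SoD rule: no self-approval
            raise PermissionError("requester cannot approve own request")
        approvals.add(approver)
        acct.audit.append(("approve", rid, approver))
        return len(approvals) >= acct.approvals_required

    def check_out(self, rid: int) -> str:
        """Disclose the password only if approved and the account is not saturated."""
        user, name, approvals = self.requests[rid]
        acct = self.accounts[name]
        if len(approvals) < acct.approvals_required:
            raise PermissionError(f"request {rid} needs {acct.approvals_required} approvals")
        if user not in acct.checked_out_by and len(acct.checked_out_by) >= acct.max_concurrent:
            raise RuntimeError(f"{name} in use by {sorted(acct.checked_out_by)}")
        acct.checked_out_by.add(user)
        # Others holding the account are recorded so each admin can be notified.
        acct.audit.append(("checkout", rid, user, sorted(acct.checked_out_by)))
        return acct.password

    def check_in(self, rid: int) -> None:
        """Release the account; when the last holder leaves, the disclosed value is retired."""
        user, name, _ = self.requests.pop(rid)
        acct = self.accounts[name]
        acct.checked_out_by.discard(user)
        acct.audit.append(("checkin", rid, user))
        if not acct.checked_out_by:
            acct.password = random_password()
            acct.audit.append(("randomize", name))
```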