Securing Privileged Accounts With Hitachi Id Pam


8/3/2019 Securing Privileged Accounts With Hitachi Id Pam

Securing Privileged Accounts with Hitachi ID Privileged Access Manager

    2014 Hitachi ID Systems, Inc. All rights reserved.

http://hitachi.com/
http://hitachi-id.com/

Privileged Access Manager is a system for securing access to privileged accounts. It works by regularly randomizing privileged passwords on workstations, servers, network devices and applications. Random passwords are encrypted and stored on at least two replicated credential vaults. Access to privileged accounts may be disclosed:

- To IT staff, after they have authenticated and their requests have been authorized.
- To applications, replacing embedded passwords.
- To Windows workstations and servers, which need them to start services.

Password changes and access disclosure are closely controlled and audited, to satisfy policy and regulatory requirements.

Contents

1 Privileged Access Management 1
2 Technical Challenges 2
3 Functional Requirements 3
4 Randomizing Privileged Passwords 4
5 Access Disclosure 5
  5.1 Frequent Users: Access Controls 5
  5.2 Occasional Users: Workflow Approval 6
  5.3 Concurrency Controls: Checkin/Checkout 7
  5.4 Alternatives to Password Disclosure 7
  5.5 API for Programmatic Access Disclosure 8
  5.6 Updates to Service Passwords 9
6 Strong Authentication 12
7 Auditing and Regulatory Compliance 13
8 Hitachi ID Privileged Access Manager Architecture 14
  8.1 Network Architecture 14
  8.2 Push and Pull Modes 15
  8.3 Hitachi ID Privileged Access Manager Host Platform 15
  8.4 Supported Target System Types 16

    Securing Privileged Accounts With Privileged Access Manager

    1 Privileged Access Management

In a typical enterprise-scale organization there are thousands of servers, workstations and network devices. Normally, there is a single, shared administrator password for every type of device. For example, one password may be used for each workstation of a given type or for every server with a given configuration. This is convenient for data center and desktop support staff: if they need to perform maintenance or an upgrade on a workstation or server, they know how to log in.

Such static and well-known privileged passwords create both operational challenges and security problems:

- When administrator login IDs are shared by multiple IT users, there is no audit log mapping administrative changes to individual IT staff. If an administrator makes a change to a system that causes a malfunction, it can be difficult to determine who caused the problem.

- When the same privileged account and password exists on many systems, it is hard to coordinate password changes. As a result, privileged passwords are rarely changed and are often known to ex-employees.

Hitachi ID Privileged Access Manager secures privileged accounts on an enterprise scale:

- It periodically randomizes every privileged password.
- Users must sign into Privileged Access Manager when they need to use a privileged account. Multi-factor authentication can be required.
- Privileged Access Manager launches login sessions on behalf of users, without displaying passwords (single sign-on).
- Logins to privileged user accounts can be recorded, including screen capture and keyboard logging.

This creates strong accountability and forensic audit trails.

    2 Technical Challenges

The obvious solution to the security vulnerability of static and shared privileged passwords is to change these passwords so that each one is unique and changes regularly. Doing this can be technically challenging, however:

There are thousands of privileged passwords.
  Clearly, automation is required to manage them.

There are passwords on many kinds of systems.
  The automation must include many integrations, with different kinds of systems (Windows, Unix, SAP, mainframe, Oracle, etc.).

The majority of privileged passwords are on PCs and laptops.
  Workstation passwords present special challenges:
  - Workstations may be powered down.
  - Workstations may be disconnected from the network.
  - Workstations may not be reachable from a central data center because they are behind firewalls.

Connectivity to servers.
  - Servers may not be up 100% of the time.
  - Servers may not be reachable from a single data center network segment. Specifically, they may be on different network segments, blocked off from the password management system by one or more firewalls.

Secure, reliable storage.
  Once automation is implemented to regularly change passwords, technical challenges regarding their storage must be addressed. The password storage system must:
  - Be secure. An insecure storage system, if compromised, would allow an intruder to gain administrative access to every device in the IT infrastructure.
  - Be reliable. A disk crash or facility interruption affecting the password storage system would make every administrator ID unavailable.
  - Include fine-grained access controls. Only the right administrators should get access to the right passwords, after proving their identity.
  - Log access disclosure. Access to privileged accounts must be logged, to create accountability.

    3 Functional Requirements

    A privileged access management system needs a set of well-integrated features to function:

1. It must randomize passwords regularly: sensitive passwords should be unique and short-lived.

2. It must be able to disclose passwords to, or inject passwords into sessions on behalf of, appropriate users and software agents, but only under the right circumstances:

    (a) To IT staff, if they have been assigned appropriate access rights.

    (b) To IT staff who have not been assigned permanent access rights, but have been granted one-time permission.

    (c) To programs that start services (Windows Service Control Manager, Scheduler, IIS and others), so that they can start services after a password change.

    (d) To applications, to replace embedded passwords in programs and scripts.

3. Both a static access control model and a dynamic authorization workflow are required.

4. The system must log both password updates and disclosure. Failed updates can be used to identify infrastructure problems, while logs of access disclosure create accountability.

5. The system should be able to control concurrent disclosure of a given password, for example to limit the number of people concurrently able to manage a server.

    4 Randomizing Privileged Passwords

Hitachi ID Privileged Access Manager secures sensitive passwords by periodically randomizing them:

1. On push-mode servers and applications:

    (a) Periodically, for example every night between 3AM and 4AM.

    (b) When users check passwords back in, after they are finished using them.

    (c) When users request a specific password value.

    (d) In the event of an urgent termination of a system administrator.

2. On pull-mode laptops and similarly configured devices:

    (a) Periodically, for example every day.

    (b) At a random time-of-day, to prevent transaction bursts.

    (c) Opportunistically, whenever network connectivity happens to be available from the workstation to a central server.

Privileged Access Manager can enforce multiple password policies. There is a global password policy as well as sets of password rules in each managed system policy.

Password policies specify the complexity of both randomly chosen and manually selected passwords. In addition to mandating character types (lowercase, uppercase, digits, punctuation), the policy can specify minimum and maximum password lengths, prohibit the use of dictionary words, etc. These features are relevant to manually-chosen passwords.
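The randomization and policy rules described above, as an added illustration (not Hitachi ID's code; the policy field names, the banned-word list and the candidate passwords are constructed for the example): a policy object that reports which rules a password breaks, and a randomizer that draws candidates from the OS CSPRNG until one is compliant.

```python
import secrets
import string
from dataclasses import dataclass


# Constructed example policy: these rule names are assumptions, not the
# product's own configuration keys.
@dataclass
class PasswordPolicy:
    min_length: int = 16
    max_length: int = 24
    require_lower: bool = True
    require_upper: bool = True
    require_digit: bool = True
    require_punct: bool = True
    # Constructed dictionary; a real deployment would load a full word list.
    banned_words: frozenset = frozenset({"password", "admin", "welcome"})

    def violations(self, pw: str) -> list[str]:
        """Return the rules a candidate breaks; an empty list means compliant."""
        problems = []
        if not self.min_length <= len(pw) <= self.max_length:
            problems.append("length")
        if self.require_lower and not any(c.islower() for c in pw):
            problems.append("lowercase")
        if self.require_upper and not any(c.isupper() for c in pw):
            problems.append("uppercase")
        if self.require_digit and not any(c.isdigit() for c in pw):
            problems.append("digit")
        if self.require_punct and not any(c in string.punctuation for c in pw):
            problems.append("punctuation")
        if any(w in pw.lower() for w in self.banned_words):
            problems.append("dictionary")
        return problems


def randomize(policy: PasswordPolicy) -> str:
    """Draw a new password from the OS CSPRNG until it satisfies the policy.

    Rejection sampling keeps the result uniform over compliant strings; a
    'fix-up' approach that patches missing classes into a draw would not.
    """
    alphabet = string.ascii_letters + string.digits + string.punctuation
    span = policy.max_length - policy.min_length + 1
    while True:
        length = policy.min_length + secrets.randbelow(span)
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy.violations(candidate):
            return candidate
```

The same `violations` check serves manually chosen passwords, which is where the page says the dictionary and length rules matter most.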
