Académique Documents
Professionnel Documents
Culture Documents
Agenda
Hitachi ID corporate overview. IDM Suite overview. Securing administrative passwords with Hitachi ID Privileged Access Manager. Animated demonstration.
Slide Presentation
Hitachi ID delivers access governance and identity administration solutions to organizations globally. Hitachi ID solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud. Founded as M-Tech in 1992. A division of Hitachi, Ltd. since 2008. Over 1000 customers. More than 12M+ licensed users. Ofces in North America, Europe and APAC. Partners globally.
Slide Presentation
IDM Suite
Slide Presentation
Project Drivers
Pass regulatory audits. Compliance should be sustainable. Eliminate static passwords on sensitive accounts. Create accountability for admin work. Efcient process to regularly change privileged passwords. Simple and effective deactivation for former administrators. Grant temporary admin access. Emergencies, production migrations, workload peaks, etc.
Participants in PAM
Hitachi ID Privileged Access Manager works by randomizing privileged passwords and connecting people and programs to privileged accounts as needed:
Get new, random passwords daily or at the desired frequency. Must sign into HiPAM when they need to sign into administrator accounts. Are automatically updated with new passwords values. Use the HiPAM API instead of embedded passwords. Dene policies regarding who can connect to which privileged account. Monitor access requests and privileged login sessions.
Slide Presentation
HiPAM Impact
Feature Randomize passwords daily Controlled disclosure Impact Eliminate static, shared passwords. Control who can see passwords. Monitor password disclosure. Secure passwords in storage and transit. Passwords stored on multiple servers, in different sites. Benet Disconnect former IT staff. The right users and programs can access privileged accounts, others cannot. Accountability. Faster troubleshooting. Physical compromise does not expose passwords. Survive server crashes and site disasters.
10
A privileged access management (PAM) system becomes the sole repository of the most important credentials.
Risk Disclosure
Description Compromised vault security disaster. Destroyed vault IT disaster. Ofine vault IT service interruption.
Mitigation Encrypted vault. Strong authentication. Flexible authorization. Replicate the vault. One vault in each of 2+ sites.
Slide Presentation
11
Randomizing Passwords
Push random passwords to systems: Periodically (e.g., between 3AM and 4AM). When users check passwords back in. When users want a specic password. On urgent termination.
Periodically. Random time-of-day. Opportunistically, when connectivity is available. Suitable for home PCs and on-the-road laptops.
Slide Presentation
12
Permanent ACL Pre-authorized users can launch an admin session any time. Access control model: Users ... belong to User groups ... are assigned ACLs to Managed system policies ... which contain Devices and applications Also used for API clients.
One-time request Request access for any user to connect to any account. Approvals workow with: Dynamic routing. Parallel approvals. N of M authorizers. Auto-reminders. Escalation. Delegation.
Concurrency control Coordinate admin changes by limiting number of people connected to the same account: Can be >1. Notify each admin of the others. Ensure accountability of who had access to an account at a given time.
Slide Presentation
13
Fault-Tolerant Architecture
HitachiID Privileged Access Manager
Crypto keys in registry
Site A
User
Admin Workstation
Windows server or DC
Unix, Linux
Firewall
Proxy
Site B
Site C
Slide Presentation
14
Included Connectors
Servers: Windows NT, 2000, 2003, 2008, 2008R2, Samba, Novell, SharePoint. Mainframes, Midrange: z/OS: RACF, ACF2, TopSecret. iSeries, OpenVMS. Collaboration: Lotus Notes, Exchange, GroupWise, BlackBerry ES.
Databases: Oracle, Sybase, SQL Server, DB2/UDB, Informix, ODBC, Oracle Hyperion EPM Shared Services, Cache. HDD Encryption: McAfee, CheckPoint, BitLocker, PGP. Tokens, Smart Cards: RSA SecurID, SafeWord, RADIUS, ActivIdentity, Schlumberger. Cloud/SaaS: WebEx, Google Apps, MS Ofce 365, Salesforce.com, SOAP (generic).
Unix: Linux, Solaris, AIX, HPUX, 24 more variants. ERP: JDE, Oracle eBiz, PeopleSoft, PeopleSoft HR, SAP R/3 and ECC 6, Siebel, Business Objects. WebSSO: CA Siteminder, IBM TAM, Oracle AM, RSA Access Manager.
Help Desk: ServiceNow, BMC Remedy, SDE, HP SM, CA Unicenter, Assyst, HEAT, Altiris, Clarify, RSA Envision, Track-It!, MS System Center Service Manager
15
Applications
Eliminate embedded passwords via secure API to the vault. API authentication using one time passcode + client IP.
Slide Presentation
16
Infrastructure Auto-Discovery
List systems From Hitachi IT Operations Analyzer. From AD, LDAP (computers). From text le (IT inventory). Extensible: DNS, IP port scan.
Evaluate import rules Manage this system? Attach system to this policy? Choose initial ID/password. Manage this account? Un manage this system?
Probe systems Local accounts. Security groups. Group memberships. Services. Local svc accounts. Domain svc accounts.
Hitachi ID Privileged Access Manager can nd, probe, classify and load 10,000 systems/hour. Normally executed every 24 hours. 100% policy driven - no scripts.
10
Slide Presentation
17
Copy
Allows user to paste the password into an e-mail, text, le, etc. Password not directly disclosed. Appropriate for managing off-line, console login devices.
Display
Reveal the cleartext value of password on screen. Clear display after N seconds.
11
Slide Presentation
18
To prevent a security or an IT operations disaster, a privileged password management system must be built for safety rst:
Unauthorized disclosure
Passwords must be encrypted, both in storage and transmissions. Access controls should determine who can see which passwords. Workow should allow for one-off disclosure. Audit logs should record everything. Replicate all data a server crash should be harmless. Replication must be real time, just like password changes. Replication must span physical locations, to allow for site disasters (re, ood, wire cut).
These features are mandatory. Failure is not an option. Ask Hitachi ID for an evaluation guide.
Evaluate products on multiple, replicated servers. Turn off one server in mid-operation. Inspect database contents and sniff network trafc.
12
Slide Presentation
19
Reminders, escalation, delegation, parallel process. Manage membership in groups that authorize access. Requests, approvals, SoD policy, certication, reports. Session monitoring. Windows service account management. API to replace embedded passwords. 110 connectors.
All-inclusive product
20
Animation: ../pics/camtasia/v82/hipam-request-access/hipam-request-access.cam
21
Animation: ../pics/camtasia/v82/hipam-approve-request/hipam-approve-request.cam
22
Animation: ../pics/camtasia/v82/hipam-privileged-login-session/hipam-privileged-login-session.cam 13
Slide Presentation
23
Animation: ../pics/camtasia/v82/hipam-view-playback/hipam-view-playback.cam
24
Animation: ../pics/camtasia/hipam-71/hipam-06-admin-reports.cam
25
Summary
Eliminate static, shared passwords to privileged accounts. Built-in encryption, replication, geo-diversity for the credential vault. Authorized users can launch sessions without knowing or typing a password. Infrequent users can request, be authorized for one-time access. Strong authentication, authorization and audit throughout the process.
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com
File: PRCS:pres Date: September 19, 2013
www.Hitachi-ID.com