Hitachi ID Privileged Access Manager
Frequently Asked Questions
© 2014 Hitachi ID Systems, Inc. All rights reserved.
Contents
1 What business problems does Hitachi ID Privileged Access Manager address?
2 How does Hitachi ID Privileged Access Manager work?
3 How often does Hitachi ID Privileged Access Manager change passwords?
4 How do we control who can sign into which privileged accounts?
5 How do we grant someone temporary or one-time access to a privileged account?
6 Can we configure a "two keys to launch" scenario for super-sensitive systems?
7 Can Hitachi ID Privileged Access Manager manage password changes to Windows service accounts?
8 Can Hitachi ID Privileged Access Manager randomize passwords on ....?
9 Can Hitachi ID Privileged Access Manager launch administrator login sessions to ....?
10 What happens when an administrator needs to sign into the physical console of a server?
11 Which web browsers does Hitachi ID Privileged Access Manager support?
11.1 Basic user interface
11.2 ActiveX components used to launch login sessions
12 Can Hitachi ID Privileged Access Manager secure privileged passwords on laptops (which move around and get disconnected)?
13 How can we automate the setup and teardown of thousands of systems on Hitachi ID Privileged Access Manager?
14 Can Hitachi ID Privileged Access Manager assign privileges less than full-administrator to users?
15 Can Hitachi ID Privileged Access Manager interoperate with sudo on Unix/Linux?
16 Can Hitachi ID Privileged Access Manager integrate with SIEM systems?
17 How does Hitachi ID Privileged Access Manager defend itself against compromise of sensitive passwords?
18 How do we protect Hitachi ID Privileged Access Manager against data loss?
19 Can Hitachi ID Privileged Access Manager record what users do while signed into administrator accounts?
20 How does Hitachi ID Privileged Access Manager control access to recorded login sessions (privacy protection)?
1 What business problems does Privileged Access Manager address?
Many organizations have insecure processes for managing privileged accounts – IDs and passwords on
servers, workstations, applications and network devices with elevated privileges. Inappropriate disclosure
of these passwords would lead to serious security compromise:
• Hundreds or thousands of workstations and servers often share the same ID and password. If the
password on one device is compromised, all of the devices that share the credential are compromised.
• Where a password is used on many systems or needed by many people, it is difficult to coordinate
password changes. As a result, passwords on privileged accounts are often left unchanged for months
or years, creating an extended window of opportunity for an attacker.
• If privileged passwords are rarely changed, when IT staff leave an organization, they retain access to
sensitive systems.
• When many people know the password to a given account, it is impossible to reliably connect changes
(or security compromises) to individual users.
2 How does Privileged Access Manager work?
There are several technological approaches to more securely managing privileged passwords:
1. Eliminate shared passwords entirely and assign personal administrator-level accounts to each IT user, on each asset.
   Pros: Individual accountability for configuration changes.
   Cons: Too many administrator-level accounts on each system.
2. Create and delete personal administrator-level accounts for users on demand.
   Pros: Individual accountability for configuration changes.
   Cons: Complex integration between many systems and the corporate directory.
3. Modify operating systems and applications to check, in real time, whether users are allowed to perform privileged actions. Manage access control policies centrally.
   Pros: Fine-grained control over user access.
   Cons: Too many administrator-level accounts on each system, plus complex change control on each system.
4. Use software installed on each device to periodically change local passwords. Send a copy of these passwords to a secure vault, shared by many systems.
   Pros: Works even in complex, segmented networks.
   Cons: Requires software on each managed system.
5. Software on a central system periodically pushes new passwords to each device and keeps copies in a secure vault.
   Pros: Minimal footprint on managed systems.
   Cons: Requires connectivity from a central application to managed systems.
Privileged Access Manager implements approaches 4 and 5, referred to later in this document as "pull mode" (a local service that calls home) and "push mode" (the central server connects to each managed system); see questions 7 and 12.
3 How often does Privileged Access Manager change passwords?
This is configurable, with the default being every 24 hours.
Hitachi ID Privileged Access Manager secures sensitive passwords by periodically randomizing them:
1. On push-mode servers and applications:
(a) Periodically – for example, every night between 3AM and 4AM.
(b) When users check passwords back in, after they are finished using them.
(c) When users request a specific password value.
(d) In the event of an urgent termination of a system administrator.
2. On pull-mode laptops and similarly configured devices:
(a) Periodically – for example, every day.
(b) At a random time-of-day, to prevent transaction bursts.
(c) Opportunistically, whenever network connectivity happens to be available from the workstation
to a central server.
4 How do we control who can sign into which privileged accounts?
The most common form of access control in the Hitachi ID Privileged Access Manager is based on managed
system policies. These policies are named collections of managed systems containing privileged accounts
whose passwords may be randomized and access to which is controlled.
Managed systems may either be attached to a policy explicitly (e.g., “attach workstation WKSTN01234 to
policy RGWKSTNS”) or implicitly, using an expression. Expressions may be based on the operating system
type, IP address, MAC address or workstation name (e.g., “attach every workstation running Windows XP
in subnet 10.1.2.0/24 to policy X”).
Managed system policies are configured with operational and access control rules, including:
1. Which accounts’ passwords to randomize on attached systems.
2. How often to change passwords.
3. How to compose random passwords (e.g., length, complexity, etc.).
4. What actions to take after successful or failed attempts to disclose a password.
5. What access disclosure methods to offer users who wish to sign into privileged accounts on attached
systems (e.g., launch remote desktop, launch SSH, temporarily place user in security groups, display
current password to user, etc.).
Privileged Access Manager users are organized into user groups, either explicitly or implicitly. In a typical
deployment, users are assigned to Privileged Access Manager user groups by virtue of their membership in
Active Directory or LDAP groups. Groups of users are then assigned specific rights with respect to specific
managed system policies. For example, “every user in group A may launch RDP sessions to privileged
accounts on systems in policy B.”
Business rules, such as segregation of duties between different sets of users, can also be enforced. This
is done by examining and limiting which group memberships on reference systems, such as Active Directory
or LDAP, may be held by the same user at the same time.
5 How do we grant someone temporary or one-time access to a
privileged account?
Hitachi ID Privileged Access Manager includes the same authorization workflow engine as is used in
Hitachi ID Identity Manager. Workflow enables users to request access to a privileged account that was
not previously or permanently authorized. When this happens, one or more additional users are invited (via
e-mail or SMS) to review and approve the request. Approved requests trigger a message to the request’s
recipient, including a URL to Privileged Access Manager where he or she can re-authenticate and “check
out” access.
The workflow process is illustrated by the following series of steps:
1. User UA signs in and requests that the then-current password to login account LA on system S be
made available to user UB at some later time T. UA may or may not be the same person as UB.
2. Privileged Access Manager looks up authorizers associated with LA on S.
3. Privileged Access Manager may run business logic to supplement this authorizer list, for example
with someone in the management chain for UA or UB. The final list of authorizers is AZ. There are N
authorizers in AZ, but approval by just M (M ≤ N) is sufficient to disclose the password to UB.
4. Privileged Access Manager sends e-mail invitations to the authorizers in AZ.
5. If authorizers fail to respond, they get automatic reminder e-mails.
6. If authorizers continue to fail to respond, Privileged Access Manager runs business logic to find
replacements for them, effectively escalating the request, and invites the replacement authorizers as
well.
7. Authorizers receive invitation e-mails, click on a URL embedded in the e-mail invitation, authenticate
themselves to the Privileged Access Manager web login page, review the request and approve or
reject it.
8. If any authorizer rejects the request, e-mails are sent to all participants (UA, UB and AZ) and the
request is terminated.
9. If M authorizers approve the request, thank-you e-mails are sent to all participants. A special e-mail
is sent to the recipient, UB, with a URL to an access disclosure page.
10. UB clicks on the e-mail URL and authenticates to Privileged Access Manager.
11. UB clicks on a button to “check out privileged access.”
12. UB then may click on a button to do one of the following (the options available will vary based on
policy):
(a) Display the password.
(b) Place a copy of the password in the operating system copy buffer.
(c) Launch an RDP, SSH, vSphere or similar remote control session to the server in question.
In other words, display of a sensitive password is not a mandatory or even recommended part of the
solution.
6 Can we configure a "two keys to launch" scenario for super-sensitive systems?
Hitachi ID Privileged Access Manager supports approval of change requests by multiple business stake-
holders and/or by multiple groups of business stake-holders. This allows for typical scenarios such as
“approve this request by recipient’s manager plus departmental IT contact plus application owner.”
Since individuals may be unavailable to respond to a request, authorization can substitute groups for single
approvers. Thus, the above example may be reformulated as “approve this request by recipient’s manager
or any of the manager’s peers; plus either of two departmental IT contacts; plus any of three designated
security contacts for the indicated application.”
Change authorization is normally conducted by sending invitations to all authorizers at the same time. This
“parallel” invitation process yields faster approval turn-around times but has no impact on security, since all
requisite approvers must respond before a request is completed. Sequential invitations are also possible
but are not recommended by Hitachi ID Systems due to the longer total time elapsed before all participants
will approve or reject a request.
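The two approval rules described in questions 5 and 6, as an added example that is not Hitachi ID code: a request carries one or more approval groups, each of which needs a minimum number of approvals from its members (a single group with N authorizers and M required is the plain M-of-N case; several groups with one approval each is the "two keys to launch" case). Invitations go out in parallel, any rejection terminates the request, each authorizer votes once, and an unresponsive authorizer can be replaced by escalation. All user and group names are constructed.

```python
"""Approval-policy evaluation for a privileged-access request.

Added illustration only; this is not Hitachi ID code and the names are
constructed. It models the two rules from the text: an authorizer list AZ
of N people where M approvals suffice (M <= N), and a "two keys to launch"
rule built from several groups, each of which must be satisfied. A single
rejection by any invited authorizer terminates the request.
"""
from dataclasses import dataclass, field


@dataclass
class Group:
    """One approval requirement: `required` approvals from `members`."""
    name: str
    members: set
    required: int = 1

    def __post_init__(self):
        if not 1 <= self.required <= len(self.members):
            raise ValueError(f"{self.name}: need 1 <= required <= len(members)")


@dataclass
class Request:
    """All groups must be satisfied. Invitations go out in parallel, so the
    order in which responses arrive does not matter."""
    groups: list
    responses: dict = field(default_factory=dict)  # authorizer -> decision

    def authorizers(self):
        return set().union(*(g.members for g in self.groups))

    def respond(self, user, decision):
        """Record one authorizer's decision and return the new status."""
        if decision not in ("approve", "reject"):
            raise ValueError(f"bad decision {decision!r}")
        if user not in self.authorizers():
            raise PermissionError(f"{user} was not invited")
        if user in self.responses:
            raise ValueError(f"{user} already responded")  # one vote each
        self.responses[user] = decision
        return self.status()

    def escalate(self, group_name, replacement):
        """Unresponsive authorizer: invite a replacement into the group.
        The original member keeps the right to respond."""
        for g in self.groups:
            if g.name == group_name:
                g.members.add(replacement)
                return
        raise KeyError(group_name)

    def status(self):
        if "reject" in self.responses.values():
            return "rejected"          # any rejection ends the request
        for g in self.groups:
            ok = sum(1 for u in g.members if self.responses.get(u) == "approve")
            if ok < g.required:
                return "pending"
        return "approved"


def two_keys_request():
    """The example rule from the text: manager or a peer, plus either of
    two departmental IT contacts, plus any of three security contacts."""
    return Request([
        Group("manager", {"mgr", "mgr-peer1", "mgr-peer2"}),
        Group("dept-it", {"it1", "it2"}),
        Group("app-security", {"sec1", "sec2", "sec3"}),
    ])


def m_of_n_request(authorizers, m):
    """Plain M-of-N approval over one authorizer list AZ."""
    return Request([Group("AZ", set(authorizers), m)])
```

The point worth keeping from the original text is that parallel invitation does not weaken the rule: `status()` only returns "approved" once every group has met its quorum, no matter which responses arrived first.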
7 Can Privileged Access Manager manage password changes to
Windows service accounts?
On Windows, a service program runs either as the built-in SYSTEM identity, which holds almost every
privilege on the system (and consequently can do the most harm) and has no password, or as a real user
account with a login ID and password, so that it executes with reduced privileges.
This means that on each Windows workstation and server there are a number of service accounts, each
with its own password, which are used to run service programs such as web servers, backup agents, anti-
virus software, etc.
Service account passwords differ from administrator passwords in that they are stored in at least two places:
1. Hashed, in the security database – e.g., the local SAM database or Active Directory, just like all users.
2. Reversibly encrypted, in the registry or elsewhere, where the program that starts the service (e.g.,
Service Control Manager or similar) can retrieve it when it needs to start the service.
Other Windows components besides the Service Control Manager also store passwords twice:
1. Virtual directories used to access web content from the IIS web server.
2. Programs scheduled to be run by the Windows Scheduler.
Third party programs may also require passwords to be stored outside the Security Accounts Manager
(SAM) database.
Of the above passwords, all but those used in IIS are static and may represent a security vulnerability.
Privileged Access Manager can be configured to secure service account passwords. This means two
things, depending on the mode of operation:
1. In pull mode, the Privileged Access Manager workstation service periodically scrambles service account
passwords locally, in coordination with the central Privileged Access Manager server cluster.
2. In push mode, Privileged Access Manager servers periodically connect to Windows servers or Active
Directory in order to change the passwords of service accounts.
In both cases, Privileged Access Manager must notify the program that launches services (the subscriber)
of the new password value, so that it can successfully launch the service at the time of the next system
restart or when an administrator manually stops and restarts the service in question. In some cases,
for example when domain accounts are used to run services, an immediate restart may be required or
advisable, because the running service's Kerberos tickets will eventually expire and cannot be re-acquired
with the old password.
Privileged Access Manager includes extensive automation to discover subscribers and subscriber-to-service-
account dependency. This allows Hitachi ID Systems customers to review what services are run in the
security context of what named users, on what systems. This is particularly helpful where services run in the
security context of domain accounts, since multiple services on multiple servers may rely on the same
service account and may therefore require notification of the same new password in a quick and fault-tolerant
fashion.
Privileged Access Manager includes several processes that support safe and secure changes to service
account passwords:
1. Auto-discovery of subscriber/account dependencies for a variety of subscriber types: IIS, Scheduler,
SCM, DCOM, at various OS and subscriber versions.
2. A white-list mechanism (usually table driven, but a plug-in is available for more complex scenarios) so
customers can control which service accounts should have their passwords randomized and when.
3. Built-in tools to notify known subscribers of new password values.
4. A transaction manager that can retry notifications to off-line subscribers.
The above are primarily used when managed systems are integrated with Privileged Access Manager in
"push mode" – i.e., there is no locally installed software on the target system and Privileged Access Manager
initiates all connections remotely, over the network, directly or via a co-located Privileged Access Manager
proxy server.
In case push mode is inappropriate – for example because the relevant services (remote registry, WMI, etc.)
are disabled or firewalled or because the end system is offline or inaccessible due to name resolution or
IP routing issues (NAT, etc.), a pull mode service can be installed on the managed system, which performs
essentially the same functions but with much simpler connectivity (call home over HTTPS) and no need for
network accessible services on the local system.
Pull mode is normally used on laptops and in some cases desktop PCs, but works on any system running
any version of the Windows OS.
Any problems encountered in updating a service password can and should be configured to trigger an exit
trap program on the Privileged Access Manager server, to notify an administrator of an imminent problem
when the service in question is next started.
Both the discovery and notification mechanisms described above are extensible. This means that customers
who have other types of subscribers – for example, third party job schedulers – can add small programs
that discover their account dependencies and notify them of new service account passwords. These are
typically command-line programs (Windows executable or script) that run on the Privileged Access Manager
server. For pull mode, the equivalent form of extensibility is provided via deployment-specific DLLs.
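The push-mode sequence described above (white-list, subscriber discovery, password change, subscriber notification with retries, exit trap on failure), as an added example that is not Hitachi ID code. The security database and the subscribers are simulated in memory and the host and account names are constructed; a real deployment would replace `Subscriber.notify` with the SCM, Scheduler, IIS or DCOM update and `directory` with the SAM or Active Directory write.

```python
"""Coordinated rotation of a Windows service-account password.

Added illustration, not Hitachi ID code; the security database and the
subscribers (SCM, Scheduler, IIS, DCOM) are simulated in memory and the
host names are constructed. It follows the push-mode sequence described
above: consult the white-list, discover which subscribers run as the
account, set the new value in the security database, notify every
subscriber with retries, and fire an exit trap naming any subscriber
that could not be updated, so an operator can fix it before the service
is next started with a stale password.
"""
import secrets
import string


class Subscriber:
    """A component that keeps its own copy of a service password.

    `fail_times` makes the first N notifications fail, simulating a host
    that is off-line or has remote registry / WMI firewalled.
    """

    def __init__(self, kind, host, account, fail_times=0):
        self.kind, self.host, self.account = kind, host, account
        self.fail_times = fail_times
        self.stored = None

    def notify(self, password):
        if self.fail_times > 0:
            self.fail_times -= 1
            raise ConnectionError(f"{self.kind}@{self.host} unreachable")
        self.stored = password

    def __str__(self):
        return f"{self.kind}@{self.host}"


def random_password(length=24):
    """Random password from a mixed alphabet using the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + "!#%+-=?@_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def discover(inventory, account):
    """Subscriber-to-account dependencies for one account."""
    return [s for s in inventory if s.account.lower() == account.lower()]


def rotate(account, whitelist, directory, inventory, max_attempts=3,
           exit_trap=None, new_password=None):
    """Rotate one service account. Returns (status, password) where status
    is 'skipped' (not white-listed), 'ok' or 'partial' (some subscriber
    still holds the old value)."""
    if account not in whitelist:
        return "skipped", None                 # never touch unlisted accounts
    deps = discover(inventory, account)
    pw = new_password or random_password()
    directory[account] = pw                    # 1. SAM / AD gets the new value
    failed = []
    for sub in deps:                           # 2. every subscriber is told
        for attempt in range(1, max_attempts + 1):
            try:
                sub.notify(pw)
                break
            except ConnectionError:
                if attempt == max_attempts:
                    failed.append(sub)         # transaction manager gave up
    if failed and exit_trap is not None:       # 3. exit trap for the operator
        exit_trap(account, [str(s) for s in failed])
    return ("partial" if failed else "ok"), pw


def needs_restart(account):
    """Domain accounts (DOMAIN\\name or name@realm) should be restarted
    promptly after rotation; local accounts can wait for the next start."""
    return "\\" in account or "@" in account
```

Note the ordering: the security database is updated before any subscriber, because a subscriber that learns a password the directory does not hold is the worse failure. A subscriber that could not be reached is reported by the exit trap rather than silently skipped; until it is fixed the service on that host will fail at its next start.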
8 Can Privileged Access Manager randomize passwords on ....?
Hitachi ID Privileged Access Manager comes with built-in connectors for most common systems and
applications, as illustrated below. All connectors are included in the base price.
Directories: Any LDAP, AD, NDS, eDirectory, NIS/NIS+.
Servers: Windows 2000–2012, Samba, NDS, SharePoint.
Databases: Oracle, Sybase, SQL Server, DB2/UDB, ODBC, Informix.
Unix: Linux, Solaris, AIX, HP-UX, 24 more variants.
Mainframes: z/OS with RACF, ACF2 or Top Secret.
Midrange: iSeries (OS/400), OpenVMS.
ERP: JDE, Oracle eBiz, PeopleSoft, SAP R/3, SAP ECC 6, Siebel, Business Objects.
Collaboration: Lotus Notes, Exchange, GroupWise, BlackBerry ES.
Tokens, Smart Cards: RSA SecurID, SafeWord, RADIUS, ActivIdentity, Schlumberger.
WebSSO: CA SiteMinder, IBM TAM, Oracle AM, RSA Access Manager.
Help Desk: BMC Remedy, BMC SDE, ServiceNow, HP Service Manager, CA Unicenter, Assyst, HEAT, Altiris, Clarify, Track-It!, RSA enVision, MS SCS Manager.
HDD Encryption: McAfee, CheckPoint, BitLocker, PGP.
SaaS: Salesforce.com, WebEx, Google Apps, MS Office 365, SOAP (generic).
Miscellaneous: OLAP, Hyperion, iLearn, Caché, Success Factors, VMware vSphere.
Extensible: SSH, Telnet, TN3270, HTTP(S), SQL, LDAP, command-line.
Privileged Access Manager includes a number of flexible connectors, each of which is used to script
integration with a common protocol or mechanism. These connectors allow organizations to quickly and
inexpensively integrate Privileged Access Manager with custom and vertical market applications. The ability
to quickly and inexpensively add integrations increases the value of the Privileged Access Manager
system as a whole.
There are flexible connectors to script interaction with:
API binding: C, C++; Java, J2EE; .NET; COM, ActiveX; MQ Series.
Terminal emulation: SSH; Telnet; TN3270, TN5250; simulated browser.
Web services: SOAP; WebRPC; pure HTTP(S).
Back end integration: SQL statements issued directly against the application's database; LDAP attributes.
Command-line: Windows; PowerShell; Unix/Linux.
Organizations that wish to write a completely new connector to integrate with a custom or vertical market
application may do so using whatever development environment they prefer (J2EE, .NET, Perl, etc.) and
invoke it as either a command-line program or web service.
If the organization develops their own integrations, an effort of between four hours and four days is typical.
Alternately, Hitachi ID Systems offers fixed-cost custom integrations for a nominal fee.
9 Can Privileged Access Manager launch administrator login sessions to ....?
Hitachi ID Privileged Access Manager controls access by users and programs to privileged accounts on
systems and applications. By default, that means that when a user is authorized to connect to a privileged
account, the user is able to launch a login session directly to that account without ever seeing its password.
Display of current password values can be enabled through Privileged Access Manager policy configuration
but is not normally recommended.
Access disclosure options include:
1. IT staff can directly launch Terminal Services (RDP), SSH (PuTTY), VMWare vSphere, SQL Studio,
web browser/form login and other connections to target systems from the Privileged Access Manager
web user interface, without displaying a password value.
2. IT staff can use an ActiveX control embedded in the Privileged Access Manager web portal to place a
copy of a sensitive password into their Windows copy buffer, again without displaying the passwords.
This password is automatically cleared from their copy buffer after a few seconds.
3. Privileged Access Manager can dynamically attach a recipient’s Active Directory domain login ID to
a local security group on a target system and later remove it. This eliminates the need to disclose
passwords even to a software agent on the recipient’s workstation.
4. Privileged Access Manager can temporarily place a user’s public SSH key into the target account’s
.ssh/authorized_keys file.
5. Where password display is required (e.g., a target system is currently offline), JavaScript in the
Privileged Access Manager web portal removes it from the screen after a few seconds. This is a usability
measure rather than a security boundary: once displayed, the value has been disclosed to that user,
which is why policy normally restricts who may use this option.
A policy defined for each set of managed systems in Privileged Access Manager determines which of these
access disclosure mechanisms is available. For example, password display may be allowed for Windows
workstations, since they may be inaccessible over the network, but RDP sessions with injected passwords
may be mandatory on Windows servers.
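Disclosure method 4 above (temporarily placing the user's public key in the target account's `.ssh/authorized_keys`, the same mechanism the sudo question later applies to functional accounts), as an added example that is not Hitachi ID code. The grant tag format, the function names and the sample keys are this example's own; the optional OpenSSH `expiry-time` key option is real but should only be enabled where sshd is 7.7 or later, since older versions reject keys carrying options they do not recognise.

```python
"""Check-out / check-in of SSH access through authorized_keys.

Added illustration, not Hitachi ID code. At check-out the user's public
key is appended to the target account's ~/.ssh/authorized_keys tagged
with a grant id and an expiry; at check-in, or when a periodic sweep
finds the grant expired, the line is removed again. The file is
rewritten atomically with mode 0600 so sshd never reads a half-written
file. The tag format is this example's own. The optional OpenSSH
`expiry-time` option gives the server an independent cut-off; enable it
only on OpenSSH 7.7 or later (older sshd rejects unknown key options).
"""
import os
import re
import tempfile
import time

MARK = "pam-grant"
TAG_RE = re.compile(rf"\s{MARK}:([A-Za-z0-9_-]+):(\d+)$")
# one key type, one base64 blob, optional comment; a literal space before
# the comment (not \s) so an embedded newline can never smuggle a 2nd key
KEY_RE = re.compile(r"(ssh-(ed25519|rsa)|ecdsa-sha2-nistp(256|384|521)) "
                    r"[A-Za-z0-9+/=]+( [^\r\n]*)?")


def read_lines(path):
    try:
        with open(path, encoding="utf-8") as f:
            return f.read().splitlines()
    except FileNotFoundError:
        return []


def write_atomic(path, lines):
    """Replace `path` atomically; the temp file is in the same directory
    so os.replace is a rename, not a copy."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".ak.")
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write("".join(line + "\n" for line in lines))
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)


def parse_grant(line):
    """(grant_id, expiry) if this is a line we manage, else None."""
    m = TAG_RE.search(line)
    return (m.group(1), int(m.group(2))) if m else None


def checkout(path, pubkey, grant_id, ttl_seconds, now=None, expiry_option=False):
    """Grant `pubkey` access for `ttl_seconds`; returns the expiry (epoch)."""
    pubkey = pubkey.strip()
    if not KEY_RE.fullmatch(pubkey):
        raise ValueError("not a single public-key line")
    if not re.fullmatch(r"[A-Za-z0-9_-]+", grant_id):
        raise ValueError("grant id must be [A-Za-z0-9_-]+")
    lines = read_lines(path)
    if any((g := parse_grant(l)) and g[0] == grant_id for l in lines):
        raise ValueError(f"grant {grant_id} already checked out")
    expiry = int((time.time() if now is None else now) + ttl_seconds)
    opts = ""
    if expiry_option:
        stamp = time.strftime("%Y%m%d%H%M%S", time.gmtime(expiry))
        opts = f'expiry-time="{stamp}Z" '
    lines.append(f"{opts}{pubkey} {MARK}:{grant_id}:{expiry}")
    write_atomic(path, lines)
    return expiry


def checkin(path, grant_id):
    """Remove the grant; returns the number of lines removed (0 or 1)."""
    lines = read_lines(path)
    kept = [l for l in lines if not ((g := parse_grant(l)) and g[0] == grant_id)]
    if len(kept) != len(lines):
        write_atomic(path, kept)
    return len(lines) - len(kept)


def sweep(path, now=None):
    """Remove every managed grant whose expiry has passed; returns count.
    Run periodically: it is the backstop for sessions never checked in."""
    now = time.time() if now is None else now
    lines = read_lines(path)
    kept = [l for l in lines if not ((g := parse_grant(l)) and g[1] <= now)]
    if len(kept) != len(lines):
        write_atomic(path, kept)
    return len(lines) - len(kept)


def active_grants(path, now=None):
    now = time.time() if now is None else now
    return sorted(g[0] for g in map(parse_grant, read_lines(path)) if g and g[1] > now)


def scratch_file(lines):
    """Temporary authorized_keys with the given lines (for demos)."""
    path = os.path.join(tempfile.mkdtemp(), "authorized_keys")
    write_atomic(path, lines)
    return path


def file_mode(path):
    return os.stat(path).st_mode & 0o777
```

Only lines carrying the grant tag are ever removed, so keys the account's owner placed in the file by hand survive every check-in and sweep. Validating the key line before appending matters: the file is parsed line by line by sshd, and an unvalidated value containing a newline would let a requester install a second, untracked key.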
10 What happens when an administrator needs to sign into the physical console of a server?
Password display is supported. Hitachi ID Systems recommends limiting the set of people who have access
to this – i.e., only data center staff should be able to display passwords and perhaps only with workflow
approvals.
11 Which web browsers does Privileged Access Manager support?
11.1 Basic user interface
Hitachi ID Privileged Access Manager presents a pure HTML user interface, with small JavaScript snippets
used only for non-essential functions (such as positioning the cursor or closing the current window).
This interface ensures compatibility with all web browsers. Privileged Access Manager’s web user interface
is routinely and successfully tested using:
• Internet Explorer versions 7.x and later (IE6 works but with minor visual artifacts).
• Firefox (any version released since about 2010 should be fine).
• Safari, Chrome and other WebKit-based browsers.
• Opera (full and mini versions).
• Browsers on smart phones (BlackBerry native, Safari on iPhone, Android native, Dolphin, etc.).
• Even text mode browsers such as lynx and w3m.
The Privileged Access Manager user interface is compatible and periodically tested with speaking web
browsers (for the visually impaired).
In addition to standard HTML, Privileged Access Manager can take advantage of ActiveX components
specifically in IE to execute local code. Example uses of this optional capability include:
1. To launch login sessions to privileged accounts on managed systems and inject credentials into those
login sessions (e.g., PuTTY, RDP, SQL, vSphere, etc.).
2. To record screen, keyboard, webcam and other data during the life of such login sessions.
11.2 ActiveX components used to launch login sessions
ActiveX can be used (but is not required) to:
1. Launch connections from administrator PCs to target systems (RDP, SSH, SQL Studio, VMWare
vSphere, etc.) without having to disclose privileged passwords to users and without users having to
type login IDs and passwords for the privileged accounts on systems they need to sign into. Any
command-line client software, plus the RDP control built into Windows, can be activated in this way.
2. Place a copy of a privileged password in a user’s copy buffer and automatically remove it after a short
time, without having to display it. This allows administrators to (briefly) paste a sensitive password
into a login prompt without having to see it.
IE7 and later are supported as a platform to launch connections via ActiveX (IE6 also works but like all
vendors, Hitachi ID Systems would prefer that IE6 disappeared as soon as possible).
Using ActiveX to launch administrator login sessions means the connection is directly from the user’s PC
to the managed system – not though a proxy. This means there is no bottleneck for performance or service
availability. It also means that Hitachi ID Privileged Access Manager can launch a variety of client/server
administration tools and is not limited to specific versions of specific protocols.
12 Can Privileged Access Manager secure privileged passwords on laptops (which move around and get
disconnected)?
A password management system can easily make connections to servers, which have fixed network
addresses, are always on and are continuously connected to the network. It is much harder for a central
password management server to connect to mobile laptops, for several reasons:
• Laptops frequently move from site to site.
• Even when they remain in one place, laptop IP addresses may change dynamically, due to use of
DHCP.
• Laptops are often turned off and do not respond to network inquiries when deactivated.
• Laptops may be unplugged from the network, either to move them or for periods of disuse.
• Laptops may be protected by a firewall that blocks network connections inbound to the PC.
In short, while it is easy for laptops to contact a central server, it is nearly impossible for the reverse to
happen reliably.
To secure privileged accounts on mobile workstations (typically laptops), Hitachi ID Privileged Access
Manager includes a service, which installs on the relevant PCs and which contacts a central server to
coordinate local password changes.
This architecture has several important advantages:
• The workstation service uses only HTTPS to communicate with the central server and works even
when the workstation is connected behind NAT devices, firewalls or application proxies.
• The workstation service does not randomize passwords unless it has established connectivity with the
central privileged access management server. This avoids a situation where the central server does
not know the new password value for a workstation.
• Dynamic IP addresses have no impact on this architecture.
• Physical relocation and long periods of detached network connectivity may delay updates to local
passwords, but do not introduce a failure whereby the local administrator passwords on a workstation
are unknown.
Privileged Access Manager supports management of passwords on laptops, which may be mobile, have
dynamic IP addresses, get unplugged, etc. This is done using client software, which works by “pulling” new
passwords from the Privileged Access Manager server cluster. Client software is available for:
1. Windows 2000, XP, Windows Vista/7/8, 2003, 2008 and 2008R2.
2. Unix (various vendors) and Linux (x86).
The Windows pull-mode service includes plug-ins to notify operating system components of new service
account passwords. Plug-ins are provided for the Windows Service Control Manager, Windows Scheduler
and IIS.
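The pull-mode ordering described above (the workstation service randomizes a password only after the central server has confirmed it holds the new value, with a random time-of-day and opportunistic retries when connectivity returns), as an added example that is not Hitachi ID code. The central server, the local account database and the HTTPS call-home are simulated in memory; the host name and the receipt scheme are this example's own choices.

```python
"""Pull-mode password rotation on a laptop: escrow first, then apply.

Added illustration, not Hitachi ID code. The central server, the local
account database and the HTTPS call-home are simulated in memory (the
call-home is a method call) and the host name is constructed. It shows
the ordering the text relies on: the workstation service generates the
new password, sends it to the central server, and changes the local
account only after the server acknowledges that it has stored the value.
If the laptop is off the network the change is simply deferred, so the
vault never ends up without the current local password. A random
time-of-day offset spreads daily changes to avoid bursts.
"""
import hashlib
import random
import secrets


def receipt_for(password):
    """What the server echoes back so the agent can confirm the value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]


class VaultServer:
    """Central server end of the call-home."""

    def __init__(self):
        self.vault = {}                 # (host, account) -> password
        self.reachable = True           # flip to simulate no connectivity

    def escrow(self, host, account, password):
        if not self.reachable:
            raise ConnectionError("central server unreachable")
        self.vault[(host, account)] = password
        return receipt_for(password)


class PullAgent:
    """Workstation service. `local` stands in for the local SAM."""

    def __init__(self, host, local, server, interval=86400, seed=None):
        self.host, self.local, self.server = host, local, server
        self.interval = interval
        self.last_rotated = {}          # account -> time of last rotation
        rng = random.Random(seed)       # jitter only; never used for secrets
        self.offset = rng.randrange(interval)

    def scheduled_time(self, day_start):
        """The one moment in a day this laptop attempts its rotation, so
        thousands of laptops do not call home at the same second."""
        return day_start + self.offset

    def due(self, account, now):
        last = self.last_rotated.get(account)
        return last is None or now - last >= self.interval

    def rotate(self, account, now):
        """Returns 'rotated' or 'deferred'. The local password changes only
        after the server has confirmed it holds the new value."""
        new_pw = secrets.token_urlsafe(18)
        try:
            receipt = self.server.escrow(self.host, account, new_pw)
        except ConnectionError:
            return "deferred"           # keep the old password; retry later
        if receipt != receipt_for(new_pw):
            return "deferred"           # server stored something else
        self.local[account] = new_pw    # only now is the local account changed
        self.last_rotated[account] = now
        return "rotated"

    def on_connectivity(self, accounts, now):
        """Opportunistic pass when the network comes back: rotate whatever
        is due. Returns {account: status}."""
        return {a: self.rotate(a, now) for a in accounts if self.due(a, now)}
```

The failure mode this guards against is the one the text names: a laptop that changed its own Administrator password while off the network would hold a password nobody can retrieve. Deferring is safe because the old password is still in the vault; applying first would not be.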
13 How can we automate the setup and teardown of thousands of
systems on Privileged Access Manager?
In organizations with large numbers of servers or other systems (e.g., databases, routers, etc.), clearly it
is desirable to auto-discover and auto-maintain a list of systems and lists of accounts to manage on each
managed system, rather than manually adding and maintaining thousands of separate target systems and
accounts.
To auto-discover systems, most organizations pull data from an Active Directory or LDAP directory.
Computer objects discovered in the directory are classified based on their attributes and automatically managed
(or not) and attached to appropriate managed system policies, which specify password change frequency,
access control rules, access disclosure methods, etc.
A second auto-discovery process probes each managed system to find accounts that should be managed.
On most systems, a list of local users and groups is generated. Specifically on Windows systems, this
process also lists services, scheduled jobs, IIS objects (e.g., anonymous users, application pools, etc.) and
DCOM objects and determines which accounts are used to run each of them. Import rules determine which of
these accounts will be managed by Hitachi ID Privileged Access Manager (e.g., based on account attributes,
group membership, security IDs, account/service relationship, etc.) and which managed system policies to
assign to each managed account.
Alternatives to Active Directory- or LDAP-driven computer object lists include DNS queries or zone transfers,
IP port scans of specific subnets and data imports from an inventory management system.
Privileged Access Manager also includes an automated mechanism to inform programs that store a copy
of passwords of new password values. A plug-in program is provided to connect to Windows servers after
each password change and automatically update Service Control Manager, Windows Scheduler, IIS or
DCOM with new password values.
The Privileged Access Manager auto-discovery process is able to list, classify and probe over 10,000
systems per hour. It is normally scheduled to run daily.
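The implicit policy attachment of question 4 (an expression over OS type, subnet or computer name) applied to the discovery output of question 13, followed by a "group A may use method X on policy B" access check, as an added example that is not Hitachi ID code. The computer records are constructed to resemble Active Directory computer objects; policy, group and method names are invented.

```python
"""Auto-discovery output classified into managed-system policies.

Added illustration, not Hitachi ID code; the computer records below are
constructed to resemble Active Directory computer objects, and the
policy and group names are invented. It shows the implicit attachment
of question 4 (a policy selected by an expression over OS type, subnet
or name) applied to the discovery output of question 13, followed by an
access check of the form "every user in group A may launch RDP sessions
to privileged accounts on systems in policy B".
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    """A managed-system policy: selection expression plus operational and
    access-disclosure rules for every system attached to it."""
    name: str
    os_pattern: str = ".*"                      # regex over operatingSystem
    subnet: Optional[str] = None                # CIDR the host address must be in
    name_pattern: str = ".*"                    # regex over the computer name
    change_every_hours: int = 24
    accounts: frozenset = frozenset({"Administrator"})
    disclosure: frozenset = frozenset({"rdp"})  # methods this policy offers

    def matches(self, computer):
        if not re.fullmatch(self.os_pattern, computer.get("operatingSystem", "")):
            return False
        if not re.fullmatch(self.name_pattern, computer["name"]):
            return False
        if self.subnet is not None:
            try:
                addr = ipaddress.ip_address(computer["ip"])
            except (KeyError, ValueError):
                return False        # no usable address: a subnet rule cannot match
            if addr not in ipaddress.ip_network(self.subnet):
                return False
        return True


def classify(computers, policies, explicit=None):
    """Map computer name -> policy name.

    Explicit attachments ("attach WKSTN01234 to RGWKSTNS") take precedence
    over expressions; among expressions the first match in list order wins;
    a system that matches nothing is reported as None so it can be reviewed
    rather than silently managed under some default policy."""
    explicit = explicit or {}
    result = {}
    for c in computers:
        if c["name"] in explicit:
            result[c["name"]] = explicit[c["name"]]
        else:
            result[c["name"]] = next((p.name for p in policies if p.matches(c)), None)
    return result


def may_disclose(user_groups, policy, method, rights):
    """Access-control check. `rights` maps (user_group, policy_name) to the
    disclosure methods granted. Both the grant and the policy must offer
    the method, so a group right can never widen what a policy allows."""
    if method not in policy.disclosure:
        return False
    return any(method in rights.get((g, policy.name), ()) for g in user_groups)


# Constructed discovery output, policies and group rights for the usage below.
POLICIES = [
    Policy("WINXP-LAB", os_pattern=r"Windows XP.*", subnet="10.1.2.0/24",
           disclosure=frozenset({"rdp", "display"})),
    Policy("WINSRV", os_pattern=r"Windows Server.*",
           disclosure=frozenset({"rdp", "group-membership"})),
    Policy("LAPTOPS", os_pattern=r"Windows 7.*", name_pattern=r"LT-.*",
           disclosure=frozenset({"display"})),
]
COMPUTERS = [
    {"name": "WKSTN01234", "operatingSystem": "Windows XP Professional", "ip": "10.1.2.17"},
    {"name": "SRV01", "operatingSystem": "Windows Server 2008 R2 Standard", "ip": "10.9.0.5"},
    {"name": "LT-0042", "operatingSystem": "Windows 7 Enterprise", "ip": "172.16.4.9"},
    {"name": "OLD-XP", "operatingSystem": "Windows XP Professional", "ip": "192.168.1.2"},
    {"name": "NOIP", "operatingSystem": "Windows XP Professional"},
]
RIGHTS = {
    ("Desktop-Support", "WINXP-LAB"): {"rdp", "display"},
    ("Server-Admins", "WINSRV"): {"rdp", "group-membership"},
}
```

Two design choices are deliberate. Unmatched systems come back as `None` instead of being attached to a catch-all policy, so a mis-classified server is visible in the daily run rather than quietly managed with the wrong change frequency or disclosure rules. And the access check intersects the group grant with the policy's own disclosure list, matching the text's point that password display can be allowed on workstations while RDP with injected credentials stays mandatory on servers.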
14 Can Privileged Access Manager assign privileges less than full-administrator to users?
Yes. For Unix/Linux, please refer to the next question.
For Windows, see below.
Hitachi ID Privileged Access Manager can be configured to disclose privileged access to Windows servers
by temporarily placing an administrative user’s unprivileged Active Directory domain account into a
privileged security group on the target computer.
This process works as follows:
1. Administrator A requests privileged access to computer C.
2. The request is approved either because A has been pre-approved for such access (typically via
membership in an AD group) or because some other user, with ownership rights to computer C, approves
the request.
3. Administrator A “checks out” access to computer C.
4. Privileged Access Manager places A’s AD account into a privileged group on computer C, such as
(local group) “Administrators.”
5. A connects to C using RDP. This connection might be mediated by Privileged Access Manager, which
can launch the RDP session directly from its web portal using an ActiveX control.
6. Depending on how Privileged Access Manager and C are configured, A may or may not have to type
his personal AD password to establish the RDP connection to C. For example, if C trusts Kerberos-
authenticated RDP sessions or if Privileged Access Manager has an agent on A’s workstation to
acquire his login password, then no manual authentication step will be required.
7. Eventually A will either check-in the session or the session will time out. When either event happens,
Privileged Access Manager will remove A’s AD account from the privileged group on C.
This approach of manipulating group memberships rather than disclosing passwords has the advantage that
audit logs on the target computer (C in the example above) show activity by the individual administrator (A
in the example above) rather than by a generic local administrator account.
The limitations of this approach are:
1. It does not help with non-Windows machines or non-domain-members.
2. It does not help with machines which are disconnected from the network.
15 Can Privileged Access Manager interoperate with sudo on Unix/Linux?
Hitachi ID Privileged Access Manager can be configured to disclose privileged access to Unix and Linux
computers by temporarily placing an administrative user’s personal SSH public key into the trusted keys file
of a functional account on the target computer.
This architecture works as follows:
1. The Privileged Access Manager server gets its own SSH public and private keys.
2. Every user who may require privileged access to Unix/Linux systems must have:
(a) An SSH client package on his PC.
(b) Defined SSH private and public key.
3. A copy of the public SSH key for every user is kept on the Privileged Access Manager server.
4. Each managed Unix/Linux computer is configured with:
(a) An SSHD listener.
(b) The SUDO package.
(c) A set of functional, unprivileged accounts (more on this later).
5. The /etc/sudoers file on each managed Unix/Linux computer is configured to grant a set of predefined privileges to each functional account. For example:
• The account dba might be allowed to perform DB-related tasks.
• The account backup might be allowed to perform filesystem backups.
• The account procmon might be allowed to terminate runaway processes.
• The account monitor might be allowed to collect statistics from /proc.
6. The .ssh/authorized_keys file of each of the functional accounts is configured to trust the public
SSH key of the Privileged Access Manager server.
7. At access checkout time, Privileged Access Manager modifies the .ssh/authorized_keys file of
the functional account to which access was granted to include the public key of the user who needs
access to that account.
8. At access checkin or expiry time, Privileged Access Manager modifies the .ssh/authorized_keys
file of the relevant functional account to remove the public key of the user who had access to that
account.
The access disclosure process works as follows:
1. Administrator A requests access to functional account F on computer C.
2. The request is approved either because A has been pre-approved for such access (typically via membership in an AD group) or because some other user, with ownership rights to F@C, approves the request.
3. Administrator A “checks out” access to F@C.
4. Privileged Access Manager retrieves a copy of the .ssh/authorized_keys from F@C, adds A’s
public SSH key to the file and puts the new .ssh/authorized_keys back in F@C’s home directory.
5. A connects to F@C using SSH. This connection is authenticated using an SSH key exchange (not a
password).
6. A may have to type a password to access his own SSH private key, depending on whether his SSH private key is encrypted with a password.
7. Eventually A will either check-in the session or the session will time out. When either event happens,
Privileged Access Manager will remove A’s public SSH key from F@C’s .ssh/authorized_keys
file.
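The authorized_keys manipulation in steps 4 and 7 above, modelled as an added example (this is not Hitachi ID's code): grant on checkout, revoke on check-in, and a sweep for expired checkouts, which is the same grant-then-revoke lifecycle that section 14 describes for Windows group membership. The comment tag that marks PAM-inserted lines, the sample keys and the functional account name are assumptions made for this example.

```python
"""Checkout / check-in of a functional Unix account by editing its authorized_keys file.

Added example; assumes plain OpenSSH public-key lines (no option prefix) and a
comment tag chosen by the PAM server to mark the lines it wrote.
"""
import re

# Constructed sample: the authorized_keys file of functional account "dba" before
# any checkout.  It already trusts the PAM server's own key (step 6 above).
# Neither key in this example is real.
PAM_SERVER_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPAMSERVERKEYEXAMPLE0000000000000000000 pam-server"
INITIAL_AUTHORIZED_KEYS = PAM_SERVER_KEY + "\n"

# Every key the PAM server inserts carries this tag in its comment field, so that
# revocation only ever removes lines PAM itself wrote (assumed convention).
TAG = "hipam-checkout"

_KEY_LINE = re.compile(
    r"^(ssh-(?:rsa|ed25519)|ecdsa-sha2-nistp(?:256|384|521)) ([A-Za-z0-9+/]+={0,3})(?: (.*))?$"
)


def validate_public_key(key: str) -> tuple[str, str]:
    """Return (type, base64 blob) for exactly one OpenSSH public-key line.

    Anything else is rejected, including a value that smuggles a second key line
    behind a newline: authorized_keys is line-oriented, so user-supplied input
    must never be appended unparsed.
    """
    m = _KEY_LINE.match(key.strip())
    if not m:
        raise ValueError("not a single-line OpenSSH public key")
    return m.group(1), m.group(2)


def _split(line: str) -> tuple[str, str, str]:
    """(type, blob, comment) for one authorized_keys line; missing fields are ''."""
    parts = line.split(None, 2)
    parts += [""] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def grant(authorized_keys: str, user_key: str, user: str, expires_at: int) -> str:
    """Checkout (step 4): append the user's key, tagged with user and expiry (epoch seconds)."""
    ktype, blob = validate_public_key(user_key)
    lines = [l for l in authorized_keys.splitlines() if l.strip()]
    if any(_split(l)[:2] == (ktype, blob) for l in lines):
        return authorized_keys          # already trusted: a repeat checkout is a no-op
    lines.append(f"{ktype} {blob} {TAG}:{user}:{expires_at}")
    return "\n".join(lines) + "\n"


def revoke(authorized_keys: str, user: str) -> str:
    """Check-in (step 7): drop every PAM-tagged line for this user, keep all other keys."""
    kept = [l for l in authorized_keys.splitlines()
            if l.strip() and not _split(l)[2].startswith(f"{TAG}:{user}:")]
    return "\n".join(kept) + "\n"


def sweep_expired(authorized_keys: str, now: int) -> str:
    """Expiry (step 7): drop PAM-tagged lines whose deadline has passed."""
    kept = []
    for l in authorized_keys.splitlines():
        if not l.strip():
            continue
        comment = _split(l)[2]
        if comment.startswith(TAG + ":") and int(comment.rsplit(":", 1)[1]) <= now:
            continue
        kept.append(l)
    return "\n".join(kept) + "\n"


def granted_users(authorized_keys: str) -> list[str]:
    """Users currently holding a PAM-issued checkout on this account (audit view)."""
    return [_split(l)[2].split(":")[1]
            for l in authorized_keys.splitlines()
            if l.strip() and _split(l)[2].startswith(TAG + ":")]


def demo() -> dict:
    """Walk one checkout through grant, repeated grant, expiry sweep and check-in."""
    alice_key = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALICEKEYEXAMPLE000000000000000000000000 "
                 "alice@laptop")                       # constructed, not a real key
    t0 = 1_400_000_000                                  # checkout time (epoch seconds)
    after_checkout = grant(INITIAL_AUTHORIZED_KEYS, alice_key, "alice", t0 + 3600)
    return {
        "after_checkout": after_checkout,
        "repeat_grant": grant(after_checkout, alice_key, "alice", t0 + 3600),
        "after_expiry": sweep_expired(after_checkout, t0 + 7200),
        "after_checkin": revoke(after_checkout, "alice"),
    }


if __name__ == "__main__":
    for name, content in demo().items():
        print(f"--- {name}\n{content}", end="")
```

Tagging the inserted line with the user and an expiry deadline is what makes both revocation paths safe: check-in removes only that user's PAM-issued line, the expiry sweep can reconcile a file whose checkout the server lost track of, and keys placed in the file by anyone else are never touched. The validation step matters because the user's public key is data the PAM server did not generate.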
16 Can Privileged Access Manager integrate with SIEM systems?
The logging service in Hitachi ID Privileged Access Manager can be configured to forward SYSLOG messages to a network logging system, including services exposed by all popular SIEM applications.
17 How does Privileged Access Manager defend itself against compromise of sensitive passwords?
Encryption is used to protect stored Hitachi ID Privileged Access Manager data as follows:
Data stored on the Privileged Access Manager server:

  Data                                                    Algorithm     Key
  Privileged passwords, used to log into target systems   128-bit AES   128-bit random
  Answers to security questions                           128-bit AES   128-bit random
  User old password history                               SHA-1         64-bit random salt
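The "User old password history" row of the table, worked through as an added example (not the product's code): each history entry is a 64-bit random salt followed by SHA-1(salt || password), and a candidate password is checked for reuse by recomputing the digest with each entry's stored salt. The record layout (salt prepended to the digest) and the sample passwords are assumptions made for this example.

```python
"""Salted password-history entries, per the 'User old password history' row. Added example."""
import hashlib
import hmac
import os

SALT_LEN = 8          # 64-bit random salt, as stated in the table


def make_history_entry(password: str, salt: bytes = b"") -> bytes:
    """Return salt || SHA-1(salt || password); a fresh random salt unless one is supplied."""
    if not salt:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be 64 bits")
    return salt + hashlib.sha1(salt + password.encode("utf-8")).digest()


def matches_history_entry(password: str, entry: bytes) -> bool:
    """Recompute with the entry's own salt and compare in constant time."""
    salt, stored = entry[:SALT_LEN], entry[SALT_LEN:]
    digest = hashlib.sha1(salt + password.encode("utf-8")).digest()
    return hmac.compare_digest(digest, stored)


def is_reused(candidate: str, history: list[bytes]) -> bool:
    """True if the candidate equals any password in the (salted, hashed) history."""
    return any(matches_history_entry(candidate, e) for e in history)


def demo() -> dict:
    # Constructed history of two previous passwords for one user.
    history = [make_history_entry(p) for p in ("Winter2013!", "Spring2014!")]
    return {
        "reused": is_reused("Winter2013!", history),   # True: old password offered again
        "fresh": is_reused("Summer2014!", history),    # False: never used before
        "entry_len": len(history[0]),                  # 8 salt bytes + 20 digest bytes
        "salts_differ": history[0][:SALT_LEN] != history[1][:SALT_LEN],
    }


if __name__ == "__main__":
    print(demo())
```

Because every entry carries its own random salt, the same password produces a different record each time it is stored, so two users (or two entries for one user) with equal passwords cannot be matched by comparing records and a precomputed digest table does not apply. SHA-1 is a fast hash, so the history table protects reuse checks rather than serving as a slow password store, and it needs the same access controls as the rest of the vault.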
18 How do we protect Privileged Access Manager against data loss?
Once deployed, Hitachi ID Privileged Access Manager becomes an essential part of an organization’s IT infrastructure, since it alone has access to privileged passwords for thousands of networked devices. An interruption to the availability of Privileged Access Manager or its password vault would mean that administrative access to a range of devices is interrupted – a major IT service disruption.
Since servers occasionally break down, Privileged Access Manager supports load balancing and data
replication between multiple physical servers and multiple credential vaults. Any updates written to one
database instance are automatically replicated, in real time, over an encrypted communication path, to all
other Privileged Access Manager servers and all other credential vaults.
In short, Privileged Access Manager incorporates a highly available, replicated, multi-master architecture
for both the application and the credential vault.
To provide out-of-the-box data replication, Privileged Access Manager includes a database service that replicates updates across multiple database instances. This service can be configured to use either Oracle or Microsoft SQL Server databases for physical storage. Hitachi ID Systems recommends one physical database per Privileged Access Manager server, normally on the same hardware as the Privileged Access Manager application.
The Privileged Access Manager data replication system makes it both simple and advisable for organizations to build a highly-available Privileged Access Manager server cluster, spanning multiple servers, with each server placed in a different data center. Replication traffic is encrypted, authenticated, bandwidth-efficient and tolerant of latency, making it suitable for deployment over a WAN.
This multi-site, multi-master replication is configured at no additional cost, beyond that of the hardware for
additional Privileged Access Manager servers, and with minimal manual configuration.
19 Can Privileged Access Manager record what users do while signed
into administrator accounts?
Hitachi ID Privileged Access Manager includes a sophisticated infrastructure for monitoring, recording and
playing back privileged account login sessions. This includes capturing:
1. Successive screen shots of the interactive administrator login session (RDP, SSH, vSphere, etc.).
2. Periodic photographs of the user (presumably) if a web-cam is present.
3. Many types of input events, including key presses, mouse clicks, copies and pastes.
4. Process names started and stopped.
5. UI text elements (labels, text input fields, drop-downs, etc.) displayed on the screen.
6. Mapping and disconnecting file shares (currently under development).
7. Initiating file transfers, especially to removable media such as USB flash drives (currently under development).
Capture sources can be individually enabled, disabled or configured.
This data is stored in a secure database and can be accessed later:
1. Search by user, target system, time, date or meta data.
2. Play back movies of user interaction.
3. Report on events during the session (copy, paste, transfer file to removable media, etc.).
This data can be extracted, for example for use in a forensic audit or as courtroom evidence.
Two forms of this session monitoring/recording infrastructure are being developed concurrently:
1. One runs when a privileged account login session is initiated via the Privileged Access Manager web
portal, by launching an RDP session, SSH session, SQL Studio, a 3270 emulator, VMWare vSphere,
etc.
2. Another (in Beta release) can be installed on an individual Windows workstation or server (Windows
XP, 2003, Vista, 2008, 2008R2, 7, 8) and can record user interaction during an interactive login
session by a specified user, even if the session was not initiated using Privileged Access Manager at
all.
Recorded sessions are stored in a combination of the Privileged Access Manager database (session meta
data, keyboard input and other text events, etc.) and on server or network filesystems (video captures,
web-cam snapshots, etc.).
Playback data is packaged as a ZIP file with XML files representing textual data, standard MP4 video files
representing screen movies and JPEG files representing web-cam images. These ZIP files are intended to
be suitable as forensic evidence in the context of investigation of improper employee or contractor behavior.
20 How does Privileged Access Manager control access to recorded
login sessions (privacy protection)?
Session monitoring can have serious implications on user privacy and so should be implemented with
great care. The session monitoring infrastructure is subject to strict access control rules and workflow
infrastructure. For example, an auditor must first request the right to perform a given search through session
data. If approved, he can execute the search and may find sessions of interest. The auditor must then
request the right to playback selected sessions. Only if this second request is approved can the auditor
retrieve session data. Of course, all such requests and searches are indelibly logged.
Another measure used to protect user privacy in Hitachi ID Privileged Access Manager is a pattern-matching censorship process. Hitachi ID Systems customers are encouraged to define regular expression patterns, matching passwords, social security numbers, credit card numbers, bank account numbers, etc. A process on the Privileged Access Manager server post-processes keystroke and keyword data captured by the session monitor, searching for matches for these patterns. Matches are deleted from the keystroke and keyword database.
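The pattern-matching censorship step, as an added example that is not Hitachi ID's implementation: a post-processor runs customer-defined regular expressions over the captured text events and deletes the matches before the data is stored. The three patterns, the Luhn check that keeps the card-number pattern from firing on arbitrary 13 to 16 digit identifiers (a refinement beyond what the paragraph states), the placeholder text and the constructed capture are all assumptions made for this example.

```python
"""Regex censorship of captured keystroke/keyword events before storage. Added example."""
import re

# Constructed patterns; the FAQ leaves the actual list to each customer.
PASSWORD_FIELD = re.compile(r"(?i)\b(password\s*[:=]\s*)\S+")
CARD = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")          # 13-16 digits, optional separators
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that only plausible card numbers are deleted from the capture."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact(text: str) -> tuple[str, dict]:
    """Delete matches from one captured text event; return cleaned text and per-pattern counts."""
    counts = {"password": 0, "card": 0, "ssn": 0}

    def pw_repl(m):
        counts["password"] += 1
        return m.group(1) + "[REDACTED:password]"      # keep the label, drop the value

    def card_repl(m):
        if not luhn_ok(re.sub(r"\D", "", m.group(0))):
            return m.group(0)                            # e.g. an order number: keep it
        counts["card"] += 1
        return "[REDACTED:card]"

    def ssn_repl(m):
        counts["ssn"] += 1
        return "[REDACTED:ssn]"

    text = PASSWORD_FIELD.sub(pw_repl, text)
    text = CARD.sub(card_repl, text)
    text = SSN.sub(ssn_repl, text)
    return text, counts


# Constructed capture: one entry per text event recorded during a session.
SAMPLE_EVENTS = [
    {"t": "2014-07-15T10:01:02Z", "text": "sqlplus app/Password=S3cr3t!@db1"},
    {"t": "2014-07-15T10:01:40Z", "text": "update cards set pan='4111 1111 1111 1111' where id=7"},
    {"t": "2014-07-15T10:02:15Z", "text": "select * from staff where ssn='123-45-6789'"},
    {"t": "2014-07-15T10:03:00Z", "text": "select * from orders where ref=1234567890123456"},
]


def redact_capture(events: list) -> tuple[list, dict]:
    """Post-process a whole capture; what comes back is what gets written to the database."""
    cleaned, totals = [], {"password": 0, "card": 0, "ssn": 0}
    for ev in events:
        text, counts = redact(ev["text"])
        for k in totals:
            totals[k] += counts[k]
        cleaned.append({"t": ev["t"], "text": text})
    return cleaned, totals


if __name__ == "__main__":
    events, totals = redact_capture(SAMPLE_EVENTS)
    for ev in events:
        print(ev["t"], ev["text"])
    print(totals)
```

The fourth sample event shows why the checksum is worth adding: a 16-digit order reference matches the card pattern but fails Luhn, so it survives and the recording stays useful as evidence, while the genuine card number, the social security number and the password value are gone before anything reaches the database. The per-pattern counts give the auditor a record that deletion happened without revealing what was deleted.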
www.Hitachi-ID.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com
File: /pub/wp/documents/faq/hipam/hipam-faq-1.tex
Date: 2011-07-15
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceMartin Humpolec
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 

Dernier (20)

Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdf
 
GenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncGenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation Inc
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your Salesforce
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 

Privileged Access Manager Product Q&A

1 What business problems does Privileged Access Manager address?

Many organizations have insecure processes for managing privileged accounts – IDs and passwords on servers, workstations, applications and network devices with elevated privileges. Inappropriate disclosure of these passwords would lead to serious security compromise:

• Hundreds or thousands of workstations and servers often share the same ID and password. If the password on one device is compromised, all of the devices that share the credential are compromised.
• Where a password is used on many systems or needed by many people, it is difficult to coordinate password changes. As a result, passwords on privileged accounts are often left unchanged for months or years, creating an extended window of opportunity for an attacker.
• If privileged passwords are rarely changed, IT staff who leave the organization retain access to sensitive systems.
• When many people know the password to a given account, it is impossible to reliably connect changes (or security compromises) to individual users.

2 How does Privileged Access Manager work?

There are several technological approaches to more securely managing privileged passwords:

1. Eliminate shared passwords entirely and assign personal administrator-level accounts to each IT user, on each asset.
   Pros: Individual accountability for configuration changes.
   Cons: Too many administrator-level accounts on each system.
2. Create and delete personal administrator-level accounts for users on demand.
   Pros: Individual accountability for configuration changes.
   Cons: Complex integration between many systems and the corporate directory.
3. Modify operating systems and applications to check whether users are allowed to perform privileged actions, in real time.
   Pros: Manage access control policies centrally. Fine-grained control over user access.
   Cons: Too many administrator-level accounts on each system plus complex change control on each system.
4. Use software installed on each device to periodically change local passwords. Send a copy of these passwords to a secure vault, shared by many systems.
   Pros: Works even in complex, segmented networks.
   Cons: Requires software on each managed system.
5. Software on a central system periodically pushes new passwords to each device and keeps copies in a secure vault.
   Pros: Minimal footprint on managed systems.
   Cons: Requires connectivity from a central application to managed systems.

3 How often does Privileged Access Manager change passwords?

This is configurable, with the default being every 24 hours.

Hitachi ID Privileged Access Manager secures sensitive passwords by periodically randomizing them:

1. On push-mode servers and applications:
   (a) Periodically – for example, every night between 3AM and 4AM.
   (b) When users check passwords back in, after they are finished using them.
   (c) When users request a specific password value.
   (d) In the event of an urgent termination of a system administrator.
2. On pull-mode laptops and similarly configured devices:
   (a) Periodically – for example, every day.
   (b) At a random time-of-day, to prevent transaction bursts.
   (c) Opportunistically, whenever network connectivity happens to be available from the workstation to a central server.

4 How do we control who can sign into which privileged accounts?

The most common form of access control in Hitachi ID Privileged Access Manager is based on managed system policies. These policies are named collections of managed systems containing privileged accounts whose passwords may be randomized and access to which is controlled.

Managed systems may either be attached to a policy explicitly (e.g., “attach workstation WKSTN01234 to policy RGWKSTNS”) or implicitly, using an expression. Expressions may be based on the operating system type, IP address, MAC address or workstation name (e.g., “attach every workstation running Windows XP in subnet 10.1.2.3/24 to policy X”).

Managed system policies are configured with operational and access control rules, including:

1. Which accounts’ passwords to randomize on attached systems.
2. How often to change passwords.
3. How to compose random passwords (e.g., length, complexity, etc.).
4. What actions to take after successful or failed attempts to disclose a password.
5. What access disclosure methods to offer users who wish to sign into privileged accounts on attached systems (e.g., launch remote desktop, launch SSH, temporarily place user in security groups, display current password to user, etc.).
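As an added illustration (not Hitachi ID's code) of how the implicit, expression-based attachment described above can be evaluated: constructed policies keyed on OS type, IP subnet and name pattern are matched against a constructed workstation inventory, explicit attachments are merged in, and any system that matches no policy is flagged, since its passwords would never be randomized. Policy names, rule field names and every host below are assumptions.

```powershell
# Added example (not Hitachi ID code): evaluate "attach by expression" rules
# over a constructed workstation inventory. Policy names, the rule fields
# (OSType, Subnet, NamePattern) and all hosts below are constructed.

function ConvertTo-IPv4Long {
    # Big-endian IPv4 address as a 64-bit integer (avoids signed 32-bit overflow)
    param([Parameter(Mandatory)][string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
}

function Test-IPv4InSubnet {
    # $Cidr may name any host in the subnet ("10.1.2.3/24"), not only the network address
    param([Parameter(Mandatory)][string]$Address, [Parameter(Mandatory)][string]$Cidr)
    $parts = $Cidr -split '/'
    $net = $parts[0]
    $prefix = [int]$parts[1]
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "Invalid prefix length in '$Cidr'" }
    $mask = [long][math]::Pow(2, 32) - [long][math]::Pow(2, 32 - $prefix)
    return (((ConvertTo-IPv4Long $Address) -band $mask) -eq ((ConvertTo-IPv4Long $net) -band $mask))
}

function Test-PolicyExpression {
    # Every field present in the policy must match; absent fields act as wildcards
    param([Parameter(Mandatory)][hashtable]$System, [Parameter(Mandatory)][hashtable]$Policy)
    if ($Policy.ContainsKey('OSType') -and $System.OSType -ne $Policy.OSType) { return $false }
    if ($Policy.ContainsKey('Subnet') -and -not (Test-IPv4InSubnet -Address $System.IPAddress -Cidr $Policy.Subnet)) { return $false }
    if ($Policy.ContainsKey('NamePattern') -and $System.Name -notmatch $Policy.NamePattern) { return $false }
    return $true
}

function Resolve-ManagedSystemPolicies {
    param(
        [Parameter(Mandatory)][hashtable[]]$Inventory,
        [Parameter(Mandatory)][hashtable[]]$Policies,
        [hashtable]$ExplicitAttachments = @{}      # system name -> array of policy names
    )
    foreach ($sys in $Inventory) {
        $matched = [System.Collections.Generic.List[string]]::new()
        if ($ExplicitAttachments.ContainsKey($sys.Name)) {
            $matched.AddRange([string[]]$ExplicitAttachments[$sys.Name])
        }
        foreach ($p in $Policies) {
            if ((Test-PolicyExpression -System $sys -Policy $p) -and -not $matched.Contains($p.Name)) {
                $matched.Add($p.Name)
            }
        }
        [pscustomobject]@{
            Name      = $sys.Name
            OSType    = $sys.OSType
            IPAddress = $sys.IPAddress
            Policies  = ($matched -join ', ')
            # An unattached system keeps whatever static password it has today
            Managed   = ($matched.Count -gt 0)
        }
    }
}

# Constructed policies, following the FAQ's wording ("every workstation running
# Windows XP in subnet 10.1.2.3/24 to policy X")
$Policies = @(
    @{ Name = 'POLICY-X';     OSType = 'Windows XP'; Subnet = '10.1.2.3/24' },
    @{ Name = 'WIN7-FINANCE'; OSType = 'Windows 7';  NamePattern = '^FIN-' },
    @{ Name = 'ALL-LAPTOPS';  NamePattern = '^LT-' }
)
$Explicit = @{ 'WKSTN01234' = @('RGWKSTNS') }   # the FAQ's explicit-attachment example

# Constructed inventory; SRV-DB01 deliberately matches nothing
$Inventory = @(
    @{ Name = 'WKSTN01234'; OSType = 'Windows XP';          IPAddress = '10.1.2.77' },
    @{ Name = 'FIN-0042';   OSType = 'Windows 7';           IPAddress = '10.1.5.12' },
    @{ Name = 'LT-0007';    OSType = 'Windows 7';           IPAddress = '10.1.2.200' },
    @{ Name = 'SRV-DB01';   OSType = 'Windows Server 2008'; IPAddress = '10.1.2.10' }
)

Resolve-ManagedSystemPolicies -Inventory $Inventory -Policies $Policies -ExplicitAttachments $Explicit |
    Format-Table -AutoSize
```

Filtering the output on Managed = False is the check worth scheduling: it lists systems that hold privileged accounts but fall outside every policy.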
Privileged Access Manager users are organized into user groups, either explicitly or implicitly. In a typical deployment, users are assigned to Privileged Access Manager user groups by virtue of their membership in Active Directory or LDAP groups.

Groups of users are then assigned specific rights with respect to specific managed system policies. For example, “every user in group A may launch RDP sessions to privileged accounts on systems in policy B.”

Business rules, such as segregation of duties between different sets of users, can also be enforced. This is done by examining, managing and limiting which group memberships on reference systems, such as Active Directory or LDAP, can be simultaneously assigned to the same user.

5 How do we grant someone temporary or one-time access to a privileged account?

Hitachi ID Privileged Access Manager includes the same authorization workflow engine as is used in Hitachi ID Identity Manager. Workflow enables users to request access to a privileged account that was not previously or permanently authorized. When this happens, one or more additional users are invited (via e-mail or SMS) to review and approve the request. Approved requests trigger a message to the request’s recipient, including a URL to Privileged Access Manager where he or she can re-authenticate and “check out” access.

The workflow process is illustrated by the following series of steps:

1. User UA signs in and requests that the then-current password to login account LA on system S be made available to user UB at some later time T. UA may or may not be the same person as UB.
2. Privileged Access Manager looks up authorizers associated with LA on S.
3. Privileged Access Manager may run business logic to supplement this authorizer list, for example with someone in the management chain for UA or UB. The final list of authorizers is AZ. There are N authorizers but approval by just M (M ≤ N) is sufficient to disclose the password to UB.
4. Privileged Access Manager sends e-mail invitations to authorizers AZ.
5. If authorizers fail to respond, they get automatic reminder e-mails.
6. If authorizers continue to fail to respond, Privileged Access Manager runs business logic to find replacements for them, effectively escalating the request, and invites the replacement authorizers as well.
7. Authorizers receive invitation e-mails, click on a URL embedded in the e-mail invitation, authenticate themselves to the Privileged Access Manager web login page, review the request and approve or reject it.
8. If any authorizer rejects the request, e-mails are sent to all participants (UA, UB and AZ) and the request is terminated.
9. If M authorizers approve the request, thank-you e-mails are sent to all participants. A special e-mail is sent to the recipient, UB, with a URL to an access disclosure page.
10. UB clicks on the e-mail URL, authenticates to Privileged Access Manager and displays the password.
11. UB clicks on a button to “check out privileged access.”
12. UB then may click on a button to do one of the following (the options available will vary based on policy):
    (a) Display the password.
    (b) Place a copy of the password in the operating system copy buffer.
    (c) Launch an RDP, SSH, vSphere or similar remote control session to the server in question.

In other words, display of a sensitive password is not a mandatory or even recommended part of the solution.

6 Can we configure a "two keys to launch" scenario for super-sensitive systems?

Hitachi ID Privileged Access Manager supports approval of change requests by multiple business stake-holders and/or by multiple groups of business stake-holders. This allows for typical scenarios such as “approve this request by recipient’s manager plus departmental IT contact plus application owner.”

Since individuals may be unavailable to respond to a request, authorization can substitute groups for single approvers. Thus, the above example may be reformulated as “approve this request by recipient’s manager or any of the manager’s peers; plus either of two departmental IT contacts; plus any of three designated security contacts for the indicated application.”

Change authorization is normally conducted by sending invitations to all authorizers at the same time. This “parallel” invitation process yields faster approval turn-around times but has no impact on security, since all requisite approvers must respond before a request is completed. Sequential invitations are also possible but are not recommended by Hitachi ID Systems due to the longer total time elapsed before all participants will approve or reject a request.

7 Can Privileged Access Manager manage password changes to Windows service accounts?

On the Windows operating system, service programs run either using the SYSTEM login ID, which possesses almost every privilege on the system (and consequently can do the maximum harm) and which has no password, or using a real user’s login ID and password, in order to execute with reduced privileges.
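As an added example for this section (not Hitachi ID's tooling): the two steps the section describes, discovering which service programs (SCM services and Scheduler tasks) start under a given account, and then pushing a new password to each of those subscribers once the account's password has been changed in AD or the local SAM. The account names are constructed; the cmdlets used (Get-CimInstance Win32_Service, Invoke-CimMethod Change, Get-ScheduledTask, Set-ScheduledTask) are standard Windows ones, and Get-ScheduledTask needs the ScheduledTasks module (Windows 8 / Server 2012 and later).

```powershell
# Added example (not Hitachi ID's tooling): discover the "subscribers" of a
# Windows service account and push a new password to each of them after the
# account's password has been changed in AD or the local SAM. Account names
# below are constructed.

function Get-ServiceAccountSubscribers {
    param([Parameter(Mandatory)][string]$AccountName)   # 'CORP\svc-backup' or '.\svc-local'
    $short = $AccountName -replace '^\.\\', ''          # Scheduler shows local users without the ".\" prefix
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -and ($_.StartName -ieq $AccountName) } |
        ForEach-Object {
            [pscustomobject]@{ Type = 'Service'; Name = $_.Name; State = $_.State; Principal = $_.StartName }
        }
    $tasks = Get-ScheduledTask |
        Where-Object { $_.Principal.UserId -and (($_.Principal.UserId -ieq $short) -or ($_.Principal.UserId -ieq $AccountName)) } |
        ForEach-Object {
            [pscustomobject]@{ Type = 'ScheduledTask'; Name = $_.TaskName; State = $_.State; Principal = $_.Principal.UserId }
        }
    return @($services) + @($tasks)
}

function Update-SubscriberCredential {
    # Writes the new password into each subscriber's own (reversibly encrypted) copy.
    # Returns one status object per subscriber; failures are returned, not thrown,
    # so the caller can retry off-line subscribers and alert on the rest.
    param(
        [Parameter(Mandatory)][object[]]$Subscribers,
        [Parameter(Mandatory)][pscredential]$Credential,   # account + NEW password
        [switch]$RestartRunningServices                     # advisable for domain accounts (Kerberos ticket expiry)
    )
    $plain = $Credential.GetNetworkCredential().Password
    try {
        foreach ($s in $Subscribers) {
            try {
                switch ($s.Type) {
                    'Service' {
                        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($s.Name)'"
                        $r = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{ StartPassword = $plain }
                        if ($r.ReturnValue -ne 0) { throw "Win32_Service.Change returned $($r.ReturnValue)" }
                        if ($RestartRunningServices -and $svc.State -eq 'Running') {
                            Restart-Service -Name $s.Name -ErrorAction Stop
                        }
                    }
                    'ScheduledTask' {
                        Set-ScheduledTask -TaskName $s.Name -User $Credential.UserName -Password $plain -ErrorAction Stop | Out-Null
                    }
                    default { throw "Unknown subscriber type '$($s.Type)'" }
                }
                [pscustomobject]@{ Subscriber = $s.Name; Type = $s.Type; Status = 'Updated'; Error = $null }
            } catch {
                # A subscriber still holding the OLD password fails at its next start:
                # this is the case the exit trap and retry manager exist for.
                [pscustomobject]@{ Subscriber = $s.Name; Type = $s.Type; Status = 'Failed'; Error = $_.Exception.Message }
            }
        }
    } finally {
        $plain = $null
    }
}

# Usage (constructed names). Step 1: discover and review before any change.
#   $subs = Get-ServiceAccountSubscribers -AccountName 'CORP\svc-backup'
#   $subs | Format-Table -AutoSize
# Step 2: after the rotation job has changed the account password in AD/SAM,
# notify every subscriber and keep the failures for retry and alerting.
#   $cred = Get-Credential -UserName 'CORP\svc-backup' -Message 'NEW password for svc-backup'
#   $result = Update-SubscriberCredential -Subscribers $subs -Credential $cred -RestartRunningServices
#   $result | Where-Object Status -eq 'Failed' | Format-Table -AutoSize
```

Run the discovery step on its own first: the list it returns is the dependency review the section describes, and a service or task missing from it will still be holding the old password after rotation.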
This means that on each Windows workstation and server there are a number of service accounts, each with its own password, which are used to run service programs such as web servers, backup agents, anti- virus software, etc. Service account passwords differ from administrator passwords in that they are stored in at least two places: 1. Hashed, in the security database – e.g., the local SAM database or Active Directory, just like all users. 2. Reversibly encrypted, in the registry or elsewhere, where the program that starts the service (e.g., Service Control Manager or similar) can retrieve it when it needs to start the service. Other Windows components besides the Service Control Manager also store passwords twice: 1. Virtual directories used to access web content from the IIS web server. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 4
  • 8. Privileged Access Manager Frequently Asked Questions 2. Programs scheduled to be run by the Windows Scheduler. Third party programs may also require passwords to be stored outside the Security Accounts Manager (SAM) database. Of the above passwords, all but those used in IIS are static and may represent a security vulnerability. Privileged Access Manager can be configured to secure service account passwords. This means two things, depending on the mode of operation: 1. In pull mode, the Privileged Access Manager workstation service periodically scrambles service ac- count passwords locally, in coordination with the central Privileged Access Manager server cluster. 2. In push mode, Privileged Access Manager servers periodically connect to Windows servers or Active Directory in order to change the passwords of service accounts. In both cases, Privileged Access Manager must notify the program that launches services – the subscriber – of the new password value, so that it can successfully launch the service at the time of the next system restart or when an administrator manually stops and restarts the service in question. In some cases, for example when domain accounts are used to run services, an immediate restart may be required or advisable, due to Kerberos token expiry. Privileged Access Manager includes extensive automation to discover subscribers and subscriber-to-service- account dependency. This allows Hitachi ID Systems customers to review what services are run in the se- curity context of what named users, on what systems. This is particularly helpful where services run in the security context of domain accounts, since multiple services on multiple servers may rely on the same ser- vice account and may therefore require notification of the same new password in a quick and fault-tolerant fashion. Privileged Access Manager includes several processes that support safe and secure changes to service account passwords: 1. 
Auto-discovery of subscriber/account dependencies for a variety of subscriber types: IIS, Scheduler, SCM, DCOM, at various OS and subscriber versions. 2. A white-list mechanism (usually table driven, but a plug-in is available for more complex scenarios) so customers can control which service accounts should have their passwords randomized and when. 3. Built-in tools to notify known subscribers of new password values. 4. A transaction manager that can retry notifications to off-line subscribers. The above are primarily used when managed systems are integrated with Privileged Access Manager in "push mode" – i.e., there is no locally installed software on the target system and Privileged Access Manager initiates all connections remotely, over the network, directly or via a co-located Privileged Access Manager proxy server. In case push mode is inappropriate – for example because the relevant services (remote registry, WMI, etc.) are disabled or firewalled or because the end system is offline or inaccessible due to name resolution or IP routing issues (NAT, etc.), a pull mode service can be installed on the managed system, which performs © 2014 Hitachi ID Systems, Inc.. All rights reserved. 5
  • 9. Privileged Access Manager Frequently Asked Questions essentially the same functions but with much simpler connectivity (call home over HTTPS) and no need for network accessible services on the local system. Pull mode is normally used on laptops and in some cases desktop PCs, but works on any system running any version of the Windows OS. Any problems encountered in updating a service password can and should be configured to trigger an exit trap program on the Privileged Access Manager server, to notify an administrator of an imminent problem when the service in question is next started. Both the discovery and notification mechanisms described above are extensible. This means that customers who have other types of subscribers – for example, third party job schedulers – can add small programs that discover their account dependencies and notify them of new service account passwords. These are typically command-line programs (Windows executable or script) that run on the Privileged Access Manager server. For pull mode, the equivalent form of extensibility is provided via deployment-specific DLLs. 8 Can Privileged Access Manager randomize passwords on ....? Hitachi ID Privileged Access Manager comes with built-in connectors for most common systems and appli- cations, as illustrated below. All connectors are included in the base price. Directories: Servers: Databases: Any LDAP, AD, NDS, eDirectory, NIS/NIS+. Windows 2000–2012, Samba, NDS, SharePoint. Oracle, Sybase, SQL Server, DB2/UDB, ODBC, Informix. Unix: Mainframes: Midrange: Linux, Solaris, AIX, HPUX, 24 more variants. z/OS with RAC/F, ACF/2 or TopSecret. iSeries (OS400), OpenVMS. ERP: Collaboration: Tokens, Smart Cards: JDE, Oracle eBiz, PeopleSoft, SAP R/3, SAP ECC 6, Siebel, Business Objects. Lotus Notes, Exchange, GroupWise, BlackBerry ES. RSA SecurID, SafeWord, RADIUS, ActivIdentity, Schlumberger. WebSSO: Help Desk: HDD Encryption: CA Siteminder, IBM TAM, Oracle AM, RSA Access Manager. 
BMC Remedy, BMC SDE, ServiceNow, HP Service Manager, CA Unicenter, Assyst, HEAT, Altiris, Clarify, Track-It!, RSA Envision, MS SCS Manager. McAfee, CheckPoint, BitLocker, PGP. SaaS: Miscellaneous: Extensible: Salesforce.com, WebEx, Google Apps, MS Office 365, SOAP (generic). OLAP, Hyperion, iLearn, Caché, Success Factors, VMWare vSphere. SSH, Telnet, TN3270, HTTP(S), SQL, LDAP, command-line. Privileged Access Manager includes a number of flexible connectors, each of which is used to script in- © 2014 Hitachi ID Systems, Inc.. All rights reserved. 6
  • 10. Privileged Access Manager Frequently Asked Questions tegration with a common protocol or mechanism. These connectors allow organizations to quickly and inexpensively integrate Privileged Access Manager with custom and vertical market applications. The abil- ity to quickly and inexpensively add integrations increases the value of the Privileged Access Manager system as a whole. There are flexible connectors to script interaction with: API binding: Terminal emulation: Web services: Back end integration: Command-line: • C, C++ • Java, J2EE • .NET • COM, ActiveX • MQ Series • SSH • Telnet • TN3270, TN5250 • Simulated browser • SOAP • WebRPC • Pure HTTP(S) • SQL Injection • LDAP attributes • Windows • Power Shell • Unix/Linux Organizations that wish to write a completely new connector to integrate with a custom or vertical market application may do so using whatever development environment they prefer (J2EE, .NET, Perl, etc.) and invoke it as either a command-line program or web service. If the organization develops their own integrations, an effort of between four hours and four days is typical. Alternately, Hitachi ID Systems offers fixed-cost custom integrations for a nominal fee. 9 Can Privileged Access Manager launch an administrator login ses- sions to ....? Hitachi ID Privileged Access Manager controls access by users and programs to privileged accounts on systems and applications. By default, that means that when a user is authorized to connect to a privileged account, the user is able to launch a login session directly to that account without ever seeing its password. Display of current password values can be enabled through Privileged Access Manager policy configuration but is not normally recommended. Access disclosure options include: 1. 
IT staff can directly launch Terminal Services (RDP), SSH (PuTTY), VMWare vSphere, SQL Studio, web browser/form login and other connections to target systems from the Privileged Access Manager web user interface, without displaying a password value. 2. IT staff can use an ActiveX control embedded in the Privileged Access Manager web portal to place a copy of a sensitive password into their Windows copy buffer, again without displaying the passwords. This password is automatically cleared from their copy buffer after a few seconds. 3. Privileged Access Manager can dynamically attach a recipient’s Active Directory domain login ID to a local security group on a target system and later remove it. This eliminates the need to disclose © 2014 Hitachi ID Systems, Inc.. All rights reserved. 7
  • 11. Privileged Access Manager Frequently Asked Questions passwords even to a software agent on the recipient’s workstation. 4. Privileged Access Manager can temporarily place a user’s public SSH key into the target account’s .ssh/authorized_keys file. 5. Where password display is required (e.g., a target system is currently offline), JavaScript in the Privileged Access Manager web portal removes it from the screen after a few seconds. A policy defined for each set of managed systems in Privileged Access Manager determines which of these access disclosure mechanisms is available. For example, password display may be allowed for Windows workstations, since they may be inaccessible over the network, but RDP sessions with injected passwords may be mandatory on Windows servers. 10 What happens when an administrator needs to sign into the phys- ical console of a server? Password display is supported. Hitachi ID Systems recommends limiting the set of people who have access to this – i.e., only data center staff should be able to display passwords and perhaps only with workflow approvals. 11 Which web browsers does Privileged Access Manager support? 11.1 Basic user interface Hitachi ID Privileged Access Manager presents a pure HTML user interface, with small JavaScript snippets used only for non-essential functions (such as positioning the cursor or closing the current window). This interface ensures compatibility with all web browsers. Privileged Access Manager’s web user interface is routinely and successfully tested using: • Internet Explorer versions 7.x and later (IE6 works but with minor visual artifacts). • Firefox (any version released since about 2010 should be fine). • Safari, Chrome and other WebKit-based browsers. • Opera (full and mini versions). • Browsers on smart phones (BlackBerry native, Safari on iPhone, Android native, Dolphin, etc.). • Even text mode browsers such as lynx and w3m. 
The Privileged Access Manager user interface is compatible and periodically tested with speaking web browsers (for the visually impaired). In addition to standard HTML, Privileged Access Manager can take advantage of ActiveX components specifically in IE to execute local code. Example uses of this optional capability include: © 2014 Hitachi ID Systems, Inc.. All rights reserved. 8
  • 12. Privileged Access Manager Frequently Asked Questions 1. To launch login sessions to privileged accounts on managed systems and inject credentials into those login sessions (e.g., PuTTY, RDP, SQL, vSphere, etc.). 2. To record screen, keyboard, webcam and other data during the life of such login sessions. 11.2 ActiveX components used to launch login sessions ActiveX can be used (but is not required) to: 1. Launch connections from administrator PCs to target systems (RDP, SSH, SQL Studio, VMWare vSphere, etc.) without having to disclose privileged passwords to users and without users having to type login IDs and passwords for the privileged accounts on systems they need to sign into. Any command-line client software, plus the RDP control built into Windows, can be activated in this way. 2. Place a copy of a privileged password in a user’s copy buffer and automatically remove it after a short time, without having to display it. This allows administrators to (briefly) paste a sensitive password into a login prompt without having to see it. IE7 and later are supported as a platform to launch connections via ActiveX (IE6 also works but like all vendors, Hitachi ID Systems would prefer that IE6 disappeared as soon as possible). Using ActiveX to launch administrator login sessions means the connection is directly from the user’s PC to the managed system – not though a proxy. This means there is no bottleneck for performance or service availability. It also means that Hitachi ID Privileged Access Manager can launch a variety of client/server administration tools and is not limited to specific versions of specific protocols. 12 Can Privileged Access Manager you secure privileged passwords on laptops (which move around and get disconnected)? A password management system can easily make connections to servers, which have fixed network ad- dresses, are always on and are continuously connected to the network. 
It is much harder for a central password management server to connect to mobile laptops, for several reasons:

• Laptops frequently move from site to site.
• Even when they stay in one place, laptop IP addresses may change dynamically because of DHCP.
• Laptops are often turned off and do not respond to network inquiries while powered down.
• Laptops may be unplugged from the network, either to move them or during periods of disuse.
• Laptops may be protected by a firewall that blocks inbound network connections to the PC.

In short, while it is easy for a laptop to contact a central server, it is nearly impossible for the reverse to happen reliably.
To secure privileged accounts on mobile workstations (typically laptops), Hitachi ID Privileged Access Manager includes a service which is installed on the relevant PCs and which contacts a central server to coordinate local password changes. This architecture has several important advantages:

• The workstation service uses only HTTPS to communicate with the central server and works even when the workstation sits behind NAT devices, firewalls or application proxies.
• The workstation service does not randomize passwords unless it has established connectivity with the central privileged access management server. This avoids a situation where the central server does not know the new password value for a workstation.
• Dynamic IP addresses have no impact on this architecture.
• Physical relocation and long periods without network connectivity may delay updates to local passwords, but do not introduce a failure whereby the local administrator passwords on a workstation become unknown.

In summary, Privileged Access Manager supports management of passwords on laptops, which may be mobile, have dynamic IP addresses, get unplugged, etc. This is done using client software that works by "pulling" new passwords from the Privileged Access Manager server cluster. Client software is available for:

1. Windows 2000, XP, Vista/7/8, 2003, 2008 and 2008R2.
2. Unix (various vendors) and Linux (x86).

The Windows pull-mode service includes plug-ins that notify operating system components of new service account passwords. Plug-ins are provided for the Windows Service Control Manager, Windows Scheduler and IIS.
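The property that matters in the pull-mode design above is ordering: the endpoint must never set a new local password before the central server has a durable copy of it, and a lost reply must leave the server holding a value that still works. The following is an added example, not Hitachi ID code, of that handshake written as a two-phase exchange (propose, then confirm) with the central server stood in by an in-memory Vault class; in a real deployment the two calls would be HTTPS requests from the laptop. The Vault and Endpoint classes, the status strings and the reachability flags are all constructed for the example.

```python
"""Added example (not Hitachi ID code): a pull-mode rotation handshake in
which the endpoint changes its local password only after the central vault
has recorded the candidate value, so a lost reply can never leave the vault
without a copy of the password actually set on the host."""
import secrets
import string
from dataclasses import dataclass, field
from typing import Optional

ALPHABET = string.ascii_letters + string.digits + "!#%+-=?@_"


class VaultUnreachable(Exception):
    """The endpoint could not reach the central server (simulated)."""


@dataclass
class Vault:
    """Central store. A record holds the value currently set on the host and,
    while a rotation is in flight, the candidate value the host may set next."""
    records: dict = field(default_factory=dict)   # (host, account) -> record
    reachable: bool = True
    drop_confirm: bool = False   # simulate: proposal stored, confirmation lost

    def _record(self, host, account):
        return self.records.setdefault((host, account), {"current": None, "pending": None})

    def enroll(self, host, account, current):
        """Seed the value set when the host was built (constructed test data)."""
        self._record(host, account)["current"] = current

    def propose(self, host, account, candidate):
        """Phase 1: record the candidate *before* the host uses it."""
        if not self.reachable:
            raise VaultUnreachable(host)
        self._record(host, account)["pending"] = candidate

    def confirm(self, host, account, candidate):
        """Phase 2: the host reports that the candidate is now in effect."""
        if not self.reachable or self.drop_confirm:
            self.drop_confirm = False
            raise VaultUnreachable(host)
        rec = self._record(host, account)
        if rec["pending"] != candidate:
            raise ValueError("confirmation does not match pending candidate")
        rec["current"], rec["pending"] = candidate, None

    def candidates(self, host, account):
        """Values an operator may try when signing in: current first, then pending."""
        rec = self._record(host, account)
        return [v for v in (rec["current"], rec["pending"]) if v is not None]


@dataclass
class Endpoint:
    """The pull-mode service on one laptop."""
    host: str
    account: str = "Administrator"
    local_password: str = "build-image-password"   # constructed initial value
    unconfirmed: Optional[str] = None   # set locally but not yet confirmed to the vault

    def rotate(self, vault: Vault) -> str:
        """Returns 'skipped', 'pending' or 'rotated'. A pending confirmation is
        retried before any new candidate is generated."""
        if self.unconfirmed is not None:
            return self._confirm(vault, self.unconfirmed)
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(24))
        try:
            vault.propose(self.host, self.account, candidate)
        except VaultUnreachable:
            return "skipped"   # nothing changed locally; the vault never saw the value
        self.local_password = candidate   # the real service would call the OS here
        return self._confirm(vault, candidate)

    def _confirm(self, vault, candidate):
        try:
            vault.confirm(self.host, self.account, candidate)
        except VaultUnreachable:
            self.unconfirmed = candidate   # the vault still holds it as pending
            return "pending"
        self.unconfirmed = None
        return "rotated"


def vault_can_sign_in(endpoint: Endpoint, vault: Vault) -> bool:
    """The invariant the ordering guarantees: whatever the transport did, the
    password on the host is one of the values the vault has recorded."""
    return endpoint.local_password in vault.candidates(endpoint.host, endpoint.account)
```

The "pending" branch is the one worth studying: because the candidate was recorded before the local change, an operator can still get in with the second listed value even if the laptop is powered off before it confirms.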
13 How can we automate the setup and teardown of thousands of systems on Privileged Access Manager?

In organizations with large numbers of servers or other systems (e.g., databases, routers, etc.), it is clearly desirable to auto-discover and auto-maintain the list of systems, and the list of accounts to manage on each system, rather than manually adding and maintaining thousands of separate target systems and accounts.

To auto-discover systems, most organizations pull data from an Active Directory or LDAP directory. Computer objects found in the directory are classified based on their attributes, automatically managed (or not) and attached to the appropriate managed system policies, which specify password change frequency, access control rules, access disclosure methods, etc.

A second auto-discovery process probes each managed system to find accounts that should be managed. On most systems, a list of local users and groups is generated. On Windows systems, this process also enumerates services, scheduled jobs, IIS objects (e.g., anonymous users, application pools, etc.) and DCOM objects, and determines which account runs each of them. Import rules determine which of these accounts will be managed by Hitachi ID Privileged Access Manager (e.g., based on account attributes, group membership, security IDs, account/service relationships, etc.) and which managed system policy to assign to each managed account.

Alternatives to Active Directory- or LDAP-driven computer object lists include DNS queries or zone transfers, IP port scans of specific subnets and data imports from an inventory management system.

Privileged Access Manager also includes an automated mechanism to inform programs that store a copy of a password of its new value.
A plug-in program connects to Windows servers after each password change and automatically updates the Service Control Manager, Windows Scheduler, IIS or DCOM with the new password value.

The Privileged Access Manager auto-discovery process is able to list, classify and probe over 10,000 systems per hour. It is normally scheduled to run daily.
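The two discovery passes described in this section, in miniature, as an added example that is not Hitachi ID code. Pass one classifies directory computer objects into managed-system policies by evaluating ordered attribute rules (first match wins). Pass two applies import rules to what a host probe returns: local accounts, plus the identities that run services and scheduled jobs, skipping the built-in Windows service identities that have no password of their own, and recording which services depend on each managed account so the Service Control Manager can be told about a new password. The policy names, the rule set, the host inventory and every sample object are constructed for the example; the service list is shaped like WMI Win32_Service output (name and StartName).

```python
"""Added example (not Hitachi ID code): directory-driven system
classification and import rules for accounts found on a probed host."""
from dataclasses import dataclass


@dataclass
class Computer:
    """A directory computer object reduced to the attributes the rules use."""
    dn: str
    operating_system: str
    enabled: bool = True


# Ordered rules; the first one whose predicate is true names the policy.
SYSTEM_RULES = [
    ("unmanaged",             lambda c: not c.enabled),
    ("domain-controllers",    lambda c: "OU=Domain Controllers" in c.dn),
    ("windows-servers-daily", lambda c: c.operating_system.startswith("Windows Server")),
    ("laptops-pull-mode",     lambda c: "OU=Laptops" in c.dn),
    ("workstations-weekly",   lambda c: c.operating_system.startswith("Windows")),
    ("review-manually",       lambda c: True),   # unknown OS: a human decides
]


def classify_systems(computers):
    """Map each computer DN to the first policy whose rule matches."""
    return {c.dn: next(name for name, rule in SYSTEM_RULES if rule(c)) for c in computers}


# Windows service identities that must never be imported as managed accounts.
BUILTIN_IDENTITIES = {"localsystem", "nt authority\\system",
                      "nt authority\\localservice", "nt authority\\networkservice"}


@dataclass
class HostInventory:
    """What a probe of one Windows host returned (constructed shape)."""
    host: str
    local_users: list     # names of local accounts
    services: list        # (service name, account that runs it)
    tasks: list           # (scheduled task name, account that runs it)


def split_identity(host, name):
    """Normalize 'DOMAIN\\user', '.\\user', 'user@domain' or 'user' to (domain, user)."""
    if "@" in name:
        user, domain = name.split("@", 1)
        return domain.upper(), user
    if "\\" in name:
        domain, user = name.split("\\", 1)
        return (host.upper() if domain == "." else domain.upper()), user
    return host.upper(), name


def import_accounts(inv: HostInventory):
    """Return {(domain, user): {"policy": ..., "dependents": [...]}} for the
    accounts the import rules select on this host. An account that runs a
    service or task gets a service-account policy and a list of what depends
    on it, so a password change can be pushed to those components."""
    managed = {}
    for user in inv.local_users:
        managed[(inv.host.upper(), user)] = {"policy": "local-accounts", "dependents": []}
    for kind, entries in (("service", inv.services), ("task", inv.tasks)):
        for name, runas in entries:
            if runas.lower() in BUILTIN_IDENTITIES:
                continue   # no password exists for these; nothing to manage
            key = split_identity(inv.host, runas)
            entry = managed.setdefault(key, {"dependents": []})
            # A domain account may run services on many hosts; its rotation
            # has to fan out to every dependent before the old value dies.
            entry["policy"] = ("domain-service-accounts" if key[0] != inv.host.upper()
                               else "service-accounts")
            entry["dependents"].append(f"{kind}:{name}")
    return managed
```

Running both passes daily, as the text suggests, also catches the reverse case: an account that stopped running any service can be re-evaluated against the rules and dropped from the service-account policy.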
14 Can Privileged Access Manager assign privileges less than full-administrator to users?

Yes. For Unix/Linux, please refer to the next question. For Windows, see below.

Hitachi ID Privileged Access Manager can be configured to disclose privileged access to Windows servers by temporarily placing an administrative user's unprivileged Active Directory domain account into a privileged security group on the target computer. This process works as follows:

1. Administrator A requests privileged access to computer C.
2. The request is approved either because A has been pre-approved for such access (typically via membership in an AD group) or because some other user, with ownership rights to computer C, approves the request.
3. Administrator A "checks out" access to computer C.
4. Privileged Access Manager places A's AD account into a privileged group on computer C, such as the local "Administrators" group.
5. A connects to C using RDP. This connection may be mediated by Privileged Access Manager, which can launch the RDP session directly from its web portal using an ActiveX control.
6. Depending on how Privileged Access Manager and C are configured, A may or may not have to type his personal AD password to establish the RDP connection to C. For example, if C accepts Kerberos-authenticated RDP sessions, or if Privileged Access Manager has an agent on A's workstation that can acquire his login password, no manual authentication step is required.
7. Eventually A will either check in the session or the session will time out. When either event happens, Privileged Access Manager removes A's AD account from the privileged group on C.
This approach of manipulating group memberships rather than disclosing a password has the advantage that audit logs on the target computer (C in the example above) show activity by the individual administrator (A in the example above) rather than by a generic local administrator account.

The limitations of this approach are:

1. It does not help with non-Windows machines or machines that are not domain members.
2. It does not help with machines that are disconnected from the network.

Note also that Windows builds a user's access token at logon, so removing A from the group does not strip privileges from a session that is already open; the revocation takes full effect only once that session ends.
15 Can Privileged Access Manager interoperate with sudo on Unix/Linux?

Hitachi ID Privileged Access Manager can be configured to disclose privileged access to Unix and Linux computers by temporarily placing an administrative user's personal SSH public key into the trusted keys file of a functional account on the target computer. This architecture works as follows:

1. The Privileged Access Manager server has its own SSH key pair (public and private key).
2. Every user who may require privileged access to Unix/Linux systems must have:
   (a) An SSH client package on his PC.
   (b) An SSH key pair (private and public key).
3. A copy of every user's public SSH key is kept on the Privileged Access Manager server.
4. Each managed Unix/Linux computer is configured with:
   (a) An SSHD listener.
   (b) The sudo package.
   (c) A set of functional, unprivileged accounts (more on this below).
5. The /etc/sudoers file on each managed Unix/Linux computer is configured to grant a set of predefined privileges to each functional account. For example:
   • The account dba might be allowed to perform database-related tasks.
   • The account backup might be allowed to perform filesystem backups.
   • The account procmon might be allowed to kill runaway processes.
   • The account monitor might be allowed to read statistics from /proc.
6. The .ssh/authorized_keys file of each functional account is configured to trust the public SSH key of the Privileged Access Manager server.
7. At access checkout time, Privileged Access Manager modifies the .ssh/authorized_keys file of the functional account to which access was granted to include the public key of the user who needs access to that account.
8. At access check-in or expiry time, Privileged Access Manager modifies the .ssh/authorized_keys file of the relevant functional account to remove the public key of the user who had access to that account.

The access disclosure process works as follows:

1. Administrator A requests access to functional account F on computer C.
2. The request is approved either because A has been pre-approved for such access (typically via membership in an AD group) or because some other user, with ownership rights to F@C, approves the request.
3. Administrator A "checks out" access to F@C.
4. Privileged Access Manager retrieves a copy of .ssh/authorized_keys from F@C, adds A's public SSH key to the file and writes the new .ssh/authorized_keys back to F@C's home directory.
5. A connects to F@C using SSH. This connection is authenticated using an SSH key exchange (not a password).
6. A may have to type a passphrase to unlock his own SSH private key, depending on whether that key is stored encrypted.
7. Eventually A will either check in the session or the session will time out. When either event happens, Privileged Access Manager removes A's public SSH key from F@C's .ssh/authorized_keys file.

16 Can Privileged Access Manager integrate with SIEM systems?

The logging service in Hitachi ID Privileged Access Manager can be configured to forward syslog messages to a network logging system, including the collectors exposed by all popular SIEM applications.

17 How does Privileged Access Manager defend itself against compromise of sensitive passwords?

Encryption is used to protect stored Hitachi ID Privileged Access Manager data as follows:

Data stored on the Privileged Access Manager server

  Data                                                    Algorithm     Key
  Privileged passwords, used to log into target systems   128-bit AES   128-bit random
  Answers to security questions                           128-bit AES   128-bit random
  User old password history                               SHA-1         64-bit random salt
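The Windows procedure of section 14 and the Unix procedure of section 15 share one lifecycle: grant on checkout, revoke on check-in or when the time-to-live expires. The following is an added example, not Hitachi ID code, of that engine with both disclosure back-ends behind it. The Windows back-end only simulates a local group; the Unix back-end does real edits of authorized_keys text, tagging every injected line with a marker comment so that a later pass can remove exactly the keys the engine added and leave the server's own key (and anything an administrator put there by hand) untouched. A revocation that fails because the host is unreachable is kept and retried on the next scheduled run rather than forgotten. The marker string, TTLs, host classes and the sample keys are all constructed for the example.

```python
"""Added example (not Hitachi ID code): checkout/check-in engine with a
simulated Windows local-group back-end and a real authorized_keys editor."""
import re
from dataclasses import dataclass, field

MARKER = "hipam-checkout"   # hypothetical tag appended to keys the engine injects
_BLOB = re.compile(r"\b(AAAA[A-Za-z0-9+/=]+)")   # the base64 key body of a line


def _blob(line):
    m = _BLOB.search(line)
    return m.group(1) if m else None


def add_key(authorized_keys: str, pubkey: str, tag: str) -> str:
    """Append pubkey (type and blob) tagged MARKER:tag. Idempotent: a key that
    is already present, such as the PAM server's own, is left alone."""
    lines = [l for l in authorized_keys.splitlines() if l.strip()]
    key_type, blob = pubkey.split()[:2]
    if not any(_blob(l) == blob for l in lines):
        lines.append(f"{key_type} {blob} {MARKER}:{tag}")
    return "\n".join(lines) + "\n"


def remove_key(authorized_keys: str, tag: str) -> str:
    """Drop only the lines this engine injected for this tag."""
    lines = [l for l in authorized_keys.splitlines()
             if l.strip() and not l.rstrip().endswith(f"{MARKER}:{tag}")]
    return "\n".join(lines) + "\n"


class UnixHost:
    """authorized_keys text per functional account on one managed host."""
    def __init__(self, keys_by_account, reachable=True):
        self.keys, self.reachable = dict(keys_by_account), reachable

    def grant(self, user, account, pubkey, tag):
        self._check()
        self.keys[account] = add_key(self.keys[account], pubkey, tag)

    def revoke(self, user, account, pubkey, tag):
        self._check()
        self.keys[account] = remove_key(self.keys[account], tag)

    def _check(self):
        if not self.reachable:
            raise ConnectionError("host unreachable")


class WindowsHost:
    """Local group membership on one domain-joined host (simulated)."""
    def __init__(self, reachable=True):
        self.groups = {"Administrators": {"FS01\\Administrator"}}   # constructed
        self.reachable = reachable

    def grant(self, user, account, pubkey, tag):
        self._check()
        self.groups[account].add(user)

    def revoke(self, user, account, pubkey, tag):
        self._check()
        self.groups[account].discard(user)

    def _check(self):
        if not self.reachable:
            raise ConnectionError("host unreachable")


@dataclass
class Checkout:
    id: str
    user: str
    host: object
    account: str
    pubkey: str
    expires_at: float


@dataclass
class CheckoutEngine:
    active: dict = field(default_factory=dict)
    pending_revocations: list = field(default_factory=list)
    _seq: int = 0

    def checkout(self, user, host, account, pubkey, now, ttl):
        """Called only after the request has been approved."""
        self._seq += 1
        c = Checkout(f"R{self._seq}", user, host, account, pubkey, now + ttl)
        host.grant(user, account, pubkey, c.id)
        self.active[c.id] = c
        return c.id

    def checkin(self, cid):
        self._revoke(self.active.pop(cid))

    def tick(self, now):
        """Scheduled run: retry failed revocations, then expire overdue grants."""
        retry, self.pending_revocations = self.pending_revocations, []
        for c in retry:
            self._revoke(c)
        for cid in [k for k, c in self.active.items() if c.expires_at <= now]:
            self.checkin(cid)

    def _revoke(self, c):
        try:
            c.host.revoke(c.user, c.account, c.pubkey, c.id)
        except ConnectionError:
            self.pending_revocations.append(c)   # never silently lose a revocation
```

Neither back-end ends a session that is already open: an SSH connection authenticated before the key was removed, like a Windows logon token built before the group change, keeps its access until it terminates. An engine that must enforce the timeout strictly needs a second action at expiry that disconnects the live session.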
18 How do we protect Privileged Access Manager against data loss?

Once deployed, Hitachi ID Privileged Access Manager becomes an essential part of an organization's IT infrastructure, since it alone has access to privileged passwords for thousands of networked devices. An interruption to the availability of Privileged Access Manager or its password vault would mean that administrative access to a range of devices is interrupted, a major IT service disruption.

Since servers occasionally break down, Privileged Access Manager supports load balancing and data replication between multiple physical servers and multiple credential vaults. Any update written to one database instance is automatically replicated, in real time, over an encrypted communication path, to all other Privileged Access Manager servers and all other credential vaults. In short, Privileged Access Manager incorporates a highly available, replicated, multi-master architecture for both the application and the credential vault.

To provide out-of-the-box data replication, Privileged Access Manager includes a database service that replicates updates across multiple database instances. This service can be configured to use either Oracle or Microsoft SQL Server databases for physical storage. Hitachi ID Systems recommends one physical database per Privileged Access Manager server, normally on the same hardware as the Privileged Access Manager application.

The Privileged Access Manager data replication system makes it both simple and advisable for organizations to build a highly available Privileged Access Manager server cluster spanning multiple servers, with each server placed in a different data center. Replication traffic is encrypted, authenticated, bandwidth-efficient and tolerant of latency, making it suitable for deployment over a WAN.
This multi-site, multi-master replication is configured at no additional cost beyond the hardware for the additional Privileged Access Manager servers, and with minimal manual configuration.

19 Can Privileged Access Manager record what users do while signed into administrator accounts?

Hitachi ID Privileged Access Manager includes a sophisticated infrastructure for monitoring, recording and playing back privileged account login sessions. This includes capturing:

1. Successive screen shots of the interactive administrator login session (RDP, SSH, vSphere, etc.).
2. Periodic web-cam photographs of the (presumed) user, if a web-cam is present.
3. Many types of input events, including key presses, mouse clicks, copies and pastes.
4. Names of processes started and stopped.
5. UI text elements (labels, text input fields, drop-downs, etc.) displayed on the screen.
6. Mapping and disconnecting of file shares (currently under development).
7. Initiation of file transfers, especially to removable media such as USB flash drives (currently under development).
Capture sources can be individually enabled, disabled or configured. This data is stored in a secure database and can be accessed later:

1. Search by user, target system, time, date or metadata.
2. Play back movies of user interaction.
3. Report on events during the session (copy, paste, transfer of files to removable media, etc.).

This data can be extracted, for example for use in a forensic audit or as courtroom evidence.

Two forms of this session monitoring/recording infrastructure are being developed concurrently:

1. One runs when a privileged account login session is initiated via the Privileged Access Manager web portal, by launching an RDP session, SSH session, SQL Studio, a 3270 emulator, VMware vSphere, etc.
2. Another (in Beta release) can be installed on an individual Windows workstation or server (Windows XP, 2003, Vista, 2008, 2008R2, 7, 8) and records user interaction during an interactive login session by a specified user, even if the session was not initiated using Privileged Access Manager at all.

Recorded sessions are stored in a combination of the Privileged Access Manager database (session metadata, keyboard input and other text events, etc.) and server or network filesystems (video captures, web-cam snapshots, etc.). Playback data is packaged as a ZIP file with XML files representing textual data, standard MP4 video files representing screen movies and JPEG files representing web-cam images. These ZIP files are intended to be suitable as forensic evidence in the context of an investigation of improper employee or contractor behavior.
20 How does Privileged Access Manager control access to recorded login sessions (privacy protection)?

Session monitoring can have serious implications for user privacy and so should be implemented with great care. The session monitoring infrastructure is subject to strict access control rules and workflow. For example, an auditor must first request the right to perform a given search through session data. If approved, he can execute the search and may find sessions of interest. The auditor must then request the right to play back selected sessions. Only if this second request is approved can the auditor retrieve session data. Of course, all such requests and searches are indelibly logged.

Another measure used to protect user privacy in Hitachi ID Privileged Access Manager is a pattern-matching censorship process. Hitachi ID Systems customers are encouraged to define regular expression patterns matching passwords, social security numbers, credit card numbers, bank account numbers, etc. A process on the Privileged Access Manager server post-processes keystroke and keyword data captured by the session monitor, searching for matches to these patterns. Matches are deleted from the keystroke and keyword database.

www.Hitachi-ID.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3
Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com
File: /pub/wp/documents/faq/hipam/hipam-faq-1.tex Date: 2011-07-15
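The censorship pass described in section 20, as an added example that is not Hitachi ID code, run over constructed keystroke and UI-text records of the kind section 19 says the monitor captures. Two things go beyond a bare regular expression and are worth seeing: a digit run only counts as a card number if it passes the Luhn check, so ticket numbers and serial numbers survive in the record; and a password is found not by pattern (no regular expression matches an arbitrary password) but by position, as the keystrokes typed immediately after a captured screen label that says "Password" or "passphrase". Matches are replaced with a labelled placeholder instead of being dropped outright, a design choice for this example so that playback shows that something was removed. The record format, patterns and sample data are constructed.

```python
"""Added example (not Hitachi ID code): pattern-based redaction of captured
keystroke data, with a Luhn check on card-number candidates and prompt-
driven redaction of typed passwords."""
import re


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")        # US SSN, dashed form
PROMPT_RE = re.compile(r"pass(word|phrase)", re.I)   # screen labels that precede a secret

# (label, pattern, acceptance test on the match); the test rejects false positives.
PATTERNS = [
    ("cc",  CARD_RE, lambda m: luhn_ok(re.sub(r"[ -]", "", m.group(0)))),
    ("ssn", SSN_RE,  lambda m: True),
]


def censor_text(text: str) -> str:
    """Replace every accepted pattern match with a labelled placeholder."""
    for label, rx, accept in PATTERNS:
        text = rx.sub(lambda m, label=label, accept=accept:
                      f"[REDACTED:{label}]" if accept(m) else m.group(0), text)
    return text


def censor_records(records):
    """records: (timestamp, kind, text) with kind 'key' for typed input and
    'ui' for captured on-screen text. Keystrokes that directly follow a
    password prompt are removed wholesale; other keystrokes are pattern-censored."""
    out, expect_secret = [], False
    for ts, kind, text in records:
        if kind == "ui":
            expect_secret = bool(PROMPT_RE.search(text))
            out.append((ts, kind, text))        # the label itself is not sensitive
        elif expect_secret:
            out.append((ts, kind, "[REDACTED:password]"))
            expect_secret = False
        else:
            out.append((ts, kind, censor_text(text)))
    return out


# Constructed sample session: an SSH login followed by some SQL.
SAMPLE = [
    (0, "key", "ssh dba@db01.corp.example"),
    (1, "ui", "Password:"),
    (2, "key", "Tr0ub4dor&3"),
    (3, "key", "update customers set card='4111 1111 1111 1111' where ssn='123-45-6789'"),
    (4, "key", "select * from tickets where id = 4111111111111112"),
    (5, "ui", "Enter passphrase for key '/home/alice/.ssh/id_ed25519':"),
    (6, "key", "correct horse battery staple"),
]

if __name__ == "__main__":
    for rec in censor_records(SAMPLE):
        print(rec)
```

The prompt-driven rule depends on the UI text capture being in the same timeline as the keystrokes; if the two streams are stored separately they must be merged by timestamp before this pass runs.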