SlideShare une entreprise Scribd logo

General Introduction to Privileged Access Management

Hitachi ID Systems, Inc.
Hitachi ID Systems, Inc.

Introduction to the business challenges of securely managing access to privileged accounts and the technical approaches available to secure administrator, service and application-to-application IDs.

Technologie
1  sur  8
Télécharger pour lire hors ligne
Privileged Access Management Frequently Asked Questions © 2014 Hitachi ID Systems, Inc. All rights reserved.
Contents 1 What are the business problems related to privileged accounts? 1 2 How does a privileged access management system work? 1 3 How often should passwords on privileged accounts be changed? 2 4 How should access to privileged accounts be controlled? 2 5 Can these systems support a "two keys to launch" scenario? 3 6 What about securing passwords to Windows service accounts? 3 7 How about mainframes, ERP applications and other systems? 4 8 Are there alternatives to displaying passwords to administrators? 4 9 Can single sign-on be included? 4 10 What happens a login to the physical console of a server is needed? 5 11 What about privileged accounts on laptops? 5 12 Can the administrator actions be recorded? 6 i
Privileged Access Management Frequently Asked Questions 1 What are the business problems related to privileged accounts? Many organizations have insecure processes for managing privileged accounts – IDs and passwords on servers, workstations, applications and network devices with elevated privileges. Inappropriate disclosure of these passwords would lead to serious security compromise: • Hundreds or thousands of workstations and servers often share the same ID and password. If the password on one device is compromised, all of the devices that share the credential are compromised. • Where a password is used on many systems or needed by many people, it is difficult to coordinate password changes. As a result, passwords on privileged accounts are often left unchanged for months or years, creating an extended window of opportunity for an attacker. • If privileged passwords are rarely changed, when IT staff leave an organization, they retain access to sensitive systems. • When many people know the password to a given account, it is impossible to reliably connect changes (or security compromises) to individual users. 2 How does a privileged access management system work? There are several technological approaches to more securely managing privileged passwords: Approach Pros Cons 1 Eliminate shared passwords entirely and assign personal administrator-level accounts to each IT user, on each asset. Individual accountability for configuration changes. Too many administrator-level accounts on each system. 2 Create and delete personal administrator-level accounts for users on demand. Individual accountability for configuration changes. Complex integration between many systems and the corporate directory. 3 Modify operating systems and applications to check whether users are allowed to perform privileged actions, in real time. Manage access control policies centrally. Fine-grained control over user access. Too many administrator-level accounts on each system plus complex change control on each system. 4 Use software installed on each device to periodically change local passwords. Send a copy of these passwords to a secure vault, shared by many systems. Works even in complex, segmented networks. Requires software on each managed system. 5 Software on a central system periodically pushes new passwords to each device and keeps copies in a secure vault. Minimal footprint on managed systems. Requires connectivity from a central application to managed systems. By far the most common approach to securing privileged accounts is to randomize their passwords regularly. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 1
Privileged Access Management Frequently Asked Questions Normally this process is initiated by a central server, to eliminate the need for change control on each managed system. 3 How often should passwords on privileged accounts be changed? A good rule of thumb is daily. With a daily password change, if a system administrator quits, he would only have access to a few accounts (on systems where he did work on his last day) and all that access would automatically expire within 24 hours. Longer password change intervals introduce the possibility of access retention for more time, creating a longer window of vulnerability. Shorter password change intervals may interfere with work. For example, an administrator may need to sign into a system for several hours to make a complex change, and an hourly password change might interfere with this work. 4 How should access to privileged accounts be controlled? There are two scenarios where people need access to privileged accounts: 1. Routine access: for example, Windows server administrators need frequent access to privileged accounts on Windows, Linux administrators on their servers, desktop support on user PCs, etc. 2. One-time access: for example, data center staff may need access to systems during an emergency in the middle of the night or programmers may need temporary access to diagnose a production problem. Each of these scenarios calls for its own access control strategy. For routine access, administrators should be pre-authorized to gain access whenever they need it. For them, a privileged access management system becomes a launch-pad for single sign-on to accounts they use to do their job. For one-time access, an approvals workflow is required. Users can sign into request access to specified accounts. Other users are then invited via e-mail or SMS to review these requests. They respond by signing into a web portal and approving or rejecting the proposed access. Approved logins behave just like routine access, but only for a limited time. In either case, user roles and account groups play a part in reducing the complexity of system setup. Users should be assigned roles, such as “Windows administrator.” Systems and privileged accounts should be collected into groups. User roles can then be assigned rights to system groups. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 2
Privileged Access Management Frequently Asked Questions 5 Can these systems support a "two keys to launch" scenario? Using the one-time access workflow described above, a privileged access management system should support multiple authorizers. For example, user A might request access to privileged account P on system S. This request could be routed to multiple people to review – say users B, C and D. If any two of B, C and D approve the request, then user A will be allowed to sign into P. 6 What about securing passwords to Windows service accounts? On the Windows operating system, service programs are run either using the SYSTEM login ID, which possesses almost every privilege on the system (and consequently can do the maximum harm) and which has no password or using a real user’s login ID and password, in order to execute with reduced privileges. This means that on each Windows workstation and server there are a number of service accounts, each with its own password, which are used to run service programs such as web servers, backup agents, anti- virus software, etc. Service account passwords differ from administrator passwords in that they are stored in at least two places: 1. Hashed, in the security database – e.g., the local SAM database or Active Directory, just like all users. 2. Reversibly encrypted, in the registry or elsewhere, where the program that starts the service (e.g., Service Control Manager or similar) can retrieve it when it needs to start the service. Other Windows components besides the Service Control Manager also store passwords twice: 1. Virtual directories used to access web content from the IIS web server. 2. Programs scheduled to be run by the Windows Scheduler. Third party programs may also require passwords to be stored outside the Security Accounts Manager (SAM) database. Of the above passwords, all but those used in IIS are static and may represent a security vulnerability. A privileged access management system should be able to change service account passwords: 1. Automatically discover that an account is used to run services on one or more computers. 2. Randomize passwords on service accounts. 3. Notify the service control manager, scheduler, IIS, etc. of new password values. 4. Queue and retry notification in the event of communication problems. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 3
Privileged Access Management Frequently Asked Questions 7 How about mainframes, ERP applications and other systems? Some privileged access management systems include a rich set of connectors and can manage passwords across the enterprise, rather than just on Windows servers and via scripted SSH sessions. It is helpful to deploy a system that can handle the majority of systems in an organization, rather than having to use different applications for each platform. 8 Are there alternatives to displaying passwords to administrators? Displaying passwords from the vault should only be available as a last resort. In most cases, where con- nectivity is available to the system in question, one of the following mechanisms should be used instead: 1. The privileged access management system can launch login sessions using Terminal Services (RDP), SSH (PuTTY), VMWare vSphere, SQL Studio, etc. and inject passwords from the vault, providing the IT user single sign-on and eliminating the need to display plaintext passwords. 2. A copy of the password could be placed in the user’s copy buffer, so that the user can paste it into a login screen. The copy can also be automatically removed from the copy buffer after a minute or two. 3. The authorized user’s personal (and normally unprivileged) Active Directory account can be temporar- ily attached to security groups on Active Directory or on domain-member computers. 4. The authorized user’s public SSH key can be temporarily appended to the .ssh/authorized_keys file of a privileged account on Unix or Linux. 9 Can single sign-on be included? Yes, as described above, this can be done by launching RDP, SSH or similar sessions; by temporarily adding a user’s AD account to security groups or by temporarily creating SSH trust relationships. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 4
Privileged Access Management Frequently Asked Questions 10 What happens a login to the physical console of a server is needed? Password display is needed where a login to a system’s console is required. This access disclosure mech- anism should be handled via the one-time access disclosure workflow, rather than in the context of routine access. 11 What about privileged accounts on laptops? A password management system can easily make connections to servers, which have fixed network ad- dresses, are always on and are continuously connected to the network. It is much harder for a central password management server to connect to mobile laptops, for several reasons: • Laptops frequently move from site to site. • Even when they remain in one place, laptop IP addresses may change dynamically, due to use of DHCP. • Laptops are often turned off and do not respond to network inquiries when deactivated. • Laptops may be unplugged from the network, either to move them or for periods of disuse. • Laptops may be protected by a firewall that blocks network connections inbound to the PC. In short, while it is easy for laptops to contact a central server, it is nearly impossible for the reverse to happen reliably. To secure privileged accounts on laptops, a privileged access management system must include client-side code, which initiates password changes from the laptop, rather than from the central server. This architecture supports: • Laptops that are periodically disconnected or powered down. • Laptops behind firewalls or with un-routable IP addresses (NAT). • Laptops with dynamic IP addresses. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 5
Privileged Access Management Frequently Asked Questions 12 Can the administrator actions be recorded? Modern privileged access management systems support session recording. This technology is used to record login sessions made by administrators to privileged accounts and later search and playback of these sessions. The approaches used to accomplish this vary widely: 1. Instrumentation installed in advance on the user’s PC. 2. Instrumentation on the user’s PC implemented dynamically via ActiveX. 3. Instrumentation on managed servers. 4. A proxy server which intercepts, records and analyzes connection protocols. www.Hitachi-ID.com 500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com File: / pub/ wp/ documents/ faq/ hipam/ pam-faq-generic-1.tex Date: 2011-07-21

Recommandé

Defining Enterprise Identity Management
Defining Enterprise Identity ManagementDefining Enterprise Identity Management
Defining Enterprise Identity ManagementHitachi ID Systems, Inc.
 
Hitachi ID Identity Manager: Faster onboarding, reliable deactivation and eff...
Hitachi ID Identity Manager: Faster onboarding, reliable deactivation and eff...Hitachi ID Identity Manager: Faster onboarding, reliable deactivation and eff...
Hitachi ID Identity Manager: Faster onboarding, reliable deactivation and eff...Hitachi ID Systems, Inc.
 
Hitachi ID Identity Manager: Self-service and automated user provisioning
Hitachi ID Identity Manager: Self-service and automated user provisioningHitachi ID Identity Manager: Self-service and automated user provisioning
Hitachi ID Identity Manager: Self-service and automated user provisioningHitachi ID Systems, Inc.
 
Hitachi ID Password Manager: Enrollment, password reset and password synchron...
Hitachi ID Password Manager: Enrollment, password reset and password synchron...Hitachi ID Password Manager: Enrollment, password reset and password synchron...
Hitachi ID Password Manager: Enrollment, password reset and password synchron...Hitachi ID Systems, Inc.
 
Hitachi ID Suite 9.0 Features and Technology
Hitachi ID Suite 9.0 Features and TechnologyHitachi ID Suite 9.0 Features and Technology
Hitachi ID Suite 9.0 Features and TechnologyHitachi ID Systems, Inc.
 
Hitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Systems, Inc.
 
Hitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Systems, Inc.
 
Hitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Systems, Inc.
 

Recommandé

Defining Enterprise Identity Management
Defining Enterprise Identity ManagementDefining Enterprise Identity Management
Defining Enterprise Identity ManagementHitachi ID Systems, Inc.
 
Hitachi ID Identity Manager: Faster onboarding, reliable deactivation and eff...
Hitachi ID Identity Manager: Faster onboarding, reliable deactivation and eff...Hitachi ID Identity Manager: Faster onboarding, reliable deactivation and eff...
Hitachi ID Identity Manager: Faster onboarding, reliable deactivation and eff...Hitachi ID Systems, Inc.
 
Hitachi ID Identity Manager: Self-service and automated user provisioning
Hitachi ID Identity Manager: Self-service and automated user provisioningHitachi ID Identity Manager: Self-service and automated user provisioning
Hitachi ID Identity Manager: Self-service and automated user provisioningHitachi ID Systems, Inc.
 
Hitachi ID Password Manager: Enrollment, password reset and password synchron...
Hitachi ID Password Manager: Enrollment, password reset and password synchron...Hitachi ID Password Manager: Enrollment, password reset and password synchron...
Hitachi ID Password Manager: Enrollment, password reset and password synchron...Hitachi ID Systems, Inc.
 
Hitachi ID Suite 9.0 Features and Technology
Hitachi ID Suite 9.0 Features and TechnologyHitachi ID Suite 9.0 Features and Technology
Hitachi ID Suite 9.0 Features and TechnologyHitachi ID Systems, Inc.
 
Hitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Systems, Inc.
 
Hitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Systems, Inc.
 
Hitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Systems, Inc.
 
Maximizing Value
Maximizing ValueMaximizing Value
Maximizing ValueHitachi ID Systems, Inc.
 
Authentication Management
Authentication ManagementAuthentication Management
Authentication ManagementHitachi ID Systems, Inc.
 
Introduction to Identity Management
Introduction to Identity ManagementIntroduction to Identity Management
Introduction to Identity ManagementHitachi ID Systems, Inc.
 
Hitachi ID Access Certifier
Hitachi ID Access CertifierHitachi ID Access Certifier
Hitachi ID Access CertifierHitachi ID Systems, Inc.
 
Hitachi ID Group Manager
Hitachi ID Group ManagerHitachi ID Group Manager
Hitachi ID Group ManagerHitachi ID Systems, Inc.
 
Hitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Systems, Inc.
 
Hitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Systems, Inc.
 
Hitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Systems, Inc.
 
Hitachi ID Identity and Access Management Suite
Hitachi ID Identity and Access Management SuiteHitachi ID Identity and Access Management Suite
Hitachi ID Identity and Access Management SuiteHitachi ID Systems, Inc.
 
Identity and Access Lifecycle Automation
Identity and Access Lifecycle AutomationIdentity and Access Lifecycle Automation
Identity and Access Lifecycle AutomationHitachi ID Systems, Inc.
 
Building an Identity Management Business Case
Building an Identity Management Business CaseBuilding an Identity Management Business Case
Building an Identity Management Business CaseHitachi ID Systems, Inc.
 
Privileged Access Management
Privileged Access ManagementPrivileged Access Management
Privileged Access ManagementHitachi ID Systems, Inc.
 
Hitachi ID Access Certifier
Hitachi ID Access CertifierHitachi ID Access Certifier
Hitachi ID Access CertifierHitachi ID Systems, Inc.
 
How Well is Your Organization Protecting its Real Crown Jewels - Identities?
How Well is Your Organization Protecting its Real Crown Jewels - Identities?How Well is Your Organization Protecting its Real Crown Jewels - Identities?
How Well is Your Organization Protecting its Real Crown Jewels - Identities?Hitachi ID Systems, Inc.
 
Hitachi ID Privileged Access Manager
Hitachi ID Privileged Access ManagerHitachi ID Privileged Access Manager
Hitachi ID Privileged Access ManagerHitachi ID Systems, Inc.
 
Hitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Systems, Inc.
 
Hitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Systems, Inc.
 
Hitachi ID Management Suite
Hitachi ID Management SuiteHitachi ID Management Suite
Hitachi ID Management SuiteHitachi ID Systems, Inc.
 
Hitachi ID Identity Express™ - Corporate Edition
Hitachi ID Identity Express™ - Corporate EditionHitachi ID Identity Express™ - Corporate Edition
Hitachi ID Identity Express™ - Corporate EditionHitachi ID Systems, Inc.
 
Hitachi ID Group Manager
Hitachi ID Group ManagerHitachi ID Group Manager
Hitachi ID Group ManagerHitachi ID Systems, Inc.
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 

Contenu connexe

Plus de Hitachi ID Systems, Inc.

Hitachi ID Identity and Access Management Suite
Hitachi ID Identity and Access Management SuiteHitachi ID Identity and Access Management Suite
Hitachi ID Identity and Access Management SuiteHitachi ID Systems, Inc.
 
Building an Identity Management Business Case
Building an Identity Management Business CaseBuilding an Identity Management Business Case
Building an Identity Management Business CaseHitachi ID Systems, Inc.
 
How Well is Your Organization Protecting its Real Crown Jewels - Identities?
How Well is Your Organization Protecting its Real Crown Jewels - Identities?How Well is Your Organization Protecting its Real Crown Jewels - Identities?
How Well is Your Organization Protecting its Real Crown Jewels - Identities?Hitachi ID Systems, Inc.
 
Hitachi ID Identity Express™ - Corporate Edition
Hitachi ID Identity Express™ - Corporate EditionHitachi ID Identity Express™ - Corporate Edition
Hitachi ID Identity Express™ - Corporate EditionHitachi ID Systems, Inc.
 

Plus de Hitachi ID Systems, Inc. (20)

Maximizing Value
Maximizing ValueMaximizing Value
Maximizing Value
 
Authentication Management
Authentication ManagementAuthentication Management
Authentication Management
 
Introduction to Identity Management
Introduction to Identity ManagementIntroduction to Identity Management
Introduction to Identity Management
 
Hitachi ID Access Certifier
Hitachi ID Access CertifierHitachi ID Access Certifier
Hitachi ID Access Certifier
 
Hitachi ID Group Manager
Hitachi ID Group ManagerHitachi ID Group Manager
Hitachi ID Group Manager
 
Hitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Identity Manager
Hitachi ID Identity Manager
 
Hitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Identity Manager
Hitachi ID Identity Manager
 
Hitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Identity Manager
Hitachi ID Identity Manager
 
Hitachi ID Identity and Access Management Suite
Hitachi ID Identity and Access Management SuiteHitachi ID Identity and Access Management Suite
Hitachi ID Identity and Access Management Suite
 
Identity and Access Lifecycle Automation
Identity and Access Lifecycle AutomationIdentity and Access Lifecycle Automation
Identity and Access Lifecycle Automation
 
Building an Identity Management Business Case
Building an Identity Management Business CaseBuilding an Identity Management Business Case
Building an Identity Management Business Case
 
Privileged Access Management
Privileged Access ManagementPrivileged Access Management
Privileged Access Management
 
Hitachi ID Access Certifier
Hitachi ID Access CertifierHitachi ID Access Certifier
Hitachi ID Access Certifier
 
How Well is Your Organization Protecting its Real Crown Jewels - Identities?
How Well is Your Organization Protecting its Real Crown Jewels - Identities?How Well is Your Organization Protecting its Real Crown Jewels - Identities?
How Well is Your Organization Protecting its Real Crown Jewels - Identities?
 
Hitachi ID Privileged Access Manager
Hitachi ID Privileged Access ManagerHitachi ID Privileged Access Manager
Hitachi ID Privileged Access Manager
 
Hitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Identity Manager
Hitachi ID Identity Manager
 
Hitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Password Manager
Hitachi ID Password Manager
 
Hitachi ID Management Suite
Hitachi ID Management SuiteHitachi ID Management Suite
Hitachi ID Management Suite
 
Hitachi ID Identity Express™ - Corporate Edition
Hitachi ID Identity Express™ - Corporate EditionHitachi ID Identity Express™ - Corporate Edition
Hitachi ID Identity Express™ - Corporate Edition
 
Hitachi ID Group Manager
Hitachi ID Group ManagerHitachi ID Group Manager
Hitachi ID Group Manager
 

Dernier

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusZilliz
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...apidays
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbuapidays
 

Dernier (20)

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 

General Introduction to Privileged Access Management

  • 1. Privileged Access Management Frequently Asked Questions © 2014 Hitachi ID Systems, Inc. All rights reserved.
  • 2. Contents 1 What are the business problems related to privileged accounts? 1 2 How does a privileged access management system work? 1 3 How often should passwords on privileged accounts be changed? 2 4 How should access to privileged accounts be controlled? 2 5 Can these systems support a "two keys to launch" scenario? 3 6 What about securing passwords to Windows service accounts? 3 7 How about mainframes, ERP applications and other systems? 4 8 Are there alternatives to displaying passwords to administrators? 4 9 Can single sign-on be included? 4 10 What happens a login to the physical console of a server is needed? 5 11 What about privileged accounts on laptops? 5 12 Can the administrator actions be recorded? 6 i
  • 3. Privileged Access Management Frequently Asked Questions 1 What are the business problems related to privileged accounts? Many organizations have insecure processes for managing privileged accounts – IDs and passwords on servers, workstations, applications and network devices with elevated privileges. Inappropriate disclosure of these passwords would lead to serious security compromise: • Hundreds or thousands of workstations and servers often share the same ID and password. If the password on one device is compromised, all of the devices that share the credential are compromised. • Where a password is used on many systems or needed by many people, it is difficult to coordinate password changes. As a result, passwords on privileged accounts are often left unchanged for months or years, creating an extended window of opportunity for an attacker. • If privileged passwords are rarely changed, when IT staff leave an organization, they retain access to sensitive systems. • When many people know the password to a given account, it is impossible to reliably connect changes (or security compromises) to individual users. 2 How does a privileged access management system work? There are several technological approaches to more securely managing privileged passwords: Approach Pros Cons 1 Eliminate shared passwords entirely and assign personal administrator-level accounts to each IT user, on each asset. Individual accountability for configuration changes. Too many administrator-level accounts on each system. 2 Create and delete personal administrator-level accounts for users on demand. Individual accountability for configuration changes. Complex integration between many systems and the corporate directory. 3 Modify operating systems and applications to check whether users are allowed to perform privileged actions, in real time. Manage access control policies centrally. Fine-grained control over user access. Too many administrator-level accounts on each system plus complex change control on each system. 4 Use software installed on each device to periodically change local passwords. Send a copy of these passwords to a secure vault, shared by many systems. Works even in complex, segmented networks. Requires software on each managed system. 5 Software on a central system periodically pushes new passwords to each device and keeps copies in a secure vault. Minimal footprint on managed systems. Requires connectivity from a central application to managed systems. By far the most common approach to securing privileged accounts is to randomize their passwords regularly. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 1
  • 4. Privileged Access Management Frequently Asked Questions Normally this process is initiated by a central server, to eliminate the need for change control on each managed system. 3 How often should passwords on privileged accounts be changed? A good rule of thumb is daily. With a daily password change, if a system administrator quits, he would only have access to a few accounts (on systems where he did work on his last day) and all that access would automatically expire within 24 hours. Longer password change intervals introduce the possibility of access retention for more time, creating a longer window of vulnerability. Shorter password change intervals may interfere with work. For example, an administrator may need to sign into a system for several hours to make a complex change, and an hourly password change might interfere with this work. 4 How should access to privileged accounts be controlled? There are two scenarios where people need access to privileged accounts: 1. Routine access: for example, Windows server administrators need frequent access to privileged accounts on Windows, Linux administrators on their servers, desktop support on user PCs, etc. 2. One-time access: for example, data center staff may need access to systems during an emergency in the middle of the night or programmers may need temporary access to diagnose a production problem. Each of these scenarios calls for its own access control strategy. For routine access, administrators should be pre-authorized to gain access whenever they need it. For them, a privileged access management system becomes a launch-pad for single sign-on to accounts they use to do their job. For one-time access, an approvals workflow is required. Users can sign into request access to specified accounts. Other users are then invited via e-mail or SMS to review these requests. They respond by signing into a web portal and approving or rejecting the proposed access. Approved logins behave just like routine access, but only for a limited time. In either case, user roles and account groups play a part in reducing the complexity of system setup. Users should be assigned roles, such as “Windows administrator.” Systems and privileged accounts should be collected into groups. User roles can then be assigned rights to system groups. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 2
  • 5. Privileged Access Management Frequently Asked Questions 5 Can these systems support a "two keys to launch" scenario? Using the one-time access workflow described above, a privileged access management system should support multiple authorizers. For example, user A might request access to privileged account P on system S. This request could be routed to multiple people to review – say users B, C and D. If any two of B, C and D approve the request, then user A will be allowed to sign into P. 6 What about securing passwords to Windows service accounts? On the Windows operating system, service programs are run either using the SYSTEM login ID, which possesses almost every privilege on the system (and consequently can do the maximum harm) and which has no password or using a real user’s login ID and password, in order to execute with reduced privileges. This means that on each Windows workstation and server there are a number of service accounts, each with its own password, which are used to run service programs such as web servers, backup agents, anti- virus software, etc. Service account passwords differ from administrator passwords in that they are stored in at least two places: 1. Hashed, in the security database – e.g., the local SAM database or Active Directory, just like all users. 2. Reversibly encrypted, in the registry or elsewhere, where the program that starts the service (e.g., Service Control Manager or similar) can retrieve it when it needs to start the service. Other Windows components besides the Service Control Manager also store passwords twice: 1. Virtual directories used to access web content from the IIS web server. 2. Programs scheduled to be run by the Windows Scheduler. Third party programs may also require passwords to be stored outside the Security Accounts Manager (SAM) database. Of the above passwords, all but those used in IIS are static and may represent a security vulnerability. A privileged access management system should be able to change service account passwords: 1. Automatically discover that an account is used to run services on one or more computers. 2. Randomize passwords on service accounts. 3. Notify the service control manager, scheduler, IIS, etc. of new password values. 4. Queue and retry notification in the event of communication problems. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 3
  • 6. Privileged Access Management Frequently Asked Questions 7 How about mainframes, ERP applications and other systems? Some privileged access management systems include a rich set of connectors and can manage passwords across the enterprise, rather than just on Windows servers and via scripted SSH sessions. It is helpful to deploy a system that can handle the majority of systems in an organization, rather than having to use different applications for each platform. 8 Are there alternatives to displaying passwords to administrators? Displaying passwords from the vault should only be available as a last resort. In most cases, where con- nectivity is available to the system in question, one of the following mechanisms should be used instead: 1. The privileged access management system can launch login sessions using Terminal Services (RDP), SSH (PuTTY), VMWare vSphere, SQL Studio, etc. and inject passwords from the vault, providing the IT user single sign-on and eliminating the need to display plaintext passwords. 2. A copy of the password could be placed in the user’s copy buffer, so that the user can paste it into a login screen. The copy can also be automatically removed from the copy buffer after a minute or two. 3. The authorized user’s personal (and normally unprivileged) Active Directory account can be temporar- ily attached to security groups on Active Directory or on domain-member computers. 4. The authorized user’s public SSH key can be temporarily appended to the .ssh/authorized_keys file of a privileged account on Unix or Linux. 9 Can single sign-on be included? Yes, as described above, this can be done by launching RDP, SSH or similar sessions; by temporarily adding a user’s AD account to security groups or by temporarily creating SSH trust relationships. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 4
  • 7. Privileged Access Management Frequently Asked Questions 10 What happens a login to the physical console of a server is needed? Password display is needed where a login to a system’s console is required. This access disclosure mech- anism should be handled via the one-time access disclosure workflow, rather than in the context of routine access. 11 What about privileged accounts on laptops? A password management system can easily make connections to servers, which have fixed network ad- dresses, are always on and are continuously connected to the network. It is much harder for a central password management server to connect to mobile laptops, for several reasons: • Laptops frequently move from site to site. • Even when they remain in one place, laptop IP addresses may change dynamically, due to use of DHCP. • Laptops are often turned off and do not respond to network inquiries when deactivated. • Laptops may be unplugged from the network, either to move them or for periods of disuse. • Laptops may be protected by a firewall that blocks network connections inbound to the PC. In short, while it is easy for laptops to contact a central server, it is nearly impossible for the reverse to happen reliably. To secure privileged accounts on laptops, a privileged access management system must include client-side code, which initiates password changes from the laptop, rather than from the central server. This architecture supports: • Laptops that are periodically disconnected or powered down. • Laptops behind firewalls or with un-routable IP addresses (NAT). • Laptops with dynamic IP addresses. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 5
  • 8. Privileged Access Management Frequently Asked Questions 12 Can the administrator actions be recorded? Modern privileged access management systems support session recording. This technology is used to record login sessions made by administrators to privileged accounts and later search and playback of these sessions. The approaches used to accomplish this vary widely: 1. Instrumentation installed in advance on the user’s PC. 2. Instrumentation on the user’s PC implemented dynamically via ActiveX. 3. Instrumentation on managed servers. 4. A proxy server which intercepts, records and analyzes connection protocols. www.Hitachi-ID.com 500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com File: / pub/ wp/ documents/ faq/ hipam/ pam-faq-generic-1.tex Date: 2011-07-21