
Information Assurance | ISACA


2 Me

Speaker
• Ed Breay
• Sr. Sales Engineer, Hitachi ID Systems.

Company
• Hitachi, Ltd.: a 100 year old Fortune 100 conglomerate.
• Hitachi ID Systems, Inc.: a 19 year old IAM software subsidiary.
• Headquarters in Calgary, Alberta, Canada.
• 150+ employees, offices worldwide.

Product
• Hitachi ID Privileged Access Manager.

Customers
• Over 1000 enterprises.
• Average 12,000 employees.

3 The Problem

© 2012 Hitachi ID Systems, Inc. All rights reserved.


3.1 The power of privilege...

"To err is human... to really screw things up requires the root password".

3.2 Privileged passwords

The most dangerous accounts are often poorly managed.

• Who knows the admin password for this system?
  – Ex-employees?
  – Contractors?
  – Vendors?
• Who signed into this account and when?
  – What did they do?
• Does this admin password ever change?
• How do data center staff log in at 3AM to fix a problem?
• This system was compromised.
  – Who might have caused the trouble?
• How secure is the password used by app A to sign into app B?
  – Plaintext?
  – Static?
  – Embedded?
• Does the password for a service or application ever change?

3.3 Enterprise IT Landscape

Locations
• Data centers.
• Regions.
• Countries.
• Private.
• Cloud.

Devices
• Windows.
• Unix/Linux.
• Servers.
• PCs & Laptops.
• Network devices.
• Databases.
• Applications.
• Mainframes.

Accounts
• Administrator.
• Service.
• Application to application.

Processes
• Pre-authorized login.
• One-off requests.
• Windows services.
• Embedded passwords.

3.4 Summary


4 Solution Alternatives

4.1 Authenticating Administrators

Approach / Details / Implications

• In advance? On demand? When to delete? How to audit?
• 200 admins x 10,000 systems = 2M accounts?
• Offline console access? When to delete? How to audit?
• Support for: Routers? Firewalls? Databases?
• Less security admin? Coarse grained control?
• Need secure, reliable storage! Change 10,000 passwords/day?

5 Share accounts and randomize passwords

5.1 Privileged Access Management


6 New Risks

6.1 Protect the vault

Before PAM
• Disgruntled ex-employee could gain access to plaintext passwords in config file.
• Weak audit logs / no accountability.
• Static passwords give intruder time to attack.

After PAM
• Vault or backup media compromised.
• Vault inaccessible or destroyed!
• Weak authentication into PAM.
• Misconfigured authorization rules.
• Privilege escalation leveraging PAM.

7 Architectural Solutions

7.1 Data leakage

Protect the vault and media against bulk compromise.

• Strong encryption (AES).
• Physical and logical access control.
• Key management.


7.2 Damage to vault

Vault destroyed or at least unreachable from some locations.

• Real-time data replication.
• Fault-tolerant (geographically dispersed).
• Bandwidth efficient.
• Functional over high latency WAN links.

7.3 Authentication/authorization

Control who can gain access and what they can access.

• Identify users with an existing directory.
• Multi-factor authentication (e.g., token, card, phone).
• Authorize using AD/LDAP groups, attributes.
• Workflow for one-time requests.
• Detect and remove users added to authorized groups out-of-band.
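The last bullet above (and the temporary group membership of 7.4) is a reconciliation problem: the directory says who is in the group now, the PAM workflow says who was approved and until when, and anything in the first set without cover in the second must go. The following is an added example written for this page, not Hitachi ID code; the `Grant` record shape, the group names and the users are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class Grant:
    """One membership the PAM workflow approved (hypothetical record shape)."""
    user: str
    group: str
    expires: Optional[datetime]  # None = standing, pre-authorized access

def reconcile(observed: dict[str, set[str]], grants: list[Grant], now: datetime):
    """Compare a directory snapshot {group: {members}} against approved grants.

    Returns (out_of_band, expired): memberships with no approval at all, and
    memberships whose temporary approval has lapsed. Both lists are what a PAM
    product would remove from the group and log.
    """
    approved: dict = {}
    for g in grants:
        key = (g.user, g.group)
        cur = approved.get(key)
        # If a user holds several grants for one group, keep the longest-lived one.
        if cur is None or (cur.expires is not None and (g.expires is None or g.expires > cur.expires)):
            approved[key] = g
    out_of_band, expired = [], []
    for group, members in observed.items():
        for user in sorted(members):
            g = approved.get((user, group))
            if g is None:
                out_of_band.append((user, group))        # added outside the workflow
            elif g.expires is not None and g.expires <= now:
                expired.append((user, group))            # one-time request has lapsed
    return out_of_band, expired

NOW = datetime(2012, 6, 26, 3, 0, tzinfo=timezone.utc)

# Constructed sample: what the workflow approved. bob had a one-hour checkout that ended at 02:00.
GRANTS = [
    Grant("alice", "Domain Admins", None),
    Grant("bob", "Domain Admins", datetime(2012, 6, 26, 2, 0, tzinfo=timezone.utc)),
    Grant("carol", "SQL-DBA", datetime(2012, 6, 26, 5, 0, tzinfo=timezone.utc)),
]

# Constructed sample: membership as read back from the directory. mallory was added out-of-band.
OBSERVED = {"Domain Admins": {"alice", "bob", "mallory"}, "SQL-DBA": {"carol"}}

def example():
    return reconcile(OBSERVED, GRANTS, NOW)
```

Running `example()` yields mallory under "no approval" and bob under "approval expired"; alice and carol are left alone.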


7.4 Minimize password disclosure

Users should not see passwords if it can be avoided.

• Single sign-on direct from workstation (RDP, SSH, etc).
• Password injection.
• Temporary group membership.
• Temporary SSH trust.
• Password disclosure is only a last resort.

7.5 Accountability

It should be possible to see who did what and when.

• Log requests, approvals, logins.
• Record sensitive login sessions.
• Report on meta data.
• Controlled playback of recordings.

8 Real World Example


8.1 Corporate profile

• Financial services.
• 60,000+ employees.
• Over $500,000,000,000 in assets.
• Global – offices in 30+ countries.
• Heavily regulated.
• Extremely mature home-grown processes and controls.

8.2 Requirements

• Eliminate static passwords on servers and workstations.
• Windows PCs and servers:
  – Laptops → PCs → servers. Admin IDs → service accounts.
• Unix/Linux servers:
  – Admin IDs → embedded passwords.
• Control processes:
  – Workflow to request, approve, grant access to AD groups.
  – Access certification for AD groups.
• Future phases:
  – Grant access via group membership, no password disclosure.
  – Record admin login sessions.
  – Record logins of high-value, non-IT users.
  – Add platforms (e.g., network devices, mainframe).
  – Lifecycle management of functional accounts.


8.3 Challenges

Global scale
• No "quiet hour" for batch processing.
• Interruption in one region cannot cause outage in another.
• Must scale to 200,000+ systems, 500,000+ accounts.

Data quality
• Dozens of AD domains.
• Unreliable data about systems.
• AD group membership not well managed.

Integrations
• Many segmented networks.
• Cannot initiate TCP/IP connections across segments.
• Laptops get unplugged, powered down, moved.

Operating practices
• Multi-home critical apps world-wide.
• Two data centers per city: App in DC A, Database in DC B.
• All DBs are clustered.
• SIEM integration.

8.4 Architecture

Global scale
• Auto-discovery and classification must run alongside access checkouts.
• System must support 500,000 password changes/day.

Data quality
• Import server records from CMDB, not AD.
• Actively manage groups in AD that control authorization.

Integrations
• Local agent on laptops, PCs contact the PAM server.
• Regional proxy servers to get past firewalls.

Operating practices
• Multi-master architecture.
• 3 app servers, 1 DB cluster per metro area.
• 2 data centers per metro area.
• Replication across US, UK, China, Japan.


8.5 Single city

8.6 Global replication


8.7 Push and pull

8.8 Integration timeline

9 Questions

www.Hitachi-ID.com

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: [email protected]

File: PRCS:pres    Date: June 26, 2012