
1 Privileged Access Management

Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

Hitachi ID Privileged Access Manager

2 Agenda
Hitachi ID corporate overview.
Hitachi ID Suite overview.
Securing administrative passwords with Hitachi ID Privileged Access Manager.
Animated demonstration.

2015 Hitachi ID Systems, Inc. All rights reserved. 1


Slide Presentation

3 Hitachi ID Corporate Overview

Hitachi ID delivers access governance and identity administration solutions to organizations globally.
Hitachi ID solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud.
Founded as M-Tech in 1992.
A division of Hitachi, Ltd. since 2008.
Over 1200 customers.
More than 14M licensed users.
Offices in North America, Europe and APAC.
Partners globally.


4 Representative Customers

5 Hitachi ID Suite


6 Securing Privileged Accounts

Thousands of IT assets:
- Servers, network devices, databases and applications: numerous, high value, heterogeneous.
- Workstations: mobile dynamic IPs; powered on or off; direct-attached or firewalled.

Who has the keys to the kingdom? Every IT asset has sensitive passwords:
- Administrator passwords: used to manage each system.
- Service passwords: provide security context to service programs.
- Application passwords: allow one application to connect to another.

Do these passwords ever change?
Plaintext in configuration files?
Who knows these passwords? (ex-staff?)
Audit: who did what?

7 Project Drivers
Organizations need to secure their most sensitive passwords:

Compliance: Pass regulatory audits. Compliance should be sustainable.
Security: Eliminate static passwords on sensitive accounts. Create accountability for admin work.
Cost: Efficient process to regularly change privileged passwords. Simple and effective deactivation for former administrators.
Flexibility: Grant temporary admin access: emergencies, production migrations, workload peaks, etc.


8 Participants in PAM
Hitachi ID Privileged Access Manager works by randomizing privileged passwords and connecting
people and programs to privileged accounts as needed:

Privileged accounts: Get new, random passwords daily or at the desired frequency.
IT users: Must sign into HiPAM when they need to sign into administrator accounts.
Services: Are automatically updated with new password values.
Applications: Use the HiPAM API instead of embedded passwords.
Security officers: Define policies regarding who can connect to which privileged account.
Auditors: Monitor access requests and privileged login sessions.

9 HiPAM Impact

Feature / Impact / Benefit:

Randomize passwords daily: Eliminate static, shared passwords. Benefit: disconnect former IT staff.
Controlled disclosure: Control who can see passwords. Benefit: the right users and programs can access privileged accounts, others cannot.
Logging & reporting: Monitor password disclosure. Benefit: accountability; faster troubleshooting.
Encryption: Secure passwords in storage and transit. Benefit: physical compromise does not expose passwords.
Replication: Passwords stored on multiple servers, in different sites. Benefit: survive server crashes and site disasters.


10 Understand and Manage the Risks

A privileged access management (PAM) system becomes the sole repository of the most important
credentials.

Risk / Description / Mitigation:

Disclosure: Compromised vault = security disaster. Mitigation: encrypted vault; strong authentication; flexible authorization.
Data loss: Destroyed vault = IT disaster. Mitigation: replicate the vault.
Non-availability: Offline vault = IT service interruption. Mitigation: one vault in each of 2+ sites.

Customers must test failure conditions before purchase!

11 Randomizing Passwords

Push random passwords to systems:
- Periodically (e.g., between 3AM and 4AM).
- When users check passwords back in.
- When users want a specific password.
- On urgent termination.
Suitable for servers and PCs on the corporate network.

Pull initiated by user devices:
- Periodically.
- Random time-of-day.
- Opportunistically, when connectivity is available.
Suitable for off-site laptops, systems in a DMZ.


12 Authorizing Access to Privileged Accounts

Two models: permanent and one-time.

Permanent ACL:
- Pre-authorized users can launch an admin session any time.
- Access control model: users belong to user groups; user groups are assigned ACLs to managed system policies; managed system policies contain devices and applications.
- Also used for API clients.

One-time request:
- Request access for any user to connect to any account.
- Approvals workflow with: dynamic routing, parallel approvals, N of M authorizers, auto-reminders, escalation, delegation.

Concurrency control:
- Coordinate admin changes by limiting the number of people connected to the same account.
- The limit can be >1.
- Notify each admin of the others.
- Ensure accountability of who had access to an account at a given time.
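The three mechanisms on this slide, the permanent ACL chain (user, group, policy, device), the one-time request with N of M authorizers and the concurrency limit, modelled in Python as an added example. This is constructed for this page and is not Hitachi ID code; the class names, users, groups, policies and devices are all invented, and one account per device is assumed so the concurrency key is simply the device name.

```python
"""Permanent ACLs, one-time requests (N of M approvers) and concurrency
control, as on the slide. Constructed example; all names are invented."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class ManagedSystemPolicy:
    """Groups devices/applications and carries the ACL: which user groups
    may open a privileged session on its member devices."""
    name: str
    devices: Set[str]
    allowed_groups: Set[str]


@dataclass
class PermanentAcl:
    group_members: Dict[str, Set[str]]          # user group -> users
    policies: Dict[str, ManagedSystemPolicy]

    def groups_of(self, user: str) -> Set[str]:
        return {g for g, members in self.group_members.items() if user in members}

    def preauthorized(self, user: str, device: str) -> bool:
        """User -> groups -> ACL on a policy -> device; deny by default."""
        groups = self.groups_of(user)
        return any(device in p.devices and bool(groups & p.allowed_groups)
                   for p in self.policies.values())


@dataclass
class OneTimeRequest:
    """Approved once N of the M eligible authorizers approve; denied as soon
    as one denies. The requester can never be one of the authorizers."""
    requester: str
    device: str
    authorizers: Set[str]
    required: int
    approvals: Set[str] = field(default_factory=set)
    denials: Set[str] = field(default_factory=set)

    def __post_init__(self) -> None:
        if not 1 <= self.required <= len(self.authorizers):
            raise ValueError("N must be between 1 and M")
        if self.requester in self.authorizers:
            raise ValueError("requester cannot approve their own request")

    def decide(self, who: str, approve: bool) -> str:
        if who not in self.authorizers:
            raise PermissionError(f"{who} is not an authorizer for this request")
        (self.approvals if approve else self.denials).add(who)
        return self.state()

    def state(self) -> str:
        if self.denials:
            return "denied"
        return "approved" if len(self.approvals) >= self.required else "pending"


@dataclass
class ConcurrencyControl:
    """At most `limit` admins on one account at a time (limit may be > 1);
    each newcomer learns who else is connected, for accountability."""
    limit: int
    active: Dict[str, Set[str]] = field(default_factory=dict)

    def connect(self, account: str, user: str) -> List[str]:
        holders = self.active.setdefault(account, set())
        if user not in holders and len(holders) >= self.limit:
            raise RuntimeError(f"{account}: {sorted(holders)} connected, limit {self.limit}")
        others = sorted(holders - {user})
        holders.add(user)
        return others            # notify these admins that `user` joined

    def disconnect(self, account: str, user: str) -> None:
        self.active.get(account, set()).discard(user)


def open_session(acl: PermanentAcl, cc: ConcurrencyControl, user: str, device: str,
                 request: Optional[OneTimeRequest] = None) -> List[str]:
    """Permanent ACL first, else an approved one-time request for this user and
    device, then the concurrency check. Returns the other admins to notify."""
    allowed = acl.preauthorized(user, device) or (
        request is not None and request.requester == user
        and request.device == device and request.state() == "approved")
    if not allowed:
        raise PermissionError(f"{user} is not authorized for {device}")
    return cc.connect(device, user)   # one privileged account per device in this toy


# Constructed sample data: two user groups, two policies sharing one device.
ACL = PermanentAcl(
    group_members={"unix-admins": {"alice", "bob"}, "dba": {"carol"}},
    policies={
        "prod-linux": ManagedSystemPolicy("prod-linux", {"web01", "db01"}, {"unix-admins"}),
        "prod-db": ManagedSystemPolicy("prod-db", {"db01"}, {"dba"}),
    },
)
```

Two details worth keeping when building the real thing: the one-time request is bound to the requester and the device it was raised for, so an approval for web01 cannot be replayed against db01, and the requester is excluded from the authorizer set at construction time rather than at approval time, so a misconfigured routing rule fails loudly instead of silently permitting self-approval.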


13 Fault-Tolerant Architecture

[Architecture diagram; only its labels survive extraction.] Two Hitachi ID Privileged Access Manager nodes, one at Site A and one at Site B, each with its own password vault and its crypto keys held in the registry, replicate to each other over TCP/IP + AES. An admin workstation reaches the nodes over HTTPS through a load balancer. The nodes reach targets directly: Windows servers or domain controllers over LDAP/S and NTLM, Unix and Linux systems over SSH, and various target systems at Site C through a firewall via a proxy (TCP/IP + AES).


14 Included Connectors
Many integrations to target systems included in the base price:

Directories: Any LDAP, AD, WinNT, NDS, eDirectory, NIS/NIS+.
Servers: Windows NT, 2000, 2003, 2008[R2], 2012, Samba, Novell, SharePoint.
Databases: Oracle, Sybase, SQL Server, DB2/UDB, Informix, Progress, ODBC, Oracle Hyperion EPM Shared Services, Cache.
Unix: Linux, Solaris, AIX, HPUX, 24 more variants.
Mainframes, Midrange: z/OS: RACF, ACF2, TopSecret. iSeries, OpenVMS.
HDD Encryption: McAfee, CheckPoint, BitLocker, PGP.
ERP: JDE, Oracle eBiz, PeopleSoft, PeopleSoft HR, SAP R/3 and ECC 6, Siebel, Business Objects.
Collaboration: Lotus Notes, iNotes, Exchange, GroupWise, BlackBerry ES.
Tokens, Smart Cards: RSA SecurID, SafeWord, RADIUS, ActivIdentity, Schlumberger.
WebSSO: CA Siteminder, IBM TAM, Oracle AM, RSA Access Manager.
Help Desk: ServiceNow, BMC Remedy, SDE, HP SM, CA Unicenter, Assyst, HEAT, Altiris, Clarify, RSA Envision, Track-It!, MS System Center Service Manager.
Cloud/SaaS: WebEx, Google Apps, MS Office 365, Success Factors, Salesforce.com, SOAP (generic).


15 Types of Privileged Accounts

Administrator accounts:
- Definition: interactive logins. Client tools: PuTTY, RDP, SQL Studio, etc. May be used at a physical console.
- Challenges: access control; audit/accountability; single sign-on; session capture.

Embedded accounts:
- Definition: one application connects to another. DB logins, web services, etc.
- Challenges: authenticating apps prior to password disclosure; caching, key management.

Service accounts:
- Definition: run service programs with limited rights. Windows requires a password! Interactive logins for troubleshooting.
- Challenges: avoiding service interruption due to failed notification.
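A push rotation of a service account password (the push model of slide 11, and the service-interruption challenge on this slide), written here as an added example rather than taken from the product. The new password is generated with `secrets`, set on the target, verified by a login attempt before anything trusts it, then propagated to every dependent service; if any dependent cannot be updated, the target and the already-updated services are rolled back so nothing is left holding a dead credential. `Target` and `DependentService` are in-memory stand-ins for the real host and its services, and the account and service names are invented.

```python
"""Set -> verify -> propagate -> commit rotation for a service account, with
rollback. Constructed example with in-memory stand-ins; not Hitachi ID code."""
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional


def random_password(length: int = 24) -> str:
    """CSPRNG password containing at least one character from each class."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, "!@#$%^&*-_=+"]
    alphabet = "".join(classes)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in classes):
            return pw


class Target:
    """Stand-in for the server that hosts the account (constructed)."""
    def __init__(self, passwords: Dict[str, str]):
        self._passwords = passwords

    def set_password(self, account: str, new: str) -> None:
        self._passwords[account] = new

    def verify(self, account: str, password: str) -> bool:
        """Stands in for an actual login attempt with the candidate password."""
        return secrets.compare_digest(self._passwords.get(account, ""), password)


class DependentService:
    """Stand-in for something that stores the account's password (a Windows
    service logon, a config file). `fail=True` simulates an unreachable host."""
    def __init__(self, name: str, password: str, fail: bool = False):
        self.name, self.password, self.fail = name, password, fail

    def update(self, new: str) -> None:
        if self.fail:
            raise ConnectionError(f"{self.name}: unreachable")
        self.password = new


@dataclass
class RotationRecord:
    account: str
    changed_at: Optional[datetime]
    succeeded: bool
    updated: List[str] = field(default_factory=list)
    error: str = ""
    new_password: str = ""       # what the vault stores on success


def rotate(target: Target, account: str, current: str,
           services: List[DependentService]) -> RotationRecord:
    new = random_password()
    target.set_password(account, new)
    if not target.verify(account, new):     # never commit a credential we cannot prove works
        target.set_password(account, current)
        return RotationRecord(account, None, False, error="verification failed")
    rec = RotationRecord(account, datetime.now(timezone.utc), True, new_password=new)
    try:
        for svc in services:
            svc.update(new)
            rec.updated.append(svc.name)
    except ConnectionError as exc:
        # Roll back the target and every service already switched over, so the
        # service keeps starting with the password it already has.
        target.set_password(account, current)
        for svc in services:
            if svc.name in rec.updated:
                svc.update(current)
        return RotationRecord(account, None, False, error=str(exc))
    return rec
```

The ordering is the point: verification happens before propagation, and propagation is all-or-nothing. A real implementation also has to handle the rollback itself failing (the host that was reachable a second ago is no longer), which is why the record keeps the list of services actually updated so an operator can finish the job by hand.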

16 Infrastructure Auto-Discovery
Find and classify systems, services, groups, accounts:

List systems:
- From Hitachi IT Operations Analyzer.
- From AD, LDAP (computers).
- From text file (IT inventory).
- Extensible: DNS, IP port scan.

Evaluate import rules:
- Manage this system?
- Attach system to this policy?
- Choose initial ID/password.
- Manage this account?
- Unmanage this system?

Probe systems:
- Local accounts.
- Security groups.
- Group memberships.
- Services.
- Local service accounts.
- Domain service accounts.

Hitachi ID Privileged Access Manager can find, probe, classify and load 10,000 systems/hour.
Normally executed every 24 hours.
100% policy driven - no scripts.
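The list / evaluate rules / probe pipeline above, as an added example written in Python for this page (not Hitachi ID code). Hosts from two listing sources are merged, an ordered table of import rules decides whether each host is managed, which policy it joins and which vaulted seed credential to try first, and the accounts a probe returns are split into local accounts, local service accounts and domain service accounts. The rule fields, the sample hosts, the probe output and the credential aliases are all invented.

```python
"""Policy-driven import of discovered systems, then classification of what a
probe returns. Constructed example with embedded sample data; not Hitachi ID
code, and the rule fields and sample hosts are invented."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class System:
    name: str
    os: str
    sources: List[str]          # where the host was listed (AD, inventory file, scan)


@dataclass
class ImportRule:
    """Ordered rules; the first one whose two patterns both match wins.
    manage=False explicitly un-manages (e.g. lab hosts)."""
    label: str
    name_pattern: str
    os_pattern: str
    manage: bool
    policy: Optional[str] = None
    initial_credential: Optional[str] = None   # alias of a vaulted seed credential


@dataclass
class ImportDecision:
    system: str
    manage: bool
    policy: Optional[str]
    initial_credential: Optional[str]
    rule: Optional[str]


def merge_inventory(sources: Dict[str, List[dict]]) -> List[System]:
    """The same host often appears in AD and in the inventory file; key on
    the lower-cased name and remember every source that listed it."""
    merged: Dict[str, System] = {}
    for source, records in sources.items():
        for rec in records:
            key = rec["name"].lower()
            merged.setdefault(key, System(key, rec["os"], [])).sources.append(source)
    return [merged[k] for k in sorted(merged)]


def apply_rules(systems: List[System], rules: List[ImportRule]) -> List[ImportDecision]:
    decisions = []
    for s in systems:
        for r in rules:
            if re.fullmatch(r.name_pattern, s.name, re.I) and re.fullmatch(r.os_pattern, s.os, re.I):
                decisions.append(ImportDecision(
                    s.name, r.manage,
                    r.policy if r.manage else None,
                    r.initial_credential if r.manage else None, r.label))
                break
        else:   # no rule matched: leave unmanaged, flagged by rule=None for review
            decisions.append(ImportDecision(s.name, False, None, None, None))
    return decisions


def classify_accounts(probe: dict, host: str, domain: str) -> Dict[str, list]:
    """Split service logons into local vs domain service accounts. Built-in
    identities (LocalSystem, NT AUTHORITY\\...) have no password to vault."""
    local_svc, domain_svc = set(), set()
    for svc in probe["services"]:
        logon = svc["logon"]
        if logon.upper().startswith((".\\", host.upper() + "\\")):
            local_svc.add(logon.split("\\", 1)[1])
        elif logon.upper().startswith(domain.upper() + "\\"):
            domain_svc.add(logon.split("\\", 1)[1])
    return {"local": sorted(probe["accounts"]), "local_service": sorted(local_svc),
            "domain_service": sorted(domain_svc), "groups": probe["groups"]}


# Constructed sample input: two listing sources, four rules, one probe result.
LISTINGS = {
    "AD": [{"name": "WEB01", "os": "Windows Server 2012"},
           {"name": "DC01", "os": "Windows Server 2012"}],
    "inventory": [{"name": "web01", "os": "Windows Server 2012"},
                  {"name": "lab-test9", "os": "Ubuntu 14.04"},
                  {"name": "db01", "os": "RHEL 6"}],
}
RULES = [
    ImportRule("skip-lab", r"lab-.*", r".*", manage=False),
    ImportRule("dcs", r"dc\d+", r"windows.*", True, "domain-controllers", "ad-admin-seed"),
    ImportRule("windows", r".*", r"windows.*", True, "windows-servers", "local-admin-seed"),
    ImportRule("linux", r".*", r"(rhel|ubuntu|.*linux).*", True, "linux-servers", "root-seed"),
]
PROBE_WEB01 = {
    "accounts": ["Administrator", "Guest", "svc_backup"],
    "services": [{"name": "BackupAgent", "logon": ".\\svc_backup"},
                 {"name": "SQLAgent", "logon": "CORP\\svc_sql"},
                 {"name": "Spooler", "logon": "LocalSystem"}],
    "groups": {"Administrators": ["Administrator", "CORP\\Domain Admins"]},
}
```

Rule order matters: the explicit un-manage rule comes first so a lab box that happens to look like a Windows server is never attached to the production policy, and a host matching no rule is left unmanaged with `rule=None` rather than silently managed under a default.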


17 Alternatives to Password Display

Launch session (SSO): Launch RDP, SSH, vSphere, SQL Studio, ... Benefits: the password is hidden; convenient (SSO); extensible (just add a CLI).
Temporary entitlement: Group membership (AD, Windows, SQL, etc.); SSH trust (.ssh/authorized_keys); entry in /etc/sudoers files. Benefits: native logging shows the actual user; convenient for platform admins.
Copy buffer integration: Inject the password into the copy buffer; clear it after N seconds. Benefits: flexible (secondary connections, open-ended tooling); convenient.
Display: Show the password in the UI; clear it after N seconds. Benefit: useful at the physical server console.
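The temporary-entitlement row above (SSH trust via .ssh/authorized_keys and a sudoers entry), worked as an added Python example that is not part of the original page or the product: each issued line is tagged with the request ID and its expiry so a sweeper can revoke it, and the functions operate on file contents as strings so they can be exercised without touching a real host. The `pam-req` tag format is invented, the request IDs are invented, and the authorized_keys `expiry-time` option assumes OpenSSH 7.7 or later on the target (check the target's sshd version before relying on it).

```python
"""Time-bound entitlements in place of password disclosure: an SSH trust
entry and a sudoers entry, each tagged with the request ID and expiry so a
sweeper can revoke them. Works on file contents as strings. Constructed
example, not Hitachi ID code; the tag format is invented and `expiry-time`
assumes OpenSSH 7.7 or later on the target."""
import re
from datetime import datetime, timezone
from typing import List, Tuple

TAG = "pam-req"      # marker so the sweeper only ever touches lines it issued


def _stamp(when: datetime) -> str:
    """UTC at minute precision, the YYYYMMDDHHMM form sshd's expiry-time accepts."""
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M")


def ssh_trust_line(pubkey: str, request_id: str, expires: datetime) -> str:
    """authorized_keys entry. sshd refuses the key itself after expiry-time
    (the Z suffix makes it UTC); the trailing comment is for the sweeper."""
    return (f'expiry-time="{_stamp(expires)}Z",no-port-forwarding,no-agent-forwarding '
            f'{pubkey} {TAG}:{request_id}:{_stamp(expires)}')


def sudoers_line(user: str, request_id: str, expires: datetime,
                 command: str = "ALL") -> str:
    """sudoers has no expiry of its own, so the sweeper is the only revocation."""
    return f"{user} ALL=(root) {command}   # {TAG}:{request_id}:{_stamp(expires)}"


_TAG_RE = re.compile(rf"{TAG}:(?P<id>[\w-]+):(?P<exp>\d{{12}})")


def sweep(contents: str, now: datetime) -> Tuple[str, List[str]]:
    """Drop issued lines whose expiry has passed. Returns the new contents
    and the revoked request IDs, which belong in the audit log."""
    kept, revoked = [], []
    for line in contents.splitlines():
        m = _TAG_RE.search(line)
        if m and m.group("exp") <= _stamp(now):
            revoked.append(m.group("id"))
            continue
        kept.append(line)
    return "".join(l + "\n" for l in kept), revoked


def revoke(contents: str, request_id: str) -> str:
    """Early check-in: remove one request's line regardless of its expiry."""
    return "".join(l + "\n" for l in contents.splitlines()
                   if f"{TAG}:{request_id}:" not in l)
```

In practice the sweeper runs from the PAM scheduler or cron, the sudoers fragment goes in its own file under /etc/sudoers.d and is checked with `visudo -c` before it is installed, and the `no-port-forwarding,no-agent-forwarding` restrictions keep the temporary key from being used as a pivot. Note the asymmetry: sshd enforces the SSH expiry on its own, while the sudo grant outlives a crashed sweeper, which is an argument for short expiries on the sudoers side.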


18 Test Safety Features

To prevent a security or an IT operations disaster, a privileged password management system must be
built for safety first:

Unauthorized disclosure:
- Passwords must be encrypted, both in storage and in transmission.
- Access controls should determine who can see which passwords.
- Workflow should allow for one-off disclosure.
- Audit logs should record everything.

Data loss, service disruption:
- Replicate all data: a server crash should be harmless.
- Replication must be real time, just like password changes.
- Replication must span physical locations, to allow for site disasters (fire, flood, wire cut).

These features are mandatory. Failure is not an option. Ask Hitachi ID for an evaluation guide.

How to test: evaluate products on multiple, replicated servers. Turn off one server in mid-operation. Inspect database contents and sniff network traffic.


19 HiPAM Unique Technology

Multi-master, active-active: Trivial to set up, no cost, zero effort to recover from disaster. Geographically distributed: maximum safety.
Not just passwords: Temporary group elevation, SSH trust relationships. Suspend/resume VM (lower cost of cloud!).
Robust workflow: Reminders, escalation, delegation, concurrent invitations. Not limited to the "two keys" scenario.
Control groups: Manage AD, LDAP groups that determine who has access. Requests, approvals, SoD policy, certification, reports.
Single product, not "suite": Credential vault. Password randomization. Access control policies. Session monitoring, playback. Service account passwords. Embedded passwords. 110, extensible connectors.

20 Request one-time access

Animation: ../../pics/camtasia/v82/hipam-request-access/hipam-request-access.cam

21 Approve one-time access

Animation: ../../pics/camtasia/v82/hipam-approve-request/hipam-approve-request.cam


22 Launch one-time session using a privileged account

Animation: ../../pics/camtasia/v82/hipam-privileged-login-session/hipam-privileged-login-session.cam

23 Request, approve, play recording

Animation: ../../pics/camtasia/v82/hipam-view-playback/hipam-view-playback.cam

24 Report on requests for privileged access

Animation: ../../pics/camtasia/hipam-71/hipam-06-admin-reports.cam

25 HiPAM: PuTTY to Linux

Animation: ../../pics/camtasia/pam-linux-preauth/pam-linux-preauth.cam

26 Activate Mobile Access

Animation: ../../pics/camtasia/v9/enable-mobile-device-1/enable-mobile-device-1.mp4


27 Password display

Animation: ../../pics/camtasia/v9/pw-disp-scaled-1/pw-disp-scaled-1.mp4

28 Account set checkout

Animation: ../../pics/camtasia/v9/account-set-checkout-1/account-set-checkout-1.mp4

29 Summary
Hitachi ID Privileged Access Manager secures privileged accounts:
Eliminate static, shared passwords to privileged accounts.
Built-in encryption, replication, geo-diversity for the credential vault.
Authorized users can launch sessions without knowing or typing a password.
Infrequent users can request, be authorized for one-time access.
Strong authentication, authorization and audit throughout the process.
Learn more at Hitachi-ID.com/Privileged-Access-Manager

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com

www.Hitachi-ID.com Date: May 22, 2015 File: PRCS:pres
