Control over access to privileged accounts is a cornerstone of IT security. Privileged access management (PAM) systems control access to administrator, service and application-to-application accounts, which represent a higher security risk than any other login IDs. Per Mark Diodati, Research Vice President at Gartner, “Privileged account management products can improve the security of sensitive information by restricting access to privileged account passwords and authenticating system administrators and programmatic processes prior to releasing the password.”
Hitachi ID Systems http://Hitachi-ID.com has developed a set of frequently asked questions related to privileged access management. The FAQ can be downloaded from http://Hitachi-ID.com/privileged-access-manager/docs/privileged-access-manager-faq-generic.html.
Many organizations have insecure processes for managing privileged accounts – IDs and passwords on servers, workstations, applications and network devices with elevated privileges. Inappropriate disclosure of these passwords could lead to serious security breaches:
Several technological approaches can be applied to managing privileged passwords more securely.
By far, the most common approach to securing privileged accounts is to randomize privileged passwords regularly. Normally this process is initiated by a central server, to eliminate the need for change control on each managed system.
A good rule of thumb is to change privileged passwords daily. With a daily password change, if a system administrator quits, he would only have access to a few accounts (on systems where he did work on his last day), and all of that access would automatically expire within 24 hours. Longer password change intervals allow access to be retained for more time, creating a longer window of vulnerability. Shorter password change intervals may interfere with work. For example, an administrator may need to stay signed into a system for several hours to make a complex change, and an hourly password change might interrupt this work.
Two scenarios can be applied to control access to privileged accounts:
In either case, user roles and account groups play a part in reducing the complexity of system setup. Users should be assigned roles, such as “Windows administrator.” Systems and privileged accounts should be collected into groups. User roles can then be assigned rights to system groups.
Using the one-time access workflow described above, a privileged access management system should support multiple authorizers. For example, user A might request access to privileged account P on system S. This request could be routed to multiple people to review – say users B, C and D. If any two of B, C and D approve the request, then user A will be allowed to sign into P.
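The role/group authorization model and the two-of-three approval workflow described above, as an added example that is not Hitachi ID code; the role, group, user and system names are constructed for illustration:

```python
from dataclasses import dataclass, field

# Constructed data (not from any real deployment).
# Role -> system groups that role is granted rights to.
ROLE_RIGHTS = {
    "Windows administrator": {"windows-servers"},
    "Unix administrator": {"linux-servers"},
}
# System group -> systems collected into that group.
SYSTEM_GROUPS = {
    "windows-servers": {"S"},
    "linux-servers": {"L1"},
}
# User -> roles assigned to that user.
USER_ROLES = {
    "A": {"Windows administrator"},
    "E": {"Unix administrator"},
}


def has_routine_access(user: str, system: str) -> bool:
    """Routine access: one of the user's roles has rights to a group containing the system."""
    for role in USER_ROLES.get(user, set()):
        for group in ROLE_RIGHTS.get(role, set()):
            if system in SYSTEM_GROUPS.get(group, set()):
                return True
    return False


@dataclass
class AccessRequest:
    """One-time access request routed to several authorizers; any `required` of them may approve."""
    requester: str
    account: str
    system: str
    authorizers: frozenset
    required: int
    approvals: set = field(default_factory=set)

    def approve(self, authorizer: str) -> bool:
        if authorizer not in self.authorizers:
            raise ValueError(f"{authorizer} is not an authorizer for this request")
        if authorizer == self.requester:
            raise ValueError("requester may not approve their own request")
        self.approvals.add(authorizer)  # a set, so repeated approvals by one person count once
        return self.is_approved()

    def is_approved(self) -> bool:
        return len(self.approvals) >= self.required
```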
On the Windows operating system, service programs are run either using the SYSTEM login ID, which possesses almost every privilege on the system (and consequently can do the maximum harm) and which has no password, or using a real user's login ID and password, in order to execute with reduced privileges. This means that on each Windows workstation and server there are a number of service accounts, each with its own password, which are used to run service programs such as web servers, backup agents, antivirus software, etc.
Some privileged access management systems include a rich set of connectors and can manage passwords across the enterprise, rather than just on Windows servers and via scripted SSH sessions. It is helpful to deploy a system that can handle the majority of systems in an organization, rather than having to use different applications for each platform.
Displaying passwords from the vault should only be available as a last resort. In most cases, where connectivity is available to the system in question, one of the following mechanisms should be used instead:
Yes, as described above, this can be done by launching RDP, SSH or similar sessions; by temporarily adding a user's AD account to security groups; or by temporarily creating SSH trust relationships.
Password display is needed where a login to a system's console is required. This access disclosure mechanism should be handled via the one-time access disclosure workflow, rather than in the context of routine access.
A password management system can easily make connections to servers, which have fixed network addresses, are always on and are continuously connected to the network. It is much harder for a central password management server to connect to mobile laptops, for several reasons:
In short, while it is easy for laptops to contact a central server, it is nearly impossible for the reverse to happen reliably. To secure privileged accounts on laptops, a privileged access management system must include client-side code, which initiates password changes from the laptop, rather than from the central server.
This architecture supports:
Modern privileged access management systems support session recording. This technology records login sessions made by administrators to privileged accounts and supports later search and playback of these sessions.
The approaches used to accomplish this vary widely:
To promote the importance of privileged access management, Hitachi ID Systems recently announced to over 900 existing customers a one-time promotional package, valid over the next two months http://Hitachi-ID.com/landing/privileged-access-manager-existingcustomers.html. It includes 5 days of complimentary professional services, to plan and implement Hitachi ID Privileged Access Manager.
Gideon Shoham, CEO says, “This promotion is intended to encourage our customers to evaluate our technologically advanced and cost effective Privileged Access Manager. This solution is complementary to the user password management solution many of our customers have already deployed.”
Hitachi ID Systems, Inc. is a leading provider of identity and access management solutions. Hitachi ID software helps almost 1000 organizations with over 12 million combined users meet security, internal control, regulatory compliance, IT cost reduction and user service objectives.
Hitachi ID Identity and Access Management Suite includes Identity Manager http://Hitachi-ID.com/identity-manager/, Password Manager http://Hitachi-ID.com/password-manager/ and Privileged Access Manager http://Hitachi-ID.com/privileged-access-manager/. These products manage identities, entitlements and authentication factors across both on-premise and SaaS applications in the cloud.
Industry analyst Ovum Consulting recently recognized Hitachi ID Systems as an enterprise identity and access management powerhouse, citing the company's robust technology and exemplary customer support. Ovum “believes that Hitachi ID's focus on reducing the administrative and helpdesk burden and the company's focus on bottom-up IAM reflects the way in which organizations operate.”
For more information about Hitachi ID Systems and its products, please visit http://Hitachi-ID.com/ or call 1.403.233.0740.
For more information, please contact: