Launch Privileged Login Sessions - Hitachi ID Privileged Access Manager
Hitachi ID Privileged Access Manager is designed to not only randomize and securely store privileged passwords, but also to connect users and programs to privileged accounts after appropriate authentication and authorization. It includes the following access disclosure capabilities:
- To users, via a web interface, subject to access control policy.
- To users who do not have pre-authorized access rights, after approval.
- To applications, in order to replace embedded passwords, using an API where applications authenticate using an OTP and may only connect from a pre-defined range of IP addresses.
- To service launching programs, such as the Windows Service Control Manager, by writing new password values to the appropriate locations after a successful password change.
Note that all disclosure is subject to SSL encryption, strong, personal authentication, access controls or workflow approval and audit logs.
Immediate Disclosure With Access Controls
The most common form of access control in the Privileged Access Manager is based on managed system policies. These policies are named collections of managed systems containing privileged accounts whose passwords may be randomized and access to which is controlled.
Managed systems may either be attached to a policy explicitly (e.g., "attach workstation WKSTN01234 to policy RGWKSTNS") or implicitly, using an expression. Expressions may be based on the operating system type, IP address, MAC address or workstation name (e.g., "attach every workstation running Windows XP in subnet 10.1.2.3/24 to policy X")
Managed system policies are configured with operational and access control rules, including:
- Which accounts' passwords to randomize on attached systems.
- How often to change passwords.
- How to compose random passwords (e.g., length, complexity, etc.).
- What actions to take after successful or failed attempts to disclose a password.
- What access disclosure methods to offer users who wish to sign into privileged accounts on attached systems (e.g., launch remote desktop, launch SSH, temporarily place user in security groups, display current password to user, etc.).
Privileged Access Manager users are organized into user groups, either explicitly or implicitly. In a typical deployment, users are assigned to Privileged Access Manager user groups by virtue of their membership in Active Directory or LDAP groups. Groups of users are then assigned specific rights with respect to specific managed system policies. For example, "every user in group A may launch RDP sessions to privileged accounts on systems in policy B."
Business rules, such as segregation of duties between different sets of users, can also be enforced. This is done by examining, managing and limiting group membership on reference systems, such as Active Directory or LDAP, that can be simultaneously assigned to the same user.
One-Time Disclosure With Approval Workflow
Privileged Access Manager includes the same authorization workflow engine as is used in Hitachi ID Identity Manager. Workflow enables users to request access to a privileged account that was not previously or permanently authorized. When this happens, one or more additional users are invited (via e-mail or SMS) to review and approve the request. Approved requests trigger a message to the request's recipient, including a URL to Privileged Access Manager where he or she can re-authenticate and "check out" access.
The workflow process is illustrated by the following series of steps:
- User UA signs in and requests that the then-current password to login account LA on system S be made available to user UB at some later time T. UA may or may not be the same person as UB.
- Privileged Access Manager looks up authorizers associated with LA on S.
- Privileged Access Manager may run business logic to supplement this authorizer list, for example with someone in the management chain for UA or UB. The final list of authorizers is LA. There are N authorizers but approval by just M (M <= N) is sufficient to disclose the password to AZ.
- Privileged Access Manager sends e-mail invitations to authorizers LA.
- If authorizers fail to respond, they get automatic reminder e-mails.
- If authorizers continue to fail to respond, Privileged Access Manager runs business logic to find replacements for them, effectively escalating the request and invites the replacement authorizers as well.
- Authorizers receive invitation e-mails, click on a URL embedded in the e-mail invitation, authenticate themselves to the Privileged Access Manager web login page, review the request and approve or reject it.
- If any authorizers reject the request, e-mails are sent to all participants (UA, UB and AZ) and the request is terminated.
- If M authorizers approve the request, thank-you e-mails are sent to all participants. A special e-mail is sent to the recipient -- UB with a URL to an access disclosure page.
- UB clicks on the e-mail URL and authenticates to Privileged Access Manager and displays the password.
- UB clicks on a button to "check-out privileged access."
- UB then may click on a button to do one of the following (the options
available will vary based on policy):
- Display the password.
- Place a copy of the password in the operating system copy buffer.
- Launch an RDP, SSH, vSphere or similar remote control session to the server in question.
In other words, display of a sensitive password is not a mandatory or even recommended part of the solution.
Watch a Movie
Request one-time access
Approve one-time access
Launch one-time session to a privileged account