Hitachi ID Identity Express: Privileged Access Edition incorporates policies and business rules built around Hitachi ID Privileged Access Manager, designed to simplify control over access to privileged accounts and security groups across a variety of systems.
The Identity Express: Privileged Access Edition uses policy tables to answer a series of access control questions:
- Should a user be able to see a managed account on a managed system in search results?
- Should a request for check-out be flagged as high risk or unusual? Risk scores may be based on time-of-day, day-of-week, request history by the same user or the user's peers and more. High risk requests may require additional approval.
- If a user requests access to a managed account, should this request be automatically approved or should it depend on approval by others? If approval is required, by whom?
- Once a user has checked out a managed account, what disclosure mechanisms should be made available? Launch RDP? SSH? Another command-line program? Inject credentials into an HTML login form? Display the password? Place it in the copy buffer?
- If an administrative tool is launched on behalf of a user, should the login session be recorded? If so, what data streams should be enabled (keylogging, screen capture, etc.)?
Each of these decisions is made by comparing search terms or an access request to a series of rules. A distinct policy table is used to make each decision. The policy tables are system-wide, eliminating duplication in policy definitions.
Policies match requests against the following criteria:
- The type of request -- single account, group set or account set.
- The login ID of the account being requested, if any.
- The hostname or IP address of the managed system.
- The type of managed system (which connector is used).
- The primary managed system policy to which the managed system and account, group set or account set belong.
- The requester and recipient -- via membership in user classes or groups.
- The value of a request attribute, which may be compared to attributes of the requested system or account.
- IP address of the recipient's computer or the managed account, via CIDR subnet matching.
- The time of the request, as compared to a defined interval.
Once a request matches a rule, how Privileged Access Manager will process it depends on policy settings, regarding visibility, approval, disclosure mechanisms, recordings, risk scores, etc.
Figure (Screenshot:screenshot-pam-refbuild-authmod-rule) shows a sample policy rule from the authorization table. It states that users in the UNIXADMINS user class are auto-approved for access to systems that are integrated via the SSH connector and attached to the UNIX managed system policy.
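The following is an added illustration of how such a policy table can be evaluated; it is not Hitachi ID code and does not describe the product's internals. It models the authorization rule described above (UNIXADMINS, SSH connector, UNIX policy, auto-approve) together with the other match criteria listed earlier (request type, login ID, host, connector, policy, user class, recipient subnet, time interval). The field names, the first-match ordering, the fail-closed default and the sample rules are all assumptions made for the example.

```python
"""Illustrative first-match evaluation of a privileged-access policy table.

Added example, not Hitachi ID code. Field names, first-match semantics,
the fail-closed default and the sample rules are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Set, Tuple


@dataclass
class Request:
    kind: str                     # "account", "group_set" or "account_set"
    login_id: Optional[str]       # login ID of the requested account, if any
    host: str                     # hostname or IP address of the managed system
    connector: str                # connector type, e.g. "ssh", "windows"
    policy: str                   # primary managed system policy
    requester_classes: Set[str]   # user classes the requester belongs to
    recipient_ip: str             # IP address of the recipient's computer
    requested_at: str             # local time "HH:MM" (zero-padded, so strings compare in order)


@dataclass
class Rule:
    name: str
    decision: dict                                  # policy settings applied on match
    kinds: Optional[Set[str]] = None                # None on any criterion means "any"
    login_ids: Optional[Set[str]] = None
    hosts: Optional[Set[str]] = None
    connectors: Optional[Set[str]] = None
    policies: Optional[Set[str]] = None
    requester_classes: Optional[Set[str]] = None
    recipient_subnet: Optional[str] = None          # CIDR, e.g. "10.20.0.0/16"
    window: Optional[Tuple[str, str]] = None        # inclusive ("HH:MM", "HH:MM") interval

    def matches(self, r: Request) -> bool:
        # Every criterion set on the rule must hold; unset criteria are wildcards.
        checks = [
            self.kinds is None or r.kind in self.kinds,
            self.login_ids is None or r.login_id in self.login_ids,
            self.hosts is None or r.host in self.hosts,
            self.connectors is None or r.connector in self.connectors,
            self.policies is None or r.policy in self.policies,
            self.requester_classes is None
            or bool(self.requester_classes & r.requester_classes),
            self.recipient_subnet is None
            or ip_address(r.recipient_ip) in ip_network(self.recipient_subnet),
            self.window is None or self.window[0] <= r.requested_at <= self.window[1],
        ]
        return all(checks)


def evaluate(table, request: Request, default: dict) -> Tuple[str, dict]:
    """Return (rule name, decision) of the first matching rule, else the default."""
    for rule in table:
        if rule.matches(request):
            return rule.name, rule.decision
    return "default", default


BUSINESS_HOURS = ("08:00", "18:00")

# Constructed sample authorization table. Order matters: the permissive
# rule comes first but is fenced by connector, policy, source subnet and
# time window; anything else for the same class falls through to a rule
# that demands approval and raises the risk score.
AUTHORIZATION_TABLE = [
    Rule("unixadmins-ssh-auto", {"approval": "auto", "risk": "low"},
         connectors={"ssh"}, policies={"UNIX"},
         requester_classes={"UNIXADMINS"},
         recipient_subnet="10.20.0.0/16", window=BUSINESS_HOURS),
    Rule("unixadmins-ssh-offhours", {"approval": "unix-team-lead", "risk": "high"},
         connectors={"ssh"}, policies={"UNIX"},
         requester_classes={"UNIXADMINS"}),
    Rule("domain-admin-any", {"approval": "ad-owner+secops", "risk": "high"},
         login_ids={"Administrator"}, policies={"AD"}),
]
DEFAULT_DECISION = {"approval": "system-owner", "risk": "medium"}


def decide(request: Request) -> Tuple[str, dict]:
    """Evaluate a request against the sample authorization table."""
    return evaluate(AUTHORIZATION_TABLE, request, DEFAULT_DECISION)


if __name__ == "__main__":
    r = Request("account", "root", "db01.example.com", "ssh", "UNIX",
                {"UNIXADMINS"}, "10.20.5.17", "10:30")
    print(decide(r))
```

The point to notice is that the permissive rule is narrowed on every axis the text lists; the same requester outside the window, or from a workstation outside the admin subnet, drops to a rule that requires approval rather than to nothing at all, and a request no rule covers still ends in a decision that requires approval.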
Windows service account password management:
Identity Express: Privileged Access Edition incorporates a standard process to discover Windows services and invite stakeholders to decide how the passwords of the accounts running them should be managed. For each service and service account, administrators are asked:
- Whether the service should be managed.
- When service account passwords should be randomized (daily, weekly, ...).
- Whether services should be restarted after a password change.
- Whether new passwords should be injected into services before and/or after a password change.
- Who to notify of password changes and faults (i.e., app owners).
Embedded passwords in scripts and applications:
Privileged Access Manager can replace static, plaintext passwords embedded in scripts and applications with a secure API, which fingerprints its caller before providing the current password value. Identity Express: Privileged Access Edition incorporates a request form for creating API accounts, which are used to sign into the web service that returns current password values and are authenticated with both a one-time password (OTP) and IP subnet matching.
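To make the two authentication factors concrete, here is an added, self-contained model of the server-side check such a password-retrieval API account would pass through. It is not Hitachi ID code and makes no claim about how the product implements its API: it assumes the OTP is RFC 6238 TOTP (SHA-1, 30-second step, six digits) with one step of clock-skew tolerance, that each API account carries a list of allowed CIDR subnets and a set of managed accounts it may fetch, and it adds replay rejection of an already-accepted code, which the text does not mention. The account record, vault contents and secret are constructed sample data.

```python
"""Illustrative check for an API account that fetches a current password
in place of a plaintext secret embedded in a script.

Added example, not Hitachi ID code. Assumes RFC 6238 TOTP plus CIDR
matching; the account record, vault and replay tracking are assumptions.
"""
import hashlib
import hmac
import struct
from ipaddress import ip_address, ip_network
from typing import Optional

TIME_STEP = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP for the given Unix time."""
    return hotp(secret, unix_time // step)


def matching_counter(secret: bytes, presented: str, unix_time: int,
                     skew_steps: int = 1) -> Optional[int]:
    """Return the time-step counter whose code matches, allowing +/- skew_steps
    of clock drift, or None. Comparison is constant-time."""
    counter = unix_time // TIME_STEP
    for c in range(counter - skew_steps, counter + skew_steps + 1):
        if hmac.compare_digest(hotp(secret, c), presented):
            return c
    return None


# Constructed sample data: one API account used by a batch job, the
# subnet its hosts live in, and the single managed account it may fetch.
API_ACCOUNTS = {
    "billing-batch": {
        "otp_secret": b"12345678901234567890",     # RFC 6238 test-vector key
        "allowed_subnets": ["10.30.4.0/24"],
        "entitlements": {"db01.example.com:app_billing"},
        "last_counter": -1,                        # highest OTP counter accepted so far
    },
}
VAULT = {"db01.example.com:app_billing": "current-randomized-password-value"}


class AccessDenied(Exception):
    pass


def fetch_password(api_account: str, otp: str, source_ip: str,
                   target: str, unix_time: int) -> str:
    """Authenticate the caller and return the current password for target."""
    acct = API_ACCOUNTS.get(api_account)
    if acct is None:
        raise AccessDenied("unknown API account")
    # Factor 1: the caller must come from a subnet registered for this account.
    if not any(ip_address(source_ip) in ip_network(n) for n in acct["allowed_subnets"]):
        raise AccessDenied("source address outside allowed subnet")
    # Factor 2: a valid, not previously accepted, one-time password.
    c = matching_counter(acct["otp_secret"], otp, unix_time)
    if c is None or c <= acct["last_counter"]:
        raise AccessDenied("bad or replayed one-time password")
    acct["last_counter"] = c
    # Authorization: the API account may only read credentials it is entitled to.
    if target not in acct["entitlements"]:
        raise AccessDenied("API account not entitled to that managed account")
    return VAULT[target]


if __name__ == "__main__":
    code = totp(API_ACCOUNTS["billing-batch"]["otp_secret"], 59)
    print(fetch_password("billing-batch", code, "10.30.4.9",
                         "db01.example.com:app_billing", 59))
```

Both factors are checked before any vault lookup, and the replay check matters because a TOTP code stays valid for the whole skew window: without it, a code sniffed from one request could be reused by anyone inside the allowed subnet.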
Personal administrator accounts:
Identity Express: Privileged Access Edition includes a mechanism to identify, manage passwords on, and control access to personal administrator accounts, typically on Active Directory domains. With this component, only account owners see their own administrative accounts and, since passwords are randomized, must use Privileged Access Manager to launch connections using