swipe to navigate

Policy-based configuration

Identity Express: Privileged Access Edition incorporates policies and business rules built around Privileged Access Manager, designed to simplify control over access to privileged accounts and security groups across a variety of systems.

The Identity Express: Privileged Access Edition uses policy tables to answer a series of access control questions:

  1. Should a user be able to see a managed account on a managed system in search results?
  2. Should a request for check-out be flagged as high risk or unusual? Risk scores may be based on time-of-day, day-of-week, request history by the same user or the user's peers and more. High risk requests may require additional approval.
  3. If a user requests access to a managed account, should this request be automatically approved or should it depend on approval by others? If approval is required, by whom?
  4. Once a user has checked out a managed account, what disclosure mechanisms should be made available? Launch RDP? SSH? Another command-line program? Inject credentials into an HTML login form? Display the password? Place it in the copy buffer?
  5. If an administrative tool is launched on behalf of a user, should the login session be recorded? If so, what data streams should be enabled (keylogging, screen capture, etc.)?

Each of these decisions is made by comparing search terms or an access request to a series of rules. A distinct policy table is used to make each decision. The policy tables are system-wide, eliminating duplication in policy definitions.

Policies match requests against the following criteria:

  1. The type of request -- single account, group set or account set.
  2. The login ID of the account being requested, if any.
  3. The hostname or IP address of the managed system.
  4. The type of managed system (which connector is used).
  5. The primary managed system policy to which the managed system and account, group set or account set belong.
  6. The requester and recipient -- via membership in user classes or groups.
  7. The value of a request attribute, which may be compared to attributes of the requested system or account.
  8. IP address of the recipient's computer or the managed account, via CIDR subnet matching.
  9. The time of the request, as compared to a defined interval.

Once a request matches a rule, how Privileged Access Manager will process it depends on policy settings, regarding visibility, approval, disclosure mechanisms, recordings, risk scores, etc.

Screen shot: Privileged Access Manager reference configuration - authorization policy rule

Figure (Screenshot:screenshot-pam-refbuild-authmod-rule) shows a sample policy rule. This one is from the authorization table and essentially states that users in the UNIXADMINS user class are auto-approved for access to systems where integration is via SSH and the system in question is attached to the UNIX policy.

Windows service account password management:

Identity Express: Privileged Access Edition incorporates a standard process to discover and invite stake-holders to decide how to manage the passwords for Windows service accounts. For each service and service account, administrators are asked:

  1. Whether the service should be managed.
  2. When service account passwords should be randomized (daily, weekly, ...).
  3. Whether services should be restarted after a password change.
  4. Whether new passwords should be injected into services before and/or after a password change.
  5. Who to notify of password changes and faults (i.e., app owners).

Embedded passwords in scripts and applications:

Privileged Access Manager can replace static, plaintext passwords embedded in scripts and applications with a secure API, which fingerprints its caller before providing access to a current password value. Identity Express: Privileged Access Edition incorporates a request form for creating API accounts, used to sign into the web service to retrieve current password values and authenticated with both a one-time password (OTP) and IP subnet matching.

Personal administrator accounts:

Identity Express: Privileged Access Edition includes a mechanism to identify, manage passwords on and control access to personal administrator accounts, typically on Active Directory domains. With this component, only account owners see their own administrative accounts and - since passwords are randomized - must use Privileged Access Manager to launch connections using these accounts.

Team Management

Team management in Identity Express: Privileged Access Edition delegates onboarding of systems and accounts and definition of access control rules to business stake-holders. Teams help organizations scale up the PAM system and define access control and audit rules by engaging with application owners and system administrators.

Team management is constructed around a number of concepts:

  • A team may represent a group of people, an application or an organizational unit.
  • Teams contain:
    • Managed systems with which Privileged Access Manager is integrated.
    • Managed accounts that appear on managed systems and whose passwords Privileged Access Manager may set.
    • Team groups used to assign privileges to Privileged Access Manager users.
  • Team groups contain:
    • Privileges, such as:
      • Trustee -- able to modify team settings.
      • Authorizer -- charged with approving access requests.
      • Auto approved -- able to check-out managed accounts without waiting for approval by an authorizer.
      • Credential manager -- permitted to set or randomize passwords on managed accounts.
      • Requester -- able to request access to managed accounts.
    • Individual Privileged Access Manager users.
    • Managed groups -- collections of users that appear on integrated systems, such as AD or LDAP.
  • Team vaults are only used to store and retrieve passwords -- not to set or randomize them -- where there is no communication with target systems. Team vaults contain:
    • System vaults -- representations of systems in the environment, but without a connector or technical integration.
    • Vault accounts -- representations of accounts on system vaults, along with stored (but not actively managed) passwords.
  • Proxy zone -- a set of Privileged Access Manager proxy servers responsible for running connectors that communicate with a set of systems, typically in the same location or on the same network segment. Privileged Access Manager may also connect to managed systems directly; that is, a connector runs locally on the Privileged Access Manager application server and uses an appropriate API and network protocol to sign into the system in question.

Team management in Identity Express: Privileged Access Edition includes request forms to manage teams, managed systems, managed accounts, etc. Request forms are provided to:

  • Create new and modify existing teams and team vaults.

  • Onboard new managed systems, by specifying the system's type, address, proxy zone and either new or existing credentials with which Privileged Access Manager will connect to the system (both operationally and as evidence that the requester already has access to the system in question).

    The Identity Express: Privileged Access Edition managed system onboarding form currently supports the following types of systems:

    • Linux: CentOS/RHEL/SuSE.
    • Database: Oracle.
    • Windows server.
    • Solaris
    • AIX

    Additional components are available and expand Identity Express: Privileged Access Edition integrations to also support:

    • Checkpoint GIA
    • Cisco ASA, IOS and IronPort
    • ESXi
    • iSeries
    • SQL Server
    • Sybase ASE and IQ
    • Tandem
    • Teradata
    • z/OS - RACF
    • z/VM - TopSecret

    Components can be readily developed to integrate with other types of systems and applications, as Privileged Access Manager includes a rich set of connectors.

  • Move a managed system to a different team.

  • Off-board a managed system (moving its credential and check-out history data to an archival policy).

  • Onboard accounts, by specifying a team, managed system, disclosure type and session monitoring rules.

  • Modify or off-board managed accounts.

  • Create new and modify existing team vaults.

  • Create new and modify existing vault systems and accounts.

Business rules available in team vaults support the following types of access disclosure:

  • Remote Desktop (RDP).
  • Secure Shell and Secure Copy, using PuTTY, SecureCRT and WinSCP
  • Database administrator access using Oracle SQL Developer and Toad.
  • Password display and copy buffer integration.

Additional components are available and expand Identity Express: Privileged Access Edition integrations to also support SQL Studio (Microsoft), vSphere credential injection into HTML login forms and more.

Bulk onboarding is available through the Resource Management Service (RMS) This service submits requests via a SOAP/HTTPS web services API and from CSV files, using the CSV-to-PDR bulk form submission mechanism.

Once systems and accounts have been onboarded using the team infrastructure, users can sign into Privileged Access Manager and use the usual request mechanism to search, request access, initiate a check-out, disclose access, check-in access, review session recordings, etc.


Comment via LinkedIn