2 Me - Information Assurance | ISACA
2 Me
Speaker • Ed Breay • Sr. Sales Engineer, Hitachi ID Systems.
Company • Hitachi, Ltd.: a 100-year-old Fortune 100 conglomerate.
• Hitachi ID Systems, Inc.: a 19-year-old IAM software subsidiary.
• Headquarters in Calgary, Alberta, Canada.
• 150+ employees, offices worldwide.
Product • Hitachi ID Privileged Access Manager.
Customers • Over 1000 enterprises.
• Average 12,000 employees.
Vault destroyed or at least unreachable from some locations.
• Real-time data replication.
• Fault-tolerant (geographically dispersed).
• Bandwidth efficient.
• Functional over high-latency WAN links.
7.3 Authentication/authorization
Control who can gain access and what they can access.
• Identify users with an existing directory.
• Multi-factor authentication (e.g., token, card, phone).
• Authorize using AD/LDAP groups, attributes.
• Workflow for one-time requests.
• Detect and remove users added to authorized groups out-of-band.
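The last control above, detecting members added to an authorized group outside the request workflow, as an added example that is not from the presentation or from Hitachi ID's product: it reconciles the directory's current group membership against the workflow's approval records (including one-time requests that have expired) and lists the members to remove. The group DNs, account names and approval dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data, not real accounts or groups.
# Approvals held by the request/approval workflow: member -> expiry date
# (None means standing access; a date means a one-time request).
APPROVED = {
    "CN=Server-Admins,OU=Groups,DC=example,DC=com": {
        "alice": None,
        "bob": None,
        "erin": date(2024, 1, 31),   # one-time request that has lapsed
    },
    "CN=DBA-Admins,OU=Groups,DC=example,DC=com": {"carol": None},
}
# Current membership as read back from the directory.
DIRECTORY = {
    "CN=Server-Admins,OU=Groups,DC=example,DC=com": {"alice", "bob", "erin", "mallory"},
    "CN=DBA-Admins,OU=Groups,DC=example,DC=com": {"carol", "dave"},
}
CHECK_DATE = date(2024, 6, 1)   # the day the reconciliation runs

@dataclass
class Drift:
    group: str
    out_of_band: set   # in the directory without a currently valid approval
    missing: set       # approved but absent (usually a provisioning failure)

def reconcile(approved, directory, today):
    """Compare valid approvals with actual membership, group by group."""
    report = []
    for group in sorted(set(approved) | set(directory)):
        valid = {m for m, expiry in approved.get(group, {}).items()
                 if expiry is None or expiry >= today}
        have = directory.get(group, set())
        drift = Drift(group, have - valid, valid - have)
        if drift.out_of_band or drift.missing:
            report.append(drift)
    return report

def removals(report):
    """(group, member) pairs to remove; the directory write itself is left to the caller."""
    return [(d.group, m) for d in report for m in sorted(d.out_of_band)]

if __name__ == "__main__":
    for group, member in removals(reconcile(APPROVED, DIRECTORY, CHECK_DATE)):
        print(f"remove {member} from {group}")
```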
• Financial services.
• 60,000+ employees.
• Over $500,000,000,000 in assets.
• Global – offices in 30+ countries.
• Heavily regulated.
• Extremely mature home-grown processes and controls.
8.2 Requirements
• Eliminate static passwords on servers and workstations.
• Windows PCs and servers:
  – Laptops → PCs → servers. Admin IDs → service accounts.
• Unix/Linux servers:
  – Admin IDs → embedded passwords.
• Control processes:
  – Workflow to request, approve, grant access to AD groups.
  – Access certification for AD groups.
• Future phases:
  – Grant access via group membership, no password disclosure.
  – Record admin login sessions.
  – Record logins of high-value, non-IT users.
  – Add platforms (e.g., network devices, mainframe).
  – Lifecycle management of functional accounts.