Presentation is loading. Please wait.

Presentation is loading. Please wait.

Scalable Privileged Access Management Deployment experience of a global-scale privileged access management system at Bank of America. Identity and Access.

Similar presentations


Presentation on theme: "Scalable Privileged Access Management Deployment experience of a global-scale privileged access management system at Bank of America. Identity and Access."— Presentation transcript:

1 Scalable Privileged Access Management Deployment experience of a global-scale privileged access management system at Bank of America. Identity and Access Management. Guaranteed. © 2012 Hitachi ID Systems, Inc. All rights reserved.

2 Introductions

3 Identity and Access Management. Guaranteed. © 2012 Hitachi ID Systems, Inc. All rights reserved. Introductions Company

4 Identity and Access Management. Guaranteed. © 2012 Hitachi ID Systems, Inc. All rights reserved. Introductions Global profile 40 Countries 25,912 Global Offices and Facilities (Bank of America 2011 Corporate Social Responsibility Report)

5 Identity and Access Management. Guaranteed. © 2012 Hitachi ID Systems, Inc. All rights reserved. Introductions Presenter Mike Futty VP, Platform Security Engineering. Responsible for: Windows systems security engineering. Platform security baselines. Design, engineering and troubleshooting for access control infrastructure. Security product selection, design and deployment. 11 years at Bank of America, Corp (BAC). Also available to answer questions: Idan Shoham, CTO, Hitachi ID.

6 Identity and Access Management. Guaranteed. © 2012 Hitachi ID Systems, Inc. All rights reserved. Why worry about privileged accounts?

7 Identity and Access Management. Guaranteed. © 2012 Hitachi ID Systems, Inc. All rights reserved. Why worry about privileged accounts? Background BAC has made many acquisitions, which brought in many legacy systems. Today, including subsidiaries: BAC has over 275,000 employees, globally. Thousands have some form of elevated access (OS, app, etc.). BAC has a decentralized IT organization -- typical for large firms. There is a clear need for stronger internal controls over access to privileged IDs.

8 Identity and Access Management. Guaranteed. © 2012 Hitachi ID Systems, Inc. All rights reserved. Where are these accounts?

9 Identity and Access Management. Guaranteed. © 2012 Hitachi ID Systems, Inc. All rights reserved. Where are these accounts? Privileged IDs are everywhere

10 Identity and Access Management. Guaranteed. © 2012 Hitachi ID Systems, Inc. All rights reserved. Objectives and requirements

11 Identity and Access Management. Guaranteed. © 2012 Hitachi ID Systems, Inc. All rights reserved. Objectives and requirements Basic concept Eliminate static passwords to shared IDs with elevated privileges. Set passwords to random values - scheduled and at check-in time. Apply uniform policy to who can sign into what. Implement "class of service" access policy: Risk. Organization (business unit.). Environment (prod, dev, etc.). Location. Eliminate persistent access by developers to production systems. Create transparent audit logs of privileged access across the enterprise. Record activity during privileged logins.

12 Identity and Access Management. Guaranteed. © 2012 Hitachi ID Systems, Inc. All rights reserved. Objectives and requirements Business requirements Satisfy numerous process requirements: Not slow down or impact current access. Minimal ongoing support. Meet regulatory requirements: Different jurisdictions with different mandates. Requirements for on-boarding, access control, approvals, audit logs and more. Pre-authorized access for admins, request/approval workflow for everybody else. Manageable process for on-boarding many systems, accounts at once. Training: up front and ongoing. Forensic audits: who broke this server?

13 Identity and Access Management. Guaranteed. © 2012 Hitachi ID Systems, Inc. All rights reserved. Objectives and requirements Security The whole point of this system is higher security: Overarching principle: minimize the number of people with persistent administrative access. Eliminate full-time developer access from production systems. Provide a temporary access mechanism. Session logging. Audit trail: who had and who used access to this system?

14 Identity and Access Management. Guaranteed. © 2012 Hitachi ID Systems, Inc. All rights reserved. Objectives and requirements Technical Requirements Fault tolerant (fire, flood, earthquake, hurricane, etc.). Scalable: Hundreds of thousands of systems. Thousands of people. Tens of thousands of logins daily. Record 10,000 concurrent sessions globally. Integrate with: Existing security infrastructure. Many platforms (Windows, Unix, Linux, iLO, DRAC, ESXi, etc.). Multiple AD domains. Systems on dozens of DMZs. Administrator-friendly: Support for multiple SSH clients. Support for other admin tools (SQL Studio, vSphere, etc.). Easily expandable. Automatic discovery and classification of systems.

15 Identity and Access Management. Guaranteed. © 2012 Hitachi ID Systems, Inc. All rights reserved. Real-world deployment

16 Identity and Access Management. Guaranteed. © 2012 Hitachi ID Systems, Inc. All rights reserved. Real-world deployment An enterprise IT project

17 Identity and Access Management. Guaranteed. © 2012 Hitachi ID Systems, Inc. All rights reserved. Real-world deployment Timeline

18 Identity and Access Management. Guaranteed. © 2012 Hitachi ID Systems, Inc. All rights reserved. Challenges

19 Identity and Access Management. Guaranteed. © 2012 Hitachi ID Systems, Inc. All rights reserved. Funding: up-front and ongoing. Setting realistic expectations (some stake-holders wanted it before it was even up). Stop people from trying to solve every problem at once. Getting stake-holders to recognize the need for priority and incremental deployment. Challenges Project

20 Identity and Access Management. Guaranteed. © 2012 Hitachi ID Systems, Inc. All rights reserved. Challenges Organization Resistance to change by people who already have elevated access. Convince line of business IT operations teams to: Use a uniform access control model. Grant credentials for HiPAM to use. Ensuring that stake-holders don't use the system to automate existing insecure processes (insist on a policy of least privilege) Training a revolving door of new users

21 Identity and Access Management. Guaranteed. © 2012 Hitachi ID Systems, Inc. All rights reserved. Modeling a production environment with 100+ platforms and 100,000+ systems in QA and development. Reliable data about who owns what in the context of a dynamic organization. Testing: easy to test with one system, hard with a thousand OS patches and policies that cause severe performance degradation. (KB ) Deploying the same OCX controls to Windows XP, Windows 7, etc. Deactivating legacy password management processes. Gradual activation without disrupting existing IDs. Challenges Technical

22 Identity and Access Management. Guaranteed. © 2012 Hitachi ID Systems, Inc. All rights reserved. Current state

23 Identity and Access Management. Guaranteed. © 2012 Hitachi ID Systems, Inc. All rights reserved. Current state Network architecture Available and running: 5 replicated PAM nodes on 3 continents. Multi-master architecture. Each node has an app server, a SQL server and a session monitoring server. Nodes can fail without a service disruption. On-boarding accounts on Windows and Unix systems (administrator, root, fire-call). Load balanced globally.

24 Identity and Access Management. Guaranteed. © 2012 Hitachi ID Systems, Inc. All rights reserved. Current state Global scale and multi-master

25 Identity and Access Management. Guaranteed. © 2012 Hitachi ID Systems, Inc. All rights reserved. Future

26 Identity and Access Management. Guaranteed. © 2012 Hitachi ID Systems, Inc. All rights reserved. Future Expand scope Secure passwords to Windows service accounts. Replacing embedded passwords in applications. Add platforms (e.g., z/OS). Secure Administrator ID on desktops.

27 Identity and Access Management. Guaranteed. © 2012 Hitachi ID Systems, Inc. All rights reserved. Questions?


Download ppt "Scalable Privileged Access Management Deployment experience of a global-scale privileged access management system at Bank of America. Identity and Access."

Similar presentations


Ads by Google