Hitachi ID Privileged Password Manager: Securing Administrator Passwords
Overview
Hitachi ID Privileged Password Manager (ID-Archive) is a system for securing privileged passwords across large numbers of devices. It works by regularly randomizing privileged passwords on workstations, servers and applications. Random passwords are encrypted and stored on at least two replicated servers. Passwords may be disclosed:
- To administrators, after they have authenticated and their requests have been authorized.
- To applications, replacing embedded passwords.
- To Windows workstations and servers, which need them to start services.
Alternately to password disclosure, access may be disclosed by temporarily placing an authorized user into a privileged security group on a managed device.
Password changes and disclosure are closely controlled and audited, to satisfy policy and regulatory requirements.
Problems with Managing Privileged Passwords
Many organizations have insecure processes for managing privileged passwords -- local IDs and passwords embedded in servers, workstations and applications with elevated privileges. Inappropriate disclosure of these passwords would lead to serious security compromise:
- Hundreds or thousands of workstations and servers often share the same administrator credentials. If one device is compromised, all are compromised.
- With thousands of workstations and servers, it is difficult or impossible to ever change these passwords. Privileged passwords remain the same for months or years, creating an extended window of opportunity for an attacker to crack them.
- If administrator passwords are rarely changed, as IT staff turn over, ex-staff retain access to sensitive systems.
Managing Server Passwords
To manage administrator passwords on servers (i.e., IT assets attached to the network at fixed addresses), each Privileged Password Manager server runs a password updating service. This service periodically runs a connector, also on the Privileged Password Manager server, that communicates with a single target server and changes a single password. Upon successfully setting the new password, the service updates the Privileged Password Manager server with the new password, thus making it available to IT staff. The new password is automatically, immediately and securely replicated to all other Privileged Password Manager servers.
This process is repeated thousands of times daily, for different types of servers (Windows, Unix, Linux, DBMS, mainframe, application, etc.), using different types of connectors. Connectors for over 70 types of servers and applications are included with Privileged Password Manager.
Managing Workstation Passwords
To manage privileged passwords on mobile workstations (typically laptops), Privileged Password Manager includes a service that installs on the relevant PCs and contacts a central server to coordinate local password changes.
This architecture has several important advantages:
- The workstation service uses only HTTPS to communicate with the central server and works even when the workstation is connected behind NAT devices, firewalls or application proxies.
- The workstation service does not randomize passwords unless it has established connectivity with the central privileged password management server. This avoids a situation where the central server does not know the new password value for a workstation.
- Dynamic IP addresses have no impact on this architecture.
- Physical relocation and long periods of detached network connectivity may delay updates to local passwords, but do not introduce a failure whereby the local administrator passwords on a workstation are unknown.
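The property that both sections above depend on is that the central store always holds a password that works on the device: the server connector stores the new value after setting it, and the workstation agent refuses to randomize until it can reach the central server. The following simulation is an added example written for this page, not Hitachi ID code; the Vault, Device and pending/commit protocol are assumptions made to show the ordering that keeps the invariant through three failure modes (the change fails on the device, the agent is offline, and the process dies between setting and recording the password).

```python
"""Constructed simulation of privileged-password rotation in which the central
vault always holds a password that works on the device. Added example for this
page, not Hitachi ID code; Vault, Device and the pending/commit steps are
assumptions made for illustration."""
import secrets
import string
from dataclasses import dataclass, field
from typing import Optional

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def random_password(length: int = 24) -> str:
    # CSPRNG-backed, so each device ends up with an unrelated value.
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class Credential:
    current: str                    # last password confirmed to work
    pending: Optional[str] = None   # candidate being rolled out
    audit: list = field(default_factory=list)


class Vault:
    """In-memory stand-in for the central credential store (assumed)."""

    def __init__(self) -> None:
        self.store = {}

    def enroll(self, device: str, password: str) -> None:
        self.store[device] = Credential(current=password)

    def begin_rotation(self, device: str, new: str) -> None:
        # Phase 1: record the candidate BEFORE it is set on the device, so a
        # crash between phases never leaves a password that nobody knows.
        cred = self.store[device]
        cred.pending = new
        cred.audit.append("pending")

    def commit_rotation(self, device: str) -> None:
        cred = self.store[device]
        cred.current, cred.pending = cred.pending, None
        cred.audit.append("committed")

    def abort_rotation(self, device: str) -> None:
        cred = self.store[device]
        cred.pending = None
        cred.audit.append("aborted")

    def candidates(self, device: str) -> list:
        cred = self.store[device]
        return [p for p in (cred.current, cred.pending) if p]


class Device:
    """Simulated managed host: a server reached through a connector, or a
    laptop running the agent. `fail_set` simulates a failed password change."""

    def __init__(self, name: str, password: str, fail_set: bool = False) -> None:
        self.name = name
        self.password = password
        self.fail_set = fail_set

    def check(self, password: str) -> bool:
        return password == self.password

    def set_password(self, old: str, new: str) -> bool:
        if self.fail_set or not self.check(old):
            return False
        self.password = new
        return True


def rotate(vault: Vault, device: Device, crash_after_set: bool = False) -> bool:
    """Connector-style rotation driven from the vault side."""
    cred = vault.store[device.name]
    new = random_password()
    vault.begin_rotation(device.name, new)
    if not device.set_password(cred.current, new):
        vault.abort_rotation(device.name)   # device still has the old password
        return False
    if crash_after_set:
        return False   # simulated crash: pending stays recorded for recovery
    vault.commit_rotation(device.name)
    return True


def agent_rotate(vault: Optional[Vault], device: Device) -> bool:
    """Workstation-agent rotation. `vault` is None when the laptop has no HTTPS
    path to the central server; in that case nothing changes locally."""
    if vault is None:
        return False
    return rotate(vault, device)


def recover_rotation(vault: Vault, device: Device) -> bool:
    """On restart, settle any rotation that was left pending."""
    cred = vault.store[device.name]
    if cred.pending is None:
        return True
    if device.check(cred.pending):
        vault.commit_rotation(device.name)
        return True
    if device.check(cred.current):
        vault.abort_rotation(device.name)
        return True
    return False   # neither candidate works: needs manual attention


def vault_knows_password(vault: Vault, device: Device) -> bool:
    return device.password in vault.candidates(device.name)
```

Recording the candidate before the change is applied is what makes the crash case recoverable: after a restart, `recover_rotation` tries both stored values against the device and commits whichever one works, so the only unrecoverable state is one where neither candidate matches, which the audit trail then surfaces.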
High Availability and Data Replication
Once deployed, Privileged Password Manager becomes an essential part of an organization's IT infrastructure, since it alone houses privileged passwords for thousands of networked devices. An outage in Privileged Password Manager would mean that administrative access to a range of devices is interrupted -- a major outage to IT service.
Since servers occasionally break down, Privileged Password Manager supports load balancing and data replication between multiple physical servers. Any data updates written to its credential database are replicated, in real time, across all servers.
In short, Privileged Password Manager incorporates a highly available, replicated, multi-master architecture.
To provide out-of-the-box data replication, Privileged Password Manager includes a database service that replicates data between multiple instances. This service can be configured to use either Oracle or Microsoft SQL Server databases as the physical storage mechanism. Hitachi ID Systems recommends one physical database instance per Privileged Password Manager server, normally on the same physical hardware as Privileged Password Manager itself.
The Privileged Password Manager data replication system makes it both simple and advisable for organizations to build a highly-available Privileged Password Manager server cluster, spanning multiple servers, with each server placed in a different physical site. Replication traffic is encrypted, authenticated, bandwidth-efficient and tolerant of latency, making it suitable for deployment over a WAN.
This multi-site, multi-master replication is configured at no additional cost, beyond that of the hardware for additional Privileged Password Manager servers, and with minimal administrative effort.
Network Architecture
The Privileged Password Manager network architecture is illustrated in Figure [link].
Privileged Password Manager Network Architecture Diagram (1)