
Scalable Privileged Access Management Deployment experience of a global-scale privileged access management system at Bank of America. Identity and Access.


1 Scalable Privileged Access Management
Deployment experience of a global-scale privileged access management system at Bank of America.
Identity and Access Management. Guaranteed. © 2012 Hitachi ID Systems, Inc. All rights reserved.

2 Introductions

3 Introductions: Company

4 Introductions: Global profile
- 40 countries
- 25,912 global offices and facilities
(Bank of America 2011 Corporate Social Responsibility Report)

5 Introductions: Presenter
Mike Futty, VP, Platform Security Engineering. Responsible for:
- Windows systems security engineering.
- Platform security baselines.
- Design, engineering and troubleshooting for access control infrastructure.
- Security product selection, design and deployment.
11 years at Bank of America Corp. (BAC).
Also available to answer questions: Idan Shoham, CTO, Hitachi ID.

6 Why worry about privileged accounts?

7 Why worry about privileged accounts? Background
- BAC has made many acquisitions, which brought in many legacy systems.
- Today, including subsidiaries, BAC has over 275,000 employees globally.
- Thousands have some form of elevated access (OS, application, etc.).
- BAC has a decentralized IT organization, typical for large firms.
- There is a clear need for stronger internal controls over access to privileged IDs.

8 Where are these accounts?

9 Where are these accounts? Privileged IDs are everywhere

10 Objectives and requirements

11 Objectives and requirements: Basic concept
- Eliminate static passwords to shared IDs with elevated privileges.
- Set passwords to random values, on a schedule and at check-in time.
- Apply a uniform policy to who can sign into what.
- Implement a "class of service" access policy based on:
  - Risk.
  - Organization (business unit).
  - Environment (prod, dev, etc.).
  - Location.
- Eliminate persistent access by developers to production systems.
- Create transparent audit logs of privileged access across the enterprise.
- Record activity during privileged logins.

12 Objectives and requirements: Business requirements
- Satisfy numerous process requirements:
  - Not slow down or impact current access.
  - Minimal ongoing support.
- Meet regulatory requirements:
  - Different jurisdictions with different mandates.
  - Requirements for on-boarding, access control, approvals, audit logs and more.
- Pre-authorized access for admins, request/approval workflow for everybody else.
- Manageable process for on-boarding many systems and accounts at once.
- Training: up front and ongoing.
- Forensic audits: who broke this server?

13 Objectives and requirements: Security
The whole point of this system is higher security:
- Overarching principle: minimize the number of people with persistent administrative access.
- Eliminate full-time developer access to production systems.
- Provide a temporary access mechanism.
- Session logging.
- Audit trail: who had, and who used, access to this system?
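The check-out/check-in cycle and "class of service" policy from slides 11 to 13, written here as an added example; it is not code from the presentation or from Hitachi ID's HiPAM product. The account attributes, the admin/developer roles, the approved flag and the in-memory audit list are assumptions, and the policy models three of the four dimensions on slide 11 (risk, business unit, environment), leaving location out.

```python
import secrets
from dataclasses import dataclass, field
AUDIT = []  # constructed in-memory audit trail of (event, user, system, login)

def random_password():
    return secrets.token_urlsafe(18)  # 24 characters nobody has seen yet

@dataclass
class ManagedAccount:
    system: str
    login: str          # e.g. administrator, root, fire-call
    risk: str           # "high", "medium" or "low"
    business_unit: str
    environment: str    # "prod" or "dev"
    password: str = field(default_factory=random_password)
    checked_out_by: str = ""

@dataclass
class Requester:
    user: str
    roles: set
    business_unit: str

def decide(req, acct):
    """Class-of-service policy: 'granted' (pre-authorized), 'approval' (workflow) or 'denied'."""
    if req.business_unit != acct.business_unit:
        return "denied"  # organization dimension: other business units get nothing
    if "admin" in req.roles:
        return "approval" if acct.risk == "high" else "granted"  # risk dimension
    if "developer" in req.roles:
        return "approval" if acct.environment == "prod" else "granted"  # no persistent prod access
    return "denied"

def check_out(req, acct, approved=False):
    """Disclose the password for one session unless policy, a missing approval or an active checkout blocks it."""
    decision = decide(req, acct)
    if decision == "denied" or (decision == "approval" and not approved) or acct.checked_out_by:
        AUDIT.append(("checkout-refused", req.user, acct.system, acct.login))
        return None
    acct.checked_out_by = req.user
    AUDIT.append(("checkout", req.user, acct.system, acct.login))
    return acct.password

def check_in(req, acct):
    """Release the account and rotate the password so the disclosed value stops working."""
    if acct.checked_out_by != req.user:
        return False
    acct.password, acct.checked_out_by = random_password(), ""
    AUDIT.append(("checkin-rotated", req.user, acct.system, acct.login))
    return True
```

Every refusal is recorded as well as every grant, which is what makes the "who had and who used access" question on slide 13 answerable from the trail alone.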

14 Objectives and requirements: Technical requirements
- Fault tolerant (fire, flood, earthquake, hurricane, etc.).
- Scalable:
  - Hundreds of thousands of systems.
  - Thousands of people.
  - Tens of thousands of logins daily.
  - Record 10,000 concurrent sessions globally.
- Integrate with:
  - Existing security infrastructure.
  - Many platforms (Windows, Unix, Linux, iLO, DRAC, ESXi, etc.).
  - Multiple AD domains.
  - Systems on dozens of DMZs.
- Administrator-friendly:
  - Support for multiple SSH clients.
  - Support for other admin tools (SQL Studio, vSphere, etc.).
- Easily expandable.
- Automatic discovery and classification of systems.

15 Real-world deployment

16 Real-world deployment: An enterprise IT project

17 Real-world deployment: Timeline

18 Challenges

19 Challenges: Project
- Funding: up-front and ongoing.
- Setting realistic expectations (some stake-holders wanted it before it was even up).
- Stopping people from trying to solve every problem at once.
- Getting stake-holders to recognize the need for priority and incremental deployment.

20 Challenges: Organization
- Resistance to change by people who already have elevated access.
- Convincing line-of-business IT operations teams to:
  - Use a uniform access control model.
  - Grant credentials for HiPAM to use.
- Ensuring that stake-holders don't use the system to automate existing insecure processes (insist on a policy of least privilege).
- Training a revolving door of new users.

21 Challenges: Technical
- Modeling a production environment with 100+ platforms and 100,000+ systems in QA and development.
- Reliable data about who owns what in the context of a dynamic organization.
- Testing: easy to test with one system, hard with a thousand.
- OS patches and policies that cause severe performance degradation (KB 2689311).
- Deploying the same OCX controls to Windows XP, Windows 7, etc.
- Deactivating legacy password management processes.
- Gradual activation without disrupting existing IDs.

22 Current state

23 Current state: Network architecture
Available and running:
- 5 replicated PAM nodes on 3 continents.
- Multi-master architecture.
- Each node has an app server, a SQL server and a session monitoring server.
- Nodes can fail without a service disruption.
- On-boarding accounts on Windows and Unix systems (administrator, root, fire-call).
- Load balanced globally.

24 Current state: Global scale and multi-master

25 Future

26 Future: Expand scope
- Secure passwords to Windows service accounts.
- Replace embedded passwords in applications.
- Add platforms (e.g., z/OS).
- Secure the Administrator ID on desktops.

27 Questions?
