Securing Embedded Passwords
Business and technical challenges; Hitachi ID Privileged Access Manager approach.

Catch-22?
• How does the script or application authenticate itself to the Hitachi ID Privileged Access Manager system?
• Using an ID and password?
• Unattended processes cannot use a token or smart card ...
• If using PKI – then a password is needed to unlock the private key / certificate ...
• Haven't we just replaced one password with another?

Analysis
• There is no silver bullet for this problem.
  – Just like perpetual motion machines.
  – Somebody "invents" a new one every year.
• How do we make life more difficult for an attacker?
• Assume he's compromised:
  – The application's source code ...
  – The server's filesystem ...
  – Backup media ...
• It seems we can't get away from a password at some point in the process.
• How about changing this password often?
• Like every time it's used!
• And verifying that connections come from a server at the expected location.

Hitachi ID Privileged Access Manager API authentication
• One-time password:
  – Use a password to sign into the web service.
  – Change the password at every successful login.
• IP subnet filtering:
  – The API client must come from the right subnet.
• Audit logs.

Real world complexity
• Need to store the current value of the OTP.
• Serialize API access:
  – Avoid race conditions.
  – Must know which "new OTP" is valid.
• Caching to reduce API service workload:
  – Imagine 100 apps, each needing passwords 10,000 times/second.
  – 1,000,000 web service calls/second?
  – Cache passwords fetched from the API.
  – Bonus: resiliency in the event of service disruption.
• Encrypt cached passwords and the current OTP:
  – Local storage, formatting.
  – Key generation.

API wrapper
• Important layer to manage:
  – Complexity of SOAP.
  – OTP change management and serialization.
  – Password caching.
  – Encryption and key generation.
• The wrapper is available as:
  – Windows native and .NET.
  – Linux, Unix native and Java.
  – Command-line and .so/.DLL library.
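The following is an added example, not code from Hitachi ID or from the Privileged Access Manager API or wrapper. It simulates, in Python, the two sides of the scheme the slides describe: a web service that rotates the caller's one-time password on every successful login and refuses clients outside an allowed subnet (writing an audit entry either way), and a client-side wrapper that serializes logins behind a lock, caches fetched passwords with a TTL, and keeps both the current OTP and the cached passwords encrypted at rest. The account name, subnet, target names, password values and the in-memory "vault" are all constructed; the HMAC-based encrypt-then-MAC is a standard-library stand-in for the AES-GCM a real wrapper would use.

```python
"""Constructed simulation of OTP-rotating API authentication plus a caching,
serializing, encrypting client wrapper. All names and values are invented."""
import hashlib
import hmac
import ipaddress
import secrets
import threading
import time


class PamService:
    """Stand-in for the privileged access web service (constructed, not the real API)."""

    def __init__(self, account, first_otp, allowed_subnet):
        self._otp = {account: first_otp}
        self._subnet = ipaddress.ip_network(allowed_subnet)
        self._vault = {"db-prod/svc_app": "S3cret!db", "ldap/svc_sync": "Ld4p!sync"}
        self.audit = []  # (event, account, client_ip) tuples

    def login(self, account, otp, client_ip):
        """Check subnet, then OTP; on success return (session, next_otp)."""
        if ipaddress.ip_address(client_ip) not in self._subnet:
            self.audit.append(("DENY_SUBNET", account, client_ip))
            raise PermissionError("client outside allowed subnet")
        if not hmac.compare_digest(otp, self._otp.get(account, "")):
            self.audit.append(("DENY_OTP", account, client_ip))
            raise PermissionError("bad one-time password")
        next_otp = secrets.token_urlsafe(24)
        self._otp[account] = next_otp  # the OTP just presented is now useless
        self.audit.append(("LOGIN_OK", account, client_ip))
        return secrets.token_hex(16), next_otp

    def get_password(self, session, target):
        return self._vault[target]


class LocalCrypto:
    """Encrypt-then-MAC for values the client keeps locally (OTP, passwords).
    Keystream = HMAC-SHA256(key, nonce || counter); stdlib stand-in for AES-GCM."""

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)  # key generation

    def _stream(self, nonce, n):
        blocks = (hmac.new(self._key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range((n + 31) // 32))
        return b"".join(blocks)[:n]

    def seal(self, text):
        nonce, data = secrets.token_bytes(16), text.encode()
        ct = bytes(a ^ b for a, b in zip(data, self._stream(nonce, len(data))))
        return nonce + ct + hmac.new(self._key, nonce + ct, hashlib.sha256).digest()

    def open(self, blob):
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(self._key, nonce + ct, hashlib.sha256).digest()):
            raise ValueError("locally stored value was tampered with")
        return bytes(a ^ b for a, b in zip(ct, self._stream(nonce, len(ct)))).decode()


class PamWrapper:
    """Client layer: one login at a time, encrypted OTP and cache, TTL-based caching."""

    def __init__(self, service, account, first_otp, client_ip, cache_ttl=60.0):
        self._svc, self._account, self._ip, self._ttl = service, account, client_ip, cache_ttl
        self._crypto = LocalCrypto()
        self._otp_blob = self._crypto.seal(first_otp)  # current OTP, never held in clear
        self._cache = {}  # target -> (sealed password, expiry)
        self._lock = threading.Lock()
        self.api_logins = 0

    def get_password(self, target, now=None):
        now = time.monotonic() if now is None else now
        with self._lock:  # serialize: a forked OTP chain would lock every caller out
            hit = self._cache.get(target)
            if hit and hit[1] > now:
                return self._crypto.open(hit[0])
            otp = self._crypto.open(self._otp_blob)
            session, next_otp = self._svc.login(self._account, otp, self._ip)
            self._otp_blob = self._crypto.seal(next_otp)  # persist the new OTP first
            self.api_logins += 1
            password = self._svc.get_password(session, target)
            self._cache[target] = (self._crypto.seal(password), now + self._ttl)
            return password


def demo():
    """Ten threads hit the wrapper at once; the lock keeps every login's OTP valid."""
    svc = PamService("api_batch", "first-otp-0001", "10.20.0.0/24")
    wrap = PamWrapper(svc, "api_batch", "first-otp-0001", "10.20.0.15")
    results, errors = [], []

    def worker(i):
        try:
            results.append(wrap.get_password("db-prod/svc_app" if i % 2 else "ldap/svc_sync"))
        except PermissionError as exc:
            errors.append(exc)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(10)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return {"ok": len(results), "errors": len(errors), "logins": wrap.api_logins,
            "audit": [e[0] for e in svc.audit]}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the effect of the cache and the lock together: ten concurrent callers on two targets produce only two logins and two `LOGIN_OK` audit entries, and every caller gets its password. Removing the `with self._lock` block is the quickest way to see the race the slides warn about, since two threads would then present the same OTP and only one of them can win.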