Securing Embedded Passwords


1 Securing Embedded Passwords

Business and technical challenges; Hitachi ID Privileged Access Manager approach.

2 Baseline scenario

© 2017 Hitachi ID Systems, Inc. All rights reserved.



Slide Presentation

3 Plaintext passwords


4 Basic approach


5 Catch-22?

• How does the script or application authenticate itself to the Hitachi ID Privileged Access Manager system?
• Using an ID and password?
• Unattended processes cannot use a token or smart card ...
• If using PKI – then a password is needed to unlock the private key / certificate ...
• Haven’t we just replaced one password with another?

6 Analysis

• There is no silver bullet for this problem.
  – Just like perpetual motion machines.
  – Somebody "invents" a new one every year.
• How do we make life more difficult for an attacker?
• Assume he’s compromised:
  – The application’s source code...
  – The server’s filesystem...
  – Backup media...
• It seems we can’t get away from a password at some point in the process.
• How about changing this password often?
• Like every time it’s used!
• And verifying that connections come from a server at the expected location.

7 Hitachi ID Privileged Access Manager API authentication

• One time password:
  – Use a password to sign into the web service.
  – Change the password at every successful login.
• IP subnet filtering:
  – API client must come from the right subnet.
• Audit logs.


8 Authentication

9 Real world complexity

• Need to store current value of the OTP.
• Serialize API access:
  – Avoid race conditions.
  – Must know which "new OTP" is valid.
• Caching to reduce API service workload:
  – Imagine 100 apps, each needing passwords 10,000 times/second.
  – 1,000,000 web service calls/second?
  – Cache passwords fetched from the API.
  – Bonus: resiliency in the event of service disruption.
• Encrypt cached passwords and current OTP:
  – Local storage, formatting.
  – Key generation.
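Slides 7 and 9 together describe the mechanism; the following Python simulation is an added example, not Hitachi ID code: a toy service that enforces the subnet filter, checks the OTP, rotates it on every successful login and keeps an audit log, beside a client-side wrapper that serialises logins with a lock, stores the returned OTP before doing anything else and caches fetched passwords. The subnet, account name and secrets are constructed placeholders, and the encrypted local storage from slide 9 is left out.

```python
import ipaddress
import secrets
import threading

# Constructed values for the simulation; none of these come from the presentation.
ALLOWED_SUBNET = ipaddress.ip_network("10.0.5.0/24")
VAULT = {"svc-db": "constructed-db-secret"}  # accounts the service manages


class PamService:
    """Stand-in for the API service: subnet filter, OTP check, rotate on success, audit."""

    def __init__(self, initial_otp):
        self._otp = initial_otp
        self.audit = []  # (outcome, client_ip, account) records

    def checkout(self, client_ip, otp, account):
        """Return (new_otp, password) on success; None on any rejection."""
        if ipaddress.ip_address(client_ip) not in ALLOWED_SUBNET:
            self.audit.append(("deny-subnet", client_ip, account))
            return None
        if not secrets.compare_digest(otp, self._otp):
            self.audit.append(("deny-otp", client_ip, account))
            return None
        self._otp = secrets.token_urlsafe(24)  # the old OTP is dead from here on
        self.audit.append(("ok", client_ip, account))
        return self._otp, VAULT[account]


class ApiWrapper:
    """Client-side wrapper: serialises logins, tracks the live OTP, caches passwords."""

    def __init__(self, service, client_ip, otp):
        self._service, self._ip, self._otp = service, client_ip, otp
        self._lock = threading.Lock()
        self._cache = {}
        self.api_calls = 0

    def get_password(self, account):
        with self._lock:  # one login in flight at a time, so only one "new OTP" can exist
            if account in self._cache:  # cache hit: no web service call at all
                return self._cache[account]
            self.api_calls += 1
            result = self._service.checkout(self._ip, self._otp, account)
            if result is None:
                raise PermissionError("API login rejected; see service audit log")
            self._otp, password = result  # persist the new OTP before anything else
            self._cache[account] = password
            return password
```

A second client that still holds the old OTP (or a replay of it) is rejected after the first successful login, which is exactly why the wrapper must serialise calls and store the new value immediately.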


10 Authentication


11 API wrapper

• Important layer to manage:
  – Complexity of SOAP.
  – OTP change management and serialization.
  – Password caching.
  – Encryption and key generation.
• The wrapper is available as:
  – Windows native and .NET.
  – Linux, Unix native and Java.
  – Command-line and .so/.DLL library.

12 HiPAM: PAM API CMD

Animation: ../../pics/camtasia/pam-api-cmd/pam-api-cmd.mp4

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 | Tel: 1.403.233.0740 | Fax: 1.403.233.0725 | E-Mail: sales@Hitachi-ID.com

www.Hitachi-ID.com

Date: 2017-03-15


