Securing Embedded Passwords

Eliminate Static Embedded app2app Passwords with Hitachi ID Privileged Access Manager. See more at: http://hitachi-id.com/documents/

Uploaded by

HitachiID

1 Securing Embedded Passwords

Business and technical challenges; Hitachi ID Privileged Access Manager approach.

2 Baseline scenario

2017 Hitachi ID Systems, Inc. All rights reserved. 1


Slide Presentation

3 Plaintext passwords


4 Basic approach


5 Catch-22?
How does the script or application authenticate itself to the Hitachi ID Privileged Access Manager system?
Using an ID and password?
Unattended processes cannot use a token or smart card ...
If using PKI then a password is needed to unlock the private key / certificate ...

Haven't we just replaced one password with another?

6 Analysis
There is no silver bullet for this problem.
Just like perpetual motion machines.
Somebody "invents" a new one every year.
How do we make life more difficult for an attacker?
Assume he's compromised:
The application's source code...
The server's filesystem...
Backup media...
It seems we can't get away from a password at some point in the process.
How about changing this password often?
Like every time it's used!
And verifying that connections come from a server at the expected location.

7 Hitachi ID Privileged Access Manager API authentication

One time password:
Use a password to sign into the web service.
Change the password at every successful login.
IP subnet filtering:
API client must come from the right subnet.
Audit logs.


8 Authentication

9 Real world complexity

Need to store current value of the OTP.
Serialize API access:
Avoid race conditions.
Must know which "new OTP" is valid.
Caching to reduce API service workload:
Imagine 100 apps, each needing passwords 10,000 times/second.
1,000,000 web service calls/second?
Cache passwords fetched from the API.
Bonus: resiliency in the event of service disruption.
Encrypt cached passwords and current OTP:
Local storage, formatting.
Key generation.


10 Authentication


11 API wrapper
Important layer to manage:
Complexity of SOAP.
OTP change management and serialization.
Password caching.
Encryption and key generation.
The wrapper is available as:
Windows native and .NET.
Linux, Unix native and Java.
Command-line and .so/.DLL library.
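As an added illustration of slides 7, 9 and 11 (example code written for this page, not the slides' own code nor Hitachi ID's wrapper or API): a mock service that rotates the caller's OTP on every successful call, filters by subnet and audit-logs each decision, beside a client wrapper that serializes calls, persists the new OTP before returning and caches fetched passwords. The last function shows the lockout that two unserialized callers sharing a stale OTP run into. The class and function names, the IP prefix and the sample account/password are constructed assumptions.

```python
import secrets
import threading
from dataclasses import dataclass, field

@dataclass
class MockPamService:
    """Toy stand-in for the PAM web service (constructed here, not the real API)."""
    otp: str                                    # the only OTP currently valid
    allowed_prefix: str = "10.0.0."             # IP subnet filter
    vault: dict = field(default_factory=dict)   # account -> current password
    audit: list = field(default_factory=list)   # audit log of every decision

    def checkout(self, client_ip, otp, account):
        """Authenticate with the current OTP; return (password, next_otp) or None."""
        if not client_ip.startswith(self.allowed_prefix):
            self.audit.append(("deny_subnet", client_ip, account))
            return None
        if not secrets.compare_digest(otp, self.otp):
            self.audit.append(("deny_otp", client_ip, account))
            return None
        self.otp = secrets.token_hex(16)        # rotate: the old OTP is now dead
        self.audit.append(("checkout", client_ip, account))
        return self.vault[account], self.otp

class ApiWrapper:
    """Client side: current OTP, serialized API calls, password cache."""
    def __init__(self, service, client_ip, otp):
        self.service, self.client_ip, self._otp = service, client_ip, otp
        self._lock = threading.Lock()           # one OTP rotation in flight at a time
        self._cache = {}
        self.api_calls = 0

    def get_password(self, account):
        with self._lock:                        # serialize: read OTP, call, persist
            if account in self._cache:
                return self._cache[account]     # cache hit: no API round trip
            self.api_calls += 1
            result = self.service.checkout(self.client_ip, self._otp, account)
            if result is None:
                raise PermissionError("rejected: stored OTP stale or wrong subnet")
            password, self._otp = result        # persist the new OTP before returning
            self._cache[account] = password
            return password

def stale_otp_demo(service, ip="10.0.0.5"):
    """Unserialized callers reuse one OTP: the first rotates it, the second is locked out."""
    shared = service.otp
    first = service.checkout(ip, shared, "db_app")
    second = service.checkout(ip, shared, "db_app")
    return first is not None and second is None
```

A real wrapper would additionally encrypt the cached passwords and the current OTP at rest, as slide 9 lists; the in-memory store here is deliberately the minimum needed to show the rotation and serialization logic.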

12 HiPAM: PAM API CMD

Animation: ../../pics/camtasia/pam-api-cmd/pam-api-cmd.mp4

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com

www.Hitachi-ID.com Date: 2017-03-15 | 2017-03-15 File: PRCS:pres
