
www.csuchico.edu

Within IT systems, privileged accounts are those that have the ability to perform elevated functions such as system control/administration, system monitoring, and elevated data access. Privileged accounts are considered highly sensitive due to the inherent risk of their misuse, with potential consequent exposure to sensitive data. PAM is all about the management and protection of these privileged accounts. PAM is considered a specialized use case of Identity and Access Management (IAM). PAM is typically performed across a set of technologies that span the following functionalities:

- Shared Account Password Management (SAPM), for managing shared administrative accounts for operating systems, databases, etc. (e.g., the root account in Linux/Unix, the administrator account in Windows).
- Superuser Privilege Management (SUPM), for managing elevated access and permissions for named super users (e.g., IT system administrators who perform elevated commands using their personal named accounts).
- Application to Application Password Management (AAPM), for managing passwords of application to application or application to database service accounts.

Implementation of the Hitachi ID Privileged Access Manager solution represents a parallel step in the University’s ongoing IAM initiative. Hitachi was selected via campus RFP in 2015.


Monitoring and auditing the activity/usage of privileged accounts, including real time session

It is a common misconception that PAM is limited to simply managing passwords. However, in reality, PAM provides much more security than this. PAM provides the ability to closely track who has access to privileged accounts, and to monitor/audit the manner in which the accounts are actually being used. Advanced use cases include the ability to integrate with data loss prevention and real time threat analytics.

Implementation of the Hitachi ID Privileged Access Manager solution represents a parallel step in the University's ongoing IAM initiative. Hitachi was selected via campus RFP in 2015.

Phase I objectives: SAPM, AAPM, and monitoring/auditing of privileged accounts in the following target systems: Windows servers, Linux servers, Oracle databases, SQL Server databases, and service accounts in AD/LDAP. The intent is to prove out usage of different account types across different systems with vendor support.

The longer term rollout and usage of the Hitachi system will be determined by individual departments and account owners in consultation with and by direction of the Associate Vice Provost for Information Resources (Mike Schilling). SUPM is not in scope.

- Auto discovery of systems that are operating on the network that have privileged accounts (but management of the privileged accounts is manually determined and initiated).
- Automated rotation of passwords as appropriate on user defined intervals (e.g., password rotation once per month, etc.).
- Pilot test of session management (wherein users launch privileged sessions through Hitachi PAM).
- Decommission current password management tools (as a follow up).

Phase I should begin to address the following security audit findings:

- 2008 CO Audit Password Standards
- 2008 CO Audit Granted Privileged Access
- M&I Assess. Level 1 Data Protection
- 2008 CO Audit User Access Control
- M&I Assess. Application, System & Privileged Service Password Management
- M&I Assess. Identity Management
- M&I Assess. Account Auditing & Review (Users, Servers, Firewalls, Databases, Applications)
- 2008 CO Audit Employee Separation

Timeline (Sep 2014 to Jan 2017):

- PAM RFP: Oct 14 to Jul 15
- Contract Negotiation and SOW: Jul 15 to Mar 16
- Implementation: May 16 to Oct 16

Implementation objectives:

- SAPM, AAPM, and monitoring/auditing privileged accounts in select target systems
- Auto discovery of target systems
- Automated rotation of passwords as appropriate on user defined intervals
- Pilot test of session management

PAM RFP objectives:

- Write/post a public RFP for a new PAM tool

Contract Negotiation and SOW objectives:

- Finalize selection of Hitachi ID as RFP winner
- Document the features that we intend to implement and the systems that will be included
- Finalize SOW (statement of work) for Hitachi's professional services for implementatio

