IAM Business Accelerator for Privileged Identity Scenarios - Administrators accessing emergency privileged IDs

Privileged Identity Scenario 3: Administrators accessing emergency privileged IDs

Summary

To ensure accountability (who did what using which ID?), reduce the risk of sabotage by external and internal threats, and maintain compliance (government, industry-specific and business regulations) for privileged and shared identities, it is important that organizations analyze the distribution and use of their privileged identities, implement a solution that ensures only privileged and authorized users get access to an identity, and only for as long as they need it, and that the solution provides sufficient tracking, reporting and auditing capabilities to demonstrate compliance.

This series of documents describes various Privileged Identity scenarios and how each can be addressed using the IBM solution.

This particular document describes implementation details for scenario 3: Administrators accessing emergency privileged IDs.

1. Introduction

IBM Security Privileged Identity Manager provides a solution for organizations that helps protect, manage and track privileged IDs. Its key capabilities include:

· Centralized administration, secure access, and storage of privileged shared account credentials.

· Role-based access control for shared accounts.

· Lifecycle management of shared accounts ownership.

· Ability to change password on every check in.

· Single sign-on through automated check-out and check-in of shared credentials.

· Auditing of shared credentials access events.

· Integration with the broader Identity and Access Management Governance portfolio.

 

Most organizations do well with a blend of individual and shared privileged IDs that offer the optimal combination of security, convenience, and productivity.

 

Refer to section “Privileged IDs and why they are a problem” of IBM Security Privileged Identity Manager Technical White Paper for more details about the challenges and risks with these approaches.

Addressing Privileged Identity Scenarios using IBM Security Privileged Identity Manager White Paper describes the scenarios and their deployment models at a high level. This document describes the first scenario, its deployment models and how it can be implemented using the IBM solution.

 

2. Scenario: Break the glass situation

Medium or large organizations with IT infrastructure typically have servers distributed across geographical regions. One of the reasons behind it is to provide reliable and uninterrupted services to clients.

Organizations have defined a procedure to be followed in case of emergency (unplanned absence). They can have some shared privileged administrator IDs, with fewer privileges than the regular admin IDs in the organization, that provide appropriate access in case of an emergency. The organization can identify people who can immediately start using these emergency IDs to access the systems and take the necessary actions to restore services, applications, etc.

Sometimes it is difficult to identify anybody up front, since it depends on when and where the emergency occurs and who is available at that time. In such cases, business owners and/or IT admins decide who is best suited to handle the situation and assign the emergency role to that person.

These emergency credentials of delegated administrators:

· Need privileged access to the servers, but with fewer privileges than regular admin IDs.

· Can perform only a specific set of privileged tasks, such as restoring services and applications.

· Are shared by dozens of employees or contractors.

· Are used less frequently.

The organization/IT owners:

· Might require a few delegated administrators to handle emergency situations.

· Want to create accounts that can be shared.

The actual owner of the servers:

· Is responsible for setting up shared accounts with limited privileges on each server.

· Wants audit logs that show which user is using which privileged ID at what time.

The manager/supervisor of the delegated administrators is responsible for maintaining the list of emergency administrator users.

 

This document covers two variations of this scenario:

  1. Access to Emergency id: Emergency administrator accessing emergency id
  2. Access to Administrator id: Emergency administrator accessing administrator id

 

3. Scenario Implementation

3.1 Before you begin

Refer to the “IAM Business Accelerator for Privileged Identity Scenarios - Install and configuration guide for Privileged Identity Manager deployment” for personas, details about protected resources, and install and basic configuration steps. This article describes the additional configuration and setup required for this scenario.

 

Also configure the system for scenario 1 (Pool of delegated administrators or help desk users accessing privileged IDs)

3.2 Deployment Environment

3.2.1 Personas

Jason: System owner and System Admin

Antonio: Manager of IT Support department

Joe: Emergency Admin

Susan: Joe’s manager

3.2.2 Protected resources and accounts

Account added as a credential to the PIM Server:

· ICEAdmin, SharedSysAdmin01

3.3 High level implementation details

For high level implementation details, see the “2.3 Scenario 3: Administrators need privileged access in case of emergency (break the glass scenario)” of Addressing Privileged Identity Scenarios using IBM Security Privileged Identity Manager White Paper

 

3.4 High level scenario flow

3.4.1 Access to emergency id

The customer has set up an emergency id (ICEAdmin) and Joe is entitled to access it (has ICEAdminRole).

1. In Case of Emergency (ICE), Joe checks out the ICEAdmin id and takes care of the tasks

2. System owner (Jason), IT Support department manager (Antonio) and Joe’s Manager (Susan) get notified by email about the check out activity

3. Once done, Joe checks in the id

4. Password is automatically changed after check in

3.4.2 Access to administrator id

The customer has not set up an emergency id. In Case of Emergency (ICE), Joe is identified to handle the situation.

1. Joe requests a role (ICERole), which is approved by Jason

2. Joe checks out the regular system admin, SharedSysAdmin01, from credential pool and takes care of the emergency tasks

3. System owner (Jason), IT Support department manager (Antonio) and Joe’s Manager (Susan) get notified by email about the check out activity

4. Once done, Joe checks in the id

5. Password is automatically changed after check in
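The two flows above share the same control points: entitlement through a role named in a shared access policy, a justification on every checkout, a bounded checkout duration, notification of the owner and managers, password rotation on check-in, and an audit trail. The following Python model is added here as an illustration; it is not part of the original document and not IBM Security Privileged Identity Manager code. The names Joe, Jason, Antonio, Susan, ICEAdmin, SharedSysAdmin01, ICEAdminRole and ICERole come from this document; WindowsSysAdminRole, the timestamps and the justification strings are constructed for the example.

```python
"""Model of the break-glass check-out / check-in flow of sections 3.4.1 and 3.4.2.

Constructed, illustrative code, not IBM Security Privileged Identity Manager code.
Controls modelled: entitlement via a shared access policy on roles, justification and
maximum duration on checkout, owner/manager notification, password rotation on
check-in or expiry, and an audit trail that also records denials. WindowsSysAdminRole
is an assumed name for the role the existing Windows admin policy entitles.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set
import secrets


@dataclass
class Credential:
    name: str
    password: str
    max_checkout: timedelta
    holder: Optional[str] = None       # user currently holding the credential
    since: Optional[datetime] = None   # time of the current checkout


@dataclass
class Vault:
    roles: Dict[str, Set[str]]         # role -> members
    role_owners: Dict[str, str]        # role -> user who approves requests for it
    policies: Dict[str, Set[str]]      # credential -> roles entitled by a shared access policy
    notify: Dict[str, List[str]]       # credential -> people mailed on checkout
    credentials: Dict[str, Credential]
    audit: List[dict] = field(default_factory=list)
    outbox: List[tuple] = field(default_factory=list)

    def _log(self, **event):
        self.audit.append(event)

    def approve_role(self, approver, user, role, now):
        """Role request approval (3.4.2 step 1): only the role owner may approve."""
        if self.role_owners.get(role) != approver:
            raise PermissionError(f"{approver} does not own {role}")
        self.roles.setdefault(role, set()).add(user)
        self._log(action="role_granted", user=user, role=role, approver=approver, at=now)

    def checkout(self, user, cred_name, justification, now):
        cred = self.credentials[cred_name]
        entitled = any(user in self.roles.get(r, set()) for r in self.policies.get(cred_name, set()))
        if not entitled:
            self._log(action="checkout_denied", user=user, credential=cred_name, at=now)
            raise PermissionError(f"{user} is not entitled to {cred_name}")
        if not justification.strip():
            raise ValueError("a justification is required")
        if cred.holder is not None:
            raise RuntimeError(f"{cred_name} is already checked out by {cred.holder}")
        cred.holder, cred.since = user, now
        self._log(action="checkout", user=user, credential=cred_name, at=now, justification=justification)
        for person in self.notify.get(cred_name, []):   # the three Mail nodes of 3.5.1 step 4
            self.outbox.append((person, f"Checkout performed - Credential : {cred_name} by user {user}"))
        return cred.password

    def checkin(self, user, cred_name, now):
        cred = self.credentials[cred_name]
        if cred.holder != user:
            raise PermissionError(f"{user} does not hold {cred_name}")
        self._release(cred, "checkin", now)

    def expire_overdue(self, now):
        """Force-release credentials held longer than their maximum checkout duration."""
        expired = [c for c in self.credentials.values() if c.holder is not None and now - c.since > c.max_checkout]
        for cred in expired:
            self._release(cred, "checkout_expired", now)
        return [c.name for c in expired]

    def _release(self, cred, action, now):
        self._log(action=action, user=cred.holder, credential=cred.name, at=now)
        cred.holder, cred.since = None, None
        cred.password = secrets.token_urlsafe(16)   # rotate: the password Joe viewed is now useless


def build_scenario_vault():
    """Personas and protected resources of section 3.2 (1 hour maximum checkout, as in 3.5.1)."""
    shared = ("ICEAdmin", "SharedSysAdmin01")
    return Vault(
        roles={"ICEAdminRole": {"Joe"}, "WindowsSysAdminRole": {"Jason"}, "ICERole": set()},
        role_owners={"ICERole": "Jason"},
        policies={"ICEAdmin": {"ICEAdminRole"}, "SharedSysAdmin01": {"WindowsSysAdminRole", "ICERole"}},
        notify={name: ["Jason", "Antonio", "Susan"] for name in shared},
        credentials={name: Credential(name, secrets.token_urlsafe(16), timedelta(hours=1)) for name in shared},
    )


def run_emergency_flows():
    """Drive both variations and return what an auditor would want to verify."""
    v = build_scenario_vault()
    t0 = datetime(2014, 3, 10, 9, 0)
    old_pw = v.checkout("Joe", "ICEAdmin", "Order service down", t0)       # 3.4.1: entitled via ICEAdminRole
    v.checkin("Joe", "ICEAdmin", t0 + timedelta(minutes=40))
    try:                                                                    # 3.4.2: needs ICERole first
        v.checkout("Joe", "SharedSysAdmin01", "Restore app server", t0 + timedelta(hours=5))
        denied_first = False
    except PermissionError:
        denied_first = True
    v.approve_role("Jason", "Joe", "ICERole", t0 + timedelta(hours=5, minutes=2))
    v.checkout("Joe", "SharedSysAdmin01", "Restore app server", t0 + timedelta(hours=5, minutes=3))
    expired = v.expire_overdue(t0 + timedelta(hours=6, minutes=30))        # Joe never checked in
    return {"ice_rotated": v.credentials["ICEAdmin"].password != old_pw, "denied_first": denied_first,
            "expired": expired, "mails_sent": len(v.outbox), "actions": [e["action"] for e in v.audit]}
```

Running run_emergency_flows() shows the points the playbook in section 4 verifies by hand: the ICEAdmin password no longer works after check-in, SharedSysAdmin01 is refused until Jason approves ICERole, three mails go out per checkout, and a forgotten check-in is closed by the maximum checkout duration rather than left open.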

 

3.5 Additional Configuration

3.5.1 Access to emergency id

This section provides step by step information about the additional configuration required for this scenario:

1. Create ICEAdminRole

2. Adopt Windows Server account and add to credential vault

3. Setup Shared Access Policy

4. Customize the checkout operation for notification

 

1. Create ICEAdminRole

Create the static role ICEAdminRole and make user Joe a member of ICEAdminRole

2. Adopt Windows Server account and add to Credential Vault

Adopt the ICEAdmin account and add it to the credential vault

o Login to ISIM Console as an Administrator (ITIM Manager).

o Go to 'Manage Services'. Select the 'Accounts...' option from the context menu of the service 'Enterprise Windows Server' and look for the 'ICEAdmin' account

o Select 'Assign to user...' option from the context menu of account 'ICEAdmin'

o Select user 'Jason' from users table and click 'Continue'

o Select 'System' as the ownership type for the account, click 'Continue', and then confirm the updates on the confirmation screen

o Again check accounts on 'Enterprise Windows Server' and search for 'ICEAdmin'. Select 'Add to Vault...' option from the context menu of 'SharedSysAdmin01'. This will take you to 'Add Credential to Vault' page.

o In this case we use the options 'Automatically generate a new password. This is the preferred option.' and 'Require the checkin and checkout process for shared IDs'

o Set 'Maximum Checkout Duration' to 1 hr

o Keep the other parameters at their default values and click 'Continue'

o Provide some 'Justification' and click 'Submit'

3. Setup Shared Access Policy

Create a shared access policy 'ICE Admins Shared ID policy'

o Login to ISIM Console as an Administrator (ITIM Manager).

o Go to 'Manage Shared Access' → 'Manage Share Access Policy' and click 'Create' button.

o Create a shared access policy as described in the following steps

§ 'General Information' tab

· Policy name - 'ICE Admins Shared ID policy'

· Description - 'Use of ICE Admins Shared ID Shared IDs allowed only for IT Support members'

· Policy status – 'Enabled'

· Business Unit - JK Enterprises

· Make policy available to credentials and credential pools in - 'This business unit and its subunits' and Click 'Members'

§ 'Members' tab

· Member Type – roles specified below

o ICEAdminRole

§ 'Entitlements' tab

· Entitlements - add 'ICEAdmin'

o Click 'Finish' to create a shared access policy.

4. Customize checkout operation for notification

Create an operation 'checkoutWithNotifications' with checkout extension with email notifications.

o Login to ISIM Console as an Administrator (ITIM Manager).

o Go to 'Configure System' → 'Manage Operations' page

o Click 'Add' with Operation Level 'Global Level' and provide name 'checkoutWithNotifications'

o Provide following details in properties.

o Extension node with the following details

o Add 3 'Mail' notification nodes between the extension node and the end node with the following details.

§ Mail node 1 -

· General -

Activity ID: CheckoutEmailID1

Activity name: Checkout Email 1

Recipient: Manager

Join Type: AND

Split type: AND

Notification -

Subject - Checkout performed - Credential : <JS>process.subject</JS>

 

Message Body (Text) - Checkout operation performed on <JS>process.subject</JS> by user <JS>process.requesteeName</JS>.

(Xhtml)

Add a 'Click here' link inside the body: <a href="http://jke.test:9080/itim/self">Click here</a>

§ Mail node 2 -

· General -

Activity ID: CheckoutEmailID12

Activity name: Checkout Email 12

Recipient: Person (with email account) - Jason

Join Type: AND

Split type: AND

Notification -

Subject - Checkout performed - Credential : <JS>process.subject</JS>

Message Body (Text) - Checkout operation performed on <JS>process.subject</JS> by user <JS>process.requesteeName</JS>.

Add a 'Click here' link inside the body: <a href="http://jke.test:9080/itim/self">Click here</a>

 

§ Mail node 3 -

· General -

Activity ID: CheckoutEmailID3

Activity name: Checkout Email 3

Recipient: Person (with email account) - Antonio

Join Type: AND

Split type: AND

Notification -

Subject - Checkout performed - Credential : <JS>process.subject</JS>

Message Body (Text) - Checkout operation performed on <JS>process.subject</JS> by user <JS>process.requesteeName</JS>.

Add a 'Click here' link inside the body: <a href="http://jke.test:9080/itim/self">Click here</a>

 

- Click 'Ok' of Mail node and then 'Ok' of editor to save the operation.

 

Final Operation will look like this


3.5.2 Access to administrator id

This section provides step by step information about the additional configuration required for this scenario:

1. Create ICERole and setup as access

2. Setup approval on role request

3. Setup Shared Access Policy

4. Customize the checkout operation for notification

1. Create ICERole and setup as access

o Login to ISIM Console as an administrator (ITIM Manager)

o Go to 'Manage roles' and Click 'Create' button.

o Follow these steps to create the 'ICERole' role.

§ In 'Role Type' tab -

- Role Type - Static

- Role classification - 'Business role'

- Business unit - JK enterprise

§ In 'General Information' tab -

- Name - ICERole

- Description - Role with extra privileges to use during Emergency only.

§ In 'Access Information' - Select 'Enable access for this role' and Select access type as 'Role' from tree.

§ Expand 'Owners' section and add 'Jason' in 'User Owners' table.

o Click 'Finish' to create static role.

 

2. Setup approval on role request

o Login to ISIM Console as an administrator (ITIM Manager)

o Go to 'Configure System > Manage Operations'

o Open the 'add' operation and add an extension to the flow as shown in the following picture.


o Follow the same steps for the ‘modify’ operation

 

3. Setup Shared Access Policy

Update the shared access policy 'Windows System Admins Shared IDs policy' for ICERole

o Login to ISIM Console as an administrator (ITIM Manager)

o Go to 'Manage Shared Access > Manage Share Access Policy' and Click 'Create' button.

o Click on 'Windows System Admins Shared IDs policy' and go to 'Members' tab.

o Add 'ICERole' and Click 'Submit' to update policy.

 

4. Customize the checkout operation for notification

Refer to step 4 in section 3.5.1

 

4. Scenario playbook

4.1 Access to emergency id

The customer has set up an emergency id (ICEAdmin) and Joe is entitled to access it (has ICEAdminRole).

1. In Case of Emergency (ICE), Joe checks out the ICEAdmin id and takes care of the tasks

1. Log-in to ISIM Self Service UI with user as Joe.

2. Select "Check out credential" from My Shared Access section.

3. Select ICEAdmin credential from the list

4. Specify Justification details.

5. Click Checkout and click on 'View password' link from Checkout confirmation screen. Copy the password to login to the Windows System.

 

2. System owner (Jason), IT Support department manager (Antonio) and Joe’s Manager (Susan) get notified by email about the check out activity

1. Check the mailboxes of these users. Each should have an email indicating that ICEAdmin was checked out by Joe.

 

3. Once done, Joe checks in the id

1. Log-in to ISIM Self Service UI with user as Joe and click on ‘Check in Credential’ link from My Shared Access section

2. Select "ICEAdmin" from the table and click ‘Checkin’ button

 

4. Password is automatically changed after check in

1. Try to access the Windows System with ICEAdmin and old password. This should fail.

 

4.2 Access to administrator id

The customer has not set up an emergency id. In Case of Emergency (ICE), Joe is identified to handle the situation.

1. Joe requests a role (ICERole), which is approved by Jason

1. Login to ISIM Self Service UI with user as Joe and click on ‘Request Access’ link

2. Click on link 'Search' and then select role 'ICERole'

3. Logout as user Joe

4. Login to ISIM Self Service UI with user as Jason and approve the role request

2. Joe checks out the regular system admin, SharedSysAdmin01, from credential pool and takes care of the emergency tasks

1. Login to ISIM Self Service UI with user Joe again and Select "Check out credential" from My Shared Access section.

2. Click on link 'Windows System Administrators Pool' and provide some appropriate expiration time with justification

3. Click 'Checkout' button and click on 'View password' link from Checkout confirmation screen.

3. System owner (Jason), IT Support department manager (Antonio) and Joe’s Manager (Susan) get notified by email about the check out activity

1. Check the mailboxes of these users. Each should have an email indicating that SharedSysAdmin01 was checked out by Joe.

 

4. Once done, Joe checks in the id

1. Log-in to ISIM Self Service UI with user as Joe and click on ‘Check in Credential’ link from My Shared Access section

2. Select "SharedSysAdmin01" from the table and click ‘Checkin’ button

 

5. Password is automatically changed after check in

1. Try to access the Windows System with SharedSysAdmin01 and old password. This should fail.

 

5. Audits and Reports

Check-out and check-in activities of credentials and credential pools are audited and can be seen in “Shared Access History” reports. Some custom report examples for shared access objects are available at the following link.

http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=%2Fcom.ibm.isim.doc_6.0%2Fadmin%2Fcpt%2Fcpt_ic_admin_abt_shrdaccess_obj.htm

 

Information on IBM Security Privileged Identity Manager reports is available at the following link.

http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=%2Fcom.ibm.ispim.doc_10%2FPim_Guide%2Fconcepts%2Fc_types_reports.html
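As an added illustration (not from the original document and not the product's own report), the following Python script rebuilds a "which user used which privileged ID, and when" view from check-out and check-in audit events, and flags checkouts that ran past the configured maximum checkout duration, including ones that were never checked in. The log line format, the timestamps and the justification texts are constructed for the example; the Shared Access History export of the real product has its own format, so the regular expression is the part to adapt.

```python
"""Rebuild "which user used which privileged ID, and when" from check-out / check-in audit events.

Constructed example for the Audits and Reports section, not the product's own report.
The log line format below is invented for this illustration and is NOT the Shared
Access History export format of IBM Security Identity Manager: adapt LINE to the
export you actually have. Checkouts are paired with check-ins per credential, the
resulting sessions are classified, and sessions that exceeded the maximum checkout
duration (1 hour for ICEAdmin in this scenario; the SharedSysAdmin01 limit is assumed)
are flagged.
"""
import re
from datetime import datetime, timedelta

LINE = re.compile(
    r'^(?P<ts>\S+) (?P<action>CHECKOUT|CHECKIN) credential=(?P<cred>\S+) user=(?P<user>\S+)'
    r'(?: justification="(?P<just>[^"]*)")?$'
)

# Constructed sample log: two completed sessions and one that was never checked in.
SAMPLE_LOG = """\
2014-03-10T09:02:11Z CHECKOUT credential=ICEAdmin user=Joe justification="Order service down in EU region"
2014-03-10T09:41:30Z CHECKIN credential=ICEAdmin user=Joe
2014-03-10T14:10:00Z CHECKOUT credential=SharedSysAdmin01 user=Joe justification="Restore application server"
2014-03-10T16:30:00Z CHECKIN credential=SharedSysAdmin01 user=Joe
2014-03-11T08:00:00Z CHECKOUT credential=ICEAdmin user=Joe justification="Backup job stuck"
"""

MAX_DURATION = {"ICEAdmin": timedelta(hours=1), "SharedSysAdmin01": timedelta(hours=2)}


def parse(log_text):
    """Turn audit lines into event dicts; an unparsable line is an error, not something to skip silently."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unparsable audit line: {line!r}")
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def sessions(events):
    """Pair checkouts with check-ins per credential and classify each resulting session."""
    open_by_cred = {}
    result = []
    for e in sorted(events, key=lambda e: e["ts"]):
        cred = e["cred"]
        if e["action"] == "CHECKOUT":
            if cred in open_by_cred:
                # Two checkouts with no check-in in between: the vault was bypassed or the log is incomplete.
                result.append({**open_by_cred.pop(cred), "end": None, "status": "unterminated"})
            open_by_cred[cred] = {"credential": cred, "user": e["user"], "start": e["ts"],
                                  "justification": e["just"]}
        else:
            s = open_by_cred.get(cred)
            if s is None or s["user"] != e["user"]:
                # Check-in by someone who never checked out: worth an analyst's attention.
                result.append({"credential": cred, "user": e["user"], "start": None,
                               "end": e["ts"], "justification": None, "status": "orphan_checkin"})
                continue
            result.append({**open_by_cred.pop(cred), "end": e["ts"], "status": "closed"})
    for s in open_by_cred.values():
        result.append({**s, "end": None, "status": "open"})
    return result


def overdue(session_list, now):
    """Sessions whose holding time (up to now, if still open) exceeded the credential's maximum duration."""
    findings = []
    for s in session_list:
        if s["start"] is None:
            continue
        held = (s["end"] or now) - s["start"]
        limit = MAX_DURATION.get(s["credential"])
        if limit is not None and held > limit:
            findings.append({**s, "held": held})
    return findings


if __name__ == "__main__":
    sess = sessions(parse(SAMPLE_LOG))
    for s in sess:
        print(f"{s['credential']:18} {s['user']:6} {s['start']} -> {s['end']} [{s['status']}]")
    for f in overdue(sess, datetime(2014, 3, 11, 10, 0)):
        print(f"OVERDUE: {f['credential']} held by {f['user']} for {f['held']}")
```

On the constructed log the report lists three sessions, all attributable to Joe, and flags two of them: the SharedSysAdmin01 session that ran 2 hours 20 minutes, and the second ICEAdmin checkout that has no matching check-in at all. The latter is the case a break-glass review should always look for, since a forgotten check-in means the password was never rotated.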



7. Resources



  1. Addressing Privileged Identity Scenarios using IBM Security Privileged Identity Manager White Paper

    https://www.ibm.com/developerworks/mydeveloperworks/wikis/home/wiki/Wc42dcb83bbad_485d_a112_1d03408e24c0/page/IBM%20Security%20Privileged%20Identity%20Manager%20Scenarios%20White%20Paper
  2. IBM Security Privileged Identity Manager Technical White Paper

    https://www.ibm.com/developerworks/mydeveloperworks/wikis/home/wiki/Wc42dcb83bbad_485d_a112_1d03408e24c0/page/IBM%20Security%20Privileged%20Identity%20Manager%20Technical%20White%20Paper
  3. IAM Business Accelerator for Privileged Identity Scenarios - Install and configuration guide for Privileged Identity Manager deployment

    https://www.ibm.com/developerworks/mydeveloperworks/wikis/home?lang=en#/wiki/Wc42dcb83bbad_485d_a112_1d03408e24c0/page/IAM%20Business%20Accelerator%20for%20Privileged%20Identity%20Scenarios%20-%20Install%20and%20configuration%20guide%20for%20Privileged%20Identity%20Manager%20deployment

  4. IAM Business Accelerator for Privileged Identity Scenarios - Pool of delegated administrators or help desk users accessing privileged IDs

    https://www.ibm.com/developerworks/mydeveloperworks/wikis/home?lang=en#/wiki/Wc42dcb83bbad_485d_a112_1d03408e24c0/page/IAM%20Business%20Accelerator%20for%20Privileged%20Identity%20Scenarios%20-%20Pool%20of%20delegated%20administrators%20or%20help%20desk%20users%20accessing%20privileged%20IDs

  5. IAM Business Accelerator for Privileged Identity Scenarios - Application Admins need Ad-hoc privileged access

    https://www.ibm.com/developerworks/mydeveloperworks/wikis/home?lang=en#/wiki/Wc42dcb83bbad_485d_a112_1d03408e24c0/page/IAM%20Business%20Accelerator%20for%20Privileged%20Identity%20Scenarios%20-%20Application%20Admins%20need%20Ad-hoc%20privileged%20access

  6. IAM Business Accelerator for Privileged Identity Scenarios - Applications or cron jobs need access to privileged IDs

    https://www.ibm.com/developerworks/mydeveloperworks/wikis/home?lang=en#/wiki/Wc42dcb83bbad_485d_a112_1d03408e24c0/page/IAM%20Business%20Accelerator%20for%20Privileged%20Identity%20Scenarios%20-%20Applications%20or%20cron%20jobs%20need%20access%20to%20privileged%20IDs

  7. IAM Business Accelerator for Privileged Identity Scenarios - Multiple Network Administrators need to share single superuser account to network device

    https://www.ibm.com/developerworks/mydeveloperworks/wikis/home?lang=en#/wiki/Wc42dcb83bbad_485d_a112_1d03408e24c0/page/IAM%20Business%20Accelerator%20for%20Privileged%20Identity%20Scenarios%20-%20Multiple%20Network%20Administrators%20need%20to%20share%20single%20superuser%20account%20to%20network%20device

  8. IBM Security Privileged Identity Manager Information Center

    http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.ispim.doc_10/ic-homepage.html

  9. IBM Security Identity Manager Information Center

    http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.isim.doc_6.0/ic-homepage.htm

  10. IBM Security Access Manager for Enterprise Single Sign-On Information Center

    http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itamesso.doc/ic-homepage.html

  11. Adapters for IBM Security Identity Manager

    http://www-01.ibm.com/support/docview.wss?uid=swg21599053

 

8. For more information

To learn more about IBM security solutions, please contact your IBM representative or IBM Business Partner, or visit: ibm.com/security
 

For IBM Identity and Access Management Services for identity assessment and strategy visit the following website: ibm.com/services/security