ID-Archive: Securing Administrator Passwords
Overview
ID-Archive™ is software from Hitachi ID for the problem of managing thousands of administrator credentials. ID-Archive enables organizations to regularly randomize administrative passwords on workstations and servers, while maintaining the ability of IT staff to retrieve current credentials for devices into which they must login.
Problems with Managing Administrator Credentials
Most organizations employ weak processes to manage administrator credentials -- local IDs and passwords embedded in servers, workstations and applications with unlimited privileges to those IT resources. Weak processes for managing such sensitive accounts create serious security vulnerabilities:
- Hundreds or thousands of workstations and servers often share the same administrator credentials. If one device is compromised, all are compromised.
- With thousands of workstations and servers, it is difficult or impossible to ever change these credentials. Credentials remain the same for months or years, creating an extended time window for an intruder to crack them.
- If administrator credentials are rarely changed, as IT staff turn over, ex-staff retain keys to sensitive IT assets.
Managing Credentials on Workstations
To manage workstation administrator credentials, ID-Archive includes a service that installs on each workstation, contacts a central server and coordinates that workstation's password update.
This architecture has several important advantages:
- The workstation service uses only HTTPS to communicate with the central server and works even when the workstation is connected behind NAT devices, firewalls or application proxies.
- The workstation service does not randomize credentials unless it has established connectivity with the central credential server. This avoids a situation where the central server does not know the new password value for a workstation.
- Dynamic IP addresses have no impact on this architecture.
- Physical relocation and long periods of detached network connectivity may delay updates to local passwords, but do not introduce a failure whereby the credentials for a workstation are unknown.
Managing Credentials on Servers
To manage administrator credentials on servers (i.e., IT assets attached to the network at fixed addresses), each ID-Archive server runs a password updating service. This service periodically runs a connector, also on the ID-Archive server, that communicates with a single target server and changes a single password. Upon successfully setting the new password, the service updates the ID-Archive server with the new password, thus making it available to IT staff.
This process is repeated thousands of times daily, for different types of servers (Windows, Unix, Linux, DBMS, mainframe, application, etc.), using different types of connectors. Connectors for over 70 types of servers and applications are included with ID-Archive.
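As an added illustration, not Hitachi ID's code, the following Python simulation shows the ordering rule behind both the workstation service and the server-side connector loop above: the agent skips rotation entirely when the central credential server is unreachable, and stages the candidate password in the vault before applying it locally, so a failure in mid-rotation leaves a recoverable record rather than an unknown password. The Vault, Workstation, rotate and recover names are constructed for this example and assume an in-memory stand-in for the credential server.

```python
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def generate_password(length=24):
    """Random password from a CSPRNG; length is an assumed policy value."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class Vault:
    """In-memory stand-in for the central credential server (constructed for this example)."""

    def __init__(self, reachable=True):
        self.reachable = reachable
        self.records = {}  # host -> {"current": str | None, "pending": str | None}

    def _check(self):
        if not self.reachable:
            raise ConnectionError("credential server unreachable")

    def stage(self, host, candidate):
        """Record the candidate before the target is touched."""
        self._check()
        self.records.setdefault(host, {"current": None, "pending": None})["pending"] = candidate

    def confirm(self, host):
        """Promote pending -> current once the target has accepted it."""
        self._check()
        rec = self.records[host]
        rec["current"], rec["pending"] = rec["pending"], None


class Workstation:
    """Stand-in for a managed device; set_local_password replaces the OS account-change call."""

    def __init__(self, host, local_password):
        self.host = host
        self.local_password = local_password

    def set_local_password(self, new):
        self.local_password = new


def rotate(ws, vault):
    """Return 'rotated' or 'skipped'; never changes the local password unless the vault holds it."""
    candidate = generate_password()
    try:
        vault.stage(ws.host, candidate)  # step 1: vault learns the candidate first
    except ConnectionError:
        return "skipped"  # offline / behind NAT: leave the existing password alone
    ws.set_local_password(candidate)  # step 2: apply on the device
    vault.confirm(ws.host)  # step 3: promote pending -> current
    return "rotated"


def recover(ws, vault):
    """Vault values that could be the device's real password after a crash between steps 2 and 3."""
    rec = vault.records.get(ws.host, {})
    return [p for p in (rec.get("current"), rec.get("pending")) if p]
```

Because the vault always holds the password before the device does, recover never returns an empty list for a device that was actually changed.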
High Availability and Data Replication
Once deployed, ID-Archive becomes an essential part of an organization's IT infrastructure, since it alone houses administrative credentials to thousands of networked devices. An outage in ID-Archive would mean that administrative access to a range of devices is interrupted -- a major outage to IT service.
Since servers occasionally break down, ID-Archive supports load balancing and data replication between multiple physical servers. Any data updates written to its credential database are replicated, in real time, across all servers.
In short, ID-Archive incorporates a highly available, replicated, multi-master architecture.
To provide out-of-the-box data replication, ID-Archive includes a database service that replicates data between multiple instances. This service can be configured to use either Oracle or Microsoft SQL Server databases as the physical storage mechanism. Hitachi ID recommends one physical database instance per ID-Archive server, normally on the same physical hardware as ID-Archive itself.
The ID-Archive replicating data service can be configured to use any of the following commercial SQL database engines as its physical data store:
- Oracle 10g, Enterprise Edition.
- Microsoft SQL Server 2005, Enterprise Edition.
- Oracle 10g, Express Edition (free download from http://oracle.com/).
- Microsoft SQL Server 2005, Express Edition (free download from http://microsoft.com/).
The ID-Archive data replication system makes it both simple and advisable for organizations to build a highly-available ID-Archive server cluster, spanning multiple servers, with each server placed in a different physical site. Replication traffic is encrypted, authenticated, bandwidth-efficient and tolerant of latency, making it suitable for deployment over a WAN.
This multi-site, multi-master replication is configured at no additional cost, beyond that of the hardware for additional ID-Archive servers, and with minimal administrative effort.
Network Architecture
The ID-Archive network architecture is illustrated in Figure [link].
ID-Archive Network Architecture Diagram (1)