Layer 7 Privileged Access Management

Chat Transcript: Office Hours for CA Privileged Access Management [JULY 2016] 

07-21-2016 11:03 AM

from Kristen Palazzolo (CA) to Everyone:

Welcome everyone!

from Kristen Palazzolo (CA) to Everyone:

How are you doing today?

from Raj to Everyone:

doing good and hope the same there

from Kristen Palazzolo (CA) to Everyone:

@Raj Thanks! Having a great Thursday morning over here in New York

from Kristen Palazzolo (CA) to Everyone:

Welcome to Office Hours for CA Privileged Access Management!

from Kristen Palazzolo (CA) to Everyone:

Today, we will be answering questions about the Xceedium Support Migration, CA Privileged Access Manager Server Control, CA Privileged Identity Manager, and CA Privileged Access Manager.

from Kristen Palazzolo (CA) to Everyone:

Experts are standing by to answer your questions in real-time.

from Kristen Palazzolo (CA) to Everyone:

Just enter your question right here in the chat window.

from Kristen Palazzolo (CA) to Everyone:

There is no audio.

from Raj to Everyone:

How different is CA PAM from its competitors?

from Eduard Palomeras to Everyone:

Hi,

from Eduard Palomeras to Everyone:

What is our vision for agent based PIM?

from William Cotton to Everyone:

is there a ssh login into pam appliance?

from Steven McCullar to Everyone:

@Raj, very differentiated. Appliance-based form factor, huge scalability, ease of administration, no hidden costs are some of the key benefits.

from Reatesh Sanghi (CA) to Everyone:

Hello all

from Raj to Everyone:

@Steven, Thanks and few other vendor even provide PIM/PAM solution as appliance and with all the benefits you mentioned....is there a feature/capability you know that CA PAM only provides and none of the other vendors

from Jeff Parker (CA) to Everyone:

William, SSH is disabled by default, and only enabled by support. Everything can be configured from the console, or PAM UI.

from Michael Dullea to Everyone:

Hi @Eduard_Palomeras - Regarding our vision for the agent based PIM, we are in the process of creating a stand-alone version of that product, called CA PAM Server Control.  This product will integrate out-of-the-box with CA Privileged Access Manager for more granular access controls.  The combination of these two products (CA PAM & CA PAM Server Control) will give us the most comprehensive solution in the market for privileged access management!

from Steven McCullar to Everyone:

@Raj CA PAM has a purpose built appliance with all the features built in. Examples of hidden cost avoidance include built in HA, DR, Load Balancing, etc. Also scalability for CA PAM is much better. A pair of appliance can scale to 4000-5000 concurrent recorded sessions.

from Eduard Palomeras to Everyone:

thanks

from Steven McCullar to Everyone:

@Raj, CA PAM's integration with AWS and with NSX is very differentiated.

from Robert Carter to Everyone:

I work PAM for Canada

from Raj to Everyone:

@Steven...thatz good...when you say pair of appliance, how to go about configuring them in cluster? Is there a best practice around the same

from Steven McCullar to Everyone:

@Raj, yes it is very simple, fully documented in the product docs. It is a feature of the product and does not require any additional software or hardware.

from Raj to Everyone:

@Steven...thanks...can i get a copy or the name of the document you are referring to...to understand clustering details. Also, have some questions around how to go about upgrades in a clustered environment - Any reference to that is appreciated!!

from Steven McCullar to Everyone:

@Raj you can add scale simply by adding new appliances to the cluster if you need to.

from Kristen Palazzolo (CA) to Everyone:

RT to invite others to this Office Hours session: https://twitter.com/CA_Community/status/756125412300845056

from Raj to Everyone:

@Steven...thatz interesting....does that mean we don't need a load balancer

from Steven McCullar to Everyone:

@Raj, see the CA PAM Implementation Guide

from Steven McCullar to Everyone:

@Raj, that is correct.

from Raj to Everyone:

@Steven...ok

from Kristen Palazzolo (CA) to Everyone:

We're hosting a Lunch & Learn Webcast tomorrow! "Privileged Access Management: It’s for Applications too" RSVP -> https://communities.ca.com/events/2986

from Raj to Everyone:

From the architecture, understand every access pass through CA PAM to establish featured enforcement. Is that not a single point of failure?

from Eduard Palomeras to Everyone:

can CA PAM, "internal" web browser pass through a web proxy?

from Steven McCullar to Everyone:

@Raj, also please see the CA PAM Planning Guide, even better for clustering details

from Eduard Palomeras to Everyone:

the proxy standing between CA PAM and internet

from Kristen Palazzolo (CA) to Everyone:

support.xceedium.com is migrating to support.ca.com! Read more: https://communities.ca.com/docs/DOC-231168734

from Shahn Soomro (CA) to Everyone:

@Raj, not if you have HA configured. Since our HA model supports logical geo diverse clustering, with good planning you should have VERY high availability

from Shahn Soomro (CA) to Everyone:

@Raj, by implementing CA PAM.. you are NOT (well at least in theory) stopping a user from directly accessing the end system (though you should not allow it as a best practice), if for some reason (frankly bad architecture planning) your PAM infrastructure becomes unavailable. they can go directly to the endpoint.

from vijaya(CA) to Everyone:

Can CA PAM protect/manage "expert" password of firewalls, I mean the second credential that firewall admin uses to get privileged access, which is similar to "su".  If yes, how this can be done

from Shawn Hank (CA) to Everyone:

Yes. PAM has the ability to do this via the Transparent login feature for SSH.

from Raj to Everyone:

@Steven...just a gap in my understanding....when you have credential management (password rotation policy enforcement and auto-connect enabled cases) it is kind of blocking direct access, as end users are not even aware of their credentials. This will have impact when CA PAM is not available. Is that correct?

from Shawn Hank (CA) to Everyone:

In the device details page for the firewall (assuming you have added it to PAM) there is a section called "Transparent Login" You can use the "Command String" option and put in whatever the command prompt is from your firewall that is required to get to that second level of privilege.

from Shawn Hank (CA) to Everyone:

@vijaya - I assume that you have the password stored in the vault for PAM to provide this password transparently when prompted.

from Steven McCullar to Everyone:

@Raj you will need the password to log in so HA is very important. There are several approaches to ensure 100% availability. Additional nodes in the cluster, hot standby in maintenance mode, etc.

from Raj to Everyone:

When you have CA PAM Server Control…which is an agent based solution (which I see to be more powerful to establish fine grained access), will this not outweigh the CA PAM socket filtering, whitelist/blacklisting which is enforced only for access made through CA PAM

from Kristen Palazzolo (CA) to Everyone:

Check out the latest CA PIM #TechTips: https://communities.ca.com/community/ca-security/content?filterID=contentstatus%5Bpublished%5D~category%5Bca-privileged-access-management%5D&filterID=contentstatus%5Bpublished%5D~tag%5Btips%5D

from Shawn Hank (CA) to Everyone:

@vijaya - please see screenshot here: https://www.dropbox.com/s/q65ox8byfohlc33/PAM%20and%20Transparent%20Login%20for%20Secondary%20Authentication.png?dl=0

from Shawn Hank (CA) to Everyone:

It is under Devices > Manage Devices > Transparent Login

from Steven McCullar to Everyone:

@Raj those could be implemented as complementary controls but if you are using the PAM SC controls you may not need to duplicate the control via the SFA in PAM.

from Shawn Hank (CA) to Everyone:

@Raj - PAM can get you 80% of the way there with its gateway-based approach (meaning no agent on the server). I would also add that it's not that one is "better" than the other. They have some overlap and are complementary. PAM SC for example, provides video play back of sessions, which PAM SC doesn't do. There are reasons to use either or both simultaneously. All dependent upon customer requirements, of course.

from Raj to Everyone:

Thanks Steven and Shawn for helping me understand here!!

from Raj to Everyone:

When do you see CA PAM SC to be available...any planned tentative timelines

from Shawn Hank (CA) to Everyone:

@Raj, @Mike Dullea can answer that one.

from Raj to Everyone:

Is he in this chat

from Kristen Palazzolo (CA) to Everyone:

15 minutes left! Get your final question in now!

from Michael Dullea to Everyone:

Hi @Raj - company policy prevents us from providing timelines but this is something that we are actively working on at the moment.

from Raj to Everyone:

@Thanks Michael Dullea

from Raj to Everyone:

Also I have a business case on having Oracle E-Business Suite integrated with CA PAM, which has its user in its own database. Is this use case encountered in the past, if not how to approach this.

from Shawn Hank (CA) to Everyone:

please define the database details. Assuming it's Oracle, but what version, etc.

from Steven McCullar to Everyone:

@Raj Oracle database?

from Raj to Everyone:

yes

from Shawn Hank (CA) to Everyone:

PAM can manage the Oracle password with the PAM Oracle Connector. Policies around the ability to view the password for the database accounts, as well as use without view, are possible. Rotation and complexity rules can be configured and assigned as well.

from Shawn Hank (CA) to Everyone:

Not sure what other integration points your prospect is interested in beyond password management of the Oracle database, but PAM can also log in to the Oracle Web UI to manage aspects of the suite itself, and there is the A2A component also that can provide apps and scripts access to PAM managed accounts. PAM is not just for human to machine interaction.

from Raj to Everyone:

ok...thatz good...Thanks Shawn....many a times endpoints/applications resist CA products changing their password or attribute values as part of our products' rotation policy

from Raj to Everyone:

one final question from me.....what are the business cases, we should consider using Identity Federation (SAML etc...) capability of CA PAM?

from Shahn Soomro (CA) to Everyone:

Many orgs have SaaS based services and the SAML capability allows us to secure the SaaS solutions' privilege/admin account and provide secure SSO, as well as logging/recording of user sessions as an admin with clear attribution

from Shawn Hank (CA) to Everyone:

PAM is for privileged user access. So, you can use PAM's built in IDP to provide SAML assertions for any privileged account that you want PAM to federate toward outbound services. I would not consider it a replacement for SSO (former SiteMinder).

from Raj to Everyone:

ok...good Thanks Shahn and Shawn!!

from Shawn Hank (CA) to Everyone:

Many services offer SAML for authentication. One such use case might be access to Office365, AWS, Azure or Google Compute Engine.

from Kristen Palazzolo (CA) to Everyone:

Alright, that's all the time we have for today! Thanks for joining Office Hours for CA Privileged Access Management!

from Shawn Hank (CA) to Everyone:

Any privileged user of these services can have access federated by PAM's IDP, and the session gets recorded.

from Kristen Palazzolo (CA) to Everyone:

I'll post the Chat Transcript to the CA Security Community later today: https://communities.ca.com/community/ca-security

from Kristen Palazzolo (CA) to Everyone:

Have a great rest of your week and a great weekend!

from Raj to Everyone:

This chat was very helpful to understand CA PAM and PAM SC. Special Thanks to Shawn, Steven, Shahn and Michael Dullea. Thanks Kristen for organizing it. You guys ROCK!!

from Kristen Palazzolo (CA) to Everyone:

@Raj YOU ROCK MORE!

Comments

07-24-2016 07:26 PM

During the call there was a question about using command strings as part of the PAM Transparent Authentication feature. Here is the conversation again, for context.

from vijaya(CA) to Everyone:

Can CA PAM protect/manage "expert" password of firewalls, I mean the second credential that firewall admin uses to get privileged access, which is similar to "su".  If yes, how this can be done

from Shawn Hank (CA) to Everyone:

Yes. PAM has the ability to do this via the Transparent login feature for SSH.

from Shawn Hank (CA) to Everyone:

In the device details page for the firewall (assuming you have added it to PAM) there is a section called "Transparent Login" You can use the "Command String" option and put in whatever the command prompt is from your firewall that is required to get to that second level of privilege.

from Shawn Hank (CA) to Everyone:

@vijaya - I assume that you have the password stored in the vault for PAM to provide this password transparently when prompted.

@vijaya - please see screenshot here: https://www.dropbox.com/s/q65ox8byfohlc33/PAM%20and%20Transparent%20Login%20for%20Secondary%20Authentication.png?dl=0

Just in case the Dropbox link goes away, I thought it would be good to provide the screenshot here as part of the post on the Expert's Forum. You can get here by going to Devices > Manage Devices > and then going to the Transparent Login section for your SSH-based device:

[Screenshot: PAM Transparent Login settings for secondary authentication]

This will work for sudo or other commands like Cisco's "enable" login needed to escalate to config permissions.

Warm Regards,

//Shawn

 

Shawn W. Hank

Senior Principal Consultant, Presales

CA Technologies

Office: +1 703-709-4468

Mobile: +1 571-409-3042

Email: Shawn.Hank@ca.com

07-21-2016 11:16 AM

Thanks for joining ManicRaj, willub, & kkrastev!
