close icon
Home Page
Products

Products

PAM logo
Privileged Access Management
PEM logo
Endpoint Privilege Management
PPA logo
Automation
Industries

Industries

school_line
Education
bank_line
Finance
government_line
Government and Defence
hospital_line
Healthcare
computer_line
IT Operations
settings_5_line
Industrial Control Systems
briefcase_line
Legal
store_2_line
Retail
Partners

Partners

Resellers and Distributors
Partner marketing support
Partner opportunity
Resources

Resources

tool_line
Free Tools
bookmark_line
Blog
file_search_line
Case Studies
usb_line
PAM Integrations
video_line
Videos
Webinars
paper_line
White Papers
book_2_line
Osirium University
news_line
Documentation
Company

Company

IDcard_line
About
news_line
News & Events
Team
Investor Hub
Software reviews gold medal
See the report
search_3_line
BOOK A DEMO
All posts
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Prev
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
Next
6
October 2015

Osirium as an Identity Federator

Andy Harris

Deploying Identity to all Devices

The identity market has been getting stronger, it needs to get stronger as more and more business functions migrate to the cloud.

At Osirium we often use the phrase “Identity In – Role Out“, by this we mean mapping identities of people to roles on systems, devices and applications. A lot more sensible operational information can be derived if you know Which person done What to Which device When.

If we were to identity enable all the devices in an organisation we’d run into two key issues:

  • Cost – mainly in the effort of connecting all the devices to identity services
  • Simple embedded devices do not have identity capability

Here we propose that you use Osirium as an Identity Federator. In this deployment, Osirium consumes identities and delivers SSO to role based connections to devices.

Along the way we solve problems like:

  • Shared Accounts, some devices can only have a handful of accounts
  • Some applications need to be set up by a particular user account that uses applications specific tools.
  • How to manage third party access:
  • For temporary vendor access
  • For short term contractor access
  • For long term outsourcing contracts
  • Stop users wandering around your system estate

These are significant problems to solve, for example you can provision a third party from your own identity provider and give them time window access to specific devices in your infrastructure in the safe knowledge that the passwords will never be known and that they cannot use the access to wander around your network. Add Session Recording to this and you’ll be able to review what changes they made to your system.

Suppose for a moment that you needed a third party to investigate an issue on a SAN server in your virtualised infrastructure. If that third party was untrustworthy they could simply take copies of all the virtual systems on that SAN. After they’ve finished they would have your VM in their environment and could spin these up in single user mode, extract SAMs and shadow files along with any data available. They could run the SAM’s and Shadows against hashing and brute force tools such as John the Ripper and you’d be none the wiser. Then they’d have legitimate accounts with which to access the live versions of these VMs.

Lets look at the same scenario with Osirium, first our third party would have to use their identity, so we know it was definitely them making the connection. Second, would they take the copies knowing their actions were being recorded? Finally, lets consider that they still took the copies even though they were being recorded. Well, they could still boot the systems in single user mode and they’d still get access to the data on those VMs. However, if Osirium had set the passwords then they would be long and complex, up to 128 characters and properly randomised. Hash lookups and John the Ripper would not be able to return the original passwords, and this represents a huge damage limitation.

‍

Related Topics

Privileged Access Management
Manager
Identity & Access Management
all posts
Top
Home Page
cyber essentials certified badge
Industries
EducationFinanceGovernment and DefenceHealthcareIT OperationsIndustrial Control SystemsLegalRetail
Company
AboutTeamBoard of DirectorsInvestor HubJob Opportunities
Resources
Free ToolsBlogPAM IntegrationsVideosWebinarsWhitepapersDatasheetsDocumentationCase Studies
Support
Support PortalOsirium University
© 2023 OSIRIUM. All rights reserved.
AccessibilityPrivacy PolicyEULATerms of ServiceSitemap