Hitachi ID Privileged Access Manager Features at a Glance

Hitachi ID Privileged Access Manager is a system for securing privileged accounts across many servers and workstations. It periodically randomizes them, stores the values in a replicated database and - when appropriate - discloses access to administrators, applications and services.

FEATURE: Infrastructure auto-discovery
Description Benefit

Hitachi ID Privileged Access Manager periodically extracts a list of systems from a directory such as AD or from a source such as an IT inventory database. It then applies rules to decide which of these systems to manage. Managed systems are probed to find accounts, groups and services on each one. Rules determine which of these accounts should be controlled by Privileged Access Manager. This process is normally run every 24 hours.

Auto-discovery is essential for deploying Privileged Access Manager in medium to large organizations, where there may be thousands of systems with accounts to secure and where hundreds of systems may be added, moved or retired daily.


FEATURE: Randomize passwords on privileged accounts
Description Benefit

Privileged Access Manager periodically randomizes passwords on every privileged account within its scope of authority. This is normally done daily.

Frequent password changes eliminate the possibility of password sharing or of access being retained by administrators after work is completed. Former IT staff lose access automatically.


FEATURE: Encrypted, replicated credential vault
Description Benefit

Randomized passwords are encrypted and stored in a database. The database is replicated between at least two servers, installed in at least two physical locations.

Encryption and replication protects against inappropriate disclosure of sensitive passwords or loss of access to privileged accounts, even in the event of media theft, server crash or physical disaster at a data center.


FEATURE: Access control policies
Description Benefit

IT users sign into Privileged Access Manager to request access to privileged accounts. These requests are subject to access control rules, typically associating groups of users to groups of managed systems. Requests may also carry other data, such as incident numbers, which can be validated before access is granted.

Policies allow IT security to control who can sign into each system.


FEATURE: One-time access request workflow
Description Benefit

Users without pre-approved login rights can nonetheless request access to privileged accounts. These requests are subjected to a workflow authorization process which may involve one or more approvers and which supports reminders, escalation, delegation, approval by multiple people and more.

Workflow approvals supports a range of business processes, including production migration, a flexible workforce and emergency access.


FEATURE: Single sign-on and other access disclosure methods
Description Benefit

Privileged Access Manager does not normally display passwords to privileged accounts from its vault. Instead, it may launch a login session automatically and inject credentials, or temporarily place a user's AD domain account into a security group or create a temporary SSH trust relationship.

Users benefit from single sign-on to privileged accounts while security is enhanced by avoiding password display and even knowledge of passwords by administrators.


FEATURE: Audit logs and reports
Description Benefit

Privileged Access Manager records every attempted, authorized and completed login to a privileged account. E-mail notifications, incident management integration and built-in reports create accountability for access to privileged accounts.

Accountability motivates users to act appropriately and creates a forensic audit trail.


FEATURE: Session recording and forensic audits
Description Benefit

Privileged Access Manager can deploy an ActiveX control to an authorized user's desktop to record login sessions to managed systems. These recordings include screen capture, web cam video, keyboard events and more. Recordings are archived indefinitely and can be searched and played back, subject to access controls and workflow approvals.

Session recording is useful both for knowledge sharing and forensic audits.


FEATURE: Integration with Windows service accounts
Description Benefit

Privileged Access Manager can periodically change the passwords on Windows service accounts. It then notifies Windows OS components including SCM, IIS, Scheduler and DCOM of the new password values.

This feature eliminates static passwords on Windows services, which often run with significant privileges.


FEATURE: API to eliminate embedded application passwords
Description Benefit

Privileged Access Manager can frequently scramble and vault the passwords on accounts used by one application to connect to another. Applications can then be modified to call the Privileged Access Manager API to fetch current password values, eliminating passwords stored in scripts and configuration files.

Plaintext passwords stored in scripts and configuration files are a major security risk. Eliminating them significantly improves the security posture of an organization.


FEATURE: Support for laptop passwords
Description Benefit

A laptop service can be deployed to Windows and Linux laptops. This service periodically contacts the central Privileged Access Manager server cluster, requesting a new password for local administrator accounts.

This process makes it possible to secure privileged passwords on mobile devices, which would otherwise be unreachable because they are powered down, disconnected from the network, protected by firewalls and assigned different IP addresses.


FEATURE: Identity management features included
Description Benefit

In a typical deployment, user rights to access privileged accounts depend on user membership in AD or LDAP groups. Privileged Access Manager includes workflow processes to request such group membership, to apply segregation of duties policies to these groups, to detect unauthorized changes to these groups and to periodically invite group owners to review their membership.

Effective group membership management ensures that security policies are based on reliable data. This is especially helpful for organizations that have not deployed effective identity management process to manage fine-grained security entitlements.


FEATURE: Many included integrations
Description Benefit

Privileged Access Manager includes connectors for over 120 systems and applications, plus flexible agents designed to integrate new ones.

Including connectors in the base price and providing a rich set of connectors lowers both the initial and ongoing cost of the system.


FEATURE: Multi-master, replicated architecture
Description Benefit

Privileged Access Manager includes a data replication layer and can be deployed to multiple servers, at multiple locations, at no extra cost.

Built-in support for high-availability and fault-tolerance make Privileged Access Manager suitable for enterprise deployments.


FEATURE: Multi-lingual user interface
Description Benefit

Privileged Access Manager ships with multiple user interface languages and additional ones can be added easily, both by Hitachi ID Systems and customers.

A multi-lingual user interface makes Privileged Access Manager suitable for international organizations.