Technical Requirements

Privileged passwords must be protected more vigorously than any other data in an organization:

  1. Sensitive data:
    Privileged passwords and the encryption keys used to protect them are arguably the most sensitive data in an organization, since they unlock all other data. Inappropriate disclosure can be catastrophic.
  2. Business interruption:
    Loss of access to privileged passwords means that the systems which the privileged passwords control cannot be managed, at least until they are powered down and "hacked into." Consider the impact on IT support of a disaster where every root or Administrator password in a company is permanently lost.
  3. Constant change / data backup:
    If privileged passwords are changed regularly, then scheduled backups will contain mostly historical data rather than current passwords and so provide little value. It is therefore important to replicate this data in real time.

Password Encryption and Storage

Hitachi ID Privileged Access Manager encrypts all passwords before storing them in its database. Passwords are encrypted using the 256-bit AES algorithm. A random 128-bit salt is inserted before each plaintext password before encryption. This ensures that even if two accounts are assigned the same password, the crypto text will never be the same.

The key (K1) used to encrypt passwords in the Privileged Access Manager database is a random string, specific to each instance of Privileged Access Manager. K1 is stored in the registry of each server that supports the same instance of Privileged Access Manager. The value stored in the registry is itself encrypted, using a key embedded in the Privileged Access Manager software itself. Alternately, a hardware security module (HSM) may be used to store the master encryption key which decrypts K1.

Replication Across Servers and Locations

Privileged Access Manager includes built-in data replication between servers.

Data replication between Privileged Access Manager servers occurs in real time -- all updates to one server's database are queued up and sent to other (peer) servers as well. If a peer server is unavailable, database updates are automatically retried when the server becomes available again.

All replication is performed at the application level, over an encrypted TCP/IP socket. This makes configuration of a replicated environment straightforward and eliminates the need to license and configure a replicated RDBMS server product.

Application-level replication is especially helpful for deployments where Privileged Access Manager servers are physically distant from one another, for example to provide fault tolerance in the event of a disaster at a single data center. Database replication provided by database vendors such as Microsoft or Oracle is very difficult to configure where the network between nodes is insecure, unreliable, low bandwidth or high latency. Since a WAN network normally exhibits all of these problems, Hitachi ID Systems built replication right into Privileged Access Manager to operate reliably under these same constraints.

Privileged Access Manager data replication is secure. Data transmitted between servers is encrypted and each endpoint authenticates the other. Replication uses relatively low bandwidth and is tolerant of high latency, making it suitable for deployment across physically distant sites. Replication is fault tolerant, in that failed transmissions are queued and retried until they succeed.

Archival Passwords

Privileged Access Manager retains all historical passwords for each managed account, by default. This history is retained even when accounts are unmanaged (i.e., stop granting access and randomizing passwords) since backup media of these systems may need to be reactivated.

When accounts or systems become 'unmanaged' -- either due to policy or because Privileged Access Manager can no longer find them on the network, they are moved to an archival policy within Privileged Access Manager, so that historical passwords and access requests remain accessible.

Separate access controls are applied to historical passwords on currently managed accounts and to archival systems/accounts.