Hitachi ID Privileged Access Manager secures sensitive passwords by periodically setting them to new, random values:

  1. On systems integrated via "push mode":
    1. Periodically -- for example, every night between 3AM and 4AM.
    2. When users check accounts back in, after they are finished using them.
    3. When users request a specific password value.
    4. In the event of an urgent termination of a system administrator (randomize all passwords that person may have known).
    Note that "push mode" normally means that no software is deployed to the managed endpoint system.

  2. On systems integrated via "pull mode":
    1. Periodically -- for example, every day.
    2. At a random time-of-day, to even out workload on the Privileged Access Manager service.
    3. Opportunistically, whenever network connectivity happens to be available from the managed endpoint to the central privileged access system.
    Note that "pull mode" implies a local agent on the managed endpoint system. This approach is useful on laptops, on rapidly provisioned/deprovisioned VMs in a cloud environment and in some isolated network segments.

Privileged Access Manager can enforce multiple password policies. There is a global password policy as well as sets of password rules in each managed system policy.

Password policies specify the complexity of both randomly chosen and manually selected passwords. In addition to mandating character types (lowercase, uppercase, digits, punctuation), each policy can specify minimum and maximum password lengths, prohibit the use of dictionary words, etc.

Watch Movies

Randomizing privileged passwords on fixed IT assets

Content:

  • On servers and other fixed systems, no local software is required.

Key concepts:

  • Password changes are initiated on a Privileged Access Manager server and are scheduled to happen, as often as hourly.
  • Randomized password values are stored in a secure, replicated vault at a minimum of two physical locations.
  • No software is installed on the managed systems.

Randomizing privileged passwords on laptops or rapidly provisioned VMs

Content:

  • On laptops, the endpoint initiates the password change process.

Key concepts:

  • Password changes initiated on the endpoint can be performed even when the device is off-site, behind a firewall, etc.
  • Randomized timing improves reliability and reduces peak transaction volume.
  • A minimal software footprint is required on the endpoint device.