Randomize Privileged Passwords
Hitachi ID Privileged Access Manager secures sensitive passwords by periodically setting them to new, random values:
- On systems integrated via "push mode:"
Note that "push mode" normally means that no software is deployed to the
managed endpoint system.
- Periodically -- for example, every night between 3AM and 4AM.
- When users check accounts back in, after they are finished using them.
- When users request a specific password value.
- In the event of an urgent termination of a system administrator (randomize
all passwords that person may have known).
- On systems integrated via "pull mode:"
Note that "pull mode" implies a local agent on the managed endpoint
system. This approach is useful on laptops, on rapidly
provisioned/deprovisioned VMs in a cloud environment and in some
isolated network segments.
- Periodically -- for example, every day.
- At a random time-of-day, to even out workload on the Privileged Access Manager service.
- Opportunistically, whenever network connectivity happens to be
available from the managed endpoint to the central privileged access system.
Watch a Movie
Randomizing privileged passwords on laptops and other mobile devices
- On mobile devices, the endpoint initiates the password change process.
- Password changes initiated on the endpoint can be performed
even when the device is off-site, behind a firewall, etc.
- Randomized timing improves reliability and reduces peak transaction
- A minimal software footprint is required on the endpoint device.
Randomizing privileged passwords on fixed IT assets
- On servers and other fixed devices or applications, no local software is required.
- Password changes are initiated on an HiPAM server and are
scheduled to happen, as often as hourly.
- Randomized password values are stored in a secure, replicated vault
at a minimum of two physical locations.
- No software is installed on systems.
- Randomize Privileged Passwords:
Privileged Access Manager periodically randomizes passwords on privileged accounts.
- Launch Privileged Login Sessions:
Privileged Access Manager launches login sessions to privileged accounts subject to access control policies and/or workflow approvals.
- Limit Concurrent Administrator Logins:
Privileged Access Manager controls how many people can sign into the same privileged account at the same time using a checkout/checkin process.
- Record Administrator Logins:
Privileged Access Manager can record the login sessions it launches for users to sign into privileged accounts. These recordings are both a forensic audit trail and a knowledge sharing resource.
- Password History:
Privileged Access Manager captures a full history of passwords for privileged accounts. This is useful when recovering servers and databases from backup media.
- Audit Logs and Reports:
Login sessions to privileged accounts are logged by Privileged Access Manager and visible in reports. This makes administrators accountable for changes they may make to systems and applications.
- Eliminate Embedded Passwords:
Privileged Access Manager allows organizations to eliminate static, plaintext passwords embedded in applications. An API allows applications to secure acquire credentials to other applications on demand.
- Change Service Account Passwords:
Privileged Access Manager periodically changes passwords for accounts used to run Windows services and notifies appropriate OS components, such as service control manager and scheduler, of the new password value.