
Hitachi ID Privileged Access Manager Overview

Hitachi ID Privileged Access Manager is network security software designed specifically to address the problem of insecure, static and well-known administrator passwords.

It can be difficult to securely manage access to thousands of privileged accounts. Consequently, in many organizations, the passwords to privileged accounts are:

  • known to many people, possibly including former staff,
  • often the same on many systems,
  • rarely if ever changed, and
  • stored in plaintext, by people and by applications.

There are serious consequences to these password management practices, including:

  • There is no accountability for use of shared, privileged accounts. This is both a security / regulatory compliance problem and an obstacle to diagnosing operational problems.
  • Former staff may retain sensitive access.
  • Attackers have an easier time compromising these dangerous accounts.
  • If one system is compromised (e.g., an IT user's PC or an application server), the attacker can leverage passwords stored or typed on that system to compromise additional systems.

The obvious solution to the security vulnerability of static and shared privileged passwords is to change these passwords so that each one is unique and changes regularly. Doing this can be technically challenging, however:

  • There are thousands of privileged accounts:

    Automation is required to onboard systems and accounts, schedule password changes and authorize access to accounts.

  • There are many kinds of systems, all with privileged accounts:

    The automation must include many integrations -- to client and server operating systems, databases, applications, hypervisors and guest VMs, network devices, health monitoring hardware, web services and more.

  • The majority of privileged accounts are on PCs and laptops.

    End user PC passwords are hard to manage centrally:

    • PCs may be powered down, disconnected or firewalled.
    • PC IP addresses may change along with physical location and be behind NAT in any case.
    • PCs may be configured to block inbound service connections, including requests to change local passwords.

  • Connectivity to servers and applications.

    • Network-attached systems may not always be running. This is especially true of demand-driven VMs.
    • Routing problems, firewalls and name resolution (DNS) problems may block access to network services.
    • Systems with privileged accounts are heterogeneous -- a single mechanism or protocol cannot support them all.

  • Secure, reliable storage.

    Once automation is implemented to regularly change passwords, technical challenges regarding their storage must be addressed. The password storage system must:

    • Be secure. An insecure storage system, if compromised, would allow an intruder to gain administrative access to every device in the IT infrastructure.

    • Be reliable. A disk crash or facility interruption affecting the credential vault would lock out access to every privileged account.

    • Include fine-grained access controls. Only the right people should get access to the right accounts, at the right time, after strong authentication.

    • Log access disclosure. Access to privileged accounts must be logged, to create accountability, both operationally and in the event of a forensic investigation.

These challenges are not trivial -- a custom software development project may get some of them wrong, with possibly disastrous consequences.
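To make the four storage requirements above concrete, here is an added example, not code from this page or from Hitachi ID: a constructed, in-memory model of a credential vault that randomizes each account's password, ages passwords out, reports accounts that still share a password, and discloses a password only to an authorized requester who has passed strong authentication, logging every attempt. Encryption at rest and replication to a second server are noted in comments but deliberately left out. The class and method names (`Vault`, `checkout`, `rotate_stale`), the sample hosts and the requester names are all assumptions made for the example.

```python
import hashlib
import secrets
import string
from datetime import datetime, timedelta, timezone

# Character set for generated passwords (constructed choice; a real vault applies
# the password policy of each target system).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def random_password(length: int = 24) -> str:
    """Return a password drawn from the OS CSPRNG, unique per call."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class Vault:
    """Toy in-memory vault (hypothetical). A production vault encrypts these
    records at rest and replicates them to at least one other server; both are
    omitted here so the access-control and logging logic stays readable."""

    def __init__(self, max_age_days: int = 30):
        self.accounts = {}   # (system, user) -> {"password": str, "changed": datetime}
        self.policy = {}     # (system, user) -> set of requesters allowed to check out
        self.log = []        # access-disclosure log: (time, requester, system, user, outcome)
        self.max_age = timedelta(days=max_age_days)

    def onboard(self, system, user, authorized, now):
        """Register an account and replace whatever password it had with a random one."""
        self.accounts[(system, user)] = {"password": random_password(), "changed": now}
        self.policy[(system, user)] = set(authorized)

    def find_reused(self):
        """Group accounts whose passwords are identical (the 'same on many systems'
        problem). Grouping is by SHA-256 so the report never handles plaintext."""
        by_hash = {}
        for key, rec in self.accounts.items():
            digest = hashlib.sha256(rec["password"].encode()).hexdigest()
            by_hash.setdefault(digest, []).append(key)
        return [keys for keys in by_hash.values() if len(keys) > 1]

    def rotate_stale(self, now):
        """Randomize every password at least max_age old; return the accounts rotated."""
        rotated = []
        for key, rec in self.accounts.items():
            if now - rec["changed"] >= self.max_age:
                rec["password"] = random_password()
                rec["changed"] = now
                rotated.append(key)
        return rotated

    def checkout(self, requester, system, user, mfa_ok, now):
        """Disclose a password only to an authorized, strongly authenticated requester.
        Every attempt, granted or denied, is appended to the log for accountability."""
        key = (system, user)
        if not mfa_ok:
            self.log.append((now, requester, system, user, "denied: no MFA"))
            raise PermissionError("strong authentication required")
        if requester not in self.policy.get(key, set()):
            self.log.append((now, requester, system, user, "denied: not authorized"))
            raise PermissionError(f"{requester} is not authorized for {user}@{system}")
        self.log.append((now, requester, system, user, "disclosed"))
        return self.accounts[key]["password"]


def demo():
    """Constructed walk-through; returns the values a caller would inspect."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    vault = Vault(max_age_days=30)
    vault.onboard("web01", "root", {"alice"}, t0)
    vault.onboard("db01", "sa", {"alice", "bob"}, t0)
    vault.onboard("pc-1234", "Administrator", {"helpdesk"}, t0)
    # Recreate the legacy state the page describes: one password shared by two hosts.
    vault.accounts[("web01", "root")]["password"] = "Summer2019!"
    vault.accounts[("db01", "sa")]["password"] = "Summer2019!"
    reused_before = vault.find_reused()
    rotated = vault.rotate_stale(t0 + timedelta(days=31))
    reused_after = vault.find_reused()
    later = t0 + timedelta(days=32)
    pw = vault.checkout("alice", "web01", "root", mfa_ok=True, now=later)
    try:
        vault.checkout("mallory", "web01", "root", mfa_ok=True, now=later)
    except PermissionError:
        pass
    return reused_before, rotated, reused_after, pw, vault.log


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Running the module prints the reuse report before and after rotation, the list of rotated accounts, the disclosed password and the two log entries (one disclosure, one denial). The reuse check hashes rather than compares plaintext so that the same report can be produced from a store that keeps only digests, and the log records denials as well as grants, since a failed checkout is often the first sign that a departed user's credentials are still in circulation.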

To ensure robust management of administrator passwords, it makes sense to acquire and deploy an expertly built application for the purpose. That application is Privileged Access Manager.

Read More:

  • Features:
    Privileged Access Manager is a system for securing access to privileged accounts. It works by regularly randomizing privileged passwords on workstations, servers, network devices and applications. Random passwords are encrypted and stored on at least two replicated servers.
  • Business Case:
    Privileged Access Manager helps organizations secure access to privileged accounts by randomizing their passwords and forcing users to sign into Privileged Access Manager when they need privileged access. It automatically deactivates access for departed IT users and creates a forensic audit trail of login sessions to sensitive accounts.
  • Screen Shots:
    Snapshots of the Privileged Access Manager web interface.
  • Screen Recordings:
    Recordings of user interaction with Privileged Access Manager.
  • Concept Animations:
    Animated demonstrations illustrating user interaction with Privileged Access Manager and data flow between components on the network.
  • Slide Decks:
    Slide presentations that discuss privileged access management in general and Privileged Access Manager in particular.