
Hitachi ID Privileged Access Manager Features

Hitachi ID Privileged Access Manager secures privileged accounts with:

  • Random passwords:

    Privileged Access Manager is designed to change as many as 2,000,000 passwords per day to new, random values. This minimizes the window of opportunity that hackers and former users have to compromise systems and applications.

  • Encrypted, replicated vault:

    Privileged Access Manager stores randomized passwords in an encrypted and replicated vault. This protects against unauthorized access to passwords and against loss of access to data because of a hardware failure or physical disaster.

  • Many included connectors:

    Privileged Access Manager ships with built-in integrations for over 120 systems and applications. That means that it can secure access to sensitive accounts on most servers, directories, network devices, databases and applications without customization.

  • Laptop support with a local service:

    Privileged Access Manager also ships with software that can be installed on laptops running Windows or Linux. This allows it to secure access to computers that are sometimes turned off, unplugged from the network, assigned new IP addresses or physically removed from the premises.

  • Access control policy engine:

    Security officers set policy on Privileged Access Manager to control who can access which accounts. For example, Windows administrators can be granted access to local Administrator accounts, Unix administrators can be allowed to log in as root, etc. The policy engine is very flexible, as it connects groups of administrators to named accounts on groups of systems.

  • Workflow for one-time access requests:

    Privileged Access Manager includes a powerful workflow engine that allows users to request one-time access to privileged accounts. Requests are subject to policy (who can ask, who must approve).

    The workflow engine leverages e-mail to invite authorizers to act and a secure web form for approvals. Timely response is assured by inviting multiple authorizers, sending automated reminders, escalating requests from non-responsive authorizers to alternates and more.

  • Flexible access disclosure options:

    Rather than displaying passwords to users, Privileged Access Manager can:

    • Launch RDP, SSH, SQL Studio, VMware vSphere and similar sessions, injecting passwords without displaying them.
    • Temporarily attach the authorized user's Active Directory account to a local security group on the target Windows server.
    • Temporarily attach the authorized user's SSH public key to the authorized_users key ring on the target Unix or Linux server.

  • Session recording:

    Privileged Access Manager can be configured to record screen, keyboard and other data while users are connected to privileged accounts. The recording may be of just the window launched to connect a user to a privileged account or of the user's entire desktop.

    The session recording system is tamper resistant -- if users attempt to interrupt recording, their login sessions to privileged accounts are disconnected and an alarm is raised.

    Session recordings may be archived indefinitely and may serve a variety of purposes, ranging from knowledge sharing and training to forensic audits. Access to recorded sessions is secured through a combination of access control policies and workflow approvals, designed to safeguard user privacy.

    Multiple mechanisms are included to launch and record sessions:

    1. Directly from the user's Windows PC to the managed endpoint, using IE/ActiveX. The ActiveX component may be previously installed or downloaded on demand.
    2. Directly from the user's Windows PC to the managed endpoint, using Chrome, Firefox or Opera and a browser extension. The browser extension may be previously installed (e.g., via software push) or installed by the user on demand.
    3. By prompting the user to launch a downloadable, personalized (per session) executable file on their Windows PC. This is a single-use download.
    4. By asking the user to first connect via RDP or similar to a Windows/Remote Desktop Services, Citrix or similar intermediate server, and (a) sign into Privileged Access Manager and then (b) launch a session from this proxy server. The same mechanisms as described above are available, but run on the proxy server rather than the user's PC. The user's PC can run any OS in this case.
    5. By opening a second browser tab to an HTML5 proxy server (running Linux/Tomcat/Guacamole). The session UI is rendered as an HTML canvas in the user's browser, which could be any browser on any OS. The actual SSH or RDP session is established from this proxy onwards to the managed system.

    In the first four cases, any Windows-compatible client admin tool can be launched, with credentials injected. Screen capture, copy buffer, window metadata and keylog data are streamed from the system running the admin tool (which may be the user's PC or Windows RDS proxy) to the Privileged Access Manager server(s).

    In the last case, only SSH and RDP are currently supported. Screen capture, copy buffer, window metadata and keylog data are streamed from the Linux/Tomcat proxy server to the Privileged Access Manager server(s).

    The Privileged Access Manager session monitoring infrastructure is included at no extra cost. Both direct and proxied connections may be deployed. No software is deployed on the managed endpoint. There are no fees per proxy server.

    In a typical deployment, admin tools including SSH clients, RDP clients, hypervisor admin consoles (e.g., vSphere), DBA tools (e.g., SQL Management Studio) and more may be launched and monitored. Video capture may be of the user's entire desktop or just the launched window.

  • Infrastructure to secure Windows service account passwords:

    In addition to managing access to administrator accounts, Privileged Access Manager can randomize passwords used to run services, scheduled jobs and other unattended processes on Windows computers. It can then notify the Windows Service Control Manager, Scheduler, IIS and other components of the new password, so that tasks can be successfully started in the future.

  • An API to replace static, embedded passwords:

    Privileged Access Manager exposes an API that allows one application to securely acquire a password that will then be used to connect to another application. This mechanism is used to eliminate plaintext passwords in application source code or text files.

  • Auto-discovery:

    Privileged Access Manager includes an advanced infrastructure auto-discovery system, designed to minimize both initial and ongoing configuration. This system can:

    1. Extract a list of systems from AD, LDAP or other sources.
    2. Apply rules to decide whether a given system should be managed.
    3. Apply rules to choose a security policy to apply to each managed system.
    4. Probe systems in a massively parallel fashion, to get a list of accounts, groups and services on each one.
    5. Apply rules to decide which accounts on each system should be managed.

  • Reports:

    Privileged Access Manager includes a variety of built-in reports that are used to answer questions such as:

    • What computers are on the network?
    • Which computers have been unresponsive during the past 30 days?
    • Which administrators have signed into this computer?
    • Which systems has this administrator managed?
    • Who has made a large number of requests for one-off access?
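
The "temporarily attach the authorized user's SSH public key" disclosure option described under "Flexible access disclosure options" comes down to a bounded-lifetime entry in the target account's key file. The following is an added illustration of that mechanism, not Hitachi ID's code: the tag format, the TTL handling and the use of a temp directory are this example's own assumptions, and the key strings are constructed placeholders.

```python
"""Temporary SSH key disclosure: attach a user's public key to a target
account's authorized_keys for a bounded window and remove it afterwards.
Added illustration of the access option described on the page; not Hitachi ID
code. The tag format, TTL handling and file layout are this example's own
assumptions."""
import os
import re
import tempfile
import time

TAG = "pam-temp-access"  # assumed marker so we only ever remove entries we added
_EXPIRY_RE = re.compile(rf"\b{TAG}:(?P<user>[^:\s]+):expires=(?P<ts>\d+)\b")


def attach_key(path, pubkey_line, requester, ttl_seconds, now=None):
    """Append the requester's key, tagged with who asked and when it expires.
    Forwarding is disabled via key options so the grant stays a login grant."""
    now = time.time() if now is None else now
    expires = int(now + ttl_seconds)
    entry = (f"no-agent-forwarding,no-port-forwarding {pubkey_line.strip()} "
             f"{TAG}:{requester}:expires={expires}")
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(entry + "\n")
    return entry


def expiry_of(line):
    """Return the expiry timestamp of a tagged line, or None for any other line."""
    m = _EXPIRY_RE.search(line)
    return int(m.group("ts")) if m else None


def revoke_expired(path, now=None):
    """Rewrite the file without tagged entries whose window has passed.
    Untagged keys are never touched. Returns the removed lines."""
    now = time.time() if now is None else now
    with open(path, encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    keep, removed = [], []
    for line in lines:
        exp = expiry_of(line)
        (removed if exp is not None and exp <= now else keep).append(line)
    # Write a sibling temp file and rename it over the original, so a crash
    # mid-write cannot leave a truncated authorized_keys behind.
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        fh.write("".join(l + "\n" for l in keep))
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)
    return removed


def run_demo():
    """Constructed walk-through in a temp dir: one permanent key, one one-hour grant."""
    work = tempfile.mkdtemp()
    path = os.path.join(work, "authorized_keys")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("ssh-ed25519 AAAAC3existingkey admin@bastion\n")  # constructed, not a real key
    attach_key(path, "ssh-ed25519 AAAAC3tempkey jdoe@laptop", "jdoe", 3600, now=1_000)
    with open(path, encoding="utf-8") as fh:
        during = fh.read().splitlines()
    early = revoke_expired(path, now=2_000)   # still inside the window: nothing removed
    late = revoke_expired(path, now=5_000)    # window passed: the grant goes away
    with open(path, encoding="utf-8") as fh:
        after = fh.read().splitlines()
    return {"during": during, "early_removed": early, "late_removed": late, "after": after}


if __name__ == "__main__":
    print(run_demo())
```

The revocation pass only ever removes lines carrying its own tag, so keys the system owner placed there are never disturbed; running it from a scheduler closes the window even if the product's own session teardown is missed.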

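The five numbered steps under "Auto-discovery" describe a rules pipeline: pull an inventory, decide what to manage, choose a policy, probe in parallel, and select accounts. The following added example runs that pipeline end to end; it is not Hitachi ID's implementation, and the inventory, the probe results and every rule are constructed here so it executes offline.

```python
"""Rule-driven auto-discovery following the five numbered steps above: pull an
inventory, decide what to manage, pick a policy, probe in parallel, select
accounts. Added example, not Hitachi ID's implementation; the inventory, the
probe results and every rule below are constructed for illustration."""
import fnmatch
from concurrent.futures import ThreadPoolExecutor

# Step 1 stand-in: what a directory export (AD/LDAP) might yield. Constructed.
INVENTORY = [
    {"host": "dc01.corp.example", "os": "Windows Server 2019", "ou": "OU=DomainControllers"},
    {"host": "web01.corp.example", "os": "Windows Server 2019", "ou": "OU=Servers"},
    {"host": "db01.corp.example", "os": "Linux", "ou": "OU=Servers"},
    {"host": "lt-1234.corp.example", "os": "Windows 10", "ou": "OU=Laptops"},
    {"host": "vm7.lab.example", "os": "Linux", "ou": "OU=Lab"},
]

# Step 4 stand-in: the accounts a real probe would enumerate. Constructed.
PROBE_RESULTS = {
    "dc01.corp.example": ["Administrator", "krbtgt", "svc_backup", "jdoe"],
    "web01.corp.example": ["Administrator", "svc_web", "Guest"],
    "db01.corp.example": ["root", "postgres", "alice"],
    "lt-1234.corp.example": ["Administrator", "jdoe"],
}

EXCLUDED_HOST_PATTERNS = ["*.lab.example"]       # step 2 rule: lab systems stay unmanaged
PRIVILEGED_ACCOUNTS = {"Administrator", "root"}  # step 5 rule: built-in admin accounts
SERVICE_PREFIX = "svc_"                          # step 5 rule: service accounts by naming convention
LEAVE_ALONE = {"krbtgt", "Guest"}                # step 5 rule: never rotate these from here


def should_manage(system):
    """Step 2: exclude hosts matching any opt-out pattern."""
    return not any(fnmatch.fnmatch(system["host"], p) for p in EXCLUDED_HOST_PATTERNS)


def choose_policy(system):
    """Step 3: tier-0 systems rotate most often; laptops use the local service."""
    if "DomainControllers" in system["ou"]:
        return "tier0-daily-rotation"
    if system["os"].startswith("Windows Server") or system["os"] == "Linux":
        return "server-weekly-rotation"
    return "laptop-local-service"


def probe(host):
    """Step 4 stand-in: a real probe would query SAM, LDAP or /etc/passwd over the network."""
    return PROBE_RESULTS.get(host, [])


def select_accounts(accounts):
    """Step 5: keep built-in admin and service accounts; skip people and protected builtins."""
    return [a for a in accounts
            if a not in LEAVE_ALONE and (a in PRIVILEGED_ACCOUNTS or a.startswith(SERVICE_PREFIX))]


def discover(inventory, workers=8):
    """Run the pipeline; returns {host: {"policy": ..., "accounts": [...]}} for managed hosts."""
    targets = [s for s in inventory if should_manage(s)]
    hosts = [s["host"] for s in targets]
    with ThreadPoolExecutor(max_workers=workers) as pool:  # step 4 fans out across hosts
        probed = dict(zip(hosts, pool.map(probe, hosts)))
    return {s["host"]: {"policy": choose_policy(s), "accounts": select_accounts(probed[s["host"]])}
            for s in targets}


if __name__ == "__main__":
    for host, plan in discover(INVENTORY).items():
        print(host, plan)
```

Keeping each rule in its own small function is the point: the exclusion list, the policy mapping and the account filter are the parts that change per organisation, while the probe fan-out stays the same.
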
Read More:

  • Features:
    Privileged Access Manager is a system for securing access to privileged accounts. It works by regularly randomizing privileged passwords on workstations, servers, network devices and applications. Random passwords are encrypted and stored on at least two replicated servers.
  • Business Case:
    Privileged Access Manager helps organizations secure access to privileged accounts by randomizing their passwords and forcing users to sign into Privileged Access Manager when they need privileged access. It automatically deactivates access for departed IT users and creates a forensic audit of login sessions to sensitive accounts.
  • Screen Shots:
    Snapshots of the Privileged Access Manager web interface.
  • Screen Recordings:
    Recordings of user interaction with Privileged Access Manager.
  • Concept Animations:
    Animated demonstrations illustrating user interaction with Privileged Access Manager and data flow between components on the network.
  • Slide Decks:
    Slide presentations that discuss privileged access management in general and Privileged Access Manager in particular.