Hitachi ID Privileged Access Manager secures privileged accounts with:
Privileged Access Manager is designed to change as many as 2,000,000 passwords per day to new, random values. This minimizes the window of opportunity that hackers and former users have to compromise systems and applications.
Privileged Access Manager stores randomized passwords in an encrypted and replicated vault. This protects against unauthorized access to passwords and against loss of access to data because of a hardware failure or physical disaster.
Privileged Access Manager ships with built-in integrations for over 120 systems and applications. That means that it can secure access to sensitive accounts on most servers, directories, network devices, databases and applications without customization.
Privileged Access Manager also ships with software that can be installed on laptops running Windows or Linux. This allows it to secure access to computers that are sometimes turned off, unplugged from the network, change IP addresses or physically removed from the premises.
Security officers set policy on Privileged Access Manager to control who can access which accounts. For example, Windows administrators can be granted access to local Administrator accounts, Unix administrators can be allowed to login as root, etc. The policy engine is very flexible, as it connects groups of administrators to named accounts on groups of systems.
Privileged Access Manager includes a powerful workflow engine that allows users to request one-time access to privileged accounts. Requests are subject to policy (who can ask, who must approve).
The workflow engine leverages e-mail to invite authorizers to act and a secure web form for approvals. Timely response is assured by inviting multiple authorizers, sending automated reminders, escalating requests from non-responsive authorizers to alternates and more.
Rather than displaying passwords to users, Privileged Access Manager can:
Where Privileged Access Manager launches a user's login session, it can be configured to record screen, keyboard and other data while users are connected to privileged accounts. The recording may be of just the window launched to connect a user to a privileged account or of the user's entire desktop.
The session recording system is tamper resistant -- if users attempt to interrupt recording, their login sessions to privileged accounts are disconnected and an alarm is raised.
Session recordings may be archived indefinitely and may serve a variety of purposes, ranging from knowledge sharing and training to forensic audits. Access to recorded sessions is secured through a combination of access control policies and workflow approvals, designed to safeguard user privacy.
The Privileged Access Manager session monitoring infrastructure is included at no extra cost. It works using ActiveX components and does not require software to be permanently installed on user PCs. There is no footprint on managed systems and no proxy servers are used.
Session monitoring is compatible with all administration programs and protocols, as it instruments the administrator's PC, rather than network traffic. Recordings can be made of SSH, RDP, vSphere, SQL Studio and any other administrative sessions launched via Privileged Access Manager. Recordings can include key-logging, video, webcam, copy buffer and more, based on policy settings and without regard to the type of session (protocol, client tool) that was launched.
In addition to managing access to administrator accounts, Privileged Access Manager can randomize passwords used to run services, scheduled jobs and other unattended processes on Windows computers. It can then notify the Windows Service Control Manager, Scheduler, IIS and other components of the new password, so that tasks can be successfully started in the future.
Privileged Access Manager exposes an API that allows one application to securely acquire a password that will then be used to connect to another application. This mechanism is used to eliminate plaintext passwords in application source code or text files.
Privileged Access Manager includes an advanced infrastructure auto-discovery system, designed to minimize both initial and ongoing configuration. This system can:
Privileged Access Manager includes a variety of built-in reports, that are used to answer questions such as: