Eliminate Shared Accounts and Passwords - Hitachi ID Privileged Access Manager

Many organizations have insecure processes for managing privileged accounts -- IDs and passwords on servers, workstations, applications and network devices with elevated privileges. Inappropriate disclosure of these passwords would lead to serious security compromise:

  • Hundreds or thousands of workstations and servers often share the same ID and password. If the password on one device is compromised, all of the devices that share the credential are compromised.
  • Where a password is used on many systems or needed by many people, it is difficult to coordinate password changes. As a result, passwords on privileged accounts are often left unchanged for months or years, creating an extended window of opportunity for an attacker.
  • Because privileged passwords are rarely changed, IT staff who leave an organization retain access to sensitive systems.
  • When many people know the password to a given account, it is impossible to reliably connect changes (or security compromises) to individual users.

Hitachi ID Privileged Access Manager is used to secure access to privileged accounts and other forms of privileged access to systems:

  • Frequent, scheduled password changes:

    Privileged Access Manager eliminates static, shared, well-known passwords by changing passwords to privileged accounts both on a frequent schedule and after every login session.

  • Unique passwords:

    Privileged Access Manager assigns unique (random) passwords to each account, on each system, at each password change event. This eliminates implicit trust relationships between systems.

  • Strong, personal authentication:

    Users cannot sign into systems protected by Privileged Access Manager directly. They must first sign into the Privileged Access Manager portal, which can enforce strong, multi-factor authentication before allowing users to proceed. Users can be required to use multi-factor authentication when accessing any system, including those which only natively support passwords.

  • Authorization policy:

    Privileged Access Manager enforces robust access controls, limiting which systems and accounts users can see, request and sign into. Access may be pre-authorized for immediate login -- suitable for frequent users; or subject to a request/approval workflow -- suitable for one-time access, for example by developers or during emergencies.

  • Operational and forensic audits:

    At a minimum, Privileged Access Manager records who requested each privileged access, who approved it (if it was not pre-authorized), whether the access was activated, by whom, when, from what network location and from what type of endpoint device. This creates accountability for access.

    Privileged Access Manager can also capture screen video, keystroke data, copy buffer contents and more from login sessions to privileged accounts. This forms a forensic audit trail of administrative activity.

  • Dynamic passwords for non-human users:

    Privileged Access Manager can replace embedded passwords in scripts and applications with secure API integration, which retrieves current password values, on demand, after verifying that the calling application is unchanged and running in the correct environment. This eliminates configuration files, registry entries and scripts with plaintext password values.

    Privileged Access Manager can also regularly change passwords on Windows service accounts (scheduler, SCM, IIS, etc.). This addresses the problem of static service passwords on sensitive infrastructure accounts.
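The following is an added illustration, not code from Hitachi ID or from Privileged Access Manager: a toy vault model showing the behaviour the list above describes (one random password per account on each system, rotation after every checkout session, and an audit record of who requested, who approved and when). All class and function names are assumptions made for this example.

```python
"""Illustrative model of privileged-account vault behaviour (not product code)."""
import secrets
import string
from datetime import datetime, timezone

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def new_password(length: int = 24) -> str:
    # Cryptographically random; each call yields an independent value, so no two
    # systems end up sharing a credential.
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class PrivilegedVault:
    def __init__(self):
        self.passwords = {}      # (system, account) -> current password
        self.audit = []          # one record per request / checkout / checkin
        self.checked_out = set()

    def enroll(self, system, account):
        # Every managed account on every system gets its own random password.
        self.passwords[(system, account)] = new_password()

    def _log(self, event, actor, system, account, approver=None):
        self.audit.append({
            "event": event, "actor": actor, "approver": approver,
            "system": system, "account": account,
            "time": datetime.now(timezone.utc).isoformat(),
        })

    def checkout(self, requester, system, account, approver=None, pre_authorized=False):
        # Frequent users may be pre-authorized; everyone else needs a named approver.
        if not pre_authorized and approver is None:
            raise PermissionError("access request requires approval")
        key = (system, account)
        if key in self.checked_out:
            raise RuntimeError("account already checked out")
        self.checked_out.add(key)
        self._log("checkout", requester, system, account, approver)
        return self.passwords[key]

    def checkin(self, requester, system, account):
        key = (system, account)
        self.checked_out.discard(key)
        # Rotate after every session so the disclosed value is worthless afterwards.
        self.passwords[key] = new_password()
        self._log("checkin", requester, system, account)
```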
