It can be difficult to securely manage access to thousands of privileged accounts. Consequently, in many organizations, the passwords to privileged accounts are:
There are serious consequences to these password management practices, including:
Hitachi ID Privileged Access Manager is used to secure access to privileged accounts and other forms of privileged access to systems:
Privileged Access Manager eliminates static, shared, well-known passwords by changing passwords to privileged accounts both on a frequent schedule and after every login session.
Privileged Access Manager assigns a unique, random password to each account on each system at every password change event. A password recovered from one system therefore cannot be replayed against another, which removes the implicit trust relationships that shared or pattern-derived passwords create between systems.
Users cannot sign into systems protected by Privileged Access Manager directly. They must first sign into the Privileged Access Manager portal, which can enforce strong, multi-factor authentication before allowing them to proceed. In this way multi-factor authentication can be required for access to any system, including those that natively support only passwords.
Privileged Access Manager enforces robust access controls, limiting which systems and accounts users can see, request and sign into. Access may be pre-authorized for immediate login, which suits frequent users, or subject to a request/approval workflow, which suits one-time access, for example by developers or during emergencies.
At a minimum, Privileged Access Manager records who requested each privileged access, who approved it (if it was not pre-authorized), whether the access was activated, by whom, when, from what network location and from what type of endpoint device. This creates accountability for access.
Privileged Access Manager can also capture screen video, keystroke data, clipboard contents and more from login sessions to privileged accounts. This forms a forensic audit trail of administrative activity. Because such recordings can themselves contain secrets and other sensitive data, access to them should be restricted and audited as tightly as access to the privileged accounts.
Privileged Access Manager can replace passwords embedded in scripts and applications with an API integration that retrieves the current password value on demand, after verifying that the calling application is unchanged and is running in the expected environment. This eliminates configuration files, registry entries and scripts containing plaintext passwords, and it means a password rotated by Privileged Access Manager is never stale in the application that uses it.
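The pattern described above, as an added example that is not Hitachi ID's code or API: a minimal credential broker that releases a stored password only when the calling application's SHA-256 fingerprint matches the one registered for it and the reported host and user match the registered environment. The broker design, the application identifier `backup`, the hostnames, the account names and the password value are all assumptions constructed for this illustration.

```python
"""
Added example (not Hitachi ID code): a credential broker that replaces a
plaintext password in a config file with an on-demand lookup, released only
to an unmodified caller running in the expected environment.  All names and
values below are constructed for the illustration.
"""
import hashlib
import hmac
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Registration:
    sha256: str     # fingerprint of the approved application file
    hostname: str   # host the application is allowed to run on
    username: str   # OS account the application is allowed to run as
    account: str    # privileged account whose password is brokered


class BrokerError(Exception):
    pass


class CredentialBroker:
    """Releases a password only to a registered, unmodified caller in the right place."""

    def __init__(self):
        self._registrations = {}   # app_id -> Registration
        self._vault = {}           # privileged account -> current password
        self.audit = []            # (app_id, outcome), one entry per request

    @staticmethod
    def fingerprint(path):
        with open(path, "rb") as f:
            return hashlib.sha256(f.read()).hexdigest()

    def register(self, app_id, path, hostname, username, account):
        self._registrations[app_id] = Registration(
            self.fingerprint(path), hostname, username, account)

    def set_password(self, account, password):
        # Called by the rotation job; callers never hold a static copy.
        self._vault[account] = password

    def fetch(self, app_id, caller_path, hostname, username):
        reg = self._registrations.get(app_id)
        if reg is None:
            return self._deny(app_id, "unknown application")
        # Constant-time compare of the current file hash with the registered one.
        if not hmac.compare_digest(self.fingerprint(caller_path), reg.sha256):
            return self._deny(app_id, "application has been modified")
        if (hostname, username) != (reg.hostname, reg.username):
            return self._deny(app_id, "wrong host or user")
        self.audit.append((app_id, "released"))
        return self._vault[reg.account]

    def _deny(self, app_id, reason):
        self.audit.append((app_id, reason))
        raise BrokerError(reason)


def _outcome(broker, *args):
    try:
        return broker.fetch(*args)
    except BrokerError as err:
        return str(err)


def demo():
    """Constructed scenario: a backup script that used to carry the password in a config file."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        script = os.path.join(tmp, "backup.py")
        with open(script, "w") as f:
            f.write("password = broker.fetch('backup', __file__, HOST, USER)\n")
        broker = CredentialBroker()
        broker.set_password("db-admin", "R4nd0m-rotated-value")
        broker.register("backup", script, "app01.example.net", "svc_backup", "db-admin")
        # 1. Legitimate request: same bytes, expected host and user.
        results["ok"] = _outcome(broker, "backup", script, "app01.example.net", "svc_backup")
        # 2. Same application, but run from an unexpected host.
        results["wrong_host"] = _outcome(broker, "backup", script, "laptop-17", "svc_backup")
        # 3. Someone appends a line that would leak the password: fingerprint no longer matches.
        with open(script, "a") as f:
            f.write("print(password)\n")
        results["modified"] = _outcome(broker, "backup", script, "app01.example.net", "svc_backup")
        results["audit"] = list(broker.audit)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

In a real deployment the broker must establish the caller's host and user itself (for example from a client certificate or a local agent) rather than accept them as self-reported request fields as this toy does, and the fingerprint should cover the interpreter and any libraries the application loads, not just its main file.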
Privileged Access Manager can also regularly change the passwords of Windows service accounts and update every place that stores them (Service Control Manager service definitions, Task Scheduler jobs, IIS application pools, etc.). This addresses the problem of static passwords on sensitive infrastructure accounts. Rotating the account without updating each consumer would leave services unable to start with the old credential, so the rotation must cover the directory and all consumers together.
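The orchestration that rotation of a service account requires, as an added example that is not Hitachi ID's code: the directory and the consumers (a Windows service, a scheduled task, an IIS application pool) are in-memory stand-ins constructed for the illustration, and the account and consumer names are assumptions. What the simulation shows is the ordering (directory first, then every consumer) and the rollback when one consumer cannot be updated, so that no consumer is left holding a password the directory no longer accepts.

```python
"""
Added example (not Hitachi ID code): simulated rotation of a Windows service
account's password across the directory and everything that stores it.
Directory and consumers are stand-ins constructed for this illustration.
"""
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=32):
    # A fresh random value per account per rotation, never derived from a pattern.
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class Directory:
    """Stand-in for Active Directory: account -> current password."""

    def __init__(self):
        self.passwords = {}

    def set_password(self, account, password):
        self.passwords[account] = password


class Consumer:
    """A place the account's password is stored: SCM service, Task Scheduler job, IIS app pool."""

    def __init__(self, kind, name, account, password, fail=False):
        self.kind, self.name, self.account = kind, name, account
        self.password = password
        self.fail = fail  # simulate an unreachable host or a failed management call

    def update(self, password):
        if self.fail:
            raise RuntimeError(f"{self.kind} {self.name}: update failed")
        self.password = password


def rotate(directory, account, consumers):
    """Rotate `account`: change it in the directory, then in every consumer of it.
    If any consumer fails, restore the previous password everywhere already changed."""
    old = directory.passwords[account]
    new = generate_password()
    directory.set_password(account, new)
    done = []
    try:
        for c in consumers:
            if c.account != account:   # other accounts are untouched
                continue
            c.update(new)
            done.append(c)
    except RuntimeError as err:
        directory.set_password(account, old)
        for c in done:
            c.update(old)
        return {"rotated": False, "error": str(err)}
    return {"rotated": True, "password": new}


def _consistent(directory, account, consumers):
    current = directory.passwords[account]
    return all(c.password == current for c in consumers if c.account == account)


def demo():
    """Constructed scenario: one account used by three consumers, plus an unrelated service."""
    account = r"CORP\svc_backup"
    d = Directory()
    initial = generate_password()
    d.set_password(account, initial)
    consumers = [
        Consumer("service", "BackupAgent", account, initial),
        Consumer("task", "NightlyExport", account, initial),
        Consumer("apppool", "ReportsPool", account, initial),
        Consumer("service", "Spooler", r"CORP\svc_other", "unrelated"),
    ]
    results = {}
    # 1. Normal rotation: directory and all three consumers move to the new value.
    results["first"] = rotate(d, account, consumers)
    results["changed"] = d.passwords[account] != initial
    results["consistent_after_first"] = _consistent(d, account, consumers)
    # 2. The scheduled-task update fails: everything rolls back to the current value.
    before = d.passwords[account]
    consumers[1].fail = True
    results["second"] = rotate(d, account, consumers)
    results["restored"] = d.passwords[account] == before
    results["consistent_after_rollback"] = _consistent(d, account, consumers)
    results["other_untouched"] = consumers[3].password == "unrelated"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Two points the simulation leaves out but a real rotation job must handle: a running Windows service keeps its existing logon token and only presents the stored password at the next start, so a consumer that was missed fails later rather than immediately; and consumers should be discovered from the systems themselves before each rotation rather than taken from a fixed list, since a service account acquires new consumers over time.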