Eliminate Shared Accounts and Passwords - Hitachi ID Privileged Access Manager

It can be difficult to securely manage access to thousands of privileged accounts. Consequently, in many organizations, the passwords to privileged accounts are:

  • known to many people, possibly including former staff,
  • often the same on many systems,
  • rarely if ever changed, and
  • stored in plaintext, by people and by applications.

There are serious consequences to these password management practices, including:

  • There is no accountability for use of shared, privileged accounts. This is both a security and regulatory compliance problem and an obstacle to diagnosing operational issues.
  • Former staff may retain sensitive access.
  • Attackers have an easier time compromising these dangerous accounts.
  • If one system is compromised (e.g., an IT user's PC or an application server), the attacker can leverage passwords stored or typed on that system to compromise additional systems.

Hitachi ID Privileged Access Manager is used to secure access to privileged accounts and other forms of privileged access to systems:

  • Frequent, scheduled password changes:

    Privileged Access Manager eliminates static, shared, well-known passwords by changing passwords to privileged accounts both on a frequent schedule and after every login session.

  • Unique passwords:

    Privileged Access Manager assigns unique (random) passwords to each account, on each system, at each password change event. This eliminates implicit trust relationships between systems.

  • Strong, personal authentication:

    Users cannot sign into systems protected by Privileged Access Manager directly. They must first sign into the Privileged Access Manager portal, which can enforce strong, multi-factor authentication before allowing users to proceed. Users can be required to use multi-factor authentication when accessing any system, including those which only natively support passwords.

  • Authorization policy:

    Privileged Access Manager enforces robust access controls, limiting which systems and accounts users can see, request and sign into. Access may be pre-authorized for immediate login, which suits frequent users, or subject to a request/approval workflow, which suits one-time access, for example by developers or during emergencies.

  • Operational and forensic audits:

    At a minimum, Privileged Access Manager records who requested each privileged access, who approved it (if it was not pre-authorized), whether the access was activated, by whom, when, from what network location and from what type of endpoint device. This creates accountability for access.

    Privileged Access Manager can also capture screen video, keystroke data, copy buffer contents and more from login sessions to privileged accounts. This forms a forensic audit trail of administrative activity.

  • Dynamic passwords for non-human users:

    Privileged Access Manager can replace embedded passwords in scripts and applications with secure API integration, which retrieves current password values, on demand, after verifying that the calling application is unchanged and running in the correct environment. This eliminates configuration files, registry entries and scripts with plaintext password values.

    Privileged Access Manager can also regularly change passwords on Windows service accounts (scheduler, SCM, IIS, etc.). This addresses the problem of static service passwords on sensitive infrastructure accounts.
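The following is an added illustration, not Hitachi ID code and not the product's actual API: a minimal credential broker that models the behaviour described above under unique passwords, frequent password changes, audit records and dynamic passwords for non-human users. The caller names, host names and the SHA-256 check on the calling application are assumptions made for this example.

```python
import hashlib
import secrets
import string
from dataclasses import dataclass

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def random_password(length: int = 24) -> str:
    """Unique, CSPRNG-generated value issued at every password change event."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass(frozen=True)
class ApprovedCaller:
    sha256: str               # digest of the application's code when it was approved
    allowed_hosts: frozenset  # hosts the application is allowed to run on (assumed check)


class CredentialBroker:
    """Illustrative broker: per-account random passwords, released only to verified callers."""

    def __init__(self) -> None:
        self._passwords: dict[tuple[str, str], str] = {}   # (system, account) -> current value
        self._callers: dict[str, ApprovedCaller] = {}
        self.audit: list[tuple[str, str, str, str]] = []   # (caller, host, system, account)

    def enroll_account(self, system: str, account: str) -> None:
        # Each account on each system gets its own value: no implicit trust between systems.
        self._passwords[(system, account)] = random_password()

    def approve_caller(self, name: str, code: bytes, hosts: set[str]) -> None:
        # Record what the approved application looks like and where it may run.
        self._callers[name] = ApprovedCaller(hashlib.sha256(code).hexdigest(), frozenset(hosts))

    def rotate(self, system: str, account: str) -> None:
        # Scheduled or post-session change; the old value is no longer valid anywhere.
        self._passwords[(system, account)] = random_password()

    def get_password(self, caller: str, code: bytes, host: str, system: str, account: str) -> str:
        # Release the current value only if the caller is unchanged and in its approved environment.
        approved = self._callers.get(caller)
        if approved is None:
            raise PermissionError(f"{caller}: not an approved application")
        if hashlib.sha256(code).hexdigest() != approved.sha256:
            raise PermissionError(f"{caller}: application code has changed since approval")
        if host not in approved.allowed_hosts:
            raise PermissionError(f"{caller}: host {host} is not an approved environment")
        self.audit.append((caller, host, system, account))   # accountability for each retrieval
        return self._passwords[(system, account)]
```

A script that previously carried a plaintext password in a configuration file would instead call `get_password` at run time, so a rotated value never has to be redeployed by hand.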
