
Eliminate Embedded Application Passwords - Hitachi ID Privileged Access Manager

Business Challenge

Applications often must connect to one another using a login ID and password. For example, a web application might have to sign into a database server.

Traditionally, applications keep these login IDs and passwords in plaintext, in source code or configuration files. This is insecure: the passwords are visible to anyone with read access to the filesystem, the source repository, or backup media.

Embedded passwords are also hard to change, since every change has to be made in at least two places: on the target system and in each application that uses the account. In practice they are therefore rarely rotated.

Hitachi ID Privileged Access Manager Solution
  • Privileged Access Manager can periodically randomize application passwords on back-end systems. Changes can be scheduled for quiet hours (e.g., 3 AM on Sunday mornings).
  • A Privileged Access Manager SOAP API allows applications written in any programming language, running on any platform, to fetch current password values at run time instead of reading them from a file.
  • Applications must authenticate themselves to Privileged Access Manager when retrieving passwords. This is done with a one-time password (OTP) that is replaced after each successful authentication, so an OTP that has already been used cannot be replayed.
  • Privileged Access Manager can also limit which IP address subnets applications may connect from. This acts as a second authentication factor: "what you know" (the OTP) plus "where you are" (the source IP). The IP check is only as strong as the surrounding network, and adds little on a shared or NAT-ed subnet, so it complements the OTP rather than replacing it.

Using Privileged Access Manager, static, embedded passwords are replaced with dynamic passwords, retrieved securely by applications when needed.
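The following is an added illustration of the scheme described above, not Hitachi ID's own code and not its SOAP API: a hypothetical in-process vault server (`VaultServer`) that randomizes a back-end password, checks a per-application OTP and a source-subnet allow-list, and rotates the OTP on every successful checkout, together with an application client (`AppClient`) that keeps only the current OTP on disk and never stores the back-end password. The class and method names, the JSON OTP file, and the sample subnet `10.1.2.0/24` are all assumptions made for the example. It also shows two details a practitioner has to get right on the client side: the next OTP must be persisted (write-then-rename) before the password is used, and a rejected request must not consume the OTP, so that failed attempts cannot desynchronise the application from the vault.

```python
"""Simulation of an application fetching a vault-managed password with a
rotating one-time password and a source-subnet check.

Hypothetical example code; the server, client and file layout are assumptions
and do not reproduce the Hitachi ID Privileged Access Manager SOAP API."""
import ipaddress
import json
import os
import secrets
import shutil
import tempfile


class VaultServer:
    """Stand-in for the vault: rotates back-end passwords, holds one OTP per
    registered application and an allow-list of source subnets."""

    def __init__(self):
        self.passwords = {}   # (system, account) -> current password
        self.apps = {}        # app_id -> {"otp": str, "subnets": [ip_network]}

    def register_app(self, app_id, subnets):
        """Enrol an application; returns its initial OTP (delivered out of band)."""
        otp = secrets.token_hex(16)
        self.apps[app_id] = {"otp": otp,
                             "subnets": [ipaddress.ip_network(s) for s in subnets]}
        return otp

    def randomize_password(self, system, account):
        """Scheduled job: set a fresh random password on the back-end account."""
        self.passwords[(system, account)] = secrets.token_urlsafe(24)
        return self.passwords[(system, account)]

    def checkout(self, app_id, otp, source_ip, system, account):
        """Return the current password plus the next OTP, or None on any failure.
        The OTP is consumed only on success, so a rejected request (wrong
        subnet, unknown account) leaves the client's stored OTP valid."""
        app = self.apps.get(app_id)
        if app is None or not secrets.compare_digest(app["otp"], otp):
            return None
        ip = ipaddress.ip_address(source_ip)
        if not any(ip in net for net in app["subnets"]):
            return None
        if (system, account) not in self.passwords:
            return None
        new_otp = secrets.token_hex(16)
        app["otp"] = new_otp          # rotate: the OTP just presented is now dead
        return {"password": self.passwords[(system, account)], "next_otp": new_otp}


class AppClient:
    """Application side: the only secret on disk is the current OTP."""

    def __init__(self, server, app_id, otp_path, source_ip):
        self.server, self.app_id = server, app_id
        self.otp_path, self.source_ip = otp_path, source_ip

    def _load_otp(self):
        with open(self.otp_path) as f:
            return json.load(f)["otp"]

    def _store_otp(self, otp):
        # Write-then-rename: a crash never leaves a half-written OTP file.
        tmp = self.otp_path + ".tmp"
        with open(tmp, "w") as f:
            json.dump({"otp": otp}, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.otp_path)

    def get_password(self, system, account):
        resp = self.server.checkout(self.app_id, self._load_otp(),
                                    self.source_ip, system, account)
        if resp is None:
            raise PermissionError("vault rejected checkout")
        # Persist the next OTP before handing out the password: the vault has
        # already retired the old one, so the only unrecoverable window is
        # a crash inside this write (recovery then needs a re-enrolment).
        self._store_otp(resp["next_otp"])
        return resp["password"]


def run_demo():
    """Enrolment, two checkouts across a rotation, an OTP replay and a wrong
    subnet; returns the outcomes so they can be checked."""
    server = VaultServer()
    server.randomize_password("db01", "webapp")
    initial_otp = server.register_app("webapp-prod", ["10.1.2.0/24"])   # constructed sample data

    workdir = tempfile.mkdtemp()
    otp_path = os.path.join(workdir, "otp.json")
    with open(otp_path, "w") as f:
        json.dump({"otp": initial_otp}, f)            # initial OTP provisioned out of band

    client = AppClient(server, "webapp-prod", otp_path, "10.1.2.15")
    first = client.get_password("db01", "webapp")
    server.randomize_password("db01", "webapp")       # the scheduled 3 AM rotation
    second = client.get_password("db01", "webapp")

    replay = server.checkout("webapp-prod", initial_otp, "10.1.2.15", "db01", "webapp")
    wrong_subnet = server.checkout("webapp-prod", client._load_otp(), "192.168.7.9",
                                   "db01", "webapp")
    after_failures = client.get_password("db01", "webapp")
    shutil.rmtree(workdir, ignore_errors=True)

    return {
        "rotation_changed_password": first != second,
        "second_is_current": second == server.passwords[("db01", "webapp")],
        "replay_rejected": replay is None,
        "wrong_subnet_rejected": wrong_subnet is None,
        "otp_resynced_after_failures": after_failures == second,
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=1))
```

Note that the application still holds one secret, its current OTP, and the file holding it needs the same filesystem protection a password file would; the gain is that the back-end password is no longer static, no longer present in source or configuration, and can be rotated on the vault's schedule without touching the application.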
