Applications often must connect to one another using a login ID and
password. For example, a web application might
have to sign into a database server.
Traditionally, applications keep login IDs and passwords in
plaintext, in source code or configuration files.
This is insecure, as the passwords are visible to anyone with read access
to the application's filesystem or to its backup media.
Embedded passwords are also hard to change, since they have to be
modified in at least two places.
- Privileged Access Manager can periodically randomize application passwords
on back-end systems. Changes can
be scheduled for slow hours (e.g., 3AM on Sunday mornings).
- A Privileged Access Manager SOAP API allows applications written in any
programming language, running on any platform, to fetch current
- Applications must authenticate themselves to Privileged Access Manager when
retrieving passwords. This is done using a one-time password (OTP),
which changes after each successful authentication.
- Privileged Access Manager can also limit which IP address subnets applications
may connect from. This acts as a second authentication factor --
i.e., ``what you know -- the OTP'' plus ``where you are -- the IP.''
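As an added illustration, not code from Privileged Access Manager or its vendor, the following self-contained Python model shows the fetch protocol the points above describe: the application authenticates with a one-time password that is consumed and replaced on every successful fetch, and the source IP subnet acts as the second factor. All class and method names, the subnet and the sample passwords are assumptions; the product's real SOAP API is not reproduced.

```python
# Added example (not Privileged Access Manager code): in-memory model of the
# fetch protocol described above. All names and values are hypothetical.
import ipaddress
import secrets


class CredentialVault:
    """Stand-in for the server side that holds the managed passwords."""

    def __init__(self):
        self._app_otp = {}      # app_id -> currently valid one-time password
        self._app_subnets = {}  # app_id -> permitted source subnets
        self._managed = {}      # (app_id, account) -> current managed password

    def register_app(self, app_id, subnets):
        self._app_subnets[app_id] = [ipaddress.ip_network(s) for s in subnets]
        self._app_otp[app_id] = secrets.token_hex(16)
        return self._app_otp[app_id]  # bootstrap OTP, handed to the app once

    def set_managed_password(self, app_id, account, password):
        self._managed[(app_id, account)] = password

    def randomize(self, app_id, account):
        """Scheduled rotation on the back-end system; the app is not involved."""
        self._managed[(app_id, account)] = secrets.token_urlsafe(24)

    def fetch(self, app_id, otp, source_ip, account):
        """Both factors must pass; only then is the OTP consumed and replaced."""
        ip = ipaddress.ip_address(source_ip)
        if not any(ip in net for net in self._app_subnets.get(app_id, [])):
            raise PermissionError("source IP outside the permitted subnets")
        if not secrets.compare_digest(otp, self._app_otp.get(app_id, "")):
            raise PermissionError("invalid or already-used one-time password")
        next_otp = secrets.token_hex(16)
        self._app_otp[app_id] = next_otp  # the old OTP is useless if replayed
        return self._managed[(app_id, account)], next_otp


class AppClient:
    """Application side: stores only the current OTP, never the password."""

    def __init__(self, vault, app_id, bootstrap_otp, source_ip):
        self.vault, self.app_id = vault, app_id
        self.otp, self.ip = bootstrap_otp, source_ip

    def db_password(self, account):
        # Each call spends the current OTP and keeps the replacement for next time.
        password, self.otp = self.vault.fetch(self.app_id, self.otp, self.ip, account)
        return password
```

Because the application keeps only the rotating OTP, a copy of its configuration taken from disk or backup media is useless once the next legitimate fetch has occurred, which is the property the static embedded password lacks.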
Using Privileged Access Manager, static, embedded passwords are replaced
with dynamic passwords, retrieved securely by applications