Hitachi ID Privileged Access Manager network architecture
High-Availability Password Storage
Once deployed, Hitachi ID Privileged Access Manager becomes an essential part of an organization's IT infrastructure, since it alone has access to privileged passwords for thousands of networked devices. An interruption to the availability of Privileged Access Manager or its password vault would mean that administrative access to a range of devices is interrupted -- a major IT service disruption.
Since servers occasionally break down, Privileged Access Manager supports load balancing and data replication between multiple physical servers and multiple password vaults. Any updates written to one database instance are automatically replicated, in real time, over an encrypted communication path, to all other Privileged Access Manager servers and all other password vaults.
In short, Privileged Access Manager incorporates a highly available, replicated, multi-master architecture for both the application and the password vault.
To provide out-of-the-box data replication, Privileged Access Manager includes a database service that replicates updates across multiple database instances. This service can be configured to use either Oracle or Microsoft SQL Server databases for physical storage. Hitachi ID Systems recommends one physical database per Privileged Access Manager server, normally on the same hardware as the Privileged Access Manager application.
The Privileged Access Manager data replication system makes it both simple and advisable for organizations to build a highly-available Privileged Access Manager server cluster, spanning multiple servers, with each server placed in a different data center. Replication traffic is encrypted, authenticated, bandwidth-efficient and tolerant of latency, making it suitable for deployment over a WAN.
This multi-site, multi-master replication is configured at no additional cost, beyond that of the hardware for additional Privileged Access Manager servers, and with minimal manual configuration.
Privileged Access Manager Network Architecture Diagram (1)
Scaling to Support Thousands of Workstations
To secure privileged accounts on mobile workstations (typically laptops), Privileged Access Manager includes a service that installs on the relevant PCs and contacts a central server to coordinate local password changes.
This architecture has several important advantages:
- The workstation service uses only HTTPS to communicate with the central server and works even when the workstation is connected behind NAT devices, firewalls or application proxies.
- The workstation service does not randomize passwords unless it has established connectivity with the central privileged access management server. This avoids a situation where the central server does not know the new password value for a workstation.
- Dynamic IP addresses have no impact on this architecture.
- Physical relocation and long periods of detached network connectivity may delay updates to local passwords, but do not introduce a failure whereby the local administrator passwords on a workstation are unknown.
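The second and fourth points above describe an ordering rule: the workstation service must get the candidate password accepted by the central server before it applies that value locally, and it must simply skip the rotation when the server cannot be reached. The following Python is an added example that is not Hitachi ID code; it models that commit-before-rotate ordering with an in-memory stand-in for the vault (`CentralVault`), a stand-in for the local administrator account (`LocalAccount`), and a `rotate()` function, all constructed for illustration. The two-step `stage()`/`confirm()` split in the vault stand-in is an assumption of this example, added so that the vault still knows both possible values if confirmation is lost after the local change; the page does not describe how the product handles that case.

```python
"""Commit-before-rotate ordering for a workstation password service.

Added example, not Hitachi ID code. The vault and the local account are
in-memory stand-ins (constructed) for the HTTPS call to the central server
and for the workstation's local credential store.
"""
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def generate_password(length: int = 24) -> str:
    """Random password from the OS CSPRNG (secrets), never from random()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class VaultUnreachable(Exception):
    """Raised when the call to the central server cannot complete."""


class CentralVault:
    """Stand-in for the central server's password vault (constructed).

    For each (host, account) it keeps the last confirmed value and, while a
    rotation is in flight, the pending candidate, so no value is ever unknown.
    The stage/confirm split is this example's assumption, not the product's API.
    """

    def __init__(self, reachable: bool = True) -> None:
        self.reachable = reachable
        self.confirmed: dict[tuple[str, str], str] = {}
        self.pending: dict[tuple[str, str], str] = {}

    def stage(self, host: str, account: str, candidate: str) -> None:
        """Record a candidate before the workstation uses it."""
        if not self.reachable:
            raise VaultUnreachable(f"{host}: central server not reachable")
        self.pending[(host, account)] = candidate

    def confirm(self, host: str, account: str) -> None:
        """Promote the pending candidate once the workstation has applied it."""
        if not self.reachable:
            raise VaultUnreachable(f"{host}: central server not reachable")
        key = (host, account)
        self.confirmed[key] = self.pending.pop(key)

    def known_values(self, host: str, account: str) -> list[str]:
        """Every value that might currently be set on the workstation."""
        key = (host, account)
        return [v for v in (self.confirmed.get(key), self.pending.get(key)) if v]


class LocalAccount:
    """Stand-in for the workstation's local administrator account (constructed)."""

    def __init__(self, password: str) -> None:
        self.password = password

    def set_password(self, new_password: str) -> None:
        self.password = new_password


def rotate(vault: CentralVault, host: str, account: str, local: LocalAccount) -> str:
    """Commit-before-rotate: the vault learns the candidate before the
    workstation uses it. Returns "skipped", "applied-unconfirmed" or "rotated"."""
    candidate = generate_password()
    try:
        vault.stage(host, account, candidate)
    except VaultUnreachable:
        # No connectivity: leave the local password alone rather than create
        # a value the central server has never seen. Rotation is merely delayed.
        return "skipped"
    local.set_password(candidate)
    try:
        vault.confirm(host, account)
    except VaultUnreachable:
        # Applied locally but confirmation lost: the candidate is still in
        # `pending`, so the vault can present both values to an operator.
        return "applied-unconfirmed"
    return "rotated"


if __name__ == "__main__":
    vault = CentralVault(reachable=False)
    admin = LocalAccount("initial-constructed-value")
    print(rotate(vault, "laptop-01", "Administrator", admin))  # skipped
    vault.reachable = True
    print(rotate(vault, "laptop-01", "Administrator", admin))  # rotated
    print(vault.known_values("laptop-01", "Administrator") == [admin.password])
```

The property that matters is checked by `known_values()`: after any outcome of `rotate()`, the password actually set on the workstation is one of the values the vault holds, which is exactly the failure the page says the design rules out.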
Privileged Access Manager is a component of Hitachi ID Management Suite. The following architectural description applies to the entire Hitachi ID Management Suite:
Privileged Access Manager is designed for:
- Security:
Privileged Access Manager is installed on hardened servers. All sensitive data is encrypted in storage and transit. Strong authentication and access controls protect business processes.
- Scalability:
Multiple Privileged Access Manager servers can be installed, using a built-in data replication facility. Workload can be distributed using any load-balancing technology (IP, DNS, etc.). The end result is a multi-master, distributed architecture that is very easy to set up, as replication is handled at the application layer.
- Performance:
Privileged Access Manager uses a normalized, relational and indexed database back end. All access to the database is via stored procedures, which help to minimize communication overhead between the application and database. All Privileged Access Manager code is native code, which provides a 2x to 10x performance advantage as compared to Java or .NET.
- Openness:
Open standards are used for inbound integration (SOAP) and outbound communications (SOAP, SMTP, HTTP, etc.).
- Flexibility:
Both the Privileged Access Manager user interface and all functionality can be customized to meet enterprise requirements.
- Low TCO:
Privileged Access Manager is easy to set up and requires minimal ongoing administration.
Figure [link] illustrates the Privileged Access Manager network architecture:
Network architecture diagram (2)
- Users normally access Privileged Access Manager using HTTPS from a web browser.
- Multiple Privileged Access Manager servers may be load balanced using either an IP-level device (e.g., Cisco Local Director, F5 Big/IP) or simply using DNS round-robin distribution.
- Native password changes on some systems may trigger transparent password synchronization. A password change interceptor DLL, library or exit may capture such changes and initiate transparent password synchronization.
- Users may call an IVR system with a telephone and be authenticated either using touch-tone input of personal information or using a voice print. Authenticated users may initiate a password reset.
- Privileged Access Manager connects to most target systems using their native APIs and protocols and thus requires no software to be installed locally on those systems.
- Local agents are provided and recommended for Unix servers and z/OS mainframes. Use of these agents improves transaction security, speed and concurrency.
- A local agent is mandatory on older RSA SecurID servers (version 7.x and later exposes a remote API).
- Where target systems are remote and communication with them is slow, insecure or both, a Privileged Access Manager proxy server may be co-located with the target system in the remote location. In this case, servers in the main Privileged Access Manager server cluster initiate fast, secure connections to the remote proxies, which decode these transactions and forward them to target systems locally, using native, slow and/or insecure protocols.
- Privileged Access Manager can look up and update user profile data in an existing system, including HR databases (ODBC), directories (LDAP) and meta-directories (e.g., WMI to Microsoft ILM).
- Privileged Access Manager can send e-mails to users asking them to register or to notify them of events impacting their profiles. Over 189 events can trigger e-mail notification.
- Privileged Access Manager can create tickets on most common incident management systems, either recording completed activity or requesting assistance (security events, user service follow-up, etc.). Over 189 events can trigger ticket generation. Binary integrations are available for 16 help desk applications and open integration is possible using mail, ODBC, SQL and web services.