Hitachi ID Privileged Access Manager secures sensitive passwords by periodically setting them to new, random values:
- On systems integrated via "push mode:"
Note that "push mode" normally means that no software is deployed to the
managed endpoint system.
- Periodically -- for example, every night between 3AM and 4AM.
- When users check accounts back in, after they are finished using them.
- When users request a specific password value.
- In the event of an urgent termination of a system administrator (randomize
all passwords that person may have known).
- On systems integrated via "pull mode:"
Note that "pull mode" implies a local agent on the managed endpoint
system. This approach is useful on laptops, on rapidly
provisioned/deprovisioned VMs in a cloud environment and in some
isolated network segments.
- Periodically -- for example, every day.
- At a random time-of-day, to even out workload on the Privileged Access Manager service.
- Opportunistically, whenever network connectivity happens to be
available from the managed endpoint to the central privileged access system.