Managing privileged passwords, including local administrator, service account and embedded application passwords, is a challenge in most organizations. There are often too many passwords, distributed across too many devices, with too many inter-dependencies. As a result, privileged passwords are often static, simple and well-known.

IT staff often still know privileged passwords long after they have left the organization, and static service and application passwords give attackers long windows in which to compromise them.

These security problems may violate regulatory requirements for privacy protection or transparent corporate governance.

Privileged access management systems secure access to administrator and other accounts with elevated privileges on systems and applications. This is typically done through a combination of:

  • Discovering systems and applications where privileged accounts exist.
  • Extracting a list of accounts from each system.
  • Applying policy to determine which accounts to manage.
  • Periodically randomizing passwords to these accounts.
  • Storing these random passwords in a secure credential vault.
  • Authenticating users who need to access these accounts.
  • Applying access control policy to determine which users are allowed access to which privileged accounts.
  • Providing one or more access disclosure mechanisms to connect approved users to privileged accounts.
  • Controlling how many users may concurrently sign into the same privileged account.
  • Logging and reporting on this access.
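The steps above fit together as one check-out lifecycle. The following Python model is an added illustration, not code from the original page or from Hitachi ID: a management policy filters discovered accounts, every managed password is randomized into a vault and re-randomized on check-in, an access policy plus a concurrency limit gate disclosure, and each decision is logged. User authentication, encryption of the vault at rest, and the connector that actually sets the new password on the target system are assumed to exist outside this toy.

```python
import secrets
import time

class PrivilegedAccountVault:
    def __init__(self, manage_policy, access_policy, max_concurrent=1):
        self.manage_policy = manage_policy    # account -> bool: bring it under management?
        self.access_policy = access_policy    # (user, account) -> bool: may this user see it?
        self.max_concurrent = max_concurrent  # simultaneous check-outs allowed per account
        self._vault = {}       # account -> current password (plaintext in this toy; real vaults encrypt at rest)
        self._checkouts = {}   # account -> set of users currently holding it
        self.audit_log = []    # every rotate / checkout / checkin / denial is recorded here

    def _log(self, event, account, user=None):
        self.audit_log.append({"ts": time.time(), "event": event, "account": account, "user": user})

    def onboard(self, discovered):
        # Policy decides which discovered accounts to manage; each one is rotated immediately
        managed = [a for a in discovered if self.manage_policy(a)]
        for account in managed:
            self.rotate(account)
        return managed

    def rotate(self, account):
        # A real connector would set the new password on the target system first, then vault it
        self._vault[account] = secrets.token_urlsafe(24)  # 32-char CSPRNG password nobody needs to type
        self._log("rotate", account)

    def checkout(self, account, user):
        # Disclose the password only to an authorized user and only within the concurrency limit
        if account not in self._vault or not self.access_policy(user, account):
            self._log("denied_policy", account, user)
            return None
        holders = self._checkouts.setdefault(account, set())
        if user not in holders and len(holders) >= self.max_concurrent:
            self._log("denied_concurrency", account, user)
            return None
        holders.add(user)
        self._log("checkout", account, user)
        return self._vault[account]

    def checkin(self, account, user):
        # Releasing the account triggers a rotation, so the disclosed password stops working
        self._checkouts.get(account, set()).discard(user)
        self._log("checkin", account, user)
        self.rotate(account)
```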

Hitachi ID Privileged Access Manager secures privileged access across the enterprise:

  • Discovers and classifies privileged accounts and security groups.
  • Randomizes passwords and stores them in an encrypted, replicated vault.
  • Requires strong authentication before granting access.
  • Enforces pre-authorized and one-time access policies to grant temporary access to privileged accounts and security groups.
  • Launches login sessions automatically, through browser extensions and temporary SSH trust.
  • Eliminates static embedded and service account passwords.
  • Logs access requests and sessions, including video capture and key-logging.
