Previous PDF

swipe to navigate

Privileged password storage must be:

  1. Encrypted.
  2. Replicated.
Replication must:
  1. Span at least two sites.
  2. Include all passwords.
  3. Happen in real time.
  4. Be inexpensive and easy to manage.
The replication protocol must:
  1. Be encrypted.
  2. Tolerate low bandwidth.
  3. Tolerate high packet latency.
  4. Recover from network interruptions.
Native replication features in Oracle and Microsoft databases do not meet all of the above conditions, so application-level replication is preferable. Hitachi ID Privileged Access Manager includes appropriate replication technology out of the box.

Background: Securing Privileged Accounts

Consider an organization which operates 1000 servers and where there are 5 administrator-level accounts on each server. To secure these, a privileged access management system may choose a new, random password for each of the 5000 accounts daily. This process improves security by:

  1. Ensuring that users only know the sensitive passwords they need to do their jobs.
  2. Compromise of a single password / login ID / system does not lead to compromise of any other systems.
  3. Limiting the time period during which a user has administrative access.

In other words, randomizing privileged passwords daily supports basic security principles:

  1. Authentication:
    Users who need access to a privileged account must first authenticate themselves, before connecting to the application or server in question.
  2. Authorization:
    The privileged access management system has an opportunity to apply access control rules and/or approval processes before connecting the session.
  3. Accountability:
    All sessions are logged, making IT users accountable for changes made on systems to which they had privileged access.

Previous PDF

Comment via LinkedIn