Hitachi ID Privileged Access Manager secures privileged access with:
- Strong authentication, authorization:
Privileged Access Manager integrates with corporate directories to identify users. It can either leverage existing 2FA solutions, such as tokens or smart cards, or introduce its own 2FA, via a smart-phone app.
- Temporary access to accounts and groups:
Users may request access to shared or personal administrator accounts or membership in security groups. Access may be pre-authorized or require approval using the included workflow. Access rules are normally based on membership in groups on the corporate directory.
- Password randomization and vaulting:
Privileged Access Manager can randomize up to 2 million passwords daily. These are stored in an encrypted, replicated vault that protects against data loss and service interruption.
- Access, rather than password disclosure:
While Privileged Access Manager can disclose passwords, it more commonly connects authorized users to login sessions. These can be established directly from the user's PC, or via two kinds of proxy ("jump") servers -- VDI or HTML5. Any kind of administrator program can be launched with these mechanisms.
- Many included connectors:
Privileged Access Manager can secure access to sensitive accounts on most servers, directories, network devices, databases and applications.
- Discovery and analysis of SSH trust:
Privileged Access Manager discovers SSH trust relationships and analyzes this graph when granting access. It can grant access on Unix/Linux systems by creating temporary trust relationships.
- Support for local accounts on mobile PCs:
Privileged Access Manager uses a local agent to secure access to PCs that are sometimes turned off, unplugged from the network, change IP addresses or taken off-site.
- Session recording:
When Privileged Access Manager is configured to launch login sessions and inject vaulted passwords, it can also record user activity. Video capture, keylogging, copy buffer integration and more support detailed forensic audits.
- Windows service account password changes:
Privileged Access Manager can randomize Windows service account passwords. It notifies the Service Control Manager, Scheduler, IIS and other OS components of the new password, to ensure uninterrupted service after each password change.
- A secure API to replace static, embedded passwords:
Privileged Access Manager provides an API that allows one application to securely acquire a password that will then be used to connect to another. This eliminates plaintext passwords in source code or configuration files.
- Auto-discovery of systems and accounts:
Privileged Access Manager can automatically discover systems, lookup appropriate credentials, connect to them and scan for accounts, groups and services. Discovered systems and accounts are automatically assigned to policies based on import rules.
- Analytics and dashboards:
Privileged Access Manager includes a variety of built-in reports and dashboards, to monitor the behaviour of individual users, access to systems and load on the system as a whole. A risk model identifies unusual patterns -- high risk or out-of-pattern behaviour and can trigger additional approvals or trigger post-facto reviews.