Applications often connect to other applications, using a login ID and password. The most common example is web applications that connect to database services.
Applications need to store passwords to back end systems -- often in plaintext configuration files or registry entries or XML configuration files. This means that anyone with rights to the filesystem where a password is stored can usually also access the service to which the password connects.
Changing embedded passwords can be difficult to coordinate, as they always appear in at least two places -- the back end service and the script or application that needs to use them. If a script or application runs on hundreds of systems, then the new back end password must be distributed to hundreds of systems.
Hitachi ID Privileged Access Manager Solution
- Privileged Access Manager can periodically randomize embedded account passwords on back-end systems. Changes can be scheduled for off-peak hours (e.g., 3AM on Sunday mornings).
- An Privileged Access Manager API allows applications written in any programming language, running on any platform to fetch current password values.
- Applications must authenticate themselves to Privileged Access Manager when
retrieving passwords. This works as follows:
- Each login by the application to the API uses a unique password, which is replaced at successful login time with a new, randomly generated password.
- A client-side library fingerprints the application, using hashes of the runtime environment, application, command-line, configuration files and more to generate an encryption key, which in turn protects the one-time password (above) and cached passwords retrieved from the vault.
- Locally cached, encrypted passwords make for a highly available, scalable solution.
- A simple API makes integration into existing scripts and applications easy.
- Application and runtime fingerprinting means that any changes to the application require re-authorization before back-end passwords become available once again. This blocks someone with OS or filesystem privileges from gaining unauthorized access to a back end system.
Privileged Access Manager can eliminate static, embedded passwords and replace them with authorization for specific configurations to access back end systems, securely and at scale.