There are three main types of privileged accounts -- administrator, service and application-to-application accounts. All of them have higher security rights than the login IDs of regular users, however.
As the scope of an organization's IT assets grows, it can become increasingly difficult to securely manage them:
- There may be thousands of privileged accounts.
- High privilege accounts need to be secured on a wide variety of platforms.
- It is difficult to coordinate password changes and access to shared accounts.
- Former IT staff can retain sensitive access after leaving an organization.
- It can be difficult to trace changes back to individuals who made them.
A privileged access management system controls access to login accounts that have elevated security rights. It typically controls access to administrator IDs, service accounts and accounts used by one system to sign into another.
Privileged access management systems typically randomize the passwords of sensitive accounts, store current passwords in an encrypted vault, connect authorized people and programs to privileged accounts and audit this activity.
A privileged access management system usually does not create privileged accounts, since that is usually a side effect of installing the system on which they exist. Similarly, these IDs are normally removed when a system is uninstalled. Instead, privileged access management systems secure access to these accounts by strongly authenticating users, authorizing their access and granting access only temporarily and with strong audit records, up to and including video capture and key-logging.
Hitachi ID Privileged Access Manager secures privileged access across the enterprise:
- Discovers and classifies privileged accounts and security groups.
- Randomizes passwords and stores them in an encrypted, replicated vault.
- Requires strong authentication before granting access.
- Enforces pre-authorized and one-time access policy, to grant temporary access to privileged accounts and security groups.
- Launches login sessions automatically, through browser extensions and temporary SSH trust.
- Eliminates static embedded and service account passwords.
- Logs access requests and sessions, including video capture and key-logging.