Hitachi ID Privileged Access Manager Features at a Glance



Privileged Access Manager is a system for securing privileged passwords across many servers and workstations. It periodically randomizes them, stores the resulting values in a replicated database and - when appropriate - discloses passwords to administrators, applications and services.


FEATURE: Infrastructure auto-discovery

Description: Privileged Access Manager periodically extracts a list of systems from a directory such as AD or from a source such as an IT inventory database. It then applies rules to decide which of these systems to manage. Managed systems are probed to find accounts, groups and services on each one. Rules determine which of these accounts should be controlled by Privileged Access Manager. This process is normally run every 24 hours.

Benefit: Auto-discovery is essential for deploying Privileged Access Manager in medium to large organizations, where there may be thousands of systems with accounts to secure and where hundreds of systems may be added, moved or retired daily.

FEATURE: Randomize passwords on privileged accounts

Description: Privileged Access Manager periodically randomizes passwords on every privileged account within its scope of authority. This is normally done daily.

Benefit: Frequent password changes eliminate the possibility of password sharing or of access being retained by administrators after work is completed. Former IT staff lose access automatically.

FEATURE: Encrypted, replicated credential vault

Description: Randomized passwords are encrypted and stored in a database. The database is replicated between at least two servers, installed in at least two physical locations.

Benefit: Encryption and replication protect against inappropriate disclosure of sensitive passwords or loss of access to privileged accounts, even in the event of media theft, server crash or physical disaster at a data center.

FEATURE: Access control policies

Description: IT users sign into Privileged Access Manager to request access to privileged accounts. These requests are subject to access control rules, typically associating groups of users with groups of managed systems. Requests may also carry other data, such as incident numbers, which can be validated before access is granted.

Benefit: Policies allow IT security to control who can sign into each system.

© 2014 Hitachi ID Systems, Inc. All rights reserved.


FEATURE: One-time access request workflow

Description: Users without pre-approved login rights can nonetheless request access to privileged accounts. These requests are subjected to a workflow authorization process which may involve one or more approvers and which supports reminders, escalation, delegation, approval by multiple people and more.

Benefit: Workflow approvals support a range of business processes, including production migration, a flexible workforce and emergency access.

FEATURE: Single sign-on and other access disclosure methods

Description: Privileged Access Manager does not normally display passwords to privileged accounts from its vault. Instead, it may launch a login session automatically and inject credentials, or temporarily place a user’s AD domain account into a security group or create a temporary SSH trust relationship.

Benefit: Users benefit from single sign-on to privileged accounts, while security is enhanced by avoiding password display and even knowledge of passwords by administrators.

FEATURE: Audit logs and reports

Description: Privileged Access Manager records every attempted, authorized and completed login to a privileged account. E-mail notifications, incident management integration and built-in reports create accountability for access to privileged accounts.

Benefit: Accountability motivates users to act appropriately and creates a forensic audit trail.

FEATURE: Session recording and forensic audits

Description: Privileged Access Manager can deploy an ActiveX control to an authorized user’s desktop to record login sessions to managed systems. These recordings include screen capture, web cam video, keyboard events and more. Recordings are archived indefinitely and can be searched and played back, subject to access controls and workflow approvals.

Benefit: Session recording is useful both for knowledge sharing and forensic audits.


FEATURE: Integration with Windows service accounts

Description: Privileged Access Manager can periodically change the passwords on Windows service accounts. It then notifies Windows OS components including SCM, IIS, Scheduler and DCOM of the new password values.

Benefit: This feature eliminates static passwords on Windows services, which often run with significant privileges.

FEATURE: API to eliminate embedded application passwords

Description: Privileged Access Manager can frequently scramble and vault the passwords on accounts used by one application to connect to another. Applications can then be modified to call the Privileged Access Manager API to fetch current password values, eliminating passwords stored in scripts and configuration files.

Benefit: Plaintext passwords stored in scripts and configuration files are a major security risk. Eliminating them significantly improves the security posture of an organization.
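To show what the "fetch at run time" pattern above involves in practice, here is an added example that is not Hitachi ID code and does not use its API: a constructed vault and target stand in for Privileged Access Manager and the remote system, and the application refetches after an authentication failure because a frequently rotated password can go stale between calls.

```python
"""Added example, not Hitachi ID code: an application fetches its
service-account password from a vault at run time instead of a config file
and copes with the vault rotating it often. SimulatedTarget and
SimulatedVault are constructed stand-ins, not the real API."""
import secrets

# Hardened configuration: connection details only, no password field.
APP_CONFIG = {"db_host": "db.example.internal", "db_account": "app_svc"}


class SimulatedTarget:
    """Constructed stand-in for the system the application logs into."""
    def __init__(self, account, password):
        self._creds = {account: password}

    def set_password(self, account, new_password):
        self._creds[account] = new_password

    def authenticate(self, account, password):
        # Constant-time comparison so the check does not leak via timing.
        return secrets.compare_digest(self._creds.get(account, ""), password)


class SimulatedVault:
    """Constructed stand-in for the vault: generates each new password,
    pushes it to the target and serves the current value on request."""
    def __init__(self, target):
        self._target, self._current = target, {}

    def rotate(self, account):
        new_password = secrets.token_urlsafe(24)
        self._target.set_password(account, new_password)
        self._current[account] = new_password

    def fetch(self, account):
        return self._current[account]


def connect(vault, target, account, cache):
    """Authenticate with the vaulted password, held only in memory.
    A cached value may be stale because the vault rotates often, so one
    failed attempt drops the cache entry and refetches before giving up."""
    for attempt in range(2):
        password = cache.get(account) if attempt == 0 else None
        if password is None:
            password = vault.fetch(account)
        if target.authenticate(account, password):
            cache[account] = password
            return True
        cache.pop(account, None)
    return False
```

The retry matters operationally: once rotation is daily or more frequent, any application that caches the value it fetched will eventually present a stale password, and the correct response is to refetch rather than fall back to a stored copy.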

FEATURE: Support for laptop passwords

Description: A laptop service can be deployed to Windows and Linux laptops. This service periodically contacts the central Privileged Access Manager server cluster, requesting a new password for local administrator accounts.

Benefit: This process makes it possible to secure privileged passwords on mobile devices, which would otherwise be unreachable because they are powered down, disconnected from the network, protected by firewalls and assigned different IP addresses.

FEATURE: Identity management features included

Description: In a typical deployment, user rights to access privileged accounts depend on user membership in AD or LDAP groups. Privileged Access Manager includes workflow processes to request such group membership, to apply segregation of duties policies to these groups, to detect unauthorized changes to these groups and to periodically invite group owners to review their membership.

Benefit: Effective group membership management ensures that security policies are based on reliable data. This is especially helpful for organizations that have not deployed effective identity management processes to manage fine-grained security entitlements.


FEATURE: Many included integrations

Description: Privileged Access Manager includes connectors for over 110 systems and applications, plus flexible agents designed to integrate new ones.

Benefit: Including connectors in the base price and providing a rich set of connectors lowers both the initial and ongoing cost of the system.

FEATURE: Multi-master, replicated architecture

Description: Privileged Access Manager includes a data replication layer and can be deployed to multiple servers, at multiple locations, at no extra cost.

Benefit: Built-in support for high availability and fault tolerance makes Privileged Access Manager suitable for enterprise deployments.

FEATURE: Multi-lingual user interface

Description: Privileged Access Manager ships with multiple user interface languages, and additional ones can be added easily, both by Hitachi ID Systems and customers.

Benefit: A multi-lingual user interface makes Privileged Access Manager suitable for international organizations.

www.Hitachi-ID.com

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: [email protected]

File: /pub/wp/documents/features/hipam/hipam-features-short-5.tex    Date: 2011-05-05