Hitachi ID Privileged Access Manager Features at a Glance

FEATURE: Infrastructure auto-discovery Description Privileged Access Manager periodically extracts a list of systems from a directory such as AD or from a source such as an IT inventory database. It then applies rules to decide which of these systems to manage. Managed systems are probed to nd accounts, groups and services on each one. Rules determine which of these accounts should be controlled by Privileged Access Manager. This process is normally run every 24 hours. Benet Auto-discovery is essential for deploying Privileged Access Manager in medium to large organizations, where there may be thousands of systems with accounts to secure and where hundreds of systems may be added, moved or retired daily.

FEATURE: Randomize passwords on privileged accounts Description Privileged Access Manager periodically randomizes passwords on every privileged account within its scope of authority. This is normally done daily. Benet Frequent password changes eliminate the possibility of password sharing or of access being retained by administrators after work is completed. Former IT staff lose access automatically.

FEATURE: Encrypted, replicated password vault Description Randomized passwords are encrypted and stored in a database. The database is replicated between at least two servers, installed in at least two physical locations. Benet Encryption and replication protects against inappropriate disclosure of sensitive passwords or loss of access to privileged accounts, even in the event of media theft, server crash or physical disaster at a data center.

FEATURE: Access control policies Description IT users sign into Privileged Access Manager to request access to privileged accounts. These requests are subject to access control rules, typically associating groups of users to groups of managed systems. Requests may also carry other data, such as incident numbers, which can be validated before access is granted. Benet Policies allow IT security to control who can sign into each system.

2011 Hitachi ID Systems, Inc. All rights reserved.

Privileged Access Manager Features at a Glance

FEATURE: One-time access request workow Description Users without pre-approved login rights can nonetheless request access to privileged accounts. These requests are subjected to a workow authorization process which may involve one or more approvers and which supports reminders, escalation, delegation, approval by multiple people and more. Benet Workow approvals supports a range of business processes, including production migration, a exible workforce and emergency access.

FEATURE: Single sign-on and other access disclosure methods Description Privileged Access Manager does not normally display passwords to privileged accounts from its vault. Instead, it may launch a login session automatically and inject credentials, or temporarily place a users AD domain account into a security group or create a temporary SSH trust relationship. Benet Users benet from single sign-on to privileged accounts while security is enhanced by avoiding password display and even knowledge of passwords by administrators.

FEATURE: Audit logs and reports Description Privileged Access Manager records every attempted, authorized and completed login to a privileged account. E-mail notications, incident management integration and built-in reports create accountability for access to privileged accounts. Benet Accountability motivates users to act appropriately and creates a forensic audit trail.

FEATURE: Session recording and forensic audits Description Privileged Access Manager can deploy an ActiveX control to an authorized users desktop to record login sessions to managed systems. These recordings include screen capture, web cam video, keyboard events and more. Recordings are archived indenitely and can be searched and played back, subject to access controls and workow approvals. Benet Session recording is useful both for knowledge sharing and forensic audits.

2011 Hitachi ID Systems, Inc. All rights reserved.

Privileged Access Manager Features at a Glance

FEATURE: Integration with Windows service accounts Description Privileged Access Manager can periodically change the passwords on Windows service accounts. It then noties Windows OS components including SCM, IIS, Scheduler and DCOM of the new password values. Benet This feature eliminates static passwords on Windows services, which often run with signicant privileges.

FEATURE: API to eliminate embedded application passwords Description Privileged Access Manager can frequently scramble and vault the passwords on accounts used by one application to connect to another. Applications can then be modied to call the Privileged Access Manager API to fetch current password values, eliminating passwords stored in scripts and conguration les. Benet Plaintext passwords stored in scripts and conguration les are a major security risk. Eliminating them signicantly improves the security posture of an organization.

FEATURE: Support for laptop passwords Description A laptop service can be deployed to Windows and Linux laptops. This service periodically contacts the central Privileged Access Manager server cluster, requesting a new password for local administrator accounts. Benet This process makes it possible to secure privileged passwords on mobile devices, which would otherwise be unreachable because they are powered down, disconnected from the network, protected by rewalls and assigned different IP addresses.

FEATURE: Identity management features included Description In a typical deployment, user rights to access privileged accounts depend on user membership in AD or LDAP groups. Privileged Access Manager includes workow processes to request such group membership, to apply segregation of duties policies to these groups, to detect unauthorized changes to these groups and to periodically invite group owners to review their membership. Benet Effective group membership management ensures that security policies are based on reliable data. This is especially helpful for organizations that have not deployed effective identity management process to manage ne-grained security entitlements.

2011 Hitachi ID Systems, Inc. All rights reserved.

Privileged Access Manager Features at a Glance

FEATURE: Many included integrations Description Privileged Access Manager includes connectors for over 100 systems and applications, plus exible agents designed to integrate new ones. Benet Including connectors in the base price and providing a rich set of connectors lowers both the initial and ongoing cost of the system.

FEATURE: Multi-master, replicated architecture Description Privileged Access Manager includes a data replication layer and can be deployed to multiple servers, at multiple locations, at no extra cost. Benet Built-in support for high-availability and fault-tolerance make Privileged Access Manager suitable for enterprise deployments.

FEATURE: Multi-lingual user interface Description Privileged Access Manager ships with multiple user interface languages and additional ones can be added easily, both by Hitachi ID Systems and customers. Benet A multi-lingual user interface makes Privileged Access Manager suitable for international organizations.

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com
File: /pub/wp/documents/features/hipam/hipam-features-short-5.tex Date: 2011-05-05

www.Hitachi-ID.com