by hitachiid


Hitachi ID Privileged Access Manager Features

Published Nov 21, 2014 in Software

Hitachi ID Privileged Access Manager is a system for securing access to privileged accounts across many servers and workstations. It periodically randomizes privileged passwords, stores the values in a replicated database and - when appropriate - discloses access to administrators, applications and services.

See more at: http://hitachi-id.com/docs/#sthash.5Da4lzgq.dpuf


Presentation Slides & Transcript

Hitachi ID Privileged Access Manager Features at a Glance

FEATURE: Infrastructure auto-discovery

Description: Privileged Access Manager periodically extracts a list of systems from a directory such as AD or from a source such as an IT inventory database. It then applies rules to decide which of these systems to manage. Managed systems are probed to find accounts, groups and services on each one. Rules determine which of these accounts should be controlled by Privileged Access Manager. This process is normally run every 24 hours.

Benefit: Auto-discovery is essential for deploying Privileged Access Manager in medium to large organizations, where there may be thousands of systems with accounts to secure and where hundreds of systems may be added, moved or retired daily.

FEATURE: Randomize passwords on privileged accounts

Description: Privileged Access Manager periodically randomizes passwords on every privileged account within its scope of authority. This is normally done daily.

Benefit: Frequent password changes eliminate the possibility of password sharing or of access being retained by administrators after work is completed. Former IT staff lose access automatically.

FEATURE: Encrypted, replicated credential vault

Description: Randomized passwords are encrypted and stored in a database. The database is replicated between at least two servers, installed in at least two physical locations.

Benefit: Encryption and replication protect against inappropriate disclosure of sensitive passwords or loss of access to privileged accounts, even in the event of media theft, server crash or physical disaster at a data center.

FEATURE: Access control policies

Description: IT users sign into Privileged Access Manager to request access to privileged accounts. These requests are subject to access control rules, typically associating groups of users to groups of managed systems. Requests may also carry other data, such as incident numbers, which can be validated before access is granted.

Benefit: Policies allow IT security to control who can sign into each system.

© 2014 Hitachi ID Systems, Inc. All rights reserved.

FEATURE: One-time access request workflow

Description: Users without pre-approved login rights can nonetheless request access to privileged accounts. These requests are subjected to a workflow authorization process which may involve one or more approvers and which supports reminders, escalation, delegation, approval by multiple people and more.

Benefit: Workflow approvals support a range of business processes, including production migration, a flexible workforce and emergency access.

FEATURE: Single sign-on and other access disclosure methods

Description: Privileged Access Manager does not normally display passwords to privileged accounts from its vault. Instead, it may launch a login session automatically and inject credentials, or temporarily place a user's AD domain account into a security group or create a temporary SSH trust relationship.

Benefit: Users benefit from single sign-on to privileged accounts while security is enhanced by avoiding password display and even knowledge of passwords by administrators.

FEATURE: Audit logs and reports

Description: Privileged Access Manager records every attempted, authorized and completed login to a privileged account. E-mail notifications, incident management integration and built-in reports create accountability for access to privileged accounts.

Benefit: Accountability motivates users to act appropriately and creates a forensic audit trail.

FEATURE: Session recording and forensic audits

Description: Privileged Access Manager can deploy an ActiveX control to an authorized user's desktop to record login sessions to managed systems. These recordings include screen capture, webcam video, keyboard events and more. Recordings are archived indefinitely and can be searched and played back, subject to access controls and workflow approvals.

Benefit: Session recording is useful both for knowledge sharing and forensic audits.

FEATURE: Integration with Windows service accounts

Description: Privileged Access Manager can periodically change the passwords on Windows service accounts. It then notifies Windows OS components including SCM, IIS, Scheduler and DCOM of the new password values.

Benefit: This feature eliminates static passwords on Windows services, which often run with significant privileges.

FEATURE: API to eliminate embedded application passwords

Description: Privileged Access Manager can frequently scramble and vault the passwords on accounts used by one application to connect to another. Applications can then be modified to call the Privileged Access Manager API to fetch current password values, eliminating passwords stored in scripts and configuration files.

Benefit: Plaintext passwords stored in scripts and configuration files are a major security risk. Eliminating them significantly improves the security posture of an organization.

FEATURE: Support for laptop passwords

Description: A laptop service can be deployed to Windows and Linux laptops. This service periodically contacts the central Privileged Access Manager server cluster, requesting a new password for local administrator accounts.

Benefit: This process makes it possible to secure privileged passwords on mobile devices, which would otherwise be unreachable because they are powered down, disconnected from the network, protected by firewalls and assigned different IP addresses.

FEATURE: Identity management features included

Description: In a typical deployment, user rights to access privileged accounts depend on user membership in AD or LDAP groups. Privileged Access Manager includes workflow processes to request such group membership, to apply segregation of duties policies to these groups, to detect unauthorized changes to these groups and to periodically invite group owners to review their membership.

Benefit: Effective group membership management ensures that security policies are based on reliable data. This is especially helpful for organizations that have not deployed effective identity management processes to manage fine-grained security entitlements.

FEATURE: Many included integrations

Description: Privileged Access Manager includes connectors for over 120 systems and applications, plus flexible agents designed to integrate new ones.

Benefit: Including connectors in the base price and providing a rich set of connectors lowers both the initial and ongoing cost of the system.

FEATURE: Multi-master, replicated architecture

Description: Privileged Access Manager includes a data replication layer and can be deployed to multiple servers, at multiple locations, at no extra cost.

Benefit: Built-in support for high availability and fault tolerance makes Privileged Access Manager suitable for enterprise deployments.

FEATURE: Multi-lingual user interface

Description: Privileged Access Manager ships with multiple user interface languages, and additional ones can be added easily, both by Hitachi ID Systems and customers.

Benefit: A multi-lingual user interface makes Privileged Access Manager suitable for international organizations.

File: /pub/wp/documents/features/hipam/hipam-features-short-5.tex Date: 2011-05-05