Privileged Access Manager is a system for securing access to privileged accounts. It works by regularly randomizing privileged passwords on workstations, servers, network devices and applications. The random passwords are encrypted and stored in at least two replicated vaults. Privileged passwords may be disclosed:
• To IT staff, after they have authenticated and their requests have been authorized.
• To applications, replacing passwords embedded in scripts and configuration files.
• To Windows workstations and servers, which need them to start services.
Password changes and every disclosure are closely controlled and audited, to satisfy policy and regulatory requirements.
19. Securing Privileged Accounts With Hitachi ID Privileged Access Manager
[Layered diagram; the text below is what survives of it.]
Application layer (CGI user interfaces, web server services, identity cache, Hitachi ID services): input and output filtering; application-level ACL; server-local session state with random session/page keys; caller authentication; encrypted I/O; sensitive data encrypted or hashed.
Operating system layer (file system, networking): locked down, with no ASP, COM, DDE, etc.; current service packs; hardened at current patch levels with most services disabled; all traffic in and out is encrypted.
Hardware layer (CPU, storage, NICs): installed in a physically secure facility that is alarmed and monitored.
Figure 2: Network architecture security diagram
2. Unix (various vendors) and Linux (IA86).
The Windows pull-mode service includes plug-ins to notify operating system components of new service
account passwords. Plug-ins are provided for the Windows Service Control Manager, Windows Scheduler
and IIS.
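The three consumers named above (Service Control Manager, Task Scheduler, IIS) each keep their own copy of a service account's password, so a rotation that updates only the directory leaves services that fail at their next restart. The following PowerShell script is an added example of what such a plug-in has to do on the target host after the account's password has already been changed in the directory; it is not Hitachi ID's plug-in code. The account name CORP\svc-app, the parameter names, and the assumption that the script runs elevated on the Windows host are all hypothetical.

```powershell
# Added example, not Hitachi ID code. Push an already-rotated service account
# password to every local consumer: services, scheduled tasks, IIS app pools.
# Assumed (hypothetical): run elevated on the target host; $Account is the
# account as the SCM stores it (e.g. 'CORP\svc-app'); the directory password
# has already been changed to $NewPassword.
param(
    [Parameter(Mandatory)] [string]       $Account,
    [Parameter(Mandatory)] [securestring] $NewPassword
)

$plain    = [System.Net.NetworkCredential]::new('', $NewPassword).Password
$failures = @()

# 1. Services whose logon account is $Account. Win32_Service.Change stores the
#    new credential; restarting a running service proves the SCM can log on
#    with it now rather than discovering a stale password at the next reboot.
$services = Get-CimInstance Win32_Service | Where-Object { $_.StartName -ieq $Account }
foreach ($svc in $services) {
    $r = Invoke-CimMethod -InputObject $svc -MethodName Change `
            -Arguments @{ StartName = $Account; StartPassword = $plain }
    if ($r.ReturnValue -ne 0) {
        $failures += "service $($svc.Name): Change returned $($r.ReturnValue)"
        continue
    }
    if ($svc.State -eq 'Running') {
        try { Restart-Service -Name $svc.Name -ErrorAction Stop }
        catch { $failures += "service $($svc.Name): restart failed: $($_.Exception.Message)" }
    }
}

# 2. Scheduled tasks that run as $Account. The stored secret can only be
#    replaced by re-registering the task principal with the new password.
$tasks = Get-ScheduledTask | Where-Object { $_.Principal.UserId -ieq $Account }
foreach ($t in $tasks) {
    try {
        Set-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath `
            -User $Account -Password $plain -ErrorAction Stop | Out-Null
    } catch {
        $failures += "task $($t.TaskPath)$($t.TaskName): $($_.Exception.Message)"
    }
}

# 3. IIS application pools running under that specific user (IIS hosts only).
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    foreach ($pool in Get-ChildItem IIS:\AppPools) {
        $pm = $pool.processModel
        if ($pm.identityType -eq 'SpecificUser' -and $pm.userName -ieq $Account) {
            Set-ItemProperty "IIS:\AppPools\$($pool.Name)" -Name processModel.password -Value $plain
            if ($pool.state -eq 'Started') { Restart-WebAppPool -Name $pool.Name }
        }
    }
}

# Do not leave the plaintext in the session longer than needed, and report
# every consumer that could not be updated instead of claiming success.
$plain = $null
if ($failures) { $failures | ForEach-Object { Write-Error $_ }; exit 1 }
"Updated $($services.Count) service(s) and $($tasks.Count) task(s) for $Account."
```

The order matters: the directory change comes first, then each consumer is updated and restarted so that a failure shows up immediately and is attributable to the rotation. A pull-mode agent would run this under the vault's control and report the per-consumer outcome back for the audit trail; the partial-failure list is what that report needs.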
Push mode agents, installed on the Privileged Access Manager server and designed to write new passwords to fixed-address target systems, are included for:
Directories: any LDAP, AD, NDS, eDirectory, NIS/NIS+.
Servers: Windows 2000–2012, Samba, NDS, SharePoint.
Databases: Oracle, Sybase, SQL Server, DB2/UDB, ODBC, Informix.
Unix: Linux, Solaris, AIX, HPUX, and 24 more variants.
Mainframes: z/OS with RACF, ACF2 or Top Secret.
Midrange: iSeries (OS400), OpenVMS.
ERP: JDE, Oracle eBiz, PeopleSoft, SAP R/3, SAP ECC 6, Siebel, Business Objects.
Collaboration: Lotus Notes, Exchange, GroupWise, BlackBerry ES.
Tokens, smart cards: RSA SecurID, SafeWord, RADIUS, ActivIdentity, Schlumberger.
WebSSO: CA Siteminder, IBM TAM, Oracle AM, RSA Access Manager.
Help desk: BMC Remedy, BMC SDE, ServiceNow, HP Service Manager, CA Unicenter, Assyst, HEAT, Altiris, Clarify, Track-It!, RSA Envision, MS SCS Manager.
HDD encryption: McAfee, CheckPoint, BitLocker, PGP.
SaaS: Salesforce.com, WebEx, Google Apps, MS Office 365, SOAP (generic).
Miscellaneous: OLAP, Hyperion, iLearn, Caché, Success Factors, VMware vSphere.
Extensible (scripted connectors): SSH, Telnet, TN3270, HTTP(S), SQL, LDAP, command-line.
www.Hitachi-ID.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com
File: /pub/wp/documents/id-archive/what-is-id-archive-7.tex
Date: 2011-03-02