Privileged Access Manager is a system for securing privileged passwords across many servers and workstations. It periodically randomizes them, stores the resulting values in a replicated database and - when appropriate - discloses passwords to administrators, applications and services.

1. Hitachi ID Privileged Access Manager Features at a Glance
FEATURE: Infrastructure auto-discovery
Description Benefit
Privileged Access Manager periodically extracts a
list of systems from a directory such as AD or from
a source such as an IT inventory database. It then
applies rules to decide which of these systems to
manage. Managed systems are probed to find
accounts, groups and services on each one.
Rules determine which of these accounts should
be controlled by Privileged Access Manager. This
process is normally run every 24 hours.
Auto-discovery is essential for deploying
Privileged Access Manager in medium to large
organizations, where there may be thousands of
systems with accounts to secure and where
hundreds of systems may be added, moved or
retired daily.
FEATURE: Randomize passwords on privileged accounts
Description Benefit
Privileged Access Manager periodically
randomizes passwords on every privileged
account within its scope of authority. This is
normally done daily.
Frequent password changes eliminate the
possibility of password sharing or of access being
retained by administrators after work is completed.
Former IT staff lose access automatically.
FEATURE: Encrypted, replicated credential vault
Description Benefit
Randomized passwords are encrypted and stored
in a database. The database is replicated
between at least two servers, installed in at least
two physical locations.
Encryption and replication protects against
inappropriate disclosure of sensitive passwords or
loss of access to privileged accounts, even in the
event of media theft, server crash or physical
disaster at a data center.
FEATURE: Access control policies
Description Benefit
IT users sign into Privileged Access Manager to
request access to privileged accounts. These
requests are subject to access control rules,
typically associating groups of users to groups of
managed systems. Requests may also carry other
data, such as incident numbers, which can be
validated before access is granted.
Policies allow IT security to control who can sign
into each system.
© 2014 Hitachi ID Systems, Inc.. All rights reserved. 1

2. Privileged Access Manager Features at a Glance
FEATURE: One-time access request workflow
Description Benefit
Users without pre-approved login rights can
nonetheless request access to privileged
accounts. These requests are subjected to a
workflow authorization process which may involve
one or more approvers and which supports
reminders, escalation, delegation, approval by
multiple people and more.
Workflow approvals supports a range of business
processes, including production migration, a
flexible workforce and emergency access.
FEATURE: Single sign-on and other access disclosure methods
Description Benefit
Privileged Access Manager does not normally
display passwords to privileged accounts from its
vault. Instead, it may launch a login session
automatically and inject credentials, or temporarily
place a user’s AD domain account into a security
group or create a temporary SSH trust
relationship.
Users benefit from single sign-on to privileged
accounts while security is enhanced by avoiding
password display and even knowledge of
passwords by administrators.
FEATURE: Audit logs and reports
Description Benefit
Privileged Access Manager records every
attempted, authorized and completed login to a
privileged account. E-mail notifications, incident
management integration and built-in reports create
accountability for access to privileged accounts.
Accountability motivates users to act appropriately
and creates a forensic audit trail.
FEATURE: Session recording and forensic audits
Description Benefit
Privileged Access Manager can deploy an ActiveX
control to an authorized user’s desktop to record
login sessions to managed systems. These
recordings include screen capture, web cam
video, keyboard events and more. Recordings are
archived indefinitely and can be searched and
played back, subject to access controls and
workflow approvals.
Session recording is useful both for knowledge
sharing and forensic audits.
© 2014 Hitachi ID Systems, Inc.. All rights reserved. 2

3. Privileged Access Manager Features at a Glance
FEATURE: Integration with Windows service accounts
Description Benefit
Privileged Access Manager can periodically
change the passwords on Windows service
accounts. It then notifies Windows OS
components including SCM, IIS, Scheduler and
DCOM of the new password values.
This feature eliminates static passwords on
Windows services, which often run with significant
privileges.
FEATURE: API to eliminate embedded application passwords
Description Benefit
Privileged Access Manager can frequently
scramble and vault the passwords on accounts
used by one application to connect to another.
Applications can then be modified to call the
Privileged Access Manager API to fetch current
password values, eliminating passwords stored in
scripts and configuration files.
Plaintext passwords stored in scripts and
configuration files are a major security risk.
Eliminating them significantly improves the
security posture of an organization.
FEATURE: Support for laptop passwords
Description Benefit
A laptop service can be deployed to Windows and
Linux laptops. This service periodically contacts
the central Privileged Access Manager server
cluster, requesting a new password for local
administrator accounts.
This process makes it possible to secure
privileged passwords on mobile devices, which
would otherwise be unreachable because they are
powered down, disconnected from the network,
protected by firewalls and assigned different IP
addresses.
FEATURE: Identity management features included
Description Benefit
In a typical deployment, user rights to access
privileged accounts depend on user membership
in AD or LDAP groups. Privileged Access
Manager includes workflow processes to request
such group membership, to apply segregation of
duties policies to these groups, to detect
unauthorized changes to these groups and to
periodically invite group owners to review their
membership.
Effective group membership management ensures
that security policies are based on reliable data.
This is especially helpful for organizations that
have not deployed effective identity management
process to manage fine-grained security
entitlements.
© 2014 Hitachi ID Systems, Inc.. All rights reserved. 3

4. Hitachi ID Privileged Access Manager Features at a Glance
FEATURE: Many included integrations
Description Benefit
Privileged Access Manager includes connectors
for over 110 systems and applications, plus
flexible agents designed to integrate new ones.
Including connectors in the base price and
providing a rich set of connectors lowers both the
initial and ongoing cost of the system.
FEATURE: Multi-master, replicated architecture
Description Benefit
Privileged Access Manager includes a data
replication layer and can be deployed to multiple
servers, at multiple locations, at no extra cost.
Built-in support for high-availability and
fault-tolerance make Privileged Access Manager
suitable for enterprise deployments.
FEATURE: Multi-lingual user interface
Description Benefit
Privileged Access Manager ships with multiple
user interface languages and additional ones can
be added easily, both by Hitachi ID Systems and
customers.
A multi-lingual user interface makes Privileged
Access Manager suitable for international
organizations.
www.Hitachi-ID.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com
File: / pub/ wp/ documents/ features/ hipam/ hipam-features-short-5.tex
Date: 2011-05-05