Privileged - ManageEngine


Overview

Password Manager Pro offers a complete solution to control, manage, monitor and audit the entire life-cycle of privileged access. In a single package it offers three solutions - privileged account management, remote access management, and privileged session management.

Password Manager Pro basically consolidates all your privileged accounts in a centralized vault in fully encrypted form. It enforces password management best practices and secures the privileged accounts, the keys to your kingdom. It helps mitigate security risks related to privileged access and preempt security breaches and compliance issues.

This document lists the security risks mitigated by Password Manager Pro.

Privileged Account Management

Accounts Discovery, Password Protection & Management

Privileged Accounts Discovery

Password Manager Pro automatically discovers the IT assets in the network (Windows, Linux, network devices & virtual machines) and enumerates the privileged accounts associated with them, thus helping enterprises to quickly secure all their privileged identities.

The discovery process mitigates the following risks:

- Identify unauthorized accounts or services: Password Manager Pro lists all the privileged accounts found in your critical IT assets. You can easily conduct an internal audit and identify the unauthorized ones.
- Minimize the number of privileged accounts: The discovery process also helps you identify the obsolete accounts. You can choose to retain only the accounts that are absolutely needed.

- Prevent unauthorized access: By randomizing passwords of privileged accounts upon discovery, you can prevent unauthorized access by present or past administrators who had access to those passwords previously.

Centralized Password Vault

Password Manager Pro consolidates, stores, and organizes all your passwords in a secure, centralized repository.

Centrally consolidating the privileged accounts enables you to combat the following risks:

- Prevent passwords falling into the wrong hands due to insecure storage: Network and IT administrators tend to store sensitive credentials in text files and spreadsheets – and even on sticky notes. These insecure storage practices make organizations a paradise for hackers. Password Manager Pro eliminates the vulnerabilities by establishing a secure, centralized repository of passwords.
- Overcome system lockout due to outdated passwords: With multiple copies of electronic files containing sensitive passwords floating around the organization, there will be increased instances of outdated passwords and coordination issues, impacting operational efficiency. With Password Manager Pro serving as the centralized repository, you can eliminate the coordination issues and system lockout issues due to outdated passwords.

Access Provisioning and Controls

Password Ownership and Granular Sharing

The basic design of Password Manager Pro revolves around the concept of password ownership and sharing. One who adds a password to the repository becomes the owner of the password and the owner alone will have access to that password. If the owner wants others to view it, the password has to be shared. At any point, all users (including administrators) will only see the passwords that are owned and shared.

- Eliminate orphan accounts: Orphaned accounts are privileged accounts that remain active but have no associated owner. These accounts are usually the result of an employee moving departments or leaving the organization. Failing to shut down or transfer ownership of these accounts can lead to access control gaps. Password Manager Pro solves this problem by allowing any departing resource owner to transfer ownership of their resources to another authorized employee.
- Overcome security risks due to employee turnover: When an IT staff member having privileged access to IT resources leaves the organization, all access to critical IT systems possessed by the departing member should be immediately disabled. In the absence of a password management system, it becomes tough to identify the list of passwords accessed by that user and change all of them. Password Manager Pro allows transferring ownership and randomizing passwords after the departure of the IT staff, thus completely eliminating security issues that could arise due to employee turnover.
- Avoid password leakage due to insecure sharing: IT staff tend to share common passwords among team members by word of mouth, email, or phone calls, which lead to password compromise. Password Manager Pro offers secure, granular sharing based on job functions and helps avoid password exposure or compromise.
- Prevent unnecessary access: Password Manager Pro enforces strict access controls and ensures that administrators get access only to the passwords that they require for their job functions. For example, Windows administrators will get access only to Windows passwords and not to database passwords. This way, organizations can prevent unnecessary access.
- Eliminate displaying passwords in plain text: Even while sharing passwords with others through the most secure means, passwords may be memorized or noted down, which may in turn lead to unauthorized access. For ultimate security, Password Manager Pro empowers admins to provide access to IT resources as needed, without disclosing the resource passwords in plain text. Users will be allowed to launch direct RDP, SSH, Telnet, SQL console connections with remote resources and automatically login to websites and applications without seeing passwords.
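The ownership-and-sharing rule described above, together with the ownership transfer and password randomization the orphan-account and employee-turnover bullets call for, can be captured in a small model. The following is an added illustration written for this page, not Password Manager Pro's code; the Vault and Record classes, the record names and the secret values are all constructed for the example, and secrets.token_urlsafe stands in for whatever password reset the product performs.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Record:
    owner: str
    secret: str
    shared_with: set = field(default_factory=set)


class Vault:
    """Ownership-and-sharing model (constructed for this example): a record is visible
    only to its owner and to users the owner explicitly shared it with. There is no
    implicit administrator-sees-everything path."""

    def __init__(self):
        self._records = {}

    def add(self, user, name, secret):
        # Whoever adds a record becomes its owner; nobody else can see it yet.
        self._records[name] = Record(owner=user, secret=secret)

    def _can_see(self, user, rec):
        return rec.owner == user or user in rec.shared_with

    def share(self, actor, name, grantee):
        # Only the owner may widen the audience of a record.
        rec = self._records[name]
        if actor != rec.owner:
            raise PermissionError(f"{actor} does not own {name}")
        rec.shared_with.add(grantee)

    def read(self, user, name):
        rec = self._records[name]
        if not self._can_see(user, rec):
            raise PermissionError(f"{user} has no access to {name}")
        return rec.secret

    def visible_to(self, user):
        # What the user sees: owned records plus records shared with them, nothing else.
        return sorted(n for n, r in self._records.items() if self._can_see(user, r))

    def deprovision(self, departing, successor):
        """Employee-turnover path: move the departing user's records to a successor,
        drop every share they held, and rotate the transferred secrets so that any
        value the departing user remembers is no longer valid."""
        transferred = []
        for name, rec in self._records.items():
            if rec.owner == departing:
                rec.owner = successor
                rec.secret = secrets.token_urlsafe(24)  # stand-in for a password reset
                rec.shared_with.discard(successor)
                transferred.append(name)
            rec.shared_with.discard(departing)
        return sorted(transferred)


def demo():
    v = Vault()
    v.add("alice", "db01/sa", "constructed-secret-1")
    v.add("bob", "fw01/admin", "constructed-secret-2")
    v.share("alice", "db01/sa", "carol")
    before = {u: v.visible_to(u) for u in ("alice", "bob", "carol")}
    moved = v.deprovision("alice", "dave")
    after = {u: v.visible_to(u) for u in ("alice", "carol", "dave")}
    return before, moved, after


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that visibility is derived from two explicit facts (ownership and shares) rather than from a role, so de-provisioning a user reduces to rewriting those two facts and rotating the secrets they owned.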

AD and LDAP Integration

Password Manager Pro integrates with corporate identity stores such as Active Directory or LDAP for user provisioning and authentication. It continuously synchronizes with the directory and automatically updates the user database whenever users are added or removed in AD. In addition, Active Directory's authentication capabilities can be extended to Password Manager Pro, letting users log on with their AD credentials.

- Overcome user provisioning, de-provisioning issues: Password Manager Pro maintains the same user group structure in the product as in AD. Since permission to access different passwords can be granted based on AD groups, provisioning and deactivating password access follow changes in AD itself. This helps overcome the security issues that normally arise due to provisioning and deactivating access.

Password Release Control and Advanced Workflow

Password Manager Pro enforces an additional layer of security for passwords by forcing users to go through a request-release workflow. Users requiring access to a password just have to raise a request with the admin, along with a credible reason. This allows the admin to scrutinize access requests before approval and reject invalid requests. If needed, dual approvals can be configured, which necessitates two or more admins to approve a request before the passwords are released.

- Avoid insecure, permanent access when people need temporary access: Quite often IT staff or third-party contractors require temporary access to certain resources to perform troubleshooting operations. In such cases, passwords are transmitted by email or telephone and forgotten thereafter. As a result, IT staff will have permanent access to those resources. Password Manager Pro allows administrators to release passwords for a time-limited period at the end of which the password will be automatically reset and access will be revoked.
- Prevent exploitation of privileged access by malicious insiders: By enforcing dual controls on the request-release workflow, malicious insiders looking to exploit authorized privileged access will come under scrutiny.

- Eliminate coordination issues, conflicting changes: When more than one administrator happens to access an IT resource, it could potentially lead to conflicting changes and coordination issues. Password Manager Pro eliminates this by providing exclusive access to specific users for a specified time period.
- Eliminate lack of control over third-party access: Third-party users – including contractors, temporary staff, business partners and vendors who require access to the passwords of critical IT assets – will have to raise a request for access to passwords. Administrators can grant time-limited access; and when the time limit expires, access will be revoked and the password will be reset. This process grants absolute control over third-party access to IT resources.

Remote Password Resets

Password Manager Pro resets passwords of remote IT resources automatically at periodic intervals or anytime on-demand. It assigns strong, unique passwords to each account and supports a wide range of endpoints and target systems across physical, virtual, and cloud environments.

- Eliminate weak, static passwords; overcome cracking attempts: By randomizing passwords of remote IT resources at periodic intervals and assigning strong, unique passwords, Password Manager Pro helps eliminate static, unchanged passwords across the network. This, in turn, prevents unauthorized access and cracking attempts.
- Eliminate static service accounts: The very powerful service accounts used by the system programs to run application software services or processes often possess high or even excessive privileges. Service account passwords are generally set to "never change," due to the difficulty in discovering all dependent services and propagating the password change. Static service accounts make the enterprise a haven for hackers.

  Password Manager Pro automatically locates service accounts by identifying the various Windows server components that are run using domain accounts and mapping the services and scheduled tasks to respective accounts. When a service account password is reset, Password Manager Pro automatically propagates the change across all dependent services associated with the account to avoid any service stoppage.
- Mitigate pass-the-hash attacks: Windows domain admin accounts provide administrative privileges on all workstations, servers, and domain controllers. Only a few, trusted administrators should use the domain administrator accounts. And, they should use the account only to log on to the domain controller systems that are as secure as the domain controllers. This is because Windows systems are vulnerable to pass-the-hash attacks. The single sign-on functionality of Windows allows users to enter credentials once and then never have to enter the password again. Windows actually caches the login details within the system in the form of password hashes. If an attacker manages to access a system where the domain administrator had logged on in the past using his domain admin credentials, the attacker could easily obtain the hash and perpetrate an unauthorized transaction.

  As a best practice approach, domain administrator accounts should not be used to sign on to any system other than domain controllers. If there is a strong need to do so, the password access should go through a workflow for one-time usage, after which it should be reset. Even if the domain admin accounts are prudently used from trusted systems, they should be periodically changed. Password Manager Pro periodically randomizes the domain administrator credentials and mitigates pass-the-hash attacks.
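The pass-the-hash guidance above boils down to three checks an auditor can run against logon and vault records: domain admin credentials should only be cached on domain controllers, any exception should be covered by an approved one-time checkout that was followed by a reset, and the accounts should be rotated regularly regardless. The script below is an added example, not part of the brochure or of Password Manager Pro; the hostnames, account names, logon records, checkout records and the one-day rotation policy are all constructed, and the classification of logon types 2 and 10 as credential-caching (and type 3 as not) is an assumption following the Windows logon-type numbering.

```python
from datetime import datetime, timedelta

# Constructed inventory and policy values (assumed for this example).
DOMAIN_CONTROLLERS = {"dc01", "dc02"}
DOMAIN_ADMINS = {"CORP\\da-jsmith", "CORP\\da-break-glass"}
MAX_ADMIN_PASSWORD_AGE = timedelta(days=1)

# Logon types that leave reusable credential material on the target host (assumed
# classification: 2 = interactive, 10 = remote interactive). Network logons (type 3)
# do not cache the credential on the target and are not treated as exposure here.
CACHING_LOGON_TYPES = {2, 10}


def t(s):
    return datetime.fromisoformat(s)


# Constructed logon records: (timestamp, account, host, logon_type).
LOGONS = [
    (t("2024-03-04 08:00"), "CORP\\da-jsmith", "dc01", 10),            # on a DC: allowed
    (t("2024-03-04 09:30"), "CORP\\da-jsmith", "ws-finance-07", 10),   # no checkout: finding
    (t("2024-03-04 14:05"), "CORP\\da-break-glass", "app-srv-03", 2),  # checkout + reset: ok
    (t("2024-03-04 16:40"), "CORP\\da-break-glass", "app-srv-09", 2),  # checkout, never reset
    (t("2024-03-04 17:00"), "CORP\\da-jsmith", "fileserver01", 3),     # network logon: not cached
]

# Constructed one-time checkouts from the vault: (account, host, approved_at, reset_at or None).
CHECKOUTS = [
    ("CORP\\da-break-glass", "app-srv-03", t("2024-03-04 14:00"), t("2024-03-04 15:00")),
    ("CORP\\da-break-glass", "app-srv-09", t("2024-03-04 16:30"), None),
]

# Constructed rotation history: account -> time of last password change.
LAST_ROTATED = {
    "CORP\\da-jsmith": t("2024-03-01 00:00"),
    "CORP\\da-break-glass": t("2024-03-04 15:00"),
}


def audit_domain_admin_logons(logons, checkouts, domain_controllers, domain_admins):
    """Return (account, host, reason) for each domain admin logon that cached a credential
    on a non-DC host without an approved one-time checkout followed by a reset."""
    findings = []
    for when, account, host, logon_type in logons:
        if account not in domain_admins or logon_type not in CACHING_LOGON_TYPES:
            continue
        if host in domain_controllers:
            continue  # the only hosts where a cached domain admin credential is acceptable
        checkout = next(
            (c for c in checkouts if c[0] == account and c[1] == host and c[2] <= when), None
        )
        if checkout is None:
            findings.append((account, host, "no approved one-time checkout"))
        elif checkout[3] is None or checkout[3] < when:
            findings.append((account, host, "password not reset after use"))
    return findings


def stale_admin_passwords(last_rotated, now, max_age):
    """Accounts whose password has not been rotated within max_age."""
    return sorted(acct for acct, ts in last_rotated.items() if now - ts > max_age)


if __name__ == "__main__":
    for f in audit_domain_admin_logons(LOGONS, CHECKOUTS, DOMAIN_CONTROLLERS, DOMAIN_ADMINS):
        print("exposure:", f)
    print("stale:", stale_admin_passwords(LAST_ROTATED, t("2024-03-05 00:00"), MAX_ADMIN_PASSWORD_AGE))
```

A real run would feed the logon tuples from Windows security event exports and the checkout tuples from the vault's audit trail; the correlation logic itself does not change.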

APIs for Application-to-Application and Application-to-Database Password Management

Password Manager Pro provides three types of APIs for application-to-application password management - SSH-CLI, XML-RPC, and REST. Applications can programmatically query Password Manager Pro and get credentials.

- Eliminate hard-coded credentials: Normally, various applications require access to databases and other applications frequently to query business-related information. This communication process is usually automated by embedding the application credentials in clear text within configuration files and scripts. Administrators usually find it difficult to identify, change, and manage these passwords. As a result, the credentials are left unchanged, which may lead to unauthorized access to sensitive systems. Thus, hard-coded credentials may make technicians' jobs easier, but this practice creates an easy launch point for hackers.

  Password Manager Pro eliminates the practice of hard-coding of passwords with secure APIs for application-to-application and application-to-database password management. The access credentials don't need to be embedded in configuration files but can, instead, be stored in Password Manager Pro's database. Whenever an application needs to connect with other applications or databases, it can query and retrieve passwords from Password Manager Pro using the APIs. This way, the passwords can also be subject to security best practices including rotating passwords periodically and assigning strong, unique passwords, without the need for copious manual updates.
- Reduce security risks in DevOps environments: DevOps environments span several stages such as sandbox, development, unit testing, integration, quality assurance, user acceptance testing, production, and disaster recovery. They also require automated access to privileged identities by various stakeholders. Applications, scripts, and databases running in DevOps environments require access to privileged identities without any human intervention. Hard-coding credentials is the most dangerous programming practice and invites security issues. Password Manager Pro's APIs help grant automated access to passwords to authorized applications, besides enforcing standard password practices, eliminating security issues in DevOps environments.
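To make the hard-coded-credential problem and the vault-backed alternative concrete, here is an added example (not code from the brochure or from Password Manager Pro). It scans a configuration file for secret-bearing keys whose value is a literal, and shows the same configuration rewritten to hold a reference that is resolved at run time through a vault client. The VaultClient class is a hypothetical stand-in and does not implement any of the product's real APIs; the vault:// reference syntax, the file contents and the passwords are constructed for the example.

```python
import re

# Constructed sample: an application config with the database password embedded in
# clear text, the anti-pattern the text describes.
HARD_CODED_CONFIG = """\
[database]
host = db01.example.internal
user = app_reporting
password = Summ3r2019!
"""

# Constructed sample: the same config carrying a vault reference instead of the secret.
VAULT_REFERENCE_CONFIG = """\
[database]
host = db01.example.internal
user = app_reporting
password = vault://db01.example.internal/app_reporting
"""

# Keys that normally carry a secret; a literal value after one of them is a finding.
SECRET_KEY = re.compile(
    r"^[ \t]*(?P<key>password|passwd|pwd|secret|api_key|token)[ \t]*=[ \t]*(?P<value>.+?)[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)
# Hypothetical reference syntax invented for this example: vault://<resource>/<account>
VAULT_REF = re.compile(r"^vault://(?P<resource>[^/\s]+)/(?P<account>[^/\s]+)$")


def find_hard_coded_secrets(text):
    """Return (key, line_number) for every secret-bearing key whose value is a literal
    rather than a vault reference."""
    findings = []
    for m in SECRET_KEY.finditer(text):
        if VAULT_REF.match(m.group("value")):
            continue
        line_no = text.count("\n", 0, m.start()) + 1
        findings.append((m.group("key"), line_no))
    return findings


class VaultClient:
    """Hypothetical vault API client. Each retrieval is recorded with the caller's stated
    reason, and the stored value can be rotated without touching any config file."""

    def __init__(self, store):
        self._store = dict(store)
        self.audit_log = []

    def get_password(self, resource, account, reason):
        self.audit_log.append((resource, account, reason))
        return self._store[(resource, account)]

    def rotate(self, resource, account, new_password):
        self._store[(resource, account)] = new_password


def resolve_config(text, vault, reason):
    """Parse the INI-style text and replace vault references with credentials fetched
    at run time, so the secret never sits on disk with the application."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        ref = VAULT_REF.match(value)
        if ref:
            value = vault.get_password(ref.group("resource"), ref.group("account"), reason)
        settings[key] = value
    return settings


def demo():
    """Rotate the password in the vault and show the application picks up the new value
    on its next connection without any config change."""
    vault = VaultClient({("db01.example.internal", "app_reporting"): "constructed-initial"})
    first = resolve_config(VAULT_REFERENCE_CONFIG, vault, "nightly report job")["password"]
    vault.rotate("db01.example.internal", "app_reporting", "constructed-rotated")
    second = resolve_config(VAULT_REFERENCE_CONFIG, vault, "nightly report job")["password"]
    return first, second, len(vault.audit_log)


if __name__ == "__main__":
    print("hard-coded:", find_hard_coded_secrets(HARD_CODED_CONFIG))
    print("with references:", find_hard_coded_secrets(VAULT_REFERENCE_CONFIG))
    print(demo())
```

The scanner is deliberately key-based rather than entropy-based so that it can run in a pre-commit hook with no false negatives for the common config keys; the audit log on the client is the property that lets the vault enforce rotation and accountability for non-human callers.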

Remote Access & Privileged Session Management

Password Manager Pro allows authorized users to launch direct RDP, SSH, Telnet, and SQL console sessions from any HTML5-compatible browser without end-point agents, browser plug-ins, or helper programs. The connections are tunneled through Password Manager Pro's server and require no direct connectivity between the user device and remote host.

In addition to superior reliability, the tunneled connection provides extreme security as the passwords necessary to establish remote sessions do not need to be available locally on the user's browser. The sessions launched from Password Manager Pro's web interface can be recorded, archived, and played back to support forensic audits. In addition, Password Manager Pro allows administrators to shadow privileged sessions launched by other users.

- Reduce the risks in granting remote access to third parties: By securing and periodically randomizing the credentials exposed to third parties, organizations can reduce the risks due to identity theft in the supply chain.
- Reduce the risk of infection at end points with landing server configuration: In highly secure environments such as data centers, remote access to sensitive end points can be granted through an intermediate jump server. Password Manager Pro centralizes the management of all the credentials, including the jump server, and handles access. The landing server configuration prevents end points from getting infected through insecure connecting machines at third-party locations.

- Prevent malicious or suspicious activities through dual controls: Track the highly sensitive privileged sessions launched by third parties or internal users in real time and terminate suspicious sessions.
- Eliminate repudiation issues: In the event of breaches or security issues, third-party contractors or internal administrators cannot deny performing an activity because Password Manager Pro records privileged sessions in their entirety.

Audit, Real-time Management, Reports

Password Manager Pro records every user action using text-based logs in addition to recording sessions. It also raises real-time alerts and notifications on various password events, including access, modification, deletion, changes in share permissions, and other specific events. Password Manager Pro also generates syslog messages and SNMP traps, which can be sent to SIEM tools and monitoring systems respectively.

- Eliminate accountability issues: Administrative accounts are normally not tied to an individual and are predominantly used in shared environments. This could lead to accountability issues when something goes wrong. When Password Manager Pro acts as the centralized password vault, administrators will have to depend only on Password Manager Pro for accessing IT resources. The audit trails generated by Password Manager Pro enable tracing access to individuals.
- Combat advanced persistent threats: Password Manager Pro raises syslog messages, which could be sent to SIEM tools for correlation with the events from the rest of the enterprise. As advanced cyber-attacks normally span a period of time, correlating data from various IT assets with the privileged access data from Password Manager Pro helps detect cyber-attacks that are in progress or waiting to happen.
- Reduce exploitation of privileged access by insiders: Real-time alerts and notifications on privileged access from Password Manager Pro help organizations detect unauthorized activities and exploitation of privileged access by malicious insiders.
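The audit section describes the raw material (per-event syslog messages for access, modification, deletion and share changes) but not the rules a SIEM would run on them. The following added example, not from the brochure or the product, sketches three such rules over a handful of audit lines: alert on every share or deletion event, alert on password retrieval outside working hours, and alert when one user pulls many distinct passwords within a short window, the pattern a departing or compromised insider tends to leave. The line layout, the user and resource names, the timestamps and the policy thresholds are all constructed for this example; Password Manager Pro's real syslog format is not shown on the page and is not reproduced here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit lines in a syslog-like layout invented for this example.
AUDIT_LINES = """\
2024-03-04T09:02:11Z vault-audit user=alice action=PASSWORD_RETRIEVED resource=db01 account=sa
2024-03-04T09:03:40Z vault-audit user=alice action=PASSWORD_RETRIEVED resource=db02 account=sa
2024-03-04T09:04:05Z vault-audit user=alice action=PASSWORD_RETRIEVED resource=fw01 account=admin
2024-03-04T09:04:30Z vault-audit user=alice action=PASSWORD_RETRIEVED resource=sw01 account=admin
2024-03-04T11:15:00Z vault-audit user=bob action=SHARE_CHANGED resource=db01 account=sa
2024-03-04T11:20:00Z vault-audit user=bob action=PASSWORD_RETRIEVED resource=db01 account=sa
2024-03-05T02:41:19Z vault-audit user=carol action=PASSWORD_RETRIEVED resource=dc01 account=da-break-glass
"""

LINE = re.compile(
    r"^(?P<ts>\S+) vault-audit user=(?P<user>\S+) action=(?P<action>\S+) "
    r"resource=(?P<resource>\S+) account=(?P<account>\S+)$"
)

# Assumed policy values for this example.
BURST_WINDOW = timedelta(minutes=5)
BURST_THRESHOLD = 4           # distinct accounts retrieved by one user inside the window
WORK_HOURS = range(7, 19)     # UTC hours considered normal for interactive retrieval
ALWAYS_ALERT = {"SHARE_CHANGED", "PASSWORD_DELETED"}


def parse(lines):
    """Turn the raw audit text into event dicts, skipping lines that do not match."""
    events = []
    for raw in lines.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def detect(events):
    """Return (kind, user, detail) alerts produced by the three rules."""
    alerts = []
    recent = defaultdict(deque)  # user -> (ts, "resource/account") retrievals inside the window
    for e in events:
        target = f'{e["resource"]}/{e["account"]}'
        if e["action"] in ALWAYS_ALERT:
            alerts.append(("sensitive-change", e["user"], f'{e["action"]} on {target}'))
        if e["action"] != "PASSWORD_RETRIEVED":
            continue
        if e["ts"].hour not in WORK_HOURS:
            alerts.append(("off-hours", e["user"], f'{target} at {e["ts"].isoformat()}'))
        window = recent[e["user"]]
        window.append((e["ts"], target))
        while window and e["ts"] - window[0][0] > BURST_WINDOW:
            window.popleft()  # evict retrievals older than the sliding window
        distinct = {acct for _, acct in window}
        if len(distinct) >= BURST_THRESHOLD:
            alerts.append(("burst", e["user"], f"{len(distinct)} accounts in {BURST_WINDOW}"))
            window.clear()  # report a burst once, then start counting again
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(AUDIT_LINES)):
        print(alert)
```

The burst rule keys on distinct accounts rather than raw event count so that a legitimate retry against one system does not trip it; the window is cleared after reporting so a sustained dump produces one alert per threshold-sized batch instead of one per event.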

About Password Manager Pro

Password Manager Pro (PMP) is a web-based, privileged access management solution for enterprises. It offers a complete solution to control, manage, monitor and audit the entire life-cycle of privileged access. In a single package it offers three solutions - privileged account management, remote access management, and privileged session management. The benefits of deploying Password Manager Pro include eliminating password fatigue and security lapses by deploying a secure, centralized vault for password storage and access; improving IT productivity many times by automating frequent password changes required in critical systems; providing preventive and detective security controls through approval workflows and real-time alerts on password access; and meeting security audits and regulatory compliance such as SOX, HIPAA and PCI.

Online: www.passwordmanagerpro.com
