
Hitachi ID Systems Blogs

Posts Tagged ‘defining privileged access management’

What is the defining characteristic…?

Monday, February 11th, 2013

I’ve been thinking for a while about what, exactly, the defining characteristic of a privileged access management system is.

Some people seem to think that it’s password management. Some even go so far as to call this product category a “password vault.”
But what about granting someone temporary access to elevated access rights in some other way? What about temporary group membership, or temporary SSH trust relationships, for example?

A few years ago, we renamed our software in this category from “Privileged Password Manager” to “Privileged Access Manager” for just this reason — because there were mechanisms at play which have nothing to do with passwords.

I’m still thinking about what it is that really defines this product category, however, and I think I’ve hit on the *one* *key* feature. That feature is granting temporary access — i.e., adding a temporal element to an access grant. If you can control *when* someone gets access to something, then you create a much more interesting audit trail and have an opportunity to generate forensic data, such as screen captures and keylogging (among many others). The key, though, is *time*. You can run these commands as root/Administrator/whatever for the next 2 hours. You can do that either because you were pre-authorized or because someone approved your workflow request, but it’s bounded in time and space.

So that’s my thought for the day. Privileged Access Management is fundamentally a problem in the time domain.
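To make the time-domain idea concrete, here is a small added model (not Hitachi ID code, and not part of the original post) of a time-bounded grant: the grant carries a start, an expiry, the mechanism used (password, group membership, SSH trust) and whether it was pre-authorized or approved through a workflow, every allow/deny decision lands in an audit trail, and expired grants are reported so the underlying mechanism can be revoked. Names such as `TemporaryGrant`, `AccessManager`, the sample clock `T0` and the target `root@db01` are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed sample clock: the post's date, 09:00 UTC, and a one-hour unit.
T0 = datetime(2013, 2, 11, 9, 0, tzinfo=timezone.utc)
HOUR = timedelta(hours=1)


@dataclass
class TemporaryGrant:
    """One time-bounded elevation: who, to what, by which mechanism, for how long."""
    subject: str
    target: str       # e.g. "root@db01"; a group or an SSH trust works the same way
    mechanism: str    # "password", "group-membership", "ssh-trust", ...
    starts: datetime
    expires: datetime
    basis: str        # "pre-authorized" or "approved-by:<approver>"

    def is_active(self, now: datetime) -> bool:
        return self.starts <= now < self.expires


class AccessManager:
    def __init__(self) -> None:
        self.grants: List[TemporaryGrant] = []
        self.audit: List[Tuple[datetime, str]] = []  # (when, event): the forensic trail

    def grant(self, subject: str, target: str, mechanism: str, now: datetime,
              duration: timedelta, approver: Optional[str] = None) -> TemporaryGrant:
        basis = f"approved-by:{approver}" if approver else "pre-authorized"
        g = TemporaryGrant(subject, target, mechanism, now, now + duration, basis)
        self.grants.append(g)
        self.audit.append((now, f"grant {subject}->{target} via {mechanism} "
                                f"until {g.expires.isoformat()} ({basis})"))
        return g

    def check(self, subject: str, target: str, now: datetime) -> bool:
        """Authorization decision at time `now`; every decision is logged, allow or deny."""
        active = [g for g in self.grants
                  if g.subject == subject and g.target == target and g.is_active(now)]
        decision = "allow" if active else "deny"
        self.audit.append((now, f"{decision} {subject}->{target}"))
        return bool(active)

    def expired(self, now: datetime) -> List[TemporaryGrant]:
        """Grants whose window has closed; the caller revokes the underlying mechanism."""
        return [g for g in self.grants if now >= g.expires]
```

The same check denies before the window opens and at the moment it closes, which is the property that makes the audit trail meaningful: access is only ever explainable by a grant that was active at that instant.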

Happy Monday. :-)
