If your company’s network is geographically dispersed, contains DMZs, or includes untrusted domains and networks, then you need BeyondTrust Privileged Identity to centrally manage it all. Privileged Identity can be deployed to handle split environments spanning cloud and on-premises infrastructure, with a mix of almost any platforms, systems, and devices you can imagine, using its unique Zone Processor technology.
Privileged Identity can take a proactive approach to managing your privileged identities and can do it faster than our leading competitors.
BeyondTrust Privileged Identity was designed with usable security in mind. The product scales seamlessly with your business and works quickly to identify weaknesses in privileged accounts, with the ability to rotate thousands of accounts per minute.
Privileged Identity is optimized for speed, understands platforms, and can crawl application stacks for credential use, all while helping your organization become more secure. Privileged Identity also provides the most connectors (most of which require no configuration) to determine where and how a credential is being used, and to manage it.
BeyondTrust Privileged Identity continuously discovers and tracks privileged accounts on your cross-platform network, and automatically provides each account with unique and frequently changing credentials. It ensures that powerful privileged identities are only available to audited users on a temporary, delegated basis – preventing unauthorized and anonymous access to systems with sensitive data.
Privileged Identity provides a full range of APIs that allow almost the entire product to be controlled headlessly or integrated into any other extensible system or orchestration process. With the APIs you can deploy new systems and have their privileged identities managed and cataloged as soon as they hit the network. When your edge and internal defense systems identify new threats, they can trigger Privileged Identity to protect the credentials being misused.
Discovering where service accounts are used is half the battle. You can’t change service account passwords if you don’t know where they are in use. BeyondTrust Privileged Identity dynamically enumerates where each service account is in use before changing its password, every time it executes a password change job.
In dynamic environments, with hundreds or thousands of service accounts, Privileged Identity removes the need to dedicate massive amounts of time and resources to manually maintain a catalog of managed services through a separate network analysis tool. The process is a fully integrated piece of the program that maintains itself every time a service account’s credentials are updated.
Credentials and system data are secured with AES-256 encryption and stored in a database. BeyondTrust Privileged Identity provides the option for hardware-based encryption, at FIPS 140-2 Levels 2 and 3, when used with a PKCS #11 device. Privileged Identity also provides secure and delegated storage of important documents and files within the data store.
Data, such as the new or current password, is protected both in transit and at rest.
Protecting data in transit is a function of the API/method and/or protocol being used. Linux/UNIX management is done over SSH and the entire session is encrypted. For Windows, the API never sends the new password in clear text.
Once the password has been set successfully, it is encrypted using AES-256, and it is that encrypted value that is written to the database.
Finally, Privileged Identity can take advantage of TLS encryption between its distributed modules, and between its web application and users’ machines, to protect passwords and other sensitive information, alongside additional network protection mechanisms.
BeyondTrust Privileged Identity's password management policies help protect against pass-the-hash attacks and rainbow table attacks. With Privileged Identity, passwords are automatically randomized on a scheduled basis as well as after each use.
Privileged Identity's process for generating a random password allows it to approach 100% entropy. That means it is statistically improbable that anyone could guess a generated password, or that a single password could ever be reused, no matter how large your network is.
By using a double-tap method to change the password, Privileged Identity can force urgent replication of a password change across the enterprise, protecting systems against a golden ticket or silver ticket attack.
Your passwords can be changed on any schedule you like. Our customers span all verticals, and some of them change their passwords multiple times per day, based on shift changes. Regulations such as PCI DSS, SOX, and GDPR mandate other schedules depending on the types of accounts. Privileged Identity’s flexible scheduling engine allows fine-tuning of the password management cycles in your network to meet the needs of any and all mandates.
BeyondTrust Privileged Identity supports a broad range of SAML and OAuth federated identity providers, such as Microsoft ADFS or Azure AD, Okta, Ping Identity (PingOne), and OneLogin, providing rapid deployment in federated environments via direct configuration.
With these integrations, Privileged Identity can grant these federated identities secure and seamless access to sensitive systems, applications and credentials – both on-premises and in the cloud.
SAML and OAuth authentication provide a secure Single Sign-On (SSO) process that lets authenticated users access Privileged Identity in the same way they access their other applications.
BeyondTrust Privileged Identity supports multiple third-party MFA providers right out of the box, without the need for additional professional services or special connectors to get them working. A full OATH-compatible MFA system is also provided with the product. This enables you to work with one or more MFA providers to control access to the Privileged Identity system and your sensitive data.
When talking about privileged credentials, high availability and disaster resiliency are an especially important part of the conversation.
BeyondTrust Privileged Identity provides a multi-tier failover strategy. Privileged Identity’s N-tier architecture makes it easy to configure for high availability and disaster recovery. Use of an open and reliable database standard delivers 99.99%+ uptime that can’t be matched by security appliances or proprietary data stores. Because Privileged Identity is a multi-tier, software-based, agentless solution, its components can be easily distributed to match your network architecture and supplied with an abundance of failover options, ensuring your privileged data is always available to the right people at the right time.