Privileged Session Manager (PSM) is a collection of applications that facilitate accessing, monitoring, and recording privileged sessions while meeting audit requirements. PSM enables authorized users to obtain privileged access to computers, with the flexibility to limit that access to specific timeframes, monitor sessions in real time, and terminate sessions at any point. Sessions can be recorded and replayed as necessary. Moreover, the access policies associated with PSM include time limits that allow for time-constrained access to credentials and automatic termination of sessions once the time limit expires.

Benefits

Manage and Record Privileged User Sessions

Privileged accounts are both a necessity and a liability. They are vital for everyday IT operations, but their unrestricted access to system resources makes them a significant security risk; 62% of security breaches have been attributed to privileged account abuse. In a Zero Trust model, access should be granted only at the minimum level necessary, for the shortest duration possible, and it should be proxied and monitored whenever possible.

EmpowerID's Privileged Session Manager (PSM) provides a web-based gateway through which authorized users reach Windows or Linux servers over RDP or SSH without the servers ever being exposed to direct network access from the user. This simplifies network security, since both users and servers can be located anywhere: the only requirements are connectivity between the user and the PSM web interface, and between the PSM Gateway and the target servers. This eliminates the need for costly VPNs, which can also slow down the user experience and decrease productivity. Because the user's workstation never has a network path to the target, the most common malware and hacking techniques that depend on direct connectivity to the servers they target simply cannot reach them. Furthermore, PSM enforces strong adaptive identity verification, and sessions can optionally be recorded as videos for later compliance investigations or verification. In all cases, the password of the privileged credential is never disclosed to the end user, removing the opportunity for it to be shared or misused.

Zero Trust Zoning

On Windows, any local administrator can read the cached credential material of the last x (by default 10, controlled by the CachedLogonsCount setting) users who have logged into that computer, as well as the secrets held in memory for anyone currently logged on. If an attacker can trick a user who holds local admin privileges into opening an email or clicking a link that runs malware on their computer, the attacker gains access to all of that cached material and can use it to install software or move laterally toward higher-value servers. The worst case is when a domain admin has logged into the compromised computer, so that the attacker obtains domain admin credentials.

Recent history has shown that attackers cannot reliably be kept out; what an organization can do is limit where they can go and which cached privileged credentials are available on the computers they compromise, which reduces the damage they can do. This is achieved through zoning or tiering. Zoning can be implemented at the user access level in much the same way that network controls such as subnets, routing tables, and firewall rules segment the network. Microsoft proposes three basic tiers for granting credentials in a Windows network: AD domain controllers (Tier 0), servers (Tier 1), and workstations (Tier 2). Organizations can, however, implement as many zones as necessary with EmpowerID.

EmpowerID PSM is a valuable tool for enforcing a Zero Trust zoning or "micro-segmentation" strategy. PSM enables organizations to use pre-provisioned shared accounts for server access, without revealing their passwords, instead of elevating the access of the user's existing account. EmpowerID administrators explicitly define which vaulted privileged credentials are available to administrators for specific servers, by zone, so a credential from one tier is never used on a machine in another. This is a best practice for avoiding lateral movement and pass-the-hash attacks.
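To make the zoning rule concrete, the following is an added illustration in JavaScript (the language the PSM components are written in). It is not EmpowerID's code and does not reflect how PSM stores its policy; the tier numbers, credential ids, account names, host names and the allow-list shape are all assumptions constructed for this example. It shows the check a broker performs before it will even offer a vaulted credential for a target: the credential's tier must match the target's tier, and the credential must be on that zone's explicit allow-list, so a mis-tagged or mistakenly allow-listed Tier 0 account still fails closed.

```javascript
// Added example (not EmpowerID's code): a tier-aware policy check of the kind a
// PSM broker performs before it will even offer a vaulted credential for a target.
// Tier numbers follow Microsoft's model: 0 = domain controllers, 1 = servers,
// 2 = workstations. Credential ids, account names and host names are constructed.

const TIER = { DOMAIN_CONTROLLER: 0, SERVER: 1, WORKSTATION: 2 };

// Constructed vault: each shared account is tagged with the tier it belongs to.
const vaultedCredentials = [
  { id: "cred-da-01",  account: "CORP\\da-psm-01",     tier: TIER.DOMAIN_CONTROLLER },
  { id: "cred-srv-01", account: "CORP\\srvadm-psm-01", tier: TIER.SERVER },
  { id: "cred-wks-01", account: ".\\localadm-psm",     tier: TIER.WORKSTATION },
];

// Constructed inventory, as discovery would populate it.
const computers = [
  { name: "dc01.corp.example",   tier: TIER.DOMAIN_CONTROLLER },
  { name: "app01.corp.example",  tier: TIER.SERVER },
  { name: "wks117.corp.example", tier: TIER.WORKSTATION },
];

// Explicit per-zone allow-list maintained by administrators (assumed shape).
// A tier with no entry allows nothing: default deny.
const zoneAllowList = {
  [TIER.DOMAIN_CONTROLLER]: ["cred-da-01"],
  [TIER.SERVER]:            ["cred-srv-01"],
  [TIER.WORKSTATION]:       ["cred-wks-01"],
};

// Decide whether credentialId may be used to open a session on computerName.
// Two independent checks must both pass: the credential's own tier must equal
// the target's tier (so a Tier-0 secret is never typed into a Tier-2 box), and
// the credential must be on the zone's explicit allow-list. A mis-tagged or
// mistakenly allow-listed credential therefore fails closed rather than open.
function evaluateZonePolicy(credentialId, computerName) {
  const cred = vaultedCredentials.find((c) => c.id === credentialId);
  const target = computers.find((c) => c.name === computerName);
  if (!cred)   return { allowed: false, reason: "unknown credential" };
  if (!target) return { allowed: false, reason: "unknown computer" };
  if (cred.tier !== target.tier) {
    return { allowed: false, reason: `tier ${cred.tier} credential not usable on tier ${target.tier} host` };
  }
  if (!(zoneAllowList[target.tier] || []).includes(cred.id)) {
    return { allowed: false, reason: "credential not on the zone allow-list" };
  }
  return { allowed: true, reason: "ok" };
}

// What the self-service page should list for a computer: only the credentials
// that pass the zone policy, so users never even see out-of-zone accounts.
function availableCredentialsFor(computerName) {
  return vaultedCredentials
    .filter((c) => evaluateZonePolicy(c.id, computerName).allowed)
    .map((c) => c.id);
}

// Worked scenario from the text: a Tier-0 (domain admin) credential must be
// refused on a workstation even if someone adds it to the workstation allow-list.
function tier0OnWorkstationIsRefused() {
  zoneAllowList[TIER.WORKSTATION].push("cred-da-01");  // simulate a policy mistake
  const verdict = evaluateZonePolicy("cred-da-01", "wks117.corp.example");
  zoneAllowList[TIER.WORKSTATION].pop();               // undo the simulated mistake
  return verdict.allowed === false;
}
```

The two checks are deliberately redundant: the tier tag travels with the credential, the allow-list is configured per zone, and an attacker or a careless administrator has to get both wrong before a high-tier account can be offered on a low-tier host.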

Self-Service Server Access Shopping

EmpowerID simplifies requesting and launching privileged session access to servers by giving end users a familiar shopping-cart interface. Users search for the computer they need, then click to request the use of a vaulted credential for a specific time period. Access Request policies control time limits, approval processing, session recording, and privacy settings.

If a request requires approval, EmpowerID automatically generates workflow tasks and tracks their status. All participants receive email notifications, and every request, decision, and associated fulfillment action is recorded for auditing purposes.

Adaptive MFA for Server Access

The primary goal of most attacks is to gain access to an organization's key servers, or to "own the box." Unfortunately, passwords remain the weakest link in an organization's security strategy, and multi-factor authentication (MFA) for server access is the proven control for closing this gap. EmpowerID's adaptive MFA makes it easier for organizations to adopt stronger identity verification for server access by not forcing users to perform MFA on every access attempt. Instead, users are prompted for MFA only when the circumstances warrant it.

EmpowerID offers users a variety of user-friendly MFA options, including one-time passwords, FIDO/YubiKey tokens, third-party integrations such as DUO, and the EmpowerID Mobile app. With the mobile app, users simply tap to approve their identity verification request.
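The step-up decision behind "prompted only when the circumstances warrant it" is easiest to understand as a small rule set over context signals. The following is an added JavaScript illustration, not EmpowerID's actual risk engine: the signals (device familiarity, source network, target tier, time since the last verification), the 30-minute reuse window and the per-user baseline are assumptions made for this example, and a real deployment would populate them from the identity provider, the device inventory and the session state.

```javascript
// Added example (not EmpowerID's risk engine): the kind of rule set behind
// "prompt for MFA only when the circumstances warrant it". The signals, the
// 30-minute reuse window and the per-user baseline are assumptions made for
// this illustration.

const TIER0 = 0;                              // domain controllers / identity infrastructure
const MFA_REUSE_WINDOW_MS = 30 * 60 * 1000;   // a fresh MFA is good for 30 minutes

// Constructed baseline: devices and networks this user has verified from before.
const userBaseline = {
  alice: { knownDeviceIds: ["dev-7f3a"], knownNetworks: ["10.20.0.0/16"] },
};

// Minimal IPv4 CIDR membership test so the example has no dependencies.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => ((acc << 8) + Number(o)) >>> 0, 0);
}
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

// ctx: { user, deviceId, clientIp, targetTier, lastMfaAt (ms epoch or null), now }
// Returns { requireMfa, reasons } so the decision can be written to the audit log.
function decideMfa(ctx) {
  const base = userBaseline[ctx.user] || { knownDeviceIds: [], knownNetworks: [] };
  const hard = [];   // signals that always require a fresh verification
  const soft = [];   // signals a recent verification in this session may satisfy

  // Tier-0 targets always get a fresh verification, whatever else is true.
  if (ctx.targetTier === TIER0) hard.push("tier-0 target");
  if (!base.knownDeviceIds.includes(ctx.deviceId)) soft.push("unrecognised device");
  if (!base.knownNetworks.some((n) => inCidr(ctx.clientIp, n))) soft.push("unfamiliar network");

  const recentMfa = ctx.lastMfaAt !== null && ctx.now - ctx.lastMfaAt < MFA_REUSE_WINDOW_MS;
  if (hard.length > 0) return { requireMfa: true, reasons: hard.concat(soft) };
  if (soft.length > 0 && !recentMfa) return { requireMfa: true, reasons: soft };
  if (soft.length > 0) {
    return { requireMfa: false, reasons: ["recent MFA in this session covers: " + soft.join(", ")] };
  }
  return { requireMfa: false, reasons: ["known device on known network"] };
}
```

Keeping the "hard" and "soft" signals separate is the part worth copying: a recent verification may excuse an unfamiliar network, but nothing should excuse skipping MFA for a domain controller.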

Server Discovery

EmpowerID offers one of the most extensive libraries of Identity Governance and Administration (IGA) system connectors available. The Privileged Session Management solution benefits from this and uses these connections to automatically discover computers, virtual machines, and their privileged credentials. The Computer Identity Management module additionally enables optional discovery and management of local computer identities and access.

EmpowerID discovers computers and virtual machines regardless of where they reside. It supports the most popular platforms for running virtual workloads, including AWS, Azure, and VMware vCenter. EmpowerID can also discover computer objects from Active Directory, or they can be registered manually through user-friendly web-based workflows. Computer discovery allows administrators to maintain an up-to-date inventory of the assets they manage and simplifies the process of configuring servers for PSM access.

...

Features:

  • Access: With Privileged Session Manager, users can only access resources for which they have been granted permission. Users request access and initiate a connection through the IAM Shop application.
    All sessions are proxied to the target resources through the PSM servers, which gives the organization extensive control over the transmitted communication.

  • Live Monitoring, Recording, and Replay: Administrators can monitor live sessions (if the policy allows it), record sessions, and replay them for review, all from the EmpowerID website.

  • Credential Sharing: Computer credentials are stored encrypted and, upon request, are used to initiate privileged sessions with the target resource for automatic login. The credentials are never exposed to users, which removes the opportunity for them to be copied or shared.

  • Auto-Login: When combined with Privileged Access Manager, Privileged Session Manager can be configured for automatic login, which improves security and compliance by never exposing account credentials to users.

Architecture

The PSM cluster consists of three dockerized Node.js applications, each with its own responsibilities:

  1. Application

  2. Daemon

  3. Uploader

Session Flow

Below is a UML diagram that outlines a session from initiation through to viewing the recording at the end. A description of the flow follows the image.

...

  1. The user requests access to a computer by checking out a credential from the list of available credentials.

  2. The user clicks the login icon to initiate the RDP (or SSH) session and is prompted to enter their Master password.

  3. The connection request is submitted to the PSM Application together with the master password the user entered.

  4. The PSM Application calls an EmpowerID API endpoint to authorize the request and obtain the credentials for the target resource.

  5. If authorization succeeds, EmpowerID returns the credentials to the PSM Application server; they are never sent to the browser.

  6. The PSM Application connects to the target resource through the Daemon using the corresponding protocol.

  7. Input from the browser and responses from the target resource are exchanged over a WebSocket connection for the lifetime of the session.

Next Steps

Set Up Privileged Session Management

...