Versions Compared

Old Version 1

changes.mady.by.user Phillip Hanegan

Saved on

compared with

New Version 2

changes.mady.by.user Phillip Hanegan

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

In todayPrivileged Access Management (PAM) involves controlling, monitoring, and securing access to privileged accounts within an organization's complex IT environments, managing privileged access to critical systems and data is more important than ever. Privileged accounts, which grant elevated permissions, are essential for system administration, maintenance, and security tasks. However, these accounts also pose significant security risks due to their extensive access capabilities. Unauthorized or improper use of privileged accounts can lead to data breaches, compliance violations, and other severe consequences.

Privileged Session Manager (PSM) addresses these challenges by providing a comprehensive suite of tools designed to streamline and secure the management of privileged sessions. PSM offers a robust solution for accessing, monitoring, and recording privileged sessions, ensuring that only authorized users can access critical systems and that all activities are thoroughly documented.

Key features of PSM include the ability to restrict access within specific timeframes, real-time session monitoring, and session termination capabilities. Additionally, PSM records all sessions for future playback, aiding in compliance and audit efforts. By enforcing strict access policies and leveraging adaptive multi-factor authentication (MFA), PSM significantly enhances the security posture of any organization.

PSM also integrates seamlessly with existing IT infrastructure, providing a web-based gateway for accessing Windows and Linux servers via RDP or SSH. This eliminates the need for exposing servers to direct network access and reduces the complexity and cost associated with traditional VPN solutions.

Key Benefits of PSM in EmpowerID

PSM provides several key benefits that make it invaluable to IT professionals. Let's explore these benefits in detail:

1. Manage and Record Privileged User Sessions

Privileged accounts are crucial for daily IT operations but pose significant security risks due to their unrestricted access to system resources. EmpowerID's PSM provides a web-based gateway for authorized users to access Windows or Linux servers via RDP or SSH without exposing servers to direct network access. This approach simplifies network security and eliminates the need for costly VPNs. PSM enforces strong adaptive identity verification and records sessions as videos for compliance investigations or verification purposes.

2. Enforce Zero Trust Zoning

EmpowerID PSM is an effective tool for implementing a Zero Trust zoning or "micro-segmentation" strategy. It enables organizations to use pre-provisioned shared accounts for server access without revealing passwords or elevating user access. EmpowerID administrators explicitly define which vaulted privileged credentials are available for administrators to access specific servers by zone, preventing lateral movement or pass-the-hash attacks.

3. Self-Service Server Access Shopping

EmpowerID streamlines the process of requesting and launching privileged session access to servers with a familiar shopping cart interface for end users. Access Request policies control time limits, approval processing, session recording, and privacy settings.

4. Adaptive MFA for Server Access

EmpowerID's adaptive MFA enhances server access security by prompting users for multi-factor authentication only when circumstances warrant it. EmpowerID offers various user-friendly MFA options, including one-time passwords, FIDO/Yubikey tokens, third-party integrations like DUO, and the EmpowerID Mobile phone app.

5. Server Discovery

EmpowerID offers an extensive library of Identity Governance and Administration (IGA) system connectors. These connectors enable the Privileged Session Management solution to automatically discover computers, virtual machines, and their associated privileged credentials. Additionally, the Computer Identity Management module provides optional discovery and management of local computer identities and access.

EmpowerID's ability to discover computers and virtual machines is not limited by their location. It supports popular platforms for running virtual workloads, such as AWS, Azure, and VMware VCenter. Furthermore, EmpowerID can discover computer objects from Active Directory or allow manual registration through user-friendly web-based workflows. This functionality empowers administrators to maintain an up-to-date inventory of managed assets and streamlines the process of configuring servers for PSM access.

Key Features of PSM

PSM offers several key features that collectively enhance its functionality and security:

  • Access Control: Privileged Session Manager ensures that users can only access resources for which they have been granted permission. Users can request access and initiate a connection via the IAM Shop application. All sessions are proxied to target resources through PSM servers, providing extensive control over the communication transmitted.

  • Real-time Monitoring, Recording, and Replay: Administrators have the ability to monitor live sessions (if permitted by policy), record sessions, and replay them for review – all from the EmpowerID website.

  • Secure Credential Sharing: Computer credentials are encrypted and used to initiate privileged sessions with the target resource upon request for automatic login. By not exposing these credentials to users, security is significantly enhanced.

  • Automatic Login: When integrated with Privileged Access Manager, Privileged Session Manager can be configured for automatic login. This feature improves security and compliance by preventing the exposure of account credentials to users.

PSM Architecture

The PSM cluster consists of 3 dockerized Node.js applications, each with its own responsibilities. 

...

Application

...

Daemon

...

The below image depicts the flow that occurs during a PSM session. The description that follows the image outlines the session flow:

...

The user authenticates.

...

The user receives an access token, which is used to determine their access.

...

The user initiates a privileged RDP or SSH session to a computer to which they have been granted access using the credentials the system assigns for the specified session.

...

The Privileged Access Service requests the user’s master password.

...

IT infrastructure. These accounts possess elevated permissions and access rights, enabling tasks such as configuring systems, managing users, and accessing sensitive data. Protecting these accounts is essential to prevent unauthorized access and potential security breaches.

EmpowerID’s Approach to PAM

EmpowerID offers a PAM solution designed for multi-cloud and hybrid environments. The solution is based on the Zero Standing Privilege (ZSP) principle, ensuring that privileged access is granted only when necessary to authorized identities and for a specific duration. EmpowerID provides two deployment models for PAM:

  • Advanced PAM

  • Basic PAM

Advanced PAM

The Advanced PAM model features an agentless and vaultless architecture, simplifying deployment and management while providing robust protection across cloud and on-premises environments. This model leverages EmpowerID's microservices and Kubernetes-based framework to achieve scalability and flexibility.

A key aspect of Advanced PAM is its integration with Identity Governance and Administration (IGA) and Access Management (AM) systems. This integration enables controlled privilege escalation, delegation management, and task-based automation. Additionally, Advanced PAM extends its capabilities to include Cloud Infrastructure Entitlements Management (CIEM), focusing on managing and securing access entitlements within cloud environments.

Zero Standing Privilege (ZSP)

Advanced PAM implements the ZSP principle by granting privileged access only when required. This approach reduces the risks associated with permanent privileged accounts, minimizing the attack surface and potential for misuse.

Agentless and Vaultless Architecture

By eliminating the need to install agents on target systems or maintain credential vaults, Advanced PAM streamlines deployment and reduces management overhead. This simplifies the infrastructure and accelerates implementation timelines.

Microservices and Kubernetes Framework

A microservices architecture deployed via Kubernetes allows Advanced PAM to be highly scalable and resilient. This framework adapts to changing workloads and organizational needs, supporting horizontal and vertical scaling.

Integration with IGA and AM Systems

Advanced PAM supports interoperability with major Identity Governance and Administration and Access Management systems, including platforms like Microsoft Azure. This integration enables organizations to leverage existing identity infrastructures and policies, ensuring consistency across systems.

Controlled Privilege Escalation and Delegation Management

The solution facilitates temporary privilege elevation and task delegation based on predefined policies. Administrators can specify who can request elevated access, under what conditions, and for how long, ensuring that users have appropriate access when needed without compromising security.

Cloud Infrastructure Entitlements Management (CIEM)

Advanced PAM extends to include CIEM capabilities, focusing on managing and securing access entitlements in cloud environments. This feature helps organizations maintain compliance and reduce risk by providing visibility and control over cloud permissions and entitlements.

Basic PAM

The Basic PAM model offers a traditional, vault-based solution for managing privileged credentials. It includes a centralized vault where credentials are securely stored and managed. Access to these credentials is governed by granular policies that define who can request access, the conditions for access, and the duration. Password rotation can be automated upon check-in or according to a defined schedule.

Secure Credential Vault

Basic PAM provides a central repository for storing privileged credentials with robust security controls. The vault ensures that sensitive credentials are protected using encryption and strict access controls to prevent unauthorized access.

Granular Access Policies

Administrators can define detailed access policies specifying which users can access certain credentials and under what conditions. Policies may include approval workflows, time-based restrictions, and usage limitations to enforce security best practices.

Automated Password Management

The solution enhances security by automating password rotation for privileged accounts. Passwords can be configured to rotate upon check-in or on a scheduled basis, reducing the risk of compromised credentials due to outdated or exposed passwords.

EmpowerID’s Integrated Identity Management Solution

EmpowerID's PAM offerings are part of a broader platform that integrates Privileged Access Management (PAM), Identity Governance and Administration (IGA), and Access Management (AM) functionalities. This integrated approach provides a unified system for managing identities and access across the organization's IT environment.

By utilizing fine-grained IGA connectors and supporting integration with major vendors, EmpowerID addresses a wide range of identity and access management requirements. Combining PAM, IGA, and AM into a single platform aims to reduce complexity, enhance security, and improve operational efficiency.

Unified Identity Management

The integrated platform offers a single interface for managing identities, credentials, and access control policies. This unification simplifies administrative tasks and reduces the learning curve associated with managing multiple systems.

Consistent Security Controls

By enforcing consistent policies and controls across all identity-related functions, the platform helps reduce security gaps and ensures that security measures are uniformly applied throughout the organization.

Scalability and Adaptability

The platform supports organizational growth and adapts to changing technological landscapes, including multi-cloud and hybrid environments. Its modular architecture allows organizations to scale services according to their evolving needs.

Compliance and Auditing Capabilities

EmpowerID's integrated solution facilitates adherence to regulatory requirements by providing comprehensive auditing, reporting, and policy enforcement tools. Administrators can generate detailed reports and monitor compliance with internal policies and external regulations.

Insert excerpt
IL:External Stylesheet
IL:External Stylesheet
nopaneltrue

...