
Manage and Record Privileged User Sessions

Privileged accounts are both a necessity and a liability. These accounts, with their nearly unlimited access to system resources, are essential for everyday IT operations, yet abuse of privileged accounts is cited as the cause of 62% of security breaches. In a Zero Trust model, only the minimal access required should be granted, for the minimal time period, and where possible the access should be proxied and monitored.

EmpowerID’s Privilege Session Manager (PSM) acts as a web-based gateway that provides authorized users with RDP or SSH access to Windows or Linux servers without exposing the servers to direct network access. This dramatically simplifies network security concerns, as both users and servers can be anywhere. The only constraint is connectivity between the user and the web interface of the PSM, and between the PSM Gateway and the servers they wish to reach. This eliminates the need for costly VPNs, which also slow down the user experience and decrease productivity. This Zero Trust approach blocks most common malware and attack techniques, which rely on network connectivity to the servers they target. In addition, strong adaptive identity verification is enforced, and sessions can optionally be recorded as videos for later compliance investigation or verification. In all cases, the password of the privileged credential is never revealed to the end user, eliminating the potential for sharing or misuse.

Zero Trust Zoning

On Windows, any local admin has access to the cached passwords for the last x (typically 10) users who have logged into that machine. If a hacker can trick a user into opening an email or clicking a link that runs malware on a computer where the user has local admin privileges, the hacker now has access to all cached passwords and can install software or move laterally to target higher-value servers. The worst-case scenario would be a hacker gaining access to the credentials of a domain admin who had logged into that PC.

Recent history shows that no one can stop hackers. You can only reduce the damage they can do by limiting where they can go and which cached privileged credentials might be available locally on compromised PCs. That is what is meant by zoning or tiering. Zoning can be done at the user access level, just as you do with network controls like subnets, routing tables, and firewall rules. Microsoft proposes 3 basic tiers for granting credentials in a Windows network: AD domain controllers, servers, and workstations, but you can implement as many zones as needed with EmpowerID.

EmpowerID PSM is an invaluable tool for enforcing a Zero Trust zoning or “micro-segmentation” strategy. PSM allows an organization to use pre-provisioned shared accounts for server access, without revealing their passwords, instead of elevating the access of the user’s existing account. EmpowerID admins explicitly define which vaulted privileged credentials will be available for use by admins on specific servers, by zone. This is a best practice for preventing lateral movement and pass-the-hash attacks.

Self-Service Server Access Shopping

EmpowerID brings a familiar shopping cart for end users to request and launch privileged session access to servers. Users simply search for the computer to which they need access and click to request use of a vaulted credential for the desired time period. Time limits, approval processing, session recording, and privacy settings are all controlled by privileged credential policies.

If a request requires approval, EmpowerID automatically generates workflow tasks and tracks their status. All participants are kept informed by email notifications and all requests, decisions and associated fulfillment actions are recorded for auditors.
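To make the zone-scoped credential policy and the time-limited checkout described above concrete, here is an added illustrative Python model. It is not EmpowerID code: the Server, VaultedCredential and Checkout types, the sample inventory and the demo clock counted in minutes are all constructed assumptions.

```python
from dataclasses import dataclass

# Hypothetical model (not EmpowerID's API) of zone-scoped credential checkout.
# Time is counted in minutes on a constructed demo clock to keep the example self-contained.

@dataclass(frozen=True)
class Server:
    name: str
    zone: str  # tier the server belongs to, e.g. "tier0" for domain controllers

@dataclass(frozen=True)
class VaultedCredential:
    cred_id: str
    zone: str            # the only zone this shared account is published for
    max_minutes: int     # policy time limit for one checkout
    needs_approval: bool
    record_session: bool

@dataclass
class Checkout:
    cred_id: str
    server: str
    user: str
    expires_at: int  # demo-clock minute at which the session is cut off
    recorded: bool
    status: str      # "pending_approval", "active" or "terminated"

# Constructed sample inventory: one shared account per tier, never published across tiers.
SERVERS = {"dc01": Server("dc01", "tier0"), "app01": Server("app01", "tier1")}
CREDS = {"t0-admin": VaultedCredential("t0-admin", "tier0", 60, True, True),
         "t1-admin": VaultedCredential("t1-admin", "tier1", 240, False, True)}

def request_checkout(user, server_name, cred_id, minutes, now=0, approved=False):
    """Evaluate a self-service request against the credential's zone policy.
    Returns (Checkout or None, reason or status)."""
    server, cred = SERVERS[server_name], CREDS[cred_id]
    if cred.zone != server.zone:  # a request for a tier-1 box can never pull a tier-0 account
        return None, "denied: credential not published for zone " + server.zone
    if minutes > cred.max_minutes:
        return None, f"denied: {minutes} min exceeds policy limit of {cred.max_minutes}"
    status = "pending_approval" if cred.needs_approval and not approved else "active"
    return Checkout(cred_id, server_name, user, now + minutes, cred.record_session, status), status

def expire_sessions(checkouts, now):
    """Terminate active sessions whose time limit has elapsed; returns their credential ids."""
    ended = [c for c in checkouts if c.status == "active" and now >= c.expires_at]
    for c in ended:
        c.status = "terminated"
    return [c.cred_id for c in ended]
```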

Adaptive MFA for Server Access

Gaining access to an organization’s key servers, or “owning the box”, is the primary goal in most attacks. Passwords continue to be the weakest link in an organization’s security strategy, and Multi-Factor Authentication for server access is the only proven means of plugging this gap. EmpowerID’s adaptive MFA eases the adoption of more secure identity verification procedures by ensuring that users aren’t forced to perform MFA on every server access attempt, but only when the circumstances warrant it. EmpowerID provides users a wide range of friendly options, including one-time passwords, FIDO/YubiKey tokens, third parties such as Duo, and the EmpowerID Mobile phone app, which allows users to click to approve their identity verification request.

Server Discovery

EmpowerID includes one of the largest libraries of IGA system connectors available. The Privileged Session Management solution benefits from this convergence and leverages these connections to automatically discover computers, virtual machines, and their privileged credentials. Local computer identities and access can optionally be discovered and managed with the Computer Identity Management module.

EmpowerID discovers computers and virtual machines wherever they may reside. The most popular platforms for running virtual workloads are supported, including Amazon AWS, Azure, and VMware vCenter. EmpowerID also discovers computer objects from your Active Directory, or they can be registered manually in friendly web-based workflows. Computer discovery allows admins to maintain an up-to-date inventory of the assets they are managing and simplifies the process of configuring servers for PSM access.

PSM is an application cluster that allows you to access, record, and monitor privileged sessions. With PSM, users can be issued privileged access to computers while meeting audit requirements. It allows access to be granted for a specific amount of time, sessions to be monitored live and terminated at any point, and sessions to be replayed. It also provides time-constrained access to credentials and automatic termination of sessions when the time limit expires.


Note

To comply with European Union GDPR (General Data Protection Regulation) that was implemented on May 25, 2018, you must do one of two things:

  • Turn off live monitoring and session recording. (See Creating Privileged Session Policies.)
  • Clearly alert the user that their session will be recorded, how it will be recorded, and that they can opt out of such monitoring by not continuing to the session.



Getting Started

  • Overview of Privileged Session Manager
  • Setting Up Privileged Session Management
  • Creating Privileged Session Policies
  • Checking Out Credentials and Initiating an RDP Session
  • Viewing Privileged Session Details
  • Terminating a Privileged Session