Privileged Session Manager (PSM) is a cluster of applications designed to streamline accessing, monitoring, and recording privileged sessions while meeting auditing requirements. PSM allows authorized users to gain privileged access to computers for a specific amount of time, lets administrators monitor those sessions in real time, and lets them terminate a session at any point. Sessions can also be recorded for later playback. Access policies linked to PSM include time limits, which constrain how long a credential may be used and automatically terminate the session when the time limit expires.

To better understand the benefits of PSM in EmpowerID, let's break down its key features and explain how they provide value to IT professionals:

Benefits

Manage and Record Privileged User Sessions

Privileged accounts are both a necessity and a liability. With their nearly unlimited access to system resources, these accounts are essential for everyday IT operations, yet abuse of privileged accounts is attributed as the cause of 62% of security breaches. In a Zero Trust model, only the minimum access required should be granted, for the minimum time period, and where possible the access should be proxied and monitored. EmpowerID's Privileged Session Manager (PSM) acts as a web-based gateway that gives authorized users RDP or SSH access to Windows or Linux servers without exposing the servers to direct network access. This dramatically simplifies network security concerns, as both users and servers can be anywhere: the only connectivity required is between the user and the PSM web interface, and between the PSM Gateway and the servers it needs to reach. This eliminates the need for costly VPNs, which also slow down the user experience and decrease productivity, and it blocks the most common malware and attack techniques that rely on network connectivity to the servers they target. In addition, PSM enforces strong adaptive identity verification, and sessions can optionally be recorded as videos for later compliance investigation or verification. In all cases, the password of the privileged credential is never revealed to the end user, eliminating the potential for sharing or misuse.

Zero Trust Zoning

On Windows, any local admin has access to the cached credentials of the last x (typically 10) users who have logged into that machine. If an attacker can trick a user into opening an email or clicking a link that runs malware on a computer where the user has local admin privileges, the attacker now has access to all of those cached credentials and can use them to install software or move laterally to higher-value servers. The worst-case scenario is an attacker obtaining the credentials of a domain admin who had logged into that PC.

Recent history shows that no one can stop every attacker. You can only reduce the damage they can do by limiting where they can go and which cached privileged credentials might be available locally on compromised PCs. That is what is meant by zoning or tiering. Zoning can be applied at the user access level, just as you apply network controls such as subnets, routing tables, and firewall rules. Microsoft proposes 3 basic tiers for granting credentials in a Windows network (AD domain controllers, servers, and workstations), but you can implement as many zones as needed with EmpowerID.

Enforce Zero Trust Zoning

EmpowerID PSM is an effective tool for implementing a Zero Trust zoning or "micro-segmentation" strategy. It enables organizations to use pre-provisioned shared accounts for server access, without revealing the passwords, instead of elevating the access of the user's existing account. EmpowerID administrators explicitly define which vaulted privileged credentials are available for administrators to access specific servers, by zone. This is a best practice for preventing lateral movement and pass-the-hash attacks.

Self-Service Server Access Shopping

EmpowerID streamlines the process of requesting and launching privileged session access to servers with a familiar shopping cart interface. Users simply search for the computer to which they need access and click to request use of a vaulted credential for the desired time period. Access Request policies control time limits, approval processing, session recording, and privacy settings.

If a request requires approval, EmpowerID automatically generates workflow tasks and tracks their status. All participants are kept informed by email notifications and all requests, decisions and associated fulfillment actions are recorded for auditors.

Adaptive MFA for Server Access

Gaining access to an organization's key servers, or "owning the box", is the primary goal in most attacks. Passwords continue to be the weakest link in an organization's security strategy, and Multi-Factor Authentication for server access is the only proven means to plug this gap. EmpowerID's adaptive MFA eases the adoption of more secure identity verification by prompting users for MFA only when circumstances warrant it, rather than on every server access attempt. EmpowerID offers a wide range of user-friendly MFA options, including one-time passwords, FIDO/Yubikey tokens, third-party integrations such as DUO, and the EmpowerID Mobile app, which lets users click to approve their identity verification request.

Server Discovery

EmpowerID includes one of the largest libraries of Identity Governance and Administration (IGA) system connectors available. The Privileged Session Management solution benefits from this convergence and leverages these connectors to automatically discover computers, virtual machines, and their associated privileged credentials. Additionally, the Computer Identity Management module provides optional discovery and management of local computer identities and access.

EmpowerID discovers computers and virtual machines wherever they reside. The most popular platforms for running virtual workloads are supported, including AWS, Azure, and VMware vCenter. EmpowerID can also discover computer objects from your Active Directory, or computers can be registered manually through user-friendly web-based workflows. Computer discovery lets administrators maintain an up-to-date inventory of the assets they manage and streamlines the process of configuring servers for PSM access.

Features

  • Access Control: Privileged Session Manager ensures that users can only access resources for which they have been granted permission. Users can request access and initiate a connection via the IAM Shop application. All sessions are proxied to target resources through PSM servers, providing extensive control over the communication transmitted.

  • Real-time Monitoring, Recording, and Replay: Administrators have the ability to monitor live sessions (if permitted by policy), record sessions, and replay them for review, all from the EmpowerID website.

  • Secure Credential Sharing: Computer credentials are encrypted and used to initiate privileged sessions with the target resource upon request for automatic login. By not exposing these credentials to users, security is significantly enhanced.

  • Automatic Login: When integrated with Privileged Access Manager, Privileged Session Manager can be configured for automatic login. This feature improves security and compliance by preventing the exposure of account credentials to users.

Architecture

The PSM cluster consists of 3 dockerized Node.js applications, each with its own responsibilities:

  1. Application

  2. Daemon

  3. Uploader


Session Flow

The UML diagram below depicts the flow that occurs during a PSM session, from initiation to viewing the recorded session at the end. A description of the flow follows the image.

  1. The user requests access to a computer by checking out a credential from the list of available credentials.

  2. The user clicks the login icon to initiate the RDP session and is prompted to enter their Master password.

  3. The connection request is submitted to the PSM Application along with the master password the user entered.

  4. The PSM Application calls an EmpowerID API endpoint to authorize the request and receive the credentials for the target resource.

  5. If authorization is successful, EmpowerID returns the credentials to the PSM Application server.

  6. The PSM Application connects to the target resource through the Daemon using the corresponding protocol.

Seen from the authentication and zoning side, the same flow is:

  1. The user authenticates.

  2. The user receives an access token, which is used to determine their access.

  3. The user initiates a privileged RDP or SSH session to a computer to which they have been granted access, using the credentials the system assigns for the specified session.

  4. The Privileged Access Service requests the user's master password.

  5. Upon successful submission of the master password, the Privileged Access Server uses the session connection information to determine where the computer lives and communicates with the PSM Gateway in that zone.

Next Steps

Set Up Privileged Session Management

Create Privileged Access Policies

Enable Computers for Privileged Session Management
