In todayPrivileged Access Management (PAM) involves controlling, monitoring, and securing access to privileged accounts within an organization's complex IT environments, managing privileged access to critical systems and data is more important than ever. Privileged accounts, which grant elevated permissions, are essential for system administration, maintenance, and security tasks. However, these accounts also pose significant security risks due to their extensive access capabilities. Unauthorized or improper use of privileged accounts can lead to data breaches, compliance violations, and other severe consequences.
Privileged Session Manager (PSM) addresses these challenges by providing a comprehensive suite of tools designed to streamline and secure the management of privileged sessions. PSM offers a robust solution for accessing, monitoring, and recording privileged sessions, ensuring that only authorized users can access critical systems and that all activities are thoroughly documented.
Key features of PSM include the ability to restrict access within specific timeframes, real-time session monitoring, and session termination capabilities. Additionally, PSM records all sessions for future playback, aiding in compliance and audit efforts. By enforcing strict access policies and leveraging adaptive multi-factor authentication (MFA), PSM significantly enhances the security posture of any organization.
PSM also integrates seamlessly with existing IT infrastructure, providing a web-based gateway for accessing Windows and Linux servers via RDP or SSH. This eliminates the need for exposing servers to direct network access and reduces the complexity and cost associated with traditional VPN solutions.
Key Benefits of PSM in EmpowerID
PSM provides several key benefits that make it invaluable to IT professionals. Let's explore these benefits in detail:
1. Manage and Record Privileged User Sessions
Privileged accounts are crucial for daily IT operations but pose significant security risks due to their unrestricted access to system resources. EmpowerID's PSM provides a web-based gateway for authorized users to access Windows or Linux servers via RDP or SSH without exposing servers to direct network access. This approach simplifies network security and eliminates the need for costly VPNs. PSM enforces strong adaptive identity verification and records sessions as videos for compliance investigations or verification purposes.
2. Enforce Zero Trust Zoning
EmpowerID PSM is an effective tool for implementing a Zero Trust zoning or "micro-segmentation" strategy. It enables organizations to use pre-provisioned shared accounts for server access without revealing passwords or elevating user access. EmpowerID administrators explicitly define which vaulted privileged credentials are available for administrators to access specific servers by zone, preventing lateral movement or pass-the-hash attacks.
3. Self-Service Server Access Shopping
EmpowerID streamlines the process of requesting and launching privileged session access to servers with a familiar shopping cart interface for end users. Access Request policies control time limits, approval processing, session recording, and privacy settings.
4. Adaptive MFA for Server Access
EmpowerID's adaptive MFA enhances server access security by prompting users for multi-factor authentication only when circumstances warrant it. EmpowerID offers various user-friendly MFA options, including one-time passwords, FIDO/Yubikey tokens, third-party integrations like DUO, and the EmpowerID Mobile phone app.
5. Server Discovery
EmpowerID offers an extensive library of Identity Governance and Administration (IGA) system connectors. These connectors enable the Privileged Session Management solution to automatically discover computers, virtual machines, and their associated privileged credentials. Additionally, the Computer Identity Management module provides optional discovery and management of local computer identities and access.
EmpowerID's ability to discover computers and virtual machines is not limited by their location. It supports popular platforms for running virtual workloads, such as AWS, Azure, and VMware VCenter. Furthermore, EmpowerID can discover computer objects from Active Directory or allow manual registration through user-friendly web-based workflows. This functionality empowers administrators to maintain an up-to-date inventory of managed assets and streamlines the process of configuring servers for PSM access.
Key Features of PSM
PSM offers several key features that collectively enhance its functionality and security:
Access Control: Privileged Session Manager ensures that users can only access resources for which they have been granted permission. Users can request access and initiate a connection via the IAM Shop application. All sessions are proxied to target resources through PSM servers, providing extensive control over the communication transmitted.
Real-time Monitoring, Recording, and Replay: Administrators have the ability to monitor live sessions (if permitted by policy), record sessions, and replay them for review – all from the EmpowerID website.
Secure Credential Sharing: Computer credentials are encrypted and used to initiate privileged sessions with the target resource upon request for automatic login. By not exposing these credentials to users, security is significantly enhanced.
Automatic Login: When integrated with Privileged Access Manager, Privileged Session Manager can be configured for automatic login. This feature improves security and compliance by preventing the exposure of account credentials to users.
PSM Architecture
The PSM cluster consists of 3 dockerized Node.js applications, each with its own responsibilities.
...
Application
...
Daemon
...
The below image depicts the flow that occurs during a PSM session. The description that follows the image outlines the session flow:
...
The user authenticates.
...
The user receives an access token, which is used to determine their access.
...
The user initiates a privileged RDP or SSH session to a computer to which they have been granted access using the credentials the system assigns for the specified session.
...
The Privileged Access Service requests the user’s master password.
...
IT infrastructure. These accounts possess elevated permissions and access rights, enabling tasks such as configuring systems, managing users, and accessing sensitive data. Protecting these accounts is essential to prevent unauthorized access and potential security breaches.
EmpowerID’s Approach to PAM
EmpowerID offers a PAM solution designed for multi-cloud and hybrid environments. The solution is based on the Zero Standing Privilege (ZSP) principle, ensuring that privileged access is granted only when necessary to authorized identities and for a specific duration. EmpowerID provides two deployment models for PAM:
Advanced PAM
Basic PAM
Advanced PAM
The Advanced PAM model features an agentless and vaultless architecture, simplifying deployment and management while providing robust protection across cloud and on-premises environments. This model leverages EmpowerID's microservices and Kubernetes-based framework to achieve scalability and flexibility.
A key aspect of Advanced PAM is its integration with Identity Governance and Administration (IGA) and Access Management (AM) systems. This integration enables controlled privilege escalation, delegation management, and task-based automation. Additionally, Advanced PAM extends its capabilities to include Cloud Infrastructure Entitlements Management (CIEM), focusing on managing and securing access entitlements within cloud environments.
Zero Standing Privilege (ZSP)
Advanced PAM implements the ZSP principle by granting privileged access only when required. This approach reduces the risks associated with permanent privileged accounts, minimizing the attack surface and potential for misuse.
Agentless and Vaultless Architecture
Advanced PAM streamlines deployment and reduces management overhead by eliminating the need to install agents on target systems or maintain credential vaults. This simplifies the infrastructure and accelerates implementation timelines.
Microservices and Kubernetes Framework
A microservices architecture deployed via Kubernetes allows Advanced PAM to be highly scalable and resilient. This framework adapts to changing workloads and organizational needs, supporting horizontal and vertical scaling.
Integration with IGA and AM Systems
Advanced PAM supports interoperability with major Identity Governance and Administration and Access Management systems, including platforms like Microsoft Azure. This integration enables organizations to leverage existing identity infrastructures and policies, ensuring consistency across systems.
Controlled Privilege Escalation and Delegation Management
The solution facilitates temporary privilege elevation and task delegation based on predefined policies. Administrators can specify who can request elevated access, under what conditions, and for how long, ensuring that users have appropriate access when needed without compromising security.
Cloud Infrastructure Entitlements Management (CIEM)
Advanced PAM extends to include CIEM capabilities, focusing on managing and securing access entitlements in cloud environments. This feature helps organizations maintain compliance and reduce risk by providing visibility and control over cloud permissions and entitlements.
Basic PAM
The Basic PAM model offers a traditional, vault-based solution for managing privileged credentials. It includes a centralized vault where credentials are securely stored and managed. Access to these credentials is governed by granular policies that define who can request access, the conditions for access, and the duration. Password rotation can be automated upon check-in or according to a defined schedule.
Secure Credential Vault
Basic PAM provides a central repository for storing privileged credentials with robust security controls. The vault ensures that sensitive credentials are protected using encryption and strict access controls to prevent unauthorized access.
Granular Access Policies
Administrators can define detailed access policies specifying which users can access certain credentials and under what conditions. Policies may include approval workflows, time-based restrictions, and usage limitations to enforce security best practices.
Automated Password Management
The solution enhances security by automating password rotation for privileged accounts. Passwords can be configured to rotate upon check-in or on a scheduled basis, reducing the risk of compromised credentials due to outdated or exposed passwords.
EmpowerID’s Integrated Identity Management Solution
EmpowerID's PAM offerings are part of a broader platform that integrates Privileged Access Management (PAM), Identity Governance and Administration (IGA), and Access Management (AM) functionalities. This integrated approach provides a unified system for managing identities and access across the organization's IT environment.
By utilizing fine-grained IGA connectors and supporting integration with major vendors, EmpowerID addresses a wide range of identity and access management requirements. Combining PAM, IGA, and AM into a single platform aims to reduce complexity, enhance security, and improve operational efficiency.
Unified Identity Management
The integrated platform offers a single interface for managing identities, credentials, and access control policies. This unification simplifies administrative tasks and reduces the learning curve associated with managing multiple systems.
Consistent Security Controls
By enforcing consistent policies and controls across all identity-related functions, the platform helps reduce security gaps and ensures that security measures are uniformly applied throughout the organization.
Scalability and Adaptability
The platform supports organizational growth and adapts to changing technological landscapes, including multi-cloud and hybrid environments. Its modular architecture allows organizations to scale services according to their evolving needs.
Compliance and Auditing Capabilities
EmpowerID's integrated solution facilitates adherence to regulatory requirements by providing comprehensive auditing, reporting, and policy enforcement tools. Administrators can generate detailed reports and monitor compliance with internal policies and external regulations.
Insert excerpt | ||||||
---|---|---|---|---|---|---|
|
...