Privileged Session Manager (PSM) is a suite of applications designed to streamline accessing, monitoring, and recording privileged sessions while ensuring compliance with auditing requirements. PSM allows authorized users to gain privileged access to computers, offering the ability to restrict access to specific timeframes, monitor sessions in real time, and terminate sessions when necessary. PSM also records sessions for future playback. Access policies within PSM include time limits for credential access and automatic session termination after the time limit expires.

To better understand the benefits of PSM in EmpowerID, let's break down its key features and explain how they provide value to IT professionals:

Benefits

Manage and Record Privileged User Sessions

Privileged accounts are essential for daily IT operations, but they pose significant security risks due to their unrestricted access to system resources. In fact, 62% of security breaches are attributed to privileged account abuse. In a Zero Trust model, access should be granted only to the minimum necessary for the shortest duration possible. Additionally, access should be proxied and monitored whenever possible. EmpowerID's Privileged Session Manager (PSM) provides a web-based gateway for authorized users to access Windows or Linux servers via RDP or SSH without exposing the servers to direct network access. This approach simplifies network security concerns, as users and servers can be located anywhere. The only requirements are access between the user and the PSM web interface and between the PSM Gateway and the target servers. This eliminates the need for costly VPNs, which can slow down user experience and decrease productivity. This Zero Trust approach effectively prevents most common malware and hacking exploits that rely on network connectivity to the target servers. Furthermore, PSM enforces strong adaptive identity verification, and sessions can be recorded as videos for compliance investigations or verification purposes. In all cases, the password of the privileged credential is never disclosed to the end user, reducing the potential for sharing or misuse.

Enforce Zero Trust Zoning


Recent history has shown that it's difficult to stop hackers, but limiting where they can go and which cached privileged credentials are available locally on compromised computers can help reduce the damage they can do. This is achieved through zoning or tiering, which can be implemented at the user access level, similar to how network controls like subnets, routing tables, and firewall rules work. Microsoft proposes three basic tiers for granting credentials in a Windows network: AD domain controllers, servers, and workstations. However, organizations can implement as many zones as necessary with EmpowerID. EmpowerID PSM is an effective tool for implementing a Zero Trust zoning or "micro-segmentation" strategy. It enables organizations to use pre-provisioned shared accounts for server access without revealing the passwords or elevating user access. EmpowerID administrators explicitly define which vaulted privileged credentials are available to access specific servers by zone. This is a best practice, preventing lateral movement or pass-the-hash attacks.

Self-Service Server Access Shopping

EmpowerID streamlines the process of requesting and launching privileged session access to servers with a familiar shopping cart interface for end users. Users can easily search for the computer they need access to and request the use of a vaulted credential for a specific time period. Access Request policies control time limits, approval processing, session recording, and privacy settings. If a request requires approval, EmpowerID generates workflow tasks automatically and tracks their status. All participants receive email notifications, and all requests, decisions, and associated fulfillment actions are recorded for auditing purposes.

Adaptive MFA for Server Access

The primary goal of most hack attacks is to gain access to an organization's key servers or "own the box." Unfortunately, passwords remain the weakest link in an organization's security strategy. Multi-Factor Authentication (MFA) is the only proven method to address this security gap for server access. EmpowerID's adaptive MFA enhances server access security by prompting users for multi-factor authentication only when circumstances warrant it. EmpowerID offers various user-friendly MFA options, including one-time passwords, FIDO/Yubikey tokens, third-party integrations like DUO, and the EmpowerID Mobile phone app. With the mobile app, users can click to approve their identity verification request.

Server Discovery

EmpowerID offers an extensive library of Identity Governance and Administration (IGA) system connectors. These connectors enable the Privileged Session Management solution to automatically discover computers, virtual machines, and their associated privileged credentials. Additionally, the Computer Identity Management module provides optional discovery and management of local computer identities and access.

EmpowerID has the ability to discover computers and virtual machines regardless of where they reside. It supports the most popular platforms for running virtual workloads, such as AWS, Azure, and VMware vCenter. Furthermore, EmpowerID can discover computer objects from your Active Directory or allow manual registration through user-friendly web-based workflows. This functionality empowers administrators to maintain an up-to-date inventory of the assets they are managing and streamlines the process of configuring servers for PSM access.

Features

  • Access Control: Privileged Session Manager ensures that users can only access resources for which they have been granted permission. Users can request access and initiate a connection via the IAM Shop application. All sessions are proxied to target resources through PSM servers, providing extensive control over the communication transmitted.

  • Real-time Monitoring, Recording, and Replay: Administrators have the ability to monitor live sessions (if permitted by policy), record sessions, and replay them for review, all from the EmpowerID website.

  • Secure Credential Sharing: Computer credentials are encrypted and used to initiate privileged sessions with the target resource upon request for automatic login. By not exposing these credentials to users, security is significantly enhanced.

  • Automatic Login: When integrated with Privileged Access Manager, Privileged Session Manager can be configured for automatic login. This feature improves security and compliance by preventing the exposure of account credentials to users.

Architecture

The PSM cluster consists of 3 dockerized Node.js applications, each with its own responsibilities. 

  1. Application

  2. Daemon

  3. Uploader


Session Flow

The image below depicts the flow that occurs during a PSM session. A description of the flow follows the image.


  1. The user authenticates.

  2. The user receives an access token, which is used to determine their access.

  3. The user initiates a privileged RDP or SSH session to a computer to which they have been granted access, using the credentials the system assigns for the specified session.

  4. The Privileged Access Service requests the user's master password.

  5. Upon successful submission of the master password, the Privileged Access Server uses the session connection information to determine where the computer lives and communicates with the PSM Gateway in that zone.
