Privileged Access Management

Owned by Phillip Hanegan
Last updated: May 16, 2022
3 min read

EmpowerID Privileged Access Management (PAM) secures access to privileged accounts. It does this by enforcing corporate security policies, preventing unauthorized access to enterprise resources, and controlling who has access to privileged accounts.

The three key areas of EmpowerID's Privileged Access Management include:

Password Vaulting

More than half of organizations share privileged passwords internally. Unfortunately, this process typically consists of writing them down on Post-it notes, sending them through email, or sharing spreadsheets containing master lists of multiple passwords. These methods are extremely insecure and have been linked to breaches. EmpowerID provides a password vault that enables the secure sharing of passwords and other sensitive information such as API keys or digital certificates.

End users can request temporary access to vaulted credentials with granular policies to determine who may request which credentials, for how long, and if the credential’s password should be reset on check-in. Requests can be pre-approved or routed for approval with their status tracked in a business-user friendly interface. Audit logs provide a detailed record of every user’s access to a privileged credential proving who approved the request and for how long the access was granted.

When EmpowerID is installed, it generates a root certificate authority (CA) that is unique to the environment. This CA is used to issue personal certificates for encrypting and decrypting data that is linked to a person, as well as for using the Privileged Access Management feature of EmpowerID. The first time a user creates a secret or attempts to check out shared credentials, EmpowerID prompts that user to create a new password for encrypting and decrypting their secrets.

Once the user enters a password, it becomes their master password. EmpowerID uses this master password to generate a public/private key pair certificate for that person, linking the public key to the user and encrypting the private key with the master password using the latest AES-256 bit encryption with PBKDF2 SHA-256 and salted hashes. The master password is then discarded. EmpowerID keeps no record of it to ensure that only the user can retrieve their credentials. Administrators, and the EmpowerID system itself, have no way to do so. 

Privileged Session Management

Privileged accounts are both a necessity and a liability. These accounts, with their nearly unlimited access to system resources, are essential for everyday IT operations yet abuse of privileged accounts is attributed as the cause of 62% of security breaches. In a Zero Trust model, only the minimum access required should be granted for the minimal time period and if possible, the access should be proxied and monitored.

EmpowerID’s Privilege Session Manager (PSM) acts as a web-based gateway to provide authorized users with RDP or SSH access to Windows or Linux servers but without exposing the servers to actual network access. This dramatically simplifies network security concerns as both users and servers can be anywhere. The only constraint is access between the user and the web interface of the PSM and between the PSM Gateway and the servers they wish to reach. This eliminates the need for costly VPNs which also slow down the user experience and decrease productivity. This Zero Trust approach prevents most common malware and hack exploits that rely on network connectivity to the servers they are targeting. In addition, strong adaptive identity verification is enforced and sessions can be optionally recorded as videos for later compliance investigation or verification. In all cases, the password of the privileged credential is never revealed to the end-user eliminating the potential for sharing or misuse.

Local Computer Identity Management

Attackers frequently target local computer administrator accounts as the first step in order to gain privileged access to an organization’s IT network. Local admin accounts effectively “own the machine” having full access to all local resources including any databases. This access represents a potential audit risk for regulations such as SOX, HIPPA, PCI-DSS, FINMA, MAS, FISMA, and NERC. Local admin accounts can also serve as a stepping stone to a company’s most valuable network data. EmpowerID inventories your servers to discover, monitor, and control local users and groups including local administrators. Role and attribute-based access control policies control membership to the local administrator’s group and allow for access requests through the IT Shop.

All privileged identities can be assigned to policies that automate the rotation of their passwords. The EmpowerID system through its connectors resets the passwords in the managed system and updates the vaulted information.