You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.

Overview of Privileged Session Manager

Privileged Session Manager (PSM) is a suite of applications designed to streamline accessing, monitoring, and recording privileged sessions while ensuring compliance with auditing requirements. PSM allows authorized users to gain privileged access to computers, offering the ability to restrict access within specific timeframes, monitor sessions in real time, and terminate sessions when necessary. PSM also records sessions for future playback. Access policies within PSM include time limits for credential access and automatic session termination after the time limit expires.

To better understand the benefits of PSM in EmpowerID, let's break down its key features and explain how they provide value to IT professionals:

Benefits

Manage and Record Privileged User Sessions

Privileged accounts are essential for daily IT operations but pose significant security risks due to their unrestricted access to system resources. EmpowerID's PSM provides a web-based gateway through which authorized users access Windows or Linux servers via RDP or SSH without exposing those servers to direct network access. This approach simplifies network security and eliminates the need for costly VPNs. PSM enforces strong adaptive identity verification and records sessions as videos for compliance investigations or verification purposes.

Enforce Zero Trust Zoning

EmpowerID PSM is an effective tool for implementing a Zero Trust zoning or "micro-segmentation" strategy. It enables organizations to use pre-provisioned shared accounts for server access without revealing passwords or elevating user access. EmpowerID administrators explicitly define which vaulted privileged credentials are available for administrators to access specific servers by zone, preventing lateral movement or pass-the-hash attacks.

Self-Service Server Access Shopping

EmpowerID streamlines the process of requesting and launching privileged session access to servers with a familiar shopping cart interface for end users. Access Request policies control time limits, approval processing, session recording, and privacy settings.

Adaptive MFA for Server Access

EmpowerID's adaptive MFA enhances server access security by prompting users for multi-factor authentication only when circumstances warrant it. EmpowerID offers various user-friendly MFA options, including one-time passwords, FIDO/Yubikey tokens, third-party integrations like DUO, and the EmpowerID Mobile phone app.

Server Discovery

EmpowerID offers an extensive library of Identity Governance and Administration (IGA) system connectors. These connectors enable the Privileged Session Management solution to automatically discover computers, virtual machines, and their associated privileged credentials. Additionally, the Computer Identity Management module provides optional discovery and management of local computer identities and access.

The ability of EmpowerID to discover computers and virtual machines is not limited by their location. It supports popular platforms for running virtual workloads, such as AWS, Azure, and VMware VCenter. Furthermore, EmpowerID can discover computer objects from Active Directory or allow manual registration through user-friendly web-based workflows. This functionality empowers administrators to maintain an up-to-date inventory of managed assets and streamlines the process of configuring servers for PSM access.

Features

Access Control: Privileged Session Manager ensures that users can only access resources for which they have been granted permission. Users can request access and initiate a connection via the IAM Shop application. All sessions are proxied to target resources through PSM servers, providing extensive control over the communication transmitted.

Real-time Monitoring, Recording, and Replay: Administrators have the ability to monitor live sessions (if permitted by policy), record sessions, and replay them for review – all from the EmpowerID website.

Secure Credential Sharing: Computer credentials are stored encrypted and, on request, are used to log in automatically to the target resource when a privileged session starts. Because these credentials are never exposed to users, security is significantly enhanced.

Automatic Login: When integrated with Privileged Access Manager, Privileged Session Manager can be configured for automatic login. This feature improves security and compliance by preventing the exposure of account credentials to users.

Architecture

The PSM cluster consists of three dockerized Node.js applications, each with its own responsibilities:

  1. Application

  2. Daemon

  3. Uploader

Session Flow

The image below depicts the flow that occurs during a PSM session. A description of the flow follows the image.

[Figure: PSM Session Flow]

  1. The user authenticates.

  2. The user receives an access token, which is used to determine their access.

  3. The user initiates a privileged RDP or SSH session to a computer to which they have been granted access, using the credentials the system assigns for that session.

  4. The Privileged Access Service requests the user’s master password.

  5. Upon successful submission of the master password, the Privileged Access Server uses the session connection information to determine where the computer lives and communicates with the PSM Gateway in that zone.

Set Up Privileged Session Management

Create Privileged Access Policies

Enable Computers for Privileged Session Management

View Privileged Session Details

Connect to Live PSM Sessions

Terminate a Privileged Session