Overview of Privileged Session Manager

In today's complex IT environments, managing privileged access to critical systems and data is more important than ever. Privileged accounts, which grant elevated permissions, are essential for system administration, maintenance, and security tasks. However, these accounts also pose significant security risks due to their extensive access capabilities. Unauthorized or improper use of privileged accounts can lead to data breaches, compliance violations, and other severe consequences.

Privileged Session Manager (PSM) addresses these challenges by providing a comprehensive suite of tools designed to streamline and secure the management of privileged sessions. PSM offers a robust solution for accessing, monitoring, and recording privileged sessions, ensuring that only authorized users can access critical systems and that all activities are thoroughly documented.

Key features of PSM include the ability to restrict access within specific timeframes, real-time session monitoring, and session termination capabilities. Additionally, PSM records all sessions for future playback, aiding in compliance and audit efforts. By enforcing strict access policies and leveraging adaptive multi-factor authentication (MFA), PSM significantly enhances the security posture of any organization.

PSM also integrates seamlessly with existing IT infrastructure, providing a web-based gateway for accessing Windows and Linux servers via RDP or SSH. This eliminates the need for exposing servers to direct network access and reduces the complexity and cost associated with traditional VPN solutions.

Key Benefits of PSM in EmpowerID

PSM provides several key benefits that make it invaluable to IT professionals. Let's explore these benefits in detail:

1. Manage and Record Privileged User Sessions

Privileged accounts are crucial for daily IT operations but pose significant security risks due to their unrestricted access to system resources. EmpowerID's PSM provides a web-based gateway for authorized users to access Windows or Linux servers via RDP or SSH without exposing servers to direct network access. This approach simplifies network security and eliminates the need for costly VPNs. PSM enforces strong adaptive identity verification and records sessions as videos for compliance investigations or verification purposes.

2. Enforce Zero Trust Zoning

EmpowerID PSM is an effective tool for implementing a Zero Trust zoning or "micro-segmentation" strategy. It enables organizations to use pre-provisioned shared accounts for server access without revealing passwords or elevating user access. EmpowerID administrators explicitly define which vaulted privileged credentials are available for administrators to access specific servers by zone, preventing lateral movement or pass-the-hash attacks.

3. Self-Service Server Access Shopping

EmpowerID streamlines the process of requesting and launching privileged session access to servers with a familiar shopping cart interface for end users. Access Request policies control time limits, approval processing, session recording, and privacy settings.

4. Adaptive MFA for Server Access

EmpowerID's adaptive MFA enhances server access security by prompting users for multi-factor authentication only when circumstances warrant it. EmpowerID offers various user-friendly MFA options, including one-time passwords, FIDO/YubiKey tokens, third-party integrations such as Duo, and the EmpowerID Mobile phone app.
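The following is an added illustration, not EmpowerID code or policy, of what "prompting for MFA only when circumstances warrant it" means in practice: each server-access attempt is scored against the user's history, and a second factor is demanded only when the score crosses a threshold. The signals (new device, unfamiliar network, off-hours, recent failures), their weights, the threshold, the sample user and IP addresses, and all function names are assumptions chosen for the example.

```python
# Added illustration, not EmpowerID code, of an adaptive MFA decision: a second factor
# is requested only when the login context looks risky. The signals, weights and the
# threshold below are assumptions chosen for the example, not the product's policy.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

STEP_UP_THRESHOLD = 40              # assumed: scores at or above this prompt for MFA
MFA_FRESHNESS = timedelta(hours=8)  # assumed: a recent successful MFA lowers the score


@dataclass
class LoginContext:
    user: str
    device_id: str
    source_ip: str
    when: datetime
    target_server: str


@dataclass
class UserHistory:
    known_devices: set = field(default_factory=set)
    known_networks: set = field(default_factory=set)  # /24 prefixes seen before
    last_mfa_at: Optional[datetime] = None
    failed_logins_last_hour: int = 0


def network_prefix(ip: str) -> str:
    """Coarse /24 key for IPv4 addresses (good enough for the example)."""
    return ".".join(ip.split(".")[:3])


def risk_score(ctx: LoginContext, hist: UserHistory):
    """Return (score, signals) for one server-access attempt."""
    score, signals = 0, []
    if ctx.device_id not in hist.known_devices:
        score += 30
        signals.append("unrecognised device")
    if network_prefix(ctx.source_ip) not in hist.known_networks:
        score += 25
        signals.append("unfamiliar network")
    if not 8 <= ctx.when.hour < 19:
        score += 15
        signals.append("outside business hours")
    if hist.failed_logins_last_hour >= 3:
        score += 30
        signals.append("recent failed logins")
    if hist.last_mfa_at and ctx.when - hist.last_mfa_at < MFA_FRESHNESS:
        score -= 20
        signals.append("recent MFA step-up")
    return max(score, 0), signals


def requires_mfa(ctx: LoginContext, hist: UserHistory) -> bool:
    return risk_score(ctx, hist)[0] >= STEP_UP_THRESHOLD


def record_mfa_success(hist: UserHistory, ctx: LoginContext) -> None:
    """After a passed second factor, remember the device, network and time."""
    hist.known_devices.add(ctx.device_id)
    hist.known_networks.add(network_prefix(ctx.source_ip))
    hist.last_mfa_at = ctx.when


def demo():
    """Score three constructed attempts by the same user; returns the outcomes."""
    history = UserHistory(known_devices={"laptop-1"}, known_networks={"10.1.2"},
                          last_mfa_at=datetime(2024, 5, 1, 9, 0))  # constructed
    familiar = LoginContext("alice", "laptop-1", "10.1.2.50",
                            datetime(2024, 5, 1, 10, 0), "db01")
    unusual = LoginContext("alice", "tablet-9", "203.0.113.7",
                           datetime(2024, 5, 1, 23, 30), "db01")
    results = {
        "familiar": risk_score(familiar, history),   # known device, office network, daytime
        "unusual": risk_score(unusual, history),     # new device, new network, late night
        "unusual_mfa": requires_mfa(unusual, history),
    }
    record_mfa_success(history, unusual)  # the user passed MFA from the new device
    repeat = LoginContext("alice", "tablet-9", "203.0.113.7",
                          datetime(2024, 5, 2, 0, 15), "db01")
    results["repeat"] = risk_score(repeat, history)  # same device 45 minutes later
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Two points the numbers make: a recognised device on a known network at 10:00 scores 0 and is let through on the first factor alone, while the same user from a new tablet on an unknown network at 23:30 scores 70 and is stepped up; once that MFA succeeds, the device and network become known and the next attempt from it shortly afterwards drops back to 0.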

5. Server Discovery

EmpowerID offers an extensive library of Identity Governance and Administration (IGA) system connectors. These connectors enable the Privileged Session Management solution to automatically discover computers, virtual machines, and their associated privileged credentials. Additionally, the Computer Identity Management module provides optional discovery and management of local computer identities and access.

EmpowerID's ability to discover computers and virtual machines is not limited by their location. It supports popular platforms for running virtual workloads, such as AWS, Azure, and VMware vCenter. Furthermore, EmpowerID can discover computer objects from Active Directory or allow manual registration through user-friendly web-based workflows. This functionality enables administrators to maintain an up-to-date inventory of managed assets and streamlines the process of configuring servers for PSM access.


Key Features of PSM

PSM offers several key features that collectively enhance its functionality and security:

  • Access Control: Privileged Session Manager ensures that users can only access resources for which they have been granted permission. Users can request access and initiate a connection via the IAM Shop application. All sessions are proxied to target resources through PSM servers, providing extensive control over the communication transmitted.

  • Real-time Monitoring, Recording, and Replay: Administrators have the ability to monitor live sessions (if permitted by policy), record sessions, and replay them for review – all from the EmpowerID website.

  • Secure Credential Sharing: Computer credentials are encrypted and used to initiate privileged sessions with the target resource upon request for automatic login. By not exposing these credentials to users, security is significantly enhanced.

  • Automatic Login: When integrated with Privileged Access Manager, Privileged Session Manager can be configured for automatic login. This feature improves security and compliance by preventing the exposure of account credentials to users.

PSM Architecture

The PSM cluster consists of three Dockerized Node.js applications, each with its own responsibilities:

  • Application

  • Daemon

  • Uploader


PSM Session Flow

The image below depicts the flow that occurs during a PSM session; the steps that follow the image outline that flow:

[Figure: PSM Session Flow]

  1. The user authenticates.

  2. The user receives an access token, which is used to determine their access.

  3. The user initiates a privileged RDP or SSH session to a computer to which they have been granted access, using the credentials the system assigns for the specified session.

  4. The Privileged Access Service requests the user’s master password.

  5. Upon successful submission of the master password, the Privileged Access Server uses the session connection information to determine which zone the computer resides in and communicates with the PSM Gateway in that zone.
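To make the session flow above concrete, the following added illustration (not EmpowerID code, and not the product's API) models a broker that walks steps 1 to 5: authenticate, issue an access token, accept a session request, require the master password, resolve the computer's zone and hand off to that zone's gateway. It also models two points made earlier on this page: the Zero Trust zoning rule that administrators decide which vaulted credentials are available per zone (so an account vaulted for one zone cannot be used against a server in another), and the key-feature behaviours of time-limited access, session recording for replay, and never returning the vaulted secret to the user. User, server, zone and gateway names, the token lifetime, the password hashing choice and all method names are assumptions.

```python
# Added illustration, not EmpowerID code: the PSM session flow above (authenticate,
# token, session request, master password, zone lookup, gateway hand-off) together
# with zone-scoped vaulted credentials and access time windows. All names are assumed.
import hashlib, hmac, secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

TOKEN_LIFETIME = timedelta(hours=8)  # assumed

@dataclass(frozen=True)
class Entitlement:
    server: str
    credential_id: str    # vaulted account the session runs as
    not_before: datetime  # access is valid only inside this window
    not_after: datetime

@dataclass
class Session:
    session_id: str
    user: str
    server: str
    protocol: str
    gateway: str
    events: list = field(default_factory=list)  # recorded for replay; never holds a secret

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class SessionBroker:
    def __init__(self, server_zone, zone_gateway):
        self.server_zone = server_zone    # server -> zone (from discovery or manual registration)
        self.zone_gateway = zone_gateway  # zone -> PSM gateway address
        self.vault = {}                   # (zone, credential_id) -> secret, vaulted per zone
        self.entitlements = {}            # user -> [Entitlement]
        self.sessions = {}
        self._passwords = {}              # (user, "login" | "master") -> (salt, pbkdf2 digest)
        self._tokens = {}                 # token -> (user, expiry)

    def register_user(self, user, login_password, master_password):
        for kind, pw in (("login", login_password), ("master", master_password)):
            salt = secrets.token_bytes(16)
            self._passwords[(user, kind)] = (salt, _hash(pw, salt))

    def _verify(self, user, kind, password):
        salt, digest = self._passwords.get((user, kind), (b"", b""))
        return hmac.compare_digest(_hash(password, salt), digest)

    # steps 1 and 2: authenticate, receive an access token
    def authenticate(self, user, login_password, now):
        if not self._verify(user, "login", login_password):
            raise PermissionError("authentication failed")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user, now + TOKEN_LIFETIME)
        return token

    # steps 3 to 5: session request, master password, zone lookup, gateway hand-off
    def request_session(self, token, server, protocol, master_password, now):
        user, expiry = self._tokens.get(token, (None, None))
        if user is None or now >= expiry:
            raise PermissionError("invalid or expired token")
        ent = next((e for e in self.entitlements.get(user, [])
                    if e.server == server and e.not_before <= now <= e.not_after), None)
        if ent is None:
            raise PermissionError(f"{user} has no active entitlement for {server}")
        if not self._verify(user, "master", master_password):
            raise PermissionError("master password rejected")
        zone = self.server_zone[server]
        secret = self.vault.get((zone, ent.credential_id))
        if secret is None:  # account vaulted only for another zone: no lateral use
            raise PermissionError(f"{ent.credential_id} is not vaulted for zone {zone}")
        session = Session(secrets.token_hex(8), user, server, protocol, self.zone_gateway[zone])
        # The zone's gateway would now log in with `secret` over RDP/SSH; the secret stops there.
        session.events.append((now, f"opened via {session.gateway} as {ent.credential_id}"))
        self.sessions[session.session_id] = session
        return session

def _denied(action):
    try:
        action()
    except PermissionError:
        return True
    return False

def demo():
    """Run the flow once on constructed data and probe the denial cases."""
    b = SessionBroker({"db01": "prod-db", "web01": "dmz"},
                      {"prod-db": "psm-gw-prod-db.example.internal", "dmz": "psm-gw-dmz.example.internal"})
    b.register_user("alice", "login-pw", "master-pw")
    b.vault[("prod-db", "svc-dba")] = "constructed-secret"  # vaulted for prod-db only
    t0 = datetime(2024, 5, 1, 10, 0)
    b.entitlements["alice"] = [Entitlement(s, "svc-dba", t0, t0 + timedelta(hours=2))
                               for s in ("db01", "web01")]
    tok = b.authenticate("alice", "login-pw", t0)
    s = b.request_session(tok, "db01", "ssh", "master-pw", t0 + timedelta(minutes=5))
    return {
        "gateway": s.gateway,
        "secret_leaked": "constructed-secret" in repr(s),
        "wrong_master": _denied(lambda: b.request_session(tok, "db01", "ssh", "nope", t0)),
        "wrong_zone": _denied(lambda: b.request_session(tok, "web01", "ssh", "master-pw", t0)),
        "outside_window": _denied(lambda: b.request_session(tok, "db01", "ssh", "master-pw", t0 + timedelta(hours=3))),
    }
```

Running `demo()` shows the checks firing in the order the flow lists them: a valid token and an entitlement inside its window are required before the master password is even checked, the zone is resolved from the computer, and the session that comes back carries the gateway address and a recorded event but not the vaulted secret. The `web01` case is the zoning rule at work: alice is entitled to `svc-dba` on that server, but the account is vaulted only for `prod-db`, so the broker refuses rather than reusing a credential across zones.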