Published: 12 January 2016
By Tom Guyatt
With Osirium, the passwords of privileged accounts are never sent to the SysAdmins' workstations. Instead, the SysAdmins are connected to a session that Osirium has set up on their behalf based on a least privilege model. There is a whole range of terms used in this industry, and since Osirium is a framework for managing privileged user workflow it uses most of them!
Here's a quick rundown of all these terms, what they do and which bits of Osirium do them:
Osirium does this in a light way, in that you can locally define incoming privileged users. In a large installation Osirium will more likely use the services of an Identity Manager, which itself might use Two Factor Authentication.
This is the business of controlling which systems and devices can be accessed by the Privileged User, and at what time. Osirium's main PUM tool is a Profile. A Profile is a collection of users, tools and tasks along with a set of roles. Therefore a user in a Profile can use the defined tools and tasks at the role defined for each of the systems or devices defined in that Profile.
Osirium's PUM is further defined within the Profile by:
Our underlying technology allows us to extend this to concepts like "Has the privileged user been issued an incident or change ticket for this session".
These are very closely related and refer to the management of the actual accounts used on systems, applications and devices. Osirium can discover the accounts defined on systems. It can be told that a specific account is to be used as a Control Account and that others can be used for Roles. In many cases Osirium will create accounts at a specific role for the use of a specific user based on their profile membership.
So part of PAM and PAS is the discovery, creation, enabling, disabling and deletion of accounts on systems, applications and devices. Password Management is a particular function described next.
For the accounts that Osirium manages, or has created itself, the ECPLM function will create passwords that are truly random and as long as the system or device can accept. These passwords are regularly changed based on schedules, events or SysAdmin requests. There are various technologies that deal with provisioning, un-provisioning and backup and restore of those systems and devices.
Not in the title, but a very important part of Osirium. PTA/PTD allows users to issue predetermined, parameter-driven tasks on systems and devices. This gives the users the effects of the privilege for their work, but does so without granting the privilege to the user.
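A minimal sketch of the task-delegation idea above, combined with the Profile check described earlier. This is an added example and not Osirium's code: the class names, the sample profile, the task template and the in-memory vault are all hypothetical and constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Task:
    argv: tuple   # command template; "{name}" marks a parameter slot
    params: dict  # parameter name -> regex the supplied value must fully match

@dataclass(frozen=True)
class Profile:
    users: frozenset
    devices: frozenset
    tasks: frozenset
    role: str     # role the broker's session uses on these devices

# Constructed sample data (hypothetical names, not from any real deployment).
TASKS = {"unlock_account": Task(("passwd", "-u", "{user}"),
                                {"user": r"[a-z][a-z0-9_]{0,31}"})}
PROFILES = [Profile(frozenset({"alice"}), frozenset({"db01"}),
                    frozenset({"unlock_account"}), "helpdesk")]
VAULT = {"db01": "constructed-secret-value"}  # held by the broker only

def find_profile(user, device, task_name):
    """Return the first Profile granting user this task on this device, else None."""
    for p in PROFILES:
        if user in p.users and device in p.devices and task_name in p.tasks:
            return p
    return None

def run_task(user, device, task_name, args):
    """Authorise, validate parameters, and build the command the broker would run."""
    profile = find_profile(user, device, task_name)
    if profile is None:
        raise PermissionError(f"{user} may not run {task_name} on {device}")
    task = TASKS[task_name]
    if set(args) != set(task.params):
        raise ValueError("unexpected or missing parameters")
    for name, pattern in task.params.items():
        if not re.fullmatch(pattern, args[name]):
            raise ValueError(f"parameter {name!r} rejected")
    argv = [part.format(**args) for part in task.argv]
    _credential = VAULT[device]  # the broker would authenticate with this; never returned
    return {"device": device, "role": profile.role, "argv": argv}

if __name__ == "__main__":
    print(run_task("alice", "db01", "unlock_account", {"user": "bob"}))
```

The caller receives only the outcome of a predefined task; the stored credential and the ability to run arbitrary commands stay on the broker side.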