All IT Infrastructures are managed by Privileged Users, who are given elevated powers through accessing Privileged Accounts to ensure that the uptime, performance, resources, and security of the computers meet the needs of the business. Osirium's Privileged Access Management addresses security and compliance requirements by defining who gets access to what and when.
Privileged Access Management is about preventing the misuse of Privileged Accounts in the Hybrid-Cloud world. This abuse has become one of the most critical security challenges, because uncontrolled access to Privileged Accounts opens a “barn door” through which untrusted 3rd parties can compromise data and inflict cyber-attacks, ultimately causing irreparable damage to the business and its corporate reputation.
Osirium separates people from passwords, specifically the passwords of the Privileged Accounts used on devices, systems and applications. We follow a model of Identity In - Role Out to deliver Single Sign On.
The suite ensures that Privileged Account credentials never pass through the user's system and therefore are never exposed to interception there. You'll never need to share Privileged Account credentials again.
Password Lifecycle Management is implemented to ensure that all the passwords it manages are the strongest possible for each of the device classes. It has full breakglass and roll-back features to cope with devices that leave the network or are restored from backups.
Profiles are the key to defining who has access to what connections using which tools and tasks. In addition, the PAM module of the Osirium Suite has the following controls:
The suite enables every Privileged Account on every device to be given a particular state, so you can start using Osirium with no changes to your device estate. From there you build in security and compliance by mapping who can use each account and what happens to its password. The states, from most to least controlled, are as follows.
Where Osirium creates and manages the usernames and passwords of personalised accounts on devices, it assigns an appropriate role to each account. Full audit trails are available from both Osirium and the device. Accounts can be given granular roles rather than everyone receiving full admin, and privileged tasks can still be performed on the device.
For Password Managed accounts, Osirium changes the passwords of the device accounts and nobody knows them; Osirium provides SSO to the device with a full audit trail. Typically all SysAdmins get full admin rights, and privileged tasks can also be performed on the device.
A Password Known account is the minimum level of acceptable best-practice security and typically applies to generic accounts. Osirium knows the password and so provides SSO and passive Session Recording to the device. The password can be changed manually in Osirium without revealing it. Direct connections to the device can still be made, but then no Session Recording is possible. Typically all SysAdmins get full admin rights, and privileged tasks can also be run on the device.
Where it is understood why an account exists but its password has not been provided to Osirium, the account can only be used directly, not through Osirium's SSO. This is a risky, unprotected account that Osirium knows about.
Finally, an account the suite does not know about, and whose purpose is unknown, presents a sizeable risk to the integrity and security of the device.
Multiple Authentication Services are handled, both for verification of User Identity and for the credentials needed for system, device and application connections. MSSP-style operation is supported, i.e. where direct access to the client's Authentication Services is not available. Password change requests are intercepted and handled transparently.
The ability to map your user identities to roles and then visualise those mappings is key to implementing your Security and Compliance policy. It is useful to divide your user classes into categories such as 'first-line', 'outsourced' and 'contractors'. With Osirium you can set policies on a per-profile basis. Switching from one outsource organisation to another becomes straightforward when you know where all their identities are mapped.
Osirium uses long, complex, randomly generated passwords, which puts dictionary and brute-force attacks beyond practical reach. These passwords can be changed both on a schedule and in response to events.
Rules may be set per device to ensure password compliance policies are met and exceeded. A different password is used for every Osirium-managed account on every device managed by Osirium, so a credential captured on one device cannot be reused to move laterally across your system estate.
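As an added illustration of the two rules above (per-device-class policy, and a distinct random password for every account on every device), the following Python is example code written for this page; it is not Osirium's implementation. The device classes, their policies, the estate list and the symbol sets are constructed assumptions.

```python
import math
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Minimum length and per-class minimums for one device class."""
    length: int
    min_lower: int = 1
    min_upper: int = 1
    min_digits: int = 1
    min_symbols: int = 1
    symbols: str = "!#$%&*+-=?@^_~"   # assumption: a set most CLIs and RDP prompts accept

    @property
    def alphabet(self) -> str:
        return string.ascii_letters + string.digits + self.symbols


# Constructed device-class rules (assumption: the switch CLI caps length at 24 and
# rejects some symbols; real limits come from each device's documentation).
POLICIES = {
    "linux": PasswordPolicy(length=32),
    "windows": PasswordPolicy(length=28, min_symbols=2),
    "switch": PasswordPolicy(length=24, symbols="!#$%-_"),
}


def _shuffle(chars: list) -> list:
    """Fisher-Yates with CSPRNG indices; random.shuffle() is not CSPRNG-backed."""
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return chars


def generate(policy: PasswordPolicy) -> str:
    """Satisfy each class minimum first, fill to length from the full alphabet, then shuffle."""
    required = (
        [secrets.choice(string.ascii_lowercase) for _ in range(policy.min_lower)]
        + [secrets.choice(string.ascii_uppercase) for _ in range(policy.min_upper)]
        + [secrets.choice(string.digits) for _ in range(policy.min_digits)]
        + [secrets.choice(policy.symbols) for _ in range(policy.min_symbols)]
    )
    filler = [secrets.choice(policy.alphabet) for _ in range(policy.length - len(required))]
    return "".join(_shuffle(required + filler))


def complies(password: str, policy: PasswordPolicy) -> bool:
    """Check a candidate (generated or hand-entered) against the device-class policy."""
    if len(password) < policy.length or any(c not in policy.alphabet for c in password):
        return False
    return (
        sum(c.islower() for c in password) >= policy.min_lower
        and sum(c.isupper() for c in password) >= policy.min_upper
        and sum(c.isdigit() for c in password) >= policy.min_digits
        and sum(c in policy.symbols for c in password) >= policy.min_symbols
    )


def entropy_bits(policy: PasswordPolicy) -> float:
    """Guessing work an attacker faces: log2(alphabet size) per character."""
    return policy.length * math.log2(len(set(policy.alphabet)))


# Constructed estate: (device, device class, account name)
ESTATE = [
    ("db01", "linux", "root"),
    ("db01", "linux", "osirium_jsmith"),
    ("ad01", "windows", "Administrator"),
    ("core-sw1", "switch", "admin"),
    ("core-sw1", "switch", "enable"),
]


def rotate_estate(estate=ESTATE) -> dict:
    """One fresh password per (device, account); refuse to deploy if any two collide."""
    creds = {}
    for device, dev_class, account in estate:
        policy = POLICIES[dev_class]
        password = generate(policy)
        if not complies(password, policy):
            raise RuntimeError(f"non-compliant password generated for {device}/{account}")
        creds[(device, account)] = password
    if len(set(creds.values())) != len(creds):
        raise RuntimeError("two accounts received the same password; aborting rotation")
    return creds
```

The uniqueness check at the end is what turns "different passwords everywhere" from a statement into a property the vault verifies before anything is pushed to a device; a 32-character password over a 76-symbol alphabet carries roughly 200 bits, so a collision would indicate a broken random source rather than bad luck.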
Device access can be granted at a very granular level, with specific roles assigned to individuals or groups of individuals.
Because the accounts are created personalised to each user, each can be aligned to a particular set of rights or permissions on the end device, so there is no more sharing of the highest-level account. This is the real essence of Privileged Access Management.
An audit trail shows who has accessed what, where, when and how, along with the identity-to-role mapping.
As a result, any audit trail created by the device itself contains personalised login details, not just 'admin' did this and 'root' did that, which makes syslog information far more valuable to a SIEM solution. This requires no changes to the logging solution and no manual cross-referencing.
Credentials cannot be reused to jump sideways onto other servers or devices, because Osirium creates passwords that are unique to each user and each device.
This removes the scenario of being given access to UAT, jumping onto "Live" just to "check a setting", and ending up making changes on the wrong device.
Device Group Separation enforces policy and good practice by ensuring SysAdmins are not connected to potentially conflicting devices at the same time.
It’s easy to get mixed up with multiple connections to similar devices, across different customers, development, user acceptance and production environments.
A real-time view of exactly who is accessing what, (including internal staff and remote 3rd parties).
It also shows what role based access was used along with the activities they’ve been performing.
SysAdmins can log into Osirium using their existing standard account username and password.
Alternatively, two-factor or token-based authentication via RADIUS is available for stronger authentication.
Osirium's Desktop Client allows SysAdmins to easily search for devices by name, type, IP address and so on.
You can also set up your own meta-information by which SysAdmins can find devices, such as location, country or use.
The suite regularly checks that device management interfaces and their ports are reachable.
Any that are not are clearly shown with red icons, both in the Desktop Client device tree and in the SuperAdmin Osirium Web Management Interface.
The suite launches the native management tools that admins already use. This means they don’t have to use browser plug-ins, or tunnels-in-tunnels to manage the infrastructure.
This keeps SysAdmins as happy, motivated and productive as possible.
All connections are made through Osirium’s proxies, so all connections come from the Osirium IP address, which means that firewall and device access restrictions can be locked down accordingly.
This avoids complex management routing on devices.
Each admin's credentials are injected as the connections pass through the proxies.
This means passwords are never sent down to the Osirium Desktop Client. It is not possible to sniff the client's memory or inspect command strings within its process tree to reveal a password. This is especially important when allowing 3rd party access.
Access can be restricted to multiple time windows, in 30-minute increments, throughout the working day.
SysAdmins who have been granted access are presented with a countdown of the time left to complete their job and, optionally, how long to wait until the next window opens up.
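To make the time-window control concrete, here is an added Python example written for this page (not Osirium's code) that evaluates a profile's windows on a 30-minute grid and produces the countdown and the wait-until-next-window figures described above. The profile's windows, the weekday encoding (Monday = 0) and the 7-day look-ahead are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional

SLOT_MINUTES = 30

# Constructed profile: (weekday, start, end) with Monday = 0. Start and end must
# sit on 30-minute boundaries so the windows line up with the half-hour grid.
CONTRACTOR_WINDOWS = [
    (0, "09:00", "12:00"),
    (0, "14:00", "17:30"),
    (2, "09:00", "12:00"),
]


@dataclass
class AccessState:
    allowed: bool
    remaining: Optional[timedelta]      # countdown shown while a window is open
    next_opens_in: Optional[timedelta]  # wait until the next window; None if none within a week


def _slot(hhmm: str) -> time:
    """Parse HH:MM and reject anything not on the 30-minute grid."""
    t = time.fromisoformat(hhmm)
    if (t.hour * 60 + t.minute) % SLOT_MINUTES or t.second:
        raise ValueError(f"{hhmm} is not on a {SLOT_MINUTES}-minute boundary")
    return t


def validate_windows(windows) -> bool:
    for weekday, start, end in windows:
        if not 0 <= weekday <= 6:
            raise ValueError(f"bad weekday {weekday}")
        if _slot(end) <= _slot(start):
            raise ValueError(f"window {start}-{end} ends before it starts")
    return True


def well_formed(windows) -> bool:
    try:
        return validate_windows(windows)
    except ValueError:
        return False


def _instances(windows, now: datetime):
    """Concrete (start, end) datetimes for every window in the 8 days from today,
    so the same weekday next week is included when nothing else is left this week."""
    for offset in range(8):
        day = (now + timedelta(days=offset)).date()
        for weekday, start, end in windows:
            if day.weekday() == weekday:
                yield datetime.combine(day, _slot(start)), datetime.combine(day, _slot(end))


def access_state(windows, now: datetime) -> AccessState:
    validate_windows(windows)
    remaining = None
    upcoming = []
    for start, end in _instances(windows, now):
        if start <= now < end:            # end is exclusive: at 17:30 the window has closed
            remaining = end - now
        elif start > now:
            upcoming.append(start)
    next_in = (min(upcoming) - now) if upcoming else None
    return AccessState(remaining is not None, remaining, next_in)


def gate(windows, now: datetime) -> str:
    """Message the admin would see at connect time."""
    state = access_state(windows, now)
    if state.allowed:
        return f"access granted, {state.remaining} left in this window"
    if state.next_opens_in is None:
        return "access denied, no window in the next 7 days"
    return f"access denied, next window opens in {state.next_opens_in}"
```

Two details matter in practice: the window end is exclusive, so a session attempted exactly at the closing boundary is refused rather than granted a zero-length window, and the look-ahead covers eight days so that a Wednesday-afternoon request correctly reports Monday morning as the next opening.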
It is no longer necessary to issue the maximum level of access to everyone in the admin team.
Osirium applies a least-privilege security posture, ensuring that each privileged role, particularly those outsourced to 3rd party service providers, is given no more than the level of privilege necessary to fulfil the job.
The suite handles access to Windows Workstations and Servers across multiple domains, without any need for existing trust relationships between those domains.
Osirium will provision accounts into the correct AD domain and then Single Sign-On with the correct domain account.
No agents to be installed on devices, servers or in applications.
This eliminates the costly process of configuring and maintaining update programmes.
Many devices are supported “out-of-the-box”, but additional device support can be easily added through the creation of knowledge template files.
These can be customer created and fully supported by Osirium and our partners.
Known credentials for local accounts to devices, servers and applications can be vaulted.
There is no need to reconfigure devices to incorporate, for example, TACACS or LDAP, which is especially useful when managing devices configured outside your control, for example if you are a Managed Service Provider.
Osirium interacts with devices, servers and applications using many different technologies, including SSH, Telnet, RDP, RPC, vSphere, HTTP(S) and even bespoke application APIs.
Osirium can also interact with web-only based applications (such as cloud portals) as well as servers and network devices.
Device access is managed through profiles, which define additive access rights and are used to give groups of users access to groups of devices based on their team, device type, job role, etc.
Profiles can even be used to support specific access requirements for specific projects which can quickly be disabled once the project has finished.
The suite can alert managers or device/service owners whenever a connection is made to the infrastructure.
Whether it be internal staff accessing live servers with admin rights, or 3rd parties coming in with read-only permissions to undertake support contracts, such alerts provide valuable security insights into infrastructure activities.
Admin accounts across the infrastructure are monitored continually, highlighting any unexpected accounts or accounts not linked to an Osirium user.
These accounts can then be risk-assessed and, depending on the conclusion, disabled and/or deleted.
Alerts are raised when a user has not accessed their devices for a longer period, for example one month, three months, or never.
This allows access rights to be audited and assessed, and appropriate measures taken, including removal.
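The two review passes above (unexpected or unlinked accounts on devices, and users whose access has gone stale) reduce to a reconciliation between what a device scan finds, what the vault manages, and when each identity last connected. The following Python is an added example written for this page, not Osirium's code; the device inventory, scan results, user last-login timestamps and the 30/90-day thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed vault view. MANAGED maps (device, account) to the Osirium user a
# personalised account belongs to, or None for a shared account that is vaulted
# but not tied to one person.
MANAGED = {
    ("db01", "root"): None,
    ("db01", "osirium_jsmith"): "jsmith",
    ("ad01", "Administrator"): None,
    ("ad01", "osirium_acme_support"): "acme.support",
    ("ad01", "osirium_kbloggs"): "kbloggs",
    ("core-sw1", "admin"): None,
}

# Constructed result of a privileged-account scan of each device.
DISCOVERED = {
    "db01": {"root", "osirium_jsmith", "backupadm"},
    "ad01": {"Administrator", "osirium_acme_support", "svc_legacy"},
    "core-sw1": {"admin", "enable"},   # "enable" may be legitimate but is unmanaged
}

# Constructed last-login timestamp per Osirium user; None means never connected.
LAST_ACCESS = {
    "jsmith": datetime(2024, 2, 20),
    "acme.support": datetime(2023, 11, 1),
    "lchen": datetime(2024, 1, 15),
    "kbloggs": None,
}


@dataclass
class Findings:
    unexpected: list   # (device, account) present on the device but unknown to the vault
    missing: list      # (device, account) managed by the vault but gone from the device
    stale: dict        # user -> "30d", "90d" or "never"


def unexpected_accounts(discovered, managed) -> list:
    """Accounts seen on devices that the vault has no record of."""
    return sorted(
        (device, account)
        for device, accounts in discovered.items()
        for account in accounts
        if (device, account) not in managed
    )


def missing_accounts(discovered, managed) -> list:
    """Managed accounts that a scan no longer finds (deleted behind the vault's back).
    Only devices that were actually scanned are compared."""
    return sorted(
        (device, account)
        for device, account in managed
        if device in discovered and account not in discovered[device]
    )


def stale_users(last_access, now, thresholds=(90, 30)) -> dict:
    """Bucket each user by the largest threshold their inactivity exceeds."""
    out = {}
    for user, seen in last_access.items():
        if seen is None:
            out[user] = "never"
            continue
        age_days = (now - seen).days
        for days in sorted(thresholds, reverse=True):
            if age_days >= days:
                out[user] = f"{days}d"
                break
    return out


def review(now, discovered=DISCOVERED, managed=MANAGED, last_access=LAST_ACCESS) -> Findings:
    """One scheduled pass producing the items an owner should risk-assess."""
    return Findings(
        unexpected_accounts(discovered, managed),
        missing_accounts(discovered, managed),
        stale_users(last_access, now),
    )
```

The "missing" list is the less obvious half of the check: an account the vault still believes it manages but which a scan no longer finds usually means someone changed the device outside the tool, and that is worth an alert in its own right.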
Emergency access to device credentials is provided through Osirium’s BreakGlass feature.
The account details are never revealed, but access is automatically provided to the Password Known and Password Managed accounts, or optionally to a separate Osirium-created BreakGlass account. Alternatively, a PDF file containing the BreakGlass details is available, encrypted with the Master Key for security.
Password roll-back ensures that device access is possible at all times, even after a restore from a backup that contains old passwords.
In this case, Osirium rolls the managed password back to the old one that matches what has just been restored on the device.
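The roll-back described above amounts to keeping the rotation history for each account and, when SSO fails, trying the vaulted passwords from newest to oldest until the device accepts one. The Python below is an added example written for this page, not Osirium's implementation; the simulated device, the use of a simple token generator for rotation, and the choice to re-rotate immediately after a successful roll-back are assumptions made for the illustration.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple


class SimulatedDevice:
    """Constructed stand-in for a managed device: one password, backup and restore."""

    def __init__(self, password: str):
        self._password = password

    def snapshot(self) -> str:
        """What a backup captures, including the password in force at the time."""
        return self._password

    def restore(self, snapshot: str) -> None:
        """Restoring the backup brings the old password back with it."""
        self._password = snapshot

    def login(self, password: str) -> bool:
        return secrets.compare_digest(password.encode(), self._password.encode())

    def change_password(self, current: str, new: str) -> None:
        if not self.login(current):
            raise PermissionError("current password rejected")
        self._password = new


@dataclass
class ManagedAccount:
    device: str
    name: str
    history: List[Tuple[datetime, str]]   # oldest first; kept because a backup may hold any of them

    @property
    def current(self) -> str:
        return self.history[-1][1]

    def rotate(self, target: SimulatedDevice, at: datetime) -> str:
        new = secrets.token_urlsafe(24)
        target.change_password(self.current, new)   # record only once the device accepted it
        self.history.append((at, new))
        return new

    def roll_back(self, target: SimulatedDevice) -> int:
        """Find the newest vaulted password the device still accepts and make it current.
        Entries newer than the match are dropped: the restore wiped them from the device."""
        for idx in range(len(self.history) - 1, -1, -1):
            if target.login(self.history[idx][1]):
                self.history = self.history[: idx + 1]
                return idx
        raise LookupError(f"{self.device}/{self.name}: no vaulted password works; break glass needed")


def recover_after_restore(acct: ManagedAccount, target: SimulatedDevice, now: datetime) -> str:
    """Called when SSO fails: roll back to the password the backup contained, then rotate again
    so the restored (older, possibly leaked) password is not left in force."""
    if target.login(acct.current):
        return acct.current
    acct.roll_back(target)
    return acct.rotate(target, now)
```

Rotating again straight after the roll-back matters: the password that came back with the backup has existed longer and in more places (backup media, restore staging) than any other, so leaving it in force would undo the point of the rotation schedule.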