Privileged Access Management

All IT Infrastructures are managed by Privileged Users, who are given elevated powers through accessing Privileged Accounts to ensure that the uptime, performance, resources, and security of the computers meet the needs of the business. Osirium's Privileged Access Management addresses security and compliance requirements by defining who gets access to what and when.


Privileged Access Management is about preventing the misuse of Privileged Accounts in the Hybrid-Cloud world. This abuse has become one of the most critical security challenges, because uncontrolled access to Privileged Accounts opens a “barn door” through which untrusted 3rd parties can compromise data and inflict cyber-attacks, ultimately causing irreparable damage to the business and its corporate reputation.

Osirium separates people from passwords, specifically the passwords of the Privileged Accounts used on devices, systems and applications. We follow an Identity In, Role Out model to deliver Single Sign-On (see Tasks for details).

The suite ensures that Privileged Account credentials never pass through the user's system and therefore never risk interception. You'll never need to share Privileged Account credentials again.

Password Lifecycle Management is implemented to ensure that all the passwords it manages are the strongest possible for each of the device classes. It has full breakglass and roll-back features to cope with devices that leave the network or are restored from backups.


Privileged Access Management Highlights

Privileged Access Management Available Controls

Profiles are the key to defining who has access to what connections using which tools and tasks. In addition, the PAM module of the Osirium Suite has the following controls:

  • Time Windows: Each profile can have specific time windows that define when Privileged SSO is enabled. Users get handy timers to show when they can use connections and a countdown that shows when connections will be disabled and terminated.
  • Ticketing: Each profile can have tickets made mandatory. In this case any connection or task will require a valid change or incident ticket before use. There is a further integration with ServiceNow which checks both the validity of the ticket and its 'open' status.
  • Session Recording: Using the optional Privileged Session Management module, all connections through the profile will be recorded.

Granular Privileged Account Control

The suite enables every Privileged Account on every device to be given a particular state. This means that you can start using Osirium with no changes to your device estate. From here you can build in security and compliance through mapping who can use these accounts and what happens to the passwords of these accounts.

Osirium Managed

Osirium creates and manages the usernames and passwords of personalised accounts on devices and assigns an appropriate role to those accounts. Full audit trails are available from both Osirium and the device. Accounts can be given granular 'Roles' rather than everyone being given full admin, and privileged tasks can also be performed on devices.

Password Managed

Passwords of the device accounts are changed but nobody knows them and Osirium provides SSO services to the device with a full audit trail. Typically, all SysAdmins get full admin rights and privileged user tasks can also be performed on devices.

Password Known

This is the minimum level of acceptable best-practice security and typically applies to generic accounts. Osirium knows the passwords and so provides SSO and PASSIVE Session Recording to the device. The password can be manually changed in Osirium without revealing its details. Direct connections to devices can still be made, although no Session Recording will be possible. Typically, all SysAdmins get full admin rights and privileged tasks can also be run on devices.

Approved

It is understood why this account exists but the password has not been provided to Osirium. The account can only be used directly (not using Osirium’s SSO capability). This is a risky unprotected account known by Osirium.

Unapproved

The suite does not know about this account and why it exists. It therefore presents a sizeable risk to the integrity and security of the device.


Secure Storage of Privileged Account Credentials

Multiple Authentication Services are handled, both for verification of user identity and for the credentials needed for system/device/application connections. MSSP-style operation can be supported, i.e. where direct access to the client's Authentication services is not available. Password change requests are intercepted and handled transparently.

Identity Driven Role Based Single Sign On

The ability to map your user identities to roles and then visualise those mappings is key to implementing your Security and Compliance policy. It's useful to be able to divide your user classes into categories such as 'first-line', 'outsourced' and 'contractors'. With Osirium you can set policies on a per-profile basis. Imagine how easy it becomes to switch from one outsource organisation to another if you know where all their identities are mapped.

Password Life-Cycle Management

Osirium uses long, complex, randomly created passwords, making dictionary and brute force attacks futile. These passwords can be changed on both schedules and events.

Rules may be set per device to ensure password compliance policies are met and exceeded. Different passwords are used for every Osirium managed account on every device managed by Osirium. This means that the users of these accounts cannot make inappropriate lateral movement across your system estate.

Role Based Access Control

Role Based Access Control allows device access to be granted at a very granular level and specific roles to be assigned to individuals or groups of individuals.

Because the accounts have been created personalised to each user, they can be aligned to a particular set of rights or permissions on the end device, so there is no more sharing of the highest-level account. This is the real essence of Privileged Access Management.


End to End Accountability

An audit trail shows who has accessed what, where, when, how, along with the identity to role mapping.

As a result, any audit trail created by the device itself will contain personalised login details, not just 'admin' did this and 'root' did that, which makes syslog information even more valuable to a SIEM solution. This requires no changes to the logging solution and no manual cross-referencing.

Device Access Isolation

It is not possible to jump sideways around other servers or devices, because Osirium creates passwords that are unique to each user and each device.

This removes the possibility of being given access to UAT and being able to jump-on “Live”, just to “check a setting” and ending up potentially making changes on the wrong device!


Device Group Separation

Device Group Separation enforces policy and good practice by ensuring SysAdmins are not connected to potentially conflicting devices at the same time.

It’s easy to get mixed up with multiple connections to similar devices, across different customers, development, user acceptance and production environments.


Visibility

A real-time view of exactly who is accessing what (including internal staff and remote 3rd parties).

It also shows what role based access was used along with the activities they’ve been performing.

Strong Authentication Support

SysAdmins can log into Osirium using their existing standard account username and password.

Alternatively, two factor or token-based authentication via RADIUS is available for stronger authentication options.


Searchable Device List

Osirium's Desktop Client allows SysAdmins to easily search for devices by name, type, IP address/hostname etc.

You can also set up your own meta-information by which SysAdmins can search for and find devices, e.g. location, country, use etc.


Device Status Indicator

Osirium regularly checks that device management interfaces and their ports are accessible.

Any that are not are clearly shown with red icons in both the Desktop Client device tree and the SuperAdmin Osirium Web Management Interface.


Local Admin Tools

The suite launches the native management tools that admins already use. This means they don’t have to use browser plug-ins, or tunnels-in-tunnels to manage the infrastructure.

This keeps SysAdmins as happy, motivated and productive as possible.


Proxy Architecture

All connections are made through Osirium’s proxies, so all connections come from the Osirium IP address, which means that firewall and device access restrictions can be locked down accordingly.

This avoids complex management routing on devices.

Password Injection

Each admin’s credentials are injected as the connections pass through the proxies.

This means passwords are never sent down to the Osirium Desktop Client. It's not possible to sniff memory or inspect command strings within the process tree to reveal a password. This is especially important when allowing 3rd party access.

Time Window Access

Access can be restricted to multiple time windows, in 30-minute increments, throughout the working day.

SysAdmins who have been granted access are presented with a countdown of the time left to complete their job and, optionally, how long to wait until the next window opens up.
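The time-window behaviour described here and in the Time Windows control above (30-minute increments, a countdown while the window is open and a wait time until the next one) can be modelled as follows. This is an added example, not Osirium's code; the window specification format and the function names are assumptions.

```python
from datetime import datetime, time, timedelta

SLOT = timedelta(minutes=30)  # windows are defined in 30-minute increments


def _slot_index(t: time) -> int:
    """Map a wall-clock time to its half-hour slot number (0..47)."""
    return t.hour * 2 + (1 if t.minute >= 30 else 0)


def parse_windows(spec):
    """Turn ("09:00", "12:30") pairs into half-open slot ranges [start, end).

    Boundaries that are not on a 30-minute increment are rejected, as is a
    window whose end does not come after its start.
    """
    windows = []
    for start, end in spec:
        s, e = time.fromisoformat(start), time.fromisoformat(end)
        if s.minute % 30 or e.minute % 30 or e <= s:
            raise ValueError(f"bad window {start}-{end}")
        windows.append((_slot_index(s), _slot_index(e)))
    return sorted(windows)


def access_state(windows, now: datetime):
    """Return (enabled, countdown_minutes) for a profile at time `now`.

    enabled  -> countdown is the time left before the window closes and the
                connection is disabled and terminated
    disabled -> countdown is the wait until the next window opens today,
                or None if no further window opens today
    """
    cur = _slot_index(now.time())
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    for start, end in windows:
        if start <= cur < end:
            left = midnight + end * SLOT - now
            return True, int(left.total_seconds() // 60)
    upcoming = [start for start, _ in windows if start > cur]
    if not upcoming:
        return False, None
    wait = midnight + upcoming[0] * SLOT - now
    return False, int(wait.total_seconds() // 60)
```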

Least Privileged Model

It is no longer necessary to issue the maximum level of access to everyone in the admin team.

Osirium applies a least-privilege security posture, ensuring that each privileged role, particularly those outsourced to 3rd party service providers, is given no more than the level of privilege necessary to fulfil its job.

Multiple Active Directory Domains Support

The suite handles access to Windows workstations and servers within multiple domains, without any need for existing trust relationships between those domains.

Osirium will provision accounts into the correct AD domain and then Single Sign-On with the correct domain account.

Agent-Less Solution

No agents to be installed on devices, servers or in applications.

This eliminates the costly process of configuring and maintaining update programmes.

Template Based Device Support

Many devices are supported “out-of-the-box”, but additional device support can be easily added through the creation of knowledge template files.

These can be customer created and fully supported by Osirium and our partners.

No Device Reconfiguration

Known credentials for local accounts to devices, servers and applications can be vaulted.

There is no need to reconfigure devices to incorporate, for example, TACACS or LDAP, which is especially useful when managing devices that are configured outside of your control, i.e. if you are a Managed Service Provider.

Multiple Technology Support

Osirium interacts with devices, servers and applications using many different technologies, including SSH, Telnet, RDP, RPC, vSphere, HTTP(S) and even bespoke application APIs.

Osirium can also interact with web-only based applications (such as cloud portals) as well as servers and network devices.

Profile Based Management

Device access is managed through profiles, which define additive access rights and are used to give groups of users access to groups of devices based on their team, device type, job role, etc.

Profiles can even be used to support specific access requirements for specific projects which can quickly be disabled once the project has finished.

Connection Alerts via Email

The suite can alert managers or device/service owners whenever a connection is made to the infrastructure.

Whether it be internal staff accessing live servers with admin rights, or 3rd parties coming in with read-only permissions to undertake support contracts, such alerts provide valuable security insights into infrastructure activities.


Device Account Audit

Continual monitoring of the admin accounts across the infrastructure with highlights of any unexpected accounts or those not linked to an Osirium user.

These accounts can then be risk-assessed, then disabled and/or deleted depending on the conclusion.
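The account states defined under Granular Privileged Account Control, and the Device Account Audit that flags unexpected or unlinked accounts, can be expressed as a small classifier. This is an added example, not Osirium's code; the vault record fields, the function names and the sample accounts are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class VaultRecord:
    """What the vault knows about one local account on a device (assumed schema)."""
    linked_user: Optional[str]   # Osirium user this personalised account belongs to
    password_in_vault: bool      # credential has been supplied to, or generated by, the vault
    rotated_by_osirium: bool     # password lifecycle management changes it


def classify(record: Optional[VaultRecord]) -> str:
    """Map a vault record (or its absence) to one of the five account states."""
    if record is None:
        return "Unapproved"                       # vault knows nothing about it
    if record.rotated_by_osirium and record.password_in_vault:
        # personalised, Osirium-provisioned accounts have a linked user
        return "Osirium Managed" if record.linked_user else "Password Managed"
    if record.password_in_vault:
        return "Password Known"                   # known but not rotated
    return "Approved"                             # existence understood, no password held


def audit_device(discovered: List[str], vault: Dict[str, VaultRecord]) -> dict:
    """Compare accounts found on a device with the vault.

    Returns each account's state plus the highlights an audit wants:
    unexpected accounts, accounts not linked to a user, and accounts the
    vault expects but the device no longer has (e.g. after a restore).
    """
    states = {name: classify(vault.get(name)) for name in discovered}
    unexpected = [n for n, s in states.items() if s == "Unapproved"]
    unlinked = [n for n in discovered if n in vault and vault[n].linked_user is None]
    missing = sorted(set(vault) - set(discovered))
    return {"states": states, "unexpected": unexpected,
            "unlinked": unlinked, "missing": missing}
```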


Device Inactivity Report

Alerts are provided when a user has not accessed their devices for a long period of time, e.g. 1 month, 3 months, or ever.

This allows access rights to be audited, assessed and appropriate measures taken, including removal.


Break-Glass

Emergency access to device credentials is provided through Osirium’s BreakGlass feature.

The account details are never revealed but access is automatically provided to the Password Known and Password Managed accounts, or optionally, to a separate Osirium created BreakGlass account. Alternatively, a PDF file with the BreakGlass details is also available, which is encrypted with the Master Key for security.

Password Rollback

Password roll-back ensures that device access is possible at all times, even after a restore activity is performed from a backup that has old passwords.

In this case, Osirium rolls back the password schedule to the old password that matches what has just been restored on the device.
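The rollback mechanism can be illustrated with a vault entry that keeps its rotation history and, when the current password is rejected, walks back through that history until one matches the restored device. This is an added example, not Osirium's implementation; the `Device` stand-in, the class names and the history layout are assumptions.

```python
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 32) -> str:
    """Long, random password of the kind lifecycle management would create."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class Device:
    """Stand-in for a managed device (constructed): it only knows its current password."""
    def __init__(self, password: str):
        self._password = password

    def login(self, password: str) -> bool:
        return secrets.compare_digest(password, self._password)

    def set_password(self, old: str, new: str) -> bool:
        if not self.login(old):
            return False
        self._password = new
        return True


class VaultAccount:
    """Vault entry keeping the current password plus every earlier one."""
    def __init__(self, initial: str):
        self.history = [initial]   # oldest first; history[-1] is current

    @property
    def current(self) -> str:
        return self.history[-1]

    def rotate(self, device: Device) -> bool:
        """Scheduled or event-driven change; the new password is only kept if the device accepted it."""
        new = generate_password()
        if device.set_password(self.current, new):
            self.history.append(new)
            return True
        return False

    def connect(self, device: Device):
        """Try the current password, then walk back through the history.

        Returns how many rotations were rolled back (0 = current matched),
        or None if nothing in the history matches the device.
        """
        for steps_back, candidate in enumerate(reversed(self.history)):
            if device.login(candidate):
                if steps_back:
                    # device came back from a backup: roll the schedule back to it
                    del self.history[len(self.history) - steps_back:]
                return steps_back
        return None
```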