Building the case for privileged session management
You simply can’t be everywhere at once. How can you keep tabs on your most sensitive and critical systems? If only you had eyes in the back of your head.
Even organizations with well-documented PAM policies don’t simply trust that people are doing the right things
Privileged session management increases oversight and accountability so you can mitigate the risk of privileged account misuse. Even organizations with well-documented PAM policies don’t simply trust that people are doing the right things with privileged accounts and passwords. They use privileged session management as a second pair of eyes to increase confidence that best-practice PAM policies are in fact being followed.
What is privileged session management?
In privileged session management, the activities of every privileged user, including trusted insiders, third-party vendors, and connected systems, are managed and monitored from the time they launch a privileged session to when that session ends.
Similar to web session management, but more comprehensive and more secure
Privileged session management is similar to the concept of “session management” in the world of web development, with some important differences.
Web session management is the rule set that governs interactions between a web-based application and users of that application. A “web session” is a series of HTTP requests and responses created by a user to communicate with web browsers and websites. When users want to have the state of their web session remembered, for example, when they’ve put items in their shopping cart and are continuing to shop, session management makes this possible.
With session-based tracking and authentication, sessions are recorded on a web server and a session ID is stored on a cookie on the user’s browser. The site can then compare the two pieces of information to verify the user and respond appropriately. Based on data collected with session tracking, web teams analyze usage patterns and make decisions.
Web session management can be vulnerable to attack. It can break due to logouts or timeouts or even cookie theft, cross-site scripting attacks or other exploits. Browsers can be tricked into giving up their session credentials with attacks such as DNS spoofing. Web session management may be targeted by denial of service attacks that flood services with requests to create new sessions.
Privileged session management follows much the same pattern as web session management: Information is stored and matched to authenticate users and allow access. Additionally, user behavior is tracked and details are recorded for further analysis.
Privileged session management is much more comprehensive and secure
However, privileged session management includes more than web-based applications. It can also be used for privileged service accounts and administrative accounts that require privileges to log in.
With sensitive information and critical systems at stake, privileged session management—based on PAM best practices—is much more comprehensive and secure.
How does privileged session management work?
The core features of privileged session management include:
- Remote session management
- Session monitoring
- Session recording
- Workflow management
- Auditing and reporting
Remote session management
To authenticate a user or a system and launch a session, privileged session management matches complex credentials. These secrets are passed back and forth over cryptographically secure network communications.
Advanced PAM systems with remote session management capabilities can establish automatic connections (such as RDP and SSH) between people and systems without exposing credentials to users. PAM tools serve as a proxy through which a privileged session is performed and automatically relay the privileged account password from its vault to the target device or application.
Admins, especially those in large or complex environments, often have multiple sessions active at once. For a single session, it’s a matter of using the right protocol and having access to appropriate credentials to launch a connection and gain access to the system. As IT groups scale their efforts across larger networks, new cloud services, various protocols, etc., serious challenges can arise. If connections are manually managed, the number of configuration settings and lack of user management can quickly become overwhelming. Thycotic’s Connection Manager is an example of a remote session management solution that helps IT teams manage and interact with multiple remote sessions for RDP and SSH securely, from a single screen.
By definition, privileged sessions are meant to be finite. Think of privileged sessions as slices of activity with a set beginning and an end, which you or a user can define. With privileged session management, sessions must be re-authorized each time they are activated, or if they continue past a certain time you set.
Session monitoring and alerts
With live session monitoring, you can tune in to watch active privileged sessions in real time, possibly uncovering suspicious or unauthorized activities. You can keep a close eye on sessions that involve critical systems, remote desktop sessions, and on vendors that often work with less oversight than in-house employees.
Many Thycotic customers set up alerts so they know when privileged sessions are initiated. Some integrate Secret Server with Privileged Behavior Analytics or SIEM solutions to correlate events with different alert levels so they can be prioritized accordingly.
If an administrator sees something concerning during a session they’re monitoring, they can send a message directly to the user, modify privileges or terminate a session immediately.
Session recording
Privileged sessions can be recorded for future analysis, including all keystrokes and activities taken during a session. If a privileged attack does occur, you can easily filter and review past session recordings to uncover the source and adjust policies to prevent a repeat attack.
Recording privileged web sessions can introduce certain privacy concerns. Admins must put the proper filters in place to ensure only privileged sessions are being recorded, and not, for example, an employee’s Gmail account that may be open in another tab.
These session videos can also be helpful for training. If a privileged user makes an innocent mistake, it will be easier to correct if you know exactly where they went wrong. Then, of course, you can use those recordings as a learning opportunity to train other privileged users on common mistakes, and avoid them in the future
Workflow management
You can add additional protections for privileged accounts by setting up approval requirements for privileged sessions. Putting approval steps in place allows you to see who wants access to which information and for what purpose.
Some regulations, particularly in Europe, require that in order for sensitive reports or recordings to be viewed there must be two people—or “four eyes”—present. Workflow rules like Dual Control can help ensure that approvers are assigned and available to monitor and view privileged session recordings.
Auditing and reporting
Increasingly stringent compliance requirements, such as HIPAA, SOX, PCI, and others, expect you to monitor actions performed by privileged accounts. Session management provides an immutable audit log that can be shared with auditors to demonstrate compliance. Advanced session management systems allow you to store data for as long as you need, quickly run reports without slowing down your systems, and filter them to pinpoint specific privileged users or privileged sessions.
Creating a separate user role for those who only need to view the recordings, such as auditors, allows them to have access to recordings but not the corresponding secret or other sensitive data.
Related Reading: Complete Guide to Leveraging Session Recording to Improve Accountability and Meet PCI Compliance
Why do you need privileged session management?
Bottom line: privileged session management improves security and reduces risk.
Proxying a privileged session through your PAM tool means that you can set up your servers to ONLY accept connections from that tool. This prevents unexpected connections from unknown or unauthenticated systems and allows for more secure communications.
Privileged session management provides IT and security leaders peace of mind
Using a proxy through PAM also means people don’t have to view, type or remember passwords. There’s no need to remember long strings of complex passwords or resist the temptation to write them down. No one can look over a shoulder or share a password with others. Password cracking tools can’t access or use the recorded keystrokes.
At the end of the day, privileged session management provides IT and security leaders peace of mind.
With privileged session management, “I feel that I get, not only control, but essential visibility into what my team is doing,” explains Nathan Tanaglia, Manager of Enterprise Services and Networks at the University of Tasmania. He relies on privileged session management to “observe what secrets users are looking at and see if there is something unusual in their activity.”
If unexpected privileged account activity occurs, privileged session management helps Tanaglia and his team take corrective action before a disaster occurs. They might increase oversight with additional approvals, immediately rotate passwords, or even lock down privileged accounts.
Learn more about privileged session management
If you’d like to see privileged session management in action, sign up for a free trial of Secret Server, Thycotic’s comprehensive PAM solution. You’ll be able to test out all aspects of privileged session monitoring for yourself and build reports you can share with your team.
IT Security should be easy. We’ll show you how.
Try Secret Server and experience how FAST & EASY
IT security products can be.
*** This is a Security Bloggers Network syndicated blog from Thycotic authored by Barbara Hoffman. Read the original post at: https://thycotic.com/company/blog/2020/03/17/what-is-privileged-session-management/
