In cybersecurity it is close to a universal truth that unfettered privileged access to systems ends in data breaches and ransomware attacks.
At Osirium, we believe that Privileged Access Security is a combination of three fundamental functions that use three foundation technologies:
- Enterprise-Class Credential Lifecycle Management
- Credential Injection and Process Elevation
- Credential Vaults
This technology stack protects access at the administration and configuration interfaces, allows for a privileged process to be delegated to non-privileged staff and protects the user workstation estate from unauthorised changes.
Separating the User from …
Unlike other vendors, we strive to keep our users away from vaults and passwords for normal business and administration operations. In fact, we’d prefer that you automate the processes and tasks so that users don’t need privileged access in the first place.
Humans are poor at choosing passwords, and they get worse under time pressure, which is typically when a system asks them to update one. SSH keys are mostly set and then forgotten. Our view is that the only credentials a human needs to remember are those tied to their identity. All other credentials should be under automatic management. This provides real system security and has the added advantage of significantly reducing human cognitive load.
Windows users can have a poor experience if they do not have local admin rights. However, we have already established that users are not good with privileges. This is where elevating only the approved process helps: users can get products installed and change configurations without running their entire session as local admin. It is worth remembering that although ransomware can encrypt a user's own files without admin rights, it generally needs local admin rights to embed itself in the critical parts of the operating system and disable its defences.
We know that phishing and malware account for just over 95% of all stolen credentials. That is why we never let privileged credentials reach users' workstations and laptops. We inject the credentials in secure proxies, well out of reach of keyloggers, memory scraping and the ever-present phishing attempt.
Who can do what on which systems, and when? Organisations need to answer these questions in an instant and from every angle: query a system to see who can assume which roles on it, or query a user to see which systems they can access, when, and at what level.
We cannot operate without third parties these days: vendors, contractors, consultants and outsourcers all need access at some point. With Privileged Access Security you do not need to expose your systems to other people's questionable digital hygiene. We have both timed and just-in-time access profiles that help organisations welcome the right help onto the right systems at the right time. Our session set-up and credential injection technology means that third parties cannot move laterally across your network; they are directed only to the systems defined in their profiles.
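The three preceding paragraphs describe an access model (credentials injected at a proxy, profiles that can be queried by system or by user, timed and just-in-time grants that also constrain where a session can go). The following Python block is an added illustration of that model written for this article; it is not Osirium's code, and the class, user names, system names, reference time and vault entries are all constructed assumptions.

```python
"""
Model of timed and just-in-time privileged access profiles with a brokering
proxy that injects the target credential itself. Added illustration, not
Osirium's code: every name and value below is a constructed assumption.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Profile:
    user: str
    system: str
    role: str                  # level of access on that system
    valid_from: datetime
    valid_to: datetime         # every profile is time-bound; JIT ones are short
    just_in_time: bool = False


class AccessRegistry:
    def __init__(self) -> None:
        self.profiles: list[Profile] = []

    def grant_timed(self, user, system, role, start, end):
        p = Profile(user, system, role, start, end)
        self.profiles.append(p)
        return p

    def grant_jit(self, user, system, role, now, ttl=timedelta(hours=1)):
        p = Profile(user, system, role, now, now + ttl, just_in_time=True)
        self.profiles.append(p)
        return p

    def _live(self, at):
        return (p for p in self.profiles if p.valid_from <= at < p.valid_to)

    def can_access(self, user, system, role, at) -> bool:
        return any(p.user == user and p.system == system and p.role == role
                   for p in self._live(at))

    def roles_on_system(self, system, at):
        """'Who can assume which roles on this system right now?'"""
        return sorted({(p.user, p.role) for p in self._live(at) if p.system == system})

    def systems_for_user(self, user, at):
        """'Which systems can this user reach, and at what level?'"""
        return sorted({(p.system, p.role) for p in self._live(at) if p.user == user})

    def open_session(self, user, system, role, at, vault):
        """The proxy pulls the credential from the vault and would authenticate
        to the target itself; the caller receives a session handle, never the
        secret. A user with no live profile for the target is not routed there,
        which is what blocks lateral movement."""
        if not self.can_access(user, system, role, at):
            raise PermissionError(f"{user}: no live {role} profile on {system}")
        _ = vault[(system, role)]   # looked up inside the proxy, never returned
        handle = hashlib.sha256(f"{user}|{system}|{at.isoformat()}".encode()).hexdigest()[:12]
        return {"user": user, "system": system, "role": role, "session": handle}


def demo_profiles():
    t0 = datetime(2024, 1, 15, 9, 0)                     # constructed reference time
    reg = AccessRegistry()
    vault = {("db-prod-01", "dbadmin"): "vault-managed-secret-1",   # constructed
             ("fw-edge-02", "support"): "vault-managed-secret-2"}
    reg.grant_timed("alice", "db-prod-01", "dbadmin", t0, t0 + timedelta(days=90))
    reg.grant_jit("vendor-bob", "fw-edge-02", "support", t0)        # one-hour ticket
    half_hour = t0 + timedelta(minutes=30)
    session = reg.open_session("vendor-bob", "fw-edge-02", "support", half_hour, vault)
    try:
        reg.open_session("vendor-bob", "db-prod-01", "dbadmin", half_hour, vault)
        lateral_blocked = False
    except PermissionError:
        lateral_blocked = True
    return {
        "bob_in_window": reg.can_access("vendor-bob", "fw-edge-02", "support", half_hour),
        "bob_expired": reg.can_access("vendor-bob", "fw-edge-02", "support", t0 + timedelta(hours=2)),
        "lateral_blocked": lateral_blocked,
        "secret_in_session": any("secret" in str(v) for v in session.values()),
        "db_roles": reg.roles_on_system("db-prod-01", t0 + timedelta(days=1)),
        "alice_systems": reg.systems_for_user("alice", t0 + timedelta(days=1)),
        "bob_systems": reg.systems_for_user("vendor-bob", half_hour),
    }


if __name__ == "__main__":
    for k, v in demo_profiles().items():
        print(f"{k}: {v}")
```

The two query methods answer the "by system" and "by user" questions from the same profile list, so there is one source of truth for both views; the vendor's JIT grant stops working after its hour without anyone having to revoke it, and the session handle the vendor receives contains nothing that could be replayed against the target.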
From the endpoint (the user's workstation) we can see who can elevate which processes, along with the hash and the author of each. This means we can deprecate legacy applications and deploy new versions without leaving over-privileged users in the estate. It also addresses unauthorised or unlicensed applications, since users cannot install applications against policy. For the auditor, the policy defines what can be run and what has been run; everything else is blocked.
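To make the preceding paragraph concrete, here is an added Python illustration of a per-process elevation policy keyed on the binary's SHA-256 and its author, with a deprecated entry for the old version and an event record per decision of the kind the Session Recording section below mentions for endpoints. It is not Osirium's product code; the file contents, policy entries, user name and the idea that the caller supplies the publisher (in practice read from the binary's code signature) are constructed assumptions.

```python
"""
Per-process elevation policy: a binary runs elevated only when its SHA-256 is
in the policy, the entry is not deprecated, and its author/publisher is
approved. Every decision is appended to an event stream for the auditor.
Added illustration, not Osirium's code; all sample data is constructed.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


class ElevationPolicy:
    """entries: {sha256: {"name", "publisher", "status": "allowed" | "deprecated"}}"""

    def __init__(self, entries, approved_publishers):
        self.entries = entries
        self.approved_publishers = set(approved_publishers)
        self.events = []        # event stream: who elevated what, and why or why not

    def request_elevation(self, user, path, publisher):
        digest = sha256_file(path)
        entry = self.entries.get(digest)
        if entry is None:
            decision, reason = "deny", "hash not in policy"       # default deny
        elif entry["status"] == "deprecated":
            decision, reason = "deny", "deprecated version"       # legacy build retired
        elif publisher not in self.approved_publishers or publisher != entry["publisher"]:
            decision, reason = "deny", "publisher not approved"
        else:
            decision, reason = "allow", "policy match"
        self.events.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "file": os.path.basename(path), "sha256": digest,
            "publisher": publisher, "decision": decision, "reason": reason,
        })
        return decision == "allow"


def demo_elevation():
    tmp = tempfile.mkdtemp()

    def write(name, content):                    # constructed stand-ins for binaries
        p = os.path.join(tmp, name)
        with open(p, "wb") as f:
            f.write(content)
        return p

    new = write("tool-2.0.exe", b"constructed bytes of tool 2.0")
    old = write("tool-1.0.exe", b"constructed bytes of tool 1.0")
    rogue = write("game.exe", b"constructed bytes of an unapproved app")
    policy = ElevationPolicy(
        entries={
            sha256_file(new): {"name": "tool", "publisher": "Example Corp", "status": "allowed"},
            sha256_file(old): {"name": "tool", "publisher": "Example Corp", "status": "deprecated"},
        },
        approved_publishers=["Example Corp"],
    )
    results = {
        "new_allowed": policy.request_elevation("carol", new, "Example Corp"),
        "old_denied": policy.request_elevation("carol", old, "Example Corp"),
        "rogue_denied": policy.request_elevation("carol", rogue, "Unknown"),
        "spoofed_publisher": policy.request_elevation("carol", new, "Unknown"),
    }
    results["reasons"] = [e["reason"] for e in policy.events]
    shutil.rmtree(tmp)
    return results


if __name__ == "__main__":
    print(json.dumps(demo_elevation(), indent=2))
```

The policy is default-deny: an unknown hash is refused before any other attribute is consulted, and the deprecated entry lets the old build be retired without the user needing admin rights to install the new one. The event list is what the auditor would replay to answer "what has been run, and what was blocked".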
Session Recording – the investigator’s go-to tool
When a system is in a non-optimal state, it is often useful to know how it got there. An accurate record of which commands were issued is always better than a fallible human account, especially where syntax and parameter errors are involved. For Privileged Access Management we deliver a video of what happened; for Privileged Process Automation we have an HTML-rendered account of each question and response; and our Privileged Endpoint Management product delivers an event stream of which users elevated which processes.
Caring for Users
This article has emphasised the security nature of our products. We are reminded daily of the need to do business at near the speed of light. We use all our own products internally, not only to get them battle-hardened but to improve our own business flows. We wake up every morning thinking about how security can be more user-friendly, how it can disappear until needed, and how it can help to:
- Get users to the right system at the right time
- Let users quickly find the task or process they need to run
- Catch users' common input errors
- Allow for easy escalation and return workflows
- Let users request access to the applications they need
- Handle multiple-segmented network architectures
- Deliver no-fear break glass schemes
- Handle devices that fail or are restored from backup
- Deliver accurate, meaningful and easy to scan error messages for common issues and resource limitations
We love users and usability.
So there you are: we consider access at the administration, configuration, process, task and endpoint levels. We feel this gives 360-degree coverage of any privileged operation an organisation undertakes. If you would like to know more about our products and capabilities, please get in touch.