Osirium PAM:
Session Management

Privileged Session Management

Monitor and record privileged sessions for security and audit

What is Privileged Session Management (PSM)?

Often it is vital to know exactly what has been done to a system, from where and by whom. Investigating unusual behaviour and meeting audit requirements are two common reasons.

Our PxM Platform’s Privileged Session Management (PSM) enables security managers to record, store and play back any activities that take place across their entire hybrid-cloud infrastructures. As a result, Privileged Session Management not only ensures full user access accountability but also acts as a unique deterrent against SysAdmin malpractice. It provides irrefutable evidence of their privileged activities.

Key Capabilities

Task Delegation

With the PxM Platform, any infrastructure or business process can be packaged up as a task, allowing for risk-free delegation to 3rd parties or untrained staff. Tasks can also be run without granting any user privileged access to devices. With a single click, perform actions with a set of predefined inputs and controls - no elevated login credentials or insecure and unaccountable access to privileged accounts required. Or run tasks automatically - the platform allows for timed execution in accordance with user-defined schedules.

Wide Protocol Support

Tasks can run against a range of devices with a variety of management interfaces: SSH, Telnet, RPC, vSphere, HTTP(S) and even bespoke API contracts. Tasks allow for differences between hardware architectures. For example, ‘set port parameters’ will vary across device vendors, but your teams only need to know the parameters to set. Tasks also fully support web-only devices (cloud portals, etc.), web applications, servers and network devices.

Business Efficiencies

It takes time for an operator to find the systems they wish to change: find the credentials, log in, find the command, syntax and parameters to issue, execute commands, and then log out. Now consider that they do most of the same actions for each device they deal with.

PTM gives the operator device searching and sanitised parameter entry. They just choose the list of devices, and then issue the task to all in one click. In general, this gives better than a 50:1 time saving.

Reduce Human Error

Wherever there is complexity, multiple steps, change and humans typing there will be human error. PTM hides this complexity and wraps up multiple steps, and deals with change through both data and task abstraction. There'll always be a need to type in values and parameters, and where possible PTM can present these as drop-down lists. In addition, free form data entry can be sanitised before the task is issued.

Call Vendor APIs

APIs represent a strong, stable, functional contract with devices. The other options are command line and web interfaces. Web interfaces change almost with fashion, whereas command lines have greater longevity. With APIs, data is returned in useful formats. With web interfaces the data has to be scraped, and with command lines tedious string parsing is required.

Whilst our task infrastructure has tools and libraries for web scraping and string parsing, it's always better to use a vendor's API. This is why we have a strong partner program where we seek out vendor APIs and developer agreements.

An overview of Privileged Access Management

Read this short whitepaper to see how PAM can protect your shared devices and services.


Advanced Capabilities

Bring Your Own Code (BYOC)

Bring Your Own Code means that customers can use their own code for tasks. Their code base will have been built over many years and using many technologies. The key issue here is that this code will have logic for ‘their’ business and ‘their’ infrastructure. Privileged Process Automation allows this code base to be containerised and isolated from dependency changes.

Long-running Tasks

Tasks like backups and data transfers take much longer than an operator’s attention span. We allow for these tasks to be initiated and monitored 'in-flight'. These tasks are placed in the dashboard where they can alert for attention.

In-flight Queries

The execution of a task can take many paths, and some of these will lead to busy resources or conflicts. Tasks can surface these events as queries to operators, such as "The backup storage is full, do you want to cancel or continue?" This allows the operator to clear some space and continue the task successfully.

Standard Operations

The Privileged Task Management (PTM) solution allows SysAdmins and DevOps to define “known-issue” workarounds - these are tasks that address issues which are commonly encountered on systems, applications or devices and that have well-known resolutions. Typically this may be a one-click or input-sanitised task. It can then be delegated to the Helpdesk so that subsequent support calls for the same problem get fixed immediately, without the issue needing escalation to senior staff.

Task Abstraction

This is the ability to issue the same task to multiple systems and devices from different vendors using different protocols and operating systems. The simplest example is an ARP flush. This command varies between systems, and for devices such as embedded routers it is issued via a web interface. The operator needs to issue an ARP flush because of a network change. As far as they are concerned, they choose the task and a list of systems, and the PTM module gets on with it. The operator doesn’t need credentials, privileges or device-specific knowledge.

Data Abstraction

For queries to work, our task engine has to be able to take the many formats that a task can raise in queries and abstract them to a human-readable form. For example, if a port configuration failed due to a pre-allocation conflict, the task might return a list of the configuration of all ports. The Abstraction Layer can filter this from all ports to available ports. The Abstraction Layer is a clean way to deliver a consistent interface from a library of tasks written by multiple developers using different technologies over a wide time span.

Network Task Abstraction

Port operations on Cisco, HP, Netgear, Avaya and various operating systems are a more complex example. Osirium's PTM will present a "set port to VLAN" task. For the operator, it is the VLAN number that is important, not the access method or command syntax. Not only does this speed up network changes, but it also eases migrations between vendors and versions of hardware. Our customers can add business logic to these tasks. For example, if a port is in a ‘Confidential’ VLAN then it can’t be assigned to another VLAN by general NetOps staff.

Device Techouts

This allows support staff to gather information for the next line of support. Tasks can contain as many actions as you need them to, including status reports, configuration downloads, SQL database operations, and uploading files to, or downloading files from, devices. Likewise, routine specific logs or reports can be downloaded to the PxM Platform for diagnostic purposes, such as when a Help Desk operator does not have direct privileged access rights to a device.

Get Osirium PAM for free!

Secure your infrastructure with the fastest-to-deploy Privileged Access Management solution. Introducing PAM Express from Osirium: free for 10 servers or network devices, for production use.
