Privileged password management and privileged session management are both important security technologies getting a lot of attention as we look for ways to better protect the keys to the kingdom from mimikatz derivatives and all the other trends in play right now. It's all about sequestering privileged credentials and carefully choreographing access to them. Or better yet, not even providing access to them but facilitating use of them.
I would go so far as to say that PPM/PSM, done right, is far more effective and less disruptive than going through all the work to implement the so-called red-forest plan. (It doesn't have to be an either/or choice though; you can do both.) Some might take issue with my claiming PPM/PSM is less disruptive, but that's why I say “done right”. When administrators are forced to go through a portal and workflow process every time they need to administer a system, you may face some real pushback. There are advantages to a portal-based workflow approach to PPM/PSM, because you can capture information like ticket numbers to link to the session for approval and audit purposes and to enhance accountability.
But a proxy-based privilege management technology can potentially allow administrators to continue using their favorite remote access tools and methods, which are often the result of years of experience and productivity optimization – not just personal preference or obstinacy. For instance, an admin frequently needs to access many different systems and jump back and forth between them in order to diagnose an issue or make changes and test them. Juggling a bunch of free-floating RDP sessions in Windows is confusing, frustrating and less productive. So many admins depend on products like Remote Desktop Manager that keep all those sessions organized in a tabbed interface.
It's easy to see why our best intentions at security sometimes breed resentment and pushback. The same goes for SSH sessions. I know with SSH I want to be able to choose my font size, colors, etc.
In this real-training for free ™ webinar, I'll show you how the 2 main privileged session management protocols (RDP and SSH) work in general terms. Then I'll explain how putting a privilege management proxy in the middle of that protocol stream allows you to implement:
- Session recording with searchable metadata
- Password sequestering
- Approval rules
- 2-factor authentication
- Risk mitigation of compromised admin PCs
- Audit and compliance reporting
If you can do all of this transparently, without changing which tools admins use or how they open sessions, your adoption will greatly improve.
By placing a proxy between the admin and the target system, you can prevent the privileged password or its hash from ever touching the admin's endpoint in any way, shape or form. The privileged credentials are used only to open a session between the hardened appliance and the system being administered. And if you've read about pass-the-hash and related mimikatz-esque attacks, you know why that is so important.
But if the admin's PC is compromised, what prevents the attacker from just keylogging the admin's password used to authenticate to the privilege management appliance – whether proxy or portal-based? That's where 2-factor authentication that specifically assures “human-presence” comes in, which I'll explain in the webinar.
But beyond the “convenience/productivity” factor and the complete isolation of the password from the admin and his/her endpoint, proxy technology also allows full-fidelity recording of sessions and potentially the capture of metadata to make them searchable. It all comes down to how deeply the proxy understands the RDP and SSH traffic going through it.
All this and more is what we'll explore in my next real training for free ™ session, which is sponsored by BeyondTrust. Martin Cannard will briefly show you BeyondTrust's privileged access management solution and how their proxy technology works.