Axidian Privilege

Proper operation of the IT infrastructure and business applications is the key to success for any government agency or private company. To ensure the smooth operation of a corporate IT system, you need to make sure that your software and hardware are managed by professionals.

The IT components are managed by privileged users—external and internal personnel with higher access rights to corporate resources and applications, including their installation, setting up, and maintenance.

The list of privileged users includes:

• System administrators
• Security specialists
• Contractors and outsourcers
• Financial services operators
• Auditors
• Other external or internal employees

Since privileged users have higher access level companies need to have a system to manage privileged accounts that ensures monitoring and analysis of user activity.

Furthermore, breaching a privileged user account may cause greater damage to an organization than compromising an ordinary account. Administrator accounts can be used to disable the security system, stop the operation of information systems and gain access to confidential information.

Protection of privileged access rights is a more sophisticated task if compared to ensuring the security of ordinary accounts. It cannot be achieved by relying exclusively on standard approaches to the protection of login credentials and requires specialized solutions.

These vulnerabilities can be addressed by setting up a comprehensive privileged access management system. A PAM system must ensure the following:

• Centralized management of connections to critical servers and applications
• Reinforced authentication for privileged accounts
• Transparent use of privileged accounts on authorized resources, without revealing the password
• Recording of privileged user activity
• Possibility of analyzing recorded user activity and investigation of incidents related to controlled resources

User activity management is a complex task that requires a number of technical and organizational solutions.

In most cases, Employee Monitoring Products and Services (EMPS) or Data Leak Prevention (DLP) solutions are sufficient for monitoring non-privileged user activity since these tools include a server component responsible for analysis and monitoring of communication channels and a client component used for workstation operations analysis. However, these solutions may prove insufficient or useless for monitoring privileged user activity.

Let’s name a few special features that may apply to the work of privileged users:

• Higher access rights (including the right to delete client software or assign additional access rights to themselves)
• Uncontrolled workplace (relevant for contractors, outsourcers, or remote administrators)
• Specific target servers where monitoring software cannot be installed (network devices; isolated software environments; exotic, rare, and outdated operating systems)

An intermediary access control and management host (so-called «jump server») allows to monitor all privileged sessions from a single point without having to install additional software, which can significantly reduce the costs related to PAM management.

Drawing on the principle of minimal user privileges right from the start, PAM policies imply that access rights to a target resource (a server or an application) should be expressly assigned to a specific user. Additional options can help to set up separately the allowed connection time and permission to use privileged accounts for target resources.

The traditional approach when password or other authenticators are provided to authorized personnel poses a threat of misuse or abuse of the provided privileges. For example, personnel may gain access to tools allowing them to clear logs, install additional software, or perform critical and potentially harmful operations that can disrupt the resource functionality or cause financial damage to the company. These and other permissions are often available to privileged users without proper oversight.

The Axidian Privilege software suite allows you to have all privileged accounts under control, thereby ensuring their safe use. This way you can prevent unauthorized use of privileged accounts and record all user activity on a dedicated server.

As part of its management functionality, the platform can perform an automatic search for privileged accounts in Active Directory and on Microsoft Windows or Linux/Unix servers. This will help you make sure that you don’t have any undocumented privileged accounts with access to critical resources in your company’s IT infrastructure.

All passwords in the account data vault are encrypted, and only the Axidian Privilege server has access to the encryption key.

Furthermore, all passwords are automatically updated and by design will not be accessible by privileged users. When a privileged user attempts to connect to a target resource, the Axidian Privilege server will automatically insert their login and password. This means that your personnel authorized to manage a specific server or business application will not be able to bypass the Axidian Privilege system during authentication, since they do not know the password.

Even if we disregard possible malicious actions, hacker attacks and clear sabotage, we still need to consider one of the important potential threats that privileged user may pose—the so-called «human factor».

Let’s imagine a server failure resulting from employee error. Whether or not the company has a backup copy and a fail-safe protocol, the cause still needs to be identified. There may be no access to event logs, as the server is down, so you can deploy a Security Information & Event Management (SIEM) protocol and perform network traffic analysis to find out that there has been an incident and a specific employee is potentially responsible. However, this information is not enough to determine the details and prevent similar cases.

Axidian Privilege will provide you with comprehensive information about the causes of the incident.

When privileged users work via Axidian Privilege, their actions are recorded in different formats, including video and text recording, command interception, shadow copies of transmitted files—easy to access in the management console. In addition to the actual records of user activity, Axidian Privilege captures a large amount of metadata—user name, protocols, target resources, connection time, etc.

After analyzing the records you can gain a prompt understanding of the causes of the incident and plan your immediate response in order to minimize the consequences, thereby preventing further financial and reputational losses.

Application to Application Password Management (AAPM) is a utility in Axidian Privilege system that allows you to use privileged accounts in applications that are installed on target resources.

The utility complements the functionality of Axidian Privilege by enhancing protection when you need two sets of credentials—one for the application itself and the other for accessing a target resource that hosts this application.

In most cases, users store their authentication data for applications in a text file on their computer, which may pose security threats to your company because these credentials are not managed via PAM.

The AAPM utility allows you to solve this problem—with AAPM, you can store application credentials in PAM and retrieve this data after connecting to a resource.

• Supported protocols: RDP, SSH, HTTP (s), and any other proprietary protocols by publishing relevant applications
• Supported types of authentication data: username + password, SSH keys
• Privileged accounts search and password management: Windows, Linux, and user directory
• Supported user directories: Active Directory, FreeIPA, OpenLDAP
• Two-factor authentication technologies: password + TOTP (Time-based One-Time Password, algorithm of password generation)
• Supported session record types: text log, video recording, and screenshots
• Remote access technologies: Microsoft RDS, SSH Proxy

You can choose the option that works best for you:

• Package Based on Privileged Users gives you the right to use Axidian Privilege for a stated number of users. Each employee who gets access to resources with the help of privileged credentials must have a PAM user license.
• Package Based on Privileged Sessions gives you the right to have a limited number of concurrent sessions in Axidian Privilege. The number of PAM users and registered resources is not limited.