Head of Product Line, CryptoAuditor. Jussi Valkiainen is the head of product line for CryptoAuditor. He has worked at SSH Communications Security for over ten years and has held various positions in R&D, Marketing, and Product Management with increasing responsibility. Enthusiastic about user-centered design, Jussi works with Global 2000 customers to solve their cybersecurity needs and make it easy for security officers to achieve security and compliance. Prior to joining SSH, he worked at Nokia, and wrote user documentation for microwave radios used in GSM and 3G networks. Jussi holds a Master of Science in Engineering from Helsinki University of Technology (Aalto University).
It is a well-known fact that system administrators with root-level privileges have wider access to a company’s critical information assets than the C-level executives. With great power comes great responsibility, and most people will also act responsibly. But as an information security officer, would you trust this power and responsibility to someone you cannot identify or whose actions you cannot verify afterwards?
Your answer is most likely no! Thus, I must ask you, are you sharing privileged account (e.g. root) passwords or SSH keys with multiple persons? If you are, and something unexpected happens that requires you to investigate the “what”, “who” and “why”, then you are in trouble. You know that there are maybe eight persons in the company who know the root password to that particular host. (Or wait … did someone actually give the password to that server vendor last week when he needed to upgrade one of the production servers?) But from the logs, you can only see that someone logged in as “root”, not the real person, and since they had root privileges, they possibly even deleted the command logs from the host, preventing you from ever knowing.
Using shared privileged accounts without any monitoring or control is almost equivalent to leaving your house key in the front-door lock, just in case a meter reader or a plumber needs to come in while you are away. Now you wouldn’t do that, would you?
To continue the (at best, limping) analogy, you may give your house key only to a babysitter whom you know and trust to let only authorized persons into your house. Then, if you are serious about the security of your house, even if you know the babysitter in person, you will put in a video camera that will record what visitors, both wanted and unwanted, do while you are away.
Now back from the analogy to the problem with privileged accounts: the need to control and monitor these accounts gave birth to the Privileged Access Management (PAM) category.
Privileged Access Management solutions address these three important areas:
Identify and log the individual users who are using shared privileged accounts
Control what the privileged users can do, so that every user is not granted full root privileges
Log and record the actions of these users, independently, so that the users themselves cannot tamper with the recording
When you are considering deploying such a solution, you must consider which of these three areas are important for your environment and use case. Note that previous-generation “PAM” solutions are often complex to deploy, require installation of gateway or endpoint components, and require the privileged users to change their workflows and/or tools.
But what if you could deploy such a solution without the need to alter user workflows and without the need to install anything extra on the servers or administrator workstations? For that, you would need a solution that works transparently, inline in the network, and captures the privileged user sessions, whether they use the SSH, SFTP, or RDP protocol. This solution would identify the individual privileged user, store the root credential for the target server connection securely, and insert it in the connection without the user ever knowing it. The solution would record a video of each and every user action during the session, each mouse click and key press visible, and store the video securely. The solution would allow replaying the video in a web browser, even in real time, as if watching over the shoulder of the user, and it would allow skipping idle moments in the video and searching its contents. If a picture is worth a thousand words, a video must be worth a million!
Does such a solution exist? Yes, it does.