
PrivX On-Demand Access Manager

What Is PrivX?

PrivX is an access management platform that revolutionizes how privileged access management is done in the cloud and elastic computing environments. It completely eliminates password rotation, secrets management, and credentials vaulting for privileged access. Access is granted based on roles defined in Active Directory in real time.

This means no more agents on servers or clients, no more password rotation, and no more SSH keys. These in turn translate to faster and cheaper deployment, better scalability, better reliability, simplified future-proof architecture, no vendor lock-in, and lower on-going costs.

How Does It Work

Web Portal

PrivX On-Line Access Manager includes a scalable web-based portal for logging into production servers. Users authenticate to the portal using Active Directory credentials and, optionally, multi-factor authentication. The portal then issues short-lived credentials to the user, which are used to log into the target server. Active Directory roles determine the user's access rights.

No Secrets on Servers, No Secrets Revealed to Clients

No secret information is ever stored on the servers. This means the servers can be scaled, copied, and spun up and down dynamically as needed. The approach also works perfectly for developer access when debugging servers and containers, as well as for emergency response.

Dynamically Created, Short-Lived Credentials

With the SSH protocol, short-lived certificates are used as credentials. This completely eliminates the need for having passwords for service accounts in the first place. There is no need to rotate passwords. Transition from older privileged access management systems is easy, as there is no need to move passwords from existing systems. Both OpenSSH and Tectia SSH are supported.
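To make the "short-lived certificate" idea concrete, here is an added example (not PrivX code, and not from SSH.com) that constructs an OpenSSH user certificate blob with the real field layout documented in OpenSSH's PROTOCOL.certkeys, parses it back, and decides whether it is usable for a given principal at a given time. The public key, CA key and signature fields are placeholders and the signature is deliberately not verified; the point is the validity window and principal list that make a certificate a time-limited, role-bound credential.

```python
import struct

# Certificate type value for a user (as opposed to host) certificate, per PROTOCOL.certkeys.
USER_CERT = 1
CERT_ALGO = b"ssh-ed25519-cert-v01@openssh.com"


def _string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _u64(n: int) -> bytes:
    return struct.pack(">Q", n)


def build_demo_cert(principals, valid_after, valid_before, key_id="alice@portal"):
    """Constructed certificate with the OpenSSH field order but dummy key and
    signature material (assumption: this is illustrative input, not a signed cert)."""
    principals_blob = b"".join(_string(p.encode()) for p in principals)
    return (
        _string(CERT_ALGO)
        + _string(b"\x00" * 32)            # nonce
        + _string(b"\x11" * 32)            # ed25519 public key (placeholder)
        + _u64(7)                          # serial
        + struct.pack(">I", USER_CERT)     # certificate type
        + _string(key_id.encode())         # key id (who the cert was issued to)
        + _string(principals_blob)         # valid principals (roles/usernames)
        + _u64(valid_after)                # validity window start (unix seconds)
        + _u64(valid_before)               # validity window end (exclusive)
        + _string(b"")                     # critical options (none)
        + _string(b"")                     # extensions (none)
        + _string(b"")                     # reserved
        + _string(b"ca-key-placeholder")   # signature key (the CA's public key)
        + _string(b"signature-placeholder")
    )


class _Reader:
    """Minimal cursor over SSH wire-format data."""

    def __init__(self, data: bytes):
        self.data, self.off = data, 0

    def _take(self, n: int) -> bytes:
        chunk = self.data[self.off:self.off + n]
        if len(chunk) != n:
            raise ValueError("truncated certificate")
        self.off += n
        return chunk

    def u32(self) -> int:
        return struct.unpack(">I", self._take(4))[0]

    def u64(self) -> int:
        return struct.unpack(">Q", self._take(8))[0]

    def string(self) -> bytes:
        return self._take(self.u32())


def parse_cert(blob: bytes) -> dict:
    """Parse the fields that matter for an authorization decision.
    The signature is read but NOT verified here; sshd does that against TrustedUserCAKeys."""
    r = _Reader(blob)
    algo = r.string()
    if algo != CERT_ALGO:
        raise ValueError(f"unsupported certificate algorithm {algo!r}")
    r.string()  # nonce
    r.string()  # public key
    serial = r.u64()
    cert_type = r.u32()
    key_id = r.string().decode()
    pr = _Reader(r.string())
    principals = []
    while pr.off < len(pr.data):
        principals.append(pr.string().decode())
    valid_after = r.u64()
    valid_before = r.u64()
    r.string(); r.string(); r.string()  # critical options, extensions, reserved
    r.string()  # signature key
    r.string()  # signature (unverified in this example)
    return {"serial": serial, "type": cert_type, "key_id": key_id,
            "principals": principals, "valid_after": valid_after,
            "valid_before": valid_before}


def is_usable(cert: dict, principal: str, now: int) -> bool:
    """A user cert grants login only for a listed principal and only inside its window."""
    return (cert["type"] == USER_CERT
            and principal in cert["principals"]
            and cert["valid_after"] <= now < cert["valid_before"])


if __name__ == "__main__":
    issued = 1_700_000_000
    cert = parse_cert(build_demo_cert(["webadmin"], issued, issued + 3600))
    print(cert["key_id"], cert["principals"], is_usable(cert, "webadmin", issued + 60))
```

Note that an OpenSSH server checks `valid_before` against its own clock, so clock skew between the issuing portal and the target hosts shrinks or extends the effective window; a one-hour certificate on a host whose clock is an hour behind will be rejected as not yet valid.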

Instant Deployment

Deploying PrivX is usually very fast. There is no need for lengthy deployment projects. Usually, a portal and a database are installed as virtual machines, and a script is run on desired servers to update SSH configuration files to accept certificates from an internal certificate authority operated by the portal. Many customers have it up and running in production in a few hours.

Most importantly, there is no need to install agents on either clients or servers. Only a scriptable configuration change is needed on servers. Only a web browser is required on clients - the need for SSH clients or Remote Desktop clients is completely eliminated.

Session Recording

PrivX records all privileged access by users. This is an important requirement in many compliance regulations. Furthermore, it provides an important deterrent against insider crime, serves as a forensics and evidence-gathering tool, and can pass user actions to sophisticated analytics tools for early warning.

Analytics and Early Warning

PrivX integrates with the SIEM (Security Information and Event Management) and analytics systems used in the enterprise. It enables early warning of suspicious and wrongful activity by trusted users and vendors.

Transparent Monitoring

PrivX On-Demand Access Manager can also be used in conjunction with CryptoAuditor for transparent monitoring of access made using any SSH clients and Remote Desktop clients. CryptoAuditor decrypts the encrypted SSH and Remote Desktop connections on the fly with the use of server private keys, and is able to transparently inspect, report, and control access by automated processes and administrators who prefer to continue to use their existing tools. This provides more flexibility and better user satisfaction. No other solution is capable of transparently controlling access by automation tools and scripts.

Typical Use Cases and Benefits

Reducing Insider Risk in System Administration and DevOps

According to US CERT, nearly half of their survey participants in 2015 reported an insider incident. 25% said they did not initiate legal action because of lack of evidence; 31% said they could not identify the individual(s) responsible. Many of the worst data leaks involved insiders or contractors.

PrivX reduces the risk of insider incidents because users know they are monitored and evidence is collected automatically. It reduces incident severity and cost because incidents are caught earlier through analytics and early warning. It provides the forensic data to identify perpetrators and the evidence to prosecute them.

Typical uses include securing access by system administrators and securing remote access by vendors and outsourcing partners. A major use case is also securing production deployments and production access in DevOps. Most large organizations have already deployed DevOps for at least some of their projects - often the most critical customer-facing applications.

Ensuring Compliance with Privileged Access Controls

Cybersecurity best practice requires controlling privileged access to critical systems and data. This includes credit card information (PCI DSS), electronic health information (HIPAA), electric grid control (NERC CIP), personal information (EU GDPR), public company financial information (Sarbanes-Oxley), and sensitive government data (NIST SP 800-53).

The cost of non-compliance can be very high. Several health care providers have been fined millions of dollars for HIPAA breaches. EU GDPR comes with penalties of up to 20 million euros or 4% of revenues (whichever is higher). The famous Target breach involved credit card data for 40 million consumers and is estimated to have cost Target hundreds of millions of dollars in penalties, costs, and reputation. This included a $18.5m settlement with 47 US states.

Automating Provisioning and Termination of Access

Provisioning and terminating SSH access to servers is tricky, especially when considering SSH key management. PrivX handles provisioning and termination through its integration with Active Directory and uses roles defined in Active Directory for controlling access in real time. When a person leaves or job role changes, privileged access rights are automatically updated within minutes across the enterprise, on all platforms.

Preventing Bypassing of Privileged Access

Traditional privileged access management systems can be bypassed using SSH keys. Basically, a system administrator can install new authorized keys on servers and use them to log in directly, without going through the privileged access management system. PrivX prevents this by configuring servers to use short-lived certificates. The servers do not need to use authorized keys at all. Thus, they can be configured to not allow traditional public key authentication at all. This ensures that users cannot bypass privileged access management using SSH keys.

Eliminating SSH Keys and Related Complexity

PrivX On-Demand Access Manager works without traditional SSH keys. It only issues short-lived certificates to users, and no credentials are stored on servers. Thus, users do not need SSH keys, and SSH server configurations should be such that using SSH keys is not even possible for normal users. This also means that there is no need to manage SSH keys on the servers.
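The "scriptable configuration change" from the deployment section and the bypass-prevention argument above both come down to a handful of sshd_config keywords. The following added example (mine, not PrivX's or OpenSSH's code) audits an sshd_config for a certificate-only posture: a CA is trusted via `TrustedUserCAKeys`, locally installed keys are ignored via `AuthorizedKeysFile none`, and password logins are off. One caveat that the prose glosses over: OpenSSH delivers certificates through the `publickey` authentication method, so `PubkeyAuthentication` must stay `yes`; what gets disabled is the authorized_keys file path, not public-key authentication as such. Both config fragments are constructed for the example.

```python
import re

# Constructed sshd_config fragments (not taken from any real host).
WEAK_CONFIG = """\
# typical out-of-the-box settings
PubkeyAuthentication yes
PasswordAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
"""

HARDENED_CONFIG = """\
# certificate-only access: trust the internal CA, ignore per-user key files
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
TrustedUserCAKeys /etc/ssh/user_ca.pub
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
AuthorizedKeysFile none
"""

# sshd defaults for the keywords we check (from sshd_config(5)).
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "authorizedkeysfile": ".ssh/authorized_keys .ssh/authorized_keys2",
}


def parse_sshd_config(text: str) -> dict:
    """Return keyword -> value for the global section of an sshd_config.
    Keywords are case-insensitive; sshd honours the FIRST occurrence, so we keep
    the first value seen. Parsing stops at the first Match block because those
    settings apply conditionally and would need per-connection evaluation."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        opts.setdefault(key, value)
    return opts


def audit_cert_only(text: str) -> list:
    """List the settings that keep a host from being certificate-only.
    An empty list means the host only accepts CA-signed certificates."""
    opts = parse_sshd_config(text)
    get = lambda k: opts.get(k, DEFAULTS.get(k, ""))
    findings = []
    if get("pubkeyauthentication").lower() != "yes":
        findings.append("PubkeyAuthentication is not 'yes': certificates use the "
                        "publickey method and would be rejected too")
    if "trustedusercakeys" not in opts:
        findings.append("TrustedUserCAKeys missing: sshd has no CA to accept "
                        "certificates from")
    if get("authorizedkeysfile").lower() != "none":
        findings.append("AuthorizedKeysFile is not 'none': keys dropped into a "
                        "user's home directory still grant login, bypassing the CA")
    if get("passwordauthentication").lower() != "no":
        findings.append("PasswordAuthentication is not 'no': static passwords "
                        "remain a parallel path")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_cert_only(cfg) or "OK: certificate-only")
```

In practice run this against `sshd -T` output rather than the file itself, since `sshd -T` prints the effective configuration with includes and defaults resolved; the parser above is meant for the file because it is what a deployment script edits. Setting `AuthorizedKeysFile none` is also what makes the "cannot bypass using SSH keys" claim hold: with it in place, an administrator who appends a key to `~/.ssh/authorized_keys` gains nothing.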

Better still, it works perfectly in the cloud and in scalable, elastic environments. It is fully designed for modern and future architectures.

Reducing Cost and Complexity of Password Vaults and Password Rotation

Password vaulting and password rotation are the traditional approach to privileged access control. Basically, the password for each system account is changed periodically and stored in a vault. In a related approach, private SSH keys are stored in a vault. However, this infrastructure is resource intensive and often requires multi-year, multi-million dollar deployment projects. It doesn't really address the legacy question of who can access what using the keys. Leading traditional privileged access management solutions are also known to require dozens or even over a hundred servers to manage large environments with tens of thousands of servers. Password rotation is expensive, complicated, and prone to glitches.

All this is unnecessary with the PrivX On-Demand Access Manager. No password vaults, no rotation. No SSH keys. No multi-year projects. No associated costs. No need to keep patching additional software on thousands of servers and desktops.