Who saves the most time and money with lean PAM software?
- Organizations transitioning IT workloads, applications and services to multi-cloud environments and/or operating in the hybrid cloud.
- Companies looking to decrease the numbers of credentials, privileged passwords or digital keys that they need to manage.
- Enterprises with in-house engineers and admins, agile DevOps teams, outsourced software developers or IT teams.
- Managed Service Providers (MSP) Managed Hosting Providers (MHP) and businesses in operational technology (OT).
- Regulated enterprises that need to demonstrate compliance.
Demonstrate policy compliance and accelerate daily operations for RPA
Premise: MOST Digital, a Robotics-as-a-Service (RaaS) company, needed to access their clients’ critical production environment to automate their tasks.
Challenge: They relied on jump host, VPN tunneling and ad hoc processes that were difficult to manage, required time-consuming manual configurations and did not produce consistent audit trail of activities which was important for their customer.
Change: MOST Digital now uses PrivX to unify all access to a single UI, stay in sync with their Active Directory (AD) system for identities and generate reports of traffic into their clients’ environments for consistent traceability This resulted in greater operational efficiency and improved security and accurate reports for their customers.
Implement multi-cloud-scale PAM for modernized IT
Premise: A stalwart telecoms is migrating to cloud. The incumbent PAM implementation was no longer the optimal solution for the hybrid IT environment.
Challenge: Limited scalability in a dynamic multi-cloud environment, problems in keeping up with the constantly changing cloud estate, limited scalability in service spikes.
Change: As new hosts are added, PrivX automatically discovers and on-boards them – and off-boards them when no longer needed – while providing oversight from a single UI. The solution’s cloud-native architecture can scale up fast without heavy investments into hardware.
Automate 3rd party and consultant access control
Premise: An international mining equipment company needed their vendors to retrieve CAD drawings – their most precious IP – from their production environment.
Challenge: Admins were burdened with manually granting permission while lacking the tools to track access.
Change: The company leverages their existing IAM to on-board and off-board vendors as needed. Our solution maps the user IDs to the right roles hosted in PrivX. Any change or update to a user ID is automatically reflected in privileged roles, making granting, changing or revoking access automatic. Admins can also time-restrict 3rd party access according to the task at hand, and monitor external traffic for auditing.
Deploy PAM in three days to meet tight deadlines
Premise: A network service provider in Asia wanted to control over access their system integrator who helped them design, develop, manage and maintain their wireless network solution.
Challenge: Without a PAM solution, consultants would directly log in to the customer’s virtual servers using simple user accounts and passwords – an acceptable risk. PAM would need to be installed fast, since the network solution was to be launched within a few months.
Change: PrivX was implemented in just three days to keep critical operations running. It also eliminated the risk of password sharing, since consultants no longer handled any privileged passwords or other permanent credentials. A solid audit trail fulfilled compliance and policy requirements.
PrivX adapts to various use cases
Secure interactive access to servers using SSH, RDP or VNC
In this example, a privileged user needs to complete a maintenance task on the target server.
- the user gets just enough access to complete the task.
- the user can easily establish a SSH (Secure Shell), RDP (Remote Desktop Protocol) or VNC (Virtual Network Computing) connection to targets using a browser.
- User accounts on the target can be shared or personal.
- Connections are established with one click via SSO from an up-to-date list of resources in PrivX.
- If needed, native clients can be used.
- There are no secrets to remember or handle.
Protect interactive access to web applications (HTTPS)
Examples of web applications include IT tools, like AWS management console, portals for managing network devices and also the company’s systems for e.g. social media, human resources or finance.
In PrivX, users can easily make connections to web services from a list of available targets. The list is always up-to-date based on the user’s role. Passwords are stored in PrivX so users never handle them or need to remember them.
The admin has full visibility into who made connections to which targets, even if shared accounts are being used. The user’s access rights are automatically revoked if their role changes.
Interactive access session auditing for forensics
IT admins need to make sure that only authorized (privileged) users can access targets.
PrivX employs role-based access controls (RBAC). With integration to IDM/IAM systems it is possible to automate the joiners, movers and leavers process so that users have access only to their available resources at a given time. They are granted access just-in-time (JIT) and and only get just-enough-access (JEA) to get the job done.
Administrators get full visibility into who accessed which target even if shared accounts are being used.
User access rights are automatically revoked if their role changes. Sessions can be recorded for further analysis. Audit events can be sent to external systems, like SIEMs (Security information and event management systems) to provide a 360-degree view of activities.
Secure and audited machine-to-machine access
Machine-to-Machine (M2M) or Application-to-Application (A2A) access can also be secured with PrivX.
For SSH access, SSH client hosts authenticate to the PrivX bastion using SSH public key authentication or by using pre-configured PrivX-specific credentials. The connection from the PrivX bastion to the target host can be authenticated using any supported authentication method.
Since the connection goes through the PrivX bastion, it is audited, and the trace of connections and file transfers is retained in PrivX logs.
Regardless of the authentication method clients use to authenticate to the PrivX bastion or the bastion uses to authenticate to the target host, the client host never acquires credentials to directly access the target host.
For any other machine-to-machine use cases, PrivX provides a Secrets Vault that can store access credentials. The Vault is accessible through a REST API and PrivX provides a command line interface (CLI) client, as well as Golang and Python SDKs (software development kit), for storing and retrieving these secrets.
PrivX Secrets Vault for secrets management
We always encourage customers to use just-in-time and ephemeral certificate-based authentication. For systems that cannot be configured for certificate access, PrivX provides a Vault API and a Vault UI for storing and retrieving secrets.
PrivX comes with a CLI client, as well as Golang and Python SDKs, for storing and retrieving secrets. The privileges to access and modify stored secrets are granted via PrivX roles.
Key-less Gitlab and GitHub access for DevOps
As repository access to Gitlab and GitHub is made over SSH, developers traditionally have to upload their SSH public keys to the service and authenticate their Git actions against the repositories using an SSH private key.
With PrivX, those connections can be configured to use ephemeral certificates. This means that developers authenticate to PrivX using their company credentials and, if context restrictions such as location and time are met, they get mapped to a role that enables repository access. When a developer opens a connection to the repository, PrivX issues an ephemeral certificate containing the access secrets needed to authenticate the connection. The developer does not handle or see any keys or secrets during this process.
You no longer have developer-owned private keys in unknown locations!
It took us four hours to set up the test environment from start to finish. And the amazing part was when we connected to Azure, we could retrieve all the VMs right away without any kinds of hassle.”
Sami Säisä, Director, Head of Strategic Development, MOST Digital
PrivX makes life easier.”
IT manager at a large industrial equipment company
PrivX customer story
How to achieve a great TCO with secure access
A specialist partner company deployed both our PrivX solution and a traditional PAM for comparison at a customer site. They made observations from the client perspective about PrivX Total Cost of Ownership (TCO) benefits.
Lean software functionality
- No client/host agents
- No Remote Desktop Protocol (RDP) licenses required (built into browser access)
Low platform (HW) & license pricing
- 3-5x lower platform costs
- Cost savings: Log and storage requirements, native storage, (Security Information and Event Management) SIEM integration
- 2-3x faster roll-out
- Cost savings: Installation, configuration, onboarding, feature adjustments, access to network devices/IIoT
Great user productivity
- Speed of access (one click) vs. fetching passwords from a vault interface
- No need to remember or search for target host names/accounts
Minimal maintenance resources
- 2x lower resources
- Cost savings through minimal need for: Dedicated PAM personnel, training, keeping the environment up to date and "patching"
CAPEX replaced by small OPEX
- No special internal resources/ capabilities required, no extra platform costs, easy and quick to deploy, no long commitment