How does just-in-time (JIT) ephemeral access work?
1. IAM integration
Users and user groups are maintained in identity and access management (IAM) systems, in Active Directory (AD)/Lightweight Directory Access Protocol (LDAP), or through OpenID Connect (OIDC) providers. These systems hold up-to-date information about which identities (users and groups) are authorized to access what, and when.
2. Sync with AD/LDAP and cloud
PrivX hosts the roles and ensures that user identities and user groups are automatically synced whenever they change in AD/LDAP or in OIDC systems. PrivX also stays in sync with the state of the global cloud estate as hosts are spun up or down.
3. Role-based access
PrivX links the user information carrying the right identity and authorization to the right role. All access to critical targets is therefore granted through role-based access control (RBAC). Since roles rarely change, and the link between role and identity is always up to date, this approach reduces manual work.
PrivX uses ephemeral certificates. What are they?
PrivX is based on unique ephemeral certificates. In ephemeral certificate-based authorization, target systems are accessed without permanent access credentials, without explicit access revocation, and without traditional SSH key management.
For each session, the ephemeral certificate:
- is issued just-in-time from the Certificate Authority, which serves as the trusted third party
- is based on various industry-standard methods, the chief example being the short-lived X.509 certificate
- encodes the target user ID, so the certificate is bound to the account it grants access to
- has a short lifetime (5 minutes) after which it auto-expires
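The following is an added illustration of the pattern described above, written for this page and not taken from PrivX or SSH Communications Security. It uses the `cryptography` package to play the role of the trusted certificate authority: a short-lived X.509 certificate is issued just in time for a session, its subject CN carries the target user ID, its validity window is exactly 5 minutes, and the verifier rejects it after that window with no revocation step at all. The CA name, the target user and the fixed timestamps are constructed for the example; the check below validates the leaf signature and validity window only, not a full chain.

```python
import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Matches the lifetime stated on the page: the certificate auto-expires after 5 minutes.
EPHEMERAL_LIFETIME = dt.timedelta(minutes=5)


def make_ca(name="example-jit-ca"):
    """Create a self-signed CA acting as the trusted third party (constructed for the example)."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    now = dt.datetime.now(dt.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - dt.timedelta(minutes=1))
        .not_valid_after(now + dt.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_ephemeral_cert(ca_key, ca_cert, session_public_key, target_user, now):
    """Issue a just-in-time certificate for one session.

    The target user ID is encoded in the subject CN and the validity window is
    exactly EPHEMERAL_LIFETIME, so nothing has to be revoked afterwards.
    """
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, target_user)])
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(ca_cert.subject)
        .public_key(session_public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + EPHEMERAL_LIFETIME)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )


def validity_window(cert):
    """Return (not_before, not_after) as aware UTC datetimes across cryptography versions."""
    not_before = getattr(cert, "not_valid_before_utc", None)
    if not_before is None:  # older cryptography: naive datetimes in UTC
        not_before = cert.not_valid_before.replace(tzinfo=dt.timezone.utc)
        not_after = cert.not_valid_after.replace(tzinfo=dt.timezone.utc)
    else:
        not_after = cert.not_valid_after_utc
    return not_before, not_after


def target_user_of(cert):
    """Extract the target user ID the certificate was issued for."""
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def check_ephemeral_cert(cert, ca_cert, now):
    """Verify the CA signature and the time window; return (accepted, reason_or_user)."""
    try:
        ca_cert.public_key().verify(
            cert.signature,
            cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm),
        )
    except InvalidSignature:
        return False, "signature not from the trusted CA"
    not_before, not_after = validity_window(cert)
    if now < not_before or now > not_after:
        return False, "outside validity window (expired or not yet valid)"
    return True, target_user_of(cert)


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    session_key = ec.generate_private_key(ec.SECP256R1())
    issued_at = dt.datetime(2024, 1, 1, 12, 0, 0, tzinfo=dt.timezone.utc)  # constructed timestamp
    cert = issue_ephemeral_cert(ca_key, ca_cert, session_key.public_key(), "dbadmin", issued_at)
    print(check_ephemeral_cert(cert, ca_cert, issued_at + dt.timedelta(minutes=1)))
    print(check_ephemeral_cert(cert, ca_cert, issued_at + dt.timedelta(minutes=6)))
```

Because the certificate is rejected purely on its time window, the target host needs only the CA public key and an accurate clock; it never consults a revocation list or a key inventory, which is the property that removes credential rotation and revocation from the workflow.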
PrivX main features
- Automatically expiring ephemeral certificates for session establishment and privileged session management (PSM) for modern use cases. No digital key renewal or password vaulting, management or rotation needed.
- Just-in-time (JIT) and just-enough-access (JEA) authentication with role-based access control (RBAC), dynamically linked with authorization management (IDM/IAM) for privilege elevation and delegation management (PEDM)
- Secrets data vault (password vault) for legacy and on-premise support, with vaulted keys and passwords, a Vault API and break-glass access
- Secure Transport Layer Security (TLS) communication between directory services and PrivX
- Ephemeral secrets held in the PrivX vault are encrypted with AES-128-GCM or AES-256-GCM until they expire
- Storing of PrivX secrets in hardware security modules (HSMs) for hardened security.
Session auditing, monitoring & recording
- Record privileged user activity on critical systems
- Tamper-proof audit trails with three-tiered security on session recordings
- Monitor ongoing privileged connections, including files transferred
- Control SSH/RDP channels to restrict available functionality
- Terminate a connection when needed
- Mapping of roles to a user group in your ID management system, and automatic syncing of identities and role memberships.
- Built-in multi-step approval workflow for PrivX local users.
- Floating and time-based role membership to provision temporary access.
Integration to Identity Management Systems
- Support for Microsoft Active Directory (AD), Azure AD via Graph API, Google G Suite, LDAP and OpenID Connect providers such as AWS Cognito, Okta, Ubisecure.
- Single sign-on (SSO) with multi-factor authentication (MFA), time-based one-time passwords (TOTP) or biometric identity verification for added security.
- Modern and future-proof microservices architecture built to provide a scalable and secure solution in hybrid environments
- Native Resilience and High Availability (HA)
- Purpose built for on-cloud installations (AWS, Azure, Google Cloud Platform)
- Takes advantage of cloud service provider’s (CSP) built-in elements (DBs, autoscaling, etc.)
Custom integrations to external systems (CMDB, ITSM, IAM, ...) through REST APIs.
- Automated, static target configuration
- Easy server provisioning with one-time target configurations
- Integrated with automation and orchestration tools (Chef, Puppet, Ansible, …)
- No agents on the client or the server
- Supports Immutable Infrastructure