PrivX™

Benefits Customers & use cases Tech specs Documentation Try PrivX

PrivX™ lean PAM

Technical details

Learn more about ephemeral access, provilege elevation and the unique technologies behind PrivX.

How does just-in-time (JIT) ephemeral access work?

architecture-privx

1. IAM integration

Users and user groups are maintained in identity and access management (IAM) systems, Active Directory (AD)/Lightweight Directory Access Protocol (LDAP) or through OpenID Connect (OIDC) providers. These systems contain up-to date information about who (identities/users/group) are authorized to access what and when.

2. Sync with AD/LDAP and cloud

PrivX hosts the roles and ensures that user identities and user groups are automatically synced for any changes in AD/LDAP or in OIDC systems. PrivX also stays in synch with the state of the global cloud estate for any changes, when hosts are spun up or down.

3. Role-based access

PrivX links the user information containing the right identity and authorization to the right role. Therefore, all access to critical targets is granted using role-based access controls (RBAC). Since roles rarely change, and the link between the role and identity is always up-to-date, this approach reduces manual work.

4. UI and just-in-time access

When the user logs in to the browser-based PrivX UI (using SSO and MFA if needed), she can only see and select the targets available to her restricted by her role. The user doesn't handle or see any access secrets at any point but the authentication is done automatically in the background and access is granted just-in-time. The secrets needed for the connection are baked into ephemeral certificates which expire automatically after establishing the session, leaving no secrets behind.

5. Audit trail

PrivX audits and track every session, and this information can be automatically sent to external systems (i.e. SIEMs) for alerting and reporting. Even when using shared accounts, PrivX creates a trace of the individual who made the connection. Sessions can also be recorded for forensics.

6. REST API

Applicaton Programming Interfaces (API)/Software Development Kits (SDK) can be used for customized integrations. Examples of these include integrations to ticketing systems, behavior analytics solutions and Information technology service management (ITSM).

PrivX uses ephemeral certificates. What are they?

PrivX is based on unique ephemeral certificates. In ephemeral certificate-based authorization, the target systems are accessed without the need for permanent access credentials, explicit access revocation or traditional SSH Key management.

For each session, the ephemeral certificate:

is issued just-in-time from the Certificate Authority, which serves as the trusted third party
is based on various industry-standard methods, the chief example being the short-lived X.509 certificate
encodes the target user ID for security
has a short lifetime (5 minutes) after which it auto-expires

Learn more about ephemeral access >>>

PrivX main features

Security

Automatically expiring ephemeral certificates for session establishment and privileged session management (PSM) for modern use cases. No digital key renewal or password vaulting, management or rotation needed.
Just-in-time (JIT) and Just-enough-access (JEA) authentication with role-based access control (RBAC) dynamically linked with Authorization Management (IDM/IAM) for Privilege Elevation and Delegation Management (PEDM)
Secrets data vault (password vault) for legacy and on-premise support with vaulted keys and Passwords, Vault API and break-glass access
Secure Transport Layer Security (TLS) communication between directory services and PrivX
Ephemeral secrets stored in the PrivX vault encrypted with AES128 or AES256 GCM algorithms before they expire
Storing of PrivX secrets in hardware security modules (HSMs) for hardened security.

Session auditing, monitoring & recording

Record privileged user activity on critical systems
Tamper-proof audit trails with three-tiered security on session recordings
Monitor ongoing privileged connections, including files transferred
Control SSH/RDP channels to restrict available functionality
Terminate a connection when needed

Role management

Mapping of roles to a user group in your ID management system, and automatic syncing of identities and role memberships.
Built-in multi-step approval workflow for PrivX local users.
Floating and time-based role membership to provision temporary access.

Integration to Identity Management Systems

Support for Microsoft Active Directory (AD), Azure AD via Graph API, Google G Suite, LDAP and OpenID Connect providers such as AWS Cognito, Okta, Ubisecure.
Single-Sign-On (SSO) with multi-factor authentication (MFA), temporary one-time passwords (TOTP) / biometrics Identity verification for added security.

Architecture

Modern and future-proof microservices architecture built to ensure scalable and secure solution in hybrid environments
Native Resilience and High Availability (HA)
Purpose built for on-cloud installations (AWS, Azure, Google Cloud Platform)
Takes advantage of cloud service provider’s (CSP) built-in elements (DBs, autoscaling, etc.)
Custom integrations to external systems (CMDB, ITSM, IAM,..) through REST APIs.

Target configuration

Automated, static target configuration
Easy server provisioning with one-time target configurations
Integrated with automation and orchestration tools (Chef, Puppet, Ansible, …)
No agents on the client or the server
Supports Immutable Infrastructure

Forensics

Video playback of recorded privileged user sessions.
Free-text search into SSH session transcripts.
View audit events with connection details.

SIEM & log collectors

Forward audit logs and events to Splunk, IBM Qradar, AWS CloudWatch or Azure Event Hub.
Support for Common Event Format (CEF) & Rsyslog formats.