When your organization deploys solutions to manage access credentials; monitor access to high-value assets; and provision access for specific programs, tasks and commands, it is also critical to control access to those solutions themselves. Dell Software’s Privileged Account Appliance delivers the security and trust businesses need when deploying Privileged Password Manager (PPM) and Privileged Session Manager (PSM) solutions. As a client-less, agent-less appliance designed specifically to host PPM and PSM applications, the Privileged Account Appliance is hardened out of the box to ensure the highest levels of protection for your organization’s most vital assets.
Privileged Session Manager
Privileged Session Manager enables you to issue privileged access for a specific period or session to administrators, remote vendors and high-risk users, with full recording and replay for auditing and compliance. It provides a single point of control from which you can authorize connections, limit access to specific resources, allow only certain commands to be run, view active connections, record all activity, alert if connections exceed pre-set time limits, and terminate connections. Privileged Session Manager is deployed on a secure, hardened appliance.
Features overview:
- Control access – Authorized users can request a session on specific resources or through specific administrative accounts using a secure Web browser connection. Each user can view only the specific resources he or she is authorized to request access to. You can configure the connection for authorization workflow to further enhance control and achieve compliance.
- Proxy access – Privileged Session Manager proxies all sessions to target resources. Since users have no direct access to resources, the enterprise is protected against any viruses, malware or other dangerous items that may exist on the user’s system. Privileged Session Manager can proxy and record Unix/Linux, Windows, AS/400, Web applications, network devices, firewalls, routers and more.
- Command control – You can allow only specific commands to be executed during a session based on either the user accessing the system or the system they are accessing. In addition, if the user attempts to execute a prohibited command, you can choose to automatically notify a specific individual, kill the command, kill the login or kill the whole session.
- Full session audit, recording and replay – All session activity – every action that takes place on the screen, including mouse movements and clicks as well as typed characters – is recorded and available for forensics and compliance review using DVR-like controls. Only actual activity is recorded, and recordings are compressed, so offline storage requirements are a fraction of those of other session-recording solutions.
- EZ Replay – Administrators can search for specific events across sessions, and while viewing a session, they can add bookmarks to easily come back to a specific point in that session at a later date.
- Secure appliance – The hardened appliance does not have a console port or console level interface and can only be accessed via a secure, role-based Web interface. This provides protection from host admin attacks, as well as OS, database or other system-level modifications. The appliance also includes an internal firewall that protects against external network-based attacks and provides additional auditing capabilities.
- Simple workflow – Authorized users simply select the resource or account they need to connect to; the list each user sees shows only the items to which the user is approved to request access. The requestor specifies the expected duration of the session, the reason for the request, and, if required, a ticket number that can be integrated with an existing ticketing system.
- Auto-login – When combined with Privileged Password Manager, Privileged Session Manager access can be configured for automatic login. Auto-login enhances security and compliance by never exposing the account credential to the user.
- Automated privileged governance – Take the hassle out of governing privileged users by automating the process for certifying and approving that only users that need access can request and gain access to privileged credentials. Users can request, provision and attest to privileged and general user access within the same console when you integrate Identity Manager with Privileged Session Manager.
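The command-control feature above is easier to reason about as policy logic. The following is an added illustrative example, not Dell code and not the product's configuration format: it models an allow-list of command names scoped by user and by target system, and the configured response when a prohibited command is attempted (notify, kill the command, kill the login, or kill the whole session). The policy, the user and target names, and the session transcript are all constructed for the example.

```python
"""Command-control policy check for a proxied privileged session.

Added illustrative example; not Dell code and not the product's policy
format. All rules, user/target names and session lines are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum
import shlex


class Action(Enum):
    ALLOW = "allow"
    NOTIFY = "notify"              # let the command run, but alert a named person
    KILL_COMMAND = "kill_command"  # block just this command
    KILL_LOGIN = "kill_login"      # end the login on the target
    KILL_SESSION = "kill_session"  # tear down the whole proxied session


@dataclass
class Rule:
    """Allowed command names for a (user, target) scope; "*" is a wildcard."""
    user: str
    target: str
    allowed: frozenset
    on_violation: Action = Action.KILL_COMMAND
    notify: str = ""               # recipient when on_violation is NOTIFY


@dataclass
class Policy:
    rules: list = field(default_factory=list)

    def match(self, user, target):
        # Most specific rule wins: user+target, then target-only, then user-only.
        def score(r):
            return (r.user != "*") + 2 * (r.target != "*")
        for r in sorted(self.rules, key=score, reverse=True):
            if r.user in ("*", user) and r.target in ("*", target):
                return r
        return None


def evaluate(policy, user, target, command_line):
    """Return (Action, command_name) for one typed command line.

    Only the program name is checked, with any path prefix stripped; arguments
    are not inspected. A scope with no rule at all is deny-by-default.
    """
    try:
        argv = shlex.split(command_line)
    except ValueError:             # unbalanced quotes: refuse the line
        return Action.KILL_COMMAND, ""
    if not argv:
        return Action.ALLOW, ""
    name = argv[0].rsplit("/", 1)[-1]
    rule = policy.match(user, target)
    if rule is None:
        return Action.KILL_SESSION, name
    if name in rule.allowed:
        return Action.ALLOW, name
    return rule.on_violation, name


def audit_session(policy, user, target, lines):
    """Walk session input in order; stop at the first action that ends the session."""
    log = []
    for line in lines:
        action, name = evaluate(policy, user, target, line)
        log.append((line, action))
        if action in (Action.KILL_LOGIN, Action.KILL_SESSION):
            break
    return log


# Constructed sample policy: a strict rule for one production host, and a
# looser vendor-wide rule that only notifies.
SAMPLE_POLICY = Policy([
    Rule("*", "db-prod-01", frozenset({"ls", "cat", "tail", "systemctl"}),
         on_violation=Action.KILL_SESSION),
    Rule("vendor-jsmith", "*", frozenset({"ls", "cat", "tail"}),
         on_violation=Action.NOTIFY, notify="secops@example.invalid"),
])

# Constructed session transcript (what the user typed, in order).
SAMPLE_SESSION = [
    "tail -n 50 /var/log/app.log",
    "/bin/cat /etc/hostname",
    "rm -rf /var/lib/app",
    "ls",
]

if __name__ == "__main__":
    for line, action in audit_session(SAMPLE_POLICY, "vendor-jsmith",
                                      "db-prod-01", SAMPLE_SESSION):
        print(f"{action.value:13} {line}")
```

Because the third line violates the host rule, the audit stops there with `kill_session` and the final `ls` is never evaluated; the same user on a host covered only by the vendor-wide rule would instead trigger a notification and keep the session.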
Privileged Password Manager
Privileged Password Manager automates, controls and secures the entire process of granting administrators the credentials necessary to perform their duties. Privileged Password Manager is deployed on a secure, hardened appliance. Privileged Password Manager ensures that when administrators require elevated access (typically through shared credentials, such as the Unix root password), that access is granted according to established policy, with appropriate approvals; that all actions are fully audited and tracked; and that the password is changed immediately upon its return. It’s a secure, compliant and efficient solution to the age-old “keys to the kingdom” problem. One of the most vulnerable – but often overlooked – aspects of IS security is the embedded passwords required for applications to talk to each other or to databases. Privileged Password Manager also replaces hardcoded passwords with programmatic calls that dynamically retrieve the account credential, eliminating this security exposure.
Features overview:
- Release control – Manages password requests from authorized users, programs and scripts for the accounts they are entitled to access, via a secure Web browser connection with support for mobile devices. A password request can be automatically approved or require any level of manual approvals.
- Change control – Supports configurable, granular change control of shared credentials, including time-based, last-use-based, and manual or forced change.
- Auto discovery of:
  - Accounts and systems – Instantly discovers new accounts and systems, and then either sends notifications about them to specified users or automatically enrolls them in management.
  - Users – Automatically provisions users and maps permissions using your organization’s existing LDAP or Active Directory environment.
- Application password support – Replaces hardcoded passwords in scripts, procedures and other programs. Application password management capabilities include:
  - Programmatic access – Includes both a command-line interface (CLI) and an application programming interface (API) with access for C++, Java, .NET and Perl. Connectivity is via SSH with DSS key exchange.
  - Role-based access – Supports role-based access for the CLI and API. You add a “programmatic” user with either “basic” access or “admin” access. Basic access enables the CLI or API to request account passwords and be granted access for authorized targets or accounts; this is appropriate, for example, for a “Requestor.” Admin access enables the CLI or API to perform administrative tasks.
  - Optimal performance – Natively executes approximately 100 call requests per minute. For applications requiring higher performance, the appliance supports an optional cache that supports more than 1,000 password requests a second, satisfying the requirements of your most demanding applications.
  - Extensive command set – Includes a comprehensive set of commands that can be executed via the CLI or API. Beyond simple “Get Password” commands, the solution supports extensive admin-level commands to provide tight integration with existing enterprise tools and workflows.
- Enterprise-ready integration – Integrates with existing directories, ticketing systems and user authentication sources, including Active Directory and LDAP. It also fully supports two-factor authentication through Defender® or other third-party two-factor authentication products. A robust CLI/API supports end-to-end integration with existing workflows and tools, including reviewer notification and escalation workflows.
- Secure appliance – Lacks a console port or console-level interface – the appliance can only be accessed via a secure, role-based Web interface that provides protection from host admin attacks, as well as OS, database or other system-level modifications. The appliance also has an internal firewall that protects against external network-based attacks and provides additional auditing capabilities.
- Scalable appliance – Provides secure, enterprise-ready access and management of shared credentials for more than 250,000 accounts at once.
- Secure password storage – Encrypts all passwords stored in Privileged Password Management using AES 256 encryption. In addition, the appliance itself also includes full disk encryption using BitLocker™ Drive Encryption.
- Robust target support – Manages shared credentials on the widest range of target servers, network devices and applications.
- Handheld device support – Supports password request, approval and retrieval via handheld devices, which is configurable on a per-user basis.
- Automated privileged governance – Take the hassle out of governing privileged users by automating the process for certifying and approving that only users that need access can request and gain access to privileged credentials. Users can request, provision and attest to privileged and general user access within the same console when you integrate Identity Manager with Privileged Password Manager.
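The application-password feature above replaces a credential embedded in source with a call that fetches it at run time, optionally through a short-lived cache for applications that need more throughput than the appliance's native request rate. The following is an added illustrative example, not Dell code and not the product's CLI or API (whose commands this page does not name): the vault call is abstracted as a `fetcher` callable so the pattern runs offline, and the `CredentialBroker`, `fake_fetcher` and `fake_connect` names, the system/account names and the password values are all constructed for the example.

```python
"""Replacing an embedded application password with a runtime credential call.

Added illustrative example; not Dell code and not the product's CLI/API.
The vault is represented by a `fetcher` callable (hypothetical); in a real
deployment that call would go to the password appliance over SSH, as the
page describes. All names and values below are constructed.
"""
import time
from typing import Callable, Dict, Tuple

# BEFORE (the exposure the page describes): a credential embedded in source.
# It ends up in version control, backups and every copy of the program.
#
#     DB_PASSWORD = "S3cret!"
#     connect("appdb", "appuser", DB_PASSWORD)


class CredentialBroker:
    """Fetches account passwords on demand and optionally caches them briefly.

    fetcher(system, account) -> password  (hypothetical vault call)
    ttl_seconds: how long a retrieved password may be reused before refetching;
                 0 disables caching, so every use is a fresh, audited request.
    clock: injectable time source so the TTL can be tested deterministically.
    """

    def __init__(self, fetcher: Callable[[str, str], str], ttl_seconds: float = 0,
                 clock: Callable[[], float] = time.monotonic):
        self._fetch = fetcher
        self._ttl = ttl_seconds
        self._clock = clock
        self._cache: Dict[Tuple[str, str], Tuple[str, float]] = {}
        self.fetch_count = 0       # number of real vault calls made

    def get(self, system: str, account: str) -> str:
        key = (system, account)
        now = self._clock()
        hit = self._cache.get(key)
        if hit is not None and now < hit[1]:
            return hit[0]          # cached and still within TTL
        password = self._fetch(system, account)
        self.fetch_count += 1
        if self._ttl > 0:
            self._cache[key] = (password, now + self._ttl)
        return password

    def invalidate(self, system: str, account: str) -> None:
        """Drop a cached entry, e.g. after the appliance rotates the password."""
        self._cache.pop((system, account), None)


def connect_with_broker(broker: CredentialBroker, system: str, account: str,
                        connect: Callable[[str, str, str], bool]) -> bool:
    """AFTER: the password is obtained at call time and never stored in code."""
    return connect(system, account, broker.get(system, account))


# --- Constructed stand-ins for the vault and the target, so the block runs offline ---
_FAKE_VAULT = {("appdb", "appuser"): "constructed-password-1"}


def fake_fetcher(system: str, account: str) -> str:
    return _FAKE_VAULT[(system, account)]


def fake_connect(system: str, account: str, password: str) -> bool:
    return password == _FAKE_VAULT[(system, account)]


if __name__ == "__main__":
    broker = CredentialBroker(fake_fetcher, ttl_seconds=30)
    print(connect_with_broker(broker, "appdb", "appuser", fake_connect))
    print("vault calls so far:", broker.fetch_count)
```

The TTL is the trade-off the page describes: with caching off, every use is an individually audited request to the appliance; with a short TTL, a busy application makes far fewer calls but must invalidate its entry when the appliance rotates the password, otherwise it connects with a stale credential.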