How does just-in-time (JIT) ephemeral access work?
1. IAM integration
Users and user groups are maintained in identity and access management (IAM) systems, Active Directory (AD)/Lightweight Directory Access Protocol (LDAP) or through OpenID Connect (OIDC) providers. These systems contain up-to-date information about who (identities, users and groups) is authorized to access what, and when.
2. Sync with AD/LDAP and cloud
PrivX hosts the roles and ensures that user identities and user groups are automatically synced whenever they change in AD/LDAP or in OIDC systems. PrivX also stays in sync with the state of the global cloud estate, picking up changes as hosts are spun up or down.
3. Role-based access
PrivX links the user information carrying the right identity and authorization to the right role, so all access to critical targets is granted through role-based access control (RBAC). Since roles rarely change, and the link between role and identity is always up to date, this approach reduces manual work.
4. UI and just-in-time access
When the user logs in to the browser-based PrivX UI (using SSO and MFA if needed), she can only see and select the targets her role permits. The user never handles or sees any access secrets; authentication is done automatically in the background and access is granted just-in-time. The secrets needed for the connection are baked into ephemeral certificates which expire automatically after the session is established, leaving no secrets behind.
5. Audit trail
PrivX audits and tracks every session, and this information can be automatically sent to external systems (e.g. SIEMs) for alerting and reporting. Even when shared accounts are used, PrivX records a trace of the individual who made the connection. Sessions can also be recorded for forensics.
6. REST API
Application Programming Interfaces (APIs) and Software Development Kits (SDKs) can be used for customized integrations, for example with ticketing systems, behavior analytics solutions and IT service management (ITSM) tools.
PrivX uses ephemeral certificates. What are they?
PrivX is based on unique ephemeral certificates. In ephemeral certificate-based authorization, target systems are accessed without permanent access credentials, explicit access revocation or traditional SSH key management.
For each session, the ephemeral certificate:
- is issued just-in-time from the Certificate Authority, which serves as the trusted third party
- is based on industry-standard methods, chiefly the short-lived X.509 certificate
- encodes the target user ID for security
- has a short lifetime (5 minutes) after which it auto-expires
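The lifecycle listed above, as an added example that is not PrivX's own code: a Go program using only the standard library plays the Certificate Authority, issues a 5-minute X.509 client certificate carrying the target user ID, and verifies it the way a target host would, once inside the window and once after it has expired. The CA name "example-jit-ca" and the user "deploy" are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

const certLifetime = 5 * time.Minute // ephemeral certificate lifetime, as the page states
// newCA builds the trusted third party (constructed for this example, not PrivX's own CA).
func newCA(now time.Time) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand errors ignored to keep the demo short
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "example-jit-ca"}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// issueEphemeral issues a client certificate just-in-time for one session: the target user
// ID is encoded in the subject and NotAfter is now+certLifetime, so it expires by itself.
func issueEphemeral(ca *x509.Certificate, caKey ed25519.PrivateKey, user string, now time.Time) (*x509.Certificate, error) {
	pub, _, _ := ed25519.GenerateKey(rand.Reader) // session key; the access proxy, not the user, would hold it
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: user},
		NotBefore: now, NotAfter: now.Add(certLifetime), KeyUsage: x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAt validates the chain at a given moment, as the target host would; it returns the
// target user ID, or an error once the 5-minute window has passed (no revocation needed).
func verifyAt(cert, ca *x509.Certificate, at time.Time) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at}); err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}
```

Because validity is checked against the certificate's own time window, the target needs no revocation list: a certificate issued at login is simply no longer accepted six minutes later.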
PrivX main features
Security
- Automatically expiring ephemeral certificates for session establishment and privileged session management (PSM) for modern use cases. No digital key renewal or password vaulting, management or rotation needed.
- Just-in-time (JIT) and just-enough-access (JEA) authentication with role-based access control (RBAC), dynamically linked with authorization management (IDM/IAM) for privilege elevation and delegation management (PEDM)
- Secrets data vault (password vault) for legacy and on-premise support, with vaulted keys and passwords, a Vault API and break-glass access
- Secure Transport Layer Security (TLS) communication between directory services and PrivX
- Ephemeral secrets stored in the PrivX vault are encrypted with AES-128 or AES-256 in GCM mode until they expire
- Storing of PrivX secrets in hardware security modules (HSMs) for hardened security.
Session auditing, monitoring & recording
- Record privileged user activity on critical systems
- Tamper-proof audit trails with three-tiered security on session recordings
- Monitor ongoing privileged connections, including files transferred
- Control SSH/RDP channels to restrict available functionality
- Terminate a connection when needed
Role management
- Mapping of roles to a user group in your ID management system, and automatic syncing of identities and role memberships.
- Built-in multi-step approval workflow for PrivX local users.
- Floating and time-based role membership to provision temporary access.
Integration to Identity Management Systems
- Support for Microsoft Active Directory (AD), Azure AD via Graph API, Google G Suite, LDAP and OpenID Connect providers such as AWS Cognito, Okta, Ubisecure.
- Single sign-on (SSO) with multi-factor authentication (MFA), time-based one-time passwords (TOTP) or biometric identity verification for added security.
Architecture
- Modern and future-proof microservices architecture, built to deliver a scalable and secure solution in hybrid environments
- Native resilience and high availability (HA)
- Purpose built for on-cloud installations (AWS, Azure, Google Cloud Platform)
- Takes advantage of cloud service provider’s (CSP) built-in elements (DBs, autoscaling, etc.)
- Custom integrations to external systems (CMDB, ITSM, IAM, ...) through REST APIs
Target configuration
- Automated, static target configuration
- Easy server provisioning with one-time target configurations
- Integrated with automation and orchestration tools (Chef, Puppet, Ansible, …)
- No agents on the client or the server
- Supports Immutable Infrastructure
Forensics
- Video playback of recorded privileged user sessions.
- Free-text search into SSH session transcripts.
- View audit events with connection details.
SIEM & log collectors
- Forward audit logs and events to Splunk, IBM QRadar, AWS CloudWatch or Azure Event Hub.
- Support for Common Event Format (CEF) & Rsyslog formats.