Privileged Identity & Access Management
Virtually every device or software application within your network infrastructure, or your customer's infrastructure, has a privileged or administrative account to manage it. These privileged accounts and passwords often provide or facilitate access to an organisation's most critical assets, yet they are routinely shared between the teams responsible for managing the devices. While most identity-management products focus on personal identities, these shared privileged accounts pose a huge, and often overlooked, challenge to IT security risk and compliance.
Privileged accounts include super-user logins (e.g. root or admin), service accounts, or M2M or App-2-App accounts used by web services and line-of-business applications. Generally, these are:
- Often neglected through infrequent use or because they are "out of sight, out of mind".
- Rarely changed because of the time it would take.
- Unaudited because it is usually impossible to effectively track the 'who, what, when and why'.
Privilege represents an easier way for your organisation to implement effective privileged identity and password management. By proxying connections, Privilege helps you centrally control and audit administrative access with privileged credentials through access delegation (separating users from the credentials used to access a device), audit logs and session recording. This approach enhances security and compliance by granting administrative users only the rights they need: nothing more, nothing less.
- Stronger password security. Enforce complex passwords on privileged accounts and run scripts that periodically change passwords in order to reduce the risk of infiltration by malicious programs and unauthorized users.
- Improved staff efficiency. Quickly grant, change and revoke privileged access as staff change or leave job roles. A number of breaches occur because staff retain privileged credentials that are no longer relevant to their current role and because hours of tedious work are required to change shared account credentials.
- Protect critical systems. Minimise any loss or outage to your business and ensure the accountability of every user-access to your infrastructure with advanced out-of-the-box auditing and reporting tools that enforce corporate policy.
- Improve workforce productivity. A simple web portal shows users only the devices and connection methods they are authorised for, at the level of administrative access they have been granted.
- Protect sensitive assets when working with third parties. Enable direct connection to the target device, optionally on a time-limited basis, without disclosing the privileged credentials.
Eclipse Privilege Features
Privilege will centralise your password management and provide privileged access control for your shared accounts.
Eclipse Privilege provides a resilient and flexible platform that will proxy connections from your engineers or technicians to your managed devices.
Privilege securely stores encrypted credentials in an SQL back-end and supports (optional) database mirroring to provide a totally resilient system. If the principal server fails, Privilege will automatically switch to the mirror.
Active Directory Integration
Link Privilege user groups to Active Directory or LDAP user groups, allowing users to log in with their existing credentials and speeding up user-provisioning. Privilege is also capable of working standalone with its own database of users.
Privilege proxies connections and supports multiple Web Servers and Connection Managers in order to balance the load and distribute resources. It can provide flexible connectivity to devices over an IP-based network or utilise dial-up connections.
Simplify the process of configuring multiple connections or generate an emergency "break-glass" copy of the configuration. Connection details can be imported from or exported to MS Excel.
Privilege supports the administrative protocols common to many of the devices on your network: SSH, Telnet, HTTPS, HTTP, MS Remote Desktop, VNC, PCAnywhere, SFTP, FTP, ASCII (dial-up), Raw TCP.
Privilege provides a Windows console for administration, and a web portal to initiate connections. The web portal includes a handler that launches the appropriate client application on the user's PC.
Eclipse Privilege is a single point of access to ensure that all of your privileged users, applications and devices can only access devices through Privilege and are only given the level of access required for their task.
Utilising a group hierarchy and extensive permissions, you can control a user's administration capabilities, which managed devices they see and what level of access they have.
Devices & Connections
Each managed device in Eclipse Privilege supports multiple methods of connectivity (SSH, Web, Remote Desktop, etc.) and multiple credentials for each connectivity method. In addition, Privilege supports chained connections: access to a device that has to pass through intermediary devices.
Timed Access Controls
Provide timed access to temporary staff or 3rd party maintainers with just one click. Connections will expire after the period you define or after a set level of inactivity.
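As an added illustration (not code from Eclipse Privilege or from this page), the following Python models the two expiry rules described above: a grant that ends after a fixed period, and one that ends after a defined period of inactivity. The class and function names (`TimedGrant`, `status`, `record_activity`, `connection_allowed`) and the user, device and timestamp values are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass
class TimedGrant:
    """A time-limited access grant for one user to one managed device.

    Hypothetical model for illustration; names and fields are not taken
    from Eclipse Privilege.
    """
    user: str
    device: str
    granted_at: datetime
    lifetime: timedelta            # hard limit: grant ends at granted_at + lifetime
    inactivity_limit: timedelta    # soft limit: grant ends after this much idle time
    last_activity: Optional[datetime] = None
    ended_reason: Optional[str] = None   # once set, the grant is closed for good

    def __post_init__(self) -> None:
        if self.last_activity is None:
            self.last_activity = self.granted_at

    @property
    def expires_at(self) -> datetime:
        return self.granted_at + self.lifetime

    def status(self, now: datetime) -> str:
        """Return "active", "expired", "idle-timeout" or "revoked".

        A grant that has ended stays ended: later activity cannot revive it,
        so a stale session cannot be picked up again after the idle limit.
        """
        if self.ended_reason is not None:
            return self.ended_reason
        if now >= self.expires_at:
            self.ended_reason = "expired"
        elif now - self.last_activity >= self.inactivity_limit:
            self.ended_reason = "idle-timeout"
        return self.ended_reason or "active"

    def record_activity(self, at: datetime) -> bool:
        """Note session activity; returns False if the grant is no longer active."""
        if self.status(at) != "active":
            return False
        self.last_activity = at
        return True

    def revoke(self) -> None:
        """Operator-initiated early termination (e.g. the engagement ends)."""
        if self.ended_reason is None:
            self.ended_reason = "revoked"


def connection_allowed(grant: TimedGrant, now: datetime) -> bool:
    """The check a proxy would run before forwarding traffic for this session."""
    return grant.status(now) == "active"


def demo() -> List[Tuple[int, str]]:
    """Walk a constructed contractor grant through the inactivity rule."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    grant = TimedGrant(
        user="contractor-01", device="core-switch-01",      # constructed names
        granted_at=t0, lifetime=timedelta(hours=4),
        inactivity_limit=timedelta(minutes=15),
    )
    events = []
    for minutes in (10, 20, 40):   # activity at 10 and 20, then a 20-minute gap
        now = t0 + timedelta(minutes=minutes)
        events.append((minutes, grant.status(now)))
        grant.record_activity(now)
    return events


def hard_limit_demo() -> Tuple[str, str, bool]:
    """Show that steady activity does not extend the fixed lifetime."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    grant = TimedGrant("contractor-01", "core-switch-01", t0,
                       timedelta(hours=4), timedelta(minutes=15))
    for minutes in range(0, 240, 10):        # activity every 10 minutes
        grant.record_activity(t0 + timedelta(minutes=minutes))
    return (grant.status(t0 + timedelta(minutes=239)),
            grant.status(t0 + timedelta(minutes=240)),
            grant.record_activity(t0 + timedelta(minutes=241)))


if __name__ == "__main__":
    for minutes, state in demo():
        print(f"t+{minutes:3d} min: {state}")
    print(hard_limit_demo())
```

The two limits serve different purposes: the fixed lifetime bounds the engagement regardless of what the user does, while the inactivity limit closes sessions that were left open and could otherwise be picked up by someone else at an unattended workstation. Making the ended state sticky matters for audit: the grant's termination reason is recorded once and cannot be silently undone by later traffic.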
Ensure that all M2M or App2App connections are audited. Eclipse Privilege provides the capability to establish connections to devices programmatically and be integrated into larger systems.
Eclipse Privilege enables you to integrate virtually any type of remote equipment. Define new device types and create connection scripts for the log on/log off processes. An in-built script editor and wizard for web-based log-ons will help you.
Eclipse Privilege can run scripts at regular periods to automate administration tasks; for example to change a managed device password (and update the password in Privilege), retrieve configuration data or update time & date settings.
Ensure that you can prove compliance with both internal and external regulations regarding security practices.
SAMS records all desktop activity of technicians or engineers during active sessions with SAMS devices. Connections are blocked if recording is not possible. This ensures that you have a full visual account of any changes or hacking attempts made during the session.
Remote Access Logs
Record all remote access connections, including the start and end time, the user name and IP address, how the device was accessed, session activity (except for Remote Desktop, pcAnywhere and VNC) and any connection notes entered after the session was terminated.
The Admin logs are a record of all configuration done using the administration console. They also include entries for users that are locked out of the system.
Privilege can be configured to send you SNMP traps for important events such as successful/failed connections, disconnections, admin logins, web logins or accounts that become locked.
During audits, prove how many connections are being made, by whom, for which connection methods and credentials and for how long. Reports can be automatically scheduled and delivered via email.
Force your engineers and technicians to document any configuration changes or their reason for the connection by requesting notes once a session has been terminated.
- Asset information. Store information within Privilege on your managed devices, such as vendor/third party contact information and device location.
- Password policies. When using Privilege without Active Directory or LDAP integration, use password policies to enforce complex passwords and have users regularly change them.
- Log storage. Automatically delete audit logs after a set number of days, when the log reaches a set size, or when it reaches a set number of records.
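As an added example (not code from Eclipse Privilege or from this page), the following Python applies the three retention rules just listed, age, total size and record count, to a constructed set of audit records, always deleting the oldest first. The `RetentionPolicy` and `AuditRecord` names, the record contents and the dates are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AuditRecord:
    """One audit log entry (hypothetical shape, constructed for this example)."""
    record_id: int
    logged_at: datetime
    size_bytes: int
    text: str


@dataclass(frozen=True)
class RetentionPolicy:
    """Any rule left as None is not applied. Names are assumptions for this example."""
    max_age: Optional[timedelta] = None
    max_total_bytes: Optional[int] = None
    max_records: Optional[int] = None


def apply_retention(records: List[AuditRecord], policy: RetentionPolicy,
                    now: datetime) -> Tuple[List[AuditRecord], List[AuditRecord]]:
    """Return (kept, deleted); the oldest records are always removed first."""
    kept = sorted(records, key=lambda r: r.logged_at)        # oldest first

    # Rule 1: age. Anything that has reached max_age is deleted.
    if policy.max_age is not None:
        kept = [r for r in kept if now - r.logged_at < policy.max_age]

    # Rule 2: record count. Keep only the newest max_records entries.
    if policy.max_records is not None and len(kept) > policy.max_records:
        kept = kept[len(kept) - policy.max_records:]     # handles max_records == 0

    # Rule 3: total size. Drop from the old end until the log fits.
    if policy.max_total_bytes is not None:
        total = sum(r.size_bytes for r in kept)
        while kept and total > policy.max_total_bytes:
            total -= kept[0].size_bytes
            kept = kept[1:]

    kept_ids = {r.record_id for r in kept}
    deleted = [r for r in records if r.record_id not in kept_ids]
    return kept, deleted


def sample_records(now: datetime) -> List[AuditRecord]:
    """Six constructed records, 100 bytes each, of increasing age."""
    ages_in_days = [40, 30, 20, 10, 5, 1]
    return [
        AuditRecord(i + 1, now - timedelta(days=d), 100,
                    f"ssh connection to device-{i + 1} (constructed)")
        for i, d in enumerate(ages_in_days)
    ]


def demo() -> Dict[str, List[int]]:
    """Apply each rule alone, then all three together; return kept record ids."""
    now = datetime(2024, 3, 10, tzinfo=timezone.utc)       # constructed "today"
    records = sample_records(now)
    policies = {
        "age":   RetentionPolicy(max_age=timedelta(days=30)),
        "count": RetentionPolicy(max_records=3),
        "size":  RetentionPolicy(max_total_bytes=250),
        "all":   RetentionPolicy(max_age=timedelta(days=30),
                                 max_total_bytes=250, max_records=3),
    }
    return {name: [r.record_id for r in apply_retention(records, p, now)[0]]
            for name, p in policies.items()}


if __name__ == "__main__":
    for name, ids in demo().items():
        print(f"{name:5s}: kept record ids {ids}")
```

When setting these thresholds, size- and count-based deletion deserve care: a burst of connection attempts can push older, still-needed entries out of the log before anyone has reviewed them, so the age rule should normally be the binding one and the size and count limits set generously above the expected volume for that period.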
Eclipse Privilege requires or supports the following environments:
Privilege Admin Console & Script Manager
Responsible for administering the Eclipse Privilege application
- MS Windows Server 2003 & Server 2003 R2
- MS Windows Server 2008 & Server 2008 R2
- Windows XP SP3
- Windows Vista SP2
- Windows 7 SP1
Connection Manager
Initiates and manages the connections to managed devices made by users.
- MS Windows Server 2003 & Server 2003 R2
- MS Windows Server 2008 & Server 2008 R2
Database Server
Stores configuration, device and credential data.
- MS SQL Server 2005 and Express
- MS SQL Server 2008 and Express
- MS SQL Server 2008 R2 and Express
Web Server
Required for the user interface to initiate connections.
- IIS 6.0 for Windows Server 2003 and 2003 R2
- IIS 7.0 for Windows Server 2008 and 2008 R2
Web Browser
Used by engineer and technician users as the application interface.
- MS IE 7.0 or later
- Mozilla Firefox 3.0.6 or later
- Google Chrome 10.0 or later