
What is Privileged Session Management?

Privileged session management (PSM) enables organizations to issue privileged access for a specific period – or session – to administrators, remote privileged users, contractors and high-risk users. Privileged session solutions can authorize connections, facilitate audit and reviews, oversee access to critical resources, limit command choices and terminate connections.

The definition of Privileged Session Management (PSM)

Privileged session management is a control feature that limits how long and for what purpose an admin – which can be a human or a machine – can access a digital resource. Privileged users can access critical IT assets, such as the management UI for devices or the root file on a UNIX server. Session management is an additional level of control and security that puts a time limit – or a functional limit along with a time limit – on what the admin can access during that particular session. This instructional web page is directed at non-privileged users and procurement managers assessing One Identity for investment.

In the simplest worst-case scenario, if your PAM security system is a legacy system, it may have a simple admin access policy of yes or no: the privileged user has access to everything or to nothing. Often with legacy systems, this elevated access was managed with shared credentials, which meant there was no individual accountability and no limit on what an admin could access. With that said, for IT infrastructure to function, there need to be users with privileged access who can work at the back end of databases, control infrastructure, set user-access permissions and add code to apps to make them even better. But you can’t just leave the vault door open all the time; that encourages users who shouldn’t be in there to be in there. You must control it. So, you give them a time limit and you never share the keys or the access code with them directly. If they need to access critical infrastructure, they can ask and be issued a hidden password that grants them limited capabilities for a specific time. They can’t stray from their purpose, and they can’t stay longer than they need to. So, privileged session management is just that: elevated access with a specific time limit for a user to get a task completed.

What are Privileged Sessions in PAM?

Privileged sessions are akin to when mom says she’s counting to three, by which time you need to choose an afternoon snack and close the refrigerator door. If you can’t decide what to eat by the time mom says ‘three,’ your access to the privileged resource – in this case the refrigerator – is immediately shut down. On a more technical level, a privileged session is when an admin is allowed access to a resource for a specific amount of time to complete a task before access expires. Privileged sessions are a mechanism to manage who can have access to a digital resource, and for how long, where the privileged user may be a human or a machine with elevated privileges.

Access is immediately cut off when a session expires. At that point, if a privileged user needs to re-access that resource, they must reauthenticate and request access to continue working or to perform another task. These privileged resources can be a SaaS tool, an on-prem application, control settings for a router or a database of customer information. PAM security as technology controls access to critical infrastructure like the resources mentioned here.

How to create a Privileged Session?

To create a privileged session, you need to control a few aspects of admin access: no shared credentials, no unlimited access, the ability to shut down access automatically, password vaulting and monitoring of privileged activity. You need to know in real time who is accessing a critical resource, what they are doing while they are there, how long they’ve been in the resource and when they need to log out of it. To create a secure privileged session, you need to know whether the user has the proper permissions to access the resource being requested, and you need to issue temporary credentials that the user never sees. The user permissions need to have an expiration element associated with them, and the rights should be limited to the specific tasks and activities that can be executed during that session. Combined with security features such as a repository of user biometric and behavioral data to monitor for anomalies in user activity, you can create an IT environment that delivers efficient and secure privileged sessions to your administrators.

How to kill a session for privileged users?

Sessions can be killed by a timeout, whose length is set by the administrator. A session can also be forcibly ended when a user violates a policy set by the administrator.

Privileged Session monitoring vs recording

The difference between session monitoring and session recording is significant. Monitoring a privileged session, in its purest sense, is simply watching a session for anomalous or risky behavior by the privileged user accessing a resource. Alerts can be sent, but monitoring doesn’t necessarily mean any action is taken to shut down the privileged access. It’s akin to one sibling watching another take an extra treat from the cupboard and saying “I’m gonna go tell mom” while the second sibling carries on in the meantime. Monitoring can trigger automated suspension of a session, but the session isn’t recorded beyond logging data. Session recording, by contrast, is watching and recording all the behavior of a user, down to keystrokes and mouse movements. This recording can be reviewed like a video tape to see exactly what a user did, rather than interpreting data and inferring specific behaviors from it. This elevated level of recording can be critical for forensic analysis, and it is also useful for training purposes to avoid similar mistakes or risky behaviors in the future. When monitoring and recording of privileged sessions are tied to real-time alerting and blocking, they become a powerful cybersecurity tool to stop bad and risky behavior before it can result in far-reaching and expensive impacts.
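As an added illustration (not One Identity code) of the controls described in the sections above, this Python sketch of a hypothetical session broker issues a time-boxed session without revealing the vaulted credential, terminates it on timeout or on a command outside the allowlist, and keeps a transcript of every attempted command. The SessionBroker class, the vault contents and the command names are constructed for the example.

```python
import secrets
import time
from dataclasses import dataclass, field

# Constructed placeholder vault: the broker holds target credentials, the admin never sees them.
VAULT = {"db01": "placeholder-vaulted-password"}


@dataclass
class Session:
    user: str
    target: str
    expires_at: float                 # clock value after which access is cut off
    allowed_cmds: frozenset           # functional limit: only these commands may run
    token: str = field(default_factory=lambda: secrets.token_hex(16))
    transcript: list = field(default_factory=list)   # recording of every attempted command
    active: bool = True
    end_reason: str = ""


class SessionBroker:
    """Hypothetical broker that issues, polices, records and terminates privileged sessions."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock            # injectable clock so expiry can be tested deterministically
        self.sessions = {}

    def grant(self, user, target, ttl_seconds, allowed_cmds):
        # Issue a time-boxed session; the caller gets an opaque token, never VAULT[target].
        if target not in VAULT:
            raise KeyError(f"unknown target {target}")
        s = Session(user, target, self.clock() + ttl_seconds, frozenset(allowed_cmds))
        self.sessions[s.token] = s
        return s.token

    def run(self, token, cmd):
        s = self.sessions[token]
        if s.active and self.clock() >= s.expires_at:
            self._terminate(s, "timeout")           # time limit reached: kill the session
        if not s.active:
            return f"denied: session ended ({s.end_reason})"
        s.transcript.append((self.clock(), cmd))    # record before deciding, so violations are kept
        verb = cmd.split()[0] if cmd.split() else ""
        if verb not in s.allowed_cmds:
            self._terminate(s, f"policy violation: {cmd!r}")   # policy breach: kill the session
            return "denied: command not permitted; session terminated"
        # Here the broker would open a connection using VAULT[s.target] and relay cmd to it.
        return f"ok: ran {cmd!r} on {s.target} as {s.user}"

    def _terminate(self, s, reason):
        s.active, s.end_reason = False, reason
```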

What is One Identity Safeguard for Privileged Sessions?

With One Identity Safeguard for Privileged Sessions, you can control, monitor and record privileged sessions of administrators, remote vendors and other high-risk users. Content of the recorded sessions is indexed to make searching for events simple and to help automate reporting, so you can easily meet your auditing and compliance requirements. The solution can also serve as a proxy that inspects protocol traffic at the application level, which makes an effective shield against attacks by rejecting all traffic that violates the protocol. For more information about One Identity Safeguard for Privileged Sessions: