What is Privileged Session Management?

Privileged session management is a control feature that limits how long and for what purpose an admin – which can be human or a machine – can access a digital resource. Privileged users can access critical IT assets, such as the management UI for devices or the root file for UNIX server. Sessions management is an additional level of control and security that puts a time limit – or a functional limit along with a time limit – on what the admin can access for that particular session. This instructional web page is directed at non-privileged users and procurement managers assessing One identity for investment.

In the simplest worst-case scenario, if your PAM security system is a legacy system, it may have a simple admin access policy of yes or no. The privileged user has access to everything or nothing. Often with legacy systems, this elevated access may have been managed with shared credentials, which meant there was no individual accountability nor was there any limitations on what an admin could access. With that said, for IT infrastructure to function, there needs to be users that have privileged access at the end of databases, control infrastructure, set user-access permissions and add code to apps to make them even better. But you can’t just leave the vault door open all the time, that encourages users who shouldn’t be in there to be in there. You must control it. So, you give them a time limit and you don’t ever share the keys or the access code with them directly. If they need to access critical infrastructure, they can ask and get issued a hidden password with access that allows them limited capabilities and a specific time limit. They can’t stray from their purpose, and they can’t stay longer than the need to. So, privileged session management is just that, elevated access that has a specific time limit for a user to get a task completed.

Privilege sessions are akin to when mom says she’s counting to three by which time you need to choose an afternoon snack and close the refrigerator door. If you can’t decide on what to eat by the time mom says ‘three,’ your access to the privileged resource – in this case the refrigerator – is immediately shut down. On a more technical level, a privileged session is when an admin is allowed access to a resource for a specific amount of time to complete a task before access expires. Privileged sessions are a mechanism to manage who and how long a privileged user – human or machine user with elevated privileges – can have access to a digital resource.

Access is immediately cut off when a session expires. At that point, if a privileged user needs to re-access that resource, they must reauthenticate and request access to continue working or to perform another task. These privileged resources can be a SaaS tool, an on-prem application, control settings for a router or a database of customer information. PAM security as technology controls access to critical infrastructure like the resources mentioned here.

To create a privileged session, you need to control a few aspects of admin access, such as no shared credentials, no unlimited access, the ability to shut down access automatically, password vaulting and monitoring of privileged activity. You need to know in real time who is accessing a critical resource, what are they doing while they are there and know how long they’ve been in the resource and when they need to log out of the resource. To create a secure privileged session, you need to know if the user has the proper permissions to access the resource being requested; you need to issue temporary credentials that the users never see. The user permissions need to have an expiration element associated with it, and the rights should have specific and limited tasks and activities that can be executed during that session. Combined with security features, such as a depository of user biometric and behavioral data to monitor for anomalies in user activities, you can create an IT environment that delivers efficient and secure privileged sessions to your administrators.

With One Identity Safeguard for Privileged Sessions, you can control, monitor and record privileged sessions of administrators, remote vendors and other high-risk users. Content of the recorded sessions is indexed to make searching for events simple and helps automate reporting so you can easily meet your auditing and compliance requirements. This solution can also serve as a proxy inspecting the protocol traffic on the application level. This makes an effective shield against attacks by rejecting all traffic that violates the protocol. For more information about One Identity Safeguard for Privileged Sessions: