Hitachi ID Privileged Access Manager can be configured to record screen, keyboard and other data while users are connected to privileged accounts. The recording may be of just the window launched to connect a user to a privileged account or of the user's entire desktop.
The session recording system is tamper resistant -- if users attempt to interrupt recording, their login sessions to privileged accounts are disconnected and an alarm is raised.
Session recordings may be archived indefinitely and may serve a variety of purposes, ranging from knowledge sharing and training to forensic audits. Access to recorded sessions is secured through a combination of access control policies and workflow approvals, designed to safeguard user privacy.
Multiple mechanisms are included to launch and record sessions:
In the first four cases, any Windows-compatible client admin tool can be launched with credentials injected. Screen capture, copy buffer, window metadata and keylog data are streamed from the system running the admin tool (which may be the user's PC or a Windows RDS proxy) to the Privileged Access Manager server(s).
In the last case, only SSH and RDP are currently supported. Screen capture, copy buffer, window metadata and keylog data are streamed from the Linux/Tomcat proxy server to the Privileged Access Manager server(s).
The Privileged Access Manager session monitoring infrastructure is included at no extra cost. Both direct and proxied connections may be deployed. No software is deployed on the managed endpoint. There are no fees per proxy server.
In a typical deployment, admin tools including SSH clients, RDP clients, hypervisor admin consoles (e.g., vSphere), DBA tools (e.g., SQL Management Studio) and more may be launched and monitored. Video capture may be of the user's entire desktop or just the launched window.
Launch from Windows/Browser and monitor
There are multiple session capture technologies included in Privileged Access Manager. The most common approach is to instrument the Windows PC or Windows proxy server where a user launches an administration program. This is done by launching an ActiveX component from IE or a browser extension in Firefox, Opera or Chrome.
The browser extension, in turn, launches the administration tool the user wishes to use -- terminal services client (MSTSC), PuTTY/SecureCRT or similar for SSH sessions, SQL Management Studio, vSphere, etc. and passes a target system address, login ID and password into that client.
While the user is connected, the browser extension captures session data -- video, key-log, etc. -- and streams it back to a Privileged Access Manager server. It also checks in with the server regularly to find out whether the user's session should be terminated, for example because the allotted time has run out or because the user's access is being terminated intentionally.
Using a browser extension means that the installation footprint of Privileged Access Manager session monitoring is minimal.
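The check-in described above, together with the tamper-resistance rule stated earlier on this page (a session whose recording stops is disconnected and an alarm is raised), is easiest to see as a small server-side decision function. The following is an added illustration, not Hitachi ID code: the session fields, the `STREAM_TIMEOUT_SECONDS` tolerance and the decision names are assumptions chosen for the example.

```python
"""Model of the periodic check-in between a session-recording agent and the
PAM server: on each poll the server decides whether the session may continue,
must end because its allotted time ran out or its access was revoked, or must
end with an alarm because the recording stream stopped arriving.
Added illustration only; field names and the timeout are assumptions."""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    CONTINUE = "continue"
    TERMINATE_EXPIRED = "terminate: allotted time exhausted"
    TERMINATE_REVOKED = "terminate: access ended by an administrator"
    TERMINATE_TAMPERED = "terminate + alarm: recording stream interrupted"


@dataclass
class PrivilegedSession:
    session_id: str
    user: str
    started_at: float          # seconds on one clock (monotonic or epoch)
    allotted_seconds: float    # time granted by the access request / approval
    last_stream_at: float      # last time recording data (video, keylog) arrived
    revoked: bool = False      # set when an administrator ends access early
    alarms: list = field(default_factory=list)


# Assumed tolerance: how long the server waits for recording data before it
# treats the recording as interrupted. A real deployment would tune this.
STREAM_TIMEOUT_SECONDS = 30.0


def evaluate_session(session: PrivilegedSession, now: float) -> Decision:
    """Server-side decision returned to the agent on each check-in."""
    # Tamper check first: a session with no live recording never continues,
    # regardless of remaining time, and the event is raised as an alarm.
    silent_for = now - session.last_stream_at
    if silent_for > STREAM_TIMEOUT_SECONDS:
        session.alarms.append(
            f"session {session.session_id} user={session.user}: recording "
            f"stream silent for {silent_for:.0f}s, disconnecting")
        return Decision.TERMINATE_TAMPERED
    if session.revoked:
        return Decision.TERMINATE_REVOKED
    if now - session.started_at >= session.allotted_seconds:
        return Decision.TERMINATE_EXPIRED
    return Decision.CONTINUE


def record_stream_chunk(session: PrivilegedSession, now: float, nbytes: int) -> int:
    """The agent delivered a chunk of recording data; refresh liveness."""
    session.last_stream_at = now
    return nbytes


if __name__ == "__main__":
    # Constructed sample session: one hour granted, agent streaming normally.
    s = PrivilegedSession("sess-1", "alice", started_at=0.0,
                          allotted_seconds=3600.0, last_stream_at=0.0)
    record_stream_chunk(s, 10.0, 10_240)
    print(evaluate_session(s, 20.0))   # Decision.CONTINUE
    print(evaluate_session(s, 60.0))   # Decision.TERMINATE_TAMPERED
    print(s.alarms[-1])
```

The ordering matters: the liveness check runs before the time and revocation checks, so an agent that stops streaming cannot keep a session alive by continuing to poll, which is the property the page's tamper-resistance claim rests on.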
HTTPS/HTML5 canvas proxy
The HTML5 proxy server runs Linux/Tomcat plus a combination of Hitachi ID Systems and third party, open source code (Guacamole). An SSH or RDP session is opened from the proxy to the managed endpoint, with credentials retrieved from the vault and injected.
Keystroke, copy buffer and incremental video data are streamed from the proxy to the Privileged Access Manager server(s), to record sessions. The Privileged Access Manager server may instruct the proxy to terminate the connection at any time.
Types of recorded data
The session monitoring infrastructure in Privileged Access Manager is designed to capture any combination of the following data types:
Indefinite session retention
Session recordings may be archived indefinitely and may serve a variety of purposes, ranging from knowledge sharing and training to forensic audits of administrator actions. Access to recorded sessions is secured through a combination of access control rules and workflow processes, to protect user privacy.
The session recording system is tamper resistant -- if users attempt to interrupt recording, their login sessions are disconnected and an alarm is raised.
Privileged Access Manager can be configured to make a recording of a user's PC for the duration of a login session to a privileged account. This includes video capture of either the full screen or just the launched application window(s), key logging, recording of the contents of the copy buffer and even snapshots from the user's webcam.
Full screen and web cam capture
Capturing the full screen gives context for administrator actions. For example, if a user downloads a file from a privileged account to his PC, a recording of just his login window will not show what happens next, but a full screen recording may show the file being copied to a USB drive or uploaded to a web site.
Capturing web cam snapshots reliably links the session to the user in question. In the event of a forensic audit, if the user claims that actions recorded and associated with his profile were performed by someone else, perhaps after stealing his password, there will be clear evidence that it was the user in question who performed them.
Network and storage impact
The session monitor ActiveX component can generate up to about 10 kBytes/second of data, most of which is video. On a modern PC, it will consume no more than 2% to 3% of the user's CPU and only a very small amount of memory.
A single Privileged Access Manager server can collect about 100 concurrent session recording data streams. This means that a load balanced arrangement of 3 Privileged Access Manager nodes can capture sessions from 300 IT workers simultaneously and probably more than 500 users total, 24x7.
The data volume from a single administrator session, assuming a constant stream of data for 8 hours/day, 220 days/year, amounts to about 60GB/year. 100 concurrently active administrators whose every action is recorded will generate about 6TB/year of data.
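The sizing figures above (about 10 kBytes/second per session, 8 hours/day, 220 days/year, about 100 streams per server) can be turned into a small capacity calculator. This is an added worked example, not a Hitachi ID tool; it goes slightly beyond the page by adding a retention period, a node-count estimate and the per-node ingress rate, and the parameter defaults merely restate the page's figures.

```python
"""Capacity estimate for session recording storage and collection nodes.
Added example; defaults are the figures quoted on this page, everything
else (retention years, decimal kilobytes) is an assumption."""
import math

KB = 1000  # the page says "kBytes"; decimal kilobytes are assumed here


def bytes_per_session_year(rate_bytes_per_sec: float = 10 * KB,
                           hours_per_day: float = 8.0,
                           days_per_year: int = 220) -> float:
    """Recording volume produced by one continuously active administrator."""
    return rate_bytes_per_sec * 3600 * hours_per_day * days_per_year


def storage_bytes(concurrent_sessions: int, retention_years: float = 1.0,
                  **session_kw) -> float:
    """Archive size if every session is kept for the retention period."""
    return concurrent_sessions * retention_years * bytes_per_session_year(**session_kw)


def nodes_required(concurrent_sessions: int, streams_per_node: int = 100) -> int:
    """Collection servers needed, given the page's ~100 streams per server."""
    return math.ceil(concurrent_sessions / streams_per_node)


def ingress_bits_per_sec(concurrent_sessions: int,
                         rate_bytes_per_sec: float = 10 * KB) -> float:
    """Network inbound rate at the collectors while all sessions stream."""
    return concurrent_sessions * rate_bytes_per_sec * 8


def human(nbytes: float) -> str:
    """Decimal units, matching the page's GB/TB figures."""
    for unit in ("B", "kB", "MB", "GB", "TB", "PB"):
        if nbytes < 1000 or unit == "PB":
            return f"{nbytes:.1f} {unit}"
        nbytes /= 1000
    return f"{nbytes:.1f} PB"


if __name__ == "__main__":
    print("one admin, one year:", human(bytes_per_session_year()))
    print("100 admins, one year:", human(storage_bytes(100)))
    print("100 admins, 5-year retention:", human(storage_bytes(100, 5)))
    print("nodes for 300 concurrent sessions:", nodes_required(300))
    print("ingress for 100 sessions:", ingress_bits_per_sec(100) / 1e6, "Mbit/s")
```

With the defaults, one administrator produces roughly 63 GB/year and 100 produce roughly 6.3 TB/year, which matches the page's "about 60GB/year" and "about 6TB/year"; the ingress figure (about 8 Mbit/s for 100 sessions) is what a network team would want alongside the storage number.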