In rare instances, IT staff may be suspected of causing harm. When this happens, it is helpful to be able to see directly what the user did while connected to privileged accounts. Such audit logs should persist for years, to support forensic audits.
More generally, policy may dictate that some login sessions should be recorded. This may apply to vendor access, to high-risk systems, or to systems in certain jurisdictions or processing certain kinds of data.
- Hitachi ID Privileged Access Manager can both launch and record login sessions.
- Policy may trigger recording based on the circumstances of the login session:
  - High-risk users, such as vendors, or specific users?
  - High-risk or specific systems?
  - Time of day, day of week?
  - Unusual activity, such as frequent check-outs by the same user?
  - Connections from personal devices or from off-site?
- Policy also determines what data to capture:
  - Screen video.
  - Full desktop or just the launched application.
  - Web cam video (snaps of the user).
  - Keyboard input and the text contents of the copy buffer.
  - Window titles and process names.
  - Events such as mapping a drive.
- Sessions can be watched and/or terminated in real time.
- Sessions are archived indefinitely.
- There are search features to find a suitable recording and to find specific content within a recording.
- Censorship rules and approval workflows act to protect the privacy of users whose activity is recorded.
Session recording, search and playback provide a high level of accountability without impacting the configuration or operation of managed systems.