Skip to main content

LinkedIn Twitter Facebook YouTube
Hitachi ID certification

Product Sites

Privileged Account Activity Management

Privileged account activity management is one of several equivalent terms that refers to privileged access management. This particular variant emphasizes the fact that modern privileged access management systems often include session monitoring capability, to record what was done by users while connected to a shared, privileged account, rather than stopping at granting and revoking access to those accounts.

Hitachi ID Privileged Access Manager can be configured to record screen, keyboard and other data while users are connected to privileged accounts. The recording may be of just the window launched to connect a user to a privileged account or of the user's entire desktop.

The session recording system is tamper resistant -- if users attempt to interrupt recording, their login sessions to privileged accounts are disconnected and an alarm is raised.

Session recordings may be archived indefinitely and may serve a variety of purposes, ranging from knowledge sharing and training to forensic audits. Access to recorded sessions is secured through a combination of access control policies and workflow approvals, designed to safeguard user privacy.

Multiple mechanisms are included to launch and record sessions:

  1. Direct form the user's Windows PC to the managed endpoint, using IE/ActiveX. The ActiveX component may be previously installed or downloaded on demand.
  2. Direct form the user's Windows PC to the managed endpoint, using Chrome, Firefox or Opera and a browser extension. The browser extension may be previously installed (e.g., via software push) or installed by the user on demand.
  3. By prompting the user to launch a downloadable, personalized (per session) executable file onto his Windows PC. This is a single-use download.
  4. By asking the user to first connect via RDP or similar to a Windows/Remote Desktop Services, Citrix or similar intermediate server, and (a) sign into Privileged Access Manager and then (b) launch a session from this proxy server. The same mechanisms as described above are available, but run on the proxy server, rather than the user's PC. The user's PC can run any OS in this case.
  5. By opening a second browser tab to an HTML5 proxy server (running Linux/Tomcat/Guacamole), The session UI is rendered as an HTML canvas on the user's browser, which could be any browser on any OS. The actual SSH or RDP session is established from this proxy onwards to the managed system.

In the first four cases, any Windows-compatible client admin tool can be launched, with credentials injected. Screen capture, copy buffer, window metadata and keylog data are streamed from the system running the admin tool (which may be the user's PC or Windows RDS proxy) to the Privileged Access Manager server(s).

In the last case, only SSH and RDP are currently supported. Screen capture, copy buffer, window metadata and keylog data are streamed from the Linux/Tomcat proxy server to the Privileged Access Manager server(s).

The Privileged Access Manager session monitoring infrastructure is included at no extra cost. Both direct and proxied connections may be deployed. No software is deployed on the managed endpoint. There are no fees per proxy server.

In a typical deployment, admin tools including SSH clients, RDP clients, hypervisor admin consoles (e.g., vSphere), DBA tools (e.g., SQL Management Studio) and more may be launched and monitored. Video capture may be of the user's entire desktop or just the launched window.

Return to Identity Management Concepts

page top page top