This document introduces the business case for implementing a session monitoring system to record login sessions to privileged accounts. It examines a series of technological design decisions that must be considered when developing a session monitoring system and offers guidance about how such a system might be best deployed and managed in practice.
Business drivers for recording login sessions
There are three main business drivers for recording the activity of users as they sign into privileged accounts:
- Forensic audits:
In the event that an IT user is suspected of acting, or has been found to have acted, unethically or illegally, it is helpful to be able to play back all of that user's activity, to see what inappropriate actions they may have taken. This data may be required as supporting evidence if the user must be terminated or to support legal proceedings. This data may also be needed to find and reverse any harmful changes the user has made to systems or data.
The knowledge that their actions are being recorded and that they may be held accountable for them may alter user behaviour for the better.
- Knowledge sharing:
Recording user activity makes it possible to replay work. This can aid knowledge sharing in a number of scenarios:
- A user records the steps taken to complete a task and shares this recording with peers, in the context of training. This is intentional, planned knowledge sharing.
- One user accesses a recording of another's actions from some time in the past, to learn how a task was performed. This may be done without the original user's active participation, for example if the original user is unavailable but assistance with performing a task is required urgently.