Recording Access Requests and Login Sessions
Hitachi ID Bravura Privilege logs and can report on every disclosure of access to every privileged account. This means that the time interval during which a user was connected to a privileged account or during which a password was disclosed to a program or person is always recorded, is retained definitely and is visible in reports. Additional details include source and destination DNS names, IP addresses, etc.
Bravura Privilege also logs all attempts by users to search for managed systems and to connect to privileged accounts, even if login attempts were denied. This means that even denied attempts and requests to access privileged accounts are visible in reports.
Bravura Privilege also logs auto-discovery and auto-configuration process status as well as manual changes to its own configuration. This means that the health of systems on the network can be inferred from Bravura Privilege reports.
Exit traps can be used to forward copies of Bravura Privilege log entries to another system (e.g., an SIEM, typically via SYSLOG) for analytics and tamper-proof archive.
Reports Create Accountability
The schema is well documented and is available to all product licensees and evaluators under NDA. The current release schema documentation is about 127 pages long and includes detailed descriptions of every field, table, relation, value constraint, etc.
Hitachi ID Systems customer can add custom reports to the Bravura Privilege web UI, so that they can be run interactively, scheduled, have output delivered via e-mail, etc. These reports are written using short Python scripts that mostly contain a SQL SELECT statement which interacts with the Bravura Privilege back-end database, but can also pull data from other sources (e.g., web services, other SQL databases, LDAP directories, etc.).
Data available through Bravura Privilege includes:
- A list of IDs per target system.
- A list of managed systems per managed system policy.
- A list of users per user group.
- Full detail of transaction history.
- Additional user attributes (e.g., roles, employee ID)
- Select user attributes drawn from target systems.
Bravura Privilege includes many standard reports, executed or scheduled through the web user interface and delivered interactively or by e-mail:
- Users: who can sign into Bravura Privilege, who can authorize requests for privileged access, who have temporarily been delegated approval rights, who can manage Bravura Privilege itself, etc.
- Policies: user classes, access rights assigned to users and user groups, segregation of duties policies.
- Workflow: open requests, request history, non-responsive authorizers.
- Managed systems: target systems and policies.
- Access disclosure: password checkout history, currently checked out passwords, expired passwords (due to be randomized).
- System operation: event log, authentication history, history of updates made to target systems.
- System audit: configuration and policy changes made to Bravura Privilege.
Each report includes a set of search parameters that enables users (who must have the right to run reports) to fine-tune the data they retrieve.
Screen shot: Bravura Privilege dashboard