Hello, my name is Ian Stimpson. I'm a solution architect at One Identity. I've got the pleasure in taking you through this next session on Safeguard Privileged Access Management, the core capabilities. We're going to be looking at Safeguard as a solution for solving your privileged access management requirements. And we're going to focus in on what are the core requirements of a PAM solution.
Safeguard, Privileged Access Management-- we're going to now look at some of the high-level capabilities of Safeguard as a solution focusing around solving your privileged access management challenges. But let's really step back. What actually is Safeguard? What is privileged access management? Well, for Safeguard, it's all about being a hybrid-ready, easy-to-use, and comprehensive PAM solution, Privileged Access Management.
As you can see here from the graphic, you can see myself logged into the Privileged Passwords portal. It's a really nice, clean, easy-to-use interface. And you'll see this in the demonstration. What this is really focused on is all about securing, controlling, monitoring, and analyzing, and governing that privileged access across multiple environments and platforms. We're providing full role-based access control with automated workflows to grant the privileged credentials to those users, those privileged users, that require that level of access.
It's also got the ability to manage these credentials, manage these passwords from anywhere using nearly any device. And importantly, it's all about having the visibility with our privileged sessions, the auditor capability of actually finding that needle in the haystack, being able to control and monitor and record the privileged activity of those high-risk users, be it remote vendors or administrators. And as I say, you'll see this in the demonstrations that are going to follow shortly.
But let's have a look. How does this help your business? How does Safeguard benefit your business? Well, I look at this from a few different driving forces. Now, from Safeguard's high-level capability, it's all about reducing that attack surface, delivering low total cost of ownership, and if you're looking at cyber insurance, providing that foundation for cyber insurance.
But looking at this from a high level, the security, all about reducing that enterprise attack surface, and it does this by automating and simplifying the granting of these privileged credentials. From a compliance perspective, maybe you're coming at it from that angle, ensuring that your organization can meet those requirements, meet those auditor requirements by indexing and searching and having the ability to find that needle in the haystack part, finding those events that are critical to your business.
And then from a governance perspective, identifying any abnormal behavior, identifying any high-privilege users that are doing something that's out of the ordinary. Now, that could be the engineer coming in at 2:00 in the morning accessing an asset. Now, that might be normal. But it might be that that's abnormal behavior. But from the business perspective, you want to be informed of that.
And then from the cost perspective, in the world that we live in today, I think cost is extremely important for everyone. And having a solution that's appliance-based, being able to reduce the total cost of ownership while still meeting those cyber security requirements, is absolutely paramount. And we do this with this simplified deployment and management.
Now, from the core capabilities that we're talking about here, from a commercial perspective, we offer this in what I've got on the screen here as a Safeguard Privileged Security Bundle. We find this is a great starting point for many organizations. It combines the solutions of the Privileged Passwords, which is really that protection of those critical credentials and passwords across your applications and systems, protecting those systems themselves by recording, monitoring, and controlling access to those systems in a very secure way using a protocol proxy, and then finding out any questionable behavior.
I used the example of an engineer coming in at hours that might not be normal to them. But it can also detect things around their behavior like how they're typing on the keyboard, their mouse movements, really looking at that user behavior and providing the analytics behind that, all providing this back to the business.
So Safeguard Security Privileged Bundle is a great starting point. But it's also important to be aware of our bigger family within the PAM portfolio. And I'm just going to touch on this at a very, very high level. So this session is focused around the Safeguard core capabilities. But quite often, it's very important to have the visibility and the governance.
And we can provide that with the Identity Manager, providing things like privileged access governance to really provide additional value with our Active Roles Solution to provide delegated Active Directory administration and Azure Active Directory or Entra, as it's now called, providing that role-based access for your administrators of your directory services.
We provide Unix account unification. We provide the ability to authenticate to your Unix and Linux platform using your Active Directory credentials, and then doing the privileged elevation and delegation management with our Safeguard services for SUDO, again, looking at providing that capability.
And then, we have our Windows Privileged Management, Safeguard Privileged Manager for Windows, for looking at that privileged elevation across your Windows estate. Now, this is all backed up with our One Identity Starling Cloud Services, again, providing this capability across this portfolio.
Now, the demonstrations that we're looking at here are all focused on that core capability. The first demonstration, I'm going to look at authentication. It's really important to provide strong authentication and numerous options for that, providing a solution that is easy to use. The last thing you want is a security solution that gets in the way of your privileged users, because they will try and find a way around it. You need to ensure it's easy to use for them without causing issues with the way that they actually work.
Now, the examples we're going to look at here are what I refer to as a requested access. As an engineer, I'm going to request access to an asset. I'm then going to show you how you can do what I refer to as bring your own client with credential injection at the gateway. And then we're going to look at combining some of the capabilities and doing just-in-time privilege elevation. So let's get started.
Now firstly, within my demonstration environment, I've got a few options configured for authentication. It's all about proving who you are to Safeguard. And that needs to be done securely and strongly. Now, we have local authentication options, really, really beneficial. We have LDAP, Active Directory.
In my example, I'm doing an external federation. I'm reaching out to my identity provider, being OneLogin. Now, I'm doing this because it lets me use OneLogin Protect, and I can use my biometrics and accept this one-time password. And now I've authenticated in securely using strong authentication and doing this in a passwordless capability.
Now, I've logged into the portal. Now, you can see, it's a nice, clean, easy-to-use interface. I have my favorites. I have my request portal. And for the first option, within two clicks, I'm going to have a secure connection on to my CentOS box. We can see here that I'm requesting it for this moment in time. It's for this CentOS asset using a vaulted credential over SSH.
Now, I've launched that session. It's then in the background got an automatic approval. My entitlement and policy doesn't require an approval. It's automatically granted to me based on my role in the business. I can see that it's appeared in the portal. The request is there. And I can quite simply, depending on where I'm coming in from, launch it via the web session or via, in this example, starting my SSH client. So within literally a couple of clicks, I've got a secure connection to this box with the privileges I require.
And we can see here that we're going to flash up a warning to the engineer saying that this session is being audited as per company policy. We can then see that I'm using sguser3 as a vaulted credential in terms of gaining access to this asset. So that was the ease of use, very straightforward but very powerful and very secure.
Now, the next option here is I'm going to actually make a new request. So I'm going to take you through the request mechanism. It's a really nice, intuitive interface. I'm going to search for my CentOS assets. It's brought the list up here. And I'm going to select the access type in this example being a credential, a password.
I'm going to click on Next. And you'll notice the access policy is slightly different. It requires me to give a reason for this and a comment. Now, the reason is that I'm requesting a credential. Now, for the credential request, it requires an approval behind the scenes. So in this example here, I'm using Teams integration to grant the approval. So we'll see here a notification has been fed into my Teams client, and I now need to approve that request or investigate it further.
I can then see that this credential has been released. And as an engineer, I can view or copy that credential and use it as is required. Now, once it's used, according to company policy, that's going to be rotated and replaced with another strong credential. And the account can then be disabled after use as well.
So the next option is what I refer to as bring your own client. And my client in this example is a KiTTY client. I've saved a session here, which is, as we open up here, we'll see that I'm doing a gateway authentication as Ian Stimpson. I'm using my Active Directory credentials so I need to authenticate at the gateway.
And then it's going to reach inside the vault and pull out the credential for me to access this CentOS box. So again, we can see here, I'm using a different credential, but again, pulled from the vault based on my entitlement. And that's what we refer to as bring your own client, really powerful capability without impacting the way users might be working today.
Now, the next option that we're going to look at here is what I refer to as the just-in-time access. Now, I saved this as a favorite. We can see here, this is my member server, BFDAR3, and this is the temporary-- well, the SGTEMP domain admin credential that I'm using as part of this connection.
Now, if I go into my Active Directory Users and Computers, we can see that that credential is deactivated at the moment, and it also has no standing privileges. It's only a member of domain users. Now, as an engineer, that really doesn't matter to me because all I'm going to do is submit the request. And I'm going to be given an account with the permissions required to access this target asset.
Now, in the background, Safeguard has re-enabled the account. And then with the Active Roles integration, we're using a dynamic group to add the permissions to this user. And in this example, we're nesting him in the Domain Admins group. So it's a really strong way of providing just-in-time privilege elevation and just-in-time access. Now as I say, as an engineer, I'm going to launch this session. It's going to inject that credential. The credential's got the required permissions that I need to carry out my tasks. So I've now RDPed onto this server.
Now I'm going to simulate a few tasks here. This is really laying some capabilities that I'm going to show you in the next demonstration. So some of the first things that I'm going to do here is I'm going to bring up, from within the Windows platform here, PowerShell. And we can see here, I've typed out whoami. And we can see this is SGTEMP_domainadmin1.
I'm now going to simulate being a bit of a bad actor. I'm going to try and hide my behavior, hide what I'm doing. And I've typed out some commands in the background there and then closed down PowerShell. Now, I think I'm being a bit clever and actually hiding my tracks, but Safeguard for Privileged Sessions is a protocol proxy. So all of this is being indexed and made searchable.
In Notepad, again, just for demo purposes, I've typed out unite 2023. And we're going to save that locally on this server. And you'll see this will make sense when I go into the next demonstration because we're going to do some searching and actually find this needle in the haystack of what's been entered here.
So as I log out of this session, I'm then going to close down my request within the Password Portal. And what we're going to see here is that account is then going to revert to being disabled. And it's also going to have the permissions removed. It really is true just-in-time privilege elevation, a really secure way. Credentials are being rotated. It's also having the permissions removed, and the account is being disabled after use or when not in use, a really, really powerful way.
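The just-in-time lifecycle described above (account at rest disabled with no standing privileges, enabled and nested into Domain Admins for the session, then stripped, rotated and disabled again on close) written out as an added PowerShell example. This is illustrative code, not Safeguard's or Active Roles' own mechanism: it assumes the RSAT ActiveDirectory module on a domain-joined admin host, takes the SGTEMP_domainadmin1 account and Domain Admins group from the demo, and the resting-group set and the gateway hand-off are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not Safeguard's or Active Roles' code): a minimal just-in-time
# elevation lifecycle for an account that holds no standing privileges.
# Assumes a domain-joined admin session with RSAT installed. Account and group
# names are from the demo; the resting-group set is an assumption.

$JitAccount    = 'SGTEMP_domainadmin1'   # rests disabled, member of Domain Users only
$JitGroup      = 'Domain Admins'         # privilege nested in only for the session
$RestingGroups = @('Domain Users')       # assumed: the only membership allowed at rest

function Test-RestingState {
    # True when the account is disabled and holds no group beyond its resting set.
    param([string]$SamAccountName)
    $user   = Get-ADUser -Identity $SamAccountName -Properties Enabled
    $groups = Get-ADPrincipalGroupMembership -Identity $SamAccountName |
              Select-Object -ExpandProperty Name
    $extra  = @($groups | Where-Object { $RestingGroups -notcontains $_ })
    return (-not $user.Enabled) -and ($extra.Count -eq 0)
}

function New-RandomPassword {
    # 256 bits from the OS CSPRNG, base64-encoded, returned as a SecureString.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return (ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force)
}

function Grant-JitAccess {
    # Rotate, nest into the privileged group, then enable; refuse if the
    # account is not at rest (a previous checkout was not cleaned up).
    param([string]$SamAccountName, [string]$Group)
    if (-not (Test-RestingState $SamAccountName)) {
        throw "$SamAccountName is not at rest (enabled or still privileged); refusing to elevate"
    }
    $password = New-RandomPassword
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $password
    Add-ADGroupMember -Identity $Group -Members $SamAccountName
    Enable-ADAccount -Identity $SamAccountName
    Write-Verbose "Elevated $SamAccountName into $Group at $(Get-Date -Format o)"
    return $password   # assumed: handed to the gateway for injection, never shown to the user
}

function Revoke-JitAccess {
    # Disable first so the credential cannot start a new logon, then strip the
    # privilege, rotate once more, and prove the account is back at rest.
    param([string]$SamAccountName, [string]$Group)
    Disable-ADAccount -Identity $SamAccountName
    Remove-ADGroupMember -Identity $Group -Members $SamAccountName -Confirm:$false
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword (New-RandomPassword)
    if (-not (Test-RestingState $SamAccountName)) {
        throw "$SamAccountName did not return to rest; investigate before the next request"
    }
}

# Lifecycle around one checkout; the request/approval step stays with the PAM policy.
$cred = Grant-JitAccess -SamAccountName $JitAccount -Group $JitGroup
try {
    Write-Verbose "Session in progress through the proxy with the injected credential"
}
finally {
    Revoke-JitAccess -SamAccountName $JitAccount -Group $JitGroup
}
```

The order in each function is deliberate: elevation refuses to run unless the account is provably at rest, and revocation disables before it removes the group so that a failure halfway through leaves the account unusable rather than privileged. The final Test-RestingState call is the check an auditor would want to see logged after every session.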
So let's just recap on that. What you're seeing here is the ability to authenticate securely and strongly. In my example, I was using identity provider OneLogin to provide passwordless authentication. We then saw the easy-to-use interface gaining access. I then made a request from my favorites to my CentOS box with credential injection, really non-intrusive for the engineer. And then I used a bring your own client. I used my own KiTTY client to launch that session and do gateway-based authentication and injecting the credential from the vault. So your engineers can bring their own client and use what they're used to.
And then finally, we looked at doing a launch of an RDP session to my member server from one of my favorites. With that, the member server, the credentials were enabled and the permissions were applied just when I required them and then reverted back, as we can see here still on the screen, to a disabled account with no standing privileges.
So let's look at the second demonstration. And this really follows on from the first. We're going to be looking here at the auditing and compliance of the solution, putting an auditor's hat on. We're going to search through some of these privileged sessions, what I refer to as finding that needle in the haystack. And we're going to be looking for any abnormal behavior. And this is using machine learning, using the analytics, looking at the user behavior that sits behind all of this.
So here we are at the screen that I was at just before we finished the last demonstration. We can see I'm logged in here as myself. So I'm here at the Privileged Password Portal. Now, what I'm going to select here is the link solution, which is our Safeguard for privileged sessions.
So I'm kind of wearing two hats. I'm now going to wear the auditor hat, and this gives me the ability. So I'm going to select the Linked Product being the sessions. And from here, we'll see we're doing that single-sign-on into the Sessions portal. And there's many capabilities within here, but we're just going to scratch the surface. I'm going to focus in on the searching and the auditing.
So we can see here from the sessions, these are all of the privileged sessions that have been carried out. There's some great capability to filter. Based on username, I could look for anything that Alan or John or Eric has been up to. I could focus in on specific assets or protocols or where the verdict has been denied or accepted. But the great thing here is finding that needle in the haystack.
So I'm going to do a search initially around my colleague Eric. I'm going to have a look. What's Eric been actually doing? And we can see here there are four sessions on the 6th of September where Eric was using a vaulted credential, two different ones, to a Windows and a CentOS box.
Now, the other area here that we're going to show you is some of the power of this search. So I'm going to do a search for any sessions that contain the word "confidential." And there are four that have come back in this time window. But let's extend the time window to all time in the database. And we can see we've got a few more sessions that have come back there.
So let's clear out that search query. And this time, let's expand this to all time in the database again and do a search for any sessions that contain the word "unite." And we can see we've got two sessions that come back here from the 5th and 6th of September. If I go into this one, we can see all of these events, the overview of the events, and then drill into the detail.
We can look at the different channels and then look at the timeline. So I'm going to search in the timeline of this session for where the word unite actually appears. We can see where this brings it back and where it's visible on the screen. So again, really, really powerful way of finding this.
Now, I could further investigate this. I could download the audit trail. Or as I've done in this example, I'm going to play this back in the browser. For demo purposes, I've sped this up to five times, but this does provide that visibility from the start to the finish of that privileged session. We can jump forward, as you can see here, to the interesting events.
And what you'll notice on the task bar at the bottom, it's detected the mouse movement. But it's also detected the keyboard entry. And when simulating a bad actor, all I really did was type out Get-Process. But because we're a protocol proxy, we're actually indexing those keyboard entries that the engineer has made. Now, it's not necessarily saying the engineer has done anything wrong. It's all about mitigating those circumstances.
Now, let's look for some abnormal behavior. Now, this is a demonstration environment, but there are a few unusual behaviors being reported, as you can see from the red and amber on the screen. And what I've done, I'm using the great search capability of building a query. And I'm going to use analytics is greater than 50. I'm then going to select myself as a username. So the user equals Ian Stimpson.
And once I've selected myself as a user, I'm then also going to select where the connection was terminated. So it's a search query based on an analytic score greater than 50, username is Ian Stimpson, and the verdict is terminated. So we'll do a quick search there, and it's going to bring back all of these sessions.
Now, I can then drill into these again to look at more details. So I could replay it back as I did in the previous demonstration, or I could just look for the interesting events in the timeline. And we can see here, I know why this has been flagged as unusual behavior, because it's a new server or a new asset that I built for configuring remote desktop services to go in conjunction with the Safeguard Remote App Launcher.
And we can further drill into this by looking at the analytics, and we can actually see which servers are normal, which servers are abnormal within here. And we can see that this is an asset that has been recently deployed, which is why it's flashing up with those details of being at 100 in terms of unusual activity.
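The three searches walked through above (a full-text "needle in the haystack" search with a widening time window, the per-session timeline lookup, and the query "analytics score greater than 50 AND user is Ian Stimpson AND verdict is terminated") expressed as an added PowerShell example over a constructed set of indexed session records. This is not Safeguard for Privileged Sessions' search engine or its data: the session records, scores, dates and typed text below are invented for illustration, and the field names are assumptions.

```powershell
# Added example (not Safeguard's own search engine or data): the demo's queries
# over a constructed set of indexed privileged sessions. Every record, score,
# date and typed event below is invented for illustration.

$Sessions = @(
    [pscustomobject]@{ Id = 1; User = 'Eric';         Date = '2023-09-06'; Protocol = 'SSH'; Asset = 'centos-01';  Score = 8;   Verdict = 'ACCEPT';    Events = @('ls -la', 'cat confidential.txt') }
    [pscustomobject]@{ Id = 2; User = 'Eric';         Date = '2023-09-06'; Protocol = 'RDP'; Asset = 'BFDAR3';     Score = 15;  Verdict = 'ACCEPT';    Events = @('whoami', 'Get-Service') }
    [pscustomobject]@{ Id = 3; User = 'Ian Stimpson'; Date = '2023-09-06'; Protocol = 'RDP'; Asset = 'BFDAR3';     Score = 30;  Verdict = 'ACCEPT';    Events = @('whoami', 'Get-Process', 'notepad: unite 2023') }
    [pscustomobject]@{ Id = 4; User = 'Ian Stimpson'; Date = '2023-09-05'; Protocol = 'RDP'; Asset = 'rds-new-01'; Score = 100; Verdict = 'TERMINATE'; Events = @('mstsc', 'unite') }
    [pscustomobject]@{ Id = 5; User = 'Ian Stimpson'; Date = '2023-08-20'; Protocol = 'SSH'; Asset = 'centos-01';  Score = 72;  Verdict = 'TERMINATE'; Events = @('sudo -l', 'cat confidential.txt') }
    [pscustomobject]@{ Id = 6; User = 'Alan';         Date = '2023-09-04'; Protocol = 'SSH'; Asset = 'centos-02';  Score = 55;  Verdict = 'ACCEPT';    Events = @('ls', 'cat notes.txt') }
)

function Find-SessionsContaining {
    # Full-text search over the indexed keystrokes and window titles of every
    # session; $Since narrows the time window (default is all time in the store).
    param([object[]]$Sessions, [string]$Needle, [datetime]$Since = [datetime]::MinValue)
    $pattern = [regex]::Escape($Needle)           # literal match, case-insensitive by default
    $Sessions | Where-Object {
        [datetime]$_.Date -ge $Since -and @($_.Events -match $pattern).Count -gt 0
    }
}

function Get-MatchingEvents {
    # Timeline view of one session: at which event positions the needle appears.
    param([object]$Session, [string]$Needle)
    $pattern = [regex]::Escape($Needle)
    for ($i = 0; $i -lt $Session.Events.Count; $i++) {
        if ($Session.Events[$i] -match $pattern) {
            [pscustomobject]@{ SessionId = $Session.Id; Index = $i; Text = $Session.Events[$i] }
        }
    }
}

function Find-AnomalousSessions {
    # The demo's query: analytics score above a threshold, for one user, with one verdict.
    param([object[]]$Sessions, [string]$User, [int]$MinScore, [string]$Verdict)
    $Sessions | Where-Object {
        $_.Score -gt $MinScore -and $_.User -eq $User -and $_.Verdict -eq $Verdict
    }
}

# "confidential" within a recent window (one hit), then across all time (two hits)
Find-SessionsContaining -Sessions $Sessions -Needle 'confidential' -Since (Get-Date '2023-09-01') | Select-Object Id, User, Date
Find-SessionsContaining -Sessions $Sessions -Needle 'confidential' | Select-Object Id, User, Date

# "unite" across all time (sessions 3 and 4), then where it sits in each timeline
$hits = Find-SessionsContaining -Sessions $Sessions -Needle 'unite'
$hits | ForEach-Object { Get-MatchingEvents -Session $_ -Needle 'unite' }

# score > 50 AND user = Ian Stimpson AND verdict = terminated (sessions 4 and 5)
Find-AnomalousSessions -Sessions $Sessions -User 'Ian Stimpson' -MinScore 50 -Verdict 'TERMINATE' | Select-Object Id, Asset, Score
```

Two things the constructed data is arranged to show: widening the time window changes the result set (the older "confidential" session only appears once the window is opened to all time), and the three predicates of the anomaly query each remove something (Alan's session scores above 50 but was accepted, and the 6 September session by the same user scores below the threshold), which is why an auditor composes them rather than sorting by score alone.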
So I'm going to now summarize what you've really seen here. We've really looked at the core capabilities of Safeguard in this session. Now, Safeguard has some really key capabilities around multi-cloud, the ability to be deployed in and manage multi-cloud environments. The session audit capability really is superior, being able to find that needle in the haystack, being able to monitor and audit and view those privileged sessions for those high-risk users. And then building up the user behavior, using behavioral analytics and actually finding what is abnormal behavior. In my example, it flagged that I was accessing a server that I had not accessed before and carrying out unusual activity.
We can then go off and reach and manage legacy systems, again, really important for environments that have legacy systems within them. And one of the key areas here is it's frictionless. The last thing you want to do with a security solution is introduce friction to your business, being able to monitor the privileged sessions transparently for those privileged users and allow the users to bring their own client when they would like to.
We've got a full plug-in and connector framework, a really robust API for the development side and integrating with different systems, certifications that back up the solution, and then one of the things we didn't touch on here is a secure remote access solution within Safeguard that provides that access without requiring a VPN, a really, really powerful capability for providing secure remote access.
And then PAM for DevOps. My colleagues have covered this in additional recordings on our YouTube channel that really show the power of our DevOps capability with Privileged Access Management for DevOps. And I certainly recommend you take a look at that if that's of interest to you. Then, absolutely, this is all about driving that operational security and resilience.
Now I would like to thank you for taking the time to listen to this session. I would also recommend that you listen and watch some of the additional sessions that are available on the YouTube channel around Safeguard and our other solutions within our portfolio there as well.