Privileged Access Management
Being both indispensable and essential, privileged accounts require special consideration and treatment. PAM provides you with all the controls around securing and protecting all critical systems and resources.
Manage and Record User Sessions
All PAM sessions can be real-time monitored and recorded for review, auditing, and training purposes.
Secure Password Vaulting
PAM users never have the password revealed to them. This prevents sharing of credentials and other attacks.
Full Compliant Access
Via real-time alerts on critical activities, full inventories and monitoring of all systems, accounts, and groups.
Manage and Record Privileged User Sessions
Privileged accounts are both a necessity and a liability. These accounts, with their nearly unlimited access to system resources, are essential for everyday IT operations, yet abuse of privileged accounts is cited as the cause of 62% of security breaches. EmpowerID protects privileged account access by enabling access without exposing the login credentials of privileged accounts. EmpowerID separates authentication from access control by storing and retrieving passwords from a secure, encrypted password vault.
Our system automatically retrieves passwords and presents them to the target system on behalf of the user, to establish the desired RDP, SSH, or web browser SSO session. Individuals never see or possess the credentials, so they’re not exposed to the risk of compromise or theft by individuals or malware. RDP and SSH sessions can also be recorded, offering DVR-like playback controls for auditors and investigators to review everything that happened during a session.
Securely Vault and Share Passwords
More than half of organizations share privileged passwords internally. Unfortunately, this process typically consists of writing them down on Post-it notes, sending them through email, or sharing spreadsheets containing master lists of multiple passwords. All of these methods are extremely insecure and have been linked to breaches. EmpowerID provides a password vault that enables the secure sharing of passwords and other sensitive information such as API keys or digital certificates.
The latest AES 256-bit encryption with PBKDF2 SHA-256 and salted hashes ensure complete security. When a user saves or retrieves vaulted information, they must enter their master password, which is a unique key that is never saved on your EmpowerID servers. Without this key, a user’s copy of vaulted information can never be decrypted, not even by your server administrators.
Just In Time Access Infrastructure
A just-in-time and just-enough administrative access infrastructure can dramatically reduce an organization’s attack surface and risk profile. Users require privileged access when performing administrative duties, but permanent access can invite misuse. A just-in-time privileged access system grants temporary access to decrease risk. With EmpowerID, business users can request temporary elevation of their own privileges or use shared privileged accounts that can be pre-configured or elevated on demand.
In EmpowerID’s shopping cart utility, users can search for the credentials they need to access and put them in their cart to request access. The EmpowerID workflow engine then references an organizational hierarchy to determine which items need approval, how many approvals are needed, and who must approve each. Requests are automatically routed for approval, and their status is tracked in a business-user friendly interface. All participants are kept informed by email notifications and all requests, decisions, and associated fulfillment actions are recorded and integrated into an access recertification process.
Discover and Control Local Computer Administrators
Attackers frequently target local computer administrator accounts as a first step in order to gain privileged access to an organization’s IT network. Local admin accounts effectively “own the machine”, with full access to all local resources, including any databases. This access represents a potential audit risk for regulations such as SOX, HIPAA, PCI-DSS, FINMA, MAS, FISMA, and NERC. Local admin accounts can also serve as a stepping stone to a company’s most valuable network data. EmpowerID inventories your servers to discover, monitor, and control local users and groups, including local administrators. Role and attribute-based access control policies control membership of the local administrators group and allow for access requests through the IT Shop.
Office 365 and AWS Access Management
Office 365 Global Administrator roles and AWS IAM administrative access provide nearly unlimited access to all aspects of your tenant. EmpowerID extends sophisticated access controls to your Microsoft Office 365 and Amazon AWS Cloud infrastructure to eliminate the need to grant native access for identity administration in these systems. Identity administration tasks can be performed in the EmpowerID web interface with granular delegation and auditing.
And if native access is ever required, EmpowerID initiates just-in-time access using federated single sign-on that eliminates the use of passwords. Just-in-time access for AWS even eliminates the need to create or maintain AWS IAM admin users entirely, as EmpowerID delivers a user’s currently authorized access as AWS roles during the login process.
Adaptive Multi-Factor Authentication
To prevent data loss and costly public security breaches, multi-factor authentication of privileged account users is a powerful second line of defense for your organization. EmpowerID includes a powerful adaptive authentication engine that analyzes contextual information such as the IP address of the user, the device they are using, and other factors to dynamically assess the risk of each login. If a risk is identified, a strong second factor can be required to prove the user's identity.
To ease user adoption, 24+ multi-factor authentication options are available, including device authentication, one-time passwords sent to mobile phones, YubiKey Universal 2nd Factor Authentication, Duo Push, knowledge-based authentication (Q&A), and an OATH token server for issuing one-time password tokens. Our wide range of options ensures that every user can perform a strong authentication with minimal hassle, even from their mobile devices. Multi-factor authentication services can be used for all types of authentication, including web SSO, LDAP, and RADIUS.
Reporting and Alerting
EmpowerID brings intelligence and in-depth visibility to help you manage privileged account access. With EmpowerID, your systems are continuously inventoried and monitored for changes. A complete audit of all privileged accounts and groups reveals where your risk lies and how these key accounts are being accessed and used. Real-time alerts inform key personnel of critical activities such as privileged account usage, password changes, lockouts, and changes to sensitive group membership. Security admins and auditors can view actionable intelligence on the go from their mobile devices or subscribe to reports.