Zero Trust and PSM: Effective Privileged Accounts Security and Breach Prevention with EmpowerID

When you consider that 62% of security breaches are attributed to privileged accounts abuse, it raises questions around constraint, limitation, and prevention.
On the one hand, you need these elevated accounts to keep both essential and non-essential systems running. Yet, on the other, the almost unlimited access to system resources they require poses enormous business risk
The only feasible answer here is with the Zero Trust model.
Though the Zero Trust principles of never trust and always verify are applicable here, the third principle is also key.
This 3rd principle states that only the minimal access required should ever be be granted, and only for the minimal time period required. Furthermore, Zero Trust also stipulates that, where possible, all access should be proxied and monitored.
EmpowerID’s Privilege Session Manager (PSM) delivers this.
PSM acts as a web-based gateway to provide authorized users with RDP or SSH access to Windows or Linux servers. But it does so without ever exposing the servers to actual network access.
This dramatically simplifies network security concerns as locations are irrelevant–your users and servers can be anywhere.
The only constraint here is access between the user and the web interface of the PSM itself, and then between the PSM Gateway and the server(s) the user wishes to reach.

• Eliminating VPNs reduces costs and associated bottlenecks that, typically, reduce overall user experience and productivity
• Proxying access prevents direct network connectivity to servers and removes most common malware and hack exploits.
• Strong adaptive identity verification can be enforced.
• Sessions can be optionally recorded as videos for later compliance investigation or verification.

Regardess, in all cases, the password of the privileged credential is never revealed to the end user and eliminates any potential for sharing or misuse.

Microsoft proposes 3 basic tiers for granting credentials in a Windows network:

• AD domain controllers
• Servers
• Workstations

EmpowerID can prove to be an invaluable tool because it allows you to implement as many zones as your organization’s security requires and EmpowerID’s PSM enforces a Zero Trust zoning or “micro-segmentation” strategy. Instead of elevating the access of the user’s existing account, this PSM micro-segmentation strategy allows an organization to use pre-provisioned shared accounts for server access. It also does this without ever revealing the passwords. Within EmpowerID, your own admins will explicitly define which vaulted privileged credentials will be available for use by your admins for specific servers, by zone.

Note: this is a best practice in avoiding lateral movement or pass-the-hash attacks.

For most hackers, gaining access to your organization’s key servers is akin to striking the motherlode.
Sadly, passwords continue to be the weakest link in most organization’s security strategy—both the passwords themselves and the practices surrounding them—and they expose a huge gap.
However, though Multi-Factor Authentication (MFA) for server access is a proven means to plug this gap, research has shown that users are resistant to change
EmpowerID’s Adaptive MFA eases the adoption of more secure identity verification procedures by responding to user login attempts based on your organization’s own policies.
For example, you can specify that users aren’t forced to perform MFA on every server access attempt but rather only when the circumstances warrant it.
These circumstances can be graded, of course. For example, you could set a less stringent set of conditions until users are comfortable with the new system and then reconfigure at a later time.
EmpowerID provides users a wide range of friendly options including:

• One-time passwords (OTP)
• The EmpowerID Mobile phone app which allows users to click to approve their identity verification request
• FIDO/Yubikey tokens
• 3rd parties such as DUO, etc.

Your organization needs a complete Identity Management Security solution. One that encompasses as many, if not all, of the systems your organization contains.
EmpowerID includes one of the largest libraries of IGA system connectors available and helps achieve that.
The Privileged Session Management solution itself benefits from this convergence and leverages the connection that EmpowerID makes.
This connection facilitates automatic discovery of your computers, virtual machines, and privileged credentials. In addition, local computer identities and access can optionally be discovered and managed with the Computer Identity Management module
Once connected, EmpowerID automatically discovers computers, computer objects, and virtual machines wherever they may reside.
Moreover, the most popular platforms for running virtual workloads are supported including: Amazon AWS, Azure, and VMware VCenter.
With computer objects, these can either be automatically discovered from your Active Directory or they can be registered manually in friendly web-based workflows.
Finally, server discovery not only allows your admins to maintain an up to date inventory of the assets they are managing, but also simplifies the process for configuring servers for PSM access.