Most organizations maintain at least one server for storing sensitive information and executing secure resources. For example, an organization may maintain a customer database that stores sensitive information about its customers on a server. Typically, access to such servers is restricted by locating the servers in a secure area and by requiring admin credentials to obtain access to the servers. In this specification, access to a server should be construed broadly as encompassing access to any data stored on the server, access to any application executing on the server (including the operating system of the server), or access to any other computing construct provided by the server.
In such cases, an organization will typically employ one or more administrators to maintain the servers. To allow these administrators to perform their assigned functions, they may oftentimes share the admin credentials for accessing the secure servers so that any one of the administrators can use the admin credentials at any particular time. FIG. 1 depicts this typical scenario. As shown, an administrator 150 uses a client device 102 to access a server 101 using admin credentials known to administrator 150 and possibly to other administrators. Access in this manner is typically accomplished by using a network protocol (e.g., SSH, RDP, Telnet, etc.) to remotely connect to server 101.
Various problems exist with this approach including, for example, that an administrator may retain knowledge of the admin credentials even after his employment with the organization, and that there are few options for identifying which administrator has used the admin credentials to perform a particular task on server 101. To address these problems, an organization may oftentimes employ a privileged account (or access) management (“PAM”) system. Generally, a PAM system acts as an intermediary between server 101 and client device 102 to manage and/or monitor access to server 101.
PAM systems can typically perform two basic functions. First, a PAM system can control and monitor who obtains access to the admin credentials. This is typically accomplished by frequently changing the admin credentials (e.g., after each use of the admin credentials). FIG. 2A depicts an example of a PAM system providing this function. Second, a PAM system can monitor the interactions of the administrator with the server while using a remote session to connect to the server. FIGS. 2B and 2C depict different examples of a PAM system providing this function.
In FIG. 2A, a PAM system 103 acts as an intermediary between client device 102 and server 101 to control and monitor who obtains access to the admin credentials for creating a session with server 101. In this scenario, it will be assumed that PAM system 103 updates the admin credentials (e.g., changes the password) after each time an administrator is given access to the admin credentials (e.g., after each time an administrator checks in the admin credentials). Accordingly, prior to accessing server 101, an administrator is required to request the current admin credentials. As shown, in step 1, administrator 150 uses client device 102 to send a request to PAM system 103 for the current admin credentials for accessing server 101. Typically, this request will first require authentication (e.g., the input of credentials specific to administrator 150) and specify a reason for the request (e.g., to reboot server 101, back up server 101, install or update a server resource, etc.). In such cases, a security officer 151 will be notified of the request. In step 2, the security officer approves the request causing the current admin credentials to be returned to (or checked out to) client device 102 in step 3. Then, in step 4, administrator 150 can use the checked out admin credentials to create a session (e.g., an SSH or RDP session) with server 101 to accomplish the desired tasks. Finally, in step 5, after completing the desired tasks, administrator 150 checks in the admin credentials. Typically, PAM system 103 would then change the admin credentials to prevent administrator 150 from being able to again access server 101 without first repeating steps 1-3.
FIGS. 2B and 2C represent different ways in which PAM system 103 may be configured to allow a session to be monitored. In some implementations, this monitoring can be performed in conjunction with the functions described with reference to FIG. 2A. FIG. 2B represents a case where PAM system 103 employs a proxy between client device 102 and server 101. In contrast, FIG. 2C represents a case where PAM system 103 employs an agent on server system 101 to manage a session with client device 102. Although not specifically described, PAM system 103 could also employ a hosted session configuration which, for purposes of this background, would be illustrated in a similar manner as FIG. 2B but with the proxy being replaced by a hosted session component. It is noted that the specific configuration employed by PAM system 103 is not essential to the invention, and the invention applies equally to any configuration of PAM 103.
In the proxy configuration depicted in FIG. 2B, administrator 150, in step 1, uses client device 102 to send a request to PAM system 103 for a privileged session with server 101. Typically, this request would require authentication, include a reason for the access, and require approval by security officer 151 in step 2. Assuming the request is approved, in step 3, PAM system 103 implements a proxy 201 for maintaining two remote sessions. Step 3a represents the creation of a session (e.g., an SSH or RDP session) between proxy 201 and server 101 in which the admin credentials are used by proxy 201 to access server 101. Step 3b represents the creation of a corresponding session (e.g., an SSH or RDP session) between client device 102 and proxy 201. Proxy 201 acts as an intermediary for routing session traffic between the corresponding sessions. Because all communications between client device 102 and server 101 pass through proxy 201, PAM system 103 can monitor the session as shown in step 4. In this depicted implementation, the admin credentials are never provided to administrator 150.
It is noted that a variation on the implementation shown in FIG. 2B exists in which the admin credentials are provided to administrator 150 (e.g., as described with reference to FIG. 2A). In such a variation, rather than having PAM system 103 automatically initiate the corresponding sessions via proxy 201, administrator 150 may first initiate a session with proxy 201 using the admin credentials, and then proxy 201 would initiate a corresponding session with server 101. Similarly, when the administrator is provided with the admin credentials, a PAM system may be configured to implement a transparent proxy or other type of proxy. However, as mentioned above, the present invention can be implemented in any PAM system configuration including many different types of proxy configurations.
In the agent configuration depicted in FIG. 2C, a similar set of steps are followed. The primary difference between the proxy and host configurations is that in the host configuration, the host has direct access to the server resources because it executes on server 101, and therefore a single session is required between client device 102 and agent 202. In other words, agent 202 can access server resources in a similar manner as a user could if directly interacting with server 101. In the agent configuration, for purposes of this specification, the agent that executes on the server is considered as being part of the PAM system. As with the proxy implementation, the session between client device 102 and agent 202 can be initiated automatically by PAM system 103 (e.g., in implementations where the admin credentials are not provided to administrator 150), or the session can be initiated in response to a request from client device 102 (e.g., in implementations where the admin credentials are provided to administrator 150).
In each of the configurations represented by FIGS. 2B and 2C, PAM system 103 can be configured to monitor and store any communications that are transmitted over a session between client device 102 and server 101. This monitoring can typically include capturing keystrokes and mouse input among other things.