Privileged Access Management by Osirium

All IT infrastructures are managed by Privileged Users, who are given elevated powers through access to Privileged Accounts so that the uptime, performance, resources, and security of the computers meet the needs of the business.


The misuse of Privileged Accounts in the Hybrid-Cloud world has become one of the most critical security challenges, because uncontrolled access to Privileged Accounts opens a “barn door” through which untrusted third parties can compromise data and carry out cyber-attacks, ultimately causing irreparable damage to the business and its corporate reputation.

Osirium creates a secure separation between the user’s system and credentials on one side, and the connection and credentials used for the system, device or application being managed on the other.

Osirium ensures that device credentials never pass through the user’s system and therefore never risk interception.

Osirium implements Enterprise Class Password Management to ensure that all the passwords it manages are the strongest possible for each of the device classes. It has full breakglass and roll-back features to cope with devices that leave the network or are restored from backups.

Features

Granular Account Control

Osirium enables every Privileged Account on every device to be given a particular state:

Osirium Managed

Osirium creates and manages the usernames and passwords of personalised accounts on devices and assigns an appropriate role to those accounts. Full audit trails are available from Osirium and the device. Accounts can be given granular ‘Roles’ as opposed to everyone being given full admin, and privileged tasks can also be performed on devices.

Password Managed

Osirium changes the passwords of the device accounts but nobody knows them, and Osirium provides SSO services to the device with a full audit trail. Typically, all SysAdmins get full admin rights, and privileged user tasks can also be performed on devices.

Password Known

This is the minimum level of acceptable best-practice security and typically applies to generic accounts. Osirium knows the passwords and so provides SSO and PASSIVE Session Recording to the device. The password can be manually changed in Osirium without revealing its details. Direct connections to devices can still be made, although no Session Recording will be possible. Typically, all SysAdmins get full admin rights and privileged tasks can also be run on devices.

Approved

It is understood why this account exists, but the password has not been provided to Osirium. The account can only be used directly (not using Osirium’s SSO capability). This is a risky, unprotected account known to Osirium.

Unapproved

Osirium does not know about this account or why it exists. It therefore presents a sizeable risk to the integrity and security of the device.

Secure Storage of Privileged Credentials

Osirium securely stores privileged credentials. These are then used to provide SysAdmin access to devices without their knowing or seeing the passwords.

Readily Change Account States

Accounts can easily have their state level increased or reduced. This enables each device to have its accounts managed in the way that best suits the security policy.

Complex Passwords

Osirium uses long, complex, randomly created passwords, making dictionary and brute-force attacks futile. Password rules can be set per device to ensure any password policies on devices are met. Different passwords are used for every account on every device managed by Osirium.

Role Based Access Control

Osirium allows device access to be granted at a very granular level and specific roles to be assigned to individuals or groups of individuals. Because the accounts are created personalised to each user, they can be aligned to a particular set of rights or permissions on the end device, so there is no more sharing of the highest-level account.