By Darin_Pendergraft_Oracle on Mar 18, 2014
As you saw in my previous blog, there are a lot of new features in PS2, and as we count down to our PS2 Webcast (April 10 @ 10:00 am PST - Register Here) we will be posting a series of blogs detailing the new features. In this blog, I have invited the PM team to talk about the new session management capability in OPAM.
11gR2 PS2 is an important release for OPAM where we made significant advances in many product areas. One such area is “Session Management”.
So, what is session management? In the past, privileged access management solutions focused on password vaults and providing secure access to the credentials stored in such vaults.
However, this approach raises certain questions:
- Can we prevent the end user from seeing the actual privileged account password?
- How can we control how the end user utilizes the password?
- Can we capture the actions performed by the end user for audit purposes?
Session Management support in OPAM addresses all of these questions by focusing on the following areas:
- Users can initiate a session as a privileged account without knowing the actual account password.
- Instead, the user only needs to authenticate as himself, and access to the target is granted based on the grants he holds.
- Finally, since OPAM uses a gateway-based approach, the end user can connect using any protocol-compliant third-party client.
Thus privileged session initiation has been secured without impacting the established working practices of the end user. The end user is still free to use the tools he is familiar with (e.g. PuTTY, OpenSSH) and does not need to explicitly interact with OPAM for every checkout.
- Sessions can be terminated based on usage policies (e.g. after 30 minutes).
- Sessions can be terminated by security personnel observing suspicious behavior.
Since the sessions occur via OPAM’s Session Management server, there’s a controlled single entry point for privileged access. Additionally, since all sessions occur within OPAM’s purview we are able to control what occurs within a session and terminate it as needed.
- Session activity is recorded and stored in an Oracle audit database.
- It is indexed and searchable.
All actions that occur within a session are recorded, indexed and stored in the OPAM database. Therefore, answering a question such as who ran a certain command on the file server as admin between 9 am and 10 am on April 1st 2013 is trivial.
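The three capabilities described above (session initiation without ever handing the user the vaulted password, policy- and operator-driven termination, and an indexed audit trail that answers "who ran what, where, and when") fit together as one gateway-side broker. The following is an added example written for this post, not OPAM's code or API: a toy session broker in Python whose vault contents, grant table and 30-minute policy are constructed sample values, and whose `SessionBroker`, `open_session`, `run`, `terminate` and `who_ran` names are assumptions for the illustration.

```python
"""Toy gateway-side privileged session broker (added example, not OPAM code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample data: the vault holds the privileged credential, the
# grant table maps an end user to the (target, account) pairs he may use.
VAULT: Dict[Tuple[str, str], str] = {("fileserver", "admin"): "placeholder-password"}
GRANTS: Dict[str, Set[Tuple[str, str]]] = {
    "alice": {("fileserver", "admin")},
    "bob": set(),
}
SESSION_MAX = timedelta(minutes=30)  # constructed usage policy


@dataclass
class Session:
    session_id: int
    user: str
    target: str
    account: str
    started: datetime
    active: bool = True
    end_reason: Optional[str] = None


@dataclass
class AuditEvent:
    session_id: int
    user: str
    target: str
    account: str
    at: datetime
    command: str


class SessionBroker:
    """Single entry point: every privileged session passes through here."""

    def __init__(self) -> None:
        self.sessions: Dict[int, Session] = {}
        self.audit: List[AuditEvent] = []
        self._next_id = 1

    def open_session(self, user: str, target: str, account: str, now: datetime) -> int:
        # The user is authenticated as himself; authorization is by grant.
        if (target, account) not in GRANTS.get(user, set()):
            raise PermissionError(f"{user} has no grant for {account}@{target}")
        # The vaulted password is used only here, on the gateway side, to
        # connect to the target; the caller receives a session id, not a password.
        _gateway_side_secret = VAULT[(target, account)]
        session = Session(self._next_id, user, target, account, now)
        self.sessions[session.session_id] = session
        self._next_id += 1
        return session.session_id

    def run(self, session_id: int, command: str, now: datetime) -> bool:
        """Relay one command; enforce the usage policy and record the action."""
        session = self.sessions[session_id]
        if not session.active:
            raise RuntimeError(f"session {session_id} ended: {session.end_reason}")
        if now - session.started > SESSION_MAX:
            self.terminate(session_id, "policy: max duration exceeded", now)
            raise RuntimeError(f"session {session_id} expired by policy")
        self.audit.append(AuditEvent(session_id, session.user, session.target,
                                     session.account, now, command))
        return True

    def terminate(self, session_id: int, reason: str, now: datetime) -> None:
        """Policy-driven or operator-driven termination; the reason is kept."""
        session = self.sessions[session_id]
        session.active = False
        session.end_reason = reason
        self.audit.append(AuditEvent(session_id, session.user, session.target,
                                     session.account, now, f"<terminated: {reason}>"))

    def who_ran(self, target: str, account: str, start: datetime, end: datetime,
                command: Optional[str] = None) -> List[str]:
        """Answer 'who ran <command> on <target> as <account> in [start, end)'."""
        return sorted({
            e.user for e in self.audit
            if e.target == target and e.account == account
            and start <= e.at < end
            and (command is None or e.command == command)
        })
```

The point of the model is that `open_session` returns an opaque session id and the vault lookup stays inside the broker, so the end user's client never holds the privileged password; `run` is the only path to the target, which is what lets the gateway both enforce the duration policy and write every action to the audit store that `who_ran` queries.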
In summary, OPAM’s Privileged Session Management is an important addition to the existing password vault solution, adding personal accountability and extending audit capabilities. In 11gR2 PS2, we focused on SSH since there is a very large footprint of SSH-enabled target systems. However, moving forward we’ll be adding both new protocols and additional functionality as part of our session management offering.
For further details see Oracle Privileged Account Manager - Whitepaper