Privileged access management helps organizations provide secure access to critical applications and data by addressing the very first security layer: the passwords.
Take a look at the improvements we’ve made to Imprivata Privileged Access Management in the second half of 2022.
In the second half of 2022, Imprivata Privileged Access Management introduced new features like Native Azure AD Cloud Directory integration and ephemeral accounts for Linux hosts amongst other important security and workflow enhancements. Highly requested features by our customers like “export to CSV” and “deny login access” were also added during the last few months.
With the newest version of Imprivata Privileged Access Management, customers will also benefit from enhanced features like Proximity Group Controls, in-session toolbar pull down, and additional enhancements to the integration with the Imprivata single sign-on (SSO) solution, Imprivata OneSign.
Imprivata Privileged Access Management: Expanded capabilities to keep your organization secure
We’re always working to ensure that our solution helps you to meet tomorrow’s challenges head-on, and the last half of the previous year has been no different. We’re proud of our commitment to listening to – and acting upon – our customers’ requests, and we encourage ideas to be submitted.
Native Azure AD Cloud Directory integration
Imprivata Privileged Access Management introduces native support for Microsoft’s Azure AD cloud directory. Once integrated, native identities within Azure AD can be used in the privileged access management (PAM) solution for SAML-based user authentication, user and group search, local group membership, permissions, workflow assignments, and more. Integration makes use of the Microsoft Graph API in the customer’s Azure tenant and requires a simple configuration to set up. (Support for External User identities is not yet available but will be supported in the future.) Learn more about the integration here.
Export to CSV
A new Export option lets System Administrators export Containers and Records, in bulk or selectively, to a secure, encrypted CSV file that can later be used with the complementary CSV Import option. This feature is useful whenever vault objects need to be moved to another location or even to a different PAM instance, such as from a Production deployment to a Test deployment.
Web Session Relay Nodes
A Session Relay Node is designed to reduce the heavy network traffic that can arise in deployments where remote sessions between a user and a remote host span geographies. In multi-region deployments, and under certain circumstances, a user’s remote web session can show a performance decrease that results in latency during the session.
An available Session Relay Node in this deployment may improve web session latency by minimizing the amount of required traffic between the user’s client and the PAM master nodes.
Deny Login Access
A new Deny Login option is now available to System Administrators to deny user(s) or group(s) direct access to the PAM solution. Deny login is simple to configure and includes a customizable message that is shown to a user whose login has been denied. Once this option has been applied to a principal, their authentication to PAM – including web portals, proxies, and APIs – will be denied.
This feature allows Administrators to create new policies in PAM that can prevent PAM logins by everyone except those authorized accounts like an Admin group in Active Directory.
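The policy described above, "deny PAM logins to everyone except an authorized Admin group", is easy to get subtly wrong if it is enforced on the web portal but not on the proxy or API paths. The following added example (not Imprivata code; the rule shape, group names and surface list are assumptions) shows a default-deny evaluator in which a deny rule takes precedence, exceptions are explicit, and the same decision is applied to every entry point:

```python
"""Default-deny login policy for a PAM front door.

Added illustration, not Imprivata code: the rule shape, group names and
surfaces below are assumptions used to show how 'deny everyone except an
authorized group' is evaluated consistently across every entry point.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

SURFACES = ("web", "proxy", "api")   # every path that authenticates to PAM


@dataclass(frozen=True)
class Principal:
    name: str
    groups: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class DenyLoginRule:
    name: str
    applies_to: FrozenSet[str]                 # principal or group names, or "*"
    exceptions: FrozenSet[str] = frozenset()   # identities the rule spares
    message: str = "Your login has been denied. Contact your administrator."


@dataclass(frozen=True)
class Decision:
    allowed: bool
    rule: Optional[str] = None
    message: Optional[str] = None


def evaluate_login(principal: Principal, rules: List[DenyLoginRule],
                   surface: str) -> Decision:
    """Deny wins: the first matching rule that does not except the principal blocks login."""
    if surface not in SURFACES:
        raise ValueError(f"unknown surface {surface!r}")
    identities = {principal.name} | set(principal.groups)
    for rule in rules:
        targeted = "*" in rule.applies_to or bool(identities & rule.applies_to)
        if targeted and not identities & rule.exceptions:
            return Decision(False, rule.name, rule.message)
    return Decision(True)


def denied_everywhere(principal: Principal, rules: List[DenyLoginRule]) -> bool:
    """A denied principal must be denied on all surfaces, not only the web portal."""
    return all(not evaluate_login(principal, rules, s).allowed for s in SURFACES)


def audit_line(principal: Principal, surface: str, decision: Decision) -> str:
    """One audit record per authentication attempt, whatever the outcome."""
    outcome = "ALLOW" if decision.allowed else f"DENY rule={decision.rule}"
    return f"login surface={surface} principal={principal.name} {outcome}"


if __name__ == "__main__":
    admins = "AD\\PAM-Admins"   # constructed group name
    rules = [DenyLoginRule("deny-all-but-admins", frozenset({"*"}),
                           frozenset({admins}),
                           "PAM login is restricted to the PAM admin group.")]
    for person in (Principal("alice", frozenset({admins})), Principal("bob")):
        for surface in SURFACES:
            print(audit_line(person, surface, evaluate_login(person, rules, surface)))
```

The `denied_everywhere` check is the part worth carrying into a real deployment: after applying a deny rule, confirm the principal is rejected on the proxy and API paths as well as the portal, since those are the paths an attacker with a stolen credential is most likely to use.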
Ephemeral accounts for Linux hosts
In general, Imprivata Privileged Access Management uses ephemeral accounts to support short-lived, one-time-use accounts for session connectivity. A goal of PAM is to achieve ‘zero standing’ security, where no standing accounts exist on privileged hosts and credentials or keys are generated on the just-in-time principle. Once a user is approved for access, a new, temporary account or key is generated on the host, access is provided using this account, and once that access is no longer required, the account or key is deleted from the host.
With our recent Imprivata Privileged Access Management releases, ephemeral account support now includes SSH password and key-based access, building upon our existing support for local Windows accounts.
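The lifecycle described above (approve, create a temporary account or key on the host, grant access, delete it afterwards) is the easy part; the failure mode a practitioner cares about is the cleanup that never happens, which quietly turns a just-in-time account into a standing one. The following added example (not Imprivata code; the host is an in-memory model, and the generated password and public-key values are constructed stand-ins) walks through the lifecycle for both password and key-based SSH access and adds a reconciliation sweep that detects and removes any account the host still holds without a live grant:

```python
"""Ephemeral (just-in-time) account lifecycle on a Linux host.

Added illustration, not Imprivata code: the host is an in-memory model, and
the generated secrets are constructed stand-ins for a real password or key.
"""
import secrets
import string
from dataclasses import dataclass
from typing import Dict, List

PASSWORD_ALPHABET = string.ascii_letters + string.digits


@dataclass
class HostAccount:
    username: str
    secret: str          # password, or a stand-in for an authorized public key
    expires_at: float    # epoch seconds after which the account must be gone


class LinuxHost:
    """Toy model of the account table on a managed host (constructed)."""

    def __init__(self) -> None:
        self.accounts: Dict[str, HostAccount] = {}
        self.audit: List[str] = []

    def create_account(self, account: HostAccount) -> None:
        if account.username in self.accounts:
            raise ValueError(f"{account.username} already exists")
        self.accounts[account.username] = account
        self.audit.append(f"useradd {account.username}")

    def delete_account(self, username: str) -> None:
        self.accounts.pop(username)
        self.audit.append(f"userdel {username}")


@dataclass
class Grant:
    """An approved, time-boxed access request and the account it produced."""
    requester: str
    username: str
    expires_at: float
    active: bool = True


def provision(host: LinuxHost, requester: str, now: float, ttl: float,
              auth: str = "password") -> Grant:
    """Create a one-time account after approval; nothing exists beforehand."""
    username = f"pam-{requester}-{secrets.token_hex(3)}"   # unique per grant
    if auth == "password":
        secret = "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(24))
    elif auth == "key":
        # Placeholder for a freshly generated public key, not a real key.
        secret = "ssh-ed25519 CONSTRUCTED-" + secrets.token_hex(16)
    else:
        raise ValueError("auth must be 'password' or 'key'")
    host.create_account(HostAccount(username, secret, now + ttl))
    return Grant(requester, username, now + ttl)


def revoke(host: LinuxHost, grant: Grant) -> None:
    """Normal end of session: remove the account immediately."""
    if grant.active:
        host.delete_account(grant.username)
        grant.active = False


def standing_accounts(host: LinuxHost, grants: List[Grant], now: float) -> List[str]:
    """Accounts that violate the zero-standing goal: expired, or backed by no grant."""
    live = {g.username for g in grants if g.active and g.expires_at > now}
    return sorted(u for u in host.accounts if u not in live)


def reconcile(host: LinuxHost, grants: List[Grant], now: float) -> List[str]:
    """Periodic sweep that deletes leftovers, e.g. after a missed cleanup."""
    removed = standing_accounts(host, grants, now)
    for username in removed:
        host.delete_account(username)
    for g in grants:
        if g.username in removed:
            g.active = False
    return removed


if __name__ == "__main__":
    host = LinuxHost()
    grant = provision(host, "alice", now=1000.0, ttl=600, auth="key")
    print("after approval:", list(host.accounts))
    # Simulate a session that ends without revoke() being called.
    print("leftover at t=1601:", reconcile(host, [grant], now=1601.0))
    print("after sweep:", list(host.accounts), host.audit)
```

Two design points carry over to any real deployment: the account name is unique per grant rather than per user, so an audit trail can tie a host-side event to exactly one approval, and the reconciliation sweep is driven by the host's actual account list, not by the PAM system's own bookkeeping, so an orphaned account is found even when the record of the grant was lost.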
Session recording preservation
To improve audit retention, session recordings are now retained after a record has been deleted. Previously, customers were instructed to archive old, unneeded records rather than delete them to enable historical data retention, but now they may delete them if they choose. Please note that record archival is still the recommended option as opposed to a deletion.
Admin management of local user SSH keys
Extending the existing functionality of Imprivata Privileged Access Management-managed SSH public/private key pairs for proxy authentication, System Administrators and Vault Owners can now manage the keys of their local users. Previously, only the local users themselves could manage their own key pair, which limited the use case of this feature in DevOps, MSP, and other deployment types.
Now, a Vault Owner may manage the keys of their local users including generating a new pair, uploading new keys, or blocking and deleting existing keys. System Administrators can manage the SSH key pair of any local users within the deployment.
Solution enhancements
In addition to the new features listed above, enhancements to existing features were made to Imprivata Privileged Access Management in the second half of last year. Those include:
- Imprivata OneSign single logout | System Admins can now enable support for Single Logout (SLO) that will completely log out the user, including Imprivata OneSign web SSO, without requiring any additional actions.
- Proximity Group controls | For System Administrators that need to perform maintenance, updating, or troubleshooting on a Session Manager, they can now gracefully disable either a specific host in a Proximity Group or the entire Proximity Group itself. A disabled Proximity Group will no longer accept new sessions but will retain active sessions until they have been completed.
- Drive redirection recording | File transfers during RDP proxy sessions that use native Drive Redirection are now recorded as Session Events for reporting and auditing uses. This further expands the list of actions and events that are recorded by PAM Audit Logs to support advanced reporting.
- In-session toolbar pull-down | To highlight the presence of the toolbar, there is now a visual expansion handle along the top center of the web session that when clicked, will open this dropdown toolbar.
- Finalized Report Center release | The Report Center, located under the Reports section of the left navigation, has now fully replaced the legacy Reports section in PAM. Additionally, the Reports dropdown menu found in the Containers toolbar has been replaced with a single-click Report Center button.
Keep your organization secure with market-leading capabilities
We know that you rely on your privileged access management solution to keep your organization secure, no matter what challenges you face. Make sure that you’re taking advantage of the most up-to-date capabilities to help keep you safe.
Or if you are ready to address critical security and compliance challenges by protecting privileged administrator access to an organization’s most sensitive IT systems and digital assets, request a demo.