Functional Use Cases
Can I launch RDP and SSH sessions to target devices through PrivX?
Yes. RDP and SSH sessions can be launched in three ways: through the Web UI (HTML5 client), from native RDP/SSH clients connecting through PrivX in bastion mode, and as native client direct connections brokered by the client-side agent.
Can PrivX act as a password vault for the access credentials to the target systems?
Yes. PrivX provides two vaults: one for storing shared target user/account passwords, and a Secrets Vault for storing secret data that only admins, or the users they delegate to, can access, including secrets for systems PrivX does not manage directly. Where PrivX's ephemeral (short-lived) certificate capability is used for Windows and Linux targets, the need for target passwords is removed altogether.
Can PrivX store and utilise ssh keys?
Yes. SSH keys can be uploaded to PrivX and their use restricted via role permissions. SSH keys can authenticate users and applications to PrivX and can also be used to connect to target devices. Ephemeral certificates are the preferred method, however: they expire on their own, so there is no long-lived private key to leak, rotate or revoke.
Does PrivX support the masking of the target system credentials so they are not visible nor accessible for the users?
Yes. Users have no visibility of, or access to, target credentials unless they are explicitly provisioned to see them in the Secrets Vault. Alternatively, PrivX's patented Just-In-Time ephemeral (short-lived) certificates remove the need for password-based RDP and SSH access entirely, so there is no target password to mask in the first place. For HTTPS web targets, credentials are stored in the Secrets Vault and injected into the user's session in obfuscated form, so the user never handles the clear-text credential.
Does PrivX include workflow options to add authorizations i.e. Ad-hoc or separate approval from what is preconfigured for specified sessions or user groups e.g. for external users or elevating privileges?
Yes. PrivX includes access-request functionality that lets users make ad-hoc access requests for themselves or on behalf of others. Pre-configured workflows let admins define role elevations with single- or multi-step approval requirements. Time restrictions can also be applied, so that access is revoked automatically after a set period or number of hours.
Does PrivX support both email-based and internal notifications for approval requests?
Yes. PrivX automatically notifies approvers, both within the solution and by email, when a request requires their attention: when a new request is created, and when a request proceeds to the next step of the approval process.
Can PrivX support the setting of a time limit to the remote session by the approver?
Yes. PrivX supports three access types, which govern the time windows and durations of approved access: Permanent; Restricted, which limits access to a recurring time window (e.g. 9am to 5pm); and Floating, which limits access to a duration counted from the time it is granted (e.g. 4 hours).
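To make the semantics of the three access types concrete, and the automatic revocation mentioned in the workflow answer above, here is an added Python illustration. It is not PrivX code: the `AccessGrant` fields, the fixed-offset time zone standing in for a real zone, and the sample grants are all constructed for the example. It shows how a Restricted window and a Floating duration are evaluated, including the edge case of a window that crosses midnight, and how long a running session has before it must be cut off.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone, tzinfo
from typing import Optional

# Constructed example; PrivX's real data model and API are not shown here.

@dataclass(frozen=True)
class AccessGrant:
    """Time bounds an approver attaches to a grant (assumed field names)."""
    kind: str                              # "permanent", "restricted" or "floating"
    tz: tzinfo = timezone.utc              # zone the restricted window is defined in
    window_start: Optional[time] = None    # restricted: start of the daily window
    window_end: Optional[time] = None      # restricted: end of the daily window (exclusive)
    granted_at: Optional[datetime] = None  # floating: when the approver granted access
    duration: Optional[timedelta] = None   # floating: how long access lasts from granted_at


def access_allowed(grant: AccessGrant, now: datetime) -> bool:
    """Return True if a session may start (or continue) at instant `now`.

    `now` must be timezone-aware; a naive timestamp is rejected because a
    window like 09:00-17:00 is meaningless without knowing whose day it is.
    """
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    if grant.kind == "permanent":
        return True
    if grant.kind == "restricted":
        if grant.window_start is None or grant.window_end is None:
            raise ValueError("restricted grant needs window_start and window_end")
        local = now.astimezone(grant.tz).time()
        start, end = grant.window_start, grant.window_end
        if start <= end:                           # same-day window, e.g. 09:00-17:00
            return start <= local < end
        return local >= start or local < end       # window crossing midnight, e.g. 22:00-06:00
    if grant.kind == "floating":
        if grant.granted_at is None or grant.duration is None:
            raise ValueError("floating grant needs granted_at and duration")
        return grant.granted_at <= now < grant.granted_at + grant.duration
    raise ValueError(f"unknown access type {grant.kind!r}")


def seconds_until_revocation(grant: AccessGrant, now: datetime) -> Optional[float]:
    """How long a currently allowed session may run before it must be terminated.

    Returns None for permanent access and 0.0 if access is not allowed now.
    For a restricted window this is the time to the end of the current window;
    for floating access it is the remainder of the approved duration.
    """
    if not access_allowed(grant, now):
        return 0.0
    if grant.kind == "permanent":
        return None
    if grant.kind == "floating":
        return (grant.granted_at + grant.duration - now).total_seconds()
    local_now = now.astimezone(grant.tz)
    end = local_now.replace(hour=grant.window_end.hour, minute=grant.window_end.minute,
                            second=grant.window_end.second, microsecond=0)
    if end <= local_now:                 # window crosses midnight; it ends tomorrow
        end += timedelta(days=1)
    return (end - local_now).total_seconds()


# Constructed grants mirroring the examples in the FAQ answer.
OFFICE_TZ = timezone(timedelta(hours=2))   # fixed offset standing in for a real zone
OFFICE_HOURS = AccessGrant("restricted", tz=OFFICE_TZ,
                           window_start=time(9, 0), window_end=time(17, 0))
FOUR_HOURS = AccessGrant("floating",
                         granted_at=datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc),
                         duration=timedelta(hours=4))
NIGHT_SHIFT = AccessGrant("restricted", tz=OFFICE_TZ,
                          window_start=time(22, 0), window_end=time(6, 0))
```

The important design choice is that the checker refuses naive timestamps and evaluates the Restricted window in the grant's own zone: an approver who grants "9 to 5" means their business day, and a session broker that compares against server-local time silently widens or narrows the window.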
Does PrivX support two-way transfer of files within an approved session and create a log of files uploaded/downloaded?
Yes. PrivX allows two-way file transfer with no file size or transfer duration restrictions, and a separate audit trail is created specifically to record file transfer activity.
Does PrivX support session recording and session logging?
Yes. PrivX supports both session recording and session logging. Recordings can be viewed after a connection has ended (live viewing will be available in an upcoming release). PrivX is designed so that recordings can only be viewed within the solution, and only by those authorised to do so. Logs contain timestamps and authorization data for each connection, including source and target identity, file transfer activity and SSH transcripts.
Can PrivX support the invitation of additional viewers to one session for additional support purposes?
Live viewing by additional participants is not yet available (it will be in an upcoming release). Session recordings can be reviewed once the session has ended; permitted users can be given access to specific recordings as required, and a link can be sent that allows the recording to be viewed.
Is PrivX able to inform users that session monitoring capabilities are in effect e.g. as an information banner?
Yes, an information banner can be enabled to display a message of your own choosing at login.
Can sessions be terminated in the event of emergency?
Yes. Sessions can be terminated by personnel with the appropriate privileges.
Can PrivX help to manage access to cloud platform management consoles?
Yes. PrivX provides audited session control for cloud management dashboards/consoles accessed via root accounts: the root credentials are kept secret in PrivX, while access is still provided to those who have been provisioned to use them.
Does PrivX support auto-onboarding of accounts created through infrastructure as code?
Yes. The solution supports auto-onboarding of accounts created via IaC, either by integrating with the account creation tooling or by updating the infrastructure code to call the PrivX APIs. The workflow that creates IaC-managed hosts and accounts can call the PrivX API to configure role-based privileged access as soon as the servers are provisioned.
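As an added illustration of the "update the infrastructure code to call the PrivX API" pattern, here is a Python post-provisioning hook of the kind a Terraform or CloudFormation pipeline might run. This is not PrivX's own code or SDK. The endpoint path, the JSON field names, the login account name and the sample server record are assumptions constructed for the example; check them against the API reference for your PrivX version before use. The point it demonstrates is the shape of the integration: translate IaC output into a host definition bound to PrivX roles, refuse to onboard a host that no role can reach, and send the request with an injectable transport so the hook can be dry-run.

```python
import json
import os
import urllib.request
from typing import Callable, Dict, List, Optional

# Added example, not PrivX's own code. The endpoint path, the JSON field names
# and the login account name below are ASSUMPTIONS modelled loosely on the
# PrivX host-store API; verify them against your PrivX version's API reference.
PRIVX_URL = os.environ.get("PRIVX_URL", "https://privx.example.internal")
HOST_STORE_PATH = "/host-store/api/v1/hosts"     # assumed endpoint
TARGET_ACCOUNT = "ec2-user"                       # assumed login account on the new host

# Constructed sample of what a Terraform/CloudFormation output step hands to the hook.
SAMPLE_SERVER = {
    "instance_id": "i-0123456789abcdef0",
    "hostname": "app-eu-west-01",
    "private_ip": "10.20.30.40",
    "ssh_port": 22,
    "tags": {"env": "prod", "team": "payments"},
}


def build_host_record(server: Dict, role_ids: List[str]) -> Dict:
    """Translate IaC output into a PrivX host definition (assumed schema).

    The principal entry binds the target account to PrivX roles, so only
    members of those roles can open a session to it. No password is included:
    the account is meant to be reached with PrivX's ephemeral certificates,
    so there is nothing static to vault or rotate.
    """
    for key in ("instance_id", "hostname", "private_ip"):
        if not server.get(key):
            raise ValueError(f"provisioned server is missing {key!r}")
    if not role_ids:
        # A host with no roles is unreachable through PrivX and absent from
        # the audit trail; failing loudly beats onboarding it half-configured.
        raise ValueError("refusing to onboard a host with no roles")
    return {
        "common_name": server["hostname"],
        "external_id": server["instance_id"],
        "addresses": [server["private_ip"]],
        "services": [{"service": "SSH",
                      "address": server["private_ip"],
                      "port": int(server.get("ssh_port", 22))}],
        "tags": [f"{k}={v}" for k, v in sorted(server.get("tags", {}).items())],
        "principals": [{"principal": TARGET_ACCOUNT,
                        "roles": [{"id": r} for r in role_ids],
                        "use_user_account": False}],
    }


def build_request(record: Dict, token: str) -> urllib.request.Request:
    """Prepare the bearer-authenticated POST that registers the host."""
    return urllib.request.Request(
        PRIVX_URL + HOST_STORE_PATH,
        data=json.dumps(record).encode("utf-8"),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )


def onboard_host(server: Dict, role_ids: List[str], token: str,
                 send: Optional[Callable[[urllib.request.Request], int]] = None) -> int:
    """Register one provisioned server with PrivX and return the HTTP status.

    `send` is injectable so a pipeline can dry-run the hook (and so this
    example runs offline); by default the request goes to PRIVX_URL over TLS
    with certificate verification left at urllib's default (on).
    """
    req = build_request(build_host_record(server, role_ids), token)
    if send is None:
        def send(r: urllib.request.Request) -> int:
            with urllib.request.urlopen(r, timeout=10) as resp:
                return resp.status
    return send(req)


if __name__ == "__main__":
    # Dry run: show what would be sent instead of calling a real PrivX.
    def show(r: urllib.request.Request) -> int:
        print(r.get_method(), r.full_url)
        print(r.data.decode("utf-8"))
        return 0

    onboard_host(SAMPLE_SERVER, ["00000000-0000-0000-0000-000000000001"],
                 os.environ.get("PRIVX_TOKEN", "dry-run"), send=show)
```

Obtaining the API token is deliberately left outside the hook: it should come from the pipeline's secret store with a client scoped to host onboarding only, not from an admin user's credentials checked into the repository.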
How do you mitigate the risk of exposing targets to client side vulnerabilities such as viruses etc?
PrivX establishes an HTML5 thin-client session in the user's browser when connecting to target hosts, so the user's machine never has a direct network connection to the target and malware on it cannot reach the target host directly. Content the user deliberately moves into the session, such as file uploads and clipboard pastes, still originates on the user's machine, which is why file transfer controls and the separate file transfer audit trail still matter.
Does PrivX provide shared password management while ensuring auditing and session recording requirements are met?
Yes. Shared passwords can be used while every session is still mapped back to a single, specific identity, so audit logs and session recordings name the actual user rather than the shared account.
Additionally, shared accounts on Linux and Windows servers can be authenticated with ephemeral certificates, which removes the shared password from the picture altogether.
What are the best practices for deploying PrivX across multiple regions?
PrivX can be installed either as:
- Multiple, separate HA-installations to each region.
- A single multi-region HA installation with shared database, with PrivX instances specific to each region.
Latency requirements for multi-region deployments vary by protocol. Routing SSH connections via PrivX does not require any special arrangement of server locations.
For RDP/VNC, and for Carrier-based web connections, PrivX and Carrier should be in the same region as both the user and the target host; this keeps user-to-host latency low and so keeps the interactive session responsive.
User requests may be routed in one of the following ways:
- Via each region's own PrivX domain.
- Via a shared domain name, and then using geo-IP routing to route the requests from PrivX domain to regional PrivX endpoint.
Each region needs its own PrivX instances (2 minimum for HA). Each region also needs Carrier/web proxy servers if HTTPS auditing is required.