Security
How is data secured?
Sensitive data is split and stored in encrypted format. In transit, all database connections, intra micro-service connections and UI connections are encrypted via TLS.
Does PrivX support limiting certain functionalities on protocol, e.g. deny port forwarding on SSH tunnel or clipboard on RDP session?
Yes, channel controls are available. However note that with SSH exec
you can get the shell
even when it is disabled on the ssh-channel listing.
Does PrivX support the least privilege principle for granting access to managed resources?
Yes, this is the main principle of PrivX Role Based Access (RBAC). Roles can de defined on multiple elevation levels and grant access rights based on IDM/AD/AAD or ServiceNow.
Does PrivX undergo security testing before release to the market?
Yes, PrivX goes through various security testing - SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), penetration Testing (by 3rd party) is performed during development and before final release to the market.
I found user-settings API endpoint allows users to save unverified data to PrivX, is this a security risk? No. The API /role-store/api/v1/users/current/settings is designed for data that the UI or user writes only for themselves. A user can modify and save some data, such as their connection history through UI or API, but it has no impact on the audit logs stored in PrivX.