Imprivata Privileged Access Management Product Update 2.3.202009062236

September 6, 2020

PAM Update: Adds ephemeral account option to enforce zero standing access principle and adds custom icons for folders and records

This update adds an Ephemeral Accounts option that enforces the no-standing-access principle, a just-in-time permission elevation option, and custom icons for folders and records.

Added ephemeral account option to enforce the no-standing-access principle

The update adds the Ephemeral Accounts option, which provisions a temporary account with the requested privileges on the destination host just in time for the requested access and removes the account after the access expires.

The option enforces the no-standing-access principle: for most of a server's lifetime, the servers under management carry no unnecessary privileged access, and no accounts at all that an attacker could exploit.

PAM Server creates accounts with requested privileges just in time for the administrators to perform tasks on the server.

The update also adds a just-in-time permission elevation option, which enables the requested privileges on an existing account on the destination host for the duration of the requested access and removes them after the access expires.

This option keeps the destination servers in a no-standing-privileges state even though the accounts themselves remain present on the server.

This option is intended as an intermediate step in the transition to no standing accounts, that is, to just-in-time provisioning of ephemeral accounts.

Both options are powered by the After Approval and After Expire task execution triggers.

An access request workflow run on a record with a configured After Approval task defers approval of the request until the After Approval task has completed successfully by provisioning a new account or elevating the privileges of an existing account on the destination host; a task that does not complete successfully leaves the request unapproved.

The After Expire task, triggered when the requested access ends, removes the provisioned account or revokes the privileges that the After Approval script elevated.

A script run under the After Approval policy can use the LOGIN, DOMAIN, SHADOW_LOGIN and REASON placeholders (REASON is the text the user entered when requesting access) to apply provisioning rules specific to the requester. REASON is free text typed by the requester, so a script that passes it to a shell, a command line or a log file must treat it as untrusted input.

Instead of, or in addition to, account provisioning or permission elevation on the destination server, the After Approval script can rotate or provision access certificates, enable firewall rules, or change group policies to grant temporary access governed by the request workflow.
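The following script is an added example of the After Approval and After Expire pair described above; it is not Imprivata's own code and not taken from the product documentation. It targets a Linux destination host and, as an assumption, expects PAM to substitute the LOGIN, DOMAIN, SHADOW_LOGIN and REASON placeholders into environment variables of the same names, to run the script as root on the destination host, and to treat a non-zero exit of the After Approval task as a failure. The paths, the "jit-" account prefix and the approved task command are hypothetical. The "approve" mode provisions an ephemeral account with a sudoers drop-in limited to one command; the "expire" mode revokes the drop-in, ends any live session of the account and deletes it, and tolerates an account that is already gone so that a retried cleanup cannot fail.

```bash
#!/usr/bin/env bash
# Added example; not Imprivata's own script. One script serving as both the
# After Approval task ("approve") and the After Expire task ("expire") for a
# Linux destination host: it provisions a jit-<login> account with a sudoers
# drop-in limited to one command, and removes both when the access expires.
# Assumptions (hypothetical, not from the product docs): PAM substitutes the
# LOGIN, DOMAIN, SHADOW_LOGIN and REASON placeholders into environment
# variables of the same names, runs the script as root on the destination
# host, and treats a non-zero exit of the After Approval task as failure.
set -euo pipefail

SUDOERS_DIR="${SUDOERS_DIR:-/etc/sudoers.d}"            # hypothetical paths
AUDIT_LOG="${AUDIT_LOG:-/var/log/pam-ephemeral.log}"
TASK_CMD="${TASK_CMD:-/usr/bin/systemctl restart nginx.service}"  # approved task
DRY_RUN="${DRY_RUN:-0}"                                 # 1 = print, change nothing

# Execute a privileged command, or print it when dry-running. Arguments are
# passed as an argv array, never through eval or a string, so placeholder
# text can never inject shell syntax.
run() {
  if [[ "$DRY_RUN" == 1 ]]; then
    { printf '+'; printf ' %q' "$@"; printf '\n'; } >&2
  else
    "$@"
  fi
}

# The ephemeral account name is derived from LOGIN only and must match the
# portable username character set. REASON is free text typed by the
# requester and LOGIN comes from the directory, so neither is trusted as a
# shell word, a path component or a username without this check.
valid_login() { [[ "$1" =~ ^[a-z_][a-z0-9_-]{0,26}$ ]]; }

ephemeral_name() {
  valid_login "$1" || { echo "refusing unsafe LOGIN: $1" >&2; return 1; }
  printf 'jit-%s\n' "$1"
}

# sudoers drop-in granting exactly the approved command: no ALL, no shell.
render_sudoers() {
  printf '%s ALL=(root) NOPASSWD: %s\n' "$1" "$2"
}

# One audit line per event. REASON is emitted through %s and has CR/LF
# squashed so a crafted reason cannot forge a second log entry.
audit_line() {
  local event="$1" account="$2" reason
  reason="$(printf '%s' "${3:-}" | tr '\r\n' '  ')"
  printf '%s event=%s account=%s requester=%s@%s shadow=%s reason="%s"\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$event" "$account" \
    "${LOGIN:-?}" "${DOMAIN:-?}" "${SHADOW_LOGIN:-?}" "$reason"
}

audit() {
  audit_line "$@" | if [[ "$DRY_RUN" == 1 ]]; then cat >&2; else cat >> "$AUDIT_LOG"; fi
}

# After Approval: any failure returns non-zero, which keeps the request
# unapproved instead of leaving a half-provisioned account behind.
approve() {
  local account
  account="$(ephemeral_name "${LOGIN:?LOGIN not set}")" || return 1
  run useradd --create-home --shell /bin/bash --comment "JIT for ${LOGIN}" "$account"
  render_sudoers "$account" "$TASK_CMD" | run tee "$SUDOERS_DIR/$account" >/dev/null
  run chmod 0440 "$SUDOERS_DIR/$account"
  run visudo -cf "$SUDOERS_DIR/$account"        # syntax error = task failure
  audit approved "$account" "${REASON:-}"
}

# After Expire: revoke first, then end live sessions, then delete. Every
# step tolerates an account that is already gone, so the task is idempotent.
expire() {
  local account
  account="$(ephemeral_name "${LOGIN:?LOGIN not set}")" || return 1
  run rm -f "$SUDOERS_DIR/$account"
  run pkill -KILL -u "$account" || true          # no live process is fine
  if [[ "$DRY_RUN" == 1 ]] || getent passwd "$account" >/dev/null; then
    run userdel --remove "$account"
  fi
  audit expired "$account" "${REASON:-}"
}

case "${1:-}" in
  approve) approve ;;
  expire)  expire ;;
esac
```

Run it as `DRY_RUN=1 LOGIN=alice REASON='rotate cert' ./jit.sh approve` to see the commands it would issue without touching the host. The design points worth keeping whatever the real placeholder syntax turns out to be: derive the account name from a validated LOGIN rather than from anything the requester typed, fail the After Approval task loudly so the request is never approved against a half-provisioned host, and in the After Expire task revoke privileges and kill live sessions before deleting the account, because a session that outlives its sudoers entry is standing access by another name.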

Added custom icons for folders and records

The update adds the option to define custom icon images and colors for folders, and for all records of a selected record type.

Custom icons make the different kinds of objects in the record list easier to tell apart, which speeds up navigation through the folder structure and simplifies the adoption of privileged access management practices.

Folder owners define a custom icon for a folder using the Edit Icon item in the folder's dropdown menu in the record list.

System administrators define custom icons for all records of a record type using the Edit Icon button on the Record Type management screen.