PrivX® Datasheet

Zero Trust Access Management

What is PrivX?
PrivX is an access management gateway that is fast to deploy and simple to maintain. PrivX advances your security by allowing connections for only the amount of time needed, removing dependency on passwords, controlling access to both cloud-hosted and on-premises applications, and interfacing directly with your identity management system.
SSH.COM
2 PrivX®

Your gateway from ground to cloud

Lean, fast and highly scalable
Light on its feet, PrivX provisions administrative access for just the duration needed – no permanent access and no passwords to handle. Quick integration with ID management systems, no agents to install, and nearly unlimited scalability.
• Integration with widely used ID data services
• No agents to install and maintain
• No passwords to vault, rotate and manage
• Scalable microservices architecture

Across hybrid and multi-cloud environments
Control and consolidate access to workloads in AWS, GCP, Azure, OpenStack and on-premises hosts from a single user interface.

Automated administrative access
Reduce errors and save time by connecting with existing AD/LDAP infrastructure, unifying user/role management and enabling SSO (single sign-on) logins. Set it and forget it – PrivX stays in sync and automatically discovers new hosts.
• Connect and stay in sync with existing AD/LDAPs and other ID data services
• SSO logins with multi-factor authentication (MFA)
• Automatic cloud host discovery

Privileged access re-imagined
PrivX stands apart from traditional privileged access management (PAM) tools by delivering a lean, cost-effective solution. Compared to legacy PAMs, PrivX helps you to:

• Cut the costs of password lifecycle management and vaulting by granting short-lived authentication to users only when they need it.
• Economize on deployment and maintenance efforts by avoiding the use of agents on your client workstations and hosts.
• Fortify your cost-saving cloud deployments by controlling access to your AWS, GCP and Azure-hosted servers, on-premises – or any combination.

How does PrivX work?

Credentialess access to the right hosts via SSO/MFA
Ephemeral certificates over SSH/RDP connections

1. Identities automatically mapped from directory services. PrivX integrates with Microsoft AD, Azure AD, LDAP, Google G Suite, AWS Cognito and other OpenID Connect providers. User/group ID data is automatically updated as people join, move or leave. When you set up PrivX you define access to target hosts for each appropriate role (e.g. quality engineer, developer, sysadmin etc.) and map the roles to existing AD/LDAP user groups. Any change in your user directory is updated immediately in PrivX, so there’s no separate privileged user directory.

2. Privileged access via ephemeral certificates. Users log in to PrivX via their browser using SSO/MFA and can see all their available hosts. They can then access their hosts in one click. It’s “credentialess” because access is not granted by user passwords. This is possible because PrivX validates each secure SSH/RDP connection in real time with unique, short-lived certificates that are invisible to the user and automatically expire unless authorized by PrivX. There are no agents required on the client or host. PrivX acts as the only centralized certification authority for the target hosts. If required, native Mac and Linux SSH clients can be configured with PrivX Agent software.

3. Access elevation and 3rd parties. Privileged access elevations and access for non-directory users are managed via request/approval workflows with the option of 4-eyes authorization. Access for 3rd parties can be managed according to policies defined in PrivX, and access can be granted or revoked instantly.

4. Monitor and audit connections. PrivX administrators can monitor and control the access lifecycle, including revocation and modification, down to granular access per host. SSH/RDP sessions can be recorded and played back with a full audit log. Additionally, PrivX collects audit events which can be sent to SIEMs for behavioral analysis, anomaly detection and other analysis.

5. Multi-cloud, private cloud or hybrid. PrivX admins have control over access to all on-premise and global cloud assets in one view. PrivX auto-discovers changes in your host environments. To integrate with standard software provisioning tools, like Chef and Ansible, PrivX provides deployment scripts. Users can then make SSH connections to target hosts according to your Ansible playbook via PrivX without the need for passwords. PrivX Extender software is also available to manage privileged access to VPCs (Virtual Private Clouds) via PrivX.
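To make step 2 concrete, here is an added Python example (not PrivX’s code) that builds a constructed, unsigned OpenSSH user certificate in the ssh-ed25519-cert-v01@openssh.com wire format and then applies the checks a target host’s sshd makes before honouring such a certificate: certificate type, validity window and principal list (the same principal matching that AuthorizedPrincipalsCommand feeds on hosts listed under the target host requirements). All key and signature bytes are placeholders, so signature verification against the CA key is omitted, and the principal names and timestamps are made up.

```python
import struct

def _s(b):
    """Encode an SSH 'string': big-endian uint32 length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def build_user_cert(principals, key_id, valid_after, valid_before, serial=1):
    """Constructed, UNSIGNED ssh-ed25519-cert-v01@openssh.com body (placeholder keys)."""
    ca_pub = _s(b"ssh-ed25519") + _s(b"\x22" * 32)      # placeholder CA key blob
    return (_s(b"ssh-ed25519-cert-v01@openssh.com")
            + _s(b"\x00" * 32) + _s(b"\x11" * 32)        # nonce, user public key (placeholders)
            + struct.pack(">QI", serial, 1)              # serial, type 1 = SSH_CERT_TYPE_USER
            + _s(key_id.encode())
            + _s(b"".join(_s(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + _s(b"") * 3                                # critical options, extensions, reserved
            + _s(ca_pub)
            + _s(_s(b"ssh-ed25519") + _s(b"\x33" * 64)))  # placeholder signature

class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0
    def string(self):
        n = struct.unpack_from(">I", self.data, self.pos)[0]
        self.pos += 4 + n
        return self.data[self.pos - n:self.pos]
    def uint(self, width):                               # 4 -> uint32, 8 -> uint64
        self.pos += width
        return int.from_bytes(self.data[self.pos - width:self.pos], "big")

def parse_user_cert(blob):
    """Decode the fields sshd consults when deciding whether to honour a cert."""
    r = _Reader(blob)
    for _ in range(3): r.string()                        # skip type name, nonce, public key
    cert = {"serial": r.uint(8), "cert_type": r.uint(4), "key_id": r.string().decode()}
    pr, cert["principals"] = _Reader(r.string()), []
    while pr.pos < len(pr.data):
        cert["principals"].append(pr.string().decode())
    cert["valid_after"], cert["valid_before"] = r.uint(8), r.uint(8)
    return cert

def check_access(cert, principal, now):
    """sshd's order: certificate type, validity window, then principal match."""
    if cert["cert_type"] != 1:
        return "not a user certificate"
    if not cert["valid_after"] <= now < cert["valid_before"]:
        return "outside validity window"    # an expired ephemeral cert fails here
    if principal not in cert["principals"]:
        return "principal not authorized"
    return "ok"
```

Because the validity window is enforced by the host itself, a certificate issued for a few minutes needs no revocation step: once `now` passes `valid_before`, the same bytes are refused.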

The problems that today’s IT security professionals face
IT environments are increasingly complex and they require security tools that can be both expensive to deploy and burdensome to use and maintain. Below are a few examples.

Security is costly
PAMs are expensive to deploy and maintain
Traditional PAMs require heavy resources to deploy and manage. Tasks include installing and updating agents on workstations as well as vaulting and rotating passwords. PAMs can take months and even years to install, and some are abandoned before full deployment.

Today’s complex environments require enhanced security
As workloads move to the cloud, security concerns rise
As organizations take advantage of the economy that cloud hosting offers, security concerns also mount. Chief among these is managing access to sensitive data that resides in the cloud.

Security tools can be a hurdle
People will find ways to avoid difficult systems
You need your access management tool to be easy so people will use it. Astute users can find ways to bypass heavier tools, like traditional PAMs.

Compliance can be burdensome
Meeting internal and regulatory requirements can be onerous. You need to demonstrate that your systems are under control and that unwarranted users are kept out of your servers.

Need to control access inside the network
Not only are insider attacks a threat, but the clever hacker who does gain access to your network can move among your systems if unchecked at access points. It’s not enough to control your perimeter; you need to control access inside the network.

Need to conserve resources
Your administrators have a lot on their plates. They need easy-to-use security tools so they can spend their time on more productive activities.

PrivX: A modern solution for modern problems
PrivX helps you solve your access management problems cost effectively, securely, and in a package that your administrators will find easy to use.

Ephemeral certificate-based authorization
Leave passwords in the dust by using just-in-time, temporary access to target hosts. Reduce your threat surface, and the money you spend on credential lifecycle management.

Agentless*
Benefit from fast deployment by avoiding the need to install traditional agents on client workstations and/or host servers. You’ll also be more likely to stay current with PrivX’s version updates when you only need to centrally update your software.

Integration with existing IMS/IAM
Economizing on time and effort, PrivX stays in sync with the role-based users in your identity management system. Employees come and go and change roles, while PrivX stays up to date. Expedite access to target hosts with SSO; users log in once and gain one-click entry.

Recorded sessions with playback support
Make easy work of preparing for audits, as well as post-event forensics. All access traffic is recorded and stored for review. PrivX collects audit events which can be sent to SIEMs for user and entity behavior analytics (UEBA) and other analysis.

Hybrid and multi-cloud
PrivX manages access to target hosts whether they’re in AWS, Azure, GCP cloud environments, or all three as well as private cloud and on-premises.

Microservices architecture for scalability and high availability
PrivX lets you easily add instances as your needs grow, while also providing high availability for disaster recovery. Your multiple, distributed PrivX instances can be dispatched through a common load balancer and connected to a backend database to run as a unified, highly available system.

*Available as agentless or with agents.

FEATURES
Short-lived certificate-based authentication
Role-based access control to target hosts: Users can be dynamically mapped to roles; View hosts that are accessible by specific roles
Directory service integration: Users and groups synced with Microsoft AD, Azure AD via Graph API, Google G Suite, LDAP and OpenID Connect providers (e.g. AWS Cognito, Okta, Ubisecure)
Sign-in and access control to PrivX:
• Single sign-on (SSO) through directory services applications via Kerberos
• Username & password for local users
• Multi-factor authentication (MFA), time-based one-time password (TOTP)
• OAuth2 over TLS
Authentication to target hosts:
• OpenSSH certificate
• Virtual Smart Card for RDP
• Stored, vaulted credentials
• Username & password
Supported protocols: SSH (v2), RDP, HTTP(S) and SFTP
Fast and responsive user experience: HTML5 single-page UI over REST APIs
Complete HTTP REST API: Anything the UI does can be executed via the API
Host and user searches: Capable of indexing tens of thousands of hosts and users from multiple sources
Support for cloud providers: Automatically scan and add tagged cloud hosts: AWS, Google Cloud, OpenStack, Azure
Support for virtual private clouds (VPCs): Connect to a VPC using PrivX Extender (reverse proxy)
Standalone product: Includes internal user & host directories; Includes a mechanism for requesting roles & approving them with email notifications

PERFORMANCE
Capacity: 100 000 users mapped to roles; 10 000 target hosts
Concurrent connections: 10 000 SSH, 60 new RSA connections per second; 200 RDP connections. Tested on a 3.6GHz 8-core server with 16 GB of RAM, scales horizontally as needed

TARGET HOST REQUIREMENTS
Certificate-based authentication: OpenSSH 5.6 or later
Certificate-based authentication with AuthorizedPrincipalsCommand script: OpenSSH 6.9 or later

PRIVX INSTANCE
Compatible operating systems: Red Hat Enterprise Linux 7.4 or later; CentOS 7.4 or later

HARDWARE REQUIREMENTS
Evaluation/trial license (<10k users) Recommended minimum: 4GB RAM, 2 core CPU, 15GB disk space
Production license (<100k users) Recommended minimum: 8GB RAM, 8 core CPU, 100GB disk space

DEPLOYMENT
High availability and scaling:
• High availability through active-active cluster nodes
• Horizontal scaling by adding nodes
• Load balancing with sticky-session support
Installation: Download and upgrade PrivX from GPG-signed RPM repositories
Management:
• Web-based admin UI
• HTTP REST API
• API end point status and service status page
SSH target host configuration: All OpenSSH compatible hosts supported. Automated deployment scripts provided: CentOS, RedHat, Ubuntu, Debian, Amazon Linux.
Automated deployment: Compatible with Ansible and Chef automated deployment tools

For detailed information on deployment and requirements, please refer to the Administrator Manual here.

AUDITING
Audit events persisted to log files: All user and admin actions are persisted to log files and can be automatically directed to SIEM
Connection manager: View past and ongoing connections; Terminate ongoing connections
Record and playback sessions: Record browser-based SSH and RDP connections. Store encrypted audit trails in your preferred location.

SECURITY
System security:
• Communication between service components and PrivX secured via TLS
• Information stored in the vault encrypted with AES128 or AES256 GCM
• PrivX secrets can be secured using hardware security modules (HSMs)
Alerts and reports: System and connection-based alerts collected and sent to SIEMs (e.g., Splunk, IBM Qradar), AWS CloudWatch or Azure Event Hubs

The information in this document is provided “as is” without any warranty, express or implied, including without any warranties of
merchantability, fitness for a particular purpose and any warranty or condition of non-infringement. SSH Communications Security products
are warranted according to the terms and conditions of the agreements under which they are provided. SSH Communications Security may
make changes to specifications and product descriptions at any time, without notice.

ssh®, PrivX®, Tectia®, Universal SSH Key Manager® and CryptoAuditor® are registered trademarks or trademarks of SSH Communications
Security Corporation and are protected by the relevant jurisdiction-specific and international copyright laws and treaties. Other names and
marks are the property of their respective owners. Copyright © 2019 SSH Communications Security Corporation. All rights reserved.

SSH Communications Security Oyj

Kornetintie 3, 00380 Helsinki

www.ssh.com

+358 20 500 7000

[email protected]
