This document introduces the business case for implementing a session monitoring system to record login sessions to privileged accounts. It examines a series of technological design decisions that must be considered when developing a session monitoring system and offers guidance about how such a system might be best deployed and managed in practice.
Contents
1 Introduction
2 Business drivers for recording login sessions
3 Which login sessions should be recorded?
4 What data should be captured?
5 Data format and volume
6 Where to insert instrumentation
7 Visible or stealth surveillance
8 Tamper-proofing the recording process
9 Planning for network bandwidth and storage requirements
10 What to do in the event of a termination
11 Privacy protection and access controls
12 Summary
Appendices
A Hitachi ID Privileged Access Manager overview
B Session monitoring in Hitachi ID Privileged Access Manager
Design and Implementation of Administrator Session Monitoring
The session recording system is tamper-resistant: if a user attempts to interrupt recording, the login session to the privileged account is disconnected and an alarm is raised.
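The paragraph above states the policy (interrupted recording means disconnect plus alarm) but not how a collector can tell an interrupted stream from a quiet one. The following is an added example of one server-side design, not Privileged Access Manager's own mechanism or wire format: it assumes a per-session key issued by the broker at login, and recorder chunks that carry a sequence number, a timestamp, the captured payload and an HMAC over those fields. With that, the collector can distinguish a killed recorder (silence), suppressed chunks (sequence gaps) and forged keep-alives (bad MAC). The session key, chunk format and sample streams are constructed for the example.

```python
import hashlib
import hmac

# Illustrative recorder-stream integrity check (added example, not product code).
# Assumptions: the broker issues SESSION_KEY when the privileged login is granted,
# and the recorder emits a chunk every few seconds carrying seq, ts, payload and
# an HMAC over those fields. Both are constructed here for the example.
HEARTBEAT_TIMEOUT = 15  # seconds of silence before the session is cut
SESSION_KEY = b"example-per-session-key"  # constructed; a real key is random


def chunk_mac(key, session_id, seq, ts, payload):
    """HMAC-SHA256 binding session id, sequence number, time and payload hash."""
    msg = b"|".join([session_id.encode(), str(seq).encode(),
                     str(ts).encode(), hashlib.sha256(payload).digest()])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_chunk(key, session_id, seq, ts, payload):
    """What a well-behaved recorder on the user's PC would send."""
    return {"session": session_id, "seq": seq, "ts": ts, "payload": payload,
            "mac": chunk_mac(key, session_id, seq, ts, payload)}


def check_stream(key, chunks, now, timeout=HEARTBEAT_TIMEOUT):
    """Return ('ok', reason) or ('disconnect', reason).

    Any 'disconnect' verdict is also an alarm condition: the session to the
    privileged account is torn down and security staff are notified.
    """
    expected_seq = 0
    last_ts = None
    for c in chunks:
        expected_mac = chunk_mac(key, c["session"], c["seq"], c["ts"], c["payload"])
        if not hmac.compare_digest(c["mac"], expected_mac):
            return ("disconnect", "chunk %d failed MAC check (forged or altered)" % c["seq"])
        if c["seq"] != expected_seq:
            return ("disconnect", "sequence gap: expected %d, got %d" % (expected_seq, c["seq"]))
        if last_ts is not None and c["ts"] < last_ts:
            return ("disconnect", "timestamp went backwards at seq %d" % c["seq"])
        expected_seq += 1
        last_ts = c["ts"]
    if last_ts is None or now - last_ts > timeout:
        return ("disconnect", "recorder silent for longer than %ds" % timeout)
    return ("ok", "stream intact")


def scenarios():
    """Constructed streams for session 's1': one healthy, three interfered with."""
    healthy = [make_chunk(SESSION_KEY, "s1", i, 5 * i, b"frame%d" % i) for i in range(3)]
    # Recorder process killed after the third chunk; collector checks 30 s later.
    killed = (healthy, 40)
    # A chunk suppressed in transit (seq 1 never arrives).
    dropped = ([healthy[0], healthy[2]], 12)
    # Fake keep-alive built without the session key while real capture is blocked.
    forged = (healthy[:2] + [make_chunk(b"wrong-key", "s1", 2, 10, b"idle")], 12)
    return {"healthy": (healthy, 12), "killed": killed, "dropped": dropped, "forged": forged}


def run_scenarios():
    """Verdict per scenario: {'healthy': 'ok', others: 'disconnect'}."""
    return {name: check_stream(SESSION_KEY, chunks, now)[0]
            for name, (chunks, now) in scenarios().items()}


if __name__ == "__main__":
    for name, (chunks, now) in scenarios().items():
        print(name, check_stream(SESSION_KEY, chunks, now))
```

The check runs on the collector, not on the user's PC, because anything that runs on the PC is under the user's control; the per-session key is what stops a local process from fabricating a plausible idle stream while the real capture is blocked.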
Privileged Access Manager can be configured to record the user's PC for the duration of a login session to a privileged account. The recording can include video capture of either the full screen or just the login window, keystroke logging, the contents of the clipboard (copy buffer), and even snapshots from the user's webcam.
Full screen and web cam capture
Capturing the full screen gives context for administrator actions. For example, if a user downloads a file
from a privileged account to his PC, a recording of just his login window will not show what happens next,
but a full screen recording may show the file being copied to a USB drive or uploaded to a web site.
Capturing webcam snapshots ties the session to the person at the keyboard. In a forensic audit, if the user claims that actions recorded under his profile were performed by someone else, perhaps after stealing his password, the snapshots provide evidence of who actually performed them.
Network and storage impact
The session monitor ActiveX component generates up to about 10 kB/s of data, most of it video. On a modern PC it consumes no more than 2% to 3% of the user's CPU and only a very small amount of memory.
A single Privileged Access Manager server can collect about 100 concurrent session recording streams. A load-balanced arrangement of 3 Privileged Access Manager nodes can therefore capture sessions from 300 IT workers simultaneously and, since not every user is logged in at once, probably serve more than 500 users in total, 24x7.
The data volume from a single administrator session, assuming a constant 10 kB/s stream for 8 hours/day, 220 days/year, amounts to about 60 GB/year (10 kB/s x 3600 x 8 x 220 is roughly 63 GB). 100 concurrently active administrators whose every action is recorded will generate about 6 TB/year of data.
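The sizing figures above (10 kB/s per stream, 100 streams per node, 8 hours/day, 220 days/year) are easy to carry through for other headcounts and retention periods. The following is an added capacity-planning example, not code from the white paper or the product: the constants are the paper's own figures, while the N+1 spare collector node and the multi-year retention parameter are assumptions of this example. It treats the peak 10 kB/s as a constant rate, so the results are an upper bound.

```python
import math

# Session-recording capacity planner (added example, not product code).
# Constants are the white paper's figures; the spare node is this example's assumption.
KB_PER_SEC_PER_SESSION = 10     # peak recorder output per session
SESSIONS_PER_NODE = 100         # concurrent streams one collector node accepts
HOURS_PER_DAY = 8
DAYS_PER_YEAR = 220


def per_session_gb_per_year(kb_per_sec=KB_PER_SEC_PER_SESSION,
                            hours=HOURS_PER_DAY, days=DAYS_PER_YEAR):
    """Worst case: the recorder streams at its peak rate the whole working day."""
    return kb_per_sec * 3600 * hours * days / 1_000_000  # kB -> GB (decimal)


def aggregate_mbit_per_sec(concurrent, kb_per_sec=KB_PER_SEC_PER_SESSION):
    """Inbound bandwidth at the collectors when `concurrent` sessions stream at once."""
    return concurrent * kb_per_sec * 8 / 1000


def collector_nodes(concurrent, per_node=SESSIONS_PER_NODE, spare=1):
    """Nodes needed for `concurrent` streams, plus `spare` nodes for failover (assumption)."""
    return math.ceil(concurrent / per_node) + spare


def retention_tb(concurrent, years, **kw):
    """Raw storage to keep `years` of recordings for `concurrent` active sessions."""
    return concurrent * per_session_gb_per_year(**kw) * years / 1000


def plan(concurrent, retention_years=1, spare=1):
    """Summary a practitioner would put in a sizing sheet for `concurrent` sessions."""
    return {
        "per_session_gb_per_year": round(per_session_gb_per_year(), 2),
        "aggregate_mbit_per_sec": aggregate_mbit_per_sec(concurrent),
        "collector_nodes": collector_nodes(concurrent, spare=spare),
        "retention_tb": round(retention_tb(concurrent, retention_years), 2),
    }


if __name__ == "__main__":
    for n in (100, 300):
        print(n, "concurrent sessions:", plan(n, retention_years=3))
```

Note that the storage figure is for raw capture only; a retention policy that keeps recordings for several years, plus any replication of the archive, multiplies it accordingly, and the bandwidth figure is what must be available at the collectors, not at each user's PC.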
www.Hitachi-ID.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com
File: /pub/wp/documents/sessmon-howto/sessmon-howto-1.tex
Date: 2011-04-29