
CPAM : Questions regarding Saviynt Break Glass process

UVP
New Contributor II

Hi Team, @Dheeraj_Reddy 

For these questions we are referring to the Saviynt Break Glass Process document linked below:

https://docs.saviyntcloud.com/bundle/CPAM-Admin-Guide-v23x/page/Content/J-Break-Glass/Setting-Up-Bre...


Questions:

1. What do you mean by break glass instance? Is it a Windows or Linux/Unix server?

2. The Saviynt DevOps team shared shards with our client, and the client admin team distributed these shards to different individuals. As per the documentation, it's not clear how these individuals will enter their shards in the terminal window securely during the break glass process.

3. What is the path of the Break Glass utility jar? Is it a standard path? If yes, please share the path details.

4. As per the Break Glass process diagram, data replication between the Primary and DR vault happens every hour. Is it possible to reduce this data replication to real time?

5. If the Saviynt application UI is down, how can we get endpoint and account information for the break glass activity? Is it possible to get a real-time analytical report?

6. In this document, Step 8, the Break Glass utility asks the question "Is the encryption mechanism enabled: [y|n]". Are there cases where the password is not encrypted? Is the password hashed in that case?

7. In which scenario will we be accessing the Primary Break Glass utility and the DR Break Glass utility? Who will provide confirmation on which region/utility to connect to?

8. Is there any recommendation for sharing privileged account credentials with different users after getting them through the break glass process?

9. Post break glass scenario, once users are able to access Saviynt through the UI, what steps are needed to stop/revoke client administrator access to the break glass instance/server?

10. Post break glass scenario, once the Saviynt UI application is up, what are the different ways to automatically rotate the privileged account credentials stored and managed in Saviynt?

11. Is there any process to rotate shards after a break glass scenario?

Thanks,

Umesh


NageshK
Saviynt Employee

@UVP @Dheeraj_Reddy Thank you for posting your questions in the forums. Here are the responses:


1. What do you mean by break glass instance? Is it a Windows or Linux/Unix server?
- The BreakGlass instance is a Linux server.

2. The Saviynt DevOps team shared shards with our client, and the client admin team distributed these shards to different individuals. As per the documentation, it's not clear how these individuals will enter their shards in the terminal window securely during the break glass process.
- This must be done through a screenshare where each shard holder enters their shard when prompted on the screen.

3. What is the path of the Break Glass utility jar? Is it a standard path? If yes, please share the path details.
- The jar is available in the home directory of the user logging in, so the logged-in user can just run the command java -jar PamBreakGlass-1.0-1.0.jar. We shall get this reflected in the documentation.

4. As per the Break Glass process diagram, data replication between the Primary and DR vault happens every hour. Is it possible to reduce this data replication to real time?
- 1 hour is the standard setting and it cannot be modified. Also, this cannot be real time, as the data replication itself takes time.

5. If the Saviynt application UI is down, how can we get endpoint and account information for the break glass activity? Is it possible to get a real-time analytical report?
- There is an out-of-the-box analytic control named "PAM controlled Endpoints" that can be scheduled to run periodically, say every hour, and email the list.

6. In this document, Step 8, the Break Glass utility asks the question "Is the encryption mechanism enabled: [y|n]". Are there cases where the password is not encrypted? Is the password hashed in that case?
- So far, only customers who bring their own vault have chosen not to encrypt their secrets. However, the option is still present to serve any edge cases where customers using Saviynt's vault may not want their secrets to be encrypted.

7. In which scenario will we be accessing the Primary Break Glass utility and the DR Break Glass utility? Who will provide confirmation on which region/utility to connect to?
- This will be based on the cloud outage and system availability. The Primary instance is the default option, and if for whatever reason the Primary instance is not available, the DR instance will be given. The server details will be given by the Saviynt CloudOps team, and from a usage perspective the experience is the same irrespective of whether they are using the Primary or DR instance.

8. Is there any recommendation for sharing privileged account credentials with different users after getting them through the break glass process?
- There is no one recommended approach, as each organization has its own way of implementing this. We suggest organizations follow their current internal processes for credential sharing.

9. Post break glass scenario, once users are able to access Saviynt through the UI, what steps are needed to stop/revoke client administrator access to the break glass instance/server?
- Once the Saviynt UI is available, Saviynt CloudOps should be informed and they will revoke all access to the instance.

10. Post break glass scenario, once the Saviynt UI application is up, what are the different ways to automatically rotate the privileged account credentials stored and managed in Saviynt?
- If the number of credentials accessed is small, you can reset the password for individual accounts through "reset password for service accounts". If too many credentials were accessed, you can trigger the password rotation jar by modifying the password policy to reduce the value in "Expire After". However, please note that the password rotation jar will rotate all applicable credentials irrespective of whether they were accessed during BreakGlass or not.

11. Is there any process to rotate shards after a break glass scenario?
- Rotation of shards is currently not supported.

Thanks

Nagesh K

UVP
New Contributor II

Thanks @NageshK for answering these questions. We have some follow-up questions on this:

2. The Saviynt DevOps team shared shards with our client, and the client admin team distributed these shards to different individuals. As per the documentation, it's not clear how these individuals will enter their shards in the terminal window securely during the break glass process.
- This must be done through a screen share where each shard holder enters their shard when prompted on the screen.

- Which tool do we need to use to fulfill this screen-share requirement? We tried with Teams and WebEx but it's not working: users are unable to copy-paste shards/data from their system to the host machine. Let us know on this.

4. As per the Break Glass process diagram, data replication between the Primary and DR vault happens every hour. Is it possible to reduce this data replication to real time?
- 1 hour is the standard setting and it cannot be modified. Also, this cannot be real time, as the data replication itself takes time.

- Since the data replication between the Primary and DR vault is set to one hour, how are credentials that were modified/rotated during the replication window retrieved from the DR vault?

5. If the Saviynt application UI is down, how can we get endpoint and account information for the break glass activity? Is it possible to get a real-time analytical report?
- There is an out-of-the-box analytic control named "PAM controlled Endpoints" that can be scheduled to run periodically, say every hour, and email the list.

- If we schedule this analytical report to run on a daily basis, how can we get the delta privileged account information? Is there any other way to retrieve this account and endpoint information when the UI is down?
NageshK
Saviynt Employee

@UVP @Dheeraj_Reddy There is usually a "remote control" option in screen-sharing tools like Webex and Zoom. I know that this works well in both Webex and Zoom. Have you tried this remote control option for pasting the key?

When BreakGlass is invoked, it connects to the Primary vault by default, and only if the Primary vault is not available will the DR vault be used. So the delta time comes into play only when the Primary vault is not available. Even then, we can use the master account credentials of each workload, as these passwords do not rotate often. This will also eliminate the dependency on having the latest account list from the target. The main purpose of BreakGlass is to ensure business continuity, which can be achieved by retrieving the master account credentials.

Thanks,

Nagesh K   

UVP
New Contributor II

Thanks Nagesh, @NageshK 

"Even then, we can use the master account credentials of each workload as these passwords do not rotate often. This will also eliminate the dependency on having the latest account list from the target."

- Could you please elaborate and provide more information on the above statement? How will the master account (we are using a Client ID and secret for the SaaS application) help us retrieve the delta privileged account credentials?

or

Are you saying to update the privileged account credentials through the master account? If yes, can you share these steps with us?

----------------------------------------------

Follow-up Questions:

1. As we don't want to keep the vault open for a long time, is it possible to provide an administrative token to access the vault for a specific time period?

2. During the break glass process, how can we close the vault? Is it fine to say that when we stop the Break Glass utility terminal, that is the sign of closing the vault? Which steps in the following document indicate that we closed the vault?

https://docs.saviyntcloud.com/bundle/CPAM-Admin-Guide-v2022x/page/Content/J-Break-Glass/Setting-Up-B...

Let us know your comments on this

Thanks,

Umesh

NageshK
Saviynt Employee

@UVP @Dheeraj_Reddy During BreakGlass, access to the vault is acquired right after entering the minimum number of shards in the BG utility. After retrieving secrets, the utility will prompt you whether you still have more secrets to retrieve. If you say no, access to the vault is closed and any further access to the vault will require the shards to be entered again. The same is the case if you close or lose the connection to the BreakGlass utility server. This is done as a tighter security measure so that we don't keep the vault open for access when it is not required.

Thanks,

Nagesh K

UVP
New Contributor II

Thanks @NageshK. Any idea on the question below?

1. As we don't want to keep the vault open for a long time, is it possible to provide an administrative token to access the vault for a specific time period?

NageshK
Saviynt Employee

@UVP As mentioned above, access to the vault is short-lived, for the duration you are interacting with the utility. The moment you say "no" to the question on whether you need to extract more secrets, the access to the vault is terminated. The BreakGlass utility uses the vault shards instead of a static token to access the vault; tokens are not used here, for security reasons.

Thanks

Nagesh K
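The shard-threshold model and the open/close behaviour described in the two replies above, as an added illustration that is not Saviynt's code. The thread does not say which secret-sharing scheme the shards use, so Shamir's scheme over a prime field is assumed here purely to show why any `threshold` shard holders can open the vault while fewer learn nothing, and why the session must be re-opened with fresh shard entry after "no more secrets" or a dropped connection. The `BreakGlassSession` class, the toy XOR "decrypt" and the sample secret are constructed for the example.

```python
"""Threshold (k-of-n) secret sharing with an open/close session, as an
added example. Shamir's scheme is an ASSUMPTION; Saviynt does not document
which scheme backs its shards."""
import secrets

# Mersenne prime 2**127 - 1: every secret and shard value lives in this field.
PRIME = (1 << 127) - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with the given coefficients at x (Horner), mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, n, threshold, rng=secrets.randbelow):
    """Split `secret` into n shards (x, y); any `threshold` of them rebuild it."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must fit in the field")
    if not 1 <= threshold <= n:
        raise ValueError("need 1 <= threshold <= n")
    # Constant term is the secret; the other threshold-1 coefficients are random.
    coeffs = [secret] + [rng(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shards):
    """Lagrange-interpolate the shared polynomial at x=0.

    With fewer shards than the threshold this still returns a value, but a
    wrong one: below-threshold subsets learn nothing about the secret, which
    is the property each shard holder relies on.
    """
    xs = [x for x, _ in shards]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate shard")
    total = 0
    for i, (xi, yi) in enumerate(shards):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shards):
            if i != j:
                num = num * xj % PRIME
                den = den * (xj - xi) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


class BreakGlassSession:
    """Models the utility's open/close behaviour from the thread (constructed).

    Shard holders submit shards one at a time; once `threshold` distinct
    shards are in, the vault key is derived and secrets can be read. finish()
    (the "no more secrets" answer, or a dropped connection) wipes the key, so
    a fresh round of shard entry is needed for any further access.
    """

    def __init__(self, threshold):
        self.threshold = threshold
        self._shards = {}
        self._key = None

    def submit_shard(self, shard):
        x, y = shard
        self._shards[x] = y  # re-entering the same shard does not count twice
        if self._key is None and len(self._shards) >= self.threshold:
            self._key = recover_secret(list(self._shards.items()))
        return self.is_open()

    def is_open(self):
        return self._key is not None

    def read_secret(self, sealed_blob):
        """Toy 'decrypt' (assumption): the stored blob XORed with the vault key."""
        if not self.is_open():
            raise PermissionError("vault is sealed; enter shards first")
        return sealed_blob ^ self._key

    def finish(self):
        """Answering 'n' to 'more secrets?' closes the vault and discards the key."""
        self._key = None
        self._shards.clear()


if __name__ == "__main__":
    vault_key = 0xC0FFEE  # constructed sample secret
    shards = split_secret(vault_key, n=5, threshold=3)
    session = BreakGlassSession(threshold=3)
    for holder, shard in enumerate(shards[:3], start=1):
        print(f"holder {holder} entered shard -> open={session.submit_shard(shard)}")
    print(hex(session.read_secret(0x1234 ^ vault_key)))
    session.finish()
    print("open after finish:", session.is_open())
```

Note that because the session derives the key only at the threshold and wipes it on `finish()`, there is no long-lived token to hand out, which is the point Nagesh makes about shards versus a static administrative token.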

UVP
New Contributor II

Hi @NageshK, quick question:

1. As you said, "BreakGlass instance is a Linux server", so how can we connect to this Linux box? Is it through a PuTTY session? Let us know the recommendation.

2. Do you know how we can copy/transfer the privileged account credentials or the output CSV file from the break glass instance to a local system? Is it through the WinSCP file transfer tool, or do you have any other recommendation for this?

Let us know on this.

Thanks,

Umesh