Overview
Session Recording (often part of Privileged Session Management - PSM) captures the actual activity of a privileged user—screens, keystrokes, and commands—during a session. It is the CCTV of the data center.
This capability serves two purposes:
- Deterrence: Users behave better when they know they are being watched.
- Forensics: If a server crashes or data is stolen, you can replay the tape to see exactly what happened (e.g., "rm -rf /").
Architecture
Reference Pattern: The Jump Host / Proxy
Users do not connect directly to the target. They connect to a Proxy, which records the session and relays the traffic to the target.
Diagram (not reproduced here): User -> PSM Proxy (records the session) -> Target server
Key Decisions
| Decision | Options | Recommendation | Notes / Gotchas |
|---|---|---|---|
| Recording Format | Video, Text/Command Log, Metadata | Video + Text Index | Video is heavy to store. Text indexing allows you to search for "sudo" commands within the video. |
| Placement | Gateway (Proxy), Host-based Agent | Gateway (Proxy) | Agents can be disabled by root users. Proxies are harder to bypass. |
| Real-time Monitoring | Live View, Post-event Review | Live View for High Risk | For vendors or risky changes, allow "Over-the-shoulder" monitoring with kill capability. |
| Storage | On-box, External SAN, Cloud Bucket | Tiered Storage | Hot storage (30 days) for quick search; Cold storage (1 year) for compliance. |
| Bypass Policy | Allow Direct Access, Block Direct Access | Block Direct Access | Use network firewalls to ensure the ONLY path to the server is via the Proxy. |
Implementation
Phase 1: High-Risk Access
- Route all Vendor/Contractor access through the PSM.
- Route all Domain Admin RDP sessions through the PSM.
- Goal: Visibility into the most dangerous sessions.
Phase 2: Production Servers
- Route all SSH/RDP access to Production environments through PSM.
- Enable "Command Blocking" for dangerous commands (e.g., rm -rf, shutdown).
- Goal: Operational control and audit trail.
Phase 3: Database & Cloud
- Implement SQL proxy recording (capturing queries, not just screens).
- Route Cloud Console (AWS/Azure Portal) access through a Web Proxy recorder.
- Goal: Deep visibility into data and cloud management.
Risks
- Storage Costs: Recording 100 concurrent RDP sessions creates massive amounts of video data. Plan capacity carefully.
- Privacy: Recording user sessions can violate privacy laws (GDPR) in some regions. Consult Legal/HR.
- Single Point of Failure: If the PSM Proxy is down, nobody can connect. Deploy in HA clusters.
- User Experience: Proxies introduce latency. If the mouse lags, admins will revolt.
KPIs
- Recording Coverage: Percentage of privileged sessions that are successfully recorded.
- Review Rate: Percentage of sessions that are actually reviewed (manual or automated analysis).
- High-Risk Command Alerts: Number of dangerous commands blocked or alerted during sessions.
- Session Duration Anomalies: Identification of sessions that are unusually long or short (potential bot activity).
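An added example, not code from this page or from any PSM product, that works the Phase 2 command-alerting idea and three of the KPIs above over a constructed text index of recorded sessions. The JSON-lines format, its field names, the hypothetical PRIVILEGED_LOGINS set and the z-score threshold are all assumptions made for the example.

```python
import json
import re
import statistics
from datetime import datetime

# Constructed sample export from a hypothetical PSM text index (one JSON object per
# recorded session); the field names are assumptions for this example, not a vendor format.
SESSION_INDEX = """\
{"id": "s1", "user": "alice", "target": "db01", "start": "2024-05-01T09:00:00", "end": "2024-05-01T09:25:00", "commands": ["sudo systemctl restart postgresql", "tail -f /var/log/postgresql.log"]}
{"id": "s2", "user": "vendor-bob", "target": "app07", "start": "2024-05-01T10:00:00", "end": "2024-05-01T10:31:00", "commands": ["cd /opt/app", "rm -rf /opt/app/releases/old"]}
{"id": "s3", "user": "carol", "target": "web03", "start": "2024-05-01T11:00:00", "end": "2024-05-01T11:00:04", "commands": ["uptime"]}
{"id": "s4", "user": "dave", "target": "app07", "start": "2024-05-01T12:00:00", "end": "2024-05-01T12:28:00", "commands": ["shutdown -h now"]}
"""
# Constructed: session ids of privileged logins reported by the targets' own auth logs.
# A login with no matching recording reached the host without going through the proxy.
PRIVILEGED_LOGINS = {"s1", "s2", "s3", "s4", "s5"}

# The dangerous commands named in Phase 2, plus the "sudo" search from the Key Decisions table.
HIGH_RISK = {
    "destructive-delete": re.compile(r"\brm\s+-[a-zA-Z]*(?:r[a-zA-Z]*f|f[a-zA-Z]*r)\b"),
    "power-control": re.compile(r"\b(?:shutdown|reboot|halt|poweroff)\b"),
    "privilege-escalation": re.compile(r"\bsudo\b"),
}

def load_sessions(index_text):
    """Parse the JSON-lines index and add each session's duration in seconds."""
    sessions = [json.loads(line) for line in index_text.splitlines() if line.strip()]
    for s in sessions:
        s["duration_s"] = (datetime.fromisoformat(s["end"]) - datetime.fromisoformat(s["start"])).total_seconds()
    return sessions

def high_risk_alerts(sessions):
    """KPI 'High-Risk Command Alerts': (session id, category, command) per matching command."""
    return [(s["id"], category, cmd)
            for s in sessions for cmd in s["commands"]
            for category, pattern in HIGH_RISK.items() if pattern.search(cmd)]

def recording_coverage(sessions, privileged_logins):
    """KPI 'Recording Coverage': share of privileged logins that have a recording."""
    recorded = {s["id"] for s in sessions}
    return len(recorded & privileged_logins) / len(privileged_logins)

def duration_anomalies(sessions, z_threshold=1.5):
    """KPI 'Session Duration Anomalies': sessions whose length is far from the mean (z-score)."""
    durations = [s["duration_s"] for s in sessions]
    mean, sd = statistics.mean(durations), statistics.pstdev(durations)
    return [s["id"] for s in sessions if sd and abs(s["duration_s"] - mean) / sd > z_threshold]
```

On the sample data the coverage is 0.8 (s5 never passed through the proxy, which is exactly the bypass the firewall rule in Key Decisions is meant to prevent), s2 and s4 raise destructive-delete and power-control alerts, and the four-second session s3 is flagged as a duration anomaly.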
