One of the features we offer in our Privileged Access Manager product is the ability to record an IT user’s login session to a privileged account. This can come in handy in a variety of circumstances — forensic audit, knowledge sharing, figuring out what was done to cause a breakage, etc.
The problem is that session capture raises some serious privacy concerns. What if I’m the IT user being monitored, and I take a break from my admin duties to do a bit of personal banking? Maybe I do that at lunchtime – perfectly reasonable. The trouble is, my employer now has a video record, keystroke data, etc. of me signing into my bank account. They literally have my bank account number and password in the logs. Talk about unintended consequences! I’m sure they don’t want the data, but it’s very hard to filter it out of the capture data stream.
That’s innocuous, but what if things get really personal? What happens if an admin is called up at 3AM to fix a critical system issue? He gets out of bed, half dressed, opens his laptop, signs on and does what’s required. But session capture can also turn on his webcam – is that the admin’s partner in bed in the background? Have we activated the webcam on a corporate PC or on his personal device? Did we just enable video surveillance of our admin’s residence? The legal and ethical questions get pretty murky, pretty fast.
None of this is to suggest that session capture is an unreasonable feature — merely that it should be applied with great care.
We have been quite careful about this with our own software — we use workflow processes to approve requests to search through recordings, further workflow approvals to approve requests to play back a particular recording, policy engines to decide when session capture should be enabled and what data streams to turn on (full screen, launched window, keystrokes, copy buffer, webcam, etc.) and more. We take the privacy implications of session capture quite seriously.
Given this background, I was shocked when I recently learned that at least one of our competitors includes a feature for real-time session surveillance. They literally allow an auditor, with pre-approved but not per-incident access, to watch what an admin does in real time. Wow. Talk about throwing caution to the winds!
Folks – real-time surveillance is just plain creepy. Please don’t do it, even if you happen to have a tool with that capability. Instead, consider the power that session monitoring gives you to compromise someone’s privacy, and apply it very VERY conservatively.