Less than a year ago, we introduced a new software suite to manage access to privileged accounts – Indeed Privileged Access Manager (Indeed PAM).
Pilot implementations of Indeed PAM 1.0 were carried out in enterprise information systems in the first months after release. As a result, we received positive customer feedback on the product and suggestions for its development.
Indeed PAM 1.1 includes the planned add-ons as well as functions implemented in response to customer suggestions.
An overview of the suite functionality extensions is given below.
Interoperation with *nix systems
Indeed PAM 1.1 supports templates of service operations for *nix systems. This makes it possible to perform the following operations without any modification of the system:
- Checking the connection to a resource.
- Synchronizing local accounts.
- Checking account passwords.
- Changing account passwords.
SSH key support
SSH keys can now be used to initiate sessions on resources running *nix systems. These keys can now be generated from the management console. This facilitates management of privileged accounts on resources running *nix systems.
Batch administration operations
Managing a large number of privileged accounts and resources can be a routine task. Performing such operations separately for each element can be time-consuming. To facilitate management of privileged accounts, resources, domains and permissions, batch operations have been introduced.
We developed a mechanism for centralised distribution of settings to resources (servers, workstations and other equipment), domains and privileged accounts. This includes account policies and session policies.
The policies include the following settings.
1. Account policy:
- Search for new privileged accounts on resources and in domains according to a predefined schedule.
- Checking and changing of passwords and SSH keys for privileged accounts according to a predefined schedule.
- Verification of a password or SSH key that is entered manually. This function reveals a mismatch between the password or SSH key and the account data at the privileged account setup stage.
- A configurable option for viewing the password or SSH key of a privileged account. The password can be reset to a random value at a predefined time interval after viewing.
- Flexible complexity setup for random passwords of privileged accounts.
2. Session policy:
- Activation and deactivation of logging for individual privileged accounts.
- Configuration of video recording and screenshot quality.
- Configuration of video record and screenshot rotation in order to reduce the disk space required. This function frees up disk space by removing old video records and screenshots according to the configured storage term.
Access to web applications
A new connection type makes it possible to log in to web applications automatically if they use the HTTP/HTTPS protocols. Sessions of this type now support video recording as well as screenshots.
Automation of access to web applications is implemented via Single Sign-On (SSO) technology, which is handled by a separate component named Indeed Enterprise SSO (ESSO) Agent.
The described scenario does not require the purchase of a special system for SSO support, as all the required components are already included in the Indeed PAM 1.1 delivery package.
The new version features a separate section to manage permissions. This section allows for creating new permissions, viewing the ones currently in force, as well as revoked ones.
Each permission contains the following:
- Data on the assignment of the permission to a specific user.
- The list of resources for which a privileged session is allowed for the user.
- The list of privileged accounts the user can access.
The new version also allows for configuring the start and end date and time of a permission. The setting is configured when the permission to access the resource is created. This function makes it possible to configure the permission status flexibly.
New statuses of privileged accounts
The account lifecycle model has been modified. New statuses of privileged accounts are introduced:
“Pending”: this status means that the privileged account in question has been added to Indeed PAM via synchronization with a resource or domain. Such accounts must be approved by an administrator, who either moves the account to the ignored ones or defines/generates a password for it. The status makes it possible to filter out the accounts that require the attention of an administrator, who decides whether the account is to be managed with Indeed PAM or not.
“Ignored”: this status means that the account is stored without a password and is not managed with Indeed PAM. The status allows for filtering out accounts that do not require management.
“Error”: this status indicates that the account has an error and makes it possible to eliminate its root cause promptly.
- The PAM server now supports fault-tolerant cluster mode.
- SSH and RDP connections now support non-standard ports as well.
- We also added system settings for the video codecs used.
- The text log of a session can now be exported to a file.
- Search within the text log is now possible.
- The final video record of a session can now be divided into parts of a predefined size.
- If a video record is divided into parts, it is now possible to select whether it is stored in a single archive or as a custom selection on the administrator workstation.
- The new version also features support for network storage of media files.
Indeed PAM is a solution for enhancing the information security of an enterprise. The suite provides control and audit of privileged user activities. This update is yet another step in the process of optimizing and enhancing the protection of business owners from leakage of important data and illegal actions of privileged users.