Indeed Privileged Access Manager (Indeed PAM) was developed from scratch as a system for managing access performed under privileged accounts. The product builds on Indeed Identity's many years of experience in creating information security products.
Indeed PAM consists of the following functional and logical modules.
Policies and permissions
Policies and permissions determine the parameters of privileged access:
- who is granted access
- under which privileged accounts access is granted
- to what resources (servers and equipment) access is granted
- for what time (permanently/temporarily, during working hours or at any time)
- what session records should be made (video and text records, text only, screenshots, etc.)
- what local resources (disks, smart cards) will be available to a user in a remote session
- whether a user is allowed to view the privileged account password
Centralized policies reduce system administration costs and make the access parameters and rights transparent to information security specialists and auditors.
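As an added illustration (not Indeed PAM's own code or policy schema), the following constructed policy model evaluates an access request against the parameters listed above: who, under which account, to which resource, for what time, what is recorded, which local resources are redirected and whether the password may be viewed. The working-hours window and the sample policies are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Optional

# Hypothetical policy model mirroring the parameters listed above; constructed for
# illustration and not Indeed PAM's real schema.
@dataclass
class AccessPolicy:
    users: set                          # who is granted access
    accounts: set                       # under which privileged accounts
    resources: set                      # to which servers/equipment
    working_hours_only: bool = False    # time restriction (permanently vs. working hours)
    valid_until: Optional[datetime] = None  # None = permanent grant, otherwise temporary
    video: bool = False                 # a text record is always made; video/screenshots are optional
    screenshots: bool = False
    local_resources: set = field(default_factory=set)  # e.g. {"disks", "smartcards"}
    password_visible: bool = False

WORK_START, WORK_END = time(9, 0), time(18, 0)   # assumed working hours, Mon-Fri

def in_working_hours(now: datetime) -> bool:
    return now.weekday() < 5 and WORK_START <= now.time() < WORK_END

def decide(policies, user, account, resource, now):
    """Return (allowed, session_settings). No matching policy means deny."""
    now = now if isinstance(now, datetime) else datetime.fromisoformat(now)
    for p in policies:
        if user not in p.users or account not in p.accounts or resource not in p.resources:
            continue
        if p.valid_until is not None and now > p.valid_until:
            continue                                    # temporary grant has expired
        if p.working_hours_only and not in_working_hours(now):
            continue
        records = ["text"] + (["video"] if p.video else []) + (["screenshots"] if p.screenshots else [])
        return True, {"records": records,
                      "local_resources": sorted(p.local_resources),
                      "password_visible": p.password_visible}
    return False, None

# Constructed sample policies
POLICIES = [
    AccessPolicy(users={"alice"}, accounts={"DOMAIN\\Administrator"}, resources={"dc01"},
                 video=True),
    AccessPolicy(users={"bob"}, accounts={"root"}, resources={"web01"}, working_hours_only=True,
                 valid_until=datetime(2024, 6, 30, 23, 59), screenshots=True,
                 local_resources={"disks"}),
]
```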
Vault of privileged credentials
Login credentials required for access (logins, passwords, SSH keys) are stored in a vault to which only the Indeed PAM server has access. Data is stored, and transmitted to and from the server, in encrypted form using a strong encryption algorithm. Access to the vault is restricted to the PAM server; to enforce this, a dedicated procedure "seals" the server by hardening the vault host.
Session recording subsystem
All privileged access sessions are recorded on a mandatory basis and stored in the Indeed PAM archive. Records in the archive are encrypted and can be accessed only by users holding the corresponding authority within the PAM system. Records are kept in the following formats:
- A text record is always made. It captures:
  - full console input and output for SSH connections;
  - all processes started, windows opened and keyboard input for RDP connections.
- Video recording is available for both RDP and SSH connections. It is not mandatory; the PAM administrator enables it through policies. Video quality is adjustable and can differ between accounts: for example, sessions of domain administrators can be recorded at maximum quality while sessions of an operator are recorded with compression.
- Screenshots can also be taken for both RDP and SSH connections. Saving screenshots is not mandatory; the PAM administrator enables it through policies, which also set the screenshot frequency and quality.
The PAM administrator can view active sessions in real time and terminate a session if necessary.
Event log
The event log is a dedicated service that collects Indeed PAM events. These events cover all activity of PAM administrators and users: the log records who changed system parameters and which parameters were changed, and who connected to target resources and under which credentials.
To simplify SIEM integration and enable timely incident response, events can be delivered via syslog to a third-party event log.
Admin console
The Admin Console is a web application that provides an interface for configuring, administering and auditing the system. Using the console, the administrator grants users access to credentials, configures access policies and reviews the event logs and privileged session records. The console also allows administrators to view active privileged sessions in real time and terminate them if needed. Access to the admin console is protected by two-factor authentication.
To get privileged access, employees use two tools:
- User console is made as a web application. In the user console, employees can see the accounts and resources available to them and start privileged sessions.
- Application at the access gateway. With this application, employees get access without using the user console: the employee connects directly to the access gateway, where he is offered to choose an allowed.
In both cases, employee’s access is secured with two-factor authentication by using OTP (One-Time Password).
Access modules
Access modules provide the mechanisms for opening and recording privileged sessions.
The access gateway implements a centralized model to get privileged access. Firstly, an employee connects to the access gateway where his rights are checked and two-factor authentication is performed. Then the employee opens a session on the target resource.
The access gateway works on the basis of the Microsoft RDS (Remote Desktop Services) server where the PAM application is installed. This application performs the following functions:
- checks the user's access rights – whether he is allowed to access the requested target resource under the requested account;
- executes the user’s authentication – before opening a session, the user must provide the second authentication factor;
- makes a video and takes screenshots of sessions.
To open sessions in the target systems and applications, the following client software is used at the access gateway:
- Microsoft RDP-client to access Windows servers;
- Browser to access web applications;
- PuTTY SSH-client to access Linux/Unix systems.
SSH Proxy is an alternative option to get access through Indeed PAM to Linux/Unix systems. Such a method has the following advantages:
- no need to use Microsoft RDS;
- possibility to use any SSH-client;
- SSH-client works locally at the employee’s workstation.
SSH Proxy performs the same functions as the access gateway:
- checks the user's access rights;
- executes the user’s authentication;
- makes a video and takes screenshots of sessions.
When using SSH Proxy, the user initiates the connection from his workstation with the SSH client he is used to, specifying the SSH Proxy address as the connection server. On connecting to the proxy, the employee is asked for the second authentication factor, after which a session to the target resource is opened.
Subsystem of privileged accounts management
When using PAM-class systems, it is important for information security officers to be confident that the company's infrastructure contains no unrecorded privileged accounts and that access to all of them is controlled and logged. In Indeed PAM, this task is handled by the subsystem of privileged accounts management, which performs the following functions:
- Periodic search for new privileged accounts on target resources. This protects against a dishonest administrator who creates an account in order to work bypassing the PAM system.
- Periodic verification of passwords and SSH keys of privileged accounts. This ensures that the PAM vault holds current login credentials and that a dishonest administrator has not reset an account password to use it bypassing the PAM system.
- Periodic change of passwords and SSH keys. Indeed PAM generates random, complex passwords and SSH keys for the controlled privileged accounts, protecting them from unauthorized access.
- Reset of the account password after it has been shown to a user. A PAM administrator can allow employees to see the password of a privileged account when password usage is required. After a specified period of time following the disclosure, Indeed PAM resets the password to a new random value.
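The four functions above, as an added example that is not Indeed PAM's own code: a constructed in-memory stand-in for the vault reconciles discovered accounts against its inventory (unmanaged accounts), verifies that stored secrets still work (credential drift), rotates secrets on a schedule and shortens that schedule after a password has been revealed. The `can_login` callback, the rotation period and the reveal TTL are assumptions.

```python
import secrets
import string
from datetime import datetime, timedelta

# Hypothetical vault model constructed for illustration; not Indeed PAM's implementation.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"

def generate_password(length: int = 24) -> str:
    """Random, complex password from a CSPRNG, as a rotation would produce."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def _dt(value):
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)

class Vault:
    def __init__(self, rotation_period=timedelta(days=30)):
        self.records = {}          # (resource, account) -> {"secret": str, "rotate_at": datetime}
        self.period = rotation_period

    def onboard(self, resource, account, secret, now):
        self.records[(resource, account)] = {"secret": secret, "rotate_at": _dt(now) + self.period}

    def find_unmanaged(self, discovered):
        """Accounts found on targets but absent from the vault: possible PAM bypass."""
        return sorted((r, a) for r, accts in discovered.items() for a in accts
                      if (r, a) not in self.records)

    def verify(self, can_login):
        """Keys whose stored secret no longer works, e.g. password reset behind PAM's back."""
        return [k for k, rec in self.records.items() if not can_login(k[0], k[1], rec["secret"])]

    def reveal(self, key, now, ttl=timedelta(hours=1)):
        """Show a password to a user and schedule its reset once the TTL has elapsed."""
        rec = self.records[key]
        rec["rotate_at"] = min(rec["rotate_at"], _dt(now) + ttl)
        return rec["secret"]

    def rotate_due(self, now):
        """Periodic job: replace every secret whose rotation time has come."""
        now, rotated = _dt(now), []
        for key, rec in self.records.items():
            if now >= rec["rotate_at"]:
                rec["secret"] = generate_password()
                rec["rotate_at"] = now + self.period
                rotated.append(key)
        return rotated
```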
To perform these functions, the subsystem of privileged accounts management includes the following connection modules to target systems (connectors):
- connector to Active Directory;
- connector to Windows and Windows Server;
- SSH connector for Linux/Unix systems based on various distributions.
Indeed PAM main characteristics
Access protocols: RDP, SSH, HTTP(s)
Supported types of credentials: Username + password, SSH keys
Search of privileged accounts and passwords management: Windows, Linux, Active Directory
Supported user directories: Active Directory
Technologies of two-factor authentication: Password + TOTP
Supported types of sessions’ records: Text log, Video, Screenshots
Remote access technologies: Microsoft RDS, SSH Proxy