Protection of access to Indeed Privileged Access Manager
Privileged Access Management (PAM) solutions make it possible to avoid explicit use of privileged account passwords and to grant administrators the right to use such passwords on specific resources in a granular way. Another problem that has to be solved when granting privileged access is reliable authentication of administrators: an administrator must be authenticated unambiguously before gaining access to a session with elevated rights. This task can be solved with two-factor authentication of PAM users.
In general terms, the authentication task in PAM can be stated as follows: the system must support multi-factor user authentication before a user gains privileged access to it.
To solve this task, the Indeed Privileged Access Manager (Indeed PAM) software suite uses an authentication server. The Indeed PAM authentication server provides the following features.
PAM user authentication
- Two-factor user authentication with a password and an OTP (One-Time Password).
- Optional integration with Indeed Access Manager, so that the user authentication procedure can be delegated to it.
The general architecture scheme of Indeed PAM for solving the authentication task is given below.
The following Indeed PAM modules take part in password management:
Indeed PAM Server
This is the core component of the Indeed PAM infrastructure. It is a web application running in the Internet Information Services (IIS) server environment. The Indeed PAM server provides centralized management of system users, user account data and security policies.
Indeed PAM Authentication Server
The authentication server provides the two-factor user authentication service used by other components (the user console and the access server). It also implements the user interface for authentication and for registering credentials.
Indeed PAM Access Server
The access server is the central part of the privileged access granting scheme. It enforces access policy compliance, starts the administrator session on the target resource, and records sessions as text and video. Two-factor authentication is also performed on the access server before a privileged session is started.
Indeed PAM User Console
In the user console, employees can view the accounts and resources available to them and start a privileged session. The user console is implemented as a web application.