for administrative accounts
Monitoring the use of privileged accounts and keeping administrative passwords secret
Privileged accounts inherently carry significant information security risk: compromise of privileged access to a system can lead to severe financial and reputational loss for the company. Yet administrative accounts are routinely protected by password authentication alone, which has obvious weaknesses: a password can be stolen or handed to another person without authorization, and it has to be changed promptly whenever an employee leaves. These problems with administrative access pose a significant threat to company security, and a Privileged Access Management (PAM) class solution is needed to eliminate them. The first step is automated management of the passwords of privileged accounts.
The tasks of password management for privileged accounts can be formulated as follows:
- Passwords should be hidden from employees. In other words, it must be possible to grant administrative access to a system without revealing the password itself.
- Passwords should be changed automatically to randomly generated values on a regular basis. This raises the security level and reduces the risk of a password being used in the clear.
- It must be possible to grant access rights granularly and to revoke them at any moment, including granting administrative access only to explicitly defined servers.
These tasks are solved with the Indeed Privileged Access Manager (Indeed PAM) software suite, which stores privileged accounts centrally and manages them.
Indeed PAM has the following features.
Password Management Functions
- Granting administrative access (a session) without revealing the privileged account password
- Regular change of privileged account passwords
- Granting administrative access only to defined resources (servers)
Supported account types
- Microsoft Active Directory
- Windows OS accounts
- Linux OS accounts (passwords and SSH-keys)
- Accounts for access to networking hardware
Search for privileged accounts
Indeed PAM contains a module that discovers privileged accounts, registers them in the system and offers to bring them under management.
Regular automatic change of passwords for privileged accounts
Indeed PAM regularly changes the passwords of privileged accounts to random values that satisfy the configured complexity requirements, at the configured rotation interval.
The general Indeed PAM architecture for the password management task is shown in the diagram below.
The following modules provide password management in Indeed PAM:
Indeed PAM Server
This is the core component of the Indeed PAM infrastructure: a web application running on Internet Information Services (IIS). The Indeed PAM Server provides centralized management of system users, account data and security policies.
Access server
The access server is the central part of the privileged access granting scheme. It enforces the access policy, starts the administrator session on the target resource, and records the session as text and video. Two-factor authentication is also performed on the access server before a privileged session is started.
Connectors to the target systems
Connectors integrate Indeed PAM with target systems such as Windows and Linux servers. They are also used to discover privileged accounts on those systems and to change their passwords to random values on a regular basis.
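The rotation performed through the connectors, as described in the "Regular automatic change of passwords" section and the connector description above, can be sketched as follows. This is an added illustrative example, not Indeed PAM code: the policy fields, the account records and the RecordingConnector stand-in are assumptions, and the connector only records the change instead of contacting a host. It selects the accounts whose password age has reached the policy interval, generates a random password from a CSPRNG that satisfies every required character class, verifies it against the policy, and hands it to the connector.

```python
"""Constructed example of a PAM-style rotation engine (not the product's code)."""
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class PasswordPolicy:
    """Complexity and rotation-interval requirements (assumed field set)."""
    min_length: int = 20
    max_age: timedelta = timedelta(days=30)
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    symbols: str = "!#$%&*+-=?@^_"


@dataclass
class PrivilegedAccount:
    name: str
    host: str
    platform: str            # "linux" or "windows"
    last_rotated: datetime


def _required_classes(policy: PasswordPolicy) -> list:
    classes = []
    if policy.require_upper:
        classes.append(string.ascii_uppercase)
    if policy.require_lower:
        classes.append(string.ascii_lowercase)
    if policy.require_digit:
        classes.append(string.digits)
    if policy.require_symbol:
        classes.append(policy.symbols)
    return classes


def generate_password(policy: PasswordPolicy) -> str:
    """Draw one character from every required class so the result always
    complies, fill the rest from the full alphabet, then shuffle with a
    CSPRNG so the mandatory characters do not sit at predictable positions."""
    classes = _required_classes(policy)
    if not classes or policy.min_length < len(classes):
        raise ValueError("policy cannot be satisfied")
    alphabet = "".join(classes)
    chars = [secrets.choice(c) for c in classes]
    chars += [secrets.choice(alphabet) for _ in range(policy.min_length - len(chars))]
    for i in range(len(chars) - 1, 0, -1):      # Fisher-Yates with secrets
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def complies(password: str, policy: PasswordPolicy) -> bool:
    """Check a password against the policy (length plus each required class)."""
    if len(password) < policy.min_length:
        return False
    return all(any(c in cls for c in password) for cls in _required_classes(policy))


def is_due(account: PrivilegedAccount, policy: PasswordPolicy, now: datetime) -> bool:
    return now - account.last_rotated >= policy.max_age


class RecordingConnector:
    """Stand-in for a Windows/Linux connector. A real connector would push the
    new password to the host (e.g. via SSH or WinRM); this one only records it."""
    def __init__(self):
        self.changes = []

    def set_password(self, account: PrivilegedAccount, new_password: str) -> None:
        self.changes.append((account.host, account.name, new_password))


def rotate_due(accounts, policy: PasswordPolicy, connector, now: datetime) -> list:
    """Rotate every account whose password age has reached the policy interval."""
    rotated = []
    for acct in accounts:
        if not is_due(acct, policy, now):
            continue
        new_pw = generate_password(policy)
        if not complies(new_pw, policy):        # defensive re-check before use
            raise RuntimeError("generated password violates policy")
        connector.set_password(acct, new_pw)
        acct.last_rotated = now
        rotated.append(acct.name)
    return rotated


# Constructed sample data: one overdue Linux root, one fresh Windows admin,
# one service account exactly at the 30-day boundary.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)


def sample_accounts() -> list:
    return [
        PrivilegedAccount("root", "db01.example.internal", "linux", NOW - timedelta(days=45)),
        PrivilegedAccount("Administrator", "app01.example.internal", "windows", NOW - timedelta(days=5)),
        PrivilegedAccount("svc-backup", "bak01.example.internal", "linux", NOW - timedelta(days=30)),
    ]


if __name__ == "__main__":
    conn = RecordingConnector()
    print("rotated:", rotate_due(sample_accounts(), PasswordPolicy(), conn, NOW))
```

The boundary case (exactly max_age old) is treated as due, so an account never drifts past the interval; in a real deployment the new password would be committed to the registry before the connector applies it on the host, so a failed push can be retried without losing the credential.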
Event logging and notifications
The system logs every event initiated by users or administrators in the web interface, as well as every attempt to obtain privileged access. Logs are viewed, and reports generated and printed, in the administrator console. The system can be configured to send an email notification to an administrator or a user on selected events.
Privileged account registry
The registry holds the credentials used for privileged access and stores them in encrypted form. Two storage back-ends are supported: a SQL DBMS and Microsoft Active Directory.