Proper operation of the IT infrastructure and business applications is key to success for any government agency or private company.
However, the performance of a corporate IT system depends not only on its hardware and software characteristics. To ensure its smooth operation, all components of the IT infrastructure must be managed by professionals.
The IT components are managed by privileged users — external and internal personnel with higher access rights to corporate resources and applications, including their installation, setting up, and maintenance.
The list of privileged users includes:
- System administrators
- Security specialists
- Contractors and outsourcers
- Financial services operators
- Other external or internal employees
In view of the higher access rights of privileged users and the special nature of IT resources they handle, companies need to have in place a proper privileged access management system that would ensure, among other things, minimal privileges for users, as well as monitoring and analysis of user activity.
Furthermore, hackers gaining access to the authentication data of a privileged identity may cause more serious damage to the organization than if the login credentials of ordinary users are compromised.
Administrator accounts can be used to disable the security system, stop the operation of information systems and gain access to confidential information.
Protecting privileged access rights is a more demanding task than securing ordinary accounts. It cannot be achieved by relying exclusively on standard approaches to protecting login credentials and requires specialized solutions.
These risks can be addressed by setting up a comprehensive privileged access management system. A PAM system must ensure the following:
- Centralized management of connections to critical servers and applications
- Reinforced authentication for privileged identities
- Transparent use of privileged identities on authorized resources, without revealing the password
- Recording of privileged user activity
- Analysis of recorded user activity and investigation of incidents related to controlled resources
The Indeed Privileged Access Manager (Indeed PAM) platform belongs to a class of specialized solutions that goes by many names, including:
- Privileged Access Management (PAM);
- Privileged Account Management (PAM);
- Privileged User Management (PUM);
- Privileged Identity Management (PIM).
This platform draws on our company’s long-term expertise in the development of information security products, specifically those that have to do with access management.
The Indeed PAM platform is a dedicated group of servers that implements centralized policy for monitoring and managing privileged user access.
The key strong point of this platform is that all connections to target resources and applications are made via the Indeed PAM server.
Privileged users can use the client web application to view the available resources and connect to them.
In addition to connecting via the web application, you can also use one of the traditional ways and connect directly to the Indeed PAM network address via RDP and SSH protocols.
The administrator console is a convenient web tool designed for setting up and managing the PAM system, as well as performing relevant audits. An administrator can use this console to manage the privileged access policies, view connection logs, and review recordings of administrative sessions.
The easy-to-use role-based model incorporated with the Indeed PAM platform will allow you to assign appropriate access rights to personnel with different job responsibilities. For example, among other things, you can clearly delimit the responsibilities of security administrators and auditors of privileged sessions.
You can also use two-factor authentication to reinforce the security of access to the administrator console and connections to target resources.
User activity management is a complex task that requires a number of technical and organizational solutions.
In most cases, Employee Monitoring Products and Services (EMPS) or Data Leak Prevention (DLP) solutions are sufficient for monitoring non-privileged user activity, since these tools include a server component responsible for analysis and monitoring of communication channels and a client component used for workstation operations analysis. However, these solutions may prove insufficient or useless for monitoring privileged user activity.
A few characteristics set the work of privileged users apart:
- Higher access rights (including the right to delete client software or assign additional access rights to themselves)
- Uncontrolled workplace (relevant for contractors, outsourcers, or remote administrators)
- Specific target servers where monitoring software cannot be installed (network devices; isolated software environments; exotic, rare, and outdated operating systems)
An intermediary access control and management host (a so-called “jump server”) makes it possible to monitor all privileged sessions from a single point without installing additional software on the targets, which can significantly reduce the costs related to PAM management.
Following the principle of least privilege from the outset, PAM policies require that access rights to a target resource (a server or an application) be expressly assigned to a specific user. Additional options allow the permitted connection time and the permission to use privileged accounts on target resources to be set separately for each grant.
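The grant model described above, as an added example written for this page (it is not Indeed PAM code): access is denied unless an explicit grant exists for the exact user, resource and privileged account, and a grant can carry its own allowed connection window. The users, hosts and windows in the sample policy are constructed for illustration.

```python
"""Default-deny access policy check for a PAM jump server (added example)."""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    account: str   # privileged account on the target the user may use
    start: time    # allowed connection window, inclusive
    end: time


def in_window(start: time, end: time, now: time) -> bool:
    """True if `now` lies inside [start, end]; a window may cross midnight."""
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end


def decide(grants, user, resource, account, when: datetime):
    """Return (allowed, reason). Anything not explicitly granted is denied."""
    for g in grants:
        if (g.user, g.resource, g.account) != (user, resource, account):
            continue
        if in_window(g.start, g.end, when.time()):
            return True, "explicit grant, inside connection window"
        return False, "grant exists but request is outside its connection window"
    return False, "no explicit grant for this user/resource/account (default deny)"


# Constructed sample policy for two hypothetical users and hosts.
SAMPLE_GRANTS = [
    Grant("alice", "db01.example.internal", "root", time(8, 0), time(18, 0)),
    # night maintenance window that crosses midnight
    Grant("bob", "fw-edge01", "admin", time(22, 0), time(6, 0)),
]


def check_sample(user: str, resource: str, account: str, iso_time: str):
    """Evaluate a request against SAMPLE_GRANTS and return the connection
    metadata a PAM server would log next to the decision."""
    when = datetime.fromisoformat(iso_time)
    allowed, reason = decide(SAMPLE_GRANTS, user, resource, account, when)
    return {"user": user, "resource": resource, "account": account,
            "time": when.isoformat(), "allowed": allowed, "reason": reason}


if __name__ == "__main__":
    for req in [("alice", "db01.example.internal", "root", "2024-03-04T10:30"),
                ("alice", "db01.example.internal", "root", "2024-03-04T20:00"),
                ("bob", "fw-edge01", "admin", "2024-03-04T23:30"),
                ("mallory", "db01.example.internal", "root", "2024-03-04T10:30")]:
        print(check_sample(*req))
```

Note the order of checks: the grant is matched on the full triple first, so a user who holds `root` on a host but asks for a different account gets a denial rather than a partial match, and an unknown user produces the same default-deny outcome as an expired window.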
Account password management
Privileges to manage or configure target resources and applications are assigned to specific accounts. The traditional approach implies that passwords or other authenticators for such privileged accounts are provided to authorized personnel, i.e. privileged users.
However, such practice poses a threat of misuse or abuse of the privileges provided. For example, personnel may gain access to tools allowing them to clear logs, install additional software, or perform critical and potentially harmful operations that can disrupt the resource functionality or cause financial damage to the company. These and other permissions are often available to privileged users without proper oversight.
The Indeed PAM software suite allows you to have all privileged accounts under control, thereby ensuring their safe use. This way you can prevent unauthorized use of privileged accounts and record all user activity on a dedicated server.
As part of its management functionality, the platform can perform an automatic search for privileged accounts in Active Directory and on Microsoft Windows or Linux/Unix servers. This will help you to make sure that you don’t have any undocumented privileged accounts with access to critical resources in your company’s IT infrastructure.
All passwords in the account data vault are encrypted, and only the Indeed PAM server has access to the encryption key. Indeed PAM also stores authentication data (usernames and passwords) for target applications, primarily for privileged accounts.
Furthermore, all passwords are automatically updated and by design will not be accessible by privileged users. When a privileged user attempts to connect to a target resource, the Indeed PAM server will automatically insert their login and password. This means that your personnel authorized to manage a specific server or business application will not be able to bypass the Indeed PAM system during authentication, since they do not know the password.
Recording and analysis of user activity
One of the main reasons why privileged user activity deserves special attention is the potential threat it may pose to the proper operation of the company’s IT infrastructure. Even if we disregard possible malicious actions, hacker attacks and outright sabotage, we still need to consider a relatively large number of incidents related to the so-called “human factor”.
For example, let’s imagine a situation where an employee has made a series of errors, which resulted in a server failure. Whether or not the company has a backup copy and a fail-safe protocol, managers still need to identify the cause of this failure. Often, if the server is down, its event logs are also unavailable. In this case, if you have deployed a Security Information & Event Management (SIEM) system, you will learn that there has been an incident and that a specific employee is potentially responsible (for example, after performing network connection analysis), but you are not likely to be aware of what actually happened.
The Indeed PAM platform will provide you with comprehensive information about the causes of the incident and the presence of malicious intent.
When a privileged user works via Indeed PAM, their actions are recorded in different formats, including video and text recording, command interception, shadow copies of transmitted files, etc. You will have immediate access to the list of user operations in the management console. In addition to the actual records of user activity, the system captures a large amount of metadata, i.e. information about the connections (user name, protocols, target resources, connection time, etc.).
After analyzing the records, instead of voicing ungrounded accusations against your personnel, you can gain a prompt understanding of the causes of the incident and plan your immediate response in order to mitigate it (minimize the consequences), thereby preventing further financial and reputational losses.
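The two mechanisms described in this section and in the password management section, as an added example that is not Indeed PAM code: a broker holds the target passwords in a vault, injects them when a user opens a session, hands the user only a session handle, rotates the password when the session closes, and records every command together with connection metadata. The target server, user, grant and commands are constructed for the example; encryption of the vault at rest is left out so the flow stays visible.

```python
"""Credential injection, rotation and session recording (added example)."""
import secrets
import string
from datetime import datetime, timezone

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def new_password(length: int = 24) -> str:
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class TargetServer:
    """Hypothetical managed host: accepts a login only with its current password."""
    def __init__(self, name, account):
        self.name, self.account = name, account
        self.password = new_password()   # set during onboarding

    def login(self, account, password):
        return account == self.account and secrets.compare_digest(password, self.password)

    def set_password(self, account, old, new):
        if not self.login(account, old):
            raise PermissionError("rotation refused: old password invalid")
        self.password = new


class Vault:
    """Current password per (resource, account); only the broker calls it."""
    def __init__(self):
        self._secrets = {}

    def store(self, resource, account, password):
        self._secrets[(resource, account)] = password

    def fetch(self, resource, account):
        return self._secrets[(resource, account)]


class Session:
    """What the user actually receives: a handle that records commands."""
    def __init__(self, user, server, account, protocol):
        self.user, self.server, self.account, self.protocol = user, server, account, protocol
        self.opened = datetime.now(timezone.utc).isoformat()
        self.commands = []   # text log: (timestamp, command)
        self.closed = False

    def run(self, command):
        if self.closed:
            raise RuntimeError("session closed")
        self.commands.append((datetime.now(timezone.utc).isoformat(), command))
        return f"[{self.server.name}] executed: {command}"

    def metadata(self):
        return {"user": self.user, "resource": self.server.name, "account": self.account,
                "protocol": self.protocol, "opened": self.opened, "commands": len(self.commands)}


class Broker:
    """The PAM server: the only component that ever sees a target password."""
    def __init__(self, servers, grants):
        self.vault, self.records = Vault(), []
        self.servers = {s.name: s for s in servers}
        self.grants = grants   # set of (user, resource, account) triples
        for s in servers:
            self.vault.store(s.name, s.account, s.password)

    def connect(self, user, resource, account, protocol="SSH"):
        if (user, resource, account) not in self.grants:
            raise PermissionError("no grant for this user/resource/account")
        server = self.servers[resource]
        password = self.vault.fetch(resource, account)   # injected, never returned
        if not server.login(account, password):
            raise RuntimeError("injected credential rejected by target")
        return Session(user, server, account, protocol)

    def close(self, session):
        session.closed = True
        self.records.append((session.metadata(), list(session.commands)))
        self.rotate(session.server.name, session.account)

    def rotate(self, resource, account):
        server = self.servers[resource]
        new = new_password()
        server.set_password(account, self.vault.fetch(resource, account), new)
        self.vault.store(resource, account, new)


def demo():
    """Run one brokered session and report what the user could and could not learn."""
    srv = TargetServer("db01.example.internal", "root")
    broker = Broker([srv], {("alice", "db01.example.internal", "root")})
    s = broker.connect("alice", "db01.example.internal", "root", "SSH")
    s.run("systemctl status postgresql")
    s.run("apt-get install htop")
    in_use = srv.password    # the password valid during the session
    broker.close(s)
    return {"session_exposes_password": any("pass" in a for a in vars(s)),
            "old_password_still_valid": srv.login("root", in_use),
            "recorded_commands": [c for _, c in broker.records[0][1]],
            "metadata": broker.records[0][0]}


def unauthorized_is_refused():
    try:
        Broker([TargetServer("h", "root")], set()).connect("mallory", "h", "root")
    except PermissionError:
        return True
    return False
```

The session object deliberately has no attribute holding the password, so even a user who inspects their handle learns nothing they could use to bypass the broker later; closing the session rotates the password on the target and in the vault, so a password observed during the session is dead afterwards.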
- Supported protocols: RDP, SSH, HTTP(S), and other proprietary protocols, by publishing the relevant applications
- Supported types of authentication data: username + password, SSH keys
- Privileged accounts search and password management: Windows, Linux, and Active Directory
- Supported user directories: Active Directory
- Two-factor authentication technologies: password + TOTP (time-based one-time password)
- Supported session record types: text log, video recording, and screenshots
- Remote access technologies: Microsoft RDS, SSH Proxy
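The TOTP second factor listed in the specification above, as an added example rather than Indeed PAM code: the RFC 4226 HOTP computation, its RFC 6238 time-based variant, and a verifier that tolerates one 30-second step of clock drift while refusing a code that has already been accepted. The secret below is the ASCII test-vector secret from RFC 6238, so the values can be checked against the RFC's Appendix B; a deployment would use a random per-user secret.

```python
"""RFC 6238 TOTP with the standard library only (added example)."""
import hashlib
import hmac
import struct

STEP = 30      # seconds per time step
DIGITS = 6     # code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and left-pad with zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side check for one user: accepts the current step plus `window`
    steps either side, and never accepts the same step twice (replay)."""
    def __init__(self, secret: bytes, window: int = 1):
        self.secret, self.window = secret, window
        self.last_used_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        now_step = unix_time // STEP
        for delta in range(-self.window, self.window + 1):
            step = now_step + delta
            if step <= self.last_used_step:
                continue   # already consumed, or older than a consumed step
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_used_step = step
                return True
        return False


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def replay_is_rejected() -> bool:
    """Same valid code presented twice within its window: second attempt must fail."""
    v = TotpVerifier(RFC_SECRET)
    code = totp(RFC_SECRET, 59)
    return v.verify(code, 59) and not v.verify(code, 59)


if __name__ == "__main__":
    print(totp(RFC_SECRET, 59, digits=8))   # RFC vector: 94287082
    print(replay_is_rejected())
```

Two details matter in practice: `hmac.compare_digest` keeps the comparison constant-time, and tracking the last accepted step per user is what turns a clock-drift window into something a replayed code cannot slip through.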