Privileges to manage or configure target resources and applications are assigned to specific accounts. The traditional approach implies that passwords or other authenticators for such privileged accounts are provided to authorized personnel, i.e. privileged users.
These privileges can include the rights to:
- Clear logs
- Install additional software
- Perform critical and potentially harmful operations that can disrupt the resource functionality
- And other rights
These rights are often available to privileged users without any oversight. This practice creates a risk that the granted privileges will be misused or abused.
Privileged user activity is hard to monitor because these users access a resource directly or through a console (when peripherals are connected directly to a hardware server), circumventing security controls. The same applies when an administrator has the right to manage network devices and network communication.
In addition, password authentication is often the only control applied to such accounts, and it has a number of critical disadvantages:
- Brute-force attacks
- Unauthorized password disclosure
- The need to promptly change passwords when employees leave the company
- And others
These privileged access problems expose the company to security threats. The best solution would be to use a specialized software suite for Privileged Access Management (a.k.a. Privileged User Management, Privileged Identity Management, Privileged Account Management).
Understanding this problem is an important step towards building a comprehensive information security system in the company.
The first step in protecting information where privileged access is provided is to implement automatic management of privileged account passwords. Indeed Privileged Access Manager (Indeed PAM) finds privileged accounts and monitors the way they are used. Its primary purpose is to prevent their unauthorized and unsupervised use.
Indeed PAM offers a comprehensive set of features that solve the password management problem:
- Automatically searches for privileged accounts
- Allows manual entry of application passwords and monitors them
- Automatically changes passwords at specified intervals
- Retrieves passwords from a vault
- Maintains password history
All passwords for these accounts are stored in an encrypted form in the vault, and only the Indeed PAM server has access to the encryption key.
When a privileged user attempts to establish a connection, the Indeed PAM server itself supplies the login credentials, and only to the target resource. The important point is that privileged account passwords remain unavailable to employees.
This means that personnel authorized to manage a specific server or business application cannot bypass the Indeed PAM system during authentication, since they do not know the password.
Automatic account search
Indeed Privileged Access Management automatically searches for privileged accounts in Active Directory and on Microsoft Windows or Linux/Unix servers.
With the traditional approach you would have to find all account data and enter it into the vault manually to put the accounts under control and manage their passwords. This would require a lot of effort from operating personnel and increase the risk of human error, such as some accounts being missed.
Automatic search radically reduces the number of undocumented privileged accounts with access to critical resources in the IT infrastructure and does it quickly, with minimal involvement of IT and information security personnel.
Application password storage
The vault is populated with privileged account passwords for target applications published on the Indeed PAM access server. With this feature you can monitor not only standard remote administration protocols (RDP, SSH), but also proprietary applications for administering specialized target resources:
- Virtualization infrastructure
- Information protection tools
- Consoles for centralized network device management
- Business applications
- And others
Password management for other users
Indeed PAM’s password management functionality can be used not only to protect administrator accounts, but also to protect any other accounts, including those of unprivileged users, for example:
- Financial services operators
- Sales managers
- And others
Automatic password change
Password management is not limited to automatic search for passwords and their entry into the vault.
To prevent the privileged user activity monitoring system from being bypassed, Indeed PAM can automatically change privileged account passwords for target resources to random values. This means that privileged users can access critical resources only through Indeed PAM.
Indeed PAM checks the validity of passwords in the vault. This matters when an administrator has managed to change a privileged account password for a critical IT infrastructure resource.
Password recovery in case of exceptions
If an exception occurs (for example, if a target resource cannot be accessed via the network), Indeed PAM provides a privileged account password for direct access and further resource management. Once the network connection is restored, the previously provided password is replaced with a random one again.
When a target server is down and the only way to get it up and running again is to recover it from a backup, Indeed PAM provides an easy solution to the problem of mismatching passwords to access privileged accounts of the recovered resource. The platform maintains password history, so you can recover any password as of a specified date (prior to a backup date) and continue working with your target resource.
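The rotation, validity check and point-in-time recovery described above can be modelled as follows. This is an added example, not Indeed PAM code or its API: the class and method names are hypothetical, the history is kept in memory, and encryption of the stored values is left out.

```python
import bisect
import secrets
import string
from datetime import datetime, timezone

ALPHABET = string.ascii_letters + string.digits + "!#%+-_="


class PasswordHistory:
    """Rotation history for one privileged account (in-memory model)."""

    def __init__(self):
        self._times = []      # rotation timestamps, ascending
        self._passwords = []  # password that took effect at the same index

    def rotate(self, when, length=24):
        """Set a new random password that takes effect at `when`."""
        if self._times and when <= self._times[-1]:
            raise ValueError("rotation times must be strictly increasing")
        password = "".join(secrets.choice(ALPHABET) for _ in range(length))
        self._times.append(when)
        self._passwords.append(password)
        return password

    def as_of(self, when):
        """Password in effect at `when`, e.g. the time a backup was taken."""
        idx = bisect.bisect_right(self._times, when) - 1
        if idx < 0:
            raise LookupError("no password recorded at or before that time")
        return self._passwords[idx]

    def in_sync(self, password_on_target):
        """Validity check: False means the target was changed out of band."""
        if not self._passwords:
            return False
        return secrets.compare_digest(self._passwords[-1].encode(),
                                      password_on_target.encode())


def demo():
    """Constructed timeline: three rotations, backup taken between 2 and 3."""
    utc = timezone.utc
    history = PasswordHistory()
    jan = history.rotate(datetime(2024, 1, 1, tzinfo=utc))
    feb = history.rotate(datetime(2024, 2, 1, tzinfo=utc))
    mar = history.rotate(datetime(2024, 3, 1, tzinfo=utc))
    restored = history.as_of(datetime(2024, 2, 15, tzinfo=utc))
    return history, (jan, feb, mar), restored
```

A server restored from the 15 February backup in this constructed timeline still carries the password set on 1 February, so the lookup has to return that entry rather than the current one.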
- Automatic search for privileged accounts
- Manual entry of application passwords and their monitoring
- Automatic change of passwords at specified intervals
- Retrieval of passwords from a vault
- Maintenance of password history
Supported account types (search, management):
- Microsoft Active Directory
- Windows accounts
- Linux/Unix accounts (passwords and SSH keys)
- Accounts providing access to network hardware (based on Linux/Unix)
- DBMS accounts: Microsoft SQL, MySQL, PostgreSQL, Oracle DB
Supported account types (management only):
- Application software accounts
- Web application accounts
Supported access protocols: