| Developers: | Indeed, Indeed (formerly Indeed ID) |
| Last Release Date: | 2020/04/13 |
| Technology: | Information Security - Authentication, PAM Privileged Access Management |
Content |
The Indeed Privileged Access Manager (Indeed PAM) product is being developed from scratch as access control system using privileged accounts. The product is based on many years of experience of the company "Indid" in creating products in the field. information security
2022: Privileged user control scenario can be worked on Jet CyberCamp cyber training platform
The IT company Jet Infosystems and the Indid company, a Russian developer of information security software solutions, have created a joint cyber training program on the Jet CyberCamp platform. Now information security specialists can work out cases with IndeedPAM - a solution of the Privileged Access Management class, designed to monitor and control the actions of privileged users. This was announced by the company "Jet Infosystems" on September 27, 2022. Read more here.
2020: Inclusion in the Register of Domestic Software
On April 13, 2020, the Russian company Indid announced the inclusion of the Indeed Privileged Access Manager software complex in the Register of Domestic Software (Order of the Ministry of Communications of the Russian Federation No. 162 of 07.04.2020). Indeed PAM is designed to control the actions of system administrators and two-factor authentication of privileged users before accessing important commercial data. The vendor announced the release of this software package in August 2018 and constantly informs about the release of releases in which it expands the functionality of the product.
The inclusion of Indeed PAM in the Register opens up access to the possibility of its implementation not only in private companies, but also in public sector organizations that must comply with the requirements of regulators and legislation in the field of import substitution.
2019: Description of Indeed Privileged Access Manager
(Data current for March 2019)
Policies and Permissions
Policies and permissions define privileged access settings:
- to whom access is granted
- which accounts have been granted access to
- what resources (servers and equipment) are granted access to
- for what time (permanent/temporary, during working hours or at any time)
- what sessions should be recorded (video and text recording, text only, screenshots, etc.)
- what local resources (disks, smart cards) will be available to the user in a remote session
- whether the user is allowed to view the password of the privileged account
Centralized policies reduce system administration costs and make settings and access rights transparent to information security professionals and auditors.
Privileged Credential Store
The credentials data required for access (logins, passwords, - SSH key) are stored in, storage to which only server Indeed PAM has access. Storage and transfer of data to/from the server is carried out in encrypted form using persistent ones. algorithms enciphering Access to the storage is limited and is possible only for the PAM server, a special procedure for "sealing" the server - hardening the server is used to implement this approach. databases
Session Recording Subsystem
All privileged access sessions are recorded without fail and stored in the Indeed PAM archive. In the archive, records are stored in encrypted form, it is possible to access them only by having the appropriate permissions within the PAM system.
Records are maintained in the following formats:
- Text recording is always maintained and records the following data:
- Full console input and output in SSH connections
- All processes to be started, windows to be opened, and keyboard input for RDP connections.
- Video recording is performed for both RDP and SSH connections. Video recording is not required, it is enabled by the PAM administrator using the policy engine. Video quality is configured and can be different for different accounts, for example, sessions of domain administrators can be recorded with maximum quality, and sessions of compressed operators.
- Screenshots are also taken for both RDP and SSH connections. It is not necessary to save screenshots, it is enabled by the PAM administrator using the policy engine. The frequency and quality of screenshots are set in policies.
Viewing active sessions is available in real time with the ability to break the session by the PAM administrator.
Log Server
The log server is a dedicated Indeed PAM event collection service. Such events include all activity of PAM administrators and users. The log records who and what parameters of the system changed and who made a connection to the target resources under what credentials.
For easy integration into SIEM and timely response to incidents, events can be delivered via syslog to a third-party log server.
Administrator Console
The administrator console provides an interface for configuring, managing and auditing the system and is designed as a web application. Using the console, the administrator gives users access to credentials, configures access policies, and reviews event logs and privileged session records. The console also allows PAM administrators to view active privileged sessions in real time and, if necessary, stop the employee's session. The administrator console is accessed by two-factor authentication.
Self-Service Services
Employees use two tools to gain privileged access:
- A user console that is designed as a web application. In the user's console, employees view the accounts and resources available to them, and start privileged sessions.
- The application on the access server. Using this application, employees gain access bypassing the user's console. In this case, the employee connects directly to the access server, where he is prompted to select an allowed connection.
In both cases, employee access is protected by two-factor OTP (One-Time Password) authentication.
Access modules
Access modules provide mechanisms for opening and recording privileged sessions.
Access Server
The access server implements a centralized model of gaining privileged access. The employee first connects to the access server, on which his rights are checked and authentication is performed by the second factor, after which the employee opens a session on the target resource.
SSH Proxy
SSH Proxy is an alternative option for accessing via Indeed PAM LinuxUnix in/-systems.
Account Management Subsystem
When using PAM class systems, it is important for information security officers to understand that there are no unaccounted-for privileged records in the company's infrastructure, and access to them is monitored and logged. Within Indeed PAM, this task is solved by the account management subsystem.
The subsystem performs the following functions:
- Periodically searches target resources for new privileged accounts. This measure allows you to protect yourself from an unscrupulous administrator who created an account for himself to work bypassing the PAM system.
- Periodic verification of passwords and SSH keys of privileged accounts. This feature ensures that the PAM store contains the current credentials and that the unscrupulous administrator has not reset the account password to bypass the PAM.
- Periodic change of passwords and SSH keys. Indeed PAM generates random complex passwords and SSH keys for controlled privileged credentials, protecting them from unauthorized access.
- Resets the account password after it is shown to the user. The PAM administrator can allow employees to view the password of a privileged account when explicit password usage is required. After the employee receives the password, after a specified period of time, Indeed PAM will reset the password to a new random value.
To perform these functions, the account management subsystem includes connection modules (connectors) for the target systems:
- Connector to Active Directory
- Connector to Windows and Windows Server
- SSH connector for connecting to Linux/Unix systems based on various distributions.
Main characteristics of Indeed PAM
- Access Protocols - RDP, SSH, HTTP (s)
- Supported credential types - Username + password, SSH keys
- Search for privileged accounts and password management - Windows, Linux, Active Directory
- Supported User Directories - Active Directory
- Two-factor authentication technologies - Password + TOTP (software generator)
- Supported session recording types - Text log, Video recording, Screenshots
- Remote Access Technologies - Microsoft RDS, SSH Proxy
2018
Privileged accounts carry serious information security risks: compromising privileged access can lead to large financial and reputational losses of the company. Protecting privileged access is more difficult, and the consequences of its misuse are much more serious than in the case of ordinary users. The problem cannot be solved using common approaches to protecting credentials and requires specialized solutions.
You can formulate tasks for protecting and controlling privileged access as follows:
- Log attempts to use privileged accounts in the access log, indicating which employee, when, and which account was accessed
- Video and text recording of privileged sessions with the ability to view a session archive
- Ensure multifactor employee authentication when accessing privileged accounts
- Keep the password of privileged accounts secret from employees, make regular password changes
To solve these problems, we have developed the Indeed Privileged Access Manager (Indeed PAM) software package. The complex centrally stores and manages privileged accounts. Indeed Privileged Access Manager has the following characteristics:
Tasks to be solved
- Keeping Passwords of Administrative Accounts Secret
- Video and text recording of sessions
- Discover privileged accounts to take control of
- Two-Factor Privileged Access Authentication
Supported Account Types
- Microsoft Active Directory
- Windows Accounts
- Linux accounts (passwords and SSH keys)
- Network equipment Access Accounts
Supported Access Protocols
- RDP
- SSH
- Web applications
Search for privileged accounts
- Indeed PAM includes a module that searches for privileged accounts, registers them on the system and offers to take control of them.
Automatically change privileged account passwords regularly
- Indeed PAM performs a regular password change to a random value, fulfilling the requirements for both the complexity of passwords and the frequency of their change.
Architectural Scheme Indeed PAM
| The site content is translated by machine translation software powered by PROMT. The machine-translated articles are not always perfect and may contain errors in vocabulary, syntax or grammar. Read original article If you find inaccuracies or errors in the results of machine translation, please write to editor@tadviser.ru. We will make every effort to correct them as soon as possible. |