
Indeed PAM (Indeed Privileged Access Manager)

Product
Developers: Indeed (formerly Indeed ID)
Last Release Date: 2024/05/13
Technology: Information Security - Authentication, PAM (Privileged Access Management)

Content

Indeed Privileged Access Manager (Indeed PAM) is a product developed from scratch as a system for controlling access performed through privileged accounts. It builds on the many years of experience of the company "Indid" in creating information security products.

2024: OpenLDAP and ALD PRO support

On May 13, 2024, Indeed announced the release of an updated version of Indeed PAM (Indeed Privileged Access Manager). Key changes include support for new user directories (OpenLDAP and ALD PRO), connection to arbitrary resources, native SIEM integration via the CEF and LEEF log formats, manual blocking of users in PAM, an increased maximum password length, and more.

In Indeed PAM 2.10, OpenLDAP and ALD PRO can be selected as directory services. This broadens the options for replacing Microsoft Active Directory under import substitution requirements. Indeed PAM now supports the following user directories: Active Directory, FreeIPA, OpenLDAP, and ALD PRO.

The updated version adds a new resource type, arbitrary resources: targets that have not been registered in the PAM system. This allows users to connect to any resource without it first being entered into the PAM. It simplifies the work of employees who create virtual machines as part of their duties: they can now connect to a new machine immediately instead of waiting for the PAM administrator to add it to the resource list.

Indeed PAM can also be connected to a SIEM system directly, using the CEF and LEEF formats, without additional connectors or parsers, so the customer does not need to build custom integration.

2022: Privileged user control scenario available on the Jet CyberCamp cyber training platform

The IT company Jet Infosystems and Indid, a Russian developer of information security software, have created a joint cyber training program on the Jet CyberCamp platform. Information security specialists can now work through cases with Indeed PAM, a Privileged Access Management solution designed to monitor and control the actions of privileged users. This was announced by Jet Infosystems on September 27, 2022.

2020: Inclusion in the Register of Domestic Software

On April 13, 2020, the Russian company Indid announced the inclusion of the Indeed Privileged Access Manager software complex in the Register of Domestic Software (Order of the Ministry of Communications of the Russian Federation No. 162 of 07.04.2020). Indeed PAM is designed to control the actions of system administrators and to enforce two-factor authentication of privileged users before they access important commercial data. The vendor announced the release of this software package in August 2018 and has regularly announced subsequent releases that expand the product's functionality.

The inclusion of Indeed PAM in the Register opens the way to deployments not only in private companies but also in public sector organizations that must comply with regulatory and legislative import substitution requirements.

2019: Description of Indeed Privileged Access Manager

(Data current for March 2019)

Policies and Permissions

Policies and permissions define privileged access settings:

  • to whom access is granted
  • through which privileged accounts access is granted
  • to which resources (servers and equipment) access is granted
  • for what time (permanent or temporary; during working hours only or at any time)
  • how sessions are recorded (video and text, text only, screenshots, etc.)
  • which local resources (disks, smart cards) are available to the user in the remote session
  • whether the user is allowed to view the privileged account's password

Centralized policies reduce system administration costs and make settings and access rights transparent to information security professionals and auditors.
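The following is an added example of how such a policy set can be evaluated for an access request; it is illustrative code, not Indeed PAM's policy engine. The policy fields mirror the settings listed above (who, which account, which resource, when, how to record, which local resources to redirect, whether the password may be shown). The policy names, users, accounts, resources and the 09:00-18:00 Monday-Friday working-hours window are constructed assumptions. Evaluation is deny-by-default: a request is granted only by the first policy that matches subject, account and resource and whose time constraints hold.

```python
"""Deny-by-default evaluation of PAM-style access policies (added example).

Not Indeed PAM code. Policy names, users, accounts, resources and the
working-hours window are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

WORK_START, WORK_END = time(9, 0), time(18, 0)  # assumed working hours, Mon-Fri


@dataclass(frozen=True)
class Policy:
    name: str
    users: frozenset                 # to whom access is granted
    accounts: frozenset              # through which privileged accounts
    resources: frozenset             # to which servers / equipment
    recording: str                   # "video+text", "text" or "screenshots"
    local_resources: frozenset = frozenset()  # e.g. {"drives", "smartcards"} redirected into the session
    show_password: bool = False      # may the user view the account password
    working_hours_only: bool = False
    valid_until: Optional[datetime] = None    # None = permanent, otherwise temporary


@dataclass(frozen=True)
class Decision:
    allowed: bool
    policy: Optional[str] = None
    recording: Optional[str] = None
    local_resources: frozenset = frozenset()
    show_password: bool = False
    reason: str = ""


def in_working_hours(now: datetime) -> bool:
    return now.weekday() < 5 and WORK_START <= now.time() < WORK_END


def evaluate(user: str, account: str, resource: str, now: datetime, policies) -> Decision:
    """Return the grant from the first matching policy, else a deny carrying the reasons."""
    reasons = []
    for p in policies:
        if user not in p.users or account not in p.accounts or resource not in p.resources:
            continue
        if p.valid_until is not None and now >= p.valid_until:
            reasons.append(f"{p.name}: temporary access expired")
            continue
        if p.working_hours_only and not in_working_hours(now):
            reasons.append(f"{p.name}: outside working hours")
            continue
        return Decision(True, p.name, p.recording, p.local_resources, p.show_password)
    return Decision(False, reason="; ".join(reasons) or "no matching policy")


# Constructed policies: a permanent domain-admin grant and a temporary,
# working-hours-only contractor grant that may reveal the password.
POLICIES = (
    Policy("domain-admins", frozenset({"alice"}), frozenset({"CORP\\Administrator"}),
           frozenset({"dc01"}), recording="video+text"),
    Policy("contractor-web", frozenset({"bob"}), frozenset({"root"}), frozenset({"web01"}),
           recording="text", local_resources=frozenset({"drives"}), show_password=True,
           working_hours_only=True, valid_until=datetime(2024, 7, 1)),
)


def demo() -> dict:
    """Evaluate constructed requests; returns (allowed, policy-or-reason, recording mode)."""
    cases = {
        "alice_weekend": ("alice", "CORP\\Administrator", "dc01", datetime(2024, 6, 8, 23, 30)),
        "bob_workday": ("bob", "root", "web01", datetime(2024, 6, 10, 10, 0)),
        "bob_night": ("bob", "root", "web01", datetime(2024, 6, 10, 22, 0)),
        "bob_expired": ("bob", "root", "web01", datetime(2024, 7, 2, 10, 0)),
        "bob_wrong_host": ("bob", "root", "dc01", datetime(2024, 6, 10, 10, 0)),
    }
    out = {}
    for key, (u, a, r, t) in cases.items():
        d = evaluate(u, a, r, t, POLICIES)
        out[key] = (d.allowed, d.policy if d.allowed else d.reason, d.recording)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The recording mode and local-resource redirection are returned together with the grant, so the component that opens the session receives its settings from the same decision that authorized it; a denial carries the reason for the audit log.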

Privileged Credential Store

The credentials required for access (logins, passwords, SSH keys) are stored in a database to which only the Indeed PAM server has access. Data is stored, and transferred to and from the server, in encrypted form using strong encryption algorithms. Access to the storage is restricted to the PAM server; to enforce this, a special "sealing" procedure (hardening of the server) is applied.

Session Recording Subsystem

All privileged access sessions are recorded without exception and stored in the Indeed PAM archive. Records in the archive are stored in encrypted form and can be accessed only with the appropriate permissions within the PAM system.

Records are maintained in the following formats:

  • Text recording is always maintained and captures the following data:
    • Full console input and output for SSH connections
    • For RDP connections: all launched processes, opened windows, and keyboard input

  • Video recording is performed for both RDP and SSH connections. It is optional and is enabled by the PAM administrator through the policy engine. Video quality is configurable and can differ between accounts: for example, domain administrators' sessions can be recorded at maximum quality while operators' sessions are recorded in compressed form.
  • Screenshots are also taken for both RDP and SSH connections. Saving screenshots is optional and is enabled by the PAM administrator through the policy engine. The frequency and quality of screenshots are set in policies.

Active sessions can be viewed in real time, and the PAM administrator can terminate a session.

Log Server

The log server is a dedicated Indeed PAM event collection service. Events include all activity of PAM administrators and users. The log records who changed which system parameters, and who connected to which target resources under which credentials.

For easy integration into SIEM and timely response to incidents, events can be delivered via syslog to a third-party log server.
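The 2024 release notes above mention native SIEM delivery in the CEF and LEEF formats, and this section describes syslog delivery. As an added example (not Indeed PAM's own code or event schema), the following emits PAM-style audit events as CEF records, parses them back, and applies two simple SOC checks to the result: alert on every password reveal, and on privileged sessions opened outside working hours. The vendor and product strings, the event class IDs (100 session started, 110 password shown, 120 policy changed), the extension keys and the sample events are all constructed for illustration. The escaping follows the CEF specification: header fields escape `|` and `\`, extension values escape `=`, `\` and line breaks.

```python
"""Emit and parse PAM audit events in CEF, then pick out the ones worth alerting on.

Added example; not Indeed PAM's code or event schema. Vendor/product names,
event class IDs, extension keys and the sample events are constructed.
"""
import re
from datetime import datetime

VENDOR, PRODUCT, VERSION = "ExampleVendor", "ExamplePAM", "2.10"  # assumed
WORK_START, WORK_END = 9, 18                                        # assumed working hours


def _esc_header(v: str) -> str:
    return v.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(v: str) -> str:
    return (v.replace("\\", "\\\\").replace("=", "\\=")
             .replace("\r", "\\r").replace("\n", "\\n"))


def _unesc(v: str) -> str:
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), v)


def to_cef(event_id: str, name: str, severity: int, ext: dict) -> str:
    header = "|".join(_esc_header(x) for x in (VENDOR, PRODUCT, VERSION, event_id, name, str(severity)))
    extension = " ".join(f"{k}={_esc_ext(str(v))}" for k, v in ext.items())
    return f"CEF:0|{header}|{extension}"


def parse_cef(line: str) -> dict:
    # Split the header on unescaped '|' (a header field ending in an escaped
    # backslash directly before '|' is not handled by this simple lookbehind).
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or parts[0] != "CEF:0":
        raise ValueError(f"not a CEF:0 record: {line[:40]!r}")
    keys = ("vendor", "product", "version", "event_id", "name", "severity")
    ev = {k: _unesc(v) for k, v in zip(keys, parts[1:7])}
    ev["severity"] = int(ev["severity"])
    ext = parts[7]
    # A key is a run of word characters directly followed by an unescaped '='.
    # Escaped '\=' inside values never matches because '\' is not a word char.
    marks = list(re.finditer(r"(\w+)=", ext))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(ext)
        ev[m.group(1)] = _unesc(ext[m.end():end].rstrip())
    return ev


def alerts(events) -> list:
    """Human-readable alerts: any password reveal, and sessions opened off-hours."""
    out = []
    for ev in events:
        when = datetime.strptime(ev["rt"], "%b %d %Y %H:%M:%S")
        if ev["event_id"] == "110":
            out.append(f"{ev['suser']} viewed password of {ev['duser']}@{ev['dst']}")
        elif ev["event_id"] == "100" and not (when.weekday() < 5 and WORK_START <= when.hour < WORK_END):
            out.append(f"off-hours session: {ev['suser']} -> {ev['duser']}@{ev['dst']} at {ev['rt']}")
    return out


# Constructed sample events (event_id, name, severity, extension).
SAMPLE_EVENTS = [
    ("100", "Privileged session started", 3,
     {"rt": "Jun 10 2024 10:05:00", "suser": "alice", "duser": "CORP\\Administrator",
      "dst": "dc01", "app": "RDP"}),
    ("100", "Privileged session started", 3,
     {"rt": "Jun 10 2024 22:15:00", "suser": "bob", "duser": "root", "dst": "web01",
      "app": "SSH", "msg": "cmd: export PATH=/usr/local/bin:$PATH"}),
    ("110", "Privileged account password shown", 7,
     {"rt": "Jun 11 2024 11:00:00", "suser": "bob", "duser": "root", "dst": "web01"}),
    ("120", "Policy changed | contractor-web", 5,
     {"rt": "Jun 11 2024 12:00:00", "suser": "pam-admin", "msg": "show_password=true"}),
]


def demo():
    """Serialize the samples to CEF, parse them back, and run the checks."""
    lines = [to_cef(*e) for e in SAMPLE_EVENTS]
    parsed = [parse_cef(line) for line in lines]
    return lines, parsed, alerts(parsed)


if __name__ == "__main__":
    cef_lines, _, found = demo()
    print("\n".join(cef_lines))
    print("\n".join(found))
```

The second sample shows why escaping matters in practice: a shell command containing `=` lands in the `msg` field, and without `\=` a naive parser would split it into a bogus key. The detection rules are deliberately plain; in a real SIEM the same fields would feed correlation against the access policies (who is permitted to reach which host, and when).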

Administrator Console

The administrator console is a web application that provides an interface for configuring, managing and auditing the system. Using the console, the administrator grants users access to credentials, configures access policies, and reviews event logs and privileged session recordings. The console also lets PAM administrators watch active privileged sessions in real time and, if necessary, terminate an employee's session. Access to the administrator console requires two-factor authentication.

Self-Service Services

Employees use two tools to gain privileged access:

  • A user console that is designed as a web application. In the user's console, employees view the accounts and resources available to them, and start privileged sessions.
  • An application on the access server. With it, employees gain access without going through the user console: the employee connects directly to the access server and is prompted to select one of the connections allowed to them.

In both cases, employee access is protected by two-factor OTP (One-Time Password) authentication.

Access modules

Access modules provide mechanisms for opening and recording privileged sessions.

Access Server

The access server implements a centralized model of privileged access. The employee first connects to the access server, where their rights are checked and second-factor authentication is performed; only then does the employee open a session on the target resource.

SSH Proxy

SSH Proxy is an alternative way of accessing Linux/Unix systems through Indeed PAM.

Account Management Subsystem

When using PAM-class systems, information security officers need assurance that there are no unaccounted-for privileged accounts in the company's infrastructure and that access to all of them is monitored and logged. Within Indeed PAM, this task is handled by the account management subsystem.

The subsystem performs the following functions:

  • Periodically searches target resources for new privileged accounts. This protects against a rogue administrator who creates an account for himself in order to work around the PAM system.
  • Periodically verifies the passwords and SSH keys of privileged accounts. This ensures that the PAM store holds the current credentials and that a rogue administrator has not reset an account password to bypass the PAM.
  • Periodically changes passwords and SSH keys. Indeed PAM generates random, complex passwords and SSH keys for the privileged credentials under its control, protecting them from unauthorized use.
  • Resets the account password after it has been shown to a user. The PAM administrator can allow employees to view a privileged account's password when explicit use of the password is required; a specified period after the employee receives it, Indeed PAM resets the password to a new random value.
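The four functions above form one reconciliation-and-rotation loop. The following is an added example of that loop against a Linux target (illustrative code, not Indeed PAM's connector): it reads account and group data, treats uid 0 or membership in an administrative group as privileged, compares the result with the set of accounts the PAM already manages, and decides when a credential must be rotated, either on schedule or because the grace period after a password reveal has elapsed. The `/etc/passwd` and `/etc/group` contents, the managed set, the `wheel`/`sudo` group names, the password policy and the time values are constructed assumptions.

```python
"""Discover privileged Linux accounts, reconcile them with the PAM inventory,
and decide on credential rotation (added example; not Indeed PAM connector code).

The passwd/group data, the managed set, the admin group names, the password
policy and the rotation parameters are constructed sample data.
"""
import secrets
import string
from datetime import datetime, timedelta
from typing import Optional

ADMIN_GROUPS = ("wheel", "sudo")  # assumed groups granting administrative rights

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
toor:x:0:0:second uid-0 account:/root:/bin/bash
svc_backup:x:1002:1002::/var/backup:/usr/sbin/nologin
"""
GROUP = """\
root:x:0:
wheel:x:10:alice,svc_backup
sudo:x:27:bob
users:x:100:
"""
MANAGED = {"root", "alice", "bob"}  # accounts already registered in the PAM store


def discover_privileged(passwd: str, group: str) -> set:
    """Accounts with uid 0, plus admin-group members (by primary gid or member list)."""
    users = {}
    for line in passwd.splitlines():
        name, _pw, uid, gid = line.split(":")[:4]
        users[name] = (int(uid), int(gid))
    admin_gids, privileged = set(), set()
    for line in group.splitlines():
        gname, _pw, gid, members = line.split(":")
        if gname in ADMIN_GROUPS:
            admin_gids.add(int(gid))
            privileged.update(m for m in members.split(",") if m)
    for name, (uid, gid) in users.items():
        if uid == 0 or gid in admin_gids:
            privileged.add(name)
    return privileged


def reconcile(discovered: set, managed: set) -> dict:
    """Unmanaged accounts need onboarding or removal; stale ones vanished from the target."""
    return {"managed": discovered & managed, "unmanaged": discovered - managed,
            "stale_in_pam": managed - discovered}


SYMBOLS = "!@#$%^&*()-_=+[]{}:,.?"


def generate_password(length: int = 24) -> str:
    """CSPRNG password guaranteed to contain every character class, then shuffled."""
    if length < 4:
        raise ValueError("length must allow one character of each class")
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)
    chars = [secrets.choice(c) for c in classes]
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def meets_policy(pw: str, min_length: int = 16) -> bool:
    return (len(pw) >= min_length and any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw))


def rotation_due(last_changed: datetime, now: datetime, max_age: timedelta,
                 revealed_at: Optional[datetime] = None,
                 reveal_grace: timedelta = timedelta(hours=1)) -> bool:
    """Scheduled rotation, or a forced reset once the grace period after a reveal has passed."""
    if revealed_at is not None and now - revealed_at >= reveal_grace:
        return True
    return now - last_changed >= max_age


def demo() -> dict:
    report = reconcile(discover_privileged(PASSWD, GROUP), MANAGED)
    now = datetime(2024, 6, 10, 12, 0)
    report["rotate_scheduled"] = rotation_due(datetime(2024, 4, 1), now, timedelta(days=30))
    report["rotate_after_reveal"] = rotation_due(datetime(2024, 6, 1), now, timedelta(days=30),
                                                 revealed_at=datetime(2024, 6, 10, 10, 30))
    report["fresh_not_due"] = rotation_due(datetime(2024, 6, 1), now, timedelta(days=30),
                                           revealed_at=datetime(2024, 6, 10, 11, 45))
    report["new_password_ok"] = meets_policy(generate_password())
    return report


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

In the constructed data, `toor` is a second uid-0 account and `svc_backup` sits in `wheel` without being registered in the PAM; both surface as unmanaged, which is exactly the case the first bullet above is meant to catch. Which groups count as administrative, and whether sudoers rules or SSH authorized keys should also be inspected, depends on the target and is the connector's business.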

To perform these functions, the account management subsystem includes connection modules (connectors) for the target systems listed under the main characteristics below.

Main characteristics of Indeed PAM

  • Access Protocols - RDP, SSH, HTTP(S)
  • Supported credential types - Username + password, SSH keys
  • Search for privileged accounts and password management - Windows, Linux, Active Directory
  • Supported User Directories - Active Directory
  • Two-factor authentication technologies - Password + TOTP (software generator)
  • Supported session recording types - Text log, Video recording, Screenshots
  • Remote Access Technologies - Microsoft RDS, SSH Proxy

2018: Release of Indeed Privileged Access Manager

Privileged accounts carry serious information security risks: compromising privileged access can lead to large financial and reputational losses of the company. Protecting privileged access is more difficult, and the consequences of its misuse are much more serious than in the case of ordinary users. The problem cannot be solved using common approaches to protecting credentials and requires specialized solutions.

The tasks of protecting and controlling privileged access can be formulated as follows:

  • Log attempts to use privileged accounts in the access log, indicating which employee, when, and which account was accessed
  • Video and text recording of privileged sessions with the ability to view a session archive
  • Ensure multifactor employee authentication when accessing privileged accounts
  • Keep the password of privileged accounts secret from employees, make regular password changes

To solve these problems, we have developed the Indeed Privileged Access Manager (Indeed PAM) software package. The complex centrally stores and manages privileged accounts. Indeed Privileged Access Manager has the following characteristics:

Tasks to be solved

  • Keeping Passwords of Administrative Accounts Secret
  • Video and text recording of sessions
  • Discover privileged accounts to take control of
  • Two-Factor Privileged Access Authentication

Supported Account Types

Supported Access Protocols

  • RDP
  • SSH
  • Web applications

Search for privileged accounts

  • Indeed PAM includes a module that searches for privileged accounts, registers them on the system and offers to take control of them.

Automatically change privileged account passwords regularly

  • Indeed PAM performs a regular password change to a random value, fulfilling the requirements for both the complexity of passwords and the frequency of their change.

Indeed PAM Architecture

[Figure: Indeed PAM general architectural scheme]