Privileged Access Management

Privileged Access Management (PAM) is an agentless solution that provides a secured database to manage privileged accounts and secrets, establishes secure sessions for users through a standard web browser and automates the execution of jobs or tasks without disclosing or sharing access.

The purpose of this guide is to perform a new installation and first time system initialization.

At the conclusion of this guide, PAM will be ready for system configuration and use.

The target audience is system administrators with knowledge of computer administration, Active Directory and (optionally) database connectivity.

PAM is installed to a Windows or Unix computer (physical or virtual), with optional connection to Active Directory or LDAP.

The system consists of several modules; a database that contains secrets, configuration, passwords and audit events, a service to establish, monitor and record privileged sessions, a user directory to maintain local users and groups and a job engine to execute scripts and tasks.

Privileged Account Management

A secure AES 256-bit encrypted database that contains records which can be stored, shared and used without disclosing the actual privileged account or its secrets (passwords, certificates or keys).

Privileged Session Management

The ability to establish a privileged session to an underlying system (Windows, Unix, Linux, Mac) through a standard web browser while providing the means to monitor, join, record or terminate this session.

Privileged Job Management

Schedule, automate or execute on demand jobs to privileged systems without embedding the secrets in scripts or sharing them with untrusted users.

Software Components

To accomplish the requirements above, PAM needs to install, configure and run the following software and services. These components are deployed during the installation process (single server deployment) or they can be distributed to multiple servers (farm deployment) to scale performance. Single server deployments can be scaled to farm deployments when additional resources become needed.

Architectural Diagram

PAM sits within the firewall in its own SSL secured network. 

Client computers make requests, establish sessions and run jobs from inside or outside the firewall to computers also located inside or outside the firewall using only their native web browser of choice. 

The Database of Secrets secures all records using an AES 256-bit encrypted protocol and only delivers these secrets to authorized remote requests.

 

PAM-Architectural-Diagram.png

Privileged Access Management Architectural Diagram

Services

Depending on your installation, the following services may be deployed to Automatically startup on your computer.

Service Function

PamDirectory

Provides the directory service to manage local users and groups in PAM.

PamManagement

Provides the service to manage the PAM system.

PamSession

Provides the service to establish, maintain, control and record privileged sessions via a user’s web browser.

Table: PAM Services

Active Directory or LDAP Integration

Integration with Active Directory or LDAP provides the ability to add Active Directory Users or Groups to PAM to manage or use the system. 

PAM will use this Active Directory integration to:

  • Authenticate user logins;

  • Read Active Directory group membership;

  • Reset Active Directory passwords.