What are the break-glass or high availability measures available in on-premise Securden Privileged Access Management (PAM) solutions?

Securden provides high availability and data redundancy measures to ensure credentials and sensitive data can be accessed at all times. The measures are designed to comprehensively address different issues that an organization might face. From server failure to network outage, Securden addresses all possible disaster scenarios and provides robust measures to ensure business continuity. The measures are explained below:

Break-glass Account

Securden provides a break-glass provision that lets you designate a list of users who can access all work accounts stored in the Securden database, bypassing all access controls. To configure emergency access, navigate to Admin >> Emergency Access >> Configure Emergency Access and follow the steps below.

How To Configure Emergency Access In PAM
  • Specify the list of users who can use the break glass account.
  • Specify how long any user can have break glass access to the vault.
  • You can also configure a mandatory waiting period which the users have to adhere to before gaining break glass access to the vault.

Once you set up emergency access, a second administrator must grant approval before the provision is enforced.

To gain emergency access when logged in, navigate to Admin >> Emergency Access >> Initiate Emergency Access. Whenever users try to gain break glass access, all administrators will be alerted through email.

Note: Emergency access provisions are not available in Securden Endpoint Privilege Manager.
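
The settings described above can also serve as a checklist when reviewing emergency-access usage after the fact. The following is an added example, not Securden code: it models the configured policy and checks constructed session records against it. The `Policy` and `Session` record shapes are assumptions (not Securden's export format), as is the rule that the access window opens when the waiting period ends.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Policy:
    # Mirrors the three configuration settings, plus the second-admin approval step.
    allowed_users: set
    waiting_period: timedelta
    max_duration: timedelta
    configured_by: str
    approved_by: Optional[str]  # None means no approval has been granted yet

@dataclass
class Session:
    # Hypothetical normalized record, not Securden's export format.
    user: str
    initiated: datetime     # when emergency access was initiated
    first_access: datetime  # first vault access in the session
    last_access: datetime   # last vault access in the session

def review(policy, sessions):
    """Return (user, finding) pairs for sessions that violate the policy."""
    findings = []
    # The approver must be a second administrator, not the one who configured it.
    enforced = policy.approved_by not in (None, policy.configured_by)
    for s in sessions:
        if not enforced:
            findings.append((s.user, "policy not approved by a second administrator"))
        if s.user not in policy.allowed_users:
            findings.append((s.user, "user not designated for emergency access"))
        opens = s.initiated + policy.waiting_period  # assumption: window starts after the wait
        if s.first_access < opens:
            findings.append((s.user, "vault accessed before waiting period elapsed"))
        if s.last_access > opens + policy.max_duration:
            findings.append((s.user, "access continued past the allowed duration"))
    return findings

# Constructed sample data.
T0 = datetime(2024, 1, 10, 2, 0)
POLICY = Policy({"alice", "bob"}, timedelta(minutes=30), timedelta(hours=4), "admin1", "admin2")
SESSIONS = [
    Session("alice", T0, T0 + timedelta(minutes=35), T0 + timedelta(hours=3)),
    Session("bob", T0, T0 + timedelta(minutes=10), T0 + timedelta(hours=1)),
    Session("carol", T0, T0 + timedelta(minutes=40), T0 + timedelta(hours=5)),
]

if __name__ == "__main__":
    for user, finding in review(POLICY, SESSIONS):
        print(f"{user}: {finding}")
```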

Encrypted HTML Backup

Credentials such as passwords, certificates, files, and secrets that are stored in the encrypted vault can be exported as an encrypted HTML file. You can assign a passphrase of your choice when exporting and use the same phrase when opening the exported HTML file.

If you forget the passphrase, the only workaround is to export a fresh copy of the vault’s contents with a new passphrase. In such cases, the older HTML file should be properly disposed of. Encrypted HTML backups can be exported at two levels.

  • Users can take an offline copy of the credentials to which they have access at the time of exporting. Users can navigate to Accounts >> More >> Offline Access to export an encrypted HTML copy of all credentials to which they currently have access.
    Once users provide the passphrase of their choice, they may click on Export Offline Access.
  • Super administrators can take an offline copy of the entire vault for safekeeping and for use during emergencies. Super admins can navigate to Admin >> High Availability >> Passwords Backup (Encrypted HTML File) to export an HTML file containing all the credentials stored in the vault by providing a suitable passphrase.

The offline copies are encrypted using the passphrase provided during export and cannot be opened without the appropriate passphrase.

Note: Encrypted HTML backups are not available in Securden Endpoint Privilege Manager.

High Availability Setup

You can deploy any number of application servers to ensure continuous access to credentials. The high availability setup can take one of three forms: application servers without database replication, secondary servers with active database replication and synchronization, or a standby server with read-only database replicas. The use case for each type is explained below.

Standby Servers with Database Replication

Main purpose:

To provide continuous access to the Securden server when the primary server and database server go offline.

How it works:

The standby server has its own standby database which is in continuous synchronization with the master database in the primary server.

When the primary server or the master database server goes offline, users will be rerouted to use the standby server. The standby database server then becomes the master database and remains the master even after the primary servers are back online. Once the offline database is back online, it becomes the standby database and is synchronized with the new master database.

Standby Servers with Read-only Database Replica

Main purpose:

To provide continuous access to the Securden server while limiting the abilities of the user to read operations.

How it works:

The standby database will be in continuous synchronization with the primary database. When the primary database goes offline, the application server will connect with the read-only replica database to provide users with access to the Securden server.

The users will be able to see the passwords and launch connections to remote assets. However, they will not be able to create new accounts, reset passwords, create folders or subfolders, or make any configuration changes.

All activities that are performed while using the read-only database will be tracked using a temporary file. Once the primary is back online, the activities will be added to the audit sections in the primary database. The standby database will then synchronize with the primary database.

Application Servers without Database Replication

Main purpose:

Used for load distribution for faster connections and to improve the user experience in general.

How it works:

Once the app servers are deployed, they all work with the same database and different users will be connecting to one of the application servers. The number of requests handled by each application server will be optimized for efficiency.

If a standby server is configured in parallel with load distribution servers, then the app servers will connect with the current master database server.

How To Configure High Availability In PAM

You can configure high availability by following the steps below.

  • Identify a suitable machine to work as the secondary server and install Securden on the device.
  • On the primary server, navigate to Admin >> High Availability >> High Availability and click on Configure Secondary Application Server to set up secondary servers in your network.
  • Here you have the option to configure a high availability setup using standby servers with database replication or application servers without database replication.
    Note: You can configure a maximum of one standby server with database replication when configuring high availability. However, you can set up multiple application servers without database replication for load distribution purposes.
  • Provide the required details about the device chosen to act as the secondary server and click Save.
  • You will get a zip file package which you need to download and deploy on the secondary application server device.
  • Verify the high availability setup.

For a detailed explanation, refer to the Unified PAM Admin guide.

You have successfully configured the Securden high availability setup.
