Controlling Access to Unified PAM Cloud Edition – Authentication Methods
Access to the vault is controlled at two levels. The vault can communicate with all LDAP-compliant directory services including Azure, AD, and G Suite for user onboarding, offboarding, authentication and access provisioning. In addition, the solution supports all SAML-based SSO options for a single sign-on experience.
For the second factor of authentication, Securden integrates with all RADIUS-based MFA solutions. Use of smartcard-based primary authentication is also supported.
Alternatively, locally created users can log in to the vault using Securden’s native authentication methods.
How does Securden authenticate using directory services?
Securden doesn’t store credentials when authenticating through a directory service. It connects with the directory service through SSL and authenticates against AD. Securden Unified PAM communicates with Azure through secure channels by using Azure client IDs and secrets.
How secure is Securden’s native authentication?
To withstand brute-force attacks, a one-way hash of the password is created with the bcrypt hash function, one of the advanced algorithms available. Once the hash is created, it is combined with salts to protect against attacks. Even in the rare case of the database being breached, the encrypted data cannot be deciphered without the encryption key.
Additional layer of protection using MFA
Securden adds an additional layer of security by requiring a second factor of authentication before allowing users to access the vault. Securden integrates with an array of solutions, any of which can be used to enforce MFA.
Programmatic access using authentication tokens
The vault can be accessed programmatically through APIs to fetch credentials. To authenticate API requests, Securden follows a token-based authentication mechanism. Human and non-human entities need a URL and an auth token to access the vault’s content.
Design Highlights
- AD authentication over SSL
- Azure authentication through secret generated in Azure
- Credentials are hashed using the bcrypt function and then salted
- Integration with MFA solutions for added security
- Secure token-based authentication for APIs