Unified PAM on-prem
Security Design and Specifications
Introduction
Securden deals with the all-important privileged access management, and hence the product's security design assumes significance. The solution has been architected by adopting the latest security principles and standards to ensure data security and integrity. This document outlines some of the security considerations and design aspects at various levels.
Secure, Central Vault
The Vault module forms the core of the Securden Password Vault, Enterprise PAM, and Unified PAM products. Securden runs on a dedicated central server connected to a backend database. The vault is implemented as a fully access-controlled and highly available cluster of application servers. The server handles all the business logic, and end users connect to it using any standard web browser.
The design of the vault
Every installation is secured with an automatically generated, unique random key. The key serves as the master key for various encryption operations in the digital vault.
Data storage
All sensitive data is stored in encrypted form inside the digital vault. Securden uses the AES-256 algorithm for this encryption.
- The sensitive data provided as input to the Securden server is encrypted using the unique installation key. This happens at the application level.
- The encrypted data is securely stored in the database.
Data integrity
- The encryption key is never stored together with the encrypted data.
- The encryption key is needed only to start the Securden vault. It has to be kept somewhere outside the database and made available to the Securden server during startup.
Even if the database falls into a malicious user's hands, the sensitive data cannot be deciphered into plain text without the installation key.
Database connections
The database accepts only secure connections. Clients can connect only from localhost. In a high availability configuration, where the server and the database run on different machines, the database accepts connections only from specific IP addresses.
Design Highlights
- Data Encryption and Storage
  - AES-256 encryption.
  - Encryption key separated from encrypted data.
Controlling Access to the Vault
Strong authentication mechanism
Access to the vault is primarily controlled in two ways. The vault can communicate with LDAP-compliant directory servers (Active Directory/Azure AD) for user onboarding, management, and authentication. It also communicates with SAML-based single sign-on solutions for authentication. RADIUS authentication and smart card authentication can likewise serve as the primary authentication mechanism.
Alternatively, the vault comes with its own native authentication, in which accounts are created for users locally.
How does AD authentication / Azure AD authentication work?
In this case, Securden doesn't store the passwords. Instead, it connects to AD over SSL and authenticates against AD or Azure AD.
How secure is the native authentication?
Securden uses the bcrypt hash function, a deliberately slow algorithm designed to withstand brute-force attacks, to create a one-way hash of the Securden user password. The hash is then encrypted using the AES-256 algorithm.
The Securden installation key (which is unique to every installation) is used as the encryption key. bcrypt enforces security best practices by requiring a salt as part of the hashing process. Salting the hash guards against attacks based on precomputed hash tables.
Even if the database containing hashed values reaches a malicious user's hands, passwords cannot be deciphered in plain-text.
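The storage design described under "Data storage" and "Data integrity" and the hash-then-encrypt pattern of the native authentication above, as one added example written for this page (not Securden's own code). It assumes AES-256 in GCM mode (the page names only AES-256, not a mode), a map standing in for the backend database, and PBKDF2-HMAC-SHA256 standing in for bcrypt, which the Go standard library does not include. The installation key is passed in when the vault is constructed, mirroring its being loaded from outside the database at startup; a copy of the rows without that key cannot be decrypted, and a tampered row fails the GCM tag check instead of yielding garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// Vault models the design above: AES-256-GCM keyed with the installation key,
// which is loaded from outside the database and held only in memory. The
// "database" is a constructed stand-in map that only ever holds ciphertext.
type Vault struct {
	aead cipher.AEAD
	db   map[string][]byte
}

func NewVault(installKey []byte) (*Vault, error) {
	if len(installKey) != 32 {
		return nil, errors.New("installation key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(installKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, db: map[string][]byte{}}, nil
}

// Put encrypts at the application layer with a fresh random nonce; only the
// nonce||ciphertext||tag blob reaches the database row.
func (v *Vault) Put(id string, plaintext []byte) error {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	v.db[id] = v.aead.Seal(nonce, nonce, plaintext, nil)
	return nil
}

// Get decrypts a row; a missing row, a foreign key or a tampered byte all fail
// because the GCM tag will not verify.
func (v *Vault) Get(id string) ([]byte, error) {
	sealed, n := v.db[id], v.aead.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("no such row or ciphertext too short")
	}
	return v.aead.Open(nil, sealed[:n], sealed[n:], nil)
}

// slowHash stands in for bcrypt (not in the Go standard library): PBKDF2 with
// HMAC-SHA256, salted and iterated, one 32-byte block of output.
func slowHash(password, salt []byte, iters int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(append(append([]byte{}, salt...), 0, 0, 0, 1)) // salt || INT(1)
	u := prf.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

const hashIters = 20000 // work factor; bcrypt's cost parameter plays this role

// SetPassword follows the native-authentication design: salted slow hash first,
// then the salt||hash blob is itself encrypted with the installation key.
func (v *Vault) SetPassword(user string, password []byte) error {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	return v.Put("user:"+user, append(salt, slowHash(password, salt, hashIters)...))
}

// VerifyPassword decrypts the blob, recomputes the hash and compares in constant time.
func (v *Vault) VerifyPassword(user string, password []byte) bool {
	blob, err := v.Get("user:" + user)
	if err != nil || len(blob) != 16+32 {
		return false // unknown user, wrong key or tampered row all fail closed
	}
	return subtle.ConstantTimeCompare(blob[16:], slowHash(password, blob[:16], hashIters)) == 1
}
```

Two things the prose alone does not show: the key never appears in a row, so handing a second Vault built with a different key a copy of the first vault's rows produces only decryption errors, and because the stored hash is encrypted before it is written, a copied database yields neither passwords nor even the salted hashes to attack offline. In a real deployment a bcrypt library would replace slowHash; the encrypt-after-hash step stays the same.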
Security Reinforcement
An additional layer of security with MFA
As an additional layer of security, Securden helps enforce a second authentication factor to grant access to the vault. It integrates with a variety of MFA solutions to achieve this.
Token-based authentication for API access
The vault can be programmatically accessed using APIs, and Securden follows token-based authentication. Authorized users need a URL and an Auth Token to access the permitted data.
Design Highlights
- Primary Authentication
  - Active Directory/Azure AD authentication.
  - RADIUS authentication.
  - Smart card authentication.
  - Securden's native authentication.
  - SAML 2.0-based single sign-on.
- MFA Enforcement for Additional Security
  - Any TOTP authentication.
  - Any RADIUS-based authentication.
  - Duo Security.
  - YubiKey.
  - OTP through email.
  - Email-to-SMS gateway.
- API Access
  - Token-based authentication for authorized users.
  - Dynamic tokens.
Data Transmission Between Various Components
End users and administrators connect to the vault through the web interface, browser extensions, mobile apps, and programmatically through APIs. In all cases, Securden ensures that data transmission happens through secure channels in encrypted form.
Data Transmission: Server - Web-interface, Server - Database
All data transmission to and from the Securden vault is encrypted. Communication between the Securden web interface and the server is encrypted over HTTPS. Data transmission between the Securden server and the database happens over SSL. Securden enforces deploying a third-party signed or a wildcard SSL certificate.
Access through APIs, Mobile Apps, and Browser Extensions
Access to credentials and other data through APIs, browser extensions, and mobile apps is as secure as the web version. There is no offline caching in extensions and mobile apps; they always connect to the Securden server to fetch data. You have complete control in granting or revoking user access through APIs, extensions, and mobile apps.
Design Highlights
- Data Transmission (Server and Web-interface)
  - Encrypted over HTTPS.
- Data Transmission (Server and Database)
  - SSL.
Remote Access, Session Enablement, and Recording
Securden facilitates launching remote privileged sessions with servers, databases, network devices, and others. By default, all remote connections and operations pass through the Securden server. This approach ensures that there is no direct connectivity between the end users and the target devices. For additional security, Securden provides an option to configure a gateway to route all remote connections. The gateway holds the Securden Session Manager component.
The remote access mechanism helps grant remote privileged access to users and third parties without opening holes in the corporate firewall for protocols like RDP and SSH. The remote connection is either web-based over HTTPS or made through standard native clients for RDP and SSH.
Granting access without revealing passwords
The remote access architecture enables granting access to target devices and applications without revealing the underlying passwords or keys. This practice helps minimize the security risks associated with misuse of privileged access.
Design Highlights
- Remote Connections and Session Enablement
  - No direct connection between end-user machine and target device.
  - Secure, encrypted connection.
Data Access Control
The data access control measures in Securden ensure that, after successful authentication, users get access only to the passwords allotted to them. They won't get to know about the accounts that are not related to their job profile. Besides, granular permissions determine the level of control over the passwords accessed.
Well-defined ownership
By default, the person who adds an account is designated as its owner. This way, all accounts have well-defined ownership; no account is allowed to be left an orphan. When a user leaves the organization, the ownership has to be transferred to another user. This mitigates the security issues arising out of orphaned accounts.
Folders as 'Micro Vaults'
Accounts can be grouped into folders, which act like 'micro vaults.' Each such micro vault can be granularly shared with the members of a group. For example, all Windows accounts can be grouped into a folder and shared with the 'Windows Administrators' group with granular privileges. When a new device gets added to the folder, it becomes available to the group, and vice versa.
Just-in-time access with release controls
Securden offers provisions for ensuring just-in-time access to sensitive devices through password/access release controls. Users have to raise a request, which administrators approve for time-limited access. At the end of the access period, the password can be automatically randomized.
Design Highlights
- Data Access Control
  - Access control is intrinsically linked with user roles.
  - Workflow-based release controls.
Accountability for Actions
A robust mechanism to record and trace activities helps establish a culture of accountability for actions (unintentional or otherwise). The basic design of Securden ensures precisely that.
Comprehensive audit trails
Securden maintains a complete trail of all activities, including password retrieval, remote access, record deletion, properties modification, and more across the organization. The comprehensive trails help in forensic audits when something goes wrong.
Session recording
The sensitive privileged sessions launched through Securden can be fully recorded and played back like a video. The recording helps trace specific activities, besides serving as solid forensic evidence.
Real-time monitoring
Monitor ongoing sessions in real time and keep tabs on activities. Collaborate with users when they require assistance. Terminate the session if suspicious activity is found.
Alerts and notifications
Timely alerts play a vital role in taking specific actions that could prevent issues, potential threats, and security breaches. Securden sends real-time notifications upon the occurrence of various events. The alerts are both informative and actionable.
Design Highlights
- Accountability for Actions
  - Comprehensive audit trails.
  - Session recordings serving as forensic audits.
  - Real-time session monitoring.
  - Actionable alerts and notifications.
Data Availability
Reliable, uninterrupted access to the vault is critical for business continuity. If a password management solution goes down, it affects all business operations. In addition to continuous availability, there should be provisions for data backup to handle unexpected situations like a server crash or other physical damage to machines. While backup and high availability provisions are offered to handle these scenarios, it is important to ensure security around these measures.
The high availability architecture ensures security in all aspects. As the configuration involves running the Securden server and the database on different machines, the database is configured to accept connections only from specific IP addresses - typically, only the servers configured as 'high availability servers'. Besides, the database is enforced to accept only SSL connections; all other connections are refused.
To ensure security, the backup copy remains fully encrypted. The encryption key is kept separate from the backup copy. Typically, the live version and the backup share the same encryption key. The encryption key is needed to restore data from the backup; without it, restoration will not happen.
Miscellaneous
Input validation
Securden validates all inputs in the web interface, and the application is guarded against attacks like SQL injection, cross-site scripting, buffer overflow, and others.
Browser extensions - The security aspects
- Content Security Policy (CSP) is enforced.
- Inline JavaScript execution and AJAX requests to other sites are prohibited.
Server hardening
Securden is recommended to run on a dedicated, hardened server. Except for the web server port, no other port needs to be opened on the firewall. No other communication happens with outside entities.
Tamper-proof trails
Audit trails pertaining to privileged access activity and the session recordings are securely stored. Access to the data follows granular controls. Trails cannot be tampered with, and any attempt to delete data triggers alerts.