PRIVILEGED ACCESS MANAGEMENT
Fine-Grained Access Control
ARCON has a unique technology framework that provides granular access control for privileged users even though they are natively super users, whose access to a system ordinarily cannot be restricted. This is possible for several technologies, including operating systems, databases, network and security devices, and applications. Fine-grained access control helps organizations protect their systems from unauthorized access and from unintentional errors. It allows privileged users to be restricted and controlled through a rule- and role-based centralized governing policy. The functionality gives IT risk managers command-restriction and filtering capabilities to ensure controlled access to target systems. It minimizes the risk surface by providing the deepest levels of granular control over data controllers and data processors.
There are many privileged users within any IT setup who share privileged passwords. This practice of shared passwords makes systems and applications vulnerable to misuse or abuse. Moreover, it is extremely difficult to establish manual control over the password change process. ARCON | PAM provides a highly mature password vault that generates strong and dynamic passwords, and the engine can automatically change passwords for several devices or systems at one go. The passwords are then stored in a highly secured electronic vault. The storage methodology is proprietary and is protected by several layers of security that together form a virtual fortress. The electronic vault, integrated with the ARCON | PAM workflow, provides authorized access to these passwords. The Password Vault enables enterprises to handle complex and dynamic changes, including evolving regulatory mandates.
SSH keys reinforce an enterprise's authentication control management. SSH keys are credentials used to access privileged accounts, and they provide an additional access control security layer. SSH keys are a reliable and secure alternative to passwords, as brute-forcing a password-protected account is possible with modern processing power combined with automated scripts. An SSH key pair consists of two cryptographically secure keys that can be used to authenticate a client to an SSH server.
Privileged account access requires well-established identity references (validation) for users accessing critical IT components. Multi-factor authentication (MFA) provides a robust validation mechanism. The solution's MFA functionality acts as a strategic entry point to identity management systems and helps in managing system-based users. ARCON offers native software-based One-Time-Password (OTP) validation to begin a privileged session, and the tool seamlessly integrates with disparate third-party authentication solutions such as Gemalto, RSA, Vasco, 3M, Precision, SafeNet and Safran.
Session monitoring provides basic auditing and monitoring of privileged activities across the enterprise IT network. The feature enables the IT security team to spot any suspicious activity around privileged accounts. The Live Dashboard ensures that all critical activities performed by administrators across the IT infrastructure are viewed in real time.
IT infrastructure faces a huge risk in a shared and distributed privileged account environment. It is a big challenge for the security and risk management team to identify and track the ownership of privileges. To overcome this challenge, ARCON auto-discovery enables the risk management team to discover shared accounts, software accounts and service accounts across the IT infrastructure. Identification and tracking of privilege ownership mitigates the risks associated with unaccounted-for privileged accounts.
With ARCON's Password Reconciliation, day-to-day administrative tasks become easy. Once the latest credentials for a particular service, i.e. IP address, port, username and password, are received from ARCON | PAM, the tool connects to the target device automatically using those credentials. Once successfully connected, the result is updated in ARCON | PAM, showing that the particular service is live and has an updated password. Every success and failure status is recorded in the Service Reconcile Status Report.
ARCON | PAM Just-In-Time Privileges functionality ensures that all users act as standard users, not as privileged users. The functionality helps implement the principle of least privilege. With JIT Privileges, an admin can provide access to systems and applications only when the requirement arises. Privileges are elevated for specific tasks on applications and systems.
After a request is raised, administrators grant privileged rights to a user to perform a definite task at and for a specified time. ARCON | PAM JIT privileges remove standing privilege by limiting access to systems/applications and the number of administrative/operational staff who hold it. It even limits access at a granular level and denies full-time access to systems/applications.
The tool can be used to securely store files in an encrypted format and lets a user share such files through the solution. Users uploading a file can set a time limit after which the file is deleted automatically. End users with My Vault privileges can access those files just as they access any application they hold privileges for.
App to App Password Management
App to App Password Management of ARCON | PAM manages the passwords for an application through a single terminal in the IT infrastructure. This is an automated process where the password change is managed and monitored by giving the required details of the servers, the IP addresses and the new passwords. It is a smooth process that synchronizes the changes across the network to prevent service disruptions. All the changes are examined in the configuration file before and after the task.
Knight Analytics is a deep learning threat detection system introduced by ARCON | PAM. This AI-based technology is used to detect, predict and display anomalies in the logged data. It uses machine learning algorithms that learn each user’s behaviour based on their historic data and predicts risk on the basis of the activities. There are six different graphs that display the risk percentage to the administrators. These are User Analytics, Service Analytics, User Group Analytics, Service Group Analytics, Group-wise User Analytics, and Group-wise Service Analytics.
Application Gateway Server
Application Gateway Server (AGW) is the single point of access to the target systems. The secure gateway helps in creating an encrypted tunnel from end-points to the target devices. It is completely integrated within the ARCON | PAM solution and creates an added layer of security for open communication channels.
The tool satisfies the Zero Trust Network Access (ZTNA) framework. Access to systems is based on identity along with other attributes and contexts such as IP address, geo-location, devices used, time and date. Overall operational efficiency is maximized by AGW along with robust access monitoring.
ARCON | PAM provides a dynamic group setting with multiple relationships and virtual grouping, where one can create functional groups of various systems. It helps in facilitating relationships, responsibilities and accountabilities, and caters to dynamically changing organizational structures, roles and responsibilities. Virtual Grouping even allows you to manage multiple subsidiaries and companies.
No more tedious and long approval process. The Workflow matrix makes administrators' lives easy. It enables administrators to configure the approval process for privileged users, user groups and service groups. The service and password request workflow mechanism speeds up the process of assigning target servers to privileged users.
Privileged Elevation and Delegation Management (PEDM)
While ARCON | PAM allows an enterprise to build a security layer around privileged accounts by granting access rights to full administrative users based only on a predefined access control policy, Privileged Elevation and Delegation Management (PEDM) supplements privileged user management by controlling and monitoring non-admin user activities that require temporary privileged access to the systems.
PEDM essentially discards unnecessary escalation of privileged accounts. An excessive number of privileged accounts, especially in a distributed IT environment, increases potential threats to sensitive information. The tool is an extension of the granular control approach that enables an enterprise to mitigate risks by granting temporary administration rights only on a "need-to-know" and "need-to-do" basis. Access to critical components such as applications, databases and cloud services is granted only after a valid automated approval process. Access rights assigned to critical systems are automatically terminated after the conclusion of "temporary privilege" activities. Further, just as every privileged session activity is documented for audit purposes, the audit trail of PEDM-initiated sessions can also be maintained through comprehensive reporting. Hence, it allows an enterprise to gain operational flexibility while ensuring compliance and a robust security framework.
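The request, approve, time-box and terminate flow described for JIT Privileges and PEDM above, as an added example that is not ARCON's code: a minimal Python broker in which privilege exists only while an approved grant is live, expires on its own, can be terminated early when the task concludes, and leaves an audit trail. The policy cap on duration and the rule that a requester cannot approve their own request are assumptions, as are all user and host names.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class JitGrant:
    """One approved elevation, scoped to a target and task and bounded in time.
    Timestamps are Unix seconds (int) so the logic stays independent of clocks."""
    user: str
    target: str                      # system or application the grant covers
    task: str                        # the definite task named in the request
    approved_by: str
    starts_at: int
    expires_at: int
    revoked_at: Optional[int] = None

    def is_active(self, now: int) -> bool:
        if self.revoked_at is not None and now >= self.revoked_at:
            return False
        return self.starts_at <= now < self.expires_at


class JitBroker:
    """Request -> approval -> time-boxed privilege -> automatic expiry, all audited."""
    MAX_DURATION = 4 * 3600            # assumed policy cap in seconds, not stated on the page

    def __init__(self) -> None:
        self.pending: dict = {}        # request id -> request details awaiting approval
        self.grants: list = []
        self.audit: list = []          # (timestamp, event, detail) feeds the audit trail
        self._next_id = 1

    def request(self, user: str, target: str, task: str, duration: int, now: int) -> int:
        """A user raises a request for a definite task and a specified time."""
        if duration <= 0 or duration > self.MAX_DURATION:
            raise ValueError("requested duration is outside policy")
        req_id, self._next_id = self._next_id, self._next_id + 1
        self.pending[req_id] = dict(user=user, target=target, task=task, duration=duration)
        self.audit.append((now, "request", req_id))
        return req_id

    def approve(self, req_id: int, admin: str, now: int) -> JitGrant:
        """An administrator grants the request; the clock starts at approval."""
        req = self.pending[req_id]
        if admin == req["user"]:       # assumed separation-of-duties rule
            raise PermissionError("a requester cannot approve their own request")
        del self.pending[req_id]
        grant = JitGrant(req["user"], req["target"], req["task"], admin,
                         starts_at=now, expires_at=now + req["duration"])
        self.grants.append(grant)
        self.audit.append((now, "approve", req_id))
        return grant

    def is_privileged(self, user: str, target: str, now: int) -> bool:
        """Session-time check: there is no standing privilege, only a live grant counts."""
        return any(g.user == user and g.target == target and g.is_active(now)
                   for g in self.grants)

    def revoke(self, user: str, target: str, admin: str, now: int) -> int:
        """Terminate live grants early, e.g. when the task concludes; returns the count."""
        hits = [g for g in self.grants
                if g.user == user and g.target == target and g.is_active(now)]
        for g in hits:
            g.revoked_at = now
        self.audit.append((now, "revoke", f"{user}@{target} by {admin}"))
        return len(hits)
```

A connection broker would call `is_privileged` at session start and again on a timer, so an expired or revoked grant ends the session rather than lingering as standing access.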
Active Directory (AD) Bridging provides single sign-on for Linux/Unix users with their Windows Active Directory credentials by bridging the machine to the AD server.
ARCON | PAM offers all the capabilities of the Session Manager, Password Manager and Access Manager modules to transparently connect primary users to their OS exclusively.
The solution provides Single Sign-On (SSO) features to connect to different categories of systems and devices without entering the login credentials. Ready-built connectors are provided for all standard industry systems, and connectors can also be built for legacy applications and systems.
User onboarding allows administrators to seamlessly add new server groups and user accounts with associated privileges to map new users onboarded on ARCON | PAM. It enables administrators to auto-provision and deprovision users or devices by interacting with Active Directory. With user onboarding, organizations can ensure that all information collected while onboarding stays confidential, locked in a virtual database and out of reach of any kind of physical or unauthorized access.
One Admin Control
No matter how big your enterprise's IT infrastructure, each and every access to critical systems is made through one ADMIN console. The secure gateway server provides a centralized control point through which all network connections and traffic are routed for management and monitoring. ARCON PAM provides a unified policy engine to offer rule- and role-based restricted privileged access to target systems. Authorization ensures the implementation of an access control framework around people and policies. This way, privileged access is granted only on a "need-to-know" and "need-to-do" basis, the foundation of robust identity and access control management.
It is a challenge for an IT help desk to attend to requests from one desktop to the next. ARCON's Desk Insight is an effective tool that enables an administrator to manage requests from any on-boarded desktop in the network. It also allows a help desk engineer to troubleshoot a machine without moving from one desktop to another. Desk Insight also enables end users to elevate admin rights and privileges, change passwords, and perform access-related tasks in a controlled environment.
Regulatory standards mandate that the IT risk management team provide detailed information about the access control policies needed for safeguarding critical information. Moreover, regulators demand comprehensive audit reports about every privileged user's activities on critical systems. To meet this regulatory requirement, enterprises need to generate and maintain comprehensive audit trails of every privileged session. ARCON's robust reporting engine makes your security team audit-ready by providing customized and detailed analytics of every privileged access to target systems. It helps them make better decisions about privileged users. The solution enables managers and auditors to assess the organization's regulatory compliance status at any given time.
Text & Video Logs
ARCON PAM proactively secures all databases and applications as every command/query executed by end-users is captured for a security assessment. This way, the Security and Risk Assessment team seamlessly manages the lifecycle of privileged accounts as every activity performed by privileged users is captured in both video and text format.
The tool leverages the solution's analytics platform to generate dynamic reports with both statistical and graphical representation. Spection gives users the freedom to choose a report and view it according to their individual requirements. All the necessary entities and elements of a report are filtered and arranged to generate a dynamic report with the help of this tool.
Smart Session Monitoring
The advanced session monitoring module named Smart Session Monitoring (SSM) helps with fast-track reviews of the videos by highlighting critical events in the media. Also, it seamlessly monitors activities performed on the server such as user activities, mouse-clicks, optical character recognition, keystrokes and processes launched.
Incident response mechanisms are given the utmost importance today. It is crucial to respond to applicable incident data in the shortest time to avoid any major loss. Traditionally, after an incident, IT teams need the ability to analyze the causes and the post-incident activities, and to identify areas for better responses. If this process is automated, there can be synergies across the incident response team and it can save a lot of valuable time. With the Incident Management feature, a privileged user is able to identify and raise an incident for any activity that looks suspicious.
The multi-tab feature allows users and administrators to open multiple sessions in different tabs of the same window and switch between sessions as required. The multi-tab feature is supported for the SSH and RDP service types. Opening multiple service sessions as tabs in a single window makes it easier for the user to toggle between services and control all user sessions centrally.
Remote Assist helps system administrators to remotely access and troubleshoot end devices anywhere on the globe. It helps to resolve help-desk tickets, or desktop issues instantly. This secure remote desktop solution offers granular control over your network and allows you to connect to specific users within or outside the enterprise network, while ensuring IT security, and security compliance.
User Access Review
It helps IT administrators review the service access granted to users at regular intervals. The admins can define a new user access review process in which the review is initiated through an email for approval. When setting the schedule, the start date and the number of days the approver has to respond can be reviewed before being set. On that day, the approver receives an email that is valid for the number of days set by the admin. Admins can also modify the details of a configured user access review and terminate the access before it is initiated.
The ARCON | Guard application is an SSH server-based utility that is installed centrally on the server. It can be integrated with the ARCON | PAM application for command restriction and elevation. It restricts and elevates all commands when an SSH server with Guard installed is accessed through third-party applications. It is configured to restrict commands and monitor the session even when ARCON | PAM is unavailable. The file monitoring feature detects when, and by whom, critical system configuration files on the server were modified.
With the burgeoning of cloud services and technological advances such as VMware, organizations tend to increase agility, productivity and efficiency through cloud automation, by reducing the complexity of their IT environment, streamlining IT processes and delivering a DevOps-ready automation platform. vRA (VMware vRealize Automation) provides operations management across physical, virtual and cloud environments. vRA automation can be leveraged to automate service provisioning in PAM when a new VM is created. ARCON | PAM provides integration with automation solutions like vRA to enable onboarding and de-boarding of privileged accounts as well as devices and systems.
The Automation Script Manager helps an end user manage and control the various scripts of a system and monitor their execution. ARCON | PAM regards automation as an important feature of safe IT operational solutions. In line with that, ARCON | PAM Automation Script Manager offers full Role-Based Access Control, where the rights to modify and execute automation scripts can be configured based on the end users' roles. This way, ARCON | PAM Script Manager helps administrators run scripts and monitor multiple databases continuously.
Robotic Process Automation (RPA)
Regular, mundane IT tasks are disliked by all IT users. Robotic Process Automation (RPA) helps to automate these tasks with ease, efficiency and accuracy. ARCON | PAM offers a provision to customize steps for end users for any SSO activity, using image-based control recognition, shortcut keys or Control IDs. The RPA technology can even ensure that all use cases of the connectors are fulfilled.
What would happen if we could track and control database queries and map them back to the privileged session through PAM? Session monitoring might not always be the best way to track commands or queries. ARCON | DataWatch, once integrated with PAM, acts as a gateway for all database connections, captures the queries and responses, and maps them back to the session.
Digital Vault – Secrets Management
ARCON | PAM Secrets Management leverages REST-based APIs to authenticate non-human identities, third-party applications and custom-developed applications and to provide them controlled access for fetching secrets. With the tremendous use of APIs to help applications access PAM entitlements, various authentication methods have been developed over the years. ARCON PAM has meticulously examined these methods and has integrated most of them to adapt to the evolution of the Digital Vault over time.
Digital Vault – DevOps
DevOps is a collection of practices that combines software development and IT operations to shorten the software development life cycle while constantly delivering upgrades, features and fixes that are aligned with business goals. There are two types of credentials in DevOps technology: DevOps application credentials and credentials for non-human identities. ARCON PAM ensures that all of your data is secured with its proprietary encryption methodology and releases credentials based on the access controls applied. In this way, ARCON PAM efficiently controls the credential flow in the DevOps stream in the most secure manner without slowing down the pace of the toolchain.
This is a browser-independent extension available for all platforms that offers a point solution for shielding all of your organization's classified secrets and confidential assets in a single location. With the Browser Plugin, users can automatically sign in to a range of applications offered by ARCON | PAM without entering the credentials manually, or even remembering them, each time they access the applications directly from any browser on their desktop.
With the increasing demand for new IT mechanisms in an organization, protecting those systems by integrating them with ARCON | PAM becomes critical. The ARCON Connector Framework automates the process of creating connectors by eliminating the need for manual data collection. It also simplifies the process of provisioning any new application that is not yet available in PAM.
Although assisted sessions should use ARCON's proprietary streaming technology, if a company wants to give a third party unassisted access to target systems (servers), ARCON PAM SSO and the Application Gateway can be integrated within the infrastructure. All of the above is available without the need for a third-party desktop or an HTML5 browser. Furthermore, all of this is accomplished without jeopardizing significant security aspects such as corporate data confidentiality or integrity.
Global Remote Access Solution
This is the most crucial feature launched due to the pandemic. ARCON Global Remote Access Solution (GRAS) enables remote users to securely establish a remote connection to their assigned desktop or laptop from outside the infrastructure environment. End users can also address downtime issues or troubleshoot the machine in a controlled environment without the need to install and configure costly VPNs. This solution is simple to use and is a cloud-native application.
This is Just-in-Time privileged interactive access that automatically generates rule- and role-based temporary access rights. It is an Amazon Web Services (AWS) Console or Command Line Interface (CLI) component that interacts with AWS Security Token Service (STS) and allows an administrator to customize accounts with unique AWS roles. When a user logs in to the AWS management console, they are assigned a particular AWS role and policy, and they can only execute approved operations in the AWS environment.
Vault Broker Suite
Vault Broker Suite is designed for human or non-human identities that require privileged passwords as well as channels to connect to the various systems. A channel is requested mainly when the target applications are not able to make a direct connection to the target systems. Instead of forcing the client to establish trust with the ARCON | PAM Vault and retrieve the secrets, ARCON | PAM has built modules to hand the authenticated connection to the client, eliminating the need for the client to fetch credentials. The Vault Broker can securely connect not only to the ARCON PAM Vault but also to third-party vaults. Consequently, it can act as a credential broker for a third-party secret store.
ARCON | PAM provides seamless integrations with a variety of tools from SIEM, ITSM, RPA, DevOps CI/CD, IDAM, automation solutions, containers and more. Some of the tools that can be integrated with ARCON are Symantec, RSA, ArcSight, Rapid7, BMC Remedy, Precision, ServiceNow, Nessus Manager, Tenable.io/Tenable.sc, Qualys, Ansible, Jenkins, Chef, Kubernetes, Red Hat OpenShift, AWS Elastic Container Service (ECS), Microsoft AD, Azure AD, G-Suite, AWS IAM, Okta, SailPoint, 1Kosmos and many more.