Multi-Factor Authentication or MFA is a security mechanism that requires an individual to provide two or more credentials in order to authenticate their identity. In IT, these credentials take the form of passwords, hardware tokens, numerical codes, biometrics, time, and location.

Most implementations leverage two factor combinations, which is why MFA is alsoknown as two-factor authentication or 2FA.

Benefits of MFA

• It creates a layered defense and make it more difficult for an unauthorized person to access systems.
• It can ensure your accounts are up to 99% less likely to be compromised.

Iraje MFA

Iraje PAM offers the most comprehensive set of MFA options to choose from, for the users to get seamless role-based access to their assets with Single Sign On.

• SMS & Email OTP
• Google & Microsoft Authenticator
• Biometric Authenticator
• PKI Tokens, Hard Tokens and Soft Tokens
• CISCO DUO, Twilio, Entrust

Role Based Access Control (RBAC) is an approach to restrict system access to authorized users only. Role-based access control (RBAC) is a policy-neutral secure access-control mechanism defined around roles and privileges. The components of RBAC such as role-permissions, user-role and role-role relationships make it simple to perform user assignments. A study by NIST has demonstrated that RBAC addresses needs of commercial and government organizations. RBAC can be used to facilitate administration of security in large organizations with hundreds of users and thousands of permissions.

Benefits of RBAC

Managing and auditing access entitlements is essential to information security. Access can and should be granted on a need-to-know & time-restricted basis. With hundreds of privileged users and devices, security is more easily maintained by limiting unnecessary access to sensitive information and giving just in time access to users with the principle of least privileges.

Other benefits include:

• Improve access governance
• Enhance operational efficiency and improve compliance to regulatory requirements

Iraje RBAC

Iraje PAM offers a comprehensive set of capabilities of Role Based Access with Need Based Access, Time Restricted Access and Just-In-Time access to critical systems that help prevent unnecessary & long term accesses that increase the risk and probability of data breaches and frauds.

Time restricted access is essential to ensure compliance to the principle of least privileges and minimum necessary access to be given to people who need them. This feature ensures admins get access to systems only for a window of time that they need. Post that they need to revalidate the need to manage/access that device or access to PAM Portal itself.

Time Based Access [TBA] feature is available at 2 levels:

• At the PAM portal level (Users can get time restricted access to Iraje PAM portal)
• At the device level [Users can get time restricted access to the devices]

Time restricted access along with self service workflow allows Just In Time access to users rather than long term or permanent access to the systems.

This feature is critical to infra security and ensure that no long term or permanent accesses are available with admin users.

Iraje PAM offers SSO to all types of

• Servers
• Databases
• Database Management Tools
• Switches accessed over SSH or browser
• Routers accessed over SSH or browser
• Firewalls accessed over SSH or browser
• Devices accessed over SSH or browser
• Thick clients, Web-based Applications
• Client-Server Applications

In an enterprise datacentre there are hundreds or thousands of servers, databases, routers, switches, firewalls, storage devices, applications etc. To manage these devices the privileged users, keep simple, weak, repeatable & guessable super user passwords across multiple devices.

These super user credentials or privileged accounts are extremely critical and important to manage. A single compromise may lead to the entire network or the datacenter getting compromised leading to a massive security breach. These super user passwords need to be vaulted and rotated periodically to ensure these passwords don’t get in wrong hands or get compromised. Iraje Privileged Access Manager helps manage these super user credentials by providing enterprise Single Sign On to all types of devices out of the box without any API, connector, or adaptor.

Every session taken by users through Iraje PAM gets video recorded. This means that once the user is authenticated on the Iraje PAM portal and takes access to any system the session recording starts. While the session recording starts, the PAM super-admin can see the Live session through Iraje PAM Video On Demand module. This module helps the super-admin see any live session just like someone watches a live match on television.

Live session viewing helps in monitoring and training people. Ability to see live sessions of any user through Iraje PAM ensures better security posturing and control for the organization.

Often there is too much data to look at and analyse which leads to the classic situation expressed by the idiom “missing the woods for the trees”. CXOs often get caught with excessive data which makes it complex and time consuming to take critical decisions or get a snap shot of critical parameters.

Iraje Cockpit gives a simple 4 blocker with data on Live Users, Live Devices, Live Commands and Live CPU & Memory for monitoring. This cockpit helps get a live view of the enterprise accesses and gives CXOs the summary view of critical data that helps in quicker decision making.

While maintaining critical assets, privileged users often need support from experts to troubleshoot issues on production servers. The traditional approach is to use third party collaboration tools like WebEx, TeamViewer, or Anydesk for sharing sessions.

Iraje PAM provides ability to share sessions between privileged users and collaborate effectively without having to use such third-party tools. This makes it easier to work together as a team and collaborate better avoid exposing enterprise data through third party tools.

Proactive monitoring is the key to maintaining and securing systems. This has been traditional best practice for professionals to manage their critical assets.

PAM solution provides multiple types of alerts that help govern user identities and accesses on critical enterprise assets.

Iraje PAM provides real time security alerts that provide better visibility to security professionals.

Some of the critical alerts available in Iraje PAM are:

• PAM bypass alert
• Sensitive device access alert
• Sensitive command alert
• Change password alert
• Open password alert
• Maker checker alert

The PAM bypass alert takes the security to next level as these alerts give visibility unlike any other PAM solution. Security team can get bypass alerts on Windows, Unix, Linux, AIX Operating systems.

Security Information Event Management (SIEM) solutions are far more than a security product, expanding to include compliance reporting as well as User and Entity Behaviour Analytics (UEBA) which is considered an essential capability by analysts.

SIEM solutions gain importance today with the advent of growing sophistication of attacks and the increased penetration of cloud services that increase the probability of attacks.

SIEM solution gives comprehensive visibility into enterprise data across on-premises and cloud-based environments from behind a single pane of glass. While SIEM focuses on external threat vectors and help monitor and prevent security incidents, integration of PAM logs into SIEM ensures the internal access governance is also monitored and control more effectively.

Iraje PAM seamlessly integrates with SIEM solutions that support REST APIs and also integrate with SIEM solutions with direct log integration which do not support REST APIs.

Organizations have different types of servers [Windows, Linux, Unix, AIX] configured in Iraje PAM. These servers are onboarded in Iraje PAM using an admin credential.

Most probably these servers would also have certain admin accounts lying on these devices for legacy reasons. These types of accounts are called dormant accounts, orphaned accounts or simply hidden accounts.

The admin discovery module helps discover these dormant/orphaned accounts on the servers without any agent. When an Iraje PAM scan runs on the server it gives the list of devices, admin accounts present in Iraje PAM and also admin accounts not configured in Iraje PAM.

The job of the security team is to find out which admin accounts are left out/missed or purposely kept outside Iraje PAM.

This is a critical security feature that gives granular visibility and control to security teams to ensure security around privileged accounts is maintained. This feature also helps in avoiding users bypassing PAM to go directly on servers using these privileged accounts.

When Iraje PAM is implemented in an organization a set of devices are configured in PAM so that users can get role-based access with Single Sign On to all devices. At times some devices are missed out, left out or kept outside on purpose.

The Device Discovery module scans the network for the devices that are live in the network and gives their status – whether they are configured in PAM or not. The ensures that the devices that are left out are discovered and onboarded in Iraje PAM.

This feature helps the infra team to give report to the auditor about the compliance of onboarding all devices in Iraje PAM. The auditor also can validate if any device is left out and justification is available for the same.

This scan is to be done on production ranges to discover the set of live devices and their status in Iraje PAM.

The Command Controller is a feature in Iraje PAM that allows security teams to blacklist of whitelist set of commands for users on devices accessed through SSH using Putty.

This feature ensures admins cannot execute commands that are identified as sensitive or risky for them to execute on the devices. These restrictions can be applied at 3 levels:

• User level restrictions
• Device level restrictions
• Group level restrictions

The security teams can have better segregation of duties and ensure least privileges are given to users that need them.

Windows is a GUI environment. Iraje PAM provides agent based advanced restrictions on Windows devices as well. There is a template of restrictions available in PAM that can be applied at the group level, device level or user level.

This allows the security team to do more granular segregation of duties within the admin access as well. The advanced restrictions take security to the next level and improves the security posturing of the organization.

The Windows agent can be remotely installed an uninstalled. Reports are available for the status of the agent and also the restrictions applied to the specific users.

The most important security element is that of traceability of every access and activity done by the privileged users. This helps in complying to internal & external audit requirements as well as comply to regulatory requirements and best practices laid out by various standards like PCI-DSS, ISO, RBI, NIST and others.

Iraje PAM provides more than 50 reports that give all types of identity and access governance reports which help customers meet their audit and compliance requirements.

These reports give full trail of all accesses and activity done by privileged users through Iraje PAM. Enterprises can comply to all types of regulatory and compliance requirements.

These reports include:

• Access Reports – usage, non usage
  Access reports are used to extract information regarding a user usage and non-usage, connections usage and non-usage and dashboard related activities configured in Iraje.
• System Reports
  System Reports provides the detailed information of user accesses and devices configured on PAM.
• Audit Reports
  Audit Reports are used to extract information regarding various aspects which would provide crucial details that are neccesary with respective to audit purpose.
• Compliance Reports
  Compliance report are used to extract information regarding comply certain rules, methods and are neccesary with respective to audit purpose.
• Security Reports
  Security Report provide the details of un-authorized login for windows and linux servers.
• Time Restricted Access Report
  Time Based Access report details the list of all temporary accesses provided to an external user for a specific period of time.
• Out of Office Report
  Out of Office Report displays data of connection being accessed after office hours
• Domain Child Report
  Domain Child Connections Report displays data of domain-child connection configured in PAM.
• Password Enforcement Report
  Password Enforcement Report provides the details of connections passwords i.e., password status, expiry, modified etc
• License Entitlement Report
  License report provides details of user and connection license in PAM

In today’s environment its imperative to give access using principles of least privileges with just in time access which is also time restricted. The privileged users should get access to systems on demand rather than have long term or unrestricted access to them.

This requires the tickets in ticketing system to be integrated with PAM solution. The PAM solution verifies the ticket information on a range of ticketing solutions from different service providers like BMC, Remedy, Service Now and others. Iraje REST API integration f ramework allows secure way to integrate service requests in PAM and let the privileged user perform the activities specified in the ticket only for a specific window of time.

This helps ensure that your privileged credentials are only available to personnel who are authorized for access through a valid ticket.

The PAM – Ticketing integrations work by verifying the following:

• Verifying that the ticket exists
• Verifying that the ticket is valid and from a valid privileged user
• Confirming that the ticket is assigned to the requesting user
• Ensuring that that the requestor who opened the ticket is authorized for privileged access to the relevant systems and applications. Once these criteria are met, the ticket is actioned upon to perform the relevant function of providing access, removing access, adding a user or onboarding a device into PAM. The ticketing integration provides just in time access and time restricted access for specific purposes only. The access governance improves drastically with the complete audit trails of activities performed by the users against the approved requests in the ticketing system.

As the world grows more, networked with workloads getting automated through technology transformations and the workplace becoming virtual, the need for securing data, governing accesses and mitigating risks has increased multi-fold.

Enterprises stepping on the cloud paradigm to optimize on infra requirements, scale operations and move their application workloads needs to focus equally on the security of the data and the super user credentials that also reside in cloud.

A plethora of point solutions have come up to address this growing need to managing and securing super user credentials. From a password vaults to traditional identity verification and single sign on solutions, there are many solutions available that help manage the identity and accesses of privileged users on cloud.

Fundamental to managing this challenge is to look for the use cases and map it to the solution that meets these use cases better than other solutions. There are few scenarios where PAM solution and or Infra is on cloud.

The standard requirement is to integrate enterprise infra hosted on cloud behind PAM. There is also growing need of enterprises to host PAM on cloud and get their infra integrated into to it. Iraje PAM supports all kinds of cloud integration scenarios. The integrations allow seamless access to enterprise assets through Iraje PAM which may be hosted on cloud or on premise to manage infra that also may be on cloud or on premise or both.

DevOps is a set of practices that combines software development and IT operations. It aims to shorten the systems development life cycle and provide continuous delivery with high software quality. DevOps is complementary with Agile software development.

DevOps is mindset, a culture and a set of technical practices, it provides communication, integration, automation and close cooperation among all the people needed to plan, develop test, deploy, release and maintain a solution.

A wall between developments and operations often results in an environment where the two teams do not trust each other, and each is walking around a little blindly.

A DevOps approach results in a collaboration between two teams where they work with a shared passion to achieve common goals. DevOps integration involves changes to team composition, project management and delivery process to increase the participation of operational stakeholders in projects in order to improve outcomes.

The popular DevOps tools include:

• Slack
• Jenkin
• Docker
• Phantom
• Nagios
• Vagrant
• Ansible
• GitHub
• Maven
• Chef

Iraje allows DevOps integration in PAM through native API integrations with these tools.

Iraje PAM is ready for DevOps integration, to replace the less-secure development practices. Instead of using the hardcoded or externally stored credentials, the tools connect via secure API calls to credentials vaulted in PAM. These API calls set, retrieve and process credential and password requests. This integration removes the need to use less secure credentials and facilitates automation to a much higher level.

As the world grows more, networked with workloads getting automated through technology transformations and the workplace becoming virtual, the need for securing data, governing accesses and mitigating risks has increased multi-fold.

Enterprises stepping on the cloud paradigm to optimize on infra requirements, scale operations and move their application workloads needs to focus equally on the security of the data and the super user credentials that also reside in cloud.

A plethora of point solutions have come up to address this growing need to managing and securing super user credentials. From a password vaults to traditional identity verification and single sign on solutions, there are many solutions available that help manage the identity and accesses of privileged users on cloud.

Fundamental to managing this challenge is to look for the use cases and map it to the solution that meets these use cases better than other solutions. There are few scenarios where PAM solution and or Infra is on cloud.

The standard requirement is to integrate enterprise infra hosted on cloud behind PAM. There is also growing need of enterprises to host PAM on cloud and get their infra integrated into to it. Iraje PAM supports all kinds of cloud integration scenarios. The integrations allow seamless access to enterprise assets through Iraje PAM which may be hosted on cloud or on premise to manage infra that also may be on cloud or on premise or both.

Multi-tenancy is an architecture where a single instance of the application and a single database serve multiple customers. In a single tenant architecture, each customer has their own application and database server. While in Multi-Tenant architecture a single application server and a single database server serves multiple customers.

In a multi-tenant architecture, multiple instances of an application operate in a single shared environment. This architecture is able to work because though each tenant is integrated physically, they are logically separated; meaning that a single instance of the software will run on one server and then serve multiple tenants. In this way, a software application in a multi-tenant architecture can share a dedicated instance of configurations, data, user management and other properties.