PAM Deployment

Procedure to deploy PAM

Deployment procedure

Introduction

Privileged Access Management (PAM) is the process that determines who has access to which types of information, giving an integrated view of risk, threats, and controls.

Implementing a policy of least privilege minimizes unnecessary privilege allocation to ensure access to sensitive data is available only to those users who really need it.

Soffid provides a complete PAM solution. This page describes the deployment procedure of the Soffid PAM solution in detail.

Prerequisites

First of all, you should install and configure the Soffid PAM solution. To do that, install the jump servers and then configure them in the Soffid Console.

A jump server, jump host or jump box is a system on a network used to access and manage devices in a separate security zone. A jump server is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. (*)

Follow the steps defined in the PAM Install & config book.

Deployment procedure

1. Networks

Main Menu > Administration > Resources > Networks

You need to add your company networks, or the networks you want to manage, to the Soffid Console. To do that, create those networks on the Networks page.

Once you have created your networks, you can continue with the next step.

You can find more information on the Networks page.

2. Config Network discovery

Main Menu > Administration > Resources > Network discovery

When you open the Network discovery page, Soffid displays all the networks created in the Soffid Console.

The network discovery process can be launched for each network. Before launching it, you need to configure, for each network, the potential administrator accounts that will be used to connect to its hosts.

You can add one or more potential administrator accounts to try to connect to the network hosts. These can be new accounts or existing accounts on Soffid. You can also remove accounts from the Accounts to probe list; an account removed from the list continues to exist on Soffid.

You can find more information on the Network discovery page.

Once you have configured the Network discovery parameters for a network, you can run the process immediately to begin the search, or schedule its execution.

3. Launch Network discovery

Main Menu > Administration > Resources > Network discovery

The Network discovery process is unattended: once launched, it keeps running until it finishes, even if you close your Soffid session.

Network discovery can be a long process, depending on the size of the network, the number of hosts, and the firewalls in between.

You can find more information on the Network discovery page.

3.1. Agent definition

As the network discovery process finds hosts, it tries to connect to each of them using the defined credentials. Once it manages to connect to a host with one credential, it does not try the others.

If it manages to connect to the host, it automatically creates a Soffid agent with the proper attributes and connector parameters, together with the necessary account metadata.

3.2. Accounts / Account protected services

Then the reconciliation process of the created agent is launched; it tries to retrieve the information about the accounts defined on the host, and also about the services protected by those accounts.

3.4. Entry points

Where possible, the Network discovery process creates a new entry point to the host with the basic attributes and the proper executions to run it.

That entry point is displayed on the Application access tree page.

4. Password vault

Main Menu > Administration > Resources > Password vault

When the network discovery process finishes, it is really important to determine which accounts are critical. Those critical accounts should be placed in protected storage, the Password vault.

In the Password vault you can place the accounts, especially the critical accounts used to access critical systems. The Password vault lets you manage the access control list of these accounts: here you define who the owners, the managers, and the SSO users are.

You need to configure the access control list correctly, so that only the proper users can view and change the passwords.

You can find more information on the Password vault page.

5. Authorization processes

Soffid allows you to define and add approval processes to manage the use of critical accounts, in which the manager or an authorized user approves or denies their use.

To define and configure approval workflows, you can use the Soffid BPM editor:

Main Menu > Administration > Configure Soffid > Workflow settings > BPM editor

You can visit the BPM Editor book to find more information.

Once you have defined the approval process, you need to establish the relationship between the workflow and the account or accounts. To do that, configure the XACML Policy Management and the XACML PEP configuration.

6. XACML 

For detailed information about XACML, you can visit the XACML book.

6.1. XACML Policy Management

Using XACML, Soffid can apply more complex and more restrictive rules to authorizations. Here you can define policy sets and policies that describe general access control requirements.

You can also define obligations: actions that must be returned with the XACML response. This is where you indicate that an authorization process must be used.

Main Menu > Administration > Configure Soffid > Security settings > XACML Policy Management

6.2. XACML PEP configuration

You need to enable and configure the Password vault Policy Enforcement Point (PEP). This is the mechanism Soffid provides to establish the relationship between the authorization processes and the Password vault.

Bear in mind that you can configure only one Password vault PEP; the policy set you define can contain further policy sets and policies to cover all your company's needs.

Main Menu > Administration > Configure Soffid > Security settings > XACML PEP configuration

7. PAM policies and PAM rules

With PAM, all sessions are recorded (screen, keyboard, clipboard, and file transfers).

Soffid allows you to configure policies based on rules, so that whenever one of the rules is matched, one or more actions are triggered according to the configuration.

The available actions are closing the session, locking the account, opening an issue in a ticketing system, and sending a notification about the broken rule. You can find more information on the PAM rules and PAM policies pages.

7.1. PAM rules

Main Menu > Administration > Configure Soffid > Security settings > PAM rules

You can define rules to detect commands executed on a server. When a user launches a command defined on a rule, Soffid will detect it.

For detailed information about PAM Rules, you can visit the PAM Rules page.

7.2. PAM policies

Main Menu > Administration > Configure Soffid > Security settings > PAM policies

You can define policies made up of several rules. For each rule, you can select the action to perform when Soffid detects that the rule has been matched.

On the Password Vault page, you can assign a PAM policy to each folder, depending on your needs.

For detailed information about PAM Policies, you can visit the PAM Policies page.


(*) https://en.wikipedia.org/wiki/Jump_server


Configuration


Network discovery

Description

The Network discovery tool is in charge of scanning the networks to find hosts and retrieve information about user accounts. Network discovery can detect system accounts as well.

First of all, you need to create the networks that you want to scan. Visit the Networks page for more information. Then, on the Network discovery page, configure for each network the accounts and passwords of the potential administrators that will be used to connect to the hosts and retrieve the information. Finally, start the process execution, or schedule the execution of the network discovery task.

The machines can run Windows or Linux, and it is not necessary to install any additional software on them.

Once the machines and accounts, both user and system, have been discovered, the critical accounts must be located in the password vault. You can visit the Password vault page for more information.

Screen overview

Standard attributes

Network attributes

Basic 

These attributes are read-only; you can update them on the Networks page.

Server

Accounts to probe

When you register a new account, that will be created as an unmanaged account. 

Schedule

For each value of month, day, hour, minute, or day of the week:

Current execution

Last execution

Previous executions

Lists the information about the previous executions:

Machine attributes

Actions

Network discovery query

Add new account repository

Allows you to create an agent. You must select the System type and the login name and password. When the agent is created, if the connection is successful, the reconciliation process will be executed.

Agent definition

Allows you to browse to the agent definition.

Accounts

Allows you to browse to the Accounts page, where the accounts that belong to this system are displayed.

Add new entry point

Allows you to create a new entry point.


Entry point definition

Allows you to browse to the entry point definition.

Network discovery detail

Apply changes

Allows you to save the network discovery detail data. To save the data it will be mandatory to fill in the required fields.

Undo

Allows you to undo any changes made.

Accounts to probe

Add

Allows you to add a new potential administrator account to connect to the machines of the network. To add a new account, first click the add button (+) next to the Accounts to probe list. Then choose whether you want to add an existing account or register a new account.



Delete

Allows you to delete one or more accounts from the Accounts to probe list. Select one or more records and then click the button with the subtraction symbol (-).


Schedule

Start now

Allows you to launch the task execution.

Previous execution

Logs

Allows you to download the log files of previous executions.



Password vault

Description

Soffid provides a protected storage to save and manage accounts for multiple applications: the Password vault. Here you can save the accounts and passwords used to access critical systems, and your applications as well. The Password vault allows you to manage the access control list of these accounts. Depending on the configuration, these accounts can be used by a specific user or by a set of users.

The accounts are organized in folders depending on permissions, criticality level, and so on. These accounts can be system accounts or user accounts.

The Password vault exposes a subset of accounts to some users. These accounts are available through the Self-services portal. You can visit My applications page for more information.

When a privileged account is configured, you can assign a workflow or approval process that must be requested in order to use that account. For more information, see How to apply policies.

Users can be authorized to manage their own personal accounts through the sso:manageAccounts authorization. For more information, visit the Authorizations page.

Folders

In the password vault, two kinds of folders are used: personal folders and shared folders, which depend on the Owners configuration you define.

On one hand, each user has their own personal folder. Inside this folder, the user can create accounts; those accounts are not shared with any other user.

On the other hand, shared folders can be used or managed by the owners, managers, and SSO users.

Accounts

Soffid allows you to create new accounts in a specific folder on the Password vault page. To add a new account it is mandatory to fill in some attributes, such as System, name, and login name. You can consult the existing accounts related to a folder; for each account you can update or delete it, and view or set its password.

Also, you can create accounts on the Account page and assign the appropriate vault folder.

Soffid allows administrator users to configure a workflow to request permissions when a user tries to change the password of a privileged account in the Password vault. That process can be defined with the BPM Editor as an Account reservation type. For more information, you can visit the BPM Editor book.

Overview

1. Accounts

Standard attributes

Folder attributes

Accounts attributes

Actions Tab

This tab shows the read-only attributes of the user account:

This tab also allows you to launch the connection to the target system, view the password, set the password used to launch the connection, and unlock the use of that account. All these options depend on the account definition and the user's privileges.

Basics Tab

This tab displays all the account attributes and allows you to update the account configuration.

Visit the Account page to view more information about the standard attributes of an account.

Actions

Folders query actions

Query

Allows you to query folders; only Quick search is available.

Add new

Allows you to create a new folder. You can choose that option on the hamburger menu or by clicking the add button (+).

To add a new folder it will be mandatory to fill in the required fields.

A folder needs to have at least one owner to manage it.

Folder actions

Apply changes

Allows you to save a new folder or update an existing folder. To save the data it will be mandatory to fill in the required fields. Bear in mind that it is important to indicate who the owners of the folder are.

Undo

Allows you to quit without saving any changes made.

Delete

Allows you to delete a folder if you have the right permissions. To delete a folder, click on the hamburger icon and then click the delete button (trash icon). Soffid will ask you for confirmation before performing that action; you can confirm or cancel the operation.

Account actions

Apply changes

Allows you to save a new account. To save the data it will be mandatory to fill in the required fields. Bear in mind that it is important to indicate who the owners of the folder are. If the account already exists on the system, you can assign the vault folder from the account window.

Undo

Allows you to quit without saving any changes made.

Delete

Allows you to delete an account from a folder if you have the right permissions. To delete an account, click on the hamburger icon and then click the delete button (trash icon). Soffid will ask you for confirmation before performing that action; you can confirm or cancel the operation.

Set password

Allows you to set the password used to access the account.


How to apply policies

Soffid allows you to define policies and rules that apply to a specific folder or a set of folders. To do that, you need to install the XACML addon and configure the proper policies and rules.

You can also configure a workflow or approval process that must be requested in order to use the accounts saved in a folder.

It is mandatory to enable the Password Vault PEP and fill in the XACML policy set and the version that applies.

Example

XACML PEP config

In this example, the Password Vault PEP is enabled and points at the policy set and version that contain the policies described below.

[Screenshots: the Password Vault folder and the XACML PEP configuration]

XACML Policy Management

You need to configure access to the folder "VaultFolder", which can contain other folders and accounts. It is mandatory to configure its access list: who the owners, managers, and so on are. You also need to decide whether to configure the access control list by accounts, by folders, or both.


For instance, the policies you need to implement are the following:

1. Users can use the accounts inside "demoFolder" only between 6:00 and 18:00.


2. User "bob" can never use the accounts of demoFolder.


3. Users whose result is Permit need authorization to use the accounts.

You need to configure the workflow that will be called; to do that, include the bpm obligation in the policy. You can also include a message to the user, or other obligations.
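The three policies above, written as one XACML 3.0 policy for the Password vault PEP. This is an added example and not part of the Soffid documentation: the resource attribute carrying the folder name, the obligation id "bpm", the assignment attribute "workflow" and the workflow name are assumptions, to be replaced with the identifiers given in the XACML book. The rules are combined with first-applicable, so the Deny for bob is evaluated first, the Permit applies only within office hours, and anything else is denied.

```xml
<!-- Added example; attribute ids marked ASSUMED are placeholders for the ones
     the Soffid Password vault PEP really sends (see the XACML book). -->
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="urn:example:vault:demoFolder"
        Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <!-- The policy applies only when the requested resource is the folder demoFolder
       (ASSUMED: the folder name travels in resource-id) -->
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">demoFolder</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                               AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="true"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <!-- Policy 2: bob is denied first, so no later Permit rule can apply to him -->
  <Rule RuleId="deny-bob" Effect="Deny">
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bob</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"
                                 MustBePresent="true"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
  </Rule>
  <!-- Policy 1: permit only while the current time lies between 06:00 and 18:00 -->
  <Rule RuleId="office-hours" Effect="Permit">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:2.0:function:time-in-range">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
                               AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"
                               DataType="http://www.w3.org/2001/XMLSchema#time"
                               MustBePresent="true"/>
        </Apply>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">06:00:00</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">18:00:00</AttributeValue>
      </Apply>
    </Condition>
  </Rule>
  <!-- Default: every request not permitted above (outside office hours) is denied -->
  <Rule RuleId="deny-otherwise" Effect="Deny"/>
  <!-- Policy 3: every Permit carries the bpm obligation, so the PEP starts the
       approval workflow before the account can be used (ASSUMED ids and name) -->
  <ObligationExpressions>
    <ObligationExpression ObligationId="bpm" FulfillOn="Permit">
      <AttributeAssignmentExpression AttributeId="workflow">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Account reservation</AttributeValue>
      </AttributeAssignmentExpression>
    </ObligationExpression>
  </ObligationExpressions>
</Policy>
```

Because the obligation is attached at policy level with FulfillOn="Permit", it is returned only for decisions that reach the office-hours Permit, never for the Deny results.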

Visit the XACML Book for more information.

Visit the BPM Editor Book for more information.




PAM Rules

Definition

Soffid allows you to define rules to detect commands executed on a server. When a user launches a command defined on a rule, Soffid will detect it.

To use those rules, you need to define PAM policies. For more information, you can visit the PAM policies page.

Standard attributes

Actions

PAM rules query

Query

Allows you to query PAM rules using the different search modes: Quick, Basic, and Advanced.

Add or remove columns

Allows you to show and hide columns in the table.

Add new

Allows you to create a new PAM rule. You can choose that option on the hamburger menu or click the add button (+).

To add a new PAM rule it will be mandatory to fill in the required fields.

Delete

Allows you to remove one or more PAM rules by selecting one or more records and then clicking the button with the subtraction symbol (-).

Soffid will ask you for confirmation before performing that action; you can confirm or cancel the operation.

Import

Allows you to upload a CSV file with a list of PAM rules, to add or update PAM rules in Soffid.

First, pick a CSV file; that CSV has to follow a specific layout. Then check the content to be loaded; you can choose whether or not to load each specific attribute. Finally, select the mapping for each column of the CSV file so that the data is imported correctly, and click the Import button.

Download CSV file

Allows you to download a CSV file with the PAM rules information.

PAM rules detail

Apply changes

Allows you to create a new PAM rule or update an existing one. To save the data it will be mandatory to fill in the required fields.

Undo

Allows you to quit without applying any changes made.

Delete

Allows you to delete a PAM rule. Soffid will ask you for confirmation before performing that action; you can confirm or cancel the operation.



PAM Policies

Definition

Privileged Access Management (PAM) policies are a set of guidelines and controls that dictate how privileged access is granted, managed, and audited within an organization.

Soffid allows you to define policies made up of several rules. For each rule, you can select the action to perform when Soffid detects that the rule has been matched.

To use those policies, you need to define how they will be used by each folder in the Password vault. For more information, you can visit the Password vault page.

Screen overview

Standard attributes

When you save the standard attributes of a PAM policy and edit the policy again, the rule list will be shown. Here you can customize the policy depending on the existing rules.

Actions

PAM policies query

Query

Allows you to query PAM policies using the different search modes: Quick, Basic, and Advanced.

Add or remove columns

Allows you to show and hide columns in the table.

Add new

Allows you to create a new PAM policy. You can choose that option on the hamburger menu or click the add button (+).

To add a new PAM policy it will be mandatory to fill in the required fields.

Delete

Allows you to remove one or more PAM policies by selecting one or more records and then clicking the button with the subtraction symbol (-).

Soffid will ask you for confirmation before performing that action; you can confirm or cancel the operation.

Import

Allows you to upload a CSV file with a list of PAM policies, to add or update PAM policies in Soffid.

First, pick a CSV file; that CSV has to follow a specific layout. Then check the content to be loaded; you can choose whether or not to load each specific attribute. Finally, select the mapping for each column of the CSV file so that the data is imported correctly, and click the Import button.

Download CSV file

Allows you to download a CSV file with the PAM policies information.

PAM policies detail

Apply changes

Allows you to create a new PAM policy or update an existing one. To save the data it will be mandatory to fill in the required fields.

Undo

Allows you to quit without applying any changes made.

Delete

Allows you to delete a PAM policy. Soffid will ask you for confirmation before performing that action; you can confirm or cancel the operation.