PAM Unified Server Control Functional Overview and Business Value
This topic provides a detailed functional overview and presents the business value of PAM with unified Server Control functionality.
Problem Statement | Solution |
Many data breaches happen because of compromised privileged user accounts, such as the UNIX/Linux superuser account (root) and Windows administrator accounts. Privileged accounts provide full, unrestricted access to all applications, data, and audit logs, so malicious insiders and external attackers specifically target them. Unfortunately, these superuser accounts cannot be disabled because systems administrators need the privileges to perform necessary and legitimate maintenance of critical servers. Extra protections that audit all access and identify and prevent unauthorized activities, while still allowing legitimate actions, are key to defending mission-critical servers. A single misuse of a privileged account can cause widespread, irreparable damage to your organization's infrastructure, intellectual property, and brand equity. You need a proven privileged access management solution that provides powerful controls over privileged users on your most critical systems. | Use PAM The integration of CA Privileged Access Manager Server Control with PAM is a comprehensive and mature solution designed to protect your most sensitive systems, whether they are physical, virtual, or cloud. CA Privileged Access Manager is a scalable solution that can deploy fine-grained access controls, auditing, and UNIX authentication bridging across servers from a single PAM control plane. PAM is also uniquely capable of deploying policies that enforce kernel-level access controls on any account, including UNIX root and Windows administrator. |
The Security Administrators of two different divisions of a company have asked you for assistance in developing consistent security policies across the divisions. | Deploy Policies The Security Administrators have decided to deploy a PAM 4.0 environment to establish centralized propagation of vaulting and security rules. With PAM 4.0, you create a policy once and deploy it to the agents distributed across your entire company or enterprise. |
You are a Security Administrator for the Manufacturing Division of Example.com. Now that management has decided to implement an enterprise-wide security solution, your task is to install the application. | Install PAM Set up the system for installation. Install the PAM 4.0 Appliance. Verify the installation. |
You are the Security Administrator for PIM and PAM SC, and management has decided to consolidate security tools into a single platform: PAM. As the owner of this application and project, and to cause minimal business disruption, you want to keep access to all existing fine-grained policies, devices, device groups, and deployments from the PAM UI. | Use the Migration Utility The Migration Utility migrates the DMS data (Devices, Device Groups, Policies, and Deployments) from the existing PIM environment to PAM. Migration does the following tasks:
|
You are a Security Administrator. Now that you want to deploy Server Control or fine-grained policies across multiple agents, you need Distribution Server software that is easy to install and scalable. | Utility Appliance The Utility Appliance is a hardened, all-in-one virtual appliance that provides all Distribution Server functionality. |
The Example.com security policy requires least privilege and separation of duties, requiring the following restrictions:
Your primary concern is policy management functionality. When you log in to PAM as a user with Server Control privileges, you should see only the parts of the UI and the functionality that relate to your role. Similarly, every user should see only the tabs and tasks that are assigned to their role. | Role-based UI In PAM you grant users entitlements as sets of privileges, known as roles, that enable or disable options within the PAM UI. Roles simplify privilege management: instead of associating a user with each task that they perform, you assign a role to the user, and the user can perform all the tasks in that role. When you add a task to a role, every user who has the role can perform the new task. When a user logs in to PAM, the user sees only the tabs and tasks that are assigned to their role. Assigning separate roles to different users prevents any one user from being able to complete every task, which lets your organization comply with separation of duties requirements. List of roles:
|
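The role mechanism described above (tasks granted to roles, users granted roles, tabs filtered by what the user can do, and separate roles used to enforce separation of duties) is illustrated below as a generic model. This is an added example, not PAM's own code or its role list; the role, task, tab and user names are hypothetical and the sample data is constructed.

```python
"""Generic role-based access control with a separation-of-duties check.

Added illustration of the role model described in the text. It is not PAM's
implementation; role, task, tab and user names below are hypothetical.
"""
from __future__ import annotations


class RoleModel:
    """Tasks are granted to roles; users are granted roles, never tasks directly."""

    def __init__(self) -> None:
        self.role_tasks: dict[str, set[str]] = {}
        self.user_roles: dict[str, set[str]] = {}

    def define_role(self, role: str, tasks: set[str]) -> None:
        self.role_tasks[role] = set(tasks)

    def add_task_to_role(self, role: str, task: str) -> None:
        # Every user who already holds the role can perform the new task at once.
        self.role_tasks[role].add(task)

    def assign_role(self, user: str, role: str) -> None:
        if role not in self.role_tasks:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def tasks_for(self, user: str) -> set[str]:
        """Union of the tasks of every role the user holds (empty for unknown users)."""
        return set().union(*(self.role_tasks[r] for r in self.user_roles.get(user, ())))

    def can(self, user: str, task: str) -> bool:
        return task in self.tasks_for(user)

    def visible_tabs(self, user: str, tab_tasks: dict[str, set[str]]) -> set[str]:
        """A tab is shown only if the user can perform at least one task in it."""
        mine = self.tasks_for(user)
        return {tab for tab, tasks in tab_tasks.items() if tasks & mine}

    def sod_violations(self, conflicts: list[tuple[str, str]]) -> list[tuple[str, str, str]]:
        """Users who hold both halves of a conflicting task pair through any mix of roles."""
        found: list[tuple[str, str, str]] = []
        for user in sorted(self.user_roles):
            mine = self.tasks_for(user)
            for a, b in conflicts:
                if a in mine and b in mine:
                    found.append((user, a, b))
        return found


# Constructed sample: hypothetical roles, tasks, tabs and users.
SOD_CONFLICTS = [("policy.create", "policy.deploy")]   # author must not also deploy
TABS = {
    "Policies": {"policy.create", "policy.edit", "policy.deploy"},
    "Audit": {"audit.view"},
}


def build_example() -> RoleModel:
    m = RoleModel()
    m.define_role("policy_author", {"policy.create", "policy.edit"})
    m.define_role("policy_deployer", {"policy.deploy"})
    m.define_role("auditor", {"audit.view"})
    m.assign_role("alice", "policy_author")
    m.assign_role("bob", "policy_deployer")
    m.assign_role("carol", "policy_author")
    m.assign_role("carol", "policy_deployer")   # holds both halves of the conflict
    m.assign_role("dave", "auditor")
    return m


if __name__ == "__main__":
    m = build_example()
    print("alice sees:", m.visible_tabs("alice", TABS))
    print("SoD violations:", m.sod_violations(SOD_CONFLICTS))
```

The separation-of-duties check deliberately works on the effective task set rather than on role names, because a user who is granted two individually harmless roles can still end up holding a conflicting pair of tasks; that is the case the role split is meant to prevent.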
You are a Security Administrator of Example.com and want to understand the health and status of your agents. | Agent Status Dashboard The Agent Status Dashboard applies only to Server Control-based devices. It lets users check the status (Active, Inactive, Warning) of each agent type (Server Control, UNAB, PUPM). Note: During a migration from PIM/PAM SC, agents might be listed as "Uninitialized". This status is expected until the final cutover occurs, after which PAM starts managing this data. |
As a Security Administrator, you want to automate policy deployment without having to log in to the PAM UI. | Policy Management through API The PAM APIs for Server Control policy management (Policy CRUD and Policy Manage) let Security Administrators automate policy deployment without using the PAM UI. |
You are a Security Administrator, and you want to track and audit the actual user of your server rather than the shared local privileged user name. | Login Integration Privileged Access Manager Server Control Login Integration lets Privileged Access Manager integrate its login process and login information with Server Control. When activated, the actual user name, not the shared local privileged account name, is used for auditing in Privileged Access Manager Server Control. |
As a Security Administrator for the Manufacturing Division of Example.com, you have a deadline to upgrade existing PIM endpoints to PAM SC/PIM, but you are concerned that it might take several months. | Simplified Agent Installation and Upgrades This functionality simplifies endpoint installations, upgrades, and patches with no downtime, and includes a rollback mechanism in case a failure occurs. This simplification reduces the time to deploy from several months to days. The following Linux variants are supported: YUM Package Manager - OEL, SLES, RHEL; APT-GET Package Manager - Debian, Ubuntu |
The Example.com corporate security policy mandates a daily audit of critical hosts for user activity, security breaches, and attempted security breaches. As a Security Administrator, you want to see all audit events in a centralized UI. | Track User Behavior Activities on Server Control Devices (SIEM) As Security Administrator, you log in to the PAM server to configure the SIEM tool information. Next, you log in to the Server Control device and run the Report Agent. The agent sends the snapshot to Splunk, where you can view the User Activity reports. |
Example.com wants to consolidate user stores across Windows and UNIX hosts. The goal is to enable Active Directory-based UNIX logins. | UNAB PAM offers the UNIX Authentication Broker (UNAB) to authenticate UNIX users against Active Directory. UNAB must be installed and configured before UNIX users can log in with their AD credentials. With AC UNAB Authorization, administrators authorize users and groups to hosts or host groups. With AC UNAB Configuration, administrators manage UNAB configuration settings; hosts and host groups can also be managed from this feature. |