Product Architecture and Deployment Options

Securden Unified PAM MSP is a software-only solution that can be hosted on any machine running Windows Server 2008 R2 or later. The downloadable installation package is all-inclusive and does not require any additional hardware or software as a prerequisite.

Unified PAM MSP comes with a bundled PostgreSQL server as the default RDBMS. However, you have the option to use any version of MS SQL Server instead. The solution runs on a central server connected to a backend database. The server handles all the business logic, and end users connect to it using any standard web browser.

The product integrates with Active Directory and SAML-based single sign-on solutions for user management and authentication. It also integrates with a variety of MFA providers: any TOTP authenticator (Google Authenticator or Microsoft Authenticator), any RADIUS-based authentication mechanism (RSA SecurID, Digipass, etc.), Duo Security, YubiKey, an email-to-SMS gateway, and OTP through email.

[Figure: Securden Unified PAM MSP Architecture]

The primary instance can be hosted on any server satisfying the minimum requirements mentioned below.


Unified PAM MSP is purpose-built for MSPs and offers multiple deployment models to suit different types of MSP operations. Regardless of the operating model, Unified PAM MSP is installed in the MSP environment, and users from client organizations connect to the product server over standard HTTPS using a web browser.

Unified PAM MSP supports the following deployment options:

  • Privileged systems in client environment, PAM server in MSP environment (PAMaaS)
  • Privileged systems as well as PAM server in MSP environment
  • PAM server in MSP environment, privileged systems distributed across client and MSP environment

Case 1: Privileged systems in client environment, PAM server in MSP environment (PAMaaS)

To connect to IT assets residing in each client's network, you need to deploy only the application layer on the client networks.


Additionally, you need to deploy a lightweight remote connector on the client's network to route remote operations and connections between client assets and the PAM server. The connection from the remote connector to the PAM server is outbound only, so you do not have to open any inbound ports in the client-side firewall.

To launch remote sessions through native clients, monitor and record them, you need to deploy Securden Session Manager on the remote connector device.

Case 2: Privileged systems as well as PAM server in MSP environment

The primary server and all sensitive IT assets belonging to different clients reside together within the MSP network.


Although not mandatory, it is recommended to use a remote connector to route connections between the primary server and client assets and prevent direct connection between them. The connection between the remote connector and the primary server is established through Secure WebSocket.

If you want to allow users from client organizations to launch native remote connections (RDP, SSH, SQL) along with session monitoring and recording, you need to deploy Securden Session Manager on the remote connector device.

Users from client organizations will be able to monitor remote connections and view recorded sessions of their respective organizations if they have the required privileges.

Case 3: PAM server in MSP environment, privileged systems distributed across client and MSP environment

The PAM server is hosted on the MSP network along with part of the clients' IT assets. The remaining sensitive IT assets belonging to different clients reside within the respective client's IT network.

The PAM server communicates with the IT assets inside the client organization through the remote connector. This remote connector needs to be deployed on a device running the application layer of the PAM solution within the client network. The remote connector communicates with the primary PAM server through Secure WebSocket over an outbound connection.
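The outbound-only connector pattern described in Case 1 and Case 3 can be seen in a few lines of code. The following is an added illustration, not Securden's code: the "PAM server" side listens, the "connector" side (standing in for the device on the client network) dials out to it, and from then on the server pushes tasks through that single channel and the connector answers. Plain TCP with newline-delimited JSON on localhost stands in for the product's Secure WebSocket, and the asset inventory, message types and connector name are constructed for the example.

```python
"""Outbound-only remote connector pattern (added illustration, not product code).

The server never initiates a connection towards the client network; it only
uses the channel the connector opened. That is why the client-side firewall
needs no inbound rule for the PAM server to reach client assets.
"""
import json
import socket
import threading

# Constructed sample: the asset inventory reachable from the client network.
CLIENT_ASSETS = {"db-01": "10.0.5.20", "web-01": "10.0.5.30"}


def _send(sock, obj):
    """Write one newline-delimited JSON message."""
    sock.sendall((json.dumps(obj) + "\n").encode())


def _recv(reader):
    """Read one newline-delimited JSON message; None when the peer is gone."""
    line = reader.readline()
    return json.loads(line) if line else None


def connector(server_host, server_port):
    """Client-side connector: opens the only connection, then serves tasks."""
    with socket.create_connection((server_host, server_port)) as sock:
        reader = sock.makefile("r")
        _send(sock, {"type": "register", "connector": "client-a"})  # constructed name
        while True:
            task = _recv(reader)
            if task is None or task["type"] == "close":
                break
            if task["type"] == "resolve":  # server asks where an asset lives
                ip = CLIENT_ASSETS.get(task["asset"])
                _send(sock, {"type": "result", "asset": task["asset"], "ip": ip})
            else:
                _send(sock, {"type": "error", "reason": "unknown task"})


def pam_server_session(listener, assets):
    """Server side: accept one connector and push tasks over its channel."""
    conn, _ = listener.accept()
    with conn:
        reader = conn.makefile("r")
        hello = _recv(reader)
        results = {}
        for asset in assets:
            _send(conn, {"type": "resolve", "asset": asset})
            reply = _recv(reader)
            results[asset] = reply["ip"] if reply else None
        _send(conn, {"type": "close"})
    return hello["connector"], results


def run_demo(assets=("db-01", "web-01", "missing-asset")):
    """Wire both sides on localhost and return what the server learned."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    worker = threading.Thread(target=connector, args=("127.0.0.1", port))
    worker.start()
    try:
        return pam_server_session(listener, assets)
    finally:
        worker.join()
        listener.close()


if __name__ == "__main__":
    print(run_demo())
```

Running the file prints the connector's name and a map of asset names to the addresses it resolved, with `None` for an asset the connector does not know. The only `bind`/`listen` in the example is on the server side; the connector side has only a `create_connection`, which is exactly the property that lets the client firewall stay closed to inbound traffic.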

Administrative Flexibility

Unified PAM MSP provides flexibility in the method of administration within each organization. The service provider may assign a technician to each client to oversee all privileged access management activities. Alternatively, if the client organization wants to handle the administration itself, it may do so. MSP administrators and auditors can access client assets and view recordings only if they exist as an administrator within the client organization.

Database Segregation

All data pertaining to an organization is stored in the range of the database allocated to that organization. Users from a client organization have access only to assets belonging to their own organization.
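The two rules just stated, that users see only their own organization's data and that MSP staff reach a client's assets and recordings only through an administrator membership in that client organization, are a tenant-scoping problem. The following added example (not Securden's schema or code) shows one way such scoping is enforced: every asset and recording carries an `org_id`, every query is joined against the caller's memberships, and recordings additionally require the `admin` role. The tables, role names and sample organizations, users and assets are all constructed for the example.

```python
"""Organization-scoped access checks (added illustration, not product code).

Data is never queried without a membership join, so a user with no
membership in an organization cannot see that organization's rows at all;
recordings add a role requirement on top.
"""
import sqlite3

# Assumed schema for the example; not the product's own.
SCHEMA = """
CREATE TABLE organizations (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE memberships (user_id INTEGER, org_id INTEGER, role TEXT,
                          PRIMARY KEY (user_id, org_id));
CREATE TABLE assets (id INTEGER PRIMARY KEY, org_id INTEGER, hostname TEXT);
CREATE TABLE recordings (id INTEGER PRIMARY KEY, org_id INTEGER, asset_id INTEGER);
"""

# Constructed sample data: two client organizations and one MSP technician
# who has been made an administrator in Client A only.
SAMPLE = """
INSERT INTO organizations VALUES (1, 'Client A'), (2, 'Client B');
INSERT INTO users VALUES (10, 'alice'), (20, 'bob'), (30, 'msp-tech');
INSERT INTO memberships VALUES (10, 1, 'admin'), (20, 2, 'user'), (30, 1, 'admin');
INSERT INTO assets VALUES (100, 1, 'a-db-01'), (101, 1, 'a-web-01'), (200, 2, 'b-db-01');
INSERT INTO recordings VALUES (1000, 1, 100), (2000, 2, 200);
"""


def open_db():
    """In-memory database loaded with the constructed sample."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA + SAMPLE)
    return db


def visible_assets(db, user_id):
    """Assets in every organization the user is a member of, and nothing else."""
    rows = db.execute(
        "SELECT a.hostname FROM assets a "
        "JOIN memberships m ON m.org_id = a.org_id "
        "WHERE m.user_id = ? ORDER BY a.hostname",
        (user_id,),
    )
    return [r[0] for r in rows]


def can_view_recordings(db, user_id, org_id):
    """Recordings of an organization are viewable only by its administrators."""
    row = db.execute(
        "SELECT role FROM memberships WHERE user_id = ? AND org_id = ?",
        (user_id, org_id),
    ).fetchone()
    return row is not None and row[0] == "admin"


def recordings_for(db, user_id, org_id):
    """Check authorization before querying; an unauthorized caller gets nothing."""
    if not can_view_recordings(db, user_id, org_id):
        return []
    rows = db.execute("SELECT id FROM recordings WHERE org_id = ?", (org_id,))
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = open_db()
    for uid, name in ((10, "alice"), (20, "bob"), (30, "msp-tech")):
        print(name, visible_assets(db, uid), recordings_for(db, uid, 1), recordings_for(db, uid, 2))
```

In the sample, `alice` (administrator of Client A) sees Client A's assets and recordings, `bob` (a plain user in Client B) sees Client B's assets but no recordings, and `msp-tech` sees and can review Client A only, because that is the one client organization in which the technician holds an administrator membership. The point of the design is that the scoping lives in the query itself rather than in a filter applied afterwards, so there is no code path that fetches another organization's rows first.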