Architecture Overview
Securden Unified PAM (Privileged Access Manager) is a web-based, on-premise, self-hosted, software-only solution, available as a binary package for installation on Windows. The package contains everything needed; no additional hardware or software is required. It ships with an inbuilt web server and a PostgreSQL server as the RDBMS. Optionally, you can use MS SQL Server as the backend database. Multiple servers are not required for product installation.
The solution runs on a central server connected to a backend database. The server handles all the business logic. End-users connect to the server using any standard web browser, or through the desktop or mobile application. Setting up Unified PAM is quick and easy; download links are sent to your email address.
MFA, Passkey Support
The product integrates with Active Directory and SAML-based Single Sign-On solutions for user management and authentication. It also integrates with a variety of MFA providers: any TOTP authenticator (Google Authenticator or Microsoft Authenticator), any RADIUS-based authentication mechanism (RSA SecurID, Digipass, etc.), Duo Security, YubiKey, an email-to-SMS gateway, and OTP through email. Securden also supports FIDO2 and WebAuthn-based passkeys for secure, passwordless login.
Data Backup, High Availability, Read-Only Replica Servers
Enterprise requirements such as data backup, high availability, and disaster recovery are all in-built.

AD & SSO Integration
The product integrates with your directory service (Active Directory, Azure AD (Entra ID), Google Workspace, or LDAP) and with SAML-based Single Sign-On solutions for user management and authentication.
Encryption and Security
The product stores all sensitive information in a fully encrypted manner in a secure, digital vault. Securden uses AES-256 for encryption. The encryption key is unique to every installation and is automatically generated.
The best way to safeguard the key is to store it in a network location that is on neither the primary nor the secondary server (that is, on a separate machine), and to use a dedicated service account to access that location for read or write operations. If you also run the Securden service under that same service account, only Securden has access to the location; even if the servers where Securden is installed are compromised, the key is not available on those servers. Alternatively, you can store the key in a secure location such as a mounted physical Hardware Security Module (HSM).
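The key-location hardening described above, as an added PowerShell example that is not Securden's own tooling: it restricts the folder holding the key to a dedicated service account and then checks that the Securden service logs on as that account. The share path, account name and service name are placeholders; run it as an administrator on the file server that hosts the location.

```powershell
# Added example, not part of Securden's documentation or product.
# Placeholders (assumptions): adjust all three to your environment.
$KeyPath        = '\\fileserver01\securden-key$'   # separate machine, not the primary/secondary PAM server
$ServiceAccount = 'CORP\svc-securden'              # dedicated service account
$ServiceName    = 'Securden'                       # placeholder; use the actual service name on your install

# 1. Replace inherited permissions with an explicit ACL that names only the service account.
$acl = Get-Acl -Path $KeyPath
$acl.SetAccessRuleProtection($true, $false)        # stop inheritance and drop inherited ACEs
foreach ($existing in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($existing)          # remove every explicit ACE (admins, Users, etc.)
}
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $ServiceAccount, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $KeyPath -AclObject $acl

# 2. Review the result: any identity other than the service account still listed here is a finding.
(Get-Acl -Path $KeyPath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType

# 3. Confirm the Securden service runs as the same account, so the service, not the
#    PAM server's local administrators, is what holds access to the key.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if ($null -eq $svc) { throw "Service '$ServiceName' not found; fix the placeholder name." }
if ($svc.StartName -ne $ServiceAccount) {
    Write-Warning "Service runs as '$($svc.StartName)', not '$ServiceAccount'; reconfigure its logon account."
}
```

Keep a separate, access-controlled backup of the key file: data encrypted with AES-256 cannot be recovered if the only copy of the key is lost.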
Privileged Session Management & Remote Connections
For remote connections, session management, and session recording, Securden provides the option of a gateway approach. All remote connections from endpoints to target IT resources are routed through the remote gateway. This approach eliminates the need for direct connectivity between the endpoints and the sensitive IT infrastructure and ensures a higher level of security. The design is also highly scalable and capable of handling a large number of concurrent remote connections.

The remote gateway approach is supported by the option to deploy multiple application servers, which help in handling privileged account management for a distributed network or distributed data center environments from a central installation.
The Securden Session Manager (SSM) & Securden API Server
To access devices on a remote network, the primary PAM server must connect to the Securden Session Manager using port 4822.
The Securden PAM installation package delivers all of these functionalities. An installation instance can consist of just two physical servers (primary and secondary), or of multiple application servers as required.

Unified PAM Network Architecture
Get a better understanding of how Securden Unified PAM works in multiple cases.
Case 1: Access within the organization
In this scenario, users within the network utilize Unified PAM to connect to devices in the same network. The combination of Securden Session Manager (SSM) and Securden API Server forms a ‘Gateway’ for access.

Case 2: Remote Operations (Password Reset, Verification) over Internet
In this scenario, remote users utilize Unified PAM to connect to devices on a different network. The API Server is installed on a server/machine on the network where other devices are present.
