1 of 11

PAM Administration

Introduction to Privilege Access Management (PAM)

Privileged Access Management (PAM) is a set of technologies, policies, and procedures used to manage and monitor access to critical systems and sensitive data within an organization. PAM solutions aim to mitigate the risk of unauthorized access to privileged accounts, which are often used by administrators, IT staff, and other privileged users to manage critical systems and applications.

The goal of PAM is to ensure that privileged access is only granted to authorized users, and that access is granted on a need-to-know basis.

PAM solutions typically involve several components, including privileged account discovery, credential management, access control, session management, and monitoring and reporting.

Credential Management involves securely storing and rotating passwords and other credentials used to access privileged accounts.
Access control involves implementing policies and procedures to control who has access to privileged accounts and when.
Session management involves monitoring and terminating privileged sessions to prevent unauthorized access and misuse.
Monitoring and reporting involves tracking all privileged access activity and generating alerts when suspicious activity is detected.

Implementing a robust PAM solution can help organizations improve their security posture, reduce the risk of data breaches, and comply with regulatory requirements.

However, PAM solutions require careful planning and implementation to ensure they do not disrupt business operations or create additional security risks.

How to Access PAM in Cymmetri

Navigate to your Cymmetri Tenant for e.g. sunstarcafe.newqa.cymmetri.in/login
Login into your tenant by entering your username and password of the Organization Administrator and Click "Login"
Enter Cymmetri Authenticator Code and Click "Verify"
Go To "Configurations"

And Click on "Admins"

Select PAM Write Access option and Click "Add New" to add a new PAM Write Access Administrator

Find the user who needs to be the Administrator and Click "Assign"
Ensure correct Role is selected and Click "Save"
Ensure the selected user is appearing in the list of Admins
Follow the same steps to assign a PAM Read Access Administrator
And PAM Report Access Administrator
Logout from the current login

And login again using the login credentials of the PAM Admin that was just added

Since the user is now an administrator we will need to provide the authenticator code and click on "Verify" to login
To Access PAM we need to Click on "Products"
And then select Privilege Access Management
This opens the screen for Privilege Access Management as shown below

Sub-Sections of PAM

Privilege Access Management in PAM has various subsections for configuring its various components. These subsections are as follows:

Configuration
Devices
Vault User
History
Vaulting Configuration
Break Glass Configuration
SignOn Policy
Report &
Dormancy Disable Config

All these sections help in configuring PAM, Servers and the Users. It also shows the reports and other additional configurations.

Steps to configure PAM Server

The first section in PAM is Configuration. In this section we can configure the PAM server credentials that will help us to connect to the PAM server.

A PAM server is a component of a Privileged Access Management (PAM) solution that is responsible for managing privileged access to critical systems and applications within an organization. The PAM server acts as a central point of control for managing and monitoring privileged accounts and their access.

PAM servers can be deployed on-premises, in the cloud, or as a hybrid solution. They can also be integrated with other security and IT management solutions, such as identity and access management (IAM) systems like Cymmetri.

To configure the PAM Server we need to provide the IP Address and Port No of the PAM server as shown below:

Adding a device/ server in PAM

A device or server represents the critical systems within an organization.Servers play a critical role in Privileged Access Management (PAM) solutions, as they are often the targets of unauthorized access by attackers seeking to gain control over critical systems and sensitive data.

PAM solutions manage and control privileged access to these systems. By leveraging PAM solutions to manage privileged access to servers, organizations can improve their security posture, reduce the risk of data breaches, and comply with regulatory requirements.

In Cymmetri it is the Actual Server(Windows or Linux) that the Privileged User will be connecting to using either RDP or SSH.

Cymmetri allows you to add this device/ server.

The steps to add a RDP device or server are as below:

Click on the Devices sub-section on the PAM Page and click on the Add Server Button
This opens up a new window for adding a server and it gives two options: RDP(Remote Desktop Protocol) and SSH(Secure Shell Protocol)., we need to select RDP for a Windows Server and SSH for a Linux Server. Currently we will select RDP as we want to add a Windows Server
When you select RDP a pop up shows up on the right and it asks for 3 details i.e.
1. Device Label
2. Hostname and
3. Username
Device Label represents name of the device/ server and hence has to be unique.
HostName is the actual server name or its ip.
Username represents the actual server username to be used to connect to the server.
We will change these details as given below:
1. Device Name: Windows RDP Server
2. Hostname: 65.0.122.207
3. Username: Administrator
And then click on Add Device button to add the server
To check if the device is correctly added Click on Devices again and you can see the newly added server should be visible as shown below

The steps to add a SSH device or server are as below:

Click on the Devices sub-section on the PAM Page and click on the Add Server Button
Now from the two options available we need to select SSH
A similar popup like in RDP opens up with Device Label prefilled.
We need to change the Device Label, Hostname and Username as given below:
1. Device Name: Linux SSH
2. Hostname: 10.0.1.7
3. Username: kiran
We then click on Add Device to add the Server and it can be seen in list as shown below:

When a device is added it is added with minimum configuration, i.e. Device Label, Hostname and Username. You can further configure the connection and other device related information if it needs to be customized

For configuring the device further the steps are as follows:

Click on the device you want to configure
Click on Settings
A Settings Page opens when you can find numerous options to configure as show below:
Connection Attributes for any device are read-only as show here, but other attributes can be configured
Shown below are the attributes of a device/ server that can be configured:

Vault User

What is a vault user?

A "vault user" refers to a user account that has access to a secure resources on a server. When configuring PAM, credentials of the vault user are used to connect to the destination server.

Each device/ server configured can have a vault user created for it. It is also possible that a same user created at a centrally located place like an Active Directory can be used to access multiple devices/ server.

Cymmetri allows you to Access and Manage Vault Users a vault user and use it to access the server.

Adding a vault user

Click on Vault User in the Privilege Access Management Section
This opens a pop up that asks for your current password. This is done to confirm the request is actually made by the PAM Administrator
Once the password is entered It shows the list of all Vault Users
On the Top Right there is a button for Add Vault User. Click on that to Add a new vault user.
A new modal opens up where you need to provide username and password for creating a vaut user
Here the User Name has to be unique and Password is optional we may create a user just with the User Name
Once entered click on Save and a user is created as shown below

Editing a vault user details:

For editing the details of a vault user we need to click on the ellipses next to the vault user's name and Select Edit as shown below:
This opens a modal similar to adding a vault user where you can change the vault user credentials and save

Deleting a vault user:

For deleting a vault user we need to click on the ellipses next to the vault user's name and Select Delete as shown below:
Once you click on delete it asks for confirmation, Once confirmed the user is deleted.

Vaulting Configuration

Vaulting Configuration section allows you to configure various details about vaults that are necessary for proper and efficient usage of vault users

It allows you to configure the following:

Password Policy
Active Directory (A central location for vault users)
Manual Generation of Passwords for Vault Users (All or Specific Users)

Password Policy

Cymmetri allows you to select a specific Password Policy for Vault Users, If nothing is changed it uses the default password policy of Cymmetri.
For Changing the Password Policy for Vault Users, Select Vaulting Configuration and then select the Password Policy that you wish to implement from the dropdown provided as shown below:

Active Directory

If the vault users are stored at a central location like Active Directory then we need to configure the location and access credentials of this Active Directory.
For configuring the Active Directory we need to provide the following information as shown below:
1. Active Directory Domain: Here we need to provide the Active Directory LDAP URL and the root domain details. For e.g. ldaps://EC2AMAZ-2LBJU5A.cymmetri.in:636;DC=cymmetri,DC=in
2. User Name: This is the Active Directory Administrative username. For e.g. Cymmadmin
3. Password: This is the Active Directory Administrative password.

Generation of Passwords for Vault Users (All or Specific Users)

For Generating Password for Vault User we need to do the following configurations:

One or more users who will receive an email that contains the list of usernames and passwords
Password for opening the file which contains the list of usernames and passwords
Configure a scheduler to reset the password of users and send an email to the above configured use
Manually send the list of usernames and passwords of all or specific users

One or more users who will receive an email that contains the list of usernames and passwords:

For adding users who will receive the email containing the list of usernames and passwords we need to select one more cymmetri users here as shown below:

Password for opening the file which contains the list of usernames and passwords

For Configuring the password simply enter the password in the password box provided

Configure a scheduler to reset the password of users and send an email to the above configured use

For configuring a schedular we need to enable the scheduler and provide the following details:

A start execution date and
cron expression

The cron expression can also be generated using the Generate Cron Expression option as shown below:

Manually reset and send the list of usernames and passwords of all or specific users

Password of vault users can be reset manually and sent an email for all or for specific users
You can either reset password for all users and send a list by selecting the All users option and clicking on Generate Password button as shown below:
Alternatively you may also send a list of only specific usernames and passwords by selecting To specific users option and then selecting the users whose details you need to reset and send.

Break Glass Configuration

What is break glass configuration?

"Break glass configuration" in Cymmetri refers to a method of obtaining the list of username and passwords of vault users without resetting them. It involves setting up special user accounts that can be used in emergencies to generate an envelope of vault user credentials and send it as a email to the configured user.

For configuring the user(s) we need to select the user(s) from the dropdown as shown below and need to enter a password.

Sending the vault user credentials can be done in two ways:

Configure a scheduler which sends the email at the configured date-time and mentioned frequency as shown below:
Generate and send the envelope manually for All or specific user(s) as shown below:

The email sent to the configured user consists of a .csv file containing user details in encrypted format as shown here:

The User then needs to use a Utility called PassEnvelopeReader to decrpyt the encrypted data and view the list of usernames and password. This utility asks for a password at the beginning to be able to access and decrypt the user details.

PAM Reports and PAM History

PAM Reports

Cymmetri provide you with various PAM Reports that the administrator can use to have various insights.

For accessing PAM Reports you need to access Privilege Access Management ->Report as shown below:

PAM Reports sections provides you with the following types of reports:

PAM History

PAM server can monitor and record privileged sessions, providing audit trails of all privileged access activities. This allows security teams to quickly identify and investigate any suspicious or unauthorized activity.

PAM History shows a complete history of usage by PAM users of the various devices/ servers configured in PAM. PAM History maintains recording of all privileged access activity which can be seen by the administrator as and when needed.

To Access PAM History you need to access Privilege Access Management->History. To view the session recording you need to click on the video icon in right most column Logs

The image below shows a sample recording that the administrator can view

Dormancy Disable Config

Dormancy Disable Config refers to configuring a setting that allows to automatically deprovision access of a user to the server in case the user has been dormant for more than the mentioned number days in this setting. This might be useful for governance purpose as PAM users are high risk users and this setting can help in removing such dormant accesses.

Following steps need to be performed to configure Dormancy Disable

Go To Privilege Access Management -> Dormancy Disable Config
The in the Config Days section need to provide the number of days after which the acoounty activiity can be considered dormant and hence deprovision the access
The status need to be enabled and then you can save the setting for the mentioned number of days.