How Integrating Privilege Management with SSO Dials Down Cyber Threats While Dialing up the End-User Experience

Identity has become the new perimeter. Security teams who want to be proactive in securing their organization’s credentials are looking for integrated enterprise solutions that validate their users’ identity before providing access to critical corporate assets and accounts. This is especially imperative when it comes to privileged identities and access. Privileged access is a high-value target for cybercriminals. According to Forrester Research, 80% of IT security breaches involve privileged credentials. So, it’s unsurprising that Gartner ranked privileged access management (PAM) as #2 in information security spending growth in their report, “Top 10 Security Projects for 2019”, issued this past February.

SSO and PAM: Enabling a Secure Access Experience, Invisible to End Users

Single Sign-On (SSO) is a session and user authentication system that permits a user to apply one set of login credentials (i.e. username and password) to access multiple applications. Those applications can be based on-premise and/or in the cloud. The SSO service authenticates the end user for all applications for which the user has been provided rights. SSO enables a seamless work experience when moving from application to application during the same session, since, once the user is authenticated, there are no additional login prompt screens.

Behind the scenes, organizations can leverage the SSO logging of user activities to monitor and pull audit records on user accounts and access. Organizations can also layer on multi-factor authentication (MFA) with SSO to improve security.

Privileged access management (PAM), also called privileged account management, refers to the practices and solutions for securely managing the privileges/privileged access of user accounts, applications, databases, servers, network devices, etc. Typically, privileged accounts have access to mission-critical systems or applications that could contain confidential information or intellectual property.

Integrating OneLogin SSO & BeyondTrust PAM to Streamline Access & Secure Privileges

When an organization implements OneLogin’s RADIUS or SAML SSO and MFA with BeyondTrust’s centralized PAM solution, customers can ensure that only authorized privileged users can access their accounts. Integrating these solutions significantly reduces an enterprise’s attack surface, while improving visibility and accountability for their users.

Figure 1: OneLogin interface showing both RADIUS and SAML MFA options available to use.

Option 1: When a user logs into the OneLogin SSO portal, they will click on the BeyondTrust icon to begin accessing accounts, applications, or assets. BeyondTrust Password Safe injects privileged credentials into the secure session initiated directly from the Password Safe appliance to the target system. This approach prevents pass-the-hash and man-in-the-middle compromises because the privileged credentials are never stored on the user’s workstation.

After the user has provided their MFA token (either manually or via push) to authenticate themselves into OneLogin SSO, they have several options in how to access systems via Password Safe. These options are available to maintain the user’s normal productivity, while providing secure access across the enterprise.

Option 2: The OneLogin and BeyondTrust integration also enables users to access the Password Safe Portal via their standard internet browser. The Password Safe Portal will provide all the accounts, applications, and assets the user has been configured to interact with, based on predefined role-based access controls for that user or group. Note that users and groups can be added to Password Safe through Active Directory, LDAP, SailPoint, and centralized user management within BeyondInsight, which is the integrated platform that supports the PAM solutions from BeyondTrust.

Figure 2: Password Safe Portal via the user’s standard internet browser.

A user may access systems via PuTTY or another terminal services application of their choice, just as they normally would. In a similar fashion, the user could also initiate the session via a Direct Connect icon from the user’s desktop. The ease of use is immediately apparent to the user because they may connect to the same asset as they did before deploying a privilege management solution, except the user is not required to remember the passwords (thanks OneLogin SSO!). BeyondTrust will automatically inject those credentials into the secure proxied session. The added benefit is that the assets, account credentials, and data stored on those devices now have protection against privileged attack vectors.

The ability to initiate a secure session from Password Safe to nearly any device (Unix, Linux, Windows, Mac, iSeries, network devices, DevOps, IoT, SCADA, etc.) delivers consistent and reliable security across heterogeneous environments. BeyondTrust helps organizations enforce best practices around privileged credential management, such as requiring every device, database, application, server, administrative, and service account to have a unique password and rotating that credential after each use. If end users are not required to remember those privileged credentials, then organizations won’t have them stored in unsecured spreadsheets, Word documents, or written on post-it notes. BeyondTrust can also generate alerts and complete audit reporting for all account activities, down to the keystroke, across a customer’s enterprise.
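To make the SSO and PAM flow described in the sections above concrete (one authentication per session, role-based lookup of managed accounts, credential injection by the proxy so the user never receives the password, rotation after each use, and an audit trail), here is an added, self-contained Python model. It is demonstration code written for this page, not OneLogin’s or BeyondTrust’s implementation; the directory, user names, passwords, host names and class names are all constructed, and a real identity provider would store password hashes and issue signed SAML assertions or RADIUS responses rather than the in-memory tokens used here.

```python
import secrets
import time
from dataclasses import dataclass, field

# Constructed directory (stands in for AD/LDAP): login secret and group membership.
# Plaintext passwords are used only to keep the demo short.
DIRECTORY = {
    "alice": {"password": "alice-sso-pw", "groups": {"db-admins"}},
    "bob": {"password": "bob-sso-pw", "groups": {"helpdesk"}},
}


class SsoService:
    """One password+MFA authentication yields a session token; later access checks the token."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._sessions = {}  # token -> (user, expiry)
        self.log = []

    def login(self, user, password, mfa_passed):
        rec = DIRECTORY.get(user)
        ok = rec is not None and secrets.compare_digest(rec["password"], password) and mfa_passed
        self.log.append(("login", user, "ok" if ok else "failed"))
        if not ok:
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, time.monotonic() + self.ttl)
        return token

    def resolve(self, token):
        """Return the user bound to a live token, or None."""
        entry = self._sessions.get(token)
        if entry is None or entry[1] < time.monotonic():
            return None
        return entry[0]


class TargetHost:
    """Stand-in for a managed server that holds one privileged account."""

    def __init__(self, name, account, password):
        self.name, self.account, self._password = name, account, password

    def authenticate(self, account, password):
        return account == self.account and secrets.compare_digest(self._password, password)

    def set_password(self, account, new_password):
        if account == self.account:
            self._password = new_password


@dataclass
class ManagedAccount:
    account: str
    host: TargetHost
    allowed_groups: set
    secret: str = field(default_factory=lambda: secrets.token_urlsafe(24))  # unique per account


@dataclass
class ProxiedSession:
    """What the user receives: a handle to the proxied session, never the credential."""
    user: str
    account: str
    host: str


class PasswordVault:
    def __init__(self, sso):
        self.sso = sso
        self.accounts = {}
        self.audit = []

    def enroll(self, managed):
        # The vault takes ownership of the account by setting a fresh unique password.
        managed.host.set_password(managed.account, managed.secret)
        self.accounts[managed.account] = managed

    def open_session(self, token, account):
        user = self.sso.resolve(token)
        managed = self.accounts.get(account)
        if user is None:
            self.audit.append(("denied", None, account, "no valid SSO session"))
            return None
        if managed is None or not (DIRECTORY[user]["groups"] & managed.allowed_groups):
            self.audit.append(("denied", user, account, "role not permitted"))
            return None
        # Credential injection: the vault/proxy authenticates to the target itself.
        if not managed.host.authenticate(managed.account, managed.secret):
            self.audit.append(("error", user, account, "target rejected vault credential"))
            return None
        self.audit.append(("opened", user, account, managed.host.name))
        return ProxiedSession(user, account, managed.host.name)

    def close_session(self, session):
        """Rotate the credential after use and return the now-retired secret."""
        managed = self.accounts[session.account]
        old = managed.secret
        managed.secret = secrets.token_urlsafe(24)
        managed.host.set_password(managed.account, managed.secret)
        self.audit.append(("rotated", session.user, session.account, managed.host.name))
        return old


def demo():
    """Run the full flow once: login with MFA, proxied session, rotation on close."""
    sso = SsoService()
    vault = PasswordVault(sso)
    db = TargetHost("db01", "root", "bootstrap-pw")
    vault.enroll(ManagedAccount("root", db, {"db-admins"}))
    token = sso.login("alice", "alice-sso-pw", mfa_passed=True)
    session = vault.open_session(token, "root")
    old_secret = vault.close_session(session)
    return sso, vault, db, token, session, old_secret
```

The point to notice is what the user-facing `ProxiedSession` does not contain: the privileged password is only ever exchanged between the vault and the target host, and because `close_session` rotates it, a secret captured from the target side after the session is of no further use. The `audit` list is the equivalent of the per-account activity record the text mentions; a failed SSO login and an out-of-role request both leave entries.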

Ultimately, IT security teams benefit from end-to-end visibility and auditability of user activity when they’re leveraging both OneLogin SSO and BeyondTrust Privileged Access Management. When integrated, these solutions give you better control, visibility, and auditing capabilities, helping you drastically eliminate, or at least defang, dangerous threat vectors.

If you’re interested in getting deeper insights on integrating PAM with SSO, check out the joint webinar from BeyondTrust and OneLogin: Dialing up Your Privileged User Strategy Leveraging Single Sign On.

About the Author

Shaun Pressley

Shaun Pressley is a Sr. Solutions Engineer with BeyondTrust, and is based in Dallas, Texas. In his current role, he evangelizes how Privileged Access Management solutions can prevent data breaches and minimize risk across a customer’s environment. With over twenty years of Enterprise Data Center infrastructure experience, he has worked both as a customer, for eight years with Charles Schwab, and as a technical consultant within the IT industry. Shaun has worked with customers in a variety of industries including Global Financial Services, Defense Contractors, Transportation, Retail, HealthCare, Communications and Energy. BeyondTrust gives organizations the visibility and control to reduce risk, achieve compliance objectives, and boost operational performance. We are trusted by 20,000 customers, including half of the Fortune 100, and a global partner network.