Hi there,
I would like to have PAM credentials added automatically after they have been found during a scan.
This will save time for larger deployments.
Cheers
Sebastian
Hi Sebastian, if I look at this and your other posts, you seem to be doing the same type of work as I am, so I'm quite interested in what you may have and want.
To see if that would also apply to us and we could also use it.
But you keep on asking in this and other posts about 'PAM' credentials, and I wonder what you mean by that, exactly, technically, and how this would translate into RDM objects (like credential types?).
Because as we use it, PAM is privileged access management, in combination with tiering, meaning we have different AD accounts and passwords for each tier. So in that respect I would translate PAM credential as a "simple" Username & password type of credential that is already present in RDM. Or refer to credentials stored in our password manager (CyberArk in our case) making them CyberArk credential types.
Or maybe I'm completely off and you are referring to Devolutions Password Server (does that have PAM credentials?). In that case I can't compare that to our situation, since we don't use the Password Server.
I also wonder what type of scan you're referring to, like running a scan in AD on a specific OU to see if there are new accounts? Or another scan?
Regards, Ben
Hello Ben,
Sebastian's question is regarding the PAM feature of Devolutions Password Server.
When you combine RDM and DPS, you obtain the possibility to use privileged accounts directly in RDM. So users could ask for approval, add a reason or not and then DPS will manage the password rotation automatically with AD, SSH or SQL integration.
If you would like to read a bit about our features, you can review the blog https://blog.devolutions.net/2019/05/update-devolutions-pam-platform-for-smbs or please have a look at our video.
Overview of Devolutions Password Server - Privileged Access Management Solution for SMBs
https://youtu.be/Or01zeiaBOI
[Tutorial] Privileged Access Management with Devolutions Password Server
https://www.youtube.com/watch?v=zxdZHAqv-rw
Regards,
David Grandolfo
Hello,
The focus of our 2020.3 release (planned for October) is to make onboarding new customers better, as well as to reduce the operations that are needed to handle discovery of accounts.
If you are familiar with RDM's Active Directory Synchronizer, you will see that we already have experience in handling many different scenarios (account moved, account deleted, etc.), but we need to really think this through as it pertains to Privileged Accounts that are highly sensitive by nature. At the very least, we had planned on showing an alert and highlighting the changes that we had detected.
Now is the time if you have suggestions.
@Ben05, for those in our Community that need a PAM, I would expect that most passwords would disappear from your entries in the treeview; they would rather all get them from the PAM. The side effect is that Privileged Accounts are NOT available offline. It's a totally different space which is more in line with CyberSecurity than connection management. For us it means balancing security and usability and keeping RDM/DPS customizable to match most organizations' maturity level in regards to security.
Maurice
Hi Ben,
I think Devolutions categorizes PAM as a credential in a Password Server Vault for which the password can automatically be managed by a service account. (Devolutions guys, please correct me if I'm wrong ;)). RDM does not support automatic password resets as far as I know - but I'm not an RDM expert by any means. We're currently using another product as a password manager which can be integrated into RDM. It would be great however to have the features of this product integrated into Password Server so I can have the whole solution (RDM and Password Server with PAM) from a single vendor ;)
As for the scan, yes, I do refer to an AD scan. This is already possible with Password Server, but I would like to automatically have new PAM credentials added to the Vault or folder of my choosing. Maybe also create a new vault based on AD properties of that credential.
Cheers
Sebastian