Authentication and Authorization
Authentication and authorization are core components of the SecretZero PAM solution, ensuring secure and controlled access to critical IT systems.
1. Authentication
Authentication into the SecretZero Appliance
The SecretZero Appliance supports two authentication methods for users accessing the appliance:
- Password-based Authentication:
- Users can log in using a secure username and password combination.
- Passwords are securely managed and adhere to the organization’s password policies.
- Typically used for administrators and users who do not require Single Sign-On (SSO).
- Single Sign-On (SSO) via SAML:
- SAML-based SSO enables seamless integration with existing Identity Providers (IdPs), such as Okta, Azure AD, or Google Workspace.
- Users can authenticate to the appliance using their corporate credentials without managing additional passwords.
- Benefits:
- Centralized user management.
- Simplified user experience.
- Improved security through the organization's existing authentication mechanisms.
Authentication from Connector Server to Target Systems
Linux Systems: Using OpenSSH Certificates
- Ephemeral Certificates:
- The appliance generates ephemeral SSH certificates for each session request, ensuring short-lived, secure access.
- Trust Establishment:
- The public key (securitaas.pub) is distributed and pre-trusted on all target Linux systems.
- This allows seamless authentication without static keys or passwords.
- Secure Storage:
- The private key remains securely stored within the SecretZero Appliance and is never exposed to the end user.
- Each certificate is automatically invalidated after the session ends, ensuring zero residual access.
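The ephemeral-certificate flow above rests on two properties of OpenSSH certificates: the target host trusts only the CA key (securitaas.pub) and sshd accepts a certificate only for a listed principal inside its validity window, so a short window is what makes the access self-revoking. The following added example (not SecretZero code) encodes and decodes the OpenSSH ed25519 user-certificate wire format and applies the same acceptance checks sshd performs. The CA key, user key and signature bytes are constructed placeholders; the signature itself is not verified here, sshd does that against the key listed in its TrustedUserCAKeys file.

```python
"""Added example (not SecretZero code): encode and decode the OpenSSH
ed25519 user-certificate wire format (PROTOCOL.certkeys) and evaluate the
validity window the way sshd does. Keys and signature are constructed
placeholders; the signature is not verified in this example."""
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
SSH_CERT_TYPE_USER = 1  # 2 would be a host certificate


def _string(b: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def encode_user_cert(user_pub, serial, key_id, principals,
                     valid_after, valid_before, ca_pub, signature):
    """Serialize the certificate fields in wire order (no base64 wrapper)."""
    principal_blob = b"".join(_string(p.encode()) for p in principals)
    body = (_string(CERT_TYPE)
            + _string(b"\x00" * 32)         # nonce (placeholder; a real CA uses random bytes)
            + _string(user_pub)             # the user's ed25519 public key (32 bytes)
            + struct.pack(">Q", serial)
            + struct.pack(">I", SSH_CERT_TYPE_USER)
            + _string(key_id.encode())      # free-form id, appears in sshd logs
            + _string(principal_blob)       # account names the cert may log in as
            + struct.pack(">Q", valid_after)
            + struct.pack(">Q", valid_before)
            + _string(b"")                  # critical options (none)
            + _string(b"")                  # extensions (none)
            + _string(b"")                  # reserved
            + _string(ca_pub))              # signature key = CA public key blob
    return body + _string(signature)


class _Reader:
    """Sequential reader over the wire format."""

    def __init__(self, data):
        self.data, self.off = data, 0

    def string(self):
        (n,) = struct.unpack_from(">I", self.data, self.off)
        self.off += 4
        val = self.data[self.off:self.off + n]
        self.off += n
        return val

    def u32(self):
        (v,) = struct.unpack_from(">I", self.data, self.off)
        self.off += 4
        return v

    def u64(self):
        (v,) = struct.unpack_from(">Q", self.data, self.off)
        self.off += 8
        return v


def decode_user_cert(blob):
    """Parse the fields a relying party cares about into a dict."""
    r = _Reader(blob)
    if r.string() != CERT_TYPE:
        raise ValueError("not an ed25519 certificate")
    r.string()                      # nonce
    user_pub = r.string()
    serial = r.u64()
    cert_type = r.u32()
    key_id = r.string().decode()
    pr = _Reader(r.string())        # principals are a nested list of strings
    principals = []
    while pr.off < len(pr.data):
        principals.append(pr.string().decode())
    valid_after = r.u64()
    valid_before = r.u64()
    r.string()                      # critical options
    r.string()                      # extensions
    r.string()                      # reserved
    ca_pub = r.string()
    signature = r.string()
    return {"serial": serial, "type": cert_type, "key_id": key_id,
            "principals": principals, "valid_after": valid_after,
            "valid_before": valid_before, "ca_pub": ca_pub,
            "user_pub": user_pub, "signature": signature}


def login_allowed(cert, login_name, now, trusted_ca_pubs):
    """Mirror sshd's acceptance rules: CA must be trusted, cert must be a user
    cert, the login name must be a listed principal, and
    valid_after <= now < valid_before. Expiry is what removes access."""
    return (cert["ca_pub"] in trusted_ca_pubs
            and cert["type"] == SSH_CERT_TYPE_USER
            and login_name in cert["principals"]
            and cert["valid_after"] <= now < cert["valid_before"])


if __name__ == "__main__":
    ca = b"\x01" * 32   # constructed stand-in for the key in securitaas.pub
    blob = encode_user_cert(b"\x02" * 32, 7, "session-42 john.doe", ["john.doe"],
                            1_700_000_000, 1_700_000_300, ca, b"\x00" * 64)
    cert = decode_user_cert(blob)
    print(cert["principals"], cert["valid_before"] - cert["valid_after"], "second window")
    print(login_allowed(cert, "john.doe", 1_700_000_010, {ca}))   # True
    print(login_allowed(cert, "john.doe", 1_700_000_400, {ca}))   # False: expired
```

The five-minute window in the sample is what `ssh-keygen -s <ca> -V +5m` would produce; on the target, `ssh-keygen -L -f <cert>` shows the same principals and validity fields this decoder extracts, which is a quick way to confirm a session certificate really is short-lived.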
Windows Systems: Using Smart Cards
- Virtual Smart Card Enrollment:
- The SecretZero solution uses the S0 Agent to enroll a virtual smart card on the user's desktop. This is a one-time setup.
- The smart card integrates seamlessly with the Windows security framework.
- On-demand Certificate Enrollment:
- Each time a session to a Windows target system is requested, the appliance generates a short-lived certificate.
- The certificate is enrolled into the virtual smart card, enabling secure authentication to the target Windows system.
- This ensures compliance with zero-trust principles and eliminates the need for static credentials.
- Benefits:
- Secure, certificate-based authentication.
- Zero residual access after the session ends.
2. Authorization
Authorization for Linux Systems
- LDAP-based Sudo Authorization:
- The SecretZero Appliance integrates with its built-in LDAP server to manage sudo access on Linux systems.
- Users log in under their own accounts (e.g., john.doe) and can elevate privileges (e.g., to root or other privileged accounts) using sudo.
- Authorization is provisioned just in time (JIT) in LDAP and automatically removed when access is no longer required.
- This approach provides both authentication and authorization services, ensuring secure and auditable privileged access.
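JIT sudo over LDAP works because sudo's LDAP backend evaluates sudoRole entries at request time, and the sudoers LDAP schema carries sudoNotBefore/sudoNotAfter attributes that bound an entry's lifetime. The following added example (not SecretZero code) builds one per-session sudoRole entry for a user, emits it as LDIF, evaluates requests against it the way a sudo-ldap client would, and lists entries that have expired and are due for removal. The base DN, host names and times are constructed; group (%) and netgroup (+) forms of sudoUser are not handled, and a run-as user must be listed explicitly.

```python
"""Added example (not SecretZero code): just-in-time sudoRole entries for
the sudoers LDAP schema (sudoers.ldap(5)), with evaluation and clean-up.
Base DN, host names and times below are constructed."""
from datetime import datetime, timedelta, timezone

BASE_DN = "ou=SUDOers,dc=example,dc=com"   # constructed


def _gentime(dt):
    """LDAP GeneralizedTime as used by sudoNotBefore / sudoNotAfter."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def _parse_gentime(s):
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def build_jit_sudo_role(user, host, run_as, start, ttl):
    """One sudoRole per session: one user, one host, one run-as target,
    valid only inside [start, start + ttl]."""
    return {
        "cn": f"jit-{user}-{host}-{int(start.timestamp())}",
        "objectClass": ["top", "sudoRole"],
        "sudoUser": [user],
        "sudoHost": [host],
        "sudoRunAsUser": [run_as],
        "sudoCommand": ["ALL"],
        "sudoNotBefore": [_gentime(start)],
        "sudoNotAfter": [_gentime(start + ttl)],
        "sudoOrder": ["10"],
    }


def to_ldif(role):
    """Render the entry as LDIF for an ldapadd-style provisioning step."""
    lines = [f"dn: cn={role['cn']},{BASE_DN}"]
    for attr, values in role.items():
        for v in (values if isinstance(values, list) else [values]):
            lines.append(f"{attr}: {v}")
    return "\n".join(lines) + "\n"


def sudo_permitted(roles, user, host, run_as, now):
    """Simplified sudo-ldap matching: user and host must match (or be ALL),
    run-as must be listed, and the entry must be inside its time window.
    Out-of-window entries are ignored even before the clean-up job
    deletes them, so a missed deletion does not leave access behind."""
    for r in roles:
        if user not in r["sudoUser"] and "ALL" not in r["sudoUser"]:
            continue
        if host not in r["sudoHost"] and "ALL" not in r["sudoHost"]:
            continue
        run_as_allowed = r.get("sudoRunAsUser", [])
        if run_as not in run_as_allowed and "ALL" not in run_as_allowed:
            continue
        not_before = r.get("sudoNotBefore")
        not_after = r.get("sudoNotAfter")
        if not_before and now < _parse_gentime(not_before[0]):
            continue
        if not_after and now > _parse_gentime(not_after[0]):
            continue
        return True
    return False


def expired_roles(roles, now):
    """cn values the JIT clean-up job should delete from LDAP."""
    return [r["cn"] for r in roles
            if "sudoNotAfter" in r and now > _parse_gentime(r["sudoNotAfter"][0])]


if __name__ == "__main__":
    start = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)   # constructed
    role = build_jit_sudo_role("john.doe", "db01", "root", start, timedelta(minutes=30))
    print(to_ldif(role))
    print(sudo_permitted([role], "john.doe", "db01", "root", start + timedelta(minutes=5)))   # True
    print(sudo_permitted([role], "john.doe", "db01", "root", start + timedelta(minutes=31)))  # False
    print(expired_roles([role], start + timedelta(minutes=31)))
```

Because every entry is scoped to one user, one host and one run-as account, a provisioning bug that leaves an entry behind grants nothing beyond that original session's scope, and the time bounds cap even that; the clean-up job then only has to look for entries whose sudoNotAfter is in the past.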
Authorization for Windows Systems
- Group-based Authorization:
- For Windows systems, SecretZero dynamically adds users to specific local groups (e.g., Administrators) based on their access requirements.
- This is managed through the SecretZero Connectors and ensures that users gain access only to the resources they are authorized for.
- Access is provisioned JIT and removed as soon as the session ends.
- Flexibility:
- Organizations can define custom groups for specific tasks or roles, ensuring granular control over privileged access.
Summary
The SecretZero PAM solution combines robust authentication and authorization mechanisms to ensure secure access to both Linux and Windows systems. By leveraging ephemeral certificates, SAML-based SSO, LDAP sudo, and group-based authorization, SecretZero ensures compliance with zero-trust principles and provides a flexible, scalable, and secure PAM solution tailored to organizational needs.