An Open Source (Privileged) Access Management Architecture

Author: Roy Samson

This article defines a reference architecture for an integrated (privileged) access management system through describing the following elements in this realm:

  • Security functions;
  • Technical capabilities;
  • Open source software solutions;
  • Open (source) security protocols;
  • Security architecture principles;
  • (Privileged) access management component roles;
  • Security design pattern.

From a function point-of-view the system most provide the following services:

  • Access management services, defined as functionality for providing an access method -such as a gateway- for users to resources;
  • Identification, authentication, authorization, and single sign-on services;
  • Access governance services, defined as functionality for administrating identities, accounts, authorizations, and permissions.

These functionalities translate to the following selection of technical capabilities:

  • A reverse proxy solution;
  • An identity provider solution for identity authentication purpose;
  • A strong authentication solution;
  • Single sign-on solution;
  • A privileged access and account management system;
  • Secure storage of access credentials;
  • An identity and access management solution.

Open source software available for building such a solution, respectively:

Relevant open (source) security protocols in the (privileged) access management realm:

Security architecture principles in the realm of (privileged) access management:

  • Need-to-know;
  • Need-to-use;
  • Segregation-of-duties;
  • Least privilege;
  • Zero-trust.

To illustrate the purposes of the different components in the (privileged) access management realm often the following roles are used:

  • A Policy Enforcement Point (PEP) assures the enforcement of the policy;
  • A Policy Decision Point (PDP) collects information from one or more PIP’s, assesses this based on policy rules, to come to a policy decision;
  • A Policy Information Point (PIP) contains information attributes relevant for a policy decision;
  • A Policy Administration Point (PAP) administrates identities, accounts, authorizations, permissions, and policy rules.

A simple security design pattern in the realm of (privileged) access management looks as follow:

The role of the first PEP in above design patterns is to enforce whether a user is allowed to access a service yes or no. The role of the second PEP in above design patterns is to enforce what a user is allowed within the service.

WordPress Appliance - Powered by TurnKey Linux