Solution_overview - sandersdHES/PAMEmergingTech GitHub Wiki

3. Solution Overview

3.1 ManageEngine PAM360

This project uses ManageEngine PAM360 as the core platform to demonstrate privileged access management in a cloud-based lab environment.

ManageEngine is the enterprise IT management division of Zoho Corporation, a privately held, multinational technology company founded in 1996 by Sridhar Vembu and Tony Thomas. Headquartered in Chennai, India, with a global presence including offices in the United States, Zoho specializes in developing software solutions for businesses of all sizes. ManageEngine focuses on providing comprehensive IT management tools, serving companies in 190 countries.

A member of our group secured a license for ManageEngine PAM360, prompting us to select this solution for our Proof of Concept (PoC). According to Gartner, ManageEngine is recognized as a Challenger in the 2024 Magic Quadrant™ for Privileged Access Management, highlighting its viability for our PoC.

ManageEngine named a Challenger in the 2024 Gartner® Magic Quadrant™ for Privileged Access Management | ManageEngine PAM360

Upon installation, PAM360 is described as:

"A web-based privileged access management (PAM) solution that helps enterprises regulate access to critical IT assets and mitigate risks of privilege misuse and insider threats. Through powerful privileged access governance, smoother workflow automation, advanced analytics, and contextual integrations with various IT services, PAM360 enables enterprises to bring different avenues of their IT management system together, facilitating holistic privileged access security, meaningful inferences, and quicker remedies."

Standout features for us

  • Unified PAM Platform: Combines credential management, session management, key/certificate management, and compliance reporting in one platform.
  • DevOps and RPA Integration: Native CI/CD credential management and support for RPA bots, offering deep automation compatibility.
  • Comprehensive Certificate Management: Full lifecycle SSL/TLS certificate management with CA integrations.
  • Automated Compliance Reporting: Out-of-the-box templates for major standards (ISO 27001, GDPR, PCI DSS, NERC-CIP) facilitate regulatory alignment.
  • Session Collaboration: Real-time session collaboration and termination capabilities enhance control over active privileged sessions.
  • Integrated Discovery: Automated discovery for SSH keys, certificates, and privileged accounts ensures full visibility.
  • Ease of Deployment: User-friendly interface and quick setup make it suitable for teams with limited IT resources.

3.2 Open Source Alternative - JumpServer

We also evaluated JumpServer, an open-source alternative, during the initial research phase. We wanted an open-source PAM tool that is free to use, and JumpServer was the closest match we found.

JumpServer, developed by Fit2Cloud, is an alternative to CyberArk, one of the leaders in the market. It runs on a Linux server and is then accessed through a web browser.

Here are some features offered by this tool:

  • Multi-Protocol Support
    • SSH, RDP, VNC, Telnet: Facilitates secure connections to various systems.
    • Kubernetes, SFTP, Databases: Supports access to container environments and databases.
    • RemoteApp & Web Applications: Enables access to web-based applications without additional plugins.
  • Web-Based Access
    • Provides a browser-based interface, eliminating the need for client installations.
    • Supports session recording, command auditing, and real-time monitoring.
  • Authentication & Authorization
    • Integration with AD/LDAP: Allows centralized user management.
    • Two-Factor Authentication (2FA): Enhances security using TOTP (e.g., Google Authenticator).
    • Role-Based Access Control (RBAC): Defines user permissions based on roles.
  • Session Management & Auditing
    • Records sessions for SSH, RDP, and database access.
    • Monitors user activities, including keystrokes and commands executed.
    • Provides detailed audit logs for compliance and analysis.
  • Asset Management
    • Supports high-availability (HA) cluster deployments.
    • Allows geo-distributed installations and cloud deployments.
    • Integrates with external storage solutions like S3, Ceph, and Azure for storing session recordings.

JumpServer offers two main editions:

  • Community Edition
    • License: Free and open-source.
    • Users: Unlimited.
    • Target Systems: Supports up to 5,000.
    • Features: Includes core PAM functionalities suitable for small to medium-sized organizations.
  • Enterprise Edition
    • License: Paid, based on the number of target systems.
    • Users: Unlimited.
    • Target Systems: Options for 50, 500, 5,000, or unlimited.
    • Features: Offers advanced features like asset synchronization, account backup, password change scheduler, and ticket management.

Although JumpServer offers multi-protocol support, session auditing, and 2FA, we chose PAM360 for the PoC due to its more complete enterprise features, polished user interface, and the fact that a group member secured a license.

Sources