Digital sovereignty is a fundamental right for citizens, institutions, and society. That’s why we work every day.

We strive to ensure the sovereignty of companies over actions and privileged information. To this end, we work against data theft through traceability of administrator actions on networks, servers, databases and a multitude of devices. In addition, we pursue compliance with auditing requirements and the most demanding standards, including PCI DSS, Sarbanes-Oxley, ISO 27001 and HIPAA.

What we believe

For senhasegura, protection, access, and confidentiality of privileged information are fundamental rights of any organization and society as a whole.

Our Mission

To help organizations build sovereignty and security over access and privileged information.

Our Vision

To be the best privileged access management solution in the global market.

Why senhasegura

Do as they do. Trust in senhasegura!

Domum
Zero trust access for remote workers and third parties with no need for VPN.

 

What it is

Secure remote access for employees and third parties, providing zero trust-based access to the company’s network without the need for VPN.

Benefits

  • Maximum access segregation based on granularity offered by senhasegura;
  • Instant, easy and secure access for employees and third parties with no need to log in to the PAM platform;
  • No need for VPN or additional configuration for remote users;
  • Operational gain in the management of remote users;
  • All benefits brought by senhasegura’s Privileged Account and Session Management capabilities, such as real-time monitoring, session recording, threat analysis and user behavior.

How it works

Whenever an employee or third party needs access to devices managed by the PAM platform, senhasegura Domum sends the end user a link for the approved access, which allows instant and secure access to the allowed devices.

Features

  • senhasegura’s agentless architecture with no need for additional software or licensing;
  • senhasegura Domum allows access to devices with no need for username/password;
  • Centralized management with intuitive dashboards;
  • All session features such as recording and LiveStream;
  • A unique desktop screen which allows a centralized view of actions performed in the environment;
  • Access restriction based on aspects like geolocation, time or day of the week, and duration;
  • Access workflows with maximum granularity, based on industry-recognized access groups.

Technical Features

  • Agentless and passwordless approach for secure and instant access to managed assets;
  • senhasegura Domum allows access to devices with no need for username/password;
  • senhasegura’s agentless architecture with no need for additional software or licensing.

Certificate Management

 

What it is

Centralized management of the digital certificate lifecycle within the organization, from discovery through automatic scanning of websites, directories and web servers, to automated renewal of the certificate through external or internal Certification Authorities.

Benefits

  • Centralized management of digital certificates, allowing a complete and centralized view of all certificates and their statuses;
  • Reduction of downtime due to expiration of certificates or human errors in the publication process;
  • Automation of the certificate lifecycle management, as well as validations through complete APIs;
  • Increased security level of applications with secure certificates, respecting the organization’s security requirements and policies.

How it works 

Creation, management, and protection of SSL digital certificates on senhasegura’s infrastructure.

Features

  • Discovery of certificates in the network in an automated and recurring way. Certificates found during the Scan Discovery process are read and evaluated, allowing graphical visualization of any risk situation;
  • Use of pre-registered organizations, reducing errors in certificate creation;
  • Full control over the validity dates of the certificates under management, by automatically sending alerts in configurable periods for specific teams;
  • Digital certificate life cycle control, with automatic renewal and publishing of certificates. It is possible to automatically set up periodic renewal, preventing missing expiration dates;
  • Graphical display of the status of all certificates, making it possible to identify, for example, which ones use encryption that does not comply with the organization’s security policies.

Technical Features

  • Integration with the leading Market Certification Authorities to sign certificates within the solution, including those self-signed.

Access Management (PAM)

 

What it is

Centralized access management, with the purpose of protecting and controlling the use of generic and high privilege credentials, providing secure storage, access segregation and full traceability of use.

Benefits

  • Operational gain in the password change process;
  • Guaranteed password delivery in a secure and controlled manner;
  • Transparent authentication on the target system or network device without displaying the password to network administrators or third parties.

How it works

By configuring Access Groups, you can define the administrator users who will have permission to receive a physical access password, and the group of users who can use the remote access offered by the solution to access a target device or system. All cases may follow approval workflows and reasons provided by the requesting user.

Features

  • Secure storage of credentials and passwords;
  • Definition of groups for access segregation based on user profiles;
  • Flexibility in the approval process for access to privileged accounts (pre-approved accesses, accesses with single or multiple approval);
  • Possibility of more than one user requesting access to the same privileged account, without compromising usage traceability;
  • Emergency access for immediate password viewing, with reason request and alert to responsible parties if the approver is unavailable;
  • Dual password custody to ensure more than one presence in the access;
  • Integration with the Help Desk and Change Management tools to validate the reason provided by the requesting user;
  • Passwords change according to predetermined time of use or after consultation;
  • Automated password change on the main technological platforms, such as network, servers, database, web applications, and security equipment.

Technical features

  • Password storage using strong encryption standards (AES 256, SHA 256, RSA 2048 bits or higher and FIPS 140-2), and also using HSM devices;
  • Integration with leading directory services for managing groups and access profiles, and thus controlling credential use.

Session Management (PSM)

 

What it is

Recording and storage of all remote sessions performed through the solution for later viewing.

The recording can be used to prove the change to a database, identify an improper action in a critical system, find the root cause of a problem, or meet audit, inspection or legal demands.

Benefits

  • Traceability of all actions performed by generic and third-party credentials;
  • Less time spent troubleshooting;
  • Isolated evidence repository, encrypted, and protected against removal or alteration.

How it works

senhasegura records a unique hash for each session, and you can specifically identify each user’s activity during access, even if they are using a shared credential.

Features

  • Session recordings in video format, without the need for local agents;
  • Recording of commands typed in RDP and SSH environments;
  • Session reviewed through the solution, or exported to MP4 format;
  • Search for session log by:
    • User;
    • Credential used;
    • Device or system accessed;
    • Typed commands;
    • Metadata;
    • Type of activity;
    • Time interval.
  • Real-time monitoring of sessions in progress and possibility of closing the session remotely.

Technical features

Session recordings and keyboard logs can be enabled:

  • To register actions performed in all sessions through the solution;
  • To register actions performed on a target device, system, or HTTPS page;
  • To register remote access by a user group or device group;
  • In sessions via local client on the user’s workstation (PuTTY or Terminal Service).

senhasegura SaaS

 

Compliance with current standards and regulations (LGPD, GDPR, PCI DSS, ISA 62443, among others) is a challenge for companies of all sizes, especially when time is against us.

senhasegura SaaS is the first Brazilian PAM solution to offer a cloud-native password vault, protecting privileged credentials through management, password rotation, auditing, and monitoring of privileged accounts.

Easily deployed, senhasegura SaaS automatically rotates credentials that administrators use to access critical systems across the organization, thus preventing bad access from negatively impacting your business.

Advantages of deploying a PAM solution such as senhasegura SaaS include:

  • Simplification of privileged access management efforts;
  • Removal of concerns related to upgrades, which are made directly on the cloud;
  • Infrastructure investment becomes unnecessary;
  • Recordings and audits of privileged sessions in accordance with current security rules and regulations;
  • It allows both internal and external users to enter credentials (passwords) in secure access sessions without users knowing or seeing which credentials were used, dramatically reducing the chances of phishing or misuse;
  • It manages access from any privileged account: from local administrators or shared domains to personal admin user accounts;
  • It is ideal for businesses of all sizes.

The senhasegura SaaS version of cloud-based PAM reduces the burden of administrative security management, coupled with rapid system start-up.

Managing privileged access credentials on the cloud, in addition to simplifying the process, enables it to be more cost-effective, making the resource affordable to businesses of all sizes.

Scan Discovery

 

What it is

The Scan Discovery feature surveys the environment and enables automated registration of devices and their respective credentials in the solution. In this way, senhasegura ensures that all credentials and devices are available for use, and that none of them are unknown or outside the privileged access management process.

Benefits

  • Easy device and credential registration during the deployment process;
  • Schedule a periodic assessment of the environment to ensure that new devices and credentials are identified;
  • Independence from the asset inventory process in order to keep the solution current.

How it works

Scan Discovery can be run in any environment, or applied to a specific network segment. You can also define the search plugins that will be used, as well as the types of devices and credentials that will be identified.

The solution can also connect to the network device through its standard protocol (SSH/TELNET, RDP) without the need to install a local agent. Thus, hostname, IP address, credential list, privilege type, and usage log information, such as last access and password change date, are collected.

Features

  • Periodic network scanning by IP range;
  • Automatic identification of privileged accounts in the following environments:
    • Unix;
    • Linux;
    • Windows, on local machines or in Active Directory;
    • Oracle;
    • MS SQL;
    • MySQL.

Technical features

The solution has the ability to identify any type of device connected to your network, including:

  • Servers (Linux/Unix, Windows and VMWare);
  • Database (Oracle, SQL, MySQL);
  • Network devices (Firewall, Routers, Switches, Balancers);
  • Workstations.

Local User Provisioning

 

What it is

Provisioning and revocation of privileged local user access on Windows, Linux and Unix platforms, enabling centralized and automated management of devices that aren’t integrated with directory services.

Benefits

  • Operational gain in the process of creating and revoking local user accesses;
  • Guaranteed revocation of all disconnected user accesses on devices not managed by directory services (AD/LDAP);
  • Secure password delivery, with email sent directly to the provisioned user.

How it works

Provisioning works without installing an agent on the target device. At the time of provisioning, you can define the type of credential being created, register a new home, select the shell that will be used, and send an operation success or failure message to the requester.

Features

  • Provisioning one user on multiple servers or multiple users on the same server;
  • Sending a new password directly to the person responsible for the login via email;
  • Automatic blocking of all logins for a given user upon termination;
  • Comment record in the target device’s password file containing the tool operator’s username and the Service Request;
  • For the device shell, a shell can be chosen from among those installed on the device at the time of user provisioning. A non-existent shell can therefore not be selected, preventing process execution errors.

Technical features

User Provisioning on the following platforms:

  • Main Linux distributions;
  • Unix;
  • Windows;
  • AIX;
  • HP-UX;
  • Tru64.

SSH Key Management

 

What it is

Secure storage, rotation and access control for SSH key protection.

Benefits

  • Blocking unauthorized access to privileged accounts using SSH keys;
  • Control and traceability of SSH key use;
  • Management of trust relationships between SSH keys and systems.

How it works

SSH key management is centralized in the solution, which automatically switches key pairs according to your company’s security policies.

Features

  • Linux server scan and SSH key identification;
  • Connection list structuring between servers;
  • SSH Keys resetting with manual publishing;
  • SSH Keys publishing;
  • Key mapping reports;
  • Report and access logs on the use of SSH keys.

Technical features

Encryption of stored SSH keys and all communication through them.

Application Identity

 

What it is

It’s possible to delete credentials embedded in source code, scripts and configuration files, so that passwords are managed by the solution and invisible to developers and IT support staff.

Benefits

  • Reliable authentication of all password requests through applications;
  • Use of the solution’s connection API for application credential management;
  • Granular access control, providing remote access to a specific service or application without displaying the password to the requesting user.

How it works

The solution uses a proprietary template to change the password for application credentials, storing the new password in encrypted form on its database. The credential can be viewed directly by the solution’s connection API or inserted directly into the application server’s connection pool.

Features

  • Passwords are changed:
    • Automatically in legacy applications;
    • In HTTP, HTTPS and Social Network applications;
    • In a synchronized manner for credentials used in the integration between the database and the application;
    • In a connection pool.
  • Interface for remote access to applications with session recording;
  • Templates for application password change in open and auditable format.

Technical features

  • Password change of credentials on Application Servers (JBoss, GlassFish, WebLogic and others);
  • Access limitation through IP, Path and Token API queries;
  • Integration support for RESTful APIs;
  • Java component integrated with the vault and password cache to prevent unavailability.

Behavior Analysis

 

What it is

Even when privileged access is inherent to the user’s role, some critical stages in access management include detection, alert and response to activities performed by this kind of credential.

Benefits

  • Privilege Abuse Restriction;
  • Control over administrative user actions;
  • Quick detection of attacks and compromised accounts;
  • Automatic response to suspected credential theft.

How it works

The solution has a self-learning mechanism to identify and respond to any changes in user behavior patterns and access profiles.

Features

  • User session analysis based on behavioral history;
  • Identification of suspicious accesses or queries by a series of criteria:
    • Excessive number;
    • Unusual time;
    • Unknown origin;
    • Atypical duration.
  • Identification of unusual behaviors with abnormality alerts for SIEM/SYSLOG;
  • Algorithms developed by senhasegura are continuously adjusted to user behavior;
  • Detailed dashboards provide visual representation of incidents and threats, allowing for quick action by the security team.

Technical features

The solution runs an analysis of the following variables:

  • Workstation of origin;
  • Target system;
  • Credentials used;
  • Denied access attempts;
  • Time and length of session;
  • Attempt to execute blocked commands;
  • Execution of monitored commands.

Threat Analysis

 

What it is

A solution dedicated to environment monitoring in order to detect and send real-time alerts of any suspicious action performed with privileged credentials, allowing the security team to prevent an ongoing attack.

Benefits

  • Reduced response time to attacks;
  • Automatic blocking of stolen privileged credentials;
  • Visibility of threats associated with privileged accounts;
  • Access to all information associated with the incident.

How it works

A list of suspicious commands and behaviors in the environment is classified according to the level of risk. Whenever risks are identified, alerts are issued and consolidated on a graphic dashboard. The information security team can therefore take immediate action if necessary.

Features

  • Graphic dashboards with risk and threat information;
  • Alerts with detailed information about the occurrence of suspicious activity;
  • Analysis of user sessions with record of abnormality in reports;
  • Audit, command alert and blocking, even for privileged users;
  • Recording of command input and output logs;
  • Command scoring according to the level of risk of each command;
  • Identification of lateral movement and privilege escalation;
  • Sending suspicious activity alerts to SIEM/SYSLOG.

Technical features

  • Self-learning of operating machine history and user behavior to identify any change that represents a threat;
  • Scoring, monitoring, alerting and command blocking based on whitelist and blacklist;
  • Automatic response for detection of threats without human intervention.

Privileged Information Protection

 

What it is

Storage of personal information, such as personal passwords and digital certificates.

Benefits

  • Automated control of privileged information;
  • Use of digital certificates for access to systems and services;
  • Automated authentication using personal access credentials.

How it works

The solution manages the entire life cycle of stored information, such as when a digital certificate is close to expiring.

Features

  • Digital certificates storage;
  • Personal passwords storage;
  • Alert on stored information expiration;
  • User-friendly information search screen;
  • Privileged information change and use logs;
  • Permission to share information with other users.

Technical features

Support for ICP-Brasil validated digital certificates.

Hardcoded passwords

 

The world has been dealing with commercial computing for over half a century, but it still makes the same mistakes. One of them is the use of hardcoded passwords on systems and devices connected to the corporate network, making the company data an easy target for malicious attackers.

senhasegura allows for easy removal of hardcoded passwords and credentials from data sources through scripts, application codes, configuration files and SSH keys, via servers. The password vault connects to the main servers and synchronizes password change with the database. The application, therefore, does not lose connection.

The built-in application can access the senhasegura API at any time and receive the updated password for the resource to be accessed. In this way, this critical data will be inaccessible to all intruders and malicious users.

Password Reset

 

A password-free environment is still just a concept far from reality, despite being discussed for a long time. For now, the world is stuck with usernames and passwords, and no matter how secure the authentication solution may be, those credentials will not be phased out overnight.

Currently, a more secure approach for using passwords is when a password can only be used once. Single-use passwords protect users from credential theft. Unlike static ones, which don’t change, using passwords only once makes systems resistant to attack.

Once entered in senhasegura, passwords are managed by the solution’s password vault. This means that the vault can change the password at any time. These changes can occur in the following ways:

  • Determined by the institution’s password policies (automatic): based on the company’s password policies registered in the system, the vault changes keys automatically and periodically, facilitating the task of the information security team;
  • Determined by password exposure (automatic): When a user is authorized to view a password stored by the vault, the password can be used for a set period of time in the system. When this time is over, the vault will immediately change the password so that the credential returns to the vault custody;
  • Requested by an administrator user: a user with administrator privileges in the vault can schedule a password change for some or all devices registered in the vault at any time.

Learn about all the benefits of protecting your information with senhasegura

Ensuring your company’s digital security does not need to be a concern when you apply the right solution. Our products serve to ensure the smooth operation of your company’s critical system.
