
Beyond Features: The Non-Functional Foundations of Modern PAM

One of the challenges in designing, architecting, building, implementing and maintaining modern Privileged Access Management (PAM) software is the sensitive, delicate and critical nature of the assets it protects. As a result, the non-functional capabilities such as availability, recovery, encryption, data sovereignty, monitoring, enterprise identity, adoption and overall security practices are just as important as core functional features such as brokering access, approval workflows or credential rotation.

This article explores the non-functional features and architectural design decisions behind 12Port PAM Server.

Availability

PAM Vault stores the passwords and keys to critical network assets. To make the deployment resistant to hardware and software failures of the PAM server host and network, the application offers two alternative deployment options.

High Availability Deployment introduces an active backup to the 12Port server farm: all nodes share one database, and when one of the nodes malfunctions the load balancer directs traffic to another node.

As an alternative, Disaster Recovery Deployment introduces a passive backup. The two nodes in a DR deployment operate on two different databases set up with periodic passive replication. When the main node malfunctions, the load balancer temporarily switches traffic to the DR node. Because replication is periodic, the DR node can lag the primary by up to one replication interval, so a credential rotated just before the failure may not yet be present on the DR node; the replication interval should be chosen with that in mind.

Recovery

In situations where the PAM server is completely unavailable, the application allows users to retrieve sensitive data from tenant backup files, even when the server is offline, the tenant database or web interface is inaccessible, or the original deployment no longer exists. This type of emergency data retrieval is commonly referred to as "break glass".

Data Protection

PAM Vault stores the passwords and keys to critical network assets in the backend database inside the perimeter of the PAM server farm. The application architecture ensures that secret data does not leave the perimeter of the PAM server farm, even in encrypted form, unless it is specifically requested by the user.

A user request to reveal a secret is subject to role-based access with field-level permissions, to a multi-level workflow approval process, and to time and location restrictions, and it is logged in the system event log.

No other operation, such as brokering session access to a remote endpoint, rotating credentials or editing an asset, results in releasing the secret to the client. As a result, a typical user accessing remote endpoints never transfers the secret to the client workstation. While system owners can request the secret, doing so is not necessary for most activities, and the action is both protected and logged.

Encryption

The application encrypts the following: secured fields in assets and asset history (field-level encryption); sensitive data (passwords, keys, secrets) in integration configurations; the truststore password; the keystore password; the TOTP secret key; the signing key for web and REST API authentication; and the master key used to encrypt all other tenant data.

Data is encrypted with AES using a uniquely generated secret key. Keys are derived with the PBKDF2 key derivation function using HMAC-SHA512 and 65536 iterations, implemented by the FIPS 140-3 certified Bouncy Castle library.
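The construction described above, shown as an added Python example that is not 12Port's code (12Port uses Bouncy Castle from Java; here Python's standard hashlib provides PBKDF2-HMAC-SHA512 and the third-party cryptography package provides AES). The 65536-iteration PBKDF2-HMAC-SHA512 derivation is taken from the article; the use of AES-256-GCM, the per-field data key wrapped under the master key, and the record/field context bound into the authentication tag are this example's own choices, not documented details of the product:

```python
import os
import hashlib
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

PBKDF2_ITERATIONS = 65536   # iteration count stated in the article
KEY_LEN = 32                # 256-bit AES key
NONCE_LEN = 12              # standard GCM nonce size; never reused with the same key


def derive_master_key(passphrase: str, salt: bytes) -> bytes:
    """Derive the tenant master key with PBKDF2-HMAC-SHA512 (65536 iterations).

    The salt is assumed to be random, stored next to the tenant data and at
    least 16 bytes long; a fixed or short salt invites precomputation attacks.
    """
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 random bytes")
    return hashlib.pbkdf2_hmac("sha512", passphrase.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=KEY_LEN)


def _seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """AES-256-GCM encrypt; the fresh nonce is prefixed to ciphertext+tag."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, aad)


def _open(key: bytes, blob: bytes, aad: bytes) -> bytes:
    """AES-256-GCM decrypt; raises InvalidTag if data, tag or AAD were altered."""
    return AESGCM(key).decrypt(blob[:NONCE_LEN], blob[NONCE_LEN:], aad)


def _context(tenant_id: str, asset_id: str, field: str) -> bytes:
    # Authenticated (not encrypted) context binds a ciphertext to one record
    # and field, so an encrypted value cannot be copied into another asset.
    return f"{tenant_id}|{asset_id}|{field}".encode("utf-8")


def encrypt_secret_field(master_key: bytes, tenant_id: str, asset_id: str,
                         field: str, value: str) -> dict:
    """Encrypt one secured field under a freshly generated data key.

    The stored record holds the data key wrapped by the master key plus the
    field value encrypted by the data key; the master key itself is derived
    on demand and never written to the database in the clear.
    """
    data_key = AESGCM.generate_key(bit_length=256)   # "uniquely generated" key
    aad = _context(tenant_id, asset_id, field)
    return {
        "wrapped_key": _seal(master_key, data_key, aad),
        "ciphertext": _seal(data_key, value.encode("utf-8"), aad),
    }


def decrypt_secret_field(master_key: bytes, tenant_id: str, asset_id: str,
                         field: str, record: dict) -> str:
    """Unwrap the data key and decrypt the field; the same context is required."""
    aad = _context(tenant_id, asset_id, field)
    data_key = _open(master_key, record["wrapped_key"], aad)
    return _open(data_key, record["ciphertext"], aad).decode("utf-8")


def tamper_detected(master_key: bytes, tenant_id: str, asset_id: str,
                    field: str, record: dict) -> bool:
    """True when authentication fails: moved record, wrong key or edited bytes."""
    try:
        decrypt_secret_field(master_key, tenant_id, asset_id, field, record)
        return False
    except InvalidTag:
        return True


if __name__ == "__main__":
    salt = os.urandom(16)
    mk = derive_master_key("operator-passphrase", salt)   # constructed input
    rec = encrypt_secret_field(mk, "tenant-a", "asset-db01", "password", "S3cr3t!")
    print(decrypt_secret_field(mk, "tenant-a", "asset-db01", "password", rec))
    # The same ciphertext copied onto another asset fails authentication:
    print(tamper_detected(mk, "tenant-a", "asset-db02", "password", rec))
```

Two practitioner checks follow from this layout. First, the iteration count only matters when the PBKDF2 input is a human-chosen passphrase; if the master key is a randomly generated high-entropy value, the derivation adds little and the protection of that value (keystore, HSM or OS key store) is what counts. Second, binding the tenant, asset and field name into the GCM associated data is what turns "encrypted at rest" into "cannot be silently moved or swapped", which is the property a field-level scheme should be tested for.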

Data Sovereignty

12Port is client-hosted software deployed in a location chosen by the client, which allows it to comply with data sovereignty requirements.

To simplify deployment and maintenance, the 12Port server can be deployed on-premises or in cloud networks, on Windows or Linux hosts, with several commercial, free or open-source backend databases (Oracle RDBMS, MS SQL Server, MySQL, MariaDB or PostgreSQL), in addition to the embedded database available for single-node deployments.

Enterprise Identity

From a user identity standpoint, PAM maps individual accounts to privileged access. Typical questions PAM answers for a security audit are who can access sensitive data, or who was using the root account last weekend. To support this, PAM should integrate with the existing user directories so that the personal accounts tied to the identities of company employees and contractors are used.

12Port PAM provides out-of-the-box integration with Microsoft Active Directory, eDirectory and OpenLDAP-compatible user directories, and also with Microsoft Entra ID.

These options enable straightforward identification of individuals for permission and auditing purposes, instead of maintaining another set of artificial shared or shadow accounts for privileged access.

SSO

User authentication in a large enterprise is a complex function usually delegated to specialized software called an Identity Provider (IdP). Authentication might involve a sophisticated login process with time- or location-based MFA rules following organizational policy.

12Port includes an out-of-the-box Single Sign-On (SSO) option for integrating with third-party Identity Providers to delegate authentication to the central authority.

This brings strong, centralized authentication enforcement, separating the function of SSO, which answers who you are, from that of PAM, which controls what you can do, where, and for how long.

RBAC

Role-Based Access Control (RBAC) is the authorization backbone of Privileged Access Management. It defines who can request, approve, access, and operate privileged resources—consistently and at scale.

12Port PAM includes a granular RBAC permissions mechanism that defines the access level for assets, with permissions inheritable through the container hierarchy.

12Port PAM also includes site-level permissions and roles that grant configuration, management and auditing permissions for the various areas of site control and monitoring.

12Port PAM allows role-based access to be granted to individual users or to groups of users managed by an integrated user directory such as MS Active Directory or Entra ID. In addition, 12Port PAM allows roles and permissions to be granted to generic local groups that are mapped to identities (users or groups) from the integrated user directories.
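An added Python example (not 12Port's code) of the authorization model described in this section together with the time and location restrictions mentioned under Data Protection: permissions granted on containers flow down the hierarchy unless a container opts out of inheritance, grants can target a directory user, a directory group or a local group mapped to directory identities, and a grant may carry a weekday/hour window and a source-network restriction. The permission names (view, connect, unlock, edit), the "inherit" flag, the union-of-grants semantics and the demo identities are assumptions made for the example, not documented product behaviour:

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, time

# Permission identifiers assumed for the example; "unlock" stands for the
# field-level right to reveal a secret, "connect" for brokered session access.
VIEW, CONNECT, UNLOCK, EDIT = "view", "connect", "unlock", "edit"


@dataclass
class Grant:
    principal: str                  # "user:alice", "adgroup:DBA" or "local:vault-admins"
    permissions: frozenset
    weekdays: frozenset = frozenset(range(7))   # 0 = Monday .. 6 = Sunday
    start: time = time(0, 0)
    end: time = time(23, 59, 59)
    networks: tuple = ()            # empty = any source; else CIDR strings

    def applies(self, when: datetime, source_ip: str) -> bool:
        in_hours = when.weekday() in self.weekdays and self.start <= when.time() <= self.end
        in_net = not self.networks or any(
            ipaddress.ip_address(source_ip) in ipaddress.ip_network(n) for n in self.networks)
        return in_hours and in_net


@dataclass
class Container:
    name: str
    parent: "Container | None" = None
    inherit: bool = True            # False stops grants flowing in from ancestors
    grants: list = field(default_factory=list)


@dataclass
class Directory:
    """The identities an integrated directory exposes, plus local group mappings."""
    user_groups: dict               # user -> set of directory group names
    local_groups: dict              # local group -> set of mapped "user:.."/"adgroup:.." ids

    def principals(self, user: str) -> set:
        ids = {f"user:{user}"} | {f"adgroup:{g}" for g in self.user_groups.get(user, set())}
        for local, members in self.local_groups.items():
            if ids & members:       # local group resolves through a mapped directory identity
                ids.add(f"local:{local}")
        return ids


def effective_permissions(directory, user, container, when, source_ip="10.0.0.5") -> frozenset:
    """Union of applicable grants from the container up to the nearest non-inheriting ancestor."""
    ids, perms, node = directory.principals(user), set(), container
    while node is not None:
        for g in node.grants:
            if g.principal in ids and g.applies(when, source_ip):
                perms |= g.permissions
        if not node.inherit:
            break
        node = node.parent
    return frozenset(perms)


def can(directory, user, container, permission, when, source_ip="10.0.0.5") -> bool:
    return permission in effective_permissions(directory, user, container, when, source_ip)


# Constructed demo data: a small hierarchy, three identities and three grants.
TUESDAY_10AM = datetime(2024, 5, 7, 10, 0)
TUESDAY_6PM = datetime(2024, 5, 7, 18, 30)
SUNDAY_10AM = datetime(2024, 5, 12, 10, 0)


def build_demo():
    root = Container("/")
    prod = Container("Prod", root)
    prod_db = Container("Prod/DB", prod)
    sandbox = Container("Sandbox", root, inherit=False)
    root.grants.append(Grant("local:vault-admins", frozenset({VIEW, CONNECT, UNLOCK, EDIT})))
    prod_db.grants.append(Grant("adgroup:DBA", frozenset({VIEW, CONNECT})))
    prod_db.grants.append(Grant("user:carol", frozenset({CONNECT}), weekdays=frozenset(range(5)),
                                start=time(9, 0), end=time(17, 0), networks=("10.20.0.0/16",)))
    directory = Directory(
        user_groups={"alice": {"PAM-Owners"}, "bob": {"DBA"}, "carol": set()},
        local_groups={"vault-admins": {"adgroup:PAM-Owners"}},
    )
    return directory, {"root": root, "prod_db": prod_db, "sandbox": sandbox}


if __name__ == "__main__":
    d, c = build_demo()
    for user in ("alice", "bob", "carol"):
        print(user, sorted(effective_permissions(d, user, c["prod_db"], TUESDAY_10AM, "10.20.1.9")))
```

The check worth running against any PAM deployment is the last case in the demo: a container that breaks inheritance must hide assets even from a user who holds full rights at the root, and a contractor's grant must stop applying outside its hours and source network, with the denial showing up as the absence of the permission rather than as an error.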

Operational Visibility

Syslog/SIEM integration turns PAM from an access control system into a continuous security signal. It ensures every privileged action is monitored, correlated, and acted on in real time. SIEM integration enables centralized visibility, real-time threat detection, accountability & forensics, compliance & audit readiness, alerting & automation as well as long-term retention & analysis.

12Port logs an event for every action in the system, from basic configuration updates to granting access, approving a request, establishing a remote session or downloading a file. In addition to auditing system events, a logger management component allows these events to be streamed to the network SIEM system for further analysis, correlating PAM-generated events with other network activity.
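What the SIEM side of this looks like, as an added Python example that is neither 12Port's code nor its actual log format: a PAM event is emitted as an RFC 5424 syslog line with the fields in structured data, parsed back, and run through two detection rules over a constructed sample stream (a secret revealed with no approval for that user and asset within the last hour, and one user revealing secrets for several distinct assets within a few minutes). The event names (request.approved, secret.unlocked, session.started), the parameter names, the pam@32473 SD-ID (32473 is the RFC 5612 example enterprise number) and all sample lines are assumptions made for the example:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# RFC 5424 PRI = facility * 8 + severity; authpriv (10) suits access-control events.
FACILITY_AUTHPRIV = 10
SEV_INFO, SEV_WARNING = 6, 4
SD_ID = "pam@32473"     # example enterprise number; use your own registered PEN


def _sd_escape(value) -> str:
    # Structured-data param values escape backslash, double quote and ']' (RFC 5424 6.3.3).
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def format_event(ts: datetime, host: str, event: str, severity: int = SEV_INFO, **params) -> str:
    """<PRI>1 TIMESTAMP HOST APP PROCID MSGID [SD-ID k="v" ...] MSG  (emitter side)."""
    pri = FACILITY_AUTHPRIV * 8 + severity
    sd = " ".join(f'{k}="{_sd_escape(v)}"' for k, v in params.items())
    return f"<{pri}>1 {ts.isoformat()} {host} 12port-pam - {event} [{SD_ID} {sd}] {event}"


_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) "
    r"(?P<msgid>\S+) \[(?P<sdid>\S+) (?P<sd>(?:[^\]\\]|\\.)*)\](?: (?P<msg>.*))?$")
_PARAM = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_event(line: str):
    """Parse one syslog line into a dict, or None if it is not in the expected shape."""
    m = _LINE.match(line)
    if not m:
        return None
    params = {k: re.sub(r"\\(.)", r"\1", v) for k, v in _PARAM.findall(m.group("sd"))}
    return {**params,
            "ts": datetime.fromisoformat(m.group("ts")),
            "host": m.group("host"),
            "event": m.group("msgid"),
            "severity": int(m.group("pri")) % 8}


def detect(lines, approval_window=timedelta(hours=1),
           bulk_threshold=3, bulk_window=timedelta(minutes=10)):
    """Run the two correlation rules over a batch of lines; returns the alerts."""
    events = sorted((e for e in map(parse_event, lines) if e), key=lambda e: e["ts"])
    approvals = {}                       # (requester, asset) -> time of latest approval
    recent_unlocks = defaultdict(list)   # user -> [(ts, asset), ...] inside bulk_window
    alerts = []
    for e in events:
        kind, user, asset = e["event"], e.get("user"), e.get("asset")
        if kind == "request.approved":
            approvals[(user, asset)] = e["ts"]
        elif kind == "secret.unlocked":
            approved = approvals.get((user, asset))
            if approved is None or e["ts"] - approved > approval_window:
                alerts.append({"rule": "unlock-without-approval", "user": user,
                               "asset": asset, "ts": e["ts"]})
            window = [(t, a) for t, a in recent_unlocks[user] if e["ts"] - t <= bulk_window]
            before = {a for _, a in window}
            window.append((e["ts"], asset))
            recent_unlocks[user] = window
            after = {a for _, a in window}
            if len(before) < bulk_threshold <= len(after):   # fire once when crossing
                alerts.append({"rule": "bulk-secret-retrieval", "user": user,
                               "assets": sorted(after), "ts": e["ts"]})
    return alerts


def sample_lines():
    """Constructed sample stream (not real 12Port output)."""
    t0, h = datetime(2024, 5, 7, 9, 0, tzinfo=timezone.utc), "pam01"
    return [
        format_event(t0, h, "request.approved", user="alice", asset="db01", approver="dave"),
        format_event(t0 + timedelta(minutes=10), h, "secret.unlocked", user="alice", asset="db01"),
        format_event(t0 + timedelta(hours=1), h, "secret.unlocked", user="bob", asset="web01"),
        format_event(t0 + timedelta(hours=2), h, "secret.unlocked", user="mallory", asset="db01"),
        format_event(t0 + timedelta(hours=2, minutes=1), h, "secret.unlocked", user="mallory", asset="db02"),
        format_event(t0 + timedelta(hours=2, minutes=2), h, "secret.unlocked", user="mallory", asset='dc01 "primary"'),
        format_event(t0 + timedelta(hours=3), h, "session.started", user="alice", asset="web01"),
    ]


if __name__ == "__main__":
    for a in detect(sample_lines()):
        print(a["ts"].isoformat(), a["rule"], a["user"], a.get("asset") or a.get("assets"))
```

The point of the escaping and parsing round trip is that asset names and usernames are attacker-influenced data once they reach the SIEM; an unescaped quote or bracket in a field is the classic way a log line is split or a rule is blinded, so the same sample includes one such name. Sorting by timestamp before correlating also matters, because syslog over UDP does not guarantee order.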

Adoption

The effectiveness of PAM depends on how fully network administrators embrace and follow its workflows. Successful PAM adoption depends on allowing users to maintain familiar day-to-day workflows while introducing new security practices.

12Port PAM allows administrators to use their familiar connectivity tools when accessing remote servers. Alongside its proprietary web client for Windows, Linux, Unix, and network access, 12Port PAM supports a broad ecosystem of open-source and commercial clients, such as MS RDP (mstsc), SSH shells, screen, tmux, MobaXterm, PuTTY, SecureCRT, FileZilla, WinSCP, Ansible, and many other desktop or mobile clients. Support for mobile clients is especially important for administrators who use mobile devices, so that they can preserve their original workflow.

Support for native desktop and mobile clients is implemented by the 12Port SSH and RDP proxies, which control the traffic at the protocol level.

For any client, 12Port PAM supports the same set of security options, such as session video recording and playback, MFA prompts, session event recording including keystrokes and file and clipboard transfers, granular RBAC permissions granted to groups and identities from LDAP, AD and Entra ID directories, interactive access approval, command filtering, and session intelligence with real-time traffic analysis and controls.