- Why privileged access management in remote & hybrid work environments is difficult
- What is Keeper Connection Manager (KCM)?
- Agentless and clientless
- Zero-trust access by design
- Built on cloud-native technologies
- Works to secure modern applications
- Installing Keeper Connection Manager
- Configuring new connections in Keeper Connection Manager
- Wrapping up and impressions
- ManageEngine OpManager: Comprehensive monitoring for on-prem, cloud, and containers - Thu, Mar 23 2023
- Install K3s, a lightweight, production-grade Kubernetes distro - Mon, Mar 20 2023
- VMware NSX Advanced Load Balancer: Installation and configuration - Fri, Mar 10 2023
Today’s data environments are highly complex, typically consisting of a combination of on-premises hardware, private clouds, and public clouds. Additionally, the move to widespread remote and hybrid work means that businesses are facing increasing challenges with security and compliance.
One area that many organizations struggle with is privileged access management (PAM). Keeper Connection Manager is a new solution from Keeper Security that helps organizations address the growing struggles of PAM in the enterprise environment.
Why privileged access management in remote & hybrid work environments is difficult
Even when all employees are working on-premises, managing and protecting access to IT infrastructure is difficult. IT admins, DevOps engineers, and developers must manage access to sensitive systems, such as remote desktops, Windows machines, Linux servers, Kubernetes clusters, and database services. When employees must connect to these systems remotely, the challenges are even greater.
Historically, privileged passwords, SSH keys, cloud access keys, and other sensitive credentials were. saved or stored in code, third-party connection tools, or software. API keys, AWS IAM keys, plaintext passwords, and many other types of sensitive information are hardcoded inside config files, source code, and Infrastructure-as-Code (IaC) files. Unfortunately, these solutions are difficult to configure and manage – for example, rotating credentials is a time-consuming hassle – and they do not scale well. They also make it very easy for users to inadvertently expose credentials, causing security and compliance issues.
What is Keeper Connection Manager (KCM)?
Keeper Connection Manager (KCM) emerged from Keeper’s acquisition of Glyptodon Enterprise, the original creators of the open-source Apache Guacamole software for remote desktop access. Built atop the Guacamole gateway, with additional features and enhancements, KCM enables businesses to enhance security by adopting a zero-trust access model for IT infrastructure and resources. It also provides IT admins with the tools needed to implement least-privilege access, role-based access control (RBAC), and multi-factor authentication (MFA).
KCM provides DevOps and IT teams secure access to Kubernetes, MySQL, RDP, SSH, Telnet, and VNC endpoints through any web browser.
Keeper Connection Manager
Agentless and clientless
KCM stands out in the market for its agentless and clientless design. Many PAM solutions require the installation of agents that must be maintained, upgraded, and managed. This can stifle the adoption of a PAM solution, as overworked IT staff and admins are already managing many types of infrastructure and agents required by other solutions. KCM’s agentless and clientless design allows for rapid deployment and minimal ongoing maintenance. There are no agents, each user’s web browser is the client, and KCM does not impact domain controllers or other services.
Zero-trust access by design
KCM is also very much aligned with today’s distributed work environments, where IT and DevOps teams are connecting to internal resources from multiple locations and using a wide array of devices. KCM makes it possible for users to securely connect to IT infrastructure from any major desktop web browser, as well as iOS and Android mobile devices. KCM is designed to support the zero-trust network access model, so all users and devices must be strongly authenticated before they are permitted to access organizational resources.
Once a user is authenticated, and their access level is authorized, all their activity happens behind the enterprise firewall, meaning their connection is just as secure as it would be if they were working on-premises. In addition, the relevant network traffic and data remain on the corporate network.
Built on cloud-native technologies
Because KCM was built in the cloud, for the cloud, it takes full advantage of all the benefits of cloud computing, including flexibility, scalability, and automation. KCM offers several installation options using Docker or RPM, with authentication modules for popular databases and AD/LDAP. Desktop images are easily standardized, and updates to desktops and applications can be automated.
Works to secure modern applications
Ransomware attacks on Kubernetes environments are a serious and growing problem. As organizations seek to modernize their applications, many are migrating to containerized workloads, with Kubernetes as the de facto standard for container orchestration. KCM offers authentication modules for AD/LDAP, SSH, VNC, MySQL, and Kubernetes right out of the box. KCM supports Kubernetes through a protocol implementation that enables Guacamole to attach to the consoles of Kubernetes containers using Kubernetes' REST API connections. Guacamole's Kubernetes support emulates a terminal on the server side, rendering the client's display.
Installing Keeper Connection Manager
The process of installing Keeper Connection Manager is straightforward. In the lab environment, I installed the latest version of Docker in a clean Ubuntu Server VM. After quickly getting Docker up and running, I followed the Simple Docker Install from the official Keeper Connection Manager documentation.
The process for the simple Docker install simply involves pulling down a script, setting execute permissions, and running the script.
Running the simple Docker installation of Keeper Connection Manager
After the installation is complete, KCM displays the auto-generated admin password for logging into the console.
Installation of KCM completes successfully
You can now issue a docker ps and see the Docker containers now running.
Viewing the running Docker containers after the installation of Keeper Connection Manager
Configuring new connections in Keeper Connection Manager
I found Keeper Connection Manager to have an easy and intuitive workflow. Even though I had never used the product before, it took only a few intuitive clicks to navigate where I wanted to go and find the configuration I was looking for.
For example, under Settings > Connections, you will find the configuration settings to create a new connection with various options. The flow of the configuration dialog is, again, intuitive, and it makes sense. The configuration flows from the top of the page to the bottom. Here, I am creating a simple test connection for a Linux server using SSH and password authentication.
Creating a new Linux Server SSH connection using Keeper Connection Manager
After saving the configuration, you will see the connection listed and ready to connect.
New Linux Server SSH connection created successfully and ready to connect
A single click connects you to the Linux SSH prompt right through your web browser.
Connected via Keeper to the new Linux Server SSH connection
Keeper Connection Manager keeps a detailed audit log of connections to each connection resource inside the solution.
Auditing connections to a resource in Keeper Connection Manager
Sharing a connection is also simple. Expanding the arrow beside the configured connection displays an option to create a New Sharing Profile.
Creating a sharing profile for a connection to share with other users
Designating allowed sharing profiles in user properties
Wrapping up and impressions
My experience with Keeper Connection Manager was very positive. Using the simple Docker installation method, it took me around five minutes to install the solution (I had a Linux template that was easily deployed). Even though I had never used the product, the workflow was intuitive for creating a new connection and even sharing the connection with another user added to the system.
The simple and intuitive nature of the solution will certainly help organizations implement privileged access management and quickly gain value from Keeper Connection Manager. However, as of this writing, KCM can only protect VNC, Telnet, SSH, RDP, MySQL, and Kubernetes.
It is also great to see that Keeper has embraced cloud-native technologies, such as running the solution in Docker and offering privileged access management connectivity to Kubernetes clusters, which many organizations are looking for today.
Subscribe to 4sysops newsletter!
Keep in mind that we only scratched the surface of the solution. There are other features that we have not detailed in this overview post. You can learn more about Keeper Connection Manager and sign up for a free trial of the solution for Keeper Connection Manager.
