Authentication to Privilege Management Cloud
Authentication for Privilege Management Cloud is achieved through Azure B2B, which allows end users in an Azure AD instance to be authenticated into the platform. Customers, therefore, require their users to be in an Azure AD instance; users authenticate through existing corporate means, including any MFA configured within their Azure AD. Customers retain control of password policy and BeyondTrust has no visibility of any end user credentials. The initial user for login will be invited during the fulfillment process, so the first admin email address is required before deployment.
For customers without Azure AD, the recommended approach is for customers to federate their current IDP with Azure AD to enable authentication by this method.
There are a number of granular permissions that can be granted to users of Privilege Management Cloud. These permissions determine which features a user has access to.
BeyondTrust does not have any access to login to the customers’ web management console.
Encryption and Ports
Privilege Management Cloud is configured such that it enforces the use of SSL over port 443 for every connection made to the site.
The Azure firewall is configured to only allow 443 connections and Port 22 for shell jump access (restricted to a single BeyondTrust IP address).
Encryption in motion
All traffic to and from Privilege Management Cloud is encrypted using TLS 1.2. By default, the site leverages the provided wildcard certificate corresponding to the host name in use.
Older ciphers such as TLS 1.0 / 1.1 and SSL 2.0, and SSL 3.0 are disabled.
Encryption at rest
All data in Privilege Management Cloud is stored in Azure SQL databases with transparent encryption enabled.
For more information, please see Transparent data encryption for SQL Database, SQL Managed Instance, and Azure Synapse Analytics.