PAM Authentication Overview

The Account Overview tab is only available to users with Admin permissions associated with their account.

About the HashiCorp® PAM Integration

Continuous Dynamic offers a native integration with Privileged Access Management (PAM) solutions from HashiCorp®. This gives you additional flexibility over where to store scanning credentials for sites that require user authentication.

If you decide to use the PAM integration, you will store and manage your site scanning credentials in HashiCorp Vault instead of the Continuous Dynamic Portal. Vault is a system that provides centralized privileged access and secrets management for enterprises. When setting up the integration, you can choose whether to authenticate with Vault directly or to broker credentials through HashiCorp Boundary, a proxy for secure access management.

When adding a Site asset, Portal users can select a "PAM credentials object" instead of entering username and password credentials. When a scan is initiated, Continuous Dynamic authenticates to Vault, obtains a unique ID for the configured Vault asset, retrieves the scanning credentials, and then initiates the scan.

To use the PAM integration, your scanning credentials must be stored in HashiCorp Vault. Other PAM providers and platforms are not supported. PAM integration is not supported for API assets added using AutoAPI.

Benefits of using a PAM

Managing scanning credentials in a PAM solution is both secure and efficient.

  • Store site scanning credentials centrally alongside other corporate passwords and secrets.

  • Remove the need to log in to the Continuous Dynamic Portal and manually update scanning credentials every time they are changed or rotated; the scan always fetches the current value from Vault.

  • A PAM solution can automatically enforce company security policies, such as password rotation and expiry.

  • Meet industry requirements by ensuring passwords are not stored in third-party vendors' systems.

Prerequisites

  • The latest version of HashiCorp HCP Vault Dedicated (cloud hosted) or Vault Enterprise (self-managed).

  • Scanning credentials for Site assets in Continuous Dynamic are stored in Vault.

  • You have configured a supported authentication method in HashiCorp; see "Supported Authentication Methods", below.

  • An HCP Boundary installation is required to use the Token and Credentials authentication methods.

Supported Authentication Methods

The integration supports three authentication methods that Continuous Dynamic can use to reach Vault and retrieve site scanning credentials. Two of them go through HashiCorp Boundary; the third goes directly to Vault. Each method is described below, with the platform it runs on and what you must provide in the Portal.

Token (brokered credentials, API key)

  Platform: HashiCorp Boundary

  Authenticate to Vault through HashiCorp Boundary with "brokered credentials", using a Boundary API token (key).

  To use this method, provide your Boundary API token in the Continuous Dynamic Portal. You can find your API key in the HashiCorp Cloud Portal.

  By default, a Boundary API token has a time to live (TTL) of 7 days. Once the token expires, scans that use this PAM credentials object can no longer retrieve their credentials until you issue a new token and update the object. When creating the token, set the TTL to a duration that meets your security requirements, and plan token renewal around it. See https://developer.hashicorp.com/hcp/docs/boundary/configure-ttl for further details.

Credentials (brokered credentials, username and password)

  Platform: HashiCorp Boundary

  Authenticate to Vault through HashiCorp Boundary with "brokered credentials", using a Boundary username and password.

  To use this method, provide a set of Boundary credentials (username and password) and the ID of the Boundary auth method they belong to in the Continuous Dynamic Portal.

  Boundary issues an API token when these credentials are used, and that token has the same default TTL of 7 days. Consider setting the TTL to a duration that meets your security requirements. See https://developer.hashicorp.com/hcp/docs/boundary/configure-ttl for further details.

App Role credentials

  Platform: HashiCorp Vault

  Authenticate directly to Vault using the AppRole auth method (see Use AppRole Authentication in the Vault documentation). The scanning credentials must be stored in a KV secrets engine, version 1 or 2.

  To use this method, provide the AppRole's role_id, a secret_id, and the Vault namespace in the Continuous Dynamic Portal. The secret_id expires after the TTL configured on the AppRole (secret_id_ttl; the default assumed here is 60 minutes). Set it to a duration that meets your security requirements and that does not run out between scans, because Continuous Dynamic reuses the stored secret_id for every scan; for the same reason, the AppRole must not limit the secret_id to a single use (secret_id_num_uses). See the AppRole documentation for further details.

You must also have added the Continuous Dynamic IP address ranges to your allow list. If the AppRole restricts the networks a secret_id or token may be used from (secret_id_bound_cidrs, token_bound_cidrs), those ranges must be included there as well.
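The sequence the App Role method runs at scan time (log in with role_id and secret_id, then read the scanning credentials from the KV engine), written against Vault's HTTP API as an added example; this is not Continuous Dynamic or HashiCorp code. The mount names kv and kv1, the secret paths, the role_id, secret_id and token values and the admin namespace are constructed for the example (admin is the top-level namespace of HCP Vault Dedicated), and the server it talks to is an in-memory stand-in so the code runs offline; http_transport is the drop-in for a real Vault endpoint. The example also shows the one place KV v1 and v2 differ for this purpose: v2 inserts a data/ segment into the path, in the ACL policy as well as in the read URL, and nests the secret fields one level deeper in the response.

```python
"""AppRole login and KV secret read, as the integration's flow is described
above. Added example, not Continuous Dynamic or HashiCorp code: request paths
and response shapes follow Vault's HTTP API; the server it talks to here is a
constructed in-memory stand-in so it runs offline."""
import json
import urllib.error
import urllib.request

# Constructed values; real role_id/secret_id values are UUIDs issued by Vault.
FAKE_ROLE_ID = "4f6a2b0e-role-id-constructed"
FAKE_SECRET_ID = "9c1d7e33-secret-id-constructed"
FAKE_TOKEN = "hvs.constructed-client-token"


def kv_read_path(mount, path, version):
    """Path used both in the ACL policy and in the read URL. KV v2 inserts a
    'data/' segment between the mount and the secret path; KV v1 does not."""
    if version not in (1, 2):
        raise ValueError("KV secrets engine version must be 1 or 2")
    mount, path = mount.strip("/"), path.strip("/")
    return f"{mount}/data/{path}" if version == 2 else f"{mount}/{path}"


def read_policy_hcl(mount, path, version):
    """Least-privilege policy for the scanner's AppRole: read one secret only."""
    return 'path "%s" {\n  capabilities = ["read"]\n}\n' % kv_read_path(mount, path, version)


def approle_login(transport, role_id, secret_id, namespace=None):
    """POST auth/approle/login; returns (client_token, token TTL in seconds)."""
    headers = {"X-Vault-Namespace": namespace} if namespace else {}
    status, body = transport("POST", "/v1/auth/approle/login", headers,
                             {"role_id": role_id, "secret_id": secret_id})
    if status != 200:  # Vault answers 400 "invalid role or secret ID" for a bad pair
        raise PermissionError(f"AppRole login failed ({status}): {body.get('errors')}")
    return body["auth"]["client_token"], body["auth"]["lease_duration"]


def fetch_scan_credentials(transport, token, mount, path, version, namespace=None):
    """GET the secret and return (username, password); v2 nests the fields deeper."""
    headers = {"X-Vault-Token": token}
    if namespace:
        headers["X-Vault-Namespace"] = namespace
    status, body = transport("GET", "/v1/" + kv_read_path(mount, path, version), headers, None)
    if status != 200:
        raise PermissionError(f"secret read failed ({status}): {body.get('errors')}")
    data = body["data"]["data"] if version == 2 else body["data"]
    missing = [k for k in ("username", "password") if k not in data]
    if missing:
        raise KeyError(f"secret {path} is missing field(s) {missing}")
    return data["username"], data["password"]


def http_transport(base_url):
    """Transport for a real Vault server (assumed reachable at base_url)."""
    def send(method, url_path, headers, payload):
        data = json.dumps(payload).encode() if payload is not None else None
        req = urllib.request.Request(base_url.rstrip("/") + url_path, data=data, method=method,
                                     headers={"Content-Type": "application/json", **headers})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:
            return err.code, json.loads(err.read() or b"{}")
    return send


def fake_vault(namespace="admin"):
    """Constructed stand-in: one AppRole, a KV v2 mount 'kv' and a KV v1 mount 'kv1'."""
    secrets = {
        "kv/data/scan/portal": {"data": {"username": "scanner", "password": "s3cr3t-pw"},
                                "metadata": {"version": 3}},
        "kv1/scan/legacy": {"username": "legacy-scanner", "password": "0ld-pw"},
    }
    def send(method, url_path, headers, payload):
        if headers.get("X-Vault-Namespace") != namespace:  # wrong namespace: nothing routes
            return 404, {"errors": ["no handler for route"]}
        if method == "POST" and url_path == "/v1/auth/approle/login":
            if (payload.get("role_id"), payload.get("secret_id")) != (FAKE_ROLE_ID, FAKE_SECRET_ID):
                return 400, {"errors": ["invalid role or secret ID"]}
            return 200, {"auth": {"client_token": FAKE_TOKEN, "lease_duration": 3600,
                                  "policies": ["default", "scan-creds-read"]}}
        if method == "GET" and headers.get("X-Vault-Token") == FAKE_TOKEN:
            key = url_path[len("/v1/"):]
            return (200, {"data": secrets[key]}) if key in secrets else (404, {"errors": []})
        return 403, {"errors": ["permission denied"]}
    return send


def demo(version=2):
    """Full sequence the integration runs at scan time, against the stand-in."""
    transport = fake_vault()
    token, ttl = approle_login(transport, FAKE_ROLE_ID, FAKE_SECRET_ID, namespace="admin")
    mount, path = ("kv", "scan/portal") if version == 2 else ("kv1", "scan/legacy")
    return fetch_scan_credentials(transport, token, mount, path, version, namespace="admin")
```

Attach the output of read_policy_hcl to the AppRole's token policies so the token Continuous Dynamic obtains can read that one secret and nothing else. Note that the lease_duration returned by approle_login is the TTL of the client token, not of the secret_id; the secret_id's lifetime is governed by secret_id_ttl on the role.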

Creating a PAM Credentials Object

Create a PAM credentials object configured to connect to Vault using a specified authentication type.

  1. Log in to the Continuous Dynamic Portal as a user with Admin permissions.

  2. Select Admin > Account Overview.

  3. Select the PAM Authentication subtab.

    (Screenshot: Manage PAM Credentials tab)

    The Manage PAM Credentials page lists all PAM credentials objects in your Client. The table displays the Name, Endpoint, Primary Client, and Authentication Type of each object, as well as the supported Actions.

  4. Click Add PAM. The Create PAM Credential dialog is displayed:

    (Screenshot: Create PAM Credential dialog)

  5. Enter a Name for the PAM credentials object. This must be unique within your Client.

  6. In the Endpoint field, specify the API endpoint of your Vault instance; for example, https://pam.example.com/api. This must be a valid URL.

  7. Select a supported Authentication Type:

    • Token - see step 8.

    • Credentials - see step 9.

    • App Role - see step 10.

  8. To use Token authentication, enter your Boundary API key in the API Token field.

  9. To use Credentials authentication, enter the following information:

    1. A Username and Password for a user account in Boundary. These credentials must correspond to the Auth Method ID that you specify in the next step.

    2. In the Auth Method ID field, enter the ID of the Boundary auth method that Continuous Dynamic should authenticate with, e.g. ampw_xxP3UIBn2k. The integration supports Boundary's password auth method only (its IDs carry the ampw_ prefix); see authenticate in the Boundary documentation.

  10. To use AppRole authentication, enter the following information:

    • App Role ID: The RoleID of the AppRole in Vault that Continuous Dynamic authenticates as. Enter the role_id value.

    • Secret ID: A SecretID is the credential used together with the RoleID to log in to Vault; it is valid for the TTL configured on the AppRole. Enter the secret_id value.

    • Namespace: The Vault namespace in which the AppRole auth method and the KV secrets engine holding the scanning credentials are mounted (namespaces are a Vault Enterprise and HCP Vault feature; on HCP Vault Dedicated the top-level namespace is admin). This is the namespace, not the secrets engine mount or the secret path.

      (Screenshot: example AppRole PAM credentials object)

  11. Select the Continuous Dynamic Client that you want to create the PAM credentials object in (applies to Multi-Client services only).

  12. Click Save.

    A green banner is displayed if the PAM credentials object was successfully created.

The next step is to link the PAM credentials object to the scanning credentials used for a specific Site asset. PAM credentials are available to select when adding scanning credentials.

Managing PAM Credentials Objects

You can edit and delete PAM credentials objects in the PAM Authentication tab.

  • To edit a PAM credentials object, click Edit, edit the fields you want to change, then click Save.

  • To delete a PAM credentials object, click Delete.

You can only delete PAM credentials objects that are not currently in use by Site assets or Business Logic Assessments.