PAM Authentication Overview
The Account Overview tab is only available to users with Admin permissions associated with their account.
About the HashiCorp® PAM Integration
Continuous Dynamic offers a native integration with Privileged Access Management (PAM) solutions from HashiCorp®. This gives you additional flexibility over where to store scanning credentials for sites that require user authentication.
If you decide to use the PAM integration, you will store and manage your site scanning credentials in HashiCorp Vault instead of the Continuous Dynamic Portal. Vault is a system that provides centralized privileged access and secrets management for enterprises. When setting up the integration, you can choose whether to authenticate with Vault directly or to broker credentials through HashiCorp Boundary, a proxy for secure access management.
When adding a Site asset, Portal users can select a "PAM credentials object" instead of entering username and password credentials. When a scan is initiated, Continuous Dynamic authenticates to Vault, obtains a unique ID for the configured Vault asset, retrieves the scanning credentials, and then initiates the scan.
To use the PAM integration, your scanning credentials must be stored in HashiCorp Vault. Other PAM providers and platforms are not supported. PAM integration is not supported for API assets added using AutoAPI.
Benefits of using a PAM
Managing scanning credentials in a PAM solution is both secure and efficient.
- Store site scanning credentials centrally alongside other corporate passwords and secrets.
- Remove the need to log in to the Continuous Dynamic Portal to manually update scanning credentials every time they are updated or rotated.
- A PAM solution can automatically enforce company security policies, such as password rotation and expiry.
- Meet industry requirements by ensuring passwords are not stored in third-party vendors' systems.
Prerequisites
- The latest version of HashiCorp HCP Vault Dedicated (cloud hosted) or Vault Enterprise (self-managed).
- Scanning credentials for Site assets in Continuous Dynamic are stored in Vault.
- You have configured a supported authentication method in HashiCorp; see "Supported Authentication Methods", below.
- An HCP Boundary installation is required to use the Token and Credentials authentication methods.
Supported Authentication Methods
The integration supports three authentication methods for Continuous Dynamic to integrate with Vault and retrieve site scanning credentials. These are described in the following table:
Authentication method | Platform | Description and setup |
---|---|---|
Token: Brokered credentials, API key | HashiCorp Boundary | Authenticate to Vault through HashiCorp Boundary with the use of "brokered credentials", via your API key. To use this method, provide your Boundary API token (key) in the Continuous Dynamic Portal. You can find your API key in the HashiCorp Cloud Portal. By default, the time to live (TTL) for a Boundary API token is 7 days. When creating your API token for Boundary, consider increasing the default TTL to a duration that meets your security requirements. See https://developer.hashicorp.com/hcp/docs/boundary/configure-ttl for further details. |
Credentials: Brokered credentials, username and password | HashiCorp Boundary | Authenticate to Vault through HashiCorp Boundary with the use of "brokered credentials", via a username and password. To use this method, provide a set of Boundary credentials (username and password) and an By default, the TTL for a Boundary API token is 7 days. When creating your API token for Boundary, consider increasing the default TTL to a duration that meets your security requirements. See https://developer.hashicorp.com/hcp/docs/boundary/configure-ttl for further details. |
App Role credentials | HashiCorp Vault | Authenticate directly to Vault by using the AppRole auth method (see Use AppRole Authentication in the Vault documentation). Note that KV secrets engine version 1 or 2 is required. To use this method, provide your You must have added Continuous Dynamic IP Address ranges to your allow list. |
Creating a PAM Credentials Object
Create a PAM credentials object configured to connect to Vault using a specified authentication type.
1. Log in to the Continuous Dynamic Portal as a user with Admin permissions.
2. Select Admin > Account Overview.
3. Select the PAM Authentication subtab.
   The Manage PAM Credentials page lists all PAM credentials objects in your Client. The table displays the Name, Endpoint, Primary Client, and Authentication Type of each object, as well as the supported Actions.
4. Click Add PAM. The Create PAM Credential dialog is displayed.
5. Enter a Name for the PAM credentials object. This must be unique within your Client.
6. In the Endpoint field, specify the API endpoint of your Vault instance; for example, https://pam.example.com/api. This must be a valid URL.
7. Select a supported Authentication Type:
   - Token - see step 8.
   - Credentials - see step 9.
   - App Role - see step 10.
8. To use Token authentication, enter your Boundary API key in the API Token field.
9. To use Credentials authentication, enter the following information:
   - A Username and Password for a user account in Boundary. These credentials must correspond to the Auth Method ID that you specify in the next step.
   - In the Auth Method ID field, enter the Boundary auth method ID that you want Continuous Dynamic to use to authenticate to Boundary, e.g. ampw_xxP3UIBn2k. Note that the integration supports the password auth method only; see Authenticate in the Boundary documentation.
10. To use AppRole authentication, enter the following information:
   - App Role ID: The RoleID of the AppRole in Vault to be used for authentication by Continuous Dynamic. Enter the role_id value.
   - Secret ID: A SecretID is a token that is used with a RoleID to authenticate to Vault for a specified time to live (TTL). Enter the secret_id value.
   - Namespace: The namespace is the Vault secrets engine that contains the target path.
11. Select the Continuous Dynamic Client that you want to create the PAM credentials object in (applies to Multi-Client services only).
12. Click Save.
A green banner is displayed if the PAM credentials object was successfully created.
The next step is to link the PAM credentials object to the scanning credentials used for a specific Site asset. PAM credentials are available to select when adding scanning credentials.
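The AppRole flow behind a PAM credentials object (the "App Role credentials" row of the table above and step 10) is two Vault HTTP API calls: an AppRole login that returns a short-lived client token, then a KV read with that token. The following is an added example, not Continuous Dynamic or HashiCorp code; the endpoint, namespace, KV mount, secret path and the username/password key names are assumptions. It shows the one detail the page only hints at with "KV secrets engine version 1 or 2 is required": v2 needs a data/ segment in the read path and nests the secret one level deeper in the response.

```python
import json
import urllib.request

# Added example: the Vault API calls behind an AppRole-based PAM credentials
# object. Endpoint, namespace, mount, secret path and key names are assumed.

def approle_login_request(role_id: str, secret_id: str) -> tuple[str, dict]:
    """Path and JSON body for the AppRole login call (POST auth/approle/login)."""
    return "auth/approle/login", {"role_id": role_id, "secret_id": secret_id}

def kv_read_path(mount: str, secret_path: str, kv_version: int) -> str:
    """KV v1 reads mount/path; KV v2 inserts 'data/' between mount and path."""
    if kv_version == 1:
        return f"{mount}/{secret_path}"
    if kv_version == 2:
        return f"{mount}/data/{secret_path}"
    raise ValueError("only KV secrets engine v1 or v2 is supported")

def extract_credentials(body: dict, kv_version: int) -> dict:
    """Pull the username/password pair out of a KV read response (v2 nests data.data)."""
    data = body["data"]["data"] if kv_version == 2 else body["data"]
    if not {"username", "password"} <= set(data):
        raise KeyError("secret must contain 'username' and 'password' keys")
    return {"username": data["username"], "password": data["password"]}

def vault_request(endpoint, path, token=None, namespace=None, body=None) -> dict:
    """Send one request to <endpoint>/v1/<path>; token and namespace go in headers."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["X-Vault-Token"] = token
    if namespace:
        headers["X-Vault-Namespace"] = namespace
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{endpoint.rstrip('/')}/v1/{path}", data=data,
                                 headers=headers, method="POST" if data else "GET")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def fetch_scanning_credentials(endpoint, role_id, secret_id, mount, secret_path,
                               kv_version=2, namespace=None) -> dict:
    """Log in with RoleID + SecretID, then read the scanning credentials once."""
    login_path, login_body = approle_login_request(role_id, secret_id)
    login = vault_request(endpoint, login_path, namespace=namespace, body=login_body)
    client_token = login["auth"]["client_token"]  # short-lived; never persist it
    secret = vault_request(endpoint, kv_read_path(mount, secret_path, kv_version),
                           token=client_token, namespace=namespace)
    return extract_credentials(secret, kv_version)
```

The Vault policy bound to the AppRole only needs read on the KV path that kv_read_path builds, so a v2 policy must grant the data/ form of the path, not the bare mount path.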
Managing PAM Credentials Objects
You can edit and delete PAM credentials objects in the PAM Authentication tab.
- To edit a PAM credentials object, click Edit, edit the fields you want to change, then click Save.
- To delete a PAM credentials object, click Delete.
You can only delete PAM credentials objects that are not currently in use by Site assets or Business Logic Assessments.