Feb 11, 2026
Infra Club
As part of our continued efforts to strengthen the security posture of F1Soft Group, we would like to share an important update regarding the Privileged Access Management (PAM) solution developed in-house by F1ARL.
Previously, the group invested approximately NPR 1.5 Crore in an enterprise PAM solution to protect and secure our production infrastructure. To achieve the same level of protection for our Development (Dev) environments under the current enterprise PAM model, an additional investment of a similar amount would be required.
Industry trends, as well as our own security observations, clearly indicate that most sophisticated attacks originate in development environments. In multiple cases, attackers have injected malware into Dev systems and CI/CD pipelines, which later propagated into production. This makes PAM enforcement in Dev environments a mandatory security requirement, not an optional enhancement.
To address this effectively, ARL has designed and developed an in-house PAM solution that is lightweight, scalable, and highly resource-efficient. Unlike the existing enterprise PAM—which requires multiple Windows machines and significant hardware infrastructure—the ARL PAM solution can operate on a single machine or scale horizontally with minimal hardware and operational overhead.
Our proposed rollout strategy is as follows:

1. Implement PAM in Development environments first.
2. Stabilize the solution through multiple iteration, testing, and hardening cycles.
3. Gradually extend the deployment to production environments once sufficient maturity and stability are achieved.
This phased approach significantly reduces operational risk while allowing teams to adapt smoothly. In parallel, our strategic objective is to replace the existing paid enterprise PAM solution and target non-renewal in the next renewal cycle, resulting in substantial cost and infrastructure savings.
A detailed demo of the in-house PAM solution is available for review at:
https://securegate.f1arl.com/ (login demo/demo@1234 )
Teams who wish to understand the solution in greater depth—including architecture, security design, and source code implementation—are encouraged to reach out to F1ARL for a detailed walkthrough and discussion on how the PAM solution has been developed.
We strongly encourage teams to begin implementing the ARL PAM solution within their Dev environments and actively collaborate to make it stable, secure, and production-ready. This initiative aligns with our broader goal of building scalable, secure, and cost-effective in-house platforms across the group.
For onboarding, demos, or technical support, please coordinate with ARL or the IT Security team.
Below is a structured overview of the PAM platform capabilities, security architecture, and system-level statistics for your reference. This is intended to provide both functional clarity and technical depth.

| # | Feature Area | Description | Key Source Files |
|---|---|---|---|
| 1 | SSH Gateway | Interactive SSH terminal with PTY shell, window-resize synchronization, and asciicast v2 session recording | terminal.go, cli_ssh.go, TerminalPage.jsx |
| 2 | RDP Gateway | Secure Remote Desktop access via Guacamole proxy with WebM session recording | rdp.go, guacamole_proxy.go, RDPPage.jsx |
| 3 | Database Proxy (SQL Client) | Multi-engine SQL workbench (MySQL & PostgreSQL) with syntax highlighting, schema browser, and multi-tab results | database.go, SQLClientPage.jsx |
| 4 | SFTP File Manager | Browser-based file gateway for upload, download, and directory management | sftp.go, FileManagerPage.jsx |
| 5 | Browser Isolation | Containerized Firefox/Wine with persistent GUI sessions (containers survive user disconnection) | browser.go, BrowserPage.jsx, firefox-hardened/ |
| 6 | Web Proxy | Secure HTTP/HTTPS application access via reverse proxy | proxy.go, WebProxyPage.jsx |
| 7 | Session Recording & Forensics | Multi-format recording (WebM, .guac.gz, .cast.gz, .sql.gz) with MinIO archival and forensic playback | recording.go, web_recording.go, RecordingsPage.jsx |
| 8 | Recording Processor Sidecar | Autonomous Go service for distributed MinIO archival with metadata bridging | recording-processor/, internal_recording.go |
| 9 | Asset Management | CRUD for SSH, RDP, DB, Web, and Browser assets with protocol and credential linkage | asset.go, AssetsPage.jsx |
| 10 | User Management | User lifecycle management (Active / Blocked / Deleted), MFA controls, password resets | user.go, UsersPage.jsx |
| 11 | RBAC (Roles & Permissions) | Fine-grained permission matrix with role-to-user and asset group bindings | role.go, RolesPage.jsx |
| 12 | User Groups | Logical user grouping for RBAC and policy assignment | user_group.go, UserGroupsPage.jsx |
| 13 | Asset Groups | Logical asset grouping for permission enforcement | asset_group.go, AssetGroupsPage.jsx |
| 14 | Departments | Organizational hierarchy for user classification | department.go, DepartmentsPage.jsx |
| 15 | Credential Vault | Encrypted credential store with private and group-based sharing | credential.go, CredentialsPage.jsx |
| 16 | JIT (Just-In-Time) Access | Time-bound privilege elevation with request → approval → revoke workflow | jit.go, jit_enforce.go, JITPage.jsx |
| 17 | Access Schedules | Time-window policies controlling asset accessibility | schedule.go, AccessSchedulesPage.jsx |
| 18 | Audit Logging | Complete audit trail for logins, sessions, and admin operations | audit.go, AuditPage.jsx |
| 19 | Device Management | Device lifecycle (Pending / Approved / Blocked) with forensic tracking | device.go, DeviceManagementPage.jsx |
| 20 | Dashboard & Analytics | Real-time visibility into sessions, assets, users, and system health | dashboard.go, Dashboard.jsx |
| 21 | Settings Portal | UI-based configuration for MinIO, Guacamole, browser isolation, and security policies | settings.go, SettingsPage.jsx |
| 22 | TCP Proxy / DB Tunneling | Secure tunneling for external DB tools (e.g., DBeaver) via PAM gateway | tcp_proxy.go |
| 23 | CLI Tool | Native CLI for SSH, SCP, asset management, and JIT workflows | cli/ |
| 24 | Distributed Topology | Standalone, Main+Worker, and Worker-only deployment models | docker-compose.standalone.yml, docker-compose.main.yml, docker-compose.worker.yml |

| # | Security Practice | Implementation Details | Key Source Files |
|---|---|---|---|
| 1 | JWT Authentication | Stateless, cryptographically signed JWTs for all APIs | auth.go |
| 2 | Hardware Device Binding | JWTs bound to X-Device-Fingerprint to prevent token replay | device.go, auth.go |
| 3 | MFA / TOTP | RFC-compliant TOTP (6-digit, 30s) with admin-enforced MFA | auth.go |
| 4 | Independent MFA Posture | MFA enforcement decoupled from security mode | security.go |
| 5 | JWE Payload Encryption | RSA-OAEP-256 + A256GCM end-to-end payload encryption | auth.go, encryption.go |
| 6 | Hierarchical Security Modes | Open, IP-Only, Device-Only, Strict (IP + Device + MFA) | security.go |
| 7 | Policy Resolution Engine | Global → Group → User override hierarchy | security.go |
| 8 | IP Allowlisting | CIDR-based IP control with expiry support | security.go |
| 9 | Device Approval Workflow | New devices require admin approval before access | device.go |
| 10 | RBAC Enforcement | Role-based access bound to user and asset groups | role.go |
| 11 | Redis Permission Cache | 10-minute TTL RBAC cache (~90% DB load reduction) | redis/ |
| 12 | JIT Enforcement | Middleware-level enforcement of approved time windows | jit_enforce.go |
| 13 | Access Schedules | Hour/day-based access restrictions | schedule.go |
| 14 | Credential Encryption at Rest | AES-encrypted vault storage | encryption.go, credential.go |
| 15 | Forced Password Rotation | Mandatory password change on first login | auth.go |
| 16 | Account Status Bridge | Unified Active / Blocked / Deleted enforcement | auth.go |
| 17 | Comprehensive Audit Logs | User, IP, device, and timestamp for all privileged actions | audit.go |
| 18 | Session Recording | Mandatory recording for SSH, RDP, DB, and Browser sessions | recording_service.go |
| 19 | Active Session Visibility | Real-time session monitoring with force-logout | session.go |
| 20 | Internal API Auth | Secure auth for sidecar and worker communications | internal_api.go |
| 21 | CORS Engine | Environment-driven dynamic allowed origins | common.go |
| 22 | One-Time Credential Display | Admin-reset passwords visible only once | UsersPage.jsx |
| 23 | CLI Device Parity | CLI propagates device fingerprint headers | cli/ |
| 24 | Guacamole DB Auth | Database-backed auth for state consistency | guacamole_db.go |
| 25 | Database Auto-Bootstrap | Zero-touch creation of 48 schemas and system roles | database/ |
| 26 | Container Isolation | Per-user isolated Firefox/Wine containers | firefox-hardened/, browser-worker/ |
| 27 | Caddy Reverse Proxy | Automatic HTTPS and TLS termination | Caddyfile |
| 28 | Runtime Config Injection | No build-time secrets embedded in images | docker/ |
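
Rows 4, 6, 7 and 8 above describe the access-policy model. As an added illustration written for this memo (not code from the ARL PAM or its security.go), here is one way to model those security modes, the Global → Group → User override and the MFA posture that is independent of the mode, in Go. All type and function names are assumptions, and the allowlist expiry from row 8 is left out.

```go
package main

import "net"

// Mode mirrors the table's hierarchy; Strict requires IP + Device + MFA.
type Mode int
const (
	Open Mode = iota
	IPOnly
	DeviceOnly
	Strict
)

// Policy is one layer of Global -> Group -> User. A nil field inherits from the
// layer above; MFA is deliberately separate from Mode (independent MFA posture).
type Policy struct {
	Mode  *Mode
	MFA   *bool
	Allow []string // CIDR allowlist (expiry omitted here)
}

// Resolve folds the layers general-first, so the most specific set field wins.
func Resolve(layers ...Policy) (mode Mode, mfa bool, allow []string) {
	for _, p := range layers {
		if p.Mode != nil {
			mode = *p.Mode
		}
		if p.MFA != nil {
			mfa = *p.MFA
		}
		if p.Allow != nil {
			allow = p.Allow
		}
	}
	return
}

// Allowed applies the resolved policy to one login attempt; MFA is demanded by the flag or by Strict, and malformed CIDRs never match.
func Allowed(mode Mode, mfa bool, allow []string, ip string, device, otp bool) bool {
	ipOK, addr := false, net.ParseIP(ip)
	for _, c := range allow {
		if _, n, err := net.ParseCIDR(c); err == nil && addr != nil && n.Contains(addr) {
			ipOK = true
		}
	}
	if (mode == IPOnly || mode == Strict) && !ipOK || (mode == DeviceOnly || mode == Strict) && !device {
		return false
	}
	return otp || !(mfa || mode == Strict)
}
```

A user-level Strict override therefore demands all three factors even when the global mode is IP-Only, while a group-level MFA flag alone adds the OTP check without touching the mode.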

| Metric | Count |
|---|---|
| Backend Handlers | 25 |
| Frontend Pages | 22 |
| Backend Services | 19 |
| Data Models | 14 |
| Middleware Layers | 4 |
| Protocol Connectors | 4 (SSH, RDP, Database, Guacamole) |
| Supported Protocols | 6 (SSH, RDP, VNC, SQL, SFTP, Web Proxy, Browser Isolation) |
| Docker Compose Topologies | 4 (Dev, Standalone, Main, Worker) |