Your Compliance Reports Are Only as Current as Your Last Manual Export

When did you last run a compliance evidence collection that did not surface something unexpected?

Not a gap in your controls. Something more mundane than that. A SCIM connector that failed three weeks ago that nobody noticed because there was no monitoring on it. A provisioning record that shows an offboarded user as deprovisioned, but the application itself still has the account active because the sync did not complete. A GPO configuration that drifted during a patch cycle and was never reverted. None of these are dramatic failures. They are the kind of thing that shows up when someone starts pulling data for an audit and the data does not match what the platform said it was.

The reason this keeps happening is not carelessness. It is architecture. The evidence that compliance audits require does not live in one system. Authentication logs live in the IAM platform. GPO configuration states live in Active Directory. Threat detection events live in the SIEM or the security monitoring layer. Provisioning records live in whatever system runs your identity lifecycle. Getting all of that into one place, in a format an auditor can use, requires a person to do it manually every single time.

That person assembles the evidence. They reconcile the formats. They discover the gaps. They fix what can be fixed before the package goes out. And the package that results reflects the state of the environment during the collection window. Not today. The window when someone was pulling data. 

This blog is about why that architecture cannot satisfy what ISO 27001:2022 and DPDPA Rules 2025 actually require at the evidence level, and what changes when compliance data becomes something your systems produce continuously rather than something your team assembles under a deadline.

The Evidence Collection Problem Is Not a Process Problem. It Is an Architecture Problem.

Most compliance teams treat audit preparation as a sprint. In the weeks before an audit, the team runs harder, pulls more data, and patches what they can before the auditors arrive. The sprint is exhausting and it is built into the annual calendar as an accepted cost.

But the sprint is not the real problem. The sprint is a symptom of a compliance architecture where evidence only gets collected when someone needs it. Between audits, controls drift. Connectors fail. Policies get modified and not reverted. None of that is visible because nobody is looking. The audit creates the forcing function to look, which is why the looking almost always surfaces something.

The architecture problem has three specific components that compound each other. 

No Unified Evidence Surface 

The data that compliance audits require is distributed across systems that were not designed to produce evidence together. The Akku IAM platform holds authentication events and provisioning records. Active Directory holds GPO configuration states. Your SIEM holds threat detection events. Your ticketing system holds access request and approval records. Each of these is a valid data source. None of them produce a unified, audit-ready output without a person in the middle connecting them.

The practical consequence: every audit cycle requires someone to navigate each system, export data in that system’s native format, reconcile the exports, and reformat everything for the auditor’s requirements. For organisations managing compliance across ISO 27001, SOC 2, HIPAA, and DPDPA simultaneously, the same data gets extracted and reformatted multiple times for different framework requirements.

Evidence Is Always Retrospective

Manual evidence collection produces a snapshot. The snapshot is accurate at the time it is taken. By the time it reaches the auditor, the environment has continued to evolve. If your MFA enforcement policy was modified for a department two weeks after the evidence was collected, that modification is not in the compliance package. The auditor is reviewing a state that no longer exists.

ISO 27001:2022 Annex A Control A.8.16 requires ongoing monitoring for anomalous behaviour. The 2022 revision was explicit about this: the standard moved from periodic review to continuous monitoring. A compliance programme that collects evidence periodically and reviews it before audits does not satisfy A.8.16 as written in the current version of the standard. It satisfies the 2013 version’s intent. That distinction matters at recertification.

Gaps Are Found During Collection, Not Before

The most operationally damaging aspect of manual evidence collection is that it is often the first time anyone discovers that something went wrong. The SCIM connector failure that left offboarded users with active entitlements is discovered when someone cross-references the HR departure log against the provisioning records during audit prep. The GPO drift is discovered when someone exports the current configuration and compares it manually against the baseline. The discovery happens at the worst possible time, when the audit is imminent and there is no runway to investigate properly.

A compliance architecture that detects these gaps continuously rather than at collection time changes the operational dynamic entirely. The gap is found when it opens, not when the auditor is two weeks away.

What ISO 27001:2022, DPDPA Rules 2025 and RBI Actually Require at the Evidence Level

The frameworks that govern financial services, healthcare, and ITeS organisations in India are not ambiguous about what evidence they expect. But there is a meaningful gap between what the frameworks say and what most compliance programmes produce.

ISO 27001:2022: Continuous Monitoring Is the Requirement, Not the Aspiration 

Control A.8.15 requires that event logs recording user activities, exceptions, and information security events are produced, stored, protected, and analysed. The key word is analysed. A log that is stored but only reviewed before audits has not been analysed in any operationally meaningful sense. The control requires active review, which implies continuous or near-continuous monitoring rather than periodic batch review. 

Control A.8.16 is more direct. It requires ongoing monitoring of networks, systems, and applications for anomalous behaviour. The 2022 revision added this requirement specifically because the 2013 version’s periodic review approach was insufficient. An organisation that reviews authentication logs quarterly is not satisfying A.8.16. An organisation with a monitoring layer that evaluates authentication events continuously is.

The practical implication for compliance reporting: the evidence package that an ISO 27001:2022 audit expects is not a quarterly snapshot. It is evidence that the monitoring controls were operating continuously over the audit period. That evidence can only come from a system that was actually monitoring continuously, not from a system that collected data before the audit.

DPDPA Rules 2025: Access Accountability Has to Be Demonstrable on Demand

The Digital Personal Data Protection Act requires data fiduciaries to implement appropriate technical and organisational measures to protect personal data. The word appropriate is doing significant regulatory work here. Under DPDPA, an appropriate technical measure for access control is not a policy document and not an annual access review. It is a technical system that can demonstrate, at any point, that access to personal data is restricted to authorised individuals, that access rights are reviewed and kept current, and that access is removed when it is no longer required. 

The data protection board under DPDPA has broad investigatory powers. A supervisory review does not arrive with six weeks of notice. It can arrive when something has gone wrong. If your ability to demonstrate access accountability depends on a manual evidence collection process that takes several days to run, your compliance posture for DPDPA is contingent on having time to prepare. That is not an appropriate technical measure. That is a documentation process.

DPDPA compliance for organisations handling personal data at scale requires that the access accountability evidence is continuously maintained and retrievable on demand. Not assembled when asked for it.

RBI Cybersecurity Framework: Near-Real-Time Is the Stated Standard

The RBI Cybersecurity Framework for scheduled commercial banks requires near-real-time log analysis and audit trails that support forensic investigation. For financial services organisations under RBI oversight, the expectation is that authentication anomalies, privileged access events, and configuration changes are being monitored as they occur. The audit trail exists as a byproduct of that monitoring, not as a separately assembled evidence package.

For organisations currently satisfying RBI requirements through periodic log review, the gap between the framework’s stated standard and the current implementation is a matter of regulatory record. The framework is explicit. The implementation is not matching it.

What Changes When Compliance Data Is Produced Continuously Instead of Collected Manually

The Akku Compliance Reporting API provides a single REST endpoint that returns consolidated compliance data programmatically, on demand or on a configured schedule. Rather than requiring a person to log into multiple systems and extract data, the API produces structured JSON output that covers the three evidence domains auditors request most frequently across ISO 27001, SOC 2, HIPAA, RBI, and DPDPA reviews.

Authentication Events and Login Activity

The API returns total login counts, success and failure rates, MFA failure events with method attempted and failure reason, account lockout events, and recovery attempt activity. Each event is timestamped at the millisecond level and tied to a user identifier. The output is structured JSON compatible with direct ingestion into GRC platforms like ServiceNow GRC and Archer, and into SIEM platforms including Splunk, IBM QRadar, and Microsoft Sentinel. For ITeS and BPO organisations that face client audits with short notice and need to produce structured authentication evidence quickly, this changes the response time from days to the duration of an API call.

GPO Configuration State and Change History

GPO configuration is one of the most frequently requested evidence categories in ISO 27001 and RBI audits. The auditor wants to know what policies are applied, whether they match the required baseline, and whether anything has changed since the last review. Currently, producing that evidence requires a manual export from the Group Policy Management Console, a comparison against a separately maintained baseline document, and a reconciliation of any differences.

The API returns the current GPO configuration state and change history in a structured format. The output identifies what is applied, what changed, when it changed, and what it changed from. The reconciliation step is eliminated because the change history is part of the output rather than a manual comparison.

Threat Detection Events

Threat detection events, authentication anomalies, privilege escalation attempts, and account lockout patterns form the evidence base for demonstrating that detection controls are operating under ISO 27001 A.8.16 and SOC 2 CC7.1. This data currently requires extraction from the security monitoring layer and manual formatting for audit packages. The API consolidates this into the same structured output as authentication events and GPO configuration. A single API call covers all three evidence domains.

How This Fits Into a Broader IAM and PAM Architecture

The Compliance Reporting API is a reporting surface. The quality of the evidence it produces depends on the quality of the controls generating the underlying data.

Authentication events come from the Akku IAM platform handling your organisation’s identity and access management. GPO configuration state comes from your Group Policy environment managed through Akku. Threat detection events include session-level activity captured by AkkuReka, the session proxy component in Akku PAM, which records command-level activity from privileged SSH, RDP, and database sessions.

For teams that have implemented IAM and PAM and are currently spending several days per audit cycle manually assembling evidence, the API eliminates the assembly step without requiring changes to the underlying architecture. The controls already exist. The API makes their output accessible in the format auditors need.

Before You Move On

Pull your last compliance evidence package. Pick any three controls in it that required authentication or access data.

For each one: how many systems did someone log into to collect that data? How long did the collection take? And when the package was complete, how confident was the team that the data reflected the current state of the environment rather than the state during the collection window?

If any of those controls are relevant to DPDPA, add a fourth question: if a data protection board review arrived tomorrow and required you to demonstrate access accountability for those controls as of today, how long would it take to produce that evidence?

The answers define the gap between your current compliance reporting architecture and what the frameworks you are audited against are starting to require. The Compliance Reporting API closes that gap at the data layer. The compliance score and control checkpoints are viewed at the monitoring layer. Evidence on demand is not the same as continuous visibility. But it is the starting point. 

See Akku PAM Compliance Capabilities  |  Talk to the Akku Team

Questions Security and Compliance Teams Ask About Compliance Reporting APIs

Q: What is the difference between a compliance reporting API and a GRC platform?

A: A GRC platform manages compliance workflows: control assignments, evidence uploads, risk registers, and audit scheduling. It depends on evidence being fed into it, either manually or through integrations. A compliance reporting API is an evidence source. It produces structured, audit-ready data from live system state that can be fed into a GRC platform, a SIEM, or a custom dashboard without manual extraction. The two are complementary. The GRC platform is where compliance is managed. The reporting API is where the underlying evidence comes from. For teams that already have a GRC platform but are manually extracting evidence to feed it, the API addresses the extraction step, not the management layer.

Q: Which specific ISO 27001:2022 Annex A controls does the Compliance Reporting API produce evidence for?

A: The API produces evidence relevant to A.8.15 (Logging), which requires that user activity and security event logs are produced, stored, and analysed. It produces evidence for A.8.16 (Monitoring Activities), which requires ongoing monitoring for anomalous behaviour. It supports A.5.15 (Access Control) and A.5.18 (Access Rights) through the authentication event and provisioning record output. GPO configuration data supports controls in the A.8 group that require specific system hardening and configuration baseline management. The full control-to-evidence mapping for Akku’s compliance capabilities is documented on the Akku compliance use case page. 

Q: What does the DPDPA Rules 2025 compliance requirement mean practically for how authentication evidence is stored and produced?

A: Under DPDPA, data fiduciaries must implement technical measures demonstrating that access to personal data is controlled, reviewed, and removed when no longer required. At the evidence level, this means the access record needs to show who had access, when access was granted, under what authorisation, and when it was removed. The access record needs to be producible on demand, not assembled when requested. The Compliance Reporting API produces authentication event data that includes user identifiers, timestamps, and access patterns in structured JSON. For organisations currently relying on manual log exports to satisfy DPDPA obligations, the shift to API-based evidence production changes the response time from days to seconds.

Q: How does the API handle evidence for organisations managing multiple compliance frameworks simultaneously?

A: The API output is framework-agnostic. The same structured JSON covering authentication events, GPO configuration state, and threat detection events is relevant to ISO 27001, SOC 2, HIPAA, RBI, SEBI CSCRF, and DPDPA. The difference between frameworks is which specific fields and time windows the auditor focuses on, not which underlying data is required. For organisations that currently run separate evidence collection processes for each framework, the API output serves all of them from a single call.

Q: What is the latency between a system event occurring and it being available through the API?

A: Events are written to the Akku audit log in near-real-time as they occur. The API reflects the current audit log state with low query latency. For compliance reporting purposes, the API supports both on-demand queries and scheduled retrieval. For monitoring use cases where near-real-time event data is needed for SIEM detection rules, the API supports real-time streaming retrieval. The authentication event output is the same data that feeds the MFA Failures and Login Metrics APIs, both of which are designed for near-real-time consumption.

Q: How does the Compliance Reporting API fit into the broader Akku compliance architecture?

A: The reporting API is one layer of a three-layer compliance architecture in Akku. The compliance score and per-framework breakdown provide the executive summary layer: a continuously updated score across ISO 27001, SOC 2, HIPAA, GDPR, DPDPA, RBI, and SEBI CSCRF, exportable for board reports. The control checkpoints view is the operational layer: every control, its live pass or fail status, the evidence behind it, and the specific fix action where a gap exists. The reporting API is the integration layer: structured evidence output consumable by external GRC platforms, SIEM tools, and custom dashboards. For organisations implementing all three layers, compliance evidence stops being something assembled before audits and becomes a continuous operational data surface.

MFA Verified the User. Nobody Verified the Device.

Your user authenticated this morning. They presented the right credentials. They completed the MFA challenge. Your access control system granted the session.

Here is what your authentication stack evaluated during that process: the identity of the person requesting access.

Here is what it did not evaluate: the security posture of the device they used to request it.

Whether the device was enrolled in any management system. Whether the OS had been patched in the last four months. Whether endpoint protection was running. Whether the device had been compromised. Whether it was a personal phone with no corporate security policy applied to it at all.

For most MFA deployments, none of these questions is part of the authentication decision. And in environments with distributed workforces, BYOD, and high-turnover teams, that gap is not a minor implementation detail. It is a structural exposure that exists at scale, every day, across every session that passes through an authentication layer designed to verify identity, but not endpoint security posture.

Why MFA Is an Identity Assertion, Not a Device Health Assertion

This distinction is worth being precise about because it is frequently misunderstood at the architecture level.

When a user authenticates with an OTP-based second factor, whether TOTP through an authenticator app, SMS OTP, or a push notification, the verification confirms one thing: that the person authenticating has access to the enrolled second factor at that moment. It confirms possession of a device or account associated with the enrolled factor. It says nothing about the security state of the device making the authentication request.

Certificate-based device authentication is different. When a device certificate is presented during authentication, the certificate is issued to a specific enrolled device, and the authentication proves that the request originated from a device holding that certificate. This is closer to device verification, but it still does not confirm the current security posture of the device. A certificate-enrolled device can be compromised, out of compliance with OS patching, or running prohibited applications. The certificate is present. The device may not be safe.

Genuine device verification requires something different: a real-time check of the device’s compliance state against defined policy criteria at the point of every access request. Not a check that was performed during enrollment and cached. A current check at the moment of the session. This is the principle behind zero-trust access security applied specifically to the endpoint layer.

The Environments Where This Gap Is Most Consequential

The device verification gap matters everywhere, but it is most consequential in specific environments because of how work actually happens in them.

ITeS and BPO organisations handling client financial, healthcare, or legal data operate under contractual obligations that specify data handling requirements at the endpoint level. A client contract that requires corporate-managed devices for accessing client data is violated the moment a team member accesses that data from a personal, unmanaged phone, regardless of whether their authentication credentials are valid. The authentication layer does not enforce the contract. A device compliance check does.

The ITeS and BPO industry in India handles some of the most sensitive data in the world on behalf of international clients. The workforce is large, distributed, and high-turnover. Remote work is the default for many roles. The probability that a significant portion of daily access happens from unmanaged personal devices is not theoretical. It is the operational reality. This is precisely what making your BYOD policy more secure means in practice: not a stricter policy document, but a technical control that enforces the policy at the access layer.

Healthcare organisations accessing Electronic Health Records face DPDPA obligations around how patient data is accessed at the device layer. An unmanaged device with no remote wipe capability that accesses patient records creates a data protection exposure that MFA does not address. If that device is lost or stolen, the data accessed during its last session has no technical protection once the authentication session is closed. Remote Security and Data Wipe through Akku MDM allows IT to remove work profile data without affecting personal content, but only from devices that were enrolled and managed in the first place.

Financial services firms under RBI and SEBI oversight face specific endpoint security requirements in the frameworks governing their cybersecurity posture. Unmanaged devices accessing trading systems, customer account data, or financial records represent a documented compliance gap in an audit context.

What Device Compliance Verification Actually Requires at the Architecture Level

Closing the device verification gap requires the access decision to incorporate device state, not just identity state. At the architecture level, this means the session proxy or access control layer must be able to query the device management system for the current compliance status of the requesting device before granting access.

The check needs to evaluate specific, configurable criteria. Device enrollment status in the MDM system. OS version compliance against minimum requirements. Endpoint protection status. Screen lock policy compliance. Data transfer restrictions. These are not binary enrolled or not enrolled checks. They are policy-based compliance evaluations against criteria the organisation defines through Device and Access Policy Enforcement.

The access decision then reflects both identity verification and device compliance. An authenticated user on a non-compliant or unenrolled device is denied access, not because their identity is invalid, but because the device through which they are authenticating does not meet the policy requirements for the data they are trying to access.

How Akku MDM and AkkuReka Enforce This Together

Akku MDM provides the device management and compliance layer. Device enrollment, policy application, and compliance monitoring are managed centrally from a single console across Android and iOS devices. The platform enforces specific device policies, including passcode requirements, screen capture restrictions, camera and microphone governance, and USB and Bluetooth data transfer controls through Device and Access Policy Enforcement. Application governance is handled through App Governance and Whitelisting, ensuring users can only access approved applications on managed devices.

For BYOD environments, Work Profile Isolation separates corporate applications and data from personal applications on Android devices, with enforced boundaries that prevent cross-profile data movement. Corporate data remains under IT control even on personally owned devices. If a device is lost or compromised, Remote Security and Data Wipe allows IT to remove work profile data without affecting personal content.

The compliance verification connects directly into the AkkuReka session proxy and the broader Akku access control layer through the Security Hardening and Zero-Trust Posture framework. When a session is requested, AkkuReka evaluates identity through Akku IAM, device compliance through the MDM system, and contextual factors, including IP, location, and time of day, through Contextual Access Control. A device that fails the MDM compliance check is blocked before the session opens, regardless of whether MFA is passed.

The adaptive MFA layer adds behavioural anomaly detection on top of device compliance verification. The system evaluates the context of every access request against the user’s established patterns. When a request deviates from normal behaviour, such as a new device, an unexpected location, or an unusual time of day, the system escalates the authentication challenge even if the device is enrolled and compliant. Identity verification, device compliance, and contextual behaviour work together as a unified zero-trust verification chain rather than as independent checks.

The same policy engine governs both SaaS application access and privileged server access through Akku PAM. An employee authenticating to a business application and an administrator requesting a privileged server session both pass through the same device compliance check. The policy is consistent across the entire access surface. For teams that need to work from any location securely, the work from anywhere use case covers how device compliance enforcement integrates with the broader remote access security model.

For organisations building out a BYOD security posture, the BYOD security use case covers how device enrollment, work profile isolation, and policy enforcement work together in practice. For teams managing compliance obligations under GDPR, HIPAA, NIS2, or DORA alongside DPDPA, the compliance use case page covers how Akku’s controls map to each framework’s specific access and endpoint requirements.

The Questions Worth Asking About Your Current Setup

Look at the access requests that came through your authentication system in the last thirty days. For each one, answer honestly.

Do you know whether those requests originated from managed, enrolled devices or from personal devices with no corporate security policy applied?

If a device used to access corporate data in that period was lost or stolen today, what data accessed during its last session would be exposed, and what technical control would limit that exposure?

For your ITeS or healthcare teams accessing client or patient data from home: is there a technical mechanism verifying device compliance before access is granted, or is the BYOD policy a document that relies on user compliance?

If your organisation underwent a DPDPA or ISO 27001 audit next month and the auditor asked you to demonstrate that access to personal data is limited to compliant, managed devices, what evidence would you produce?

If any of those questions produced a gap rather than a clear answer, the device verification layer in your access architecture is carrying exposure that MFA alone is not designed to close.

See How Akku MDM Works | See How Akku Enforces Zero-Trust at Every Session | Talk to the Akku Team

Questions IT and Security Teams Ask About Device Verification and MFA

Q: Why does passing MFA not mean the device is secure?

A: MFA verifies identity. It confirms that the person authenticating has access to the enrolled second factor at that moment. It does not evaluate the security posture of the device making the authentication request. An OTP challenge confirms possession of an authenticator app or phone number. It says nothing about whether the device is enrolled in an MDM system, running a compliant OS version, protected by endpoint security software, or in a compromised state. Identity verification and device health verification are separate technical checks that require separate mechanisms.

Q: What is the difference between device enrollment status and device compliance status?

A: Enrollment status confirms that a device is registered in the MDM system and subject to management. Compliance status confirms that the device currently meets the specific policy criteria defined through Device and Access Policy Enforcement: OS version, passcode strength, endpoint protection active, and prohibited applications absent. A device can be enrolled but non-compliant if it has fallen out of policy since enrollment. Genuine device verification checks compliance state at the point of every access request, not just at enrollment.

Q: How does Work Profile Isolation protect corporate data on personally owned BYOD devices?

A: Work Profile Isolation on Android devices creates a separate, isolated container for corporate applications and data. Applications within the work profile cannot share data with personal applications. Copy and paste between profiles is restricted. Files from the work profile cannot be shared externally through personal applications. Corporate data remains under IT control within the work profile boundary. If the device is lost, IT can remotely wipe the work profile data through Remote Security and Data Wipe without affecting the user’s personal data.

Q: What happens technically when a non-compliant device attempts to access corporate resources through Akku?

A: When a session is requested, AkkuReka evaluates the compliance status of the requesting device through the MDM system as part of the zero-trust verification chain. If the device fails the compliance check, regardless of whether MFA passed, AkkuReka denies the session before it opens. The event is logged. No session is created. No data is accessible.

Q: What compliance frameworks specifically reference endpoint or device-level access controls?

A: ISO 27001 Annex A control A.6.2 covers mobile device policy and teleworking requirements, including device management. The RBI Cybersecurity Framework specifies endpoint security requirements for BFSI organisations. DPDPA requires data fiduciaries to implement appropriate technical measures to protect personal data, which regulators interpret as including endpoint controls for devices accessing personal data. HIPAA’s Physical Safeguard requirements at 45 CFR 164.310 include workstation use and device controls. Akku’s approach to meeting these requirements is covered on the compliance use case page.

Server Access Isn’t All-or-Nothing. The Organisations Treating It That Way Have a Problem.

When you give someone SSH access to a Linux server, what exactly have you given them?

Think about that carefully before answering. Because the instinct is to say “access to do the thing they were brought in to do.” But what the SSH session actually provides, absent any command-level restrictions, is an interactive shell with whatever privileges the account carries. That is not the same thing. Not even close.

A developer given SSH access to restart a service has, in the same session, the technical ability to read log files, navigate the file system, view running processes, install packages if the account permits it, modify configuration files, and run any command the system allows for that user. The restart-the-service use case is a one-liner. The SSH session is a general-purpose compute environment.

Most organisations know this is true and treat it as acceptable risk. This blog explains why that calculation is wrong, and what enforcing least privilege at the command level actually looks like technically.

Where the Principle of Least Privilege Stops Short in Most Environments

Least privilege is well understood as a principle and inconsistently applied as a control. At the application layer, role-based access control is reasonably mature in most organisations. Users have the permissions their role requires, and access is reviewed periodically. At the server layer, the model collapses.

The reason is architectural. SSH provides an authenticated shell. Once the shell opens, what the user can do is governed by the Unix permission model on the target system, not by any IAM policy. The IAM system verified the identity. It has no further influence over what happens inside the session.

This means privileged access management that stops at session authentication is not enforcing least privilege. It is enforcing authenticated access, which is a different and weaker control. If you want to understand the full scope of what PAM is supposed to cover, the PAM explained blog covers the complete framework, including where session-level controls fit within the broader privileged access architecture.

There are two common approaches organisations use to address this within the Unix permission model, and both have significant limitations in enterprise environments.

sudo policy files. Restricting commands through the sudoers file on each target server is technically viable but operationally brittle. Every change to the permitted command set requires an update to the sudoers file on every affected server. In environments with dozens or hundreds of servers, this creates a configuration management burden that leads to inconsistency. Servers end up with different policies because updates are applied inconsistently. Over time, the gap between what the policy says and what is actually enforced on each server grows.

The deeper problem is that sudoers management happens at the server layer, disconnected from the identity and access management system. When a user’s role changes or they leave the organisation, the sudoers entries do not automatically update. This is the same offboarding gap that automated provisioning and de-provisioning address at the application layer, but misses entirely at the server layer when PAM is not in place.

Restricted shells. Rbash and similar restricted shell environments limit certain operations within the shell itself. They are easy to escape in ways that are well documented, and they are not a serious control in environments where the user has any technical sophistication.

Neither approach gives you what you actually need: per-user, per-server command restrictions managed centrally, enforced at the session layer, and connected to your IAM system so that changes propagate automatically.

What Happens When the Restriction Model Breaks Down

The risk is not abstract. Consider a third-party vendor brought in to perform database maintenance on a production server. They need to connect to the database service, run specific diagnostic queries, and restart a process if needed. The IT team grants SSH access to the relevant server.

During the session, the vendor is working on the task they were given. But nothing technical prevents them from exploring the file system, reading application configuration files that may contain connection strings for other systems, viewing the contents of log files that include user activity or transaction data, or running commands outside the scope of their engagement.

Most vendors would not do this deliberately. But the risk is not primarily deliberate misuse. It is the combination of accidental exposure and the absence of any audit evidence that would surface it. If the session produces only a login and logout timestamp, there is no record of what was accessed or explored. The SMART Audit Trails capability in Akku PAM closes this specific gap, capturing every command executed during an SSH session with a precise timestamp. But audit trails tell you what happened after the fact. Granular Access Control prevents what should not happen in the first place.

When a compliance audit asks you to demonstrate that your third-party vendor had access scoped to their specific task, an SSH session with no command restrictions and no command-level audit log does not satisfy that requirement. Not under ISO 27001 Annex A.9, not under DPDPA’s data processor governance requirements, not under the RBI Cybersecurity Framework’s privileged access monitoring requirements. For manufacturing organisations managing contractor access to OT-adjacent systems, or financial services firms operating under SEBI’s CSCRF, this is a documented audit gap, not a theoretical concern.

What Command-Level Restriction Actually Requires at the Architecture Level

Effective command-level restriction needs to satisfy three technical requirements simultaneously.

The restriction must be enforced at the session layer, not the server layer. Configuration on the target server is operationally unsustainable at scale and disconnected from the IAM system. The session proxy is the correct enforcement point because it sees every command before execution and has access to the identity and policy context.

The restriction must be per user per server. The same user on different servers may require different permitted command sets. Different users on the same server may require different permitted commands. A flat policy that applies the same restrictions to everyone on a given server does not map to real operational requirements.

The restriction must be connected to the identity system so that policy changes, role changes, and offboarding propagate automatically without a separate remediation step at the server layer.

How Akku PAM Enforces This

Granular Access Control in Akku PAM allows administrators to define a permitted command list for each user on each SSH server, configured from the Akku Admin Console. Different users on the same server can have different permitted command sets. The same user on different servers can have different permissions.

Enforcement happens at the AkkuReka session layer. When the user executes a command inside the SSH session, it is checked against their permitted list in real time before execution on the target server. If the command is permitted, it executes normally. If it is not on the list, it is blocked at the point of execution, regardless of the user’s underlying system privileges on the server. This requires no agent on the target server and no changes to the server configuration.

Because enforcement happens at AkkuReka rather than the server layer, changes to permitted command lists propagate immediately across every server in scope. There is no sudoers file to update, no configuration management job to run, no inconsistency between servers.

SMART Audit Trails capture every command executed during the session, including every command that was attempted and blocked, with a precise timestamp. The combination of Granular Access Control and SMART Audit Trails provides two things neither delivers alone: technical enforcement of the intended access scope, and a complete logged record of how that scope was used. Both are exportable as compliance evidence for ISO 27001, RBI, DPDPA, SOC 2, and PCI-DSS requirements.

The just-in-time access layer adds another dimension on top of command-level restriction. Rather than granting standing SSH access that persists indefinitely, JIT access means elevated access is requested, approved through a configurable chain, granted for the duration of the task, and automatically revoked when the session ends. When you combine JIT access with Granular Access Control, the result is privileged access that is time-bounded, scope-bounded, and command-bounded simultaneously.

The security hardening and zero-trust posture layer applies across every session that AkkuReka governs: adaptive MFA, MDM device compliance enforcement, IP and location restrictions, and time-of-day policies. The same policy engine that governs access to your SaaS applications governs access to your servers. There is no separate security posture for infrastructure versus applications.

When an employee or contractor is offboarded from Akku IAM, their infrastructure access is revoked immediately through AkkuReka. The permitted command lists are irrelevant at that point because the session proxy will not open a session for a deprovisioned identity. There is no separate step at the server layer.

For organisations with third-party vendor access to production infrastructure, Granular Access Control enables a specific capability that is otherwise architecturally difficult to achieve: contractors and vendors can be given SSH access scoped precisely to the tasks they need to perform, with a technical boundary preventing them from exceeding that scope. This is directly relevant for ITeS and BPO organisations managing vendor access to client environments, and for manufacturing organisations where third-party maintenance contractors regularly need server access scoped to specific operational tasks.

Before You Move On

Pull the sudoers configuration from three production servers in your environment. For each server, answer these questions.

Does the current configuration accurately reflect the minimum commands each user requires for their current role, or does it reflect the configuration that was set up when the server was provisioned and has not been meaningfully reviewed since?

If a contractor completed their engagement six months ago and their account was disabled in Active Directory, do the sudoers entries on these servers still reference their account?

If a user exceeds their intended scope during an SSH session today, where in your current logging setup would that show up?

If the policy on these servers needed to change tomorrow, how many systems would you need to update manually, and how confident are you that the update would be applied consistently across all of them?

See How Akku PAM Granular Access Control Works | Talk to the Akku Team

Questions Infrastructure and Security Teams Ask About Command-Level Access Control

Q: Why is SSH access considered all-or-nothing even when role-based access control is in place at the application layer?

A: RBAC at the application layer controls what users can do within applications. SSH access operates at the operating system layer, below the application. Once an SSH session is open, the user has an interactive shell governed by Unix file permissions and sudo policies on the target server, not by any IAM policy. The IAM system verified the identity at the point of authentication and has no further influence inside the session. Least privilege at the application layer and least privilege at the server layer are two separate and independent controls.

Q: What are the limitations of using sudoers files to restrict commands?

A: The sudoers approach works in principle but fails operationally at scale. Every change to the permitted command set requires updating the sudoers file on every affected server individually. In environments with dozens or hundreds of servers, this creates configuration drift where the effective policy on each server diverges from the intended policy over time. Sudoers management is also disconnected from the IAM system, meaning that role changes and offboarding do not automatically propagate to server-level command restrictions. AkkuReka enforces command restrictions centrally at the session proxy layer, eliminating both the configuration drift problem and the IAM disconnection problem.

Q: How does command-level restriction differ from session recording?

A: Session recording captures what happened. Command-level restriction prevents what should not happen. Recording tells you after the fact that a user ran a command they were not supposed to run. Restriction blocks the command before it executes. SMART Audit Trails handle recording. Granular Access Control handles restrictions. Together, they provide enforcement plus forensic evidence.

Q: Does command-level restriction require installing an agent on target servers?

A: Akku PAM’s Granular Access Control does not require any agent on target servers and no changes to server configuration. Enforcement happens at the AkkuReka session proxy layer, which intercepts every command before it reaches the target server. The server receives only commands that passed the permitted list check.

Q: How are permitted command lists managed when contractors or third-party vendors need temporary access?

A: Permitted command lists are configured per user per server from the Akku Admin Console. For a contractor engagement, the administrator creates a list specific to that contractor on the specific servers they need to access. Just-in-time access can be layered on top, so the access is also time-bounded. When the engagement ends, and the contractor’s IAM identity is deprovisioned from Akku IAM, AkkuReka stops opening sessions for that identity immediately. No separate cleanup of server-level configurations is required.

Your Server Credentials Are a Liability. Most IT Teams Already Know It.

When did you last rotate the root password on your most critical production server?

Not when it was scheduled. Not when the policy says it should have been. When it actually happened, with a documented record, and with every system that depended on that credential updated at the same time.

If that question made you pause, you are not alone. And the pause itself is the problem, because an attacker or an auditor is not going to wait for you to work out the answer.

Most infrastructure teams carry this risk quietly. Not because they are careless, but because the operational cost of rotating credentials manually across a production environment is high enough that it gets deferred, and deferred again, until the password that was set during initial provisioning is still running in production two years later.

This blog covers what that actually means at the infrastructure layer, where the failure modes are specific, where they hide, and what it takes to close them properly.

The Three Ways Static Credentials Fail, and None of Them Are Obvious Until Something Goes Wrong

SSH keys that outlive the people who hold them. Disabling an Active Directory account does not revoke SSH access on Linux servers. The two authentication systems operate independently. The server’s authorized_keys file holds public keys that are trusted for connection regardless of whether the corresponding identity is active in any directory service. Unless the public key is explicitly removed from authorized_keys on every target server, a former employee’s SSH key remains valid indefinitely after their AD account is disabled.

In environments with dozens or hundreds of servers, this removal step is almost never done consistently. The result is a standard offboarding process that appears complete, AD account disabled, email deactivated, VPN revoked, while SSH access to production infrastructure persists untouched. This is exactly the kind of gap that automated provisioning and de-provisioning is designed to eliminate, but only when the provisioning system is connected to the infrastructure access layer, not just the application layer.

Service account passwords embedded in configuration files. Database connection strings, API service accounts, and application configuration files frequently contain static credentials. Rotating them requires updating every instance simultaneously, testing that nothing breaks, and coordinating a deployment. The operational cost is high enough that most teams do it infrequently. The password that was set during the initial deployment is often the password running in production three years later, embedded in config files across multiple servers, known by everyone who has ever touched the deployment pipeline.

Jump server credential passthrough. In environments using a bastion host, the jump server frequently holds static credentials to target systems. The user authenticates to the jump server, and the jump server authenticates to the target using credentials stored in its own configuration. From the user’s perspective, access appears controlled. From a security perspective, the target credentials exist in plaintext in the jump server’s configuration, accessible to anyone who can extract them from memory during an active session or read them from the configuration store directly.

What a Credential Compromise Looks Like From the Inside, and Why It Is Hard to Detect

The incident does not start with an alert. It starts with an anomaly. A dataset that looks wrong. A configuration file that has been modified. A process running that was not there yesterday.

The investigation team pulls the access logs. They have authentication events: timestamps, source IPs, and session durations. What they do not have is command-level attribution within sessions. They can establish that a specific service account authenticated to a server during a specific window. They cannot establish what that account did once the session opened, because the logging was never configured at that depth.

This is the visibility gap that SMART Audit Trails address directly. Every SSH command executed during a privileged session is captured with a precise timestamp, automatically, tamper-proof, and searchable. But that audit trail only exists if the session ran through a governed proxy. Static credentials used through a jump server or direct SSH connection produce no such record.

The investigation then tries to attribute the service account to a specific individual. This is where static shared credentials produce their most damaging consequence. When a password has been held by multiple people over time, with no rotation log to establish which version was active at any given moment, the attribution chain collapses. The investigation cannot prove who was responsible. It cannot prove that an unauthorised party was involved either. It produces no conclusion.

For regulated organisations, this is not just an operational failure. The RBI Cybersecurity Framework requires privileged access monitoring and audit trails that support forensic investigation. DPDPA requires data fiduciaries to demonstrate accountability over access to personal data. ISO 27001 Annex A control A.9.4 requires that access to privileged utility programs is restricted and controlled. An inconclusive investigation is evidence that none of these controls were operating effectively.

What Actually Fixing This Requires at the Architecture Level

The answer is not a stricter password policy. A policy requiring 90-day rotation on a 200-server estate still depends on a person doing the work, updating every dependent system, and documenting the change. It fails the moment the person is unavailable, the process is skipped, or the dependency map is incomplete.

Closing this gap requires three things to be true simultaneously.

Credentials must be stored in a central encrypted vault with no local copies, no configuration file embeddings, and no human-readable form outside the vault itself. Every retrieval event must be logged.

Rotation must be automated and independent of human scheduling. The credential changes on a defined interval. The vault stores the new value. Every system that needs the credential retrieves it from the vault at runtime rather than holding a cached copy.

Credential injection must happen at the session layer, not the user layer. This is the architectural distinction most credential management tools miss. Giving a user a rotated password from a vault still gives the user a password. They can copy it, photograph it, or retain it after rotation. True credential security requires that the user never receives the credential at all. The zero-trust session proxy injects it directly into the connection at the protocol layer. The user connects. The credential exchange happens between the proxy and the target system. The user never sees it.

When these three layers work together, the credential never exists in human-accessible form at any point in the session lifecycle. This is the architecture behind enforcing zero-trust access security at the infrastructure level.

How AkkuArka and AkkuReka Implement This

AkkuArka is the credential vault and rotation engine at the core of Akku PAM. Every privileged credential across the infrastructure, server passwords, SSH keys, database credentials, service account passwords, is stored and encrypted centrally. There is no local credential storage, no per-server password management, and no credential distribution to endpoints.

Rotation is automated on a configurable schedule. When rotation runs, AkkuArka generates the new credential, updates the target system, stores the encrypted value in the vault, and invalidates the previous credential. No IT intervention required. No deployment coordination. No risk of a partially updated environment where some instances still hold the old credentials.

For database access, AkkuArka goes further than password rotation. Rather than rotating a shared service account password, it generates a unique throwaway user for every single database session. For PostgreSQL, MySQL, and MongoDB, a new role is created at the point of the access request, scoped with the minimum permissions required for that session. When the session closes, the role is dropped. There is no persistent shared database credential in any form. Every session is isolated by design. This is what just-in-time access looks like applied to credentials, not just sessions.

AkkuReka is the zero-trust session proxy that handles credential injection. When an administrator requests a session, AkkuReka verifies identity through Akku IAM, checks device compliance, evaluates contextual access policies including IP, location, and time of day, and checks approval status if a just-in-time workflow is configured. Only when all conditions are satisfied does AkkuReka open the session.

The credential injection happens at the protocol layer within AkkuReka. For SSH sessions, AkkuReka handles key injection transparently. The administrator opens a browser-based terminal through AkkuReka. The connection to the target server uses credentials retrieved from AkkuArka and injected into the SSH handshake. The administrator never sees the key. Every command executed in the session is captured with a precise timestamp through SMART Audit Trails, tamper-proof and searchable by user, command, server, or time window.

The offboarding gap closes automatically. When an employee is offboarded from Akku IAM, their access to all privileged systems is revoked at that moment. Because access is mediated through AkkuReka rather than direct SSH key authentication, removing the IAM identity terminates infrastructure access immediately. The authorized_keys file on target servers does not need individual updates. There is no window between HR offboarding and IT revocation where a departing employee retains live access.

This matters particularly for manufacturing organisations managing contractor access to OT-adjacent systems and financial services firms where RBI and SEBI audit obligations require documented credential lifecycle management. In both cases, the risk of a former employee or contractor retaining active server credentials is a compliance finding, not just a security concern.

If you want to understand how privileged access management fits into the broader infrastructure security framework, the PAM explainer on the Akku blog covers the full architecture in detail. For teams managing PAM across cloud and hybrid environments, specifically, the PAM in cloud and hybrid environments blog covers the deployment considerations that apply across mixed infrastructure estates.

The Four Questions Worth Asking Before You Move On

Pick your three most critical production servers and answer these honestly.

Can you produce a documented rotation record for every credential used to authenticate to these servers in the last ninety days?

For every authentication event in that period, can you show command-level attribution, not just which account connected, but what that account did inside the session?

If a former employee who left in the last twelve months attempted to authenticate using SSH keys they held before their departure, would the attempt succeed?

Are any service account passwords embedded in configuration files on these servers currently shared with other systems or individuals?

If any of those produced an uncertain answer, the gap between your current posture and what a forensic investigation or compliance audit requires is not theoretical. It is live, right now, in your infrastructure.

See How Akku PAM Works | Talk to the Akku Team

Questions Infrastructure and Security Teams Ask About Server Credential Management

Q: Why does disabling an Active Directory account not revoke SSH access to Linux servers?

A: SSH key-based authentication on Linux servers operates independently of Active Directory. The server’s authorized_keys file holds public keys trusted for authentication regardless of whether the corresponding identity is active in any directory service. Unless the public key is explicitly removed from authorized_keys on every target server, or unless SSH access is gated through a proxy like AkkuReka that enforces IAM state in real time, a disabled AD account does not affect SSH connectivity. This is the most common and least-discussed credential persistence gap in hybrid infrastructure environments.

Q: What is the technical difference between rotating a database password and using per-session throwaway users?

A: Password rotation changes a shared credential on a schedule. Every application, script, and service connecting to the database using that credential must be updated simultaneously, or the connection fails. Throwaway users solve the problem at a different layer. A unique database role is created for each session with permissions scoped to that task, then dropped when the session closes. For PostgreSQL, MySQL, and MongoDB, AkkuArka handles role creation and expiry automatically at the point of each session request.

Q: How does credential injection work at the SSH protocol layer without the user seeing the key?

A: When a session is opened through AkkuReka, the session proxy handles the SSH handshake to the target server directly. AkkuReka retrieves the current credential from AkkuArka, uses it to authenticate to the target on behalf of the session, and presents the user with a proxied terminal connection. The credential is used in the protocol exchange between AkkuReka and the target server. It is never transmitted to the user’s endpoint and never appears in the user’s session context.

Q: How are service account passwords embedded in application configuration files handled?

A: AkkuArka addresses this by becoming the credential source at runtime rather than at deployment time. Instead of embedding a static password in a configuration file, applications retrieve the current credentials from AkkuArka at the point of connection. When AkkuArka rotates the credential, the application automatically retrieves the new value on its next connection attempt. There are no stale configuration files holding old credentials, and no coordinated deployment is required when rotation occurs.

Q: What compliance frameworks specifically require privileged credential management controls?

A: ISO 27001 Annex A control A.9.4 requires restriction and control of access to privileged utility programs, including credential management. The RBI Cybersecurity Framework requires privileged access management controls covering credential governance and audit trails for scheduled commercial banks. DPDPA requires data fiduciaries to implement appropriate technical measures to protect personal data. SOC 2 Trust Services Criteria CC6.1 through CC6.3 cover logical access controls, including privileged account management. PCI-DSS Requirement 8 specifies rotation intervals and shared credential prohibitions. Akku PAM is built to satisfy all of these. See the compliance coverage on the Akku PAM page for the full breakdown.

Is Your PAM Solution Built on a Remote Desktop Gateway?

If you are currently evaluating Privileged Access Management solutions, there is a question worth asking the vendors in your shortlist: what is this product actually built on?

Not every PAM solution on the market was built from the ground up as a PAM platform. Some are remote desktop gateways with PAM features bolted on. Some are built on top of open-source tools like Apache Guacamole, a browser-based access gateway that was never designed for privileged access management.

That distinction matters more than most buyers realise. Here is why.

What Apache Guacamole Actually Is

Apache Guacamole is a free, open-source, clientless remote desktop gateway maintained by the Apache Software Foundation. It allows users to access servers via SSH, RDP, VNC, and Telnet through a web browser, with no client software installed.

It is a well-built tool for what it was designed to do: give administrators browser-based access to infrastructure without a VPN. Many IT teams deploy it as a jump server or bastion host. At zero licensing cost, it is an attractive starting point.

But it is a starting point, not a destination for organisations with real security or compliance requirements.

The Problem With Calling It PAM

The term Privileged Access Management describes a specific set of security controls: dynamic credential management, session approval workflows, adaptive multi-factor authentication, compliance-ready audit trails, and least-privilege enforcement. These are the capabilities auditors look for when they assess your PAM posture for SOC 2, ISO 27001, PCI-DSS, RBI, or DPDPA.

Apache Guacamole provides none of these natively.

It records sessions. It logs who connected and when. It can integrate with LDAP for authentication. But credentials are stored statically in its connection configuration, meaning someone in your IT infrastructure knows the actual server password, or it exists in a file that could be accessed. There is no credential vault that generates dynamic, per-session credentials. There is no approval workflow that stands between a user’s request and the target server. There is no adaptive MFA that escalates when a login comes from an unfamiliar device.

This is not a criticism of Guacamole. It was not designed to be a PAM platform. The issue arises when a product built on Guacamole is sold as one.

What a Gateway-Based ‘PAM’ Cannot Do

Credential Security

In a genuine PAM platform, users never see or handle the target credentials. The platform generates a unique, short-lived credential for each session, injects it silently into the proxied connection, and destroys it when the session ends. There is nothing to leak because there is nothing the user ever knows.

In a Guacamole-based solution, credentials are pre-configured and stored statically. The system passes them through, but they exist in a form that can be accessed, extracted, or exposed. Password rotation is manual. A departing administrator who knew a server password still knows it after you delete their account from the gateway.

Session Governance

A PAM platform includes a session approval workflow: a user requests access, an administrator reviews and approves, and only then does the session open. This provides a human checkpoint for every privileged action on critical infrastructure.

Guacamole has no approval workflow. A user with connection access connects immediately. The audit trail tells you what happened, but nothing prevented it from happening.

Database Access

Guacamole does not support database sessions at all. For organisations where database administrators access PostgreSQL, MySQL, or other systems, a Guacamole-based solution provides zero visibility into what SQL queries were executed during a session, a direct gap in any audit that asks for database activity logs.

A purpose-built PAM platform proxies database sessions and captures every query, timestamped and structured, alongside the session recording.

Compliance Evidence

When an auditor asks for evidence of privileged access controls, they are looking for dynamic credential management, session approval records, searchable audit trails, and adaptive MFA. Guacamole can provide a session recording and a connection log. It cannot provide the rest.

For teams pursuing SOC 2, ISO 27001, PCI-DSS, or India’s RBI Cybersecurity Framework and DPDPA requirements, this gap requires additional tooling, tooling that typically costs more than a purpose-built PAM platform would have in the first place.

How to Tell What You Are Actually Buying

When evaluating a PAM solution, ask these questions directly:

  • Does the platform generate dynamic, per-session credentials, or does it store static credentials in connection configuration?
  • Do users ever see, know, or handle the actual target password, or is credential injection completely invisible to them?
  • Is there a session approval workflow where a human must explicitly authorise access before a session opens?
  • Does the platform proxy database sessions (MySQL, PostgreSQL) and capture SQL query logs, or only SSH and RDP?
  • Is MFA adaptive, does it escalate based on device, location, IP, or time, or is it binary on/off?
  • If you remove a user from the identity platform, is their access to all privileged systems revoked immediately, or does the gateway need to be updated separately?

If the answers reveal a gateway with credential pass-through and no approval workflow, you are looking at infrastructure access tooling, not a PAM platform.

What Akku PAM Is Built On

Akku PAM was designed from the ground up as a Privileged Access Management platform, not adapted from a remote desktop gateway. It is built around two purpose-built components.

AkkuArka is the credential vault. It generates a unique credential for each privileged session, server passwords, database users, SSH keys, at the moment access is requested. When the session ends, the credential expires. There are no static passwords in configuration files. There is nothing for a user to know or leak.

AkkuReka is the session proxy. Every privileged connection, SSH, RDP, database, Kubernetes, passes through AkkuReka. Before a session opens, AkkuReka verifies the identity, the device, the location, the IP, the time of day, and the approval status. The session is recorded end to end. Every SSH command, every SQL query, every RDP action is captured, timestamped, and stored in SMART Audit Trails, tamper-proof and fully searchable.

The result is a privileged access architecture where users connect to critical systems without ever knowing the password, every session requires explicit verification, and every action leaves a complete, searchable audit trail.

For organisations with compliance obligations, or for IT teams that simply want to know, with certainty, what is happening on their infrastructure, that is the difference between a remote desktop gateway and a PAM platform.

The Bottom Line

Apache Guacamole is a capable, free, open-source tool. If browser-based server access with basic session recording is all you need, and compliance, credential security, and audit trails are not requirements, it does its job.

But if a PAM solution is being positioned to you as meeting your compliance and security requirements, and it is built on or compared to a remote desktop gateway, the gap between what it promises and what it can actually prove in an audit is worth understanding before you sign.

Ask the six questions above. The answers will tell you what you are actually buying.

See How Akku PAM Works | Talk to the Akku Team

Questions We Hear Most From IT and Security Teams

Q: Is Apache Guacamole a PAM solution?

A: No. Guacamole is a remote desktop gateway. It provides browser-based access to servers but does not include a credential vault, dynamic credential generation, session approval workflows, or adaptive MFA. These define a Privileged Access Management platform.

Q: Can a Guacamole-based solution meet PAM compliance requirements?

A: Partially, and only with significant additional tooling. Guacamole provides session recording and a connection log, which satisfies some audit requirements. But dynamic credential management, session approval workflows, database session logging, and adaptive MFA require either purpose-built additions or a separate platform.

Q: What is the difference between a remote desktop gateway and a PAM platform?

A: A remote desktop gateway provides access to servers via browser or proxy. A PAM platform governs, records, and controls everything about that access: who approved it, what credentials were used, what actions were taken, and whether those credentials still exist after the session ended. The gateway gets you in. The PAM platform is accountable for what happens once you are.

Q: How does Akku PAM handle privileged session access?

A: Every privileged session passes through AkkuReka, which verifies identity, device, location, IP, and approval before opening the connection. AkkuArka generates a unique credential for the session, one the user never sees, and destroys it when the session ends. Every action is recorded and logged in SMART Audit Trails, searchable by user, command, system, or time window.

Q: Does Akku PAM require complex infrastructure like Guacamole?

A: No. Akku PAM deploys a lightweight worker near your target infrastructure. No Tomcat, no guacd, no database to manage. Most organisations are live within hours to a few days without specialist infrastructure expertise.

You Know Who Logged In. But Do You Know What They Did?

You probably think you know what your admins are doing on your servers. Here is what your logs are actually showing you.

A name. A timestamp. A session duration.

That’s it.

Forty-one minutes on a production server, and your audit trail tells you someone was there. It doesn’t tell you what they typed. What they changed. What they looked at. Whether they ran one command or fifty. Whether anything that happened in those forty-one minutes is the reason your environment looks the way it does today.

Sound familiar? It should, because this isn’t a rare edge case. It’s the default state for most IT environments, and most teams don’t realise it until something breaks and they go looking for answers that aren’t there.

Privileged session access log showing only login and logout timestamps for two admin users with no record of commands executed during the session.

Three Real Scenarios Worth Examining

Here are three scenarios. See if any of them have happened in your organisation.

Scenario one:

A contractor was brought in for a three-week infrastructure project. They were given SSH access to two production servers. The project ended, HR offboarded them, and their email was deactivated. Six months later, during a routine review, you find their SSH key is still live. You want to know how often they connected after the project ended and what they did. Your logs show connection events. That is all.

Scenario two:

Your senior DBA ran a maintenance job last Friday night. The session lasted two hours. Monday morning, a business team reports that a dataset looks wrong. Rows that should be there are not. You pull the logs. You can confirm the DBA was connected. You cannot see a single query they ran.

Scenario three:

A developer needed production access to restart a service. It was meant to take ten minutes. The session lasted forty-five. You approved the access, you can see the login and logout times, and you have no idea what else they did while they were in there.

None of these is hypothetical. These are the conversations happening in security post-mortems across mid-market organisations right now. And in each case, the team investigating the incident hits the same wall. They know who was there. They can’t tell you what happened.

Three privileged access scenarios showing a contractor SSH session, a DBA maintenance session, and a developer production session, each with captured login events but no record of commands run, queries executed, or actions taken.

The Root Cause Is Architectural, Not Operational

It’s not because your team isn’t doing their job. It’s because the tools most organisations use for infrastructure access were built for connectivity, not governance.

A VPN gets your admin to the network. A jump server creates a single pathway. Direct SSH authentication proves identity. None of these was designed to record what happens after the connection opens. They get the person in the room. They don’t watch what the person does inside it.

And honestly, for a standard user accessing a business application, that’s probably fine. The application itself logs activity. The scope of what they can do is bounded.

But privileged users are a different conversation entirely. A sysadmin on a production server can modify configurations, delete files, install scripts, change permissions, and exfiltrate data, all in a single session. A DBA with direct database access can run queries that touch millions of records. A DevOps engineer with Kubernetes access can make changes that won’t surface as problems for days.

The result? Privileged account security is the most under-governed area in most IT environments. You have more documented visibility into what a junior analyst does in your CRM than into what your most trusted infrastructure admins do on your most critical systems.

That’s not a comfortable thing to sit with.

Where the Absence of Session Visibility Becomes a Business Risk

Post-incident investigations:  Something breaks. You need to know what changed and when. Without command-level logs, you are working backwards from symptoms. What should take an hour takes days. Sometimes you never find the answer. And ‘we can see someone was logged in, but we don’t know what they did’ is not an acceptable conclusion when you are explaining an incident to leadership or a regulator.

Compliance and audit requirements:  Whether your obligations sit under ISO 27001, RBI’s Cybersecurity Framework, SEBI’s CSCRF, HIPAA, or India’s DPDPA, the requirement is consistent. You need to be able to demonstrate what privileged users did, not just that they authenticated. ‘We have login records’ gets you through the basic check. It does not satisfy a forensic audit. Auditors are getting better at knowing the difference.

Insider threat detection:  This one’s uncomfortable but worth saying plainly. Your most dangerous insider threat isn’t someone trying to break in from outside. It’s someone who already has legitimate access and uses it in ways they shouldn’t. Detecting that requires knowing what normal behaviour looks like for each privileged user, and building that baseline is impossible if you’re not logging what they do in every session. Right now, if an admin is misusing their access, you might find out eventually. But you won’t find out from your logs.

What Session-Level Accountability Looks Like in Practice

Privileged session monitoring, done properly, operates at a level below authentication events. It captures what happens inside the session itself.

For SSH sessions, that means every command is logged individually with a precise timestamp, automatically, with no setup required on the target server. You can search it later by user, by command, by server, or by time. If something changed, you can find out exactly when and exactly what was run.

Akku PAM SMART Audit Trails interface showing a timestamped SSH command log with every command captured automatically and searchable by user, server, or time window.

For RDP sessions, it means full session recording, a video-playback record of what happened on screen during the session. No more guessing. No more reconstructing from system logs that weren’t built for forensic investigation.

For database access, it means query logging. Every query, every session, every user. That Friday night maintenance job? You’d have a complete record of every statement that ran.

This is the difference between knowing someone was in the room for forty-one minutes and knowing what they did in every minute of it.

Akku PAM is built on this model, where no privileged session reaches your infrastructure unrecorded. But the more immediate question is whether your current setup can answer what we are about to ask.

A Practical Diagnostic for Your Current Environment

Pick any privileged session from the last thirty days in your environment. A sysadmin on a server, a DBA on a database, and a contractor who was given temporary access.

Now answer these:

  • What commands did they run?
  • What files did they access or change?
  •  Can you produce a timestamped record of every action they took during that session?

If you’re hesitating on any of those, your audit trail ends at the login event. You know the door opened. You don’t know what happened inside.

That’s the gap. And now you know it’s there. 

Complete session visibility across SSH, RDP, and database access. Every command. Every query. Every action. Recorded automatically, searchable instantly, ready for the moment you need it.

See How Akku PAM Works | Talk to the Akku Team

How to Prepare for India’s New DPDP Rules and Safeguard Your Organization

The phased rollout of India’s Digital Personal Data Protection (DPDP) Rules officially began on November 14, 2025, marking the full operationalization of the DPDP Act, 2023. While organizations have an eighteen-month window for phased compliance, the complexity of managing digital identities means you must act now to avoid penalties that go as high as 250 crore.

Here is your technical roadmap for operationalizing the new mandates:

  1. Implement Notice and Itemized Consent (Rule 3)
    Generic “I agree” buttons to ask for consent are no longer enough. Rule 3 of DPDP states that you must provide a notice in clear and plain language that includes an itemized description of the data being collected and the specified purpose for which it will be used.
  2. Obtain Verifiable Consent (Rules 10 & 11)
    If you process data from children (under 18) or persons with disabilities, you must adopt technical measures to obtain verifiable consent from a parent or legal guardian. This involves performing due diligence to ensure the person providing consent is an identifiable adult.

  3. Enforce “Reasonable Security Safeguards” (Rule 6)
    Rule 6 defines exactly what “reasonable security safeguards” look like, requiring you to protect personal data – including data handled by third-party processors – through:

    • Data Security: Implementing encryption, obfuscation, masking, or virtual tokens to shield sensitive assets.
    • Access Controls: Managing exactly who can enter computer resources and maintaining visibility through appropriate logs and monitoring to detect unauthorized entry.
  4. Mandate One-Year Log Retention (Rules 6(e) & 8(3))
    Accountability is now backed by a strict storage requirement. Even if a user deletes their account, your organization must retain logs and personal data for a minimum period of one year from the date of processing to enable the investigation of potential breaches.
  5. Automate the Right to Be Forgotten (Rule 8)
    Under the principle of “storage limitation,” you must erase personal data once its specified purpose is served. You must notify the user at least 48 hours before the erasure, giving them a final chance to exercise their rights. For many large entities, data must be cleared three years after the user’s last contact.

  6. Meet Higher Obligations for Significant Data Fiduciaries (Rules 13 and 15)
    If your organization handles massive volumes of data and is classified as an SDF (significant data fiduciaries), you must:

    • Perform a data protection impact assessment (DPIA) and a formal audit every 12 months.
    • Ensure that specified personal data and traffic data are not transferred outside India if restricted by the government.
  7. Grievance Redressal and Data Principal Rights (Rule 14)
    Rule 14(3) requires you to prominently publish a grievance redressal system that responds to user concerns within a period not exceeding 90 days. Additionally, users now have the right to nominate individuals to exercise their rights in case of death or incapacity, requiring identity systems to be flexible enough to manage these transitions.

How Akku Can Help

As a full-stack Identity and Access Management (IAM) platform, we:

  1. Enforce zero-trust: Implement least privilege and just-in-time (JIT) privileges to minimize your attack surface.
  2. Automate lifecycle governance: Use our identity governance (IGA) module to automate “one-click” deprovisioning. This ensures that when a user leaves, all access is comprehensively revoked.
  3. Simplify consent management: Manage itemized and verifiable consent for all user groups, including children, through our Customer Identity (CIAM) solution.
  4. Maintain audit readiness: Our smart analytics provide the mandatory tamper-evident logs for one-year retention, ensuring you are always ready for an investigation or audit.
  5. Centralize device security and endpoint control: Beyond identities, Akku enforces consistent security policies across all endpoints via our GPO and mobile device management (MDM) modules. This allows you to block unauthorized peripherals like USBs, enforce work profile isolation on mobile devices, and prevent unauthorized data exfiltration across Windows, macOS, and Linux.

Talk to us today to find out how Akku can help your organization achieve full DPDP compliance.

Still don’t have PAM in 2026? Here are 10 reasons you need it today!

In today’s high-stakes cybersecurity environment, privileged accounts control access to your most critical systems and sensitive data. Poor management or insufficient oversight of these accounts creates easy targets for cyberattackers, leading to costly breaches and compliance failures. 

According to the 2025 Verizon Data Breach Investigations Report (DBIR), 22% of data breaches in 2025 involved stolen/compromised credentials – with 6% tied to misuse of privileged accounts with access to critical information. Thus, Privileged Access Management (PAM) becomes critical.

Here’s how PAM makes a difference:

  • Periodically changes privileged passwords, so stolen credentials expire fast
  • Provides Just-in-Time (JIT) access, eliminating standing privileges
  • Records every privileged session for complete tamper-proof evidence
  • Enforces zero-trust principles across hybrid cloud and on-premises environments

 

Here are 10 reasons you need a Privileged Access Management system.

1. To gain one-window visibility into accounts, credentials and privileges

Privileged accounts can pose serious security risks when they have too many permissions and too little oversight. Hackers can exploit these accounts to gain access to sensitive data. Additionally, the real number of privileged accounts can be quite different from what organizations believe! This lack of visibility can increase vulnerability.

2. To enforce strict access management & identity verification

By implementing strict access controls, you ensure that users have only the permissions they need to enhance security and promote accountability. By adding in adaptive multi-factor authentication (AMFA), you verify the identity of the users of those privileged accounts to prevent impersonation.

3. To automate the enforcement of least privilege principles

Role-based access control (RBAC) automatically assigns precise permissions based on user roles, ensuring that privileged users receive only what’s needed for their job functions. It also enforces least privilege access with segregation of duties (SoD) rules and automated remediation of violations for stronger compliance.

4. To monitor & record privileged sessions in real-time

Without real-time monitoring, attackers could operate freely during privileged sessions. Without recordings, investigations fail due to missing evidence or deleted logs. Akku delivers live session visibility with anomaly alerts, enabling instant termination of suspicious activity before data exfiltration or damage occurs. It captures full video playback, command-level activity, and tamper-evident audit logs for every privileged session.

5. To prevent the usage of stolen credentials

Stolen privileged credentials can pose a significant threat indefinitely, as they do not rotate automatically. Privileged credential vault addresses this issue by storing passwords, keys, and certificates with automated rotation after every use. This not only prevents credential exposure through direct injection but also maintains detailed audit trails for all interactions with privileged credentials. PAM automates management using strong passwords that are stored securely and changed regularly to minimize breaches. 

6. To avoid the hassles of deploying a client-based system

Traditional PAM often necessitates the use of VPNs, endpoint agents, and client software, which can create deployment complexity across hybrid environments. Some PAMs, like Akku, use clientless privileged session management (PSM) to offer secure browser-based RDP/SSH access without agents or installations, ensuring that credentials never reach end users.

7. To apply just-in-time (JIT) privileged access

Users often require elevated access for specific tasks, but these permissions can remain active long after the tasks are completed, leading to security breaches and insider threats. Such always-on privileges provide attackers with permanent backdoors to exploit sensitive systems. PAM offers a solution by delivering temporary, time-bound access that is granted only when necessary. This access is automatically revoked once the tasks are completed, eliminating the need for manual intervention. Additionally, all activities during JIT sessions are monitored and recorded, allowing for the immediate termination of any suspicious behaviour.

8. To centralize server access

Sharing multiple server passwords and credentials across Windows and Linux environments violates zero-trust principles. Implementing single sign-on (SSO) for server access provides centralized authentication for RDP and SSH sessions, with enforced multi-factor authentication (MFA) and conditional access policies applied consistently.

9. To meet compliance requirements

Comprehensive audit logs, session recordings, and privileged account discovery deliver tamper-proof evidence essential for compliance with HIPAA, PCI-DSS, and SOX. By providing clear visibility into privileged activities across critical systems, these features automate the generation of complete, audit-ready records. This centralized approach streamlines compliance efforts and enhances security, eliminating the risks associated with relying on scattered manual processes.

10. To boost IT productivity

Manual credential management and VPN access create ongoing workflow challenges for IT teams, leading to wasted time on password resets and access requests. Akku simplifies the delegation of access through centralized management tools that include single sign-on (SSO) integration, automated credential rotation using secure vaulting, and clientless session management for smooth server access. This enables teams to work efficiently without compromising security.

Choose Akku’s PAM solution for Complete Protection

Akku’s PAM solution offers all the essential features you need: just-in-time (JIT) access, clientless privileged session management (PSM), credential vaulting, role-based access control (RBAC), and real-time monitoring – all integrated into one seamless platform. Deploy this solution across hybrid environments with zero trust enforcement at every step.

Talk to us today to find out how Akku’s privileged access management solutions can help your business.

Frictionless customer onboarding with Customer Identity & Access Management (CIAM)

As an organization with hundreds or even thousands of customers, streamlined management of their identities and access privileges across your websites and applications is critical. When customers land on your platforms, they expect seamless access to your services from the first click. 

Constant form-filling and multiple logins to gain access to different apps create friction that impacts the customer experience. This is where a customer identity & access management (CIAM) solution becomes essential. CIAM enables effortless and secure customer onboarding with guided workflows that minimize friction and elevate the user experience. 

When customer registration aligns with natural user expectations rather than feeling like an obstacle, organizations see higher completion rates and improved customer trust. This approach delivers scalable identity management that supports growth without compromising security.

How do you reduce friction during customer onboarding?

There are several ways to make customer onboarding smooth while staying secure. 

  • Self-service registration guides customers through simple workflows without manual intervention
  • Low-friction social login with Google, Meta, or LinkedIn lets customers skip the password creation step entirely
  • A unified customer identity works across all touchpoints without needing multiple rounds of registration
  • Streamlined consent and access management happen seamlessly in the background

Long registration forms and repeated password prompts take up time customers don’t have, especially when logging in via a mobile device. With Akku, customers can authenticate via Google/Apple/Facebook in seconds, enabling profile completion across sessions without re-authentication.

The ‘one-and-done’ customer onboarding experience

The repetitive “Create Account” screen can cause irritation and even end the customer journey. 

By integrating your robust CIAM solution with all your brand tools, websites and apps, you eliminate the need for multiple onboarding actions. 

When a customer signs up for your primary tool, they aren’t just creating a profile for that tool or website; they are creating a universal digital passport that’s recognized across your entire ecosystem. Seamless cross-tool integration results in:

  • Better cross-platform harmony: When the customer moves from your website or web app to your native mobile app, a CIAM does away with the need for a secondary registration.
  • Improved synergy between sister brands: In a similar vein, if your company owns multiple brands, a CIAM allows a user to log into a “sister website” using existing credentials, instantly carrying over their preferences and history, instead of creating a new account and building a new digital footprint.
  • Faster signup for rewards and other benefits programs: Customers joining your e-commerce site, for example, can be automatically signed up for your rewards program as well as any other business tools or additional features. They do not need to fill out a separate registration form or even link accounts to gain these additional benefits.

By treating identity as a single source of truth, you bring all your platforms, tools and interfaces into a unified stack. Single-step onboarding across multiple platforms makes the customer journey effortless.

Modern customer journeys require modern identity management

Of course, customer onboarding is only the first step to seamless experience. Today’s customers expect one-click social logins, biometric access, and instant recovery from any device. Friction builds fast: multiple logins across different channels irritate the customer, duplicate profiles fragment experiences, and scattered consent tracking creates compliance gaps.

CIAM centralizes identity management across all touchpoints, eliminating pain points through directory services and real-time synchronization. Behavioral analytics detect anomalies instantly while contextual access controls adapt security based on location, device, and usage patterns.

This approach transforms authentication from a barrier into seamless protection, maintaining enterprise-grade security while delivering smooth customer experiences across every digital interaction.

The future of customer onboarding with Akku’s CIAM

Customers demand seamless access across every touchpoint. Akku delivers intelligent automation through guided workflows, social login integration, and adaptive MFA across web, mobile, and partner platforms. 

Powered by REST APIs and pre-built connectors, Akku’s CIAM solution provides unified identity management with centralized consent records that transform compliance into a competitive advantage. Unlike complex enterprise CIAM platforms, Akku delivers exactly what you need – self-registration, social login, adaptive MFA, consent tracking – for secure, frictionless onboarding.

Talk to us today to find out how Akku can help your business.

How Mobile Device Management is Powering the Future of Remote Work

When businesses move to remote operations, teams tend to prioritize fast internet and collaboration tools. However, problems arise when sensitive data ends up on the personal smartphones of employees. This is where MDM becomes critical. 

MDM is a system that helps organizations manage and secure the mobile devices their teams use for work. It sets rules for apps and access and ensures that devices follow company standards. Choosing the right MDM software is often the first step toward making mobile work safe and predictable.

What is MDM and Why It Matters

MDM Full Form

MDM stands for Mobile Device Management. MDM helps you make each mobile device in your organization into a managed endpoint. IT teams can set rules, add or restrict apps, and push updates. It can also erase data if a device is lost, and also keeps work and personal information separate on the same device. If you have a checklist like inventory, policy, and onboarding, then you have the start of a solid MDM solution strategy.

Core Features of a Mobile Device Management System

A strong mobile device management system feels invisible. Any IT team can manage hundreds of devices without strain. The real power of MDM lies in its simplicity. It turns complex tasks into everyday routines that anyone can handle. Here are the features no mobile device management software should ever be without.

  • Remote setup and configuration. A new hire unboxes a mobile device, and it arrives with the right apps and security settings. No on-site handover is needed. This is often the first reason companies adopt remote device management software.
  • App control. Organizations use app whitelisting to allow only approved applications and app blacklisting to block those considered risky. This ensures that every device runs only trusted software.
  • Security enforcement. Policies for security parameters such as passwords and automatic updates help address core mobile device management security priorities.
  • Remote lock and wipe. Admins can lock or erase devices quickly using remote device management software features.
  • Inventory and reporting. IT can see what devices exist in the system, who uses them, and whether they meet compliance rules. Visibility is the foundation of any reliable MDM software deployment.
  • Platform support. The best MDM solutions work across operating systems such as iOS, Android and Windows, ensuring every mobile device follows the same security and management policies.

These capabilities don’t just reduce risk – they cut the time IT spends on routine tasks. For small and medium businesses, that saves money and reduces outages. This is why adopting MDM tools is less about cost and more about predictable operations.

Why Traditional IT Security Isn’t Enough Anymore

In a world of remote and hybrid operations, if your security model assumes a single office, you have a problem. Firewalls and office network controls work well when everyone logs in from the same place. Remote work breaks that assumption. Employees use home Wi-Fi, public hotspots, and cellular networks. They work from hotels, trains, and co-working spaces.

That dispersion changes the threat model. A firewall can no longer protect every entry point. An employee might download a file on a personal phone and then access the same file from a work laptop. Legacy tools were not designed to handle this level of complexity. With mobile device management, security shifts focus from the network to the device. It accepts that devices travel, and it protects them directly.

How MDM Solutions Enable Remote Device Management

Remote Device Management is the difference between a policy on paper and a policy in action.

Consider patching. In an office, IT schedules a maintenance window and updates machines. For distributed teams, coordinated patching is harder. Remote device management software can push updates automatically and verify installation. This cuts the window of vulnerability.

Think about access control. With MDM solutions, a machine that fails security checks can be quarantined. It can be prevented from reaching critical systems until it meets standards. That is a practical control that reduces exposure without blocking users entirely.

Finally, consider BYOD situations. Employees expect privacy. IT needs control. MDM tools provide profiles and containers. Work data stays inside the container. Personal data remains untouched. This balance keeps employees willing to use personal devices while protecting company assets.

If you are evaluating tools, a simple way to compare is to create an MDM tools list that includes onboarding time, reporting, encryption standards, and whether the vendor provides templates for compliance.

Specialized Use Cases of MDM in Remote Work

1. Managing devices across multiple locations

Work is no longer tied to one building. Employees check emails from home, sit in cafes, and travel between cities. Each mobile device carries access to sensitive information. MDM quietly ensures that every device follows the same rules. IT can trust that the network stays secure even when the team is scattered.

2. Onboarding remote teams instantly

New hires may never step foot in an office. A phone or tablet arrives at their doorstep. With MDM, the device can be set up remotely, so the right work apps are installed and work profile security settings are put in place. Work starts without delay, and IT is confident that every device is compliant.

3. Handling lost or stolen devices remotely

A phone left in a taxi or forgotten at a café can put company data at risk. With MDM, administrators can lock the device or erase company data from anywhere, mitigating the risk of potential breaches.

4. Ensuring compliance without physical checks

Clients and regulators want proof that security policies are followed. MDM makes it possible to gain comprehensive visibility from a single dashboard, with reports on which devices meet standards and which need attention.

5. Protecting data on personal devices

When employees use personal phones for work, MDM separates personal information from company data. Work stays secure on a dedicated work profile, while private data stays private. And that means employees can use their own devices without creating risk for the organization.

6. Responding to threats in real time

Remote work increases the number of points of vulnerability. MDM observes devices, and raises alerts when policies are violated. This means IT can step in before small issues turn into serious problems.

Future of Mobile Device Management in Remote-First Companies

Remote-first does not mean office-free. It means designing systems for flexibility. The future of Mobile Device Management (MDM) will reflect three trends.

First, automation will grow. Tools will detect anomalies and take remediation steps without human intervention. That reduces response time. Second, MDM software will integrate more tightly with collaboration platforms. Security will follow the conversation and the file, not only the device. Third, compliance capabilities will be built in. Companies will get pre-configured policies for popular regulations.

Expect MDM solutions to fold reporting, threat signals, and device posture into a single dashboard inside your mobile device management system. That will make it easier to answer a regulator or an affected customer quickly and with evidence.

For leaders, that future offers a choice. You can treat device security as a recurring cost. Or you can make it a strategic enabler. The latter choice makes remote work reliable. It turns flexibility into a competitive advantage.

Powering the Future of Remote Work with Akku’s MDM Solution

Remote work has transformed the office into a network of homes, cafes, and coworking spaces. This shift made mobile devices the heart of productivity and security. Without a system to manage them, businesses face risk and confusion.

Akku’s MDM solution puts control in the hands of IT teams without adding complexity.

Unlike many MDM platforms that are complex and expensive to deploy, Akku delivers the features you really need to get your mobile device management strategy off the ground quickly and efficiently. For your business, that means time and resources you can invest into innovation and growth.

Talk to us today to find out how Akku can help your business.