End-to-end architecture for identity-centric privileged access protection.
[Architecture diagram, described] Left side, the populations that reach privileged targets through the platform: End Users (Administrators, IT Ops; Security Operations; DevOps, IT, Compliance), DBAs (database administrators), Developers (application and DevOps engineers) and Industry (OT, SCADA, ICS). Between them and the platform sits the identity broker and federation layer. Centre, the DataDike PAM Platform, a Zero Trust on-premises privileged access security layer built from five blocks:
Privileged Access Management · PAM Core · Centralized management of all privileged credentials
Session Proxy & Protocols · Protocol Broker · Zero credential exposure: credentials are injected directly by the proxy
ZTA Zero Trust Access · Access Control · Least privilege enforced on every session
Audit & Compliance · Compliance Engine · Tamper-proof audit trail with 10-year retention
Admin Console & Control Plane · Management Interface · Full platform visibility and governance
Right side, the target environments: On-Premises, Air-Gapped, Hybrid, OT/ICS. Secure navigation without local exposure.
Exclusive On-Premises deployment · Pay Per Use (PPS) licensing · No cloud dependency · No agents on target systems
DataDike layers multiple security controls (proxy injection, vault encryption, behavioral analytics, and immutable audit) so that the failure of any single control does not, on its own, expose a privileged credential.
Core Component Breakdown
Technical specifications for each main component of the DataDike platform.
Admin Portal
Management Interface
Unified, browser-based console for all administrative operations. Provides real-time dashboards, policy management, user administration, and compliance reports — with multi-tenancy support and segregated RBAC profiles.
Credential Vault
Secure Storage
AES-256 encrypted storage at rest, with HSM support via PKCS#11 for key management. Per-device password history, automatic reconciliation (credentials changed outside the vault are detected and resynchronized), and a proprietary database with no external licensing dependency.
Session Proxy
Protocol Broker
Transparent proxy for SSH, RDP, HTTPS, and database connections. Credentials injected directly — never exposed to the user. Includes a Jump Server module for access via clients like PuTTY, MobaXterm, and SecureCRT.
Policy Engine
Access Control
Attribute-Based Access Control (ABAC) engine evaluating user, device, location, time, and risk score for real-time access decisions. Supports command blocking via blacklist/whitelist with regular expressions.
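As an added illustration, not DataDike's policy engine or its schema, the Python below models the two decisions this component makes: an attribute check over profile, time window, risk score, source network and approval state, and a regular-expression command filter. The policy fields, the 0-100 risk scale, the sample policies and the sample requests are assumptions constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional, Set, Tuple

# Simplified ABAC model written for this page. The attribute names, the 0-100
# risk-score scale and the policy fields are assumptions, not DataDike's schema.

@dataclass
class AccessPolicy:
    allowed_profiles: Set[str]
    window_start: time                 # daily access window, PAM server local time
    window_end: time
    max_risk_score: int                # assumed 0-100 scale, higher = riskier
    allowed_networks: List[str] = field(default_factory=list)   # CIDR strings; empty = any
    require_approval: bool = False
    command_denylist: List[str] = field(default_factory=list)   # regexes, matched anywhere in the line
    command_allowlist: List[str] = field(default_factory=list)  # regexes, must match the whole line; empty = none

@dataclass
class AccessRequest:
    user: str
    profile: str
    source_ip: str
    risk_score: int
    requested_at: datetime
    approved: bool = False
    ticket: Optional[str] = None       # linked ITSM ticket, recorded but not evaluated here

def in_window(start: time, end: time, t: time) -> bool:
    """Handles windows that cross midnight, e.g. 22:00-06:00 for maintenance shifts."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end

def evaluate_access(policy: AccessPolicy, req: AccessRequest) -> Tuple[str, List[str]]:
    """Evaluate every attribute and return ("allow"|"deny", reasons). All failures are
    collected, not just the first, so the denial written to the audit trail explains
    the whole decision."""
    reasons = []
    if req.profile not in policy.allowed_profiles:
        reasons.append(f"profile '{req.profile}' not permitted")
    if not in_window(policy.window_start, policy.window_end, req.requested_at.time()):
        reasons.append(f"outside access window {policy.window_start}-{policy.window_end}")
    if req.risk_score > policy.max_risk_score:
        reasons.append(f"risk score {req.risk_score} exceeds limit {policy.max_risk_score}")
    if policy.allowed_networks:
        ip = ipaddress.ip_address(req.source_ip)
        if not any(ip in ipaddress.ip_network(n) for n in policy.allowed_networks):
            reasons.append(f"source {req.source_ip} not in allowed networks")
    if policy.require_approval and not req.approved:
        reasons.append("approval required but not granted")
    return ("deny" if reasons else "allow"), reasons

def filter_command(policy: AccessPolicy, command: str) -> Tuple[str, Optional[str]]:
    """Denylist is checked first and wins. Denylist patterns use re.search so a forbidden
    fragment anywhere in the line blocks it; allowlist patterns use re.fullmatch so only
    commands that match completely are let through."""
    cmd = command.strip()
    for pat in policy.command_denylist:
        if re.search(pat, cmd):
            return "block", pat
    if policy.command_allowlist and not any(re.fullmatch(p, cmd) for p in policy.command_allowlist):
        return "block", "not on allowlist"
    return "pass", None

def demo() -> dict:
    """Constructed sample policies and requests (not real data)."""
    day = AccessPolicy({"dba"}, time(8, 0), time(18, 0), 50, ["10.0.0.0/8"], True,
                       command_denylist=[r"rm\s+-rf\s+/", r"\bshutdown\b"])
    night = AccessPolicy({"dba"}, time(22, 0), time(6, 0), 100)
    readonly = AccessPolicy({"auditor"}, time(0, 0), time(23, 59), 100,
                            command_allowlist=[r"ls( .*)?", r"cat /var/log/\S+"])
    alice = AccessRequest("alice", "dba", "10.1.2.3", 20, datetime(2024, 1, 10, 9, 30), approved=True, ticket="INC-1042")
    bob = AccessRequest("bob", "dev", "192.168.1.5", 70, datetime(2024, 1, 10, 23, 0))
    return {
        "alice_day": evaluate_access(day, alice),
        "bob_day": evaluate_access(day, bob),
        "alice_night_ok": evaluate_access(night, AccessRequest("alice", "dba", "10.0.0.1", 0, datetime(2024, 1, 10, 23, 30))),
        "alice_night_noon": evaluate_access(night, AccessRequest("alice", "dba", "10.0.0.1", 0, datetime(2024, 1, 10, 12, 0))),
        "deny_rm": filter_command(day, "rm -rf /tmp/build"),
        "pass_ls": filter_command(day, "ls -la /var/log"),
        "allow_cat_log": filter_command(readonly, "cat /var/log/syslog"),
        "block_cat_shadow": filter_command(readonly, "cat /etc/shadow"),
    }
```

The asymmetry in `filter_command` is deliberate: a denylist should fire on any occurrence of the forbidden fragment, while an allowlist should only admit a command that is matched in full, which is the safe default in each direction. Command filtering at a proxy remains a guardrail rather than a boundary: aliases, encoded payloads and commands issued from inside an editor or nested shell can evade pattern matching, which is why session recording and rotation at session end still matter.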
Audit & Logs
Compliance Engine
Immutable, tamper-evident audit trail: every privileged action, session metadata record, and policy decision is stored with cryptographic integrity protection, so any later alteration or deletion is detectable. Export to SIEMs via CEF, Syslog (RFC 5424), and Sensage.
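An added example, not the product's implementation, of the two properties named above, integrity-protected records and SIEM export: each record is HMAC-sealed and chained to its predecessor by hash, a verifier re-walks the chain, and a small CEF renderer escapes header and extension fields. The key, the vendor string, the field names and the sample session records are placeholders constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional, Tuple

# Constructed illustration for this page, not DataDike's record format or export
# code. The HMAC key is a placeholder: in a deployment it lives in the HSM or vault,
# never on the same disk as the log it seals.

GENESIS = "0" * 64
RESERVED = {"seq", "ts", "event", "prev", "seal"}

def _canonical(fields: dict) -> bytes:
    # Deterministic serialization so a record always hashes the same way on every node.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

class AuditTrail:
    def __init__(self, key: bytes):
        self._key = key
        self.records: list = []
        self.head = GENESIS                # hash of the newest sealed record

    def append(self, event: str, ts: Optional[str] = None, **fields) -> dict:
        if RESERVED & fields.keys():
            raise ValueError("caller may not set chain fields")
        rec = {"seq": len(self.records), "ts": ts or datetime.now(timezone.utc).isoformat(),
               "event": event, "prev": self.head, **fields}
        rec["seal"] = hmac.new(self._key, _canonical(rec), hashlib.sha256).hexdigest()
        self.head = hashlib.sha256(_canonical(rec)).hexdigest()
        self.records.append(rec)
        return rec

    def verify(self, expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
        """Re-walk the chain from genesis. Returns (True, None) or (False, seq of the first
        bad record); len(records) is reported when the tail was cut off and an externally
        anchored head was supplied."""
        prev = GENESIS
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "seal"}
            expected = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
            if body.get("prev") != prev or not hmac.compare_digest(expected, rec.get("seal", "")):
                return False, rec.get("seq")
            prev = hashlib.sha256(_canonical(rec)).hexdigest()
        if expected_head is not None and prev != expected_head:
            return False, len(self.records)
        return True, None

# CEF: pipe-separated header, then space-separated key=value extension.
CEF_KEYS = {"user": "suser", "target": "dhost", "src": "src", "command": "cs1"}  # other keys pass through

def _esc_header(s: str) -> str:
    return s.replace("\\", "\\\\").replace("|", "\\|")

def _esc_ext(v) -> str:
    return str(v).replace("\\", "\\\\").replace("=", "\\=").replace("\r", "\\r").replace("\n", "\\n")

def to_cef(rec: dict, vendor: str = "ExampleVendor", product: str = "PAM", version: str = "1.0", severity: int = 5) -> str:
    header = "|".join(_esc_header(x) for x in ("CEF:0", vendor, product, version, rec["event"], rec["event"], str(severity)))
    ext = " ".join(f"{CEF_KEYS.get(k, k)}={_esc_ext(v)}" for k, v in rec.items() if k not in ("event", "prev"))
    return f"{header}|{ext}"

def demo() -> dict:
    """Constructed session records; shows intact, altered and truncated chains plus CEF output."""
    trail = AuditTrail(key=b"placeholder-key-held-in-hsm")
    first = trail.append("session.start", ts="2024-01-10T09:30:00+00:00", user="alice", target="db01", src="10.1.2.3")
    trail.append("command", ts="2024-01-10T09:31:05+00:00", user="alice", target="db01",
                 command="SELECT count(*) FROM orders|WHERE region=EU")
    trail.append("session.end", ts="2024-01-10T09:45:00+00:00", user="alice", target="db01")
    anchored_head, intact = trail.head, trail.verify()
    trail.records[0]["user"] = "mallory"             # rewrite who ran the session
    tampered = trail.verify()
    trail.records[0]["user"] = "alice"
    dropped = trail.records.pop()                    # cut off the tail
    truncated_unanchored = trail.verify()            # chain is still self-consistent
    truncated_anchored = trail.verify(expected_head=anchored_head)
    trail.records.append(dropped)
    return {"intact": intact, "tampered": tampered, "truncated_unanchored": truncated_unanchored,
            "truncated_anchored": truncated_anchored, "cef_start": to_cef(first), "cef_command": to_cef(trail.records[1])}
```

A self-consistent chain does not reveal that its tail was removed; only comparison with a head anchored elsewhere (forwarded to the SIEM with each export, or written to WORM storage) catches truncation, which is why the demo checks both. Likewise, anyone holding the HMAC key can re-seal altered records, so custody of that key in the HSM is what makes the trail tamper-evident rather than merely append-only.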
Gateway Engine
Distributed Connectivity
Distributed gateway infrastructure supporting up to 200 zones with 10 gateways per zone, for a total of 2,000 connection points. Primary traffic runs over encrypted SSH; other protocols are carried inside encrypted tunnels.
Privileged Session Flow
Every privileged session follows a strict, audited workflow — ensuring zero credential exposure and full traceability of all actions performed.
User Authentication
User accesses DataDike via browser with SSO + MFA (TOTP, hardware token, or digital certificate). Identity validated against AD/LDAP.
Access Request
User requests access to the target system. Request linked to an ITSM ticket number (if configured) and routed for approval.
Policy Evaluation
Policy Engine evaluates profile, time window, risk score, approvals, and IP restrictions. Real-time decision.
Credential Injection
Credential Vault provides the password to the Proxy. The Proxy injects it directly into the session — the user never sees the real credential.
Session Recording
All activity is recorded: keystrokes, screen video, timestamped commands, and file transfers. A customizable warning banner is displayed to the user for the duration of the session.
Audit & Rotation
Session logged on the immutable trail. Credential rotated automatically at end of session. Alerts issued for detected anomalous behaviors.
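The Python below is an added model of steps 3 to 6 of this flow and is not DataDike code: a vault that releases a credential only to the session proxy and only for a policy-approved session, a proxy that authenticates to a stand-in target and hands the user a session handle, and rotation at session close that invalidates the credential on the target. The class names, the "session-proxy" caller identity, the PBKDF2 stand-in for the target's own password storage and the sample credential are all assumptions constructed for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed model for this page of steps 3-6 above (approval, injection, recording,
# rotation). Class names and the "session-proxy" caller identity are assumptions; the
# product's real internals are not described at this level. PBKDF2 stands in for
# whatever the target system does with its own passwords.

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

class TargetHost:
    """Stand-in for a managed server: keeps a salted hash and answers login attempts."""
    def __init__(self, name: str, password: str):
        self.name, self._salt = name, secrets.token_bytes(16)
        self._hash = _pw_hash(password, self._salt)

    def login(self, password: str) -> bool:
        return secrets.compare_digest(_pw_hash(password, self._salt), self._hash)

    def change_password(self, old: str, new: str) -> bool:
        if not self.login(old):
            return False
        self._salt = secrets.token_bytes(16)
        self._hash = _pw_hash(new, self._salt)
        return True

class CredentialVault:
    """Releases a cleartext credential only to the proxy, and only for an approved session."""
    def __init__(self):
        self._current: Dict[str, str] = {}
        self.history: Dict[str, List[str]] = {}   # per-device password history
        self.approved: set = set()                # session ids cleared by the policy engine

    def enroll(self, target: TargetHost, password: str) -> None:
        self._current[target.name], self.history[target.name] = password, []

    def checkout(self, target_name: str, session_id: str, caller: str) -> str:
        if caller != "session-proxy":
            raise PermissionError("only the session proxy may read a credential")
        if session_id not in self.approved:
            raise PermissionError("session not approved by the policy engine")
        return self._current[target_name]

    def rotate(self, target: TargetHost) -> None:
        old, new = self._current[target.name], secrets.token_urlsafe(24)
        if not target.change_password(old, new):   # changed out of band: leave for reconciliation
            raise RuntimeError(f"rotation on {target.name} failed; flagged for reconciliation")
        self.history[target.name].append(old)
        self._current[target.name] = new

@dataclass
class Session:
    """What the user gets back: a handle plus its event log, never a password."""
    session_id: str
    user: str
    target: str
    events: List[str] = field(default_factory=list)

class SessionProxy:
    def __init__(self, vault: CredentialVault):
        self.vault, self._live = vault, {}   # session_id -> (Session, TargetHost)

    def open(self, user: str, target: TargetHost, session_id: str) -> Session:
        password = self.vault.checkout(target.name, session_id, caller="session-proxy")
        if not target.login(password):
            raise RuntimeError("target rejected the vaulted credential")
        self._live[session_id] = (Session(session_id, user, target.name, ["session.open"]), target)
        return self._live[session_id][0]

    def run(self, session_id: str, command: str) -> None:
        self._live[session_id][0].events.append(f"command:{command}")   # step 5: recording

    def close(self, session_id: str) -> Session:
        session, target = self._live.pop(session_id)
        self.vault.rotate(target)                                     # step 6: rotate at session end
        session.events.append("credential.rotated")
        return session

def probe_checkout(vault: CredentialVault, target_name: str, session_id: str, caller: str) -> str:
    try:
        vault.checkout(target_name, session_id, caller)
        return "granted"
    except PermissionError as exc:
        return f"denied: {exc}"

def run_flow(user: str = "alice", target_name: str = "db01", initial: str = "Initial-Pass-123") -> dict:
    """Drive one session end to end with constructed data and report what each party saw."""
    target, vault = TargetHost(target_name, initial), CredentialVault()
    vault.enroll(target, initial)
    proxy, session_id = SessionProxy(vault), secrets.token_hex(8)
    direct_read = probe_checkout(vault, target_name, session_id, caller=user)            # user asks the vault itself
    early_read = probe_checkout(vault, target_name, session_id, caller="session-proxy")  # proxy, before approval
    vault.approved.add(session_id)   # steps 1-3 (MFA, request, policy decision) collapsed into this approval
    session = proxy.open(user, target, session_id)                                      # step 4: injection
    proxy.run(session_id, "SELECT count(*) FROM orders")
    proxy.close(session_id)
    return {"session": session, "direct_read": direct_read, "early_read": early_read,
            "old_password_valid": target.login(initial), "history": vault.history[target_name]}
```

The two checks worth keeping from this model are that the user's view (the `Session` object) never contains the password, and that the password used during the session is already dead on the target by the time the session ends, so anything scraped from screen or memory is worthless. When the target rejects the rotation because the credential was changed out of band, the vault raises instead of silently overwriting its history; that is the case the reconciliation feature exists for. The proxy is the one component that ever holds cleartext, which makes it the trust boundary to harden and monitor.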
Native Integration Ecosystem
DataDike integrates natively with your existing security and IT stack — no custom development required for the primary connectors.
Active Directory / LDAP · Identity
SAML 2.0 / OIDC · SSO / Federation
RADIUS / TACACS+ · Authentication
Splunk / IBM QRadar · SIEM
Microsoft Sentinel · SIEM
ArcSight / Sensage · SIEM
ServiceNow / Jira SM · ITSM
Okta / Ping Identity · MFA
AWS / Azure / GCP / OCI · Cloud
IBM Cloud / Huawei Cloud · Cloud
Alibaba Cloud · Cloud
Built to Never Go Down
Active-passive clustering with synchronous replication between nodes and automatic failover in under 30 seconds, designed for environments where privileged access must be available around the clock.
HA Cluster · Active-Passive · Automatic failover with no loss of session or configuration
Replication · <50 ms · Synchronization of all changes between cluster nodes
Gateway Zones · 200 zones · 10 gateways per zone, 2,000 connection points
Retention · 10 years · Configurable log and session recording retention
Supported Compliance Standards
FIPS 140-2 · AES-256 encryption / HSM
ISO 27001 · Information Security Management
PCI-DSS 4.0 · Payment Card Industry Standard
MITRE CNA · CVE Numbering Authority