Secret Server

Secure Vault and Password Manager 

Automation of complex tasks is crucial for administrators and DevOps teams to eliminate human error and allow an organization to scale. Many applications require passwords or keys in order to access third-party APIs, databases, or external resources. Any complex automation build-out will require access to passwords or keys to call APIs and access data.

By integrating custom and third-party applications with Secret Server, you can avoid built-in application credentials and ensure proper control and management.

Access Control

Virtually all compliance mandates and security best practice frameworks require some form of role-based access control (RBAC). Access control provides a mechanism for system administrators to manage user roles and permissions efficiently and sustainably. Policies set rules which apply to all users, so you don’t need to make on-the-fly decisions about who should be able to access what, why, and how.

Access Control and Least Privilege

Access control makes it possible to implement and manage a least privilege policy in which users have only the access they require to get their jobs done. When systematically applied, controls reduce the risk that a user will be granted too much access. For example, administrators can ensure that users can’t accidentally or intentionally change administrative settings they shouldn’t have rights to. Just as important as implementing least privilege is maintaining appropriate access over time, and effectively avoiding privilege creep whereby a user retains access to resources they no longer require.

Access Control and Separation of Duties

There are two main types of Separation of Duty policies—Static (SSoD) and Dynamic SoD (DSoD). Mutually exclusive role constraints are used to enforce static separation of duty policies, while dynamic separation of duty policies are intended to limit the permissions that are available to a user.

Access Control and Active Directory

Implementing access control via a hub and spoke model, in which Active Directory is the hub, allows for a unified view and centralized, consistent control. For organizations already managing permissions via Active Directory (AD), user groups often map naturally to user roles.

Automation  

Core PAM Automation Increases Visibility, Control, and Oversight

1. Rule-based password generation
2. Scheduled password changing
3. Heartbeat
4. Secret policies
5. Email Alerts
6. If/Then Automation

 Discovery:

The first step to a comprehensive PAM strategy is ensuring you have complete visibility of all types of privileged accounts.

When you don’t know where privileged accounts exist, you may be leaving backdoor accounts in place that allow users to bypass proper controls. External threats may create privileged accounts for later access that can go undetected for months.

Automatic Discovery makes it easy to find all privileged accounts so you can set policies to manage them appropriately. Secret Server can automatically find privileged accounts and map existing secrets. Continuous Discovery alerts you when unexpected accounts are found. Rule-based imports can import the unmanaged accounts you find into Secret Server.

Privileged Session Management, Monitoring & Control:

Session management, monitoring, and control increase oversight and accountability so you can mitigate the risk of privileged account misuse. Even organizations with mature PAM programs don’t merely trust people are always doing the appropriate things with their privileged access. Privileged session management is used as a second pair of eyes to increase confidence that best-practice PAM policies are, in fact, being followed.

In privileged session management, the activities of every privileged user, which includes trusted insiders, third-party vendors, and connected systems, are managed, monitored, and controlled from the time they launch a privileged session to when that session ends.

Advanced Scripting  

-Integrate custom and 3rd-party apps

-Web Services API

-Secret Server SDK

-Powershell Password Changing

-Dependencies

-Custom Ticket System Integration

-DevOps Secrets Vault

-Scriptable Discovery

Service Account Governance:

Service accounts are used to run various services (Windows Services, tasks, app pools and more) on the network. Managing service account credentials according to PAM best practices is challenging for many organizations. Typically, no one knows where all service accounts are being used. Often, one account is used in multiple places, and admins often create new service accounts whenever needed.

Secret Server can help you get a handle on your service accounts and automatically change service account passwords on a regular schedule.

Distributed Engines:

For a privileged access management tool to be effective, it needs to scale for enterprise use and provide the speed to change passwords and permissions immediately.

With Distributed Engines, Secret Server provides scalability and rapid results for some of the largest networks in the world. Using secure network communication, queueing, and parallel processing, Secret Server can discover network credentials, verify whether the password you have on file is correct, and automatically change passwords on thousands of accounts in mere minutes.

You can install a Distributed Engine in a remote site and allow it to operate many functions. Communication with Secret Server Cloud also requires the Distributed Engine to be installed.

Enhanced Auditing, Reporting, and Compliance:

Reporting is a crucial component of your PAM program. Security teams must be able to see at a glance how well policies are followed and where there are exceptions.

Secret Server features help you meet regulatory requirements and demonstrate compliance to satisfy internal and external auditors. Out-of-the-box and custom reporting features save time and make executive reviews and audits painless.

Audit Reports

When someone leaves your organization you can easily assess and control your vulnerability risk by using the User Audit Report feature in Secret Server password management software.

Select a user and date range in Secret Server and instantly display every password, or Secret, the user accessed. Then you can expire each Secret, immediately decreasing the likelihood of a security breach. The User Audit Report is a necessity for those needing to comply with internal and/or external information security mandates.

The User Audit Report

Helps SEC-regulated companies comply with the Sarbanes Oxley Act of 2002 and other regulatory compliance needs.

Records all actions a user takes on a password, like creating, updating, sharing passwords, etc.

Assists in ensuring that all passwords are used properly.

Secrets Audit Reports

In addition to the User Audit Report which focuses on the user, the Secret Audit Report provides accurate details on the Secret itself. Users can protect their sensitive information by monitoring the level of activity on any Secret they have access to.

High-security, time-saving features like this are among the characteristics of Secret Server that make this enterprise-level password management software so popular with IT Admins.

Approval Workflow:

What’s the challenge?

Given the critical nature of some systems and data, or compliance mandates that require segregation of duties for privileged access, IT teams commonly seek to restrict certain parts of their IT environment.

Many users require only limited or temporary access to privileged accounts. For example, third-party contractors may only need access for a specific project. These users should be able to access a privileged account only if they have a legitimate reason. They should lose their access once the reason is no longer valid.

With so many moving parts, it is typically a challenge to maintain oversight over the various users, and enforce accountability for keeping access levels up to date.

Why it's important

Trusted internal users should be aware of all third-party and temporary access so they can make sure privileged user activities are appropriate and privileges aren’t being misused. Substantial vulnerabilities exist in the organization if there are over-privileged users or credentials that should have been expired.

How approval workflow solves it

Approval workflow increases visibility and oversight for all privileged accounts, especially those accessed sporadically for special projects and by third parties.

Requiring two different users to complete a task helps prevent abuse of privilege. Enforcing approval steps and auditing who requested access and who approved it are key security controls to reduce risk.

Secret Server provides multiple options to implement approval workflows that fit your organization’s IT security policies, systems, and organizational structure.

 Unix Protection:

A successful Unix/Linux attack could be catastrophic. Unix and Linux systems are often heavily tied into critical and sensitive data. If a cyber criminal gains access to powerful root accounts, they have complete administrative control.

A multi-layered approach to Unix/Linux privilege management reduces security risk. It’s important to ensure local root accounts are discovered, protected, controlled, and managed. Additionally, it’s important to maintain Least Privilege policies by ensuring that powerful commands (such as Sudo or Su) are limited and monitored.

Secret Server allows you to extend privileged access management policies to Unix and Linux systems to improve visibility, consistency, and easy of management throughout your entire IT environment. By bringing Unix/Linux under a common PAM umbrella, you can centrally discover, rotate, expire, and disable credentials to prevent misuse and cyber attacks.

Disaster Recovery:

Secret Server is designed with multiple disaster recovery capabilities to make sure your organization’s critical data and employees’ hard work will be preserved.