Password Vaulting

Storing privileged account credentials in an encrypted and secure service

What is a Password Vault?

A Password Vault is a system that stores passwords in encrypted form in a secure digital location. When access is requested, the stored passwords are fetched automatically and passed to the user, either transparently or in clear text as required, to establish a connection to the resources the user is entitled to.

Why do we Need a Password Vault?

With technological advancement, organizations around the world are adapting by expanding their IT infrastructure. As a result, the number of resources each person is entitled to grows, and with it the need to protect the passwords used for access, so that illegitimate access is prevented.

Manual password management creates two problems: memory capacity and password security. Users cannot remember long and complicated passwords, so they write them down on sticky notes. They are also tempted to reuse passwords, or to choose easy-to-remember passwords, across multiple accounts, exposing those passwords to theft and illegitimate access.

Passwords should be protected throughout their entire lifecycle, from creation to retirement, through a set of defined practices backed by strict password management rules. These ensure that passwords are stored encrypted in a secure location known as a password vault and are released to a user only after he/she presents proper identification, granting access to the devices and applications to which he/she is entitled. Passwords in the vault are also rotated at a pre-defined frequency, and when a user requests access, he/she receives the credentials from the vault in a controlled fashion.

Sectona Password Vault?

Sectona Privileged Access Management solution provides a password vault that stores the access credentials of critical privileged accounts, ensuring that target IT assets are governed and protected at all times.

Sectona’s password vault is powered by a commercial-grade Oracle MySQL database that remains unexposed and tamper-proof. The vault communicates with the Sectona PAM application over a secure protocol. It also includes a built-in High Availability (HA) architecture, thereby ensuring higher security. Sectona PAM Vault can be configured to store credentials in AES 256 or RSA 2048 encrypted format, and a random, unique salt is used for every new privileged account credential entry. A unique and customizable encryption key can be defined for accessing the vault. The vault comes in two distinct categories – Primary Vault & Satellite Vault:

  • Primary PAM Vault is the principal vault communicating with the PAM application and is responsible for storing credentials and critical data. Although it is a centralized vault, it can be replicated across multiple instances, namely Primary, HA, DR, and Remote Site. The Primary is the principal vault, HA is a near-backup vault, DR is a far-backup vault, and the Remote Site is an additional far-backup instance which may or may not be common.
  1. Primary Instance: This is the primary storage facility, serving as a user’s immediate and principal access point and keeping him/her connected to his/her resources.
  2. High Availability Instance: Also known as the Fallback Instance, the High Availability Instance acts as a backup when the Primary Vault goes down: it takes over the role of the Primary Instance and ensures the user still gets the required access. Once the original Primary Instance is back online, it becomes the HA instance. The HA instance is a replica of the Primary Instance and is always synchronized, enabling it to take over whenever the Primary Instance is not available.
  3. Disaster Recovery Instance: When both the Primary and High Availability Instances are unavailable due to a failure or shutdown, the DR Instance provides users with the credentials they need for their resources, ensuring business continuity. The solution can be configured to redirect the access node to the DR instance in case of a failure of both Primary and HA.
  4. Remote Instance: A Remote Site Instance is a partial configuration at a remote DC location, forming part of the Primary PAM vault, which provides access during temporary unavailability of the Primary Vault. It is a replica of the Primary Instance located at a different site, configured for privileged users in an organization who require simultaneous access to target assets from two different locations.
     The Sectona Remote Site Instance works as a partial Primary PAM instance: it acts as the Primary Instance to provide sessions while the actual Primary Instance is temporarily unavailable, and once a connection is established, they revert to their original roles. The Remote Site Instance passes its access log entries to the actual Primary Instance to keep the vault synchronized.
  • Satellite Vault is a secondary offline vault, configured on a secure, isolated machine in the same network as the Primary Vault, that is readily accessible to users in a Break-Glass scenario. The Satellite Vault is an offline copy of the Primary Instance of the Primary Vault; it stays fully synchronized by replicating the privileged account credentials whenever they change, whether through the password rotation policy or ad hoc, so that it always holds the latest copy.

    Satellite Vault administrators define which users or IT function owners may access the satellite vault in a disaster scenario. Satellite vault authentication is also linked to a unique profile key generated by PAM at the time of user creation.

When Sectona PAM is down, the break-glass procedure applies: satellite vault administrators log in to the offline vault and grant a limited set of users authorization to access it. Users authenticate to the satellite vault with their profile key and then see the list of assets they are authorized for under the defined access policy. They can then check out privileged account credentials for a target server/device and use them without PAM until the primary PAM is up and running again. Every checkout is recorded in an audit trail, which only the administrator is allowed to view.
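As an added illustration (not Sectona's code; the product's implementation is not shown on this page), the following Go sketch demonstrates the two mechanisms described above: credentials encrypted with AES-256 under a key derived from a customizable master key and a random, unique salt per entry, and a checkout that records every release of a credential in an audit trail. The names Vault, Store and Checkout, the HMAC-SHA256 key derivation and the use of AES-GCM are assumptions of this example, not details of the product.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// entry is one vaulted credential: random per-entry salt, random GCM nonce, AES-256-GCM ciphertext.
type entry struct{ salt, nonce, ct []byte }
// Vault stands in for the encrypted store; master plays the role of the customizable encryption key.
type Vault struct {
	master  []byte
	entries map[string]entry
	Audit   []string // one record per checkout, for administrators to review
}
func NewVault(master []byte) *Vault { return &Vault{master: master, entries: map[string]entry{}} }
// gcmFor derives a per-entry AES-256 key as HMAC-SHA256(master, salt); the 32-byte key means neither call fails.
func gcmFor(master, salt []byte) cipher.AEAD {
	m := hmac.New(sha256.New, master)
	m.Write(salt)
	block, _ := aes.NewCipher(m.Sum(nil))
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
// Store encrypts under a fresh salt and nonce, binding the account name as associated data
// so a ciphertext cannot be re-labelled to another account. Same password, different ciphertext.
func (v *Vault) Store(account, password string) {
	salt, nonce := make([]byte, 16), make([]byte, 12)
	rand.Read(salt)
	rand.Read(nonce)
	ct := gcmFor(v.master, salt).Seal(nil, nonce, []byte(password), []byte(account))
	v.entries[account] = entry{salt, nonce, ct}
}
// Checkout releases a credential to a named user and appends the event to the audit trail.
func (v *Vault) Checkout(user, account string) (string, error) {
	e, ok := v.entries[account]
	if !ok {
		return "", fmt.Errorf("no vault entry for %q", account)
	}
	pt, err := gcmFor(v.master, e.salt).Open(nil, e.nonce, e.ct, []byte(account))
	if err != nil {
		return "", err // tag mismatch: tampered ciphertext or wrong master key
	}
	v.Audit = append(v.Audit, fmt.Sprintf("checkout user=%s account=%s", user, account))
	return string(pt), nil
}
```

A real vault would persist salt, nonce and ciphertext in the database and keep the master key outside it (for example in an HSM), so that a copy of the database alone reveals nothing.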

Advantages of Sectona Password Vault

Apart from keeping credentials in a secure location, a password vault offers the following benefits as well:

  • Generates unique, random, and difficult-to-guess passwords that comply with best-practice password policies.
  • Grants users access to IT resources after logging in only once.
  • Automates the process of password change and removes the risk of managing passwords manually.