What is a Password Vault?
Why do we Need a Password Vault?
Passwords are limited by a manual password management problem that results in challenges like memory capacity and password security. Memory capacity limits a user’s ability to remember long and complicated passwords and write them down on a sticky note. This also hinders the security of a password by being tempted to use repeat passwords or easy to remember passwords across multiple accounts, exposing the passwords to theft and illegitimate user access.
Passwords should be protected and guarded throughout their entire lifecycle, from creation to end, through a set of defined practices for which there are strict password management rules. It ensures that passwords are stored and encrypted in a secure location known as a password vault and are passed onto the user only if he/she presents proper identification, granting the user access to devices and applications to which he/she is entitled to. The passwords in the vault also undergo rotation on a pre-defined frequency, and when a user requests access, he/she receives credentials from the vault in a controlled fashion.
Sectona Password Vault?
Sectona’s password vault is powered by commercial grade Oracle MySQL database that remains unexposed and tamper proof. The communication of the vault is with the Sectona PAM application through a secure protocol. It also caters to built-in High Availability (HA) architecture and thereby ensures higher security. Configuring Sectona PAM Vault to store credentials in AES 256 or RSA 2048 encrypted format, random and unique salt of defined encryption is used for every new privileged account credential entry. A unique and customizable encryption key can be defined that can be used to access the vault. The vault comes for two distinct categories – Primary Vault & Satellite Vault:
- Primary PAM Vault is the principal vault communicating with the PAM application responsible for storing credentials and critical data. While this is a centralized vault, the vault could be replicated for multiple instances – namely Primary, HA, DR, and Remote Site. While primary is the principal vault, HA is a near-backup vault, DR is a far-backup vault and remote site is an additional instance of a far backup vault which may or may not be common.
- Primary Instance: This is the primary mode of storing facility, which caters to a user’s immediate and principal access point and keeps him/her connected with his resources.
- High Availability Instance: Also known as the Fallback Instance, the High Availability Instance acts as a backup when the primary Vault goes down and takes over the Primary Instance mantle and ensures the user can get the required access. The initial primary Instance becomes the HA instance after it is back up online. The HA instance is a replica of the primary instance, always synchronized, enabling the HA to take over the responsibility when the primary instance is not available.
- Disaster Recovery Instance: When both the Primary and High Availability Instances are not available due to a failure or shutdown, the DR Instance provides the users with the required credentials to their resources, ensuring business continuity. Configuration to alternate the access node directing it to DR instance in case of a failure in primary and HA can be set in the solution.
- Remote Instance: A Remote Site Instance is a partial configuration on a remote DC location as part of the Primary PAM vault, which helps provide access in the temporary unavailability of primary vault. It is a replica of the primary Instance present in a different location, configured for privileged users in an organization requiring simultaneous access to target assets from two different locations.
- Sectona Remote site instance works as a partial primary PAM instance, which works as a primary instance to provide sessions in the event of a temporary unavailability of actual primary instance. And once a connection is established, they revert to their original roles. The remote site instance passes along the access log entries to the actual primary instance to ensure vault’s synchronization.
- Satellite Vault is a secondary offline vault, configured on a secure isolated machine in the same network as the primary vault, easily accessible to users at the time of a Break-Glass Scenario. Satellite Vault is an offline copy of the Primary Instance of primary vault, ensuring complete synchronization by replicating a copy of privileged account credentials, whenever changed as per password rotation policy or ad hoc to maintain the latest copy.
Satellite Vault administrators define which users or IT function owners can have access to satellite vault at the time of disaster scenario. The satellite vault authentication is also linked with a unique profile key generated from PAM at the time of user creation.
Advantages of Sectona Password Vault
- Unique, random, and difficult passwords in compliance with best practice password policies.
- Grants users the access to IT resources by logging in only once.
- Automates the process of password change and takes away the risk of manually managing passwords.
- 1.1 What is a Password Vault?
- 1.2 Why do we Need a Password Vault?
- 1.3 Sectona Password Vault?
- 1.4 Advantages of Sectona Password Vault
- 1.5 Related Concepts
- 1.6 Password Rotation: Need to Rotate Privileged Account Passwords
- 1.7 Password Reconciliation – Enabling Synchronized Password Management
- 1.8 Password Reset v/s Password Change