Frequently Asked Questions (FAQ)
What is PowerBroker Password Safe?
BeyondTrust PowerBroker Password Safe secures access to privileged accounts in heterogeneous IT environments through automated password resets and management workflows, secure storage of credentials, and a sealed operating system. PowerBroker Password Safe leverages automated intelligent adapters that manage privileged access to any operating system, database or device over SSH or Telnet, making it the only solution in the market that is fully heterogeneous out-of-the-box.
PowerBroker Password Safe is a critical component of the BeyondTrust PowerSeries product line that automates Privileged Access Lifecycle Management (PALM). PowerBroker Password Safe secures the “Access” stage of PALM and lays the foundation for best of breed granular privilege control from other BeyondTrust products.
PowerBroker Password Safe is available as a hardened physical appliance or as a secure virtual appliance to match customers’ specific environmental needs.
What Problem Does PowerBroker Password Safe Solve?
Most systems have administrative accounts protected by passwords. Windows has its Administrator account, while Unix has root. Other privileged accounts are set up for specific purposes, such as database management. Good security practice dictates that passwords should be strong, unique and changed frequently, but as accounts and systems multiply, and the list of people who require access keeps growing, password control soon becomes a major activity, adding nothing to the bottom line.
Manual systems are open to abuse, and can be inconvenient. A software system running on a secure networked device is a better solution, but developing such a system is a major project. A similar issue exists between application-to-application (A2A) and application-to-database (A2DB) communication involving service accounts on various IT systems. The passwords for these accounts are often hard-coded or embedded in the calling application or script and rarely, if ever, changed.
Due to the depth of access that privileged and embedded passwords provide to highly sensitive and confidential information, and the fact that these access credentials are shared among administrators, it is only natural that security experts and compliance auditors are recommending and requiring more scrutiny and control in this area.
Without a system of checks and balances and overall accountability for privileged and embedded passwords, an organization lays itself open to exploitation and exposes its mission-critical systems to intentional or accidental harm and malicious activity that is difficult and costly to repair.
How is PowerBroker Password Safe licensed?
PowerBroker Password Safe is licensed on a Managed System basis, with unlimited managed accounts, users, applications and scripts allowed. A Managed System is an operating system, directory, database or device containing one or more accounts to be managed with PowerBroker Password Safe.
The PowerBroker Password Safe license defines the maximum number of Managed Systems that the appliance will support. The customer can allocate and re-allocate licenses among Managed Systems as they wish, without needing to contact BeyondTrust for a new license key.
Is PowerBroker Password Safe available as a physical or virtual appliance?
Both. BeyondTrust PowerBroker Password Safe is available as a hardened physical appliance and as a secure virtual appliance to match customers’ specific environmental needs. PowerBroker Password Safe maximizes privileged access security and reduces compliance risk for any SSH or Telnet supported systems or devices. PowerBroker Password Safe provides flexible deployment options and a streamlined deployment process for maximum resource efficiency, without any hidden customization costs.
How difficult is it to set up PowerBroker Password Safe?
Deploying PowerBroker Password Safe is a straightforward process. The PowerBroker Password Safe appliance is delivered to the customer ready to run. The customer installs the device and sets the network parameters, such as IP address, default gateway, mail server addresses, etc. After that PowerBroker Password Safe is ready to manage privileged accounts.
Do I have to create new users and roles if I am already using this in LDAP or AD?
No. PowerBroker Password Safe can create users and permissions from an enterprise’s LDAP or AD directory through group membership using our Automatic Authentication and Authorization (AAA) feature.
Do I have to manually update PowerBroker Password Safe when users are added to Active Directory?
No. PowerBroker Password Safe will automatically discover any new users or systems in Active Directory and will import them for management using the Active Directory Auto-Discovery (ADAD) feature. This feature is intended to save time and increase efficiency for IT administration.
Is there a centralized web interface available for administrators to access?
Yes. Additionally, PowerBroker Password Safe integrates with BeyondTrust’s PowerSeries Management Console (PSMC). PSMC provides enhanced centralized capabilities for PowerBroker Password Safe installation via a web interface, which is accessible anywhere.
Does PowerBroker Password Safe offer expanded options to customize roles?
Yes. PowerBroker Password Safe is highly configurable to an enterprise’s specific policy guidelines.
Are Professional Services required?
The setup and implementation process for PowerBroker Password Safe does not specifically require any on-site services by BeyondTrust personnel, and most of our customers set up PowerBroker Password Safe on their own with BeyondTrust on-line and telephone support. However, if further on-site support is required due to lack of available resources or other projects making demands on staff, BeyondTrust on-site services can be arranged via your BeyondTrust account manager.
How does PowerBroker Password Safe secure the storage of passwords and files?
All data stored in the PowerBroker Password Safe appliance is double encrypted in storage. First, the entire PowerBroker Password Safe hard disk is encrypted using AES-256 encryption. The encryption is unlocked only by booting from the disk, eliminating the potential to remount the disk in another host and read its data. Passwords and files stored on the PowerBroker Password Safe appliance are encrypted using AES-256 and signed with X.509v3 certificates to verify their authenticity. The commercially supported encryption products used are FIPS 140-2 validated.
What is FIPS 140-2 encryption and why is it important?
FIPS 140-2 (Federal Information Processing Standard 140) is a cryptography standard published by the United States Government's National Institute of Standards and Technology (NIST). FIPS 140-2 validation of cryptography modules is performed using the Cryptographic Module Validation Program (CMVP), which is overseen by the NIST National Voluntary Laboratory Accreditation Program. CMVP validates that the encryption performed by a cryptography module is robust enough to meet the FIPS 140-2 standards or higher. This provides assurance that the encryption performed by the cryptography module has been tested to actually work and meet the standards set forth by NIST. PowerBroker Password Safe is the only product of its kind that uses commercially supported, FIPS 140-2 validated software for all encryption of data in storage and transit.
Can PowerBroker Password Safe manage which users have access to privileged accounts passwords?
Yes. Every user must authenticate to the PowerBroker Password Safe appliance to verify the user’s identity. If access to PowerBroker Password Safe is allowed, the user’s access is then restricted to the Roles that they have been granted either directly or via groups. These Roles can be applied to individual managed accounts, all accounts on a managed system, and collections of managed systems. This Role model allows user access to only the specific functions and managed accounts that they have been configured to access, and nothing else.
How does PowerBroker Password Safe change passwords on the managed systems?
To test and change passwords, PowerBroker Password Safe connects to the managed system and changes the password on the managed account. PowerBroker Password Safe can connect to the system using a user account or, in the case of Unix or Linux hosts, by connecting through BeyondTrust PowerBroker.
For user accounts, PowerBroker Password Safe connects to the target device using a secure protocol that is supported by the target device. On most Unix platforms, the connection is by SSH using a DSS key pair. Database connections, such as Microsoft SQL Server and Oracle, connect via ODBC on the PowerBroker Password Safe unit and communicate through the database's network protocol, such as Net-lib and SQL*Net. Connections to Windows machines are via encrypted NTLM.
How does PowerBroker Password Safe manage the release of a password?
PowerBroker Password Safe manages the release of the password via several methods. Users accessing PowerBroker Password Safe through the web interface are all assigned an individual identity. Tied to this identity are the Roles that the user has been granted against individual managed accounts, or managed systems, or collections of systems. As an example, a user may be granted the ability to immediately check out a password for one managed account, may be required to go through an approval workflow to check out a password for a managed system, and may be assigned administrator rights for another collection of systems, while for other managed systems and accounts, he may have no privileges at all.
Similarly, when an application is registered with PowerBroker Password Safe, the administrator defines the specific managed account(s) to which the application will have access. The application will not be able to access any passwords for managed accounts to which it has not been granted access. In the process of approving the application, the administrator defines an identity for the application or script using certificates and program factors. If the application is not consistent with the identity, it has no access to credentials until the new identity has been approved.
Lastly, there is a command line interface (CLI) that can be used to perform administrative and password release functions. Password release functions can be automated or integrated into other systems using the CLI.
Can PowerBroker Password Safe manage Application to Application (A2A) and Application to Database (A2DB) credentials?
Yes. To ensure best practices, PowerBroker Password Safe replaces embedded credentials in applications and scripts. This is accomplished in two ways. First, PowerBroker Password Safe includes an API contained in operating system libraries that can be called to register an application and, once the application profile is approved, to request credentials for use with back-end data sources.
The second component, the pkrun command line environment, works in a similar way. Instead of embedding credentials into commands contained in scripts, tokens are placed in the script. When the command is executed by the pkrun command line tool, the credentials replace the tokens inside of the pkrun execution. This enables the command to execute correctly without any exposed credentials.
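The token-replacement idea described above, as an added Python sketch; it is not pkrun or any BeyondTrust code. The `@@cred:name@@` token syntax, the function names and the sample credential are all assumptions made for illustration.

```python
import re
import subprocess
import sys

# Hypothetical token syntax; the page does not show what a real token looks like.
TOKEN = re.compile(r"@@cred:([A-Za-z0-9_.-]+)@@")

def resolve(argv, granted):
    """Return (real_argv, audit_argv): tokens filled in for execution, masked for logs."""
    def fill(match):
        name = match.group(1)
        if name not in granted:
            # Fail closed: a token the caller was never granted stops the run.
            raise KeyError("no credential granted for token: " + name)
        return granted[name]  # function replacement is inserted literally by re.sub

    def mask(match):
        return "<" + match.group(1) + ">"

    real = [TOKEN.sub(fill, arg) for arg in argv]
    audit = [TOKEN.sub(mask, arg) for arg in argv]
    return real, audit

def run_with_credentials(argv, granted):
    """Run argv with tokens resolved in memory; return (audit_line, child stdout)."""
    real, audit = resolve(argv, granted)
    done = subprocess.run(real, capture_output=True, text=True, check=True)
    return " ".join(audit), done.stdout.strip()

# Constructed sample: the "script" holds only a token, never the secret itself.
DEMO_GRANTS = {"db_admin": r"S3cr\1et-constructed"}
DEMO_ARGV = [sys.executable, "-c",
             "import sys; print(len(sys.argv[1]))", "@@cred:db_admin@@"]

if __name__ == "__main__":
    line, out = run_with_credentials(DEMO_ARGV, DEMO_GRANTS)
    print("audit:", line)
    print("child saw a credential of length", out)
```

The sketch passes the resolved value in argv for brevity; on multi-user hosts, process arguments can be visible in process listings, so prefer a tool's stdin or file-descriptor option where one exists.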
How are A2A and A2DB credentials protected from unauthorized use?
When an application or script is registered to run with PowerBroker Password Safe, the administrator can specify any number of program factors to be used to validate the program. These program factors include the program name, the name and version of any libraries it calls, the checksum of the program, the account under which the program is allowed to run, and others. These program factors validate that the program requesting the credentials is the same application that was approved, so the credentials can’t be harvested by a rogue user or process.
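A sketch of how program-factor checking can gate credential release, added here as an illustration and not taken from the product. The `ProgramProfile` schema, the function names, the three factors chosen (name, SHA-256 checksum, run-as account) and the sample script are assumptions.

```python
import hashlib
import hmac
import os
import tempfile
from dataclasses import dataclass

@dataclass(frozen=True)
class ProgramProfile:
    """Factors recorded when an administrator approves a program (hypothetical schema)."""
    name: str
    sha256: str
    run_as_uid: int

def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def check_factors(profile, path, uid):
    """Return the factors that no longer match; an empty list means verified."""
    failures = []
    if os.path.basename(path) != profile.name:
        failures.append("name")
    if not hmac.compare_digest(sha256_file(path), profile.sha256):
        failures.append("checksum")
    if uid != profile.run_as_uid:
        failures.append("account")
    return failures

def release_credential(profile, path, uid, vault):
    """Release the credential only if every factor matches; fail closed otherwise."""
    failures = check_factors(profile, path, uid)
    if failures:
        raise PermissionError("program factors changed: " + ", ".join(failures))
    return vault[profile.name]

def demo():
    """Approve a constructed script, then test a wrong account and a modified file."""
    path = os.path.join(tempfile.mkdtemp(), "nightly_export.sh")
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\necho export\n")
    profile = ProgramProfile("nightly_export.sh", sha256_file(path), 1001)
    vault = {"nightly_export.sh": "constructed-secret"}  # stand-in credential store
    granted = release_credential(profile, path, 1001, vault)
    wrong_account = check_factors(profile, path, 0)
    with open(path, "a") as fh:
        fh.write("# modified after approval\n")
    tampered = check_factors(profile, path, 1001)
    return granted, wrong_account, tampered

if __name__ == "__main__":
    print(demo())
```

In this sketch the caller supplies the path and uid; a real broker would have to obtain them from the operating system (for example, from the requesting process's executable and peer credentials) so the requester cannot choose its own factors.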
Does PowerBroker Password Safe create an audit trail for compliance?
Yes. PowerBroker Password Safe logs all actions taken through or by PowerBroker Password Safe. This includes all password operations, all user operations, as well as the internal functions of the PowerBroker Password Safe appliance. The PowerBroker Password Safe Administrator or an Auditor can view all PowerBroker Password Safe log data; other users are restricted to log data that is relevant to their granted roles. Log data is maintained and stored on PowerBroker Password Safe for the duration of the Administrator-configured retention period. Log data can also be written to syslog, and exported to external systems for long-term storage.
Does PowerBroker Password Safe retain a history of passwords?
Yes. PowerBroker Password Safe retains a history of the past passwords used for a system, and those passwords can be accessed by a PowerBroker Password Safe user that has been granted sufficient access for that account. This is helpful in situations where an old password may become active on the host, such as if a host needs to be restored from backup. The number of past passwords retained and how long the past passwords are retained is configurable by a PowerBroker Password Safe administrator.
What kind of reports does PowerBroker Password Safe provide?
PowerBroker Password Safe provides a Web-based report generator for viewing the log data. 18 reports track user entitlements (rights) and activities; password approvals, release and usage; failed logins; and reconcile password releases with password resets. Administrator Activity Reports depict administrator activities, such as adding new users or systems and defining user permissions. There are User Reports for Requestors and Approvers, and Password Reports for stored passwords and password update status.
Users, with appropriate rights, can subscribe to reports and receive them via email on a regular basis. A report of subscriptions is available and stored reports can be browsed. The report data is exportable as a CSV file for use with external reporting tools. Reports are also available in HTML.
Does PowerBroker Password Safe provide entitlement reporting?
Yes. PowerBroker Password Safe provides entitlement reporting of all privileges that are granted to users of PowerBroker Password Safe. Authorized PowerBroker Password Safe users can subscribe to these reports or can view the report retained in history on the PowerBroker Password Safe appliance. This provides an audit trail of all access that has been granted to privileged account passwords or to files that are stored on the PowerBroker Password Safe appliance.
Will PowerBroker Password Safe help enterprises meet compliance requirements?
Yes. PowerBroker Password Safe provides a secure audit trail of all privileged access granted in your organization, and who approved the access, if applicable. It is a common requirement of most regulatory compliance requirements that a company prove that its systems containing sensitive data are secure, and that any high-privilege access is allowed only for appropriate business reasons. PowerBroker Password Safe enables organizations to support separation of duties (SOD) and the principle of least privilege.
PowerBroker Password Safe provides a secure, process-based methodology for securing privileged access to the hosts, applications, and databases containing sensitive data. When requests are made to access privileged account passwords, requestors must state a valid business reason, and optionally reference a ticket or change management number. Depending on the level of security required, managed accounts and files may be set to auto-approve, or may be configured to require a manager's approval for the release of the password. If the requests are approved, requestors will then be issued the account password, so they can log in and do their work. After they check in the password or when the check-out time limit expires, PowerBroker Password Safe can rotate the password to a new value, preventing any further access.
Similarly, passwords used to access privileged accounts by applications and scripts can be managed by PowerBroker Password Safe. Instead of embedding the password in the application, script or an associated configuration file, the password is securely maintained in the PowerBroker Password Safe appliance. When an application or script needs the password to connect to a data source, it requests the current password from the PowerBroker Password Safe appliance. Using PowerBroker Password Safe's certificates and program factors, the identity of the application or the script and the environment it is running in is verified by PowerBroker Password Safe before the password is released. This prevents an unapproved application or script from being used to capture the privileged account password.
Every step in the process for both users and application/scripts is logged and can be reported on by the PowerBroker Password Safe appliance. There is a special audit role in PowerBroker Password Safe that will allow an auditor to review all this history, but not perform any actions. The auditor will be able to verify that there are proper controls in place to limit access to the systems without any risk to the integrity of the PowerBroker Password Safe appliance, the managed systems or the log data.
Does PowerBroker Password Safe support one- and two-factor authentication?
Yes. PowerBroker Password Safe supports one or two-factor authentication using PowerBroker Password Safe's internal database, Active Directory, LDAP directories, RSA, Secure Computing and X.509v3 certificates on smart cards.
What types of systems, databases and network devices are supported?
PowerBroker Password Safe can manage any operating system, database or device. For pre-installed devices, all aspects of password generation and management are automated, following configurable rules set by the Administrator or security officer. If any devices are not pre-installed on PowerBroker Password Safe, the administrator can configure PowerBroker Password Safe to manage any device via SSH/Telnet for APM.
How many devices can be managed by PowerBroker Password Safe?
PowerBroker Password Safe is extremely scalable. Utilizing high-performance HP hardware and a proper design and deployment plan, PowerBroker Password Safe appliances can support a virtually unlimited number of managed devices within an enterprise.
Does PowerBroker Password Safe support redundancy and high-availability?
PowerBroker Password Safe supports several layers of fault-tolerance to maximize uptime. First, the PowerBroker Password Safe Performance Monitor continuously checks the internal Agents of the PowerBroker Password Safe unit. If an Agent fails, it is automatically restarted and a SNMP trap (if configured) can be sent to alert administrators.
Secondly, PowerBroker Password Safe supports a high-availability (HA) pairing of two PowerBroker Password Safe units as a primary and replica server. When configured in a HA configuration, the primary PowerBroker Password Safe unit will send all data changes to the replica unit. The replica unit will continually monitor the status of the primary unit, and will automatically promote itself to primary if the primary is unavailable for a customer-defined interval. The failover can also happen manually if a unit needs to be taken off-line temporarily.
Thirdly, the PowerBroker Password Safe unit can be configured to automatically write out encrypted backups to a remote machine. If there is a complete failure of both PowerBroker Password Safe units (or a single PowerBroker Password Safe unit when not in an HA pair), all PowerBroker Password Safe data could be restored to a cold spare PowerBroker Password Safe appliance. Finally, the PowerBroker Password Safe appliance is delivered on an HP ProLiant DL360 G5 server, and includes redundant mirrored drives, hot-swap power supplies and hot-swap fans. This HP hardware is supported on-site by HP Services. Should a hardware component of the PowerBroker Password Safe appliance fail while the customer is current on PowerBroker Password Safe ESS support, an HP service technician will come to the customer's site to replace the failed hardware at no cost to the customer.