PowerBroker Password Safe 6.6 Extends Workflow Capabilities and Security

Martin Cannard
July 26th, 2018

BeyondTrust PowerBroker Password Safe 6.6 features some exciting enhancements around ease of onboarding for Unix and Linux hosts, enterprise session management and adaptive account grouping, giving users unmatched levels of security, accountability, and control while continuing our commitment to usability and simplicity. Here are some highlights of new features:

Secure Password Update Proxy for Unix and Linux

One of the challenges of managing accounts on remote systems is that you have two options for the authority under which you change the password.

1) Use the account's own password to change its password.

This works well when the managed platform allows only a single account. But what happens if the password falls out of sync? For example, if someone logs in using the managed account and changes the password to something else, the stored password is no longer correct, so the system cannot log on to change it. In these cases, you must manually reset the password to a known state.

2) Use a separate functional account that has rights to change the managed account's password.

The way around the single-account sync issue above is to have a separate (usually dedicated) functional account that changes the managed account password. This avoids the out-of-sync issue because the functional account can log on and override the managed account password regardless of whether it is in sync. Best practice is that the functional account password is auto-rotated and never available for checkout.

The problem is that although a separate functional account solves the out-of-sync issue, you still need to set up an additional account on every system that cannot leverage a central domain/directory functional account.

BeyondTrust PowerBroker Password Safe in conjunction with PowerBroker for Unix & Linux now offers the capability to change passwords on Unix and Linux hosts without the need for a functional account on each host. Leveraging remote command execution, PowerBroker for Unix & Linux will change managed account passwords on any remote system under its control.

Policy Rules in PowerBroker for Unix and Linux allow password updates to be securely passed to managed endpoints.

We designed the integration to be simple: you specify a proxy host that has the PowerBroker for Unix & Linux client installed, and all password changes/checks will be routed through to managed endpoints with no additional functional account requirement. The best of both worlds!

Enterprise Session Replay Enhancement

PowerBroker Password Safe has expanded its remote proxy capability to allow sessions to be played back from any node in the infrastructure.

Often network connection speeds between organizational sites can be slow, especially to small satellite offices. This creates challenges for accessing remote resources via centralized session management proxies. PowerBroker Password Safe enables proxies to be distributed, providing security and audit without the expense of a slow user experience. In PowerBroker Password Safe version 6.6, you can play back sessions from any node regardless of where they were originally recorded – even if they have been archived.

New APIs for Quarantine and Session Control

A new set of APIs allows you to dynamically control active sessions, and a new User Quarantine function prevents further user activity. Session/Request control enhancements include:

Active Session Control

  • Locking all active sessions for a given managed account
  • Locking all active sessions for a given managed system
  • Terminating all active sessions for a given managed account
  • Terminating all active sessions for a given managed system

Active Request Control

  • Terminating all active requests for a given managed account
  • Terminating all active requests for a given managed system

Custom Attributes for Managed Accounts

Custom attributes have long been available for Assets. In PowerBroker Password Safe v6.6, you can also apply custom attributes to managed accounts.

The new generic custom attributes can be set from Smart Rules or via the API; once applied, they can be leveraged as a filter for Smart Groups to allow unordered lists of managed accounts to be created. The great thing about this feature is that it allows dynamic inclusion or exclusion of accounts to a security group that can also be driven externally via API/CLI.

Protect Passwords with Copy to Clipboard

Rather than display passwords by default, Password Safe now obfuscates the password and allows users to copy the password to the clipboard by default.

The copy to clipboard feature prevents passwords from being displayed on screen.

This prevents screen-scraping malware from capturing passwords and adds an additional layer of security: the password is passed directly to the paste buffer, so it is never initially displayed on the screen.

Usability

We have added many enhancements to improve the user experience including language support, improvements to directory queries and the asset grid. There is a brand-new configuration landing page which supports granular search and embedded help.

Reporting

New reports include Entitlement by User Report and Database User Report, plus many enhancements have been made to improve existing reports. We have boosted the performance of the Analytics and Reporting component, and added the ability to save scheduled reports to a network share.

Other Enhancements

There are over 100 enhancements and new features in this release of PowerBroker Password Safe. Check out the new features document for a complete rundown, and if you would like to learn more about PowerBroker Password Safe, let us know!

Martin Cannard

Martin has been helping organizations solve challenges in the privileged account management and identity and access management space for over 24 years. At Dell Software, Martin managed a team of Solution Architects, focused on designing and implementing solutions in the Privileged Account Management (PAM) space. Prior to joining Dell, Martin was Sr. Product Manager for Novell Privileged User Manager, a privilege management application acquired from Fortefi, an organization where he served as Vice President, Corporate Development. Prior to this, he was Program Manager of Client Technologies at Symantec where he was responsible for many ground-breaking field and channel enablement applications. Additionally, Martin managed the European QA group at Axent Technologies and has held various management positions in consulting, systems development, and operations. Martin is a regular speaker at security events and webinars.