Architecture of BeyondTrust Password Safe Cloud

Infrastructure

Password Safe Cloud is hosted within Microsoft Azure. A Password Safe Cloud deployment consists of:

  1. Management Console
    • BeyondTrust Cloud hosted management console and Password Safe user portal
  2. Resource Brokers
    • An on-prem agent deployed in the customer's network that performs the local functions required for password and session management:
    • Authentication against your local AD/LDAP services
    • Asset and account discovery
    • Credential management
    • Session proxy

Diagram displaying security architecture in Password Safe Cloud

For more information, please see Azure infrastructure security.

Compliance

Microsoft Azure data centers meet a high level of compliance standards, which are fully documented and publicly available to view.

The virtual machine images are hardened to the latest CIS benchmark. Nightly scans against the VM image check for compliance against the CIS benchmark.

For more information, please see Azure compliance documentation.

Physical Security

For more information, please see the "Physical Security" section of Azure facilities, premises, and physical security.

Network Security

The network architecture is built to protect all entry points assigned to customers. Highly available edge gateways and segmented network components are dedicated and configured in BeyondTrust. The infrastructure is continuously monitored, and vulnerability testing is conducted regularly by internal security staff and third-party security teams.

Access to the Azure Management Console, where the network/VNet configuration is managed, is also highly restricted within BeyondTrust and is available only to staff who require console access. This access is also subject to MFA.

All inbound traffic to a customer's Password Safe Cloud site uses HTTPS (encrypted HTTP) on TCP port 443. The on-prem Resource Broker also communicates with the Password Safe Cloud instance over port 443, but additionally requires other specific traffic to be allowed, which is described in detail in the application's documentation.

Authentication

Authentication is managed entirely within the application; there is no dependency on cloud identity resources. Details regarding application authentication can be found in the Password Safe Cloud administration guide.