Password Safe Features

Formerly BeyondTrust PowerBroker

Discover, manage, audit, and monitor privileged accounts of all types. Watch the demo!

Highlighted Password Safe Features

Reduce risk with cross-platform vulnerability assessment and remediation, including built-in configuration compliance, patch management and compliance reporting.

Automated Discovery and Onboarding

Complete, Automated Discovery and Onboarding of All Privileged Accounts

Password Safe leverages a distributed network discovery engine to scan, identify and profile all assets. Dynamic categorization of all assets and accounts enables auto-onboarding, and the ability for access policies to self-adjust according to environmental changes. This capability helps IT keep pace with changing environmental variables, reduces time and administrative overhead, and reduces risk by ensuring that no system is left unmonitored/unmanaged.

  • Discover and profile all known and unknown assets (web, cloud, virtual), privileged user accounts, shared accounts, and service accounts
  • Quickly identity assets with common traits and automatically bring them under management via Smart Rules automation.
  • Create Smart Groups to automatically categorize, group, assess, and report on assets by IP range, naming convention, OS, domain, applications, business function, Active Directory, and more.
  • Auto discover all SSH keys on host systems

Privileged Credential Management

Control Access to Privileged Credentials, Automate Rotation and Reduce the Risk of Compromise

Password Safe enables organizations to securely store, rotate and control access to privileged account passwords and other credentials to better protect sensitive assets and more easily meet compliance requirements. Password Safe helps your teams to:

  • Keep passwords fresh: Rotate passwords on a scheduled basis or upon check-in to mitigate the risk of abuse or misuse.
  • Rotate SSH keys: Automatically rotate keys according to a defined schedule and enforce granular access control and workflow.
  • Eliminate application credentials: Get control over scripts, files, code, and embedded keys.
  • Ensure password strength: Define and enforce password policy to meet any complexity requirement.
  • Eliminate old passwords: Analyze password ages and proactively report policy violations.
  • Solve the problem of remote users: Use BeyondTrust Privilege Management for Windows and Mac as an agent to update passwords on remote devices.
  • Active/active targeted password change: Selectively process password change, password test, and account notification queue items for designated workgroups.

Privileged Session Management

Agentless Privileged Session Management

Privileged session monitoring and management is essential to achieve your compliance and security requirements, but can be complex and time-consuming to achieve.

Password Safe privileged session management uses standard desktop tools such as PuTTY and Microsoft Terminal Services Client, ensuring administrators can leverage commonly used tools. With Password Safe, administrators can:

  • Control access: Request RDP/SSH access to authorized systems only
  • Leverage flexible execution: Start sessions instantly, or via workflow
  • Enable true dual control: View any active privileged session, and if required, pause or terminate the session
  • Enforce accountability: Record privileged sessions in real time via a proxy session monitoring service for SSH and RDP
  • Capture everything: Use keystroke indexing and full text search to pinpoint data, and then log an acknowledgement of the review for audit purposes
  • Communicate and comply: Build reports for usage, audit, forensics, and regulatory compliance purposes.
  • Audit and log privileged sessions: Access and watch a session, then log an acknowledgement of the review to meet audit compliance requirements.
  • Quickly search session logs: Index and text search using keystroke to pinpoint data, and then log an acknowledgement of the review for audit purposes.
  • RDP enhanced session audit: Every click within the Windows interface, along with any keystrokes, is audited and recorded in a searchable session replay index.
  • Real-time activity alerting: Defined user activity can generate real-time email alerts, as well as block commands, lock, and terminate SSH sessions.
  • Use Command blacklisting: Connection profiles define keyword groups that can determine a specific course of action – block command, lock session, block and lock session, or terminate session.
  • Auto logoff and disconnect: Utilize ‘log off on disconnect’ feature to ensure sensitive data is not exposed in subsequent RDP sessions.
  • Integrate with SailPoint Predictive Identity Platform (IdentityIQ & IdentityNow): Manage access for privileged and non-privileged accounts with privileged access management and identity and access management (IAM).
  • Adopt a client-less solution with no agents required on the server
  • Fully integrate with native tools (MSTSC, PuTTY, ,etc.)
  • Gain full video recording with 100% accountability

Secure Application Credentials

Password Safe eliminates hard-coded or embedded application credentials automatically, simplifying management for IT and better securing the organization from exploitation of those credentials. Password Safe:

  • Enables removal of hard-coded passwords from applications and scripts
  • Provides an extensible REST interface that supports many languages, including C/C++, Perl .NET, and Java
  • Ensures that passwords can be automatically reset upon release
  • Enforces extensive security controls to lock down access to only authorized applications

Secure SSH Key Management

Simplified SSH Key Management Improves Control, Accountability, and Security for Unix and Linux Systems

Traditional methods of SSH key management are very labor intensive, with many organizations not properly rotating their keys. As well, it is common practice for administrators to share keys. Between the lack of rotation and the sharing of keys, organizations lose accountability over their systems, which could lead to those systems being vulnerable to exploits. Password Safe adds security and simplifies the management of SSH keys by:

  • Storing private keys like any other privileged credential
  • Automatically rotating SSH keys according to a defined schedule
  • Allowing designated 'secondary' accounts and SSH keys to be grouped to a 'primary' account to manage rotation interval, complexity and duration of SSH keys
  • Enforcing granular access control and workflow
  • Alerting when a key is released
  • Automatically logging users onto Unix or Linux systems through the proxy with no user exposure
  • Recording every privileged session with full playback and key usage auditing
  • Offering failover to a managed password for complete redundancy
  • Allowing SSH sessions to be easily established via your existing desktop tools without having to initiate with a web interface

Password Safe greatly simplifies the management and secures the use of SSH keys for better control, accountability and security over Unix and Linux systems.

Just-in-Time Access Control

In Traditional PAM workflows, permissions are often granted globally to individuals based upon job role, and do not take into account real-time risk factors such as location, day or time. Password Safe enables the dynamic assignment of just-in-time privileges via the Advanced Workflow Control engine.

Policies can be extended to block password access to some managed resources unless the request originated from the corporate network, another approved source or only allow access to certain vendor accounts if they originate from the vendor network.

Having this capability ensures that users have the right access according to the context of their request, thereby minimizing opportunities for exploiting privileged credentials.

Extensible API for Security and Scalability

Integrate with an Extensive Set of Tools and Systems to Orchestrate PAM Enterprise-wide

The Password Safe API is designed to address single sign-on shortcomings, simplify developer access, and offer secure credential management. Since legitimate user credentials are used in most data breaches, it has never been more critical for organizations to control access to their sensitive systems.

If credentials are retrieved automatically and securely from the Password Safe API, commercial application developers would never be required to enter a username and password for connectivity. In this case, end-users, like database administrators, never need administrator rights to access a database. This capability improves system security while enabling greater business agility. Organizations and application developers realize multiple benefits in using the Password Safe API:

  • Secure credential management: Instead of entering static credentials, developers call on the Password Safe API to retrieve the latest credentials for the user, application, infrastructure, cloud solution, or database to authenticate and then release the credentials at the end of the session. This triggers the automatic rotation of the password. The end-user is never exposed to the username or password. All authentication is performed silently behind the scenes with complete activity auditing if desired.
  • Simplified developer access: Improve IT's agility and responsiveness by never requiring the entry of a username and password for connectivity to create custom applications. End users, like database administrators, never need administrator credentials to access a database if the tools retrieve stored credentials automatically. Management tools for services, remote access, and infrastructure automatically recognize the logged-on user and their asset and seamlessly request and pass credentials for the application.
  • Protection from SSO hacks: Since credentials can be passed within the application itself, directly from Password Safe, IT can secure runtime and avoid hacking techniques like pass-the-hash and keystroke logging, making this approach far more secure than single sign-on (SSO).

Privileged Threat Intelligence and Behavioral Analytics

BeyondInsight and Password Safe Combine User, Account, and Asset Threat Analytics for Unmatched Visibility

Analyze privileged password, user, and account activity, along with asset characteristics to help you correlate application, service, and process data with a continuously updated malware database. BeyondTrust connects the dots and flags the events you need to focus on, allowing you to act decisively and effectively prioritize risk mitigation.

Aggregate user and asset data to baseline and track behavior:

  • Correlate asset, user and threat activity to reveal critical risks
  • Identify potential malware threats buried in asset activity data
  • Increase the ROI of your existing security solutions
  • Generate reports to inform and align security decisions

Secure Team Passwords

There are teams in your organization that must access accounts as part of their daily work. Examples include Development, Test, QA, Marketing, Finance and others. Most of these accounts do not contain sensitive information, but in the wrong hands, could still cause damage to the organization. For example, unauthorized access to a test environment could have severe consequences for the organization.

Traditionally, most small groups with oversight over shared credentials have managed them manually in spreadsheets or worse, with sticky notes. Organizations can now manage these credentials locally within each team in a secure and auditable way.

Team Passwords is designed to securely store credentials owned by small groups within Password Safe, in a fully auditable controlled environment. This feature delivers secure password practices teams in the organization outside of traditional privileged admin user roles. Sensitive credentials shared by groups, can now be safely stored in Password Safe and locally managed.

Use BeyondInsight to Manage Team Passwords