Password Safe Features

BeyondTrust Password Safe features a distributed network discovery engine to scan, identify, and profile all assets. Dynamic categorization of all assets and accounts enables auto-onboarding, and the ability for access policies to self-adjust according to environmental changes.

• Discover all privileged accounts & assets: Scan and profile all known and unknown assets (web, cloud, virtual), privileged user accounts, shared accounts, service accounts, DevOps secrets, and SSH keys.
• Auto-magically group like assets: Create Smart Groups to automatically categorize, group, assess, and report on assets. Sort by IP range, naming convention, OS, domain, applications, business function, Active Directory, and more. Continuously identity new assets and automatically apply Smart Rules when onboarding.

Today's cloud-based development environments require essential security to secure these mission-critical applications. Often, these teams need to share credentials to support their rapid prototyping through deployment. Secrets Safe manages these credentials locally within each team in a secure and auditable way. Secrets Safe is fully integrated within Password Safe — no additional tooling required.

BeyondTrust Secrets Safe is designed to secure store credentials owned by cloud developers in a fully controlled environment. Any sensitive credentials required to make applications run can now be safely shared, stored, and locally managed. These include, and are not limited to:

• API keys
• Tokens
• Certificates
• JSON files
• XML files

Secrets are managed through a graphical user interface. Secrets can be uploaded and retrieved using the GUI or by using the supplied API. Non-human or service tasks can make full use of the API to retrieve secrets they require to access resources.

Teams desiring to use Kubernetes will benefit from BeyondTrust's unique secrets management using Kubernetes Sidecar, which simplifies the logic for connecting to and retrieving secrets from Secrets Safe. Using the Kubernetes Sidecar enables rapid development without requiring deep Kubernetes experience, sidestepping complex secrets management configurations within container code.

Privileged session monitoring and management is essential to achieve compliance and security requirements.

BeyondTrust Password Safe privileged session management uses standard desktop tools such as PuTTY and Microsoft Terminal Services Client, ensuring administrators can leverage commonly used tools. Password Safe session management features include:

• Control Access: Request RDP/SSH access to authorized systems only.
• Leverage Flexible Execution: Start sessions instantly, or via workflow.
• Enable True Dual Control: View any active privileged session, and if required, pause or terminate the session.
• Enforce Accountability: Record privileged sessions in real time via a proxy session monitoring service for SSH and RDP.
• Capture Everything: Use keystroke indexing and full text search to pinpoint data, and then log an acknowledgement of the review for audit purposes.
• Communicate & Comply: Build reports for usage, audit, forensics, and regulatory compliance purposes.
• Audit and Log Privileged Sessions: Access and watch a session, then log an acknowledgement of the review to meet audit compliance requirements.
• Quickly Search Session Logs: Index and text search using keystroke to pinpoint data, and then log an acknowledgement of the review for audit purposes.
• RDP Enhanced Session Audit: Every click within the Windows interface, along with any keystrokes, is audited and recorded in a searchable session replay index.
• Real-Time Activity Alerting: Defined user activity can generate real-time email alerts, as well as block commands, lock, and terminate SSH sessions.
• Use Command Blacklisting: Connection profiles define keyword groups that can determine a specific course of action. Block commands, lock sessions, terminate sessions, or all three.
• Auto Logoff & Disconnect: Utilize ‘log off on disconnect’ feature to ensure sensitive data is not exposed in subsequent RDP sessions.
• Integrate with SailPoint Predictive Identity Platform (IdentityIQ & IdentityNow): Manage access for privileged and non-privileged accounts with privileged access management and identity and access management (IAM).

Traditional methods of SSH key management are very labor intensive, with many organizations not properly rotating their keys. It is also common practice for administrators to share keys. Between the lack of rotation and the sharing of keys, organizations lose accountability over their systems and expose vulnerabilities.

BeyondTrust Password Safe improves security and simplifies management of SSH keys by:

• Onboarding and storing private keys like any other privileged credential.
• Automatically rotating SSH keys according to a defined schedule.
• Allowing designated 'secondary' accounts and SSH keys to be grouped to a 'primary' account to manage rotation interval, complexity, and duration of SSH keys.
• Enforcing granular access control and workflow.
• Alerting when a key is released.
• Automatically logging users onto Unix or Linux systems through the proxy, with no user exposure.
• Recording every privileged session with full playback and key usage auditing.
• Offering failover to a managed password for complete redundancy.
• Allowing SSH sessions to be easily established via your existing desktop tools--without having to initiate with a web interface.

The Password Safe API is designed to address single sign-on shortcomings, simplify developer access, and to provide secure credential management.

Credentials retrieved automatically and securely from the Password Safe API allow application developers to gain access, without entering credential information each time. In this case, end users, like database administrators, never need administrator rights to access a database. This capability improves system security, while enabling greater business agility.

Traditionally, smaller groups managed shared credentials manually with spreadsheets. Or in the worst cases, with sticky notes. Password Safe manages these credentials locally, within each team, in a secure and auditable way.

The Team Passwords capability is designed to securely store credentials owned by small groups within Password Safe in a fully controlled environment. This feature delivers secure password practices to teams outside of traditional privileged user roles. Sensitive credentials shared by groups can now be safely stored in Password Safe and locally managed.