Vaulting, Rotation and Credential Management
Secure platform for vaulting, rotating, and managing privileged credentials — treating them as high-value assets that must be hidden, hardened, and constantly changed
The vault is designed to protect and manage passwords by storing them in an encrypted repository. It ensures sensitive credentials are safeguarded while remaining easily accessible to authorized users. When access is required, the system automatically retrieves and provides the necessary credentials.
- All privileged credentials are stored in a centralized encrypted vault.
- Users never see the actual password unless policy allows it.
- Access to credentials is controlled by role-based access policies.
- Every access request is logged and audited.
- AES-256 Encryption – Ensures credentials remain unreadable even if the underlying database is accessed.
- Granular Access Control – Define exactly who can “check out” a password or initiate a session based on their role.
- Zero-Knowledge Architecture – Sensitive clear-text passwords are rarely exposed to human eyes, even during the vaulting process.
Password rotation is the scheduled process of changing a user’s password to a new value according to a predefined policy. Once rotated, passwords are centrally stored in an encrypted vault and provided to authorized users through automated retrieval.
- Passwords are automatically rotated based on defined policies.
- Rotation can occur: after each use, on a scheduled interval, or after a privileged session ends.
- The new password is updated in the vault automatically.

Figure: Automated password rotation and vault update process
- Administrators can define policies for access approval, session monitoring, and audit logging.
- Credentials are mapped to entitlements, ensuring only authorized users can initiate privileged sessions.
- Detailed reports and logs help track usage and detect anomalies.
- Prevents reuse of old credentials.
- Reduces the risk of compromised passwords.
- Ensures compliance with security policies.
- Eliminates manual password updates.
- Primary Vault – The vault solution is designed with two key components: the Primary Vault and the Satellite Vault. The Primary Vault acts as the central repository connected to the PAM application, responsible for safeguarding credentials and other critical information.

Figure: Primary Vault as the central repository connected to the PAM application
- Satellite Vault – Serves as a secondary offline vault configured on a secure and isolated system within the same network as the Primary Vault. It is intended for use during Break-Glass scenarios to ensure continued access. Operates as an offline replica of the Primary Vault, continuously synchronized by replicating privileged account credentials whenever updates occur through password rotation policies or ad hoc modifications — ensuring the availability of the most up-to-date credentials.
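The rotation triggers (after each use, on a scheduled interval, after a privileged session ends), the no-reuse rule, and the Primary-to-Satellite replication described above can be modelled as follows. This is an added example, not the product's code. The names `Vault`, `RotationPolicy`, `rotate_if_due` and the event strings are hypothetical, the vaults are plain in-memory dictionaries rather than encrypted stores, and the step that changes the password on the target system is left out.

```python
import hashlib
import secrets
from datetime import datetime, timedelta

# Hypothetical names throughout; in-memory stand-in for an encrypted vault.
class Vault:
    def __init__(self):
        self.current = {}      # account -> current password
        self.history = {}      # account -> SHA-256 digests of every value issued
        self.rotated_at = {}   # account -> time of last rotation

class RotationPolicy:
    def __init__(self, after_use=False, after_session=False, max_age=None):
        self.after_use, self.after_session, self.max_age = after_use, after_session, max_age

    def is_due(self, event, last_rotated, now):
        if event == "checkout_returned" and self.after_use:
            return True
        if event == "session_ended" and self.after_session:
            return True
        # Scheduled interval: any event, including a periodic "tick", can trip it.
        return self.max_age is not None and now - last_rotated >= self.max_age

def rotate_if_due(account, event, policy, primary, satellite, audit, now):
    last = primary.rotated_at.get(account, datetime.min)  # never rotated counts as overdue
    if not policy.is_due(event, last, now):
        return False
    seen = primary.history.setdefault(account, set())
    while True:  # regenerate until the value has never been issued for this account
        new_pw = secrets.token_urlsafe(24)
        # Plain digests are acceptable only because the values are random tokens.
        digest = hashlib.sha256(new_pw.encode()).hexdigest()
        if digest not in seen:
            break
    seen.add(digest)
    for vault in (primary, satellite):  # update the primary, then replicate
        vault.current[account] = new_pw
        vault.rotated_at[account] = now
    audit.append((now.isoformat(), account, event, "rotated"))  # the secret is never logged
    return True

if __name__ == "__main__":
    # Constructed sample: rotate after sessions and at least every 30 days.
    primary, satellite, audit = Vault(), Vault(), []
    policy = RotationPolicy(after_session=True, max_age=timedelta(days=30))
    start = datetime(2024, 1, 1)
    for offset, event in [(0, "tick"), (1, "tick"), (2, "session_ended"), (40, "tick")]:
        when = start + timedelta(days=offset)
        print(when.date(), event, rotate_if_due("svc-db", event, policy, primary, satellite, audit, when))
```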