Frequently Asked Questions (FAQ)

What is PowerKeeper?
Symark PowerKeeper is a privileged account access management solution delivered as a hardened appliance that secures privileged accounts and files through automated password rotation and management, encryption, secure storage of credentials, and a strong, process-based methodology. Its highly configurable security features let you customize the product to fit your heterogeneous IT environment and support compliance requirements.
What Problem Does PowerKeeper Solve?
Privileged (or administrative) accounts are pervasive in any organization. These accounts are used to access virtually every device, every operating system and every application. These keys to the kingdom grant access to programs and files containing sensitive data. If they are not properly protected and managed, they represent a significant security and compliance risk to the organization.

Privileged passwords are difficult to manage because they are often shared among individuals, lost or forgotten, left at vendor defaults, not regularly maintained, and not protected from misuse. Manually administering these privileged accounts results in high administration costs and lower productivity. Ignoring the maintenance of privileged accounts creates unacceptable security risks and also violates government regulations (like SOX, HIPAA, and GLBA) and industry standards (like PCI DSS and Basel II). Compliance with these regulations and standards requires the creation of a secure access-control infrastructure and adherence to security best practices. Symark PowerKeeper provides a simple-to-implement, straightforward solution to these problems and closes these security risks while helping you demonstrate and meet compliance requirements.
How is PowerKeeper licensed?
PowerKeeper is licensed on a Managed System basis, with unlimited managed accounts, users, applications and scripts allowed. A Managed System is an operating system, directory, database or device containing one or more accounts to be managed with PowerKeeper.

The PowerKeeper license defines the maximum number of Managed Systems that the appliance will support. The customer can allocate and re-allocate licenses among Managed Systems as they wish, without needing to contact Symark for a new license key.
Why is PowerKeeper Implemented as an appliance?
Symark PowerKeeper is implemented as a hardened appliance with no access to the operating system, to deliver the most secure environment for the management of privileged account passwords and to allow rapid deployment. All of the processes involved in generating and maintaining passwords, updating those passwords on hosts, databases and other applications and devices, and requesting, approving and granting administrator access to passwords are internal to the PowerKeeper appliance, where they are fully protected. This ensures that passwords are not exposed during any step that requires the password to be momentarily decrypted and displayed in clear text.

In any system that manages passwords, there are necessary steps where the password needs to be unencrypted and momentarily kept in clear text. These steps include when a new password is applied to a host, database or device, or when the password is presented to an approved user. If any of these steps occur in a non-hardened appliance configuration or system, the password is vulnerable to compromise by a rogue user, or to a Trojan process executing on the machine. By performing these steps inside a hardened appliance like PowerKeeper, this threat is eliminated.
How difficult is it to set up PowerKeeper?
Setting up PowerKeeper is a straightforward process. The PowerKeeper appliance is delivered to the customer ready to run. The customer installs the device and sets the network parameters, such as IP address, default gateway, mail server addresses, etc. After that PowerKeeper is ready to start managing privileged accounts.

To manage a privileged account using Automated Password Management, PowerKeeper will need access to the managed system so it can test and change passwords. Once access to the managed system is configured, the lists of users, managed systems and managed accounts need to be populated into PowerKeeper. This can be performed through the web and CLI interfaces, in a bulk load through PowerKeeper's import facility, or access can be set up through a provisioning system integrated with PowerKeeper's CLI.
Are Professional Services required?
No. The setup and implementation process for PowerKeeper does not specifically require any on-site services by Symark personnel, and most of our customers set up PowerKeeper on their own with Symark on-line and telephone support. If further on-site support is required because of a lack of available resources or other projects making demands on staff, Symark on-site services can be arranged via your Symark account manager.
How does PowerKeeper secure the storage of passwords and files?
All data stored in the PowerKeeper appliance is double encrypted in storage. First, the entire PowerKeeper hard disk is encrypted using AES-256 encryption. The encryption is unlocked only by booting from the disk, eliminating the potential to remount the disk in another host and read its data. Second, passwords and files stored on the PowerKeeper appliance are encrypted using AES-256 and signed with X.509v3 certificates to verify their authenticity. The encryption products used are FIPS 140-2 validated.
What is FIPS 140 encryption and why is it important?
FIPS 140, or the Federal Information Processing Standard 140, is a cryptography standard published by the United States Government's National Institute of Standards and Technology (NIST). FIPS 140 validation of cryptography modules is performed using the Cryptographic Module Validation Program (CMVP), which is overseen by the NIST National Voluntary Laboratory Accreditation Program. CMVP validates that the encryption performed by a cryptography module is robust enough to meet the FIPS 140-2 standard or higher. This provides assurance that the encryption performed by the cryptography module has been tested to actually work and to meet the standards set forth by NIST. PowerKeeper is the only product of its kind that uses only commercially supported, FIPS 140-2 validated software for all encryption of data in storage and in transit.
Can PowerKeeper manage which users will have access to privileged accounts passwords?
Yes. Every user must authenticate to the PowerKeeper appliance to verify the user's identity. If access to PowerKeeper is allowed, the user's access is then restricted to the Roles that they have been granted, either directly or via groups. These Roles can be applied to individual managed accounts, to all accounts on a managed system, and to collections of managed systems. This Role model allows user access to only the specific functions and managed accounts that they have been configured to access, and nothing else.
How does PowerKeeper change passwords on the managed systems?
To test and change passwords, PowerKeeper connects to the managed system and changes the password on the managed account. PowerKeeper can connect to the system using a user account or in the case of UNIX or Linux hosts, by connecting through Symark PowerBroker.

When using a user account, PowerKeeper connects to the target device using a secure protocol that is supported by the target device. On most UNIX platforms, the connection is by SSH using a DSS key pair. Database connections, such as Microsoft SQL Server and Oracle, are made via ODBC on the PowerKeeper unit and communicate through the database's network protocol, such as Net-Lib and SQL*Net. Connections to Windows machines are via encrypted NTLM.
How does PowerKeeper manage the release of a password?
PowerKeeper manages the release of the password in several ways. Users accessing PowerKeeper through the web interface are all assigned an individual identity. Tied to this identity are the Roles that the user has been granted against individual managed accounts, or managed systems, or collections of systems. As an example, a user may be granted the ability to immediately check out a password for one managed account, may be required to go through an approval workflow to check out a password for a managed system, and may be assigned administrator rights for another collection of systems, while for other managed systems and accounts, he may have no privileges at all.

Similarly, when an application is registered with PowerKeeper, the administrator defines the specific managed account(s) to which the application will have access. The application will not be able to access any passwords for managed accounts to which it has not been granted access. In the process of approving the application, the administrator defines an identity for the application or script using certificates and program factors. If the application is not consistent with the identity, it has no access to credentials until the new identity has been approved.

Finally, there is a command line interface (CLI) that can be used to perform administrative and password release functions. Password release functions can be automated or integrated into other systems using the CLI.
Can PowerKeeper manage Application to Application (A2A) and Application to Database (A2DB) credentials?
PowerKeeper supports replacing embedded credentials in applications and scripts. This is accomplished in two ways. First, PowerKeeper includes an API, contained in operating system libraries, that can be called to register an application and, once the application profile is approved, to request the credentials used to reach back-end data sources. The second component, the pkrun command line environment, works in a similar way. Instead of embedding credentials in the commands contained in scripts, tokens are placed in the script. When the command is executed by the pkrun command line tool, the credentials replace the tokens inside the pkrun execution. This enables the command to execute correctly without any exposed credentials.
How are A2A and A2DB credentials protected from unauthorized use?
When an application or script is registered to run with PowerKeeper, the administrator can specify any number of program factors to be used to validate the program. These program factors include the program name, the name and version of any libraries it calls, the checksum of the program, the account under which the program is allowed to run, and others. These program factors validate that the program requesting the credentials is the same application that was approved, so the credentials can't be harvested by a rogue user or process.
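The following is an added illustration of the program-factor check described in this answer and of the token placeholder idea from the pkrun answer above; it is example code written for this page, not PowerKeeper's API or the pkrun tool. The profile layout, the three factors checked (program name, checksum, account), the @@DBUSER@@ token syntax and the constructed script are all assumptions.

```python
import hashlib
import os
import pwd
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class ProgramProfile:
    """Program factors an administrator approved for one registered application (assumed layout)."""
    path: str      # approved program path (the "program name" factor)
    sha256: str    # checksum of the approved program file
    run_as: str    # account the program is allowed to run under


def sha256_of(path: str) -> str:
    """Checksum the file in chunks so a large binary does not sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def register(path: str, run_as: str) -> ProgramProfile:
    """Capture the factors of the program at approval time."""
    return ProgramProfile(os.path.realpath(path), sha256_of(path), run_as)


def failed_factors(profile: ProgramProfile, path: str, uid: int) -> list:
    """Return the factors that no longer match; an empty list means the credential may be released."""
    failures = []
    if os.path.realpath(path) != profile.path:
        failures.append("name")
    if sha256_of(path) != profile.sha256:
        failures.append("checksum")
    if pwd.getpwuid(uid).pw_name != profile.run_as:
        failures.append("account")
    return failures


def demo() -> tuple:
    """Constructed scenario: approve a script, try it under another account, then modify it."""
    uid = os.getuid()
    me = pwd.getpwuid(uid).pw_name
    with tempfile.TemporaryDirectory() as tmp:
        script = os.path.join(tmp, "nightly_backup.sh")
        with open(script, "w") as fh:
            fh.write("#!/bin/sh\npg_dump -U @@DBUSER@@ sales\n")   # token placeholder, no credential
        profile = register(script, me)
        approved = failed_factors(profile, script, uid)              # unchanged program: []
        other = ProgramProfile(profile.path, profile.sha256, "pk-demo-other-account")
        wrong_account = failed_factors(other, script, uid)           # ["account"]
        with open(script, "a") as fh:
            fh.write("echo modified\n")                               # any edit breaks the checksum
        tampered = failed_factors(profile, script, uid)              # ["checksum"]
    return approved, wrong_account, tampered
```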
Does PowerKeeper create an audit trail?
PowerKeeper logs all actions taken through or by PowerKeeper. This includes all password operations and all user operations, as well as the internal functions of the PowerKeeper appliance. The PowerKeeper Administrator or an Auditor can view all PowerKeeper log data; other users are restricted to the log data that is relevant to their granted roles. Log data is maintained and stored on PowerKeeper for the duration of the Administrator-configured retention period. Log data can also be written to syslog and exported to external systems for long-term storage.
Does PowerKeeper retain a history of passwords?
Yes. PowerKeeper retains a history of the past passwords used for a system, and those passwords can be accessed by a PowerKeeper user that has been granted sufficient access for that account. This is helpful in situations where an old password may become active on the host, such as if a host needs to be restored from backup. The number of past passwords retained and how long the past passwords are retained is configurable by a PowerKeeper administrator.
What Reports Does PowerKeeper Generate?
PowerKeeper provides a Web-based report generator for viewing the log data. Eighteen (18) reports track user entitlements (rights) and activities; password approvals, release and usage; failed logins; and reconcile password releases with password resets. Administrator Activity Reports depict administrator activities, such as adding new users or systems and defining user permissions. There are User Reports for Requestors and Approvers, and Password Reports for stored passwords and password update status.

Users, with appropriate rights, can subscribe to reports and receive them via email on a regular basis. A report of subscriptions is available and stored reports can be browsed. The report data is exportable as a CSV file for use with external reporting tools. Reports are also available in HTML.
Does PowerKeeper provide entitlement reporting?
Yes. PowerKeeper provides entitlement reporting of all privileges that are granted to users of PowerKeeper. Authorized PowerKeeper users can subscribe to these reports or can view the report retained in history on the PowerKeeper appliance. This provides an audit trail of all access that has been granted to privileged account passwords or to files that are stored on the PowerKeeper appliance.
Will PowerKeeper help with compliance requirements?
Yes. PowerKeeper provides a secure audit trail of all privileged access granted in your organization, and of who approved the access, if applicable. Most regulatory compliance regimes require that a company prove that its systems containing sensitive data are secure, and that any high-privilege access is allowed only for appropriate business reasons. PowerKeeper enables organizations to support separation of duties (SOD) and the principle of least privilege.

PowerKeeper provides a secure, process-based methodology for securing privileged access to the hosts, applications, and databases containing sensitive data. When requests are made to access privileged account passwords, requestors must state a valid business reason and may optionally reference a ticket or change management number. Depending on the level of security required, managed accounts and files may be set to auto-approve, or may be configured to require a manager's approval for the release of the password. If the request is approved, the requestor is issued the account password and can log in and do their work. After they check in the password, or when the check-out time limit expires, PowerKeeper can rotate the password to a new value, preventing any further access.

Similarly, passwords used to access privileged accounts by applications and scripts can be managed by PowerKeeper. Instead of embedding the password in the application, script or an associated configuration file, the password is securely maintained in the PowerKeeper appliance. When an application or script needs the password to connect to a data source, it requests the current password from the PowerKeeper appliance. Using PowerKeeper's certificates and program factors, the identity of the application or script and the environment it is running in are verified by PowerKeeper before the password is released. This prevents an unapproved application or script from being used to capture the privileged account password.

Every step in the process for both users and application/scripts is logged and can be reported on by the PowerKeeper appliance. There is a special audit role in PowerKeeper that will allow an auditor to review all this history, but not perform any actions. The auditor will be able to verify that there are proper controls in place to limit access to the systems without any risk to the integrity of the PowerKeeper appliance, the managed systems or the log data.
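The user check-out process this answer describes (mandatory business reason, optional ticket, auto-approve versus manager approval, rotation on check-in or expiry, every step logged), modelled as an added example; this is not PowerKeeper's code, and the class and method names, the policy flags, the log line format and the sample accounts are assumptions.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class ManagedAccount:
    name: str
    auto_approve: bool               # release at once, or require a manager's approval
    checkout_limit: int              # check-out time limit, in seconds
    password: str = field(default_factory=lambda: secrets.token_urlsafe(15))  # strong random value
    holder: "str | None" = None      # user who currently holds the password
    expires_at: "int | None" = None


class Vault:
    def __init__(self, accounts):
        self.accounts = {a.name: a for a in accounts}
        self.pending = {}            # request id -> (account, requester)
        self.log = []                # every step is recorded here (audit trail)

    def request(self, user, account, reason, now, ticket=None):
        """Return ("released", password) or ("pending", request_id); a reason is mandatory."""
        if not reason.strip():
            raise ValueError("a business reason is required")
        self.log.append(f"{now} REQUEST {user} {account} reason={reason!r} ticket={ticket}")
        acct = self.accounts[account]
        if acct.auto_approve:
            return "released", self._release(acct, user, now)
        rid = len(self.log)          # unique: the log only grows
        self.pending[rid] = (account, user)
        return "pending", rid

    def approve(self, rid, approver, now):
        """A manager releases a pending request; separation of duties forbids self-approval."""
        account, user = self.pending[rid]
        if approver == user:
            raise PermissionError("requester cannot approve their own request")
        del self.pending[rid]
        self.log.append(f"{now} APPROVE {approver} request={rid}")
        return self._release(self.accounts[account], user, now)

    def _release(self, acct, user, now):
        acct.holder, acct.expires_at = user, now + acct.checkout_limit
        self.log.append(f"{now} RELEASE {user} {acct.name} until={acct.expires_at}")
        return acct.password

    def checkin(self, user, account, now):
        acct = self.accounts[account]
        if acct.holder != user:
            raise PermissionError(f"{user} does not hold {account}")
        self._rotate(acct, now, "CHECKIN")

    def expire(self, now):
        """Rotate every checked-out password whose time limit has passed."""
        for acct in self.accounts.values():
            if acct.holder is not None and acct.expires_at <= now:
                self._rotate(acct, now, "EXPIRE")

    def _rotate(self, acct, now, event):
        self.log.append(f"{now} {event} {acct.holder} {acct.name}; password rotated")
        acct.holder, acct.expires_at, acct.password = None, None, secrets.token_urlsafe(15)
```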
Does PowerKeeper Support one- and two-factor authentication?
Yes. PowerKeeper supports one- or two-factor authentication using PowerKeeper's internal database, Active Directory, LDAP directories, SecurID, SafeWord and X.509v3 certificates on smart cards.
What types of systems, databases and network devices are supported?
PowerKeeper can manage account passwords for any operating system, database or device. PowerKeeper supports two modes of management, Automated Password Management (APM) and Manual Password Management (MPM). On platforms supported for APM, all aspects of password generation and management are automated, following configurable rules set by the Administrator or security officer. The current list of systems supported for Automated Password Management is available at http://www.symark.com/products/pkoverview.html.

For other systems, or systems where Automated Password Management may not be feasible, PowerKeeper's MPM will track when password changes are necessary and notify the account administrator when a password change is suggested. PowerKeeper will then generate a strong account password for the administrator to use and prompt for confirmation that the password was successfully changed.
Why does PowerKeeper use HP hardware, and why is that important?
PowerKeeper uses HP ProLiant DL360 G5 hardware to provide the most reliable privileged account access management appliance on the market today. There are several reasons for this. First, the known quality of HP hardware provides assurance that the PowerKeeper appliance is the most reliable solution available. Second, the redundancy features in the HP ProLiant DL360 G5 server provide protection against downtime. The PowerKeeper appliance ships with redundant hot-swap drives, fans and power supplies. Options include hot-bank memory and a redundant CPU.

Finally, the PowerKeeper hardware is backed by on-site support by HP. If there is a hardware failure, an HP technician will be dispatched to your site and will replace the failed hardware. You will not need to ship the device back to Symark. Combined with the other high-availability and redundancy features available in PowerKeeper, Symark provides the most reliable hardware platform for privileged account access management available in the marketplace today.
How many devices can be managed by PowerKeeper?
PowerKeeper is extremely scalable. Utilizing high-performance HP hardware and a proper design and deployment plan, PowerKeeper appliances can support a virtually unlimited number of managed devices within an enterprise.
Does PowerKeeper support redundancy and high-availability?
PowerKeeper supports several layers of fault tolerance to maximize uptime. First, the PowerKeeper Performance Monitor continuously checks the internal Agents of the PowerKeeper unit. If an Agent fails, it is automatically restarted and an SNMP trap (if configured) can be sent to alert administrators.

Secondly, PowerKeeper supports a high-availability (HA) pairing of two PowerKeeper units as a primary and a replica server. When configured in an HA configuration, the primary PowerKeeper unit sends all data changes to the replica unit. The replica unit continually monitors the status of the primary unit and automatically promotes itself to primary if the primary is unavailable for a customer-defined interval. Failover can also be triggered manually if a unit needs to be taken off-line temporarily.

Thirdly, the PowerKeeper unit can be configured to automatically write out encrypted backups to a remote machine. If there is a complete failure of both PowerKeeper units (or of a single PowerKeeper unit when not in an HA pair), all PowerKeeper data can be restored to a cold spare PowerKeeper appliance. Finally, the PowerKeeper appliance is delivered on an HP ProLiant DL360 G5 server and includes redundant mirrored drives, hot-swap power supplies and hot-swap fans. This HP hardware is supported on-site by HP Services. Should a hardware component of the PowerKeeper appliance fail while the customer is current on PowerKeeper ESS support, an HP service technician will come to the customer's site to replace the failed hardware at no cost to the customer.


© 1985-2008 Symark International, Inc. All rights reserved.