Overview
Credential Vaulting is the core capability of any PAM program. It involves removing privileged credentials (passwords, SSH keys, API tokens) from spreadsheets, sticky notes, and local admin groups, and placing them in a secure, encrypted digital vault.
The vault acts as a gatekeeper: when an admin needs to access a server, they must authenticate to the vault to "check out" the password or have the vault inject it directly into the session. This ensures that only authorized users can use the credentials and that every use is logged.
Architecture
Reference Pattern: The Central Vault
The vault sits in a secure zone, managing secrets for targets in various environments (On-Prem, Cloud, DMZ).
Diagram
Key Decisions
| Decision | Options | Recommendation | Notes / Gotchas |
|---|---|---|---|
| Storage Architecture | Centralized, Distributed | Centralized w/ Satellites | One logical vault, but satellite nodes for local performance/survivability. |
| Encryption | Software Keys, HSM | HSM (Hardware Security Module) | For high-security environments, the master key must live in hardware. |
| Access Method | Show Password, Injection Only | Injection Only | If a user sees the password, they can write it down. Injection prevents this. |
| Rotation Policy | 90 Days, After Use, Never | After Use (OTP) | "One-Time Passwords" eliminate the risk of pass-the-hash or reused credentials. |
| Availability | Active-Passive, Active-Active | Active-Active | If the vault is down, NOBODY can administer the servers. High Availability is non-negotiable. |
Implementation
Phase 1: The "Break Glass" & Domain Admin Accounts
- Vault the "Domain Admin" and "Enterprise Admin" accounts.
- Vault the local "Administrator" account on all servers (using LAPS or PAM).
- Goal: Secure the "Keys to the Kingdom."
Phase 2: Infrastructure & Database
- Onboard root accounts for Linux/Unix.
- Onboard "sa" (System Admin) accounts for SQL/Oracle databases.
- Connect the vault to the Session Manager for injection.
- Goal: Remove direct knowledge of infrastructure passwords.
Phase 3: Application & DevOps
- Replace hardcoded passwords in scripts with Vault API calls.
- Onboard CI/CD pipeline secrets (Jenkins, Ansible).
- Goal: Secure the automated supply chain.
Risks
- The "Vault Down" Scenario: If the vault is unreachable, how do you fix the server? (Answer: Break-glass procedures).
- Vault Admin Compromise: If the Vault Admin is compromised, the attacker has everything. Protect the Vault Admin with extreme paranoia.
- Adoption Friction: Admins hate check-out workflows. If it's too slow, they will find workarounds (like creating backdoor accounts).
KPIs
- Vault Usage: Percentage of discovered privileged accounts currently stored in the vault (Target: >95%).
- Rotation Success Rate: Percentage of scheduled password rotations that completed successfully.
- Access Without Checkout: Alerts triggered by direct logins to target systems (bypassing the vault).
- Secrets Sprawl: Number of hardcoded credentials detected in code or scripts.
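The "Access Without Checkout" KPI above can be computed by correlating target-system login events with the vault's checkout audit trail; the script below is an added example (not part of the original page) that does this over constructed sample log lines, with an assumed key=value log format and an assumed one-hour checkout validity window.

```python
"""Added example: flag privileged logins that have no covering vault checkout.

A login is 'covered' when the vault audit trail shows a checkout for the
same account on the same target, issued before the login and still within
the checkout validity window.  Anything else is a vault bypass alert.
Log formats and values below are constructed for this example.
"""
from datetime import datetime, timedelta

# Constructed sample data (assumed formats, not real vault or syslog output).
VAULT_CHECKOUTS = [
    "2024-05-01T09:00:00 user=alice account=root target=db01 action=checkout",
    "2024-05-01T09:30:00 user=bob account=Administrator target=web02 action=checkout",
]
TARGET_LOGINS = [
    "2024-05-01T09:05:00 host=db01 account=root src=10.0.1.15 result=success",
    "2024-05-01T11:45:00 host=web02 account=Administrator src=10.0.1.22 result=success",
    "2024-05-01T12:10:00 host=db01 account=root src=10.0.9.9 result=success",
]
CHECKOUT_WINDOW = timedelta(hours=1)  # assumed validity of a checkout


def parse_kv(line):
    """Parse 'timestamp key=value ...' into a dict; 'ts' becomes a datetime."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def logins_without_checkout(logins, checkouts, window=CHECKOUT_WINDOW):
    """Return successful login records that no vault checkout covers."""
    cos = [parse_kv(c) for c in checkouts if "action=checkout" in c]
    flagged = []
    for line in logins:
        lg = parse_kv(line)
        if lg.get("result") != "success":
            continue  # failed logins are a different detection
        covered = any(
            c["account"] == lg["account"] and c["target"] == lg["host"]
            and c["ts"] <= lg["ts"] <= c["ts"] + window
            for c in cos
        )
        if not covered:
            flagged.append(lg)
    return flagged


if __name__ == "__main__":
    for hit in logins_without_checkout(TARGET_LOGINS, VAULT_CHECKOUTS):
        print(f"ALERT vault bypass: {hit['account']}@{hit['host']} "
              f"at {hit['ts']} from {hit['src']}")
```

In the sample data the 09:05 root login on db01 is covered by alice's 09:00 checkout, while the 11:45 login on web02 (checkout expired) and the 12:10 login on db01 (no checkout at all) are both flagged.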
