Simplified, Zero-Trust Privileged Access Management

By Community Team

In their mission to protect the infrastructure of an organization, Information Technology (IT) professionals have a lot to keep track of: human and machine identities, privileged systems and source code. As organizations move from on-premises infrastructure to the cloud, managing these components becomes more complex, and a place to securely store credentials becomes vital.

What tends to be even more challenging lies in the solution itself, with many traditional Privileged Access Management (PAM) products being overly difficult to use, and too expensive to deploy and maintain.

In 2023, Keeper Security surveyed 400 IT and security executives and found that the overwhelming majority considered their current PAM solution too complex, with many additional components that are unused or only partially deployed.

This is where Keeper comes in.

Zane Bond
Head of Product Management at Keeper Security

Keeper’s next-gen PAM platform addresses the key pain points and requirements in organizations to prevent data breaches with just the features they need. Backed by zero-trust and zero-knowledge security, KeeperPAM seamlessly and quickly integrates with your existing IAM stack, combining enterprise-grade password, secrets and privileged connection management, in one unified platform.

Below is a Q&A session with Zane Bond, Head of Product Management at Keeper Security. Responsible for driving product strategy while building the product roadmap for Keeper’s portfolio, Zane has over 12 years of experience managing cybersecurity solutions across many disciplines, including endpoint security, privileged access management and secrets management.

What does Keeper Security do?

We consider ourselves to be a next-gen PAM solution for perimeterless and multi-cloud IT environments.

Cybersecurity starts with protecting passwords, credentials and secrets. Protecting these and preventing data breaches is what Keeper does.

Who uses your products?

Quite literally millions of people. We have a consumer app, but on the business-to-business side, we work with organizations of every size, from a one-person shop all the way up to the federal government.

What makes Keeper different in the Privileged Access Management landscape?

Some of the things that really make us stand out are that we’re cost-effective and easy to deploy. Many PAM solutions are so complex that even after 12 months, they are only partially protected or deployed.

Both zero knowledge and zero trust are at the core of what we do; our security and encryption model ensures data privacy, and our cloud-based solution ensures it’s easy to deploy and maintain.

Our next-gen PAM has the features you need, without all the bloat that many other solutions consider acceptable. Professional services should not be required to update software.

It’s a much more user-friendly deployment without sacrificing on the security.

You mentioned “easy to deploy”, what do you mean by that?

Unlike traditional solutions on the market, you don’t have to install and maintain web servers, databases, containers, agents, SSL certificates, and more, just to get started.

Our solutions are also very intuitive with a unified admin console and modern User Interface (UI) for every employee, on all device types.

Our extensive experience in the consumer space has helped provide organizations with tools that are designed to only be used by your privileged users.

What makes you “cost effective”?

Keeper started in the consumer space, ensuring that every part of the platform is easy to use and understand, and is priced appropriately.

Our all-in-one platform means an organization needs to purchase fewer products, which makes it easier for IT to implement, manage and maintain.

Additionally, our pricing is simple and straightforward, with no implementation fees.

How do people know Keeper is secure?

Here at Keeper, we pride ourselves on being extremely open about our security and encryption model.

We also have a host of industry certifications, such as SOC 2 Type 2, ISO 27001, FedRAMP, FIPS 140-2 and more.

Probably the most important part of our security model is our true zero-knowledge approach. Users have control of their data, and even an admin cannot view all the passwords without sharing or configuration changes.

The Keeper user is the only person who has full control over the encryption and decryption of their data.

How is the data encrypted?

Keeper is built with a multi-layered encryption system based on client-generated encryption keys. 256-bit AES record-level keys and folder-level keys are generated on the client device which encrypt each individual vault record.

All contents of the vault are encrypted, including logins, file attachments, TOTP codes, payment information, URLs and custom fields.

And how does this work for users who log in with SSO or passwordless technology?

In this case, Elliptic Curve Cryptography (ECC) is used to encrypt and decrypt data at the device level.

A local ECC-256 private key is used to decrypt the data key. After the data key is decrypted, it is used to unwrap the individual record keys and folder keys. The record key then decrypts each of the stored record contents.

The encrypted data key is transmitted between the user’s devices through a push system or key exchange service we call device approval, which is managed by the customer to preserve zero knowledge.
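The key hierarchy described in the two answers above (client-generated AES-256 record keys and folder keys, a data key that unwraps them, and a device-held ECC-256 private key that unwraps the data key) is easiest to see as code. The following is an added illustrative model written for this page; it is not Keeper’s implementation and makes its own assumptions: the data key is encrypted to the device’s P-256 public key with an ephemeral ECDH agreement whose shared secret is hashed with SHA-256 to form an AES-GCM wrapping key (a stand-in for a proper KDF), folder keys are omitted, and the record contents are constructed samples. What the model does show is the zero-knowledge property the answer claims: the server-side `Vault` holds only ciphertext, a second device’s key cannot open it, and tampering with a record fails authentication.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Record is one vault entry: its own AES-256 key wrapped under the data key, plus its contents encrypted under that record key.
type Record struct{ WrappedKey, Ciphertext []byte }
// Vault is what the server stores: ciphertext only, so the server opens nothing.
type Vault struct {
	WrappedDataKey []byte // data key wrapped to the device's ECC public key
	Records        []Record
}

// must panics on errors that cannot occur with fixed-size keys and a working CSPRNG.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func randomBytes(n int) []byte { b := make([]byte, n); must(rand.Read(b)); return b }
func aesGCM(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
// seal encrypts with AES-256-GCM and prefixes the random 12-byte nonce.
func seal(key, plaintext []byte) []byte {
	aead := aesGCM(key)
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a wrong key or tampered ciphertext fails authentication.
func open(key, sealed []byte) ([]byte, error) {
	aead := aesGCM(key)
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], nil)
}

const p256PointLen = 65 // uncompressed P-256 point, as PublicKey.Bytes() emits
// wrapToDevice encrypts the data key to the device's P-256 public key: ephemeral
// ECDH, SHA-256 of the shared secret as the wrapping key (assumption: stand-in for
// a real KDF such as HKDF), then an AES-GCM wrap. Output: ephemeral point || sealed key.
func wrapToDevice(devPub *ecdh.PublicKey, dataKey []byte) []byte {
	eph := must(ecdh.P256().GenerateKey(rand.Reader))
	wrapKey := sha256.Sum256(must(eph.ECDH(devPub)))
	return append(eph.PublicKey().Bytes(), seal(wrapKey[:], dataKey)...)
}

// unwrapOnDevice needs the device's private key: the one step no server can do.
func unwrapOnDevice(devPriv *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < p256PointLen {
		return nil, errors.New("wrapped data key too short")
	}
	ephPub, err := ecdh.P256().NewPublicKey(blob[:p256PointLen]) // rejects off-curve points
	if err != nil {
		return nil, err
	}
	wrapKey := sha256.Sum256(must(devPriv.ECDH(ephPub))) // same curve: cannot fail
	return open(wrapKey[:], blob[p256PointLen:])
}

// BuildVault is the client side: a fresh record key per entry, each wrapped under one data key, and that data key wrapped to the device key before upload.
func BuildVault(devPub *ecdh.PublicKey, contents [][]byte) *Vault {
	dataKey := randomBytes(32)
	v := &Vault{WrappedDataKey: wrapToDevice(devPub, dataKey)}
	for _, plain := range contents {
		recKey := randomBytes(32)
		v.Records = append(v.Records, Record{seal(dataKey, recKey), seal(recKey, plain)})
	}
	return v
}

// OpenVault is the chain from the answer above: device private key -> data key -> record keys -> record contents. Any other device's key fails at step one.
func OpenVault(devPriv *ecdh.PrivateKey, v *Vault) ([][]byte, error) {
	dataKey, err := unwrapOnDevice(devPriv, v.WrappedDataKey)
	if err != nil {
		return nil, err
	}
	out := make([][]byte, 0, len(v.Records))
	for _, r := range v.Records {
		recKey, err := open(dataKey, r.WrappedKey)
		if err != nil {
			return nil, err
		}
		plain, err := open(recKey, r.Ciphertext)
		if err != nil {
			return nil, err
		}
		out = append(out, plain)
	}
	return out, nil
}
```

To approve a second device, the client that already holds the plaintext data key would call `wrapToDevice` again with the new device’s public key and publish that blob; the server relays it but, lacking any private key, still cannot recover the data key. That is the shape of the “device approval” exchange the answer describes, modelled here under the assumptions stated above.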

Where is the data hosted?

We use Amazon AWS with data centers in North America, Europe, US GovCloud (which is FedRAMP Moderate ATO), Australia and Japan.

Does Keeper have an active threat-monitoring tool to look for password attacks or other external threats?

We have BreachWatch, a dark web monitoring tool that constantly scans employees’ Keeper Vaults for passwords that have been exposed on the dark web and immediately alerts you to take action and protect your organization.

Our ARAM module allows admins to understand behaviors of users without exposing sensitive information.

Would a company need Keeper if they already use a SSO solution?

SSO is great, but thousands of enterprise applications aren’t covered by SSO. Using SSO with SAML applications by itself has major functional and security gaps.

Keeper easily solves this problem since we integrate with every major SSO provider.

Does Keeper integrate with YubiKey?

Yes. We allow many second factors to be used when logging into your account.

Does Keeper allow password rotation?

Yes, as our newest feature, password rotation enables organizations to easily update users’ privileged credentials on an automated schedule through our centralized PAM platform.

What happens to a vault if an employee leaves the organization?

With Keeper, there is an account transfer feature that allows users’ vaults to be transferred to somebody else within the organization. For that to happen, the admin would send a request, which the user would need to accept.

What are Keeper’s capabilities when it comes to user provisioning?

There are multiple ways of provisioning users: manually, CSV file, Active Directory, SSO, SCIM, email auto-provisioning or command-line provisioning.

How can someone get in touch with Keeper?

You can contact us for any questions or schedule a demo with one of our sales engineers. We’ll be happy to help.
