Discovery

Discover machines, databases, accounts and services across your on-prem and cloud infrastructure

What is Keeper Discovery?

Keeper Discovery empowers DevOps, IT Security, and software development teams with complete visibility into all privileged accounts and IT assets within your organization. Through the Keeper Gateway, Keeper Discovery can identify assets across your infrastructure in the following target configurations:

  • Local Environment

  • AWS

  • Azure

Why use Keeper Discovery?

Organizations often struggle with maintaining visibility over privileged accounts and IT assets across increasingly complex infrastructures, including on-premises environments and multi-cloud setups. This lack of visibility can lead to unmanaged accounts, misconfigurations, and potential security vulnerabilities.

Keeper Discovery solves these challenges by:

  • Providing Centralized Visibility: Automatically discovering and cataloging privileged accounts and IT assets across local environments, AWS, and Azure.

  • Strengthening Security Posture: Identifying unmanaged accounts, misconfigurations, and security risks to proactively address vulnerabilities.

  • Streamlining Discovery: Simplifying the process of asset discovery using the Keeper Gateway, enabling seamless integration into your infrastructure.

  • Empowering Teams: Equipping DevOps, IT Security, and software development teams with actionable insights to manage and secure accounts and assets effectively.

  • Enhancing Compliance: Ensuring an accurate inventory of privileged accounts and assets for audit and reporting, helping meet regulatory requirements.

Encryption and Security Model

Keeper Discovery operates on a zero-knowledge model, ensuring that neither Keeper's infrastructure nor its employees can view, access, or decrypt any discovered assets. All discovery tasks are executed by the Keeper Gateway within the customer's environment. The gateway encrypts findings and securely exchanges data with the Keeper Vault and privileged users via the Keeper Secrets Manager APIs.

Features of Keeper Discovery

Keeper Discovery is part of the Zero-Trust KeeperPAM Platform. It provides the following features:

  • Create a discovery job to scan assets through any Keeper Gateway

  • View the status of running discovery jobs

  • Kill discovery jobs

  • Automatically apply rules to either Add, Ignore or Prompt for saving a record

  • Rules are constructed through a customizable Rules Engine

  • Found resources can be added to a specified Shared Folder

Methodology

Keeper's Discovery system first performs a scan of resources, based on the Keeper Gateway capabilities and the defined PAM Configuration.

After locating resources, a rules engine converts the findings into Keeper records and adds those resources to Shared Folders. The types of Keeper Records that can be created are:

Once resources are discovered, the interactive discovery process enables users to link administrative credentials, such as username/password combinations or SSH keys, to the identified resources. After the initial discovery and credential association, users can initiate a deeper discovery to identify local users and services within each target resource.

Keeper's encrypted data storage model organizes these associations—environments, Gateways, Resources, Accounts, and Services—into a Graph structure. This PAM Graph represents the environment as a hierarchical set of parent-child relationships, allowing KeeperPAM to map and visualize the environment effectively.

How to use Discovery

Discovery can be managed through the Keeper Commander CLI and the Vault UI.

The next section covers the basics of performing discovery with KeeperPAM.
