Architecture Diagram

Keeper Password Rotation architecture diagram and data flow

The KeeperPAM infrastructure and security model ensures zero-knowledge encryption between the end-user's device and the target infrastructure. Keeper's servers have no ability to decrypt or intercept the underlying sessions.

Keeper is designed for high availability, scalability, secure authorization, and robust disaster recovery. Hosted on Amazon Web Services (AWS), Keeper’s backend infrastructure is multi-region and multi-zone, ensuring redundancy across geographic locations. All core services are designed with high availability (HA) in mind, leveraging AWS best practices for fault tolerance and reliability. The system scales automatically to accommodate increased demand without compromising performance. Keeper's infrastructure supports millions of active users and devices.

On the customer side, the Keeper vault is deployed to users for all PAM access. The vault communicates with the Keeper backend APIs for establishing connections to resources. Keeper's zero-knowledge APIs ensure that Keeper's backend systems do not have the ability to decrypt any stored customer data. Encryption and decryption of data is always performed locally on the device.

Keeper Secrets Manager and Keeper Gateway Devices are responsible for performing secret retrieval, credential rotation, resource discovery and privileged session proxying to the customer's local or cloud environment. These devices communicate directly with the Keeper cloud APIs for the management of state, encrypted data storage, audit event logging and session recording. Since these devices are not responsible for the management of data, Keeper's architecture allows the customer environments to scale automatically without any specific hosting requirements on the customer side.

When a customer installs a Keeper Gateway or Keeper Secrets Manager device, it is typically deployed as a Docker container. Customers can use their preferred container orchestration platform such as Kubernetes, Docker Swarm, or Amazon ECS to manage deployment, enable scaling, and provide the necessary levels of local device redundancy.

Multiple Keeper Gateways can also be assigned to the same resources and folders in the Keeper vault in order to establish physical redundancy.

Components

Keeper Gateway

The Keeper Gateway is a service which is installed into the customer's environment and communicates outbound to Keeper services. The Gateway performs the rotation, discovery and connections to assets on the network. The Gateway receives commands from the Keeper Router, then uses the Keeper Secrets Manager APIs to authenticate to the Keeper cloud, communicate with it and decrypt the data it retrieves.

Keeper Router

The Keeper Router is infrastructure in Keeper's cloud that manages connections between Keeper and the customer's Keeper Gateways. The Router provides real-time messaging and communication between the Keeper Vault, customer gateway and Keeper backend services.

Keeper Relay

The Keeper Relay is infrastructure in Keeper's cloud that is responsible for establishing encrypted WebRTC connections between the end-user vault interface and the customer-hosted Keeper Gateway service.

Keeper Backend API

Keeper's Backend API is the endpoint which all Keeper client applications communicate with. Client applications encrypt data locally and transmit encrypted ciphertext to the API in a Protocol Buffer format.

Scheduler

Keeper hosted infrastructure that manages timing and logistics around scheduled rotation of credentials across the target infrastructure.

Admin Console and Control Plane

The management console used to set and enforce policies across all Keeper components.

Client Applications

The end-user interface for managing the vault, rotating passwords, running discovery jobs, creating connections and managing tunnels.

Data Flow

  1. Keeper user performs action (rotation, connection, tunneling, discovery) from the Vault interface, Admin Console, Commander CLI or other endpoint application.

  2. The Keeper Gateway establishes an outbound WebSocket connection to the Keeper Router and receives the request to perform the action.

  3. The Vault Client application establishes a WebRTC connection to the customer's hosted Keeper Gateway.

  4. The Keeper Gateway pulls the necessary secrets from the vault using Keeper Secrets Manager APIs.

  5. The Keeper Gateway performs the action on the target infrastructure (such as rotating a credential or establishing a privileged session) and updates the relevant Keeper vault records.

  6. The Keeper Gateway runs any required privilege automation scripts on the Gateway or target machines using native protocols and APIs.

  7. Client devices securely retrieve the updated record using Keeper Secrets Manager APIs.

  8. Vault end-users interact with the target systems through a zero-trust encrypted session to the target infrastructure.

  9. The vault performs encrypted syncing to the Keeper cloud to retrieve the latest record content.

  10. Keeper's Advanced Reporting & Alerts module logs all events and triggers alerts.
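The security property the data flow above relies on is that the Keeper cloud only ever stores ciphertext produced on a client or Gateway device. The following Go program is an added illustration of that zero-knowledge pattern and is not Keeper's code: it does not model Keeper's real key hierarchy, record format or Protocol Buffer API. It assumes, for illustration only, that a record is protected by a single 256-bit AES-GCM record key that lives on the client and the Gateway but never on the backend, and it uses constructed sample secrets. The `Backend` type stands in for the Backend API (store and return opaque blobs), `ClientStore` for the vault client uploading an encrypted record, `GatewayRotate` for data-flow steps 4 and 5 (pull, decrypt, rotate, re-encrypt, update), and `ClientRead` for step 7.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Backend stands in for the Keeper Backend API in this illustration: it holds
// only ciphertext, keyed by record UID, and is never given a decryption key.
type Backend struct {
	records map[string][]byte
}

func NewBackend() *Backend {
	return &Backend{records: make(map[string][]byte)}
}

// Put stores an opaque encrypted blob for a record.
func (b *Backend) Put(uid string, blob []byte) {
	b.records[uid] = append([]byte(nil), blob...)
}

// Get returns the stored blob, or an error if the record is unknown.
func (b *Backend) Get(uid string) ([]byte, error) {
	blob, ok := b.records[uid]
	if !ok {
		return nil, errors.New("record not found")
	}
	return append([]byte(nil), blob...), nil
}

// NewRecordKey generates a fresh 256-bit record key on the client device
// (hypothetical key scheme; Keeper's actual key hierarchy is not modelled).
func NewRecordKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// Seal encrypts plaintext with AES-256-GCM and prepends the random nonce.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; it fails on a wrong key or a tampered blob.
func Open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// ClientStore models the vault client: encrypt locally, upload ciphertext only.
func ClientStore(b *Backend, uid string, key, secret []byte) error {
	blob, err := Seal(key, secret)
	if err != nil {
		return err
	}
	b.Put(uid, blob)
	return nil
}

// GatewayRotate models steps 4 and 5: pull ciphertext, decrypt with the record
// key the Gateway holds, rotate, and write the re-encrypted record back.
// The rotation on the target system itself is not modelled; the old secret
// is returned so a caller can confirm what the Gateway was able to read.
func GatewayRotate(b *Backend, uid string, key, newSecret []byte) ([]byte, error) {
	blob, err := b.Get(uid)
	if err != nil {
		return nil, err
	}
	old, err := Open(key, blob)
	if err != nil {
		return nil, fmt.Errorf("gateway cannot decrypt record %s: %w", uid, err)
	}
	rotated, err := Seal(key, newSecret)
	if err != nil {
		return nil, err
	}
	b.Put(uid, rotated)
	return old, nil
}

// ClientRead models step 7: a client retrieves and decrypts the updated record.
func ClientRead(b *Backend, uid string, key []byte) ([]byte, error) {
	blob, err := b.Get(uid)
	if err != nil {
		return nil, err
	}
	return Open(key, blob)
}

func main() {
	backend := NewBackend()
	key, _ := NewRecordKey()
	// Constructed sample secrets, not real credentials.
	_ = ClientStore(backend, "rec-1", key, []byte("old-password"))
	old, _ := GatewayRotate(backend, "rec-1", key, []byte("new-password"))
	current, _ := ClientRead(backend, "rec-1", key)
	fmt.Printf("gateway read %q, client now reads %q\n", old, current)
}
```

The point to check when reviewing any zero-knowledge design is the one the test below exercises: the bytes the backend holds never contain the plaintext, a party holding only what the backend holds cannot decrypt them, and the Gateway and client still agree on the rotated value because they share the record key out of band.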
