What is Keeper Discovery?

Keeper Discovery empowers DevOps, IT Security, and software development teams with complete visibility into all privileged accounts and IT assets within your organization. Through the Keeper Gateway, Keeper Discovery can identify assets across your infrastructure in the following target configurations:

• Local Environment

• AWS

• Azure

Why use Keeper Discovery?

Organizations often struggle with maintaining visibility over privileged accounts and IT assets across increasingly complex infrastructures, including on-premises environments and multi-cloud setups. This lack of visibility can lead to unmanaged accounts, misconfigurations, and potential security vulnerabilities.

Keeper Discovery solves these challenges by:

• Providing Centralized Visibility: Automatically discovering and cataloging privileged accounts and IT assets across local environments, AWS, and Azure.

• Strengthening Security Posture: Identifying unmanaged accounts, misconfigurations, and security risks to proactively address vulnerabilities.

• Streamlining Discovery: Simplifying the process of asset discovery using the Keeper Gateway, enabling seamless integration into your infrastructure.

• Empowering Teams: Equipping DevOps, IT Security, and software development teams with actionable insights to manage and secure accounts and assets effectively.

• Enhancing Compliance: Ensuring an accurate inventory of privileged accounts and assets for audit and reporting, helping meet regulatory requirements.

Encryption and Security Model

Keeper Discovery operates on a zero-knowledge model, ensuring that neither Keeper's infrastructure nor its employees can view, access, or decrypt any discovered assets. All discovery tasks are executed by the Keeper Gateway within the customer's environment. The gateway encrypts findings and securely exchanges data with the Keeper Vault and privileged users via the Keeper Secrets Manager APIs.

• For more information, see the Architecture section

Features of Keeper Discovery

Keeper Discovery is part of the Zero-Trust KeeperPAM Platform. Keeper Discovery has the following features:

• Create a discovery job to scan assets through any Keeper Gateway

• View the status of running discovery jobs

• Kill discovery jobs

• Automatically apply rules to either Add, Ignore or Prompt for saving a record

• Rules are constructed through a customizable Rules Engine

• Found resources can be added to a specified Shared Folder

Methodology

Keeper's Discovery system first performs a scan of resources, based on the Keeper Gateway capabilities and the defined PAM Configuration.

After locating resources, a rules engine converts the findings into Keeper records and adds those resources to Shared Folders. The types of Keeper Records that can be created are:

• PAM Machines

• PAM Databases

• PAM Directories

• PAM Users

Once resources are discovered, the interactive discovery process enables users to link administrative credentials, such as username/password combinations or SSH keys, to the identified resources. After the initial discovery and credential association, users can initiate a deeper discovery to identify local users and services within each target resource.

Keeper's encrypted data storage model organizes these associations—environments, Gateways, Resources, Accounts, and Services—into a Graph structure. This PAM Graph represents the environment as a hierarchical set of parent-child relationships, allowing KeeperPAM to map and visualize the environment effectively.

How to use Discovery

Discovery can be managed through the Keeper Commander CLI and soon through the Vault UI.

• Discovery using Commander

• Discovery using the Vault

The next section demonstrates how to use Keeper Commander for performing discovery.

Overview

In this guide, you will learn how to discover resources within your target infrastructure using Discovery with Keeper Commander.

Prerequisites

Prior to using Discovery on Commander, make sure to have the following:

• An active license of KeeperPAM

• Activate Enforcement Policies on the Admin Console to enable discovery

• Deploy a Keeper Gateway using the latest version

• Install the latest Keeper Commander version supporting pam action discover

Discovery Enforcement Policies

On the Admin Console, the following Enforcement Policies affect the user's ability to run Discovery jobs:

ALLOW_PAM_DISCOVERY

Discovery can also be enabled on the Keeper Commander CLI using the enterprise-role command:

enterprise-role "My Role" --enforcement "ALLOW_PAM_DISCOVERY":true

Installing the Keeper Gateway

The Keeper Gateway is a service that is installed on the customer's network to enabled zero-trust access to target infrastructure. Typically this service is installed on a Linux or Docker environment in each of the networks under management.

Populating PAM User records

Before running a Discovery job, it is recommended to create PAM User records for any administrative credentials you expect to use. Save these credentials as PAM User record types within the Shared Folder that is associated with your Application and Keeper Gateway.

PAM Configuration

To get started with Discovery, you need a PAM Configuration set up for your target infrastructure. The PAM Configuration directs the discovery process where to locate resources.

Network Discovery

Local network discovery utilize a CIDR for scanning. In order for discovery to locate a resource, it must be listening on the required port. Below is the PAM Configuration data required for a successful discovery.

AWS Discovery

AWS discovery makes use of whatever AWS Role Policies have been granted to the Keeper Gateway in order to discover resources. The PAM Configuration filters against the provided region names to limit the findings.

In order for the Keeper Gateway to discover an AWS resource, it must be able to communicate to the target over standard ports (e.g. port 22 for SSH, 3389 for RDP, etc). If a non-standard port is being used, this needs to be specified in the PAM Configuration. Discovery will only add the resources to the Keeper vault if it can successfully communicate over the port. Adjust your security groups as necessary to allow this.

Below is the PAM Configuration data required for a successful discovery.

Azure Discovery

Azure discovery makes use of whatever permissions have been granted to the role assigned to the Keeper Gateway in order to discover resources. The PAM Configuration filters against the provided region names to limit the findings.

In order for the Keeper Gateway to discover an Azure resource, it must be able to communicate to the target over standard ports (e.g. port 22 for SSH, 3389 for RDP, etc). If a non-standard port is being used, this needs to be specified in the PAM Configuration. Discovery will only add the resources to the Keeper vault if it can successfully communicate over the port. Adjust your Network Security Groups as necessary to allow this.

Below is the PAM Configuration data required for a successful discovery.

Discovery Action

Once you have finished meeting all the requirements in the Prerequisites section, login to Keeper Commander to run discovery.

$ keeper shell

List the Gateways

Run the command pam gateway list or pam g l command to list all gateways

My Vault> pam gateway list
KSM Application Name (UID) Gateway Name    Gateway UID             Status
-------------------------------------------------------------------------
AWS Rotation               Canada AWS      ce_Gg4jGS2a1ywiMo61Sow  ONLINE
Azure AD                   Azure useast1   j-xC9HwOQEKCfVsdyfdeLg  ONLINE
KeeperPAM US-WEST-1        US-WEST-1       QPkRsR8KQmf_4vnHTcofZA  ONLINE
Windows Domain             lureydemo.local rB8bR3drQrqPErKDzbKl9g  ONLINE

My Vault>

The Gateway UID is required to start the discovery process.

Start Discovery Job

Run the pam action discover start command to start a discovery job. The Gateway UID must be provided with the -g option.

pam action discover start -g QPkRsR8KQmf_4vnHTcofZA

View Status of Discovery Job

View the status of the active discovery job by with pam action discover status

My Vault> pam action discover status

Job ID         Gateway Name    Gateway UID            Status
============== =============== ====================== ============
JOBGQyK8PQYlhc KeeperPAM GW1   QPkRsR8KQmf_4vnHTcofZA COMPLETE

There is one COMPLETED job. To process, use the following command.
  pam action discover process -j JOBsR5G0VQBVV0

After a discovery job is complete, the detailes status information can be viewed by running:

pam action discover status -j JOBsR5G0VQBVV0

Proceed to the next step once the Discovery job's status is COMPLETE. Depending on how big your environment is, this may take a few minutes.

Process the Discovery Results

Once the discovery job is completed, you can process the findings with the provided Job ID.

pam action discover process -j JOBsR5G0VQBVV0

An interactive CLI session will start where you will be shown information on discovered assets and will be able to provision them as PAM Record types in your vault.

My Vault> pam action discover process -j JOBsR5G0VQBVV0

AWS EC2, us-west-1, Gateway3 - RHEL8, 10.0.0.139
Record Title: Aws AWS-US-WEST-1, EC2 us-west-1 Gateway3 - RHEL8
  Label: pamHostname, Type: pamHostname, Value: Hostname: 10.0.0.139, Port: 22
  Label: operatingSystem, Type: text, Value: linux
  Label: sslVerification, Type: checkbox, Value: False
  Label: instanceName, Type: text, Value: Gateway3 - RHEL8
  Label: instanceId, Type: text, Value: i-0319d6e8703875706
  Label: providerGroup, Type: text, Value: None
  Label: providerRegion, Type: text, Value: us-west-1
[2/2] (E)dit, (A)dd to Resources, Add to (F)older, (S)kip, (I)gnore, (Q)uit> A
Adding record to save queue.

During the Discovery process, you may be prompted to provide a PAM User record or create one on the fly to associate administrative credentials with the target resource.

Once the initial process is complete and administrative credentials have been supplied, you can run another Discovery job. This subsequent job leverages the provided credentials to delve deeper into the target resources, identifying local user accounts, services, and scheduled tasks.

Services and Scheduled Tasks

When discovery is performed on a Windows machine, Keeper will automatically determine if a PAM User should be directly associated with any running services or scheduled tasks. When rotation is performed on any user accounts, Keeper will then update the Windows service account "log on as" credentials for any Windows services running as the PAM User, and restart the service. Keeper will also update the credential of any scheduled task running as that user on the target machine.

To learn more and set up this capability, see the Service Management page.

Activating PAM Features

After a Discovery process has been completed, you can edit the vault records to activate advanced features such as Rotation, Connections, and Tunnels.

Exploring Commander Capabilities

Keeper Commander provides many advanced capabilities for managing gateways, configurations, rotations and discovery. See the KeeperPAM Commands for a list of all available options.