
Discovery

Discover machines, databases, accounts and services across your on-prem and cloud infrastructure

What is Keeper Discovery?

Keeper Discovery empowers DevOps, IT Security, and software development teams with complete visibility into all privileged accounts and IT assets within your organization. Through the Keeper Gateway, Keeper Discovery can identify assets across your infrastructure in the following target configurations:

  • Local Environment

  • AWS

  • Azure

Why use Keeper Discovery?

Organizations often struggle with maintaining visibility over privileged accounts and IT assets across increasingly complex infrastructures, including on-premises environments and multi-cloud setups. This lack of visibility can lead to unmanaged accounts, misconfigurations, and potential security vulnerabilities.

Keeper Discovery solves these challenges by:

  • Providing Centralized Visibility: Automatically discovering and cataloging privileged accounts and IT assets across local environments, AWS, and Azure.

  • Strengthening Security Posture: Identifying unmanaged accounts, misconfigurations, and security risks to proactively address vulnerabilities.

  • Streamlining Discovery: Simplifying the process of asset discovery using the Keeper Gateway, enabling seamless integration into your infrastructure.

  • Empowering Teams: Equipping DevOps, IT Security, and software development teams with actionable insights to manage and secure accounts and assets effectively.

  • Enhancing Compliance: Ensuring an accurate inventory of privileged accounts and assets for audit and reporting, helping meet regulatory requirements.

Encryption and Security Model

Keeper Discovery operates on a zero-knowledge model, ensuring that neither Keeper's infrastructure nor its employees can view, access, or decrypt any discovered assets. All discovery tasks are executed by the Keeper Gateway within the customer's environment. The gateway encrypts findings and securely exchanges data with the Keeper Vault and privileged users via the Keeper Secrets Manager APIs.

  • For more information, see the Architecture section

Features of Keeper Discovery

Keeper Discovery is part of the Zero-Trust KeeperPAM Platform. Keeper Discovery has the following features:

  • Create a discovery job to scan assets through any Keeper Gateway

  • View the status of running discovery jobs

  • Kill discovery jobs

  • Automatically apply rules to either Add, Ignore or Prompt for saving a record

  • Rules are constructed through a customizable Rules Engine

  • Found resources can be added to a specified Shared Folder

Methodology

Keeper's Discovery system first performs a scan of resources, based on the Keeper Gateway capabilities and the defined PAM Configuration.

After locating resources, a rules engine converts the findings into Keeper records and adds those resources to Shared Folders. The types of Keeper Records that can be created are:

  • PAM Machines

  • PAM Databases

  • PAM Directories

  • PAM Users

Once resources are discovered, the interactive discovery process enables users to link administrative credentials, such as username/password combinations or SSH keys, to the identified resources. After the initial discovery and credential association, users can initiate a deeper discovery to identify local users and services within each target resource.

Keeper's encrypted data storage model organizes these associations—environments, Gateways, Resources, Accounts, and Services—into a Graph structure. This PAM Graph represents the environment as a hierarchical set of parent-child relationships, allowing KeeperPAM to map and visualize the environment effectively.

How to use Discovery

Discovery can be managed through the Keeper Commander CLI and the Vault UI.

  • Discovery Basics

  • Discovery using Commander

  • Discovery using the Vault

The next section covers the basics on performing discovery with KeeperPAM.

Discovery Basics

Setting up KeeperPAM for Discovery

Overview

In this guide, you will learn how to discover resources within your target infrastructure using Discovery.

Prerequisites

Prior to using Discovery, make sure to have the following:

  • An active license of KeeperPAM

  • Activate Enforcement Policies on the Admin Console to enable discovery

  • Deploy a Keeper Gateway using the latest version

Discovery Enforcement Policies

On the Admin Console, the following Enforcement Policies affect the user's ability to run Discovery jobs.

Enable Discovery Policy

Enforcement Policy   Policy Key            Definition
Can run discovery    ALLOW_PAM_DISCOVERY   Allow users to run discovery jobs

Discovery can also be enabled on the Keeper Commander CLI using the enterprise-role command:

enterprise-role "My Role" --enforcement "ALLOW_PAM_DISCOVERY":true

Installing the Keeper Gateway

The Keeper Gateway is a service that is installed on the customer's network to enable zero-trust access to target infrastructure. This service is installed in a Docker, Linux or Windows environment in each of the networks under management.

Populating PAM User records

Before running a Discovery job, it is recommended to create PAM User records for any administrative credentials you expect to use. Save these credentials as PAM User record types within the Shared Folder that is associated with your Application and Keeper Gateway.

PAM Configuration

To get started with Discovery, you need a PAM Configuration set up for your target infrastructure. The PAM Configuration directs the discovery process where to locate resources.

Network Discovery

Local network discovery uses a CIDR range for scanning. For discovery to locate a resource, the resource must be listening on the port Discovery probes for that service: the standard port, or the port given in the Port Mapping field. Below is the PAM Configuration data required for a successful discovery.

Field          Description                                     Notes
Network ID     Unique ID for the network                       For the user's reference. Ex: My Network
Network CIDR   Subnet to scan, in CIDR notation                Ex: 192.168.0.15/24 (learn more about CIDR)
Port Mapping   Overrides for services on non-standard ports,   Ex: ssh=2222 rdp=3390
               so that discovery still finds the resources

AWS Discovery

AWS discovery makes use of whatever AWS Role Policies have been granted to the Keeper Gateway in order to discover resources. The PAM Configuration filters against the provided region names to limit the findings.

In order for the Keeper Gateway to discover an AWS resource, it must be able to communicate to the target over standard ports (e.g. port 22 for SSH, 3389 for RDP, etc). If a non-standard port is being used, this needs to be specified in the PAM Configuration. Discovery will only add the resources to the Keeper vault if it can successfully communicate over the port. Adjust your security groups as necessary to allow this.

Below is the PAM Configuration data required for a successful discovery.

Field              Description                                        Notes
AWS ID             Identifier selected by the user                    For the user's reference only
Access Key ID      Access key, only when required                     Not required if an instance role is applied to the Gateway
Secret Access Key  Secret key, only when required                     Not required if an instance role is applied to the Gateway
Region Names       AWS region names, one per line; only resources     Ex: us-west-1 us-east-2
                   in the listed regions are found
Port Mapping       Overrides for services on non-standard ports,      Ex: ssh=2222 rdp=3390
                   so that discovery still finds the resources

Where the Gateway runs on EC2, prefer an instance role over an Access Key ID and Secret Access Key: the role gives the Gateway short-lived credentials and leaves no long-lived key to store in the PAM Configuration or to rotate.

Azure Discovery

Azure discovery makes use of whatever permissions have been granted to the role assigned to the Keeper Gateway in order to discover resources. The PAM Configuration filters against the provided region names to limit the findings.

In order for the Keeper Gateway to discover an Azure resource, it must be able to communicate to the target over standard ports (e.g. port 22 for SSH, 3389 for RDP, etc). If a non-standard port is being used, this needs to be specified in the PAM Configuration. Discovery will only add the resources to the Keeper vault if it can successfully communicate over the port. Adjust your Network Security Groups as necessary to allow this.

Below is the PAM Configuration data required for a successful discovery.

Field            Description                                                    Notes
Azure ID         A unique ID for your instance of Azure                         Required. For the user's reference. Ex: Azure-1
Client ID        The application (client) ID (UUID) of the Azure application    Required
Client Secret    The client credentials secret for the Azure application        Required
Subscription ID  The UUID of the subscription (e.g. Pay-As-You-Go)              Required
Tenant ID        The UUID of the Azure Active Directory (Microsoft Entra ID)    Required
                 tenant
Resource Groups  Resource groups to check, one per line; if left blank, all     Optional
                 resource groups are checked
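The Network, AWS and Azure sections above share one gating condition: Discovery only records a resource it can reach on the expected port, either the standard one or the one given in Port Mapping. The following is an added example, not Keeper's code, of a pre-flight check you can run from the host the Gateway is installed on before spending a discovery job: it parses the Port Mapping field exactly as written on this page, expands the Network CIDR, and attempts a TCP connect for every host and service. The database default ports and the fake connector used in the usage note are assumptions of the example, not values from this page.

```python
"""Pre-flight reachability check for a Keeper Discovery PAM Configuration.

Added example, not Keeper's code. Discovery only records a resource it can
reach on the expected port, so this reproduces that check from the host the
Gateway runs on: apply the Port Mapping overrides, expand the Network CIDR,
and attempt a TCP connect for each host and service.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Tuple

# Ports probed when Port Mapping gives no override. ssh and rdp are the values
# named on the page; the database entries are the vendors' default ports and
# are an assumption of this example, not stated by the documentation.
DEFAULT_PORTS: Dict[str, int] = {
    "ssh": 22, "rdp": 3389,
    "postgresql": 5432, "mysql": 3306, "mariadb": 3306,
    "mssql": 1433, "oracle": 1521, "mongodb": 27017,
}

Connector = Callable[[str, int], bool]


def parse_port_mapping(mapping: str) -> Dict[str, int]:
    """Parse the Port Mapping field, e.g. "ssh=2222 rdp=3390", over the defaults.

    Malformed entries raise instead of being skipped: probing the wrong port
    would make a live host look absent, which is the failure we are checking for.
    """
    ports = dict(DEFAULT_PORTS)
    for token in mapping.split():
        name, sep, value = token.partition("=")
        if not sep or not name or not value.isdigit() or not 0 < int(value) < 65536:
            raise ValueError(f"bad Port Mapping entry: {token!r}")
        ports[name.lower()] = int(value)
    return ports


def expand_cidr(cidr: str) -> List[str]:
    """Expand the Network CIDR field to host addresses. A host address with a
    prefix, like the page's 192.168.0.15/24, is taken as its /24 network."""
    network = ipaddress.ip_network(cidr, strict=False)
    return [str(host) for host in network.hosts()]


def tcp_connect(host: str, port: int, timeout: float = 0.5) -> bool:
    """Real probe: True only if a TCP handshake completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe(hosts: Iterable[str], ports: Dict[str, int], services: Iterable[str],
          connect: Connector = tcp_connect) -> Dict[Tuple[str, str], bool]:
    """Try every (host, service) pair. `connect` is injectable so the logic can
    be exercised without a network; the default performs a real TCP connect."""
    wanted = list(services)
    results: Dict[Tuple[str, str], bool] = {}
    for host in hosts:
        for service in wanted:
            results[(host, service)] = connect(host, ports[service])
    return results


def unreachable(results: Dict[Tuple[str, str], bool]) -> List[Tuple[str, str]]:
    """(host, service) pairs Discovery would not record, sorted for reporting."""
    return sorted(pair for pair, ok in results.items() if not ok)


if __name__ == "__main__":
    # Values from the page: CIDR 192.168.0.15/24 with ssh and rdp moved to 2222/3390.
    ports = parse_port_mapping("ssh=2222 rdp=3390")
    results = probe(expand_cidr("192.168.0.15/24"), ports, ["ssh", "rdp"])
    for host, service in unreachable(results):
        print(f"{host}: {service} on port {ports[service]} not reachable")
```

For AWS or Azure targets, pass the instances' private addresses in place of the expanded CIDR; a security group or Network Security Group that blocks the Gateway shows up here as unreachable, which is exactly the resource Discovery would silently leave out. A completed TCP handshake only proves the port is open from the Gateway's network position; it says nothing about whether the admin credentials you later link to the resource will work.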

Discovery Workflow

The basic workflow for running Discovery jobs is the following:

  • Set up a Keeper Gateway with associated Shared Folders

  • Populate the shared folders with any administrative credentials as PAM User record types

  • Run a discovery job on the target infrastructure

  • Process the results to create PAM Machine, PAM Database and PAM Directory records for the found resources

  • Run additional discovery jobs to locate user accounts within each found resource, utilizing credentials provided to the job.

Discovery Types

Keeper will discover resources, and the user accounts associated with them, of the following types:

Databases

  • PostgreSQL

  • MySQL

  • MariaDB

  • Microsoft SQL Server

  • Oracle

  • MongoDB

Machines

  • Linux

  • Windows

Directories

  • Active Directory

  • LDAP

  • Local users

  • Domain users

AWS Cloud

  • Virtual Machines

  • Directories and directory users

  • IAM users

  • Databases

  • Database users

Azure Cloud

  • Virtual Machines

  • Directories and directory users

  • IAM users

  • Databases

  • Database users

Services and Scheduled Tasks

When discovery is performed on a Windows machine, Keeper will automatically determine if a PAM User should be directly associated with any running services or scheduled tasks. When rotation is performed on any user accounts, Keeper will then update the Windows service account "log on as" credentials for any Windows services running as the PAM User, and restart the service. Keeper will also update the credential of any scheduled task running as that user on the target machine.

To learn more and set up this capability, see the Service Management page.

Activating PAM Features

After a Discovery process has been completed, you can edit the vault records to activate advanced features such as Rotation, Connections, and Tunnels.

Next Steps:

  • Discovery using Commander

  • Discovery using the Vault

Discovery using Commander

Performing resource discovery through Keeper Commander CLI

Overview

In this guide, you will learn how to discover resources within your target infrastructure using Discovery with Keeper Commander.

Prerequisites

Prior to using Discovery on Commander, make sure to review the Discovery Basics documentation.

Starting Commander

Login to Keeper Commander CLI using the keeper shell command.

$ keeper shell

List the Gateways

Run pam gateway list (or its short form, pam g l) to list all gateways:

My Vault> pam gateway list
KSM Application Name (UID) Gateway Name    Gateway UID             Status
-------------------------------------------------------------------------
AWS Rotation               Canada AWS      ce_Gg4jGS2a1ywiMo61Sow  ONLINE
Azure AD                   Azure useast1   j-xC9HwOQEKCfVsdyfdeLg  ONLINE
KeeperPAM US-WEST-1        US-WEST-1       QPkRsR8KQmf_4vnHTcofZA  ONLINE
Windows Domain             lureydemo.local rB8bR3drQrqPErKDzbKl9g  ONLINE

My Vault>

The Gateway UID is required to start the discovery process.

Start Discovery Job

Run the pam action discover start command to start a discovery job. The Gateway UID must be provided with the -g option.

pam action discover start -g QPkRsR8KQmf_4vnHTcofZA

View Status of Discovery Job

View the status of the active discovery job with pam action discover status:

My Vault> pam action discover status

Job ID         Gateway Name    Gateway UID            Status
============== =============== ====================== ============
JOBsR5G0VQBVV0 KeeperPAM GW1   QPkRsR8KQmf_4vnHTcofZA COMPLETE

There is one COMPLETED job. To process, use the following command.
  pam action discover process -j JOBsR5G0VQBVV0

After a discovery job is complete, detailed status information can be viewed by running:

pam action discover status -j JOBsR5G0VQBVV0

Proceed to the next step once the Discovery job's status is COMPLETE. Depending on how big your environment is, this may take a few minutes.

Process the Discovery Results

Once the discovery job is completed, you can process the findings with the provided Job ID.

pam action discover process -j JOBsR5G0VQBVV0

An interactive CLI session will start where you will be shown information on discovered assets and will be able to provision them as PAM Record types in your vault.

My Vault> pam action discover process -j JOBsR5G0VQBVV0

AWS EC2, us-west-1, Gateway3 - RHEL8, 10.0.0.139
Record Title: Aws AWS-US-WEST-1, EC2 us-west-1 Gateway3 - RHEL8
  Label: pamHostname, Type: pamHostname, Value: Hostname: 10.0.0.139, Port: 22
  Label: operatingSystem, Type: text, Value: linux
  Label: sslVerification, Type: checkbox, Value: False
  Label: instanceName, Type: text, Value: Gateway3 - RHEL8
  Label: instanceId, Type: text, Value: i-0319d6e8703875706
  Label: providerGroup, Type: text, Value: None
  Label: providerRegion, Type: text, Value: us-west-1
[2/2] (E)dit, (A)dd to Resources, Add to (F)older, (S)kip, (I)gnore, (Q)uit> A
Adding record to save queue.

During the Discovery process, you may be prompted to provide a PAM User record or create one on the fly to associate administrative credentials with the target resource.

Once the initial process is complete and administrative credentials have been supplied, you can run another Discovery job. This subsequent job leverages the provided credentials to delve deeper into the target resources, identifying local user accounts, services, and scheduled tasks.

Exploring Commander Capabilities

Keeper Commander provides many advanced capabilities for managing gateways, configurations, rotations and discovery. See the KeeperPAM Commands for a list of all available options.

Discovery using the Vault

Running Discovery using the Keeper Vault user interface

Overview

In this guide, you will learn how to discover resources within your target infrastructure using Discovery with the Keeper Vault and Desktop App.

Prerequisites

Prior to using Discovery, make sure to review the Discovery Basics documentation.

Discovery

From the Keeper Vault, click on the Discovery section. Click on "Create Discovery Job" to start a discovery process.

Empty State - Discovery Module

Discovery jobs in the running, failed, or completed states are listed on the Discovery screen.

Discovery Status

Create a Discovery Job

To create a discovery job, select the Keeper Gateway which will perform the discovery. The Gateway is associated to a PAM Configuration, which tells the gateway what type of environment is being scanned.

If the PAM Configuration is lacking details about the environment such as CIDR or cloud secrets, the user is prompted to enter this information.

New Discovery Job

Discovery Rules

If prior discovery jobs have created discovery rules, the rules can be viewed and managed here. A Discovery Rule saves time in the discovery process by automatically ignoring certain findings, for example a resource that you never want added to the vault.

Discovery Rules

Job Queue

Discovery jobs can be run in parallel across Keeper Gateways, but a single gateway can only run a single job at a time. If a job on a particular gateway is still running, you will receive an error message and be given the opportunity to cancel that job.

Job is Currently Running

Process Results

After a discovery job is in the "Completed" state, clicking the job lets you process the findings interactively. You can multi-select or iterate through the findings and add them to a queue before the queue is finalized.

Processing Discovery Results

When iterating through the discovery results, you can either Ignore, Skip or Queue the result to the final batch of results.

  • Ignore: Skip the resource now and for future jobs, creating a Rule for this resource

  • Skip: Only skips the resource during this session, but will be found again in subsequent scans

  • Queue to Folder: Add the resource to the queue, and finalize all findings at the end

When iterating through the results, you can select the location in the vault where the resource will be stored, and you can immediately assign the Admin Credentials associated with the resource. The Admin Credentials linked to a resource serve several purposes:

  • Finding user accounts: Subsequent discovery jobs will be able to use the Admin Credentials to remotely access the target resource and discover local user accounts.

  • Password Rotation: The Admin Credential is used for performing on-demand and scheduled password rotations on any found accounts.

  • Just-In-Time Access: Keeper JIT enables role and group elevation for the duration of privileged sessions.

  • Ephemeral Accounts: Keeper JIT capabilities include creation of temporary accounts under a certain role or group, for the duration of privileged sessions.

PAM Resources can have Connections and Tunneling activated to simplify the process of establishing access to the targets. PAM Users found during discovery can be enabled for automatic rotation.

Queue PAM Resources to Folder
Queue PAM Users to Folder

Publish Found Resources

After processing through the findings, the queued resources can be published to the vault in the specified Shared Folder locations.

Publish Findings

Next Steps

Now that the Discovery is complete, additional resources can be found by running another job against the same Gateway and PAM Configuration. If Admin Credentials have been linked to KeeperPAM Resources, these credentials will be used to discover local user accounts within each resource.