  • Find systems, accounts.
  • Attach policy.

Random passwords:

  • Default is daily.

Secure storage:

  • Replicated (with fault tolerance/queue).
  • Encrypted.
  • Geographically distributed.

Access controls:

  • Policy: who can sign into which account?

Workflow controls:

  • One-time request/approval/login.

Single sign-on:

  • Launch SSH, RDP, vSphere, SQL, etc.
  • Alternatively: display password, temporary group membership, temporary SSH trust/sudo rights.

Application passwords:

  • Notify SCM, IIS, Scheduler, DCOM of new passwords.
  • API to eliminate embedded passwords.


  • Requests, approvals, logins to privileged accounts.

Session monitoring:

  • Screen, keyboard, webcam, process ID, window title, etc.