I am looking for opinions and best practices regarding credential vaults. I’m interested in finding the best hybrid approach for an environment that strongly leans toward a Just-in-Time (JIT) philosophy, but still requires about 5-10% of “traditional freedom” to manually store passwords, keys, and files for assorted network devices and applications.
Specifically, has anyone had success using Netwrix Privilege Secure not only as a PAM solution but also as a standard password manager?
If so, what is the best approach for this? Should we rely on credential release, or is a Bring Your Own Vault (BYOV) strategy more practical? If you recommend BYOV, which external vaults would you suggest?
As a fairly small team, we use the Netwrix secret vaults for any credential that can’t be auto-rotated by Netwrix NPS. There are multiple secret vaults to categorize the credentials they contain, and then the credentials are further grouped via credential groups to allow for easier management of credential release activities. Unfortunately, since NPS doesn’t have any kind of dynamic, rule-based process for assigning new credentials to credential groups, we either leverage the API to automatically sync new credentials from specific secret vaults to credential groups, or have documented processes guiding the assignment of credentials to the proper groups.
That all being said, this is not quite like a standard password manager, since only Netwrix NPS admins can add these credentials for release to our technicians, and those credentials are static and non-rotating. Typically that means these credentials are break-glass accounts or low-risk, information-based secrets such as a license key.
BYOV can be pretty powerful if you have structured data to query against. I know there has been a post here about a native integration with Entra/Intune LAPS, but that can totally be built out via the custom BYOV provider. If you already have credentials securely stored somewhere, the BYOV provider can allow JIT access to it based on your access policies.
Hope that gives some insight into how another team is using the vaults and credential storage in Netwrix NPS! Any questions, happy to answer what I can.
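The reply above describes scripting the "vault to credential group" assignment against the API because the product has no rule engine for it. The following is an added example (not Netwrix code, and not the poster's script) of the reconciliation logic such a sync job needs: declarative rules that map a secret vault (and optional tags) to a credential group, an idempotent diff against current membership, optional cleanup of stale members only in groups you declare as fully managed, and a list of credentials no rule claims so they can go through the documented manual process. The `Credential` fields, the `InMemoryVaultClient` and the sample records are all assumptions standing in for whatever the real API returns.

```python
"""Rule-based sync of vault credentials into credential groups.

Added example, not vendor code. The record shapes and the VaultClient
interface are assumptions; the real API calls would sit behind the same
four methods.
"""
from dataclasses import dataclass
import fnmatch


@dataclass(frozen=True)
class Credential:
    cred_id: str
    name: str
    vault: str                          # secret vault the credential lives in
    tags: frozenset = frozenset()       # assumed free-form labels


@dataclass(frozen=True)
class Rule:
    """Put a credential in `group` when its vault matches `vault_glob`
    and every tag in `require_tags` is present."""
    vault_glob: str
    group: str
    require_tags: frozenset = frozenset()

    def matches(self, cred: Credential) -> bool:
        return (fnmatch.fnmatchcase(cred.vault, self.vault_glob)
                and self.require_tags <= cred.tags)


def desired_memberships(creds, rules):
    """group name -> set of credential ids the rules say belong there."""
    desired = {}
    for cred in creds:
        for rule in rules:
            if rule.matches(cred):
                desired.setdefault(rule.group, set()).add(cred.cred_id)
    return desired


def unmatched(creds, rules):
    """Credentials no rule claims: these still need the manual process."""
    return sorted(c.name for c in creds if not any(r.matches(c) for r in rules))


def plan_changes(desired, current, managed_groups=frozenset()):
    """Return (adds, removes), each group -> set of credential ids.
    Members are only ever removed from groups listed in `managed_groups`,
    so hand-curated groups keep their manual additions."""
    adds, removes = {}, {}
    for group, want in desired.items():
        have = current.get(group, set())
        if want - have:
            adds[group] = want - have
        if group in managed_groups and have - want:
            removes[group] = have - want
    return adds, removes


class InMemoryVaultClient:
    """Stand-in for a real PAM API client (assumption); keeps state in memory."""

    def __init__(self, creds, groups):
        self._creds = list(creds)
        self.groups = {g: set(m) for g, m in groups.items()}

    def list_credentials(self):
        return list(self._creds)

    def group_members(self):
        return {g: set(m) for g, m in self.groups.items()}

    def add_to_group(self, group, cred_id):
        self.groups.setdefault(group, set()).add(cred_id)

    def remove_from_group(self, group, cred_id):
        self.groups.get(group, set()).discard(cred_id)


def sync(client, rules, managed_groups=frozenset()):
    """Apply the plan; running it twice makes no further changes."""
    desired = desired_memberships(client.list_credentials(), rules)
    adds, removes = plan_changes(desired, client.group_members(), managed_groups)
    for group, ids in adds.items():
        for cid in sorted(ids):
            client.add_to_group(group, cid)
    for group, ids in removes.items():
        for cid in sorted(ids):
            client.remove_from_group(group, cid)
    return adds, removes


# Constructed sample data (not from any real environment).
SAMPLE_CREDS = [
    Credential("c1", "fw-core-admin", "Network-Devices", frozenset({"break-glass"})),
    Credential("c2", "switch-readonly", "Network-Devices"),
    Credential("c3", "erp-license-key", "App-Licenses", frozenset({"license"})),
    Credential("c4", "old-vpn-psk", "Archive"),        # no rule claims this one
]
SAMPLE_RULES = [
    Rule("Network-*", "NetOps-BreakGlass", frozenset({"break-glass"})),
    Rule("Network-*", "NetOps-Release"),
    Rule("App-*", "AppSupport-Release"),
]
SAMPLE_GROUPS = {"NetOps-Release": {"c2", "c4"}, "AppSupport-Release": set()}
MANAGED = frozenset({"NetOps-Release"})


def run_example():
    client = InMemoryVaultClient(SAMPLE_CREDS, SAMPLE_GROUPS)
    adds, removes = sync(client, SAMPLE_RULES, MANAGED)
    return client, adds, removes, unmatched(SAMPLE_CREDS, SAMPLE_RULES)


if __name__ == "__main__":
    client, adds, removes, leftover = run_example()
    print("add:", adds, "remove:", removes, "manual:", leftover)
```

Note that the stale member `c4` is removed only because `NetOps-Release` is declared managed; in an unmanaged group it would be left for a human to review, which is the safer default when break-glass entries are added by hand.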