This release introduces strong controls in Password Manager Pro for protecting personal data stored and processed in the product, in compliance with privacy regulations.
New Features & Enhancements
Additional protection in web GUI while displaying personal data
Form fields that contain personal data such as Username, DNS Name, Email ID, Server Name and more will henceforth be masked at all times to enhance protection. Additionally, when a specific user unmasks and views any of the masked data fields, the action is captured in the audit trails with a timestamp and the IP address of the machine from which the user viewed the data.
Canned report to demonstrate GDPR compliance status
Password Manager Pro now comes with a canned report that tells you the status of your compliance with specific requirements listed in Chapter 3 of the General Data Protection Regulation (GDPR), in terms of how users’ personal data is handled within the product. Apart from providing a holistic view of how personal data is handled, this report will also prove useful while preparing for privacy audits.
Provision to authorize selective administrators with privacy administration privileges
From v9700 onwards, a new “Authorized Administrators” option will appear under Admin >> Settings. This option can be used to authorize only the desired administrators with the privilege to view, access, and modify the following Password Manager Pro settings:
- Privacy Settings
- IP Restrictions
- Emergency Measures
When you upgrade to v9700 from earlier versions, users with the following roles will be automatically assigned as authorized administrators:
- Default “Administrator” role
- Custom role with permission to access and modify “PMP Server Settings” under PMP Settings category.
Password protected exports
Administrators can now add an additional layer of password protection for export operations across Password Manager Pro. This applies to:
- Resource and resource group exports (XLS file)
- Audit exports (PDF and CSV files)
- Report exports (XLS and PDF files)
The authorized administrator can either set a global passphrase, which will be used uniformly for the aforementioned export operations, or allow users to define their own passphrase for their exported files.
Mandating administrator acknowledgement of data transfer while setting up integration with third-party applications
Henceforth, when the Password Manager Pro administrator sets up integration with the services mentioned below, the administrator will be required to acknowledge the data transfer from the Password Manager Pro server for each respective integration.
- Cloud Storage – Dropbox, Box, and Amazon S3
- Two-factor Authentication – PhoneFactor, RSA SecurID, RADIUS Authenticator, and Duo Security.
Support for Encryption at Rest (EAR) while using MS SQL Server as the backend database
For Password Manager Pro installations that use an MS SQL Server as the backend database, Transparent Data Encryption (TDE) is supported henceforth to achieve EAR. TDE encrypts all the data and log files stored in the SQL Server, and the key used to encrypt the database is itself protected with a certificate to enhance protection.
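The T-SQL sequence that sets up the TDE hierarchy described above (master key, certificate, database encryption key, and the verification query), as an added illustration rather than anything from the release notes or ManageEngine; the database name PMPDatabase, the certificate name, the file paths and the passwords are placeholders.

```sql
-- Run as a sysadmin on the SQL Server instance hosting the Password Manager Pro database.
-- PMPDatabase, PMP_TDE_Cert, the file paths and the passwords are placeholders.
USE master;
GO

-- 1. Database master key in master, protected by a password (keep it in a vault).
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-master-key-password>';
GO

-- 2. Certificate that will protect the database encryption key (DEK).
CREATE CERTIFICATE PMP_TDE_Cert
    WITH SUBJECT = 'TDE certificate for Password Manager Pro database';
GO

-- 3. Export the certificate and its private key before enabling TDE.
--    Without this backup the encrypted database and its backups cannot be
--    restored on another instance; keep the files off the database server.
BACKUP CERTIFICATE PMP_TDE_Cert
    TO FILE = 'C:\TDEBackup\PMP_TDE_Cert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\TDEBackup\PMP_TDE_Cert.pvk',
        ENCRYPTION BY PASSWORD = '<strong-private-key-password>');
GO

-- 4. Create the DEK inside the PMP database, protected by the certificate.
USE PMPDatabase;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE PMP_TDE_Cert;
GO

-- 5. Turn encryption on; data and log files are encrypted in the background.
ALTER DATABASE PMPDatabase SET ENCRYPTION ON;
GO

-- 6. Verify: encryption_state 3 = encrypted, 2 = encryption in progress.
--    tempdb appears as well, since it is encrypted once any user database is.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       percent_complete,
       key_algorithm,
       key_length
FROM sys.dm_database_encryption_keys;
GO
```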
Backup file encryption
Database backup (.zip) files in Password Manager Pro, both on-demand and scheduled, will hereafter be encrypted with the Password Manager Pro master encryption key and stored securely in the destination directory. For a Password Manager Pro installation running against a remote MS SQL Server database, the backup file will be encrypted only if the specified backup destination is on the server in which Password Manager Pro is installed and not on the remote machine.
Privacy controls for canned reports
Password Manager Pro now allows authorized administrators to configure privacy settings for canned reports. Administrators can choose from an exhaustive list of personal data, deciding whether each input in the list should be completely omitted from the reports or included as masked information.
IP-based restrictions are now supported to limit inbound connections and minimize unwanted traffic to the Password Manager Pro server. Restrictions can be configured for web access, API calls, communication from native mobile applications, browser extensions, and Password Manager Pro agents deployed on target machines. The IP restrictions can be set at various levels and in combinations, such as defined IP ranges or individual IP addresses. The authorized administrator can either whitelist or blacklist the set of desired IP addresses.
Trash can for delete operations
Users and resources in Password Manager Pro can now be moved to the trash instead of being permanently deleted, with the option to restore them from the trash when needed. The trashed users and resources will be retained by Password Manager Pro only until the next rotation schedule is carried out for the master encryption key.
Purging selective session recordings
Earlier, session recordings and chat logs could only be purged in bulk, by configuring deletion of recordings older than a specified number of days. From v9700 onwards, session recordings can also be individually selected under Audit >> Recorded Sessions and purged. Additionally, the chat logs for a specific session recording can be deleted while retaining the recording itself, and vice versa.
Managing unidentified email addresses in Password Manager Pro
A new provision has been added to enable administrators to track and remove unidentified email addresses in Password Manager Pro, that is, addresses that do not belong to any of the users in the application. This provision currently allows management of unidentified email addresses captured in the “User Sessions” audit, as well as those configured as notification email recipients for scheduled tasks’ completion statuses and license expiry alerts.
In the rare event that suspicious activity is sensed within Password Manager Pro but has not yet been identified, a set of recommended best practices that can be carried out has been added under Admin >> Manage >> Emergency Measures. This illustrative list of incident response actions gives the administrator a head start on stopping all inbound and outbound communication to and from the Password Manager Pro server, such as stopping API calls, blocking agent communication, and stopping the SSHD server.
- Earlier, the “Total Passwords” count displayed in the dashboard did not include resources of the type File Store, Key Store, and License Store. From v9700 onwards, the count will include the aforementioned resources as well.
- While setting up user import from LDAP directories, Password Manager Pro administrators now have the choice to also define the corresponding attribute labels for department and location as used in the LDAP directories.
- A new option has been added to the Password Manager Pro MSP version under Admin >> General Settings >> User Management, which can be used to display the organization names of the client orgs in the organization drop-down list (at the top right corner) instead of the orgs’ display names.
- The option to delete client organizations has been added to Password Manager Pro MSP version. When a client organization is deleted, all the resources and users added under it will also be deleted.
- In v9601, SSH connections to remote systems failed if Password Manager Pro was running on an Ubuntu server. This has been fixed.
- In v9600 and v9601, due to an issue in Windows resource discovery, when the administrator tried to import OU A, OU B was wrongly imported. This has been fixed.
- From v9000 till v9601, the password expiry date for accounts in the Passwords section was wrongly displayed in the quick info beside each account. For instance, if the expiry date for an account’s password was May 25, it was shown as June 25, although this did not prevent the password from expiring on May 25. This has been fixed.
- From v9000 till v9601, the owner of a criteria resource group was sometimes unable to view the password of an account associated with a member resource in that resource group. This happened when the specific resource was owned by another user who was a member of a user group with which the criteria resource group had been shared, while the resource group owner was not a member of that user group. This has been fixed.
- From v8700 till v9601, if the administrator had disabled the default roles Password Administrator and Password User using the Role Filter in their instance, the disabled roles were automatically re-enabled when their Password Manager Pro server was restarted. This has been fixed.
- Earlier, user import from Active Directory groups did not work if the Password Manager Pro secondary server was running instead of the primary server. This has been fixed.
- Earlier, when an additional password field was added and used as an account attribute, the option to copy the password to clipboard for that additional field was not available in the resource and account details windows as well as in the Passcard screen. This has been fixed.
- Earlier, the “Change Password” option was shown in the My Profile drop-down menu for AD, Azure AD, and LDAP users even though it was not applicable to them. The option has now been removed.
- Earlier, the PostgreSQL database password, as well as the keystore password for HTTPS connections from the web server, was stored in the configuration files in plain text. Both are now encrypted with the AES-256 algorithm for enhanced security.