Privileged credentials left in spreadsheets, sticky notes, or shared password managers are a breach waiting to happen. Credential vaulting is the practice of storing privileged account passwords, API keys, certificates, and other secrets in a purpose-built, encrypted vault that controls who can access them, when, and for how long. Modern vaults go beyond simple storage: they rotate passwords automatically, record sessions, enforce checkout workflows, and provide the audit trail that compliance frameworks demand.
This lesson compares the leading credential vaulting solutions — from enterprise-grade platforms like CyberArk and BeyondTrust to cloud-native options like Azure PIM and open-source alternatives — so you can choose the right tool for your organisation’s size, budget, and maturity level.
Why Vaulting Matters
Without a vault, privileged credentials tend to end up in dangerous places:
- Shared spreadsheets — A single compromised file exposes every admin password in the organisation.
- Browser password managers — Not designed for shared or privileged credentials and lack enterprise audit controls.
- Hard-coded in scripts — Service account passwords embedded in automation scripts are a favourite target for attackers and nearly impossible to rotate without breaking things.
- Sticky notes and notebooks — Physical security failures remain surprisingly common, even in otherwise mature organisations.
- Shared knowledge — “Everyone on the team knows the Domain Admin password” is a phrase that should trigger alarm bells. Shared knowledge means shared risk and zero accountability.
A vault solves these problems by providing a single, secured, audited location for all privileged credentials with controlled access and automatic rotation.
Diagram: Credential Storage Risk Comparison. Matrix comparing storage methods (spreadsheets, browser managers, scripts, vaults) across risk dimensions: encryption, access control, rotation, auditing.
Comparing Credential Vaulting Solutions
The market offers a range of options depending on your organisation’s size, budget, and complexity:
Enterprise Solutions
- CyberArk Privilege Cloud / Privileged Access Security — The market leader with the most comprehensive feature set. Offers credential vaulting, automatic password rotation, session recording, JIT checkout workflows, and threat analytics. Best suited for mid-to-large organisations with complex on-premises and cloud environments. Expect significant investment in licensing and implementation resources. CyberArk also provides a free tier called CyberArk Identity Security Platform Shared Services for smaller deployments.
- BeyondTrust Password Safe — A strong enterprise alternative with credential vaulting, session monitoring, and automated rotation. BeyondTrust excels at integrating privileged access management with endpoint privilege management, making it a good choice if you also need to manage local admin rights on workstations.
- Delinea Secret Server — Formerly Thycotic, now merged with Centrify. Offers a user-friendly vault with role-based access, automatic rotation, and session recording. Known for faster deployment times compared to CyberArk. Pricing is generally more accessible for mid-market organisations.
Cloud-Native Solutions
- Azure AD Privileged Identity Management (PIM) — Not a traditional credential vault, but provides JIT role activation for Azure AD and Azure resource roles. Ideal for organisations heavily invested in the Microsoft ecosystem. Available with Azure AD P2 or Microsoft Entra ID Governance licences. Does not vault local admin or service account credentials — you need a separate solution for those.
- AWS Secrets Manager — Vaults and rotates secrets for AWS services (database credentials, API keys). Tightly integrated with AWS IAM. Best for organisations whose infrastructure is primarily on AWS.
- Google Cloud Secret Manager — Similar to AWS Secrets Manager but for the Google Cloud ecosystem. Stores API keys, passwords, and certificates with IAM-based access control.
Open-Source and Lower-Cost Solutions
- HashiCorp Vault (Community Edition) — A powerful, flexible secrets management tool that supports dynamic credential generation, encryption as a service, and multi-cloud environments. The open-source Community Edition is free but requires technical expertise to deploy and maintain. The Enterprise edition adds features like namespaces, replication, and vendor support.
- Microsoft LAPS (Local Administrator Password Solution) — A free tool from Microsoft that automatically rotates local administrator passwords on domain-joined workstations and stores them in Active Directory. LAPS is not a full PAM vault, but it solves the critical problem of shared local admin passwords at zero licensing cost. Windows LAPS (the updated version) stores passwords in Azure AD as well.
- Passbolt — An open-source team password manager with role-based access and audit logging. Suitable for small teams that need a step up from shared spreadsheets but aren’t ready for enterprise PAM.
- Bitwarden (Teams/Enterprise) — While primarily a password manager, the Teams and Enterprise tiers offer shared vaults, role-based access, event logging, and directory integration at a fraction of the cost of dedicated PAM tools.
Diagram: Vaulting Solution Selection Matrix. Decision matrix mapping organisation size and budget against recommended vaulting solutions, from LAPS and Passbolt for small teams to CyberArk for enterprise.
Configuring Basic Vaulting for Admin Accounts
Regardless of which tool you choose, the basic vaulting setup follows these steps:
- Inventory your privileged credentials — List every admin account, service account, and shared credential. Include the system it accesses, the current owner, and how the password is currently stored and shared.
- Deploy the vault — Install and configure your chosen solution. For cloud-native tools (Azure PIM, AWS Secrets Manager), this may be as simple as enabling a service. For on-premises tools (CyberArk, Delinea), plan for server infrastructure and connector installation.
- Onboard credentials — Import or manually add each privileged credential to the vault. Assign ownership and define who can check out each credential.
- Enable automatic rotation — Configure the vault to rotate passwords on a schedule (e.g., every 30, 60, or 90 days) and immediately after each checkout. This ensures that even if a credential is intercepted, it has a limited useful lifespan.
- Enforce checkout workflows — Require administrators to check out credentials through the vault rather than knowing passwords directly. For high-risk accounts, enable dual-approval checkout.
- Enable session recording — If your vault supports it, enable session recording for privileged sessions. This provides a complete video-like record of what was done during each admin session.
Diagram: Credential Vaulting Workflow. End-to-end flow showing credential onboarding, checkout request, approval, time-limited usage, automatic check-in, and password rotation.
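As an added example (not code from the lesson, and not Microsoft's own tooling), the PowerShell below shows what two of the steps above look like when the vault is Windows LAPS: a coverage report across domain-joined computers that doubles as audit evidence, and a checkout that records who took which credential, when and why, then expires the password so the client rotates it at its next policy cycle. It assumes the Windows LAPS and RSAT ActiveDirectory modules; the OU name, log path and ticket reference are placeholders.

```powershell
# Added example, not code from the lesson or from Microsoft. Assumes the Windows LAPS
# PowerShell module and the RSAT ActiveDirectory module, run by an account that has
# been granted read and expiration-reset rights on the target OU.
Import-Module LAPS
Import-Module ActiveDirectory

# 1. Evidence: which enabled computers actually have a LAPS-managed password?
function Get-LapsCoverageReport {
    param([Parameter(Mandatory)][string]$SearchBase)   # e.g. "OU=Workstations,DC=example,DC=com"
    $attrs = 'msLAPS-PasswordExpirationTime', 'ms-Mcs-AdmPwdExpirationTime', 'OperatingSystem'
    Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties $attrs |
      ForEach-Object {
        # Windows LAPS and legacy LAPS use different attributes; either counts as managed.
        $raw = $_.'msLAPS-PasswordExpirationTime'; $source = 'Windows LAPS'
        if (-not $raw) { $raw = $_.'ms-Mcs-AdmPwdExpirationTime'; $source = 'Legacy LAPS' }
        if ($raw) {
            $expires = [DateTime]::FromFileTimeUtc([int64]$raw)
            # An expiry in the past means the machine has not rotated on schedule.
            $status = if ($expires -lt [DateTime]::UtcNow) { 'Overdue' } else { 'Managed' }
        } else { $source = 'None'; $expires = $null; $status = 'Not managed' }
        [PSCustomObject]@{ Computer = $_.Name; OS = $_.OperatingSystem
                           Source = $source; ExpiresUtc = $expires; Status = $status }
      }
}

# 2. Checkout with an audit record, followed by forced rotation.
function Invoke-LapsCheckout {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$Justification,              # kept in the checkout log
        [string]$LogPath = "$env:ProgramData\laps-checkout.csv"    # placeholder path
    )
    $entry = Get-LapsADPassword -Identity $ComputerName -AsPlainText
    [PSCustomObject]@{
        TimeUtc = [DateTime]::UtcNow.ToString('o'); Operator = "$env:USERDOMAIN\$env:USERNAME"
        Computer = $ComputerName; Account = $entry.Account; Justification = $Justification
    } | Export-Csv -Path $LogPath -Append -NoTypeInformation
    # Expire the password now so the client rotates it at its next policy cycle,
    # which limits the useful lifetime of whatever the operator just saw.
    Set-LapsADPasswordExpirationTime -Identity $ComputerName
    $entry.Password   # returned only after the log entry has been written
}

# Usage with constructed values: coverage report as evidence, then one checkout.
$report = Get-LapsCoverageReport -SearchBase 'OU=Workstations,DC=example,DC=com'
$report | Sort-Object Status, Computer | Format-Table -AutoSize
$report | Export-Csv -Path '.\laps-coverage.csv' -NoTypeInformation
Invoke-LapsCheckout -ComputerName 'PC01' -Justification 'Ticket 0000 (placeholder): driver install'
```

Computers reported as Overdue are worth chasing before an audit: the attribute is set, but the machine has not rotated its password when policy said it should.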
Why This Matters
Credential vaulting is the backbone of any serious PAM programme. Without it, you have no reliable way to control who accesses privileged accounts, no way to ensure passwords are rotated regularly, and no audit trail showing who used which credential and when. For SMEs, the good news is that you don’t need to start with a six-figure CyberArk deployment. Microsoft LAPS is free and solves the local admin password problem immediately. Azure PIM is included in licences many organisations already have. Open-source tools like HashiCorp Vault and Passbolt provide capable vaulting at minimal cost. The important thing is to start — any vault is infinitely better than a shared spreadsheet.
What to Do Now
- Audit how privileged credentials are currently stored and shared in your organisation — identify every spreadsheet, shared document, and “everyone knows the password” situation.
- Deploy Microsoft LAPS (or Windows LAPS) across all domain-joined workstations to eliminate shared local admin passwords — this is free and can be done in a week.
- Evaluate whether your existing Microsoft licences include Azure AD PIM and enable it for cloud admin roles.
- For on-premises service accounts and shared admin credentials, evaluate at least two vaulting solutions based on your budget and team size.
- Onboard your top ten highest-risk privileged credentials to the vault within 60 days.
- Enable automatic password rotation for all vaulted credentials.
Evidence to Collect
- Vault deployment documentation showing configuration and hardening of the vault platform itself.
- Inventory of credentials onboarded to the vault, with ownership and checkout policies.
- Automatic rotation configuration screenshots showing rotation schedules for vaulted credentials.
- Checkout logs showing who accessed which credential, when, and with what justification.
- LAPS deployment evidence showing coverage across domain-joined workstations.
- Session recording samples (redacted as needed) demonstrating privileged session capture capability.
Common Mistakes
- Vaulting only some credentials — If you vault your Domain Admin password but leave service account passwords in a spreadsheet, attackers will target the unvaulted credentials. Aim for complete coverage over time.
- Not rotating passwords after checkout — A credential that is checked out, used, and returned without rotation is still compromised if the session was intercepted. Enable automatic rotation after every checkout.
- Making the vault too hard to use — If the checkout process is so cumbersome that administrators create workarounds (writing down passwords, bypassing the vault), you’ve made things worse, not better. Balance security with usability.
- Forgetting about the vault’s own security — The vault itself becomes a high-value target. Ensure the vault platform is hardened, patched, backed up, and monitored with the same rigour as your domain controllers.
- Ignoring service accounts — Organisations often vault human admin accounts but forget about the dozens of service accounts with privileged access. Service accounts frequently have the oldest, most powerful, and least-rotated passwords in the environment.
Knowledge Check
Question 1 of 4
What is the primary purpose of a credential vault in a PAM programme?
- To make it easier for administrators to share passwords via email
- To store, control access to, rotate, and audit privileged credentials in a secure, centralised location
- To replace multi-factor authentication for admin accounts
- To permanently lock admin accounts so they cannot be used
B. A credential vault provides centralised, encrypted storage with controlled access, automatic password rotation, and complete audit logging for all privileged credential usage. It replaces insecure storage methods like spreadsheets and shared knowledge.
Question 2 of 4
What does Microsoft LAPS solve?
- It replaces Azure AD for cloud identity management
- It automatically rotates and uniquely sets local administrator passwords on domain-joined workstations
- It provides session recording for all remote desktop connections
- It encrypts hard drives on all Windows workstations
B. LAPS automatically generates unique, random local administrator passwords for each domain-joined workstation and stores them securely in Active Directory (or Azure AD with Windows LAPS). This eliminates the risk of shared local admin passwords across all machines.
Question 3 of 4
Why should credentials be automatically rotated after each checkout from the vault?
- To meet a Microsoft licensing requirement
- To ensure the credential is no longer valid if it was intercepted during the checkout session
- To prevent the vault from running out of storage space
- To force administrators to memorise new passwords regularly
B. Post-checkout rotation ensures that even if a credential was captured during the admin session (through keylogging, shoulder surfing, or network interception), the password is changed immediately after use, rendering the captured credential useless.
Question 4 of 4
Which vaulting solution would you recommend for a 50-person company with limited budget and primarily Microsoft cloud infrastructure?
- CyberArk Privilege Cloud — it is the market leader and every organisation should use it
- Microsoft LAPS for local admin passwords plus Azure AD PIM for cloud admin roles — both are included or free with existing Microsoft licences
- Build a custom vault application in-house to save money
- No vaulting is needed for an organisation of this size
B. For a small, Microsoft-centric organisation, LAPS (free) solves local admin passwords and Azure AD PIM (included with Azure AD P2) provides JIT access for cloud roles. Together they provide meaningful vaulting and access control at minimal additional cost.
Summary Notes — Vaulting Credentials
Key Takeaways
- Privileged credentials stored in spreadsheets, scripts, or shared knowledge represent critical vulnerabilities that attackers actively exploit.
- Credential vaults provide centralised, encrypted storage with access control, automatic rotation, and complete audit trails.
- Enterprise options (CyberArk, BeyondTrust, Delinea) offer comprehensive features; cloud-native options (Azure PIM, AWS Secrets Manager) integrate tightly with their ecosystems; open-source tools (HashiCorp Vault, Passbolt) provide capable vaulting at lower cost.
- Microsoft LAPS is free and solves the shared local admin password problem immediately — every organisation should deploy it.
- The vault itself becomes a high-value target and must be hardened, monitored, and backed up with the same rigour as domain controllers.
Action Items
- Audit all current privileged credential storage methods and eliminate spreadsheets and shared documents.
- Deploy Microsoft LAPS across all domain-joined workstations within 30 days.
- Enable Azure AD PIM for cloud admin roles if your licensing supports it.
- Evaluate and select a vaulting solution for on-premises service and admin accounts based on your budget and complexity.
- Onboard the top ten highest-risk credentials to the vault within 60 days with automatic rotation enabled.
Compliance Relevance
Credential vaulting directly supports ISO 27001 A.9.2.4 (Management of Secret Authentication Information), NIST CSF PR.AC-1 (Identities and Credentials — managing and protecting authentication credentials), Cyber Essentials requirements for secure password management, PCI DSS Requirement 8.2 (Proper Credential Management — unique IDs, password complexity, rotation), and SOX Section 404 requirements for securing access to financial systems. Auditors will specifically ask how privileged passwords are stored, rotated, and audited.