I apologise if I am missing something here, but does Vault have any service/privileged account discovery features? Meaning, Vault (or Vault agents) will crawl your network looking for servers with un-Vaulted local Administrator accounts and alert you when it discovers those credentials are not managed by Vault.
And if Vault doesn’t offer this feature, how are companies with Vault normally handling this?
Vault is purely a store for secrets, so such a feature is out of scope.
Unfortunately I’ve no idea what you might use for such a detection or if you’d need to make something custom.
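The reply above leaves the "something custom" open. As an added example (not code from the thread, Vault, or HashiCorp), here is the simplest shape such a check can take: reconcile a host inventory you already have (CMDB export, AD computer list, a scan) against the secrets Vault actually holds. It assumes a hypothetical layout of one KV v2 secret per host under `secret/local-admin/<hostname>`; the inventory and the Vault LIST response embedded below are constructed sample data, so the reconciliation runs offline. The one real API call is Vault's `LIST` on the KV v2 metadata path, which needs only the `list` capability, not `read` on the secrets themselves.

```python
"""Report hosts whose local Administrator credential is not held in Vault.

Added example, not from the thread. Assumed layout (hypothetical):
one KV v2 secret per host at secret/local-admin/<hostname>.
"""
import json
import urllib.request

# Constructed sample: what Vault returns for
#   LIST secret/metadata/local-admin
# Keys ending in "/" are sub-paths, not hosts; Vault mixes both into one list.
SAMPLE_VAULT_LIST = json.dumps(
    {"data": {"keys": ["web01", "DB02", "legacy/", "file01", "old-dc"]}}
)

# Constructed sample inventory: one hostname per line, "#" comments allowed.
SAMPLE_INVENTORY = """\
# exported from the CMDB
web01
db02
app03
file01
"""


def fetch_vault_list(addr, token, path="secret/metadata/local-admin"):
    """LIST a KV v2 metadata path over Vault's HTTP API.

    Only the 'list' capability on the path is needed, so the reporting
    job never has read access to the credentials it is auditing.
    """
    req = urllib.request.Request(
        f"{addr}/v1/{path}?list=true", headers={"X-Vault-Token": token}
    )
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


def vaulted_hosts(list_response):
    """Parse a LIST response into lowercase hostnames, skipping sub-paths."""
    keys = json.loads(list_response)["data"]["keys"]
    return {k.lower() for k in keys if not k.endswith("/")}


def inventory_hosts(text):
    """Parse the inventory export into lowercase hostnames."""
    hosts = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            hosts.add(line.lower())
    return hosts


def unvaulted(inventory, vaulted):
    """Hosts we know about whose local admin secret is missing from Vault."""
    return sorted(inventory - vaulted)


def orphaned(inventory, vaulted):
    """Secrets in Vault for hosts no longer in the inventory (cleanup candidates)."""
    return sorted(vaulted - inventory)


def report(list_response=SAMPLE_VAULT_LIST, inventory_text=SAMPLE_INVENTORY):
    inv = inventory_hosts(inventory_text)
    held = vaulted_hosts(list_response)
    return {"unvaulted": unvaulted(inv, held), "orphaned": orphaned(inv, held)}


if __name__ == "__main__":
    # Replace SAMPLE_VAULT_LIST with
    #   fetch_vault_list(os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"])
    # to run against a live Vault.
    print(json.dumps(report(), indent=2))
```

The interesting part is what the script cannot see: a host that is in the inventory and has a secret in Vault may still have a local admin password that was changed out-of-band, so this check only proves a secret exists, not that it is current. Verifying that means either a rotation mechanism that writes back to Vault, or a separate logon test using the stored credential.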
I had a call with a Sales resource, and I think I have a better understanding. My requirements appear to span a few different products (e.g. Boundary), so I wouldn’t want someone reading this to be discouraged by the response.
In summary, there is a “discovery” component in Boundary. But that appears to be contingent on those managed resources being on AWS or Azure. For people with on-premise resources, discovering those resources is not possible at this point in time. Although keep in mind that by the time you read this, that could have changed.
Even if it does, it seems as though “discovery” isn’t about finding un-Vaulted privileged accounts. It’s, instead, about importing an asset list from your CSP’s APIs.
In short, perhaps one day in the future this might change, but Boundary + Vault wouldn’t be a replacement for something like BeyondTrust or Delinea Privilege Vault.