Reports

(Feature available only in Premium and Enterprise Editions )

Contents

Overview

The information on the entire password management process in your enterprise is presented in the form of comprehensive reports in Password Manager Pro. The status and summaries of the different activities such as password inventory, policy compliance, password expiry, user activity etc. are provided in the form of tables and graphs, which assist the IT administrators in making well-informed decisions on password management.

Password Manager Pro provides about fourteen canned reports classified under four types. In addition, there is provision to create custom reports.

Canned Reports

Types of Reports

Password Manager Pro provides four types of reports -

  • Password Reports
  • User Reports
  • General Reports
  • Compliance Reports

Password Reports

All details pertaining to the device properties, hardware properties, firmware details, audit details pertaining to the devices etc have been presented under Password reports.

To access Password reports, just go to Reports >> Password Reports.

Report Name What does it Convey Additional Information

Password Inventory Report

This report provides a snapshot of details about the total number of resources, passwords, resource types and users present in Password Manager Pro. Besides, it provides details about the ownership of each password/resource and details about the time at which the passwords were accessed.

There are three sections in this report:

Password Inventory - Summary Report

This section lists down the details in summary about the total number of resources, total number of passwords, total number of users and total number of resource types.

Password Distribution by Resource Type

This section provides a pie-chart showing the number of resources based on the resource types.

Password Inventory- Detailed Report

This section lists down the details of all the resources passwords, resource types and users present in Password Manager Pro. Besides, it provides details about the ownership of each password/resource and details about the time at which the passwords were accessed.

This report can be generated in the form of PDF or spreadsheet and can also be emailed to required recipients. Click the links "Export to PDF"/Export to XLS and "Email this Report" to do the required operation.

PolicyCompliance Report

This report provides a snapshot of details about the passwords that comply to the password policy set by the administrator and the ones that do not comply. Besides, it provides details about the ownership of each password.

Also, in the case of the passwords which are found to be non-compliant, details about non-compliance are also provided. This helps in taking the required corrective action immediately to make them compliant.

There are three sections in this report:

Password Policy Compliance Summaryt

This section lists down the details in summary about the total number of passwords, total number of passwords that comply to the policy and total number of passwords that are non-compliant.

Policy Violation by Resource Type

This section provides a pie-chart showing the number of passwords that are non-compliant to the defined policy based on the resource type.

List of Password Policies

This section lists down all policies that have been created. Details about each policy can be easily viewed by simply clicking on the name of each policy.

Policy Compliance Status

This section lists down the compliance details of all the resources (whether they are compliant with the defined policy or not). It also depicts the number of violations in each resource and the ownership details of resources and passwords in tabular form. You can make a search in this report by clicking the icon present at the top-right hand corner of the table.

This report can be generated in the form of PDF or spreadsheet and can also be emailed to required recipients. Click the links "Export to PDF"/Export to XLS and "Email this Report" to do the required operation.

Password Expiry Report

This report provides information about the validity details of passwords. In other words, it provides details about the passwords that have expired and the passwords that are valid.

There are three sections in this report:

Password Expiry - Summary

This section lists down the details in summary about the total number of passwords, total number of expired passwords and total number of valid passwords.

Resource Types and Expiry Status

This section provides a pie-chart showing the number of expired passwords in each resource type.

Expiry Status of Passwords

This section lists down the expiry/validity details of all the resources. It also depicts the number of expired/valid passwords in each resource and the ownership details of resources and passwords in tabular form. You can make a search in this report by clicking the icon present at the top-right hand corner of the table.

This report can be generated in the form of PDF and can be emailed to required recipients. Click the links "Export to PDF" and "Email this Report" to do the required operation.

Password Activity Report

This report provides information about the usage details of all passwords in the system. It provides details about the passwords that were most accessed during a specific time period, the ones that were least accessed, average access per day, per week, passwords that were frequently reset etc.

There are six sections in this report:

Activity Statistics - Summary Report

This section lists down the details in summary about the total number of passwords, average access per day/ per week, average password age, the number of passwords for which reset is supported, number of passwords that were reset using agents, number of passwords that were reset without agents, number of failures in password reset

Most Accessed Passwords

This section provides a graph showing the top 10 passwords that were accessed most.

Frequently Reset Passwords

This section provides a graph showing the top 10 passwords that were reset most.

Least Accessed Passwords

This section provides a graph showing the least accessed 10 passwords.

Rarely Changed Passwords

This section provides a graph showing the least reset 10 passwords.

Password Activity Details

This section provides the following details about the passwords that are in sync with the target systems: Date of creation of the password, number of times the password had been accessed from the date of creation, number of time the password underwent changes, the time at which the password was accessed/changed last, the frequency at which the password is being accessed every day, the frequency at which the password is being changed every week etc.

List of resources for which access control workflow has been activated

This section lists all the resources for which password access control workflow has been activated

List of resources for which access control workflow has been deactivated

This section lists all the resources for which password access control workflow has been deactivated

List of resources for which access control workflow has not been configured

This section lists all the resources for which password access control workflow has not been configured at all

This report can be generated in the form of PDF and can be emailed to required recipients. Click the links "Export to PDF" and "Email this Report" to do the required operation.

PasswordsOut of Sync Report

Passwords of resources such as servers, databases, network devices and other applications are stored in Password Manager Pro. It is quite possible that someone who have administrative access to these resources could access the resource directly and change the password of the administrative account.

In such cases, the password stored in Password Manager Pro would be outdated and will not be of use to the users who access Password Manager Pro for the password. Password Manager Pro provides option for checking the integrity of passwords at any point of time on demand and also at periodic intervals.

You can create a scheduled task for carrying out the integrity check at periodic intervals. Click "Schedule Report" and fill in the details.

You can also generate this report at any point of time by clicking the link "Generate Report". When you do so, you will get the results of the automatic integrity check done by Password Manager Pro at 1 AM every day for all the accounts for which remote synchronization has been enabled. The results of the current day's check done at 1 AM will be depicted in the report.

In case, you want to carry out integrity check at any moment on demand to get latest details, you need to click the option "ScheduleIntegrity Check". Password Manager Pro will try to establish connection with the target systems for all the accounts for which remote password reset has been enabled. Once the connection is established, it tries to login with the credentials stores in Password Manager Pro. If login does not succeed, Password Manager Pro concludes that the password is out of sync. In case, Password Manager Pro is not even able to establish connection with the system due to some network problem, it will not be taken as password out of sync. A consolidated notification would be emailed to all the administrators and auditors.

The Passwords Out of Sync report provides information if the passwords in the system are in sync with the corresponding passwords in the target systems.

There are two sections in this report:

Password Integrity Statistics

This section lists down the statistical details in summary about the total number of passwords for which reset is supported, passwords for which reset is done using agents, number of passwords that were reset using agents, number of passwords in the system are in sync with the corresponding passwords in the target systems, number of passwords that are out of sync etc.

Passwords Out of Sync Distribution

This section displays a pie-chart that portrays the distribution of paswwords (that are out of sync) across resource types.

Passwords Out of Sync Details

This section provides an expanded list of passwords, mentioning which of them are not in sync, who owns them, and their resource type.

This report can be generated in the form of PDF or spreadsheet and can also be emailed to required recipients. Click the links "Export to PDF" and "Email this Report" to do the required operation.

Ungrouped Passwords Report

Provides complete details about the password access control workflow scenario of your organizations. List of resources for which access control has been enabled, resources for which access control is activated/deactivated, resources for which the requests are automatically approved, list of password release requests approved/denied etc are depicted through this report.

This report can be generated in the form of PDF or spreadsheet and can also be emailed to required recipients. Click the links "Export to PDF"/Export to XLS and "Email this Report" to do the required operation.

Unshared Passwords

Passwords stored in Password Manager Pro. Certain passwords may not be shared with anyone. Such unshared passwords are listed in this report.

User Reports

Report Name What does it Convey Additional Information

User Access Report

This report provides details about all users in the system with reference to password and resource access.

This report has three sections:

User Statistics - Summary Report

This report can be generated in the form of PDF and can be emailed to required recipients. Click the links "Export to PDF" and "Email this Report" to do the required operation.

Details such as the number of new users added during the last five days, users deleted, role change, number of invalid login attempts, users who carried out password reset during the past five days, users who did not login during the last five days, total number of users/user groups in the system, user roles etc are presented as part of this report.

User Activity Summary Report

The actions performed by users on passwords such as password retrieval, password reset etc captured as part of this summary report. This report provides the number of such actions done by each user. Similarly, the number of password actions performed by members of each user group are also depicted.

User Access Details

The resources and resource groups that are owned by/shared to each user are depicted as part of this report. The privileges allowed for the user are also listed.

User Group Access Details

The list of users who are members of the group, resource groups that are owned by/shared to the user group are depicted as part of this report.

This report can be generated in the form of PDF and can be emailed to required recipients. Click the links "Export to PDF" and "Email this Report" to do the required operation.

User Activity Report

This report provides details about the password usage of all the users in the system.

This report has the following sections:

Activity Statistics - Summary Report

The total number of passwords accessed by users and user groups during a specified time period are depicted in the form of graphs.

Most Active Users - Login/Access/Reset

The list of the top 10 users who performed most login attempts, most password access and most password resets.

Least Active UsersUsers - Login/Access/Reset

The list of 10 users who performed least login attempts, least password access and least password resets.

User Activity Details

All details about users, including the total number of login attempts made, number of invalid attempts, number of passwords accessed, number of passwords reset are depicted.

This report can be generated in the form of PDF or spreadsheet and can also be emailed to required recipients. Click the links "Export to PDF"/Export to XLS and "Email this Report" to do the required operation.

Ungrouped Users Users in Password Manager Pro can be grouped into user groups. Certain users may not be a part of any user group. Such users and the passwords owned by them are listed in this report.

General Reports

Report Name What does it Convey Additional Information

Executive Report

This report provides a snapshot of all password access and user activities in the system.

It is a combined report of Password and User reports. It provides details, in summary, about the following:

Password Statistics, Password Activity, Password Policy, Password Expiry, Password Out of Sync, User Statistics and User Activity.

This report can be generated in the form of PDF and can be emailed to required recipients. Click the links "Export to PDF" and "Email this Report" to do the required operation.

Compliance Report

(Feature available only in Enterprise Edition)

Report Name What does it Convey Additional Information

PCI DSS Compliance Report

The PCI DSS stands for Payment Card Industry Data Security Standard. It is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. It represents a set of rules that need to be adhered to by businesses that process credit cardholder information, to ensure data is protected. The PCI Data Security Standard is comprised of 12 general requirements designed to:

  • Build and maintain a secure network
  • Protect cardholder data
  • Ensure the maintenance of vulnerability management programs
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Ensure the maintenance of information security policies

This standard is governed by PCI Security Standards Council https://www.pcisecuritystandards.org/

This reports the violations in your network from the requirements of Payment Card Industry (PCI) Data Security Standard (DSS), relevant to the use and management practices of shared administrative, software and service account passwords of various systems.

PCI DSS requirements 2,3,7,8,10 & 12 are covered in this report.

Note: In order to adhere to "all" the requirements of the PCI DSS standard completely, you will need other tools and security procedures to be implemented.

You have the option to generate separate compliance reports for each PCI DSS requirement 2,3,7,8,10 & 12. You can also generate a consolidated PCI DSS report too.

This report can be generated in the form of PDF and can be emailed to required recipients. Click the links "Export to PDF" and "Email this Report" to do the required operation.

ISO/IEC 27001 Compliance Report ISO/IEC 27001 is a specification developed to "provide a model for establishing, operating, monitoring, reviewing, maintaining, and improving an information security management system (ISMS). Simply put, ISO 27001 is a robust framework that helps you protect information such as financial data, intellectual property or sensitive customer information. The standard also stresses on the selection of adequate security controls that help protect information assets. In all, ISO 27001 has ten short clauses and also an Annex A. The Annex A alone specifies numerous control frameworks. Among them, A.9 deals with "Access Control." The clause basically requires the use of

  • A robust information security policy is in effect to ensure only authorized users have access to critical systems.
  • All users are uniquely identified and have established accountability for all privileged activities.
  • Access is only allowed to systems through secure mechanisms.
  • Sensitive information is protected with cryptographic controls.

This report communicates an organization's compliance level in relation to the control requirements as outlined in the clause A.9. The compliance will be based on various factors such as stringent password policies for privileged accounts in the enterprise, authentic audit records, strong authentication mechanisms, secure privileged access, and data security levels. A consolidated ISO/IEC 27001 compliance report will include information about the controls listed under A.9.1, A.9.1.1, A.9.1.2, A.9.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.5, A.9.2.6, A.9.3, A.9.3.1, A.9.4, A.9.4.1, A.9.4.2 and A.9.4.3. There are also option to generate separate compliance reports for requirements listed under each sections given above.

  1. This report can be generated in the form of PDF or spreadsheet and can also be emailed to required recipients. Click the links "Export to PDF"/Export to XLS and "Email this Report" to do the required operation.
  2. These compliance reports help address requirements only in select clauses of each security standards. In order to adhere to "all" the requirements of ISO 27001 other tools and security procedures should be implemented.

NERC CIP Compliance Report The NERC CIP standards is a set of requirements designed to ensure the security and eliability of the power systems. The North American Electric Reliability Corporation (NERC) introduced the Critical Infrastructure Protection (CIP) standards mainly to protect the critical assets such as electric utilities generation and transmission systems in the power grid. Broadly, NERC CIP has nine sections that cover various physical, virtual, and organizational measures that must be enforced to secure the bulk power system. In particular, the clauses CIP-004-3a, CIP-005-3a, and CIP-007-3a mandate

  • A regular review of authorized personnel with access to critical systems.
  • Granular access controls based on functional roles.
  • Robust authentication methods.
  • Comprehensive auditing of security events.
  • Monitoring of user activity during privileged sessions.
  • Use of strong passwords with reliable complexities.

This reports shows an organization's level of compliance with select requirements of clauses CIP-004-3a, CIP-005-3a, and CIP-007-3a. The report will help auditors understand the various security measures implemented in the concerned organization, such as privileged access control policies, authentication checks for privileged users, user activity auditing, privileged session recording & monitoring, and password policy enforcement. Apart from a consolidated NERC CIP report, there are also options to generate separate compliance reports for requirements specific to each clauses, i.e. CIP-004-3a, CIP-005-3a, and CIP-007-3a.

This reports can be generated in the form of PDF or spreadsheet and can also be emailed to required recipients. Click the links "Export to PDF"/Export to XLS and "Email this Report" to do the required operation. These compliance reports help address requirements only in select clauses of each security standards. In order to adhere to "all" the requirements of NERC CIP, other tools and security procedures should be implemented.

Scheduling Report Generation

All reports can be scheduled to be generated at periodic intervals. The reports thus generated can be sent via email to required recipients. To create a schedule for any report,

  • Navigate to "Reports" tab.
  • Click the link "Schedule Report" available under the name of each report.
  • In the pop-up form that opens, select the required schedule from the provided terms - Days / Monthly / Once / Never.
  • Next, enter the date / time at which the schedule has to commence.
  • Choose the format in which the report has to be mailed to the recipients, PDF or XLS or both.
  • Select the recipients to whom the report should be mailed to, from the given options.
  • You can also enter the list of email ids to which the report has to be emailed.
  • Click "Schedule".

The result of the scheduled task created here are audited and can be viewed from the "Task Audit" section.

To terminate an already created schedule,

  • Click the link "Schedule Report" available under the name of report (for which the schedule has to be terminated).
  • In the GUI that opens, select the option "Never"
  • Click "Schedule"
  • The schedule will be terminated

Custom Reports

(Feature available only in Enterprise Edition)

You can create customized reports out of the four canned reports (Password Inventory, Password Compliance, Password Expiry and Password Integrity) and two audit reports (Resource Audit and User Audit). You can specify certain criteria and create customized reports as per your needs.

The custom reports have been designed to bring out specific information from the Password Manager Pro database as per your needs. The canned reports provide a snapshot of details in general. On the other hand, you can create a custom report out of this canned report to get specific details.

For instance, let us take the case of creating a custom report out of Password Inventory Report. Assume that you want to get a report on the resources owned by 'User A' in 'Network Administration' department. You can create a custom report from the 'Password Inventory Report' by specifying the criteria as Resources from 'Department' 'Network Administration' AND 'Owner' name as 'User A'.

The real power of the custom reports lies in the fact that you can specify criteria expression and cull out information catering to your more specific needs.

Let us take another example to explain this:

Assume that your need is to take a list of all the sensitive passwords belonging to the resource types Windows and Windows Domain, Linux and Cisco, owned by a particular administrator - say John. Also, you want to get details on the share permissions for those passwords - with whom the passwords have been shared.

Here, the following are the conditions:

  • Sensitive accounts with names 'administrator' on Windows and Windows Domain, 'root' on Linux and 'enable' on Cisco are to be identified
  • Among such accounts, only those that are owned by john are to be identified

So, the criteria will be as follows:

To identify the 'administrator' accounts on Windows/Windows Domain, the criteria is

  • Resource Type starts with Windows (take this as column C1)
  • Account Name is administrator (take this as column C2)

To identify the 'root' accounts on Linux, the criteria is

  • Resource Type is Linux (take this as column C3)
  • Account Name is root (take this as column C4)

To identify the 'enable' accounts on Cisco devices, the criteria is

  • Resource Type contains Cisco (take this as column C5)
  • Account Name is root (take this as column C6)

To identify the resources owned by john

  • Owner is John (take this as column C7)

Now, you need to specify the criteria expression to combine the above factors:

((C1 and C2) or (C3 and C4) or (C5 and C6)) and C7

That means, you want to identify the resources/accounts complying to any and all the criteria listed above and finally match the ownership.

How to create custom reports?

To create custom reports,

  • Navigate to "Reports" >> "Custom Reports".
  • Click the link "Create Custom Reports" available on top left hand corner.
  • In the pop-up form that opens, provide a name for the custom report being created; enter description for easy identification of the report.
  • Select the type of report out of which you wish to create the custom report.
  • specify the criteria based on which the custom report has to be created. Refer to the example above on specifying the criteria. In case, you want to specify multiple values for the same column name, enter the entries in comma separated form. In the example above, in case, you want to generate the report pertaining to two departments - Network Administration and Finance departments, enter the values for the column 'Department' as Network Administration,Finance.
  • in case, you want to specify advanced criteria, edit the control expressions field; you can specify advanced conditions using expressions. Refer to the example above for details.
  • you have the option to control the number and order of columns to be displayed in the custom report. From "Select Columns" on LHS, choose the required columns. Use the up, down arrows on the RHS to control the arrangement of the columns in the report
  • click "Save" to save the entries. Click "Generate Report" to generate the customized report.

Custom Reports - Use Case

By leveraging the power of the custom reports, you can meet many of your auditing requirements with ease. Following is just one use case:

Exit Audit Report

Continuously assessing the vulnerability with respect to password access is one of the important auditing requirements. When an administrator, who had active access to the privileged passwords leaves the organization, it is imperative to assess the vulnerability. This requires taking a list of all the passwords that were accessed by the particular user during a specified time period and then initiate steps to change the passwords.

Taking a report on all the password management operations performed by the particular administrator during a specified time period, could serve as 'Exit Audit Report'. Custom reports help you generate a report to achieve this precisely. All that you need to do is to get the report out of the 'Resource Audit'.

  • Specify the time period for the custom report
  • Select the criteria as 'Operation Type' contains (C1) (just leave the criteria field blank to represent that you want to take a report on all operations)
  • 'Operated by' 'User A' (C2) who is leaving the organization

The resultant report will provide you list of password management operations performed by the particular administrator during the time range specified.

Custom Reports out of 'Resource Audit' and 'User Audit' would prove highly useful as you would be able to meet most of your auditing requirements by properly leveraging them.

The resultant report will provide you list of password management operations performed by the particular administrator during the time range specified.

©2014, ZOHO Corp. All Rights Reserved.

Top