How secure is Secret Server? Has it been tested/certified? Are vulnerability reports available?

How secure is Secret Server?
Secret Server is used by military, government, academic, financial and private organizations throughout the world every day to keep their privileged passwords secure. It uses the latest technology in terms of authentication (RADIUS/two-factor), encryption, hashing, security best practices, auditing and Role Based Access Control (RBAC).

Has Secret Server been tested by independent testing experts?  Are these reports available?
Secret Server has been tested by lots of security experts and private testing firms over the years. Many of our enterprise customers have put Secret Server through a security review and even penetration testing. Our security team is very responsive and will work with a customer to ensure all answers are provided to complete a security review. Occasionally we get to see the security review reports from customers who use independent testing firms - we are not allowed to republish or distribute these reports, but I can tell you that all of these customers continue to use Secret Server today. We will improve and fix any legitimate issues found in security reviews. Our goal is to make Secret Server as secure as possible.

Secret Server is also freely available for download from our website, so every 16-year-old hacker can poke around and try to find holes in it. :)

Has Secret Server been certified?
Secret Server has been used by many customers to meet specific compliance requirements such as SOX, SAS70, PCI DSS, FERC, NERC, COBIT, ISO and HIPAA. Most certifications and compliance levels depend on implementation - this means that Secret Server itself is not certified, but rather how you have implemented the solution (settings, configuration, environment, policies). Security is a process, not a product.

Has Thycotic Software or Secret Server been SAS70 audited?
Secret Server cannot be audited for SAS70 since it is a product and the audit would be entirely dependent on how it is implemented and used. Thycotic Software is not a public company (we are a privately held US corporation), so we are not subject to SAS70 audits.


Also see:

Enabling FIPS compliance in Secret Server


Security Best Practices in Secret Server

Article ID: 136, Created On: 12/13/2010, Modified: 2/1/2012