How VaultPAM Works — Visual Concepts

VaultDoor

Every request passes through the gate

How it works

Every access request passes through the vault.

Actors

Vault Gate

SEALEDMFAEU-1

09:14 dev@acme RDP srv-prod-01 GRANTED

09:15 ops@acme SSH srv-bastion GRANTED

09:15 ext@vendor RDP srv-prod-02 DENIED

09:16 admin@acme SSH app-srv-03 GRANTED

09:17 dev@acme DB db-prod-01 GRANTED

09:18 svc@ci SSH srv-bastion DENIED

09:18 ops@acme VNC jump-01 GRANTED

09:19 ext@vendor SSH app-srv-03 DENIED

09:20 admin@acme RDP srv-prod-01 GRANTED

09:21 dev@acme SSH srv-bastion GRANTED

09:22 ext@vendor DB db-prod-01 DENIED

09:22 ops@acme RDP srv-prod-02 GRANTED

09:23 svc@ci VNC jump-02 DENIED

09:24 admin@acme DB db-replica GRANTED

09:25 dev@acme VNC jump-01 GRANTED

09:26 ext@vendor RDP srv-prod-01 DENIED

09:27 svc@ci SSH app-srv-03 DENIED

09:27 ops@acme SSH srv-bastion GRANTED

09:14 dev@acme RDP srv-prod-01 GRANTED

09:15 ops@acme SSH srv-bastion GRANTED

Infrastructure

The Broker

No direct path to your servers exists

Access Mesh

Every connection, visible and controlled

The Ledger

An immutable record of every access event

THE LEDGER·vault-eu-1·LIVE·6 entries

TIMESTAMPACTORPROTOTARGETVERDICTSESSIONSEAL

--:--:--Zdev@acmeRDPsrv-prod-01GRANTED#44214a7f…b3e1

--:--:--Zops@acmeSSHsrv-bastionGRANTED#4422b3e1…cc04

--:--:--Zext@vendorRDPsrv-prod-02DENIED#4423cc04…91fa

--:--:--Zadmin@acmeSSHapp-srv-03GRANTED#442491fa…2d88

--:--:--Zdev@acmeRDPsrv-prod-03GRANTED#44252d88…e07b

--:--:--Zsvc@ciSSHsrv-bastionDENIED#4426e07b…5c3f

SOC 2 READY

The Audit Chain

Tamper-evident hash-chain: why the log cannot be altered

THE AUDIT CHAIN·vault-eu-1·LIVE·5 events·chain verified

CHAIN INTACT

The Observatory

Total awareness of your infrastructure

3 ACTIVE SESSIONSEU-1RECMFA

The Connector

Zero firewall changes — outbound only, fail-closed

The Vault

Credentials encrypted at every layer, never surfacing as plaintext

Encryption Architecture

The key to your servers never crosses your screen.

Credential encrypted at entry→Keys stored in separate vault→Only ciphertext token issued

The Timeline

NIS2 enforcement deadline — where you stand right now

Oct 2024NIS2 Directive effective

Jan 2025Annex I entities: deadline

Oct 2025Enforcement ramp-up

You Are HereToday

Apr 2027Full enforcement + fines

The Session

Five gates. All must open. Any one stops a breach.

GRANTED

The Residency

EU data boundary — architectural constraint, not a configuration

The Onboarding

5 steps, minutes not days — operator user-onboarding pipeline

Average onboarding time: < 5 minutes