© 2019 Keeper Security, Inc. 1

Keeper MSP Technical Whitepaper

KeeperMSP Technical Whitepaper

© 2019 Keeper Security, Inc. 2

Table of Contents

Introduction 3 System Architecture 3 Zero-Knowledge Architecture 3 Master Password 4 Encrypted Vault 4

Ubiquitous access to password vaults from any device 6

Fully-Managed SaaS Platform 6

Isolation of Managed Companies 7 IndustryCertifications 8

CertifiedSOC2Compliant 9 ISO27001Certified(InformationSecurityManagementSystem) 9

GDPR Compliance 9 Key Functionality 10 Roles & Enforcements 10 Administrative Permissions 10 TwoFactorAuthentication(2FA) 11 Two Factor code generator in user’s vault 12 MSP Remote Administration & Permissions 12 Teams & Shared Folders 13 License Pool 14 Logging license transactions for Billing purposes 14 Reporting 15 SIEM Integration 16 Versatile provisioning 16 Import / Email 16 AD Bridge 16 SSO 16 Account Transfer 16

Deploying KeeperMSP 17 Full Service model 17 Reseller model 17 Hybrid model 17 Summary 17

KeeperMSP Technical Whitepaper

© 2019 Keeper Security, Inc. 3

Introduction

KeeperMSP is natural extension of Keeper’s Enterprise Password Management solution which allows an MSP to managemultipleindependenttenants(a.k.a.“ManagedCompanies”or“MC’s”)fromacentralconsole.

Keeperbeganasamobile-first,consumer-focusedproduct.Asaresult,ourapplicationiseasyandenjoyabletouse.Thisisevidencedbyour15M+downloads,veryhighrenewalrates,andpositivereviews.Keeper’ssolutionsarealsousedheavilybySmallandMediumBusinesses(SMB’s)giventhesefirmsareoftenhighlyvulnerabletocybersecuritycrimes.Itisestimatedthat39%ofSMB’suseanMSPinsomecapacityastheytypicallynotstaffedwithalltheITspecialiststheyneedtofunctionintoday’sdigitalworld.1

Keeper has also expanded into the Enterprise space and honed the product by meeting the needs of demanding administratorsinmissioncriticalenvironmentswithcomplexdeploymentsandusecases.TheenterpriseversionoftheproducthasbeenarchitectedtoscaleandhasthecorefeaturesandfunctionalitythatMSP’srequire,including:organizationalroles;robustenforcementpolicies;multipleprovisioningmechanisms,fullsupportfor2FAmethods;androbustauditingandreportingcapabilities.

TobetterservicetheMSPmarket,Keepernowoffersthishighlyscalable,purpose-builtsolutionsothatourpasswordmanagementsolutioncanbemoreeasilyofferedandmanagedbyMSP’s.

System Architecture

Zero-Knowledge Architecture

KeeperisaZeroKnowledgesecurityprovider.ZeroKnowledgeisasystemarchitecturethatguaranteesthe highestlevelsofsecurityandprivacybyadheringtothefollowingprinciples:

1. Dataisencryptedanddecryptedatthedevicelevel(notontheserver) 2. Theapplicationneverstoresplaintext(humanreadable)data 3. The server never receives data in plain text 4. NoKeeperemployeeor3rdpartycanviewtheunencrypteddata 5. Thekeystodecryptandencryptdataarederivedfromtheuser’smasterpassword 6. Multi-Layerencryptionprovidesaccesscontrolattheuser,groupandadminlevel 7. SharingofdatausesPublicKeyCryptographyforsecurekeydistribution

Dataisencryptedlocallyontheuser’sdevicebeforeitistransmittedandstoredinKeeper’sCloudSecurityVault.Whendataissynchronizedtoanotherdevice,thedataremainsencrypteduntilitisdecryptedontheotherdevice.

Keeperisthemostsecure,certified,testedandauditedpasswordsecurityplatformintheworld.WearetheonlySOC2andISO27001certifiedpasswordmanagementsolutionintheindustryandPrivacyShieldCompliantwiththeU.S.DepartmentofCommerce’sEU-U.S.PrivacyShieldprogram,meetingtheEuropeanCommission’sDirectiveonDataProtection.Notonlydoweimplementthemostsecurelevelsofencryption,wealsoadheretoverystrictinternalpractices that are continually audited by third parties to help ensure that we continue to develop secure software and providetheworld’smostsecurecybersecurityplatform.

Sources 1SherWebBlog2018

KeeperMSP Technical Whitepaper

© 2019 Keeper Security, Inc. 4

TolearnmoreabouttheKeeperzero-knowledgearchitecturepleaseseeourencryption model documentation.

Master Password

EachKeeperusermustchoosea“MasterPassword”whichisonlyusedforKeeperandnotusedforanyotherservice.Keeper’sZeroKnowledgearchitectureensuresthatnoone–noteventheadministrator,MSPorKeeperemployees–haveaccesstoauser’smasterpassword.

The Master Password must adhere to the guidelines enforced by the Keeper Administrator and can be applied to usersviaroleenforcementpolicies.InthecaseoflostMasterPassword,userscanrecovertheiraccountthroughazero-knowledgerecoveryprocessbyansweringasecurityquestion,emailverificationandtwo-factorverification.

Encrypted Vault

Numerousgovernmentandregulatoryguidelines,includingtheNationalInstituteofStandardsandTechnologyandthe European Union’s General Data Protection Regulations recommend encryption as the most effective form of dataprotection.Keeper’simplementationofsymmetricencryptioninthevaultrepresentsthemostadvancedandsecuresolutionavailableinthemarket.

AllpasswordsinKeeperarestoredinencryptedrecordswhichresideinadigitalvault.Theencryptionkeyto decryptthevaultisfirstderivedfromtheuser’sMasterPassword,whichthenunpacksotherprivatekeyssuchasthe“DataKey”and“RSAPrivateKey”whichareuniquetotheuser.TheDataKeyunpacksadditionalkeyscalled“RecordKeys”and“FolderKeys”whichareusedtodecrypttheuser’sstoredrecords.

KeeperMSP Technical Whitepaper

© 2019 Keeper Security, Inc. 5

Alltoptierpasswordmanagersencryptdataatsomelevel,butnotallencryptionisimplementedthesame. Keepersupports256-bitAESencryptionandPBKDF2forkeyderivation,whicharewidelyacceptedasthe strongestformsofprotectionavailable.Wealsoprovidemultiplelayersofencryptionattherecord,folderand teamlevel.Byimplementingrecord-levelencryption,recordscanbesharedamongprivilegeduserswithout riskingunauthorizedorelevatedaccess.

Protectionof“datainmotion”hasbeenanissueinthepastwithproductsthatmaybrieflydecryptdataduringtransmission,orwhilestoredoncloudserversfortheirownconvenience.ForKeeperanyDataintransitisprotectedby256-bitTLS/SSLencryptionandtheapplicationitselfisprotectedwithKeyPinningandlayersofencryptionthatcannotbedefeatedwithMITM(man-in-the-middle)attacks.

Theencryptedvaultresidesinthecloudtoensuresynchronization,butcanalsobeusedinanofflinemode. Userscanloginofflineanddecryptstoreddataonmobileanddesktopdevices.Offlineaccesscanberestricted onaroleenforcementbasisbytheKeeperAdministrator.

Keeper Encryption Model

KeeperMSP Technical Whitepaper

© 2019 Keeper Security, Inc. 6

Ubiquitous access to password vaults from any device

We live in a multi-deviceworld,butthatshouldn’tinconveniencepeoplewhoneedaccesstovaluableinformation nomatterwheretheyare.Keepersupportsthemajortypesofmobiledevices(iOSandAndroid),aswellasthemostpopularbrowsers,bothonthedesktopandthephoneortablet.Dataisautomaticallysynchronizedacrossthesedevicessoausercangainaccesswherevertheyneedto,fromanydevicetheyhaveaccessto,withoutfear oflosingtheircredentialsifanyonedeviceislost,stolen,orleftbehind.

As ofOctober,2019Keeper’snativeclientapplicationsinclude:Windows7/8/10,MacOS,Linux/Unix,iOS8+,Android4.4+,WindowsPhone8+.InadditionKeeperoffersinternetbrowseradd-ons(calledKeeperFill)forEdge,InternetExplorer,Chrome,Safari,FirefoxandOpera.Downloadhere.

For additionalinformationondeployingKeepertoend-users,go here.

Fully-Managed SaaS Platform

Keeper is a fully managed hybridSaaSsolution.Alltheencryption/decryptionofvaultrecordsoccursonthe user’sdevice.Thisencryptedvaultdataisthenstoredinthecloudforbrowseraccess,synchronizationacrossdevices,andbackup.

All ofKeeper’suser-facingapplicationscontainon-devicelocalencryptedstorage.Theapplicationscanbelockeddowntoonlyrunwithinthecustomer’snetworkenvironmentthroughrole-basedenforcementpolicies.TheMSPcanalsoenforcetheuseof2FAandothersecuritypoliciesthroughtheKeeperAdminConsole.

KeeperMSP Technical Whitepaper

© 2019 Keeper Security, Inc. 7

TheKeeperCloudSecurityVaultishostedwithAmazonAWSinNorthAmericaandEurope,forlocalizeddataprivacyandgeographicsegregationtohostandoperatetheKeepersolutionandarchitecture.UtilizingAmazonAWS allows Keeper to seamlessly scale resources on-demand and provide customers with the fastest and safest cloudstorageenvironment.KeeperSecurityoperatesbothmulti-zoneandmulti-regionenvironmentstomaximizeuptimeandprovidethefastestresponsetimetocustomers.

NewMSPandMCaccountsarecreatedeitherintheUSorEUregions.Oncetheregionhasbeenestablished, thedatacenterregioncannotbechangedwithoutre-creatingtheenvironment.

Isolation of Managed Companies

Keeper MSPprovidesfulldataisolationbetweeneachMC,atboththelogicalandencryptionlayer. Forpreservationofzeroknowledgesecurityarchitecture,eachMC’sdataiscompletelyseparatedand encryptedwithkeyderivationarchitecturethatisspecifictoeachMC.Therefore,noinadvertentsharingof MC-relateddatasuchasemails,admins,teams,rolesorvaultdataispossible.

MSP Technicians exist in the root level of the MSP’s system and have ability to cross-over to each MC instance foradministrativepurposes.Any“local”adminssetupintheMC’sdonothavethatrootlevelaccesstothe MSP’sconsoleoranyoftheMSP’sdata.

KeeperMSP Technical Whitepaper

© 2019 Keeper Security, Inc. 8

Industry Certifications

MSPs serve manyindustrieswhichmaintainstrictregulatorycompliance.PasswordManagementisakeycomponentofcompliancerequirementswithintheMCenvironments.AsaZero-Knowledgeplatform, Keepersolvescriticalcomplianceneedsinregardstostoreddata,passwordpoliciesandaccesscontrols.

License pool with list of Managed Companies

KeeperMSP Technical Whitepaper

© 2019 Keeper Security, Inc. 9

Certified SOC 2 Compliant

Customervaultrecordsareprotectedusingstringentandtightlymonitoredinternalcontrolpractices. KeeperiscertifiedasSOC2Type2compliantinaccordancewiththeAICPAServiceOrganizationControl framework.SOC2certificationhelpsensurethatyourvaultiskeptsecurethroughtheimplementationof standardizedcontrolsasdefinedintheAICPATrustServicePrinciplesframework.

ISO 27001 Certified (Information Security Management System)

Keeper is ISO27001certified,coveringtheKeeperSecurityInformationManagementSystemwhich supportstheKeeperEnterprisePlatform.Keeper’sISO27001certificationisscopedtoincludethe managementandoperationofthedigitalvaultandcloudservices,softwareandapplicationdevelopment, andprotectionofdigitalassetsforthedigitalvaultandcloudservices.

GDPR Compliance

Keeper is GDPR compliant and we are committed to ensuring our business processes and products continuetomaintaincomplianceforourcustomersintheEuropeanUnion.Click here to learn more about Keeper’sGDPRcomplianceanddownloaddataprocessingagreements.

TheKeeperwebsiteandcloudstoragerunsonsecureAmazonWebServices(AWS)cloudcomputing infrastructure.TheAWScloudinfrastructurewhichhostsKeeper’ssystemarchitecturehasbeencertified tomeetthefollowingthird-partyattestations,reportsandcertifications:

KeeperMSP Technical Whitepaper

© 2019 Keeper Security, Inc. 10

Key Functionality

Roles & Enforcements

Roles enableloginenforcementstobesetforuserswhoareassignedtothatrole.Arobustvarietyofenforcementsarepossible,includingthoselimitingplatforms,requiringstrongpasswords,andmore.Roleswithelevatedpermissionsarealsoassignableforadministrativestaff,andallowavarietyofactionslikemanagingteams,roles,runningreportsandmore.

Rolesaresetupinahierarchical“tree”structurewithvisibilityandinheritanceofpermissionslimitedtonodes belowthecurrentnode,butnotsidewaystosiblingnodes.

Administrative Permissions

KeeperMSP Technical Whitepaper

© 2019 Keeper Security, Inc. 11

Two Factor Authentication (2FA)

Role policies that are enforced across all devices and computers can require the use of several popular two-factorauthenticationmethodssuchasDuo,RSASecurID,TextMessage(SMS),GoogleAuthenticator andMicrosoftAuthenticator.

Usersofmobiledevicesmayrequireanextralayerofprotectionvia2FAbothtoaccesstheirKeepervault, aswellaswhenaccessingimportantsitesorapplications.Keepersupportsallthenativebiometric featuresoftheuser’spreferreddevice,includingfingerprintandfacialidentification.InadditionKeeper has the ability to generate and store Two-Factor Codes in vault records for a more convenient and secure accessmethodwhenloggingintowebsitesand/orapplications.

Keeperenablessynchronizationofafullyencryptedlocalcopyoftheuser’spasswordvaultforoffline access.Anychangestothevaultareinstantlyreplicatedacrossalldevicesforconsistencyandsecurity.

Forusing2FAduringlogintositesorapplicationsKeeperhasbuiltinanauthenticatorcapabilitywhich willgenerateaTOTPcodewhenloggingin,andwhichwillfillthatcodeintotheappropriatefieldonthe sitebeingaccessed.Thisdramaticallyimprovessecurityandconvenience,soevenifauser’susername andpasswordarecompromised,accessisstilloff-limitsuntilthe2FAcodeisprovidedaswell.

KeeperMSP Technical Whitepaper

© 2019 Keeper Security, Inc. 12

Two Factor code generator in user’s vault

MSP Remote Administration & Permissions

• An MSPtechnicianwhohasthe“ManageCompanies”permissionenabledisabletolaunchintoaMC’sAdminConsolewithasingleclick.AseparatetabforthatMCwillopenandnowthetechnicianhasfulladministrativerightstosetuproles,teams,users,etc.forthatMC.

KeeperMSP Technical Whitepaper

© 2019 Keeper Security, Inc. 13

• A separate permissions exist to allow an MSP administrator to add/reduce licenses via the MSP’s central license pooltoanMC.Thispermissionprovidestheabilitytolimitwhohasthe“checkbook”forprovidinglicensestoaMC,withoutrestrictingtheirrighttoacttheiradministrator.

Teams & Shared Folders

Teams canbedefinedthatallowgroupsofuserstosharelogincredentialswhicharestoredasacollectionofrecordsinafolder.ThisfunctionalitycanbeleveragedbyMSP’stosetuppasswordsforusebytheirMCclient. Forinstance,aseriesofrecordswiththeURL,username,andaninitialpasswordcouldbesetupbytheMSPtechnicianastheinitial“owner”,andthenthatfoldercouldbesharedwithauser,orusersattheclient.Oncedone,the MSP could relinquish ownership and visibility of that folder so that it is effectively transferred to the MC user andcompletelyprivate.

KeeperMSP Technical Whitepaper

© 2019 Keeper Security, Inc. 14

License Pool

The KeeperMSP product licensing is structured as a wholesale model which enables an MSP to purchase licenses (foravarietyofplans)inbulkfromtheKeepercheckoutpage.TheselicensesentertheMSP’scentralpoolforallocationtotheMC’swhenready.Thiscentralizedpurchasingandinventorywillhelpminimize“roundtrip”purchasesbytheMSPforeveryMCtheymanage.OncelicensesareintheMSP’spool,theycanbeallocated, orre-allocated,asneededtoMC’sandthepooltotalcanbeadjustedupwardsordownwardsforbillingonamonthlybasis.LicensesintheMSP’spoolarecountedmonthlyasabasisforgenerousvolumediscountswhichisrecalculatedupwards(ordownwards)basedontheactualcountintheMSP’spool.

Adjustments,upordown,canbemadeatanytimeduringthemonth.Notethatlicensesarepre-paidforthemonthandnopro-rateadjustmentisgiveniftheyarenotused.Howevercreditwillbeheldforanylicensesthatwerepaidforduringthatmonthandthen“reduced”intheeventanewlicenseofthatsamekindisre-purchasedduringthatperiod.

A numberofserviceplanbundlesareofferedwhichcombinethemostpopularconfigurationsforbothBusinessandEnterprise-classMC’s.Thishelpsminimizethepermutationsofvariousadd-oncapabilitiestosimplifybilling,whilemakingawiderangeofoptionsavailablefortheMSPcustomerbase.

Logging license transactions for Billing purposes

Everytimealicensetoallocatedtp,orde-allocatedfrom,anMCbyanauthorizedadministratoralogentry iscreatedwhichcanthenwereportedandexported,viaa.CSVfile,toa3rdpartybillingsystem.Keeperdoes notprovideanyinvoicingsystemforchargingMC’sandthepricechargedtoMC’sissetbytheMSP,notby Keeper.Anoptionalopentextfieldisprovidedwhenchangingthelicensinglevelsinordertomanuallyrecord anypricingnotesorlevelsiftheMSPchoosesto.

Summaryreportswhichaggregatethenetchangesduringaspecifiedperiodarealsoprovided.

KeeperMSP Technical Whitepaper

© 2019 Keeper Security, Inc. 15

Reporting

Keeper’s AdvancedReportingandAlertsModule(“ARAM”)providesfilteredviewsandrealtimealertsonover 90differenttypesofeventsdrivenbyuserandadministrativeactivity.Theseeventtypeshavebeenexpanded toincludeMSP-specificoperations:

KeeperMSP Technical Whitepaper

© 2019 Keeper Security, Inc. 16

SIEM Integration

This module also supportsintegrationwith3rdpartySecurityInformationandEventManagement(SIEM) toolstosupportexternalloggingofalleventswithasimplesetupflowforSplunk,Sumo,AmazonS3,IBM QRadarandanyothersyslog-compatibleproduct.

Versatile provisioning

Import / Email

Users can be invitedtothesystemmanually,eachtimetheyarecreated.Inadditiontheycanbecreated inbulkwhenimportedfromanemaillist.

AD Bridge

Keeper BridgeallowsbusinessesrunningMicrosoftActiveDirectoryorOpenLDAPtointegrateKeeper passwordmanagementsoftwarewithintheircurrentsystems,automaticallyaddinganynumberofNodes (a.k.a.OrganizationalUnits),Users,RolesandTeams.Onceconnected,Keeperenablesrole-basedaccess controlatanyNode.

These controlsincludemasterpasswordstrength,masking,rotation,2FA,IPwhitelisting,biometrics, platforms,sharingandaccounttransfers.ThosecontrolscanbecascadedtoalllowerNodesifdesired. Teamsmaybeprovisionedforsharingcredentials.Asthepeoplemovethroughouttheorganization,Keeper keepstheirrolesupdatedthroughAD.Thisincludeslockinganaccountwhenanemployeeleavesandthe abilitytotransferthosecredentialstoatrustedadmin.

SSO

Keeper’sSingleSign-Onsolutionprovidesasecurepasswordmanagerthatstoresnotonlylogincredentials andpasswords,butalsoproprietarycustomerdata,accesscredentialstorestrictedsystemsand sensitivedocuments.

KeeperSSOConnectisaSAML2.0applicationwhichleveragesKeeper’szero-knowledgesecurity architecture to securely and seamlessly authenticate users into their Keeper Vault and dynamically provision userstotheplatform.

SSOConnectworkswithpopularSSOIdPplatformssuchasOkta,Centrify,AWS,OneLogin,PingIdentity,F5 BIG-IPAPM,GSuite,MicrosoftADFS/AzureADandJumpCloudtoprovidebusinessestheutmostin authenticationflexibility.

Account Transfer

OrganizationscanenabletheAccountTransferfeature,whichprovidesabreakglassrecoveryofallrecords storedstoredinausersvaultifauserwastoleaveanMCthysupportandtheyfindthemselvesintheposition ofnotknowingthatuser’smasterpasswordforaccessingcriticaldataintheirvault(orsecurityanswerfor accountrecovery).

KeeperMSP Technical Whitepaper

© 2019 Keeper Security, Inc. 17

Deploying KeeperMSP

KeeperMSPcansupportawidespectrumofdeploymentmodels,fromfullservice(“whiteglove”)MSP’swho manageeverythingfortheirusersallthewaytopureresellerswhodolittleornoadministrationfortheirclients.

Full Service model

MSP TechnicianshaveaccesstoaMC’sadminconsoleandthushavefullrightstoprovisionendusers,setup MC-specificroles,loginenforcements,andteamsforsharingcredentials.Thesetechniciansmayalsochooseto set-upalogincredentialsforuserswhichcanbedonebysharingrecordsfromtheirpersonalvaultstothoseofanMC. ThisallowsanMSPtoofferafullyintegratedsetofservicesthatincludedasetofpre-configuredloginsthattheycankeepupdatedifneeded.

Reseller model

Resellers may simply want to act as distributors and for Keeper and sell the solution to customers who can manage themselves.InhiscasetheMCmaycandesignateauseratMCtohandleallmanagementofthesystemfor self-administration.TheresellersrolewouldbelimitedtolicensemanagementfortheMCwhichcanbehandled intheKeeperMSPconsole.

Hybrid model

Both theMSPTechnicianandtheMCAdministratorcanshareresponsibilitiestomanagethesystem.Forinstance,forfrequentlychangingorhighlyspecificsettings(e.g.whichemployeesareinateamfolder)the“local”MCadministratormaybeabletohandlethatmostefficiently.Forlargescaleinitialprovisioningandconfiguration theMSPmaybebetterequippedtofacilitatethiswithKeeper’sActiveDirectorybridge.

Summary

KeeperMSPcombinesprovenpasswordmanagementfunctionalitywithaflexiblenewcapabilitiestoenable MSP’stomanagealargeportfolioofMC’ssecureandefficiently.

keepersecurity.com msp@keepersecurity.com

Business Sales

Americas & APAC +13128292680

United Kingdom +442034058853

Germany & DACH +4989143772993

Support

Consumer +13129715702

Business (Americas & APAC) +13122264782

Business (EMEA) +353212296019

Ireland +353212296020

EMEA +353212296011

Netherlands +31202620932

Iberia & Italy +34919016513

Sweden & Nordics +46840304928