Store · Consulting, Governance & Compliance
Your company's door is almost never broken down. It is opened with a key that was left behind.
Passwords and access are the keys that open everything in your company: the email, the systems, the money, the client data. Today, in most companies of five to five thousand people, those keys are loose. They live in shared spreadsheets, in chat groups, in sticky notes on the monitor and in the head of whoever runs IT. No one quite knows who has access to what, no one changes the old password on the account that runs everything, and when an employee leaves, their access often stays alive. The most expensive attack rarely breaks the door down: it walks in with a key that was left lying around.
Credentials became the main way in. In 2025, 88% of attacks on web applications used a stolen password, not a technical flaw: the attacker does not break in, they log in. (Verizon DBIR 2025)
Most of those who leave keep getting in. Research from 2024 shows that 83% to 91% of former employees can still access accounts and files of the company they left. (Beyond Identity, ID Agent)
The password that runs everything tends to be the most forgotten. Administrator accounts keep the same password for years, known by people who have left and vendors who came and went, and there is almost never a record of who got in.
If your most trusted employee left tomorrow, could you revoke all the access they accumulated at once, and prove who entered each system in the last month?
The real problem
Your company's keys are loose, and no one misses them until someone uses them
No one notices a poorly kept password on the day everything works. They notice it on the day someone gets in where they should not, the audit asks for an answer, the employee who left still has the key. Here is where loose keys cost you, without making a sound:
The spreadsheet that opens the whole company
The company's passwords live in a shared spreadsheet, a chat group or a file on the desktop. Whoever opens that file opens everything at once: the email, the bank, the systems. There is no strong password, no control over who sees it, and no record of who copied what to where.
The employee who left and still gets in
An employee left weeks ago and can still get into the email, the cloud, the system. No one revoked the access because no one knew the full list of what they had. What was a silent risk becomes an incident the day they, or someone with their password, decides to use the key that was left.
The admin password no one changes
The account that runs the server, the cloud and the network has had the same password for years. It has passed through technicians who left, vendors who helped once and old messages. It is the company's master key, the one that opens everything, and it is exactly the one fewest people remember to change, because changing it by hand is work and it is scary.
The audit that asks who got in
An audit, a demanding client or the cyber insurer shows up and the question is simple: who accessed the critical system in the last ninety days, and with what permission? Without a vault that keeps a record, the answer is to dig through emails and spreadsheets for days, hope nothing is missing, and still hand over something no one truly trusts.
The knowledge that walked out with the person who left
The person who knew the passwords, the network layout and the settings of each system left, and the knowledge left with them. Nothing was written down, nothing was standardized. Every task that depended on it became a dig, and the company finds out, the hard way, that its most important information was never its own: it belonged to a person.
None of these moments is carelessness by whoever runs IT. It is the lack of a vault that keeps the keys, controls who opens what and records every access, with the documentation alongside. That is exactly what Managed Identity and Passwords puts in place of loose keys.
What it is
The managed vault for your company's keys, operated by Zamak
Managed Identity and Passwords is a cloud vault, operated by Zamak, that keeps, controls and audits your company's passwords and access. Each credential sits encrypted in a vault; each person gets access only to what they need; critical passwords are generated strong and rotated on their own; and, when someone leaves, all of their access is revoked at once. Alongside comes standardized IT documentation, so the knowledge about your environment stays with the company, not with a person. Also called privileged access management (PAM), it answers three questions that hang in the air today: who has the key, who used the key, and what happens when that person leaves.
The vault that keeps and controls the keys
Passwords leave the spreadsheet and go into an encrypted vault, secured with an encryption key unique to your organization and a second check at login. Each credential is generated strong and unique, and each person gets access only to what their role requires. The key stops lying around and gains an owner, a lock and a rule.
Automatic rotation and revoking at once
Critical passwords are rotated on their own at the right frequency, including administrator accounts tied to Active Directory, so the master key never ages forgotten. And when an employee leaves or changes roles, you revoke all of their access at once and the passwords they knew are changed, without depending on someone remembering each system.
The proof of who got in and the knowledge that stays
Every access leaves a trail: who got in, where and when. You answer the audit, the client and the insurer in seconds, with a reliable record, not a hunt through a spreadsheet. And the IT documentation, standardized by client and system, keeps the knowledge of the environment with the company, so no one leaves taking the information with them.
Not sure how many of your company's keys are loose today? Zamak's free self-check shows the first signs in a few minutes.
What is included
The vault that controls access, and the documentation that does not leave
Two deliveries in one service: the vault that keeps and controls the keys, and the IT documentation that keeps the knowledge with the company. All operated by Zamak, alongside your team.
The vault and access control
Where the company's keys are now kept, controlled and ruled.
- An encrypted vault with all credentials, protected by a key of your own organization.
- Strong, unique passwords generated automatically, with no reuse, and a second check at access.
- Automatic rotation of critical passwords, including administrator accounts in Active Directory.
- Role-based access: each person sees and opens only what their role requires, nothing more.
- Revoking all access at once when someone leaves, with the trail of who entered each system.
The IT documentation that stays
The knowledge about your environment, standardized and with the company, not in one head.
- The credentials, assets and procedures of each system documented in one place.
- Ready-made templates that standardize what to document, so the record is complete and consistent.
- Faster onboarding and offboarding, with access granted and removed according to the role.
- The knowledge of the environment preserved when a technician leaves, with no dig for every task.
- Zamak's continuous operation keeping the vault and documentation up to date, alongside your team.
Tech specs
How the vault works, under the hood
For those who want to look under the hood: where the keys are, how they are rotated, who can open them and what gets recorded. A cloud vault with industry-standard encryption, an organization key of your own and a second check at login.
Encrypted vault with an organization key
Credentials sit in a cloud vault with industry-standard encryption, protected by randomly generated keys and by an organization key unique to your company, which separates your vault from any other. Access requires a second check through an authenticator app, so the password alone is never enough to open the door.
Automatic rotation, including in Active Directory
The vault generates strong, unique passwords and rotates them at the frequency you set. For service and administrator accounts tied to Active Directory, an agent updates the password on the network and restarts the service when needed, so the change does not break anything. It is the mechanism that lets even the account that runs everything be rotated, with no manual work.
Role-based access (RBAC) and a zero-trust model
Role-based access, known by the acronym RBAC, defines permission levels and groups that determine what each person can do and what they cannot even see, client by client, folder by folder, password by password. It is the zero-trust principle in practice: no one has access to anything by default, only to what their role requires, and nothing beyond.
Audit trail and reports
Every access and every password change is recorded: who, where and when. The platform generates password hygiene reports and allows periodic audits of permissions, so you can show, with a record, who had access to what over a period. It is the ready answer for compliance, the demanding client and the cyber insurer.
Standardized documentation and integrations
The IT documentation gathers credentials, assets and procedures by client, with templates that standardize the record. The vault talks to what you already use, such as Active Directory, Azure AD and Microsoft 365, and to Zamak's operations tools, so information flows instead of becoming yet another separate spreadsheet.
Self-service password reset
When an employee forgets their own password, they reset it securely from the phone, on Windows, Active Directory, Azure AD and Microsoft 365, usually in under a minute and without opening a ticket. The user is back to work right away, and the queue of password tickets, usually the largest in support, all but disappears.
Managed Identity and Passwords is billed per company served, not per device, which keeps the cost predictable as your team grows. The cloud vault holds credentials with industry-standard encryption, randomly generated keys and an organization key unique to your company.
It is the difference between hoping no one finds the loose key and knowing, with a record, where each key is, who used it and when it was last changed.
Take this documentation to present to decision-makers.
How it compares
A managed vault, next to the common ways of keeping passwords
Most companies keep passwords in one of two ways: in a spreadsheet, on paper or in the browser, or in a common password manager built for one person. See what changes when the keys sit in a vault managed by Zamak.
Where the passwords are
Zamak's delivery
Zamak's managed vault
Encrypted vault, with a key of your own organization
Spreadsheet, paper or browser
An open file anyone can copy
A common password manager
A personal vault, one per person, with no company view
When someone leaves the company
Zamak's delivery
Zamak's managed vault
Revokes all access at once and changes the passwords they knew
Spreadsheet, paper or browser
You try to remember everything they had access to
A common password manager
The person takes their vault with them when they leave
The password of the critical account
Zamak's delivery
Zamak's managed vault
Generated strong and rotated on its own, including in Active Directory
Spreadsheet, paper or browser
The same for years, known by many people
A common password manager
Strong, but changed only by hand, when someone remembers
Who accessed what
Zamak's delivery
Zamak's managed vault
Audit trail with a record per access
Spreadsheet, paper or browser
There is no record at all
A common password manager
Personal history, not the company's
Who can open each password
Zamak's delivery
Zamak's managed vault
Only who the role requires, password by password
Spreadsheet, paper or browser
Whoever opens the file sees everything
A common password manager
Sharing by hand, with no central control
Who operates and answers
Zamak's delivery
Zamak's managed vault
Zamak operates the vault alongside your team
Spreadsheet, paper or browser
No one: it is just a file
A common password manager
You yourself, with no backup
Comparison between the common ways of keeping passwords in the market. The Zamak column describes only what we deliver and operate for you.
From risk to impact
From the loose key to business impact
A reused or leaked password becomes the way in for an attack.
Intrusion, data ransom and loss, starting from a single weak key.
How the managed vault responds
Strong, unique passwords, rotated on their own, kept in a vault with a second check.
An employee leaves and their access stays active, weeks or months later.
A former employee, or whoever has their password, gets in where they no longer should.
How the managed vault responds
Revoking all access at once and automatic change of the passwords they knew.
The audit, the client or the insurer asks for proof of who accessed what.
Days digging through spreadsheets, a fragile answer and the risk of losing the contract or the policy.
How the managed vault responds
An audit trail and reports that answer who got in, where and when, in seconds.
The knowledge of the passwords and the environment lives in one person's head.
If that person leaves, the company is left with no access and no idea how its own environment works.
How the managed vault responds
Standardized documentation and credentials in the vault, with the knowledge in the company, not in a person.
In all these cases, what changes is not luck. It is having the keys in a vault, with control over who opens them, a record of who used them and the documentation alongside, before the problem arrives.
For every role
What changes for each role in your company
The same credential vault that closes those risks, read through the eyes of whoever decides, owns compliance and runs the environment.
Owner and founder
Build it, protect it, grow its value.
The keys to the company you built stop lying loose in spreadsheets and move into a vault with an owner and a rule. If an employee leaves tomorrow, their access is revoked at once, and you know who opened what. Real access control lowers the risk that scares you most and protects the value of what you built.
Manager and director
Predictable cost. Proof on the spot.
When the audit, the client or the cyber insurer asks for proof of access control, you deliver it in seconds, with a reliable record, instead of days of spreadsheet. The cost is predictable, per company, and password control stops being a weak point when closing a contract or renewing the policy.
IT lead and team
A secure extension of your team.
You stop being the only person who knows the passwords and stop carrying that risk alone. The vault and the documentation work alongside the team: cutting off access becomes one gesture, self-service takes password tickets off your queue, and the knowledge stays on record. You gain control and backing, without losing command.
IT partner and provider
Offer the vault under your brand.
Bring your clients password management as a recurring service under your brand, without building the platform, the operation and the support yourself. You enter the conversation with a ready access-security offer, fix your brand into the client's daily use and preserve the relationship; Zamak runs the backline at your side.
Why Zamak
Why Zamak
Keeping a company's keys takes more than a vault: it takes someone to operate the vault with discipline, every day, alongside whoever runs IT. Zamak does that. We use internally the same identity discipline we deliver: no administrator account with an old password, every access recorded, every credential in the vault. We operate your vault alongside your team, never in its place, so that control of the keys belongs to the company, not to a person.
In the end, it is the difference between hoping no one finds the loose key and having your company's keys in a vault, with control over who opens them, a record of who used them and someone operating behind it, before any problem arrives.
Serving companies that cannot stop · Microsoft Solutions Partner · Addee (N-able) Elite Group · Great Place to Work.
Zamak operates the vault with industry-standard encryption and the same identity discipline it applies internally, alongside your team.
Frequently asked questions
Frequently asked questions
See also Compliance Management (GRC) · Zamak managed cybersecurity
Start now
Take your company's keys off the table and put them in a vault.
In a few weeks, your company's passwords leave the spreadsheets and move into a managed vault: strong, rotated on their own, handed out only to who needs them and revoked at once when someone leaves. If your most trusted employee leaves tomorrow, their access is cut off at once, with the proof of who got in. Talk to Zamak and stop hoping no one finds the key that was left behind.
Request a proposal
Tell us in a few fields the size of your team and your moment. A specialist from your country sizes the vault and the price with you, with no need to replace what you already use, and live in a few weeks.
Talk to a specialist
Prefer to talk first? Book a conversation and we will understand your environment, your team and where the loose keys are today.
See managed cybersecurity
The vault is one of the layers of protection. See Zamak's managed cybersecurity, which protects the machines, the network and the people around the keys.
