Skip to Content

Managed Identity & Password Vault (PAM)

Passwords and access are the keys to your company: they open the email, the system, the money. In most companies, those keys are scattered across spreadsheets, chats and sticky notes, with no one quite knowing who has which, or changing them when someone leaves.

Zamak puts those keys in a managed vault: strong passwords, kept encrypted, rotated on their own, handed out only to who needs them and revoked all at once when someone leaves. You get to know who opened what, and knowledge stops living in one person's head.

$ 0.00
$ 0.00 / month
$ 0.00
$ 0.00 / month

Terms and Conditions
Scoped specifically to your company's needs
Specialists serving in English, Portuguese and Spanish

Store · Consulting, Governance & Compliance

Your company's door is almost never broken down. It is opened with a key that was left behind.

Passwords and access are the keys that open everything in your company: the email, the systems, the money, the client data. Today, in most companies of five to five thousand people, those keys are loose. They live in shared spreadsheets, in chat groups, in sticky notes on the monitor and in the head of whoever runs IT. No one quite knows who has access to what, no one changes the old password on the account that runs everything, and when an employee leaves, their access often stays alive. The most expensive attack rarely breaks the door down: it walks in with a key that was left lying around.

Credentials became the main way in. In 2025, 88% of attacks on web applications used a stolen password, not a technical flaw: the attacker does not break in, they log in. (Verizon DBIR 2025)

Most of those who leave keep getting in. Research from 2024 shows that 83% to 91% of former employees can still access accounts and files of the company they left. (Beyond Identity, ID Agent)

The password that runs everything tends to be the most forgotten. Administrator accounts keep the same password for years, known by people who have left and vendors who came and went, and there is almost never a record of who got in.

If your most trusted employee left tomorrow, could you revoke all the access they accumulated at once, and prove who entered each system in the last month?

Start with Zamak's free IT self-check

The real problem

Your company's keys are loose, and no one misses them until someone uses them

No one notices a poorly kept password on the day everything works. They notice it on the day someone gets in where they should not, the audit asks for an answer, the employee who left still has the key. Here is where loose keys cost you, without making a sound:

The spreadsheet that opens the whole company

The company's passwords live in a shared spreadsheet, a chat group or a file on the desktop. Whoever opens that file opens everything at once: the email, the bank, the systems. There is no strong password, no control over who sees it, and no record of who copied what to where.

The employee who left and still gets in

An employee left weeks ago and can still get into the email, the cloud, the system. No one revoked the access because no one knew the full list of what they had. What was a silent risk becomes an incident the day they, or someone with their password, decides to use the key that was left.

The admin password no one changes

The account that runs the server, the cloud and the network has had the same password for years. It has passed through technicians who left, vendors who helped once and old messages. It is the company's master key, the one that opens everything, and it is exactly the one fewest people remember to change, because changing it by hand is work and it is scary.

The audit that asks who got in

An audit, a demanding client or the cyber insurer shows up and the question is simple: who accessed the critical system in the last ninety days, and with what permission? Without a vault that keeps a record, the answer is to dig through emails and spreadsheets for days, hope nothing is missing, and still hand over something no one truly trusts.

The knowledge that walked out with the person who left

The person who knew the passwords, the network layout and the settings of each system left, and the knowledge left with them. Nothing was written down, nothing was standardized. Every task that depended on it became a dig, and the company finds out, the hard way, that its most important information was never its own: it belonged to a person.

None of these moments is carelessness by whoever runs IT. It is the lack of a vault that keeps the keys, controls who opens what and records every access, with the documentation alongside. That is exactly what Managed Identity and Passwords puts in place of loose keys.

What it is

The managed vault for your company's keys, operated by Zamak

Managed Identity and Passwords is a cloud vault, operated by Zamak, that keeps, controls and audits your company's passwords and access. Each credential sits encrypted in a vault; each person gets access only to what they need; critical passwords are generated strong and rotated on their own; and, when someone leaves, all of their access is revoked at once. Alongside comes standardized IT documentation, so the knowledge about your environment stays with the company, not with a person. Also called privileged access management (PAM), it answers three questions that hang in the air today: who has the key, who used the key, and what happens when that person leaves.

The vault that keeps and controls the keys

Passwords leave the spreadsheet and go into an encrypted vault, secured with an encryption key unique to your organization and a second check at login. Each credential is generated strong and unique, and each person gets access only to what their role requires. The key stops lying around and gains an owner, a lock and a rule.

Automatic rotation and revoking at once

Critical passwords are rotated on their own at the right frequency, including administrator accounts tied to Active Directory, so the master key never ages forgotten. And when an employee leaves or changes roles, you revoke all of their access at once and the passwords they knew are changed, without depending on someone remembering each system.

The proof of who got in and the knowledge that stays

Every access leaves a trail: who got in, where and when. You answer the audit, the client and the insurer in seconds, with a reliable record, not a hunt through a spreadsheet. And the IT documentation, standardized by client and system, keeps the knowledge of the environment with the company, so no one leaves taking the information with them.

Not sure how many of your company's keys are loose today? Zamak's free self-check shows the first signs in a few minutes.

What is included

The vault that controls access, and the documentation that does not leave

Two deliveries in one service: the vault that keeps and controls the keys, and the IT documentation that keeps the knowledge with the company. All operated by Zamak, alongside your team.

The vault and access control

Where the company's keys are now kept, controlled and ruled.

  • An encrypted vault with all credentials, protected by a key of your own organization.
  • Strong, unique passwords generated automatically, with no reuse, and a second check at access.
  • Automatic rotation of critical passwords, including administrator accounts in Active Directory.
  • Role-based access: each person sees and opens only what their role requires, nothing more.
  • Revoking all access at once when someone leaves, with the trail of who entered each system.

The IT documentation that stays

The knowledge about your environment, standardized and with the company, not in one head.

  • The credentials, assets and procedures of each system documented in one place.
  • Ready-made templates that standardize what to document, so the record is complete and consistent.
  • Faster onboarding and offboarding, with access granted and removed according to the role.
  • The knowledge of the environment preserved when a technician leaves, with no dig for every task.
  • Zamak's continuous operation keeping the vault and documentation up to date, alongside your team.

Tech specs

How the vault works, under the hood

For those who want to look under the hood: where the keys are, how they are rotated, who can open them and what gets recorded. A cloud vault with industry-standard encryption, an organization key of your own and a second check at login.

Encrypted vault with an organization key

Credentials sit in a cloud vault with industry-standard encryption, protected by randomly generated keys and by an organization key unique to your company, which separates your vault from any other. Access requires a second check through an authenticator app, so the password alone is never enough to open the door.

Automatic rotation, including in Active Directory

The vault generates strong, unique passwords and rotates them at the frequency you set. For service and administrator accounts tied to Active Directory, an agent updates the password on the network and restarts the service when needed, so the change does not break anything. It is the mechanism that lets even the account that runs everything be rotated, with no manual work.

Role-based access (RBAC) and a zero-trust model

Role-based access, known by the acronym RBAC, defines permission levels and groups that determine what each person can do and what they cannot even see, client by client, folder by folder, password by password. It is the zero-trust principle in practice: no one has access to anything by default, only to what their role requires, and nothing beyond.

Audit trail and reports

Every access and every password change is recorded: who, where and when. The platform generates password hygiene reports and allows periodic audits of permissions, so you can show, with a record, who had access to what over a period. It is the ready answer for compliance, the demanding client and the cyber insurer.

Standardized documentation and integrations

The IT documentation gathers credentials, assets and procedures by client, with templates that standardize the record. The vault talks to what you already use, such as Active Directory, Azure AD and Microsoft 365, and to Zamak's operations tools, so information flows instead of becoming yet another separate spreadsheet.

Self-service password reset

When an employee forgets their own password, they reset it securely from the phone, on Windows, Active Directory, Azure AD and Microsoft 365, usually in under a minute and without opening a ticket. The user is back to work right away, and the queue of password tickets, usually the largest in support, all but disappears.

Managed Identity and Passwords is billed per company served, not per device, which keeps the cost predictable as your team grows. The cloud vault holds credentials with industry-standard encryption, randomly generated keys and an organization key unique to your company.

It is the difference between hoping no one finds the loose key and knowing, with a record, where each key is, who used it and when it was last changed.

Download this page as PDF

Take this documentation to present to decision-makers.

How it compares

A managed vault, next to the common ways of keeping passwords

Most companies keep passwords in one of two ways: in a spreadsheet, on paper or in the browser, or in a common password manager built for one person. See what changes when the keys sit in a vault managed by Zamak.

Criterion
Zamak's delivery
Zamak's managed vault
Spreadsheet, paper or browserA common password manager
Where the passwords areEncrypted vault, with a key of your own organizationAn open file anyone can copyA personal vault, one per person, with no company view
When someone leaves the companyRevokes all access at once and changes the passwords they knewYou try to remember everything they had access toThe person takes their vault with them when they leave
The password of the critical accountGenerated strong and rotated on its own, including in Active DirectoryThe same for years, known by many peopleStrong, but changed only by hand, when someone remembers
Who accessed whatAudit trail with a record per accessThere is no record at allPersonal history, not the company's
Who can open each passwordOnly who the role requires, password by passwordWhoever opens the file sees everythingSharing by hand, with no central control
Who operates and answersZamak operates the vault alongside your teamNo one: it is just a fileYou yourself, with no backup

Where the passwords are

Zamak's delivery

Zamak's managed vault

Encrypted vault, with a key of your own organization

Spreadsheet, paper or browser

An open file anyone can copy

A common password manager

A personal vault, one per person, with no company view

When someone leaves the company

Zamak's delivery

Zamak's managed vault

Revokes all access at once and changes the passwords they knew

Spreadsheet, paper or browser

You try to remember everything they had access to

A common password manager

The person takes their vault with them when they leave

The password of the critical account

Zamak's delivery

Zamak's managed vault

Generated strong and rotated on its own, including in Active Directory

Spreadsheet, paper or browser

The same for years, known by many people

A common password manager

Strong, but changed only by hand, when someone remembers

Who accessed what

Zamak's delivery

Zamak's managed vault

Audit trail with a record per access

Spreadsheet, paper or browser

There is no record at all

A common password manager

Personal history, not the company's

Who can open each password

Zamak's delivery

Zamak's managed vault

Only who the role requires, password by password

Spreadsheet, paper or browser

Whoever opens the file sees everything

A common password manager

Sharing by hand, with no central control

Who operates and answers

Zamak's delivery

Zamak's managed vault

Zamak operates the vault alongside your team

Spreadsheet, paper or browser

No one: it is just a file

A common password manager

You yourself, with no backup

Comparison between the common ways of keeping passwords in the market. The Zamak column describes only what we deliver and operate for you.

From risk to impact

From the loose key to business impact

What happensWhat it costs the businessHow the managed vault responds
A reused or leaked password becomes the way in for an attack.Intrusion, data ransom and loss, starting from a single weak key.Strong, unique passwords, rotated on their own, kept in a vault with a second check.
An employee leaves and their access stays active, weeks or months later.A former employee, or whoever has their password, gets in where they no longer should.Revoking all access at once and automatic change of the passwords they knew.
The audit, the client or the insurer asks for proof of who accessed what.Days digging through spreadsheets, a fragile answer and the risk of losing the contract or the policy.An audit trail and reports that answer who got in, where and when, in seconds.
The knowledge of the passwords and the environment lives in one person's head.If that person leaves, the company is left with no access and no idea how its own environment works.Standardized documentation and credentials in the vault, with the knowledge in the company, not in a person.

A reused or leaked password becomes the way in for an attack.

Intrusion, data ransom and loss, starting from a single weak key.

How the managed vault responds

Strong, unique passwords, rotated on their own, kept in a vault with a second check.

An employee leaves and their access stays active, weeks or months later.

A former employee, or whoever has their password, gets in where they no longer should.

How the managed vault responds

Revoking all access at once and automatic change of the passwords they knew.

The audit, the client or the insurer asks for proof of who accessed what.

Days digging through spreadsheets, a fragile answer and the risk of losing the contract or the policy.

How the managed vault responds

An audit trail and reports that answer who got in, where and when, in seconds.

The knowledge of the passwords and the environment lives in one person's head.

If that person leaves, the company is left with no access and no idea how its own environment works.

How the managed vault responds

Standardized documentation and credentials in the vault, with the knowledge in the company, not in a person.

In all these cases, what changes is not luck. It is having the keys in a vault, with control over who opens them, a record of who used them and the documentation alongside, before the problem arrives.

For every role

What changes for each role in your company

The same credential vault that closes those risks, read through the eyes of whoever decides, owns compliance and runs the environment.

Owner and founder

Build it, protect it, grow its value.

The keys to the company you built stop lying loose in spreadsheets and move into a vault with an owner and a rule. If an employee leaves tomorrow, their access is revoked at once, and you know who opened what. Real access control lowers the risk that scares you most and protects the value of what you built.

Manager and director

Predictable cost. Proof on the spot.

When the audit, the client or the cyber insurer asks for proof of access control, you deliver it in seconds, with a reliable record, instead of days of spreadsheet. The cost is predictable, per company, and password control stops being a weak point when closing a contract or renewing the policy.

IT lead and team

A secure extension of your team.

You stop being the only person who knows the passwords and stop carrying that risk alone. The vault and the documentation work alongside the team: cutting off access becomes one gesture, self-service takes password tickets off your queue, and the knowledge stays on record. You gain control and backing, without losing command.

IT partner and provider

Offer the vault under your brand.

Bring your clients password management as a recurring service under your brand, without building the platform, the operation and the support yourself. You enter the conversation with a ready access-security offer, fix your brand into the client's daily use and preserve the relationship; Zamak runs the backline at your side.

Why Zamak

Why Zamak

Keeping a company's keys takes more than a vault: it takes someone to operate the vault with discipline, every day, alongside whoever runs IT. Zamak does that. We use internally the same identity discipline we deliver: no administrator account with an old password, every access recorded, every credential in the vault. We operate your vault alongside your team, never in its place, so that control of the keys belongs to the company, not to a person.

In the end, it is the difference between hoping no one finds the loose key and having your company's keys in a vault, with control over who opens them, a record of who used them and someone operating behind it, before any problem arrives.

Serving companies that cannot stop · Microsoft Solutions Partner · Addee (N-able) Elite Group · Great Place to Work.

Zamak operates the vault with industry-standard encryption and the same identity discipline it applies internally, alongside your team.

Frequently asked questions

Frequently asked questions

No. The IT team, internal or outsourced, stays in command. The vault steps in alongside it, to take off one person's shoulders the burden of knowing and keeping every password. For whoever leads IT, cutting off access becomes one gesture, self-service reduces the password ticket queue, and knowledge stays on record. It reinforces the team, never takes its place.
No. The vault talks to what you already have, such as Active Directory, Azure AD and Microsoft 365. Password rotation acts on the accounts that already exist, and the documentation organizes what is already in your environment. It is not switching systems; it is putting the keys that already exist in a safe, controlled place.
On the day of the departure, you revoke all of that person's access at once, and the passwords of the accounts they knew are changed, including those tied to Active Directory. Instead of trying to remember every system they logged into, access is cut off centrally and a record is kept that it was done. The risk of the former employee who still gets in ceases to exist.
It does not issue the certificate for you, but it delivers the foundation that every data protection or ISO 27001 audit demands: controlling who has access to what and proving it. Role-based access, revocation and the audit trail are exactly the proof the auditor asks for, and they work together with our Compliance Management when you want the full program.
They are safer in a vault than scattered. In the vault, credentials are encrypted, protected by a key unique to your organization and by a second check at login, so the password alone is never enough to open. And access is role-based: even inside the vault, each person sees only what their role allows. It is the opposite of the spreadsheet, where everything is open to whoever gets there.
Yes. For IT partners and providers, the vault can be offered to the end client as a recurring service under your brand, in a co-managed environment that separates what stays only with you from what stays with the client. You come in with a ready access-security offer and Zamak runs the backline at your side. Request a proposal and we will design the partnership model with you.
The investment is sized per company served, not per device, which keeps the cost predictable as your team grows. It brings together the vault that holds the credentials, the initial activation and Zamak's continuous operation, and it pays for itself against the cost of a single improper access or an audit with no answer. Request a proposal and we will size it with you.

Start now

Take your company's keys off the table and put them in a vault.

In a few weeks, your company's passwords leave the spreadsheets and move into a managed vault: strong, rotated on their own, handed out only to who needs them and revoked at once when someone leaves. If your most trusted employee leaves tomorrow, their access is cut off at once, with the proof of who got in. Talk to Zamak and stop hoping no one finds the key that was left behind.

Request a proposal

Tell us in a few fields the size of your team and your moment. A specialist from your country sizes the vault and the price with you, with no need to replace what you already use, and live in a few weeks.

Talk to a specialist

Prefer to talk first? Book a conversation and we will understand your environment, your team and where the loose keys are today.

See managed cybersecurity

The vault is one of the layers of protection. See Zamak's managed cybersecurity, which protects the machines, the network and the people around the keys.

Request received.

A specialist from your country will reach out during business hours to get you started.