Privileged access management, privileged account management, privileged password management and privileged identity management are just a few of the terms thrown around for this month's group review. This space has been around for as long as there have been privileged or superuser accounts that needed to be secured across an environment or enterprise, and while the group is mature, it has done some significant growing recently. Products in this space traditionally consisted of a password vault that "locked up" administrator or root credentials in an encrypted container accessible only with a password or by authorized groups of individuals; some also offered remote login through a select few protocols or applications. The privileged account managers of today are far more advanced than that.
In this group, we now see products that do all sorts of things - integrating with web applications, home-grown applications, mobile applications and so on - to give users secure access to privileged accounts without ever exposing the username and password to them. In most cases, we found this was done seamlessly, without confusing hoops for the user to jump through. System administrators and security administrators can configure these tools with granular account access policies, ranging from remote desktop access with required approval for privilege escalation all the way up to the ability to view and check out the account password, and almost any scenario in between. Once a policy is defined, it can be assigned directly to Active Directory or LDAP groups and users, without having to create separate security groups within the product's management interface.
System access, aside from being granularly controlled, has also become a lot more integrated and feature-rich for the end-user. At a bare minimum, these products offer web-based console access to systems over the Remote Desktop Protocol (RDP) or a Secure Shell (SSH) session in a browser window, but most have evolved beyond that. They offer access through native clients such as the Microsoft Remote Desktop Client and PuTTY, all the way up to custom applications used to reach specific types of systems, as well as web application access. This more integrated approach lets users employ the tools they are comfortable with, or a feature-rich browser window, so they do not need to log in to the system directly to manage its settings or applications effectively.
These products have also evolved to take into account that privileged accounts such as service accounts are usually tied to applications, and that changing them unexpectedly can do real damage to the very infrastructure that keeps the enterprise moving forward. We saw several offerings that can rotate passwords dynamically and hand them to applications at run time through an API call, eliminating the need for clear-text passwords stored in application code or configuration files. This not only keeps things from breaking when a password cycles, but also removes a credential that attackers or malicious code could otherwise harvest. We also saw a number of products that integrate directly with vulnerability scanners for credentialed scanning using a highly privileged account, without the administrators of the vulnerability scanner ever needing to know that account's username and password. That integration does make the scanner itself a highly privileged system, and it should be protected accordingly.
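To make the application-to-application point concrete, here is an added illustration (not code from any product in this review) of the two patterns side by side: a clear-text password embedded in the application, and the same application pulling a short-lived credential from a vault at run time. The `VaultClient` class is a hypothetical stand-in for whatever API a given product exposes; the vault here is an in-memory dictionary so the example runs offline, and rotation is simulated so the reader can see why an application must not cache the secret indefinitely.

```python
"""Hard-coded credential versus vault-issued credential for an application.

Added example, not from any vendor in the review. `VaultClient` is a
hypothetical stand-in for a PAM product's application API.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# --- Anti-pattern: clear-text password embedded in the application ---------
DB_USER = "svc_reporting"
DB_PASSWORD = "Winter2016!"   # ends up in source control, backups, memory dumps


def connect_hardcoded() -> Tuple[str, str]:
    """Returns exactly what an attacker harvests from the code base."""
    return (DB_USER, DB_PASSWORD)


# --- Pattern: fetch a short-lived credential from the vault at run time -----
@dataclass
class Lease:
    username: str
    password: str
    expires_at: float   # monotonic seconds; the app re-fetches after this


class VaultClient:
    """Hypothetical stand-in for a PAM product's application API.

    A real client would authenticate the calling application (certificate,
    host/path allow-list, OS user) and talk to the vault over TLS. Here the
    store is a dict and rotation is simulated so the example runs offline.
    """

    def __init__(self, ttl_seconds: float = 300.0):
        self._store = {"svc_reporting": secrets.token_urlsafe(24)}
        self._ttl = ttl_seconds
        self.fetch_count = 0   # lets a caller see how often the vault is hit

    def rotate(self, account: str) -> None:
        """The vault cycles the password on the target and in its own store."""
        self._store[account] = secrets.token_urlsafe(24)

    def get_lease(self, account: str) -> Lease:
        self.fetch_count += 1
        return Lease(account, self._store[account], time.monotonic() + self._ttl)


class App:
    """Holds a lease in memory and refreshes it instead of persisting it."""

    def __init__(self, vault: VaultClient, account: str):
        self._vault = vault
        self._account = account
        self._lease: Optional[Lease] = None

    def credential(self) -> Tuple[str, str]:
        """Return the current credential, re-fetching once the lease expires."""
        if self._lease is None or time.monotonic() >= self._lease.expires_at:
            self._lease = self._vault.get_lease(self._account)
        return (self._lease.username, self._lease.password)

    def on_auth_failure(self) -> None:
        """Target rejected the password (rotated under us): drop the lease so
        the next call fetches the new one instead of failing repeatedly."""
        self._lease = None


if __name__ == "__main__":
    vault = VaultClient(ttl_seconds=300)
    app = App(vault, "svc_reporting")
    print("hard-coded:", connect_hardcoded())
    print("from vault:", app.credential()[0], "(password never leaves memory)")
    vault.rotate("svc_reporting")
    app.on_auth_failure()          # what a real app does on an auth error
    print("after rotation, vault fetches so far:", vault.fetch_count)
```

The design point is the `on_auth_failure` hook: an application that simply caches whatever it was first given will break the moment the vault cycles the password, which is exactly the breakage the paragraph above warns about.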
While all the focus on the user is great and we like to see users happy, the big recent change in this space is the addition of detailed, granular and easy-to-use auditing, reporting and analytics. Sure, most of these tools have always provided some form of auditing and reporting, but the products of today are on a new level. With functions such as full session recording, keystroke logging, optical character recognition of screen content and real-time session shadowing, it has never been easier for security administrators or auditors to get at the who, what, when and where of a system change or security incident. Not only are sessions recorded and saved in a secure vault, they are automatically bookmarked at the points where a user makes a change, and a bookmark can be clicked to take an auditor straight to that place in the recording. No more watching hours of session recordings or hunting for where the change occurred.
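The automatic bookmarking described above is, at its core, a classifier run over the recorded keystrokes. The following is an added example (not from any product in the review) of that idea applied to a constructed transcript of one privileged SSH session, stored one command per line with a timestamp and user as a keystroke logger might record it. It splits pipelines and command lists, strips `sudo`, and emits a bookmark with a seek offset for every segment that changes system state. The command list and the transcript are both my own constructions and are heuristics, not a complete taxonomy.

```python
"""Bookmark a recorded privileged session at the points where state changed.

Added example, not from any vendor in the review. SAMPLE_SESSION is a
constructed transcript; MUTATING is a heuristic list, not exhaustive.
"""
import shlex
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample: one recorded SSH session, "<timestamp> <user> <command>".
SAMPLE_SESSION = """\
2016-05-03T14:02:11Z svc_admin ls -la /etc/ssh
2016-05-03T14:02:40Z svc_admin cat /etc/ssh/sshd_config | grep -i passwordauth
2016-05-03T14:03:05Z svc_admin sudo sed -i 's/^PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
2016-05-03T14:03:20Z svc_admin sudo systemctl restart sshd
2016-05-03T14:04:02Z svc_admin sudo useradd -m -G wheel deploy
2016-05-03T14:04:30Z svc_admin echo 'deploy ALL=(ALL) NOPASSWD: ALL' | sudo tee -a /etc/sudoers.d/deploy
2016-05-03T14:05:10Z svc_admin tail -n 20 /var/log/secure
2016-05-03T14:05:45Z svc_admin exit
"""

# Commands whose normal use changes system state (heuristic).
MUTATING = {
    "useradd", "usermod", "userdel", "groupadd", "passwd", "visudo",
    "chmod", "chown", "chattr", "systemctl", "service", "iptables",
    "rm", "mv", "cp", "mkdir", "tee", "vi", "vim", "nano",
    "apt-get", "yum", "dnf",
}
SEPARATORS = {"|", "&&", "||", ";"}


@dataclass
class Bookmark:
    offset_seconds: int   # seek position in the recording, from session start
    timestamp: str
    user: str
    command: str
    reason: str


def _why_mutating(tokens: List[str]) -> Optional[str]:
    """Reason string if this single command segment changes state, else None."""
    if tokens and tokens[0] == "sudo":
        tokens = tokens[1:]
    if not tokens:
        return None
    cmd = tokens[0].rsplit("/", 1)[-1]          # /usr/sbin/usermod -> usermod
    if cmd in MUTATING:
        return f"state-changing command: {cmd}"
    if cmd == "sed" and any(t.startswith("-i") or t == "--in-place" for t in tokens[1:]):
        return "in-place edit: sed -i"
    if any(t.startswith(">") for t in tokens):  # > or >> to a file (not 2>/dev/null)
        return "output redirected to a file"
    return None


def classify(command_line: str) -> Optional[str]:
    """Split on pipes/command lists and report the first mutating segment."""
    try:
        tokens = shlex.split(command_line)
    except ValueError:                          # unbalanced quotes in the log
        return None
    segment: List[str] = []
    for tok in tokens + [";"]:                  # trailing ';' flushes the last segment
        if tok in SEPARATORS:
            reason = _why_mutating(segment)
            if reason:
                return reason
            segment = []
        else:
            segment.append(tok)
    return None


def bookmark_session(transcript: str) -> List[Bookmark]:
    """Index a recorded session: one bookmark per command that changed state."""
    start = None
    marks: List[Bookmark] = []
    for line in transcript.splitlines():
        if not line.strip():
            continue
        ts, user, command = line.split(" ", 2)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if start is None:
            start = when
        reason = classify(command)
        if reason:
            marks.append(Bookmark(int((when - start).total_seconds()), ts, user, command, reason))
    return marks


if __name__ == "__main__":
    for b in bookmark_session(SAMPLE_SESSION):
        print(f"[{b.offset_seconds:>4}s] {b.user}: {b.command}  <- {b.reason}")
```

On the constructed transcript this yields four bookmarks (the `sed -i`, the service restart, the `useradd` and the `tee` into sudoers.d), each with the second in the recording an auditor should seek to; the read-only `ls`, `cat | grep` and `tail` commands produce none.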
In short, this group of products has been around forever, but it is far from done evolving. As attackers get smarter, malware gets smarter and malicious insiders get smarter, these solutions will continue to grow and adapt to new threats in order to protect the most vital, but also most powerful, credentials in an enterprise from abuse or misuse.
Specifications for privileged access management tools (● = yes, ○ = no)

| Product | Password management/password cycling | Password management for service accounts | Provides remote access to systems without exposing credential | Allows for credential check-out/in | Passwords kept in an | Session recording/shadowing | Active |
|---|---|---|---|---|---|---|---|
| BeyondTrust | ● | ● | ● | ● | ● | ● | ● |
| Bomgar | ● | ● | ● | ● | ● | ● | ● |
| CA | ● | ● | ● | ● | ● | ● | ● |
| Centrify | ● | ● | ● | ● | ● | ● | ● |
| CyberArk | ● | ● | ● | ● | ● | ● | ● |
| Hitachi ID | ● | ● | ● | ● | ● | ● | ● |
| Lieberman | ● | ● | ● | ● | ● | ● | ● |
| ManageEngine | ● | ● | ● | ● | ● | ● | ● |
| NetIQ | ● | ● | ● | ● | ● | ● | ● |
| Netwrix | ○ | ○ | ○ | ○ | ○ | ● | ● |
| Pleasant | ● | ○ | ○ | ● | ● | ○ | ● |
| Thycotic | ● | ● | ● | ● | ● | ● | ● |
| Wallix | ● | ● | ● | ● | ● | ● | ● |