Review: New tools control access by privileged users

Cyber-Ark tops field of four privilege account management (PAM) products

Privileged IT staffers literally holds the keys to the castle. Access to those keys that open the doors to critical operating system and application resources must be carefully managed and legally audited. Enter the class of products referred to as privilege account management wares.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Privileged IT staffers literally holds the keys to the castle. Access to those keys that open the doors to critical operating system and application resources must be carefully managed and legally audited. Enter the class of products referred to as privilege account management wares.

Privileged access isn't 'single sign-on", which is more of an end-user convenience issue as well as a security spoofing prevention method. PAM products provide controlled privileged access for IT administrators and power users.

Operating systems running on critical servers and even high-end business applications running on Oracle and SQL Server databases don't always have appropriate ticketing systems for granting privileged access. And there's increasing pressure from both internal auditing and government compliance agencies for companies to know who had privileged access, when they had it, and if at all possible, what was done with the access.

Generally, with controlled privileged access, a request is made by IT staff through the PAM product for a privileged account  password.

Most products tested require that all requests be approved. Granting such a request may take more than one administrative nod, as some organizations may choose to use several specific individuals or draw from a pool of individuals that must give a recorded stamp of approval before the privileged password is granted.

The privileged password is only granted for a period of time. The password may expire in short order or be automatically updated by the PAM software to something no one (but the system itself) actually knows at all — only the PAM system.

There may need to be verification that the password wasn't changed by the then-privileged user – a check typically accomplished by a shadow privileged account maintained by the PAM system itself -- and perhaps a subsequent action that changes the password and verifies that this has been done so that the new privileged password is known only to the PAM system.

So the key value proposition for any PAM product is access control coupled with referential integrity of privileged passwords.

Using PAM systems may also require a leap of faith as they can take full and total responsibility for the administrative passwords. If you lose their availability – either by technical glitch or some sort of theft -- all privileged passwords are lost. The PAM database of passwords must also be highly available, meaning that IT should have alternative accessibility measures in place, such as a mirror image or a rapid restoration capability.

In this test we closely examined four PAM products from Cyber-Ark, e-DMZ, Quest and Symark in terms of installation, integration with operating system and corporate applications, management and user accessibility. What we found was three distinctly different approaches to password issuance, management and access style. (There are not four approaches because the e-DMZ and and Symark products were literally cut from the same cloth as the latter OEMed code from the former and did not fork that code until about 15 months ago.)