Review: New tools control access by privileged users

Cyber-Ark tops field of four privilege account management (PAM) products

Privileged IT staffers literally holds the keys to the castle. Access to those keys that open the doors to critical operating system and application resources must be carefully managed and legally audited. Enter the class of products referred to as privilege account management wares.

How we tested Administrative password security products

Archive of Network World tests

Subscribe to the Network Product Test Results newsletter

Privileged access isn't 'single sign-on", which is more of an end-user convenience issue as well as a security spoofing prevention method. PAM products provide controlled privileged access for IT administrators and power users.

Operating systems running on critical servers and even high-end business applications running on Oracle and SQL Server databases don't always have appropriate ticketing systems for granting privileged access. And there's increasing pressure from both internal auditing and government compliance agencies for companies to know who had privileged access, when they had it, and if at all possible, what was done with the access.

Generally, with controlled privileged access, a request is made by IT staff through the PAM product for a privileged account  password.

Most products tested require that all requests be approved. Granting such a request may take more than one administrative nod, as some organizations may choose to use several specific individuals or draw from a pool of individuals that must give a recorded stamp of approval before the privileged password is granted.

The privileged password is only granted for a period of time. The password may expire in short order or be automatically updated by the PAM software to something no one (but the system itself) actually knows at all — only the PAM system.

There may need to be verification that the password wasn't changed by the then-privileged user – a check typically accomplished by a shadow privileged account maintained by the PAM system itself -- and perhaps a subsequent action that changes the password and verifies that this has been done so that the new privileged password is known only to the PAM system.

So the key value proposition for any PAM product is access control coupled with referential integrity of privileged passwords.

Using PAM systems may also require a leap of faith as they can take full and total responsibility for the administrative passwords. If you lose their availability – either by technical glitch or some sort of theft -- all privileged passwords are lost. The PAM database of passwords must also be highly available, meaning that IT should have alternative accessibility measures in place, such as a mirror image or a rapid restoration capability.

In this test we closely examined four PAM products from Cyber-Ark, e-DMZ, Quest and Symark in terms of installation, integration with operating system and corporate applications, management and user accessibility. What we found was three distinctly different approaches to password issuance, management and access style. (There are not four approaches because the e-DMZ and and Symark products were literally cut from the same cloth as the latter OEMed code from the former and did not fork that code until about 15 months ago.)

We picked Cyber Ark Enterprise Password Vault (EPV) as the Clear Choice winner as it offers the widest compatibility list for operating systems, applications and 'rolling your own' passwords. It also offers an in-depth understanding of directory services that we used in that it's able to find them, deal with them, and get moving in very short order with a degree of flexibility that was often more robust than the competition.

While e-DMZ's PAR and Symark's PowerKeeper are cut from the same cloth, the companies have been competing to add features, manageability and compatibility. In our view, Symark is a bit ahead in that regard.

Quest's Privilege Manager (QPM) for Unix is a product in transition, recently licensed by Quest to add to its list of identity management products. We found QPM to be a customizable kit for managing privilege through the use of a proxy agent. It's an interesting approach, and the customizing can be rapidly replicated for larger Unix-alike (we used Linux and FreeBSD) environments.

Henderson and Dvorak are researchers with ExtremeLabs in Indianapolis. They can be reached at

NW Lab Alliance

Henderson is also a member of the Network World Lab Alliance, a cooperative of the premier reviewers in the network industry each bringing to bear years of practical experience on every review. For more Lab Alliance information, including what it takes to become a member, go to

Learn more about this topic

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2008 IDG Communications, Inc.

SD-WAN buyers guide: Key questions to ask vendors (and yourself)