Appendix K: Third-Party PIM Vendors

  • Article

 

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012

Appendix K: Third-Party PIM Vendors

Note

Descriptions of software described in this appendix were obtained from the respective vendors’ websites. No endorsement of or preference for any solution is intended or implied.

Cyber-Ark

Privileged accounts and passwords are extremely powerful, allowing a privileged user to log on anonymously and have complete control of the target system with full access to all of the information about that system. This vulnerability could potentially cause tremendous financial losses and reputational damage for businesses. For enterprises, privileged accounts are especially difficult to manage:

  • The average enterprise has thousands of privileged identities, accounts, and passwords. Manually managing and updating these are a time-consuming, costly and repetitive process.

  • Administrative and application accounts (hard-coded, embedded credentials) are found on virtually every piece of hardware, software, and application within an organization, including virtual environments.

  • Administrative or application accounts are shared, which means that the system does not track WHO logged on as an Administrator, merely that a login occurred—a significant audit challenge.

  • Unlike a personal identity, such as Jdoe, administrative or application accounts are nearly impossible to disable due to high potential for disruption to business.

  • Administrative and application accounts are subject to regulations such as Sarbanes Oxley, PCI, and Basel II, requiring that companies prove exactly who logs in to sensitive systems and, increasingly, what they are doing.

What is the PIM Suite?

Cyber-Ark’s Privileged Identity Management (PIM) Suite is an enterprise-class, unified policy-based solution that secures, manages and logs all privileged accounts and activities associated with datacenter management whether on-premise or in the cloud:

  • Control access to privileged accounts based on pre-defined security policies

  • Manage application and service credentials

  • Grant granular control to the commands superusers can run

  • Comply with audit and regulatory requirements

  • Streamline policy management of privileged accounts

  • Seamlessly integrate with enterprise systems

The PIM Suite allows organizations to manage, track and audit their most privileged identities, avert internal and external threats, and prevent the loss of sensitive information. It complements the Privileged Session Management Suite designed to isolate, protect and monitor all sensitive target systems in your datacenter including servers, network devices, databases and virtual environments and records all privileged sessions on these systems for better visibility, control and smoother audit processes.

The PIM Suite: features and components

The PIM Suite offers a robust set of system features and capabilities for consistent policy definition and enforcement, automated privileged password management, and centralized reporting for compliance audits. The PIM Suite comprises three well integrated core products which can also be purchased separately as needed:

  • Enterprise Password Vault

  • Application Identity Manager

  • On-Demand Privileges Manager

Because they share a common server platform, an initial deployment of any individual solution can quickly and easily be expanded to address any additional audit or security challenges that may arise in the future.

With Cyber-Ark’s Privileged Identity Management suite you can:

  • Approach Compliance with Confidence: Superior security that protects the ‘keys to your kingdom’ with a proven ability to meet regulatory requirements

  • Minimize Internal or External Threats: Control who is accessing your most sensitive assets with out of the box best practices for defining and enforcing a unified policy for privileged identity management

  • Do Business Better: Improve workforce productivity with a single access point for automatically managing privileged credentials

Quest

Privileged Account Management

Controlling and Auditing Superuser Access

Quest One helps you control and audit administrative access with privileged credentials through granular delegation and command control, keystroke logging and session audit, policy-based control, and secure and automated workflows. This approach enhances security and compliance while improving the efficiency of administering superuser access. Administrators are granted only the rights they need—nothing more, nothing less—and all activity is tracked and audited.

  • Enhance security by granting administrators only the access rights required for their jobs—nothing more, nothing less—and basing those rights on established and intelligently controlled policy. In addition, when full credentials must be used, secure the process of requesting, approving and issuing access to those accounts, including the critical application-to-application (A2A) and application-to-database (A2D) passwords that pose the greatest security risk.

  • Achieve compliance through access control and separation of duties for privileged access that you can track through comprehensive audit capabilities that include policy, rights and activities performed through privileged access—even down to the keystroke level on many critical systems.

  • Improve efficiency through granular, policy-driven delegation of elevated access privileges and execution of specific commands across a wide range of systems and platforms, with centralized management and comprehensive audit. Through automated workflows, your administrators gain sufficient rights to do their jobs eliminating the need for manual credential management. In addition, Quest One adds significant value to Sudo by centralizing management of Sudo policy and providing visibility into Sudo-related activities.

Lieberman Software

Privileged Identity Management

Privileged identities are accounts that hold elevated permission to access files, install and run programs, and change configuration settings. These keys to your IT kingdom exist on virtually every server and desktop operating system, business application, database, Web service, and network appliance in your organization.

Risks of Unsecured Privileged Identities

Privileged identities aren’t controlled by your identity access management (IAM) system, so in all likelihood:

  • You do not know of all the privileged logins that exist on your network;

  • You have no record of which privileged credentials are known to different individuals;

  • You have no proof of who has used privileged logins to gain access to any of your IT resources, when, and for what purpose;

  • There is no way to verify that each of your privileged account passwords are cryptographically strong, are sufficiently unique, and are changed often enough to be secure;

  • You have no reliable list of privileged logins stored within your applications, and no way to know which in-house and vendor personnel can use these credentials to access sensitive information.

Controlling Privileged Account Access

Enterprise Random Password Manager (ERPM) from Lieberman Software can help your organization’s privileged account management through a four-part I.D.E.A. process:

  • Identify and document critical IT assets, their privileged accounts and their interdependencies.

  • Delegate access to privileged credentials so that only appropriate personnel, using the least privilege required, can login to IT assets.

  • Enforce rules for password complexity, diversity and change frequency, and synchronize changes across all dependencies.

  • Audit and alert so that the requester, purpose, and duration of each privileged access request is documented.

ERPM continuously discovers, strengthens, monitors and recovers local, domain and process account passwords in the cross-platform enterprise. It identifies, secures and manages the privileged identities found throughout your IT infrastructure, including:

  • Super-user login accounts utilized by individuals to change configuration settings, run programs and perform other administrative duties.

  • Service accounts that require privileged login IDs and passwords to run.

  • Application-to-application passwords used by web services, line-of-business applications, custom software, and other applications to connect to databases, middleware, and more.

Business Value of Privileged Identity Management

Taking control of privileged identities can help your organization:

  • Reduce IT staff workloads by eliminating the manual steps required to secure privileged account credentials, access systems for maintenance, and document each access.

  • Improve IT governance by automatically documenting which individuals have access to sensitive data and the ability to make changes that impact IT service delivery; at what times, and for what purpose.

  • Lower cost and uncertainty of IT regulatory compliance audits by providing detailed reports that prove compliance with today’s regulatory standards including SOX, PCI-DSS, HIPAA, CAG-8 and others.

  • Mitigate risks whenever planned and unplanned changes happen in your IT environment or IT staff turnover occurs.

Novell

NetIQ Privileged User Manager

Secure access to UNIX, Linux and Windows systems

Do you have visibility into everything that privileged users are doing on your systems across your environment? Would you know if an unauthorized user gained access to sensitive information? The frequency and seriousness these breaches are increasing and compliance requirements for regulated information are forcing businesses to monitor of privileged user access.

NetIQ Privileged User Manager allows IT administrators to work on systems without exposing superuser (administrator or supervisor) passwords or root-account credentials to the administrator. It specifically targets managing, controlling and recording of all privileged administrator activities for UNIX, Linux and Windows environments.

Smart privileged user control features

  • Secure cross-platform privileged user management Control and record “which privileged user have access to what.” You centrally define the commands that privileged users are able to run on any UNIX, Linux or Windows platform.

  • Simplified policy management with web-based console. Centrally manage security policies from a single point. The intuitive drag-and-drop interface makes it easy to create rules instead of relying on manual scripting.

  • Detailed analysis with color-coded risk ratings Powerful risk-analysis tools record and play back user activity—down to the keystroke level. The unique risk-profiling capability points out any collected user input that poses a risk.

  • Automatic data filtering for continuous compliance Prove compliance with permanent audit records 24x7x365, not only around compliance audits. Detailed logs of user activity help maintain your compliance posture.

CA

CA IdentityMinder

CA IdentityMinder™ helps improve the operational efficiency and effectiveness of IT organizations by providing a scalable and configurable identity management foundation that can organize your identity information within the context of your unique business roles and processes. It helps streamline the on-boarding and off-boarding of users, enables the business to manage access requests, and automates identity compliance processes.

Business Challenges

Whether applications reside in the enterprise or the cloud, managing the identities and access of users to key resources is a critical function for IT organizations that are under increasing pressure to cut operating costs while demonstrating continuous compliance. They must also deal with other challenges such as:

  • Mitigating risks. Protect critical systems, applications, and information from unauthorized access and use.

  • Reducing costs. Increase efficiency and productivity, without sacrificing security.

  • Maintaining compliance. Efficiently prove compliance with internal policies, regulations, and best practices.

  • Support business initiatives. Adopt new technologies easily (such as virtualization and cloud) that support business initiatives.

Organizations are seeking solutions that automate identity-related processes throughout the enterprise—from the mainframe to the cloud, across employees, contractors, partners, and customers. The result is a smarter, more efficiently managed infrastructure that helps IT save money, reduce risk, and deliver a more reliable service.

Solution Overview

CA IdentityMinder delivers a unified approach for managing users’ identities throughout their entire lifecycle and providing them with timely, appropriate access to applications and data.

CA IdentityMinder can be used to organize identity information within the context of an organization’s unique business roles and processes. It helps streamline the on-boarding and off-boarding of users, enables the business to manage access requests, and automates identity compliance processes. CA IdentityMinder contains a range of features for managing identities and access rights, and meeting identity compliance requirements.

CA IdentityMinder can increase operational efficiency and user productivity while decreasing Help Desk workload and costs. In addition, the CA Technologies approach to identity management and administration helps improve your overall security posture with a consistent, auditable method for managing identity-related activities and a platform to help maintain adherence to regulations.

Key features

  • User provisioning and deprovisioning. Automates account provisioning, removal, and approval processes throughout the user’s entire lifecycle. Customizable workflows support the unique way each organization approves, alerts, and schedules these activities.

  • User self-service. Enables users to manage attributes of their own identities, reset

  • Passwords and request access to resources, easing the IT and Help Desk burden.

  • Customization without custom code. Powerful features such as ConfigXpress, PolicyXpress, and ConnectorXpress let you customize your identity management infrastructure without custom code.

  • Securing on-premise and cloud applications. Provides centralized control of identities, users, roles and policies across on-premise and cloud applications.