Privileged Access Management (PAM) is a very important task for ensuring the information security of an enterprise. For large organizations, this issue can be a serious challenge. Obviously, unlike in SME companies, in large organizations, often, a lot of people are having high level access and managing their accounts in manual mode is rather problematic. The Privileged Access Management platforms exist solely to solve this issue.
Let’s first understand, who the privileged users are. No, this is not the CEO and his deputies, as it may strike initially. These are the people, who have access to critical systems, with admin rights. For example, the person, who has the ability to create new accounts in the corporate network, can be described as a privileged user. The same applies to employees, who can change system settings, install and remove software, have access to confidential data, etc. It is not at all difficult to deduce that such a high level of access to the corporate IT system opens up opportunities for abuse and even sabotage. And do not forget — the larger the organization, the more privileged accounts it has. That is why such accounts also need control, which is provided by PAM platforms.
What do they do? Let us note that many of the vendors of such platforms present in the market complex solutions consisting of many individual tools. That is, within the framework of a platform, you can purchase only those tools that are necessary. Thus, if you need only a password manager, then it is not necessary to overpay for unnecessary products — you can only buy it.
Globally speaking, the tools of PAM platforms can be divided into three categories. The first one is access control. Through products of this category, user access policies to certain systems are defined and their capabilities are regulated. Using access control tools, you can create, edit and delete access rights of specific accounts or their groups to segments of the corporate IT infrastructure.
The second is session management. Tools in this category allow you to track user actions in systems to which they have access. These tools also help in investigating incidents, because they clearly show who performed certain actions at a given point of time in a particular system.
The third is password management. This includes their storage, resetting and recovery. Advanced systems are able to provide access to privileged accounts, without disclosing the password to the users. This prevents password leaks and unauthorized access by third parties. In addition, PAM solutions also support multi-factor authentication tools.
The choice of PAM tools, entirely depends on the needs of the company, namely the scale of the infrastructure and the available control tools. There are a lot of offers on the market, in our review we will inform about the best as per Gartner’s version, and in the PAM products comparative table you will find their main features and can compare their functionality.
CyberArk Core Privileged Account Security
CyberArk offers several integrated PAM solutions to the users. The most functional among them is called as Core Privileged Account Security. As the name suggests, the developer himself positions his product as key one and fundamental. This tool offers centralized protection of privileged accounts in a variety of environments, including endpoints on Windows, Linux and Unix, local networks, cloud environment, as well as hybrid infrastructure and workgroups. It has modules for managing accounts, sessions, as well as a reliable password storage and encryption tools.
The Core Privileged Account Security has a tool for analysing the threats and cyber attacks, which is run on critical accounts. It works in real time and with the help of proprietary algorithms of the company, ensures reliable protection of accounts, as well as provides timely information to the administrators of such incidents. For this purpose, self-learning algorithms over time study the typical behavior of the user and notice deviations from the user’s usual actions, which may be a sign of account hacking. If necessary, the account session with suspicious actions can be automatically terminated and blocked. This provides additional system security.
BeyondTrust Privileged Access Management Platform
BeyondTrust offers its customers a multifunctional platform with customizable capabilities for privileged session management. This solution consists of several products and it is perfect for large companies that need to solve a variety of tasks for managing account access with high level of privileges. The platform works with endpoints, Windows, Linux and Unix servers, network devices, and also provides privileged remote access that facilitates work in organizations with multiple offices.
Much attention is paid to work with passwords. For them, there is a secure storage with support for the SSH protocol, as well as the possibility of remote management, including reset and change. Auditing tools and vulnerability search tools allow to identify accounts and assets having high level of risk. For this purpose, algorithms that combine behavioral analytics and the use of predefined policies are used, which allows to cover a wide range of vulnerabilities.
Centrify Privileged Access Management Solution
The company Centrify solutions, integrated within the framework of the Privileged Access Management Solution, offers ample opportunities for both large companies with hybrid infrastructure and small and medium-sized businesses. The solution includes four main areas — access control, authentication, roles, and auditing and monitoring. In the area of access control, the platform offers a reliable password storage and enhanced work with them, secure remote access, account management, operation of privileged accounts with network devices, endpoints and cloud environments via shared accounts. Authentication tool allows to process requests not only from ordinary users, but also from devices, various services and APIs. In this case, a special algorithm checks who has requested for access, and decides whether to grant it or not.
The role management module allows you to define the accessibility of specific accounts, for example, to raise a regular account to the privileged status. It can also grant temporary rights to accounts that will become invalid after a certain period of time. This is very convenient for those companies that often use the services of IT outsourcing. A function to record sessions and detailed auditing is available for all privileged accounts. Advanced monitoring features give administrators many capabilities. For example, the Centrify Privileged Access Management Solution tools even allow to start processes and monitor the integrity of files. An advanced threat detection system can track them by user behavior.
One Identity Safeguard for Privileged Sessions
This product is a variant of the integrated security platform — One Identity Safeguard, which is optimized for working with privileged sessions. It is designed to monitor, track and record sessions of high-risk accounts. Solution can limit user access to certain resources, monitor active connections, and receive alerts if connections exceed pre-set time limits. Safeguard for Privileged Sessions can also track sessions in real time and apply various actions to them. So, if a dangerous command or application is executed, the tool can either just send a warning to the administrator or block the procedure automatically.
Auditing and monitoring sessions provides the most careful tracking of user actions, even including the cursor movement around the screen. The collected data can be viewed as video or text format. All collected data is stored in encrypted form, and only authorized persons have access to it. The product has a password management system and the ability to store them. Multi-factor authentication supports various tools, including smart cards.
ARCON Privileged Access Management
ARCON, unlike many other manufacturers, offers a single product for managing privileged access. Despite this approach, it is very functional. The tool allows to centrally control access, control and limit the capabilities of accounts through a centralized policy based on rules and roles. The tool’s functions allow to automate the process of approving system access for privileged accounts and their groups. Using the single sign-on function, a user who logs in to the system immediately gains access to all resources. At the same time, the ability to log in through his account from other places and other systems is lost, which prevents unauthorized access by entering his login and password. You can also get into the system using a proprietary mobile application, using a mobile device as an authentication tool.
ARCON PAM also provides wide range of features for auditing user sessions and reporting with the provision of text analysis and video reports. The system provides a personalized and detailed analysis of each privileged access to target systems. And you can monitor the current state of affairs in the system using a single admin panel.
Wallix Bastion Enterprise
Wallix offers its product for managing privileged accounts in three variants — Entry Level, Professional and Enterprise. The first is designed for small companies, and the most advanced — Enterprise — for large enterprises with an extensive system of offices and divisions. We will highlight the last one in our review.
The product provides full access control for privileged accounts based on a variety of rules. They can be based on different criteria and meet certain corporate standards. For example, access may be granted based on employee credentials, location, time, etc. At the same time, users logging into the system get access to all authorized devices without the need for re-authorization. The product itself operates in agentless mode, there is no need to install modules on each device where monitoring is performed. The system of user actions monitoring can oversee account actions after logging in to the system both in real time and by post-factum reporting. In addition, Bastion Enterprise can integrate with third-party systems (for example, SIEM), transferring received information there for processing.
Hitachi ID Privileged Access Manager
Hitachi ID Systems PAM is a complete solution for control over privileged access. This solution ensures access control for high-risk accounts and user groups, as well as a high level of security for their work. To do this, as one of the approaches, Hitachi ID Privileged Access Manager replaces regular static passwords with periodically changing random values that are used for login. The original passwords are stored in a secure vault in encrypted form.
The system is able to automatically calculate the risks incurred by the system login of an account, and based on this, make a decision on the admission of the user. Indicators include previous logins, platforms from which they were made, number of logins, etc. If the login attempt is seemed to be suspicious to the system, it will temporarily block this action to the account and give the administrator the rights to make a final decision. The tool also monitors account activity and records their sessions, which, allows to analyze the actions of privileged accounts in the future.
Thycotic Secret Server Platinum
Thycotic offers four options for managing access to privileged users. The line starts with a free version with significantly limited functionality to the most advanced one called Secret Server Platinum, which will be discussed further. The main feature of the tool is that the accounts become “secrets” that cannot be identified with actual users without knowing the encryption key. This ensures protection against unauthorized access to privileged accounts. Moreover, the connections between secrets and people are flexibly configured, it is possible to impose restrictions or allow access depending on the addresses and other parameters. Another tool to protect access to critical accounts is a regular automatic password change.
The product also provides ample opportunities to track the actions of privileged users. They can be recorded in text and video format, as well as viewed online. If necessary, the administrator can terminate the account session at any time. In addition, Thycotic Secret Server Platinum has tools for detailed auditing and sending custom notifications. The administrator can set specific events with notifications and schedule the regular report.
Fudo Security offers a self-contained enterprise-level PAM solution that provides the basic needs of a large business to manage access to privileged users. The system setup is very quick. It takes about an hour. The Fudo Security PAM is available both as a hardware solution and as a virtual device. It provides reliable control over the actions of users and can set the scope of their work. For example, Fudo PAM allows you to bind specific administrator accounts to selected ports or IP addresses, which will prevent attackers from logging into the system from an unauthorized place, even if a privileged account has been hacked.
One of the product’s features is a business intelligence module that measures employee productivity. It collects exhaustive information about their activity, for example, when the employee computer work is idle or what actions are performed by a particular account within the framework of the workflow. For the privileged users themselves, there is a special web portal with a list of target systems connected to the Fudo PAM. Thus, administrators can connect to them directly from this portal simply by selecting the necessary resource.
Despite the rather large choice, most of the PAM platforms are very similar to each other. They provide the tools to control access, work with passwords, monitor sessions and conduct audits. Although such systems are not critical elements of corporate security systems, they can bring many benefits to business infrastructure.
Author: Vladyslav Myronovych, for ROI4CIO
Read Full Article Here – Privileged Access Management Solutions Overview