The suite manages to convert our reviewer despite his distrustful read of network-management tools.
As a corporation grows in size, managing passwords among the organization becomes progressively harder. we are not talking regarding the challenge of managing user passwords. After all, the passwords for end users are managed in roughly constant manner in each massive and tiny organizations.
But this is often not the case for privileged accounts. In larger organizations, it is very tough to make sure that the passwords for privileged accounts are modified according to the company security policy. this could be very true for the native administrative account on users' workstations. This account is usually neglected, which might cause a serious security threat.
Another major challenge related to managing privileged accounts is observing the ways in which they are used. If a corporation is serious regarding security, then its IT professionals got to understand who uses a privileged account and why.
These are just a few of the challenges that CyberArk Tool Ltd. has began to resolve with its Privileged Identity Management (PIM) Suite. We decided to take the software suite for a test drive and see whether or not we believed it'd be helpful to network administrators in an enterprise atmosphere. For the aim of this review, we used version 6.0 of the PIM Suite.
Deploy and set up
Normally Once we write a software review, we prefer to work through the initial deployment and configuration method. That way, we will get a feel for how well the software integrates into my existing work atmosphere. during this specific case, however, we did not have the chance to deploy the software from scratch -- instead, a representative from CyberArk provided us with access to many pre-configured servers running in a cloud atmosphere.
The password Vault
Here's a touch of background info concerning how the CyberArk Tool password vault works. Essentially each managed account is allotted a policy and a safe. A policy may be a set of rules that facilitates password management. The policy controls how usually the password ought to be modified, who has access to the account and so on.
A safe is a logical container for warehousing passwords. Safes are usually created focused on who will want access to the privileged accounts whose passwords will be stored inside the safe. for example, you may create a secure for a business unit or for a bunch of administrators. The safes are together stated as the vault.
Figure 1. The requested password was retrieved from the vault.
Accessing a password
The first issue we wished to do was to achieve access to a password that had been hold on within the password vault. this is often vital because the passwords for privileged accounts got to be changed often, and it's entirely potential that many password changes might have occurred since the last time an administrator required to use a privileged account. Therefore, when an administrator has to use a privileged account, he desires some way of checking out what this password for that account is.
For this test, we logged on as an everyday user (who had been given permission to access the administrative account) and opened the Web-based PIM Suite Console. The user account was automatically authenticated into the vault, and also the console displayed the objects that the user had accessed most often. With that, We clicked on the native administrator account for one of the PCs on the network so clicked the Show button. Upon doing so, the requested password was retrieved from the vault and displayed for ten seconds. The Activities tab shows who had retrieved the password and when.
Although it's possible for a user to look up a password, it is also true that you simply might not wish to disclose the password to all administrators. in an exceedingly massive organization, there are usually totally different levels of administrative responsibilities. as an example, one admin might be responsible of installing and maintaining software, whereas another administrator could be responsible of Active Directory management. If an administrator has a restricted set of job responsibilities, then it does not be to produce him with the credentials to an account that has just about unlimited capabilities.
But there is also times when administrators got to use a privileged account to perform a particular task that is among the realm of their job responsibilities. Thankfully, the CyberArk Tool permits a user to temporarily use a privileged account without ever knowing the account password. When we 1st tried to attach using this account, we puzzled why CyberArk would style a policy that may stop us from exposing a password, however that will still permit us to use the account. After all, if we will readily use the account, then we actually do not got to know its password.
As it seems, clicking on the Connect button does not automatically grant you access to the privileged account. Instead, clicking the Connect button brings up another screen, that allows you to request temporary access to the account.
There's a drop-down at the highest of the screen that enables you to provide a reason for using the account. This list can be pre-populated so that totally different administrators will use the account for various reasons. as an example, you may enable an administrator to use an account just for installing applications, installing patches or creating configuration changes.
This screen additionally permits an administrator to state for how long he'll want access to the account. This keeps the administrator from receiving indefinite access. At the bottom of the screen is a place wherever you'll enter a reference number. Such {a number|variety} may correspond to a facilitate desk ticket number. there is additionally a check box which will be selected if the administrator is performing an emergency operation.
In our opinion, this screen was extremely well thought out. We prefer that it needs the person who's requesting use of the account to clarify precisely why the account is being used and specify for how long he can want access to the account. Such info makes it simple to know who performed an action using a privileged account and why. Requiring administrators to provide such info before accessing privileged accounts may facilitate to deter rogue administrators who could have planned to use the account for unscrupulous functions.
It's worth noting that, once the administrator fills out this screen, he is not instantly given access to the account (unless the policy provides for immediate access).
Instead, the CyberArk Tool sends an e-mail message to a chosen one who makes a call on whether or not grant the request based on the info that has been provided.
Figure 2. you'll enable a user to use a password while not truly exposing the password.
Bulk password Changes
Often, one of the foremost significant issues organizations face is once an administrator leaves, exposing the organization to various security threats. The administrator has an intimate information of the organization's network infrastructure and security procedures. even though you delete or disable the employee's account once he leaves, there is a good probability that he is aware of alternative passwords. He could understand the domain administrator password, and he most likely is aware of some service account passwords (which is nearly as powerful as administrator passwords).
One of the CyberArk PIM Suite options that may help with things like this is often the power to alter passwords in bulk. CyberArk Tool makes it potential to alter all of the passwords that the user is aware of -- and alter all of them at the same time.
we decided to do this feature out by seeing if we may find all of the administrator accounts across the whole organization, and alter the passwords for those accounts in bulk.
We were particularly interested to visualize if we may change each domain admin account passwords as well as the passwords for the native administrator accounts on the individual workstations. native administrator account passwords are rarely modified in the real life and represent a major security threat.
Accomplishing the bulk password change proved to be easier than we assumed it'd be. All we had to do was open the PIM Suite Console and enter the word "administrator" into the search area. When we did, the console displayed forty totally different accounts that match my search criteria. From that time, resetting the passwords was simply a matter of clicking the select All link, followed by the amendment button.
Overall Assessment
We've been a in this industry for over twenty years, and during that time We've seen many alternative third-party applications that are designed to produce easier or additional comprehensive network management. although there are some good network-management products out there, We've developed something of a different perspective toward network-management products generally. that is because We've seen so many amount of|such a large amount of|such a lot of} totally different management products that come with a big price tag, however do not appear to offer any real profit. often the management products that are useful end up being thus difficult that they ultimately prove to be harmful.
We did not understand what to expect after we set out to review the CyberArk Tool PIM Suite. however the software goes a long way toward serving to organizations deal with some serious security vulnerabilities that exist on most networks (such as native administrator passwords that are ne'er changed). The software's auditing and reporting capabilities will be helpful to anyone who has to maintain an administrative paper trail for compliance functions.
