Thursday | 20 November, 2008
LinuxWorld.com.au

Cyber-Ark tops privilege account managers list

Cyber-Ark's EPV stuns the testers

Second, Cyber-Ark easily imported users and groups from our LDAP-based network, finding hosts from user-member systems, so that it was possible to take advantage of Active Directory group membership (administrative or otherwise) to rapidly develop role-based policies.

Cyber-Ark found servers in our testing through an easy discovery process; and because it understands LDAP thoroughly, it readily found our LDAP groups both in OpenLDAP on Linux and through Active Directory's listings. It also found numerous devices (mostly operating system server hosts) with aplomb.

Finding and bringing an infrastructure under management ought to be fast for planners and installers of EPV, provided the root directory partitions of the desired hosts, applications, and/or appliances are readily reachable. It is important to note that these elements are sometimes blocked by an organization's security-driven address partitioning, put in place to thwart phishing and other cracking attempts.

In the EPV metaphor, group membership is a ticket to access 'safes' within its vaults.

Access rights to the safes are either set up to be transient (and expire at a predetermined date), or remain in place permanently.

Groups and users are hierarchical in terms of their access to safes and their capacity to change system parameters. Pre-defined groups (which can be removed if desired) break down by role function, such as administrator, backup, operators, disaster-recovery-authorized, auditors and internal managerial accounts.

The 'Safe Owners' administratively control access to the safes. Various safe-access policies can be defined, such as the permitted times at which a safe can be accessed, delays before safe entry, and closing the safe. In turn, the devices to be managed (logons to servers, databases, or other supported security or network devices/appliances) have policies that can be set for them using pre-defined templates (in XML) that can be added, modified, then replicated as needed to support subsequent devices.
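As an added illustration (not part of the review and not Cyber-Ark's code), a small Python model of the access rules just described: group membership as the ticket into a safe, transient grants that expire, and a per-safe policy with permitted hours and an entry delay, with every decision written to a simplified audit trail. All class names, group names, safe names and times are assumptions.

```python
# Constructed toy model of the safe-access rules the review describes (not
# Cyber-Ark code): a group grants entry, grants may expire, and each safe
# has permitted hours and an entry delay. All names below are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class SafePolicy:
    name: str
    allowed_groups: frozenset      # LDAP/AD groups that may enter (assumed)
    open_hour: int                 # permitted window: [open_hour, close_hour)
    close_hour: int
    entry_delay: timedelta         # minimum wait between request and entry
@dataclass
class Grant:
    user: str
    safe: str
    expires: Optional[datetime] = None   # None = permanent, else transient

AUDIT: List[str] = []              # simplified audit trail, one line per decision

def evaluate(grant: Grant, policy: SafePolicy, user_groups: set,
             requested_at: datetime, now: datetime) -> bool:
    """Return True if grant.user may enter policy.name at `now`; always audits."""
    reason = "granted"
    if grant.safe != policy.name:
        reason = "grant is for a different safe"
    elif grant.expires is not None and now >= grant.expires:
        reason = "transient grant expired"
    elif not (user_groups & policy.allowed_groups):
        reason = "no qualifying group membership"
    elif not (policy.open_hour <= now.hour < policy.close_hour):
        reason = "outside permitted hours"
    elif now - requested_at < policy.entry_delay:
        reason = "entry delay not yet elapsed"
    AUDIT.append(f"{now:%Y-%m-%d %H:%M} {grant.user} -> {policy.name}: {reason}")
    return reason == "granted"

# Constructed sample: a DBA holding a one-day grant on an 'oracle-prod' safe
PROD = SafePolicy("oracle-prod", frozenset({"DBA-Admins"}), 8, 18, timedelta(minutes=15))
GRANT = Grant("alice", "oracle-prod", expires=datetime(2008, 11, 21))

def run_scenarios() -> List[bool]:
    """Five constructed requests; only the first should be granted."""
    asked = datetime(2008, 11, 20, 9, 0)
    return [evaluate(GRANT, PROD, {"DBA-Admins"}, asked, asked + timedelta(minutes=20)),
            evaluate(GRANT, PROD, {"DBA-Admins"}, asked, asked + timedelta(minutes=5)),
            evaluate(GRANT, PROD, {"Backup-Ops"}, asked, asked + timedelta(minutes=20)),
            evaluate(GRANT, PROD, {"DBA-Admins"}, asked, datetime(2008, 11, 20, 19, 0)),
            evaluate(GRANT, PROD, {"DBA-Admins"}, asked, datetime(2008, 11, 21, 9, 0))]
```

The five scenarios exercise, in order, a valid entry, the entry delay, a missing group, the permitted-hours window, and grant expiry; AUDIT then holds one line per decision with the reason.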

Administrator access to privileged passwords follows the same pattern as competitors e-DMZ and PowerKeeper: through a browser (request and answer) or through a client application called PrivateArk.

The administrative access to EPV is a Secure-HTTP-rendered page where administrative rules, vault and safe characteristics can be addressed. The strength of the user interface lies in the aforementioned vault templates. We could use these to quickly gauge the customizations needed for each of our variety of test devices and rapidly bring them within EPV's protections. Although it's a tabular interface somewhat similar to PowerKeeper and e-DMZ PAR, we found it intuitive, aggregating like-type objects in a more logical format.

Users of vaults and safes cannot see the activities of each other, and bridging them isn't allowed except through common group membership. This allows processes used in EPV by one part of an organization to be masked from other members -- unless they share common group membership.

Rich administrative reports, including all vault activities, were also easy for us to generate. The audit trails were also easy to follow: a privileged access instance can be tracked and discerned from the initial request through to a 'finished state' where passwords may be reset.
