Thursday | 4 December, 2008
LinuxWorld.com.au

Symark makes mark in privileged access market

Symark's PowerKeeper is a password safe that can take on increasing gradients of password control

PowerKeeper, like e-DMZ PAR, uses functional accounts established at the same privilege level as the actual root/privileged/administrative accounts; they are created once PowerKeeper is set to control an account, as a sort of safety measure. These functional accounts aren't for everyday use, but are employed for backup and maintenance purposes. Once a functional account (think shadow root) is established, the controlled system can presumably always be accessed using the PowerKeeper functions (unless physical access is removed).

The installation process takes preparation because PowerKeeper -- like e-DMZ -- has a weak discovery process. You have to do your homework to make sure that PowerKeeper is intimately aware of its environment. To get our systems imported onto PowerKeeper, we made a list in its favored format (it's a unique and tedious one). Once we did this, we very quickly had PowerKeeper as a primary manager of our root and administrative passwords for the two Linux prototypes, Active Directory and FreeBSD servers on the test network. PowerKeeper, through this privileged account, manages all subsequent password controls, including issuance of new passwords and checks with its store of existing ones as passwords expire or must be changed.

Less simple is synchronization of privileged passwords controlled by PowerKeeper, as control runs one way, from PowerKeeper to the account under its control. PowerKeeper doesn't sync with directory services, because it controls its own accounts. On the upside, this lack of backward synchronization also doesn't pollute PowerKeeper with other directory services' passwords, problematic or not (for example, passwords never vetted against password policy updates and therefore below standard).

Changes made to a privileged password outside the auspices of PowerKeeper will raise an alarm, because PowerKeeper no longer has access to the system. PowerKeeper, like e-DMZ, becomes the master source for passwords. Change passwords elsewhere, and PowerKeeper's usefulness is thwarted.

For example, if an administrative password for a Microsoft Exchange Server is changed by a Windows administrative account user without using the PowerKeeper process, PowerKeeper will determine that it no longer has the secure password for that system. In that instance the PowerKeeper shadow account will change that password to one that only PowerKeeper (by policy, in terms of strength and third-party authentication) will know. The PowerKeeper privileged account on a controlled host can resynchronize the password back when that is needed. This means that if an organization chooses PowerKeeper to hold its passwords, the IT department must be prepared to rely on it as a 'master' source.

PowerKeeper can aggregate systems through an object management system called Collections. Collections are objects representing systems, devices, and/or applications with like-type characteristics whose logons/credentials/passwords are similar and can be treated similarly. Collections might differentiate sites or branches, or like-type applications such as Oracle, where a database administrator password could be kept by PowerKeeper and changed for a number of Oracle instances as a single object type.
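The three behaviours the review describes in the preceding paragraphs (a shadow account held only by the vault, one-way control with out-of-band changes raising an alarm and a forced reset, and collection-wide rotation) are easiest to see as a small simulation. The following is an added example written for this page, not PowerKeeper's or e-DMZ's code; the `ManagedHost` objects, the `pk_shadow` account name, the policy length and the event tuples are all constructed assumptions standing in for real hosts and a real audit trail.

```python
import secrets
import string
from dataclasses import dataclass


@dataclass
class ManagedHost:
    """Constructed stand-in for a controlled host's local credential store."""
    name: str
    collection: str
    accounts: dict  # account name -> current password on the host


class Vault:
    """Minimal privileged-password safe modelled on the behaviour the review describes."""

    def __init__(self, policy_len=20):
        self.policy_len = policy_len  # assumed strength policy: length only
        self.store = {}   # (host, account) -> password the vault believes is current
        self.shadow = {}  # host -> (functional account, password) only the vault holds
        self.events = []  # audit trail: enrol / issued / denied / alarm / reset / rotate

    def generate(self):
        alphabet = string.ascii_letters + string.digits + string.punctuation
        return "".join(secrets.choice(alphabet) for _ in range(self.policy_len))

    def _login(self, host, account, password):
        # Simulated credential check against the host; a real vault would SSH/WinRM in.
        return host.accounts.get(account) == password

    def enrol(self, host, account):
        # Establish the functional (shadow) account first, then take over the real one.
        shadow_pw = self.generate()
        host.accounts["pk_shadow"] = shadow_pw
        self.shadow[host.name] = ("pk_shadow", shadow_pw)
        new_pw = self.generate()
        host.accounts[account] = new_pw
        self.store[(host.name, account)] = new_pw
        self.events.append(("enrol", host.name, account))

    def checkout(self, host, account, requester, approved):
        # Only the fact of issuance or denial is recorded, not what is done afterwards.
        if not approved:
            self.events.append(("denied", host.name, account, requester))
            return None
        self.events.append(("issued", host.name, account, requester))
        return self.store[(host.name, account)]

    def reconcile(self, host, account):
        """Verify the vault's copy still works; on drift, alarm and reset via the shadow account."""
        if self._login(host, account, self.store[(host.name, account)]):
            return "in_sync"
        self.events.append(("alarm", host.name, account))  # changed outside the vault
        shadow_acct, shadow_pw = self.shadow[host.name]
        if not self._login(host, shadow_acct, shadow_pw):
            self.events.append(("unreachable", host.name, account))
            return "unreachable"  # shadow gone too: nothing the vault can do remotely
        new_pw = self.generate()  # policy-compliant password only the vault knows
        host.accounts[account] = new_pw  # performed with the shadow account's privilege
        self.store[(host.name, account)] = new_pw
        self.events.append(("reset", host.name, account))
        return "reset"

    def rotate_collection(self, hosts, collection, account):
        """Change one account's password on every host in a collection as a single action."""
        rotated = 0
        for host in hosts:
            if host.collection != collection:
                continue
            if self.reconcile(host, account) == "unreachable":
                continue
            new_pw = self.generate()
            host.accounts[account] = new_pw
            self.store[(host.name, account)] = new_pw
            rotated += 1
        self.events.append(("rotate", collection, account, rotated))
        return rotated

    def event_kinds(self):
        return [e[0] for e in self.events]
```

Note that `reconcile` never pulls a password *from* the host back into the vault: control is one-way, which is exactly why an out-of-band change produces an alarm and a reset rather than a silent update.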

PowerKeeper, once configured, went through our test use cases (vetted and unvetted logons to all of the hosts, devices and applications we used in our test bed) successfully, correctly logging the fact that passwords had been issued or had been denied issuance.

PowerKeeper doesn't keep very close track of what's done with the passwords it manages. If changes are made to a system, those changes must be tracked outside of PowerKeeper. Only the fact that the password's been issued is recorded. There is no session activity recording such as we found in e-DMZ PAR.

The reporting capability with the Symark spinoff is pretty similar to what e-DMZ offers.

PowerKeeper's documents need work and would be infinitely more useful if they included concrete examples and scenarios that work. Some lack indices, acronym decryption, process explanations and even consistency.
