
2021 PRIVILEGED ACCESS MANAGEMENT BUYER'S GUIDE
MARKET OVERVIEW

Almost uniformly, hackers prefer attacking the easy targets. Although we rarely discuss it, the hackers you need to worry about aren't dark hooded teenagers in their parents' basement. Instead, these are stone-cold professionals who cause data breaches for a living.

As such, they don't want to waste their time on targets with next-generation identity and access management solutions; that constitutes a major drain on their own time and resources. They want to maximize their time and their efficiency, just like any other employee. Therefore, they target enterprises with minimal identity and access management protections. These guarantee a payout.

And how do hackers gain access to easy targets? Through unmanaged and unmonitored privileged accounts. According to Centrify, 74 percent of all breaches begin with compromised or stolen privileged credentials. This applies both to small businesses and large enterprises. According to LastPass, 43 percent of cyber attacks target small businesses—and 60 percent of small businesses shut down in the aftermath of a breach.

Yet, even with mounting evidence, enterprises continue to inadequately invest in—or outright neglect—privileged access management. Thycotic determined that 70 percent of all enterprises fail to discover all of the privileged credentials in their network. In fact, 40 percent never look for all of their privileged accounts. The vast majority fail to provision their privileged accounts, secure logins, or revoke permissions from former employees.

Despite all of this worrying information, the absence of visibility might prove the most damning piece of information here. Privileged credentials can move about your network far more easily than regular user accounts. They can access finances, customer data, proprietary assets, and user data as part of their everyday workflows. In fact, privileged credentials can even destroy the entire IT environment with the right moves.

There are no excuses for failing to discover, provision, and control all of your privileged credentials. Thankfully, privileged access management solutions facilitate credential visibility and work to secure credentials from malicious use. They regulate and almost completely automate the creation and removal of privileged credentials, preventing both secret account creation and orphaned accounts.

Enter this Buyer's Guide; we detail the top Privileged Access Management solution providers with individual profiles, key features, and capability references. The Editors at Solutions Review cut through the rhetoric to provide an unbiased rundown of these unique vendors. Additionally, we provide the Bottom Line: our take on what makes the featured providers unique, distinctive, or exceptional. Let this provide a solid start to your selection.

Ben Canner, Editor

2021 Solutions Review
500 West Cummings Park
Woburn, Massachusetts 01801 USA
80 percent of data breaches involve the use of privileged credentials. [1]

62% of enterprises fail to provision for privileged access accounts. [2]

51% fail to enact secure logins for privileged access accounts. [2]

70% of enterprises fail to discover all of the privileged access accounts in their networks. [2]

55% fail to revoke permissions after a privileged employee is removed. [2]

63% don't have security alerts in place for failed privileged access account login attempts. [2]

65% of enterprises allow for the unrestricted, unmonitored, and shared use of privileged accounts. [3]

Sources:
[1] The Forrester Wave: Privileged Identity Management, July 2016
[2] Thycotic, "2018 Global State of Privileged Access Management (PAM) Risk & Compliance"
[3] Gartner, "Best Practices For Privileged Access Management"
5 Key Capabilities To Consider When Evaluating A Privileged Access Management Solution

Two-Factor or Multifactor Authentication
Two-factor and multifactor authentication add additional steps (or factors) to the privileged authentication process. Typically, these additional factors involve pairing a username and password with an action or something the user has, such as an SMS message to their phone, a secure email, or a token. Small-to-midsized businesses (SMBs) and large enterprises must move past the username/password paradigm, as passwords have proven increasingly easy to steal in recent years.

Single Sign-On
Regular and privileged users can log onto a single platform that gives them automatic login access to multiple applications, databases, and communications for a set period of time. This allows users to present only one set of credentials for their everyday work processes, rather than forcing them to continually re-enter passwords or remember multiple passwords for logging into several different applications.

Role-Based Access Controls
Employees should be given just enough privileges and permissions to do their jobs effectively, ensuring limited network and data damage if their credentials are abused. In addition, PAM solutions will often provide granular, role-based access controls that allow administrators to regulate privileges and entitlements based on a user's individual role. Additional privileges can often be granted via self-service requests and can be approved or denied directly. They can also be granted on a limited basis.

Limit Lateral Access
PAM solutions can also limit the authority of privileged access users over their assigned enterprise systems and the commands they can enter into those systems. This prevents employees or hackers from escalating privileges without security team or administrator permission, or from moving laterally within the network into systems they should not have control over or authority within. Your IT security team can set access policies to determine the lateral movement capabilities of your employees.

Monitoring Privilege Use
PAM solutions provide your enterprise security team the capabilities to monitor, record, and audit privileged accounts' activity on your corporate network. This not only serves as a secondary layer of protection against insider threats and hackers, but it is also often a crucial part of regulatory compliance protocols and mandates for almost all industries. These monitoring and recording capabilities allow IT administrators to review accounts in the event of an incident.
3 Privileged Access Management Questions You Must Answer Before Selecting Your Solution

Who Has Privileged Access In Your Enterprise?
This is one of those seemingly easy privileged access management questions that proves much harder to answer the more you investigate it. Privilege creep can result in users having permissions they no longer need as they move through roles in your enterprise. Additionally, discrepancies in the onboarding process can bestow unnecessary access. This means your ordinary users might have privileges unknown to your security teams (and even to them) which can prove devastating in the wrong hands.

What Access Do Your Privileged Credentials Have?
This query becomes more complicated the more you look into it. Not all superusers are or should be created equal in terms of digital permissions. Instead, your enterprise should look to enforce the principle of least privilege throughout all of your users' identities. The principle of least privilege dictates that users should have the least amount of permissions possible. Ideally, superusers should only have the access they absolutely need to accomplish their daily tasks.

What Privileged Access Management Tools Do You Have?
Legacy solutions are inadequate to handle the demands of the modern enterprise's users and privileges. Your enterprise needs a next-generation solution. There is no way around it. According to One Identity, 31% of enterprises use outdated or manual methods like pen and paper to manage their superusers' credentials. But writing down passwords invites the unscrupulous to steal them, or lets those passwords end up in the wrong hands.
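As an added example (not code from this guide or from any vendor it profiles), the following Python script answers the "who has privileged access" question above from a directory export, flags privileged accounts still held by departed employees (the revocation failure in the statistics section), and raises the failed-privileged-login alert that the same statistics say most enterprises lack. The privileged group names, directory export, HR roster, and log lines are all constructed for the example.

```python
"""Privileged-account hygiene checks over constructed inventory and auth-log data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: the groups this example treats as privileged (an assumption).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "sudo", "wheel", "DBA"}

# Constructed directory export: account -> (owner employee id, set of groups).
ACCOUNTS = {
    "jsmith":     ("E100", {"Domain Users"}),
    "mlopez-adm": ("E101", {"Domain Users", "Domain Admins"}),
    "svc-backup": (None,   {"sudo"}),              # service account with no owner
    "tchen":      ("E102", {"Domain Users", "wheel", "DBA"}),
    "rkhan-adm":  ("E103", {"Domain Admins"}),
}

# Constructed HR roster of current employees; E103 has left the company.
ACTIVE_EMPLOYEES = {"E100", "E101", "E102"}

# Constructed auth log: "<ISO time> <result> user=<name> src=<ip>".
AUTH_LOG = """\
2021-03-01T09:00:01 FAIL user=rkhan-adm src=10.0.5.20
2021-03-01T09:00:14 FAIL user=rkhan-adm src=10.0.5.20
2021-03-01T09:00:30 FAIL user=rkhan-adm src=10.0.5.20
2021-03-01T09:01:02 FAIL user=rkhan-adm src=10.0.5.20
2021-03-01T09:05:00 OK   user=mlopez-adm src=10.0.1.7
2021-03-01T09:06:00 FAIL user=jsmith src=10.0.1.9
2021-03-01T09:06:10 FAIL user=jsmith src=10.0.1.9
2021-03-01T09:06:20 FAIL user=jsmith src=10.0.1.9
2021-03-01T09:06:30 FAIL user=jsmith src=10.0.1.9
2021-03-01T11:00:00 FAIL user=tchen src=10.0.2.2
"""


def discover_privileged(accounts, privileged_groups=PRIVILEGED_GROUPS):
    """Return {account: sorted privileged groups} for every account holding
    membership in at least one privileged group (the discovery step)."""
    found = {}
    for name, (_owner, groups) in accounts.items():
        hits = sorted(groups & privileged_groups)
        if hits:
            found[name] = hits
    return found


def orphaned_privileged(accounts, active_employees, privileged_groups=PRIVILEGED_GROUPS):
    """Privileged accounts whose owner is no longer an active employee, plus
    privileged accounts with no owner on record (nobody can attest to them)."""
    orphans = []
    for name in discover_privileged(accounts, privileged_groups):
        owner = accounts[name][0]
        if owner is None or owner not in active_employees:
            orphans.append(name)
    return sorted(orphans)


def failed_privileged_logins(log_text, accounts, threshold=3,
                             window=timedelta(minutes=5),
                             privileged_groups=PRIVILEGED_GROUPS):
    """Alert when a privileged account accumulates `threshold` failed logins
    inside `window`. Non-privileged accounts (jsmith) are left to ordinary
    brute-force detection; this check is the PAM-specific control."""
    privileged = discover_privileged(accounts, privileged_groups)
    failures = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] != "FAIL":
            continue
        user = parts[2].split("=", 1)[1]
        if user in privileged:
            failures[user].append(datetime.fromisoformat(parts[0]))
    alerts = []
    for user, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append((user, times[i + threshold - 1].isoformat()))
                break  # one alert per account per run is enough
    return sorted(alerts)


if __name__ == "__main__":
    for name, groups in discover_privileged(ACCOUNTS).items():
        print(f"privileged: {name:<12} {', '.join(groups)}")
    print("orphaned:  ", orphaned_privileged(ACCOUNTS, ACTIVE_EMPLOYEES))
    print("alerts:    ", failed_privileged_logins(AUTH_LOG, ACCOUNTS))
```

In a real deployment the directory export and roster would come from the identity source and HR system the vendor profiles below integrate with; the checks themselves do not change.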
Solution Provider Profiles

BeyondTrust
Broadcom
Centrify
CyberArk
Devolutions
Ekran
ManageEngine
Micro Focus
One Identity
Remediant
Thycotic
Xton
BeyondTrust

One of the most recognized names in the privileged access management market, Arizona-based BeyondTrust focuses on eliminating insider privilege abuse and increasing application visibility. Their Least Privilege Management and Server Privilege Management solutions offer app-to-app password management capabilities and broad support for PIV-based authentication. BeyondTrust offers machine learning and predictive analytics which analyze privileged password, user, and account behaviors. Since its 2018 acquisition by Bomgar, BeyondTrust also boasts capabilities designed to eliminate manual user password changes and provide quick time to value and deployment.

BeyondTrust
11695 Johns Creek Pkwy
Johns Creek, GA
United States
1 (770) 407-1800
www.beyondtrust.com

Key Features

Least Privilege Management
BeyondTrust allows enterprise security teams visibility into applications and endpoints alike and can assign privileges to apps and tasks rather than users to prevent credentials abuse. They also offer privileged session recording capabilities to facilitate privilege evaluations and possible rescinding when necessary.

Enterprise Password Management
BeyondTrust grants security teams the power to discover, profile, and manage all known and unknown assets as well as shared, user, and service accounts to gain control over credentials both regular and privileged. It also allows for the whitelisting, blacklisting, and greylisting of applications to ensure network safety.

Server Privilege
Through BeyondTrust's capabilities, users can control access to Unix, Linux, and Windows servers with fine-grained policy control. BeyondTrust also offers integration and behavioral analysis to identify security anomalies and improve their overall server security while simplifying their privileged access management deployments.

Bottom Line
BeyondTrust offers customizable privileged session management capabilities, which can provide companies with a versatile solution. BeyondTrust is ideal for companies with many different operating systems in their network and therefore remote workforces. Recently, it announced its Windows and Mac offerings are available via SaaS. Also, BeyondTrust was named a Leader in the 2020 Gartner Magic Quadrant for Privileged Access Management.
Broadcom

Since acquiring CA Technologies in 2018, Broadcom has folded CA Technologies' privileged access management into its portfolio of enterprise solutions. In fact, they renamed CA Privileged Access Management to the Layer7 Privileged Access Management solution. This solution works through granular authorization of users to systems and accounts. Also, it constantly monitors privileged activity to assess for risk and trigger automated mitigations when high risk is detected. Other key features include privileged account vaulting and rotation and key- or token-based authentication. Layer7 Privileged Access Management controls privileged access across all IT resources, including in the cloud, and discovers all virtual and cloud-based resources.

Broadcom
1320 Ridder Park Dr
San Jose, California
United States
1 (408) 433-8000
www.broadcom.com

Key Features

Host-Based Access Control
Layer7 protects critical servers with fine-grained security controls. Its host-based access control protects and monitors files, folders, processes, registries, and connections; it can also manage and enable UNIX and Linux users to be authenticated using Active Directory.

Privileged Credential Vault
This capability protects and manages sensitive administrative credentials. Layer7 stores credentials in a secure vault and automatically rotates them to ensure compliance. Moreover, Broadcom enforces a zero-trust access model that ensures only authorized users receive privileged access.

Threat Analytics
Broadcom's solution provides continuous, intelligent monitoring that assesses privileged user behavior and leverages machine learning. This enables comparing current threat actors to historical observations and the behaviors of other users. Threat intelligence can also automatically trigger mitigation and remediation efforts when it detects high-risk behaviors.

Bottom Line
Before its acquisition, CA Technologies was named to the Gartner 2018 Privileged Access Management Magic Quadrant as a Leader. In 2019, they received attention as a Visionary in the 2019 Gartner Magic Quadrant for Access Management; since Broadcom incorporated CA Technologies' portfolio into their own, they should have the capabilities to protect complex and demanding environments. Broadcom emphasizes their automated risk mitigation and scalability as well as their protection of hybrid enterprise IT environments. They continue to mature their PAM capabilities for enterprises.
Centrify

Centrify transformed itself into an almost exclusively PAM-as-a-service solution provider since 2018; in fact, Gartner no longer considers them an access management provider. Centrify offers their Privileged Access Security solution through a cloud architecture. Centrify's capabilities include single sign-on, user provisioning, and multi-factor authentication (MFA). Centrify is particularly notable for its secure remote access capabilities, which are some of the strongest in the market. Centrify provides a broad set of user authentication methods including out-of-band (OOB) push mode and mobile endpoint biometric modes with remote access that supports different use cases including privileged users.

Centrify
3300 Tannery Way
Santa Clara, CA
United States
1 (669) 444-5200
www.centrify.com

Key Features

Federated Privilege Access
Centrify enables secure remote access for outsourced IT administrators and third-party developers to your enterprise's digital infrastructure through federated authentication. It also secures thousands of apps and enables access to network, cloud, and on-premises resources through consolidated login parameters.

Enterprise-wide Multifactor Authentication
Centrify prevents compromised credentials by implementing multi-factor authentication across every user and every IT resource, bypassing the password weaknesses inherent in single-factor authentication and those due to password reuse or fatigue.

Automated Account Management
Centrify allows administrators to manage their employees' access to all their applications from any source: Active Directory, LDAP, Cloud Directory, or external identity. It also secures and manages the privileged accounts used to access cloud and mobile application databases.

Bottom Line
Centrify's focus on PAM capabilities and solutions, spurred by its separation from Idaptive, attracts plenty of industry attention. In the first Gartner 2018 Privileged Access Management Magic Quadrant, it received the title of Leader for its SaaS-delivered full remote PAM, among other capabilities. It made a reappearance in the 2020 Magic Quadrant. Its solution remains lightweight and customers express appreciation for its customer service. During RSA 2020, it received an award for "Cutting Edge Privileged Account Security" from Cyber Defense Magazine.
CyberArk

Founded in Israel and based out of Massachusetts, CyberArk commands a large share of the modern PAM market. The solution provider's Privileged Account Security Solutions offer enterprise-grade, policy-based solutions that secure, manage, and log privileged accounts and activities for both protection and evaluation. CyberArk also uses behavioral analytics on privileged account usage to detect and flag potential anomalies from insider and external threats. Key components of CyberArk's PASS include an SSH Key Manager, Privileged Session Manager, Privileged Threat Analytics, and Endpoint Privilege Manager. They also offer the CyberArk Privilege Cloud as a cloud-delivered PAM solution to simplify the storage and rotation of credentials and the monitoring of privileged access.

CyberArk
60 Wells Ave
Newton, MA
United States
1 (888) 808-9005
www.cyberark.com

Key Features

Enterprise Password Vault
CyberArk secures, rotates, and controls access to privileged credentials in accordance with your enterprise's privileged credentials policies to prevent unauthorized access to superuser accounts. It also features detailed audit reporting to prepare a clear view of privileged user activity.

Privileged Session Manager
CyberArk's PAM capabilities isolate, control, and monitor privileged user access on critical Unix, Linux, and Windows-based systems, databases, and virtual machines. It also includes risk-based session review and the automation of privileged tasks. It further offers compliance demonstration tools.

On-Demand Privileges Manager
CyberArk eliminates unneeded root privileges and allows privileged users to run authorized administrative commands from native sessions. They also allow enterprises to detect, alert, and respond to attacks on privileged accounts in real time with privileged threat analytics.

Bottom Line
One of the most recognized PAM solution providers, CyberArk offers strong capabilities in an intuitive package. Customers praise it for its excellent technical support, its proactive assistance, and its mitigation of risks. Overall, it is known to be secure, compliant with most regulatory institutions, and possessing strong password vaulting capabilities. In 2020, CyberArk acquired IDaaS provider Idaptive and was named a Leader in the 2020 KuppingerCole Leadership Compass for Privileged Access Management. It was again named a Leader in the Gartner PAM 2020 Magic Quadrant.
Devolutions

Devolutions positions itself as a privileged access management solution specifically geared for SMBs. In fact, Devolutions has worked with small businesses for a decade. As such, it offers companion features and tools to meet organizations' specific use cases for its Devolutions Password Server. These include the Devolutions Launcher for fast launching of remote sessions and the Devolutions Web Login, which allows for the secure injection of passwords into websites via a secure credentials vault. The Password Server itself is a full-featured shared account and password management solution. It can be used in combination with Remote Desktop Manager for privileged account and session management tools with over 150 integrations and technologies.

Devolutions
1000 Notre-Dame
Lavaltrie, QC
J5T 1M1, Canada
1 (888) 935-0608
www.devolutions.net

Key Features

Vault Privileged Accounts
Devolutions enables enterprises to store, manage, and share privileged accounts, passwords, and credentials in a secure centralized vault. Also, it manages and controls access to all your privileged entries in your encrypted, on-premise vault.

Launch Privileged Sessions
Devolutions establishes privileged sessions and remote connections to servers, websites, and applications. It features account brokering to launch remote sessions and inject credentials without ever exposing passwords.

Secure Passwords & Access
Devolutions automatically rotates credentials on various account types and enforces system-wide password policies. Also, it can rotate passwords to enable automatic password randomization on privileged accounts after they are used.

Bottom Line
Devolutions received an Honorable Mention in the 2018 Gartner Magic Quadrant for Privileged Access Management. The companion features, including the Launcher and Remote Session Storage, enable enterprises of all sizes to benefit from privileged access management. Users describe Devolutions' solutions as user-friendly and praise its cloud-based deployment. Devolutions announced the Devolutions Password Server for SMB privileged access management earlier in 2020.
Ekran System

Ekran System is an insider threat protection platform that provides proper security control over your enterprise's privileged accounts. It offers lightweight software agents for all kinds of endpoints, supporting any access scheme and network architecture, including hybrid. Agents combine access management functionality with comprehensive activity monitoring, recording, and alerting and enable essential incident response capabilities. Ekran System's solution serves to enhance third-party vendor management, remote and on-site employee control, and other security tasks.

Ekran System
3500 South DuPont Hwy
Dover, DE
United States
1 (952) 217-7041
www.ekransystem.com

Key Features

PASM Toolset for Jump Servers
Ekran System enables a full set of privileged account and session management features with its jump server software clients and centralized secure password vault. The Ekran System jump server client allows your security team to control a whole segment of your infrastructure via unlimited concurrent sessions.

One-time Passwords and Manual Login Approval
Ekran System provides one-time password functionality to protect critical endpoints, provide access to third-party vendors, and handle emergency access scenarios. These credentials may be generated by security administrators or requested by a user and manually approved by an administrator. Once access is granted, a security administrator may connect to the session and follow it in real time.

Multi-factor Authentication and Secondary Authentication
Ekran System clients enable multi-factor authentication on protected endpoints. They also support secondary authentication, identifying users of shared accounts with individual credentials.

Bottom Line
Ekran System is a flexible software platform supporting a wide range of operating systems, virtual and physical infrastructures, servers, and desktops. Offering a combination of clients with various configurations, Ekran System can fit your enterprise's infrastructure and security requirements. All parts are managed via a single web-based control center, enabling easy maintenance and multi-tenant and high-availability deployments. Ekran System delivers powerful activity monitoring and session recording capabilities, allowing supervisors to control security after access is granted. It also integrates well with SIEM and ticketing systems.
ManageEngine

ManageEngine is primarily based out of California and is the IT management division of the Zoho Corporation. Their privileged identity management solution incorporates their Password Manager Pro product, which can discover, store, control, audit, and monitor privileged accounts. ManageEngine also offers ease of use with an intuitive user interface for their PAM solutions, which supports approval workflows and real-time alerts on password access. ManageEngine's discovery engine is capable of discovering and enumerating Windows local and domain accounts on the enterprise network, in virtual environments, and on Linux devices with equal efficiency. The Password Manager Pro product acts as a centralized credentials vault and can manage shared accounts across operating systems.

ManageEngine
4141 Hacienda Dr
Pleasanton, CA
United States
1 (925) 924-9500
www.manageengine.com

Key Features

Password Manager Pro
This can centralize password storage and automate frequent password changes in critical systems to improve IT productivity and help with compliance mandates. It can also control access to IT resources and applications based on roles and job responsibilities to ensure the Principle of Least Privilege.

Key Manager Plus
This allows for the discovery of all SSH keys and SSL certificates in your network and then consolidates them in a secure, centralized repository. Given the difficulty in establishing visibility over privileges, this proves critical for many enterprises. It can also create and deploy new key pairs on target systems and rotate them periodically.

Password Manager Pro MSP
For enterprises with stretched cybersecurity talent and resources, this can securely store and manage clients' privileged accounts from a centralized console, backed with a multi-tenant architecture for clear data segregation. It can also provide 24/7 monitoring to watch for credentials abuse and potential infiltration.

Bottom Line
The ManageEngine Password Manager Pro is a solution best suited to small to mid-sized businesses. According to customer feedback, it is reportedly easy to install and configure, relieving the burden on enterprises' IT help desks. Overall its implementation is described as easy and the solution as having a strong feature set. ManageEngine will work well in hybrid systems. ManageEngine appeared in the Privileged Access Management Magic Quadrant for 2020.
Micro Focus

Micro Focus owns the NetIQ identity and access management suite, a highly scalable set of solutions. These include NetIQ Privileged Account Manager, the NetIQ Directory and Resource Administrator, the NetIQ Group Policy Administrator, and the NetIQ Change Guardian. These allow for streamlined privileged access management in the hybrid enterprise and simplify delegated administration of Microsoft Active Directory. Further, Micro Focus's NetIQ Change Guardian can monitor critical files, systems, and applications in real time to detect unauthorized privileged activity.

Micro Focus
4555 Great America Pkwy
Santa Clara, CA
United States
1 (650) 258-6827
www.microfocus.com

Key Features

Advanced Authentication
Micro Focus also provides an intelligent and flexible multifactor authentication solution built to meet today's enterprise-level challenges and scale with your enterprise. It can also harden your environment and integrate with Azure MFA capabilities.

Zero Trust
NetIQ provides the oversight and automation required to implement a comprehensive Zero Trust strategy. It also provides active session management to identify suspicious activity and allows for just-in-time termination.

Continuous Monitoring
The NetIQ Privileged Account Manager provides activity recording and remediation to prevent breaches and support governance and compliance. It can monitor privileged activity to identify potential threats throughout the identity lifecycle.

Bottom Line
Through the NetIQ suite, Micro Focus offers a robust yet affordable privileged access management and administration-focused solution with a large network of channel partners, ideal for small to mid-sized businesses. Recently, they appeared in the 2019 and 2020 KuppingerCole Leadership Compass for Privileged Access Management and the 2018 Gartner Privileged Access Management Magic Quadrant.
One Identity

One Identity's Privileged Password Manager solution lets enterprises enable secure automated control and auditing on their privileged accounts. The Privileged Password Manager offers session management features, as well as an Active Directory bridge between different operating systems across the enterprise network. One Identity's products are offered via a modular and integrated approach, allowing customers to add new capabilities quickly by building on existing investments; as an example, by integrating their Identity Manager solution with Privileged Password Manager, users can request, provision, and attest to privileged and general-user access within the same console.

One Identity
1 (800) 306-9329
www.oneidentity.com

Key Features

Self Service Access Portal
One Identity reduces IT effort via a customizable, intuitive online "shopping cart" portal, which enables users to request access to network resources, physical assets, groups, and distribution lists. It also controls access rights and permissions for their entire identity lifecycle while leveraging predefined approval processes and workflows.

Risk Reducer
One Identity facilitates better security decisions by combining security information and policies from multiple expert sources and intelligence ne