Enterprise Password Vault 4.0
REVIEWED BY TOM BOWERS
Price: EPV server, $25,000; user pricing starting at $220 per user
Privileged users hold the keys to your kingdom: passwords that control administrative access to devices and applications across your enterprise. Cyber-Ark's Enterprise Password Vault (EPV) is among a handful of specialized products designed to securely manage these sensitive passwords, controlling privileged accounts across a wide range of client/server and mainframe OSes, network switches, databases and other targets.
It provides the privileged account controls mandated by regulations, and its central repository makes it an ideal addition to identity/access management projects.
Overall, this was a tedious installation/configuration process. EPV is in serious need of an installation wizard and graphics-filled documentation to help users understand the purpose of each of its components and where it sits in the architecture. The documentation, while voluminous, is disjointed and difficult to follow.
The expectation is that the four components be distributed across at least two Windows Server 2003 machines, and we sorely missed an overall diagram to refer to while performing the separate installations.
We were somewhat vexed, for example, when we installed the last component, Password Vault Web Access. We belatedly realized that IIS must be installed on the second server, something the documentation didn't mention until that point.
The EPV experience is superb once the system is installed. Operationally, the end user password management system is an intuitive, wizard-driven interface, requiring little to no training.
The system is organized around the vault, which contains multiple safes. Each safe is independent and may be connected to one user or group, or many of both. A person in one group or safe cannot see that other safes exist, let alone access them, without explicit permission. Each safe also has one or more owners who control access. Through the safe, passwords are synchronized with the managed targets, such as routers, switches and servers; changing a password in the safe also changes it on the target.
Essentially, EPV takes control of the admin logon function. For example, an admin logs on to the EPV Web interface to access the password object associated with the switch he wishes to manage. The object reveals the current password; he logs on to the switch and performs his maintenance. Passwords can be generated according to internal policies and/or regulations such as FFIEC guidance or the Family Educational Rights and Privacy Act.
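As an added illustration (this is not Cyber-Ark code; the class names, the policy values, the audit tuple layout and the simulated switch are all assumptions), the following Python models the vault/safe access model and the retrieve-and-rotate workflow just described: safes with owner-controlled membership, a user who cannot even learn that a safe exists without permission, a retrieval that is recorded for audit, and a rotation that generates a policy-compliant password from a CSPRNG, pushes it to the managed target and only then records it in the safe.

```python
import secrets
import string
from dataclasses import dataclass, field


# --- Policy-driven password generation (policy values are assumptions) ------

@dataclass(frozen=True)
class PasswordPolicy:
    """Composition rules a generated password must satisfy."""
    min_length: int = 16
    symbols: str = "!@#$%^&*-_=+"

    def complies(self, pw: str) -> bool:
        return (len(pw) >= self.min_length
                and any(c.isupper() for c in pw)
                and any(c.islower() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in self.symbols for c in pw))


def generate_password(policy: PasswordPolicy) -> str:
    """Rejection-sample from a CSPRNG until the candidate meets the policy,
    which keeps the result uniform over all compliant strings."""
    alphabet = string.ascii_letters + string.digits + policy.symbols
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(policy.min_length))
        if policy.complies(pw):
            return pw


# --- Managed target (stand-in for a switch, router or server) ---------------

class ManagedDevice:
    """Simulates the end product whose admin password the vault controls."""
    def __init__(self, account: str, password: str):
        self._creds = {account: password}

    def set_password(self, account: str, new_pw: str) -> None:
        self._creds[account] = new_pw

    def login(self, account: str, pw: str) -> bool:
        return secrets.compare_digest(self._creds.get(account, ""), pw)


# --- Vault, safes and access control ---------------------------------------

@dataclass
class Safe:
    owners: set
    members: set = field(default_factory=set)
    objects: dict = field(default_factory=dict)   # account -> (device, password)


class Vault:
    def __init__(self):
        self._safes: dict = {}
        self.audit: list = []   # constructed record: (actor, action, safe, account)

    def create_safe(self, name: str, owner: str) -> None:
        self._safes[name] = Safe(owners={owner})

    def _safe_for(self, name: str, user: str) -> Safe:
        # Same error whether the safe is missing or merely off-limits, so an
        # unauthorized user cannot enumerate safes by probing names.
        safe = self._safes.get(name)
        if safe is None or user not in safe.owners | safe.members:
            raise PermissionError(f"{user} has no access to safe {name!r}")
        return safe

    def grant(self, name: str, actor: str, user: str) -> None:
        safe = self._safe_for(name, actor)
        if actor not in safe.owners:        # only owners control membership
            raise PermissionError(f"{actor} does not own safe {name!r}")
        safe.members.add(user)

    def visible_safes(self, user: str) -> list:
        return sorted(n for n, s in self._safes.items()
                      if user in s.owners | s.members)

    def add_object(self, name, actor, account, device, password) -> None:
        self._safe_for(name, actor).objects[account] = (device, password)

    def retrieve(self, name: str, user: str, account: str) -> str:
        safe = self._safe_for(name, user)
        self.audit.append((user, "retrieve", name, account))
        return safe.objects[account][1]

    def rotate(self, name: str, user: str, account: str,
               policy: PasswordPolicy) -> str:
        safe = self._safe_for(name, user)
        device, _old = safe.objects[account]
        new_pw = generate_password(policy)
        device.set_password(account, new_pw)      # push to the target first;
        safe.objects[account] = (device, new_pw)  # if that raises, the safe
        self.audit.append((user, "rotate", name, account))  # keeps the old one
        return new_pw
```

The ordering in `rotate` matters: if the push to the device fails, the safe still holds the password that actually works on the target, so a failed rotation never locks administrators out.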
The architecture is very secure, a critical point that we don't see often enough in enterprise security products. We found no way for password information to leak, either through the vault or the browser-based interfaces. A host firewall on the PrivateArk server opens a single port and accepts only Cyber-Ark's proprietary protocol.
Reporting is very well executed, though the export options are limited.
Reports are clear and concise. A nice dashboard presents reports and graphs that provide good auditing capabilities to help meet regulatory requirements.
Exporting works smoothly but the format choices disappoint: reports can be exported only to Microsoft Access, Excel or CSV.
EPV is a valuable tool and a maturing product that performs its privileged password management function very well.
Testing methodology: EPV was tested on multiple fully patched and hardened Windows Server 2003 machines and Windows XP workstations. We used a sample database of users and passwords, and scanned the system for weaknesses using standard penetration testing tools and forensic analysis software.