This article can also be found in the Premium Editorial Download "Information Security magazine: Tips for navigating the maze of global security regulations."
Enterprise Password Vault 4.0
REVIEWED BY TOM BOWERS
Price: EPV server, $25,000; user pricing starting at $220 per user
Privileged users hold the keys to your kingdom: passwords that control administrative access to devices and applications across your enterprise. Cyber-Ark's Enterprise Password Vault (EPV) is among a handful of specialized products designed to securely manage these sensitive passwords, controlling privileged accounts across a wide range of client/server and mainframe OSes, switches, databases, etc.
It provides the privileged account controls mandated by regulations, and its central repository makes it an ideal addition to identity/access management projects.
Cyber-Ark expects the four components to be spread across at least two Windows 2003 servers, and we sorely missed an overall architecture diagram to refer to while performing the separate installations.
We were somewhat vexed, for example, when we installed the last component, Password Vault Web Access: we belatedly realized that IIS must be installed on the second server, something the documentation did not mention until that point.
The system is organized around the vault, which contains multiple safes. Each safe is independent and may be connected to one user or group, or many of both. A person in one group or safe cannot see the existence of other safes nor access them without explicit permission. Each safe also has an owner or owners that control access. Via the safe, passwords are synchronized with the end products, such as routers, switches and servers; changing the password in the safe also changes it on them.
Essentially, the EPV takes control of the admin logon function. For example, an admin logs on to the EPV Web interface to retrieve the password object associated with a switch they wish to manage. The object gives them the new password; they log on to the switch and carry out their maintenance. Passwords can be generated according to internal policies and/or regulations such as FFIEC guidance or the Family Educational Rights and Privacy Act.
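To make the vault/safe model described above concrete, here is an added toy model of it in Python. It is illustrative code written for this review, not Cyber-Ark's software or its API: the user names, group names, safe names, target devices and the password policy are all constructed for the example, and the "devices" are a dictionary standing in for real switches and servers. It shows the three properties the text describes: a user sees only the safes they have been granted, only an owner can grant access, and rotating a password updates the managed device and the safe together.

```python
"""Toy model of a vault organised as isolated safes (illustration only,
not Cyber-Ark code). All names, users and policy values are constructed."""
import secrets
import string
from dataclasses import dataclass, field


class AccessDenied(Exception):
    pass


@dataclass(frozen=True)
class Policy:
    """Hypothetical generation policy: minimum length plus at least one
    character from each class (assumed, not taken from any regulation)."""
    length: int = 16
    classes: tuple = (string.ascii_lowercase, string.ascii_uppercase,
                      string.digits, "!@#$%^&*")

    def generate(self) -> str:
        rng = secrets.SystemRandom()
        chars = [rng.choice(c) for c in self.classes]           # one of each class
        alphabet = "".join(self.classes)
        chars += [rng.choice(alphabet) for _ in range(self.length - len(chars))]
        rng.shuffle(chars)                                      # hide the class order
        return "".join(chars)

    def satisfied_by(self, pw: str) -> bool:
        return len(pw) >= self.length and all(any(ch in c for ch in pw) for c in self.classes)


@dataclass
class Safe:
    name: str
    owners: set                                    # users who may grant access
    members: set = field(default_factory=set)      # users or group names with access
    passwords: dict = field(default_factory=dict)  # target -> current password


class Vault:
    def __init__(self, policy: Policy, groups: dict):
        self.policy = policy
        self.groups = groups      # group name -> set of users
        self.safes: dict = {}
        self.devices: dict = {}   # simulated managed targets: target -> password set on it
        self.audit: list = []     # (actor, action, safe, target)

    def _principals(self, user: str) -> set:
        return {user} | {g for g, users in self.groups.items() if user in users}

    def _authorize(self, user: str, safe_name: str) -> Safe:
        # Unknown and unauthorised safes raise the same error, so a user
        # cannot probe for the existence of safes they may not see.
        safe = self.safes.get(safe_name)
        if safe is None or not (self._principals(user) & (safe.owners | safe.members)):
            raise AccessDenied(f"{user} has no access to safe {safe_name!r}")
        return safe

    def create_safe(self, name: str, owners: set, members: set = frozenset()) -> Safe:
        self.safes[name] = Safe(name, set(owners), set(members))
        return self.safes[name]

    def grant(self, owner: str, safe_name: str, principal: str) -> None:
        safe = self._authorize(owner, safe_name)
        if owner not in safe.owners:          # members may use a safe, not share it
            raise AccessDenied(f"{owner} is not an owner of {safe_name!r}")
        safe.members.add(principal)
        self.audit.append((owner, "grant:" + principal, safe_name, None))

    def visible_safes(self, user: str) -> list:
        # Only safes the user holds rights on are listed; the rest stay invisible.
        return sorted(n for n, s in self.safes.items()
                      if self._principals(user) & (s.owners | s.members))

    def rotate(self, actor: str, safe_name: str, target: str) -> str:
        safe = self._authorize(actor, safe_name)
        new_pw = self.policy.generate()
        self.devices[target] = new_pw      # change it on the device (simulated)...
        safe.passwords[target] = new_pw    # ...and record it in the safe, so they never diverge
        self.audit.append((actor, "rotate", safe_name, target))
        return new_pw

    def retrieve(self, actor: str, safe_name: str, target: str) -> str:
        safe = self._authorize(actor, safe_name)
        self.audit.append((actor, "retrieve", safe_name, target))
        return safe.passwords[target]


def is_denied(fn, *args) -> bool:
    """True if the vault's access control refuses the call."""
    try:
        fn(*args)
    except AccessDenied:
        return True
    return False


def build_demo_vault() -> Vault:
    """Constructed scenario: a security admin owns one safe per team."""
    vault = Vault(Policy(), groups={"netops": {"alice"}, "dba": {"bob"}})
    vault.create_safe("net-switches", owners={"secadmin"}, members={"netops"})
    vault.create_safe("db-servers", owners={"secadmin"}, members={"dba"})
    vault.rotate("secadmin", "net-switches", "core-sw-01")
    vault.rotate("secadmin", "db-servers", "oracle-prod")
    return vault


if __name__ == "__main__":
    v = build_demo_vault()
    print("alice sees:", v.visible_safes("alice"))
    print("alice checks out:", v.retrieve("alice", "net-switches", "core-sw-01"))
    print("alice denied on db-servers:", is_denied(v.retrieve, "alice", "db-servers", "oracle-prod"))
```

The order in `rotate` matters in a real product: the device is changed first and the safe updated only once that succeeds, otherwise a failed push leaves the vault holding a password that no longer works. The audit list is what the reporting described later in the review would be built from.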
The architecture is very secure. That is obviously a critical point, but we don't see it often enough in enterprise security products. In our testing we found no way for password information to leak, either through the vault or through the browser-based interfaces. A host firewall on the PrivateArk server protects it, exposing a single port that accepts only Cyber-Ark's proprietary vault protocol.
Reports are clear and concise. A nice dashboard presents reports and graphs that provide good auditing capabilities to help meet regulatory requirements.
The export mechanism is smooth but somewhat limited: reports can be exported only to Microsoft Access and Excel, or as CSV.
Testing methodology: EPV was tested on multiple fully patched and hardened Windows 2003 servers and Windows XP workstations. We used a sample database of users and passwords, and scanned the system for weaknesses using standard penetration testing tools and forensic analysis software.
This was first published in February 2007