Enterprise Password Managers
Published:
Browse All Articles > Enterprise Password Managers
Enterprise Password Manager Suites as well as Local Password managers are covered in this article.
Passwords-Xray by under a Public Domain Work license
This article is an adjunct to
personal password managers article.
Local Admin Passwords
SHIPS is a centralized password administration, targeted at the local administrator passwords of PC's and Servers. The goal of SHIPS is to create unique local admin passwords, that don't have to be known to anyone other than those who are delegated access.
LAPS from Microsoft is very similar to SHIPS, however the storage mechanism for the passwords is in Active Directory as opposed to SHIPS's server/db model. Passwords are stored in plain-text in a restricted and extended AD attribute. That attribute, much like Bit-Locker keys, is well protected.
Rotating these accounts is configurable in the above products, you can have the passwords changed at a scheduled interval or even after the next logon occurs from that account. Depends on the product above. Both products create unique passwords for each account, no more shared passwords.
Full Featured Password Suites - Enterprise
There are many products that offer to do more than just the local passwords, they can manage the 3rd party logins as well. Some with autofill functionality (see my other article), others feature authentication workflows. A authentication workflow is where you don't have access to a resource but want it, you use the Password Access Manager software to request the access. An automated workflow may approve/deny you, or a more manual workflow may require another person to take action with the request. Many people may know the concept if they have used SharePoint, and have been denied access to a certain area, page or site. Often there is an additional option on the access denied page to request access.
In addition to the workflows, the enterprise PM's add a level of auditing and accountability you don't have when sharing accounts ordinarily. If you or I were to logon to a computer with the Local Admin account, all the logs say is *someone* logged on with the local account-x, you and I know the password so each of us could deny we logged on if asked. PM's add their own audit logs to the mix, and they know that it was YOU that logged on using the local account because YOU made the request, and since the password is rotated often, you could not have known the password otherwise. The PM logged you (jdoe) using the credential "account-x", to access "PC-007" at 1-1-2017 06:02:58.
There are too many differentiating factors to get into, but below are about 30 solutions that are for the enterprise:
http://itsecurityleaders.com/wp-content/uploads/2015/09/BeyondTrust-Privileged-Account-Management-Research-Solutions-2015-Gartner-Market-Guide.pdf (2015)
https://www.gartner.com/technology/media-products/newsletters/beyondtrust/1-3B8FB2Z/gartner.html (2016)
Local Admin Passwords
SHIPS is a centralized password administration, targeted at the local administrator passwords of PC's and Servers. The goal of SHIPS is to create unique local admin passwords, that don't have to be known to anyone other than those who are delegated access.
LAPS from Microsoft is very similar to SHIPS, however the storage mechanism for the passwords is in Active Directory as opposed to SHIPS's server/db model. Passwords are stored in plain-text in a restricted and extended AD attribute. That attribute, much like Bit-Locker keys, is well protected.
Rotating these accounts is configurable in the above products, you can have the passwords changed at a scheduled interval or even after the next logon occurs from that account. Depends on the product above. Both products create unique passwords for each account, no more shared passwords.
Full Featured Password Suites - Enterprise
There are many products that offer to do more than just the local passwords, they can manage the 3rd party logins as well. Some with autofill functionality (see my other article), others feature authentication workflows. A authentication workflow is where you don't have access to a resource but want it, you use the Password Access Manager software to request the access. An automated workflow may approve/deny you, or a more manual workflow may require another person to take action with the request. Many people may know the concept if they have used SharePoint, and have been denied access to a certain area, page or site. Often there is an additional option on the access denied page to request access.
In addition to the workflows, the enterprise PM's add a level of auditing and accountability you don't have when sharing accounts ordinarily. If you or I were to logon to a computer with the Local Admin account, all the logs say is *someone* logged on with the local account-x, you and I know the password so each of us could deny we logged on if asked. PM's add their own audit logs to the mix, and they know that it was YOU that logged on using the local account because YOU made the request, and since the password is rotated often, you could not have known the password otherwise. The PM logged you (jdoe) using the credential "account-x", to access "PC-007" at 1-1-2017 06:02:58.
There are too many differentiating factors to get into, but below are about 30 solutions that are for the enterprise:
- Applecross Technologies (www.applecrosstech.com) offers its Privileged User Manager.
- Arcon (www.arconnet.com) offers the Access and Root Control Solution (ARCOS).
- BalaBit (www.balabit.com) offers Shell Control Box.
- BeyondTrust (www.beyondtrust.com a comprehensive range of PAM products under its PowerBroker.
- Bomgar (www.bomgar.com) offers a PSM solution called Bomgar Privileged Access Management.
- CA Technologies (www.ca.com) offers a comprehensive solution of PAM products under the CA Privileged Identity aka ControlMinder.
- Centrify (www.centrify.com) offers Centrify.
- CyberArk (www.cyberark.com) offers a comprehensive range of PAM products .
- Dell (www.dell.com) offers a comprehensive PAM solution
- Enforcive Enterprise Security (www.enforcive.com) .
- Fox Technologies (www.foxt.com) offers BoKS Server Control for Unix and Linux.
- HelpSystems (www.helpsystems.com) offers a PAM based solution.
- Hitachi ID Systems (www.hitachiid.com) offers a unified PAM solution called Hitachi ID Privileged Access Manager.
- IBM (www.ibm.com) offers the IBM Security Privileged Identity Manager (ISPIM).
- Lieberman Software (www.liebsoft.com) offers Enterprise Random Password Manager (ERPM).
- ManageEngine (www.manageengine.com) offers Password Manager Pro (PMP) as a unified PAM solution.
- MasterSAM (www.mastersam.com) offers a PAM solution.
- Micro Focus (NetIQ) (www.netiq.com) offers the NetIQ Privileged User Manager (PUM).
- NRI Secure Technologies (www.nrisecure.com) offers SecureCube Access Check to extend PowerBroker Password Safe from BeyondTrust.
- ObserveIT (www.observeit.com) provides a windows agent solution.
- Oracle (www.oracle.com) offers Oracle Privileged Account Manager (OPAM).
- Osirium (www.osirium.com) offers Osirium Enterprise solution.
- Pitbull Software (www.pitbullsoftware.net) offers its Pitbull KeyHolder .
- RazLee Security (www.razlee.com) offers the iSecurity.
- SecureLink (www.securelink.com) offers a specialized, cloudbased solutions.
- SSH Communications Security (www.ssh.com) offers a PAM solution.
- Thycotic (www.thycotic.com) offers its Secret Server solution.
- Wallix (www.wallix.com) offers Wallix AdminBastion (WAB).
- Xceedium (www.xceedium.com) offers its Xsuite.
http://itsecurityleaders.com/wp-content/uploads/2015/09/BeyondTrust-Privileged-Account-Management-Research-Solutions-2015-Gartner-Market-Guide.pdf (2015)
https://www.gartner.com/technology/media-products/newsletters/beyondtrust/1-3B8FB2Z/gartner.html (2016)
OSCP certified, need I say more?
Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.
Comments (0)