What is access management?
Access management (AM), also known as Identity and Access Management (IAM), is the practice of ensuring people in an organization have appropriate access to technology resources.
Good access management tools ensure your users can access areas of your network/systems needed to do their job whilst ensuring other areas are kept off-limits in order to protect the organization (e.g. data theft) and also to protect the users themselves (e.g. accidental data destruction).
There are lots of access management tools on the market to help you implement your policies, here is our list of the best access management software:
- SolarWinds Access Rights Manager (FREE TRIAL)– Manages resource access through Access Directory and installs on Windows Server.
- PRTG Active Directory Monitor (FREE TRIAL)– An Active Directory monitor that is part of a wider system management tool. Installs on Windows Server.
- ManageEngine AD360 (FREE TRIAL)– An Active Directory interface that runs on Windows Server.
- ManageEngine ADAudit Plus (FREE TRIAL)– An intrusion detection system that uses Active directory as a rights reference.
- Apache Directory – A free LDAP implementation that installs on Windows, Linux, Unix, and Mac OS.
- 389 Directory Server – A free LDAP-based access rights manager that runs on Linux GNOME environments.
- FreeIPA – An LDAP implementation for RHEL Linux and Mac OS. IPA stands for Identity – Policy – Audit.
- LDAP Account Manager – A free LDAP access rights manager for Fedora, Debian, and Suse Linux.
- AWS Directory Service – A cloud-based Active Directory manager provided by Amazon Web Services.
- JumpCloud DaaS – An Active Directory and LDAP blend that is based online but can monitor both Windows and Linux system on your premises.
The following sections give details on each of these options
SolarWinds is a leading producer of IT resource management tools and the Access Rights Manager is a top pick for those who want better control over Active Directory. This tool is only available for the Windows Server environment. However, it is capable of accessing AD directories for a range of services, including Microsoft Exchange Server and NTFS.
The Access Rights Manager keeps track of activities impacting the domain controllers operating on your network. It will alert you if any changes are made to records in the databases of AD. This is an important monitor because accessing Active Directory to change permissions is a strategy used by hackers and malware. The auditing features extend to listing changes to mailboxes, calendars, and shared folders in Microsoft Exchange.
You will be able to change the permissions in AD records through the Access Rights Manager. The interface also allows you to add, suspend, and delete permissions. The tool also includes a self-service module that is web-based and lets users create or alter their own accounts. This is a great cost saver because it reduces the calls to the Help Desk in the case of forgotten passwords.
The tool includes an analysis module, which will report on all of the activities of listed users. This is another cybersecurity feature because it will help you spot anomalous behavior that could signal a compromised account that is being used by a hacker.
A reporting tool in the Access Rights Manager helps you create documentation to demonstrate standards compliance and to communicate with other departments.
The SolarWinds Access Rights Manager is a great identity and access management tool and it will save you time and money when you are creating and monitoring user accounts on your network. The tool is not cheap, but you can get a 30-day free trial to test the system for yourself.
PRTG, by Paessler is one of the major network monitoring tools on the market. Fortunately, this very comprehensive management system is composed of modules, called sensors. You only pay for the sensors that you activate even though the software that you installed contains all of the sensors in the complete system. One of those sensors is an Active Directory monitor. The great thing about the Paessler charging structure is that you can use the software for free if you only activate up to 100 sensors.
So, even though this is a monitoring service with lots of features, you could just turn on the AD sensor and it will cost you nothing. However, if you ever decide to explore the infrastructure monitoring modules, you already have all of the software installed and you just need to turn all the other bits on. If you ever want to try the entire system, you can get free access to it for a 30-day trial.
The PRTG system only runs on Windows Server, so it focuses on monitoring Active Directory. PRTG is purely a monitoring system; it does not include management functions, so you will be able to supervise and audit your Active Directory forest, but you can’t use this tool to update your databases.
This monitor is particularly strong on the prevention, or identification of database replication errors. This tool provider is the only one on this list that stresses the frequency and dangers of faults and link failures that can occur when domain controllers propagate their databases to neighbors in the forest. The PRTG monitor spots differences in access permissions databases around the network and raises alerts to help you get those problems fixed as quickly as possible.
PRTG Active Directory Monitor has strong auditing procedures and would work well in partnership with an AD query and editing tool to provide you with a full identity and access management system.
ManageEngine offers a number of user authentication monitoring system. All of them are based on Active Directory. AD360 is the first of those tools in our list. The focus on Active Directory means that this tool will only be of any use to you on the Windows Server environment, although ManageEngine usually writes all of its software so that it can also run on Linux. This is a very comprehensive AD management system that not only accesses the AD files, but keeps an eye on them to protect them from hacker tampering.
AD360 controls Active Directory coverage of file systems, network resources, Microsoft Office, and Microsoft Exchange Server email systems. It can also track access to cloud-based services through remote domain controllers. The interface of this management tool gives you access to AD records. You can add, delete, alter, and suspend access rights through AD360.
You can create a single sign-on environment through AD360 and employ the tool’s multi-factor authentication management capabilities. The control console layout can be adapted. That makes it possible to give partial views to junior staff and Help Desk staff, so they can complete delegated tasks without getting full access to your user permissions system.
The actions needed to create a new user account are made easier by user templates. These also control the creation of user groups. New accounts can also be created in bulk by loading data from a CSV file. Account suspension and deletion can also be carried out in bulk.
AD360 is a great IAM package that includes auditing, analysis, and reporting tools. ManageEngine lets you take a 60-day free trial of the software so that you can test it out without risk.
ManageEngine ADAudit Plus is a little different to the other access management tools on this list because it is concerned with monitoring activities for the purposes of security rather than enabling access to permission-editing tools for administration.
The key activities of this tool are to track user activities, such as log on and log off times, and failed login attempts. The tool monitors changes on domain controllers and any alterations to the user permissions database of Active Directory. These changes are written to a log to be reported and they will also trigger an alert. Alerts are shown in the software’s dashboard and they can also be sent to you by email. The auditing reporter stores the previous values of the AD directories, making it easy to restore earlier settings.
The audit trail of ADAudit Plus offers you two activity perspectives simultaneously. These are user activities and hardware/file system utilization. These audits record the team member who implemented each data change. For standards compliance, audit data needs to be stored in archives for three years. This is a requirement of HIPAA, PCI-DSS, SOX, GLBA, and FISMA. ADAudit Plus compresses these audit files, while also indexing them for rapid access.
A reporting module includes more than a 150 pre-written report formats, but it is also possible to build your own. Reports can be scheduled to run periodically and they can be mailed out automatically. Reports can be generated in CSV, XLS, HTML, and PDF formats.
The ADAudit Plus tool isn’t free, but you can get it on a 30-day free trial. ManageEngine offers a number of free tools for working Active Directory. These include a CSV Generator, which will extract AD records, the Active Directory Query Tool, the Last Login Reporter, and the AD Replication Manager.
Apache Directory runs on Windows, Linux, Unix, and Mac OS. This is an LDAP implementation, which is the top pick for Linux users. Apache is well-known for its web server system. Apache Directory is open source like Apache HTTP Server, but the two projects are not linked. A big attraction of this access rights management system is that it is free to use.
The software for this application creates two modules. The server part of the package is called Apache DirectoryDS. This is the main engine of the access management system and includes the permissions database. The other part of the package is a client, called Apache Directory Studio. This is the user interface for the directory and enables you to view records. The front-end also gives you the ability to add records, amend them, and delete them.
Other elements can be added onto the basic Apache Directory package. These extensions are all free of charge. Apache Fortress adds attribute and role-based access control and it also facilitates delegated administration and password policy services. Apache Kerby is a Kerberos implementation that adds encryption to your directory communications. Two other options are the Apache Directory API and Mavibot, which is a multi-version concurrency control BTree system (MVCC), written in Java, which could replace the Apache DirectoryDS module.
Apache DirectoryDS uses a multi-master replication system. This means that the database can be distributed, in that different domain controllers contain different records. However, each database can be replicated to make them available in closer proximity to the user access points.
389 Directory Server is a simple but efficient LDAP implementation for Linux. This is a free piece of software developed by the Fedora Project. This is an open source project, so you won’t get any support from the software provider, because it is developed by volunteers on a shoestring budget.
The software download includes a GUI interface for the GNOME environment. However, to get the best out of this service, you should pair it up with a more comprehensive identity and access management tool. The big benefit of LDAP being a protocol, rather than a piece of software is that anyone can develop LDAP applications. As long as it complies with the protocol, it will be compatible with all other software written to those guidelines.
An example of independently-developed companion applications that can work well with 389 Directory Server is the next access management tool in our list.
FreeIPA is a clever combination of LDAP applications developed by others. The directory manager for FreeIPA is 389 Directory Server, which you just read about. The FreeIPA strategy of bundling together compatible free applications is a good idea. The fact that most of this tool is already being used all over the world means those components have all undergone real-world testing and so have been proven to work.
This identity and access management tool can be installed on Red Hat Enterprise Linux (RHEL) and Mac OS. The “Free” in the name speaks for itself and “IPA” stands for “Identity, Policy, and Audit.” That name tells you all of the functions of this application. The “identity” part of the name is covered by the LDAP access permissions database. This is the basic access manager.
For data security conformance, you really need to have auditing functions added to your resource access controller and that’s what Free IPA provides. It also enables you to set system-wide configurations and standardize user access through templates. This is what the “policy” part of the FreeIPA name refers to.
The package includes a user interface that interacts with the 389 Directory Server, providing an easier way to update, add, and remove records than the native front end that is bundled in with the server program. You also get a Kerberos implementation, which will enable you to add encryption and authentication procedures to your access management communications. This extra security is very important if you want to get remote access to domain controllers on other sites, or if you employ cloud resources in your network.
LDAP Account Manager is a free access management tool with a paid alternative, called LDAP Account Manager Pro. Both versions of the software run on Fedora, Debian, and Suse Linux.
The free LDAP Account Manager includes a server, which guards the permissions database and acts as a domain controller. There is also a client program included in the package and that is an interface that enables administrators to add, delete, and alter access permissions.
The paid version of the tool has more functions in it. These include a facility to manage multi-factor authentication and a self-service system that also has a lost password reset feature.
LDAP Account Manager falls short of being an identity and access management tool because it doesn’t include audit functions. However, as this an LDAP implementation, it will be compatible with other LDAP utilities and you could add on audit capabilities from other sources.
AWS stands for Amazon Web Services. This very popular cloud provider offers storage space, Web hosting and a very wide range of services, including a cloud-based Active Directory manager. Although the Directory Service is a great option for those who host their Amazon Web Services or application and file servers on AWS.
AWS’s Active Directory implementation is compliant with HIPAA and PCI DSS requirements because it includes auditing functions to help ensure data integrity. System snapshots are taken daily, but you can also get them on demand at critical points, such as just before an application update.
This AD enables group policy implementation and can also manage a single sign-on strategy. You can merge different server subscription into a single forest, or choose to keep some domain controllers separate.
Although the online platform can be accessed through a browser, making its interface operating system-neutral, the access management service only interacts with Active Directory, so it can only be of use to those operating a Windows environment onsite.
The charging methodology is very scalable because fees are levied as a metered service. The great thing about that is that you don’t have to pick through different subscription plans and worry that you might be locked into a service volume that your business might outgrow. Another great aspect of the charging structure is that you pay at the end of the month once the throughput of the month has been calculated, so you don’t have to pay large amounts of money up front as you would with a yearly subscription plan.
The minimum service level caters to two domains and additional domains are charged at a lower hourly rate. Amazon offers the AWS Directory Service on a 30-day free trial.
JumpCloud Daas is a very interesting service that probably points the way to the future of access management systems. This is an online service, just like the AWS Directory Service. However, unlike the AWS service, JumpCloud can manage your onsite resources and the services of any cloud provider that you integrated into your network.
DaaS stands for “directory as a service.” The concept of this service is that it is just as though you are running Active Directory on your own server, except that all of the processing is actually done on JumpCloud’s server remotely. This is a useful advancement on the traditional AD concept because it means your audit files are automatically written to a remote location, keeping them safe from potential onsite environmental disasters. Your audit data’s safety is the responsibility of JumpCloud.
The JumpCloud service model recognizes that a large part of network activity now happens across the internet. Consider the number of employees that now work off site – agents, delivery staff, client site consultants, artisans, and operatives and add on the growth in telecommuting. You can see how much of your network traffic actually takes place offsite and how often authentication and access rights are really negotiated over the internet. So, moving the Active Directory server to the cloud makes no difference at all to processing efficiency.
Another unusual feature of the JumpCloud service is that it has managed to emulate Active Directory so that it can operate on Linux. This is really a dressed-up LDAP service, but it’s very convincing, and helps you use both Windows and Linux servers in a mixed environment, administered with one skillset.
The JumpCloud DaaS system is well worth the time to investigate and you can use the system for free permanently to server up to 10 users. This is great news for startups and large organizations can use this free service to investigate the system and expand to full coverage once the trial works out well.
Implementing access management
The options on our list should give you plenty to explore. This guide can only give you a taste of each of these great tools, but hopefully, with just the brief descriptions, you can start to narrow down your options, making provisioning decisions a lot easier. All of the tools on this list are either free or offer a free trial, so you won’t waste any money trying out a few off them.
Do you already have an access management system? Which tool did you go for? Have you tried any of the tools on this list? Leave a message in the Comments section below and share your experience with the community.