“Privileged password management” is one of many names for a password administration system. Other terms applied to this type of software include “privileged credential management,” “enterprise password security,” and “enterprise password management.”
If you only have time to learn about the tools we review, here is our list of the best privileged password management tools:
- SolarWinds Passportal (GET DEMO) A cloud-based password manager combined with a document manager.
- ManageEngine Password Manager Pro On-premises password management software that runs on Windows and Linux servers.
- BeyondTrust Password Safe A comprehensive password discovery, management, and session monitoring system.
- Thycotic Secret Server and Privilege Manager A privileged credential vault with auto-discovery, paired with endpoint least-privilege management.
- CyberArk Privileged Access Security This tool discovers and manages privileged accounts and logs session activities.
The concept goes a little further than ordinary password management because it covers more than allocating, changing, and revoking user accounts: privileged password management also involves administering the access rights of teams and roles.
Companies need a range of user account types. A straightforward user account for all employees is not enough. For one thing, systems administrators on any IT resource need greater access to the operating systems and firmware of the equipment on the site than regular users need.
The distinction between admin and user accounts doesn’t fully describe privileged password management. The ability to create more user roles and allocate different access privileges to each will help administrators to create stronger security for all resources in the company’s IT infrastructure.
The increased access of privileged accounts requires stronger controls to ensure that those accounts cannot be hijacked. The password manager therefore needs to enforce long passwords composed of random characters, generated by the tool rather than chosen by people, and to rotate them, both on a schedule and immediately after a credential has been exposed or its holder has left.
Other measures that need to be implemented for privileged accounts are two-factor authentication and resource access logging. At a minimum, the audit log must record who used which privileged account on which resource, and when; recording the actions taken during the session is better still. If a malicious event occurs, other logging systems will record its time, so cross-referencing those records with the list of accounts that were active on the resource at that moment narrows the search for an insider threat or a compromised account.
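The cross-referencing described above, as an added example that is not part of the original page or of any product it reviews: the privileged access log and the security event log are constructed, comma-separated lines, and the pairing of each login with the next logout for the same account and resource is an assumption about the log format.

```python
"""Cross-reference a privileged access log with security events.

Added example, not code from the page or from any vendor it reviews. Both
logs below are constructed, not captured from a real system.
"""
from datetime import datetime

# Constructed privileged-access log: timestamp, account, resource, action.
# An account with a login and no later logout still has its session open.
ACCESS_LOG = """\
2024-03-04T08:55:10Z,svc-backup,db-prod-01,login
2024-03-04T09:02:41Z,alice.admin,db-prod-01,login
2024-03-04T09:31:05Z,alice.admin,db-prod-01,logout
2024-03-04T11:15:00Z,bob.admin,fw-edge-02,login
2024-03-04T11:40:22Z,bob.admin,fw-edge-02,logout
2024-03-04T11:20:00Z,carol.admin,db-prod-01,login
"""

# Constructed events from a separate logging system (database audit log,
# firewall change log, SIEM alert): timestamp, resource, description.
EVENTS = """\
2024-03-04T09:20:00Z,db-prod-01,table customers dumped
2024-03-04T11:30:00Z,fw-edge-02,rule added allowing 0.0.0.0/0 to 3389
2024-03-04T11:45:00Z,db-prod-01,new login with dba role created
"""


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def build_sessions(access_log):
    """Pair login/logout lines into (account, resource, start, end) tuples.
    A session that never logged out gets end=None (still open)."""
    open_sessions = {}
    sessions = []
    for line in access_log.strip().splitlines():
        ts, account, resource, action = line.split(",")
        key = (account, resource)
        if action == "login":
            open_sessions[key] = parse_ts(ts)
        elif action == "logout":
            start = open_sessions.pop(key, None)
            if start is not None:
                sessions.append((account, resource, start, parse_ts(ts)))
    for (account, resource), start in open_sessions.items():
        sessions.append((account, resource, start, None))
    return sessions


def active_at(sessions, resource, when):
    """Accounts holding a session on `resource` at instant `when`."""
    return {
        account for account, res, start, end in sessions
        if res == resource and start <= when and (end is None or when <= end)
    }


def correlate(access_log, events):
    """For every event, list the privileged accounts active on that resource.
    Returns [(timestamp, resource, description, sorted accounts), ...]."""
    sessions = build_sessions(access_log)
    result = []
    for line in events.strip().splitlines():
        ts, resource, desc = line.split(",", 2)
        result.append((ts, resource, desc, sorted(active_at(sessions, resource, parse_ts(ts)))))
    return result


if __name__ == "__main__":
    for ts, resource, desc, accounts in correlate(ACCESS_LOG, EVENTS):
        who = ", ".join(accounts) if accounts else "nobody (look for out-of-band access)"
        print(f"{ts} {resource}: {desc} -> {who}")
```

The output for the constructed data points at two accounts for the customer-table dump and one for the firewall change; an event with no active privileged session is itself a finding, since it means access happened outside the managed accounts.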
Identifying privileged accounts
Even if you are setting up a new company and creating accounts for new staff, you will still have privileged accounts on your system before you have created any new credentials. Many privileged accounts exist without the systems administrator knowing about them. IoT devices and even network equipment are shipped with default management accounts, and even firmware-level accounts, that carry default passwords.
These embedded accounts present a serious security weakness and need to be tightened up by changing the allocated password. Finding those accounts can be difficult and an automated discovery function in the password manager is a great help.
So, stage one when introducing a new privileged password manager is to locate all of those privileged accounts.
The manager needs somewhere to store every credential it takes over. In most cases, direct control over access to a resource is implemented by a controller belonging to that service. For example, Microsoft's Active Directory governs access to a number of Microsoft products, such as Microsoft Exchange Server or SharePoint Server. Usually, a password manager sits on top of the native access rights controllers and coordinates accounts across the enterprise.
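One slice of that discovery stage, as an added example that is not code from the page or from any of the products it reviews: enumerating the privileged and risky local accounts on a Linux host from its passwd, shadow and group files. The three files are constructed to resemble a small host that carries a vendor maintenance account and a passwordless support account; which groups count as administrative and the 90-day age limit are assumptions.

```python
"""Discover privileged and risky local accounts from passwd, shadow and group data.

Added example, not code from the page or from any product it reviews. The
three files below are constructed; a real run would read /etc/passwd,
/etc/shadow and /etc/group (shadow is readable only by root).
"""

# Constructed /etc/passwd: note the second UID-0 account and the vendor
# "support" account, typical of the embedded accounts the text describes.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
toor:x:0:0:vendor maintenance:/root:/bin/sh
support:x:1002:1002:Vendor support:/home/support:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
"""

# Constructed /etc/shadow (hashes abbreviated). Field 3 is the day of the last
# password change counted from 1970-01-01; an empty field 2 means no password.
SHADOW = """\
root:$6$salt$hash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
alice:$6$salt$hash:19780:0:90:7:::
bob:$6$salt$hash:18900:0:90:7:::
toor:$6$salt$hash:18250:0:99999:7:::
support::18250:0:99999:7:::
backup:*:19700:0:99999:7:::
"""

# Constructed /etc/group.
GROUP = """\
root:x:0:
sudo:x:27:alice,support
wheel:x:10:bob
adm:x:4:alice
"""

ADMIN_GROUPS = {"root", "sudo", "wheel", "admin"}  # assumption: what counts as privileged
MAX_PASSWORD_AGE_DAYS = 90                          # assumption: the site's rotation limit


def parse_colon_file(text, min_fields):
    """Split a passwd/shadow/group style file into lists of fields."""
    rows = []
    for line in text.strip().splitlines():
        fields = line.split(":")
        if len(fields) >= min_fields:
            rows.append(fields)
    return rows


def find_privileged_accounts(passwd, shadow, group, today_days):
    """Return {account: [reasons]} for each account that is privileged or whose
    credential state is risky. `today_days` is today's date as days since the
    Unix epoch, the unit used by the shadow last-change field."""
    findings = {}

    def flag(user, reason):
        findings.setdefault(user, []).append(reason)

    # 1. Explicit membership of an administrative group.
    for name, _pw, _gid, members in parse_colon_file(group, 4):
        if name in ADMIN_GROUPS:
            for member in filter(None, members.split(",")):
                flag(member, f"member of {name}")

    # 2. Any UID-0 account is a superuser, whatever it is called.
    for name, _pw, uid, *_ in parse_colon_file(passwd, 7):
        if uid == "0":
            flag(name, "UID 0" if name == "root" else "UID 0 (extra superuser account)")

    # 3. Credential state: no password at all is a finding on any account;
    #    stale passwords are assessed only on the privileged ones, and locked
    #    hashes ("!" or "*" prefix) are skipped.
    for name, pw_hash, last_change, *_ in parse_colon_file(shadow, 5):
        if pw_hash == "":
            flag(name, "no password set")
        elif name in findings and not pw_hash.startswith(("!", "*")):
            age = today_days - int(last_change)
            if age > MAX_PASSWORD_AGE_DAYS:
                flag(name, f"password {age} days old")
    return findings


if __name__ == "__main__":
    # 19800 days after the epoch is 18 March 2024.
    for user, reasons in sorted(find_privileged_accounts(PASSWD, SHADOW, GROUP, 19800).items()):
        print(f"{user:10} {'; '.join(reasons)}")
```

On the constructed host this surfaces the extra superuser `toor`, the passwordless `support` account that is also in `sudo`, and three privileged passwords older than the limit; the same logic applied against every host, directory and device in the estate is what the discovery feature of a password manager automates.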
As the controlling access rights system is resident locally, storing the privileged password manager's vault in the same location loses the opportunity for an off-site copy that could be used for disaster recovery.
Wherever the password manager is installed, it is a good idea to keep a copy of its data store in a different location: a server on a remote site or rented storage space on a cloud server. That copy must be encrypted, with the encryption key held apart from the store itself.
Cloud-based privileged password management tools have a double advantage: they are bundled with remote storage space, and they are charged by subscription rather than as a full software fee that would need to be paid upfront.
Abandoned accounts present opportunities for intruders and accounts that have high access privileges save hackers a lot of time and effort. Identifying those accounts and closing them is an important task for a privileged account manager. Accounts that rarely change their passwords are also vulnerable.
Privileged password managers should include enforced password changes and a system to ensure that strong passwords are used on those accounts.
Accounts previously used by staff who have left the company are easy to spot. However, the definition of abandoned accounts also applies to those accounts that were created but never used by users who are still on the payroll. Those accounts are harder to spot just by scanning through the records of HR. An activity logging system has a better chance of highlighting accounts that are not active.
A large organization with several IT support departments on different sites has a strong possibility of creating more than one account for the same person to access the same system. Those extra, unused user accounts offer opportunities for intruders.
Centralizing the administration of passwords and maintaining a searchable register of employees with user accounts, keyed on a unique employee identifier rather than a name, should reduce the incidence of duplicated accounts. Privileged password managers give administrators the ability to keep tight control over the allocation of user accounts.
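The account clean-up described in the preceding paragraphs, as an added example that is not code from the page or from any product it reviews: an account inventory is joined to the HR roster to flag accounts whose owner has left or is unknown, accounts created but never used, accounts idle beyond a limit, and owners holding more than one account on the same system. Both data sets are constructed, and the 90-day idle limit is an assumption.

```python
"""Flag abandoned, idle and duplicated accounts by joining an account
inventory to the HR roster.

Added example, not from the page or any product it reviews. Both data sets
are constructed; in practice the inventory would be exported from the
password manager or directory and the roster from the HR system.
"""
from datetime import date

# Constructed HR roster keyed on employee ID, the unique key a central
# register should use, since names are neither unique nor stable.
ROSTER = {
    "E100": {"name": "Alice Smith", "status": "active"},
    "E101": {"name": "Bob Jones", "status": "left"},
    "E102": {"name": "Carol Diaz", "status": "active"},
}

# Constructed account inventory. last_login None means never used.
ACCOUNTS = [
    {"account": "alice.admin", "system": "ad", "owner": "E100", "created": "2022-01-10", "last_login": "2024-03-01"},
    {"account": "asmith_adm", "system": "ad", "owner": "E100", "created": "2023-06-02", "last_login": "2023-06-02"},
    {"account": "bob.admin", "system": "ad", "owner": "E101", "created": "2021-05-05", "last_login": "2023-11-20"},
    {"account": "carol.dba", "system": "oracle", "owner": "E102", "created": "2023-09-15", "last_login": None},
    {"account": "svc-legacy", "system": "linux", "owner": "E999", "created": "2019-02-01", "last_login": "2024-02-28"},
    {"account": "carol.admin", "system": "ad", "owner": "E102", "created": "2022-03-03", "last_login": "2023-10-01"},
]


def review_accounts(accounts, roster, today, max_idle_days=90):
    """Classify accounts. Each account lands in at most one of the first three
    buckets (orphaned beats never_used beats idle); duplicates are reported
    separately as {(owner, system): [accounts]} for every owner holding more
    than one account on the same system."""
    report = {"orphaned": [], "never_used": [], "idle": [], "duplicates": {}}
    per_owner_system = {}
    for acct in accounts:
        name, owner = acct["account"], acct["owner"]
        per_owner_system.setdefault((owner, acct["system"]), []).append(name)

        person = roster.get(owner)
        if person is None or person["status"] != "active":
            report["orphaned"].append(name)  # unknown owner, or owner has left
        elif acct["last_login"] is None:
            age = (today - date.fromisoformat(acct["created"])).days
            report["never_used"].append((name, age))  # created, never logged in
        else:
            idle = (today - date.fromisoformat(acct["last_login"])).days
            if idle > max_idle_days:
                report["idle"].append((name, idle))

    report["duplicates"] = {k: v for k, v in per_owner_system.items() if len(v) > 1}
    return report


if __name__ == "__main__":
    for bucket, items in review_accounts(ACCOUNTS, ROSTER, date(2024, 3, 15)).items():
        print(f"{bucket}: {items}")
```

The join is on employee ID rather than name, which is why `asmith_adm` is caught as a second account for the same person even though the two usernames do not resemble each other.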
Account management oversight
One problem of focusing all account controls in one application in one location and giving access to those controls to a very limited number of people is that those favored administrators accumulate a lot of power. That power can be abused. The actions of administrators in charge of managing privileged accounts need to be supervised.
The oversight of password management administrators doesn’t require a company director to watch over the shoulder of IT technicians all day. Logging and auditing functions built into the privileged password management tool should take care of that.
Naturally, password manager access and the actions occurring in each session need to be analyzed. So, the company needs a security officer who is able to deploy further tools to spot malicious activity. Those investigations will be greatly aided by a security information and event management (SIEM) tool.
These auditing functions are essential if the company is implementing a data protection standard. User account controls are stipulated in many data security standards, such as HIPAA and PCI DSS.
Password policy consistency
Even highly experienced and qualified staff sometimes make mistakes, and computers are much better at performing repetitive administration tasks faultlessly. Privileged password management systems can periodically audit password records, monitor account login sessions, trigger alerts, write to logs, and shut down suspicious activity.
A privileged password manager should be able to help you formulate a password policy and should also have the utility to implement those decisions through settings and automated workflows. Tight password policies, accurate policy implementation, activity tracking, and automated remediation are also essential services for system security.
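The policy settings discussed above and in the earlier paragraphs on strong, random, regularly rotated passwords, expressed as an added example that is not code from the page or from any product it reviews: a policy object, a checker that reports each violation, a generator that draws from the OS random source and guarantees every character class is present, and a rotation-due test. The 24-character minimum, the 90-day rotation interval and the symbol set are assumptions; a real policy would also honour the character limits of each target system.

```python
"""Define a privileged-password policy, check candidates against it,
generate compliant passwords, and decide when rotation is due.

Added example, not from the page or any product it reviews. The concrete
numbers and the symbol set are assumptions.
"""
import secrets
import string
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 24
    max_age_days: int = 90
    # Character classes every password must draw from. The symbol set is
    # kept conservative because some devices reject quotes and backslashes.
    classes: tuple = (
        ("lowercase", string.ascii_lowercase),
        ("uppercase", string.ascii_uppercase),
        ("digit", string.digits),
        ("symbol", "!@#$%^&*()-_=+[]{}:,.?"),
    )


def check_password(password, account, policy=PasswordPolicy()):
    """Return a list of policy violations; an empty list means compliant."""
    violations = []
    if len(password) < policy.min_length:
        violations.append(f"too short ({len(password)} < {policy.min_length})")
    for name, chars in policy.classes:
        if not any(c in chars for c in password):
            violations.append(f"no {name} character")
    if len(account) >= 3 and account.lower() in password.lower():
        violations.append("contains account name")
    return violations


def generate_password(policy=PasswordPolicy(), account="", length=None):
    """Generate a random password that satisfies `policy` for `account`.
    One character is drawn from each class first so coverage is guaranteed;
    the rest comes from the union of all classes, then the whole is shuffled."""
    length = length or policy.min_length
    if length < policy.min_length:
        raise ValueError("requested length is below the policy minimum")
    rng = secrets.SystemRandom()  # OS CSPRNG, never random.Random
    alphabet = "".join(chars for _, chars in policy.classes)
    while True:
        chars = [rng.choice(c) for _, c in policy.classes]
        chars += [rng.choice(alphabet) for _ in range(length - len(chars))]
        rng.shuffle(chars)
        candidate = "".join(chars)
        if not check_password(candidate, account, policy):  # e.g. rejects an embedded account name
            return candidate


def rotation_due(last_changed, today, policy=PasswordPolicy()):
    """True once the credential is at least max_age_days old."""
    return (today - last_changed).days >= policy.max_age_days


if __name__ == "__main__":
    policy = PasswordPolicy()
    print(generate_password(policy, account="alice.admin"))
    print(check_password("Passw0rd!", "alice.admin", policy))
    print(rotation_due(date(2024, 1, 1), date(2024, 3, 31), policy))
```

Because the checker and the generator share one policy object, the same rules that reject a hand-chosen password also constrain what the tool hands out, which is the consistency the paragraph above asks for.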
Implementing privileged password management
Many system administrators still rely on spreadsheets to record user accounts and passwords. Nowadays, the risk of litigation triggered by data disclosure means that these manual systems just aren’t sufficient anymore.
Just as manual password management processes aren’t viable, manually planning the implementation of a comprehensive privileged password management system isn’t good enough. You need to choose a password management tool and use it to clear up historical account errors, such as duplicated accounts and to search the company’s IT resources for hidden, embedded privileged accounts.
A comprehensive password manager should be able to guide the administrator through the process of defining a comprehensive password policy and should also be able to implement that strategy.
Going forward, once the system has been cleaned up and policies are in place, the password manager will take care of most of the account administration tasks. It will take a lot of the strain off your technical staff and provide accountability for auditing and data protection conformance.
The best privileged password management tools
There are many password management tools available and not all of them are good. It can take a lot of time to investigate all of the password managers for suitability. The following shortlist of five excellent privileged password managers will help you find the ideal system for your company in a short space of time.
You can read more about each of these options in the following sections.
SolarWinds Passportal is a cloud-based password manager, charged by subscription, that is paired with a document management tool plus secure cloud storage space. The package is covered by encryption for all communication between the client site and the Passportal servers. Storage space is also secured by encryption.
The Passportal system includes an auto-discovery function that discovers all applications and resources on Windows-managed systems where password protection is implemented. The service then compiles its own register, referring to the local Active Directory system. Once that setup phase has been completed, you can implement your password policy in the Passportal interface and all those changes immediately get rolled out to Active Directory.
The password management system includes a password generator to create complicated passwords from random strings of characters. It can enforce password rotation and implement those changes automatically. It can also implement multi-factor authentication. The tool will also update the system tools on your network that require privileged access so that they have the new password available to them.
The service includes an auditing and reporting module, which is able to demonstrate the freshness of passwords and their usage.
An add-on available with this password manager, called Passportal Blink, is a self-service portal that enables users to reset their passwords when they forget them. That feature will substantially reduce the number of support calls that your IT team has to field. You can get a closer look with a free demo.
Password Manager Pro is probably the best on-premises privileged password management system around. The software installs on Windows and Linux systems, but its operations extend beyond the host on which it is installed. The manager includes an autodiscovery tool, which tracks down all of the resources in the business that require passwords and compiles a password register from information about system users. The discovered passwords are stored in an encrypted vault.
This password manager can also administer passwords on Windows, Linux, macOS, Unix, Oracle, Sybase, MySQL, SQL Server, Juniper Networks, and Cisco Systems devices. It is able to enforce password renewal and implement multi-factor authentication, and it also includes session logging and access monitoring.
It is possible to use the Password Manager Pro for free permanently. However, the free version of the manager is limited to the monitoring of ten resources. There are three paid editions: Standard, Premium, and Enterprise. ManageEngine offers a 30-day free trial of the Enterprise edition with a limit of two administrators.
Password Safe from BeyondTrust is a cloud-based password management service. This tool has an autodiscovery feature that will find all of the account-protected resources and all of the passwords issued against them. The discovered passwords get stored in an encrypted, secure password vault. That autodiscovery continues throughout the service life of the software and stems from contact with the local access rights controllers on the client’s system. The interaction with those controllers keeps them updated with any changes made in the Password Safe dashboard.
The password manager tracks down embedded accounts and brings them under management, so that their default passwords get replaced. It also enforces strong passwords and periodic password renewal. The tool can monitor resources both on the client's site and in the cloud, and the application is itself a cloud resource.
Auditing and reporting functions in the tool monitor the sessions of privileged users, leaving an audit trail that helps show compliance with data protection standards. The service provides the same level of protection for non-privileged accounts. The auditing and logging features feed into an analysis module that helps systems designers spot weaknesses in the security of the network.
Thycotic produces a number of account protection systems, and two of those are particularly relevant in the search for the best privileged password management tools. The first is Secret Server, which includes an autodiscovery process that gathers all privileged accounts and stores their passwords in a secure vault. This tool is available as on-premises software or as a cloud-based service.
Secret Server covers network devices, security devices, software, virtualization platforms, and databases. It also enforces password rotation for network accounts and logs the activities of privileged accounts.
The second tool of interest for privileged password management is Privilege Manager. This tool focuses on protecting privileged accounts that have access to endpoints and system applications. Privilege Manager is available for installation or as a cloud service. The tool monitors computers running Windows and macOS. It controls accounts and logs account activities.
Both Secret Server and Privilege Manager can be tested on free trials.
CyberArk has several password management products. The one that has the widest coverage is the Core Privileged Access Security system (PAS). This package is a bundle of CyberArk products: Enterprise Password Vault, Privileged Session Manager, and Privileged Threat Analytics. The software can be installed on-premises or accessed as a cloud service.
The PAS system is able to scan a client’s system for resources that require access credentials and it then interfaces with the local access rights system to acquire all of the privileged account passwords and stores them in a vault.
The service can enforce password rotation, and it constantly monitors activity, logging the actions taken with each privileged account. Other features of this system are risk assessment and automated threat remediation, capabilities usually encountered in an intrusion prevention package.
Choosing a privileged password management tool
Protecting privileged accounts is essential for any business because failure to protect the business’s data and information held on the system about others can create legal problems. Data loss can lose your company its trade secrets, it can get you sued by the people whose information you store and it can also get you fines from authorities. Data protection is often a pre-requisite in order to be allowed to bid for work and non-compliance with data security standards can lose you customers.
The five privileged password management systems in this guide are the industry leaders. If you spent time looking at the entire selection of software tools in this category, you would most likely end up shortlisting these same five. Check out the demos and free trials that these services offer in order to decide which to buy.