Comparison Report on Password Management Vaults

Brief Description with Comparison for CyberArk's Enterprise Password Vault, Thycotic Secret Server and NetIQ Privileged Access Manager Software


The Cyber-Ark Enterprise Password Vault, or EPV

Cyber-Ark is a high-end password management powerhouse. This product helps administrators manage privileged account passwords across several major platforms using a FIPS 140-2 validated cryptographic module. The Vault also keeps critical password information secure using AES 256-bit encryption, along with solid auditing and tracking.

Installation and deployment of this system is almost plug-and-play. Once we did some initial configuration on the appliances, we were up and running. The web-based management interface is simple and intuitive to use, and a clear, organized dashboard provides a quick overview of managed systems by type, along with password usage statistics.

Flexibility and granularity are the best way to describe the performance of this system. The EPV can manage almost any system or service account. Some of these include operating systems, such as UNIX, Linux, AS/400, MVS and Windows; databases, such as Sybase, Oracle, MS Access and MS SQL; firewalls, such as Cisco, Checkpoint and Juniper; and network devices, routers and key systems, such as LDAP and Active Directory. This flexibility ensures solid and secure management of all critical accounts across the entire environment.

Documentation provided with the EPV includes an installation and upgrade guide, an implementation guide and an application identity management guide. All of these were very well organized and included many screen shots and configuration examples.

Cyber-Ark provides no-cost basic support for the Enterprise Password Vault via access to the online knowledge base and customer portal for a minimum of two years from the date of purchase. Customers can also have access to phone- and email-based support as part of a support agreement.

With a price starting at $21,000, this product may seem quite pricey. However, we find it to be a solid value for the money.

The EPV gives a high amount of granularity and flexibility across an entire enterprise of systems and accounts.



NetIQ Privileged Account Manager

The NetIQ Privileged Account Manager offers a four-tiered approach to managing privileged access. This product allows for privilege elevation in order to complete a task, management of shared credentials through policy and approval workflows, management of privileged remote sessions with a system and, finally, management of application-to-application passwords and credentials. This comprehensive approach allows for thorough management and securing of privileged accounts and their associated passwords.

This tool comes as a software-based install that can be set up on a Windows server within the environment. The installation is quite straightforward and also includes a MySQL database backend, which is suitable for most deployments. At the conclusion of the install, all other management is done via a web-based management interface. We found this interface to be easy to use, with an intuitive navigation structure and clean layout. From a configuration perspective, this product can pull systems in from Active Directory, or systems can be added manually. Once systems are configured within the interface, access to systems and accounts can be granted to Active Directory users or groups, providing easy integration with the existing infrastructure. On the user side, users access Privileged Account Manager via a web-based user interface. This interface has an intuitive tab-top design and allows for easy navigation to access systems using RDP or SSH with one click, without exposing credentials to users.

This product includes excellent auditing and reporting features. All sessions are fully logged and can be reported on directly within the management console. Event logs are broken down and color-coded to provide more clarity on event types and to make finding unauthorized behavior easy. Security administrators can also access full session recordings that include bookmarked keylogging so that it is quick and easy to get directly to the point when a change is made. Further, administrators can shadow a session without users knowing they are there and terminate the session in the case of unauthorized activity.

Documentation includes an installation guide and an administrator guide, both in PDF format. These are well-organized and include many clear, step-by-step instructions. However, there was a lack of diagrams, screen shots and other visuals to enhance and clarify configuration procedures. This can cause a bit of confusion during installation or configuration, resulting in later troubleshooting.

NetIQ includes the first year of basic support as part of the purchase price of the product. Basic support includes 8/5 phone- and email-based technical support as well as access to a small assistance area on the website which includes product documentation and a knowledge base. After the first year, support can be renewed as part of an annual agreement, which starts at $31 per managed endpoint. Premium 24/7 technical support is also offered at a higher cost.

At a price of $150 per managed endpoint, we find this product a reasonable value for the money. The NetIQ Privileged Account Manager provides a good amount of easy-to-use functionality with some solid reporting and auditing features.




Thycotic Secret Server

Thycotic Secret Server offers highly scalable, distributed privileged account management. It is built on top of a secure vault that can not only lock up credentials, but can also be used to secure certificates and other valuable documents, as well as control access through policy and auditing. It also features credential check-out, remote session management and randomizing of passwords for privileged accounts. Customizable workflows can be designed to easily integrate this product directly into any environment, including being able to launch a session – such as a remote desktop client – without ever showing the credentials to the end user at all.

This solution comes as a software-based install and only requires that it be loaded onto a Windows Server with IIS installed. It also requires SQL Server for the backend database, but that can be installed locally or as part of an enterprise cluster. After installation is complete, all management is done via a web-based management console. This is well-organized, and the layout is intuitive to navigate. Secret Server also fully integrates with Active Directory to pull in users and groups for setting access policy. From the user side, all access to assigned accounts, systems and passwords is done through an equally intuitive web interface. Users can also access systems directly with Remote Desktop and PuTTY while still working within Secret Server.

Scale, distribution and integration are all strong points. The Thycotic Secret Server can be easily deployed in multiple locations or across several servers and configurations, and it can be easily pushed out using the distributed engine. Aside from being easily scalable, this offering is also easily integrated for managing service accounts, with scripted password changing and API-level integration to remove clear-text passwords from configuration files. Credentials can also be managed directly for vulnerability scanners, ensuring credential-based scanning is properly managed. Finally, it can be directly integrated into ticketing systems to allow for full process and change management. All of these functions, plus all user activity, are logged and archived for auditing, including session recordings of user RDP and SSH sessions.
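The check-out, password-randomizing and "no clear-text passwords in config files" behaviour described for Secret Server above (and the similar credential workflow in the earlier paragraphs) can be made concrete with a small model. This is an added example written for this page, not Thycotic's or NetIQ's code or API; the `Vault` class, its method names and the `vault:<name>` reference syntax are all hypothetical, and the sample secret names are constructed.

```python
import secrets
import string
from dataclasses import dataclass, field

# Constructed, minimal model of the vault workflow the review describes: exclusive
# credential check-out, check-in that randomizes the password, an audit trail, and
# "vault:<name>" config references. All names are hypothetical, not a vendor's API.

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"

def random_password(length: int = 24) -> str:
    """Draw the new password from a CSPRNG (secrets, never random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

@dataclass
class Vault:
    store: dict = field(default_factory=dict)        # name -> current password
    checked_out: dict = field(default_factory=dict)  # name -> holding user
    audit: list = field(default_factory=list)        # (actor, action, name)

    def add(self, name: str, password: str) -> None:
        self.store[name] = password
        self.audit.append(("system", "add", name))

    def checkout(self, user: str, name: str) -> str:
        """Exclusive check-out: a second user is refused until check-in."""
        holder = self.checked_out.get(name)
        if holder is not None and holder != user:
            self.audit.append((user, "checkout-denied", name))
            raise PermissionError(f"{name} is checked out by {holder}")
        self.checked_out[name] = user
        self.audit.append((user, "checkout", name))
        return self.store[name]

    def checkin(self, user: str, name: str) -> None:
        """Check-in rotates the password, so the value shown to the user dies."""
        if self.checked_out.get(name) != user:
            raise PermissionError(f"{user} does not hold {name}")
        del self.checked_out[name]
        self.store[name] = random_password()
        self.audit.append((user, "checkin-rotate", name))

    def resolve_config(self, app: str, config: dict) -> dict:
        """Resolve 'vault:<name>' values at runtime; the file keeps only the reference."""
        resolved = dict(config)
        for key, value in config.items():
            if isinstance(value, str) and value.startswith("vault:"):
                self.audit.append((app, "app-fetch", value[6:]))
                resolved[key] = self.store[value[6:]]
        return resolved
```

Every disclosure (to a user or to an application) lands in `audit`, which is the record an administrator would report on; a denied check-out is logged too, since that is the event worth alerting on.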

Documentation includes installation, getting-started and full user guides. We found all documentation to be well-organized and easy to follow, with clear, step-by-step configuration instructions. It also includes an excellent amount of detail and screen shots.

Thycotic offers full standard phone-, email- and ticket-based technical support 12/7 at no additional cost. Customers also have access to a large online assistance portal which includes resources such as an online community and moderated user forum, knowledge base and full product documentation downloads. Premium 24/7 support is also available at an additional subscription cost of $2,500 per year.

At a price starting at $5,000, this product is an excellent value for the money. The Thycotic Secret Server provides high functionality and high scalability at a reasonable starting price. Couple that with really good, no-cost technical support and this product can be a great investment for almost any environment.