Comparison for CyberArks Enterprise Password Vault, Thycotic Secret Server and NetIQ Privileged Access Manager Software
The Cyber-Ark Enterprise Password Vault, or EPV, Cyber-Ark is a high-end password management powerhouse. This product helps administrators manage privileged account passwords across several major platforms using an advanced FIPS 140-2 validated cryptography module. This Vault also keeps critical password information secure using AES 256-bit encryption, along with solid auditing and tracking.
Installation and deployment of this system is almost plug-and play. Once we did some initial configuration on the appliances, we were up and running. The web-based management interface is simple and intuitive to use, and a clear and organized dashboard provides a quick overview of managed systems by type, along with password usage statistics.
Enterprise Vault Management-
Flexibility and granularity is the best way to describe the performance of this system. The Enterprise Password Vaults can manage almost any system or service account. Some of these include operating systems, such as UNIX, Linux, AS/400, MVS and Windows; databases, such as Sybase, Oracle, MS Access and MS SQL; firewalls, such as Cisco, Checkpoint and Juniper; and network devices, routers and key systems, such as LDAP and Active Directory. This high amount of flexibility assures solid and secure management of all critical accounts across the entire environment.
Documentation provided with the Enterprise Password Vault includes an installation and upgrade guide, an implementation guide and an application identity management guide. All these were very well organized and included many screen shots and configuration examples.
Cyber-Ark provides no-cost basics Support for the Enterprise Password Vault via access to the online knowledge base and customer portal for a minimum of two years from the date of purchase. Customers can also have access to phone and email-based support as part of a support agreement.
With a price starting at $21,000, this product may seem quite pricey. However, we find it to be a solid value for the money. The Enterprise Password Vaults gives a high amount of granularity and flexibility across an entire enterprise of systems and accounts.
NetIQ Secret Server:
The NetIQ Privileged Account Manager offers a four-tiered approach to managing privileged access. This product allows for privilege elevation in order to complete a task, management of shared credentials through the use of policy and approval workflows, manage privileged remote sessions with a system and, finally, manage application-to-application passwords and credentials. This comprehensive approach allows for ultimate management and securing of privileged accounts and their associated passwords.
This tool comes as a software-based install that can be set up on a Windows server within the environment. The installation is quite straightforward and also includes a MySQL database backend, which is suitable for most deployments. At the conclusion of the install, all other management is done via a web-based management interface. We found this interface to be easy to use with an intuitive navigation structure and clean layout.
From a configuration perspective, this product can pull systems in from Active Directory or systems can be added manually. Once systems are configured within the interface, access to systems and accounts can be done using Active Directory users or groups, as well as providing easy integration with the already existing infrastructure.
On the user side, users access the Privileged Account Manager via a web-based user interface. This interface has an intuitive tab-top design and allows for easy navigation to access systems using RDP or SSH with one click and without exposing credentials to users.
This product includes excellent auditing and reporting features. All sessions are fully logged and can be reported on directly within the management console. Event logs are broken down and colour-coded to provide more clarity on event types and to make finding unauthorized behaviour easy.
Security administrators can also access full session recordings that include bookmarked keylogging so that it is quick and easy to get directly to the point when a change is made. Further, administrators can shadow a session without users knowing they are there and terminate the session in the case of unauthorized activity.
NetIQ includes the first year of basic support as part of the purchase price of the product. Basic support includes 8/5 phone- and email-based technical support as well as access to a small assistance area on the website which includes product documentation and a knowledge base. After the first year, support can be renewed as part of an annual agreement, which starts at $31 per managed endpoint. Premium 24/7 technical support is also offered at a higher cost.
At a price of $150 per managed endpoint, we find this product a reasonable value for the money. The NetIQ Privileged Account Manager provides a good amount of easy to use functionality with some solid reporting and auditing features.
Thycotic Secret Server:
It offers high scale distributed privileged account management. It is built on top of a secure vault that can not only lock up credentials but can be used to secure certificates and other valuable documents as well as control access through policy and auditing. Customizable workflows can be designed to easily integrate this product directly into any environment, including being able to launch a session – such as a remote desktop client – without ever showing the credentials to the end-user at all.
This solution comes as a software-based install and only requires that it be loaded onto a Windows Server with IIS installed. It also requires SQL Server for the backend database, but that can be installed locally or as part of an enterprise cluster. After installation is complete, all management is done via a web-based management console. This is well-organized and the layout is intuitive to navigate. Secret Server also fully integrates with Active Directory to pull in users and groups for setting access policy. From the user side, all access to assigned accounts, systems and passwords is done through an equally intuitive web interface. Users can also access systems directly with Remote Desktop and Putty while still working within the Secret Server.
Scale, distribution and integration are all strong points. The Thycotic Secret Server can be easily deployed in multiple locations or across several servers and configurations. It can be easily pushed out using the distributed engine. Aside from being easily scalable, this offering is also easily integrated for managing service accounts with scripted password changing and API level integration to remove clear text passwords out of configuration files.
Credentials can also be managed directly for vulnerability scanners, ensuring credential-based scanning is properly managed. Finally, it can be directly integrated into ticketing systems to allow for full process and change management. All of these functions, plus all user activity, is logged and archived for auditing, including session recordings of user RDP and SSH sessions.
Thycotic offers full standard phone-, email- and ticket-based technical support 12/7 at no additional cost. Customers also have access to a large online assistance portal which includes resources such as an online community and moderated user forum, knowledge base and full product documentation downloads. Premium 24/7 support is also available at an additional subscription cost of $2,500 per year.
At a price starting at $5,000, this product is an excellent value for the money. The Thycotic Secret Server provides high functionality and high scalability at a reasonable starting price. Couple that with really good, no-cost technical support and this product can be a great investment for almost any environment.