EXECUTIVE VIEW. CA Privileged Identity Manager. KuppingerCole Report

Transcription

1 KuppingerCole Report EXECUTIVE VIEW by Alexei Balaganski March 2015 is a comprehensive Privileged Identity Management solution for physical and virtual environments with a very broad range of supported target systems and impressive integration capabilities. by Alexei Balaganski ab@kuppingercole.com March 2015 Content 1 Introduction Product Description Strengths and Challenges Copyright... 5 Related Research Leadership Compass: Privilege Management Advisory Note: Privilege Management 70736

2 1 Introduction CA Technologies is a multinational publicly held software company headquartered in New York, USA. Founded in 1976 to develop and sell mainframe software, over the decades CA Technologies has grown significantly via a series of strategic acquisitions. Although it used to produce consumer software, currently CA Technologies is a major player in the B2B segment, offering a wide range of products and services for mainframe, cloud and mobile platforms in such areas as security, infrastructure management, automation and DevOps. The company employs over 13,000 people and reported revenues over $4.5bln in 2014, making it a Fortune 500 company and one of the world s largest independent software corporations. CA Technologies is a market leader in Identity and Access Management, providing a complete identity management ecosystem with its ca Securecenter portfolio. is the part of this portfolio responsible for Privileged Identity Management in both physical and virtual environments, providing such functionality as credentials management for shared accounts, user activity audit and fine-grained segregation of duties across the whole enterprise. Ongoing trends within the IT industry, such as continued deperimeterization of corporate networks, growing adoption of virtualization technologies, as well as increasing sophistication of advanced persistent threats have made the task of protecting sensitive corporate information more and more difficult. Since traditional perimeter security tools like firewalls are no longer efficient against hackers, the focus of information security has gradually shifted towards defense against insider threats, and privileged accounts continue to be the primary target for these threats. It is well known that compromised administrator credentials have been the cause of most recent data breaches, including the notorious NSA leak. Pressured by the increasing complexity of IT environments, rapidly growing cybercriminal activity, and the growing number of compliance regulations, IT security specialists are in desperate need of reliable and comprehensive tools to control and manage privileged identities. No wonder that PxM solutions have grown from a niche market into a mandatory component for every enterprise security infrastructure. The competition among PxM vendors is still strong, with innovative technologies being constantly developed, and CA Technologies is definitely one of the veteran players in this market. CA Technologies solutions are known for the broadest range of supported systems, including the most exotic and legacy ones, and a high degree of integration between individual products. is a comprehensive and mature solution that fits well in most organizations, especially those maintaining heavily virtualized environments. In KuppingerCole s Leadership Compass on Privilege Management 1 has been recognized as one of the overall leaders. Although current support for cloud PaaS platforms is limited, broader adoption of IaaS and PaaS is a strategic part of CA Technologies roadmap, so for organizations developing a long-term PxM deployment plan is definitely an obvious contender. 1 Page 2 of 6

3 2 Product Description is a suite that provides a comprehensive solution for privileged identity management in physical and virtual environments. enables centralized control and management of privileged user access to a broad range of servers, network devices and applications, provides fine-grained access controls beyond the native capabilities of operating systems and maintains accountability by providing an audit trail of all administration activities. Thus, CA Privileged Identity Manager helps to improve security and data protection, reduce administration costs and maintain regulatory compliance. The suite consists of the following components, which can be licensed separately or in various combinations: Shared Account Management: this core module provides secure storage and access to privileged user credentials. It implements the key functionality of a PxM product, such as: Workflows for regular and emergency access to privileged accounts Privileged access audit and reporting Automatic account discovery Password policy management Unified web management console Integration with 3 rd party ticketing and helpdesk systems Shared Account Management is a server-based agentless solution that handles connections to target systems via a number of connectors based on standard protocols. It supports over 20 connectors out of the box and additionally provides an SDK and a scripting framework for the development of custom connectors. Naturally, besides manual password checkout, supports various application checkout methods. It can, for example, automate management of service account credentials for Windows services and scheduled tasks, apply password reset policies to IIS or J2EE application servers, and automatically manage access to databases by intercepting ODBC and JDBC connections (without any modification to original applications). It also provides an agent for programmatic credential checkout from scripts and batch files, eliminating the need for hard-coded passwords. Fine-grained access controls: by deploying secure, hardened and self-healing endpoint agents on supported operating systems (which include all Windows versions and major UNIX and Linux variants), is capable of enforcing privileged access policies independently and far beyond the native capabilities of operating systems. It can regulate access to system resources on a finegrained level, for example, by limiting administrator privileges based on the user s original identity, assigned roles or access control lists. Because the agents operate on the OS kernel level, not even Administrator/root accounts can bypass these controls. Page 3 of 6

4 endpoint agents also provide multiple server hardening capabilities, such as file system and registry protection, trusted application lists, Windows service protection, application jailing, etc. In this regard, they partially overlap with traditional antimalware solutions, that s why special care is taken not to cause conflicts with other vendors endpoint protection products. UNIX Authentication Bridge: a lightweight Pluggable Authentication Module (PAM) that enables management of *nix users through Microsoft Active Directory. This module not only provides centralized authentication for *nix users, but can also retrieve user attributes such as home directory or shell from Active Directory (AD). This enables consolidated account management across various server platforms, as well as centralized logging and integration with third-party SIEM tools. The module supports various integration scenarios depending on requirements and available AD schema, provides optional offline login support in case AD is unavailable and can even serve as a Single Sign-On solution for hosts supporting the Kerberos authentication protocol. for Virtual Environments: this product extends privileged identity management to virtual environments. It includes a HyTrust appliance for hypervisor hardening along with CA Technologies own module that provides management of hypervisor privileged accounts as well as virtualization-aware automation of security controls. Currently, the product provides full integration with VMware products (facilitated by the HyTrust appliance), as well as basic support for Microsoft Hyper-V and Citrix XenServer. also offers a complete reference architecture for Amazon AWS and support for managing Debian- and Ubuntu-based instances commonly used on the Amazon EC2 platform. for Virtual Environments has a separate management console. CA Session Recording: although technically a standalone product, it is deeply integrated with CA Privileged Identity Manager and is not sold separately. This module provides recording of privileged user sessions, along with searchable metadata for forensic analysis. Without the CA Session Recording module, is still able to provide basic reporting on privileged user activities. Although can be deployed as a standalone product without dependencies, integration with other products from the IAM portfolio is another big highlight for CA Technologies. For example, adding CA Strong Authentication to the infrastructure enables strong twofactor authentication both for endpoints and for the enterprise management console. By integrating with CA Identity Governance, provides a complete Privileged Identity Governance solution, addressing such issues as orphaned accounts, privilege creep and low visibility into privileged account usage. Page 4 of 6

5 3 Strengths and Challenges is a comprehensive and mature Privileged Identity Management solution with flexible licensing and deployment options, a very broad range of supported target systems and impressive integration capabilities with both CA Technologies and third party products. This makes it a natural fit for most organizations, especially those with heterogeneous and heavily virtualized environments. Relatively limited support for cloud platforms in the current release could be a setback for some, but broader adoption of IaaS and PaaS is a strategic part of CA Technologies roadmap, so for organizations developing a long-term PxM deployment plan is definitely an obvious contender. Strengths Support for a broad range of target systems Kernel-based fine grained access control Privilege management and security automation for virtualized environments Unix authentication bridging for managing Unix accounts in Active Directory Integrates with CA Identity Governance to provide a complete Privileged Identity Governance solution Integrates with other CA Technologies products and 3 rd party SIEM solutions (service desk integration coming in the next release) Challenges Relatively small partner ecosystem Support for cloud environments currently limited to Amazon AWS (other platforms planned in a future release) Not all components are integrated into a single management console yet 4 Copyright 2015 Kuppinger Cole Ltd. All rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole s initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaim all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole do not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks or registered trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them. Page 5 of 6

6 The Future of Information Security Today KuppingerCole supports IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business. KuppingerCole, founded in 2004, is a leading Europe-based analyst company for identity focused information security, both in classical and in cloud environments. KuppingerCole stands for expertise, thought leadership, and a vendor-neutral view on these information security market segments, covering all relevant aspects like Identity and Access Management (IAM), Governance, Risk Management and Compliance (GRC), IT Risk Management, Authentication and Authorization, Single Sign-On, Federation, User Centric Identity Management, eid cards, Cloud Security and Management, and Virtualization. For further information, please contact clients@kuppingercole.com Kuppinger Cole Ltd. Sonnenberger Straße Wiesbaden Germany Phone +49 (211) Fax +49 (211)