For as long as I’ve been in IT professionally, users have been local administrators on their machines. Time and again, history has shown that this approach undermines what might otherwise be successful IT strategies to improve an organization’s security posture. Introducing a change requires addressing some facts:
Fact: Users do not need admin rights to accomplish day to day tasks.
Fact: Users have grown accustomed to having certain privileges on their machines.
Fact: Some legitimate changes initiated by users do require elevated rights.
Fact: Bears eat beets. Bears. Beets. Battlestar Galactica.
Fortunately, there is a sea of Privileged Account Management (PAM) and privilege management solutions out there that control elevation on a per-task basis, eliminating the need to give users administrative rights.
I do want to highlight that although our research was done a few years back, the underlying concepts and organizational requirements continue to serve as the core framework for any future Privilege Management solutions we evaluate for implementation.
Adhering to the principle of least privilege allows the day-to-day user to keep working efficiently without interruption while introducing several desirable benefits, including but not limited to:
- Cost Savings – Successful vulnerability exploits often result in lost time, intellectual property, productivity, brand value and customers’ trust. System instability results in lost productivity. Lack of license compliance can result in unbudgeted expenses not to mention costly fines.
- Regulatory Compliance – When users have administrator rights they can change system settings, which affect compliance to regulatory standards. Failure to meet standards can result in more audits and remediation work.
- System Stability – When a user adds a new piece of software, installs a driver, or changes a setting, the stability of the system can be affected.
- Threat Protection – Running software with reduced privileges mitigates a large share of software vulnerabilities, because exploit code inherits only the privileges of the user running the process.
- License Compliance – When users have full control over what is installed on their computers, there is nothing to prevent them from intentionally or unintentionally using unlicensed software.
We identified the following five vendors (listed alphabetically) based on many factors including feature set, product maturity, industry reputation, community feedback and perceived position in the marketplace.
Avecto is a leader in Windows privilege management, helping organizations to deploy secure and compliant desktops and servers. With its Privilege Guard technology, organizations can empower all Windows based desktop and server users with the privileges they require to perform their roles, without compromising the integrity and security of their systems.
BeyondTrust offers a complete Privileged Account Management (PAM) portfolio and was one of the first products on the market in this area. BeyondTrust has a worldwide presence with a large market share in the US of which banking and securities and retail organizations make up a significant share of the company’s customers.
Bit9+Carbon Black offers a solution for advanced threat protection for endpoints and servers. Combined, it helps organizations protect themselves from advanced threats in two critical ways: by reducing their attack surface through new signature-less forms of prevention, and rapidly detecting and responding to threats.
Centrify Privilege Management allows administrators to manage privilege globally across Windows, Linux and UNIX. It is a flexible, highly granular privilege management solution that allows users to get work done, reduces risk and makes implementing a least-privilege approach easy with role-based access controls.
Viewfinity’s privilege management suite bolsters administrators’ ability to control user privileges on corporate desktops, helping to eliminate one of the biggest security holes on today’s enterprise networks: risky activities on corporate desktops that occur inside the firewall. Viewfinity is a suite of integrated management tools that simplify the processes involved in privilege management, enabling administrators to more effectively protect PCs from unauthorized use and providing granular control over who can do what on servers and endpoints across the enterprise.
We designed a scoring system based on key areas of interest (the maximums add up to 100 points):
- Solution designed with mobility in mind (up to 15 points)
- Application control/features (up to 15 points)
- Experience in the legal vertical (up to 10 points)
- Reputation and footprint by way of endpoint count (up to 10 points)
- Client components (up to 5 points)
- Implementation options (up to 5 points)
- Considerations for VDI environments (up to 10 points)
- Depth and breadth of reporting (up to 10 points)
- Ease of use & management (up to 10 points)
- Integrations with existing technology (up to 5 points)
- Innovation (up to 5 points)
In addition, there were specific features and scenarios we were looking to cover in the demos:
- Details of the elevation process (e.g.: token based)
- Handling of products not explicitly whitelisted/blacklisted
- Capable of elevating ActiveX controls
- Whether or not it offered some sort of sandboxing technology
- Data aggregation and correlation
- Level of customization for user facing elements
After reviewing each product and comparing notes, we decided the following vendors were not best suited for our particular requirements.
BeyondTrust:
- Its SaaS/Web solution for a mobile workforce wasn’t as easy to use as Avecto’s and Viewfinity’s.
- Insignificant presence in the legal vertical.
Bit9 + Carbon Black:
- Lack of a method for elevating the execution of processes. Users would not be able to install applications, even those approved to be installed.
- Core focus is application whitelisting (i.e. whether or not a process can execute) versus allowing processes that require elevation to elevate automatically based on a ruleset.
- Application control functionality was not nearly as robust as their competitors’.
Centrify:
- Product is best suited for environments where Macs are deployed.
- PAM is only part of a much larger product rather than the primary focus of the product.
- Lack of an appreciable presence in the legal vertical.
I want to be clear:
- These were not bad solutions by any means.
- They just didn’t meet enough of our core requirements for us to move forward to the next phase.
- Also, again, this being a fairly dated review, it’s quite possible things have changed since we originally evaluated them, so do your due diligence.
We received a list of references from both Avecto and Viewfinity, set up calls and included those findings for consideration in our recommendation.
Avecto:
- The “best of breed” and innovative solution compared to other products on the market.
- Integration with existing A/V and HIPS solutions allowing for centralized management and reporting
- Able to easily workaround special handling scenarios needed for certain users and applications.
- Support has been great, fast turn around for critical issues and the product is well documented.
- Successful implementations not just from the IT perspective but also from the user perspective as it was completely transparent.
- Works as designed and is easy to work with.
Viewfinity:
- Smooth transition from another competitor’s on-prem solution to Viewfinity’s hosted solution.
- SaaS solution works well, delivers updated configuration to clients faster than GPO
- No issues they couldn’t work through or around.
- Works well for a highly mobile workforce
- Support is responsive with no gaps in communication
- Easy and straightforward to use with little ongoing management required
We tested each solution for one month at a time on our primary systems (aka our daily driver machines). Although the two products differ, there were a lot of similarities that carried over between them.
Viewfinity:
- Only vendor with a completely separate SaaS/Web PAM solution, and we were impressed with it. Viewfinity seems to better understand the differences of a mobile user, and their SaaS/Web product is built solely for a mobile population.
- Established presence in law firms of significant size
- Has grown substantially in install count and product maturity over the past few years.
Avecto:
- Has a mechanism to distribute updates, but it’s built on a traditional Group Policy based management delivery approach.
- Appears to be the strongest and fastest innovator in the PAM vertical.
- Had features in the product that Viewfinity didn’t have yet.
These findings were then added to our success criteria.
Before I reveal the results, I want to point out a few very important items:
- This review took place a few years ago so I imagine that each of the products mentioned here have matured for the better since then and that there may be new players in this space.
- Both solutions are very solid products, each with their own set of features that clearly distinguished it from the other in a few key categories.
- We ultimately did not move forward with either product because of a change in strategic initiatives.
Having said that, we gave:
- Avecto: 79 out of 100
- Viewfinity: 81 out of 100
From a scoring perspective, the difference was almost negligible, and after some discussion we made a recommendation to move forward with one vendor. However, it was not based solely on the numerical score but on what I feel is an oft-overlooked point: the level of expertise of the vendor’s technical lead assisting with the implementation. The technical lead driving these demos and Q&As demonstrated a deep level of understanding and was able to think and respond quickly when in ‘uncharted territory’: atypical use cases, examples, etc. After putting each vendor through the wringer, one gave us the confidence that they would be able to assist us in meeting our objective of making this a successful implementation.
This was probably one of the more fun projects we took on, and some part of me was disappointed we didn’t move forward with any of the recommended products. On the other hand, after removing local Administrator rights and implementing Microsoft’s Local Administrator Password Solution (LAPS), we learned that we really didn’t need a third-party solution to achieve our primary objective.
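Removing standing admin rights only helps if it actually sticks, so the check a practitioner wants after a rollout like the one described above is a periodic audit of who is still in the local Administrators group, plus confirmation that LAPS is really rotating the one built-in account that stays. The script below is an added example written for this page, not something from the original post or from any of the vendors evaluated. It assumes Windows PowerShell 5.1 or later (for Get-LocalGroupMember), classic LAPS with its ms-Mcs-AdmPwdExpirationTime attribute, the ActiveDirectory module for the AD lookup, and an allow-list whose domain group names (CONTOSO\Workstation Admins) are placeholders for this example.

```powershell
# Added example (not from the original post): audit local Administrators group
# membership on a Windows endpoint and verify LAPS is managing the built-in account.
# Assumptions: Windows PowerShell 5.1+, run as an administrator, classic LAPS
# (ms-Mcs-AdmPwdExpirationTime) and the ActiveDirectory RSAT module for Test-LapsManaged.

# Principals that SHOULD remain in the group. The built-in Administrator (RID 500)
# and Domain Admins (RID 512) are recognised by SID; the group name below is a
# placeholder for this example, replace it with your own break-glass/admin group.
$AllowedPrincipals = @('CONTOSO\Workstation Admins')

function Get-LocalAdminFindings {
    param([string[]]$Allowed = $AllowedPrincipals)

    try {
        $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
            Select-Object Name, SID, PrincipalSource
    }
    catch {
        # Edge case: Get-LocalGroupMember throws when the group holds an orphaned SID
        # (e.g. a deleted domain account). Fall back to the WinNT ADSI provider, which
        # still enumerates such members, so they show up as findings instead of hiding.
        $group   = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
        $members = @($group.Invoke('Members')) | ForEach-Object {
            $path = $_.GetType().InvokeMember('ADsPath',   'GetProperty', $null, $_, $null)
            $raw  = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
            [pscustomobject]@{
                Name            = ($path -replace '^WinNT://', '') -replace '/', '\'
                SID             = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
                PrincipalSource = 'Unknown'
            }
        }
    }

    foreach ($m in $members) {
        $sid = [string]$m.SID
        $expected = ($sid -match '-500$') -or            # built-in Administrator, LAPS-managed
                    ($sid -match '-512$') -or            # Domain Admins
                    ($Allowed -contains $m.Name)
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = $m.Name
            SID      = $sid
            Source   = $m.PrincipalSource
            Status   = if ($expected) { 'expected' } else { 'FINDING: standing local admin' }
        }
    }
}

function Test-LapsManaged {
    # Returns $true when LAPS has set an expiration on this computer object, i.e. the
    # built-in Administrator password is being rotated. Requires read access to the
    # attribute, which LAPS normally restricts to authorised admins.
    param([string]$ComputerName = $env:COMPUTERNAME)

    $c = Get-ADComputer -Identity $ComputerName -Properties 'ms-Mcs-AdmPwdExpirationTime'
    $ft = $c.'ms-Mcs-AdmPwdExpirationTime'
    if (-not $ft) { return $false }                     # attribute never written: not managed
    $expires = [datetime]::FromFileTimeUtc([int64]$ft)
    Write-Verbose "$ComputerName LAPS password expires (UTC): $expires"
    return $true
}

# Usage: list every member, then fail loudly if anything unexpected is present.
$findings = Get-LocalAdminFindings
$findings | Format-Table -AutoSize
if ($findings.Status -like 'FINDING*') { Write-Warning 'Standing admin rights still present.' }
if (-not (Test-LapsManaged)) { Write-Warning 'LAPS is not managing the built-in Administrator.' }
```

Matching on the RID suffix rather than on account names is deliberate: the built-in Administrator is often renamed, and a localized or renamed Domain Admins group would otherwise appear as a false positive. Conversely, a local account created by a user and named "Administrator" will not have RID 500 and is correctly reported as a finding.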
I’m eager to hear from others who are in the process of implementing – or have just implemented – a PM/PAM solution, so please let me know in the comments.