Privileged access management, or PAM, is a security measure that allows organizations to control and monitor the activity of privileged users, including their access to key business systems and what they’re able to do once logged in. Most organizations order their systems in tiers according to the severity of the consequences should the system be breached or misused. Privileged accounts, such as domain admin and networking equipment accounts, provide administrative levels of access to high-tier systems, based on higher levels of permissions. PAM solutions help administrators to monitor access to critical business resources and ensure that these high-tier systems remain secure. This extra security layer protects critical business systems, but also encourages better governance and compliance with data regulations.
Verizon’s 2020 Data Breach Investigations Report found that over 80% of hacking breaches involve brute force or the use of lost or stolen credentials, and a recent study by Centrify found that 74% of data breaches involved access to a privileged account. It’s absolutely crucial that organizations keep login credentials secure, particularly for high-tier, high-risk systems. PAM solutions provide this security by storing the login credentials of privileged administrative accounts in a secure repository, reducing the risk of those credentials being stolen. To gain access to these credentials, users have to go through an authentication process, which logs that they’ve accessed the account. This process gives organizations clear visibility into who is accessing which account and from where, which in turn helps them to monitor any suspicious or potentially malicious activity, both internal and external.
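To make the vault-and-audit model concrete, here is an added example (constructed for this article, not any vendor’s product) of a minimal PAM vault: privileged passwords are checked out just-in-time after MFA, every decision is written to an audit trail, the credential is rotated on check-in or lease expiry, and a small check over the audit trail flags checkouts from a source address a user has never used before. The account name, user names and IP addresses are constructed sample values.

```python
import secrets
import time


class PrivilegedVault:
    """Toy PAM vault, constructed for illustration (not any vendor's product).
    Privileged passwords live only here; a user checks one out just-in-time
    after MFA, every decision lands in an audit trail, and the password is
    rotated on check-in or lease expiry so the value shown cannot be reused."""

    def __init__(self, lease_seconds=900):
        self._passwords = {}   # account -> current password (never logged)
        self._leases = {}      # account -> (user, expires_at)
        self.audit = []        # (timestamp, event, user, account, source_ip)
        self.lease_seconds = lease_seconds

    def enroll(self, account):
        self._passwords[account] = secrets.token_urlsafe(24)

    def _log(self, event, user, account, source_ip, now):
        self.audit.append((now, event, user, account, source_ip))

    def checkout(self, user, account, mfa_passed, source_ip, now=None):
        now = time.time() if now is None else now
        self.expire_leases(now)  # lapsed leases are rotated before any reuse
        if account not in self._passwords:
            raise KeyError(f"unknown privileged account {account}")
        if not mfa_passed:
            self._log("DENY_MFA", user, account, source_ip, now)
            raise PermissionError("MFA required to open the vault")
        held = self._leases.get(account)
        if held and held[0] != user:
            self._log("DENY_IN_USE", user, account, source_ip, now)
            raise PermissionError(f"{account} is checked out by {held[0]}")
        self._leases[account] = (user, now + self.lease_seconds)
        self._log("CHECKOUT", user, account, source_ip, now)
        return self._passwords[account]

    def checkin(self, user, account, source_ip, now=None):
        now = time.time() if now is None else now
        held = self._leases.get(account)
        if held is None or held[0] != user:
            raise PermissionError(f"{user} does not hold {account}")
        del self._leases[account]
        self._passwords[account] = secrets.token_urlsafe(24)  # rotate on return
        self._log("CHECKIN_ROTATE", user, account, source_ip, now)

    def expire_leases(self, now):
        """Rotate any credential whose just-in-time lease has lapsed."""
        for account, (user, expires_at) in list(self._leases.items()):
            if expires_at <= now:
                del self._leases[account]
                self._passwords[account] = secrets.token_urlsafe(24)
                self._log("EXPIRE_ROTATE", user, account, "-", now)


def new_source_checkouts(audit):
    """Flag checkouts from a source IP that user has not used before."""
    seen, flagged = {}, []
    for _, event, user, account, ip in audit:
        if event == "CHECKOUT" and ip not in seen.setdefault(user, set()):
            seen[user].add(ip)
            if len(seen[user]) > 1:
                flagged.append((user, account, ip))
    return flagged
```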
In this article, we’ll explore the top ten privileged access management solutions designed to secure an organization’s critical systems. We’ll look at features such as password management and multi-factor authentication, role-based security, real-time notifications and robust reporting. We’ll give you some background information on the provider and the key features of each solution, as well as the type of customer that they are most suitable for.
The Top Privileged Access Management (PAM) Solutions include:
- ARCON | BeyondTrust | Centrify | CyberArk | Foxpass | Hitachi ID Systems | JumpCloud | One Identity | Thycotic | WALLIX
ARCON | Privileged Access Management
ARCON’s risk-management solutions are designed to secure data and safeguard privacy through predicting risk situations, protecting organizations against those risks and preventing them from progressing into incidents. ARCON | Privileged Access Management (PAM) allows enterprise security teams to secure and manage the entire lifecycle of their privileged accounts. It protects privileged credentials from the exploits of compromised insider attacks and third-party cybercrime.
ARCON | PAM features a secure password vault that automates frequent password changes. The vault generates and stores strong, dynamic passwords, which can only be accessed by authorized users. Users must go through multi-factor authentication (MFA) in order to access the vault. ARCON offers native software-based one-time-password (OTP) validation to verify users’ identities, and this tool integrates with third-party authentication solutions should an organization want to build layers of authentication around the vault. The security of MFA allows ARCON | PAM to run single sign-on (SSO) access to all critical systems without users having to share their credentials. This makes the sign-on process more efficient, whilst protecting critical data from the threat of password breaches. Finally, all privileged access is just-in-time, which reduces the threat surface by favouring access as needed over standing privileges.
Advanced session monitoring allows admins complete insight as to who is using the privileged access environment and why, which enables faster risk mitigation. ARCON | PAM also provides a complete audit trail of privileged activities, as well as reports and analytics of the results, via the solution’s reporting engine. This allows managers and auditors to assess the organization’s compliance status as needed.
On top of the solution itself, ARCON offers 24/7 support to all of its clients as a base support offering, and they don’t differentiate between tiers for technical support. ARCON | PAM is also highly scalable. For these reasons, though using enterprise-level technology, we recommend ARCON | PAM for any sized organization looking for a robust PAM solution.
BeyondTrust Privileged Remote Access
BeyondTrust is a market-leading vendor in privileged access management. They offer a range of solutions that deliver high levels of visibility and security across endpoint, server, cloud, DevOps and network device environments. Privileged Remote Access is BeyondTrust’s solution for managing and auditing internal and third-party remote privileged access, without the need for a VPN. It’s designed to enable employee productivity, no matter their location, whilst keeping bad actors from accessing critical business systems.
Privileged Remote Access stores passwords in a secure cloud-based on-appliance vault. Alternatively, this solution integrates with BeyondTrust’s Password Safe, which is delivered as software. Both options enable BeyondTrust’s credential injection capabilities, which allow BeyondTrust to securely inject credentials from the vault directly into a session. This means that users don’t expose credentials at any point during sign in. The solution also features strong monitoring capabilities, with tracking and auditing capabilities all accessible in a single interface. Admins can set authorization and notification preferences to receive alerts when a user is accessing Privileged Remote Access. These notifications are also remote worker-friendly, so that admins can approve access requests and monitor usage on their mobile devices from any location. Comprehensive audit trails and session forensics allow IT teams to review and monitor privileged account use, as well as generate reports to prove compliance.
Privileged Remote Access features desktop consoles for Windows, Mac and Linux. It also allows privileged users to access critical systems via a web-based console or a mobile app for privileged access anytime, anywhere. This makes it a strong PAM solution for any organization with remote workers who need to access privileged systems.
Centrify Privileged Access Service
Centrify, currently merging with Thycotic, is a leader in providing enterprise-level access management. Their cloud-based solutions leverage a zero-trust approach to ensure complete security, and they serve over half of the Fortune 500. Centrify’s Privileged Access Service is their range of PAM solutions (including their Vault, Cloud and Server Suites, and their Threat Analytics Service) that secure access to accounts on servers and network devices, on-prem and in the cloud. It delivers secure administrative access via workflow-driven access requests, ensuring that only verified users can sign in while bad actors are kept far away from business-critical systems.
The Privileged Access Service stores shared passwords and secrets (such as IP addresses) in a secure vault that only authorized users can access. The solution leverages MFA at vault level to confirm users’ identities and analyses the context of each login attempt for suspicious activity such as an unusual location or login time. Privileged Access Service uses machine learning to continuously learn users’ login patterns, allowing it to accurately allow or block access, or require additional authentication. Once a user finishes their session, credentials are automatically rotated to ensure that users can’t use the same credentials twice and cybercriminals can’t access an account using stolen credentials. Robust session monitoring and recording capabilities give admins insight into what users are doing after they’ve logged into privileged systems, and all sessions are audited.
Centrify’s Privileged Access Service is delivered as a full SaaS solution, which reduces the strain on client system resources by eliminating the need for software installation. Because it’s cloud-based, it integrates seamlessly with other SaaS and IaaS platforms. It also provides secure access to remote workers, including outsourced IT and third-party vendors, without the need for a VPN. Because of this, we recommend Privileged Access Service as a powerful PAM solution for enterprises already working in a hybrid or cloud IT environment.
CyberArk Core Privileged Access Security
CyberArk holds one of the largest shares of the PAM market, offering enterprise-level, policy-driven solutions that allow IT teams to secure, manage and record privileged account activities. Their Core Privileged Access Security (PAS) solution provides multi-layered access security for privileged accounts, and comes with over 500 “out of the box” integrations. Its centralized management and reporting gives admins clear insight as to who is accessing critical systems, and why.
Core PAS scans the network continuously to detect privileged access. IT teams can choose to validate access attempts by adding them to a queue, or automatically rotate accounts and credentials based on the company’s policies. Credentials for accessing critical assets are isolated in a secure vault, helping to prevent credential exposure. From the central management console, IT teams can choose to record and audit privileged sessions within an encrypted repository. Recordings include video playback, so admins can view specific activities and keystrokes and monitor them for suspicious activity. If suspicious behavior is detected, Core PAS automatically suspends or terminates the privileged session based on the level of risk. Automatic credential rotation on suspension or termination ensures that bad actors or compromised insider accounts can’t regain access to the system.
CyberArk also offers an Advanced version of their Core Privileged Access Security, which includes centrally managed granular access controls for least privilege server protection and network monitoring for threats to domain controllers. Both of these modules integrate fully with the Standard solution. CyberArk’s solution comes with on-premises, cloud and SaaS deployment options, making it suitable for all organizations, no matter their state of cloud transition. We recommend Core Privileged Access Security for any enterprise looking for a trusted, flexible PAM solution.
Foxpass Privileged Access Management
Foxpass Privileged Access Management automates server and network access, protecting critical business systems whilst reducing the strain on an IT team’s resources. It is designed to integrate seamlessly with any systems that an organization already has in place, including cloud mail systems and existing SSO solutions, so that customers can set up their protection in just a few minutes.
Foxpass Privileged Access Management offers self-service SSH key and password management with MFA and password rotation. Admins can set password requirements within an easy-to-use interface. The solution also offers a full API that allows admins to automate server access control, change user information and manage group memberships. The API logs authentication requests so that admins have clear visibility into who is accessing critical systems, and these logs can also be used as proof of compliance. Cloud-hosted LDAP and RADIUS allow Foxpass PAM to provide single sign-on across an organization’s entire application stack, reducing the need for passwords. Admins can also enable MFA at this level for added security, and enable logging of LDAP and RADIUS requests for automated threat detection and response.
Foxpass’ PAM solution offers enterprise-grade security but is highly scalable and available both on-prem and in the cloud. It also integrates seamlessly with existing third-party products such as Google Workspace, Office 365 and Okta. Customers praise Foxpass for their 24/7 technical support, particularly their live video support calls. Because of this, we recommend Foxpass Privileged Access Management as a strong solution for any sized organization looking for user-friendly PAM security that’s easy to integrate and deploy.
Hitachi ID Systems Bravura Privilege
Hitachi ID Systems delivers easily deployable, user-friendly identity, entitlement and credential governance solutions. Their solutions enable organizations to strengthen internal controls and harden their network security, as well as lower their operating costs by offering cloud deployment and management. Bravura Privilege, their PAM solution, secures privileged users, applications and services. Highly scalable, it supports over a million password changes every day across the world.
Bravura Privilege randomizes passwords and stores them in an encrypted vault that requires users to verify their identities before they’re able to access them. The solution enforces pre-authorized, one-time access so that users have just-in-time access to critical accounts, and can’t stay signed in when they don’t need to be. Login sessions are launched automatically through a browser extension, and all access requests and sessions are logged with video capture and keylogging. This allows admins full visibility into privileged account activities. Bravura Privilege uses agent-based application fingerprinting and automatically rotates one-time keys to eliminate shared and static credentials, reducing the risk of a breach due to credential theft. The solution also logs all user access cases, creating strong accountability and allowing admins visibility into who’s accessing which systems.
Hitachi ID Systems’ Bravura Privilege simplifies the challenge of coordinating password changes and access to shared accounts across multiple platforms. It can integrate with all clients, servers, hypervisors, guest operating systems, databases and applications, and can be deployed on-premises or in the cloud. This versatile solution provides strong access management for any enterprise looking to secure a large number of privileged accounts.
JumpCloud User Management with Cloud Directory Services
JumpCloud User Management with Cloud Directory Services securely connects privileged users to critical systems, applications, files and networks. It integrates seamlessly with Google Workspace, Microsoft 365 and on-premises Active Directory. JumpCloud User Management leverages cloud-based directory services, which reduces strain on system resources whilst providing the scalability of the cloud.
JumpCloud User Management controls all access to users’ resources with a secure MFA single sign-on feature that reduces the need for multiple passwords and decreases the threat surface. Once signed in, users can access all workstations and servers, cloud and on-prem apps and services, and networks. JumpCloud User Management also features robust password and SSH key management, with password rotation to eliminate the security risks associated with static passwords. Admins can set policies for password complexity, and receive alerts for approaching expiries and brute force lockouts. From the JumpCloud console, admins can also create and manage users, configuring differing levels of access and privilege as needed. Admins can also use user attributes to verify their end users’ identities and monitor their access behaviors.
For the first 10 days, organizations receive live support from JumpCloud’s technical support engineers to help them get used to the system and troubleshoot any challenges that arise. The solution is highly scalable and flexible, and integrates seamlessly with Google Workspace and Azure AD so that organizations can manage access to critical third-party employee services. We recommend JumpCloud User Management for mid-sized organizations and enterprises looking for a secure directory and access management solution.
One Identity Safeguard
One Identity is a provider of identity-centric security solutions designed to reduce organizations’ attack surface from internal and external threats. All of One Identity’s PAM products are available as modules or as an integrated package, so that customers can build new capabilities onto their existing measures. Their Safeguard solution allows organizations to secure, control and audit privileged accounts for the entire duration of the session. It features powerful auto discovery and provisioning capabilities, which make it easy for admins to monitor and address suspicious or unauthorized behavior.
With One Identity’s Safeguard solution, users can access their privileged and non-privileged resources from a single account, which removes the risk of error in provisioning access. This also reduces the strain on help desk workloads, automating the process of granting privileged credentials according to the user’s role. Privileged accounts are stored in a secure vault for enhanced security, with centralized authentication and SSO for added protection and increased efficiency. Safeguard uses machine learning to analyze user activity both at the time of access and throughout the session. It also records keystrokes, mouse movement and windows viewed in order to detect unauthorized use of critical business systems and increase accountability. Admins can review these recordings remotely and search them like a database for specific events across sessions. They can also be used for governance and compliance purposes.
Safeguard enables admins to configure the level of authentication required from each user, from requiring full credentials through to limiting access with granular delegation for just-in-time or least-privileged access. This ensures security without compromising on employee productivity. Safeguard’s powerful recording and analysis tools make this a strong PAM solution for larger enterprises looking for more control over privileged activities.
Thycotic Secret Server
Thycotic, currently merging with Centrify, is recognized by both Gartner and Forrester as a market leader in privileged access management. Their Secret Server PAM solution ensures complete protection through a strong set of security features, from endpoint discovery to password management. Secret Server is available in the cloud or on-prem, giving it the flexibility to secure all enterprises, no matter their state of cloud transition.
Secret Server stores all privileged credentials in an encrypted, centralized vault that users can only access via a two-factor authentication process. Once verified, users can only view the passwords they need to be able to do their job. From a centralized management portal, admins can provision and deprovision privileges for just-in-time access, as well as configure policies for password complexity and credential rotation. This eliminates weak and static passwords, reducing the risk of password theft. Admins can also set up a custom workflow to delegate access requests, including for third parties. Powerful session recording capabilities enable organizations to monitor privileged activities, both to ensure compliance and to detect the source of any fraudulent or suspicious activity.
Thycotic’s zero downtime upgrade process allows continuous access to Secret Server, even during system upgrades, to minimize disruption to end users and ensure that accounts are always protected. As many of this solution’s features are available through scripting rather than offered out of the box, it’s important that customers’ IT teams have the ability and resources available to create them. Overall, Secret Server is a strong solution for enterprises looking for centralized management for their critical systems, accounts and applications.
WALLIX Bastion
WALLIX is a European cybersecurity vendor specializing in access and identity management solutions to protect organizations’ IT infrastructure, applications and data. Bastion is WALLIX’s simplified PAM solution, available both as software and as a virtual or physical appliance. WALLIX’s recent acquisition of Simarks has bolstered Bastion’s privilege elevation and delegation management (PEDM) for Windows, and these capabilities are also available as standalone software. The solution is easy to use, but doesn’t compromise on security, providing organizations with full control over their privileged access.
Bastion stores all passwords and secrets in a secure encrypted vault, eliminating the need for multiple passwords per user. Organizations can leverage high-level password security controls and application-to-application password management to reduce the risk of credential theft. Bastion’s PEDM capabilities allow admins to grant privileges as needed, so that passwords are never static and users can only access the accounts necessary for them to carry out their work, eliminating the risk of overprivileged users. As well as granting access permissions, admins can monitor all session activity with the help of the WALLIX Access Manager. This tool offers enhanced session forensic analysis and search capabilities so that admins can quickly locate recordings of specific activities, making threat detection simple and fast.
WALLIX Bastion is available both on-premises and in the cloud, making it highly flexible and giving it the ability to scale to meet an organization’s needs. It also delivers secure remote access via any browser, and remote sessions benefit from the same level of control and monitoring as internal sessions. This allows admins to monitor privileged access and session activity from anywhere. For these reasons, we recommend Bastion as a strong PAM solution for enterprises with a large number of remote employees, or offices spread across different locations.