Cyber-Ark's product was sent to us in pre-configured VMware-format virtual machines. While it's Cyber-Ark's policy to install 100 per cent of its products, we requested this optional product delivery mode that allowed us to install the product ourselves.
Enterprise Password Vault (EPV) stunned us with the breadth of server operating systems, devices and applications for which it can supply privileged password system support.
EPV, because of its comparatively deep LDAP support, could work with virtually everything in our lab, ranging from virtualized Windows, Linux, FreeBSD, and MacOS servers to Microsoft SQL Server and Cisco IOS devices. The examples of how to connect to these devices and customize EPV 'Vaults' and 'Safes' gave us templates to use that didn't mandate becoming experts in how this privilege account manager works. EPV's infrastructure 'intelligence' and its integration level are a cut above the competition.
Everything we used in our test bed was covered. Linux? Check. Solaris? Check. MacOS? Check. FreeBSD? Check. If LDAP (this includes Windows LDAP) is correctly configured, the integration is very fast. If you've got a quirky LDAP deployment, then the user interface helps you configure generic privileged password objects to be used across the network. EPV also created vaults and safes for secure data storage, as well as secure network directories under LDAP, with ease.
There are four components to the EPV system, its Enterprise Password Vault (the password and access storage system), its Central Password Manager (CPM -- the core privileged account management application), its Password Vault Web Access System (PVWA -- which provides the method by which users request passwords and high-level administrators approve the requests), and EPV's Application Identity Management component (AIM -- which performs application-to-application password management.)
EPV uses a vault -- and safes within the vault where passwords are kept for specific resources on the network -- a metaphor to allow administrators to aggregate access groups by like-type.
Inside each vault are groups that use a common methodology to gain access to a resource requiring privileged access. For instance, we tapped recommended vaults provided by Cyber-Ark and used them to create access to our test Windows 2003, Linux, and BSD servers with relative ease, as the settings are understandable and rapidly replicated.
We tested access to each of our hosts and devices using correct and incorrect credentials to see how EPV reacted. EPV responded to requests almost instantly (or alternatively it could be tweaked to delay requests, if it's needed for security reasons) and within the time needed to also make our RSA SecureID dongles valid (as their numbers expire quickly). All of our use case tests were satisfied correctly and each were documented within EPV's logs. We were also able to set alarms with regard to failed attempts and have them sent to us quickly via e-mail.
Overall, Cyber-Ark's approach to the PAM issue is simpler than those taken by other products tested in number of ways. First, numerous 'sample' vaults with brand/type-specific access rules are supplied as templates. These templates covered the wide breadth of EPV's use cases, including everything from Cisco wireless access points and Microsoft's Active Directory, as well as our extensive LDAP network that includes directory shares, FreeBSD, Solaris 10 and various flavors of MacOS 10.