How do I decide which vendor is right for me?
Both CyberArk and BeyondTrust are market leaders, so they both have mature products that cover virtually all use cases you may have.
Answering the “Which is the right vendor and solution for me?” question is an important part of what we do at Integral Partners. For Privileged Access Management solutions, understanding a few key concepts provides a good place to start.
- PASM vs PEDM
- Asset vs Account focused
- Your needs and supporting tools
Let’s discuss each of these topics to help you understand the differences and why that matters.
PASM vs. PEDM – What are they and which do I need?
Privileged Account and Session Management (PASM)
Privilege in an environment can be hard to define and control. As you think about what constitutes privileged access, one or more of these administration categories may come to mind:
- Server Admins
- Domain Admins
- Desktop Admins
- Network Admins
- Database Admins
- Application Owners
- Encoded credentials in script or code
- DevSecOps teams using encoded or clear-text credentials in scripts or code
For these groups of administrators, the typical approach is to employ a Privileged Access Management (PAM) solution. A secure location or appliance is set up, with the ability to request and check out privileged credentials. When a request is approved, the administrator’s activity is monitored and logged. The credentials are either checked in or expire, and the PAM solution rotates the password for the next use.
For encoded credentials, the request and usage of credentials are managed through connectivity to the PAM solution via API or an installed agent. This overall approach to privilege is called Privileged Account and Session Management (PASM). As the name implies, the approach is about securing privileged accounts when they are not in use and managing and monitoring the session when they are. The emphasis on approval flow and monitoring exists because these credentials often carry very powerful rights, so their use needs to be observed and recorded.
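The PASM lifecycle just described (request, approval, check-out, recorded session, check-in or expiry, rotation) is easier to reason about as a small state machine. The following is an added illustration written for this article, not CyberArk or BeyondTrust code; the vault, account name, approver and session commands are all constructed, and real products add network brokering, secret storage and session recording that this toy omits.

```python
"""Toy PASM broker: approval-gated check-out, session audit, rotation.
Added illustration; all names and values are hypothetical."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
import secrets


@dataclass
class PrivilegedAccount:
    """A shared admin account held in the vault (constructed sample)."""
    name: str
    password: str
    checked_out_by: Optional[str] = None
    expires_at: Optional[int] = None  # clock tick after which the check-out lapses


@dataclass
class Vault:
    """Minimal PASM broker; `clock` is simulated time so expiry is deterministic."""
    accounts: Dict[str, PrivilegedAccount]
    approvers: Set[str]
    audit: List[Tuple] = field(default_factory=list)
    clock: int = 0

    def request(self, user: str, account: str, approver: str, ttl: int = 10) -> str:
        """Check out a credential once an authorised approver has signed off."""
        acct = self.accounts[account]
        if approver not in self.approvers:
            raise PermissionError(f"{approver} may not approve check-outs")
        if acct.checked_out_by is not None:
            raise RuntimeError(f"{account} is already checked out")
        acct.checked_out_by = user
        acct.expires_at = self.clock + ttl
        self.audit.append((self.clock, "checkout", user, account, approver))
        return acct.password

    def record(self, user: str, account: str, action: str) -> None:
        """Log an action inside an active session; refuse if there is none."""
        acct = self.accounts[account]
        if acct.checked_out_by != user or self.clock > acct.expires_at:
            raise PermissionError(f"{user} has no active session on {account}")
        self.audit.append((self.clock, "session", user, account, action))

    def checkin(self, user: str, account: str) -> None:
        """Return the credential; the vault rotates it so the old value is dead."""
        acct = self.accounts[account]
        if acct.checked_out_by != user:
            raise PermissionError(f"{user} does not hold {account}")
        self.audit.append((self.clock, "checkin", user, account))
        self._rotate(acct, reason="checkin")

    def tick(self, n: int = 1) -> None:
        """Advance time; check-outs that lapsed are rotated as if checked in."""
        self.clock += n
        for acct in self.accounts.values():
            if acct.checked_out_by is not None and self.clock > acct.expires_at:
                self._rotate(acct, reason="expired")

    def _rotate(self, acct: PrivilegedAccount, reason: str) -> None:
        acct.password = secrets.token_urlsafe(16)  # new secret for the next user
        acct.checked_out_by = None
        acct.expires_at = None
        self.audit.append((self.clock, "rotate", acct.name, reason))


def run_demo() -> dict:
    """Walk one account through both exit paths: explicit check-in and expiry."""
    acct = "srv01\\Administrator"  # constructed sample account
    vault = Vault(accounts={acct: PrivilegedAccount(acct, "Initial-Pass-1")},
                  approvers={"pam-manager"})

    first = vault.request("alice", acct, "pam-manager", ttl=5)
    vault.record("alice", acct, "restart service spooler")
    vault.checkin("alice", acct)                      # rotation 1

    second = vault.request("bob", acct, "pam-manager", ttl=2)
    vault.tick(3)                                     # bob never checks in: rotation 2
    try:
        vault.record("bob", acct, "late command")     # session already closed
        stale_use_denied = False
    except PermissionError:
        stale_use_denied = True

    return {
        "first": first,
        "second": second,
        "current": vault.accounts[acct].password,
        "events": [e[1] for e in vault.audit],
        "stale_use_denied": stale_use_denied,
    }


if __name__ == "__main__":
    for line in run_demo()["events"]:
        print(line)
```

The two things worth noticing are that the password handed out on the second check-out is already different from the first (rotation happened at check-in, not on a schedule), and that a forgotten check-out is closed by expiry with the same rotation, so a credential can never outlive its approved window.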
Privileged Elevation and Delegation Management (PEDM)
There are additional areas of privilege to think about beyond the groups listed above. Privilege can also apply to other types of access that are not necessarily bound to an account:
- Privileged or sensitive data, and every user that has access to it
- Privileged tasks an end user might need to carry out (installing an app, adding a printer, etc.)
This privilege is often harder to manage using the PASM approach. You are trying to protect data rather than accounts. You are managing secrets that do not follow PASM workflows. A different approach is needed. The other approach to PAM is Privileged Elevation and Delegation Management (PEDM).
PEDM tools assign policies to a managed device like a desktop or server. These policies allow certain users to elevate access when needed as described in the policy. When the elevation is needed, the solution manages the elevation and ties it to the specific action.
For example, a person adding a printer would be elevated for that one task and then the elevation would no longer apply. Monitoring is not as much of a concern, as the user is using their own credentials and not an administrator account, and the task is scoped by the PAM solution so that only that task is allowed. Because of the extensibility of these tools, they can also manage additional areas, such as controlling what applications can be installed and run.
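To make the PEDM model concrete, the following added example (written for this article, not CyberArk or BeyondTrust code) evaluates device-bound policy rules and issues an elevation that is valid for one user, one device and one task, and is consumed on use. Rule names, device names, group names and the "ticket INC-1234" justification are all constructed.

```python
"""Toy PEDM policy engine: device-scoped rules, task-scoped single-use elevation.
Added illustration; rule, device and group names are hypothetical."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class ElevationRule:
    """One policy line pushed to a managed device (constructed values)."""
    name: str
    devices: str          # glob over device names, e.g. "lt-*" for laptops
    groups: Tuple[str, ...]  # requester must belong to at least one of these
    task: str             # glob over the task identifier, e.g. "add-printer:*"
    action: str           # "allow", "challenge" (justification required) or "deny"


@dataclass
class Elevation:
    """A single-use grant bound to one user, device and task."""
    user: str
    device: str
    task: str
    rule: str
    used: bool = False


def evaluate(rules: Iterable[ElevationRule], user: str, groups: Iterable[str],
             device: str, task: str,
             justification: Optional[str] = None) -> Optional[Elevation]:
    """First matching rule decides; no match means no elevation (default deny)."""
    member_of = set(groups)
    for rule in rules:
        if not fnmatchcase(device, rule.devices):
            continue
        if not member_of.intersection(rule.groups):
            continue
        if not fnmatchcase(task, rule.task):
            continue
        if rule.action == "deny":
            return None
        if rule.action == "challenge" and not justification:
            return None
        return Elevation(user, device, task, rule.name)
    return None


def perform(elevation: Optional[Elevation], device: str, task: str) -> bool:
    """Run a privileged task only under a grant issued for exactly that task on
    that device and not yet consumed. The user keeps their own identity; no
    shared administrator credential is handed out."""
    if elevation is None or elevation.used:
        return False
    if elevation.device != device or elevation.task != task:
        return False
    elevation.used = True
    return True


def run_demo() -> dict:
    rules = [
        ElevationRule("no-server-installs", "srv-*", ("Everyone",), "install:*", "deny"),
        ElevationRule("printers", "lt-*", ("Staff",), "add-printer:*", "allow"),
        ElevationRule("vetted-installers", "lt-*", ("Staff",), "install:*", "challenge"),
    ]
    alice = ("alice", ("Everyone", "Staff"))
    grant = evaluate(rules, *alice, "lt-042", "add-printer:hp-floor3")
    return {
        # the grant cannot be redirected to a different task
        "grant_misused": perform(grant, "lt-042", "install:anything"),
        "printer_allowed": perform(grant, "lt-042", "add-printer:hp-floor3"),
        # once the printer is added, the elevation no longer applies
        "grant_reused": perform(grant, "lt-042", "add-printer:hp-floor3"),
        "install_silent": evaluate(rules, *alice, "lt-042", "install:7zip") is None,
        "install_with_reason": evaluate(
            rules, *alice, "lt-042", "install:7zip", "ticket INC-1234") is not None,
        "server_install_denied": evaluate(
            rules, "dave", ("Everyone", "Server-Admins"), "srv-db01", "install:agent") is None,
        "unmatched_denied": evaluate(rules, *alice, "lt-042", "edit-registry:HKLM") is None,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Rule order matters in this engine (first match wins), which is why the server "deny" line is listed before the laptop rules; an unmatched request falls through to no elevation, and the same grant can be neither reused nor pointed at a different task.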
PASM vs PEDM – Which do I need? Do I need both to be secure?
Both approaches have value, and both are needed to obtain full coverage of privileged access. You want both capabilities because they treat privilege differently depending on the context of the use case. Each is the right tool for what it was designed for, and trying to use one to do the other’s job is akin to using a shoe as your hammer on a construction project: it would technically work, but it would be frustrating and far less productive.
The right tool for the right job is paramount in PAM. Plan on both being included in your overall PAM strategy. The key is understanding the right mix of PASM vs. PEDM, and where best to apply each.
As a PAM advisor, we are often asked to help develop this mix, and the advice differs from client to client (as it should, given the different approaches).
A recent client worked with us to develop a PAM strategy that mapped PASM as the first approach to deploy. Another decided that PEDM management of end devices was their key risk area to tackle. Both were the right approach for them individually. It is important to understand what your needs are so that a strategy can be designed specific to those needs.
The general best practice approach: It’s usually prudent to start with PASM and lock down administrator credentials. Then deploy PEDM to manage endpoints and user elevation needs. We agree with this as a baseline approach, which should then be analyzed against your organization’s needs (which could change the answer).
CyberArk and BeyondTrust handle PASM and PEDM with different approaches
CyberArk and BeyondTrust, longtime leaders in PAM solutions, offer options for both PASM and PEDM, but their specific approach is different.
First, let’s outline their “toolsets” and put them into PASM and PEDM groups.
Core Privileged Access Security
CyberArk’s Core Privileged Access Security product takes a PASM approach to PAM. The components are designed for the core features of PASM:
- Enterprise Password Vault: Stores and provides privileged credentials.
- Privileged Vault Web Access: A front end for users to request and check out privileged credentials.
- Privileged Session Manager: Used to manage and record privileged sessions.
- Central Policy Manager: Used to rotate passwords once they are checked in.
- Application Access Manager: A separate tool for managing application-specific accounts; it provides APIs and other methods to retrieve and use credentials inside applications.
Endpoint Privilege Manager
Endpoint Privilege Manager (EPM) is the PEDM tool in the CyberArk suite. EPM enforces least privilege on endpoints and elevates privilege only when needed for a specific task. As an endpoint management tool, it also offers application control, ransomware defense, and related capabilities.
Universal Privileged Management Suite
BeyondTrust’s Universal Privileged Management Suite uses a PASM approach to PAM. It includes several solutions that are integrated into the overall suite:
- Password Safe and Secure Credential Storage: Stores credentials and manages the request and approval process, as well as rotating the credential when it is checked in or expires.
- Retina Scanner: Used to scan the environment and enroll devices into management. Requests are made and managed in the web interface, and monitoring is managed through the solution.
- Privileged Remote Access: Manages remote access for users and vendors alike.
Endpoint Privilege Management
BeyondTrust’s Endpoint Privilege Management (EPM) uses a PEDM approach to PAM. The solution enforces least privilege and allows an approved, temporary elevation of rights for specific tasks, such as installing a printer or launching an application. It works across Windows, Mac, and Unix/Linux, covering both desktops and servers.
BeyondTrust also has some additional helpful tools such as Active Directory Bridge, to allow AD to be used for authenticating into Unix/Linux.
How do I decide which vendor approach is right for me?
Both CyberArk and BeyondTrust offer PASM and PEDM solutions. The difference is in the approach to deploying and managing privilege.
Specific to PASM, here is how each vendor approaches deployment and management.
BeyondTrust – Asset Focused
The BeyondTrust approach relies on a strong scanning capability that scans the environment at regular intervals. These scans are then used to automatically onboard assets. Users are also aggregated from directories such as AD and LDAP.
Users are then assigned privileged rights specific to an asset. When an administrator logs into the solution, they see the servers they have access to, and can launch a session via RDP or SSH to connect to the server. The activity is monitored and recorded on the solution during the session, and then the passwords are rotated after they expire.
This asset-focused approach to privilege helps many organizations understand what is in their environment via powerful scans, and then apply access rules based on the asset.
CyberArk – Account Focused
The CyberArk approach is to identify accounts rather than assets. CyberArk provides a scanner so that you can view your environment and see what accounts exist. The tool can then help move the accounts into management. From there, you can look at privileged access usage, and with the tool you can reduce the total number of accounts needed for privileged tasks.
Once all privileged tasks are being managed via the CyberArk tool, new accounts created for users do not need to have special privileges, as all privileged activity and credentials are managed with the CyberArk tool. Approved requests for access in the solution start a managed session, which is recorded in the tool for future reference. Once the session is terminated or expires, the password is rotated for the next use.
This account-focused approach suits organizations that want a tool offering configuration flexibility and strong enforcement of privilege policies.
Next Steps – Picking the right tools and approaches to fit your needs
Privilege is a wide and deep topic. How and where it lives in your organization is undoubtedly varied and not necessarily apparent. Here are some things to keep in mind:
- PASM and PEDM are two different, complementary approaches to PAM
- Both should be included in your PAM program and strategy
- Leading vendors provide both approaches in their solution sets
- They approach it differently, with an asset vs. account approach
- Finding the best fit for you depends upon a lot of factors. There is no single ultimate solution, just the solution that is the best fit for your needs
Integral Partners also offers free workshops on a variety of IAM topics, PAM included. Please don’t hesitate to reach out – we’re happy to help.