EXECUTIVE VIEW. One Identity SafeGuard 2.0. KuppingerCole Report

Similar documents
EXECUTIVE VIEW. KuppingerCole Report

the SWIFT Customer Security

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)

Next Generation Privilege Identity Management

KuppingerCole Whitepaper. by Dave Kearns February 2013

WHITE PAPER. Meeting GDPR Challenges with Delphix. KuppingerCole Report

1 Introduction Product Description Strengths and Challenges Copyright... 6

Security Fundamentals for your Privileged Account Security Deployment

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Digital Risk and Security Awareness Survey

Achieving Digital Transformation: FOUR MUST-HAVES FOR A MODERN VIRTUALIZATION PLATFORM WHITE PAPER

Managing the Risk of Privileged Accounts and Passwords

Managing Your Privileged Identities: The Choke Point of Advanced Attacks

BEYOND AUTHENTICATION IDENTITY AND ACCESS MANAGEMENT FOR THE MODERN ENTERPRISE

hidglobal.com HID ActivOne USER FRIENDLY STRONG AUTHENTICATION

Feature Comparison Summary

Cybersecurity Roadmap: Global Healthcare Security Architecture

TECHNICAL OVERVIEW OF NEW AND IMPROVED FEATURES OF EMC ISILON ONEFS 7.1.1

Privilege Security & Next-Generation Technology. Morey J. Haber Chief Technology Officer

HIPAA Regulatory Compliance

Implementing Your BYOD Mobility Strategy An IT Checklist and Guide

Two-Factor Authentication over Mobile: Simplifying Security and Authentication

Mapping BeyondTrust Solutions to

Oracle API Platform Cloud Service

Cracking the Access Management Code for Your Business

Best Practices in Securing a Multicloud World

CyberArk Privileged Threat Analytics

Understand & Prepare for EU GDPR Requirements

Secure Access & SWIFT Customer Security Controls Framework

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

WHITE PAPER AUTHENTICATION YOUR WAY SECURING ACCESS IN A CHANGING WORLD

NIST Revision 2: Guide to Industrial Control Systems (ICS) Security

SOLUTION OVERVIEW. Enterprise-grade security management solution providing visibility, management and reporting across all OSes.

INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.1 SUCCESS AKAMAI SOLUTIONS BRIEF INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.

CS 356 Operating System Security. Fall 2013

The Common Access Card The problems it solves (and the ones it doesn t) Quest Software/One Identity Dan Conrad Federal CTO

CipherCloud CASB+ Connector for ServiceNow

SailPoint IdentityIQ Integration with the BeyondInsight Platform. Providing Complete Visibility and Auditing of Identities

1 Modular architecture

Data Breach Risk Scanning and Reporting

IT infrastructure layers requiring Privileged Identity Management

locuz.com SOC Services

Ending the Confusion About Software- Defined Networking: A Taxonomy

PowerBroker Password Safe Version 6.6

DEFINING SECURITY FOR TODAY S CLOUD ENVIRONMENTS. Security Without Compromise

NEXT-GENERATION DATACENTER MANAGEMENT

Office 365 Buyers Guide: Best Practices for Securing Office 365

The Emerging Role of a CDN in Facilitating Secure Cloud Deployments

5 OAuth Essentials for API Access Control

Pasiruoškite ateičiai: modernus duomenų centras. Laurynas Dovydaitis Microsoft Azure MVP

Zero Trust in Healthcare Centrify Corporations. All Rights Reserved.

Brochure. Security. Fortify on Demand Dynamic Application Security Testing

Securing Your Amazon Web Services Virtual Networks

Privileged Account Security: A Balanced Approach to Securing Unix Environments

SYMANTEC DATA CENTER SECURITY

Risk Intelligence. Quick Start Guide - Data Breach Risk

SOLUTION BRIEF RSA NETWITNESS EVOLVED SIEM

2 Me. 3 The Problem. Speaker. Company. Ed Breay Sr. Sales Engineer, Hitachi ID Systems.

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

EMC Storage Resource Management

Mobile Security Overview Rob Greer, VP Endpoint Management and Mobility Product Management Dave Cole, Sr. Director Consumer Mobile Product Management

Dell EMC Isolated Recovery

10 FOCUS AREAS FOR BREACH PREVENTION

Ekran System v Program Overview

What to Look for in a Partner for Software-Defined Data Center (SDDC)

2018 Trends in Hosting & Cloud Managed Services

Oracle Communications Services Gatekeeper

HOLISTIC NETWORK PROTECTION: INNOVATIONS IN SOFTWARE DEFINED NETWORKS

ELIMINATE SECURITY BLIND SPOTS WITH THE VENAFI AGENT

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

NEXT GENERATION SECURITY OPERATIONS CENTER

A Practical Guide to Efficient Security Response

CA Security Management

LTI Security Services. Intelligent & integrated Approach to Cyber & Digital Security

CommandCenter Secure Gateway

Borderless security engineered for your elastic hybrid cloud. Kaspersky Hybrid Cloud Security. #truecybersecurity

5 OAuth EssEntiAls for APi AccEss control layer7.com

1. Introduction. 2. Why Mi-Token? Product Overview

BUILDING SECURITY INTO YOUR DATA CENTER MODERNIZATION STRATEGY

Locking down a Hitachi ID Suite server

SOLUTION BRIEF RSA SECURID SUITE ACCELERATE BUSINESS WHILE MANAGING IDENTITY RISK

CA Test Data Manager Key Scenarios

Control-M and Payment Card Industry Data Security Standard (PCI DSS)

Protecting organisations from the ever evolving Cyber Threat

How to Deliver Privilege Access Management

Poor PAM processes and policies leave the crown jewels susceptible to security breaches Global Survey of IT Security Professionals

Powerful Insights with Every Click. FixStream. Agentless Infrastructure Auto-Discovery for Modern IT Operations

8 Must Have. Features for Risk-Based Vulnerability Management and More

Survey Results: Virtual Insecurity

CIO Update: Security Platforms Will Transform the Network Security Arena

SECURING AWS ACCESS WITH MODERN IDENTITY SOLUTIONS

PKI is Alive and Well: The Symantec Managed PKI Service

Feature Comparison Summary

Secure VFX in the Cloud. Microsoft Azure

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Windows 7 Done Right: From Migration to Implementation

The Privileged Appliance and Modules (TPAM) 1.0. Diagnostics and Troubleshooting Guide

Crash course in Azure Active Directory

Security in Bomgar Remote Support

Asset Discovery with Symantec Control Compliance Suite WHITE PAPER

Transcription:

KuppingerCole Report EXECUTIVE VIEW by Martin Kuppinger August 2017 One Identity SafeGuard 2.0 One Identity SafeGuard 2.0 is a re-architected, modular solution for Privilege Management, supporting both Shared & Privileged Account Password Management and Session Management, plus several additional capabilities. The product excels with its architecture, integration capabilities, and other features such as very strong workflow support. by Martin Kuppinger mk@kuppingercole.com August 2017 Content 1 Introduction... 2 2 Product Description... 3 3 Strengths and Challenges... 4 4 Copyright... 5 Related Research Leadership Compass: Privilege Management - 72330 Advisory Note: Privilege Management - 70736 Executive View: One Identity Manager v7.0.1-70894 Executive View: Dell One Identity Cloud Access Manager - 71250

1 Introduction In the age of digital transformation, the requirements on IT, but also the ways IT is done, are changing. Organizations need to reinvent themselves and become agile and more innovative, while meeting ever increasing regulation all in addition to constantly improving security, by having the right counter measures and preventing attacks. On the other hand, with the vast number of attacks that organizations are facing and the burgeoning of regulations, organizations must invent new methods of meeting these needs while still perfectly serving their customers. In addition, smart manufacturing and the internet of things massively expand the attack surface of organizations. Among the various countermeasures Privilege Management plays a central role. Privilege Management describes the domain of technologies that help better manage and control socalled privileged accounts, i.e. accounts having elevated privileges and thus imposing a higher risk. Such accounts also include shared accounts, which frequently have elevated privileges, but are at higher risk per se due to the nature of shared credentials. The capabilities of Privilege Management nowadays range from Shared Account Password Management to Session Management and Privileged Behavior Analytics. Privilege Management can be considered a domain of Cybersecurity since attackers usually go after the high privilege accounts. The users of the privileged accounts have the broadest access to sensitive company data such as HR records, financial information, payroll details or a company s IP. Therefore, a strong emphasis needs to be placed on protecting these accounts, which eventually results in a reduced risk of breaches. Furthermore, Privilege Management is an essential element in protecting organizations against attacks that are not yet identified. What commonly is called zero-day attack in fact has been running for a shorter or longer while, sometimes for years. All attacks go through a phase where they are run but are not yet detected. Traditional technologies such as signature-based Anti-Malware don t help in these scenarios. New Cybersecurity tools looking for anomalies and outliers can help identifying such longrunning attacks. Privilege Management helps in two ways in these situations. On the one hand, it increases the protection of digital assets by protecting the most critical accounts and access to these systems. On the other hand, Privileged Behavior Analytics helps in identifying anomalies in privileged user behavior. Additionally, Privilege Management also is part of the IAM (Identity and Access Management) domain, because it is about managing accounts and their passwords, as well as their access at runtime, e.g. by monitoring sessions. Privilege Management thus is an essential element of both Cybersecurity and IAM infrastructures of organizations. It helps in mitigating risks and in protecting the crown jewels of organizations, their valuable digital assets and systems. Thus, it is no surprise that the market for Privilege Management is evolving, with new vendors entering and new and modernized offerings delivering better ways to tackle the challenges of Privilege Management. Page 2 of 6

2 Product Description One Identity is part of Quest Software and has been a player in the Privilege Management market for many years, with some offerings such as their Unix-to-Active Directory integration (formerly Vintela) being renowned and available for quite a long time. One Identity as a company was started after Quest Software was split from Dell and runs the IAM business, with the flagship product One Identity Manager and offerings in a variety of other areas. One of these is 2.0, which covers the Privilege Management market. 2.0 has been built from the ground up in a new architecture. The decision to rearchitect the One Identity solution for Privilege Management has various targets. One is decreasing the time-to-value for customers by simplifying both deployment and integration. The other major target was delivering a fully integrated solution with a consistent architecture and UI, which can be easily expanded by adding further modules. The architecture follows the microservices paradigm, with central services such as console interfaces, APIs, authentication capabilities, workflows, internal security and access management, and reporting being delivered as central services. These services then are used by the functional modules, with three modules being available right now and additional modules being under construction. Two modules are available as of now: Password Module (Shared Account Password Management) Session Module (Session Management) Furthermore, One Identity already plans for a third module, the Unix Security Module (Unix Session and Privilege Elevation Management), which will become available later. The platform exposes a comprehensive set of REST APIs, uses a modern HTML5-based console also supporting mobile devices, supports standards such as OATH2, and other features. At least in the first release, the solution is available only as a hardware appliance, built on a hardened software stack, starting with an embedded OS. Particularly for the highly sensitive area of Privilege Management with storing and managing shared credentials, such an approach mitigates risks of attacks through other software components such as the host OS, guest OS, or hypervisor. The architecture is designed to be horizontally scalable, includes pre-configured clustering capabilities and active-/active configurations with multiple nodes out-of-the-box. The latter capability is rarely found, with active-/active configurations either not being supported at all or requiring massive extra effort in configuration in most other solutions in the market. Other important areas of common functionality across the modules include a flexible workflow engine, e.g. supporting access requests and approvals for privileged accounts, and advanced audit features. The workflow engine also supports areas such as changes in access configuration settings and session settings. It also can be used for configuring emergency access. With this broad support, One Identity Safeguard excels in workflow support compared to many of the other players in the Privilege Management market. Page 3 of 6

also provides strong integration capabilities. Privilege Management is not isolated, but has various touchpoints with other solutions. One Identity starts with integration to the 2FA (Two Factor Authentication) capabilities of its cloud-based Starling platform and the Approval Anywhere capability, which works flexibly across different types of devices. Safeguard also provides out-of-the-box integration to Servicenow and BMC Remedy as leading ticketing systems and, also based on the comprehensive set of APIs, allows for integration into existing IT Service Management workflows. In the field of Shared & Privileged Account Password Management, the solution delivers the expected features such as 2FA for access to privileged sessions, discovery of privileged accounts, one-time passwords for shared accounts, and support for a broad range of target systems including servers, network devices, and applications. This area has evolved well beyond just providing one-time passwords for shared accounts nowadays. The target is to protect all access via privileged accounts. In Session Management, builds on a protocol-proxy technology. Communication via common protocols such as SSH or RDP is proxied through the appliance. This allows for implementing the common Session Management features such as auditing and recording sessions, but on the other hand leaves the administrative workstations unaffected. For command-line session, command detection is supported. Other features such as auto-login are supported as well. 3 Strengths and Challenges In sum, 2.0 is a well-thought-out solution for tackling the Privilege Management challenges organizations are facing today. The product supports the key capabilities required by customers with the initial modules, those capabilities being the management of access to privileged and shared accounts and the entire area of Session Management. Further modules covering Unix privilege elevation management as well as additional capabilities are planned. While the hardware appliance form factor might be considered a challenge for customers focusing on highly virtualized IT infrastructures, it provides significant advantages in security through its hardened platform and ability for rapid deployments. A particular strength of is its integration capabilities, with out-of-the-box integrations to various systems being available. Other features such as the workflow capabilities and support for active-/active architectures also are above what is delivered by most other players in the market. On the other hand, not all functional modules are available yet. In particular, there is no Privileged Behavior Analytics module yet. However, this is commonly one of the features to be deployed by customers after the other capabilities, and integration to Identity Analytics is already planned. In sum, One Identity is back as one of the vendors in the Privilege Management market that should be considered when evaluating products in this market segment. While there are some gaps in breadth and depth of functionality, the product excels with its modern, well-thought-out architecture, the integration capabilities, and the potential of being expanded by additional modules in a consistent manner. Page 4 of 6

Strengths Strong support for discovery of accounts, Shared & Privileged Account Password Management, and Session Management Modern, well-thought-out and expandable architecture with functional modules Strong integrated workflow capabilities, specifically targeted at Privilege Management requirements Supports active-/active replication between various instances out-of-the-box Strong integration capabilities based on a comprehensive set of APIs Integrations to ticketing systems, cloud-based 2FA and other systems out-of-the-box Rapid deployment based on hardware appliance form factor Modern UI supporting all types of devices Challenges Currently only available in a hardware appliance form factor, which increases security of the solution but might be an inhibitor in some customer s IT infrastructures No support for Privileged Behavior Analytics yet, but integration into Identity Analytics already announced Some gaps in the depth of functionality, e.g. in support of older protocols for Session Management 4 Copyright 2017 Kuppinger Cole Ltd. All rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole s initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaim all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole do not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks or registered trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them. Page 5 of 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback