The CA PAM’s ability to seamlessly integrate and provide a demarcation between users and systems is the most attractive aspect. It:
- Enables all control to start with Xsuite’s Deny All, Permit by Exception (DAPE) approach to limit privilege access controls.
- Enables all privileged users to see only those systems and access methods to which they’re expressly allowed access. Privileged users include Vendor Integration and Partners.
- Enables and verifies all system policies, providing an additional level of control by selectively filtering commands issued.
- Enables unauthorized commands to be blocked, with optional user warnings and policy violation alerts to security teams and logs.
- Enables sessions of users attempting to violate policies to be terminated, or accounts deactivated; enterprise policy control.
- Enables prevention of “leapfrogging,” which allows one system to be used as a launch point for additional attacks / lateral movement.
- Enables full stack and system integration.
- Enables service integration with all systems using APIs or application to application.
These features greatly assist us and our clients in protecting their data privacy.
Improvements to My Organization:
In retrospect, we and our clients have seen a reduction in service-related issues for application server and mainframe environments, a reduction in the provisioning lifecycle and requirements for systems such as mainframes, and a substantial increase in security flow and protection.
Room for Improvement:
I believe continued expansion of integration to multiple systems, including SSO and SAML technologies, will provide a more expansive, enterprise view of access orchestration, which will in turn strengthen the security of the environment.
Use of Solution:
I have been involved with this product for three years, both using and implementing for client architectures.
I have not encountered any issues with stability.
I have not encountered any issues with scalability; this is a true enterprise expandable product for mid-market and beyond.
In my experience with the CA PAM, their support apparatus has improved immensely over the past 12 months and continues to improve based on client feedback. Indications from my clients are that CA Technologies actually listens to their concerns and takes action.
Being in the technology sector for many years, we did not initially use products such as the CA PAM. We relied on common architecture, such as Microsoft and Oracle. As the need for more segregation of duties became prevalent, we looked to enhance our security with privileged access management. The feedback from most clients surrounding PAM is it provides a segregated extension of access control framework to enable better protection of customer privacy/data.
The initial setup is not complex. The design and integration can become complex without the proper solution architecture and an understanding of the impacts that changes in technology place on a company's operational process and employee behavioral management. These topics became more complex to manage and establish than the product itself.
Cost and Licensing Advice:
Product pricing and licensing are related to short-term or long-term business planning. In many cases, this solution should be looked at as a long-term solution. Therefore, considering the long-term savings in perpetual vs. annual licensing is paramount to a progressive architecture. Therefore, I believe it is in the interest of the business to make these decisions prior to OEM engagement; they need to be vetted and defined as a value to the company at large.
Other Solutions Considered:
No other options were evaluated because this PAM has made substantial gains in system integration, which outweigh industry choices.
I am a proponent of the product in many ways but most importantly, I believe a solid, well-thought-out strategy and solid architectural plan for the future needs to be the priority, not buying a product to fit the unknown.
Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: My company is a CA Technologies OEM partner.