CA Privileged Access Manager Review

We can separate the management of accounts with and without elevated privileges. It integrates with our identity management system.


What is most valuable?

So far the best value is the centralized management of all administrative accounts. Before PAM, domain administrators, Unix administrators with root access, end-users with elevated desktop privileges, and so on, were managed by those individual groups themselves. Now we have a way to separate the management of accounts with and without elevated privileges. This provides better control over who can see what information, and who can perform which actions.

So all the different roles (such as database admin, Unix admin, network administrator) are now centralized into one system. Users are authenticated with a single sign-on to access only what is appropriate for their role. It also enables us to take a generic role, like an administrator, and grant certain access rights to that role. Then you can apply the generic role, but go inside and make it granular. That isn't available in the product off the shelf, like in Microsoft or Red Hat.

It also integrates with our identity management system in which the roles and responsibilities are defined. Syncing the two systems is very helpful as well.

How has it helped my organization?

It is very helpful with passing audits. It’s one thing to say you have a control; it’s another to show your control. This is very easy to show. It also simplifies the security team's role in that we aren't chasing as many accounts with elevated privileges. We have a central place to go look for them.

A secondary feature is that it tracks normal behavior, and then sends notifications about anything out of the norm. An example of that is: a network administrator would add accounts on a regular basis at a rate of 10 a day; if 50 were to show up in one day, it would automatically flag it and say, "Something's not right, take a look."

What needs improvement?

I would like to see better integration with Security Incident Management solutions, a SIM, like a Splunk.

The integration with IBM’s Guardian is useful, but it is not a specific plug-in or API. It is just log information; so a little more detail would be useful there.

What do I think about the stability of the solution?

So far, so good. It is new. We haven’t had any issues yet.

What do I think about the scalability of the solution?

So far, so good. It is new. We haven’t had any issues yet.

How is customer service and technical support?

Technical support has been good too. We had professional services onsite with us, so that made things easy. We have transitioned away from that, but so far things have been fine. We haven't had any major issues.

Which solutions did we use previously?

We were not using anything else previously.

How was the initial setup?

It was a little bit of both. There's some internal politics, and the internal infrastructures, as well as bringing in a new product; but overall it was fine.

There was a lack of knowledge from my team; and then learning from the other team, as well as the professional services team learning our infrastructure and its intricacies.

How do you get a change control approved so we could do something quickly?

Which other solutions did I evaluate?

We went with it because of internal customer needs, the regulatory and audit requirements, ease of installation, and auditor funding.

What other advice do I have?

I would say do your research. We did, and that's why I said there weren't any real competitors. There always are; but in this space, I don't think so – not today.

Disclosure: I am a real user, and this review is based on my own experience and opinions.