CA Technologies Privileged Access Manager
Strengths: Good feature set with highly scalable architecture and API-level automation.
Weaknesses: High cost.
Verdict: CA has typically addressed larger enterprises well, and this is no exception. The price, feature set and assumed integration are all hallmarks of large enterprises. In that environment, it is worth your consideration.
Privileged Access Manager from CA Technologies is an appliance-based access gateway for securing access to systems using privileged accounts. This product comes as an appliance, but is available in physical, virtual or cloud versions. Once deployed, this tool can control transparent login to systems with privileged credentials through a Java-based applet in a browser window or integration with native applications. Further, CA Privileged Access Manager allows developers to integrate authentication directly into code to enable dynamic changing of passwords without the need to store passwords in clear text within the application or automated scripts. It also has the capability to integrate at the API level for highly customizable automation and scripting.
From a deployment standpoint, this offering provides many options. Aside from a physical appliance, the Privileged Access Manager is available as a ready-to-deploy OVF virtual appliance or Amazon Virtual Machine Image for cloud deployments. Once deployed, authentication and policy can be set up directly through integration with Active Directory. The appliance comes with many roles predefined for different types of users and access, but it is also quite easy to create custom roles and permissions to systems, credentials and applications. It also features session containment rules that can keep a user from accessing certain applications or making changes to specific files. If a user violates the set policy a configured number of times, the session is automatically terminated. Along with containment, the server protection functionality allows policy to be set so that even privileged users cannot make unauthorized changes. For the end-user, the web-based interface is intuitive to navigate with a simple layout. Access types are clearly displayed and easy to understand.
Aside from containment policy, this product includes a number of reporting, auditing and monitoring options. All user sessions are fully recorded and indexed by session activity. Privileged Access Manager also integrates directly with security information and event managers (SIEM), including deep integration with Splunk for full auditing and event correlation. However, a SIEM is not necessary to access detailed logs and audit events.
Documentation included several PDF guides. Among these were implementation and planning guides as well as API integration guides. We found all submitted documentation to be well-organized and easy to follow. Much of the documentation included diagrams and configuration examples as well.
CA offers no-cost basic support during installation and evaluation of the product. Once the tool is purchased, customers can also buy standard eight-hours-a-day/five-days-a-week or 24/7 premium assistance through a support agreement. Support subscriptions include phone and email-based technical aid as well as access to a large online customer support portal. This includes resources, such as product guides and documentation, a knowledge base and online tutorials and videos.
At a starting price of $25,000, the CA Privileged Access Manager carries quite the price tag for its feature set. We do find this solution to be a good value for the money, especially for larger environments. It offers some very flexible integration options that may be required in certain networks with direct API-level automation and high scalability.