Every now and then, some bright security pro has a flash of brilliance. Sometimes those flashes are hidden under mundane challenges. Passlogix's new Shared Accounts Manager (SAM) is one of those products. The mundane problem is password sharing. There are many of what I refer to as password carvers. These are intended to take passwords – mostly administrator passwords – and make them available to multiple users without compromising the password itself.
Most of these are standalone products and I have seen some very good ones. Where the real challenge lies is in the enterprise. This, really, is a password management problem and it needs to be solved at the enterprise level. SAM does this very well. While I wish SAM could be a standalone product that would snap into any user management system, SAM works only within the v-GO family of products. That said, perhaps the greatest strength of this tool is that it is part of the v-GO suite and is nearly transparent as a separate product once implemented.
Still, the Passlogix suite is about as good as it gets, so there is no great loss there for current v-GO users or for organizations looking for their first authentication management tools. The tool is extremely competent and SAM does, in fact, simply snap into the v-GO suite. It works with the v-GO Single Sign-On and Provisioning Manager products. Implementation is a cakewalk once the rest of the suite is in place.
SAM's functionality is solid. It works on the principle that a user who needs access to a shared password simply checks the password out, uses it and checks it back in when finished. While it is possible for the administrator to set the policies up such that the user can see the actual password (often necessary for such applications as command line logins in Linux systems), the norm is that the password is hidden.
The user simply logs in with their own password – this is part of the v-GO Single Sign-On package – checks out the required shared password and, with a mouse click, logs into the shared application. There are lots of applications for this functionality besides superuser accounts. For example, temporary users may need one or two logins and there is no practical approach to set them up as regular users – think support contractors, security consultants conducting vulnerability testing or temporary office workers who need some database access for a couple of days.
Auditing is about the best I've seen in a product of this type. You can audit based on the actions of a particular user or the actions of multiple users checking out a particular password. Administration is very granular. SAM cannot change passwords on target systems directly. However, it has an API that hooks into several third-party products that complete the password management loop.
When a new user logs in and needs to access a shared password, SAM puts an agent on their computer that allows the process to continue. When the temporary user is finished, the agent is self-dissolving, leaving no footprint on the computer. This is part of SAM's creative use of Provisioning Manager to allow self-service by temporary workers. Multiple users can be authorized to access a shared password at the same time, or access can be limited to a single user. Of course, each unique access is logged for auditing.
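To make the check-out/check-in model concrete, here is an added example that is not Passlogix code: a small in-memory vault that enforces the behaviours the review describes (the user authenticates as themselves, a role check gates the shared account, the password is hidden behind a handle unless policy allows reveal, exclusive versus concurrent holders, and every access is logged so it can be audited by user or by account). The class names, policy fields, users, roles, accounts and secrets are all assumptions constructed for the illustration.

```python
"""Illustrative shared-account vault with check-out/check-in and audit trail.

Added example, not Passlogix code. All names, policies and sample data below
are assumptions made for the illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


class AccessDenied(Exception):
    """Raised when policy forbids the requested check-out or check-in."""


@dataclass
class SharedAccount:
    name: str
    secret: str                 # the shared password held by the vault
    allowed_roles: set          # roles entitled to check the account out
    exclusive: bool = True      # True: one holder at a time; False: concurrent use
    reveal: bool = False        # True: the user is shown the plaintext (e.g. CLI logins)
    holders: set = field(default_factory=set)


@dataclass
class AuditEvent:
    when: str
    user: str
    account: str
    action: str                 # "checkout", "checkin" or "denied"
    detail: str = ""


class SharedAccountVault:
    def __init__(self, user_roles):
        self.user_roles = user_roles            # identity -> roles (e.g. fed from AD groups)
        self.accounts = {}
        self.audit = []

    def add_account(self, acct):
        self.accounts[acct.name] = acct

    def _log(self, user, account, action, detail=""):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append(AuditEvent(stamp, user, account, action, detail))

    def checkout(self, user, account):
        """Check a shared account out; returns plaintext or an opaque handle."""
        acct = self.accounts[account]
        roles = self.user_roles.get(user, set())
        if not roles & acct.allowed_roles:
            self._log(user, account, "denied", "role not authorised")
            raise AccessDenied(f"{user} may not use {account}")
        if acct.exclusive and acct.holders and user not in acct.holders:
            self._log(user, account, "denied", "held by " + ",".join(sorted(acct.holders)))
            raise AccessDenied(f"{account} is already checked out")
        acct.holders.add(user)
        self._log(user, account, "checkout", "revealed" if acct.reveal else "hidden")
        # Hidden mode: the agent logs in with the secret; the user only sees a handle.
        return acct.secret if acct.reveal else f"handle:{account}:{user}"

    def checkin(self, user, account):
        acct = self.accounts[account]
        if user not in acct.holders:
            self._log(user, account, "denied", "not a current holder")
            raise AccessDenied(f"{user} does not hold {account}")
        acct.holders.discard(user)
        self._log(user, account, "checkin")

    # Audit views: what one person did, and who touched one account.
    def events_for_user(self, user):
        return [e for e in self.audit if e.user == user]

    def events_for_account(self, account):
        return [e for e in self.audit if e.account == account]


def build_vault():
    """Constructed sample data: two admins, one contractor, two shared accounts."""
    vault = SharedAccountVault({"alice": {"dba"}, "bob": {"dba"}, "carol": {"contractor"}})
    vault.add_account(SharedAccount("oracle-sys", "S3cr3t!", {"dba"}, exclusive=True))
    vault.add_account(SharedAccount("linux-root", "r00t-example", {"dba", "contractor"},
                                    exclusive=False, reveal=True))
    return vault


if __name__ == "__main__":
    v = build_vault()
    print(v.checkout("alice", "oracle-sys"))          # opaque handle, password hidden
    try:
        v.checkout("bob", "oracle-sys")               # exclusive account still held by alice
    except AccessDenied as err:
        print("denied:", err)
    v.checkin("alice", "oracle-sys")
    print(v.checkout("bob", "oracle-sys"))
    print(v.checkout("carol", "linux-root"))          # reveal policy: plaintext for CLI login
    for e in v.events_for_account("oracle-sys"):
        print(e.when, e.user, e.action, e.detail)
```

The two audit views correspond to the two questions the review says the product answers: what a given user did, and who checked a given password out. The `reveal` flag models the Linux command-line case the reviewer raises, where the plaintext has to reach the user; everywhere else the user only ever holds an opaque handle.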
Users can be managed by roles and groups, and the connection to Microsoft Active Directory is clean and operates properly to extend identity management to the whole enterprise. There is no doubt that this is an enterprise solution for the challenge of managing shared passwords.
If you are using the v-GO suite or are considering it, take a close look at this useful addition to the line. For little money and almost no effort, it can solve one of security administrators' biggest headaches.
AT A GLANCE
Product: v-GO Shared Accounts Manager (v-GO SAM)
Price: Starts at $49.95 per user for up to 100 users. Requires v-GO Single Sign-On ($69.95 per user in the same quantities) and v-GO Provisioning Manager ($15/user).
What it does: Allows controlled and authorized sharing of passwords, complete with full granular auditing.
What we liked: Ease of use exceeds most products of this type, even though it really is in a class by itself. Functionality is solidly thought out to meet common shared password management challenges.
What we didn't like: I wish that this product could address Linux directly so that command line logins did not require users to view actual passwords on the target system or application. I expect that will be a future enhancement, though.