“Privileged password management” is one of many names for a password administration system. Other terms applied to this type of software include “privileged credential management,” “enterprise password security,” and “enterprise password management.”
If you only have time to learn about the tools we review, here is our list of the best privileged password management tools:
- ManageEngine ADSelfService Plus EDITOR’S CHOICE This service improves the usability of Active Directory and automates password resets. Available for Windows Server, AWS, and Azure. Start a 30-day free trial.
- ManageEngine PAM360 (FREE TRIAL) This bundle of ManageEngine modules provides privileged access management, password controls, and key management. Available for Windows Server, Linux, and Azure. Access the 30-day free trial.
- N-able Passportal A cloud-based password manager combined with a document manager.
- BeyondTrust Password Safe A comprehensive password discovery, management, and session monitoring system.
- Thycotic Least privilege management and threat intelligence.
- CyberArk Privileged Access Security This tool discovers and manages privileged accounts and logs session activities.
The concept goes a little further than password management because it includes many more functions than just allocating, changing, and revoking user accounts. Privileged password management involves the administration of access rights for teams.
Companies need a range of user account types. A straightforward user account for all employees is not enough. For one thing, systems administrators on any IT resource need greater access to the operating systems and firmware of the equipment on the site than regular users need.
The distinction between admin and user accounts doesn’t fully describe privileged password management. The ability to create more user roles and allocate different access privileges to each will help administrators to create stronger security for all resources in the company’s IT infrastructure.
The increased access of privileged user account requires strong security procedures to ensure that those accounts with greater access cannot be hijacked. Thus, the password manager needs to enforce longer, stronger passwords that are composed of random characters. The manager also needs to force all account holders to change their passwords frequently.
Other measures that need to be implemented for privileged accounts are two-factor authentication and resource access logging. The audit logs don’t need to record the actions of the user, just the access times. If malicious events occur, other logging systems will record the time of the event and so cross-referencing those records with information on who was active on the resource at the time can help to identify insider threats or compromised accounts.
Identifying privileged accounts
Even if you are setting up a new company and creating accounts for new staff, you will still have privileged accounts on your system before you have created any new credentials. Many privileged accounts exist without the systems administrator knowing about them. IoT devices and even network equipment are shipped with default access account for managers and even firmware-enabled accounts that carry default passwords.
These embedded accounts present a serious security weakness and need to be tightened up by changing the allocated password. Finding those accounts can be difficult and an automated discovery function in the password manager is a great help.
So, stage one, when introducing a new privileged password manager is to locate all of those privileged accounts.
Password protection
All account passwords need to be stored. In most cases, the direct control over access to a resource is implemented by a controller that is related to that service. For example, Microsoft’s Active Directory governs access to a number of Microsoft products, such as Microsoft Exchange Server or SharePoint Server. Usually, a password manager sits on top of the native access rights controllers and coordinates accounts across the enterprise.
As the controlling access rights system is resident locally, storing the privileged password manager’s password vault in the same location loses an opportunity to have an off-site store that could be used for disaster recovery.
Wherever the password manager is installed, it is a good idea to have the data store associated with it in a different location. That means attaching the application to a server on a remote site or renting storage space on a cloud server.
Cloud-based privileged password management tools that are available in the cloud have a double advantage: first, they are bundled together with remote storage space and second, being charged for a subscription rather than the full fee for the software that would need to be paid upfront.
Vulnerable accounts
Abandoned accounts present opportunities for intruders and accounts that have high access privileges save hackers a lot of time and effort. Identifying those accounts and closing them is an important task for a privileged account manager. Accounts that rarely change their passwords are also vulnerable.
Privileged password managers should include enforced password changes and a system to ensure that strong passwords are used on those accounts.
Accounts previously used by staff who have left the company are easy to spot. However, the definition of abandoned accounts also applies to those accounts that were created but never used by users who are still on the payroll. Those accounts are harder to spot just by scanning through the records of HR. An activity logging system has a better chance of highlighting accounts that are not active.
Duplicate accounts
A large organization with several IT support departments on different sites has a strong possibility of creating more than one account for the same person to access the same system. Those extra, unused user accounts offer opportunities for intruders.
Centralizing the administration of passwords and maintaining an alphabetical list of employees with user accounts should reduce the incidences of duplicated accounts. Putting that list in a searchable database reduces the likelihood of creating more than one account for the same person. Privileged password managers give administrators the ability to keep tight control over the allocation of user accounts.
Account management oversight
One problem of focusing all account controls in one application in one location and giving access to those controls to a very limited number of people is that those favored administrators accumulate a lot of power. That power can be abused. The actions of administrators in charge of managing privileged accounts need to be supervised.
The oversight of password management administrators doesn’t require a company director to watch over the shoulder of IT technicians all day. Logging and auditing functions built into the privileged password management tool should take care of that.
Naturally, password manager access and the actions occurring in each session need to be analyzed. So, the company needs a cybersecurity officer who is able to deploy more tools to properly spot malicious activity. Those investigations will be greatly aided by a security information and management tool.
These auditing functions are essential if the company is implementing a data protection standard. User account controls are stipulated in many data security standards, such as HIPAA and PCI-DSS.
Password policy consistency
Even highly experienced and qualified staff sometimes make mistakes. Computers are much better at performing repetitive administration tasks faultlessly. Privileged password management systems can periodically audit password records, monitor for account login sessions, trigger alerts, write to logs, and shut down suspicious activity effortlessly.
A privileged password manager should be able to help you formulate a password policy and should also have the utility to implement those decisions through settings and automated workflows. Tight password policies, accurate policy implementation, activity tracking, and automated remediation are also essential services for system security.
Implementing privileged password management
Many system administrators still rely on spreadsheets to record user accounts and passwords. Nowadays, the risk of litigation triggered by data disclosure means that these manual systems just aren’t sufficient anymore.
Just as manual password management processes aren’t viable, manually planning the implementation of a comprehensive privileged password management system isn’t good enough. You need to choose a password management tool and use it to clear up historical account errors, such as duplicated accounts and to search the company’s IT resources for hidden, embedded privileged accounts.
A comprehensive password manager should be able to guide the administrator through the process of defining a comprehensive password policy and should also be able to implement that strategy.
Going forward, once the system has been cleaned up and policies are in place, the password manager will take care of most of the account administration tasks. It will take a lot of the strain off your technical staff and providing accountability for auditing and data protection conformance.
Here is our list of the five best-privileged password management tools.
The best privileged password management tools
There are many password management tools available and not all of them are good. It can take a lot of time to investigate all of the password managers for suitability. The following shortlist of five excellent privileged password managers will help you find the ideal system for your company in a short space of time.
Using this set of criteria, we looked for flexible access rights management tools that can implement privileged password management.
Our methodology for selecting a privileged password management system
We reviewed the market for IoT update management tools and analyzed the options based on the following criteria:
- An access rights manager that can cover a range of systems
- A single sign-on (SSO) option
- User groups to segment access rights
- Permission levels to restrict the actions that each group can make
- The ability to revoke rights or set them with an end date
- A free trial or a demo package that provides an assessment opportunity without paying
- Good value for money from a reliable ARM with a reasonable price tag
You can read more about each of these options in the following sections.
1. ManageEngine ADSelfService Plus (FREE TRIAL)
ManageEngine ADSelfService Plus runs on top of Active Directory, providing better password management functions. The system manages password complexity rules and multi-factor authentication. The service will roll out passwords to multiple AD domains be they on premises or cloud systems, such as Microsoft 365, and Google Workspaces.
Key Features:
- Creates a single sign-on environment
- Manages passwords for Active Directory
- Watches failed logins
- Enforces password strength
- User-commanded password resents
The “self-service” element in this package is a user portal that can be set up as a screen lock on a desktop or an app on a mobile device that lets the user login once and then permits access to a menu of allowed applications. The portal also includes a service that allows users to reset their accounts without recourse to technical support staff.
ADSelfService Plus is available for installation on Windows Server or as a service on the marketplaces of Azure and AWS. There are three editions: Free, Standard, and Professional. The top plan provides local cache management and a password policy enforcement system as well as the features of the Standard plan. The Free edition is the same as the Professional package but limited to managing 50 user accounts. You can get the Professional edition with a 30-day free trial.
Pros:
- Tighter access rules
- User controls
- Security monitoring
- Interface for mobile apps and desktops
Cons:
- The cloud version isn’t a SaaS package
2. ManageEngine PAM360 (FREE TRIAL)
EDITOR’S CHOICE
ManageEngine ADSelfService Plus is our top pick for a privileged password management solution because it tightens controls and makes passwords more complex while simultaneously making access to users simpler. Multi-factor authentication locks out password cracking and self-service reset requests make users less nervous about using original and complex passwords. This system creates a single sign-on environment and coordinates with multiple instances of Active Directory, including cloud implementations.
Download: Get a 30-day FREE Trial
Official Site: https://www.manageengine.com/products/self-service-password/download.html
OS: Windows Server, AWS, and Azure
ManageEngine PAM360 is a unified package of three tools that are also available individually from the provider. These are Password Manager Pro, Access Manager Plus, and Key Manager Plus. This combination keeps user passwords confidential, providing a secure, encrypted password vault. The package also gives you management of privileged accounts and monitoring for privileged account usage.
- Password protection
- Remote access controls
- Privileged account activity monitoring
- Security key management
The PAM360 system is particularly interesting for businesses that operate a central IT support team that needs to access endpoints and resources on remote sites. The tool provides the login credentials for these remote, managed devices automatically, which removes the need for each user to be able to know and disclose the passwords. Protection of privileged accounts is extremely important because the power that this level of access provides makes them prime targets for hackers.
The account protection and SSH key management features in this package make PAM360 an essential service for businesses that need to provide compliance with HIPAA, SOX, and PCI DSS. The service can be tuned to deploy workflow pre-sets by specifying the standard that you need to follow in the setup screens of the console. The service will produce an audit trail and generate appropriate reports.
There is only one plan for PAM360, which is called the Enterprise Edition. There is no free version. The software for this package runs on Windows Server or Linux or you can take it as a service in your Azure account. ManageEngine offers PAM360 on a 30-day free trial.
Good for development teams and well as support technicians
Ensures connection security for remote access and file movements
SSH and SSL key management
Privileged user activity tracking
Not a SaaS package
ManageEngine PAM360 Access 30-day FREE Trial
3. N-able Passportal
N-able Passportal is a cloud-based password manager, charged by subscription, that is paired with a document management tool plus secure cloud storage space. The package is covered by encryption for all communication between the client site and the Passportal servers. Storage space is also secured by encryption.
- Cloud-based
- Connection security
- Documentation manager
- Password generator
The Passportal system includes an auto-discovery function that discovers all applications and resources on Windows-managed systems where password protection is implemented. The service then compiles its own register, referring to the local Active Directory system. Once that setup phase has been completed, you can implement your password policy in the Passportal interface and all those changes immediately get rolled out to Active Directory.
The password management system includes a password generator to create complicated passwords from random strings of characters. It can enforce password rotation and implement those changes automatically. It can also implement multi-factor authentication. The tool will also update the system tools on your network that require privileged access so that they have the new password available to them.
The service includes an auditing and reporting module, which is able to demonstrate the freshness of passwords and their usage.
An add-on available with this password manager, called Passportal Blink is a self-service portal that enables users to reset their passwords when they forget them. That feature will drastically reduce the number of support calls that your IT team has to field. You can get a closer look with a free demo.
Supports automatic Active Directory sync via LDAP
Can run access audits to easily identify internal changes made during a period of time
Supports compliance reporting to identify weak passwords and force changes based on policy
Users generate their own encryption key, securing their cloud data from third parties, including Passportal
Includes a document manager – great for helpdesk teams
Better suited for small organizations and growing MSPs
4. BeyondTrust Password Safe
Password Safe from BeyondTrust is a cloud-based password management service. This tool has an autodiscovery feature that will find all of the account-protected resources and all of the passwords issued against them. The discovered passwords get stored in an encrypted, secure password vault. That autodiscovery continues throughout the service life of the software and stems from contact with the local access rights controllers on the client’s system. The interaction with those controllers keeps them updated with any changes made in the Password Safe dashboard.
- Password vault
- Password strength enforcement
- Compulsory password rotation
The password manager tracks down embedded accounts and removes them. It also enforces strong passwords and periodic password renewal. The tool can monitor resources both on the client’s site and on the cloud. This application is also a cloud resource.
Auditing and reporting functions in the tool monitor the sessions of privileged users, leaving an audit trail to help show compliance to data protection standards. The service provides all the same level of protection for non-privileged accounts. The auditing and logging features of the service feed into an analysis module that helps systems designers spot weaknesses in the security of the network.
Uses autodiscovery to find privileged accounts for management
Offered as a highly scalable cloud solution
Features a great UI without sacrificing any important features
Supports auditing for compliance and investigations
Must contact sales for pricing
Would like to see a free trial for testing
5. Thycotic
Thycotic produces a number of account protection systems and two of those are particularly relevant in the search for the best-privileged password management tools. The first of these is Secret Server, which includes an autodiscovery process that gathers all privileged accounts and stores their passwords in a secure vault. This tool is available as on-premises software or as a cloud-based service.
- Account autodiscovery
- Deployment options
- Endpoint access control
This tool covers network devices, security devices, software, virtualizations, and databases. It also enforces password rotation for network accounts and logs the activities of privileged accounts.
The second tool that would be of interest to privileged password management is Privilege Manager. This tool focuses on protecting privileged accounts that have access to endpoints and system applications. Privilege Manager is available for installation or can be accessed as a cloud service. The tool monitors computers that have Windows and MacOS operating systems. It controls accounts and logs account activities.
Both Secret Server and Privilege Manager can be tested on free trials.
Continuously discovers new accounts for credential management
Has a wide range of policies and settings for custom password policy enforcement
Supports Windows and macOS – great for hybrid OS environments
Offers a suite of other security tools that integrate nicely with tool
Better suited for larger environments
6. CyberArk Privileged Access Security
CyberArk has several password management products. The one that has the widest coverage is the Core Privileged Access Security system (PAS). This package is a bundle of CyberArk products: Enterprise Password Vault, Privileged Session Manager, and Privileged Threat Analytics. The software can be installed on-premises or accessed as a cloud service.
- Password vault
- Session logging
- Password policy enforcement
The PAS system is able to scan a client’s system for resources that require access credentials and it then interfaces with the local access rights system to acquire all of the privileged account passwords and stores them in a vault.
The service can enforce password rotation and it constantly monitors activity, logging the actions taken with each privileged account. Other features of this system are risk assessment and automated threat remediation. This tool has many features that are usually encountered in an intrusion threat prevention package.
Can manage access rights and alert to improper access by privileged users
Autodiscovery quickly discovers resources to monitor
Makes it easy to create and enforce custom credential polices
Available as a SaaS or on-premise solution
Would like to see a full trial rather than a demo
Pricing isn’t publically available, must contact their sales team
Choosing a privileged password management tool
Protecting privileged accounts is essential for any business because failure to protect the business’s data and information held on the system about others can create legal problems. Data loss can lose your company its trade secrets, it can get you sued by the people whose information you store and it can also get you fines from authorities. Data protection is often a pre-requisite in order to be allowed to bid for work and non-compliance with data security standards can lose you customers.
The five privileged password management systems in this guide are the industry leaders. If you spent time looking at the entire selection of available software tools in this category you would waste a lot of time and end up shortlisting these same five. Check out the demos and the free trials that these service offer in order to make a decision about which to buy.
Image by Peggy und Marco Lachmann-Anke from Pixabay