Sunday, September 23, 2007

Commercial products for "breakglass" account control

Q: Commercial products for "breakglass" account control
Has anyone reviewed commercially available "breakglass" tools for account control of privileged system and application accounts? If so, please advise.

A: Hi ......,
There are several ways to achieve your goals. Entitlement and Privilege Management (Authorization Management) is a very active topic and there are several creative approaches to deliver the solution. You can control privilege at the client level, network level and application level.

I will skip the client level applications (yes, there is plenty of VB magic out there), and discuss the network and agent-based policy/audit/privilege control tools for centralized management.

The idea is very simple: target systems lack the required native controls, or the native controls are not centrally manageable, or the granularity of the controls is not deep enough for security/compliance requirements, so you need to proxy the authentication requests and authorize the privileged access based on your policy.

Basically all “identity management” shops (IAM, SSO, Entitlements) offer some sort of privilege control (CA, IBM Tivoli, BMC, Novell, EMC (RSA), SUN, Oracle and Microsoft - http://static7.userland.com/oracle/gems/nishantKaushik/gartnerUPQ07.jpg). But the solutions may require some tweaking and coding.

But if all you need is “break-glass” control, you can use some specific applications/appliances like CA’s Access Control, Symark PowerBroker, Cyber-Ark, Securent, Password Auto Repository or Bayshore Networks etc. These solutions also integrate closely with the applications for entitlements management as well.

If you need a quick and dirty solution, build an SSH proxy server (public domain) with strong authentication, and authorize all system management access via the SSH proxy. But that won’t be a complete solution like runas or sudo variants.
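To make the "proxy the authentication and authorize against your policy" idea above concrete, here is a small break-glass broker written for this post as an added example; it is not code from the original answer or from any of the products named. It models what a proxy or vault does in front of a privileged account: each request is checked against a per-account policy (who may ask, a justification, a maximum duration), a short-lived grant is issued, and every decision is recorded for audit. The account names, requesters, policy fields and the injected clock are constructed assumptions.

```python
"""Toy break-glass broker for privileged accounts (added example, not the post's code)."""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable


class AccessDenied(PermissionError):
    """Raised when a break-glass request does not satisfy the policy."""


@dataclass(frozen=True)
class Policy:
    allowed_requesters: frozenset[str]  # who may break the glass for this account
    max_duration: timedelta             # ceiling on a single grant's lifetime
    require_justification: bool = True  # a reason must be supplied and logged


@dataclass(frozen=True)
class Grant:
    requester: str
    account: str
    token: str          # opaque handle the requester presents to the proxy
    expires_at: datetime


class BreakGlassBroker:
    def __init__(self, policies: dict[str, Policy],
                 now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self.policies = policies
        self.now = now                      # injectable clock, so expiry is testable
        self.grants: dict[str, Grant] = {}  # active grants keyed by token
        self.audit_log: list[dict] = []     # every decision, granted or denied

    def _audit(self, event: str, **details) -> None:
        self.audit_log.append({"time": self.now().isoformat(), "event": event, **details})

    def request_access(self, requester: str, account: str,
                       justification: str, duration: timedelta) -> Grant:
        """Authorize a break-glass request against the account's policy."""
        policy = self.policies.get(account)
        reason = None
        if policy is None:
            reason = "no policy for account"
        elif requester not in policy.allowed_requesters:
            reason = "requester not permitted"
        elif policy.require_justification and not justification.strip():
            reason = "justification required"
        elif duration > policy.max_duration:
            reason = "duration exceeds policy maximum"
        if reason is not None:
            self._audit("denied", requester=requester, account=account, reason=reason)
            raise AccessDenied(reason)
        grant = Grant(requester, account, secrets.token_urlsafe(16), self.now() + duration)
        self.grants[grant.token] = grant
        self._audit("granted", requester=requester, account=account,
                    justification=justification, expires_at=grant.expires_at.isoformat())
        return grant

    def authorize(self, token: str, account: str) -> bool:
        """Called by the proxy on each privileged session: is this grant still good?"""
        grant = self.grants.get(token)
        if grant is None or grant.account != account:
            self._audit("rejected", account=account, reason="unknown or mismatched grant")
            return False
        if self.now() >= grant.expires_at:
            del self.grants[token]          # expired grants are dropped, never reused
            self._audit("expired", requester=grant.requester, account=account)
            return False
        self._audit("used", requester=grant.requester, account=account)
        return True


def demo() -> list[dict]:
    """Grant, use, expiry and a denied request, driven by a fixed constructed clock."""
    clock = [datetime(2007, 9, 23, 12, 0, tzinfo=timezone.utc)]
    broker = BreakGlassBroker(
        {"root@db01": Policy(frozenset({"alice"}), timedelta(hours=1))},  # constructed policy
        now=lambda: clock[0])
    grant = broker.request_access("alice", "root@db01",
                                  "Sev1 outage, ticket number constructed", timedelta(minutes=30))
    broker.authorize(grant.token, "root@db01")      # inside the window: True
    clock[0] += timedelta(minutes=31)
    broker.authorize(grant.token, "root@db01")      # past expiry: False
    try:
        broker.request_access("bob", "root@db01", "curious", timedelta(minutes=5))
    except AccessDenied:
        pass                                         # bob is not in the policy
    return broker.audit_log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The point of the shape is that the privileged credential itself never leaves the broker: the requester only ever holds an expiring token, the proxy asks `authorize()` per session, and the audit log is the compliance evidence the answer alludes to. A real deployment would persist the log and grants outside the process and put the strong authentication the answer mentions in front of `request_access()`.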

In the past I worked with CA, they have an extensible solution.

cheers,
- yinal
