Rollout: Cyber-Ark's Enterprise Password Vault

EPV doesn't eliminate all the pain associated with managing non-user-based passwords, but its ability to store and manage these critical credentials increases security and usability.

December 1, 2006


The Upshot

Claim
Enterprise Password Vault takes away the burden of tracking and changing passwords from devices and services throughout the enterprise. It doesn't try to replace ID management, but meets a specific need.
Context
Few products manage such deeply buried credentials as the passwords Web apps use to access databases.
Credibility
EPV doesn't eliminate all the pain associated with managing non-user-based passwords. You still need to adjust the product for your apps and devices. Nevertheless, EPV's ability to store and manage these critical credentials increases security and usability.

Enterprise Password Vault

Do you know where your passwords are? What about the passwords that protect the Web server's SSL key or allow access to the database that hosts the application's data? If you're just storing those passwords in a filing cabinet or encrypting them with a master password, your systems are at risk. Cyber-Ark's Enterprise Password Vault (EPV) tracks the passwords and credentials used between services and devices--including those that can't be integrated into Active Directory, LDAP or other authentication systems.

Cyber-Ark's EPV stores credentials on a secured server, offering a robust system for granting access and providing a component to change passwords for you. Although EPV has some competition from Cloakware's Server Password Manager, e-DMZ Security's Password Auto Repository and Symark's PowerKeeper, it compares well to them.

Four-Piece Orchestra

EPV comprises the Vault Server for password storage; a CPM (Central Password Manager) that changes passwords on other devices; a Windows client that manages the Vault Server and access credentials; and an end-user Web application that gives quick access to credentials.

We installed the Vault Server on a Windows 2003 SP1 Dual Xeon 3.0 with 3 GB of RAM. An identical server running Ubuntu Linux and VMware Server was loaded with Windows Server 2003 SP1, and the Web interface, client and CPM. Setup was quick and painless. The included documentation wasn't even necessary, as each step of the installation is straightforward.

The vault stores everything (even configuration files and settings) using AES 256-bit encryption and SHA-1 for hashing. Although SHA-1 has some cryptographic weaknesses, it's used only to verify the integrity of data that is already encrypted, so it isn't exposed to some of the attacks on the hash itself. Still, Cyber-Ark says it's investigating moving to the stronger SHA-256 or other hash algorithms. The vault is further protected by an automated hardening process that locks down default settings during the installation. EPV, like most of its competitors, includes a built-in firewall. However, instead of the hardware firewall offered in Symark's and e-DMZ's appliances, EPV's firewall is loaded as a network driver to provide additional protection against attacks on the vault.


Figure: Where are your passwords?

EPV's biggest strength is the CPMs' ability to change passwords on their own. Although competing products also provide this capability, EPV is especially flexible. The CPM is loaded with scripts that let it remotely change passwords on a variety of OSs and devices, and the samples can be used to create your own password-changing script. With these scripts and a configuration defining exactly how often to change the password, the EPV and CPM can continually rotate random passwords. Administrators can log in to the server over the Windows client or the Web interface to check the current password. That said, we found it easier to change passwords on our Windows server than on our Linux server.

Cyber-Ark has improved EPV's Web interface. Meant to provide access to the passwords without having to install a bulky GUI, the interface was designed with both Firefox and IE in mind. Despite a few minor presentation flaws, the Web interface is strong. It makes good use of Dynamic HTML to re-render portions of the page without reloading and keeps your most recent and most frequently accessed passwords quickly and easily available from anywhere. The Web interface would benefit from the high-level browsing that's possible with the Windows client. Although not all Safes and passwords are visible from the Web interface, a search box provides quick access if you remember what to search for.

Safe Backup Mechanisms

Given that the EPV contains all the keys to the kingdom, it makes sense to put it on highly redundant hardware and back it up. To that end, Cyber-Ark has a variety of mechanisms, including clustering, a hot-spare backup kept in constant synchronization, and a separate backup client that can be scripted to maintain backup sets of data in other locations.

To help customers with regulatory compliance needs, EPV includes a complete set of audit trails for all actions and a simple reporting interface--essentially a log export tool--that makes it easy to export the necessary information into other tools for analysis.
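The rotation schedule described for the CPM and the audit trail described above, modelled together as an added example (this is not Cyber-Ark's code; the VaultEntry and Vault classes and the change_on_target callback are assumptions, and the example stores values in memory without the at-rest encryption the product applies): each entry records when it was last changed and its maximum age, the CPM role rotates only entries past that age and only after the device-side change succeeds, and every store, retrieve and rotation attempt is appended to an audit trail. SHA-256 is used here for the integrity check rather than the SHA-1 the review mentions.

```python
import hashlib
import secrets
from dataclasses import dataclass

@dataclass
class VaultEntry:
    password: str
    last_changed: int  # epoch seconds of the last change
    max_age: int       # seconds allowed before the CPM must rotate it
    digest: str        # SHA-256 of the stored value, re-checked on every read

def fingerprint(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()

class Vault:
    def __init__(self):
        self.entries = {}
        self.audit = []  # (timestamp, actor, action, entry name): the audit trail

    def store(self, name, password, now, max_age, actor="admin"):
        self.entries[name] = VaultEntry(password, now, max_age, fingerprint(password))
        self.audit.append((now, actor, "store", name))

    def retrieve(self, name, now, actor):
        entry = self.entries[name]
        if fingerprint(entry.password) != entry.digest:
            raise ValueError(f"integrity check failed for {name}")
        self.audit.append((now, actor, "retrieve", name))
        return entry.password

    def due_for_rotation(self, now):
        return [n for n, e in self.entries.items() if now - e.last_changed >= e.max_age]

    def rotate_due(self, now, change_on_target):
        # change_on_target stands in for the CPM script that pushes the new password to
        # the device; the vault is updated only when the push succeeds, so a failed change
        # never leaves the vault and the device holding different passwords.
        rotated = []
        for name in self.due_for_rotation(now):
            new = secrets.token_urlsafe(15)  # 20 random characters from the OS CSPRNG
            if change_on_target(name, new):
                entry = self.entries[name]
                entry.password, entry.last_changed, entry.digest = new, now, fingerprint(new)
                self.audit.append((now, "cpm", "rotate", name))
                rotated.append(name)
            else:
                self.audit.append((now, "cpm", "rotate-failed", name))
        return rotated
```

Exporting self.audit as flat rows is the equivalent of the log export the review describes; the rotate-failed entries are the ones a compliance reviewer would want to see first.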

The starting price for the typical EPV bundle is $60,000 and includes a CPM, 50 admin accounts, and on-site training and setup. Although the Vault Server alone lists for $25,000, it lacks Cyber-Ark's most useful features: automated password changing, disaster-recovery backup scripts and the Web interface. Furthermore, each additional administrator account adds $220 to the price.

In comparison, Cloakware's device is priced at $225 per password (which can reside on any number of servers), and Symark's PowerKeeper appliance starts at $25,000 for 100 users. The e-DMZ Password Auto Repository appliance starts at $15,000, but covers only 50 servers (and any number of admins).

If you're managing a relatively small number of servers, but have regulatory requirements that mandate better tracking of shared credentials, the entry-level devices make sense. For enterprises that manage a large number of servers and passwords, pricing is based on the ratio of administrators to servers or passwords.

Jordan Wiens is a network security engineer at the University of Florida. Write to him at [email protected].
