Cyber-Ark Software Inc has added a monitoring system to its privileged ID management suite so that access to sensitive applications and databases can be tracked and recorded.

The system will ensure privileged accounts are not abused; it will display what was done by which administrator, and it will prove to auditors that every super-user access is being fully monitored, the company claimed.

Adam Bosnian, VP at the Newton, Massachusetts-based company, told us that companies are beginning to understand the threats that can stem from power users and systems administrators with privileged access rights. Headline-making incidents like that of Terry Childs, an administrator with the City of San Francisco, and more recently Fannie Mae, were the result of disgruntled employees abusing their password privileges, he said.

Cyber-Ark is one of the pioneers in the fast-growing shared-account password management (SAPM) market, a segment that is being pushed along by mounting compliance obligations and regulations like SOX and the payment card industry (PCI) data security standard, which require personal accountability.

“It started out as a security issue, but audit has now become a market driver,” Bosnian confirmed. “The controls that are needed over business systems are getting wider and they are getting deeper. Organisations also need a log of all people who have accessed all of their critical business systems. That means having to control privileged access, just as we have moved to control end-user access.”

The company’s Privileged Session Manager enables organisations to control and monitor privileged access to sensitive systems and devices, and provides privileged session recording with DVR-like playback. Recordings are stored and protected in a digital vault which is accessible to entitled auditors.

This Digital Vault is a key part of the Cyber-Ark PIM suite, and holds and enforces enterprise policies for credential management. 

It sits alongside an Application Identity Manager that provides secure access and eliminates the usage of embedded and hard-coded privileged credentials in applications, scripts and services, and a Privileged Session Manager that records all activities performed within the privileged session.

“The system records who is doing what and holds everything in a secure vault,” Bosnian said. He explained that the system is normally deployed against an LDAP or directory system, from which it takes group, role and user information to manage access rights to applications as well as databases.

The vault thereby provides a tamper-proof, long-term archive for privileged session recordings. “The vault also provisions a one-time password to administrators or power users each time they need to access a sensitive system,” Bosnian explained, and this eliminates hard-coded/embedded credentials from applications. This is important because a standard like PCI will insist that organisations remove embedded passwords from payment applications.
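The two preceding paragraphs describe the problem the Application Identity Manager is meant to remove (credentials hard-coded in scripts and services) and the vault pattern that replaces it (a credential handed out per request, with every checkout logged). The following Python is an added example, not Cyber-Ark code and not its API: it pairs a small scanner that flags embedded credentials in source text with a constructed in-memory vault stand-in (`DemoVault`, a hypothetical name) so that the "before" and "after" shapes of such a script can be compared. The sample script fragments, the credential name `payments-db/sa` and the host names are all constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a backup job with the database password embedded in source.
SAMPLE_SCRIPT_BEFORE = """\
# backup.py (constructed example, before)
DB_HOST = "db01.example.internal"
DB_USER = "sa"
DB_PASSWORD = "S3cr3t!2008"
conn_string = "mssql://sa:S3cr3t!2008@db01.example.internal/payments"
"""

# Constructed sample: the same job resolving the password from a vault at run time.
SAMPLE_SCRIPT_AFTER = """\
# backup.py (constructed example, after)
DB_HOST = "db01.example.internal"
DB_USER = "sa"
DB_PASSWORD = vault.get_credential("backup-job", "payments-db/sa")
conn_string = f"mssql://{DB_USER}:{DB_PASSWORD}@{DB_HOST}/payments"
"""

# Assumption: two common shapes of embedded credential. The URL pattern deliberately
# rejects '{' and '}' so templated placeholders such as {DB_PASSWORD} are not flagged.
PATTERNS = [
    ("password-literal",
     re.compile(r"""(?i)(pass(word|wd)?|secret|token)\w*\s*[=:]\s*["'][^"']+["']""")),
    ("url-credential",
     re.compile(r"""[a-z][a-z0-9+.-]*://[^/\s:"'{}]+:[^@\s"'{}]+@""", re.IGNORECASE)),
]


def scan_for_embedded_credentials(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, pattern label, stripped line) for each suspicious line."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in PATTERNS:
            if pattern.search(line):
                findings.append((lineno, label, line.strip()))
                break  # one finding per line is enough for review
    return findings


class DemoVault:
    """Constructed stand-in for a credential vault (hypothetical, not a real product API).

    Secrets never appear in the calling script; each checkout records who asked
    for which credential, which is the audit trail the article describes.
    """

    def __init__(self, secrets: Dict[str, str]) -> None:
        self._secrets = dict(secrets)
        self.audit_log: List[Dict[str, str]] = []

    def get_credential(self, requester: str, name: str) -> str:
        if name not in self._secrets:
            raise KeyError(f"no credential named {name!r}")
        self.audit_log.append({"requester": requester, "credential": name})
        return self._secrets[name]


def build_conn_string(vault: DemoVault, requester: str, host: str,
                      user: str, credential_name: str, database: str) -> str:
    """Assemble a connection string with the password fetched at run time."""
    password = vault.get_credential(requester, credential_name)
    return f"mssql://{user}:{password}@{host}/{database}"


if __name__ == "__main__":
    for finding in scan_for_embedded_credentials(SAMPLE_SCRIPT_BEFORE):
        print("before:", finding)
    print("after:", scan_for_embedded_credentials(SAMPLE_SCRIPT_AFTER))
    vault = DemoVault({"payments-db/sa": "vault-held-value"})
    print(build_conn_string(vault, "backup-job", "db01.example.internal",
                            "sa", "payments-db/sa", "payments"))
    print(vault.audit_log)
```

Running the scanner over the "before" fragment flags both the literal assignment and the credential embedded in the connection URL, while the "after" fragment produces no findings; the vault stand-in shows the accompanying record of which job checked out which credential.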

The company has also announced a couple of new plug-ins with Version 5. One of these will provide generic pushes for updating passwords stored inside Windows Registry values, while a plug-in for SAP Application Server will support automatic change, verification and reconciliation of certain SAP accounts.

Gartner reckons that such SAPM tools help minimise the risks associated with the use of shared accounts, improve regulatory compliance and reduce operational costs. 

The analyst group estimates that as many as half of all large organisations will soon be using SAPM tools to manage security and operational risks for password-protected access to applications and databases. Bosnian claims Cyber-Ark now has around 500 enterprise accounts, and that 130 new customers were added in 2008.