Product Group Tests
Password management (2009)
Old but gold: the power and value of this venerable product's range make v-Go Access Accelerator Suite our Best Buy this month.
The full-featured, good value Ensim Unify Password Manager wins our Recommended award.
Full Group Summary
This maturing area still has a few pleasant surprises up its sleeve. By Peter Stephenson.
There comes a time in the lifecycle of every product type when it starts to become mature. When that happens, the number of fresh entries starts to decline and feature-sets start to become stable across most of the products in the group. That is what has happened to password management. We saw limited differences in feature-sets, so the big differentiators now are how well the product does what it does and how well it integrates into the rest of the enterprise.
Last year's market leaders remain so, largely because of creativity, innovation, solid integration across the enterprise and suites of complementary products. This, for password management, is a very interesting evolution; part of what makes it interesting is that the category ought to be dying instead of stabilising. That's a controversial statement, but it fits the facts.
First, security experts agree that multiple-use passwords are a thing of the past. They are far too easy to compromise. That leaves us with single-use passwords and tokens of various types. These markets - largely due to cost and complexity of implementation and management - are slow to take hold, so we're stuck for now with multiple-use passwords as the baseline for most users. Of course, high-risk accounts and systems that require highest security are beginning to use strong identification and authentication (I&A) routinely. But that does not apply, typically, to the average user in the average organisation.
So what is the answer? First, the question: can reusable/multi-use passwords survive over the near and medium term? The answer is that there needs to be systems that manage the use of these risky passwords. And that is what this month's group test is all about: how well the products in the review manage a very high-risk I&A process. We found that they all do a credible job - but there were a couple that stood out.
And these two products stood out because they each built very carefully on what is known about password management, what the enterprise has to offer and the other products the vendor is able to integrate into the mix. We need a solid way to manage very high risk passwords if tokens are not deployed. For reusable password systems, this is sometimes called "password carving" and it refers to breaking up high-risk accounts such as super user accounts into smaller, lower-risk pieces and removing the top-level administrator or root account.
Another issue is how well the product allows integration with or conversion to stronger I&A methods. This offers the enterprise a path forward as multiple-use passwords are phased out and strong I&A is phased in.
How to buy
First, decide on your identification and authentication strategy. Are you going to stick with reusable passwords? Do you plan to mix strong I&A such as tokens or single-user passwords with reusable passwords? Are you migrating to strong I&A across the enterprise? Your strategy will dictate what you need to manage passwords in your environment.
Next, look for a product that appears to support your strategy. You will probably find more than one, so look at how they integrate into the existing enterprise. This also includes intangibles: cost of deployment, cost of ownership and ease of admin/provisioning.
Now, start looking for exotica: what manufacturers of advanced/strong I&A products have that is compatible with your choice. Don't let yourself get boxed in: here there is no doubt that more is better. How easy is it going to be to deploy the product into your existing environment? Is there a suite of complementary products and do you need them? What about password carving?
How we tested
First, we set up an Active Directory domain. We then created various applications, such as databases and logins. We built a suite of users and administrative accounts and we were prepared to install and provision. We looked for ease of use, rapid, simple deployment and provisioning and how well the product integrated with our test environment and its components. We were concerned about both end-user and administrator tasks and how smoothly the product facilitated them.
Where complementary product suites were available for a product, we looked at how well the product integrates into them and how well it works on its own without them. How well it works implies both correct operation and functionality. If the product lost important functionality without the attached products, we were concerned.