There comes a time in the lifecycle of every product type when it starts to become mature. When that happens, the number of new entries starts to decline and feature sets start to become stable across most of the products in the group. That is what has happened to password management. We saw very limited differences in feature sets, so the big differentiators now are how well the product does what it does and how well it integrates into the rest of the enterprise.
The market leaders still are the market leaders, largely because of creativity, innovation and solid integration across the enterprise and suites of complementary products. This, for password management, is a very interesting evolution, however, and part of what makes it interesting is that the category ought to be dying instead of stabilizing. That's a pretty controversial statement, but it fits the facts.
First, security experts agree that multiple-use passwords need to become a thing of the past. They are far too easy to compromise: a reusable credential captured once, whether by phishing, a keylogger or a breached password database, can be replayed until it is changed. That leaves us with single-use passwords and tokens of various types. Those markets, largely because of the cost and complexity of deployment and management, are slow to take hold, so we're stuck for now with multiple-use passwords as the baseline for most users. Of course, high-risk accounts and systems that require the highest security are beginning to use strong identification and authentication routinely. But that usually does not apply to the average user in the average organization.
That is what this month's Group Test reviews are all about: How well do the participants manage a very high-risk identity and access (I and A) process? The answer is that all do a creditable job, but there were a couple of standouts.
These products were standouts because they built very carefully on what we know about password management, on the directory and security infrastructure the enterprise already has, and on the other products the vendor is able to integrate into the mix. For example, we need a solid way to manage very high-risk passwords if tokens are not deployed. For reusable password systems, this sometimes is called "password carving." It refers to breaking up a high-risk account, such as a superuser account, into smaller, lower-risk pieces, each granting only the privileges one job needs, and retiring the shared top-level administrator or root credential from routine use. The check a buyer should make is simple: after the product is deployed, does anyone still need to know the root or Administrator password to do day-to-day work?
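An illustration of the carving idea on a Unix host, added here as an editor's example rather than anything taken from a reviewed product: the rights that used to require the shared root password are split into three narrow command sets, each delegated to a group, and no rule grants ALL. The group names, command paths and log file location are assumptions for the example; the commands are deliberately listed with fixed arguments, because a wildcard or an editor, pager or shell in a sudoers command list hands the whole of root back to the user.

```sudoers
# Constructed sudoers fragment (/etc/sudoers.d/carved, hypothetical path).
# Root's privileges are carved into three lower-risk pieces. Once these rules
# are in place the shared root password can be taken out of routine use
# (for example with: passwd -l root), so nobody needs to know it.

# Hardening applied to every delegated command: fresh environment, a pty,
# and a session transcript so each carved privilege is individually auditable.
Defaults    env_reset, use_pty, log_input, log_output
Defaults    logfile=/var/log/sudo.log

# Piece 1: web operators may restart and inspect one service, nothing else.
Cmnd_Alias  WEB_SVC  = /usr/bin/systemctl restart nginx.service, \
                       /usr/bin/systemctl status nginx.service, \
                       /usr/bin/journalctl -u nginx.service

# Piece 2: the patching team may refresh and apply packages with fixed
# arguments only (no "-o" overrides, no interactive shell).
Cmnd_Alias  PATCHING = /usr/bin/apt-get update, \
                       /usr/bin/apt-get -y upgrade

# Piece 3: the identity team may manage a single service account's lock state.
Cmnd_Alias  ACCT_OPS = /usr/sbin/usermod -L svc-app, \
                       /usr/sbin/usermod -U svc-app

# Delegation: a group gets exactly one piece. Each user still authenticates
# with their own password, so every action is attributable to a person.
%webops    ALL = (root) WEB_SVC
%patching  ALL = (root) PATCHING
%idadmins  ALL = (root) ACCT_OPS

# Deliberately absent: any "ALL = (ALL) ALL" rule, wildcards in command
# arguments, and commands that can spawn a shell (editors, pagers, tar, rsync).
```

Validate a fragment like this with `visudo -c -f <file>` before installing it, and confirm the carving is complete by attempting a task outside the three pieces as a member of each group; it should be denied and logged.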
Another issue is how well the product allows integration with, or conversion to, stronger identification and authentication methods. This gives the enterprise a path forward as multiple-use passwords are phased out and strong I and A is phased in, without having to rip out the password management layer.
How to buy
First, decide what your identification and authentication strategy is. Are you going to stick with reusable passwords? Do you plan to mix strong I and A, such as tokens or single-use passwords, with reusable passwords? Are you migrating to strong I and A across the enterprise?
Next, look for a product that appears to support your strategy. You probably will find more than one. So look at how well each integrates into the existing enterprise. This includes integration into the infrastructure of the security architecture (directories, authentication services and the systems whose passwords are being managed), but it also includes such intangibles as cost of deployment, cost of ownership, and ease of administration and provisioning.
How we tested
First, we set up an Active Directory domain. We then created various applications, such as databases and their logins. We built a suite of user and administrative accounts and were prepared to install and provision. We looked for ease of use, rapid and simple deployment and provisioning, and how well the product integrated with our test environment and its components. We were concerned with both end-user and administrator tasks and how smoothly the particular product facilitated them.
Where complementary product suites were available for a solution, we looked at how well the product integrates with them and how well it works on its own without them. "How well it works" means both correct operation and functionality. If the product loses important functionality without the other attached products, we noted that as a concern.