A privilege management solution needs to do much more than simply manage user and application privileges for it to be adopted by the most demanding organizations. The Privilege Guard (Edit: now Defendpoint) solution has been architected around 4 key principles (or pillars), with every new release of Privilege Guard building on these core foundations.
Scalable Management Framework
While many solutions look to build their own proprietary systems to deploy policies and agents to the endpoints, Privilege Guard has been integrated tightly with Active Directory and Group Policy, and therefore requires no additional backend infrastructure to deploy the solution. This has enabled Privilege Guard to be deployed to some of largest organizations in the world, including many implementations with over 100,000 endpoints, with the biggest implementation spanning 450,000 endpoints. This tight integration with Active Directory and Group Policy gives many additional benefits, including hierarchical policy management and a strong security model that includes delegated administration.
Adaptable Privilege Management
Adaptability is crucial when dealing with the varying needs of users across an organization. Privilege Guard is extremely flexible and is built on a powerful policy engine. Discovering privileged users and applications is an important first step, which feeds into the initial creation and the on-going refinement of policies. Policies are built around applications and Privilege Guard supports a wide range of application types and criteria. The policies themselves are structured like firewall rules, where policies are evaluated in precedence order, enabling Privilege Guard to deal with highly complex scenarios with a clear and concise set of policies. In order to handle the most challenging scenarios, Privilege Guard can provide both seamless elevation of applications, as they launch, or on-demand elevation, where the user initiates the elevation of an application.
End User Experience
The user experience is often the most over-looked aspect of any endpoint security solution, and yet a poor user experience will inevitably lead to unhappy users and rejection of the solution, regardless of whether it makes the endpoint more secure. For this reason, the end user experience is at the heart of Privilege Guard. Where user interaction is required, Privilege Guard provides a highly customizable environment, ensuring the user is given clear feedback and guidance. All end user messages are fully configurable, with stylish corporate branding and full localization of all text. Users can be prompted for re-authentication, which includes support for two factor authentication, in the form of smart card and pin number.
Alternatively a secure challenge/response mechanism can be used to grant users access to specific applications on a temporary or permanent basis. The solution can also link to help desks, through a message hyperlink, email integration or scripting. The comprehensive end user experience capabilities in Privilege Guard have been fundamental to the solution being rolled out across the entire organization in most implementations.
Auditing and Reporting
No privilege management solution would be complete without a comprehensive audit trail and a centralized reporting solution. Privilege Guard provides two enterprise class reporting solutions. The Enterprise Reporting Pack is built on top of Windows Event Forwarding and Windows Remote Management, providing a scalable and secure architecture, which can cope with high volumes of events and handle the largest enterprise environments.
These events are consolidated to a SQL Server database with reporting provided through SQL Server Reporting Services. For organizations that use McAfee ePolicy Orchestrator (ePO) on the endpoints, the McAfee ePO Integration Pack enables Privilege Guard to forward events to ePO through the McAfee Agent and report on them through a range of integrated dashboards in the ePO console. In addition to reporting on privileged activity, the events stored in both of these reporting solutions can be used to create or refine policies from an integrated wizard in the Privilege Guard management console.
So there you have it – the 4 pillars of enterprise privilege management, which underpin the Privilege Guard solution. Security is a given, and must be built in at every stage, from the secure elevation of applications to the sophisticated anti-tamper mechanism that protects the solution.
Edit: Privilege Guard has now evolved into the brand new security suite, Defendpoint, which encompasses Privilege Management, Application Control and Sandboxing. For more information, please visit www.avecto.com/defendpoint.