FOR
eTrust Access Control
is easy to use and full-featured.
AGAINST
Nothing.
VERDICT
eTrust Access Control is a feature-rich
product that will appeal particularly to enterprise customers because it
also works across platforms and is highly scalable.
eTrust Access Control is a full-featured
policy-based access control system that works across UNIX, Windows and
mainframe platforms. An additional product extends eTrust's access control
features to CA's Unicenter enterprise management platform. Other eTrust
products add single sign-on, risk assessment and policy audit.
Security violations often occur due to
poorly maintained security settings at the operating system level, and
hacking tools do most damage when they get access to privileged
administrative accounts. eTrust Access Control provides access control
right down to the file level using, for example, the ACL features inherent
in Windows NT/2000. It allows security roles to be based on group
membership and individual user access can have day-of-week and time-of-day
controls. eTrust Access Control has the ability to prevent users from
'hiding behind' the superuser account and performing untraceable actions (superusers
can delete audit trails). It traces each action to a specific user who can
be named and held accountable. eTrust Access Control lets you grant
ordinary users the necessary rights and privileges so that these users can
perform administrative tasks. This is called task delegation. The ability
to delegate administrator tasks and restrict superuser privileges in this
granular way is one of the most significant advantages of eTrust Access
Control.
eTrust Access Control enables you to
create additional rules that force users to choose safer, more secure
passwords. For instance, you can demand that users select a minimum number
of alphabetic, numeric, special, lowercase, or uppercase characters. You
can also ensure that the new password selected by a user does not contain,
and is not contained by, the password being replaced. It is also easier if
users need to remember only one password that can be used throughout the
system. eTrust Access Control can enforce one set of password rules and
enable password synchronization between many systems. The policy model
database (PMDB) can propagate rules defining good passwords. The PMDB can
also propagate new and changed passwords throughout the enterprise,
including mainframe computers.
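
The password rules described above can be sketched as follows. This is an added example, not CA's code or eTrust configuration syntax. The rule names, the minimum values and the case-insensitive containment comparison are assumptions.

```python
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordRules:
    # Constructed sample minimums; these are not eTrust defaults.
    min_alpha: int = 6
    min_numeric: int = 1
    min_special: int = 1
    min_lower: int = 1
    min_upper: int = 1


def violations(new: str, old: str,
               rules: PasswordRules = PasswordRules()) -> list[str]:
    """Return the names of the rules that the candidate password breaks."""
    counts = {
        "alpha": sum(c.isalpha() for c in new),
        "numeric": sum(c.isdigit() for c in new),
        "special": sum(c in string.punctuation for c in new),
        "lower": sum(c.islower() for c in new),
        "upper": sum(c.isupper() for c in new),
    }
    failed = [name for name, seen in counts.items()
              if seen < getattr(rules, f"min_{name}")]

    # Containment is checked in both directions: appending a character to
    # the old password fails, and so does trimming the old password down.
    # Comparing case-insensitively is an assumption made for this example.
    n, o = new.casefold(), old.casefold()
    if o and o in n:
        failed.append("contains_old")
    if n and n in o:
        failed.append("contained_in_old")
    return failed


if __name__ == "__main__":
    # Constructed (new, old) pairs for illustration only.
    for new, old in [("Winter2023!", "Winter2023"),
                     ("Blue7#", "MyBlue7#Sky"),
                     ("Granite-Otter42", "Winter2023!")]:
        print(f"{new!r} replacing {old!r}: {violations(new, old) or 'ok'}")
```

The check needs the old password in clear text, so it belongs at the point of change, where the user supplies both values.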
A self-defense mechanism prevents
hackers or other users from bringing down access control services. A
feature called Stack Overflow Protection prevents hackers from using stack
overflow exploits, which can enable them to execute arbitrary commands in
order to break into systems.
eTrust Access Control is easy to install
and configure. It integrates particularly well with CA's other security
and enterprise management products. On Intel PCs, all common file systems
are supported for ACL purposes: FAT, NTFS, HPFS (OS/2), and CDFS
(CD-ROMs). The management console is graphical and easy to use. Existing
users are easily imported and password synchronization can be implemented
quickly.