The main use of CyberArk Privileged Access Manager is to manage identities and access for our clients. We mainly focus on use cases like managing shared accounts, automatic password rotation, and recording sessions.
It's quite difficult for a client to track who has access and at what time, and which activity was done with that account, especially for built-in administrator accounts and shared accounts.
Automatic password rotation is another use case. CyberArk Privileged Access Manager has the capability to rotate passwords automatically in the defined period of time. CyberArk Privileged Access Manager is also used for recording and session monitoring.
With CyberArk DNA, we can discover the accounts and their associated dependencies and usage.
Data is secure. The passwords are stored in an encrypted format. The data privacy is very high, and it is quite challenging for someone to retrieve credentials from CyberArk Privileged Access Manager.
With Privileged Threat Analytics (PTA), which is a different component in CyberArk, you can put some additional controls in place. For example, you have an account onboarded on CyberArk. If someone wants to access the system without using CyberArk by copying a password, which they might have stored in a notepad or on their system, an alert gets triggered. There is also an additional control for ad hoc admin access if someone wants to access an admin privilege or wants to access some critical application after business hours. PTA provides more control.
It improves the overall security posture and provides more control. We have better governance. Credentials are stored in the safe vault.
It reduces the need for IT and help desk resources. There is a streamlined change process without relying on the L1 team to reset the admin account credentials. There is also better compliance and segregation of duties. We can meet the compliance requirements for retention of logs, password rotations, etc. It helps clients to meet different compliance requirements and standards, such as HIPAA, SOX, ISO 27001, etc.
With no manual intervention, there is also a reduction in human errors. Based on the number of available accounts for the organization and the user entitlement, that is 300 to 400 hours.
It improves operational efficiency. With the control that we have with CyberArk Privileged Access Manager, there is a reduction in the manual effort for validation of the admin accounts. Without it, a person has to extract the accounts from the servers and revalidate them with the owners or approvers. That is quite tricky.
It can help to reduce the number of privileged accounts. For example, if the Windows team has 10 or 15 members with individual accounts, it is better to create one shared account based on their role, such as L1, L2, or L3, reducing it to 2 accounts. It will reduce the number of privileged accounts in the organization as well as threats.