What is our primary use case?
I started as a CyberArk administrator for a fairly large bank in the US. They are a large global company. They formed a US branch, and I was the sole CyberArk administrator there. They had a basic CyberArk setup, and that is where I gained my initial experience before moving on to consulting.
My first consulting gig was for two and a half years with a defense contractor. They had a very complex environment. The complexity is typically gauged, especially for PAM products, by the number of passwords being managed. Many organizations have 10,000 or 20,000, whereas this organization had 750,000. This included the number of machines required to rotate all these passwords and integrations with their API and SailPoint to provision and de-provision users. We initially helped them change from a standalone vault architecture to a clustered vault architecture for high availability failover. Once we completed that, our work expanded, similar to being the IT person for the family—each task leading to another. This extended our engagement.
How has it helped my organization?
CyberArk Privileged Access Manager provides granularity. You can break things down into individual safes. You have specific access to safes by individual or group. The interface is with AD, with LDAP, or with local CyberArk passwords. You also have the ability to establish policies for your individual credentials. If you want them rotated at a certain time of day or you want the password complexity to forbid certain characters, you can create a new policy and fine-tune those elements. It provides excellent granularity because you can control all the factors related to password complexity requirements, password rotations, allowed connections, etc.
CyberArk Privileged Access Manager’s ability to safeguard the infrastructure is extremely important. Otherwise, clients would be keeping passwords in Excel spreadsheets. Consider having an isolated, non-domain joined vault that cannot be accessed from DNS. The vault itself takes over control of the local Windows Firewall and even things as simple as emails. It keeps the ports closed. If it is time to send out a notification to someone, it opens the port, sends the email, and closes the port. It cannot get any more secure than the vault system of CyberArk. People who land on a user credential and try moving laterally throughout your network, scraping RDP connections or hashes, will never find any information about how to get to the vault because it is non-domain joined.
CyberArk Privileged Access Manager is excellent for meeting compliance and regulatory requirements. The need for compliance is the main reason why organizations implement a PAM solution in the first place. They have to be SOX compliant in terms of log retention, audits, and even video recordings of people's actions. They all have varying retention periods depending on the organization.
CyberArk Privileged Access Manager provides operational efficiency with automation. It saves a lot of time for password rotations, managing SSH key rotations, and doing automated discovery at periodic intervals to reach out to your servers and check which credentials are there on those servers. If they are not managed in CyberArk, they are added to your CyberArk queue to be onboarded and automatically managed. These things save a lot of time throughout the organization.
What is most valuable?
Many people underestimate the value of these tools because they treat them as simple automated password management. Once you realize the volume of passwords in your organization and factor in nonhuman passwords, you realize its value. Last year, CyberArk Impact cited 45 nonhuman passwords for every human password. If you have 10,000 employees, you can imagine the number of passwords. There are also many other operations. For example, you have a Qualys scanner that needs to reach out and touch all your endpoints and scan them for vulnerabilities. They use an API call to CyberArk to pull out a Privileged credential that allows them to log in to that target. This is an automated machine call. It is tapping into CyberArk to get that credential. There can be hundreds of thousands of those operations a day. You do not want to manage those passwords by hand. Some people marginalize the significance of such a solution by saying that it is just a fancy password changer. It goes well beyond that, especially with API calls and automation. Its importance extends beyond merely changing passwords; it involves automation, API calls, and process integration, crucial in agile environments for standing up new Amazon servers or other processes needing privileged credentials. CyberArk can automate these tasks into their build processes.
Another critical feature is the proxy service via Privileged Session Manager (PSM), providing not only a proxy between your user and the target servers, protecting against malware but also offering session recording. Many companies I have worked with implemented a PAM product as a knee-jerk reaction to SOX audit requirements. They discovered they needed session recording and retention for regulatory compliance. This has become a major factor for clients instituting CyberArk, so PSM is a big deal in addition to regular password rotation.
What needs improvement?
CyberArk reporting is notoriously poor, offering about 5 reports out of the box. I am certified in Delinea, which includes 60 reports plus a custom report generator out of the box. Improved reporting would be beneficial.
For how long have I used the solution?
I have used CyberArk Privileged Access Manager for seven years.
What do I think about the scalability of the solution?
I encountered some unique challenges while working with a client managing 750,000 credentials because the underlying MySQL database is not exactly enterprise-level, unlike Oracle and Microsoft SQL Server. MySQL is free, and CyberArk's updates are infrequent. They went through many iterations starting with version 7 but did not update the underlying database version until version 12. We experienced database response and connectivity issues due to having too many credentials. That was a very unique case and a very large implementation, but they did have to do some tweaks to the database.
They also had an issue where they had too many passwords in a single safe. It is like the old Windows limitation where you can only have 512 entries in a particular folder. I had never seen that before, and that was because CyberArk retains the previous x number of password revisions for any given password. If you have 20,000 passwords in a safe, it also saves the last ten iterations of that password for each one, so you technically have 200,000 passwords in that safe. CyberArk literally issues a warning if you exceed 300,000. I have never seen that in my life, and it happened with one client. It caused the replication to the DR server to fail. We saw that in the logs, and then we had to do the math. They had 40,000 passwords in this one safe, and it was saving the last ten iterations of each password object. That means they had 400,000 password objects in this safe. They exceeded the limit. I do not expect to see this kind of issue again, but it happened.
How are customer service and support?
When your client base grows from a few hundred to over three thousand, the number of tech support calls increases drastically, which is understandable. The support structure is tiered: L1, L2, and L3. L1 personnel follow a set procedure to gather information and logs. If they cannot solve the issue, it escalates to L2, possibly involving live sessions. Only complex problems reach the L3 experts in Israel. This normal tiered support approach can delay resolution, resulting in frustration. Response time is not ideal, and reaching someone knowledgeable can take time. It could be forever until you talk to someone who knows what they are doing.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
Its primary competitor is BeyondTrust, which is not very highly rated based on the feature set. There is senhasegura, a company from Brazil. They are new to America. They are barely making their way in now. ForgeRock has been around for a while, but CyberArk's closest competitor in terms of feature set and Gartner ratings would be Delinea. I am currently assigned to Delinea at my client. I have been working with that for the past year. I do see some benefits. There are certain things I like better about CyberArk, and there are certain things that are better about Delinea, but both of them are pretty competent.
How was the initial setup?
It is quick because CyberArk follows the 80:20 rule. If you can get domain admins and local administrators into CyberArk, that is 80% of your exposure. That is a very quick turnaround. That can be a matter of a couple of months.
There is a specific order required to implement components: the vault is installed first, followed by CPMs, PVWA, and then PSMs. It is a fairly straightforward process, with some necessary preparation for the servers. CyberArk has incorporated scripts over the years, particularly for complex PSM setups because you have to utilize AppLocker scripts to enforce or specifically allow executables. Customization requires file reconfiguration and rerunning server hardening scripts. PowerShell scripts are now available to aid automation. Understanding the configuration and exceptions in scripts remains important for effective customization.
In terms of integration, out of the box, it has integration with Windows and Linux. They have a Telnet connector. It is a matter of CPM connectors being able to talk to the various systems and rotate their credentials because each operating system is different. AIX is different from HP. UNIX is different from Linux which is different from Windows. Windows is different from the mainframe. They have a lot of connectors out of the box, and they also have a plethora of additional connectors on their marketplace, which is their common website. Some of them are verified by CyberArk and some are not. They periodically review the ones that are uploaded based on the amount of time they have. Eventually, a connector could be certified by CyberArk. The big difference is whether a connector is officially supported by CyberArk or not. CyberArk does not address your support ticket if it is not a vetted connector.
Connectivity from SailPoint to CyberArk is done through SCIM servers. CyberArk has its own SCIM server set up, complete with documentation, for establishing that. I have done that before. When people are onboarded, most people in a lot of organizations get assigned an administrative credential so that they are not reaching out to target servers with the same credentials they use to log into their computers. As soon as they are onboarded, SailPoint sends over REST API calls through this SCIM server to create a safe for this person based on agreed-upon nomenclature. The account creation and assignment of permissions are done through calls and are automated.
What was our ROI?
Last year's Impact estimated the cost of an average breach to be nine million dollars. Once you have a breach, customers are hesitant to use your goods and services because you have had a major issue. It is difficult to put a price on your name going downhill.
The time savings primarily come from shifting from manual to automated management for all your passwords. With other tools such as Okta where you have self-service for resetting your own passwords and things like that, the average savings is 12 minutes, which is six dollars for a password reset, and you can extrapolate that over your organization. You do not really do that with CyberArk because it is managing the credentials. The manual work of managing all these credentials as opposed to the automation is where your time savings come in, but savings are difficult to calculate.
What's my experience with pricing, setup cost, and licensing?
CyberArk has been Gartner's number-one pick for the past ten years, so you can infer that their pricing is higher than everyone else. When you are the best, you will charge appropriately for it. It does get fairly granular because they have separate licensing based on the number of users, the number of API call accounts that you can have, and the number of disaster recovery servers you can have in the system. A license is broken down into so many subcomponents.
They have a core product covered in the license. It includes the vault, the CPM that rotates the passwords, the PSM that does the proxying and the session management, and the PVWA, which is the web interface. Other things like Privileged Threat Analytics, Endpoint Privilege Manager, and other tools are bolt-ons with their own licensing. It gets a little hectic. At one point, they were offering a flat fee that was exorbitant at the time, like a million dollars, and you got everything, but they do not do that anymore. It is piecemeal now, and you have to pay for all different areas of licensing, which is problematic.
What other advice do I have?
CyberArk recently introduced an identity bolt-on product. PAM tools and IAM tools are broadening their horizons to become a one-stop shop. Okta has a PAM solution which is not very effective but it is an attempt to be an all-in-one shop. CyberArk Cloud has gained traction, particularly among small to mid-size companies not needing the full customization and feature set of the tool. As with most cloud offerings, CyberArk's Cloud service expects out-of-the-box usage, with vendors maintaining and upgrading the system, limiting customization. This offers a viable solution for companies without significant on-premises needs, saving costs on servers and full-time employees.
I would advise evaluating whether you can manage with the cloud version's feature set, as it is simplified and requires minimal on-premises resources. An on-premises connector minimizes firewall rules and facilitates cloud communication, allowing the on-premises connector to interact with other targets. Delinea's cloud offering similarly requires an on-prem component called a site connector. If a simplified cloud feature set suffices without extensive customization needs, choose the cloud version to potentially save money, eliminating the need for assets on-premises and full-time employees for upkeep.
If someone thinks that they do not need a privileged access management tool because they are already using other security tools, I would wonder what features their tool is providing. Does it have account discovery and onboarding? Does it have proxying, web recording, and retention for videos of people accessing their assets? Does it support automatic pass or remote rotation? I would like to compare feature sets.
CyberArk Privileged Access Manager has not helped reduce the number of privileged accounts. In most organizations I have joined, users have their own account for logging in, and in the interest of security, a separate administrative account is created that gets vaulted in CyberArk. So, they have doubled credentials because people have a normal login plus an administrative login for doing privileged activities. You also have to factor in roughly 45 nonhuman privileged accounts or identities for every human identity because of your scanners, robotic process automation, and automatic agile builds from your CI/CD tools. All of these nonhuman factors are also reaching out and getting credentials from CyberArk. The point of a PAM system is not to reduce the number of privileged accounts. The point is to find accounts that are already in your system with account discovery and make sure they are managed by the tool. That extends to things like SSH keys. Most organizations have no clue how many SSH keys they have in their environment. CyberArk offers SSH key management as well. So, it does not reduce the number of privileged accounts. If anything, it encourages people to have more because they now have a tool to do all this work for them, and they do not have to do it manually.
I would rate CyberArk Privileged Access Manager an eight out of ten.
