What is our primary use case?
I'm an integrator and we identify and provide performance discovery, and we select the best product for our clients.
We have users that are administrators in the environment, and we convert them into a shared account model. Many of the organizations have two accounts. One is a regular user account and the other gives them administrative rights.
CyberArk allows for a higher degree of segregation of duties, although CyberArk itself doesn't do that. You have to have knowledge of role-based access control and least privilege principles. It supports it, but you have to implement it.
There is also service recording, service accounts on Windows Systems, and Linux systems, to rotate their passwords.
You will find service accounts with passwords that are 5,000 to 8,000 days old, but not with CyberArk. It creates a very strong service to prevent attacks.
When passwords don't change it makes them very vulnerable and allows attackers significant lateral mobility within an organization. It gives them the necessary time to scout the environment and choose what their attack will be, whether it's going to be a ransomware attack or a data exfiltration attack or if it's going to go in to cause defamation to the company like creating a denial of service to clients. Also, hacking their Facebook page or their Twitter page are common attacks.
What is most valuable?
CyberArk probably has probably the best vault on the market because of the multiple layered security and each password getting its own encryption. Each password gets individual encryption. By the time you are able to crack one of the passwords, it's already been changed a dozen times.
The attack surface on a CyberArk Vault is very nominal and in addition, CyberArk also has its own on-staff hackers where companies actually hire them to perform penetration testing, but within, inside the environment.
What needs improvement?
CyberArk has two disadvantages; the first is that it's insanely expensive and the other is it's very complex.
That's the downside because CyberArk was not built organically. It was built systematically.
They're not built into the product. You have to shoehorn things in. You have to create programmatic interfaces to make things work, but that's why I said it's the most complex product.
CyberArk is still in the model of managing accounts and passwords. When you're logged in as a domain admin, you're leaving footprints everywhere you go. These footprints can be picked up and replicated. So, I think CyberArk is behind the curve in that area.
Customers are already having an issue with the cost of CyberArk and then you have to add another $100,000.00 to the bill for other application accounts.
I would like to see a more streamlined and built-in programmatic onboarding and offboarding process. Something a little bit less complex than what they're currently doing.
The price is the problem and also the architecture can be daunting because CyberArk really strongly encourages having hardware vaults. Most corporations are totally virtualized.
I use virtualized vaults on everything including the high availability configuration.
For how long have I used the solution?
I started using Cyber-Ark Enterprise Password Vault when they were on version five or six, they are now on 11.5 or 11.6. I have been using this solution for a total of 15 years.
What do I think about the stability of the solution?
CyberArk is very stable.
If there is a problem, or if a problem does occur, unless you know exactly what to do and how to diagnose it, you may not be able to find it because there are so many moving parts. However, a good administrator can usually diagnose a problem fairly rapidly.
They determine the root cause by performing a root cause analysis. Also, you should inform CyberArk because sometimes a fix might be required. CyberArk stopped performing single sign-on.
What do I think about the scalability of the solution?
CyberArk is very scalable. It's one of the things that I love and it's also one of the things that I hate about CyberArk.
For example, it's a standalone vault that is practically uncrackable. If you want to do a password rotation you need to have a central password manager. It's called a CPM.
If you want session recordings you have to have a PSM. They can be run on the same server, but eventually, the performance is going to be an extensive task.
A CPM is performing verification on passwords continuously, and to start stacking server roles on top of each other.
If you're a semi-vault in a small environment, with one server running CPM, PSM, and PDWA all on one box, it would be no problem with less than 10 administrators and only 70 servers.
With other small or larger organizations that have hundreds of servers rendering that capability or that flexibility, you would have to have a dedicated CPM and dedicated PDWAs, which is the administrator web interface.
For a medium-sized company where you want to do a session recording for all the administrator access, it will cause a problem. It will require multiple PSM servers and if you don't have a good administrator who documents the build process well, or they don't update it, then the problem shows when you build a new PSM. If they don't add all the applications to it then you're going to get an intermittent error across the low-balanced PFMs, where eight of the ten work, but two of them don't because they didn't install the SFQL agent. It's a very complex program, albeit very scalable.
If you're a multinational corporation, you can have your vault in one location and have PSMs distributed where the systems are in the data centers. Then, the PDWAs and the CPMs would be in the data centers and you would have the PDWAs where the user populations are. Rather than having one single appliance or one single box that does everything, you end up having boxes distributed all over. This means that they have to do synchronization and it works out very well most times.
We have small to large company clients. We have clients that have tens of thousands of administrative accounts and 1000 or so servers, to clients as small as having 70 servers with maybe only 750 to 1500 accounts.
How are customer service and technical support?
Technical support is awesome!
CyberArk has excellent technical support. They may not be timely. They're not quick, but they're great.
I would rate the technical support a ten out of ten.
You have to follow the ticket creation process, which is in your benefit because you need screenshots and logs to be able to diagnose the problem. If you do that, then CyberArk comes back with some incredible support help and in most times it's something that I would have never been able to figure out because the product is very complex and it has a lot of moving parts.
Which solution did I use previously and why did I switch?
I have not used any other solution previously. CyberArk is what I learned first.
How was the initial setup?
The initial setup was very complex. There are a lot of moving parts. The skillsets for some of the advanced features require administrators to know how to program in specific APIs.
The complexity to implement is very high. On a scale of one to 10, it's a 9.5.
What's my experience with pricing, setup cost, and licensing?
CyberArk is very expensive and there are additional fees for add-ons.
What other advice do I have?
CyberArk Password Vault is probably the top vault on the market and Thycotic would be a close second.
CyberArk is not always suited for our clients but it is the best solution. Eight out of 10 organizations don't implement it. Just because you know CyberArk doesn't mean you understand it.
The SaaS solution is sound but the on-premises is primarily what I have worked on. I am CyberArk certified. When I started off several years ago, I got my CIS as PE. I was put into a security group in EDS.
Network admins who work for the company have to be administrators, with high skill levels.
Before implementing CyberArk, I would say do a very aggressive use case creation of everything that you're expecting the vault to do. The security architecture should be able to create high-level bulleted use cases. Security administration should be able to take it down to the next level of detail.
They will have to add Conjure, which is another license for CyberArk.
I would rate this solution a nine out of ten.
Which deployment model are you using for this solution?