What is our primary use case?
Our primary use case is to control the technical accounts used in our DevOps environnment. The primary goal was to automate to the maximum all privileged accounts used by applications. It was a big issue because al dev guys were always using the same account/password couple. CyberArk is doing this for them transparently. Through time the scope was extended to all interactive users with the target to avoid them knowing the password. The automated password change was implemented to 99% of all accounts inside the company.
How has it helped my organization?
Before the CyberArk implementation passwords were never changed and known by everyone. We were also not able to track who is supposed to have access to what and who did what. With the successful CyberArk implementation, we are able now to:
- Guarantee the password is known by no one or for a maximum of eight hours.
- Full visibility about who is doing what.
- Full control about who is supposed to access what.
The risk of lost password and forbidden access to resources has been drastically reduced which increased the security level for the entire company,
What is most valuable?
In order to reduce the attack surface, the automated password change was pushed to the maximum. This way we know that no password is known or not for more than eight hours. It simplified the life of the operational teams because they do not need to take care of the secrets and keep their attention to maintain the infrastructure.
What also helped is the ability to constantly track who accessed which object. We took the opportunity to change our process in order to comply it. Now the activities can be done faster with better user experience.
What needs improvement?
CyberArk lacks the following functions for a better IAM like solution:
- Provision accounts for systems and directories.
- Create access to the systems.
- Monitor if any new account has been created into the system.
- Better GUI for the end-user and also for administrators. The learning curve is quite long and requires lots of training for good usage.
- More automated process for account provisioning into CyberArk. For example when a new DB is created.
- Better documentation with more examples for the configuration files and API/REST integration.
For how long have I used the solution?
I have been using CyberArk PAS for eight years.
What do I think about the stability of the solution?
The stability is very good. We never had any crash in eight years.
What do I think about the scalability of the solution?
Scalability is good because of the big variety of modules. Except for the redundancy which is quite limited with the not live replication. Also, the speed is quite slow for application accounts.
How are customer service and technical support?
Very good always reactive. The commercial part was more difficult.
How was the initial setup?
The initial setup is complex because it requires a clear company structure which was not the case. Technically also CyberArk is hard to address at the start because of its technical complexity and abilities.
What about the implementation team?
What was our ROI?
Not calculated. Users and administrators more happy than before which is the best RIO.
What's my experience with pricing, setup cost, and licensing?
CyberArk is quite expensive and they should have a better pricing model.
Which other solutions did I evaluate?
BeyondTrust, Hitachi ID, CA.
What other advice do I have?
Hard to implement and to get acceptance from the users and management. But when installed the solution is rock solid.
Which deployment model are you using for this solution?
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Which version of this solution are you currently using?