I think that one of the advantages of the CyberArk PAS suite is that it is modular. On top of the basics, you can implement modules to:
- Manage (verify, change and reset) privileged passwords and SSH keys
- Manage (isolate and monitor) privileged session to the different types of devices
- Control Applications (e.g., malware)
- Detect, e.g., backdoor use, unusual behavior, and Kerberos hacks of privileged accounts
- Avoid/remove hardcoded passwords in applications/scripts
- Implement the principle of least privilege
Even those components can extend their operational area by use of, e.g., plug-ins, making it possible to manage about any kind of privileged account or session.
Improvements to My Organization
I see companies that already have thought about their privileged accounts, while others have not (to that extent). Implementing the CyberArk solution, it helps (and sometimes forces) these companies to think about their privileged accounts. Are they really needed? Who needs access to them? What kind of privileges do these accounts need (service accounts/log on accounts/etc.)? And so on. Thinking about these things helps customers to organize their data/privilege accounts in the CyberArk solution. It then helps the organizations to get control of their privileged accounts and to safely store and manage these, knowing that only the correct persons can access these accounts and that the different devices can only be managed via one central entry point to the datacenter.
Room for Improvement
With every version, I can see that the product wins on functionality and user experience. On the latter though, I hear from customers that on the UI level, things could be better. CyberArk continuously asks for feedback on the product (e.g., via support, yearly summits) from customers and partners, and hence, with version 10, they are addressing these remarks already.
The web portal (and hence the user interface) has some legacy behavior:
- Some pages are created for past-generation monitors. With current resolutions, filling the pages and resizing some elements on the pages could be handled better.
- They are not consistent with the layout of different pages. Some have, let’s say, a Windows 7 look and feel, while others have the Windows 8 look and feel.
Nevertheless, even with those remarks, it does what it is supposed to do.
Use of Solution
I’m working as a partner of CyberArk for about four years now. I started on version v7.1 (currently on v9.7) and I have served about 20 happy customers.
As no software is perfect, I don’t think it is any different with CyberArk. Their support, however, is able to tackle most of the problems. Sometimes patches are distributed. The CyberArk solution highly integrates with different platforms (Windows/Linux) and applications (AD, SIEM, email, etc.). So, not configuring it well can result in unexpected behavior. You need to consider the limitations of the platforms it is installed on, as well.
As mentioned, one of the advantages of the CyberArk PAS suite is the modular build up; not only on covering the functional area, but also on size of your network/datacenter. If you, e.g., notice that the number of privileged accounts to manage increases, you can simply add an additional module/component that manages those passwords.
Customer Service and Technical Support
Their support is good. It is split up into different areas (technical, implementation, etc.) and I always have a quick answer. And they go all the way for their customers.
I saw customers using another product for their privileged accounts. Due to its limitations (e.g., on password and session management) and stability, they decided to switch to CyberArk.
This question goes both ways; initial setup can be straightforward and it can become complex. The architecture in the network and installation of the software itself is pretty straightforward. Most of the modules/components are agentless. This makes it possible to install the solution in the datacenter without impacting any existing devices (no impact on running systems, and simplifying change and release management). Integrating the systems (privileged accounts) in the CyberArk solution can happen gradually.
The flexibility of the product, on the other hand, has as a consequence that there is a lot to configure. Depending on the existing infrastructure and functional demands at the different organizations, care has to be taken to have a correct implementation.
Pricing, Setup Cost and Licensing
As far as pricing, personally, I’m not involved in the sales part. So, I cannot elaborate on this topic. For licensing, I can advise the same thing as mentioned elsewhere: Start small and gradually grow.
Other Solutions Considered
Before choosing this product, I did not evaluate other options (being a partner, not customer).
The Privileged Account Security product is a suite. That means that the product consists of different components/modules that cover a particular functional area (check their website) on privileged accounts. Plugging in more of those components in the environment results in covering a greater part of that area. Of course, there is a common layer that is used by all components. This is the security layer that holds and protects the privileged accounts.
Start small. Use first the basic components that, e.g., include password management. Gradually grow the number of components/modules/functional area to include, e.g., other types of accounts, session management, intrusion detection, end-point protection, etc. Having a project scope that is too large will make the step of using the solution too big. Make sure every stakeholder in the project is aware and let them gradually ‘grow’ with the product.
Disclosure: My company has a business relationship with this vendor other than being a customer: My company has a partnership with CyberArk.
Sep 25 2016