KuppingerCole Report
Executive View
By Graham Williamson

CyberArk Portfolio Overview

CyberArk is a pioneer in Privileged Account Security, and is widely recognized as the leader in this sector. Building upon a strong base product, CyberArk has enhanced its offering to include the capabilities that organizations need to secure and manage privileged accounts and their credentials associated with users, applications, and other system assets across an enterprise's entire technology environment including on-premises, cloud and hybrid environments, as well as securing CI/CD tools and DevOps environments.

1 Introduction

An ongoing task for most organizations is managing access to systems and applications at an elevated permissions level. System administrators typically have powerful access rights that make their accounts a target for anyone wanting to cause damage to a company. A user with administrative privileges has complete control over a computer system, whether it is on-premises or in the cloud. With admin rights to one system, a hacker will attempt to spawn additional accounts in other systems and avoid detection by altering configuration settings in security monitoring devices or by modifying activity logs. Someone with full administrative rights can add accounts or change privileges on existing accounts such that they have unique access rights which can be difficult to detect and remove. Furthermore, a competent attacker can modify logs and virtually remove evidence of their activity. Similar challenges exist in cloud environments but can be even more damaging, as the management console for the public cloud, offered by vendors such as Amazon Web Services (AWS) or Microsoft Azure, provides an incredible level of capability to cloud administrators. As a result, privileged accounts are targeted in every advanced and internal attack, allowing attackers to gain access to sensitive assets and disrupt business.

It is therefore imperative that a company secures its administrative accounts, i.e. those accounts with elevated privileges that grant users the right to make systemic changes to a computing environment. But in many cases organizations don’t know how many privileged accounts they have nor who has access to them. Some organizations still use shared accounts for system admin functions and have no way to effectively audit administrative activities and obtain individual accountability. The lack of privileged account management is therefore an inherent security risk for many companies.

CyberArk created the category of Privileged Account Security nearly two decades ago. Today, the company is still widely recognized as one of the leading innovators and suppliers of privileged account management solutions, for on-premises, cloud computing, and DevOps environments. They have seen the market grow from a specialist sector providing access control for mainframe accounts to sector-wide solutions to manage all system administration and elevated-privileged account requirements across all hardware and software solutions located on-premises and in the cloud.

Service accounts are also an important concern for enterprise security administrators. In many cases there is reduced vigilance on application-to-application accounts that are used for multiple purposes, such as system back-up. However, in many cases the credentials for these service accounts reside in unencrypted configuration files and text scripts. Moreover, oftentimes these service accounts are overprovisioned, or are used for purposes other than the intended usage. These are bad practices that can be alleviated via a properly configured privileged account management solution.

While internally organizations need to ensure that applications and staff accessing systems at a privileged level are authorized to do so, and that appropriate controls have been placed on this access, there is also an increasing need to control access from external sources. Business partners requiring access at an elevated level are a particular concern. They are not always authenticated to the corporate network and are potentially using a mobile device, with all the associated risks. Compromise and abuse of an HVAC contractor's account led to the release of sensitive information in a large retail organization. This aptly illustrates how important it is to ensure robust management and monitoring of remote-access accounts.

Operational technology provides another attack surface. An industrial computer system (ICS) represents a high-risk area that, in the past, was typically isolated from IT systems. As business imperatives encourage increased integration between operational and administrative networks, protection of PLC and SCADA systems becomes more important. Many organizations with ICSs delegate management of their operational infrastructure to the supplying vendor. This represents a high risk to companies with ICS infrastructure.

CyberArk was formed in Israel in 1999 and its co-founder is still active in the company. The company listed on the NASDAQ Exchange in 2014 and since then it has extended its capabilities through the acquisition of Cybertinel and Viewfinity in 2015. CyberArk’s longevity in this sector, and ongoing product innovation and development, have resulted in a comprehensive product offering for privileged account security.

2 Product Description

Protecting privileged accounts is one of the most important functions in IT security departments today. Most cyberattacks involve exploiting privileg ...

2.1 Privileged Account Security Solution

Privileged Account Management (PAM) solutions typically:

  • Encrypt and securely store passwords
  • Segregate users based on the assets to which they ...

2.1.1 Enterprise Password Vault

CyberArk’s traditional approach to managing privileged accounts is based on a password vault that intercepts login requests and logs the user into t ...

2.1.2 SSH Key Manager

CyberArk SSH Key Manager controls access to, manages, and securely stores SSH keys in a manner similar to the way it handles passwords. SSH keys are u ...

2.1.3 Privileged Session Manager

Managing sessions that are using elevated privileges is a core requirement for a PAM product. With the CyberArk solution, it is possible to monitor se ...

2.1.4 Application Identity Manager

The CyberArk Application Identity Manager is a core component that secures, manages and controls privileged account credentials used by applications a ...

2.1.5 Privileged Threat Analytics

Monitoring network activity and notifying of attack indicators is an important layer of cybersecurity protection. CyberArk’s Privileged Threat Analy ...

2.1.6 On-Demand Privileges Manager

CyberArk On-Demand Privileges Manager allows enterprise security administrators to set granular access control policies governing which users can run ...

2.1.7 Endpoint Privilege Manager

CyberArk Endpoint Privilege Manager is CyberArk’s solution for endpoint device vulnerabilities associated with the exploitation of privileged creden ...

3 Strengths and Challenges

The CyberArk Privileged Account Security Solution is built on the CyberArk Shared Technology Platform. This facilitates deployment of the CyberArk mod ...


©2021 KuppingerCole Analysts AG all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole's initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaim all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole do not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.