
CyberArk Expands IAM/Security Capabilities 

Publication Date: 6 April 2023

Abstract

Over the course of the past few years, CyberArk, arguably the global leader in Privileged Access Management (PAM) solutions, has embarked on an aggressive journey to expand its enterprise footprint. In particular, the company has reoriented its existing products and introduced new functionality to become much more competitive in the Access Management (AM) security space, largely through its SaaS subscription sales and deployment model.

Because CyberArk has developed such a large customer base for its PAM capabilities, there is a compelling reason to now compare it with leading AM vendors such as Microsoft, Okta, Ping and ForgeRock. Furthermore, the growing need for stronger forms of authentication and authorization for enterprise knowledge workers, who typically access large amounts of sensitive company information on a regular basis, makes CyberArk’s privileged access pedigree worthy of consideration.

In this report, we provide a thorough inspection of CyberArk’s current product offerings and sales strategy. We then map the current CyberArk suite onto our IAM Reference Architecture to clearly show where they fit in the IAM landscape. Lastly, we conclude with a set of pragmatic recommendations and an enterprise action plan for potentially broader CyberArk deployment considerations.

Authors:

Doug Simmons
Principal Consulting Analyst

Gary Rowe
CEO / Principal Consulting Analyst

Executive Summary

TechVision Research consulting analysts have spent nearly three decades evaluating privileged access management (PAM) approaches, vendors, and solutions. The leading vendor in the PAM market has historically been CyberArk, a publicly traded company with over 5,000 customers, including more than 50 percent of the Fortune 500 and more than 30 percent of the Global 2000. CyberArk is headquartered in Israel, with U.S. headquarters located in Newton, Massachusetts.

CyberArk was an early pioneer in the PAM market, with their Enterprise Password Vault (EPV) being first introduced in 2003. Since then, they have become the pre-eminent purveyor of PAM solutions worldwide.

That said, there have been challenges in the path to global enterprise PAM deployment, such as:

  1. Extensibility of on-premises PAM capabilities into the broader enterprises’ emerging Zero Trust, multi-cloud, hybrid IT landscape, and
  2. Integration with enterprise Identity Governance and Administration (IGA) services to better manage and monitor who has access to what, for what reason(s) and for how long?

These challenges left many CyberArk customers with less-than-ideal PAM capabilities because of the traditionally disjointed nature of integration with cloud providers’ native access management services like Microsoft Azure, Google Cloud Platform (GCP) and Amazon Web Services (AWS). Coupled with this is the necessity to extend stronger, “PAM-like” authentication and access controls to the broader enterprises’ knowledge workers – not just system administrators, and in conjunction with the IAM-centric Zero Trust principles that are being widely adopted.

Additionally, IGA platforms such as SailPoint IdentityIQ (on-premises) and Identity Security Cloud (SaaS) and Saviynt Enterprise Identity Cloud, which provide answers to the regulatory-compliance-driven question “who has access to what?”, have required more integration contortions than should be necessary to gain measured and effective visibility into the CyberArk privileged access ecosystem.

Lastly, a new access management paradigm called Cloud Infrastructure Entitlement Management (CIEM) has arrived on the scene to address the increasingly significant security processes of managing access rights, permissions, or privileges for the identities of a single- or multi-cloud environment. While CIEM sounds very similar to PAM (and it is), it focuses on the additional complexity of the typically multi-cloud IT environments now being deployed across most mid-to-large sized enterprises.

CyberArk has recognized this gap and subsequently invested in expanding their base PAM solution to become more cloud-centric and address the general enterprise knowledge worker access capabilities. Beginning in mid-2018, the company launched the subscription-based CyberArk Privilege Cloud to help provide a more simplified path to securely store, rotate and isolate credentials, and monitor sessions. This was a big step toward bona fide cloud awareness for CyberArk and with the acquisition of IDaptive in May 2020, CyberArk gained a mid-market Identity as a Service (IDaaS) vendor with its Next Generation Access Cloud solution that combines single sign-on (SSO), adaptive multi-factor authentication (MFA), endpoint and mobile context awareness, and user behavior analytics (UBA) capabilities. This acquisition brought an IDaaS environment that competes head-to-head with popular IDaaS solutions such as Okta into the CyberArk portfolio. (Please see the recent TechVision report titled “Okta Identity Platform Assessment” for a deeper dive into the Okta solution.)

TechVision Research continues to work closely with its customers who are advancing their IAM architectures and strategies and many of these have already deployed CyberArk as their enterprise PAM solution. Should the long-standing pedigree of CyberArk PAM encourage these existing customers to consider whether CyberArk should be deployed further across the IT environment, especially with myriad challenges such as:

  • Multi-cloud infrastructure
  • Managed Service Providers (MSPs) and B2B partner IT administration
  • Remote and itinerant workforce with administrative capabilities?

The answer is “it depends”. Like many IT vendors over the past few years, CyberArk saw the writing on the wall: the myriad challenges identified above were making it increasingly difficult to expand their installed base. That is one reason the company acquired IDaptive. With the acquisition nearly three years on, it is becoming increasingly apparent that CyberArk is intent on becoming more than “just a PAM vendor”.

This is an interesting development because, truth be told, CyberArk has been a widely trusted PAM vendor for many years. They are perceived as being solidly focused on their development of truly secure administration access capabilities. It is very important that this commitment be maintained as their portfolio now expands into more wide-ranging IAM capabilities such as SSO, MFA, CIEM and IGA.

TechVision feels there is a burgeoning market for “lighter weight” yet effective identity lifecycle management, access management and governance tools, preferably made available as a cloud service (e.g., IDaaS). To this end, the CyberArk Identity Security Platform contains numerous capabilities that may appeal to organizations wanting to improve their overall IAM, PAM and IGA posture without bringing in multiple vendors whose “deeper” solutions in each area do not necessarily integrate with each other very easily.

Their level of existing entrenchment in a very large number of enterprises makes it hard to discount their ability to help current customers expand CyberArk capabilities beyond PAM. Through IDaptive, they are able to provide non-administrative end users (and things) with services and capabilities that are well integrated with CyberArk’s vaulting and secrets management knowledge and expertise. For example, existing CyberArk enterprise customers that need to expand PAM into the CIEM (multi-cloud) realm would be wise to give CyberArk serious consideration.

Introduction

TechVision Research consulting analysts have spent nearly three decades evaluating privileged access management (PAM) approaches, vendors, and solutions. The leading vendor in the PAM market has historically been CyberArk, a publicly traded company with over 5,000 customers, including more than 50 percent of the Fortune 500 and more than 30 percent of the Global 2000. CyberArk is headquartered in Israel, with U.S. headquarters located in Newton, Massachusetts. We provided a deep dive into CyberArk and their PAM solution in recent TechVision reports, notably “Privileged Access Management: Will We Never Learn?”, “Privileged Access Management: Developing a Reference Architecture for PAM” and “Privileged Access Management: More Necessary Than Ever as Cloud-Shift Intensifies”. To recap, CyberArk was an early pioneer in the PAM market, with their Enterprise Password Vault (EPV) being first introduced in 2003. Since then, they have become the pre-eminent purveyor of PAM worldwide.

However, there have been challenges in the path to global enterprise deployment ubiquity, such as:

  1. Extensibility of PAM capabilities into the broader enterprises’ emerging Zero Trust, multi-cloud, hybrid IT landscape, and
  2. Integration with enterprise Identity Governance and Administration (IGA) services to better manage and monitor who has access to what, for what reason(s) and for how long?

These two challenges left many CyberArk customers with less-than-ideal PAM capabilities because of the traditionally disjointed nature of integration with cloud providers’ access management services like Microsoft Azure, Google Cloud Platform (GCP) and Amazon Web Services (AWS). Coupled with this is the necessity to extend PAM-like authentication and access controls to the broader enterprises’ knowledge workers – not just system administrators, and in conjunction with the IAM-centric Zero Trust principles that are being widely adopted.

Additionally, IGA platforms such as SailPoint IdentityIQ (on-premises) and Identity Security Cloud (SaaS) and Saviynt Enterprise Identity Cloud, which provide answers to the regulatory-compliance-driven question “who has access to what?”, have required more integration contortions than should be necessary to gain visibility into the CyberArk privileged access ecosystem.

Lastly, a new access management paradigm called Cloud Infrastructure Entitlement Management (CIEM) has arrived on the scene to address the increasingly significant security processes of managing access rights, permissions, or privileges for the identities of a single- or multi-cloud environment. While CIEM sounds very similar to PAM (and it is), it focuses on the additional complexity of the typically multi-cloud IT environments now being deployed across most mid-to-large sized enterprises.

All these challenges can be seen as major inhibitors to fully effective CyberArk deployment because they may leave opportunities for malicious attackers to escape detection and access prevention. In other words, the percentage of access privileges left fully unmanaged and unmonitored by PAM and/or IGA can be large enough to hurt an organization’s overall security posture.

CyberArk has recognized this problematic gap and subsequently invested in expanding their base PAM solution to encompass more of the general enterprise knowledge worker access capabilities. Beginning in mid-2018, the company launched the subscription-based CyberArk Privilege Cloud to help provide a more simplified path to securely store, rotate and isolate credentials, and monitor sessions.

This was a big step toward bona fide cloud awareness for CyberArk and with the acquisition of IDaptive in May 2020, CyberArk gained a mid-market Identity as a Service (IDaaS) vendor with its Next Generation Access Cloud solution that combines single sign-on (SSO), adaptive multi-factor authentication (MFA), endpoint and mobile context awareness, and user behavior analytics (UBA) capabilities. This acquisition brought an IDaaS environment that competes head-to-head with Okta into the CyberArk portfolio. (Please see the recent TechVision report titled “Okta Identity Platform Assessment” for a deeper dive into the Okta solution.)

In effect, CyberArk is extending their “intelligent privilege controls” beyond system, application, and network administrators – both on premises and in the cloud. Furthermore, by offering their new suite of capabilities through a subscription-based SaaS model, CyberArk has increased their financial bottom line substantially. As evidence of this, their recently released Financial Summary for the full year ended December 31, 2022, pointed to subscription revenue at $280.6 million in the full year 2022, an increase of 108 percent from $134.6 million in the full year 2021. This is not your grandfather’s CyberArk: it is clear the company is embarking on an ambitious journey to continue growth and fight off competition in the rapidly evolving Identity Management market.

Amazon Web Services (AWS) calls CyberArk “an AWS partner” and as such, its IDaaS and Privileged Access Cloud run on AWS. At CyberArk, the solution delivery team handles enterprise customer onboarding and tenant management. Besides creating tenants, the delivery team needs access to a unified view of tenants’ subscription configuration. This allows the team to add or remove products from a tenant per the customer’s needs. AWS hosts CyberArk customer tenants in 9 regions around the globe, including the U.S., Canada, UK, EU, APAC, and India.

In the following section, we review CyberArk’s current product strategy against this backdrop.

A Pathway for Zero Trust

In large part, these past two years have seen CyberArk endeavor to be known as a leading provider of Zero Trust solutions in the Identity and Security marketplace, rather than “just a PAM vendor”. With all the hype surrounding Zero Trust, many will likely roll their eyes and dismiss this move by CyberArk as a mere marketing ploy. But TechVision has written extensively about Zero Trust, its dependence on IAM, and its impact on networking and data controls. (Please see the TechVision report titled “Architecting and Managing Hybrid and Cloud-based Identity Services” for more information.) TechVision’s independent definition of Zero Trust is as follows:

Zero Trust is an architectural approach built on the premise that no person, device, or application is entitled by default. Properly implemented, Zero Trust delivers frictionless secure access to the right resources across any device, anywhere, at just the right time.

Further supporting this concept, NIST describes Zero Trust Architecture as “an end-to-end approach to network/data security that encompasses identity, credentials, access management, operations, endpoints, hosting environments, and the interconnecting infrastructure.”

What this definition implies is that an enterprise should only trust someone or something that is granted and reestablished/verified through Identity and Access Management (IAM) services designed to:

  • provide proper controls to securely onboard, manage, and offboard identities,
  • enable sufficient authentication and authorization mechanisms as per enterprise risk management, and
  • provide an extensive proactive alerting and reactive audit trail of all user, device, and application access to the enterprise resources.

Because Zero Trust is not a product or even a prescribed implementation strategy, it makes sense that the decisions made about solving for Zero Trust across the digital enterprise demonstrate the consistent application of the following capabilities:

  • Least Privilege – An identity is granted the appropriate access and entitlements for a resource based on the need to perform its intended function and only during the time the function is being performed.
  • Strong Verification – Move beyond passwords into advanced methods of authentication and practice progressive collection and disposal of credentials required to achieve least-privilege functional execution.
  • Risk-based enforcement – Evolve to decision making based on factors beyond a strongly verified identity. Factors such as resource value, location, device and network security postures, and user behavior are included in access/entitlement decisions in a least privilege regime.
  • Continuous Evaluation of Assurance – Identify and assess levels of risk to the achievement of business objectives. Considers a combination of monitoring and auditing capabilities, such as:
      • Analyzing trends
      • Correlating outliers
      • Highlighting potential exposures
      • Evaluating and remediating exposures
  • Continuous Evaluation of Entitlement – Monitor and review the application of policies that grant, resolve, enforce, revoke, and administer fine-grained access entitlements for resources.

Remember, Zero Trust is about always asking if this activity/action is “appropriate.” To determine that level of appropriateness, you need to consider the risk, the activity, and the identity and the associated credentials to determine authentication, access, and entitlements.

The CyberArk Zero Trust value proposition grows when we consider how the IDaptive capabilities enable a broader spectrum of Zero Trust beyond privileged access management. When we consider the “yellow” circle in Figure 1 below, that describes “sensitive or secret” enterprise data, we should understand that a much more robust identity management capability must be in place.

Figure 1:  Enterprise Resource Types

As further illustrated below, this means that the “identity is the perimeter” and it is the one piece of the puzzle that must be secured with the utmost care to preserve the integrity of the information ecosystem as the user “identity” traverses from the device, over the network to the actual data.

Figure 2:  Identity Based Zero Trust

With IDaptive, CyberArk now has a portfolio of capabilities that may provide a viable and credible Zero Trust offering. Leveraging CyberArk’s traditional strength in PAM combined with strong IAM capabilities can enable a more compelling enterprise Identity Security model that is Zero Trust-worthy. Now, let’s look at the CyberArk Identity Security platform in more detail.

The CyberArk Identity Security Platform

The CyberArk Identity Security Platform enables protection of digital identities – human or machine – across a wide range of devices and environments from a single platform. It includes CyberArk Identity, which provides access to enterprise applications and endpoints required by various constituencies – employees, business partners, vendors, and customers. With its longstanding PAM pedigree, the CyberArk platform is intended to provide intelligent privilege controls to the point of authentication, high-risk user sessions and more, across the entire range of identity capabilities.

Today, CyberArk has been expanded into a more comprehensive on-premises and cloud-based workforce authentication, access control and identity lifecycle management platform. This solution suite may now provide the cornerstone for the identity based Zero Trust security infrastructure that most present-day enterprises are aspiring to deploy. Illustrated below is CyberArk’s “modern identity security blueprint”, which shows the capabilities of its current “Zero Trust enabling” platform.

Figure 3:  CyberArk’s Modern Identity Security Blueprint (Source: CyberArk)

The components of the CyberArk Identity Security Platform (solution suite) are described below, along with our explanations of how the component’s capabilities may enable Zero Trust.

Single Sign-On

Using CyberArk Single Sign-On (SSO), enterprise users enter one set of credentials to access all their cloud and on-premises apps in one place. This feature also reduces IT burden with self-service password reset. The CyberArk SSO solution enhances Zero Trust by ensuring the user authentication event is secured according to information access risk management and in accordance with access control policies governed and configured by the enterprise. The figure below illustrates how the system leverages authoritative identity stores, such as the CyberArk Identity Cloud Directory, Microsoft Active Directory/Azure Active Directory, Google Cloud Directory and enterprise LDAP directories to create a CyberArk Login token that is passed to target applications – enabling SSO.

Figure 4:  CyberArk Login and SSO (Source: CyberArk)

Of interest to many potential enterprise customers is the ability of CyberArk SSO to let Microsoft Active Directory users log in to workstations and servers secured by the CyberArk Identity Windows Cloud Agent (IWCA). Historically, the ability to leverage existing AD accounts for SSO has been a “table stakes” requirement for nearly every mid-to-large enterprise.

Adaptive Multi Factor Authentication

While SSO is a necessary and important feature for both improved user experience and overall security, to enable identity based Zero Trust it is necessary to couple SSO with Adaptive Multi Factor Authentication (MFA) to strengthen access controls with adaptive secondary authentication. This means a user can be required to re-authenticate or provide additional authentication attributes such as biometrics or text-message based one-time passcodes (among many other options) as the user attempts to access more sensitive information than the original authentication event allows. The figure below illustrates this capability.

Figure 5:  CyberArk Adaptive MFA (Source: CyberArk)

Note that enterprise Active Directory users can access IWCA-protected Windows workstations and servers using any of the supported authentication factors, including passwordless factors such as push notifications, emails, and SMS messages. For example, a user can access a Windows server without entering a password by selecting Mobile Authenticator at the login screen and approving the login request using the CyberArk Identity app. Just as with SSO leveraging AD user credentials, the capability enabled through this module is often of significant value to enterprises working diligently to strengthen their authentication environment.
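To make the step-up behaviour described above concrete, here is an added illustration (not CyberArk code, and not a description of how CyberArk Adaptive MFA is implemented internally) of a risk-based authentication policy. A session records the assurance level already achieved and when it was achieved; each resource declares the level it requires and how fresh the authentication must be; device, location and behaviour-analytics signals raise the requirement at decision time. The three assurance levels, the factor names, the weighting thresholds and all sample scenarios are assumptions constructed for this example.

```python
"""Risk-based step-up authentication policy (constructed example).

Decides, for one access attempt, whether the existing session is
sufficient, whether a stronger or fresher factor must be collected,
or whether the attempt should be refused outright.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assurance levels are an assumption for illustration, loosely modelled on
# the AAL1/2/3 ladder of NIST SP 800-63B. Higher is stronger.
PASSWORD, OTP, PHISHING_RESISTANT = 1, 2, 3

# Which factor to request to reach a given level (names are illustrative).
FACTOR_FOR_LEVEL = {
    PASSWORD: "password",
    OTP: "mobile_push_or_otp",
    PHISHING_RESISTANT: "fido2_security_key",
}


@dataclass
class Session:
    user: str
    assurance: int               # highest level achieved so far in this session
    authenticated_at: datetime   # when that level was last proven


@dataclass
class Resource:
    name: str
    required_assurance: int      # baseline level the resource owner demands
    max_auth_age: timedelta      # how recent the last authentication must be


@dataclass
class Signals:
    managed_device: bool = True
    known_location: bool = True
    behavior_risk: int = 0       # 0-100 score from analytics (e.g. UBA)


def required_level(resource: Resource, signals: Signals) -> int:
    """Raise the resource's baseline requirement according to runtime risk."""
    level = resource.required_assurance
    # Unmanaged device or unfamiliar location: at least a second factor.
    if not signals.managed_device or not signals.known_location:
        level = max(level, OTP)
    # Anomalous behaviour: demand a phishing-resistant factor.
    if signals.behavior_risk >= 70:
        level = max(level, PHISHING_RESISTANT)
    return min(level, PHISHING_RESISTANT)


def decide(session: Session, resource: Resource, signals: Signals, now: datetime) -> str:
    """Return 'allow', 'deny', or 'step_up:<factor>' for this access attempt."""
    if signals.behavior_risk >= 90:
        return "deny"                      # too risky to repair with another factor
    need = required_level(resource, signals)
    stale = now - session.authenticated_at > resource.max_auth_age
    if session.assurance >= need and not stale:
        return "allow"
    # A stale session is refreshed with at least a second factor, never just a password.
    target = max(need, OTP) if stale else need
    return "step_up:" + FACTOR_FOR_LEVEL[target]


def run_scenarios() -> dict:
    """Constructed scenarios showing each branch of the policy."""
    now = datetime(2023, 4, 6, 12, 0, tzinfo=timezone.utc)
    wiki = Resource("intranet-wiki", PASSWORD, timedelta(hours=8))
    payroll = Resource("payroll-export", OTP, timedelta(minutes=15))
    pw_only = Session("alice", PASSWORD, now - timedelta(minutes=5))
    otp_old = Session("alice", OTP, now - timedelta(minutes=30))
    otp_fresh = Session("alice", OTP, now - timedelta(minutes=1))
    return {
        "low_risk_wiki": decide(pw_only, wiki, Signals(), now),
        "payroll_needs_second_factor": decide(pw_only, payroll, Signals(), now),
        "payroll_stale_session": decide(otp_old, payroll, Signals(), now),
        "anomalous_behaviour": decide(otp_fresh, payroll, Signals(behavior_risk=75), now),
        "unmanaged_device_but_otp_held": decide(otp_fresh, wiki, Signals(managed_device=False), now),
        "critical_risk": decide(otp_fresh, wiki, Signals(behavior_risk=95), now),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:32s} -> {outcome}")
```

The point of keeping `required_level` separate from `decide` is that the resource owner's baseline and the runtime risk adjustments can be audited independently: a reviewer can see exactly which signal raised the requirement, which is the kind of explanation a Zero Trust policy needs to produce alongside the decision itself.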

Identity Lifecycle Management

This is an area that focuses on the “Joiner/Mover/Leaver” (JML) set of processes that support automation of user and thing provisioning, access control rights and de-provisioning. It uses a combination of real-time event triggering, batch file updating, delegated administration, self-service, access requests, workflow approvals, and periodic identity governance. All these capabilities are necessary in a robust enterprise Identity Management ecosystem to ensure people and devices are productive, secure and auditable with minimal delay or manual intervention. The foundation of an identity based Zero Trust approach requires that the enterprise know unequivocally who can access what. The Identity Lifecycle Management component is the set of tools that can help make this happen. The figure below illustrates these processes and data flows.

Figure 6:  CyberArk Identity Lifecycle Management Model (Source: CyberArk)

To aid real-time integration with leading SaaS-based Human Capital Management (HCM) platforms currently in widespread use among enterprises, CyberArk’s Secure Identity platform’s lifecycle management feature supports connectors to these systems:

Figure 7:  CyberArk Joiner/Mover/Leaver (JML) Model (Source: CyberArk)

Such HCM solutions have become integral in most enterprise environments, with Workday and SAP SuccessFactors being market leaders. As with many other IAM vendors today, the ability to integrate these authoritative source systems for identity quickly and securely has proven to be a critical requirement.

Directory Services

Directory services are comprised of the repositories that store and provide the identity information necessary to deploy a modern, secure identity infrastructure that enables Zero Trust. Within Directory Services, enterprises create users and groups in the CyberArk Cloud Directory, federate identities from on-premises and cloud-based directories, or use any combination of integrated user directories (e.g., Microsoft Active Directory, Azure Active Directory, IDaptive LDAP, etc.)  to meet enterprise-specific requirements. As illustrated below, the AWS-hosted CyberArk Identity Cloud Directory is the logically centralized identity repository linking these authoritative source identity stores together.

Figure 8:  CyberArk Identity Cloud Directory (Source: CyberArk)

Additionally, the CyberArk Identity Cloud Directory supports identity federation to enable access via social login (e.g., LinkedIn, Facebook, etc.) to enterprise applications without the need to authenticate, duplicate and manage the lifecycle of external users – predicated on information sensitivity and risk management policy.

Endpoint Authentication

Endpoint security entails several interwoven technologies and processes that work together to ensure endpoints are known, trusted, secure from hacking, properly monitored and functioning within endpoint security policies. In a modern enterprise, traditional network segmentation designs are giving way to more dynamic, micro-segmentation principles that incorporate the principles of Zero Trust. This means that the endpoints connecting to the enterprise network must be highly secure and trusted, as the network perimeter itself becomes a more virtual concept that extends to the endpoints themselves. This topic will be highlighted in TechVision’s upcoming research report on End Point Management and Security.

Device registration, credential management, configuration management, patch management, audit and reporting functions are important security functions supported by a typical enterprise endpoint management strategy. However, often overlooked is endpoint privilege management, which focuses specifically on the local application and operating system administrative rights held by the user of the endpoint. CyberArk has developed the CyberArk Endpoint Privilege Manager (EPM) solution specifically for this purpose, with crucial Zero Trust capabilities that include:

  • The ability to remove local admin rights from end users
  • Implementation of least privilege access on the endpoint
  • Protection of credential stores on the endpoint
  • Control of all applications running on the endpoint, supporting white/black/gray listing
  • Securing and rotating local admin passwords on the desktops when implemented in conjunction with CyberArk PAM
  • Adaptive MFA and passwordless authentication to endpoint devices when implemented with CyberArk Adaptive MFA

Furthermore, when CyberArk EPM is enabled in conjunction with the Secure Web Sessions (SWS) solution, EPM protects the endpoint browser access to sensitive applications based on endpoint policies. This is crucial in the deployment of the identity-based Zero Trust infrastructure necessary to protect not only infrastructure systems and services, but sensitive applications and data as well.

With EPM and SWS working in concert with identity based Zero Trust, an attacker who has infiltrated an endpoint will not be able to elevate their access and move laterally out of that device to access sensitive information assets. This effectively expands the zero trust “architecture” out of the network layer (Layer 3 of the OSI 7-Layer Reference Model) to the application layer (Layer 7), where identity information is used to potentially implement finer-grained access to information assets. Such a strategy aligns the enterprise’s identity and access management (IAM) processes to control contextualized Zero Trust policies applied to each user/device combination.

App Gateway

This component of the CyberArk Identity Security platform enables end users to access on-premises apps alongside cloud-based apps without the use of a Virtual Private Network (VPN).

Figure 9:  CyberArk App Gateway Model (Source: CyberArk)

Requiring only a single agent installed on any Windows or domain-joined server behind the enterprise firewall, the App Gateway enables Zero Trust by directing all access to enterprise information through a comprehensive, risk-based, intelligent, and auditable gateway that enforces access policies for sensitive information, including SSO with adaptive MFA, User Behavior Analytics, Endpoint Authentication, Directory Services, and Secure Web Services.

User Behavior Analytics

Artificial Intelligence (AI) plays an important role in runtime access management. People and things exhibit ‘normal’ patterns when accessing and interacting with applications and information. CyberArk’s User Behavior Analytics capability within the Identity Security platform uses AI to collect, analyze, and visualize user behavior insights in real-time. It provides interactive dashboards to drill into the context behind security events and pinpoint root cause. This component eliminates manual review of log data and uses AI to identify patterns of risky access conditions. This feature enables Zero Trust by dynamically adjusting risk profiles for individual users as well as invoking Adaptive SSO and MFA to leverage user-specific contextual attributes and risk scores to dynamically trigger access policies. A high-level illustration of User Behavior Analytics is shown in the figure below.

Figure 10:  CyberArk User Behavior Analytics (UBA) Model (Source: CyberArk)

Secure Web Sessions

Secure Web Sessions (SWS) is an add-on to CyberArk Identity Security Platform Single Sign-On and serves as an authentication factor for accessing protected web applications. Using the capabilities afforded by the SSO, adaptive MFA, Identity Lifecycle Management, Directory Services, App Gateway, and UBA, SWS automatically grants and revokes access to hundreds of pre-integrated cloud applications from the CyberArk App Catalog.

This is the pinnacle of sensitive information protection enabled by CyberArk Identity Security Platform, which utilizes many of the same techniques as their Privileged Access Manager to ensure access to corporate information is managed in an initial least privilege mode that can be elevated through the integration of each of the Identity Security Platform components. The figure below illustrates the user ‘flow’ from authentication to the CyberArk Identity SSO component to the resource protected by SWS.

Figure 11:  CyberArk Secure Web Sessions (SWS) Model

Cloud Infrastructure Entitlement Management (CIEM)

CyberArk Cloud Entitlements Manager is a SaaS solution that reduces risk by implementing least privilege across cloud environments. From a centralized dashboard, Cloud Entitlements Manager provides visibility and control of permissions across an organization’s cloud estate. Within this single dashboard display, Cloud Entitlements Manager provides security administrators recommended remediations to remove excessive permissions without disrupting cloud operations.

Cloud Entitlements Manager collects data on IAM entities and applies artificial intelligence (AI) to assign an exposure level score for each unique identity, environment, and platform. This allows organizations to continuously assess their permissions exposure and identify quicker paths to risk reduction. The dashboard provides the means to detect and control all permissions to access resources across Amazon Web Services (AWS), AWS Elastic Kubernetes Service, Azure, and Google Cloud Platform (GCP). This includes the ability to apply granular, code-level IAM policy recommendations for human and machine identities and monitor quantifiable exposure/risk level scores for all identities and platforms.

Figure 12:  CyberArk Cloud Infrastructure Entitlement Management (CIEM) Model

Through the Identity Lifecycle component, CyberArk CIEM can provide near-immediate, automatic onboarding of cloud accounts. TechVision Research knows through experience working with our customers that this is a significant requirement for improving multi-cloud security postures with more intelligent automation such as this. And, while we have not seen this claim supported directly, CyberArk says it can often “take less than 1 hour to full deployment and solution value for CIEM.” Nevertheless, if you are already a CyberArk PAM customer and need a CIEM solution sooner rather than later, this could be a beneficial set of capabilities to consider.
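The CIEM paragraph above speaks of an exposure score per identity and code-level policy recommendations. The following added example (constructed for this report summary; it is not CyberArk code and does not reproduce how Cloud Entitlements Manager computes its scores) shows the underlying idea on an AWS-style identity policy document: over-broad statements are flagged and weighted into a score, and wildcard grants are tightened down to the actions the identity was actually observed using. The finding weights, the list of high-risk actions, the sample policy and the observed-action list are all assumptions.

```python
"""Exposure scoring and least-privilege tightening for an IAM policy
document (constructed example, AWS policy grammar)."""
import json
from fnmatch import fnmatchcase

# Weights are an assumption for illustration; a real product would calibrate them.
WEIGHTS = {
    "wildcard_action": 40,    # Action "*": anything the platform offers
    "wildcard_service": 15,   # e.g. "s3:*": every action in one service
    "wildcard_resource": 15,  # Resource "*": applies to every resource
    "high_risk_action": 20,   # a specific action that enables escalation
}

# Illustrative subset of actions that allow an identity to broaden its own rights.
HIGH_RISK_ACTIONS = {
    "iam:PassRole", "iam:CreatePolicyVersion", "iam:AttachUserPolicy",
    "iam:PutUserPolicy", "sts:AssumeRole",
}


def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def analyze_policy(policy):
    """Return (score 0-100, findings) where each finding is
    (statement index, finding kind, offending value)."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append((idx, "wildcard_action", action))
            elif action.endswith(":*"):
                findings.append((idx, "wildcard_service", action))
            elif action in HIGH_RISK_ACTIONS:
                findings.append((idx, "high_risk_action", action))
        if any(r == "*" for r in _as_list(stmt.get("Resource", []))):
            findings.append((idx, "wildcard_resource", "*"))
    score = min(100, sum(WEIGHTS[kind] for _, kind, _ in findings))
    return score, findings


def recommend_least_privilege(policy, observed_actions):
    """Rewrite each wildcard Allow statement to list only the observed actions
    that the wildcard covered; drop statements whose wildcard was never used.
    Resources are left untouched because usage logs alone do not prove which
    resource ARNs are safe to narrow to."""
    new_statements = []
    for stmt in _as_list(policy["Statement"]):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or not any("*" in a for a in actions):
            new_statements.append(stmt)
            continue
        kept = sorted({obs for obs in observed_actions
                       if any(fnmatchcase(obs, pat) for pat in actions)})
        if kept:
            tightened = dict(stmt)
            tightened["Action"] = kept
            new_statements.append(tightened)
    return {"Version": policy["Version"], "Statement": new_statements}


# Constructed sample: an over-permissive role policy and the actions its
# principal was actually seen performing (the account id is a placeholder).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole"],
         "Resource": "arn:aws:iam::123456789012:role/app-role"},
    ],
}
SAMPLE_OBSERVED = ["s3:GetObject", "ec2:DescribeInstances"]


if __name__ == "__main__":
    before, findings = analyze_policy(SAMPLE_POLICY)
    tightened = recommend_least_privilege(SAMPLE_POLICY, SAMPLE_OBSERVED)
    after, _ = analyze_policy(tightened)
    print(f"exposure before: {before}, after: {after}")
    for idx, kind, value in findings:
        print(f"  statement {idx}: {kind} ({value})")
    print(json.dumps(tightened, indent=2))
```

The residual score after tightening is deliberately non-zero: the second statement still carries `Resource: "*"` and the third still grants `iam:PassRole`, which is exactly the kind of item a dashboard should keep in front of an administrator rather than silently accept once the wildcard actions are gone.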

What About CIAM?

Many of these features may be extended to Customer IAM (i.e., CIAM) use cases as well. However, the focus of this report is mainly on Enterprise (or "workforce") IAM, because that is the market in which CyberArk already has an extremely large PAM footprint and is the market most likely to be receptive to its expanding IAM capabilities, at least for the next few years. It does bear mentioning that the CyberArk platform addresses a growing number of B2B use cases, specifically where Managed Service Providers (MSPs) perform much of an enterprise's IT administration. For a much more in-depth report on this topic, please see the TechVision Research report titled "Digital B2B Requires Updated IAM".

CyberArk In the IAM Reference Architecture

Now that we've described CyberArk's current platform direction, we can focus on the major architectural principles enterprises should be considering as they develop their IAM and PAM programs. To do this, let's view the TechVision IAM Reference Architecture with our "CyberArk glasses" on. The TechVision Research Reference Architecture for IAM is the starting point: a master template, shown in Figure 13 below, identifies the IAM capabilities (rather than technologies) that can be improved or enabled, allowing business stakeholders and technical architects to establish a common language for IAM functions, which can then be refined over time.

It is important that your IAM (and PAM) programs fit within this overarching architectural context. This high-level template starts the journey:

Figure 13:  TechVision Research IAM Reference Architecture Master Template

The capabilities illustrated above are described at the highest level as:

Interact – how end-users and application developers interact with the IAM platform.

Access – the rules that define the roles, rights, and obligations of any actor wishing to access enterprise or connected external assets.

Change – the capability to define and manage the relationships between the user/ application developer and the enterprise assets.

Manage – the capabilities required to manage and upgrade the IAM solution itself.

Measure – the capabilities required to audit and improve IAM activities.

Store – the capabilities required to share identity information and relationships between the components of the IAM solution.

The next level of the architecture outlines the functional capabilities that are the foundation for a best-in-class IAM Reference Architecture. Each category is broken up into multiple capabilities at a level of greater detail. For example, interfaces can be for applications / developers (APIs, messaging services), Lines of Business, self-service, or even robotic processes. This applies to each category and, based on stakeholder input, use cases and priorities can be further developed into Reference Architecture patterns or templates for specific services.

It is important to understand that these functional capabilities consider all types of objects and use cases within the IAM foundation. For example, identifying, securing, and collecting data pertaining to IoT devices is expected to be accommodated within the IAM Reference Architecture.

As ultimately implemented, different enterprises use different IAM capabilities in different ways to meet their own protection needs. They also apply them differently to different content and business functions, because the risks and potential consequences of failure, and the costs of protection, vary across each. One size does not fit all.

Once the required business capabilities are identified, the next layer of the TechVision Research Reference Architecture for IAM allows us to explore each of the specific technology or process elements comprising each capability in the form of a combined portfolio architecture. This is illustrated below.

Figure 14:  TechVision Research IAM Reference Architecture Capabilities Portfolio

Note that this representation includes a typical 'user story' in the form of "As an Application Administrator, I want to…". User stories help keep the focus on the capabilities necessary to support each story, and we highly recommend you work through your key user stories. An example of such a user story is provided below.

Figure 15:  Typical Capabilities Mapping Example

This is intended to give you a sense of how to apply the IAM Reference Architecture to specific capabilities and of typical relative timing. As an example, we have determined that the IAM-related capabilities necessary to support, for instance, the PAM Service for a large organization can be color-coded as follows:

  • Rose – requires significant investment over the next two years. This typical organization does not currently support these IAM capabilities. An example is JIT PAM (Just in Time access).
  • Orange – requires investment over the next two years. The organization either does not currently support these IAM capabilities or may require additional investment and deployment in order to achieve a requisite level of functionality. For example, most organizations currently support some form of MFA, but additional investment will generally be required.
  • Grey – indicates capabilities that the organization's IAM program already has in place in some capacity, although some augmentation may be required to improve functionality and ubiquity to fully meet the organization's requirements. An example here is Federation/SSO, which may be relatively mature in many organizations but could be enhanced over the next few years.

Please recognize that your Capabilities Map is likely going to be different from the one shown. The important point is to start with the complete list of IAM capability "building blocks" and pare that down to represent what your organization requires, color-coding to show where you will likely need additional investment or attention. TechVision can work through this process with your team, via dialogues or full consulting engagements.

With our focus on IAM capabilities, a typical Enterprise IAM (EIAM) architecture is described in the following pattern. This describes the key functions and flows to achieve the desired future state provisioning, authentication, authorization, administration, identity governance and data/system/multi-cloud integration capabilities and how these capabilities fit together.

Figure 16:  TechVision Research IAM Reference Architecture Enterprise Example

Taking the CyberArk Identity Security Platform portfolio of IAM and PAM capabilities we described previously in this document, we can now map their individual capabilities to the Enterprise IAM Reference Architecture. This is illustrated below.

Figure 17:  CyberArk Platform in the TechVision Research IAM Reference Architecture

The CyberArk Platform fits neatly within the Reference Architecture and illustrates how CyberArk has an opportunity to become much more than “just” an enterprise PAM solution.

Summary and Recommendations

TechVision Research continues to work closely with its customers who are advancing their IAM architectures and strategies. Many of TechVision's customers have already deployed CyberArk as their PAM solution. Should the long-standing pedigree of CyberArk PAM encourage these existing customers to consider deploying CyberArk further across the IT environment, especially in the face of challenges such as:

  • Multi-cloud infrastructure
  • MSP and B2B IT administration
  • A remote and itinerant workforce with administrative capabilities?

The answer is "it depends", but CyberArk is clearly moving in the right direction. Like many IT vendors over the past few years, CyberArk saw the writing on the wall: the challenges identified above were making it increasingly difficult to deploy its solution. That is why the company acquired IDaptive. With the acquisition nearly three years on, it is becoming increasingly apparent that CyberArk is intent on becoming more than "just a PAM vendor".

CyberArk has been a widely trusted PAM vendor for many years and is adding to this core capability via acquisition and development. They are perceived as being solidly focused on their development of truly secure administration access capabilities. This commitment has transferred over to their portfolio expansion into more wide-ranging IAM capabilities such as SSO, MFA, CIEM and IGA. This is the direction TechVision continues to emphasize with our clients as we believe the industry needs to move towards a more integrated IAM/IGA “platform”.

Their level of existing entrenchment in a very large number of enterprises makes it hard to discount their ability to assist their current customers to expand CyberArk capabilities beyond PAM. This is not your grandfather’s CyberArk: through IDaptive, they are able to provide non-administrative end users (and things) with services and capabilities that are well integrated with the CyberArk vaulting and secrets management knowledge and expertise. CyberArk enterprise customers needing to expand PAM into the CIEM (multi-cloud) realm would be wise to give CyberArk serious consideration.

TechVision feels there is a burgeoning market for "lighter weight" yet effective identity lifecycle management, access management and governance tools, preferably made available as a cloud service (e.g., IDaaS). To this end, the CyberArk Identity Security Platform contains numerous capabilities that may appeal to organizations wanting to improve their overall IAM, PAM and IGA posture without bringing in multiple vendors whose "deeper" solutions in each area do not necessarily integrate with each other very easily.

Of course, every enterprise is different and has its own degree of security maturity and its own risk management profile. As a result, requirements often differ and should be clearly defined to determine whether CyberArk's Identity Security Platform is right for your organization.

TechVision generally recommends a structured approach to a critical infrastructure element like IAM and has developed a Reference Architecture that may be useful in evaluating the set of capabilities necessary for your future state IAM foundation. TechVision can help with this process. By doing this, you can better ensure portability of important IAM capabilities should product directions shift, as we have indicated they can.


About TechVision

World-class research requires world-class consulting analysts and our team is just that. Gaining value from research also means having access to research. All TechVision Research licenses are enterprise licenses; this means everyone that needs access to content can have access to content. We know major technology initiatives involve many different skillsets across an organization and limiting content to a few can compromise the effectiveness of the team and the success of the initiative. Our research leverages our team’s in-depth knowledge as well as their real-world consulting experience. We combine great analyst skills with real world client experiences to provide a deep and balanced perspective.

TechVision Consulting builds off our research with specific projects to help organizations better understand, architect, select, build, and deploy infrastructure technologies. Our well-rounded experience and strong analytical skills help us separate the “hype” from the reality. This provides organizations with a deeper understanding of the full scope of vendor capabilities, product life cycles, and a basis for making more informed decisions. We also support vendors in areas such as product and strategy reviews and assessments, requirement analysis, target market assessment, technology trend analysis, go-to-market plan assessment, and gap analysis.

TechVision will provide regular updates on the latest developments with respect to the issues addressed in this report.


About the Authors

Doug Simmons brings more than 25 years of experience in IT security, risk management and identity and access management (IAM), which remain his areas of focus. Doug holds a double major in Computer Science and Business Administration.

While leading consulting at Burton Group for 10 years, and security and identity management consulting at Gartner for 5 years, Doug performed hundreds of engagements for large enterprise clients in multiple vertical industries including financial services, health care, higher education, federal and state government, manufacturing, aerospace, energy, utilities and critical infrastructure.

Gary Rowe is a seasoned technology analyst, consultant, advisor, executive and entrepreneur. Mr. Rowe helped architect, build and sell two companies and has been at the forefront of the standardization and business application of core infrastructure technologies over the past 35 years. Core areas of focus include identity and access management, blockchain, Internet of Things, cloud computing, security/risk management, privacy, innovation, AI, new IT/business models and organizational strategies.

He was President of Burton Group, the leading technology infrastructure research and consulting firm, from 1999 to 2010. Mr. Rowe grew Burton to over $30 million in revenue on a self-funded basis, sold Burton to Gartner in 2010 and supported the acquisition as Burton President at Gartner.
