GUIDEBOOK
CYBERARK PRIVILEGED ACCOUNT SECURITY SOLUTION

ANALYST: Rebecca Wettemann
April 2015
Document P52

© 2015 Nucleus Research, Inc. Reproduction in whole or in part without written permission is prohibited. Nucleus Research is the leading provider of value-focused technology research and advice. NucleusResearch.com
Nucleus Research Inc., 100 State Street, Boston, MA 02109. Phone: +1 617.720.2000

THE BOTTOM LINE

Managing security efficiently is an increasing concern for IT departments that must mitigate risk while balancing control against the demands for access and productivity of enterprise users. In looking at CyberArk, Nucleus found its suite of security tools drove a centralized and consistent approach to managing access rights, driving greater administrator productivity while reducing risk. Customers can rapidly achieve payback from an initial CyberArk deployment, and take advantage of the suite approach to extend the return on their investment on an ongoing basis.

THE SITUATION

As organizations become more dependent on networked applications to manage every aspect of their business, they have also had to deal with the increased risk of a security breach and the resulting damage to their business, image, and productivity. Although much attention has been placed on individual end-user password security, even more critical (and likely to be managed on an ad-hoc basis) is the security of privileged accounts and passwords. The privileged credentials of administrators enable them to access and control systems, applications, routers, and databases, and to access, alter, and extract data and settings. Unlike a single password that is linked to an account, privileged credentials are often shared by many administrators or IT team members, meaning they don’t link a specific person to a specific account.

Most IT staffs depend on point solutions, home-built applications, or spreadsheets to track and manage privileged credentials, which creates a number of challenges, including:

- Limited visibility and audit capabilities. Various regulations, as well as internal company policies, require the tracking and auditing of changes to applications and systems. Without centralized ongoing management of privileged credentials, it is difficult, if not impossible, to satisfy even basic audit requirements.
- Risk of rogue administrators or actions. Privileged credentials are often difficult to disable, and because many administrators may use the same credentials, users that gain authorized access may continue to do so when their authorization (or even employment) ends.
- Negative impacts on IT and end-user productivity and client satisfaction. Ineffective management of the credentials needed to effectively manage systems and applications can slow IT change management processes and negatively impact accessibility for both internal and external users.
- Risk of noncompliance. Without consistent and centralized privileged account management processes and procedures, companies will struggle to meet internal and external compliance requirements.

The proliferation of software-enabled devices and the extension of networks only multiplies these risks. To better understand how a centralized approach helps mitigate these problems while enabling business agility, Nucleus explored the experiences of a number of users of the CyberArk Privileged Account Security Solution. The users included customers in a number of industries including financial services, health care, engineering, and security.

THE SOLUTION

The CyberArk Privileged Account Security Solution provides centralized policy-based privileged account and activity management.
Components of the solution include:

- Enterprise Password Vault securely stores privileged credential account information and policies
- SSH Key Manager stores and controls access to Secure Shell (SSH) keys used to access privileged accounts
- Application Identity Manager securely manages credentials in application scripts and services
- Privileged Session Manager monitors and records all privileged account activities when users are accessing applications and data with privileged credentials
- On-Demand Privileges Manager enables administrators to enforce least-privilege policies
- Privileged Threat Analytics analyzes privileged user and account behavior on an ongoing basis to alert security teams to suspicious activity that may lead to a security breach.

The components are delivered on the CyberArk Shared Technology Platform and leverage a single digital vault infrastructure. This enables centralized management, monitoring, and auditing of privileged accounts across all applications and systems. It also enables organizations to deploy any individual component at any time and expand their CyberArk footprint as needed to manage new requirements.

WHY CYBERARK

Nucleus found that CyberArk customers chose the solution for three main reasons:

- Usability. Customers said that the solution’s ease of deployment, intuitive administrative interface, and ability to manage all privileged credentials in one vault enabled administrators to rapidly come up to speed on the application and gain benefit.
- Flexibility. Because customers could choose one initial area or component to address and extend the solution easily as they needed over time, they were able to flexibly respond to changing security needs with limited additional investment or disruption.
- CyberArk’s suite approach. Companies moving from multiple point solutions or management workflows found the centralized platform drove greater management efficiencies and ease of reporting.

Customers said:

“When we compared CyberArk to other solutions we felt that CyberArk had more robust functionality and could change with our needs.”

“We needed peace of mind when it came to our system security.”

“We were still using 2003 and 2008 compliance measures to protect our systems, we needed something more modern and more secure.”

Nucleus found the ability to deploy one centralized vault and then deploy and extend their CyberArk solution flexibly over time as needed made the CyberArk solution attractive to IT administrators and managers.

KEY BENEFITS

Nucleus found key benefits companies achieved from deploying the CyberArk solution included increased productivity, reduced audit time and cost, improved compliance, and reduced risk.

INCREASED PRODUCTIVITY

Companies deploying CyberArk were able to increase IT administrator and security staff productivity by providing a common framework for managing all privileged account credentials, automating previously manual tasks and workflows, and streamlining the reporting and auditing process. Customers said:

“Each administrator had their own way of guarding passwords, one even kept his in his wallet. We needed a secure way to bring everything together.”

“CyberArk has allowed me to take on more work because it has reduced the time that I spend managing passwords by 20-25 percent.”

“[Before CyberArk] we would roll out new passwords throughout each quarter. Every time we did, we would have a large line of people needing to ask what their new password was to regain access; we called it ‘the trail of tears’.”

“One employee was in charge of changing and distributing passwords. Before using CyberArk, this consumed about 10 hours a week of her time. Now it only takes her about 4 hours to manage everything.”

Automating privileged credentials management and password change processes enabled CyberArk customers to reduce administrator time spent on credentials management by 20 to 50 percent; some organizations experienced even greater savings.

REDUCED AUDIT COSTS

Nucleus found that because CyberArk provides a centralized platform for logging and recording all activities executed by privileged account users, organizations can reduce the time they spend managing the various facets of audit requirements. Customers said:

“With our first audit using CyberArk, we saved 30-40 percent in time and resource requirements over the previous year. We expect that next year we will save even more.”

“Without CyberArk, our compliance information would be harder to collect. There would be a lot of back-and-forth with administrators.”

“Before, we would run a report and request that administrators follow up with compliance materials. The report would take a couple of hours, but the follow up would take weeks.”

Nucleus found CyberArk customers could reduce the resources and time dedicated to auditing by up to 40 percent.

IMPROVED COMPLIANCE

Although compliance requirements vary by industry sector and geography, Nucleus found improved compliance was a common benefit shared by all CyberArk customers. Even those that weren’t in highly-regulated industries with specific compliance requirements found that the security documentation and other requirements outlined in Sarbanes-Oxley, for example, could be more easily and effectively met on an ongoing basis using the CyberArk solution.
They were able to use the solution to provide detailed consistent accounting of access and monitoring controls, systems operations, and risk and change management practices to auditors:

“Auditors want to see an established framework; with CyberArk it is easy for us to show it, the controls around it, and who has access to it.”

“Now we are able to automate password changes and our administrators aren’t given the chance to be non-compliant.”

REDUCED RISK

Nucleus found there were a number of main ways CyberArk customers were able to reduce risk:

- Centralizing and automating privileged credential management reduced the likelihood of credential misuse and compromise by controlling access, establishing individual accountability, and regularly rotating passwords.
- On an ongoing basis, administrators could take advantage of the CyberArk application to remove embedded passwords from scripts and applications that would potentially expose them to risk. As one customer said, “In using CyberArk, we were able to go through and remove clear-text and embedded passwords from applications. This allows us to achieve a higher level of security.” Administrators could also automate alerts, so if users try to access unauthorized areas or use old passwords, they are notified and can take action.
- Users could isolate privileged sessions and record and monitor actions taken during those sessions. Because employees are aware of the recording and monitoring functionality, they are likely to be more cautious about their activities when using privileged credentials.
- On a tactical basis, administrators could grant temporary access to individuals, ensure used or old credentials expire, or provide those with limited privileges with limited visibility into their credentials.

Customers said:

“When we started going through our credentials, we found people who had active credentials but have not needed them in years.”

“When we have interns, we give them dark passwords [credentials that they cannot view]. We like to keep password information on a need-to-know basis.”

“Occasionally, a third-party contractor will need emergency access to the system to correct a problem. [With CyberArk] we can give them temporary access and they never see their password.”

The financial impact of risk exposure varies greatly from sector to sector and company to company and depends on many factors including the dependence on IT systems and security. That said, customers cited reduced risk as one of the most important benefits of deploying CyberArk. Customers said:

“We manage about $36 billion. I can’t put a number on exactly how much a breach would cost us, but it would be a lot.”

“Our entire business model is based on customer trust; if we were hacked, I don’t think we would be able to earn that trust back. A breach of our systems would ruin us.”

From a purely financial perspective, the benefit of reduced risk is quantified by multiplying the probability of a risk-related loss by the cost of an expected loss.

CONCLUSION

As organizations increase their dependence on systems and applications to support every aspect of their business, and the number of endpoints and application-to-application communications proliferate, the importance of securing privileged credentials continues to grow.
In examining the experiences of CyberArk customers, Nucleus found that they were likely to identify an initial security risk associated with one area of privileged credential management, achieve a rapid payback from their initial investment, and then take advantage of the CyberArk suite approach to address other security concerns in their IT operations. Most customers achieved payback from CyberArk based on increased administrator productivity alone in six months or fewer and then achieved a greater ROI over time by using a centralized platform to address both tactical and strategic security challenges on an ongoing basis.