Compare /

Alternatives to CyberArk

Alternatives to CyberArkAlternatives to CyberArk

CyberArk’s Privileged Access Manager is a tool that allows organizations to secure access for privileged administrators (typically systems and database administrators) to Windows Servers, Linux servers, and some database management systems via a centralized authentication method.  However, if you need to secure access to modern and cloud-native databases, Kubernetes clusters, cloud CLIs, switches, routers, or internal web applications, there are other options to consider.  This blog post looks at a few alternatives and discusses the pros and cons of each. For the impatient, I’ve put together a quick feature matrix that might answer your questions right away. For all the rest, read on.

TL;DR

Feature CyberArk strongDM Thycotic Bastion Hosts
Credential rotation ✔️   ✔️  
Credential leasing   ✔️    
Protects access to SSH servers ✔️ ✔️ ✔️ ✔️
Protects access to databases ✔️ ✔️ ✔️ ✔️
Protects access to K8s   ✔️    
Protects access to RDP ✔️ ✔️ ✔️  
Web SSH sessions ✔️ ✔️ ✔️  
Audit log and session replay ✔️ ✔️ ✔️  
RBAC   ✔️    
SSO integration   ✔️    
MFA integration   ✔️ ✔️  
Technical support   ✔️ ✔️  
Simple, straightforward pricing   ✔️    
Free       ✔️

CyberArk

Brief product summary

CyberArk was founded in 1999 and is the most notable of companies that do Privileged Access Management (PAM). PAM is designed to provide access to specific resources for specific people in a company. End users are typically comprised of a small subset of the engineering or IT team and tend to be systems administrators (sysadmins) or databases administrators (DBAs). The toolset is designed primarily for legacy server operating systems, like Windows, or older database managements systems, such as Oracle, Sybase, or DB2. It was originally designed to run on Windows workstations and integrate with LDAP and Active Directory. It allows companies to more easily restrict access to systems they care most deeply about. If add-ons are purchased, it can also provide a credential vault and password rotation. Access is typically done through a web interface or locally installed utility. Components of the system include a password vault, central policy manager, and privileged session manager. In most cases, CyberArk is able to provide an audit trail of queries and session replays.

Use cases

  • Centralized access to Linux and Windows servers, and some legacy databases.

Pluses

  • SSH access available.
  • RDP access available.
  • Authenticates users via LDAP and Active Directory (AD).
  • Integrates with some machine groups.

Minuses

As a legacy system, CyberArk’s competency is for a specific set of highly privileged administrators. It is designed for Windows-based environments and does best with legacy databases and authentication methods (AD, LDAP).  It is not designed for any cloud-native environments, newer database management systems (e.g. Kafka, Redis), or modern infrastructure tooling (like Kubernetes, Docker, and ephemeral environments) and often requires the end user to go through CyberArk-specific software. Finally, it does not cover all users within a company, most of whom require access to systems that contain privileged information (for example, financial analysts who might need access to transactional information). Furthermore, CyberArk has a complex pricing model, and it has been reported to be “shelfware” at many companies who have purchased it.

strongDM

Brief product summary

strongDM is a control plane to manage and monitor access to databases, servers, and Kubernetes. Their zero trust model means instead of distributing access across a combination of VPN, individual database credentials, and SSH keys, strongDM unifies user management in your existing SSO (Google, Onelogin, Duo, Okta, etc...) and keeps the underlying credentials hidden. Neither credentials nor keys are accessible by end users. Because strongDM deconstructs every protocol, it also logs all database queries, complete SSH and RDP sessions, and kubectl activity.

Use cases

  • Faster on-boarding- no need to provision database credentials, ssh keys, VPN passwords for each new hire.
  • Secure off-boarding- suspend SSO access once to revoke all database, server access.
  • Automatically adopt security best practices- least privilege, ephemeral permissions, audit trail.
  • Comprehensive logs- log every permission change, database query, ssh & kubectl command.

Pluses

  • Easy deployment - self healing mesh network of proxies that auto-discovers available database, ssh nodes & kubernetes clusters.
  • No change to workflow- use any SQL client, CLI, or desktop BI tool.
  • Standardize logs across any database type, Linux or Windows server, and Kubernetes.
  • Graphical client for Windows and MacOS.
  • See and replay all activity with session recordings.
  • Manage via a user-friendly web browser interface.
  • Simple, straightforward pricing.

Minuses

  • Requires continual access to strongDM API for access to managed resources.

Thycotic

Brief product summary

Like CyberArk, Thycotic’s Privilege Manager is a tool that allows organizations to secure access for privileged administrators (typically systems and database administrators) to Windows Servers, Linux servers, and some database management systems via a centralized authentication method. And like CyberArk, it does not secure access to modern and cloud-native databases, Kubernetes clusters, cloud CLIs, switches, routers, or internal web applications.

Use cases

  • Centralized access to Linux and Windows servers, and some legacy databases.

Pluses

  • SSH access available.
  • RDP access available.
  • Authenticates users via LDAP and Active Directory (AD).
  • Integrates with some machine groups.
  • Cloud and on-premise deployable.
  • Simpler pricing.

Minuses

Like CyberArk, Thycotic is designed for legacy systems and highly privileged administrators. It is designed for Windows-based environments and does best with legacy databases and authentication methods (AD, LDAP).  And like CyberArk, it is not designed for any cloud-native environments, newer database management systems, nor modern infrastructure tooling like Kubernetes, Docker, and ephemeral environments). Finally, like CyberArk, it does not cover all users within a company, most of whom require access to systems that contain privileged information (for example, financial analysts who might need access to transactional information).

Bastion Hosts

Brief product summary

A bastion, or jump, host is simply a Linux/UNIX server that mediates access to sensitive servers/database access by requiring the user to first log into the bastion host then ‘jump’ to additional resources in the network controlled by the bastion. Organizations simply need to set up an additional server that is both accessible from external sources and is able to connect to internal resources.

Use cases

  • Mediate access to protected resources on a restricted network segment.
  • Database clients and similar tools can work via bastion host by using port forwarding over the SSH connection.

Pluses

  • Free, or nearly so: the only requirement is the cost for the hardware (or virtual server) underlying the bastion host.
  • Straightforward access for users who are familiar with SSH.

Minuses

  • Because all access to protected resources requires first logging in via command line to the bastion host, the user must have an account on the bastion and a certain level of technical acumen, especially if employing port forwarding for database access.
  • The bastion host represents a single point of failure; if it is unavailable all resources behind it are inaccessible. Setting up multiple bastion hosts to mitigate against this possibility means another set of credentials to manage.
  • In the case of problems, support is limited to whatever support may be available for the underlying OS running on the bastion host.
  • Session logs and database/other protocol activity are not captured.

Abbreviated strongDM logo

You May Also Like