<img src="https://ws.zoominfo.com/pixel/6169bf9791429100154fc0a2" width="1" height="1" style="display: none;">

Alternatives to CyberArk

CyberArk Competitors
StrongDM manages and audits access to infrastructure.
  • Role-based, attribute-based, & just-in-time access to infrastructure
  • Connect any person or service to any infrastructure, anywhere
  • Logging like you've never seen

CyberArk’s Privileged Access Manager is a tool that allows organizations to secure access for privileged administrators (typically systems and database administrators) to Windows Servers, Linux servers, and some database management systems via a centralized authentication method. However, if you need to secure access to modern and cloud-native databases, Kubernetes clusters, cloud CLIs, switches, routers, or internal web applications, there are other options to consider. This blog post looks at a few CyberArk alternatives and discusses the pros and cons of each.

CyberArk

Brief product summary

CyberArk was founded in 1999 and is the most notable of companies that do Privileged Access Management (PAM). PAM is designed to provide access to specific resources for specific people in a company. End users are typically comprised of a small subset of the engineering or IT team and tend to be systems administrators (sysadmins) or databases administrators (DBAs). The toolset is designed primarily for legacy server operating systems, like Windows, or older database managements systems, such as Oracle, Sybase, or DB2. It was originally designed to run on Windows workstations and integrate with LDAP and Active Directory. It allows companies to more easily restrict access to systems they care most deeply about. If add-ons are purchased, it can also provide a credential vault and password rotation. Access is typically done through a web interface or locally installed utility. Components of the system include a password vault, central policy manager, and privileged session manager. In most cases, CyberArk is able to provide an audit trail of queries and session replays.

Use cases

  • Centralized access to Linux and Windows servers, and some legacy databases.

Pluses

  • SSH access available.
  • RDP access available.
  • Authenticates users via LDAP and Active Directory (AD).
  • Integrates with some machine groups.

Minuses

As a legacy system, CyberArk’s competency is for a specific set of highly privileged administrators. It is designed for Windows-based environments and does best with legacy databases and authentication methods (AD, LDAP). It is not designed for any cloud-native environments, newer database management systems (e.g. Kafka, Redis), or modern infrastructure tooling (like Kubernetes, Docker, and ephemeral environments) and often requires the end user to go through CyberArk-specific software. Finally, it does not cover all users within a company, most of whom require access to systems that contain privileged information (for example, financial analysts who might need access to transactional information). Furthermore, CyberArk has a complex pricing model, and it has been reported to be “shelfware” at many companies who have purchased it.

“We did a POC of Cyberark last year. It was like a 2000’s toolset for a 2021 problem” - Anonymous StrongDM customer

CyberArk vs. StrongDM

Brief product summary

StrongDM is a control plane to manage and monitor access to databases, servers, and Kubernetes. StrongDM's zero trust model means instead of distributing access across a combination of VPN, individual database credentials, and SSH keys, StrongDM unifies user management in your existing SSO (Google, Onelogin, Duo, Okta, SAML, etc...) and keeps the underlying credentials hidden. Neither credentials nor keys are accessible by end users. Because StrongDM deconstructs every protocol, it also logs all database queries, SSH and RDP sessions, and kubectl activity.

Use cases

Pluses

  • Easy deployment - self-healing mesh network of proxies.
  • No change to workflow- use any SQL client, CLI, or desktop BI tool.
  • Standardize logs across any database type, Linux or Windows server, and Kubernetes.
  • Graphical client for Windows and macOS.
  • See and replay all activity with session recordings.
  • Manage via a user-friendly web browser interface.
  • Simple, straightforward pricing.

Minuses

  • Requires continual access to StrongDM API for access to managed resources.

CyberArk vs. Delinea (fka Thycotic Centrify)

Brief product summary

Like CyberArk, Delinea is a tool that allows organizations to secure access for privileged administrators (typically systems and database administrators) to Windows Servers, Linux servers, and some database management systems via a centralized authentication method. And like CyberArk, it does not secure access to modern and cloud-native databases, Kubernetes clusters, cloud CLIs, switches, routers, or internal web applications.

Use cases

  • Centralized access to Linux and Windows servers, and some legacy databases.

Pluses

  • SSH access available.
  • RDP access available.
  • Authenticates users via LDAP and Active Directory (AD).
  • Integrates with some machine groups.
  • Cloud and on-premise deployable.
  • Simpler pricing.

Minuses

Like CyberArk, Delinea is designed for legacy systems and highly privileged administrators. It is designed for Windows-based environments and does best with legacy databases and authentication methods (AD, LDAP). And like CyberArk, it is not designed for any cloud-native environments, newer database management systems, nor modern infrastructure tooling like Kubernetes, Docker, and ephemeral environments). Finally, Delinea it does not cover all users within a company, most of whom require access to systems that contain privileged information (for example, financial analysts who might need access to transactional information).

For a deeper dive, visit CyberArk vs. Delinea (Thycotic Centrify): Which Is Better?


CyberArk vs. Okta ASA (ScaleFT)

Brief product summary

Okta’s Advanced Server Access (ASA) provides privileged access management (PAM) for cloud-native infrastructure. Okta did not build this capability in-house; it came from an acquisition Okta made in July 2018 of a company called ScaleFT. In general, it is an access and authentication proxy for RDP and SSH access. It allows administrators to set up access for users (grouped into teams) to servers, and implements role-based access control (RBAC) to allow differing levels of access per team to different servers. Individual server credentials are not available to users, reducing the administrative impact of rotating and removing credentials.

Use cases

  • Centralized access to SSH and RDP servers.

Pluses

  • SSH access is available.
  • RDP access is available.
  • Single sign-on (SSO) for SSH/RDP and your identities in Okta.
  • Authorized requests leverage single-use client certificate or web token scoped to the user and resource being accessed.

Minuses

  • Okta’s software must be running on every server it manages access to.
  • Complex setup: in addition to the ScaleFT software on each server, a ScaleFT Gateway and ScaleFT local client must also be built and maintained for each cluster.
  • CLI-only client scares off non-engineers.
  • User credentials are assigned ephemerally adding complexity to deployments and uptime.
  • Backend configuration required to export audit logs to any 3rd-party.
  • ScaleFT agent audit logs are only accessible through an early access enablement.
  • Audit logs only cover SSH.
  • No auditing for RDP.
  • Complex pricing model.
  • Pricing based per server, which gets extremely expensive in ephemeral environments or those with high-n servers.

CyberArk vs. HashiCorp Vault

Brief product summary

HashiCorp Vault is a complete secrets management product, allowing end users to interact with a secure vault (server) to store, retrieve, and generate credentials for a wide variety of systems, including databases, various cloud providers, and SSH. It is built on a client-server model and is accessible via a command-line tool, a REST API, and a web interface. Its capability of creating and deleting ephemeral credentials allows users to build secure automation functionality with minimal risk of leaking credentials.

Use Cases

  • Storing sensitive credentials that can be accessed manually, via a CLI, or an API.
  • Generating ephemeral credentials for one-time access to databases, cloud environments, and a variety of other secure environments.
  • Securing automated processes that require secrets to connect to secure environments.

Pluses

  • Because it has a fully functional API, it is well-suited for integrating with automated tools and processes.
  • Ephemeral credentials increase security by existing only long enough to be used and then discarded.
  • Any form of data can be stored via the API, CLI, or web UI, making it a very flexible method of protecting a wide variety of secrets: credentials, API keys, tokens, and even binary data via Base64 encoding.

Minuses

  • API and command-line utility, not user-transparent.
  • Not suitable for end-user credential management.
  • Requires custom integration work to fit into existing workflows.
  • Complex pricing model.


CyberArk vs. Bastion Host

Brief product summary

A bastion host is simply a Linux/UNIX server that mediates access to sensitive servers/database access by requiring the user to first log into the bastion host then ‘jump’ to additional resources in the network controlled by the bastion. Organizations simply need to set up an additional server that is both accessible from external sources and is able to connect to internal resources.

Use cases

  • Mediate access to protected resources on a restricted network segment.
  • Database clients and similar tools can work via bastion host by using port forwarding over the SSH connection.

Pluses

  • Free, or nearly so: the only requirement is the cost for the hardware (or virtual server) underlying the bastion host.
  • Straightforward access for users who are familiar with SSH.

Minuses

  • Because all access to protected resources requires first logging in via command line to the bastion host, the user must have an account on the bastion and a certain level of technical acumen, especially if employing port forwarding for database access.
  • The bastion host represents a single point of failure; if it is unavailable all resources behind it are inaccessible. Setting up multiple bastion hosts to mitigate against this possibility means another set of credentials to manage.
  • In the case of problems, support is limited to whatever support may be available for the underlying OS running on the bastion host.
  • Session logs and database/other protocol activity are not captured.

About the Author

, Director, Global Customer Engineering, has worked in the information security industry for 20 years on tasks ranging from firewall administration to network security monitoring. His obsession with getting people access to answers led him to publish Practical Vulnerability Management with No Starch Press in 2020. He holds a B.A. in Philosophy from Clark University, an M.A. in Philosophy from the University of Connecticut, and an M.S. in Information Management from the University of Washington. To contact Andy, visit him on LinkedIn.

StrongDM logo
💙 this post?
Then get all that StrongDM goodness, right in your inbox.

You May Also Like

Competitors & Alternatives to Saviynt
Competitors & Alternatives to Saviynt
Saviynt is a popular identity and access management solution (IAM), but it may not be the best choice for every organization. In this article, we’ll explore powerful alternatives to Saviynt for companies with cloud-first IT infrastructure. By the end of this article, you’ll know whether Saviynt or one of these Saviynt competitors is the right fit for you.
CyberArk Pricing: How Much Does It Cost and Is It Worth It?
CyberArk Pricing: How Much Does It Cost and Is It Worth It?
Examining the CyberArk pricing model to discover how it fits with your organization’s budget will help you make the case for a PAM solution. Here’s how CyberArk PAM pricing breaks down.
BeyondTrust vs. Delinea (Thycotic): Which Solution Is Better?
BeyondTrust vs. Delinea (Thycotic): Which Solution Is Better?
This article compares two Privileged Access Management (PAM) solutions, BeyondTrust vs. Thycotic (Delinea). It takes a closer look at how these PAM products work and how they fit in with your organization’s access management strategy. We’ll examine product summaries, use cases, and pros and cons. By the time you’re done reading this article, you’ll have a clear understanding of the similarities and differences between these PAM tools and be able to choose the tool that best fits your organization.
CyberArk vs. BeyondTrust: Which PAM Solution is Better?
CyberArk vs. BeyondTrust: Which PAM Solution is Better?
This article compares two Privileged Access Management (PAM) solutions, CyberArk vs. BeyondTrust. It takes a closer look at what these two PAM products are, how they work, and what may make them fit well with your organization. We’ll explore product summaries, use cases, pros and cons, PAM features, and pricing. By the time you’re done reading this article, you’ll have a clear understanding of how these PAM tools operate and be able to choose the one that will work best for you.
Competitors & Alternatives to ManageEngine PAM360
Alternatives to ManageEngine PAM360
ManageEngine’s PAM360 gives system administrators a centralized way to manage and audit user and privileged accounts within network resources. However, teams that need to manage secure access to Kubernetes environments or enforce password policies within their privileged access management (PAM) system may want to consider other options. This blog post will cover ManageEngine PAM 360 and some solid alternatives, along with the pros and cons of each.