I had the pleasure to attend the Analyst sessions at CyberArk Impact on 23rd May 2019 in Amsterdam, with my partner in crime Arjan Timmerman. The sessions consisted of an intro and discussion with Udi Mokady, CEO & Co-Founder of CyberArk, a session on container security by Lavi Lazarovitz, Group Research Manager at CyberArk Labs, two NDA customer sessions (which will obviously not be covered) and finally a session about red teams by Shay Nahari, Director of Red-Team services at CyberArk.
Each of those topics will be covered separately, starting with this piece on the CEO discussion & strategy. We’ll also soon be publishing related content in the form of videos and a podcast episode.
The setup for these sessions was relatively intimate, which helped a lot to have valuable and meaningful interactions with Udi, and subsequently with Lavi and Shay as well. Putting that in contrast with very large press/analyst sessions I’ve attended in the past at major events, it really made a huge difference. I’d love to have this level of interaction again at different events, although I must also acknowledge that CyberArk Impact was a smaller event with approximately 1,000 attendees – not bad for a smaller & very focused company, if you compare to heavyweight events.
Udi provided some information about CyberArk, stating that the company was founded 20 years ago, in 1999. They currently have 1,200 employees and 4,600 customers, with a strong presence in the enterprise segment. CyberArk went public in 2014, and reported USD 95 million of revenue in Q1-19, up 34% compared to Q1-18. Regarding the leadership, Udi Mokady has led the organization as CEO since 2005; prior to this he was COO between 1999 and 2005. He was also elected Chairman of the Board in 2016.
Udi remarked that as a sign of the times, there is growing awareness in security. The market in which CyberArk operates is very fractured, but not by lack of demand. Rather, there seems to be no real competition – or rather, acquisitions in that space have somehow brought competition to a halt for a time.
Approximately 30% of their customers are in financial services, with the remainder evenly distributed across industries / verticals. The finance industry is heavily regulated, which raises an interesting point about how security is deployed in those organisations (and in other regulated industries) – it usually starts with a desire, or an obligation, to adhere to regulation and compliance, but it then develops into a fully-fledged discipline.
This topic has been recurrent during all of the analyst sessions: security starts from a defensive posture (« we must implement security measures to comply with X, Y, Z ») and then develops into a proactive posture (« we need to secure our critical data and assets »).
CyberArk’s focus has so far been primarily on privileged access. Privileged access is, by the way, a very often misunderstood term which goes way beyond determining who has administrative access and who doesn’t – but perhaps we’ll cover that later.
“Behind the scenes, there’s always a credential” – Udi Mokady
So far, human-based privileged access has been the key focus area, but the direction is to support machine-to-machine based authentication mechanisms. While this already works for traditional three-tier infrastructures, the advent of DevOps requires a different security posture, such as secret management (to oversimplify, a secret refers here to the various API access keys that are used with public cloud providers, container infrastructures, and certain types of NoSQL databases).
Innovation at CyberArk
Talking about CyberArk’s future, Udi sees three threads of innovation:
- Continuous simplification of apps & tools, primarily via transparent integration, in other words « invisible » privileged access control mechanisms with as little friction as possible for the operators
- Enable the customer cloud journey by developing & providing adequate privileged access management mechanisms
- Looking for and reporting on anomalous behavior, with the ability to lock suspicious sessions & credentials – a lot of discussion happened here (but also in the other sessions) about what can possibly constitute anomalous behavior, whether we are talking about humans or system accounts
“No credentials left behind” is the future that Udi Mokady foresees for privileged access management
Beyond those three threads of innovation, Udi also provided feedback on other topics of importance to him:
- CyberArk has developed a « hygiene plan » that it proposes to its customers to help them sanitize their environment
- Continuous Authentication was also discussed as the next step beyond 2FA (Two-Factor Authentication) – see it as a way not only to prove that an operator is actually a human and not a machine that has been compromised, but also as a way to avoid « security degradation » of an authenticated session over time. The longer a session stays open, the more likely it is to be compromised. Continuous authentication requires users to regularly prove that they are actually still there and that they have the appropriate privileges (by authenticating with their credentials). There is literature available about this topic which I recommend researching.
- Solutions for remote vendor access – CyberArk made an announcement on a new product that will be available immediately to early adopters, and that will likely become Generally Available in 3 months. The goal here is to avoid agent-based / VPN-based access methods. We’ll update this section once the product name is provided.
IT infrastructure professionals tend to have a « schizophrenic » approach to security. They would like to ensure compliance with security, but on the other hand they’re not quite ready to let go of the old ways. And we can’t really blame them, because IT infrastructure people, especially Operations people, are the « survivors of the psychic wars »; they have seen so many things go wrong that they are inherently affected by a sort of « catastrophic failure bias ». I vividly recall an article written by Tom Hollingsworth on a similar matter.
Take 10 IT professionals, throw at them any improvement proposal, and I swear that all of them will get back to you with various technical justifications about what will go wrong with your proposal, and why you shouldn’t even consider it. I’ve been one of those people, and yet even if things can (and will) go wrong, it is still not an excuse to not comprehensively review existing access management mechanisms. When properly architected and planned, overhauling privileged access management into a sustainable and modern framework can be of great benefit to organisations.
What the CyberArk team didn’t know when they invited me is that I have prolonged operational and architectural exposure to one of their products; exposure that goes beyond the product features and into the deeper ramifications of privileged access management and how infrastructure access is affected by access management controls. That was hugely beneficial to me in the discussion, since I could relate to how these new paradigms can potentially impact enterprise access management.
There was a lot of consistency in the discussion we had with Udi Mokady about security challenges and the approaches being taken to tackle them. My impression was that of a focused company which knows its craft exceptionally well and is headed by a visionary leadership team. I left CyberArk Impact with much-reinforced confidence in CyberArk’s privileged access management solutions and capabilities.
The next article will cover container security with Lavi Lazarovitz, Group Research Manager at CyberArk Labs.