CyberArk eyes growth beyond PAM

CyberArk, known for its privileged access management (PAM) capabilities, has been expanding into other aspects of identity security to extend its reach in the broader identity and access management (IAM) market.

Speaking to Computer Weekly during a recent trip to Singapore, Matt Cohen, CEO of CyberArk, said the company’s business has been growing exponentially outside of PAM, in areas such as access and secrets management, endpoint privilege management (EPM) and, more lately, cloud security.

CyberArk takes a unique view around IAM – that is, to bring privileged controls to IAM capabilities such as single sign-on (SSO) and multifactor authentication (MFA). For example, it has capabilities to enable session management, isolation and step-up authentication to make single sign-on more secure, Cohen said.

“Our message across the board is if you bring a security-first mindset to the entire identity security landscape, then ultimately, we can differentiate our platform versus other providers in the market,” he added.

The IAM market is dotted with multiple suppliers, including Okta, Ping Identity, ForgeRock, SailPoint and Microsoft, each with strongholds in certain industries, use cases, market segments and deployment models.

Elaborating on CyberArk’s competitive edge in PAM, Cohen said privileged access was built on the idea that identities need to be secured, not managed.

“If you look at what Okta does, they manage identities from the perspective of making access more seamless. They were never a security company to begin with. They’re coming from a place of streamlining productivity and operations. And now, they’re trying to move into IGA [identity governance and administration] and PAM, but in PAM, they’re coming from operational efficiency into security,” he added.

Amid the identity sprawl, with users having to use multiple accounts and identities managed by different systems, Cohen noted that organisations would want to work with a supplier that understands privilege controls and helps them to apply the controls to their workforce. “That has allowed our growth to accelerate.”

IGA specialist SailPoint has been tackling the identity sprawl problem too, but Cohen does not view them as a competitor. “They’re big on IGA and they’re still our largest go-to-market partner in the space. We do more of what we call modern IGA, around light workflows, identity compliance and lifecycle management, and if somebody wants to go big on governance, we’ll point them to SailPoint.”

On Microsoft, Cohen claimed that while the software giant is a formidable player in cyber security, its PAM solutions don’t “go deep enough into core security controls”.

“They recently came out with a very light version of EPM, which is one of our core growth areas. I was happy when that happened because, for us, the biggest problem we have with EPM is awareness, and now Microsoft comes in and makes everybody aware that you should be implementing least privileges on the endpoint.

“But in a bake-off against Microsoft, we can still win in the POC [proof-of-concept] and the technology side for core enterprise security controls,” he said.

CyberArk currently has 8,000 customers worldwide – some 2,000 of them are using its Privilege Cloud while 5,000 customers, particularly those in regulated industries like financial services and government, are using its on-premise PAM offering.

Cohen said on-premise customers could also be using CyberArk’s cloud offerings, “because they understand that even if they want their [PAM] vault on-premise, they’re okay with consuming a service for other solutions”.

These include capabilities to secure cloud-native services through zero-standing privileges, a term coined by Gartner in 2019. “The idea is that the account should be set up with no privileges, but when I need to use the services, I will apply privileges just for that instance,” said Cohen.

“The minute I’m done using that, it goes back to a zero-standing privileged account. So, if someone steals that credential, there are no privileges associated with it when it’s not in use. That’s a much more secure way to manage controls in cloud environments,” he explained.

Even as CyberArk is broadening its IAM capabilities, Cohen said there are no plans to go into the business-to-consumer (B2C) market. “Our solutions are best equipped for the enterprise, and even on the CIAM [customer IAM] side of the of the business, our access technology is very strong in the B2B [business-to-business] space.”

Cohen said the company had seen over 40% growth in annual recurring revenue over the past several years and has been able to drive “expansive revenue growth over the last several quarters as we came out of the subscription transition”.