I was thinking about CyberArk for a while as it is related to my work in the IAM area. When this landed on my table, I must admit, it was a nice coincidence and I took it immediately.
In the beginning, it was about finding the best way to integrate AD-linked CyberArk with our IdentityIQ setup. There were a few options, e.g. the IIQ PAM module, the Webservices connector and an afterProvisioning rule for PowerShell.
I think it didn't start so well, because the stakeholder didn't have requirements on what they wanted to achieve and instead put it on me to tell them what's possible in each scenario. I mean, no problem, I am happy to find out, but it was not a good sign.
Let's start with the current setup. I booked a meeting with a CyberArk expert. While waiting for a few days I did my research on objects, APIs and CyberArk fundamentals. After that I went through the possibilities in IIQ, and then the documentation for the PAM module. It made sense to integrate directly and sounded like the best option. Except…
Then I met the expert, who had been responsible for the solution for several years. He explained his suggestions on requirements and mainly the license optimization. It was actually pretty smart, but it didn't fit the setup in IIQ. Mass deleting users from the target system didn't make sense.
The license optimization itself was pretty cool, at least for me. CyberArk accounts are linked to AD accounts via an AD group as basic permissions. The account is created on first login (if deleted, it is recreated again).
Safe permissions are linked to AD groups too. Therefore all CyberArk access to the UI and to safes is managed via AD groups, and you can delete users in CyberArk at any time. The next time the user logs in, the account is created again and keeps the same permissions to safes via AD.
After a few discussions, the PAM module was demoed to us by SailPoint and we agreed to have a follow-up after the summer vacations. For me, the best outcome of the meeting was that we could use the PAM module for 1 month for a PoC for free.
I have a good idea of what is possible and what is not, but it seems everyone wants to push it further and verify. I have suggested a workshop with the right people, so I am looking forward to it.
Realistically I can see 2 outcomes, and maybe some hybrid option as a third.
Change everything to CyberArk internal users and gain full governance and functionality from IIQ, but lose the license optimization.
Or implement an afterProvisioning rule with PowerShell to create/remove users and safes in CyberArk. Gain automation, but not much else.
Or some kind of hybrid: manage some internal users and safes in the PAM module and do the creation via PowerShell. I am not sure yet how that could be split, but this is too complex and I would not recommend it.