> Anyone have any experience with CyberArk?

A bit - we went through a POC (primarily led by the Active Directory folks) and are starting to deploy it. I haven't migrated any of our shared/admin accounts into it aside from a few test boxes. From what I have seen, it has some nice features and works pretty well, but it is quite complex and the management isn't terribly intuitive. I would really place it in a different category from other password managers, since its model is more that you authenticate into CyberArk and then launch your connection from there (although displaying/copying the password is an option). The tool is also designed to be able to automatically change your passwords everywhere they need to be changed (in case passwords are stored in configurations or scripts), on whatever schedule you configure. It supports session recording. It also has workflow support - for example, I think you can configure it such that EmployeeA can access the account at any time, EmployeeB can access the account only between 9am-5pm, and ContractorC can only access the account after requesting and receiving approval from managerM.
Out of the box, I ran into an issue with using a "login account" for SSH connections - I didn't want to enable root SSH login, so you can configure a normal helper account that CyberArk will use to log in and then su to root. Unfortunately they had some bad regex in their "expect"-type program, so I spent an hour or so on the phone with our installation consultant trying different things to get it to work. Also, while WinSCP is supported for file transfers, you don't have any option to configure it directly, so the "login account" isn't an option for file transfers. It has a lot of capabilities, but I'm still figuring out how to work it into our Linux environment (where we already have a lot of controls with granular sudo access and PAM settings). For us, I don't see it replacing the convenience of sudo for day-to-day work, but if it gives me a way to take away "anybody" needing to know the password for shared accounts after they are initially set, then it should help us avoid some ugly one-offs. Feel free to ping me if you have other questions.

Christina
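The access workflow described in the reply (one principal permitted at any time, one only inside business hours, a contractor only with a manager's approval) modelled as a small policy evaluator. This is an added illustration, not code from the post or from CyberArk; the rule and approval types, the principal names and the timestamps are all hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional, Sequence

# Hypothetical model of a shared-account access policy. Not CyberArk's API.

@dataclass(frozen=True)
class Rule:
    principal: str
    window: Optional[tuple[time, time]] = None    # None means any time
    requires_approval: bool = False
    approvers: frozenset[str] = frozenset()

@dataclass(frozen=True)
class Approval:
    requester: str
    approver: str
    expires: datetime                             # approvals are time-bounded

def in_window(now: datetime, window: Optional[tuple[time, time]]) -> bool:
    """Start is inclusive, end is exclusive; a window may cross midnight."""
    if window is None:
        return True
    start, end = window
    t = now.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def decide(rules: Sequence[Rule], principal: str, now: datetime,
           approvals: Sequence[Approval] = ()) -> tuple[bool, str]:
    """Return (allowed, reason) for a request to check out the shared account."""
    rule = next((r for r in rules if r.principal == principal), None)
    if rule is None:
        return False, "no rule for principal"
    if not in_window(now, rule.window):
        return False, "outside permitted window"
    if rule.requires_approval:
        for a in approvals:
            # Only an unexpired approval from a listed approver counts.
            if a.requester == principal and a.approver in rule.approvers and a.expires > now:
                return True, f"approved by {a.approver}"
        return False, "approval required"
    return True, "permitted"

# Constructed policy mirroring the example in the post.
SHARED_ROOT_RULES = [
    Rule("EmployeeA"),
    Rule("EmployeeB", window=(time(9, 0), time(17, 0))),
    Rule("ContractorC", requires_approval=True, approvers=frozenset({"managerM"})),
]
```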
_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
