CyberArk Endpoint Privilege Manager

Service scope

Service constraints: Limited to Microsoft Windows and Apple Mac OS Endpoints.
System requirements: Windows UAC enabled

Windows Desktop: minimum version MS Windows XP SP3

Windows Server: minimum version MS Windows Server 2003

Mac: minimum version High Sierra 10.13

User support

Email or online ticketing support: Email or online ticketing
Support response times: 1 hour.
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
Phone support: Yes
Phone support availability: 24 hours, 7 days a week
Web chat support: No
Onsite support: Yes, at extra cost
Support levels: 24x7 Helpdesk support
Professional Services for deployment and post-installation modifications
Technical Account Management as an ongoing service
Customer Success assistance to guide the PAM Program
Support available to third parties: Yes

Onboarding and offboarding

Getting started: CyberArk provides detailed documentation on the CyberArk Docs site. CyberArk and it's partners can also provide Professional Services to new and existing customers for this purpose.
Service documentation: Yes
Documentation formats: HTML

PDF

Other
Other documentation formats: PowerPoint slide decks or Video
End-of-contract data extraction: Data can be extracted by the end user at any point using export functions, and can also be made available upon request.
End-of-contract process: After a specified period of time the tenant and the data is holds is deleted from the cloud service.

Using the service

Web browser interface: Yes
Using the web interface: The Web Interface of the service is the primary management mechanism of the solution and provides access to all features, functions and configuration.
Web interface accessibility standard: None or don’t know
How the web interface is accessible: Publicly accessible by supported browsers (Internet Explorer, Chrome, Firefox, Microsoft Edge.)
Web interface accessibility testing: Not applicable.
API: Yes
What users can and can't do using the API: The primary purpose of the API is to enable integration with Helpdesk/Ticketing and workflow solutions to automate the management of user requests. The API provides access to:
- Collect Events
- List, Create, update and delete policies
- Query Sets, Endpoints and Endpoint Groups
API automation tools: Other
Other API automation tools: Systems that supports REST API have a scripting engine

Helpdesk management solutions such as Service Now, Remedy, etc.
API documentation: Yes
API documentation formats: Open API (also known as Swagger)

Other
Command line interface: No

Scaling

Scaling available: Yes
Scaling type: Automatic
Independence of resources: Each customer is provisioned a single tenant separated by schema to ensure security and continuity of tenant. Tenants are hosted on an AWS cloud service which scales with demand. CyberArk makes use of 3 availability zones in AWS to ensure uptime. In addition, users can be segregated into sets based on their demands, each set is a discrete instance with associated resource.
Usage notifications: Yes
Usage reporting: Email

Analytics

Infrastructure or application metrics: Yes
Metrics types: Other
Other metrics: Service status
Reporting types: Real-time dashboards

Resellers

Supplier type: Reseller providing extra features and support
Organisation whose services are being resold: CyberArk

Staff security

Staff security clearance: Conforms to BS7858:2019
Government security clearance: Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: European Economic Area (EEA)

Other locations
User control over data storage and processing locations: No
Datacentre security standards: Supplier-defined controls
Penetration testing frequency: At least once a year
Penetration testing approach: In-house
Protecting data at rest: Encryption of all physical media
Data sanitisation process: Yes
Data sanitisation type: Explicit overwriting of storage before reallocation

Deleted data can’t be directly accessed
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery: Yes
What’s backed up: All aspects of the service are backed up at datacentres
Backup controls: Users can take point in time backups of policy and configuration as data exports. All other aspects of backup are controlled by the vendor.
Datacentre setup: Multiple datacentres with disaster recovery
Scheduling backups: Supplier controls the whole backup schedule
Backup recovery: Users can recover backups themselves, for example through a web interface

Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks: Private network or public sector network

Other
Other protection between networks: CyberArk proprietary VPN between SaaS and customer's infrastructure. Integrity360 also provides encryption and secure transit services.
Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability: 99.95%
Approach to resilience: Deployed on an AWS platform and resides in three different Availability Zones (AZ), in case of outages in one of the AZ data-centers. Each AZ includes the application and all the supported entities that are required for the proper functionality of the solution, and monitoring.
Outage reporting: Public dashboard and Email Alert.

Identity and authentication

User authentication: 2-factor authentication

Public key authentication (including by TLS client certificate)

Identity federation with existing provider (for example Google apps)

Other
Other user authentication: Agents running on the client computer authenticate to the EPM command and control interface using TLS encryption.
Access restrictions in management interfaces and support channels: Management interface is controlled by RBAC. Support access with CyberArk requires users to be registered and also take have completed training and passed the appropriate examinations.
Access restriction testing frequency: At least every 6 months
Management access authentication: 2-factor authentication

Identity federation with existing provider (for example Google Apps)

Username or password

Other
Description of management access authentication: While users can authenticate to the service using the built in identity service (username and password), we recommend that it is integrated with an existing identity provider that provides SAML. In that configuration users will authenticate to the web service using their identity provider, answer the 2FA challenge, and the EPM console will then consume the SAML request.
Devices users manage the service through: Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Access to user activity audit information: Users have access to real-time audit information
How long user audit data is stored for: User-defined
Access to supplier activity audit information: Users have access to real-time audit information
How long supplier audit data is stored for: User-defined
How long system logs are stored for: User-defined

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: Standards Institute Israel
ISO/IEC 27001 accreditation date: 31/12/2020
What the ISO/IEC 27001 doesn’t cover: Not applicable - the certificate is applicable to Business processes: Research, development, sales and support of information security solutions and technologies.
ISO 28000:2007 certification: No
CSA STAR certification: Yes
CSA STAR accreditation date: 31/12/2020
CSA STAR certification level: Level 1: CSA STAR Self-Assessment
What the CSA STAR doesn’t cover: Not applicable - CyberArk’s products are listed as level 1 on the Cloud Security Alliance’s Security Trust Assurance and Risk (STAR) registry. This encompasses key principles of transparency, rigorous auditing, cloud security, and privacy best practices. This information can be found here: https://cloudsecurityalliance.org/star/registry/cyberark/.
PCI certification: No
Cyber essentials: Yes
Cyber essentials plus: No
Other security certifications: Yes
Any other security certifications: SOC2 certified

NIST 800

FIPS 140-2

VPAT 508

NISA certified

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: ISO/IEC 27001
Information security policies and processes: ISO 27001

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: Supplier-defined controls
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: As opposed to other cloud service providers who only provide a service but use 3rd-party technologies, CyberArk developed all the technologies it uses from scratch and only uses standard servers and routers (no 3rd-party technologies). This allows much more flexibility and rapid reaction to new threats and attack vectors as we do not have to wait for updates and patches – we do them ourselves immediately. In order to fight todays sophisticated and constantly changing attack patterns we have CyberArk’s 24x7 SOC - manned with security experts that can handle any attack in real time.
Protective monitoring type: Supplier-defined controls
Protective monitoring approach: Available on request
Incident management type: Supplier-defined controls
Incident management approach: We have defined process of incident response and an incident response team whose responsibilities include: Analysis of the security issue risk (based on Severity Matrix and CVSS), remediation and recommendation. SLA of handling the issue according to the risk level. In case the decision is to fix, the fix is like any standard feature\bug development, including validation (QA) and automation. Security bulletin - in case a security issue found risky, and requires patch, we have a mechanism of publishing "security bulleting" to our customers. This bulletin contains explanation of the issue, and mitigation steps (including patch if needed).

Secure development

Approach to secure software development best practice: Supplier-defined process

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart: No

Energy efficiency

Energy-efficient datacentres: Yes
Description of energy efficient datacentres: CyberArk SaaS solutions are hosted on AWS. AWS is continuously working to increase the efficiency of our facilities, and our scale allows us to achieve higher resource utilization and efficiency than typical on-premises data centers. When possible, we incorporate direct evaporative technology for cooling our data centers, reducing energy and water consumption. During cooler months, outside air is directly supplied to the data center without using any water. During the hottest months of the year, outside air is cooled through an evaporative process using water before being pushed into the server rooms, and we have optimized our cooling systems to minimize water usage. AWS has also demonstrated our commitment to water stewardship by using reclaimed or recycled water instead of potable water in multiple regions, and we are working with local utilities to expand the use of reclaimed water.

Social Value

Fighting climate change

We recognize the importance of reducing our impact on the environment and maximizing sustainable business practices. As an enterprise software company, our environmental footprint is smaller than organizations of comparable size in other industries. Most of our IT infrastructure runs in a public cloud environment, which reduces our total environmental impact dramatically. As we think about our data center planning, one of the considerations that we take into account is the environmental footprint and our overall computing capacity, which includes moving 85% of our applications to SaaS. In early 2021, we expanded our local efforts and created a global environmental team to implement a more comprehensive environmental employee-led stewardship program, an important part of our ESG Program. The Nominating and Corporate Governance Committee has oversight over our Environmental Stewardship as part of the ESG Program.

Pricing

Price: £93 a device
Discount for educational organisations: No
Free trial available: No

CyberArk Endpoint Privilege Manager

Features

Benefits

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Backup and recovery

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Separation between users

Energy efficiency

Pricing

Service documents

Cookies on Digital Marketplace

CyberArk Endpoint Privilege Manager

Features

Benefits

Pricing

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Backup and recovery

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Separation between users

Energy efficiency

Social Value

Pricing

Service documents