SailPoint CyberArk Integration
– What You Should Know –

Why you should consider integrating, what it supports, and how to go beyond the out of the box functionality

When organizations ask us about integrating CyberArk with SailPoint’s IdentityIQ or IdentityNow solutions, it often means that they’ve figured out how to govern their typical user access. “Typical access” may include active directory user accounts located on-premises or in the cloud, access to time management tools, learning management suites, or physical access just to name a few.   

On the privileged access management side, they’re either already controlling access to privileged accounts like domain administrator accounts, admin user accounts, or local server accounts through a CyberArk Privileged Access Management (PAM) solution, or they are considering purchasing the solution to do so. 

Even with SailPoint and CyberArk solutions up and running successfully, there’s a good chance you’re still not as secure as you should be.  Forrester reports that 80% of security breaches are linked to privileged access.  If you’re managing PAM independent of your Identity governance program, you won’t have complete visibility of your organization’s access.  This can cause dangerous access combinations or oversights that ultimately result in unnecessary security risks. 

For this reason, it makes sense to consider including privileged access in your governance model through an integration between CyberArk and SailPoint.   

To help, here’s an overview of the process and possibilities.  

The SailPoint PAM Module

SailPoint offers a PAM integration module that creates an integrated, policy-driven approach to managing identity and access governance across both privileged and non-privileged accounts. When done correctly, it will help close security gaps, eliminate redundant processes, and further reduce privileged access risks.  

Although SailPoint’s integration module offers good functionality out-of-the-box, such as viewing and modifying user safe permissions, much more can be achieved with customizations to it including creating safes and vaulting privileged accounts. These capabilities are only made possible through integrating SailPoint and CyberArk. The diagram below illustrates the integration model.

Here’s an overview of key features that the SailPoint PAM Integration Module provides out of the Box  

• A centralized view of user permissions on safes containing privileged access 
• A centralized location for reviewing, approving, rejecting, delegating, or escalating requests for privileged access 
• Enforcement of preventative and detective controls to ensure access is within enterprise policies at all times 
• Immediate provisioning for privileged access once approved 
• Include privileged access in enterprise access certifications (attestations) 
• Include privileged access management in automated joiner workflows 
• Include privileged access management in automated leaver workflows including immediate credential rotation, account disablement, or removal 
• Establish a true Role Based Access Control (RBAC) model for privileged access and govern it from SailPoint 

Some of the benefits of integrating CyberArk with SailPoint

• Improved security by bringing privileged access management under the SailPoint enterprise governance umbrella 
• Improved governance by leveraging existing SailPoint workflows for privileged access requests 
• Reduced operational overhead by automating privileged user provisioning and deprovisioning 
• Improved user experience by unifying unprivileged and privileged user access requests 
• Reduced risk by eliminating access governance and reporting gaps for privileged access through dynamic privileged access analytics 

How does the integration work? 

SailPoint provides a separately licensed privileged access management (PAM) module that connects to CyberArk through the System for Cross-domain Identity Management (SCIM) interface, enabling complete privileged access management and governance.  

The SCIM API is a machine friendly interface that enables the exchange of user identity information between systems and makes it simpler to automate user management tasks:  

• Create/Enable/Disable user accounts 
• Add/Remove users from groups which permit safe access 
• Allow admins to set direct safe permissions for users 
• View direct or in-direct group-based permissions a user has on a safe 
• View managed accounts stored within safes 
• Remove encrypted passwords from IdentityIQ application definitions and pull those passwords real-time from CyberArk, alleviating the need for manual password rotation 

Going Beyond the Out-of-the-Box Integration

Although the standard PAM module covers the basic PAM governance use cases, organizations often need more functionality to support advanced use cases such as creating safes and vaulting accounts within those new safes from SailPoint.   

Customizing the SailPoint PAM module can enable features that go beyond what is provided OOTB.   To help our clients expand privileged access governance controls, we developed customizations that also enable: 

• End-to-End Service Account Request Workflow 
• User friendly forms and approval process 
• Proper ownership defined and easily updated 
• Automated provisioning of service accounts in Active Directory
• Automated vaulting of new accounts in a CyberArk safe
• Automated Provisioning of Privileged Domain Accounts
• Self-service privileged account request with appropriate approvals
• Automated creation of privileged domain account, new user-specific safe created in CyberArk, and the credentials of the new domain account vaulted in that safe 
• Granting normal domain account access to CyberArk to access their newly created safe with their privileged domain account credentials 

How can Integral Partners Help?

As trusted CyberArk and SailPoint Admiral partners, we have deep experience helping organizations implement and maximize their solutions.  Whether you’re early in your journey and need help choosing the right solutions and building a roadmap, or you’re more mature and need help with an integration, we can help. 

• Integration Preparation & Roadmap
  Review your current SailPoint and CyberArk environments to determine if you’re ready to integrate CyberArk with SailPoint IdentityIQ or IdentityNow. If you’re not, we can help build a roadmap to get you there.  

• Program Evaluation
  Evaluate your PAM or IAM program maturity and assess how you can further reduce risk  and plan for future access management needs 

• OOTB Integration 
  Implement the out-of-the-box PAM Module which includes the direct connector into CyberArk to manage users, groups, safe permissions, and dedicated views and workflows that go with it 
• Expand OOTB Functionality 
  Increase the value of the out-of-the-box SailPoint PAM module functionality by implementing custom workflows which allow for automated safe creation for new privileged accounts and storing newly created credentials in the safe
• Reduce Manual Password Rotation
  We can help you reduce manual password rotation for your SailPoint connectors by implementing automated credential cycling that SailPoint offers with the PAM module as well 

If you’re interested in learning more about CyberArk, SailPoint, integrating the two, or just have general IAM question, feel free to put 15 minutes on our calendar here.  We’d be happy to help. 

You can also find more information here about the integration and how we can help:  SailPoint CyberArk Integration Services