Identity security vendor CyberArk has strengthened its Machine Identity Security portfolio with major enhancements to its discovery and context capabilities. CyberArk Secrets Hub, CyberArk Certificate Manager, SaaS, and CyberArk SSH Manager for Machines have all received significant upgrades. The new discovery and context capabilities are intended to let security teams automatically find, understand and secure machine identities (certificates, keys, secrets and workloads) to reduce risk and simplify compliance at scale.
CyberArk, an Israel-based company founded in 1999 that signed a deal in July to be acquired by Palo Alto Networks, previously managed the individual pieces of what became known as machine identity security, such as secrets management and certificate management, as separate products.
“We decided to stop solving these individual little items, and pulled it together into a platform,” said Kurt Sand, GM of Machine Identity Security at CyberArk. “We were originally mostly focused within CyberArk on application secrets, like how an application communicates with a target like a database, and how you securely enforce an application accessing a database using a secret, like a token, or even an account password. Now machine identity security is the material part of our business, for sure.
“How we evolved is when we set our vision to secure all machine identities,” Sand added. “We needed to look at other mechanisms that we didn’t currently cover. This is why, about a year ago, we acquired a company called Venafi to help even create a more comprehensive portfolio within CyberArk. They added items like PKI, certificate lifecycle management, and a more comprehensive solution for SSH keys and certificates. That complemented our current portfolio so that we could have the widest possible range of identities.”
There are many companies in the space, including HashiCorp, recently acquired by IBM; IoT identity platform provider Keyfactor; long-running competitors from the PAM (Privileged Access Management) space, some of which have basic machine identity capabilities; and many startups.
“They all just have a piece of what we do,” Sand said. “We have the widest solution.”
It is also an area where vendors are under considerable pressure. Machine identities outnumber human identities by an estimated 82 to 1, driven by increased AI adoption and cloud-native growth. As a result, machine identity-related security incidents are on the rise: 72% of security leaders report certificate-related outages and 50% have experienced security incidents or breaches from compromised machine identities, according to CyberArk research. Manual processes can no longer keep up, and organizations need an automated, context-driven discovery approach to stay ahead.
“Implementing machine identity security programs has become increasingly complex as organizations grapple with shrinking certificate lifespans, the rise of AI agents, vault sprawl and vulnerable software supply chains. With these new discovery, context and remediation capabilities, customers gain the visibility and control they need to tame sprawl, enforce policy and secure their environments more efficiently,” Sand said. “This milestone, just one year after our acquisition of Venafi, marks a significant step forward in our commitment to delivering the industry’s most comprehensive, end-to-end machine identity security solution.”
Sand noted, however, that you can’t secure what you can’t find, or don’t know about.
“It’s more than just getting an individual machine identity identified; you try to get as much context as you can observe around it to figure out things like how risky it is, and what priority you should give to addressing it. Then if you’re going to need to remediate something, we do our best to automate that remediation. A remediation might be to bring it into our vault so that you could rotate it. A remediation might be to delete the identity because you found out it wasn’t even being used. Our remediation could also be that the identity is being used but overprivileged, so let’s right-size its privileges. So the overall concept is we want to try to automate as much of that as possible. To make that happen, we have a series of new capabilities across the portfolio.”
CyberArk’s expanded Machine Identity Security portfolio delivers centralized visibility, automated policy enforcement and context-driven insights to help organizations monitor and secure every machine identity, anywhere, across the enterprise.
“There has been basic discovery out there for quite some time,” Sand said. “The new advanced concepts we’ve introduced add more context to what’s discovered: doing a better job of automating more widely, knowing how many weak machine identity types we can find, and then, I think most importantly, automating based on that context. What should you do? What action should you take to make your organization more secure?”
One key enhancement is to the CyberArk Secrets Hub.
“The way Secrets Hub works, the predominant use case is that a software developer is building an application in the cloud, whether that be AWS, or Azure, or GCP, and they need a place to store the application secret that gives them access to some endpoint,” Sand stated. “So we encourage the use of those vaults for secrets across the cloud. The problem is that in order to have a good security posture, you typically want something like three vaults per application, one for development, one for test, one for production. If you have this in a large enterprise, you often get many of these cloud vaults. Now, they’re super efficient for developers to use, but somewhat worrisome for security teams. Are they actually deleting unused secrets? Are they rotating secrets regularly? Are they putting the right privileges on these secrets? What Secrets Hub does is examine those vaults, and help you understand the contents, and then offer remedies, if one is necessary. For example, we might find a very highly privileged secret actively being used, but it’s, like, three years old. It’s dangerous. You haven’t rotated it in a long time, so we would offer to onboard it into our platform and rotate it. Some people call it the concept of transparent security. The security posture is being improved, but it’s transparent to the developer and the cloud workloads.”
It has added Discovery and Context for HashiCorp Vault, which addresses vault sprawl by providing visibility into dispersed HashiCorp Vault instances and enforcing enterprise-wide policy without disrupting developer workflows.
It has also added a Risk Management and Remediation Dashboard, which centralizes observability across secrets vaults and integrates third-party scanner data to identify high-risk areas, enabling organizations to prioritize remediation and track compliance progress.
“We’ve built a framework to continuously add more and more remediation methods that are also automated, and this is a net-new capability in Secrets Hub,” Sand noted.
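As an added illustration of the triage Sand describes (not CyberArk's code, and not how Secrets Hub implements it), the Python below scores a constructed cross-vault secrets inventory against a rotation policy and derives the three remediations named in the article: onboard and rotate, delete what is unused, and right-size privileges. The secret names, vault names, policy thresholds and privilege weights are all assumptions; real rows would come from each vault's list/describe API and the cloud provider's access logs.

```python
"""Added example (not CyberArk's code): triage a cross-vault secrets inventory
against a rotation policy and derive the three remediations the article lists.
The inventory, policy thresholds and privilege weights are constructed assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class Secret:
    name: str
    vault: str                     # where discovery found it, e.g. "aws-secretsmanager/prod"
    last_rotated: date
    last_accessed: Optional[date]  # None: no access ever observed
    granted: Set[str]              # permissions attached to the secret's principal
    observed: Set[str]             # permissions actually exercised per access logs


POLICY = {"max_rotation_days": 90, "unused_after_days": 180}  # assumed thresholds
PRIV_WEIGHT = {"admin": 3, "write": 2, "read": 1}             # assumed risk weights


def triage(secret: Secret, today: date, policy: Dict[str, int] = POLICY) -> dict:
    """Decide which remediation applies and score it so findings can be ordered."""
    rotation_age = (today - secret.last_rotated).days
    idle = (today - secret.last_accessed).days if secret.last_accessed is not None else None
    actions: List[str] = []
    if idle is None:
        actions.append("delete: never observed in use")
    elif idle > policy["unused_after_days"]:
        actions.append(f"delete: idle for {idle} days")
    else:
        # Still in use: rotation and least-privilege checks apply.
        if rotation_age > policy["max_rotation_days"]:
            actions.append(f"onboard and rotate: last rotated {rotation_age} days ago")
        excess = secret.granted - secret.observed
        if excess:
            actions.append("right-size: unused permissions " + ", ".join(sorted(excess)))
    weight = max((PRIV_WEIGHT.get(p, 1) for p in secret.granted), default=1)
    return {"name": secret.name, "vault": secret.vault, "rotation_age_days": rotation_age,
            "idle_days": idle, "actions": actions,
            "risk": weight * rotation_age if actions else 0}


def prioritize(secrets: List[Secret], today: date) -> List[dict]:
    """Highest-risk findings first: old, highly privileged secrets with a pending action."""
    return sorted((triage(s, today) for s in secrets), key=lambda r: r["risk"], reverse=True)


TODAY = date(2025, 6, 1)  # assumed reference date
SAMPLE_INVENTORY = [      # constructed; real rows come from vault and access-log APIs
    Secret("db-admin-prod", "aws-secretsmanager/prod", date(2022, 5, 1), date(2025, 5, 30),
           {"read", "write", "admin"}, {"read", "write"}),
    Secret("reporting-ro", "azure-keyvault/test", date(2025, 4, 15), date(2025, 5, 20),
           {"read"}, {"read"}),
    Secret("legacy-etl-token", "hashicorp-vault/dev", date(2023, 1, 10), date(2024, 8, 1),
           {"write"}, {"write"}),
    Secret("ci-deploy-key", "gcp-secretmanager/prod", date(2025, 1, 1), None,
           {"admin"}, set()),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_INVENTORY, TODAY):
        print(f"{row['risk']:5} {row['vault']:24} {row['name']:18} {row['actions'] or ['ok']}")
```

The ordering step is the part worth keeping: it turns raw discovery output into a remediation queue in which a three-year-old admin secret that is still in use lands ahead of a never-used key that can simply be deleted.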
The enhancements to CyberArk Certificate Manager, SaaS, were prompted by the CA/Browser Forum (CAB Forum), the industry body of certificate authorities and the vendors of the world's most widely used browsers.
“The CAB Forum is a very intense driving force right now behind certificate management,” Sand said. “They get together and define browser standards, and they declared that they want to shrink the lifespan of the certificate, which is 398 days today, down to 47 days by 2029. With thousands of certificates in an enterprise, it’s just impossible to do it manually. So there’s a large driver behind people wanting to use our solutions to automate that complete certificate lifecycle in order to stay ahead of the shrinking lifespans. This is our solution for managing the certificate lifecycle. It’s installed at its endpoint, let’s say, like, a load balancer. It automates that end-to-end process. The CAB Forum sets milestones by which you need to reissue, and hopefully you onboard it, automate it and get it out of your way.”
CyberArk SSH Manager for Machines has also been enhanced with new authorization and policy controls, along with real-time authorization tracking and discovery, giving centralized visibility, risk reduction and audit compliance to help manage SSH key sprawl and unmitigated access.
“This solution, which is widely in use today, discovers SSH keys, gives you an inventory, and then helps you work through them,” Sand stated. “But it’s challenging at times, because when you find an SSH key, you don’t understand what it’s being used for. You just found it on a server. So the significant improvement that we’ve made here is actually observing the SSH keys in use. By observing them in use, we can look at what used it, when it was used, and how it was used. And then from that, you can make much better decisions on what you do. For example, you may observe it’s never been used, so delete it. Or you can rotate the keys and set up a process on your endpoint to rotate those keys.
“It’s also been a significant help to customers that have failed an audit, because auditors can pretty easily search different servers, since there are known locations where the keys will be, and just grab the key and ask that customer, what is this key for?” Sand continued. “And if you can’t answer it, it’s an audit flag. So, now that we’re actually watching that SSH key in use, they can say, I know why this key is here, and I know who’s using it, and I can actually prove to you that it’s, for example, rotating according to the appropriate policy.”
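The "observe the key in use" idea Sand describes can be approximated on a single host with data already present on it: the entries in authorized_keys (one of the known locations an auditor searches) and sshd's "Accepted publickey" log lines, which carry the key's SHA256 fingerprint. The Python below is an added example, not CyberArk's code or SSH Manager's method. The authorized_keys entries, log lines, host name, ISO 8601 log timestamps and the 90-day staleness threshold are constructed assumptions, and the key blobs are arbitrary base64 rather than real keys.

```python
"""Added example (not CyberArk's code): join an authorized_keys inventory against
sshd 'Accepted publickey' log lines to see which keys are actually used, by whom,
from where and when. All inputs below are constructed sample data."""
import base64
import hashlib
import re
from datetime import datetime, timedelta, timezone

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com"}


def fingerprint(b64_blob: str) -> str:
    """OpenSSH SHA256 fingerprint: base64(sha256(decoded key blob)) without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> dict:
    """Map fingerprint -> (key type, comment). An options prefix such as from="..."
    is skipped by locating the key-type token; quoted options containing spaces
    are not handled here."""
    inventory = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue
        comment = " ".join(tokens[idx + 2:]) or "(no comment)"
        inventory[fingerprint(tokens[idx + 1])] = (tokens[idx], comment)
    return inventory


# Successful key logins as sshd logs them; the timestamp format is assumed to be
# ISO 8601 (rsyslog with high-precision timestamps), which carries the year.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Accepted publickey for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2: \S+ (?P<fp>SHA256:\S+)")


def parse_sshd_log(text: str) -> list:
    """Return (time, user, source ip, fingerprint) for each accepted key login."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"], m["fp"]))
    return events


def triage(inventory: dict, events: list, now: datetime,
           stale_after: timedelta = timedelta(days=90)) -> dict:
    """Per inventoried key: observed use and a recommended action."""
    report = {}
    for fp, (ktype, comment) in inventory.items():
        uses = [e for e in events if e[3] == fp]
        last = max((e[0] for e in uses), default=None)
        if last is None:
            action = "unused: never observed, candidate for removal"
        elif now - last > stale_after:
            action = f"stale: last used {(now - last).days} days ago, confirm owner or remove"
        else:
            action = "in use: keep, confirm it rotates on policy"
        report[comment] = {"fingerprint": fp, "type": ktype, "uses": len(uses),
                           "users": sorted({e[1] for e in uses}),
                           "sources": sorted({e[2] for e in uses}),
                           "last_used": last, "action": action}
    return report


def unexpected_fingerprints(inventory: dict, events: list) -> list:
    """Keys that authenticated but are not in the inventory: they live somewhere
    the inventory did not cover and still need to be found."""
    return sorted({e[3] for e in events} - set(inventory))


def _blob(label: str) -> str:
    # Constructed stand-in for a key blob; real blobs encode the key type and key material.
    return base64.b64encode(label.encode()).decode()


SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not real keys",
    f"ssh-ed25519 {_blob('constructed-deploy-key')} deploy@ci",
    f'from="10.0.0.0/8" ssh-ed25519 {_blob("constructed-backup-key")} backup@nas',
    f"ssh-rsa {_blob('constructed-contractor-key')} contractor-2021",
])
_FP = {comment: fp for fp, (_, comment) in parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS).items()}
SAMPLE_SSHD_LOG = "\n".join([  # constructed log lines
    f"2025-02-27T08:00:00+00:00 web01 sshd[2134]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2: ED25519 {_FP['deploy@ci']}",
    f"2025-02-28T08:05:00+00:00 web01 sshd[2201]: Accepted publickey for deploy from 10.0.0.5 port 51300 ssh2: ED25519 {_FP['deploy@ci']}",
    f"2024-10-03T02:15:00+00:00 web01 sshd[977]: Accepted publickey for backup from 10.0.0.9 port 40022 ssh2: ED25519 {_FP['backup@nas']}",
    "2025-02-20T12:00:00+00:00 web01 sshd[3002]: Accepted publickey for root from 203.0.113.7 port 33000 ssh2: RSA SHA256:notInInventory0000000000000000000000000000",
    "2025-02-21T12:00:00+00:00 web01 sshd[3010]: Failed publickey for root from 203.0.113.7 port 33001 ssh2: RSA SHA256:notInInventory0000000000000000000000000000",
])
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)  # assumed reference time for staleness


def run(now: datetime = NOW):
    inventory = parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS)
    events = parse_sshd_log(SAMPLE_SSHD_LOG)
    return triage(inventory, events, now), unexpected_fingerprints(inventory, events)


if __name__ == "__main__":
    report, unknown = run()
    for comment, row in report.items():
        print(f"{comment:16} {row['uses']:2} uses  {row['action']}")
    print("seen in log but not in inventory:", unknown)
```

Keys the inventory does not know about but the log shows authenticating are reported separately, because that is exactly the case an auditor who only grabs keys from the usual file locations would miss; only successful logins count, so a failed attempt with an unknown key does not make it look "in use".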
Sand emphasized that CyberArk's channel partners are likely to be delighted by the new announcements.
“In the five years since I joined CyberArk, it’s been a continuous upswing of our channel partners also covering machine identity security as part of what they do. We were making pretty good progress on our own, and then adding the Venafi capabilities really just supercharged the number of partners that have joined forces with us. They are a critical part of our go-to-market, and our services delivery to help customers. Our channel spans a wide variety of partners, everything from your large global system integrators to small boutique services partners around the world. It’s growing every day.
“This one’s, like, a 10 out of 10 on the excitement meter for partners,” Sand concluded. “And the reason is that the very first thing you need to do as a partner when you drop into a new customer’s environment is discover where their issues are and help them create, and then from there, scope some kind of initiative. So, this helps them very quickly understand the customer’s as-is state, scope it and try to move forward with a project with a customer. So since it’s very front-end loaded in their sales cycle, I think they’re particularly excited about it.”
