
Turning the Spotlight on IT’s Dirty Little Secret: Securing the Common Point of Failure
in IT Risk Controls
An ENTERPRISE MANAGEMENT ASSOCIATES® (EMA™) White Paper
Prepared for Cyber-Ark

August 2008

IT Management Research, Industry Analysis, and Consulting



Table of Contents
Executive Summary
Effective IT Risk Control: How Far Does It Go in Your Enterprise?
Who Controls the Control?
Empowering Confidence in Privileged Access: Cyber-Ark Enterprise Password Vault
    Better Security for Privilege Control
    Linking Individuals and Actions with Privileged Access
    Automating Best Practices in Privilege Management
    Integration with Accepted IT Management Processes
EMA Perspective
About Cyber-Ark

©2008 Enterprise Management Associates, Inc. All Rights Reserved.


Executive Summary
The rise of identity and access management has revolutionized how the enterprise defines
a key domain of IT risk control. Access management has become a cornerstone of best
practice in IT governance, risk and compliance control—except for the most important
access of all, the privileged user for shared administrative accounts, and the embedded
application identities found within applications, scripts and application servers.
These high-privilege super-user and administrative accounts that directly control IT re-
sources and applications themselves have largely been overlooked by enterprises seeking
to mature their access management strategy. These accounts are often shared and may be
managed by the most minimal security controls—if not exposed outright, embedded as
plaintext in application and script code, or left unchanged from out-of-the-box defaults or
initial settings.
Poor controls over privileged access pose significant risks, if not some of the largest a busi-
ness could face. In a recent high-profile case, the municipal government of San Francisco
was literally locked out of control over one of its most important networking systems
by the actions of a disciplined administrator who apparently had sole control over this
environment, and who either refused or was unable to supply administrative passwords to
the City. Outright abuse of administrative control over critical business systems was central
in the case of disgruntled systems administrator Roger Duronio, convicted in 2006 of
sabotaging vital IT resources at UBS.
Recognizing the threat as well as the need, Cyber-Ark offers a distinctive approach to
greater security and efficiencies around privileged access management. Cyber-Ark’s Enterprise
Password Vault (EPV) offers a hardened and encrypted platform for managing the most sensitive
access controls, incorporating a wide range of security measures. These measures yield high
flexibility in defining and managing privileged access to enterprise systems and applications.
EPV typically delivers these values with little or no adverse impact on vital IT resources,
providing much more granular control over privileged activity than traditional approaches. It
provides linkage of individual identity with high-privilege access and actions essential to
“audit-worthy” accountability and policy enforcement, automating key processes of privileged
access provisioning and control. Enterprise Password Vault supports IT process disciplines key
to effective IT risk controls, through integration with the service desk and support for best
practices in IT policy management.
In this paper, Enterprise Management Associates (EMA) examines the paradox of IT’s
dirty little secret: the poor state of high-privilege access management that represents a
common point of failure in IT governance, risk and compliance controls. This potential
security and audit failure point threatens organizations worldwide and stands in stark contrast
to enterprise maturity in other aspects of IT control. As regulators and malicious parties
alike expose this most sensitive IT business risk, executives will gain a new appreciation for
the values of what Cyber-Ark defines as Privileged Identity Management (PIM). Cyber-Ark’s
Enterprise Password Vault (EPV) gives the enterprise more effective control over a broad range
of comprehensive IT governance, risk and compliance priorities, and elevated confidence in the
management of privileged access to an organization’s most sensitive information.

Effective IT Risk Control: How Far Does It Go in Your Enterprise?
For many years, IT risk control has focused primarily on areas such as network perimeter
security, or identity and access management for the general user population. At present,
the concept of IT risk management embraces a much wider scope of issues. From operational
risks such as mission-critical availability and performance threats, to high-profile data
privacy breaches, today’s most common objective is control of the risk IT poses to the
business. Privacy breaches have certainly captured headlines—but serious as they are, they
are only the tip of the iceberg.
The recent case of a network administrator who effectively locked the City of San Francisco
out of its own FiberWAN network is a provocative example of how an individual with technical
expertise and closely held control over the most sensitive level of IT access can exploit that
knowledge to effectively hold an enterprise hostage to its own IT systems. More importantly
still, the case illustrates the enormous governance risks facing many similar enterprises,
where high technical and administrative privilege is not balanced with sane and effective
organizational as well as operational controls over high-privilege IT access. Regardless of
whether they recognize it as a threat or not, any business that does not take an enforceable
approach to assuring more granular control over high-privilege administrative access has only
itself to blame if it finds itself in a similar position.
Other aspects of the risk of poorly controlled high-privilege IT access are illustrated by the
case of one-time UBS systems administrator Roger Duronio, convicted in December 2006
of sabotaging key business systems in what prosecutors described as retaliation against
his employer over a compensation dispute. In both the San Francisco and UBS cases, a
common factor emerged: the enterprise had placed its faith in little more than blind trust
in the willingness of highly skilled professionals to cooperate with the best interests of the
business. When such blind trust is misplaced—regardless of the reason—the business may
find itself left holding a very expensive bag.
Given the attention paid to these events, such governance gaps can be expected to stand
out starkly in today’s more intensely regulated climate, as regulatory watchdogs seek to
close risk gaps by mandating a minimum standard of care. This, however, is belied by the
vague objectives of high-level measures such as COSO, or the generalized approach of IT
control frameworks such as COBIT. Even when mandates are technologically specific, as
with the highly prescriptive PCI standard, those who seek to exploit risk control gaps often
know the limits of required controls. This was made evident in the data security breach at
northeastern U.S. grocery chain Hannaford, which had actually certified its PCI compliance
not long before.
Other examples illustrate even more gaps between compliance and actual security. For ex-
ample, high-level regulatory mandates rarely link directly to such technically granular issues
as the access credentials often embedded in application architectures. Though rarely dis-
cussed too openly—but as many system architects are well aware regardless—embedding
usernames and passwords into application integration code is a technique often used to
automate functionality between application components originally designed to be interac-
tive. Discovery and exploit of these embedded access credentials by the malicious remains
a risk to such environments—not to mention the sensitive data they may manage—unless
more secure alternatives can be employed.
Each of these cases reveals a fundamental flaw in many approaches to IT governance,
risk management and compliance: IT controls are only effective if they are truly resis-
tant to subversion. The business that predicates its IT risk and compliance strategy on a
framework of IT controls must therefore ask itself: What happens when the controls on which
this strategy depends are themselves unreliable? Many businesses have invested thousands if not
millions in IT controls, but the effectiveness of control often boils down to one important
question.

Who Controls the Control?


Many IT risk and compliance controls are themselves applications or systems that require
management or configuration by technically knowledgeable individuals. This means that
high-privilege users often wield enormous influence over these controls, through root or
administrative accounts that directly access the most sensitive aspects of functionality.
Typically, these accounts themselves have few controls. In more than a few cases, only a
simple password stands guard on unauthorized access—access that is often shared among
a number of individuals or applications, making it all the more challenging to track and
enforce accountability for actions when these accounts are used—or abused.
While most high-privilege users are skilled professionals of high integrity, the business that
quite literally bets the farm on integrity alone essentially believes in trust without
verification. Without effective controls on high-privilege access, little stands between the
business and disaster. Business-critical IT resources such as revenue-generating systems and
applications, sales and customer resource management, payment reconciliation systems, financial
performance platforms, and other vital IT resources are all subject to high-privilege
control—or manipulation—while virtually every database is subject to the actions of the DBA.
As the examples highlighted in this paper illustrate, EMA identifies two key factors in
particular which should give the enterprise pause:
• The risks exposed by poor privilege control can be found almost everywhere. The
  business that does not know exactly how many Web sites, databases and business
  applications it has, has not done a very thorough job of looking—nor does it know just
  how important many of these are to the business.
• Nearly all these resources have some form of administrative access that controls
  configuration, functionality—and risk. Sometimes this access is enabled by an
  administrative-level user account. In other instances, access is exposed in the form
  of scripts or embedded passwords woven into system integration code—often in
  plaintext—just to make functionality possible.
The business that underestimates the impact of poorly controlled high-privilege access to
critical business systems should take a second look at the significant financial repercussions
of major security events within large financial organizations that continue to be widely
raised and reported within the media.
Just as significant is the increasingly worrisome threat posed by more sophisticated
attackers. Organized crime plays a much larger role in IT threats, while the infiltration of
high-sensitivity IT systems for espionage or strategic military advantage appears to be on the
rise. These factors have made threats far more malicious than ever before—and they are in a
much better position both to penetrate the enterprise, as well as to exploit high-privilege
access if techniques such as passwords embedded in applications or stored in plaintext scripts
are discovered in an attack.
Even when legitimately used, high-privilege accounts are often shared among multiple users,
making the tracking of activities and the traceability of specific actions a challenge all by
itself. Businesses have long applied this level of granularity to individual user accounts.
Paradoxically, they have typically neglected to apply the same level of discipline to accounts
that have the highest impact on business risk.
Throughout all these issues runs the common thread of poorly managed high-privilege access
that has a direct impact on business risk exposure in IT. Most enterprises have been so
concerned with the threat on the outside that they may have turned a blind eye to this soft
underbelly, where the poor state of control over the most sensitive and critical functionality
is one of IT’s most pernicious dirty little secrets. This has created an environment where
the potential for financially devastating and headline-creating events is greatly increased,
both from the risks posed by an insider gone bad, as well as from the inadvertent misuse by
a well-intentioned administrator causing wide-ranging unintended consequences.

Empowering Confidence in Privileged Access: Cyber-Ark Enterprise Password Vault
Recognizing these needs, Cyber-Ark has directly taken on many of the most critical gaps in
privileged access control, with a product offering that specifically targets:
• Better security for privileged access and user accounts, including the security of the
  Cyber-Ark platform itself;
• Effective linkage of high-privilege access and actions with specific individuals or
  applications;
• Automation and auditing of the privileged access management lifecycle, including
  provisioning and de-provisioning of access for specific users, as well as measures specific
  to high-privilege access such as dual-control and emergency response procedures;
• Integration of privileged account management with IT management processes such as
  the service desk, help desk or ticketing system, in line with industry best practices that
  have a decided and positive impact on IT governance priorities and effective risk and
  compliance management.

[Figure 1 diagram. Account types: personal accounts, shared accounts, application accounts.
Capabilities: Privileged Password Management, Privileged SSO, Privileged User Provisioning,
Privileged Session Monitoring, Application Credential Management, On-Demand Privileges (SUPM).]

Figure 1: Cyber-Ark’s Enterprise Password Vault increases the security and reliability of management for a
wide range of privileged access and identities. Together, these capabilities address a common and critical
risk management failure across much of IT: poor controls over privileges that directly control IT itself.

Better Security for Privilege Control


At the heart of the company’s Enterprise Password Vault (EPV) is the Digital Vault, a
hardened and encrypted repository purpose-built for managing highly sensitive data such
as privileged access information. The Cyber-Ark Digital Vault limits network communi-
cations to a single SSL-encrypted channel that restricts interaction and rejects malicious
or malformed commands. Measures such as source address limitations and time-of-day
restrictions provide additional control over access to the Enterprise Password Vault itself.
These measures enhance security for sensitive privileged access information at rest as well
as in motion or in use.
Segregation of duties is built into the management of Cyber-Ark’s EPV platform to assure
that no individual has over-broad access to this most sensitive functionality, and that all
access and activity done within the Vault is personalized to a specific individual, and tracked
and recorded in a secure audit record kept in a segregated area of the Vault with its own set
of restrictions and access controls.
User accounts are individualized with specific access controls and capabilities, and
associated with specific EPV management roles such as Vault Administrator, Auditor or
End-User, carrying the concept of user-specific granularity in the control of privileged
actions into the functionality of the Cyber-Ark Vault itself.
Roles such as Vault Administrator and Auditor are separated, with Vault Administrators
able to add users, objects and individual secure information stores within the
Vault (what Cyber-Ark calls “safes”), but without access to underlying data, audit records,
or other sensitive information. Auditors can see specific audit records, but cannot add or
modify users, objects, or underlying data, while Vault users can access specific objects and
information at or below their individual level of privilege, and nothing else.
EPV Master Administrator access can be mediated by a number of security measures,
such as cryptographic tokens, multi-factor authentication, and the limiting of access to
the physical EPV environment, for example. Dual-control measures can be employed to
further assure that no individual has broad control over this sensitive capability, while
dual-control and “fire call” procedures can be integrated with access definition to facilitate
the level of access administrators need to meet any IT management contingency.
By themselves, each of these measures is an improvement from typical, high-privilege
access management, which may be as simple as a password hash stored in an unencrypted and
readily accessed filesystem, or even a password stored in plaintext. Combined, the
capabilities of the Cyber-Ark Vault are a significant integration of measures to more
systematically secure high-privilege access capability.

Linking Individuals and Actions with Privileged Access


Because of the anonymous nature of administrative-level user accounts in IT systems, a
frequent risk control challenge is the inability to clearly identify who did what with high-privi-
lege access. When dealing with shared privileges such as system-level root or administrator
accounts, for example, such access may not be clearly—or auditably—linked to a specific
individual.
Application architectures are another example of hard-to-track anonymous access. When
an application accesses a database as part of normal functionality, it can be difficult to prove
that a specific instance or aspect of an application accessed sensitive data—or that an indi-
vidual had unauthorized access and exploited the privileges embedded in an application.
By leveraging the Cyber-Ark Enterprise Password Vault to mediate privilege, EPV forces
an authentication to the secure Vault repository, establishing the identity of the access
user, and launching an audit trail that links who with a specific case of privileged access.
This also links access to a specific target, at a specific point in time. The audit trail is
secured within the Vault environment, controlled by EPV’s own internal access and encryption
layers. This provides a higher degree of confidence in tracking the actions of privileged
users as well as privileged functionality, and better defense against attempts to conceal
unauthorized activity.
With the Enterprise Password Vault, organizations now have an approach to address the
challenges surrounding embedded application identities. By leveraging the programmatic
interfaces to the Digital Vault, C, C++, Perl, JAVA, .NET, and other programming techniques
can be used to eliminate embedded application passwords from scripts, applications and
application servers, securely storing them instead within the EPV.
When an application needs to access a target system, it programmatically authenticates to
the Vault to ‘prove’ and identify that it is the proper calling application. If policy permits,
the password is then provided via an encrypted link to the script or application, which can
then continue its login process.
The EPV provides multiple mechanisms to ensure that the requesting application is actually
the correct application, and not a rogue application or a human user acting as the applica-
tion. These methods include checking that the request is using the proper secured creden-
tials file and correct pathname, and that it originates from the proper operating system, as
well as ensuring that the request is coming from the proper IP address.
Once the access session is completed, the password is returned to the Vault and ultimately
changed on the target system, and all audit records are updated accordingly. The next time
the application needs access, the process is repeated and the application thereupon secured
and protected. The process is fully auditable to verify that the target system is being ac-
cessed from the proper application, and not via some “man in the middle” or spoofing
technique.
EPV support for addressing embedded application passwords extends as well to application
servers such as IBM WebSphere, BEA WebLogic and JBoss, where the passwords are often
stored unencrypted in a configuration file. With Cyber-Ark’s patent-pending approach,
these application server accounts can now be fully secured via a configuration change, and
without the need for taking down or restarting the application server.
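
The application-to-vault exchange described in this section, as an added example that is not Cyber-Ark's code or API: a toy broker that applies the four caller checks named above (credentials file, pathname, operating system, source address), releases or denies the password, audits both outcomes, and rotates the password at check-in. All class names, fields, paths, addresses and passwords are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class AppPolicy:
    """What the broker expects of one registered application (hypothetical schema)."""
    cred_file_sha256: str  # digest of the secured credentials file issued to the app
    exe_path: str          # pathname the request must come from
    os_name: str           # operating system the request must originate from
    allowed_net: str       # CIDR block the source address must fall in


@dataclass(frozen=True)
class Request:
    app_id: str
    cred_file: bytes
    exe_path: str
    os_name: str
    source_ip: str
    target: str


@dataclass
class Broker:
    policies: dict   # app_id -> AppPolicy
    passwords: dict  # target -> current password
    audit: list = field(default_factory=list)

    def _log(self, event, app_id, target, detail=""):
        self.audit.append({"time": datetime.now(timezone.utc).isoformat(),
                           "event": event, "app": app_id,
                           "target": target, "detail": detail})

    def failed_checks(self, req):
        """Return the name of every check the request fails (empty list = pass)."""
        policy = self.policies.get(req.app_id)
        if policy is None:
            return ["unknown application"]
        failed = []
        digest = hashlib.sha256(req.cred_file).hexdigest()
        if not hmac.compare_digest(digest, policy.cred_file_sha256):
            failed.append("credentials file")
        if req.exe_path != policy.exe_path:
            failed.append("pathname")
        if req.os_name != policy.os_name:
            failed.append("operating system")
        try:
            in_net = (ipaddress.ip_address(req.source_ip)
                      in ipaddress.ip_network(policy.allowed_net))
        except ValueError:  # a malformed address counts as a failed check
            in_net = False
        if not in_net:
            failed.append("source address")
        return failed

    def checkout(self, req):
        """Release the target's password only if every check passes; audit either way."""
        failed = self.failed_checks(req)
        if req.target not in self.passwords:
            failed.append("unknown target")
        if failed:
            self._log("deny", req.app_id, req.target, ", ".join(failed))
            return None
        self._log("release", req.app_id, req.target)
        return self.passwords[req.target]

    def checkin(self, app_id, target):
        """Session finished: rotate so the value that was released stops working.
        A real broker would also change the password on the target system."""
        self.passwords[target] = secrets.token_urlsafe(24)
        self._log("rotate", app_id, target)


def demo():
    """Constructed scenario: one legitimate caller, one caller failing two checks."""
    cred_file = b"constructed-credentials-file-contents"
    broker = Broker(
        policies={"billing-batch": AppPolicy(
            cred_file_sha256=hashlib.sha256(cred_file).hexdigest(),
            exe_path="/opt/billing/bin/nightly",
            os_name="Linux",
            allowed_net="10.20.30.0/28")},
        passwords={"billing-db": "initial-constructed-password"})
    good = Request("billing-batch", cred_file, "/opt/billing/bin/nightly",
                   "Linux", "10.20.30.5", "billing-db")
    # Constructed rogue caller: right credentials file, wrong pathname and address.
    rogue = Request("billing-batch", cred_file, "/tmp/nightly",
                    "Linux", "10.20.31.9", "billing-db")
    released = broker.checkout(good)
    denied = broker.checkout(rogue)
    broker.checkin("billing-batch", "billing-db")
    return released, denied, broker


if __name__ == "__main__":
    for entry in demo()[2].audit:
        print(entry["event"], entry["app"], entry["target"], entry["detail"])
```

The deny record names every failed check rather than stopping at the first, which is what makes the audit trail useful when reviewing why a request was refused.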

Automating Best Practices in Privilege Management


Driven by compliance as well as security, many organizations have spent considerable effort
to make sure that ordinary user passwords conform to specific requirements for length,
complexity, and frequency of password change. Seldom are these organizational policies
applied with the same constraint and frequency on the privileged accounts within that same
organization.
Because of the potential impact on IT operations as well as on critical functionality, it is not
uncommon for privileged account passwords to remain unchanged from a vendor default
or initial setting. This may be especially true with application account passwords, since to
change them may require updating code embedded in an application or script. This often
leaves the highest degree of privilege exposed to the lowest level of diligence in due care.
The Cyber-Ark Enterprise Password Vault can close these gaps by automating the mainte-
nance of privileged accounts in ways that reduce a number of risks. Password changes for
interactive accounts can be automated by EPV according to organization-defined policy.
For application accounts, this capability can be delivered such that, after the initial change,
no further application updates are needed to support future automated password changes.
For application servers, Cyber-Ark provides a “no-code-change” capability that minimizes
downtime risks to mission-critical applications while introducing a higher standard of
policy, compliance or security enforcement. This balance helps organizations achieve an
elusive goal: assuring more effective control of multiple IT risks while assuring smooth IT
operations management.

The Cyber-Ark Enterprise Password Vault also facilitates more granular control over when,
where and how privileged access is granted. In addition to automating access provisioning
and approval processes, specific time constraints, time windows and length of access can
be defined. More specifically, EPV can help to limit access based on the location of the
requester to a specific machine, IP address or geographic location.

Integration with Accepted IT Management Processes


For some time, IT organizations have sought to resolve conflicts between IT operations
and security teams, who are often seen as having different agendas. Businesses that are
succeeding in resolving these differences often find that the harmonization of management
processes across security and operations teams is one of the most effective ways to close
these gaps. Vulnerability assessment, for example, often results in awareness of exposures
that must be jointly prioritized between security and operations teams. The remediation is
then often handed off to operations in order to assure that closing a security gap does not
expose the business to disruption of critical IT services.
The management of access control is another such process, not only affecting IT opera-
tions and security teams but individual users as well. Nowhere is granting access a more
sensitive issue than with high-privilege access to direct control over sensitive IT informa-
tion, where user interaction is vital to both IT performance and risk control. Yet here again,
as with other paradoxical gaps in the granular control of privileged accounts, processes for
the provisioning of high-privilege access are seldom as mature or well defined as they are
for ordinary users.
One of the most accepted methods of provisioning access is to leverage IT’s central focus
of process control: the service desk. Often, an individual user’s request for a user account or
access to specific resources is entered as a service ticket, which launches a defined process
for evaluating, approving and provisioning the access requested. While this has become an
accepted practice for managing ordinary user accounts, it is typically not as widely adopted
for managing privileged access.
Cyber-Ark closes this gap by integrating with ticketing systems, supporting IT process
management initiatives that seek to optimize IT performance by clearly defining critical
processes, and leveraging technology to automate process controls and assure their
consistency. Cyber-Ark’s Enterprise Password Vault accepts ticketing details and supplemental
information such as the reason for the request as part of the approval process. It also
feeds audit-relevant detail back to ticketing systems regarding the progress of the request,
who acted on it, when and how.
Recent EMA research indicates that enterprises who place a high emphasis on the definition
of IT management processes, assure that they are followed, and enforce consequences if they
are not followed, tend to be the highest performers in IT governance, risk management and
compliance. These high performers also have the most positive outcomes in terms of IT security
and risk control effectiveness. Leveraging the service desk as the focus of process discipline
central to multiple IT management objectives—from security and compliance to optimizing IT
operations—unifies these efforts and helps assure their consistency, making the service desk
a priority of IT management best practices. By integrating the privilege management lifecycle
with the service desk, Cyber-Ark supports accepted practices that have a significant bearing
on positive outcomes in IT risk and compliance control.

EMA Perspective
The paradox of poorly managed, high-privilege access is striking when compared to the
substantial progress made in recent years in the management of ordinary user identity
and access control. Driven by security and compliance concerns as well as by the need to
reduce IT support costs, identity and access management for the general user population
has defined best practices that have helped enterprises reduce risk and improve operational
performance.
Yet when it comes to the most sensitive access of all—that which has a direct bearing on
the effectiveness of IT risk control, as well as the integrity, availability and performance of
critical IT resources—this discipline remains strangely lacking in many organizations. If
the assumption is that trust without verification is poor practice when it comes to the general
user population, why should it matter less when it comes to the highest level of privilege
in IT?
Cyber-Ark helps solve the challenges of bringing greater security, discipline and control
to privileged access management, with minimal invasiveness to existing applications or
resources. Founded on Cyber-Ark’s solid Digital Vault approach to building a hardened platform
for securing privileged access information, the flexibility of the company’s Enterprise
Password Vault solution is well adapted to system superuser as well as application
environments, offering more effective linkage of individual actions with granularity of
control and visibility into activity detail.
EPV can be integrated with these environments without requiring re-engineering of application
systems or IT assets, and in ways that directly support IT service management best practices,
such as integration with the service desk and automating the privileged access management
lifecycle with high granularity in control.
Without adequate management of the single points of failure posed by poor controls over
high-privilege access risks, businesses are quite literally gambling on becoming the next
headline. Recent events have turned a spotlight on what has been one of IT’s most
uncomfortable little secrets, bringing these gaps into sharper focus among auditors and security
professionals worldwide as never before.
In Enterprise Password Vault, Cyber-Ark offers a solution that addresses the most
important concerns of privileged access control: high security for access information, extensive
granularity in visibility and control over privileged access definition, detailed and accurate
tracking of access for audit and risk management, and ease of integration with existing
resources and best practices. Together, these capabilities meet multiple IT governance, risk
and compliance objectives for balancing more effective control while assuring essential IT
performance is aligned with the top priorities of today’s technology-centric business.

About Cyber-Ark
Cyber-Ark® Software is a leading provider of Privileged Identity Management (PIM)
solutions for securing privileged user accounts and highly-sensitive information across the
enterprise. Long recognized as an industry innovator for its patented Vaulting Technology®,
Cyber-Ark’s digital vault products include: The Enterprise Password Vault™ for the
secure management of administrative, application and privileged user passwords; the
Inter-Business Vault®, a secure infrastructure for cross-enterprise data exchange of
highly-sensitive information, and the Sensitive Document Vault™ for secure storage and
management of highly-sensitive documents. Cyber-Ark’s award-winning technology is deployed
by more than 400 global customers, including 100 of the world’s largest banks and financial
institutions. Headquartered in Newton, MA, Cyber-Ark has offices and authorized partners in
North America, Europe and Asia Pacific. For more information, visit www.cyber-ark.com.



About Enterprise Management Associates, Inc.
Founded in 1996, Enterprise Management Associates (EMA) is a leading industry analyst and consulting firm dedicated to the IT management market.
The firm provides IT vendors and enterprise IT professionals with objective insight into the real-world business value of long-established and emerging
technologies, ranging from security, storage and IT Service Management (ITSM) to the Configuration Management Database (CMDB), virtualization and
service-oriented architecture (SOA). Even with its rapid growth, EMA has never lost sight of the client, and continues to offer personalized support and
convenient access to its analysts. For more information on the firm’s extensive library of IT management research, free online IT Management Solutions
Center and IT consulting offerings, visit www.enterprisemanagement.com.

This report in whole or in part may not be duplicated, reproduced, stored in a retrieval system or retransmitted without prior written permission of
Enterprise Management Associates, Inc. All opinions and estimates herein constitute our judgement as of this date and are subject to change without notice.
Product names mentioned herein may be trademarks and/or registered trademarks of their respective companies. “EMA” and “Enterprise Management
Associates” are trademarks of Enterprise Management Associates, Inc. in the United States and other countries.
©2008 Enterprise Management Associates, Inc. All Rights Reserved. EMA™, ENTERPRISE MANAGEMENT ASSOCIATES®, and the mobius
symbol are registered trademarks or common-law trademarks of Enterprise Management Associates, Inc.

Corporate Headquarters:
5777 Central Avenue, Suite 105
Boulder, CO 80301
Phone: +1 303.543.9500
Fax: +1 303.543.7687
www.enterprisemanagement.com 1702.080608
