CA PAM vs Cyberark vs Ekran System

Managing privileged users’ access to sensitive data helps you make sure that such data can be accessed only by those who legitimately need it. But relying solely on access management software isn’t enough to protect your organization from insider threats. To do that, you’ll need software that also includes insider risk management capabilities.

In this product review, we compare three solutions that provide extensive privileged access management (PAM) capabilities: CyberArk vs CA PAM vs Ekran System. We analyze their capabilities, deployment schemes, and licensing options. We also take a look at essential components of insider risk management: activity monitoring, incident response, and reporting.

Product Review: Summary

CA PAM by Broadcom has an extensive set of privileged access management capabilities. But you’ll need to purchase other Broadcom applications to obtain all-round access control. This makes CA PAM quite costly. Additionally, managing privileged access is the only real use case for this software. It has a very limited user activity monitoring and incident response feature set.

CA PAM is a suitable choice for large organizations looking for a dedicated privileged access management tool with a rich feature set.

CyberArk provides limited monitoring and response capabilities in addition to its strong privileged access and identity management toolset. The bastion host is the key weakness of CyberArk, making deployment complex. It also can become a bottleneck in high-load environments.

However, CyberArk is still a good option for large organizations that have the resources to manage it.

Ekran System is the most balanced of the three solutions. While providing an extensive PAM toolset, it ensures continuous user activity monitoring and quick and efficient incident response. And Ekran System is easy to deploy, since it doesn’t require changes in your environment. Maintenance is also quite simple thanks to automatic updates and helpful support.

With a flexible licensing scheme based on the number of monitored endpoints, Ekran System is a good choice for organizations of any size that need to both secure privileged user access and protect against insider threats.

Market and Focus Overview

	CA PAM	CyberArk	Ekran System
Description	Identity and access management software	Identity security and privileged access management software	Insider risk management platform
Target audience	Large organizations	Large organizations	Businesses of all sizes
Technical approach	Agent-based software	Bastion–host solution	Agent-based software
Deployment	Rack-mounted hardware appliance Open Virtual Appliance Amazon Machine Instance	Agent-based deployment Jump server deployment Open Virtual Appliance	Agent-based deployment (Windows agents can be installed remotely) Jump server deployment Optimized for virtual environments
Maintenance	Manual updates Subscription-based paid support	Manual updates	Manual control panel updates Automatic client updates 24/7 support
Price (average deployment cost)	$$$	$$$	$
Licensing	Base fee for system management infrastructure Additional fee based on number of monitored endpoints, users, or sessions	Base fee for system management infrastructure Additional fee based on number of monitored endpoints, users, or sessions	Pricing based on number of monitored endpoints Several licensing tiers

CA PAM, CyberArk, and Ekran System all help you prevent insider risks by controlling user access. In terms of licensing and deployment, there are several key differences between these solutions.

CyberArk and CA PAM are more suitable for large organizations because of their costly licensing schemes with fees based on system management infrastructure, endpoints, and users. CA PAM and CyberArk are tools that require significant effort to deploy and manage. The key difference between CA PAM and CyberArk is the deployment scheme.

CyberArk is the only bastion-based software in this comparison. It requires you to install a bastion host — a separate virtual or physical appliance that records all the data that goes through it. CA PAM is agent-based software, so it doesn’t require such an appliance. However, CA PAM users say that this solution is also challenging to deploy, as doing so requires DevOps knowledge and complex configurations.

Compared to CyberArk and CA PAM, Ekran System has simple licensing and deployment options. It offers flexible licensing schemes based only on the number of monitored endpoints, which is why small and midsize organizations as well as large enterprises can benefit from Ekran System.

Implementing Ekran System is a straightforward process that doesn’t require any specific knowledge or infrastructure configuration. The whole deployment process usually takes around 20 minutes. Also, you can always contact the Ekran support team if you need help with deployment or specific software configurations.

Deployment scheme for Ekran System Server Client

Deployment scheme for Ekran System Server Client

Overview of features and use cases

	CA PAM	CyberArk	Ekran System
Monitoring	Privileged user event recording and playback	Video recording of remote sessions Extensive collection of additional metadata	Full video recording of every local and remote session Opportunity to review user sessions in real time Extensive collection of metadata
Reporting	Customized audit and compliance reports for any user-initiated events	Privileged threat analytics Behavior analytics	Advanced report generation system for all user events
Incident response	Automated and manual incident response	Automatic session blocking	Custom and predefined real-time alerts Live session view Forced user messaging Automatic and manual user blocking Automatic application kill Automatic USB device blocking User and entity behavior analytics
Integrations	Active Directory SIEM Ticketing systems	Active Directory SIEM Ticketing systems	Active Directory SIEM Ticketing systems
Additional benefits	Support for CISCO networking devices Support for tokens and smart cards	Extensive privileged account security functionality Permission-based account management Tool for autonomous suspicious event detection	Lightweight agent with great performance High availability and disaster recovery Advanced driver-level agent protection Multi-tenant mode Automatic license provisioning for virtual environments Support for a free database Tools for autonomous suspicious event detection Employee privacy protection with anonymization Ability to brand reports and notifications

Session recording and monitoring

Monitoring and recording of privileged user activity in your environment is the key element of robust insider risk management. Among the three solutions under consideration, Ekran System provides the most extensive monitoring capabilities.

Ekran System monitors all user sessions, including local and remote. It also records user audio inputs and outputs. You can easily search through user activity records and review user sessions via a built-in YouTube-like player. User session records contain lots of metadata that provide context for a user’s actions:

Opened files and folders
Opened URLs
Launched applications
Connected USB devices
Executed commands
Keystrokes
And more

Reviewing user session records in Ekran System

Reviewing user session records in Ekran System

As Ekran System alternatives, CA PAM and CyberArk provide far fewer activity monitoring options. CyberArk only monitors and records sessions that go through its bastion, which means it has no knowledge of local and remote sessions. Also, it can be difficult to search through CyberArk’s records because this software stores them as plain video files.

CA PAM has the most limited monitoring capabilities. It only records certain events in privileged user sessions, which isn’t enough for establishing comprehensive insider threat protection.

Incident response and reporting

The faster your security team responds to a potential security incident, the better the chance you can stop it at the outset. All three solutions in our comparison offer features to respond to security violations.

When comparing CA PAM vs CyberArk, CA PAM provides more response options. CyberArk can automatically block a suspicious user only if it detects a security violation while monitoring user sessions. It does allow you to review behavior and privilege threat analytics.

CA PAM enables security officers to block user sessions manually or automatically. This solution also generates audit and compliance reports based on detected security events. Still, you can’t consider CA PAM’s response features complete, since CA PAM doesn’t continuously monitor all user activity and therefore can’t detect all security incidents.

Like CA PAM and CyberArk, Ekran System allows for manual and automated incident response. You can configure security rules to make the software automatically block a forbidden application or USB device. If you choose to manually respond to potential security incidents, your security team will receive alerts on suspicious user activity. Each alert has a link to a user session so security officers can review the suspicious session in real time, determine whether the user is doing something harmful, and block the user if needed.

Ekran System alerts on suspicious user activity

Ekran System alerts on suspicious user activity

Ekran System employs a user and entity behavior analytics (UEBA) module powered by artificial intelligence to detect unusual user behavior and alert security officers to it. For example, it sends an alert when the UEBA module detects a log-in during non-working hours, which can be an indicator of an insider threat.

You also can generate a number of reports in Ekran System or configure it to automatically send periodic reports to you.

Overview of privileged access management (PAM) features

	CA PAM	CyberArk	Ekran System
Secondary authentication
Multi-factor authentication
Control of shared accounts
One-time passwords
Administrator login approval
Privileged user accounts and session management (PASM)
Password management		(CyberArk Password Vault)
Account expiration control
Autodiscovery of privileged accounts
Password rotation

All three solutions provide extensive privileged access management (PAM) functionalities. As a CA PAM and CyberArk alternative, Ekran System provides you with features including:

Multi-factor authentication to verify user identities
One-time passwords and time-based access to allow users to interact with data for a limited time
Manual access approval to increase control over access to protected resources
Password management functionality for creating, storing, rotating, and disposing of privileged user credentials

Configuring multi-factor authentication in Ekran System

Configuring multi-factor authentication in Ekran System

CyberArk has a similar feature set with several exceptions. It provides password management in the form of a separate tool called CyberArk Password Vault. CyberArk also controls account expiration and automatically cancels all access rights for expired accounts. Additionally, this software automatically discovers privileged accounts in your environment.

Compared to CyberArk and Ekran System, CA PAM provides more PAM capabilities. In addition to the features mentioned above, CA PAM has extended password management capabilities. It supports password complexity and view policies that allow it to automatically reject weak passwords and change credentials if a user sees them.

However, CA PAM isn’t a standalone tool. You can ensure all-round access protection only by deploying additional Broadcom applications. For example, to manage privileged user identities or access to your servers, you’ll also need to purchase CA Privileged Access Manager Server Control and CA Privileged Identity Manager, deploy these tools, and configure their integration with CA PAM.