
CyberArk vs Teleport

Posted 22nd Mar 2023 by Michael Ferranti

What is CyberArk?

CyberArk is a privileged access management (PAM) solution. “Privileged access” refers to special access or abilities above and beyond those of a standard user, for example a database admin user or a site reliability engineer who needs access to a production server. Restricting elevated access privileges allows businesses to secure their infrastructure, data and applications. Effective privileged access management is often a requirement for achieving compliance objectives like SOC2, ISO 27001, and FedRAMP.

Protecting critical infrastructure requires a well-thought-out PAM strategy. However, traditional Privileged Access Management solutions like CyberArk have not kept up with modern developer practices. Traditional PAM solutions are complex to run and scale, slow developers down, and encourage insecure workarounds that leave organizations exposed to security threats and compliance violations. Read on for how Teleport differs from traditional PAM solutions like CyberArk.

What is Teleport?

Teleport is an open source, cloud native privileged access management solution for engineers and machines. Teleport delivers essential PAM capabilities such as zero standing privileges, just-in-time (JIT) access, activity logging, device attestation, and the ability to act as an identity provider, so that you can protect your critical infrastructure. For example, with Teleport you can easily enforce MFA, RBAC, and access to infrastructure only from specific client devices, in a developer-friendly and cloud native way.

Teleport vs CyberArk PAM

One of the most common complaints about PAM solutions is that they are complex to manage and hard to scale. Because Teleport was designed from the ground up to be run by modern DevOps teams using Infrastructure as Code practices, with Teleport you can run your PAM just like any other cloud native application.

Teleport’s architecture also differs from a traditional PAM solution like CyberArk. CyberArk grants access to privileged resources like servers, databases and applications based on secrets like passwords and keys. Teleport is completely secretless, removing the number one cause of data breaches: stolen credentials. This modern architecture is similar to how Google famously runs its BeyondCorp security model.

Additionally, Teleport was built to maximize developer productivity. Instead of constantly checking out credentials from a centralized vault, Teleport enables identity-based, passwordless access to infrastructure resources directly.

Teleport has been recognized by the analyst community as a cloud-native PAM. According to 451 Research: “‘Shifting left’ has become a thing in security circles, and addressing the needs of developers is no less true in the privileged access management market. Teleport’s Access Platform combines connectivity, authentication, authorization and auditing functionality into a single PAM platform that could rightly be viewed as ‘Okta for infrastructure.’” Read more about how Teleport’s cloud native PAM differs from CyberArk.

In summary, when comparing Teleport to CyberArk, it is worth highlighting several key Teleport features:

1. Teleport is open-source

We believe that the best security solutions are built in the open. You can view the Teleport source code here and contribute in our open community.

2. Teleport is secretless

Secrets like passwords and keys are the number one cause of breaches. Keeping secrets and passwords in a secrets manager like CyberArk is better than using Post-It notes, but they are still a breach waiting to happen. Teleport replaces secrets like passwords and keys, and privileged accounts like “admin”, with secure, short-lived certificates based on human and machine identity. Fundamentally, we believe that using secrets to access something as critical as infrastructure is a design flaw.

3. Teleport supports privileged access to modern tools like Kubernetes and cloud databases

Teleport provides native privileged access management and audit of cloud native technologies like Kubernetes, cloud CLIs (with AWS IAM, GCP and Azure support) and modern cloud databases (e.g., Amazon RDS, AWS DynamoDB, AWS Aurora, GCP Cloud SQL MySQL, GCP Cloud SQL PostgreSQL, Microsoft Azure PostgreSQL, Microsoft Azure MySQL, Azure Cache for Redis and many more).

4. Teleport can be deployed and managed using modern DevOps practices

For example, Teleport has a Terraform provider to configure and deploy Teleport as code.

5. Teleport is a full Zero Trust solution for your modern DevOps stack

Teleport combines an identity-aware access proxy with sophisticated authorization, audit and device attestation to provide a complete Zero Trust solution for infrastructure resources such as SSH, Kubernetes, modern databases, internal applications and even Windows. Read about how Teleport fully implements a BeyondCorp and Federal Zero Trust Architecture Strategy and how we ensure that only trusted devices are used to access infrastructure.

6. Teleport provides advanced security & compliance capabilities required by PAM solutions

Teleport is used by organizations with the sophisticated access control requirements needed to achieve FedRAMP, SOC2, ISO 27001 and other compliance standards. Below is a partial list of these capabilities, which you would expect in a PAM solution.

  • Dual Authorization: Workflows that require the approval of multiple team members to perform certain critical actions.
  • Session Moderation: Requires one or more other users to be present in a session. Depending on the requirements, these users can observe the session in real time, participate in the session and terminate the session at will.
  • Device verification: Teleport Device Trust requires that only registered devices can be used to access infrastructure resources.
  • Kernel-level logging: By using eBPF, Teleport enhanced session recording doesn’t just record what happens in the terminal, which can be obfuscated, but what happens down at the kernel level.
  • SSO Support: Teleport offers a range of support for SAML and OIDC SSO providers, including Okta, GitHub, Microsoft Azure AD and Google Workspace.
  • Session Locking: System administrators can disable a compromised user or node, or prevent access during cluster maintenance, by placing a lock on a session, user or host identity using Teleport’s API.
  • Per-session MFA: Teleport supports requiring additional multi-factor authentication checks when starting a new session, to protect users against compromise of their on-disk Teleport certificates. This is one of many extra options in Teleport’s role-based access control system, along with Device Trust and IP Pinning.
  • Strict session recordings: Administrators can optionally elect to terminate SSH sessions if there is a problem with a recording, such as a full-disk error.
  • Full identity provider: Teleport can be used as a complete replacement for existing identity management tools. As a SAML SSO identity provider, Teleport can be used by teams to access internal and SaaS apps.
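As an added illustration that is not part of the original page, the following shows how several of the controls listed above (dual authorization, short-lived certificates instead of standing credentials, per-session MFA, device verification, kernel-level recording and session locking) map onto Teleport's declarative resources, which is also the kind of configuration the Terraform provider mentioned in point 4 manages. The resource layout is assumed from Teleport's documented role and lock resource formats and should be checked against the Teleport version in use; the role names, labels, logins, user name and dates are constructed placeholders.

```yaml
# Added example, not the original page's content. Two role resources and one
# lock resource in the Teleport YAML resource format (assumed from the
# Teleport docs; verify field names against your Teleport version).
# Role names, labels, logins, user name and timestamps are constructed.

# Role every engineer holds by default: no standing access to production,
# only the right to *request* it, subject to dual authorization.
kind: role
version: v5
metadata:
  name: engineer
spec:
  allow:
    request:
      roles: ['prod-access']
      thresholds:
        - approve: 2      # Dual Authorization: two team members must approve
          deny: 1         # a single denial rejects the request
  deny: {}
---
# Privileged role granted just-in-time once the request is approved.
# The certificate issued for it is short-lived, a trusted device and a fresh
# MFA check are required per session, and enhanced (eBPF) recording is on.
kind: role
version: v5
metadata:
  name: prod-access
spec:
  options:
    max_session_ttl: 4h                         # short-lived certificate, no long-lived secret
    require_session_mfa: true                   # Per-session MFA
    device_trust_mode: required                 # Device verification (Teleport Device Trust)
    enhanced_recording: ['command', 'network']  # Kernel-level logging via eBPF
  allow:
    logins: ['app']
    node_labels:
      'env': 'prod'
  deny:
    logins: ['root']      # the shared privileged account stays unreachable
---
# Session Locking: cut off a suspected-compromised user immediately.
# The lock expires on its own; until then new and existing sessions are denied.
kind: lock
version: v2
metadata:
  name: lock-user-alice
spec:
  target:
    user: alice
  message: "Account suspected compromised; contact the security on-call"
  expires: "2023-03-23T00:00:00Z"
```

Resources in this format are applied with `tctl create <file>` (or managed through the Terraform provider); the `enhanced_recording` option only takes effect on nodes whose SSH service has enhanced session recording enabled. The design point is that the `engineer` role grants nothing standing: the `prod-access` role, its short certificate lifetime and its MFA and device checks are only ever reached through the approval workflow, and a lock revokes that access without rotating any secret.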

Teleport vs CyberArk

To conclude, both Teleport and CyberArk can be used to provide privileged access management for your infrastructure. If you are looking to manage access and audit for cloud-native applications like Kubernetes and cloud databases, with over 100 integrations, and want to manage your PAM using the same DevOps tooling and processes as the rest of your stack, you can try Teleport for free and see for yourself.