CyberArk Secrets Hub Licensing Details

An in-depth guide to determining the number of licenses needed and key considerations

Key Highlights

  • Secrets and Environment Complexity: The required licenses depend on the number of secrets, the organization’s structure, and different environments involved.
  • Connector and Safe Limitations: Each tenant supports up to 5 connectors, and each safe can hold up to 500 secrets, with an overall limit of 10,000 secrets per tenant.
  • Integration and Use Cases: The integration with systems such as AWS Secrets Manager and the various features in different environments also influence the licensing model.

Understanding Licensing Factors

Secrets Count and Organizational Setup

One of the most important factors influencing the number of CyberArk Secrets Hub licenses required is the total number of secrets that your organization manages. CyberArk Secrets Hub is engineered to handle up to 10,000 CyberArk accounts (or secrets) per tenant. In practical deployments, it is necessary to evaluate whether your secrets are centralized in one environment or spread out across multiple environments.

Additionally, if your organization is segmented into multiple environments such as production, development, testing, and staging, you might consider either dedicated tenants for each environment or a license model that can accommodate variations in access and management needs. The division of environments may require multiple licenses to ensure that no service limits are exceeded and that each environment is adequately managed.

Connector and Safe Limitations

The platform has built-in constraints that directly impact how many licenses you might need. Specifically, CyberArk Secrets Hub supports up to 5 connectors per tenant. This means that if you need to integrate with several different systems or cloud environments (such as AWS Secrets Manager, other cloud providers, or on-premises systems), you must plan your connector strategy accordingly.

Moreover, each safe within the Secrets Hub is designed to support up to 500 CyberArk accounts (secrets). If an organization manages a volume of secrets that exceeds these limits, additional licensing or scaling options, such as creating multiple safes, may be necessary. Each safe’s capacity should be taken into account when designing your overall security architecture.

Integration with Other Systems

In cases where CyberArk Secrets Hub serves as an integrative bridge, for example, between CyberArk Privileged Access Manager and external systems like AWS Secrets Manager, its role expands beyond simple secret storage. This integration not only provides centralized management and automatic rotation of secrets but also enhances security across multiple cloud accounts or regions.

For such integrations, especially in environments with extensive use of cloud services, you might need additional licenses to facilitate comprehensive coverage. It is important to align the number of licenses with the number of integrations and to evaluate whether each integration uses one or more connectors. This might entail licensing per connector or per integrated system, and thus, detailed planning is necessary.


Internal Considerations Affecting Licensing Decisions

User Count and Access Requirements

Another critical consideration involves the number of administrators or users who require access to manage secrets. Every individual involved in the configuration, auditing, and maintenance of secrets might necessitate their own dedicated license. If multiple teams within your organization require access, the aggregate user count could significantly affect licensing needs.

Some enterprise setups operate with stringent controls where licenses are mapped to individual users or roles. Evaluate how many corporate groups or team roles need to interact with the Secrets Hub. Such a detailed assessment ensures that you are not over-provisioning or missing out on necessary functionalities. In environments where high compliance or audit needs are present, a broader license allocation might be necessary.

Environment Segmentation and Scaling

Many organizations operate in segmented environments—separating production, staging, and development to minimize risks. Each segment may require its own dedicated tenant under licensing rules, particularly if there is a need to maintain isolated environments for security, performance, and compliance reasons.

Planning for scalability is also paramount. While CyberArk Secrets Hub is designed to operate efficiently even in large-scale environments, redundancy, high availability, and disaster recovery requirements may lead to planning for multiple installations or tenants. This in turn affects the overall number of licenses you would require.

Case Study: Multi-Environment Deployment

Consider a scenario where an enterprise operates with distinct environments: one for development, one for testing, and one for production. In this case, the organization might opt for either a multi-tenant architecture, with each environment requiring its own separate setup, or a consolidated model where environments share resources. The former typically requires more licenses because each tenant has its own limit of secrets and connectors. On the other hand, a consolidated model might reduce the number of overall licenses but requires careful planning to avoid exceeding the operational limits of Secrets Hub.
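
The trade-off in this case study can be checked against the limits stated earlier in this guide (5 connectors per tenant, 500 secrets per safe, 10,000 secrets per tenant). The sketch below is an added example, not CyberArk code or part of the original guide; the inventory, the names, and the one-connector-per-external-system mapping are assumptions, and it checks service limits only, not license counts.

```python
from dataclasses import dataclass, field

# Limits as stated in this guide; confirm against current CyberArk documentation.
MAX_SECRETS_PER_TENANT = 10_000
MAX_SECRETS_PER_SAFE = 500
MAX_CONNECTORS_PER_TENANT = 5

@dataclass
class Tenant:
    name: str
    safes: dict = field(default_factory=dict)   # safe name -> secret count
    targets: set = field(default_factory=set)   # external systems, one connector each (assumption)

def violations(tenant):
    """Return the list of limit violations for one tenant layout."""
    found = []
    for safe, count in sorted(tenant.safes.items()):
        if count > MAX_SECRETS_PER_SAFE:
            found.append(f"{tenant.name}: safe {safe} holds {count} > {MAX_SECRETS_PER_SAFE}")
    total = sum(tenant.safes.values())
    if total > MAX_SECRETS_PER_TENANT:
        found.append(f"{tenant.name}: {total} secrets > {MAX_SECRETS_PER_TENANT}")
    if len(tenant.targets) > MAX_CONNECTORS_PER_TENANT:
        found.append(f"{tenant.name}: {len(tenant.targets)} connectors > {MAX_CONNECTORS_PER_TENANT}")
    return found

def consolidate(tenants, name="shared"):
    """Merge per-environment tenants into one; safes keep an environment prefix."""
    merged = Tenant(name)
    for t in tenants:
        for safe, count in t.safes.items():
            merged.safes[f"{t.name}/{safe}"] = count
        merged.targets |= t.targets
    return merged

# Constructed inventory: three environments, each within limits on its own.
ENVIRONMENTS = [
    Tenant("dev", {f"s{i}": 400 for i in range(8)}, {"aws-dev-1", "aws-dev-2"}),
    Tenant("test", {f"s{i}": 450 for i in range(6)}, {"aws-test-1", "aws-test-2"}),
    Tenant("prod", {f"s{i}": 500 for i in range(10)}, {"aws-prod-1", "aws-prod-2"}),
]

if __name__ == "__main__":
    for t in ENVIRONMENTS:
        print(t.name, violations(t) or "within limits")
    print(violations(consolidate(ENVIRONMENTS)))
```

With this inventory each environment fits in its own tenant, while the consolidated layout exceeds both the tenant secret limit and the connector limit.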


Practical Table: Evaluating Your Requirements

The following table outlines various factors and guidelines that can help you determine the number of licenses your organization might need:

| Factor | Considerations | Impact on Licensing |
| --- | --- | --- |
| Number of Secrets | Evaluate total secrets managed across the organization. Max per tenant: 10,000 secrets. | High secret volumes may require multiple tenants or safes, affecting license counts. |
| Connector Limitations | Up to 5 connectors per tenant. | Multiple external systems or cloud integrations can push connector limits and require extra configuration or licensing. |
| Safe Capacity | Each safe can manage up to 500 secrets. | Distribution of secrets across multiple safes may lead to additional licenses if safe limits are exceeded. |
| User Access | Different user groups for administration and maintenance. | Essential to ensure every user has a license if licensing is user-based. |
| Environment Segmentation | Separate considerations for production, development, and testing. | May require additional licenses to isolate environments effectively. |
| External Integrations | Integration with AWS Secrets Manager and others. | Centralized management needs and connector usage might increase license consumption. |

Additional Licensing Considerations

Consulting CyberArk Documentation and Support

While this guide provides a structured approach to evaluating the number of licenses needed, the definitive method to determine the exact number is by consulting directly with CyberArk or through their up-to-date documentation. Licensing policies can evolve, and CyberArk may offer additional licensing models, bundles, or special conditions based on evolving cybersecurity needs.

CyberArk’s official documentation and support channels provide nuanced insights, particularly for organizations with extensive security landscapes. Moreover, authorized vendors such as Insight or CDW can also offer guidance tailored to your specific deployment scenarios.

Integration with AWS Secrets Manager and Other Services

For organizations leveraging AWS Secrets Manager alongside CyberArk Secrets Hub, it is essential to note that integrating with multiple AWS accounts or services may introduce additional licensing considerations. These integrations are designed to streamline the management and rotation of secrets and enhance security across various platforms.

As CyberArk Secrets Hub acts as the bridge between CyberArk’s privileged access management and external secret management services, the corresponding licensing might scale based on the number of integrated services and the complexity of the integration strategy.

Scalability and Future-Proofing

Security needs evolve, and planning ahead for scalability is crucial. The current licensing requirements might be sufficient for today's needs, but as your organization grows and new integration opportunities develop, it might become necessary to reassess your deployments. Adopt a flexible strategy that permits scaling the system while keeping costs and licensing overhead reasonable.

It is also wise to periodically review your architecture, especially if you are adding new business units or deploying additional services that will increase the total number of secrets or require more connectors. This proactive approach ensures that you're not caught off guard by licensing limitations.


Summary of Key Licensing Determinants

Critical Determinants in a Nutshell

Licensing follows a multi-dimensional evaluation based on:

  • Total Secret Volume: Maximum secret limits per tenant, safe configurations, and distribution strategies play a pivotal role.
  • Connector Integration: With a limit of 5 connectors, the design of your integration with other systems will heavily dictate licensing distribution.
  • User Access Management: The number of users, their functional requirements, and the operational scope likewise influence the licensing needs.
  • Environment Segmentation: Isolated environments for production, development, and testing may require separate licenses to maintain operational integrity.
  • Third-party Integration: The inclusion of external secret management tools, like AWS Secrets Manager, introduces another layer of complexity that may necessitate additional licenses.

Each of these aspects should be weighed together when creating a comprehensive licensing strategy, ensuring that you are both compliant with CyberArk's policy and optimized in your asset management.


Last updated March 6, 2025