CyberArk Privileged Access Manager Reviews

I started as a CyberArk administrator for a fairly large bank in the US. They are a large global company. They formed a US branch, and I was the sole CyberArk administrator there. They had a basic CyberArk setup, and that is where I gained my initial experience before moving on to consulting.

My first consulting gig was for two and a half years with a defense contractor. They had a very complex environment. The complexity is typically gauged, especially for PAM products, by the number of passwords being managed. Many organizations have 10,000 or 20,000, whereas this organization had 750,000. This included the number of machines required to rotate all these passwords and integrations with their API and SailPoint to provision and de-provision users. We initially helped them change from a standalone vault architecture to a clustered vault architecture for high availability failover. Once we completed that, our work expanded, similar to being the IT person for the family—each task leading to another. This extended our engagement.

CyberArk Privileged Access Manager provides granularity. You can break things down into individual safes. You have specific access to safes by individual or group. The interface is with AD, with LDAP, or with local CyberArk passwords. You also have the ability to establish policies for your individual credentials. If you want them rotated at a certain time of day or you want the password complexity to forbid certain characters, you can create a new policy and fine-tune those elements. It provides excellent granularity because you can control all the factors related to password complexity requirements, password rotations, allowed connections, etc.

CyberArk Privileged Access Manager’s ability to safeguard the infrastructure is extremely important. Otherwise, clients would be keeping passwords in Excel spreadsheets. Consider having an isolated, non-domain joined vault that cannot be accessed from DNS. The vault itself takes over control of the local Windows Firewall and even things as simple as emails. It keeps the ports closed. If it is time to send out a notification to someone, it opens the port, sends the email, and closes the port. It cannot get any more secure than the vault system of CyberArk. People who land on a user credential and try moving laterally throughout your network, scraping RDP connections or hashes, will never find any information about how to get to the vault because it is non-domain joined.

CyberArk Privileged Access Manager is excellent for meeting compliance and regulatory requirements. The need for compliance is the main reason why organizations implement a PAM solution in the first place. They have to be SOX compliant in terms of log retention, audits, and even video recordings of people's actions. They all have varying retention periods depending on the organization.

CyberArk Privileged Access Manager provides operational efficiency with automation. It saves a lot of time for password rotations, managing SSH key rotations, and doing automated discovery at periodic intervals to reach out to your servers and check which credentials are there on those servers. If they are not managed in CyberArk, they are added to your CyberArk queue to be onboarded and automatically managed. These things save a lot of time throughout the organization.

The primary use case for CyberArk Privileged Access Manager in our organization is to ensure we move away from named identity admin access, which lacks protection such as MFA and other features offered by cloud privileged identity management solutions. Our goal was to protect anything on-prem related to Active Directory privileged access, so we chose to go with CyberArk Privileged Access Manager.

I am the cybersecurity lead in my organization. Every single year when we do the audit, one of the things that consistently comes up is how there are hashes floating around the environment. Since switching over from named admin-privileged identities to CyberArk PAM identities, like PAM accounts, there have been almost no breadcrumbs left behind. There are no hashes and that sort of thing. We hardly see any hashes floating around the environment. We have not done the audit yet, which is due next month, but I have been keeping an eye on the hashes and it is looking promising.

We are a consulting company, and we provide consulting for solutions like CyberArk, HashiCorp, and similar offerings. I provide consultancy for various industries such as finance and hospitality.

Our clients use this solution for their critical assets and crown jewels. They want good identity and access management or privileged access management for their critical assets. A lot of mid-tier clients would have also implemented CyberArk on their servers if its pricing was better. Usually, they deploy it for their critical assets. They have implemented policies, just-in-time access, etc.

Having an efficient Privileged Access Management solution like CyberArk helps you stop bad actors early in the cyber attack chain process. You have an additional layer of security for your assets.

CyberArk Privileged Access Manager provides a good amount of granularity in giving access.

CyberArk Privileged Access Manager has a policy for blocking out everything as per the Zero Trust model, which can be helpful in a breach situation.

CyberArk Privileged Access Manager ensures data privacy by locking down your assets and recording each and every instance. That helps with the data information protection piece.

Privileged access management solutions like CyberArk Privileged Access Manager make it difficult for malicious entities to gain information or expose sensitive assets. Even if a specific asset not part of the PAM group gets breached, your critical information remains safe as access to specific resources or ports is not allowed. Implementing privileged access management in a way that blocks necessary threats makes it difficult for bad actors to access sensitive information.

The use case of privileged access management is self-explanatory. A large telecommunication company like ours needs to protect our privileged access because every attack cycle has privilege escalation, and we have to stop attackers at this point. 

We have a lot of vendors or third parties working with us. They need to access our resources. The trust level of external third parties is lower than direct employees, so we do not want to share our critical credentials with them. That is our primary use case. 

Another use case is managing internal employees, especially highly privileged administrators. Furthermore, the critical business applications and areas throughout our IT infrastructure involve privileged access, and we aim to protect those. We want the ability to audit and have real-time control.

I appreciate CyberArk's real-time capabilities. I can secure critical sessions, such as SSH or database sessions. As a security professional, I have real-time visibility into ongoing sessions. If anything suspicious occurs, I can terminate or freeze the session, which is part of user behavior analytics. 

We can monitor and have real-time control over our environment with sessions coming from around the world, ensuring security. We have visibility and control through real-time user behavior analytics. That is my favorite feature.

My first use case is seamless recording and seamless connection to the area target, as well as the recording of ten sessions with command restriction. This is the first use case. 

Secondly, I can perform password rotation without needing to know or use the password of the privileged account. I can connect and rotate my password as needed. Various customers have password rotation for each day. 

These are the two main use cases currently employed: password rotation and a seamless connection to end targets with the recording feature.

It's a one-stop solution. Whatever I need, whether securing identity, web applications, privileged accounts, RDP, Windows, Linux, or other devices like switches or firewalls, CyberArk supports it fully. It eliminates the need for me to search for other solutions.

Its identity compatibility with CyberArk Identity Solution provides extra security, including free MFA with the licensing cost. Premium accounts can increase security using the EnCon Privileged Manager. CyberArk's integration with PaaS solutions makes it the most comprehensive solution, eliminating the need for me to explore other Gartner solutions.

I use CyberArk Privileged Access Manager to manage privileged access within the organization.

By implementing CyberArk Privileged Access Manager, we wanted the management of periodic password rotation, management of privileged access, and discovery of privileged access.

CyberArk Privileged Access Manager’s ability to safeguard credentials for our organization is very important because it helps in managing the keys to the kingdom, especially the privileged access for various platforms. It is quite important for the organization, and it is one of the must-have applications. It plays a key role in managing privileged access for the organization.

We are able to manage close to 20,000 accounts without many cases by using out-of-the-box features available in CyberArk Privileged Access Manager.

CyberArk Privileged Access Manager helps in meeting certain compliance and regulatory requirements and closing any gaps.

CyberArk Privileged Access Manager has not helped reduce MTTR. When we have an incident with CyberArk, it takes time for us to recover. There is always an increase in MTTR because of the complexity of the CyberArk infrastructure itself.

From an operational efficiency perspective, CyberArk Privileged Access Manager has reduced a lot of manual work, such as changing passwords and managing privileged access accounts manually. By automatically rotating passwords within a set period of time, it streamlines many processes. It has improved operational efficiency for privileged access, but managing the infrastructure is one of the things that we are working on. It is a complex product. 

CyberArk Privileged Access Manager has not helped reduce the number of privileged accounts in our organization. Privileged accounts are the key entities within CyberArk. There has not been any decrease in the number of privileged accounts, but there are areas that we, as an organization, have not touched, such as cloud infrastructure, etc. We are working closely with CyberArk engineers to have them onboarded and manage those privileged accounts through CyberArk. That is in our road map.

I use CyberArk Privileged Access Manager to manage the privileged credentials of our environment.

When I arrived at my company, CyberArk Privileged Access Manager was already deployed, so I didn't set it up myself. However, I've increasingly taken over its management during the past five and a half years. I saw its benefits almost immediately. Much of the value is tied to user adoption; as the end-user base becomes more familiar with CyberArk and embraces it, the benefits increase. Conversely, when we have users who know CyberArk exists but don't trust it, prefer their own methods, and avoid using it, its effectiveness is reduced. Ultimately, the more users embrace CyberArk, the greater the benefits I observe.

With CyberArk Privileged Access Manager, the main idea is to control third parties of the organizations. A lot of banks usually work with integrators abroad, and they want to control those connections from the third party to their infrastructure, including the ability for the CISO or security officer to watch online the session of technical support provided by the integrator. That was the most common use case. 

Another use case is to control IT personnel, where the information security team manages what actions they perform at higher privilege levels in the infrastructure. So, those two use cases are the most common.

The most valuable features in CyberArk Privileged Access Manager are session recording, role management, and access control division. Different groups can use all the abilities of the administrative role, and customers can divide their teams into auditors, administrators, and CISOs. 

The storage of passwords is also brilliant. Everything is stored in a highly protected area, allowing customers to use a single sign-on approach to connect to infrastructure servers necessary for their daily activities.

The impact of CyberArk Privileged Access Manager on customer operational efficiency is quite positive. While we cannot provide exact figures, the effectiveness is apparent, though we lack specific data.

Assessing CyberArk Privileged Access Manager's ability to prevent attacks on financial services infrastructure is quite complicated, as customers usually do not share information about attacks or prevention. During POCs, before selling the solution, we run common attack simulations that typically occur in the financial sector, such as lateral movement. We have tested various attack scenarios in testing mode where CyberArk is installed, and we have shown to our customers that CyberArk successfully mitigates those attempts.

CyberArk Privileged Access Manager has helped reduce the number of privileged accounts to a minimum over the years. When we start working with CyberArk in customer infrastructure, the first thing we do is run the Discovery feature, which shows all the administrative accounts in different information systems. The next step involves addressing accounts that are unnecessary or could be used for malicious activities, so reducing administrative accounts is typically the second or third step after integrating the system.

CyberArk Privileged Access Manager indeed helps meet compliance and regulatory requirements for customers, especially in the financial sector, by aligning with PCI DSS standards. Consequently, customers are very satisfied when auditors evaluate their compliance. When assessing CyberArk Privileged Access Manager for ensuring data privacy, the focus mainly lies on password management. I have not encountered customers using the storage solutions for anything other than passwords, making it challenging to discuss broader data privacy. The primary data customers prefer to store consists solely of passwords.