Examples of the 83,000+ reviews on PeerSpot:

NajibulIslam - PeerSpot reviewer
Technical Account Manager (Information Security) at Trustaira
Reseller
Top 5
Good pricing, easy to set up, and good reliability
Pros and Cons
  • "Support is helpful."
  • "We find the documentation hard to understand."

What is our primary use case?

We primarily use the solution for privileged access management. 

Delinea Secret Server is like a vault for the users to store their device passwords and is also used for auditing sessions monitoring password production, et cetera.

What is most valuable?

The most valuable feature is the subscription on offer.

We like the policies that can be put in place. The password duration backup part and even the pipeline are useful. 

The solution offers useful APIs as well. 

We find the initial setup to be simple. 

It's scalable. 

The stability is great. 

The pricing is good.

Support is helpful.

Account discovery and asset discovery are easier in Delinea than in other solutions.

What needs improvement?

Occasionally, the proxy does not work so well, for example, when the custom client application is integrated with a Teams solution.

The server integration needs improvement. 

We find the documentation hard to understand. 

Support can sometimes be slow. 

For how long have I used the solution?

I've been working with the solution for the last two years. 

What do I think about the stability of the solution?

The solution is stable. It's reliable. There are no bugs or glitches. It doesn't crash or freeze. 

What do I think about the scalability of the solution?

The solution would work well for medium to large organizations. The solution can scale. 

How are customer service and support?

While support is good, sometimes the documentation, especially for newer features, is not. That can be a challenge. 

The support team can sometimes take a while to solve issues. While they do tend to solve problems, it does take time. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We previously used BeyondTrust and WALLIX.

I found the licensing simpler with Delinea. BeyondTrust, for example, required the purchase of different licenses. WALLIX similarly needed more complex licensing. 

How was the initial setup?

It is pretty easy to set up the product. It's been straightforward, according to my experience. 

I can deploy the solution in eight hours. However, it takes five to six days for the full implementation. 

In terms of maintenance, if the team is good, it can be handled in-house. We have three people working on the solution currently.

What about the implementation team?

I handled the implementation myself. However, it depends on the organization's policy. If there's a team in place that understands the solution, it can be done internally. Otherwise, it should be handled by a vendor, for example. 

What's my experience with pricing, setup cost, and licensing?

While I cannot speak to the exact pricing, it is a bit cheaper than other options. 

I'd rate the affordability a five out of five. 

What other advice do I have?

We are a partner of Delinea. We are a reseller, and we have already deployed for six clients in Bangladesh. There are many more POC contacts in the works for different customers.

I am working with the latest update of the solution. 

I'd recommend the solution. I'd rate it eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PAM Architect at a tech services company with 11-50 employees
MSP
Top 10
Their discovery engine is off the charts, and the ease of administration and implementation they talk about is for real
Pros and Cons
  • "Its number one feature is discovery. The discovery engine in BeyondTrust is off the charts. When they perform a discovery, you know everything there is about a server, including what software is installed. For example, if you want to group all of your database servers together, you can do that by using discovery and Smart Rules. If a server has Microsoft SQL installed, it gets put into a group based on a Smart Rule. It makes it very easy to determine what is what in your environment. As organizations grow or acquire other companies and merge, they lose track of what they have. BeyondTrust can help you throw a rope around it very rapidly."
  • "If there was one thing, it would be having the documentation standardized. They should keep the documentation consistent. For example, when BeyondTrust updated one of their admin guides, they left out the information on the discovery account requirements, and then over a period of time, we ended up having to search multiple different documents to put together a string of information for a specific topic, which was problematic. It was minor, but it was problematic. Standardized documentation would be the one thing I would suggest."

What is our primary use case?

It is used primarily to adhere to SOC compliance and to provide what we call user/administrator segregation.

We are an MSP. We do manage services, but we also do a lot of other things. We implement as well as do ongoing managed services. We don't use it in our organization. We have it in our lab set up as a running service so that I can go there and test something just to see what'll happen because I can do a snapshot of my system and then revert if things go wrong. That's something that I don't want to experiment with in a client environment, even in a test or a dev environment. I just want to test something. I can do that in our lab, but our organization does not use Password Safe.

How has it helped my organization?

BeyondTrust's discovery is off the charts. It doesn't just discover servers and user accounts, it also discovers the services, such as Microsoft services, and scheduled tasks. For example, if you want to change a password on a Windows service, which is also linked to other scheduled tasks or IIS app pools, just changing the password on the service is going to break the scheduled task and break the IIS app pool. BeyondTrust is able to dynamically discover and manage all three tasks of synchronizing, stopping, and starting the services as the passwords are being rotated. It is quite intuitive.

When we have services and devices that are in a red zone, which includes the internet-facing devices or the devices in the direct internet compartment, the password vulnerability is what we are trying to handle. The primary factor that makes a lot of security officers feel better is that passwords can be made long and complex, but even a very long and complex password over a period of time can be cracked. BeyondTrust allows you to not only do long and complex passwords but also regularly schedule rotations that are well within the timeframes of being able to crack a password. A password with 26 characters, 8 to 10 special characters, and an uppercase/lowercase combination will take IBM Big Blue six months to crack. In those six months, we would have changed that password 10 times or more. So, the password that IBM Big Blue is crunching on to crack has already been changed, rendering the previous password that might have been compromised inert.

It is useful for segregating user accounts. A common scenario is that a user receives an email and even though the email comes from somebody the user doesn't know, the user opens a Word document. The user gets a macro virus and is compromised. If it is just a regular user in the environment, it is only a disaster, but if it turns out that in that client environment, that user also happens to be a domain administrator or a local server administrator, it is armageddon. So, we use BeyondTrust to segregate user accounts where the domain admin connects to BeyondTrust with his user account, which also has a counterpart matching ID in BeyondTrust. When he connects to the endpoint devices to perform his job, the account that he is connecting to in BeyondTrust has the privilege. So, when he connects to BeyondTrust, he authenticates with his user account and connects to what I refer to as a dedicated admin account. That dedicated admin account is session recorded and keystroke logged. You have all the tracking records and Windows logs. Everything is captured, and then when the user is done, he logs off and continues on his workstation as a regular user again. The session is completely segregated.

So, we're able to provide user/administrator segregation. The reason I do the dedicated admin account is that, with multi-user shared accounts, it is a little bit more difficult to quantify who did what. It can be done, but it is just more difficult. With a dedicated admin account, it is one-to-one rather than one-to-many or many-to-one. BeyondTrust Password Safe provides the ability to do all of this with rules. They have template capabilities built into the product. All you have to do is customize Smart Rules to perform your action. That's the beauty of BeyondTrust. I don't know what I would do if I had to go back to another solution that did not have them. I've worked with other privileged management solutions. For me, not having BeyondTrust Smart Rules would be taking a step backward.

It is important that Password Safe provides integrated password and session management in one solution. When you have it in one solution, you don't have two devices to manage because at a certain point, if you need a secondary component to perform something that the original solution does not perform, that's another managed system that you have in your network, which adds on a transparent cost. Having password and session management in one solution keeps all of your administration within one application.

Its customization features help us to manage most assets, databases, and applications, which is critical. We are able to work and visually connect with various platforms, such as Linux, Unix, Ubuntu, etc. Ubuntu is being used a lot for small edge solutions because it is inexpensive. It is also easy to manage because it is a Nix platform. People put a lot of Ubuntu-based solutions on their edge devices, such as secure remote access or an HTML5 gateway. We're able to manage all of that within one interface in BeyondTrust.

The Team Passwords feature has been hugely helpful for securely storing credentials owned by small groups outside of traditional privileged user roles. When you go into an organization, you've got people who are storing passwords in KeePass, or they've got PW Safe, which are free downloadables. The next thing you know, you have got 200 or 300 developers and administrators with all these individual solutions, and sometimes, some of them need to share them with each other. Team Passwords is your one-stop shop for all IDs and passwords that are not necessarily dedicated to a specific device. Just the IDs and passwords can be stored and allowed access by groups. We're doing a huge migration to Team Passwords, and we've developed APIs for creating the environment and importing the passwords. Tens of thousands of IDs and passwords are going into it. It is amazing. I remember 20 years ago, somebody was bragging about a password safe solution they did in Lotus Notes. I still giggle about that because Lotus Notes is fat, and it was very complex. Team Passwords is visually intuitive. My teenage daughter could sit down and do it.

So, this client had multiple password storage solutions. They first ended up installing Thycotic Secret Server because they also had certificates and a couple of other different types of authentication solutions, but they were veering away from certificate-based and needed an ID and password solution. The Thycotic solution was also out of date. The SQL database was falling apart. It was used to its maximum extreme. Considering they were already using BeyondTrust Password Safe, Team Passwords was a natural blend. 

In one of the cases, an engineer had a fairly large KeePass solution, and when he left the company, his workstation was re-imaged. They ended up losing information for a significant number of devices. They happened to be network-oriented devices such as routers and switches. To this day, they are gathering all those previous IDs and passwords. Now, with BeyondTrust Team Passwords, all they have to do is to add a user to a group, and they now have access to all those IDs and passwords rather than somebody walking out the door with them or them getting wiped in a system re-image. They are in one location where they could be backed up and secured.

What is most valuable?

It starts with discovery. Its number one feature is discovery. The discovery engine in BeyondTrust is off the charts. When they perform a discovery, you know everything there is about a server, including what software is installed. For example, if you want to group all of your database servers together, you can do that by using discovery and Smart Rules. If a server has Microsoft SQL installed, it gets put into a group based on a Smart Rule. It makes it very easy to determine what is what in your environment. As organizations grow or acquire other companies and merge, they lose track of what they have. BeyondTrust can help you throw a rope around it very rapidly.

Its user interface is really nice. It is very visual. When you first log in, based on your job role, you see what you have access to when you look at the screen. As an administrator, I see the configuration screen where I can go in and modify Active Directory and authentication connections. I can set up SAML, or I also have access to create Smart Rules. The access is based on the role that you have when you log in. I have six boxes or six categories of administration items, whereas when an admin user connects, he would only have one or two. So, based on your role, you see what you have access to. It is not like you click something and then it fails because you're not an administrator at that level. You actually see what you have access to, and BeyondTrust is very good at that.

BeyondTrust provides the ability to connect by using not just the web interface but also the admin tools such as MobaXterm, PuTTY, or a lengthy list of other types of tools. You can use the connection string and connect through BeyondTrust, and it will be session recorded, keystroke logged, and highly available. When you bring up MobaXterm, you probably bring up one of the most complex ones because MobaXterm has the ability to have two, three, or four concurrent connections, which makes BeyondTrust Password Safe ideal.

It is very easy to integrate session management into existing business processes. To make it easy for the engineers, we created templates of the connection strings and then used, believe it or not, Microsoft Excel to create custom strings for each of the engineers. We exported them to a text file that they could then import. In the case of PuTTY, because PuTTY stores the connections and the credentials in the registry, we had to do something different there, but the connection string is customizable enough to make the job fast and easily repeatable for all the other engineers. You don't have 20 or 30 engineers spending two or three days creating all these connection strings. I can create them in a matter of minutes with a Microsoft Excel spreadsheet and then save them to a text file or a CSV file. It is awesome.

We are able to integrate session management without disrupting business processes. One of the niceties about BeyondTrust is the ability to integrate it with ticketing systems. For example, as per Sarbanes-Oxley, we have to have a reason for why an administrator is performing something. The integration with a ticketing system is ideal rather than manually typing the reason in the reason field through the GUI where most engineers, after a while, end up just typing in Work. They don't put in enough data to make it clearly visible why they connected. The integration with the ticketing system is ideal for that. Ticket-driven access makes the work very quantifiable.

What needs improvement?

If there was one thing, it would be having the documentation standardized. They should keep the documentation consistent. For example, when BeyondTrust updated one of their admin guides, they left out the information on the discovery account requirements, and then over a period of time, we ended up having to search multiple different documents to put together a string of information for a specific topic, which was problematic. It was minor, but it was problematic. Standardized documentation would be the one thing I would suggest.

For how long have I used the solution?

I have been using this solution for two years, but I also have previous experience with BeyondTrust. There were other BeyondTrust products that I was intimately familiar with that gave me the confidence to move forward with the BeyondTrust Password Safe. I previously worked with PowerBroker for Unix Linux, but it was not in the password space.

What do I think about the stability of the solution?

It is awesome. It is very good.

What do I think about the scalability of the solution?

It is very good. The scalability is dependent on how much CPU, memory, and space you want to put at it. There is a certain point of diminishing returns where it might prove better to have a high availability solution where it is active-active, and you have one part of the organization that is going to be primarily hitting one server, and one will hit the other for a load balance, but I haven't yet gotten to that requirement.

How are customer service and support?

I have interacted with them intimately and regularly. I would rate them a 10 out of 10 because they have not just one; they have staff to bounce things off with each other. They're very quick and very responsive and very good. You're not treated like a number. Once we were setting up a special configuration, and one of their engineers said, "Hey, send me your MeetMe, and I'll join your call." Wow, that was nice.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We manage other solutions, such as CyberArk. A lot of our clients are at various stages. Some of them were uncertain about their existing privilege management solution, and they weren't updating it. They didn't continue the support packages with the provider, and they were in a state where they were unsure about what they wanted to do. We've had both experiences where we've gone in and, based on their organization, recommended upgrading or continuing the support of their existing CyberArk or Centrify solution. In some organizations, we've recommended switching to BeyondTrust.

How was the initial setup?

When I went in, it was already set up, but I'm installing additional BeyondTrust Password Safe solutions. I manage services, and I'm also implementing Password Safe for new environments. 

It is a little bit of a blend of straightforward and complex. If there is something you leave out or you miss, you're going to feel it later. For example, you missed a step for configuring Windows component services because you went to lunch and forgot to click OK. Your screen went into the screen save mode, and you lost the information that you had put in, and you left that out. You're going to feel it later. However, luckily, they've got incredible logging built into the product, and you can look at the logs and be able to diagnose what went wrong. If you follow the installation uninterrupted, you can implement BeyondTrust Password Safe in a day. That would include integration with Active Directory and setting up the basic features like discovery. 

BeyondTrust can provide you with an appliance, which is a hardware device, or you can install an appliance-type image onto a Windows server and have your own appliance. It just won't be a dedicated appliance. Many organizations would like to have easily managed systems, and the BeyondTrust appliance methodology, even though superior, can make it more difficult to manage in an environment because it has to be handled as a specialty appliance. It is not a positive, but it is not a negative either. It is an organizational decision that needs to be made on how they want to manage the device, but either way, it can be done.

I will be implementing hybrid cloud environments as well. We are doing a blend with 80% full on-prem and the other 20% of the development is towards a cloud-based solution, primarily for a segregated environment. We are working with a lot of edge services with our clients. For example, they'll have a secure compartment for a specific application, where Windows, Linux databases are being run within this compartment, but they are managed by an external team. Most of the security has been focused on just preventing who has the access, but it doesn't answer the problem of what they are doing when they are in the compartment, and we're using BeyondTrust for that. So, we are having two layers of security. We not only have access control where getting into the compartment is taken care of, but once they're in, we can also granularly control what they have access to and what they can do. We have session recording and keystroke logging for audit records. So, we're blending. Currently, we're developing such a secure compartment, and we're going to have one BeyondTrust Password Safe server in the cloud. It is going to be an active high availability solution that'll have a paired server, but it is going to be on the local network. We will possibly be doing one complete cloud solution in the Amazon compartment.

In terms of duration, the longest part of my job is waiting for account provisioning. I'm usually waiting on Active Directory or Linux or database account provisioning. I spend more time waiting than implementing, but then I just move on to another organization or another environment and continue. I keep a rapid rotation, but account provisioning is the lead time.

What about the implementation team?

You pretty much do it yourself, but BeyondTrust has an incredible case system where you can submit requests. You can do it for information where you're just asking a question about something, which I did for discovery accounts, or you can submit that your server is having an error and something is not working properly. You can create a higher priority ticket and submit it. BeyondTrust has a way to export a package that will provide them with the files that they need from the system to perform a diagnostic, and then they can tell you what you need to do. It is pretty cool.

For migrating end users to Password Safe, an organization needs to make several decisions. They first have to decide whether they're going to use multi-user shared accounts, where they will have one account that six or eight people can use, or they're going to have dedicated admin accounts, which is my preference. It is slightly more complex, but it makes it much more secure. So, that would vary from organization to organization.

For upgrades, they have an incredible updater. That's what it is called. It automatically detects and is connected to BeyondTrust, and you'll be notified that upgrades are available. You can set them to be automatic or not. There are some updates that you don't want to be automatic because you might want to do a snapshot of the appliance before the update because some updates can cause problems. I haven't experienced that yet, but you have the option of automatic or manual provisioning of the updates. You can schedule them based on off hours, for example.

It is very robust in the area of maintenance. Part of the problem is when things are going so well for so long, you forget about it. That's why we schedule all of our activities so that all of a sudden or six months later, we don't discover that a server is having severe issues. We just manage by the clock, but BeyondTrust Password Safe is very robust in the area of keep running. It runs, and it also has other types of capabilities that are built into it. For example, if the session recording and keystroke logs are stored on the actual appliance or server, they eventually will take up a lot of disk space. In my lab, I experienced a crash because I ran out of disk space. BeyondTrust has the ability to very easily redirect the storage of session recordings and keystroke logging to a network drive and off the appliance. I'm glad I was able to experience that in my lab rather than getting a call from the client that their server is crashing. If you have a high volume and a lengthy time frame for which you want to save the session recordings, being able to save them to a network drive is incredible.

What was our ROI?

The time to value, or the amount of time it takes to see benefits, varies by the organization because some organizations have a different plan right up front, but the time to value with BeyondTrust is fast. It is a very rapid return on a visual inspection of whether you are meeting your goals and objectives. You'll see it very fast.

What's my experience with pricing, setup cost, and licensing?

When you buy Password Safe and perform your initial Discovery, you have all these servers that are added to your assets in BeyondTrust, but you're not using a license until you actually start managing the systems. BeyondTrust's licensing is based on the systems when they're managed, which means when an administrator is able to connect to the server through BeyondTrust with a managed account. There would be a privileged account on the endpoint when the licensing starts. A significant advantage to that is that there are many organizations that want to evaluate their environment prior to automatic management. For example, they are going to be upgrading to a larger router instead of having two routers. They are going to have one, so that would be one managed license rather than two. It gives them a chance of seeing their environment before they commit to managed systems and licenses.

What other advice do I have?

I would recommend this solution. My advice to others looking into implementing BeyondTrust Password Safe is to follow the instructions, scan broadly, and manage specifically. That's what BeyondTrust allows you to do. You can scan everything, but then select what you want to manage. With some applications, the licensing starts right at discovery, but BeyondTrust licensing is by managed systems. So, I recommend scanning broadly, finding everything you've got, and making your decisions based on the actual numbers. That's one of the advantages of BeyondTrust. So, use it.

One organization I went into was primarily concerned with 50 specific servers. They had thousands. When all was said and done and we asked them what about the other servers, they did not specify what they wanted to do with those. They were only concerned about getting those 50, whereas BeyondTrust allows you to handle 10,000 as easily as 50. It is crazy not to leverage that. What you want to do is scan broadly and then manage according to plan. If you've got 1,500 servers and you're only looking at 50, that's like looking through a toilet paper tube. You will have a very narrow view. So, what you do is scan and discover broadly, find out what you have, and then come up with the administration model that'll work for them all. Start with 50, and then roll out the other 950 automatically. If you design it right, the minute a new administrator is added during that night's discovery, that user is ready to start working the next morning, or that server gets discovered and added based on the Smart Rules. So, a new Linux server or a new Windows server becomes available the next morning. A newly hired administrator's account is discovered, and as a member of the administrator group, he is automatically ready to start work first thing in the morning. No intervention is required.

We have not used the solution's software development kit to create a plugin to support new systems or applications, but they do have them that you can modify. We're looking at making a modification to an existing platform connector. Their platform connectors are very visual, and you have the ability to compare. We're looking at the original Linux connector, and we want to connect to an SCO server. We have a template to work from. We will speak to the experts regarding SCO and make modifications to another connector to create a new connector. It is pretty dynamic.

At this time, my opinion is that it is a 10 out of 10. Based on having experience with three or four other competing solutions, I would give BeyondTrust a 10 out of 10. I normally don't give this sort of a rating, but I do give BeyondTrust a 10. If you read two or three of their advertising and website blurbs and that's what you need, you're going to get it. When they talk about the ease of administration and the ease of implementation, it is all for real.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner