BeyondTrust Password Safe Reviews

BeyondTrust Password Safe is used to protect privileged accounts and record any activity when using those accounts. Password Safe is able to record and report anything in SSH. It's mainly used for auditing purposes.

We downloaded the virtual appliance and deployed the solution on-premises.

My company's goal is to have mature security and privileged account management. It's mainly used for security purposes and to avoid the usage of credentials.

The ability to manage privileged account passwords is the most valuable feature. It gives us the capability of rotating passwords as soon as an event is triggered. Even if Password Safe protects the privileged account, like an admin account, we can request the password from the profile. As soon as it detects that we have the password and it's used for the first time, the password will automatically change so it can't be used again. The strength of the password will be the same.

Smart Rules were created to automatically assign the credentials that belong to each user and their profile. We use the Smart Rules feature for automated privileged account management.

The Password Safe user interface is simple and very intuitive. I would rate it as a four and a half out of five. It just shows us what we need to see.

We weren't aware that the Password Safe virtual appliance runs on a Windows server. As part of our monthly patching process, we ran into an issue. BeyondTrust Password Safe wasn't compatible with the patching we used to put on our server.

We cannot download patches from the Microsoft Windows server and deploy them on the solution. The solution starts failing, and we run into incidents. This is a major issue that they need to fix. We have to wait for months for Microsoft to release security patches.

I used BeyondTrust Password Safe for less than one year.

In my previous organization, I worked on a project to manage all of the privileged account passwords and rotate the passwords to protect the usage of those accounts from unknown credentials.

The solution is stable. We had an issue with upgrading the operating system, but it has otherwise worked flawlessly.

I would rate technical support a three out of five. They take too long to fix issues, but that could be the fault of the person who opened the case.

Neutral

I have also used CyberArk. My privileged account was already onboarded, and I was just an end user. The user interface of CyberArk is less intuitive than BeyondTrust Password Safe. CyberArk is too IT-oriented for the interface, while BeyondTrust is easier to use.

The setup wasn't complex. Installation was straightforward, and we received training before we started to run the solution. We aren't experts on BeyondTrust, so we needed an expert to help with deployment.

BeyondTrust provided a single appliance with everything we needed for deployment. We were able to switch to the second data center where we installed BeyondTrust Password Safe. They accompanied us when we installed and configured it.

We used a third party for integration.

We have seen an ROI because we have audited evidence to show what has happened when there's an incident.

I would rate this solution a nine out of ten. 

We had some challenges with migrating admins to Password Safe. Before we started onboarding, we created a test and faced an issue with the GPU. It prevented Password Safe from rotating passwords. BeyondTrust needs to give more guidance on what to look at when we want to manage our privileged accounts. 

Overall, it's a very good, well-designed solution. You need to have a basic understanding of managed accounts, functional accounts, Smart Rules, and the capabilities to configure SSL and TLS.

Before making any changes to the platform, my advice is to ask BeyondTrust to make sure it won't cause any incidents.

I use Password Safe as a fully-fledged conventional PAM solution; for SSH and RDP brokering to servers, whether that's Linux or Windows, as well as SQL and Oracle.

I also use the product to publish applications using a jump box server and as a vault for user credentials to provide normal use and REST API through CI/CD integration.

We have active and passive appliances and an offsite cold spare.

The RDP and SSH session recording is good. The associated UI is  pretty straightforward, and Direct Connect is a good feature.

Integration with Active Directory is a handy feature. 

The CI/CD and REST API are also satisfactory; the solution has a full PAM feature set and they all work well. 

Password Safe is relatively straightforward to run. 

We use PowerShell and Shell scripting using the solution's libraries. We also use the .NET library, where I worked with developers to create .NET extensions for use in solutions built in-house. We used the product's software development kit to develop plugins to some extent, and mainly we integrated with the REST API for our Azure-developed CI/CD pipeline. This capability is essential because DevSecOps becomes a requirement at some point. We're dealing with privileged accounts to do releases, which must be carefully managed and require password rotation. Thus, we need a source system for these release management pipelines to provide passwords, allowing the user to continue with the following deployment steps. Highly privileged accounts, by their nature, require regular password changes, which is a critical element in our DevOps.

I'm not too fond of the Smart Rules feature, mainly because too many features can cause complexity.

There is a limited capacity on the appliance, which I wasn't informed about when I purchased the product. I can have a maximum of 150 rules per appliance; any more than that and rule processing becomes very complex, especially regarding password revision. Hitting a capacity limit you don't know about can be problematic. Ideally, we would not have a limited capacity, allowing us to be in a completely managed state with password rotation for every service account, not just the highly privileged ones.

The solution does not indicate an issue, but when we hit the capacity limit, rules can become erratic, resulting in password resets during the middle of the day when they're in use. This can be an issue, especially as there is no performance counter so we can track how close we are to the limit, nor is there an indication of when we cross it. This is an element that could use a redesign.

Another feature that could be improved is the password rotation schedule; as a financial organization, that's very important to us. We sometimes require the maintenance window to be on a Saturday instead of during the week. The solution gives the option for the fifth day of the month, the tenth day of the month, the first day of the week etc., but not more specific. I want to be able to set the rule that password changes only happen on a Saturday, for example, and I can't do that.

To compensate, BeyondTrust tells us we can write scripts to set the password resets. This needs to be improved because it results in additional work for us, and they could fix the small scheduling gap in their product.

The MSA element of the solution is fine; there are no significant issues implementing MSA with the interface. However, the interface can be somewhat complicated for admins, though not for end users. Precisely, when troubleshooting user issues, we encountered strange errors. We needed to go into the appliance log to understand what was happening, and the UI needed to be more intuitive to help us.

We were late refreshing the UI, so it had pretty old components until about 2020, and we experienced browser issues. After 2020, the UI improved, but the look and feel of the application are still dated. I carried out POCs for CyberArk and SafeGuard, and both of their interfaces are much better than Password Safe's. I liken the solution to a Toyota; it's a good all-rounder, and it isn't bad though it has some issues.

We had an issue with the Team Passwords feature: the privilege concept needed to be improved. There was no differentiation between contributors of privileged information and the consumers of it. Additionally, until very recently, there was no REST API integration with Team Passwords, so we couldn't publish secrets using REST API. This could have been better, as it meant we needed a different team for CI/CD and Team Passwords, resulting in some cases of duplication.

I've been using the solution for five years. 

The solution is relatively stable, though the stability could be improved as we often encounter issues of various kinds. As such, the tool requires a large team to manage it and stay on top of any problems that occur.

My experience with customer support has been mixed; the US and UK teams are the best, while the others could have been better. The UK and UK support staff are highly professional people who seem very close to the developers and have excellent knowledge of their products.

Some of our cases took up to four months to resolve because there is a difference between Password Safe, the software layer, and the UVM appliance layer, which BeyondTrust essentially treats as a separate product. There have been some significant problems with the UVM appliance layer, especially compared to Password Safe. The latter has some specific issues, but they are usually quick to resolve, whereas, with UVM, we can hit a dead end, even with support.

Positive

ROI is tough to measure, as the solution isn't generating profit. We implemented automation with CI/CD, reducing human effort and saving time on previously manual tasks. I can't tell if this has yielded an ROI, but we achieved a target in that we are more secure, our highly privileged accounts are rotated etc.

I rate the solution a six out of ten. 

The earliest version of the solution's interface could have been more intuitive, and we sometimes experienced issues with request check-ins and check-outs. However, the recent introduction of the Team Password feature allows users to collaborate and share passwords within a managed team. Some elements of this feature lagged in our first few weeks with it.

We used some of the solution's customization features, and it works fine; however, we had some significant issues when doing Discovery Scans. We encountered strange errors, especially on custom platforms, and it took a lot of work to understand the problems. As a result, we stepped away from customization as the issues around Discovery became extremely hard to deal with for us. 

We saw the benefits of using the solution very quickly, especially for the more basic elements at the beginning of the implementation. By targeting highly privileged accounts in the first round through the Active Directory, those can be up and running in two weeks maximum. The more complex and detailed configuration becomes, whether with discovery, dependency, or multiple-layer applications, the time to value increases correspondingly. 

I advise potential users to stay manageable and not try to do everything simultaneously. Build slowly and keep an eye on the capacity; only deploy with one appliance, or you are destined to fail and will run out of capacity fast. It's better to refresh the UVM appliance version every two to three years with a new image and migrate rather than upgrade because upgrading is the worst part of this product. It'll cost money to keep migrating to newer appliances, but it's worth it to avoid the experience of upgrading.

The use cases are essentially the same as those for any PAM solution. Like addressing security compliance, securing the network against threats, and protecting all identities with intelligence and minimal concerns.

It also includes cloud security management, handling different shifts, and addressing workforce access, passwords, and the likes of compiance. It simplifies analytics, reporting, and secret implementation.

Additionally, it reduces servers while increasing stability in privileged access. These are the general use cases that apply to all PAM solutions.

BeyondTrust Password Safe provides proper security for your network. Its primary feature is identity governance. It allows you to manage your users effectively and implement robust governance. The solution includes reporting, which aligns with the National Security standard and enhances cybersecurity resilience.

This protection safeguards against attacks. When discussing the management of essentials post-classification, BeyondTrust Password Safe also assists with this. It plays a critical role in preventing cyber identity theft. Without BeyondTrust Password Safe, your system is more susceptible to identity theft. It's an all-encompassing solution that significantly reduces such risks.

BeyondTrust Password Safe is specifically designed to limit cyber identity theft. It's highly effective in preventing incidents of identity theft.

It is very easy to deploy. It's easy to use. That's the major thing I like about it.

It is very easy to set up. It is very easy to deploy. Depending on the environment, it can be deployed quickly. So it's very good. I like it.

The deployment model depends on the customers.

The solution was implemented to secure privileged access management in a large-scale corporate environment.

Privilege access management protects the accounts that have administrative privileges and secures those in a secure and encrypted vault so that they are secured and protected. Not having the credentials "on the wire" is only one part of what the solution offers. If the credentials are exposed on the network, they can be exposed to various vulnerabilities and increase the attack surface areas.

Protecting privileged accounts reduces the attack surface area. It is estimated that around 70% to 80% of all compromises in cybersecurity are due to unauthorized privileged credential exposure, either by lateral movements or phishing attempts. By securing those accounts, we tackle a significant part of the problem. 

Additionally, knowing who, when, and how the privileged credential is being used via the reporting and analytics module allows visibility into a previously unknown area.  

The actual innovations offered by the vendor stand out to me. They are quick to respond to market demands and the changing environment of privileged access management. I see BeyondTrust Password Safe as an innovation leader compared to some of the other vendors in the market.

Documentation is the primary area of improvement. Their documentation has improved over the last three to five years, but there's still room for improvement. A more intuitive search and not having disparate documentation categories would be helpful.  

While they are quick to market for improved features, there are still additional features that other vendors have that they don't have like a credential injection for the users' web browser extension.  

I have been using this solution since 2013. 

The solution is very stable. Part of my role is to design and implement disaster recovery and business continuity planning. Although planning is important, these are rarely put to use.

The solution is very adaptable. The solution can be deployed in environments with a single domain and then scaled up to handle multiple domains positioned globally as well as adding cloud security. 

Customer service and support are great! 

Positive

I worked with Delinea, which used to be called Thycotic and CyberArk.

The decision that clients typically make to choose BeyondTrust is often from a proof of concept (PoC) or through an extensive advisory engagement. One differentiator is shown between a user-centric environment versus an asset-centric environment. The two clear differences between BeyondTrust and CyberArk are that BeyondTrust is more asset-driven, while CyberArk is more user-driven. Both have their advantages, but it depends on the workflow and architecture that suits the client.  

As a person that has been involved in multiple deployments of BeyondTrust Password Safe for various companies, I can say the initial setup is fairly straightforward. 

In-house deployments can be challenging and so leveraging a delivery provider that specializes in PAM deployments provides numerous benefits. PAM/IGA/IAM are unlike many other security solutions as it has their own language and unique demands that are often not as intuitive. Knowing how to overcome project crawl, analysis paralysis, adoption challenges, and executive buy-in can be helpful.  

The ROI can be quickly realized for BeyondTrust vs. some of their competitors. The ease of implementation and the speed to get that initial return on investment is impressive.  

With the BeyondTrust solution, you have the capability to deploy the more secured layered solutions such as Secure Remote Access (SRA), Endpoint Privilege Management (EPM), and Identity Security Insights (recently released this month) that are all designed to protect the entire enterprise.

BeyondTrust has migrated towards subscription-based licensing/annual renewals. They remain competitive and on par with their pricing, often coming in under other competitors. Pricing is one of the reasons clients choose BeyondTrust, but it's not the only reason.

Overall, I would rate the solution an eight out of ten. 

One of the more important areas to focus on is knowing your environment pertaining to the assets and accounts before deployment is attempted. Not knowing what needs to be protected will make the deployment more challenging. Although BeyondTrust excels in the discovery of assets and accounts, knowing WHERE to look can be challenging. 

Deploying the product using only a percentage of its capabilities can lead to frustrations and reduced ROI. Not managing service accounts, networking, and database teams that are typically more challenging can lead to vulnerabilities as well.

You can't just focus on privileged access management. Privileged Remote Access, as well as solutions such as endpoint privilege management, are all part of a complete identity and access management solution that must be designed and deployed correctly. If not designed and deployed correctly, it will have the opposite of making the environment secure. 

Least privilege, zero trust, and cloud security awareness are all buzzwords we see often. Privileged Access Management (PAM) is a part of the layered security approach that will keep your company out of the cyber news headlines. 

We use this solution for password management. It allows us to control and manage passwords in a safe and secure way, and it records sessions.

The solution is deployed on-premises. It's being used extensively in my organization.

Before implementing BeyondTrust Password Safe, our server engineers and database engineers were storing passwords on an actual sheet, which is a plain text password. Since implementing BeyondTrust Password Safe, they're not doing that anymore. We eliminated the risks from storing passwords on plain text. We also have clear data that shows who modified a file.

We use the Team Passwords feature to securely store our passwords. Our team has a lot of shared passwords. Those passwords were shared in SharePoint or in the common share folder. We wanted to eliminate that because it's a risk. Team Passwords lets us securely save a password that's shared between a group of people so nobody else can see it. It's secure, and we don't have to save the password in an Excel sheet.

The Team Passwords feature has affected our level of security in a completely positive way. With a shared password, everybody could see it and someone could log in and change the password. They could also share it with someone else, like a third-party vendor or with someone outside the organization.

Team Passwords gives us better control over our passwords. Someone outside the team isn't able to get the password. Even if it's shared, we're able to see who checked the password.

It's more secure to use and better than using Excel or Notepad to save passwords. It's a really good option.

I like the session recording feature. I also like the analytics and reports. You can pull up a report, and the UI is fantastic. The system is recording when nobody's there, so we have a record of what's happening.

The Smart Rules feature is one of the coolest features. It allows us to automatically onboard accounts based on the criteria instead of manually onboarding. It allows us to manage assets or accounts based on the criteria we search for in Smart Rules. 

The UI is cool. They have different symbols and icons. I think the UI is better and more informative than other solutions.

The customization features help me manage most assets, databases, and applications. It's more than sufficient for us. The default connectors and plugins are capable of managing the database in the server, units, and systems.

The banners could be improved because they aren't informative. For example, if something is not correct and I open the error notification, the dialogue box simply says, "This is an error." It would be great if they could provide some valuable comments about how to fix the errors. If I try to remove something, the error box says it cannot be removed, which isn't helpful. I have to wait for the account to check in, and then it will be removed. 

The information description in the logs and the error reporting could be improved. For someone who's inexperienced, it's hard to understand.

I have used this solution for more than three years.

The stability is really good. Our setup is Active/Active, so we have more than eight appliances, and everything works well. It might differ for companies that decide to choose Active/Passive and only have two appliances. 

We have enough appliances in our organization, so we don't feel that the stability is lagging.

The scalability is good.

I would rate technical support as nine out of ten. 

Technical support is really good. If we need help, we contact somebody from the customer portal. We don't need to wait. We get a reply from an engineer right away, telling us what we need to do. If somebody's not available, a senior engineer will respond.

I'm amazed by the response time. They are as quick as possible. They have enough support people across the globe.

Positive

Before using this solution, I used Hitachi ID PAM.

There are multiple reasons why we switched. They don't have 24/7 support. We're on Asia Pacific Time, but most of their technical support staff are in Canada and the United States. If something happened in our time zone, they weren't available. Their product is very expensive, but they don't have as many features as BeyondTrust.

Comparatively, BeyondTrust has a lot of features and database inclusion. I would say BeyondTrust is 100 times better than Hitachi ID.

The setup isn't a complex process. There are two different setups. They provide the UVM-based installation and software-based installation. We selected the UVM-based installation.

The installation itself is pretty easy. The documentation is very structured. It's not complicated.

Migrating end users to Password Safe was hard in our case because no one in our organization knew about the solution. People were using Excel or Notepad and manually changing passwords. We created an internal document system, but migrating the accounts was a difficult task. As soon as the host was set up, it was pretty easy.

It's easy to maintain. All our appliances are connected to the internet. We receive patches and updates directly from BeyondTrust. We don't need to ask anyone to provide an update or patch. It's up to us to choose and schedule a proper time for updates.

We did the implementation in-house, but we had a consultant assist us from BeyondTrust. We had a good experience with him. 

We have definitely seen ROI. It's worth buying.

We only pay for Password Safe. Session management is included, but we don't use it. 

There aren't any additional costs besides the standard licensing fees. We pay for an annual license.

We also evaluated CyberArk, but we chose BeyondTrust because of the cost. It's affordable compared to CyberArk.

I would rate this solution a nine out of ten.

The installation is straightforward. If you just follow their instructions, you don't need any experience. They also provide automated ways to onboard accounts. The documentation is very structured.

Typically, we would allow users to connect with their regular user ID, a non-privileged user account, and automatically connect to a designated privileged account managed by BeyondTrust. This account would be onboarded to target systems or databases, preventing users from using their user account as a privileged account. Instead, it would act as a surrogate, using only a managed, dedicated account the user could access.

The platform's most valuable feature is its architecture capabilities, which allow for creating and supporting high availability and failover through designated server components.

The initial server implementation tasks could be easier to process. 

I have been working with BeyondTrust Password Safe for four years.

While some initial server implementation tasks may appear to hang, they are simply processes communicating with each other. 

Overall, the solution is very stable and intuitive.

Thousands of users were utilizing the product across our sites. I rate the scalability a nine and a half out of ten. 

The technical support and customer services are phenomenal. There were instances when we experienced outages during scheduled updates in the middle of the night. On one occasion, an update hung, and we couldn't resolve it. We got technical support that night, which was extremely impressive.

Positive

The initial setup is very straightforward if you understand network architecture. 

Once all the documentation was created, the deployment took about two to three days per site. As the security architect, I was responsible for the documentation, while another team member typically handled the actual implementation. I did step in to handle some implementations myself when one team member had an emergency.

It requires maintenance, typically a weekly manual process or monitoring updates. While most updates can be done automatically, some require manual triggering. One person per site handles the weekly updates, though one person could manage all five sites.

The task of managing the updates is relatively low-level and is often assigned to newer team members. I created very detailed documentation, so they needed to log in, follow the instructions, and let the processes occur. The most time-consuming aspect is waiting for the update processes to complete, which occurs only once a month or every two weeks.

Four team members were involved in the deployment because we managed five separate international locations.

I rate BeyondTrust Password Safe a nine out of ten. 

Our use case was allowing users to connect with their regular, non-privileged user ID and automatically connect to a designated privileged account for target systems or databases. This prevented users from using their regular account as a privileged account. Instead, it used a managed, dedicated account in BeyondTrust Password Safe that only that the user could use. For example, my account "Gary.Jolley" might have a domain admin account "dam-Gary.Jolley" that I'd automatically connect to.

The most valuable feature is the architecture capabilities, which allow designated server components for high availability and failover. It works well with identity and access management solutions, allowing users to be automatically onboarded and offboarded. The account mapping feature makes rollout seamless. The session monitoring capabilities are excellent, with keystroke and graphical monitoring. This enhanced our security posture by providing detailed accounts of user actions. It helped us pass our SOX audits.

The only improvement I could suggest would be standardizing documentation, but that's more the responsibility of the implementing engineer rather than BeyondTrust Password Trust itself. The documentation must be specific and narrow for implementation, not just broad guidelines.

I have been using the product for four years. 

BeyondTrust Password Safe is incredibly stable. During initial server implementation, some processes might appear to hang, but they're actually communicating with each other. It's very intuitive.

On a scale of one to ten, I'd rate the scalability as nine and a half. BeyondTrust Password Safe's scalability allows different roles and strategically placed servers for better failover. We had thousands of end users across our sites.

The technical support is phenomenal. They were available even for middle-of-the-night outages during scheduled updates.

Positive

BeyondTrust Password Trust's main advantage is its network architecture implementation. It's similar to CyberArk, but CyberArk has some features, like privileged threat analytics, that the solution doesn't.

The initial setup is straightforward if you understand network architecture. Four people helped with deployment across five international locations, taking about two to three days per site after documentation was created. It requires weekly maintenance, which can mostly be done automatically, but some updates need manual triggering. One person could maintain all five sites, and we often assigned this task to new employees as the process was well-documented.

We use the solution as a password safe to keep the privileged credentials secret to make sure they aren't stolen or lost.

We don't have to remember passwords. It's automated. There is a rotation of privileged passwords, which keeps me from memorizing things. 

I like that I don't have to memorize passwords. The whole process is fully automated.

Advanced auditing and forensic features are great.

It simplifies your compliance and tracking to benchmark other credentials and analytics.

The solution can scale.

Their support is not good.

The extensible API is the feature that I like to learn. However, we aren't using it at the moment. 

It has crashed on us in the past.

I've used the solution for about a year.

I'd rate stability six out of ten. It has crashed a couple of times on us.

The solution can scale. I'd rate the scalability eight out of ten. 

We have a user base of less than 250. We do not have plans to increase usage. 

We were down early Friday, and we tried to get a team to help us. It took a whole weekend. They need to be better at supporting and helping fix issues quickly.

Neutral

We previously had other solutions, including Tenable. 

I was not part of the initial setup process. 

We have a three-year license.

The pricing isn't part of my scope. I don't directly deal with licensing.  

We are using the latest version of the solution. 

It's important to do a POC for over a month and negotiate on the pricing. There are other powerful tools that are out there that are easier to use.

Your deployment tends to involve other tools, so check its ability to integrate with them.

I'd rate the solution seven out of ten.