BeyondTrust Privileged Remote Access Reviews

I work for a massive company. They have 6,000-plus servers integrated into the PRA solution. BeyondTrust is a remote solution for administrators and other privileged accounts across the organization. It controls access to critical servers, domain controllers, Active Directory, Exchange, or any client servers they'll be using. Right now, there are about 10 products on the market globally, and BeyondTrust is the market leader. Within BeyondTrust, there are multiple sub-products, including Password Safe, Privileged Remote Access (PRA), and Endpoint Protection. PRA is unique among BeyondTrust products and other solutions.

We use Password Safe to store all the passwords in a vault, indicating when a privileged user attempts to access a privileged account on a server. PRA doesn't provide direct access to the process. Instead, we'll provide PRA access to Password Safe through a connector. In other words, the user doesn't have access to the critical account via Password Safe. 

Whenever a user wants to initiate a session, they will log into Password Safe, which will inject the credentials. PRA limits access to Password Safe itself. Only a Password Safe engineer has access to that solution, and the engineer is responsible for onboarding the servers and end users. The user will initiate the session via PRA, which will retrieve the credentials. In addition to this core feature, it has reporting tools to record sessions, providing a list of clear logs. 

Right now, BeyondTrust is an on-premise solution. We have a cloud version, but we are not using it. Eventually, we plan to move it to the cloud. BeyondTrust is being used extensively in our organization. There are between 100 and 130 concurrent sessions daily. Our server can easily maintain that usage level, so we don't need to add another. 

Using BeyondTrust has made our end users happy because they have trouble logging into multiple sessions. Now, they only need to open the client to start a session. It has shortened and simplified various processes, like approval requests. They can do several sessions, with a session time of 15 minutes. 

From an administrative point of view, BeyondTrust has streamlined user onboarding, a never-ending process. Every day, we are onboarding and deactivating users on the server. It's easy, and I don't need to change passwords or worry about who has access. My users access the servers through PRA exclusively. It's enough to remove a user's access to the server from PRA. Later, I can clean up the password or access control.

I can remove user access with one click, then figure out the other offboarding activities later. It's convenient for an administrator and the end users. Every channel has been monitored and recorded, so it's highly secure.

After getting the password, a user can initiate a direct connection to the target server. Any user working on a server can log into Password Safe to pull the password and store it somewhere. Next time, they won't need to log in to Password Safe. After that, they will directly initiate the session. PRA has a connector that allows it to retrieve the password. 

PRA also doesn't require a VPN, which is a substantial cost saving for our organization. In the past, we needed a VPN license for every administrator operating from home to connect to the server. That's a massive expenditure. By implementing PRA, we could completely get rid of our VPN solution. It works like Microsoft but allows direct access, so I don't need to worry about a VPN. I log in to my PRA control and initiate the session. It's easy for any user. A domain name is more than enough. I can log into my PRA control, and I'll be able to access my server.

I like the enterprise credential manager. It's a connector that sits in PRA and tests the credentials for the end user with a process that will clean the password. This is one of PRA's primary features and simplifies user onboarding. There aren't many restrictions or complications. We can add the user while only opening one port, which is more than enough to access the PRA server. Every organization requires only four critical servers out of a hundred and some 50 production servers.

In PRA, it's easy to secure production and non-production environments. You can secure an organization's entire ecosystem. On a development server, we have privileged access and essential activities we will perform in production. The development server will be onboarded, and the consumed license will be less compact than other products.

Connecting to the target server takes at least 30 seconds with other tools. It is more straightforward in PRA, so the target connection takes five or ten seconds. Managing users, accounts, and services and upgrading the agents are all incredibly straightforward.

There are two methods of integration. We don't need to create accounts when it's onboarded to the PRA solution because the same server has already been onboarded to the process. You can initiate multiple sessions across the solution whenever your user wants. You can open the same server and various licenses. Users can unlock numerous servers and other products, features, and tasks. Users who don't want to access the server directly can initiate a connection without worrying about the desktop. 

Let's say I'm a user with access to the production server. I'll be using a privileged account with access to the development server. Usually, a PAM solution will try to secure one leader-created account so they don't need to worry about the development account. There is a single pane of glass so the user can be brought into the PRA solution in a fraction of a second. My area account will be given to the dynamic team to add some security groups, and the security group will be added to my PRA solution. If I'm in that security group, I'll be able to see all my servers easily.

Nobody can log in through my server without PRA access, so it maintains excellent access control. Even if I know the password, I cannot access the server because that is a restriction we can implement across the organization. We can ensure that any protocol—43, 00, SDP, 22, etc.—goes through PRA. This is a simple tool, and any access management person can easily handle it.

They can see the system information, including the voice operating system details. Everything will be flashed over there. There are two methods of connecting to PRA: jump client and jumpoint. The jumpoint method is agentless. If there's a critical server where the owner doesn't allow you to install an agent, you can still onboard that server into the PRA solution with the agentless method. 

Another great feature is built-in remote support. If an administrator needs help from the vendor, a third-party provider, or someone else within their organization, they can invite the person from within the PRA console. We can restrict the person's access to only what's necessary to provide support. With other tools, I would need to set up a video conference on WebEx or Teams and share my screen with them, and everything is in the picture. 

PRA lets you invite somebody immediately from within the console. There is a small tab on the right side. I can put the email address in and send an invitation to the other person's mailbox. They only need to launch the URL to join my session quickly.

This works on mobile devices. They can use their mobile phone to log into my session and access me. If they want to do mouse control, I can allow them to work on my screen. I can minimize my session and do other work. I can also see a complete recording of the third-party support's troubleshooting steps.  

I can provide direct access to the vendor through a separate app, but I have to open that domain. For example, if you are from XYZ domain, I can just add the domain to PRA and provide access, but creating an AD account for the vendor is a better option. However, most organizations will never give direct access to any third party. Instead, we'll create a dummy account that will be set up using my ID, and that account will be shared with you. I must access that secure area through my account whenever you want to log in. It's convenient for the third-party vendor, and the session is monitored, so you don't need to worry about complaints.

Third parties shouldn't have direct access, but maybe some guy also can log into the domain using this password. We create an account in our environment that provides access to the PRA control. They can easily access the solution using their account in my domain.

The vault functionality is straightforward. I have an account managed by Password Safe, which holds the password. Every password change is tracked in the vault, so I don't need to worry about that. I log into PRA and launch a server. Then it will prompt me for my service or local account. It's my only account. I can keep the service account, and this PRA solution will pull the service account's password from the vault. It is going to this credential over here when I log into the PRA solution, which works in this space.

BeyondTrust has multiple products, including Password Safe and PRA, integrated natively. Providing direct access to Password Safe might cause some issues, which is why PRA exists. We want to restrict the direct access to Password Safe for anyone except the password administrator. A user could be an administrator or end-user when they are onboarded to our service area, and the administrator will be onboarded for the accounts in Password Safe.

That's why we keep passwords in the vault and only provide access to the PRA solution. PRA will retrieve the passwords. If there is a server on which other services are running, PRA doesn't consider anything like it for the account. You can initiate the session and open the session server. You can see what services are running from there or whether the password has changed. 

Password Safe performs every job, and PRA is only an intermediary that takes the password from the person and opens the session. It's like a proxy server or a jump server.

Multiple areas can be improved. We've seen lots of updates in the past year.  They have a portal where we can submit our ideas. BeyondTrust is immediately implementing user suggestions. The UI could be more informative. Initially, there were two or three connectors, and now we have five or six. It would be nice if they added a few more connectors for third-party integration. There are multiple tools, but the clients may require more for their convenience.

I have been using BeyondTrust for around 18 months.

We haven't faced any issues in the past 18 months.

PRA should be scalable, but it depends on the client. We've never had any issues. We have 400-plus admins on the accounts. The total number of end users is huge, but no end users log into the privileged server. There are more than 400 admins onboarding and 6,000 trust servers.

I rate BeyondTrust support an eight out of ten. We are still in the initial stage, so we are building servers and onboarding. We have frequent calls to ensure that we are fully utilizing the product's features.

Positive

In my previous company, I worked with BeyondTrust, but I didn't use PRA.

I was not part of the initial setup, but I came on board toward the end of the deployment. I was involved in onboarding our client data. Setting up BeyondTrust PRA is simpler than other products. You have three or four servers and a primary server. Based on your recommendations, you can set up a gem server across multiple server types. It takes three or four hours, and you need to have the prerequisites in place.

It all depends on the company's requirement or the access session that is happening daily. We can use only one server or several, and it's easy to attend to those servers. I don't think integration is the hardest part. It's lightweight in terms of maintenance, but while implementing the solution, we should be careful about how we are pointing the solution so the DCD should be working properly. If you want to bring other appliances in, it's plug-and-play. 

I rate BeyondTrust Privileged Remote Access an eight out of ten. If you are using a BeyondTrust product and you want to secure that process, you should use PRA, which enables you to skip a step. You don't need to worry about users having direct access to the process. 

Our company has been growing, and we have many audits as well as SOX compliance requirements. We have different SOX requirements, and we wanted to ensure that every activity is monitored. That was the main reason for deploying this solution into the environment.

We are using it like a VPN access for our external users, such as vendors, to allow them to access the resources within the organization. Instead of providing them the regular VPN access, we give them access to the privileged access solution so that we can monitor what they are doing, and we are able to view back the recordings of all the activities they've done.

We have not integrated Privileged Remote Access (PRA) with other solutions at the moment. We also have another solution of BeyondTrust. We have integrated that solution with other solutions, but we haven’t integrated PRA with other solutions. We just use it for remote access and credential injection.

It has put us at the forefront when it comes to security, auditing, and meeting SOX requirements. It is a top-notch solution for us in these aspects. Security is the key to fulfilling SOX requirements. Ever since we deployed it, we are able to provide external auditors, who audit the company, with recordings of who is in the environment. We are able to see what is happening. We are able to provide access durations and show who is accessing what and who has been given permission to access. It has really helped us in those aspects.

The fact that PRA does not require a VPN goes a long way for us because instead of our external users installing different VPN applications and having different user names and passwords for different applications, they can just make use of it via the web. They don't need to install an application, which is a very cool and nice feature for us.

In terms of security provided by PRA when it comes to access for remote and privileged users, the users get to access only what they are permitted to access. They can't go beyond what they're allowed to access. You don't have to give anybody the credentials to privilege accounts. The solution allows you to do account injection while you are using the solution, which is really good for us. So, you can do credential injection while accessing the solution, which is a top-notch security feature for us where you get to manage privileged credentials within the organization.

It is available in multiple formats. It is available as a physical and virtual appliance, or as SaaS. When we did the PoC, it was before COVID. We did the on-prem deployment for the PoC, but immediately after the PoC, COVID came, and we started to think of what will happen when we are not physically present. So, we had to go for the cloud solution, which is quite cool as well. It takes the burden away from IT admins, and we don't have to think of how many servers we have to manage.

It is important that through the use of PRA, there is no need to share passwords with users. We are able to do credential injection where you don't get to give users privileged user accounts. With the solution, we're able to do the privilege injection, which makes it perfect for us. Nobody gets to hold onto the privileged accounts. With the solution, we are able to inject it, which is good for us.

We are mainly using it to give access to third-party vendors. In order to ensure that we monitor the activities of what they're doing, we use PRA for their access. All our external users come in through PRA. For every internal user, we use the regular VPN. We are also looking into the cost of getting more PRA licenses if we are going to put every other user in the company on it.

We have integrated it with our Active Directory, which allows us to apply our Active Directory password policies. We don't need to create any other user account for whoever is coming in. We just get to create a user in Active Directory, and password policies are already applied. So, users come in by using the Active Directory credentials, which is another level of security as well.

One of the features that I really like about it is the ability to set a start date, time, and end date for the access. For example, you can set the access for a person from tomorrow, Monday, or Tuesday and ending on a specific period of the day or a specific date. That's really quite helpful.

You can use the solution to access not just the Windows environment; you can also access your Linux devices and even your network devices. That's a very cool feature for us.

At the moment, I don't see any major problems with it. If anything, they can just change the look and feel of the login screen because it looks too simple to me. It does not have so much information. When you get to the login screen of the solution, you should have more information. We also have BeyondTrust Remote Support, and the login page looks similar to BeyondTrust Privilege Remote Access. I would love to see more rich information on the login screen or landing page so that rather than having a regular sign-in screen or page where you just provide a username and password and get into the solution, you should have more insight into what the solution does. I've mentioned this to them every time I have had an opportunity.

It was deployed last year.

Its stability is good. It is top-notch. They are doing well because I can see the way they do release updates for the solution. They are also at the top in terms of security updates, vulnerability assessments, and other things that are currently happening. They are doing well in terms of updates, which are also helpful in stabilizing the solution. With regular updates, you get a stable solution and also more improvements and features.

We are using cloud deployment. When you have a cloud SaaS solution as compared to having it in your own cloud environment or on-prem, you do not get to have much say on scalability. If you have deployed it within your environment, you get to see how to scale it up or scale it down, but when it is a cloud solution, you don't get to see what happens on the provider side. However, you get to know that at least you have been provided what you have paid for, and it is working perfectly. So, for me, scalability comes into the picture if I am managing the infrastructure within my environment, but that doesn't mean you can't talk to your provider to tell them that you want to include other things in the solution.

Their technical support is good. At any point in time, when I needed support, they responded quickly. There was a time when the local vendor reached out to us that there is a new upgrade, but on logging onto the platform, we couldn't see the update available. We reached out to their support, and the support personnel who picked up the case told us to give him just five minutes, and he will ensure that the update is available. Their technical support is beyond cool. I would rate them a nine out of ten.

Positive

We didn't use any similar solution previously.

We went for the SaaS solution. They provided the platform and the access to the UI to the local vendor, who is a product partner. 

Three people were involved in its deployment. One engineer from the local vendor worked with two people from my end. One of them was from the server side, and the other one was from the networking side. 

We didn't evaluate any other solution. We were already using BeyondTrust Remote Support to support our client's computers. It was deployed during the COVID period. Initially, it was implemented because management was thinking about how IT would manage the situation when working from home. The users had no credentials. With remote support, we were able to do that perfectly, which also gave us assurance that BeyondTrust PRA would work well for us, and we won't have any issues with it. So, the management was able to sell PRA to the top management. There wasn’t much discussion about it because of the previous experience that we had with BeyondTrust Remote Support. It has already paved the way for PRA to come into the environment.

I would tell others to just go for it. If they are security conscious and are concerned about security within their environment, then just go for it.

I would rate this solution a nine out of ten.

We are an MSP, and we have customers actively using the solutions and the services. We do the backend administration and implementation, troubleshooting and incident handling, and other things like that.

Our use cases include adding users, adding environments to the system, and general and advanced configurations for users and environments. Those are just the standard regular use cases. Other than those, we handle platform maintenance, and platform restoration and recovery in case of an incident.

We also use PRA to provide access to third-party vendors. It restricts access only to the devices and only to a certain section of that device or environment that the vendor would need to access. It can also limit access in terms of time and time of day. Access can be subject to approval, which adds an additional layer of security, and we can also set in advance the number of days that that vendor will have access through PRA.

Since PRA eliminates the need for a VPN, this has translated into cost reduction and reduced complexity. PRA has eliminated the human factor from managing critical credentials; it has restricted access only to specified devices and only on specific ports. The solution provides very restricted and very specific access, both in terms of the endpoints of devices being accessed and in terms of the protocols that are available to initiate the session.

The auditing capabilities are valuable because of the fact that the Privileged Remote Access platform can track and record everything that happens within a session. The solution also has integration with authentication providers, which is critically important. It allows multiple-factor authentication and also allows us to configure access based on groups and organizational units.

One of the most critical features is that PRA eliminates the need for a VPN. The fact that PRA can establish secure encrypted connections and limit those connections only to certain protocols eliminates the need to have one or multiple VPNs and administer and manage all of them. 

Another critical feature of not needing to use VPNs is that it also reduces the number of individuals who would have access to critical information, like authentication for those VPNs. I rate the security provided by PRA when it comes to access for remote and privileged users a four out of five.

Lastly, managing access through PRA rather than VPN is much more convenient, much more granular, and more efficient.

Firstly, when doing protocol panel jumps, the tool does not restrict what is recorded on the user's computer. So if a user has, let's say, three desktop monitors, the tool will expand to the entire desktop and record everything that happens on those screens, and not in the PRA window alone. Since a lot of people hold sensitive information outside of the PRA window, this creates some friction because they do not want that information recorded.

Restricting the recording to the PRA window during a protocol tunnel jump will be an improvement.

The second improvement is that PRA could be more flexible with privilege elevation on Linux endpoints.

The third improvement is that PRA should have more connectors for the most common applications it integrates with.

I was certified by the vendor a year ago, but I used BeyondTrust Privileged Remote Access a little bit before I got certified. I do administration and implementation for the solution.

The solution is very stable, there is nothing to complain about there.

PRA is not very scalable in its current form. We currently have an active/passive configuration, but should we change that to an active/active configuration, the entire underlying infrastructure would become ten times more complex and would require significant costs with licensing and resources, having to configure that underlying infrastructure. That would make everything at least five times more complex and more costly, so PRA is not scalable in its current form.

We have 300 users in my company and 150 users from our customers using PRA.

We have regularly scheduled calls with a technical account representative every two weeks, and we are in constant contact with their support department, if not on a daily basis, at least every other day. The technical support is excellent.

Customer support is always very responsive, they are very customer-oriented in that they are always keen on understanding the use case, the fault and what solution would be best suited to the environment. They are always willing to take the extra step to go above and beyond to find some exotic solution or approach for our specific needs. And they are always very patient.

It wasn't just once that they stepped outside the contractual agreement, they went above and beyond to give us the best support and the best solution.

Positive

I used CyberArk, but very slightly. I also used ManageEngine.

Since we are a managed service provider, ManageEngine did not fit with our profile, and we needed a solution we can deliver to multiple customers at the same time in a shared or private manner. Secondly, from a licensing perspective, ManageEngine was slightly costlier, based on how it was implemented from our side.

The setup was mildly complex. It took four working days from the moment we received the appliance from BeyondTrust until we had the application ready to start onboarding stuff.

We implemented PRA in an active/passive configuration, integrated with Password Safe. It is not open to the Internet and can connect to only one destination via proxy.

Since PRA lacks connectors with applications it integrates with, we had to build them ourselves.

All implementation was done in-house with support and consultancy from BeyondTrust. We had three permanent people involved in the initial setup, myself included, with an individual from BeyondTrust providing advice and consultancy from time to time.

PRA's pricing is competitive, but since we are one of the major customers, we might be benefitting from different discounts and pricing.

Note that we do not use BeyondTrust Vault since it is not an enterprise-grade vaulting solution, which is why we use Password Safe since that is an enterprise-grade vaulting solution.

Initially, we only went for the SaaS solution, and customer-related constraints made us deploy it on-prem as well. But when we chose BeyondTrust PRA, we were only considering SaaS.

PRA can also be used to manage network devices. It brings the same level of security into managing networks. It eliminates VPNs, especially multiple VPNs. Through the use of PRA, there is no need to share passwords with users, which is critically important.

We don't necessarily use PRA as a full solution, but it adds an additional layer of security by having the enterprise vaulting solution, which is Password Safe, and PRA separate. That also makes things more efficient in that when configuring PRA, we only focus on the connectivity and the session from PRA, we don't worry about the account management.

If you compare PRA to CyberArk, it's just as good. There is nothing that one solution has over the other. These are the two market solutions that are usually compared since they are pretty much on par. ManageEngine, at least in the incarnation that we were using, was more limited when it came to auditing and reviewing sessions.

I advise engineers choosing a PAM solution to be very careful. One important aspect when reviewing is the high availability capabilities, and the second aspect is the integration capabilities with other BeyondTrust products or other products in that customer environment.

I rate PRA an eight out of ten.

It is used for remote access for all our partners. We bought it to replace our VPN connection for all our third-party partners and providers.

All our sensitive services are required to be hosted on-premises. That is why we needed something that offered an on-premises solution.

It has almost removed all the burdens that we had due to partner interactions via the VPN. The portal is easy to use and the self-service is really well-designed. End users are able to work without a lot of intervention from our teams. Also, when there is an issue with a password or two-factor authentication, they can reset it using the self-service option. There is not much to do now when supporting external partners.

Privileged Remote Access has improved external access to our network, which has had a positive impact on our network security.

It is very important to us that, through use of PRA, there isn't a need to share passwords with users. One of the basic best practices for securities is to avoid sharing passwords. We try to enforce this in our organization, so this is something that is mandatory for us.

It is used 90% of the time by external vendors and partners. That is the main reason why we bought this product. In terms of an attack in the network, PRA limits the possibility of access into our internal networks. The only point where they have access is PRA. According to its design, you can only access what has been configured. At the end of the day, we don't worry about what the external vendor can access on our internal network. We are just working on making sure that we give them the highest access to PRA.

In terms of security, PRA offers SSO authentication, which is a plus. It is very important to limit the use of multiple passwords, then we can just help a user focus on their jobs, not handling data passwords. 

I like the ability to have locks on every session and connection that happens on our system from the outside. So, we can do a review or investigation if something happens.

The proxy mode allows us to reproduce our attack surface.

It is really secure for remote and privileged users. It has helped us to go into detail on what someone can or cannot do on each system.

We can find real information that we need in terms of auditing and access using the Vault feature. In terms of visibility, we have all the information that we need.

PRA stands on its own as a full solution. This is important because it reduces the need to maintain a lot of different services. Also, the integration between those services are sometimes not easy to maintain. So, having a solution like BeyondTrust Privileged Remote Access reducing our workload gives us enough time to work on our other issues. The system just runs and does what it is supposed to do.

The solution's Vault is a nice feature. It helps to securely share a security password in teams, but it is not at the level of a password management solution. So, it is just really a vault. We were expecting to have more features to better manage passwords, but that is something that you can work around if you also have a password safe solution. I would like them to have features like password rotation or password auditing, e.g., old passwords.

I would like to improve access to the web application, simplifying the web jumps. I would also like them to improve the Vault, which should have features closer to a light password management solution.

I have been using it for two and a half years.

The system is stable. Updates don't require a lot of work to implement. I haven't had to do a callback after a deployment or upgrade.

Two people from our team are needed for deployment and maintenance.

It is scalable, though we haven't utilized that yet.

We have around 50 users utilizing the system. Four of those are admins.

We are using the solution extensively for 100% of our needs. We are not looking to add more users to the solution at this time. If we extend our partnership to more vendors, then we might consider extending our use of the solution.

The technical support is good. Their knowledge base is well-documented. I would rate the support as nine out of 10.

Positive

We were using a VPN solution that allowed external parties to have more access and capabilities on our network. Whereas, with PRA, all access is handled by the server, though there isn't a direct connection to the end server. This limits the access and capabilities of external checks on our Internet networks. 

The initial setup was straightforward.

It took about a week to have all our systems up and running on PRA as well as have our vendors connected to the system.

We went from training to the initial deployment with BeyondTrust's Professional Services. Then, our teams handled the next step of the deployment, which was onboarding all our systems. After that, we started the migration from all our VPN solutions to PRA with our end users. We did a few parallel runs between PRA and the old solution, then we went full-on into production.

PRA was one of the cheapest solutions that we evaluated.

We did tests before purchasing the solution. We tested three other solutions. PRA's auditing was the best. It provides a lot of information. It even lets you search through video logs, which was something that we really liked.

I recommend testing some other solutions then trying Privileged Remote Access. You will notice the difference. It is robust and easy to use with many good features, like the SSO.

I would rate the solution between eight and a half and nine (out of 10).

It is used for server access. I am using the latest version. Initially, I started with 10.6, and now, I am on the latest version.

It is currently on-premises, and down the line, we will be moving to the cloud. As of now, we have physical appliances for PRA. We do have plans to move the cloud. We've added two more servers at our end, and they will be moved to the cloud. 

Our client was using a different product, and they were not able to manage some critical parts. So, they started looking for a replacement, and they found BeyondTrust. As soon as they brought in this product, it was a very easy configuration. Implementing this product was very easy. It doesn't require much. It is very simple, and we can implement it in a week or two, which is what I like about BeyondTrust. It takes much longer to bring in other products. It is also very easy to bring privileged accounts into the product. It is much easier to do management and operational tasks as compared to other solutions.

It is very simple. You just open the URL, and you'll be able to see all your servers. Previously, it was a very tough task. There was either direct access or a VPN. There were a lot of restrictions for connecting to the VPN. There were also some other restrictions to access other products, such as if they want to go for SSO and other things. BeyondTrust is very easy. The users can open a URL, and they will be able to see all their servers. It is very easy for the users, and we are getting very good feedback from the users as well. Previously, there were multiple steps to connect, and now, there is only one step to connect to the servers remotely.

It is a very secure product, which is very important for us. For example, there are 5 to 10 users of an application, and everybody has access to a different machine. With this product, we can easily do segregation of duties and segregation of the server connectivity. Everybody is able to see the servers, but only those people who have access will be able to log into a server with a single click. It is a great tool, and everything has improved over here. Until now, we haven't faced any issues with this product. It is very simple and secure.

We use the vault for service account management. All the passwords and all the credentials get vaulted. In the PRA console, users can select the correct credential and log in. They don't have to know or see the actual password. Whenever a privileged account is managed by a PAM solution, there is a connector between the PRA solution and the PAM solution. This connector gets the credentials and injects them without any manual intervention. Other solutions also have this feature, but in BeyondTrust, it is very simple and different. The connector does all the work in the background.

It does good discovery. When we are trying to pull the local accounts, every local account is visible in the scanned report, and we can easily identify that this is a local account. We'll also be able to get a list of the domain accounts parallelly. There is a clear set of data indicating whether an account is a domain account or a local account. For cross verification, we also check with the application team whether these accounts are domain accounts or local accounts. The scanner works very well for us.

We can bring all kinds of accounts into the solution. Most products target privileged accounts or the accounts with privileged access. With this product, you can segregate a privileged account, a local account, and a normal account or a user account with the least privilege. All these accounts can be brought into the solution.

Through the use of PRA, there is no need to share passwords with users. There is no password sharing. Everything is vaulted. There are two types of integration in PRA. One is with the privileged accounts that are already managed by the PAM solution. The other one is with the least privileged accounts, such as a local account or a test account. Those accounts will be managed by the end-users. If I have the access to the privileged account, my password will be injected from the other solution by using the connector from PAM to PRA. If I have a local account on a test server or a development environment, the connection will be initiated from the PRA solution, and it'll be encrypted and monitored. All other features will also be there. I only have to key in the password.

We use the solution to provide access to third-party vendors. We can't create an AD account or some other account for the vendors in my organization because of some security and violation concerns. With the PRA solution, it is very easy. I can just add or create an account, and I can map this account only for the PRA solution. Whenever they log in, all the sessions are recorded. In case of any violation or issue, I have the recorded session. I can go and check what happened to the server. This way, it helps the vendors a lot, and a vendor doesn't need my intervention whenever they want to log in, even if he is in a different timezone. Previously, I had to be available for the session. I used to share the session via some other third-party platform, such as Teams or Skype, and my availability was very important. If I close the session, the session would get closed for them too.

It offers SSO authentication. We have multi-factor authentication, and we have RADIUS and other authentications. Multi-factor authentication is mandatory across any application or any URL.

In terms of session auditing and monitoring of third-party and remote work access, I have worked with another solution that was only for privileged accounts or privileged servers. PRA can be used for both privileged accounts and non-privileged accounts in the development environment. All transactions or accesses get checked and recorded. So, it is very easy for an administrator to manage the solution across the organization.

When it comes to the Privileged Remote Access (PRA) solution, instead of depending on a VPN client, from Cisco or any other vendor, we can directly use this product from the internet. It is very easy to do the implementation, and it is easy for every user to access the server from outside of their organization. They can open the URL and put their name and password, and it'll do the multi-factor authentication. They can easily access the server. Prior to this solution, the users had to log into the VPN, which is not required with BeyondTrust. Now, they can use their computer over the internet. In Privileged Access Management (PAM), the AD bridging feature where you can bring all your Linux boxes into the tool is an important feature.

I have been using this solution for close to three years.

Its stability is good.

Its scalability is very good. It makes things easier for the end-users.

I am an administrator of the PRA here. All the users in my organization are using this. There are more than 900 users, and there are some 4,000 or 5,000 servers. It is being used on a daily basis. We are in the process of increasing its usage.

Their support is very good. As soon as we log a case, their support engineers respond and help us out. The response time depends on the severity of the case. For a severity C case, they get back in a day or two. For a severity B case, they get back within 24 hours, and for severity A case, they get back immediately. They respond and resolve the issue within defined SLAs. I would rate them an eight out of ten.

Positive

I have worked on another solution previously, which is a market leader. I wanted to get into a product that was booming in the market. I was very focused on this solution because I knew this is going to be a market leader in the coming days. I was going through some articles on the internet, and suddenly, I got the opportunity in my company to work with BeyondTrust. I was very happy to get into this. It is working very well.

I was not a part of the complete deployment. When I joined this organization, deployment was already done. Some fine-tuning was happening, and I was part of that. It took about two weeks to fine-tune it based on the requirements, and that's all.

Overall, its setup is very simple. It would take us a week or two to bring other solutions into the organization, but we can bring in this solution within a week. We can easily bring 10 to 20 servers into the product.

For its implementation, probably there was someone who helped us remotely.

I have got a very good impression of BeyondTrust. It is a very good and booming product across the globe. I have been using this solution for close to three years, and I am still learning about its full capability. There is a lot to be explored.

They provide a lot of updates, and I am able to see a lot of fine-tuning happening. We can bring our own tool, and if we have an RDP tool, that can also be integrated. They are adding many features related to reporting, connectivity, and stabilization of connectivity. They are improving their product in every aspect.

BeyondTrust has many products such as PAM and PRA. AD bridging is also there. Specifically, with the PRA, you can ignore VPN. You don't have to pay for a license for the VPN. You can use this product.

All servers, with privileged activities as well as those without privileged activities, are assets of the organization. They all also should be monitored and should be in the control of the organization. PRA is helpful there because you can also onboard the least privileged servers. This helps a lot because everything is recorded and monitored. The management will have a crystal clear report about who accessed them and for what. Everything will be very clear.

I would rate this solution an eight out of ten. It makes the life of end-users easier.

We use the solution to give the network access to third-party vendors or remote basis employees. It helps us authenticate their credentials directly without a VPN connection.

The solution has the best screen-sharing feature. We can invite external vendors without exposing any credentials or network access to them using it.

The solution's access process for third-party vendors needs to be simplified. It should eliminate the process of installing client applications on users' machines for better security. Instead, we can publish a URL link for them. Also, its web interface needs enhancement as well.

We have been using the solution for four years.

It is a stable solution. I rate its stability an eight out of ten.

The solution's scalability is a five or six out of ten.

The solution's technical support is good. Whenever we raise any case, they try to solve it as soon as possible.

Positive

The solution's initial setup process is straightforward. It is developed and managed by BeyondTrust itself. They provide us with the virtual appliance, and we ask the customer to deploy that profile on their server. Once the appliance is deployed, we can access the URL and start with the initial configuration. Further, it integrates with the active directory and the customer's NTP server to configure two-factor authentication. The users can easily enable it for their IDs by scanning the QR code using any authenticator app or mobile device.

I advise others to use BeyondTrust if they have an existing PAM solution. It will help them with seamless access to privileged accounts and credentials. I rate the solution a seven out of ten.

We primarily use the solution for Privileged Remote Access. The primary use case is to let the suppliers connect in a very, very secure way on privileged endpoints and internal privilege endpoints or internal operators, probably from Azure. They operate something in the Azure cloud, and that's a very secure way to connect to the Azure cloud.

It's one of the most secure products in the market. 

They have very good support. They have really have great support.

It's everything that we need. It's like a Swiss knife. We can do everything with that to produce what we need for Privileged Remote Access reasons. 

Every three to six months they bring new features like processes, access processes, and things like that, which are unique in the market. I have not seen other solutions offering what they offer.

The documentation is really great. It's cool. You can download all the documentation you need at any time. They've done it in a great way.

The API is great and we can automate anything that we need with the product.  

If you know what you are doing, it's not a difficult setup.

The solution is stable.

The scalability is excellent. 

The solution offers many great integrations.

I cannot say that the solution is lacking any features. It has everything we need right now.

They could probably integrate a wizard or something like that to add a new use case. It could be something that makes it easier to add a new use case. That's something they could probably improve. I'm not sure about this, however, as the direction is anyway going more and more in the direction of automation. That said, for a beginner customer who is starting from scratch, probably a wizard would be a good feature to add.

The on-premises version is not as easy to set up as a cloud deployment,

We've used the solution for about five years. We started using it pretty much from the moment it came out. We have worked with the solution for a while. We've benn BeyondTrust resellers, however, for 15 years.

It's got great stability. It's really great. In all the 15 years I used the remote support solution, and the five years we used the PRA solution, we never have seen an unstable situation with any of the components of the product. There are no bugs or glitches. It doesn't crash or freeze.

The solution is scalable. You can do a worldwide rollout of the product. This is an Enterprise product, and so the scalability allows you to expand over multiple countries, over multiple locations, with their technology. 

The company is best suited to enterprise level organizations - specifically medium and large ones. 

They have really great support. If you have to call, for example, someone at Microsoft, you need to wait in a queue about 30 minutes, or here in Switzerland, some companies, have outsourced the support to other countries. Then you have to wait in a queue and wait for a person which is helping you. At BeyondTrust in all these 15 years, normally you have a wait of one or two minutes, and almost immediately you have a person in the chat, which helps you, and a competent person. They are very quick and very responsive. 

This is an on-premise product. You cannot really compare with the other products from the cloud, which you just click and then work. There is a setup process, and you need an admin with a certification. It's not so easy, however, if you have the right guys in place, then it's no problem. 

Normally, anyway, this is an Enterprise product, and in the company, you have a person which is administrating this product. BeyondTrust is an Enterprise solution, and therefore, you have to do some kind of rollout as well.

Typically, users will see an ROI within about a year or so. It gives you the best tool to your employees they can have in that area. And therefore the return of investment comes very fast.

The pricing depends on the model you choose. You can have it as a cloud version or you can have it as an on-premise version and therefore the prices vary. The initial costs are normally a little bit higher than with other products, however, after two or three years, it's a bargain. It's just that the initial cost is a little bit higher. That said, due to the functionality it gives to your team, the return of investment comes very fast.

We are a reseller, not an end-user.

While we do use different deployment models, many of our clients are government-related and therefore we deal a lot with on-premises deployments. 

I'd rate the solution at a nine out of ten. It's definitely on the upper level, well above what else is available.

I would recommend that those considering using the solution do a certification course similar to when you install Windows server or something like that from Microsoft where you can become a Microsoft certified professional, and you can attend a class and then you can do an exam about the product. 

I recommend that a company which uses the product has also a certified admin. It makes it lot easier. That way, they can really profit from all the functionality the product has. The product has many functions however, you need to give it to a person with enough know-how. Otherwise, the company will not use all the features the product offers. 

Initially, we had a different VPN set up for our external vendors, and working for a pharmaceutical company, we had a lot of equipment vendors telecommuting in to do maintenance on the equipment. Using BeyondTrust PRA streamlined this process; it made it easy for us to manage and distribute the proper certificates and assign privileges to all external users. If one of the remote parties got a new employee, we would set up an access account using their name, providing the same permissions as their coworkers to manage parts of our infrastructure. This was an excellent addition to our company and alleviated a lot of pressure from our support staff.

We signed a contract with a new IT management firm that took over our IT support. That's 300 new employees that needed access to the right groups, et cetera. It took just one day to create the 300 accounts and assign them to the proper teams. PRA streamlines the onboarding process, even for large groups of new remote helpers, setting up the correct templates, having the Discovery in place, and assigning and revoking access.

We like the integration with Active Directory. It allows us to discover the endpoints and user accounts that need protection. It's a good way of securing our privileged access.

Another feature I like is the approach to jump points. Jump points are the external-facing proxies, which use the same outbound HTTPS connection method as the jump client but allow the initiation of RDP connections, et cetera, into the downstream networks. This feature was the key selling point for us in choosing BeyondTrust PRA. 

The security provided by the solution regarding remote and privileged access is about as good as we can get without completely locking down permissions. Going with PRA is the best step if a client is looking to lock down administrative access with a remote solution while applying the principle of least privilege. 

We used the solution's Vault to add not just service accounts but also the users' main administrative accounts discovered through Active Directory. We limited permissions, so users couldn't even review their account passwords. This was managed in the Vault and injected into each session. 

Compared to other products, PRA is one of the better ones. We need to start the discovery manually, but it's comprehensive and clear. It allows us to select what to import and has the automation behind it to manage endpoints and accounts, which is a valuable feature for any enterprise business.

The physical solution wasn't as important to us; our architecture strategy was SaaS first, virtual later. If BeyondTrust didn't have a SaaS offering, we would look at availability to install it in one of the public cloud offerings on the market. Having the SaaS option available, especially for medium-sized businesses, is very much something that gives BeyondTrust an edge in the market. 

The solution improved our network security. Especially regarding remote vendors, it allowed us to complete our network segregation goals. We could close down all external access to that network and leverage PRA as the single entry point. 

Not needing to share passwords is essential to us. We have peace of mind knowing nobody can view passwords, share credentials, and operate outside their defined context within the network unless they have explicit permissions. That helps us sleep at night.  

Previously, third parties had VPN access, and it was important for us to shut that down. Now that the entry point is closed, there is only one dimension for us to consider; which vendor has access to what. This makes management and the general security picture clearer.  

SSO authentication was one of our main requirements, so that integration was crucial. It allows us to provide quick access to the tool itself using the same credentials. 

The solution stands above its competitors in this regard. Using the team functionality allows us to create groups of users with a team leader who can monitor those sessions. This functionality works great, and PRA is at the top of the spectrum here. Having somebody at a physical station and someone remotely accessing the station works very well, especially for training purposes. The recording functionality is another nice feature; the video view is small but can be expanded to a larger view. 

The integration client, backup solution, and SSO setup and provisioning could be improved. There isn't any documented or supported user provisioning currently, which slows down the processes of onboarding and assigning permissions. I would like to see this improved soon.

The Vault could use some attention, specifically in managing named administrative accounts. I have to assign permissions to my named admin account during sessions manually, but I think that should be the default. Admin account permissions could use some more automation and be adjusted to be more user-centric.

BeyondTrust could improve text-based auditing; it's not very readable. I can get the details through the jump client and other tools, but if I run a simple PowerShell command, the solution generates multiple lines for that specific session in the text audit, which doesn't make sense.

I was the lead implementer for the solution for one of my clients, a global pharmaceutical company. The project took over a year, and I used the product for another six months as both an end user and an admin before leaving that job. I used the solution for almost two years in total.

The solution never let me down during the entire implementation; though the integration client was the opposite, I was never satisfied with it. I recall some stability issues stemming from significant database actions that slowed down the system. There was also a bug that took both our team and the BeyondTrust team three business days to resolve, which didn't help with our impression of the tool.

I would say the SaaS offering isn't particularly scalable. The more endpoints we added, the more sluggish the tool became. However, BeyondTrust's high availability approach offers much better scalability on the backend side, and endpoints with added jump points can be clustered for higher availability. The sky is the limit by improving the database size and storage at the backend.

We had over 600 total users; mostly IT support and admin teams. There were also 10 to 20 vendors each with three to ten users that used the tool to remotely manage equipment. 

The product is used daily by a large number of users simultaneously. Before I left the company, the highest number of concurrent sessions I saw was 25. If I had to estimate, I would say PRA is used for over 300 sessions daily with the same number of users.

I would like to differentiate the implementation team and the technical support as they are two separate entities. The implementation team could improve how they guide the customer through the process. The technical support staff are knowledgeable and do everything they can to help, but they aren't the easiest to reach. They don't do user-to-user sessions, and the only way to reach them is through tickets. There is a chat function, but that's more for gleaning more details of the issue; I often just wanted to pick up the phone and ask someone a question or explain my problem to them. BeyondTrust's documentation appears to be aimed more toward executives than technicians, and that doesn't help the situation either.

This may have been specific to how we wanted to implement the solution, but a lot of technical information was missing. It took some back and forth through the ticket system to finally get that information via a member of support staff doing a screen-sharing session. Screen sharing is much more effective than only having a text chat, but it took too long for us to get there.

I would still give them a seven out of ten because they're very knowledgeable and do everything they can to help. The support system is impersonal; especially when we were starting out, that personal touch makes all the difference. Ultimately, this is about the security of our organization; we don't want to go back and forth with bots and tickets before finally reaching a member of staff who can help us.

Neutral

The initial setup was complex because we didn't know precisely what we wanted to achieve and neither did BeyondTrust, and the communication between us wasn't the best. It took a while for us to realize what we wanted to achieve, how the solution could deliver that, and in what configuration, and they could have helped us out more with that. It isn't easy to fill out the integration sheet; it requires a fair amount of product knowledge.

It took us six months to understand the basics and set up the tool according to our requirements. It took another six months to get the implementation going. That is partly because the pharmaceutical company required the solution to be qualified. That process took time because BeyondTrust didn't have much relevant documentation; we had to write much of it ourselves.

Deployment can be completed with one engineer and one server admin, with the latter deploying the clients and jump points. Once we understood the basic principles of the product, it became straightforward to implement. BeyondTrust could better convey that to new customers unfamiliar with their solution. A dedicated team of three to four staff is sufficient for deploying and maintaining the solution for an enterprise business.

I wasn't directly involved in the licensing and pricing, but I can say that PRA is licensed per endpoint added to the Vault. I would advise users to take frequent exports of their license usage package; it's a simple feature that provides a spreadsheet of every machine in the Vault. This helps to cut down on duplicate licenses, which can happen by adding the same endpoint using an IP address and a fully qualified domain name, for instance.

The implementation is an additional cost, and they offer several tiers, so the price varies. There are also some optional add-ons, so I would advise people to research the product well and find out precisely what they need regarding features. The Advanced Web Access add-on provides some required functionality when interfacing with websites; that's one to consider.

We reviewed two other vendors: CyberArk and Devolutions, but we eventually went with BeyondTrust for several reasons. Devolutions fell off quickly because it's too small, which is a risk. We liked the approach of operating over an outbound HTTPS connection to the SaaS appliance, which was more of a security benefit for us than the CyberArk solution, so we went with PRA.

I would rate this solution an eight out of ten. 

I would advise potential customers to have an excellent understanding of their requirements and what their landscape will look like five years down the line. Consider if the SaaS offering is appropriate, as I understand switching to a self-hosted instance isn't a straightforward process, so it's essential to plan.

If I need a privileged remote access solution in my future endeavors, BeyondTrust's offering will be my go-to, and I recommend it for any size of business.

We went with the SaaS version of the solution and had some regrets about that. Pharmaceutical companies must comply with a host of rules and regulations, and one of the requirements was to keep recordings of every session for over 90 days. The SaaS solution's storage did not meet our needs in a large enterprise environment. We had to use a third-party backup tool provided by BeyondTrust to download sessions to our local storage, but it was a poor tool; the error handling and logging functions were sub-standard.

The ability to operate without a VPN wasn't particularly a requirement. Our project aimed to secure administrative access, so our focus was more on user accounts than endpoints and connections. During our market research, we discovered that few solutions focus on privileged identity management; they're usually integrated with PAM tools like BeyondTrust PRA.

As a technician, I can vouch for both ends of that spectrum. The benefit of PRA being a standalone solution in our case is the ability to quickly and definitively sever that tie into our network. That being said, the solution currently doesn't solve all of our privileged access difficulties; we still have to manage roles and privileges in cloud solutions. I don't think there is a product on the market that allows for efficient management of both worlds; the cloud SaaS product and on-premises remote access.

Regarding leveraging service accounts as a password manager, there are better solutions, including BeyondTrust's own Password Safe, which integrates well. In terms of managing remote access accounts, PRA does an excellent job and provides relatively fine-grain policy permissions customization. We can have users operating accounts where they cannot view the password, and other users can access the password if needed to access some legacy applications, for example.