IT Central Station is now PeerSpot: Here's why
Buyer's Guide
Privileged Access Management (PAM)
July 2022
Get our free report covering BeyondTrust, Microsoft, CrowdStrike, and other competitors of CyberArk Endpoint Privilege Manager. Updated: July 2022.
621,327 professionals have used our research since 2012.

Read reviews of CyberArk Endpoint Privilege Manager alternatives and competitors

SatishIyer - PeerSpot reviewer
Assistant Vice President at a financial services firm with 10,001+ employees
Real User
Lets you ensure relevant, compliant access in good time and with an audit trail, yet lacks clarity on MITRE ATT&CK
Pros and Cons
  • "I'm no longer the product owner for PAM, but I can say that the most useful feature is the vault functionality, which keeps all your passwords secure in a digital vault."
  • "When I was a component owner for PAM's Privileged Threat Analytics (PTA) component, what I wanted was a clear mapping to the MITRE ATT&CK framework, a framework which has a comprehensive list of use cases. We reached out to the vendor and asked them how much coverage they have of the uses cases found on MITRE, which would have given us a better view of things while I was the product owner. Unfortunately they did not have the capability of mapping onto MITRE's framework at that time."

What is our primary use case?

I work with the infrastructure access team in my organization and we have CyberArk as a primary solution along with a number of components for Privileged Access Management (PAM) and monitoring within the privileged access sphere.

We began with CyberArk in 2018, when we procured the licenses for CyberArk and all its components including the PAM suite and Endpoint Privilege Management (EPM). Our management took a call and we had to do a proof of concept to evaluate the product and see what it was capable of. As a product owner, I had six months to complete this. We evaluated a few specific use cases and presented our findings of the CyberArk's capability to management around the end of the third month.

Since then, CyberArk's Privileged Access Management is still our central solution for the entire estate, including all our servers (Windows/Unix), databases, devices, and so on, with around 5,000 to 8,000 users globally. Essentially, all access is managed through Privileged Access Management. That said, I am not sure to what extent all of the findings were carried forward after our initial evaluation because a lot of changes have happened within the organization. Our overall threat assessment, criteria, and even the framework has changed, now leaning towards a Zero Trust kind of strategy.

For instance, even for the tools that are used within the Privileged Access Management suite, there is a tighter alignment towards enterprise architecture, and we currently have a highly-evolved enterprise architecture group from which everything is driven. Earlier, individual units would have had their own licenses to see what they can do with them, but now things are more closely aligned with the overall enterprise architecture strategy. Given this, some of CyberArk's tools such as EPM have somewhat dropped off from the list of our priorities.

As for how we have deployed CyberArk, it's currently all on-premises. We do have a roadmap for transformation to the cloud, but I am not sure what kind of place CyberArk will have in that, as it depends on the enterprise architect's view on the cloud transformation. We have had some discussions around what to do about the cloud portion of our assets (e.g. VMs and such), what kind of monitoring we need, and so on, and I think that, among other apps, Splunk will likely become part of our toolset when it comes to the cloud. I believe we are also evaluating CyberArk's Cloud Entitlements Manager on this roadmap.

How has it helped my organization?

From a functional point of view, I would not have a concrete idea of how CyberArk has improved our organization because that information is better provided by someone from the operations team. Those kind of evaluations are typically done at a much higher level, probably at COO or a similar level, and they have a close alignment with the enterprise architecture group.

On a practical note, with CyberArk there is integration with your identity management system such that, when done properly, you can ensure that anyone from an administrator to production support personnel will gain the relevant access they need in good time. PAM offers integration with Active Directory, LDAP, and so on, and is fairly compliant with these kinds of approaches to identity.

What is most valuable?

I'm no longer the product owner for PAM, but I can say that the most useful feature is the vault functionality, which keeps all your passwords secure in a digital vault.

The second most useful feature is the monitoring of your privileged sessions. So you have an audit trail, where any privileged access session has to be authorized, and you have access to all the relevant monitoring controls.

What needs improvement?

When I was a component owner for PAM's Privileged Threat Analytics (PTA) component, what I wanted was a clear mapping to the MITRE ATT&CK framework, a framework which has a comprehensive list of use cases. We reached out to the vendor and asked them how much coverage they have of the uses cases found on MITRE, which would have given us a better view of things while I was the product owner. Unfortunately they did not have the capability of mapping onto MITRE's framework at that time.

PTA is essentially the monitoring interface of the broker (e.g. Privileged Access Management, the Vault, CPM, PSM, etc.), and it's where you can capture your broker bypass and perform related actions. For this reason, we thought that this kind of mapping would be required, but CyberArk informed us that they did not have the capability we had in mind with regard to MITRE ATT&CK.

I am not sure what the situation is now, but it would definitely help to have that kind of alignment with one of the more well-known frameworks like MITRE. For CyberArk as a vendor, it would also help them to clearly spell out in which areas they have full functionality and in which ares they have partial or none. Of course, it also greatly benefits the customers when they're evaluating the product.

For how long have I used the solution?

I've been using CyberArk Privileged Access Management since 2018.

What do I think about the stability of the solution?

CyberArk's PAM does what it's supposed to do, based on the interactions I've had with the folks from operations. There are the usual operational challenges, but it fulfills its basic purpose.

Stability assessments are conducted by a separate team that does risk assessments, so I don't have a lot of insight into this aspect, but considering that the product has been running for quite some time now and it's still the central solution for access management, I would reckon that it's a pretty stable product.

What do I think about the scalability of the solution?

There are different categories out there when it comes to scalability. In the case of bringing in new target systems, then sure, you can bring in what you need based on your licensing criteria. In terms of bringing in target systems which are not covered by the list of connectors that you have, this too is possible as there is scope for customization. Overall, I think it's fairly scalable and it does give decent support on the scalability front.

Our onboarding is progressing smoothly and at a steady pace. With the onboarding, you have new users coming on, and because it's a central solution, the rollout is global. There are even plans for extending the department in terms of increasing the redundancy of components, which is largely determined by operational performance reviews and so forth.

How are customer service and support?

In my personal experience as product owner assigned to various components, there have been challenges with the support at times. I would say that it has scope for improvement.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I have used a similar solution, but it was closer to a desktop password manager kind of tool. It was made by IBM and it was something you could actually install on your desktop and manage your passwords around that.

Later on IBM developed the tool into something more enterprise-oriented, and it turned into what we would classify as a privileged access management solution. But otherwise, CyberArk was probably the first fully-fledged solution in this sphere that I have used.

How was the initial setup?

The initial part of the setup was quite good. When it came to Windows, we had success in the beginning stages, but later on we had to have a number of discussions with CyberArk with respect to the 'groups' nomenclature, as we wanted to have a very clear standard that could be used consistently throughout the organization.

The first iteration was mostly fast and easy, however at one point we realized that there was much more detailing needed to be done. So we went through another iteration with a more detailed design and came up with more comprehensive coverage of groups, or roles, as you might say. In total, I think it was around two years before the Windows part was comprehensively addressed, but after that, it was covered quite quickly. 

Before CyberArk's PAM, we had a legacy tool that was managing the privileged access for Windows and we had that decommissioned around this time, which was a victory of sorts.

What about the implementation team?

The first step of the implementation strategy was putting all the passwords in the vault, thereby securing them. We also had a tool called Application Identity Manager, which we used for mitigation of the hard-coded passwords. Only after the vault was in place alongside Application Identity Manager, were steps taken to deploy the PAM suite.

Back in 2015, we had about three or four full-time CyberArk Professional Services folks undertake an effort to implement it, but that project failed. All that was achieved was the central vault deployment, and I think they also had Application Identity Manager installed at the time, but nothing apart from that. So it didn't take off the way it was supposed to, possibly due to a misalignment with the top management and the enterprise architecture viewpoint. But later on, and toward the second half of 2016, things started picking up again and further steps were taken from 2017 onward to deploy the Privileged Access Management functionality.

Throughout the PAM deployment, there was a fairly large vendor team that we were working with. I reckon the vendor team size was around 45 to 50 people. Within the organization, there was another large team that was supporting with various roles, such as in engineering, architecture, operations, governance, and so on. In total, there were around 50 of the vendor's team and maybe 20 to 30 roles from within the organization. There were other layers of responsibility, such as the risk team, but all those were kind of on the outside of the deployment.

What was our ROI?

I don't have much access to the facts and figures surrounding ROI, but I would reckon that with the Zero Trust risk strategy that we have, the product does match some of our key challenges. For one, we have the vault solution, so the passwords are safe up there. And then we have brokering in place for some of the key platforms, so I would say that these positives, along with our strategy and roadmap, will decide the fate of the future of CyberArk within the organization.

What's my experience with pricing, setup cost, and licensing?

I'm aware that the organization had purchased licensing for almost all of CyberArk's solutions including licensing for PTA, EPM, and the Application Identity Manager. But when it comes to PSM, this is one of the components where there's an additional charge for any extra PSMs that you want to deploy. I believe that there's some rider where the vendor has a bit of leeway to, at times, charge a premium on whatever additional services you may require above the board.

What other advice do I have?

Based on my experience as a product owner, I would advise, firstly, to set up an enterprise security architecture as authority within the organization, and ensure that it is closely aligned with your business. Once that is set up, then the enterprise security architecture should determine the priorities of the business and, accordingly, you can lay out a roadmap and strategy.

From a product perspective, CyberArk may or may not fit into your organization based on what strategy you have detailed, or it may or may not fit your requirements. So I would definitely not recommend purchasing the tool first and then determining what to do with it next.

Regarding automation, we are adopting DevOps for the positives it brings, such as cost savings, efficiency, etc., yet there needs to be some checks and balances. Having a fully automated solution would require you to think through the security aspects very carefully. That is why alignment with the enterprise security architecture is of great importance when it comes to securing access across environments in an identity management solution.

CyberArk's PAM is based on the concept of identity, such that a user logs in with his or her identity. So whatever systems the user accesses, there is an audit trail that is tied back to that same identity. This can happen across multiple environments based on factors such as the separation of duties, where certain engineers may not be allowed access to certain areas of development. These checks and balances occur when we give access to those kinds of rules and permissions. There are some targets we have for automation, but if it's fully automated it wouldn't be all throughout our organization as we have found there are some pitfalls with full automation.

Now, when you bring the cloud into the picture, as with our own transformation roadmap, you can't just put a tool in front of you and then expect everything to fall into place from on-premises to the cloud. It does not work that way. You need to have a sound strategy from your enterprise security perspective and only then can you ensure that things will fall into place.

Concerning the UI, PAM has an administrative dashboard and everything, but from a monitoring perspective, we also rely on additional tools apart from what CyberArk offers. For least privilege and managing secrets, there's a tool from CyberArk for that, but I'm not sure we have any plans on using that solution.

Overall, I would rate CyberArk Privileged Access Management a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Meo Ist - PeerSpot reviewer
Senior Product Manager and Technology Consultant at Barikat
Real User
Top 5Leaderboard
The native integration is crucial
Pros and Cons
  • "Delinea's network integration is the most useful. For example, I use a Check Point firewall connect to SmartConsole, so I need to do a lot of configuration in Delinea Secret Server. Native integration with Check Point is valuable. You can also go download whatever API you need from the cloud, whether you're using Check Point, Palo Alto, etc. Enriched discovery is another good feature. If you are dealing with several kinds of systems, you can see which system requires privileged access to my network."
  • "I formerly used only one service: the remote server. For example, I connected to the Active Directory user and the computer's console. But now, I need to do a remote connection to the domain controller. Maybe it only connects to that tool, the Active Directory users, and the computer management console, but not to the domain controller. Another thing Delinea could add is multi-factor authentication."

What is our primary use case?

The primary use case for Delinea Secret Server is to sort the privileged passwords. It can also change passwords after a set period or revoke passwords when someone leaves the company. Delinea needs to be on-premises because Turkish regulations do not allow cloud-based security solutions for some sectors. 

What is most valuable?

Delinea's network integration is the most useful. For example, I use a Check Point firewall connect to SmartConsole, so I need to do a lot of configuration in Delinea Secret Server. Native integration with Check Point is valuable. You can also go download whatever API you need from the cloud, whether you're using Check Point, Palo Alto, etc.  Enriched discovery is another good feature. If you are dealing with several kinds of systems, you can see which system requires privileged access to my network.

What needs improvement?

I formerly used only one service: the remote server. For example, I connected to the Active Directory user and the computer's console. But now, I need to do a remote connection to the domain controller. Maybe it only connects to that tool, the Active Directory users, and the computer management console, but not to the domain controller. Another thing Delinea could add is multi-factor authentication.

For how long have I used the solution?

I've been using Delinea Secret Server for five years.

What do I think about the stability of the solution?

Delinea is highly stable.

What do I think about the scalability of the solution?

It's incredibly easy to scale up Delinea. You can install a new vendor server and deploy the Delinea Secret Server application if you have performance issues. We have 120 admin users and around 5,000 privileged passwords stored in the vault on the Secret Server.

How are customer service and support?

I rate Delinea support 10 out of 10. It's good, but I don't need it often. Sometimes I need help with configuration. If you need a custom configuration, you can pay for professional services, but it's expensive.

Which solution did I use previously and why did I switch?

I've also used CyberArk. CyberArk has more features, but they are minor. Some customers may need them, but others don't. The main difference is pricing. CyberArk is more expensive. 

A Delinea license costs about a dollar per admin, whereas it's $5 for CyberArk.

How was the initial setup?

The installation is pretty basic, and it doesn't require advanced knowledge. It takes a day to install and configure CyberArk, but Delinea is done in an hour. But you need an escrow database. I requested a cluster system from the customer site.

After deployment, the solution doesn't require much maintenance because the Delinea is stable. I sometimes have a connection problem due to configuration, but I never have an issue with the database. You don't need to spend much time on maintenance or have a lot of technical knowledge.

What about the implementation team?

We deployed Delinea in-house. 

What's my experience with pricing, setup cost, and licensing?

I would rate Delinea 10 out of 10 for affordability.

What other advice do I have?

I rate Delinea Secret Server 10 out of 10. If your customer uses a privileged access solution, they need to sort all the passwords. They should do a session recording and change the password, then do workflow delegation. Delinea can do it all, so I strongly recommend it.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Yacov Ben-Moshe - PeerSpot reviewer
Software Consultant at a financial services firm with 10,001+ employees
Consultant
Integrates well between AD and Unix, scalable, and easy to use
Pros and Cons
  • "The most valuable features of BeyondTrust DevOps Secrets Safe are the ease of use and the API is very nice. Additionally, the interface is very good between AD and Unix."
  • "We had some issues with the solution and once we contacted support they eventually solved the problem. They could improve their response time."

What is our primary use case?

We are using BeyondTrust DevOps Secrets Safe for all the security, such as logins, minimum privileges, Safe, and VPN.

How has it helped my organization?

BeyondTrust DevOps Secrets Safe has made companies a lot safer.

What is most valuable?

The most valuable features of BeyondTrust DevOps Secrets Safe are the ease of use and the API is very nice. Additionally, the interface is very good between AD and Unix.

For how long have I used the solution?

I have been using BeyondTrust DevOps Secrets Safe for approximately three years.

What do I think about the stability of the solution?

BeyondTrust DevOps Secrets Safe stability in the AD Bridge has been not good, we have had many issues. I recently received a new version a few weeks ago and it looks like they solved most of the problems. Some of the issues we had, lasted a very long time until they found a solution. 

What do I think about the scalability of the solution?

I have found BeyondTrust DevOps Secrets Safe scalable.

We have a few thousand users using this solution.

How are customer service and support?

We had some issues with the solution and once we contacted support they eventually solved the problem. They could improve their response time.

Which solution did I use previously and why did I switch?

We were using Pseudo and only Unix previously. For Microsoft Windows systems we used CyberArk. We switched to BeyondTrust DevOps Secrets Safe because we felt it would provide a better overall solution.

How was the initial setup?

The installation of BeyondTrust DevOps Secrets Safe could be made easier sometimes it is difficult. It can take a long time to configure properly.

The full deployment took a long time. For example, the AD Bridge took us at least eight months to finish.

What about the implementation team?

BeyondTrust helped us to scan all the assets that we have and we onboarded all the assets and we had to reeducate all the people on how to use them. It was quite a long process. 

We did the implementation in-house but for our South Africa implementation, we used the help from BeyondTrust.

We had a five-person Unix team maintaining BeyondTrust DevOps Secrets Safe. However, they were not maintaining on BeyondTrust DevOps Secrets Safe, they were maintaining the operating system, and other things.

What was our ROI?

I am not sure if companies have received a return on investment. However, the companies are enjoying the solution and it has kept them safe.

What other advice do I have?

My advice to those wanting to implement BeyondTrust DevOps Secrets Safe is for them to plan it very well before making a decision. If they are changing from another solution to BeyondTrust DevOps Secrets Safe or doing a fresh without any history, planning is important. They should use BeyondTrust people to help them install it and make it work.

I rate BeyondTrust DevOps Secrets Safe an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Buyer's Guide
Privileged Access Management (PAM)
July 2022
Get our free report covering BeyondTrust, Microsoft, CrowdStrike, and other competitors of CyberArk Endpoint Privilege Manager. Updated: July 2022.
621,327 professionals have used our research since 2012.