Get our free report covering HashiCorp, Microsoft, Amazon, and other competitors of CyberArk Enterprise Password Vault. Updated: January 2022.
564,599 professionals have used our research since 2012.

Read reviews of CyberArk Enterprise Password Vault alternatives and competitors

PAM Architect at a tech services company with 11-50 employees
Real User
Top 5 Leaderboard
One of the best kept secrets.
Pros and Cons
  • "BeyondTrust Password Safe's features that I have found most valuable are really those that are knitted in. That is their Smart Rules and Smart Groups, where you design your administration model so you create your AD groups and your asset groups, and configure Password Safe."
  • "The only negative thing I can say is that BeyondTrust was recently bought by Bomgar and the marriage of the multiple companies coming together in the merger has caused a little bit of a hiccup right now in their software versions."

What is our primary use case?

Our clients' primary use case for BeyondTrust Password Safe is managing Windows Privileged Accounts, Linux, and Fit client databases, and for accessing a different database, like Visual Studio, SQL Manager, and things like that.

We usually deploy it in a double server, high availability with disaster recovery.

It is the primary software architecture.

How has it helped my organization?

BeyondTrust Password Safe allows the client to standardize the onboarding of privileged users as well as dynamically onboarding newly discovered assets and privileged accounts and dynamically adding them into Password Safe. Based on administration models, they can dynamically apply policy based on those standards, like a Linux policy versus a Windows policy. Once you create it, it's set and forget until you need to add another platform.

Additionally, you can expand your domain if you need to support multiple domain directories, etc. For that you would need to go in and do some administration, but otherwise, the administration model is much lower. CyberArk's is pretty stiff. I told you the CyberArk administrators were very expensive to train and no sooner do you train them than they get a job for $20,000 more to be an engineer because you trained them too well.

What is most valuable?

BeyondTrust Password Safe's features that I have found most valuable are really those that are knitted in. That is their Smart Rules and Smart Groups, where you design your administration model so you create your AD groups and your asset groups, and configure Password Safe. To onboard a new account you can run the discovery engine and use rules automatically to dynamically onboard the asset or the accounts and add them to particular groups based on naming conventions. For example, WADM for Windows Administrator, LIN for Linux Administrator. You'll have a user with their name plus LIN for Linux administrator or WADM for Windows Administrator and BeyondTrust uses those naming conventions for standards, dynamically adds them to the appropriate groups, and then links them dynamically based on them. They would not get added dynamically to Linux.

Because you do your administration design upfront, there are very few changes you need to make in the future unless you're adding additional platforms, which is actually what I'm going to do with a client. I'm going to be going there and expanding their platforms, adding network devices, adding application embedded accounts, and probably Windows because they currently are only managing a Linux platform. They have the ability for automatic connections using the remote app.

Remote app is like a Windows terminal session. So you do an RDP connection to a server, but when you connect the only thing you can run is a specific application like SQL Server Manager and you don't know the password. The ID and the password are automatically inserted and you connect, do your database work and log out. BeyondTrust has that very nicely, CyberArk has it, Xceedium has it. But not everybody has it.

What needs improvement?

There's always room for improvement. But as of right now, I believe BeyondTrust is one of the best kept secrets.

The only negative thing I can say is that BeyondTrust was recently bought by Bomgar and the marriage of the multiple companies coming together in the merger has caused a little bit of a hiccup right now in their software versions. For example, the online training courses are two revisions older than the currently released software and some of the guides don't match what you see on the screen. So it's a growing pain. Because they were purchased by Bomgar the people who used to make decisions in BeyondTrust are not necessarily the ones making them now or they've got other people to report to and get approval. Right now they're in a little bit of flux online with their BeyondTrust University.

For how long have I used the solution?

I have been using BeyondTrust Password Safe for about six months.

What do I think about the stability of the solution?

BeyondTrust Password Safe's stability is like a rock.

What do I think about the scalability of the solution?

BeyondTrust Password Safe's scalability is very good.  Of course it's only dependent. The scalability and the horsepower are dependent upon how well you architect it, determining the number of assets and the number of concurrent users. 

But you can run these on virtual servers, so you can allocate additional RAM or additional CPUs if you find you're running low on power or, like in the case I'm at, going up from two to six cores on the VMs when we add Windows. Windows requires a lot of overhead so we're going to bump up the CPU, probably to triple the RAM and probably expand the sum volume as well for the storage. This is because they have hundreds and hundreds, if not over 1,000, Windows servers.

Each server is an asset maintained in a database, and the managed accounts are discovered on those assets. You basically just create the rules to add the managed accounts, which are the privileged accounts. Once you create them dynamically you basically do it in Windows platforms. I usually break them up into print servers, file servers, database servers, web servers, and usually application servers. Those will be the five different types of Windows platforms that will have different administrators. You're going to have an OS administrator across all of them, but the OS guy is not going to be able to get into SQL or into Apache Web Service. So you have a great adherence and excellent segregation of duties, and once you create the rules for each platform type, it all happens dynamically.

We have a deal in the works for a company with less than 100 employees. There are only 70 servers, but it is a multi-billion-dollar retirement fund management company. They're responsible for billions of assets so they have stiff requirements for security. And their primary is PII. They have to be very careful with the privilege or personally identifiable information. If they get hacked, and there's lots of social numbers out there, there are addresses to banks, most likely bank accounts, because the retirement fund is being attached to somebody's bank so that they can transfer funds for their 401(k) or Roth IRA or whatever. They are very concerned about security. But they're a very small company. There is another one, which is a huge company with a very small footprint, but with an insanely large reach in size and complexity. I can't go into any detail about it.

How are customer service and technical support?

Customer service is off the charts. It is awesome. CyberArk's can be really good as well. But CyberArk can also have a little bit more of a personality. Sometimes I feel like they just want to poke you in the eye. They're now a 150-person company. When I first met CyberArk I think there were only 33 employees.

I would give BeyondTrust Password Safe's tech support a 10 out of 10. No problems at all. Absolutely. Abso-freaking-lutely. They are a company of human beings and treat you like a human being. CyberArk's is a little silicon, they have a little bit of a harder surface. They're very successful, a top player in the game and they act like it. But BeyondTrust is still a very competitive company to CyberArk, better in some ways. In fact, I would actually say better in most ways. The hardware footprint is significantly lower. But then again, that's also the disadvantage because if you have a disparate network, and let's say you have a global footprint, you're going to have multiple servers in each continent because you don't want the British accessing over here in America. The latency will be awkwardly terrible. So you would have a larger distribution.

One client that I was putting a bid together for had CyberArk. This company was very large, they had 13 CyberArk instances. They would distribute by corporate standards. They had a separate accounting which had tens of thousands of managed accounts and users. Then they had PAYE for the payroll, and they had accounts receivable, accounts payable, because they were so large, even CyberArk couldn't scale for it. And their hardware footprint at this bank had, I think, 120 total CyberArk servers.

I think BeyondTrust would have scaled better for them.

CyberArk requires a huge footprint and BeyondTrust would not require that large a footprint.

How was the initial setup?

The initial setup is straightforward. Practically, my daughter could have done it.

You can use a standard Windows build or you can use a Linux server. You unpack the files for Linux and run the install or you run the executable for Windows, then you install SQL on both and you're just about done. Then, when it starts, you begin getting ready to populate the database SQL. 

You can have it "active active" with high availability so if one server fails the other one takes over. If two of them are up and going, you can do a load balanced pair, and then have a DR server set off in another environment that can take over in the event of a disaster.

What other advice do I have?

BeyondTrust Password Safe is very robust and very powerful, very scalable, and very nimble.

My advice is to first make sure all their use cases match your need. Then I recommend engaging with their salespeople, getting a good sales presentation and an understanding of the cost, and then getting a technical presentation followed by a demo.

We have a client whose main use case is Rapid7 SIM with API integration. So far I have found that CyberArk is the only one that can do that. But CyberArk is too expensive for this client. You have to sit down with a client, find out what their use cases, business requirements, and technical requirements are because sometimes they may want you to integrate with ServiceNow, and it's not easy to do that. With CyberArk, BeyondTrust, Thycotic and Centrify it is. Actually BeyondTrust is really a leader. I call them the best kept secret.

It's a great product. I like it because the administrative overhead is so much lower. Remember how I said that CyberArk requires a very high administration overhead but because of the dynamic rules and smart rules you basically create a boolean if and then, and you can segregate. If your system or your name ends with dash ADM you're an administrator and you can access these assets and these accounts dynamically. Just by joining the company, getting a username with a dash ADM on the end, which I don't recommend by the way. I recommend having something nondescript because a user account with a _ADM, just screams, "I'm an administrator come and get me." Come up with something else, like an A-3-D. Come up with a different naming convention that would make it discreet.

On a scale of one to ten, I would rate it high. I would rate BeyondTrust Password Safe a 10 because the fruits of your labor during the implementation phase pay off for an extended period of time. Rather than the ongoing pretty stiff administration requirements of some tools.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Cloud Architect at a marketing services firm with 11-50 employees
Real User
Top 20 Leaderboard
Enables you to run infrastructure as code, to fully automate creation, management of, and access to, keys
Pros and Cons
  • "All its features are really valuable. It's really well thought-out. It's a complete turnkey solution that has all the concerns taken care of, such as access control and management. You can use it in infrastructure as code to create key vaults, APIs, PowerShells, CLIs, even Terraform."
  • "If you check the capabilities of other key management services across Amazon, HashiCorp, and Google, there are features that Key Vault doesn't have. It could be the case that when you use Key Vault, you might be forced to use a third-party solution to get certain services. If those services could be included in Key Vault, there would be diminished reasons to go for a third-party key management system."

What is our primary use case?

I have used the solution on a couple of projects for a client, mainly for storing credentials and secrets, such as API keys and application or username passwords into the vault, as well as certificates. 

It is used for anything we need to keep safe and secure and not have users access, except via applications that programmatically access Key Vault and retrieve the secrets and connect to other APIs. That way, we don't supply usernames and passwords within application code or to people. We vault them in Key Vault and those secrets can be used within an application without human intervention.

Azure Key Vault is a SaaS solution.

How has it helped my organization?

You have to have this to make sure that you're compliant with security and governance. One of the main concerns with compliance is how you manage keys and secrets in your cloud environments. You're encrypting your data at rest and in transit, but where do you store the encryption key itself to not become compromised? Key Vault addresses all those concerns. This is one of the main tools and, without it, it's hard to implement and address one of the main pillars of cloud architecture, which is security.

The whole nature of it is to help make things autonomous, because you can run infrastructure as code. That really takes away the human factor and you can fully automate the creation and management of, and access to, the keys, including the rotation of the keys. By taking away the human element, it's really secure. And, implementation-wise, when you're using Key Vault, Microsoft is behind it and they're using the best methods for encryption and ciphering of keys. You don't have to worry about those things.

It really simplifies the whole process, in contrast to needing in-house experts to help you facilitate key management. When it comes to two main concerns, encryption of the data in transit and at rest, it is a service that is with you all the time. It has a low cost and it's ready to implement. You don't have to have 10 developers build something that you don't even know will be successful, versus a service that has already been tested across global enterprise companies.

What is most valuable?

All its features are really valuable. It's really well thought-out. It's a complete turnkey solution that has all the concerns taken care of, such as access control and management. You can use it in infrastructure as code to create key vaults, APIs, PowerShells, CLIs, even Terraform.

You can also use it in different services across the board. If you have app services, or virtual machines, Kubernetes, or Databricks, they can all use Key Vault effectively. In my opinion, in a DevSecOps, DevOps, or even in a modern Azure implementation, you have to use Azure Key Vault to make sure you're addressing security and identity management concerns. By "identity" I mean usernames, passwords, cryptography, et cetera. 

It's also a regional solution and it frees you up from using third parties like HashiCorp Vault, for example.

In addition, there is a feature in Azure called managed identities, and when storing your credential or any keys or secrets in that you can have your code use managed identities to access Key Vault. That simplifies the whole process of connecting to Key Vault and retrieving your secrets, passwords, and credentials. 

It's a full-blown solution and it supports most breeds of key management: how you store keys and certify. 

I can't say that one of its features is better than others. You have to have all of them to make it a competent service, although one of the especially important features is the connection with monitoring and logging, so you can see who had access to what.

What needs improvement?

If you check the capabilities of other key management services across Amazon, HashiCorp, and Google, there are features that Key Vault doesn't have. It could be the case that when you use Key Vault, you might be forced to use a third-party solution to get certain services. If those services could be included in Key Vault, there would be diminished reasons to go for a third-party key management system.

For how long have I used the solution?

I was using Microsoft Azure Key Vault until two years ago, but since then I've been actively using it for two or three different projects.

What do I think about the stability of the solution?

It's stable. There is the SLA and the resiliency that goes with Azure. Because many services are dependent on Key Vault, if it's highly available and redundant, it helps a lot. You can imagine how many times applications would go down if Key Vault were not available. It is one of the high-demand services. Anything that needs to access a key or a certification is dependent on Azure Key Vault. 

So far, compared to other services that are available in the Azure environment, I haven't seen anything surprising with the stability or availability of Key Vault.

What do I think about the scalability of the solution?

It's scalable and global in its performance. I have implemented it for one of the largest pharmaceutical companies in the whole world, a company that operates on a global scale. Key Vault is a main ingredient for every one of their infrastructure pieces that is tied to it. The scale of that company in its use of Key Vault was phenomenal.

How are customer service and technical support?

I haven't needed to contact Microsoft support about Key Vault. There have been instances when I have had to talk with Microsoft support about Graph API for Active Directory and other services, and even to the cloud adoption framework team, but never for Key Vault. It is just so straightforward.

How was the initial setup?

The complexity depends on what you're trying to do with Key Vault. It can get complex or it can be simple. You don't expect advanced scenarios to be easy to implement because it has many ingredients. If someone is simply going to Azure portal to create a secret and retrieve it, it's simple. But if you want to tie in your services, and have role-based control over who can access keys, and what services are tied to the keys, it gets complicated. But that's not just Azure. That complexity comes with the level of complexity of the scenario.

Key Vault is easy to use because there are many APIs and mechanisms to create and retrieve. The concepts are easy. I use it in many scenarios, such as building infrastructure as code, consuming it in Kubernetes. Everything seems to be straightforward. It is really the de facto for key management and vaulting secrets. 

For example, one of the applications recently we developed needed to store the username and password of the service that connects to SQL Server. I found it was super-easy to tie the credentials within the application configuration files to Key Vault to retrieve the keys. It was a no-brainer for a developer to learn and do it. It took about 15 to 30 minutes to follow the documentation. And it has really nice documentation. Performing any action using the features of Key Vault is really easy as it's user-friendly. Depending on your level of skill, the deeper you get, the more features you can use.

What's my experience with pricing, setup cost, and licensing?

Key Vault, like every Azure service, has a cost associated with it, but you don't have to spend thousands of dollars to spin up an environment to build a key management system. It's already there.

You pay as you go, similar to other services in Azure.

Which other solutions did I evaluate?

There are many other tools that I am still using, including AWS Secrets Manager, CyberArk, and Conjur, but none of them is close to Key Vault.

One of the benefits of Azure Key Vault is its integration with Active Directory, as is the case with most of the services in Azure. That really adds something to all the services.

Also, Managed HSM is not available in those other solutions. You have to go with HashiCorp Vault to get that. 

In addition, the key rotation feature of Key Vault is a lot better than in AWS Secrets Manager. CyberArk and Conjur are more one-off products for specific use cases. You have to purchase a license and implement and manage them yourself, and not everything works seamlessly in CyberArk.

Conjur was good until Key Vault supported containerization. Azure created services for using blob storage, and those features of Key Vault came naturally as part of the whole cloud stack. 

Key Vault covers different problems for various personas and roles. As a developer, you get a lot of benefits that you don't get when you start developing with other tools, excluding HashiCorp Vault. HashiCorp Vault is really neat, and the only downside is that you have to manage the infrastructure yourself.

What other advice do I have?

I'm a cloud architect. If I don't see that Key Vault has been included in a proposed architecture, I don't approve it. It's a main ingredient in any cloud enterprise infrastructure and architecture. When you're using Azure, you have to have this or a third-party solution. If someone shows me a third-party solution, I have to ask, "What's the cost of owning this component that you're adding to the architecture? Is it included, like Key Vault, or do you have to pay for it like with HashiCorp Vault?" With Azure Key Vault you have something that is free, enterprise-level, global, and it just works.

I don't know if we could survive without Key Vault in a cloud implementation and still call it a secure platform. These days, you have to have Azure Key Vault or some third-party mechanism such as HashiCorp Vault. You need something that addresses key management in your cloud environment. But why should you pay for extra resources, costs, and management overhead, if everything is managed by Azure itself?

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Pre Sales/Technical Engineer at a tech services company with 11-50 employees
Real User
Top 10
Good user interface and session monitoring and easy to set up
Pros and Cons
  • "The user interface is quite good. It's very straightforward."
  • "There could be tweaks here and there. For example, instead of going to one main function to do this and another main function to do that, the solution could remap the user interface so that a person only has to go through one function. The way that function branches off should make a bit more sense."

What is our primary use case?

I primarily use the solution for PRAM management, privileged access management, and other similar tasks as well. We submit credentials and replicate and post them directly behind the scenes. There's also some session monitoring and issue recording, etc. that we handle.

What is most valuable?

The session monitoring and session recording aspects of the solution are valuable to us. The fact that, as a support, you can actually monitor sessions on the fly is really helpful. A lot of sessions are live. Therefore, if anything happens within the session, there is an alert, and the security can terminate the session. 

The fact that you can go back to any other session according to user or sequence, is quite useful. You can get a nice audit of the recording sessions. It's quite deep and quite useful.

Users are able to whitelist commands. It's very helpful.

The solution provides security for certain tasks as well. There's also regression on items like passwords.

The user interface is quite good. It's very straightforward.

The reporting is very powerful.

What needs improvement?

The solution is very good at improving based on customer feedback. If, for example, a customer asks for updated functionality, the next version will likely fit the requirements or requests. They're very responsive in that sense.

There could be tweaks here and there. For example, instead of going to one main function to do this and another main function to do that, the solution could remap the user interface so that a person only has to go through one function. The way that function branches off should make a bit more sense.

I'd like to see more automation on parts of the solution that cover APIs and disk space. There should be more automation in terms of what's out-of-the-box. It would help some customers as not all of them are knowledgeable and well-skilled. It would make it easier for the layman.

For how long have I used the solution?

I've been using the solution for one year.

What do I think about the stability of the solution?

The solution is pretty stable.

What do I think about the scalability of the solution?

The solution is highly scalable. The architectural deployment is quite flexible. You can deploy it on multiple sites, you can do your load balancing, you can do your SQL storing, etc. It gives you various architectural deployment and flexibility options. It's very powerful.

How are customer service and technical support?

We've been in touch with technical support in the past and they've been very helpful. We've been satisfied with their level of support.

Which solution did I use previously and why did I switch?

We didn't previously use a different solution. This is my first foray into PRAM management and enterprise solutions.

How was the initial setup?

The initial setup is pretty straightforward. We didn't find it to be overly complex in any way.

Which other solutions did I evaluate?

I did look at a few other companies and compared a few different features before choosing this solution. I looked at FireEye, BeyondTrust, and CyberArk.

What other advice do I have?

I have a lot of hands-on experience with the solution and I present it to customers and do all the POCs for them.

I'd recommend the solution and advise others to look at cloud options, as most companies are moving to the cloud anyway right now. It's flexible, so users can deploy it both on-prem or on the cloud. There are lots of great custom features and network monitoring capabilities.

You can also patch the privileged behavior and it will, on the fly, give you nice digital printouts with privileged behavior also. If your system admin or one of your admins suddenly acts strangely, even at 2 AM on a Sunday, it will flag that because that's not normal behavior. That's due to the fact it has a lot of powerful machine learning built into the solution as well.

The endpoint application control of the privileged manager is powerful because of the authorizations, etc. The privileged manager can ensure that you actually are able to manage everything very well - everything from user privileges to admin. You can even escalate items easily.

I'd rate it nine out of ten, just because there's always room for improvement. However, for my purposes, it's a fantastic solution.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
IrmaShattuck
Program Manager at a recruiting/HR firm with 5,001-10,000 employees
Real User
Top 20
A straightforward setup
Pros and Cons
  • "The solution's stability is flawless."
  • "As I am partial to CyberArk, I rate Thycotic Password Reset Server as a nine out of ten, owing to the minor glitches I mentioned."

What is our primary use case?

We recently had to reset every company password globally, which I am in the process of undertaking at the moment. 

It seems to be working well for us. While we did encounter several glitches, I believe this owed itself to the solution not having been fully deployed, even though they owned it for some time. We have since deployed it fully and are learning as we go, especially as concerns the various international laws, such as the GDPR. Yet, it works well for us. 

What needs improvement?

We recently had to do a global reset of every company password, something we are still in the process of doing. While we had a few glitches, this likely attributes itself to them not having fully deployed, even as they owned the solution for a while. Now that we have done so, we find ourselves to be learning as we go, especially as concerns the various international laws, such as the GDPR. This said, it works well for us. 

As I am partial to CyberArk, I rate Thycotic Password Reset Server as a nine out of ten, owing to the minor glitches I mentioned. 

The initial setup was very straightforward for us. However, as it would not deploy easily with our 2019 servers, we were forced to make a few code changes. It continued to deploy for 2012, something I found to be odd, but started working flawlessly only after I made a few code changes. 

My only negative thing to say about Thycotic would involve the servicing not having been written for 2019.

For how long have I used the solution?

I have, perhaps, a year-and-a-half worth of experience with Thycotic Password Reset Server. 

What do I think about the stability of the solution?

As I am partial to CyberArk, I rate Thycotic Password Reset Server as a nine out of ten, owing to the minor glitches I mentioned.

This said, the solution's stability is flawless. It's very stable.

How are customer service and support?

We have had dealings with technical support, but have not encountered any problems with them. They helped walk us through so many things that we simply did not know. My only negative thing to say about Thycotic would involve the servicing not having been written for 2019. 

Which solution did I use previously and why did I switch?

I did a PLC with them while at IQVIA, but when I came over to CNHI, they actually owned 400-license, so I went ahead with its implementation.

We are trying to capture feedback with CyberArk, as well. 

I started my certifications in CyberArk, but I deal with identity and access management. 

As I am partial to CyberArk, I rate Thycotic Password Reset Server as a nine out of ten, owing to the minor glitches I mentioned. I would likely rate it as a ten, but one tends to stick with what he knows. 

How was the initial setup?

The initial setup was very straightforward for us. Since it would not deploy easily with our 2019 servers, we were forced to make a few code changes. It continued to deploy for 2012, something I found to be odd, but, once I went in and made some code changes, it worked flawlessly. It took us about two days to work through this, but we got it done. 

It seems to be working well for us. While we did encounter several glitches, I believe this owed itself to the solution not having been fully deployed, even though they owned it for some time. We have since deployed it fully and are learning as we go, especially as concerns the various international laws, such as the GDPR. Yet, it works well for us.

What's my experience with pricing, setup cost, and licensing?

I am not aware of the licensing costs, as they already owned everything but had not put it in the infrastructure. I am simply unaware at the moment, but will find out, as I am the director of the area. 

What other advice do I have?

At present, the solution is a hybrid, but we plan to put it totally in the cloud. 

I rate Thycotic Password Reset Server as a nine out of ten. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.