
Read reviews of CyberArk Privileged Access Manager alternatives and competitors

PAM Architect at a tech services company with 11-50 employees
MSP
Top 5 Leaderboard
Their discovery engine is off the charts, and the ease of administration and implementation they talk about is for real
Pros and Cons
  • "Its number one feature is discovery. The discovery engine in BeyondTrust is off the charts. When they perform a discovery, you know everything there is about a server, including what software is installed. For example, if you want to group all of your database servers together, you can do that by using discovery and Smart Rules. If a server has Microsoft SQL installed, it gets put into a group based on a Smart Rule. It makes it very easy to determine what is what in your environment. As organizations grow or acquire other companies and merge, they lose track of what they have. BeyondTrust can help you throw a rope around it very rapidly."
  • "If there was one thing, it would be having the documentation standardized. They should keep the documentation consistent. For example, when BeyondTrust updated one of their admin guides, they left out the information on the discovery account requirements, and then over a period of time, we ended up having to search multiple different documents to put together a string of information for a specific topic, which was problematic. It was minor, but it was problematic. Standardized documentation would be the one thing I would suggest."

What is our primary use case?

It is used primarily to adhere to SOC compliance and to provide what we call user/administrator segregation.

We are an MSP. We do manage services, but we also do a lot of other things. We implement as well as do ongoing managed services. We don't use it in our organization. We have it in our lab set up as a running service so that I can go there and test something just to see what'll happen because I can do a snapshot of my system and then revert if things go wrong. That's something that I don't want to experiment with in a client environment, even in a test or a dev environment. I just want to test something. I can do that in our lab, but our organization does not use Password Safe.

How has it helped my organization?

BeyondTrust's discovery is off the charts. It doesn't just discover servers and user accounts, it also discovers the services, such as Microsoft services, and scheduled tasks. For example, if you want to change a password on a Windows service, which is also linked to other scheduled tasks or IIS app pools, just changing the password on the service is going to break the scheduled task and break the IIS app pool. BeyondTrust is able to dynamically discover and manage all three tasks of synchronizing, stopping, and starting the services as the passwords are being rotated. It is quite intuitive.

When we have services and devices that are in a red zone, which includes the internet-facing devices or the devices in the direct internet compartment, the password vulnerability is what we are trying to handle. The primary factor that makes a lot of security officers feel better is that passwords can be made long and complex, but even a very long and complex password over a period of time can be cracked. BeyondTrust allows you to not only do long and complex passwords but also regularly schedule rotations that are well within the timeframes of being able to crack a password. A password with 26 characters, 8 to 10 special characters, and an uppercase/lowercase combination will take IBM Big Blue six months to crack. In those six months, we would have changed that password 10 times or more. So, the password that IBM Big Blue is crunching on to crack has already been changed, rendering the previous password that might have been compromised inert.

It is useful for segregating user accounts. A common scenario is that a user receives an email and even though the email comes from somebody the user doesn't know, the user opens a Word document. The user gets a macro virus and is compromised. If it is just a regular user in the environment, it is only a disaster, but if it turns out that in that client environment, that user also happens to be a domain administrator or a local server administrator, it is armageddon. So, we use BeyondTrust to segregate user accounts where the domain admin connects to BeyondTrust with his user account, which also has a counterpart matching ID in BeyondTrust. When he connects to the endpoint devices to perform his job, the account that he is connecting to in BeyondTrust has the privilege. So, when he connects to BeyondTrust, he authenticates with his user account and connects to what I refer to as a dedicated admin account. That dedicated admin account is session recorded and keystroke logged. You have all the tracking records and Windows logs. Everything is captured, and then when the user is done, he logs off and continues on his workstation as a regular user again. The session is completely segregated.

So, we're able to provide user/administrator segregation. The reason I do the dedicated admin account is that, with multi-user shared accounts, it is a little bit more difficult to quantify who did what. It can be done, but it is just more difficult. With a dedicated admin account, it is one-to-one rather than one-to-many or many-to-one. BeyondTrust Password Safe provides the ability to do all of this with rules. They have template capabilities built into the product. All you have to do is customize Smart Rules to perform your action. That's the beauty of BeyondTrust. I don't know what I would do if I had to go back to another solution that did not have them. I've worked with other privileged management solutions. For me, not having BeyondTrust Smart Rules would be taking a step backward.

It is important that Password Safe provides integrated password and session management in one solution. When you have it in one solution, you don't have two devices to manage because at a certain point, if you need a secondary component to perform something that the original solution does not perform, that's another managed system that you have in your network, which adds on a transparent cost. Having password and session management in one solution keeps all of your administration within one application.

Its customization features help us to manage most assets, databases, and applications, which is critical. We are able to work and visually connect with various platforms, such as Linux, Unix, Ubuntu, etc. Ubuntu is being used a lot for small edge solutions because it is inexpensive. It is also easy to manage because it is a *nix platform. People put a lot of Ubuntu-based solutions on their edge devices, such as secure remote access or an HTML5 gateway. We're able to manage all of that within one interface in BeyondTrust.

The Team Passwords feature has been hugely helpful for securely storing credentials owned by small groups outside of traditional privileged user roles. When you go into an organization, you've got people who are storing passwords in KeePass, or they've got PW Safe, which are free downloadables. The next thing you know, you have got 200 or 300 developers and administrators with all these individual solutions, and sometimes, some of them need to share them with each other. Team Passwords is your one-stop shop for all IDs and passwords that are not necessarily dedicated to a specific device. Just the IDs and passwords can be stored and allowed access by groups. We're doing a huge migration to Team Passwords, and we've developed APIs for creating the environment and importing the passwords. Tens of thousands of IDs and passwords are going into it. It is amazing. I remember 20 years ago, somebody was bragging about a password safe solution they did in Lotus Notes. I still giggle about that because Lotus Notes is fat, and it was very complex. Team Passwords is visually intuitive. My teenage daughter could sit down and do it.

So, this client had multiple password storage solutions. They first ended up installing Thycotic Secret Server because they also had certificates and a couple of other different types of authentication solutions, but they were veering away from certificate-based and needed an ID and password solution. The Thycotic solution was also out of date. The SQL database was falling apart. It was used to its maximum extreme. Considering they were already using BeyondTrust Password Safe, Team Passwords was a natural blend. 

In one of the cases, an engineer had a fairly large KeePass solution, and when he left the company, his workstation was re-imaged. They ended up losing information for a significant number of devices. They happened to be network-oriented devices such as routers and switches. To this day, they are gathering all those previous IDs and passwords. Now, with BeyondTrust Team Passwords, all they have to do is to add a user to a group, and they now have access to all those IDs and passwords rather than somebody walking out the door with them or them getting wiped in a system re-image. They are in one location where they could be backed up and secured.

What is most valuable?

It starts with discovery. Its number one feature is discovery. The discovery engine in BeyondTrust is off the charts. When they perform a discovery, you know everything there is about a server, including what software is installed. For example, if you want to group all of your database servers together, you can do that by using discovery and Smart Rules. If a server has Microsoft SQL installed, it gets put into a group based on a Smart Rule. It makes it very easy to determine what is what in your environment. As organizations grow or acquire other companies and merge, they lose track of what they have. BeyondTrust can help you throw a rope around it very rapidly.

Its user interface is really nice. It is very visual. When you first log in, based on your job role, you see what you have access to when you look at the screen. As an administrator, I see the configuration screen where I can go in and modify Active Directory and authentication connections. I can set up SAML, or I also have access to create Smart Rules. The access is based on the role that you have when you log in. I have six boxes or six categories of administration items, whereas when an admin user connects, he would only have one or two. So, based on your role, you see what you have access to. It is not like you click something and then it fails because you're not an administrator at that level. You actually see what you have access to, and BeyondTrust is very good at that.

BeyondTrust provides the ability to connect by using not just the web interface but also the admin tools such as MobaXterm, PuTTY, or a lengthy list of other types of tools. You can use the connection string and connect through BeyondTrust, and it will be session recorded, keystroke logged, and highly available. When you bring up MobaXterm, you probably bring up one of the most complex ones because MobaXterm has the ability to have two, three, or four concurrent connections, which makes BeyondTrust Password Safe ideal.

It is very easy to integrate session management into existing business processes. To make it easy for the engineers, we created templates of the connection strings and then used, believe it or not, Microsoft Excel to create custom strings for each of the engineers. We exported them to a text file that they could then import. In the case of PuTTY, because PuTTY stores the connections and the credentials in the registry, we had to do something different there, but the connection string is customizable enough to make the job fast and easily repeatable for all the other engineers. You don't have 20 or 30 engineers spending two or three days creating all these connection strings. I can create them in a matter of minutes with a Microsoft Excel spreadsheet and then save them to a text file or a CSV file. It is awesome.

We are able to integrate session management without disrupting business processes. One of the niceties about BeyondTrust is the ability to integrate it with ticketing systems. For example, as per Sarbanes-Oxley, we have to have a reason for why an administrator is performing something. The integration with a ticketing system is ideal rather than manually typing the reason in the reason field through the GUI where most engineers, after a while, end up just typing in Work. They don't put in enough data to make it clearly visible why they connected. The integration with the ticketing system is ideal for that. Ticket-driven access makes the work very quantifiable.

What needs improvement?

If there was one thing, it would be having the documentation standardized. They should keep the documentation consistent. For example, when BeyondTrust updated one of their admin guides, they left out the information on the discovery account requirements, and then over a period of time, we ended up having to search multiple different documents to put together a string of information for a specific topic, which was problematic. It was minor, but it was problematic. Standardized documentation would be the one thing I would suggest.

For how long have I used the solution?

I have been using this solution for two years, but I also have previous experience with BeyondTrust. There were other BeyondTrust products that I was intimately familiar with that gave me the confidence to move forward with the BeyondTrust Password Safe. I previously worked with PowerBroker for Unix Linux, but it was not in the password space.

What do I think about the stability of the solution?

It is awesome. It is very good.

What do I think about the scalability of the solution?

It is very good. The scalability is dependent on how much CPU, memory, and space you want to put at it. There is a certain point of diminishing returns where it might prove better to have a high availability solution where it is active-active, and you have one part of the organization that is going to be primarily hitting one server, and one will hit the other for a load balance, but I haven't yet gotten to that requirement.

How are customer service and support?

I have interacted with them intimately and regularly. I would rate them a 10 out of 10 because they have not just one; they have staff to bounce things off with each other. They're very quick and very responsive and very good. You're not treated like a number. Once we were setting up a special configuration, and one of their engineers said, "Hey, send me your MeetMe, and I'll join your call." Wow, that was nice.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We manage other solutions, such as CyberArk. A lot of our clients are at various stages. Some of them were uncertain about their existing privilege management solution, and they weren't updating it. They didn't continue the support packages with the provider, and they were in a state where they were unsure about what they wanted to do. We've had both experiences where we've gone in and based on their organization, we recommended upgrading or continuing the support of their existing, CyberArk or Centrify, solution. In some organizations, we've recommended switching to BeyondTrust.

How was the initial setup?

When I went in, it was already set up, but I'm installing additional BeyondTrust Password Safe solutions. I manage services, and I'm also implementing Password Safe for new environments. 

It is a little bit of a blend of straightforward and complex. If there is something you leave out or you miss, you're going to feel it later. For example, you missed a step for configuring Windows component services because you went to lunch and forgot to click OK. Your screen went into the screen save mode, and you lost the information that you had put in, and you left that out. You're going to feel it later. However, luckily, they've got incredible logging built into the product, and you can look at the logs and be able to diagnose what went wrong. If you follow the installation uninterrupted, you can implement BeyondTrust Password Safe in a day. That would include integration with Active Directory and setting up the basic features like discovery. 

BeyondTrust can provide you with an appliance, which is a hardware device, or you can install an appliance-type image onto a Windows server and have your own appliance. It just won't be a dedicated appliance. Many organizations would like to have easily managed systems, and the BeyondTrust appliance methodology, even though superior, can make it more difficult to manage in an environment because it has to be handled as a specialty appliance. It is not a positive, but it is not a negative either. It is an organizational decision that needs to be made on how they want to manage the device, but either way, it can be done.

I will be implementing hybrid cloud environments as well. We are doing a blend with 80% full on-prem and the other 20% of the development is towards a cloud-based solution, primarily for a segregated environment. We are working with a lot of edge services with our clients. For example, they'll have a secure compartment for a specific application, where Windows, Linux databases are being run within this compartment, but they are managed by an external team. Most of the security has been focused on just preventing who has the access, but it doesn't answer the problem of what they are doing when they are in the compartment, and we're using BeyondTrust for that. So, we are having two layers of security. We not only have access control where getting into the compartment is taken care of, but once they're in, we can also granularly control what they have access to and what they can do. We have session recording and keystroke logging for audit records. So, we're blending. Currently, we're developing such a secure compartment, and we're going to have one BeyondTrust Password Safe server in the cloud. It is going to be an active high availability solution that'll have a paired server, but it is going to be on the local network. We will possibly be doing one complete cloud solution in the Amazon compartment.

In terms of duration, the longest part of my job is waiting for account provisioning. I'm usually waiting on Active Directory or Linux or database account provisioning. I spend more time waiting than implementing, but then I just move on to another organization or another environment and continue. I keep a rapid rotation, but account provisioning is the lead time.

What about the implementation team?

You pretty much do it yourself, but BeyondTrust has an incredible case system where you can submit requests. You can do it for information where you're just asking a question about something, which I did for discovery accounts, or you can submit that your server is having an error and something is not working properly. You can create a higher priority ticket and submit it. BeyondTrust has a way to export a package that will provide them with the files that they need from the system to perform a diagnostic, and then they can tell you what you need to do. It is pretty cool.

For migrating end users to Password Safe, an organization needs to make several decisions. They first have to decide whether they're going to use multi-user shared accounts, where they will have one account that six or eight people can use, or they're going to have dedicated admin accounts, which is my preference. It is slightly more complex, but it makes it much more secure. So, that would vary from organization to organization.

For upgrades, they have an incredible updater. That's what it is called. It automatically detects and is connected to BeyondTrust, and you'll be notified that upgrades are available. You can set them to be automatic or not. There are some updates that you don't want to be automatic because you might want to do a snapshot of the appliance before the update because some updates can cause problems. I haven't experienced that yet, but you have the option of automatic or manual provisioning of the updates. You can schedule them based on off hours, for example.

It is very robust in the area of maintenance. Part of the problem is when things are going so well for so long, you forget about it. That's why we schedule all of our activities so that all of a sudden or six months later, we don't discover that a server is having severe issues. We just manage by the clock, but BeyondTrust Password Safe is very robust in the area of keep running. It runs, and it also has other types of capabilities that are built into it. For example, if the session recording and keystroke logs are stored on the actual appliance or server, they eventually will take up a lot of disk space. In my lab, I experienced a crash because I ran out of disk space. BeyondTrust has the ability to very easily redirect the storage of session recordings and keystroke logging to a network drive and off the appliance. I'm glad I was able to experience that in my lab rather than getting a call from the client that their server is crashing. If you have a high volume and a lengthy time frame for which you want to save the session recordings, being able to save them to a network drive is incredible.

What was our ROI?

The time to value, or the amount of time it takes to see benefits, varies by the organization because some organizations have a different plan right up front, but the time to value with BeyondTrust is fast. It is a very rapid return on a visual inspection of whether you are meeting your goals and objectives. You'll see it very fast.

What's my experience with pricing, setup cost, and licensing?

When you buy Password Safe and perform your initial Discovery, you have all these servers that are added to your assets in BeyondTrust, but you're not using a license until you actually start managing the systems. BeyondTrust's licensing is based on the systems when they're managed, which means when an administrator is able to connect to the server through BeyondTrust with a managed account. There would be a privileged account on the endpoint when the licensing starts. A significant advantage to that is that there are many organizations that want to evaluate their environment prior to automatic management. For example, they are going to be upgrading to a larger router instead of having two routers. They are going to have one, so that would be one managed license rather than two. It gives them a chance of seeing their environment before they commit to managed systems and licenses.

What other advice do I have?

I would recommend this solution. My advice to others looking into implementing BeyondTrust Password Safe is to follow the instructions, scan broadly, and manage specifically. That's what BeyondTrust allows you to do. You can scan everything, but then select what you want to manage. With some applications, the licensing starts right at discovery, but BeyondTrust licensing is by managed systems. So, I recommend scanning broadly, finding everything you've got, and making your decisions based on the actual numbers. That's one of the advantages of BeyondTrust. So, use it.

One organization I went into was primarily concerned with 50 specific servers. They had thousands. When all was said and done and we asked them what about the other servers, they did not specify what they wanted to do with those. They were only concerned about getting those 50, whereas BeyondTrust allows you to handle 10,000 as easily as 50. It is crazy not to leverage that. What you want to do is scan broadly and then manage according to plan. If you've got 1,500 servers and you're only looking at 50, that's like looking through a toilet paper tube. You will have a very narrow view. So, what you do is scan and discover broadly, find out what you have, and then come up with the administration model that'll work for them all. Start with 50, and then roll out the other 950 automatically. If you design it right, the minute a new administrator is added during that night's discovery, that user is ready to start working the next morning, or that server gets discovered and added based on the Smart Rules. So, a new Linux server or a new Windows server becomes available the next morning. A newly hired administrator's account is discovered, and as a member of the administrator group, he is automatically ready to start work first thing in the morning. No intervention is required.

We have not used the solution's software development kit to create a plugin to support new systems or applications, but they do have them that you can modify. We're looking at making a modification to an existing platform connector. Their platform connectors are very visual, and you have the ability to compare. We're looking at the original Linux connector, and we want to connect to an SCO server. We have a template to work from. We will speak to the experts regarding SCO and make modifications to another connector to create a new connector. It is pretty dynamic.

At this time, my opinion is that it is a 10 out of 10. Based on having experience with three or four other competing solutions, I would give BeyondTrust a 10 out of 10. I normally don't give this sort of a rating, but I do give BeyondTrust a 10. If you read two or three of their advertising and website blurbs and that's what you need, you're going to get it. When they talk about the ease of administration and the ease of implementation, it is all for real.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Sr. Manager Cyber Security at a manufacturing company with 10,001+ employees
Real User
Top 20
A simple and flexible solution for controlling the access and improving the security posture
Pros and Cons
  • "The privileged access and the application control are helpful in making sure we have good, robust challenge responses. Blacklisting with trusted application protection is also beneficial for us."
  • "Reporting analytics is one of the areas that can be improved. It is a new cloud-based solution. So, many more specific reports can come out natively. Currently, we get all the events, and we put them in plug-ins. From there, we generate our own design of reports. If there is a much more solid or robust reporting analytics framework within the product itself, it would be helpful."

What is our primary use case?

Its use cases are mostly around all the 65,000 endpoints. The use cases are mostly for privileged access and the application control across all endpoints throughout the organization to make sure we have the least privileged model with zero-trust enabled at the endpoints.

We started with on-prem, but now, we've moved to the SaaS cloud.

How has it helped my organization?

It has helped in multiple ways. We have more than 30 years of legacy of having local admins on our endpoints. With this solution, we have removed the local admins from the users. Now, we are giving them privileges on their machine only for the applications and not for everything. It has reduced the unwanted risk and increased the security posture. 

It also helps with some robotic process automation. It helps with certain actions that we have been engaged in for certain RPA-type behaviors.

We are able to increase the security by blocking a lot of applications, such as encrypted chat applications and blacklisted applications. Data exfiltration is a big concern in our company, and this solution helps us to tighten up those controls in many different ways. We are able to control the access.

What is most valuable?

The privileged access and the application control are helpful in making sure we have good, robust challenge responses. Blacklisting with trusted application protection is also beneficial for us.

What needs improvement?

Reporting analytics is one of the areas that can be improved. It is a new cloud-based solution. So, many more specific reports can come out natively. Currently, we get all the events, and we put them in plug-ins. From there, we generate our own design of reports. If there is a much more solid or robust reporting analytics framework within the product itself, it would be helpful.

One of the requirements that I've already expressed is that they can unify the clients. We have got two clients: one for the iC3 adapter and one for the Defendpoint client itself within the EPM product. iC3 is used for connection to the SaaS or cloud, and Defendpoint is the actual product that does all the local admin privilege management. They can just unify them. 

For how long have I used the solution?

We've probably been using this solution for three years.

What do I think about the stability of the solution?

In the on-premise version, stability is okay. However, it takes time to sync up policies. That's because it depends on the environment that you have. From the Active Directory perspective, it depends on how the group policies are going to be advertised back to the endpoints. So, there was some delay, but it was completely because of our environment. 

In the cloud version, the deployments are pretty quick. Policies get deployed pretty quickly. Overall, the cloud experience has been good. However, because it's a SaaS service in the cloud, we often have to reach out to the BeyondTrust team to make sure that our backend compute, which is not visible to us, is completely solid. The databases, servers, and other things are running in the cloud, and they're properly, adequately beefed up to have the right resources because we don't have visibility on that. With on-prem, we know how much compute, memory, or CPU cores we are putting to the servers at the backend. On the SaaS cloud compute, we don't know that. The initial few registrations took a toll. It was because BeyondTrust was also trying to figure out the volume of traffic that was coming their way. It took a while to baseline the compute configuration at their end, but once it was all figured out and resolved, the performance has been fairly consistent.

What do I think about the scalability of the solution?

The solution is scalable to the level of security posture that we wanted to deploy in our environment. From a scalability perspective, we are pretty good with the way we have used the product so far.

How are customer service and support?

Their support line is good. They're familiar with the product, and they have expertise with the product. So far, any tickets raised by my team have been dealt with fairly with the right solutions. I would give them an eight out of 10 because there is always room for improvement. There are instances where you expect a solution to come faster with more accurate details. There are always back and forth conversations, until and unless you figure out the final solution.

Which solution did I use previously and why did I switch?

We didn't use any other solution previously. This was the first time we were trying to do an endpoint privilege management solution. 

How was the initial setup?

It was a straightforward process. We were on-premise. We were using group policies to manage this whole EPM solution, and it was easy to move to the cloud. Wherever you have agent-based deployments, there is always a little bit of complication, but we were able to make it work.

On-prem deployment took almost three to four months. We had a very large and wide-scale environment. A lot of legacies were also built-in, so it took a while to build the policies around, get the local admins out from the endpoints, and take over with Defendpoint or the BeyondTrust EPM solution.

The migration to the cloud was pretty good. It wasn't that bad. When we had it on-prem, it was a single client. When we had to go to the cloud, two clients were needed. One was the iC3 web adapter that makes a connection to the SaaS cloud, and the second one was the existing Defendpoint client. Having an extra client adapter needed a little bit more packaging on the endpoint side, which added a little bit more to the transition to the cloud. Policy-wise, everything was straightforward.

What about the implementation team?

We did it by ourselves. In the initial deployment, it was a team of six or seven people. They came from different groups. We had group policy administrators, Windows administrators, and security administrators from my team. There was also the endpoint provisioning team that does the packaging work.

In the cloud migration, the same team was there, but we didn't have the Windows team and the admin team. That's because they weren't required from a group policy perspective. It mostly had security administrators. The packaging team was also very important. We also have a test team that does the validation from a testing perspective across a variety of endpoints in different regions. So, there were around six or seven people during the cloud migration.

What was our ROI?

We have definitely been getting an ROI, and we want to maximize that ROI. We have a zero-trust adoption process going on continuously for the next two to three years, so we are trying to maximize the ROI. We haven't yet got the full ROI, and we will try to maximize the ROI from the product going forward.

What's my experience with pricing, setup cost, and licensing?

Its pricing and licensing are okay. We were in the perpetual model when it was on-prem, and now, with the SaaS service, we have a subscription model. As a customer, I would always like to see a lower price, but it seems to be priced at the right model currently, and we are trying to get the maximum benefits out of it.

In addition to their standard licensing fees, there is just the internal infrastructure cost for the license, indexing, etc. There is nothing additional from any other components that we use for the job. These are the resources for managing the solution at our end.

Which other solutions did I evaluate?

We did take a look at several other products, but we finalized on BeyondTrust. We looked at some of the Microsoft solutions, and we also looked at some of the CyberArk solutions to do a comparison. What was more interesting with BeyondTrust was the flexibility in the policies. The clarity in the policy writing was a little better, and the deployment of the solution was easier. The overall product simplicity was fairly okay. When you're going from a hardcore local admin to a zero local admin stage, simplicity in the product is extremely important. So, simplicity and flexibility were the key factors.

What other advice do I have?

I would advise going for the cloud-based solution. The cloud-based solution has come a long way from its initial stage. 

It is a very simplified solution. Their licenses are very straightforward, simple, and accommodating. The support has been really good, and their flexible policy model has really been instrumental in going for a stage-by-stage approach. You don't have to go all the way to impact your environment from day one. You can define your policies using their quick policy wizard and other processes to simplify your environment. You should proceed step-by-step to get rid of the local admin and the environment. Evaluation with their simplistic and flexible model is going to make it much easier and faster for you to pick up the solution.

I would rate it a nine out of 10. There is always a scope for improvement.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Technical Engineer at a tech services company with 11-50 employees
Real User
Top 20
Inbuilt password vault, good auditing features, and integrates well with other vendors
Pros and Cons
  • "The reporting is excellent."
  • "Although the interface is intuitive, it could be a little more user-friendly."

What is our primary use case?

This product is primarily used for Privileged Access Management and Identity Access Management. You can manage all of your service accounts through Delinea. For example, if you start services on Windows, you can manage that using this solution.

It provides remote logins whereby everyone can log in safely while remote, so it's a work-from-home solution as well.

What is most valuable?

The most valuable feature is auditing. That's a big plus.

The Privileged Credential Management feature is a password vault and they integrate with a lot of other vendors.

The integration with other vendors is another big plus.

The reporting is excellent.

What needs improvement?

Although the interface is intuitive, it could be a little more user-friendly.

For how long have I used the solution?

I have been working with Delinea Privileged Access Service for five years.

What do I think about the stability of the solution?

The stability and performance are excellent.

As an example, if you run into problems with authentication then you can just create a new connector. That said, it's very stable. You can theoretically leave it to run on its own for months but that's obviously not the idea because you need to check if there are any breaches or any other issues in your environment.

What do I think about the scalability of the solution?

This product is easy to scale. Once you've set it up and everything is installed correctly, you can just plug in new systems and new environments. It can scale to thousands of servers quite easily.

Delinea is suitable for any size of company, from small to large.

How are customer service and support?

Their technical support is very good. If you run into problems with the deployment, for example, then they will help you with that.

Which solution did I use previously and why did I switch?

I have experience with a few privileged access service solutions. One of them is CyberArk, although I haven't worked with it enough to say whether it's good or bad.

The main reason we chose Delinea is the ease of implementation. Initially, it's a lot of hard work, but then it's easy to work with and maintain. Once it's running, you can hand it over to someone whose job it is just to check the environment. They don't need to monitor the systems to ensure that Delinea is running properly.

How was the initial setup?

As a security solution that accesses Active Directory, it's a complicated implementation process. For instance, this isn't something that you can do in five minutes. You have to do your homework and plan everything. However, if you plan everything well, then there aren't any major issues.

To get the system up and running, it's less than a week. You can download and install the software in five hours, but then comes the customization and configuring of the portal. Everything has to be done correctly. I'd say that after two days, you can start playing with everything.

What about the implementation team?

For the most part, our deployment was done internally. With some of our issues, we had used the vendor. They provide manuals and the support is excellent, but most of the stuff, you can do yourself.

There is also a little bit of maintenance that you have to do. It is a cloud-based system but there are still underlying software applications installed in your servers that you have to maintain to make sure they are working properly.

I am the only person that works on it in the company.

What's my experience with pricing, setup cost, and licensing?

The price of this solution has come down quite a bit. Now that they have merged with Thycotic, the Thycotic Secret Server also comes included in the package.

The product comes at a very good price and it's quite competitive, although you need to buy add-ons for certain things. 

Being in Africa, the cost is always an issue for our customers. This is one of the reasons that we recommend Delinea to them.

What other advice do I have?

I am not quite on the most recent version. However, I am busy upgrading so I soon will be.

It is difficult for me to think about what new features I would like to see because usually when we think of something that's missing, they assist us in getting it fixed.

There are a lot of features. For example, they have an API available, although I don't understand very much about it.

My advice for anybody who is looking to implement this product is to, first of all, check if it's a correct fit for you. Then, do your planning. Plan for all of the contingencies and then it should be fine. But again, if you run into problems, support is there to help you.

I would rate this solution a ten out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Security Business Consultant at a tech services company with 201-500 employees
Real User
Top 20
Defines and updates processes and procedures into the security framework of a company
Pros and Cons
  • "Safeguard can define and update processes and procedures into the security framework of a company, including mobile. It allows us to change the policies and configurations on a mass scale in regards to security."
  • "I just received a question from a customer in regards to a connection with Oracle OID. I tried to integrate Safeguard with the Oracle YAML as well as something else to manage the groups and users from a different system, like AD or LDAP. This one feature could be better. At this moment, the platform system can only use the integration with LDAP or AD. The software for research and development to create a connector to a YAML platform can be very complicated."

What is our primary use case?

We primarily use the solution to manage passwords and use for the RDP access. 

Our infrastructure is three SPPs and two SPSs. This is across 1,000 users and approximately 500 targets. 

How has it helped my organization?

Safeguard can define and update processes and procedures into the security framework of a company, including mobile. It allows us to change the policies and configurations on a mass scale in regards to security.

What is most valuable?

The most interesting thing about this product is it is very easy to implement and configure as well as its usability. Also, for the final user, the work experience doesn't change when using the SPS for the Linux administrator, which is fantastic. You change only a little bit of the connection. Everything else is really easy.

What needs improvement?

I just received a question from a customer in regards to a connection with Oracle OID. I tried to integrate Safeguard with the Oracle YAML as well as something else to manage the groups and users from a different system, like AD or LDAP. This one feature could be better. At this moment, the platform system can only use the integration with LDAP or AD. The software for research and development to create a connector to a YAML platform can be very complicated.

For how long have I used the solution?

I started using it two years ago.

What do I think about the stability of the solution?

It is a very stable system. There are no problems when using the platform.

What do I think about the scalability of the solution?

The scalability is fantastic. It is very easy to connect and use the solution, if you need it.

How are customer service and technical support?

There are two different supports: one for SPS and another for SPP. The technical preparation of the support is very high. They have very quickly given me the solution for a couple of issues that I have seen.

Which solution did I use previously and why did I switch?

We switched from CyberArk to Safeguard. In order to manage CyberArk, it is a very big effort. The platform is very complex. The management system of Safeguard is very easy. Also, the configuration for the targeted user is easier in Safeguard rather than CyberArk. Lastly, the cost of CyberArk's licensing is very expensive.

How was the initial setup?

We try to understand what the customer needs in order to fit the solution for what they want, then we plan all the activities based on that.

What about the implementation team?

We can deploy the system in a couple of days, then the system is up and running. The next step is importing the whole system. The time frame of this depends on how many targets the customer has, but it doesn't take too long.

What was our ROI?

I work at a system integrator, designing and implementing the solution for our customers. I think our customers see a return of the investment using this solution.

What's my experience with pricing, setup cost, and licensing?

Safeguard is cheaper than CyberArk.

What other advice do I have?

It is a good solution. There is no limit to its usage in a company, e.g., IT or financial.

Check the basic rules in the documentation because the solution is easy to use.

I would rate the solution as 10 out of 10.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: System Integrator
Meo Ist - PeerSpot reviewer
Senior Product Manager and Technology Consultant at Barikat
Real User
Top 5 Leaderboard
The native integration is crucial
Pros and Cons
  • "Delinea's network integration is the most useful. For example, I use a Check Point firewall connect to SmartConsole, so I need to do a lot of configuration in Delinea Secret Server. Native integration with Check Point is valuable. You can also go download whatever API you need from the cloud, whether you're using Check Point, Palo Alto, etc. Enriched discovery is another good feature. If you are dealing with several kinds of systems, you can see which system requires privileged access to my network."
  • "I formerly used only one service: the remote server. For example, I connected to the Active Directory user and the computer's console. But now, I need to do a remote connection to the domain controller. Maybe it only connects to that tool, the Active Directory users, and the computer management console, but not to the domain controller. Another thing Delinea could add is multi-factor authentication."

What is our primary use case?

The primary use case for Delinea Secret Server is to sort the privileged passwords. It can also change passwords after a set period or revoke passwords when someone leaves the company. Delinea needs to be on-premises because Turkish regulations do not allow cloud-based security solutions for some sectors. 

What is most valuable?

Delinea's network integration is the most useful. For example, I use a Check Point firewall connect to SmartConsole, so I need to do a lot of configuration in Delinea Secret Server. Native integration with Check Point is valuable. You can also go download whatever API you need from the cloud, whether you're using Check Point, Palo Alto, etc.  Enriched discovery is another good feature. If you are dealing with several kinds of systems, you can see which system requires privileged access to my network.

What needs improvement?

I formerly used only one service: the remote server. For example, I connected to the Active Directory user and the computer's console. But now, I need to do a remote connection to the domain controller. Maybe it only connects to that tool, the Active Directory users, and the computer management console, but not to the domain controller. Another thing Delinea could add is multi-factor authentication.

For how long have I used the solution?

I've been using Delinea Secret Server for five years.

What do I think about the stability of the solution?

Delinea is highly stable.

What do I think about the scalability of the solution?

It's incredibly easy to scale up Delinea. You can install a new vendor server and deploy the Delinea Secret Server application if you have performance issues. We have 120 admin users and around 5,000 privileged passwords stored in the vault on the Secret Server.

How are customer service and support?

I rate Delinea support 10 out of 10. It's good, but I don't need it often. Sometimes I need help with configuration. If you need a custom configuration, you can pay for professional services, but it's expensive.

Which solution did I use previously and why did I switch?

I've also used CyberArk. CyberArk has more features, but they are minor. Some customers may need them, but others don't. The main difference is pricing. CyberArk is more expensive. 

A Delinea license costs about a dollar per admin, whereas it's $5 for CyberArk.

How was the initial setup?

The installation is pretty basic, and it doesn't require advanced knowledge. It takes a day to install and configure CyberArk, but Delinea is done in an hour. But you need an escrow database. I requested a cluster system from the customer site.

After deployment, the solution doesn't require much maintenance because the Delinea is stable. I sometimes have a connection problem due to configuration, but I never have an issue with the database. You don't need to spend much time on maintenance or have a lot of technical knowledge.

What about the implementation team?

We deployed Delinea in-house. 

What's my experience with pricing, setup cost, and licensing?

I would rate Delinea 10 out of 10 for affordability.

What other advice do I have?

I rate Delinea Secret Server 10 out of 10. If your customer uses a privileged access solution, they need to sort all the passwords. They should do a session recording and change the password, then do workflow delegation. Delinea can do it all, so I strongly recommend it.

Disclosure: I am a real user, and this review is based on my own experience and opinions.