Buyer's Guide
Privileged Access Management (PAM)
May 2023

Read reviews of CyberArk Privileged Access Manager alternatives and competitors

PAM Architect at a tech services company with 11-50 employees
MSP
Top 5
Leaderboard
Their discovery engine is off the charts, and the ease of administration and implementation they talk about is for real
Pros and Cons
  • "Its number one feature is discovery. The discovery engine in BeyondTrust is off the charts. When they perform a discovery, you know everything there is about a server, including what software is installed. For example, if you want to group all of your database servers together, you can do that by using discovery and Smart Rules. If a server has Microsoft SQL installed, it gets put into a group based on a Smart Rule. It makes it very easy to determine what is what in your environment. As organizations grow or acquire other companies and merge, they lose track of what they have. BeyondTrust can help you throw a rope around it very rapidly."
  • "If there was one thing, it would be having the documentation standardized. They should keep the documentation consistent. For example, when BeyondTrust updated one of their admin guides, they left out the information on the discovery account requirements, and then over a period of time, we ended up having to search multiple different documents to put together a string of information for a specific topic, which was problematic. It was minor, but it was problematic. Standardized documentation would be the one thing I would suggest."

What is our primary use case?

It is used primarily to adhere to SOC compliance and to provide what we call user/administrator segregation.

We are an MSP. We do manage services, but we also do a lot of other things. We implement as well as do ongoing managed services. We don't use it in our organization. We have it in our lab set up as a running service so that I can go there and test something just to see what'll happen because I can do a snapshot of my system and then revert if things go wrong. That's something that I don't want to experiment with in a client environment, even in a test or a dev environment. I just want to test something. I can do that in our lab, but our organization does not use Password Safe.

How has it helped my organization?

BeyondTrust's discovery is off the charts. It doesn't just discover servers and user accounts, it also discovers the services, such as Microsoft services, and scheduled tasks. For example, if you want to change a password on a Windows service, which is also linked to other scheduled tasks or IIS app pools, just changing the password on the service is going to break the scheduled task and break the IIS app pool. BeyondTrust is able to dynamically discover and manage all three tasks of synchronizing, stopping, and starting the services as the passwords are being rotated. It is quite intuitive.

When we have services and devices that are in a red zone, which includes the internet-facing devices or the devices in the direct internet compartment, the password vulnerability is what we are trying to handle. The primary factor that makes a lot of security officers feel better is that passwords can be made long and complex, but even a very long and complex password over a period of time can be cracked. BeyondTrust allows you to not only do long and complex passwords but also regularly schedule rotations that are well within the timeframes of being able to crack a password. A password with 26 characters, 8 to 10 special characters, and an uppercase/lowercase combination will take IBM Big Blue six months to crack. In those six months, we would have changed that password 10 times or more. So, the password that IBM Big Blue is crunching on to crack has already been changed, rendering the previous password that might have been compromised inert.

It is useful for segregating user accounts. A common scenario is that a user receives an email and even though the email comes from somebody the user doesn't know, the user opens a Word document. The user gets a macro virus and is compromised. If it is just a regular user in the environment, it is only a disaster, but if it turns out that in that client environment, that user also happens to be a domain administrator or a local server administrator, it is armageddon. So, we use BeyondTrust to segregate user accounts where the domain admin connects to BeyondTrust with his user account, which also has a counterpart matching ID in BeyondTrust. When he connects to the endpoint devices to perform his job, the account that he is connecting to in BeyondTrust has the privilege. So, when he connects to BeyondTrust, he authenticates with his user account and connects to what I refer to as a dedicated admin account. That dedicated admin account is session recorded and keystroke logged. You have all the tracking records and Windows logs. Everything is captured, and then when the user is done, he logs off and continues on his workstation as a regular user again. The session is completely segregated.

So, we're able to provide user/administrator segregation. The reason I do the dedicated admin account is that, with multi-user shared accounts, it is a little bit more difficult to quantify who did what. It can be done, but it is just more difficult. With a dedicated admin account, it is one-to-one rather than one-to-many or many-to-one. BeyondTrust Password Safe provides the ability to do all of this with rules. They have template capabilities built into the product. All you have to do is customize Smart Rules to perform your action. That's the beauty of BeyondTrust. I don't know what I would do if I had to go back to another solution that did not have them. I've worked with other privileged management solutions. For me, not having BeyondTrust Smart Rules would be taking a step backward.

It is important that Password Safe provides integrated password and session management in one solution. When you have it in one solution, you don't have two devices to manage because at a certain point, if you need a secondary component to perform something that the original solution does not perform, that's another managed system that you have in your network, which adds on a transparent cost. Having password and session management in one solution keeps all of your administration within one application.

Its customization features help us to manage most assets, databases, and applications, which is critical. We are able to work and visually connect with various platforms, such as Linux, Unix, Ubuntu, etc. Ubuntu is being used a lot for small edge solutions because it is inexpensive. It is also easy to manage because it is a *nix platform. People put a lot of Ubuntu-based solutions on their edge devices, such as secure remote access or an HTML5 gateway. We're able to manage all of that within one interface in BeyondTrust.

The Team Passwords feature has been hugely helpful for securely storing credentials owned by small groups outside of traditional privileged user roles. When you go into an organization, you've got people who are storing passwords in KeePass, or they've got PW Safe, which are free downloadables. The next thing you know, you have got 200 or 300 developers and administrators with all these individual solutions, and sometimes, some of them need to share them with each other. Team Passwords is your one-stop shop for all IDs and passwords that are not necessarily dedicated to a specific device. Just the IDs and passwords can be stored and allowed access by groups. We're doing a huge migration to Team Passwords, and we've developed APIs for creating the environment and importing the passwords. Tens of thousands of IDs and passwords are going into it. It is amazing. I remember 20 years ago, somebody was bragging about a password safe solution they did in Lotus Notes. I still giggle about that because Lotus Notes is fat, and it was very complex. Team Passwords is visually intuitive. My teenage daughter could sit down and do it.

So, this client had multiple password storage solutions. They first ended up installing Thycotic Secret Server because they also had certificates and a couple of other different types of authentication solutions, but they were veering away from certificate-based and needed an ID and password solution. The Thycotic solution was also out of date. The SQL database was falling apart. It was used to its maximum extreme. Considering they were already using BeyondTrust Password Safe, Team Passwords was a natural blend. 

In one of the cases, an engineer had a fairly large KeePass solution, and when he left the company, his workstation was re-imaged. They ended up losing information for a significant number of devices. They happened to be network-oriented devices such as routers and switches. To this day, they are gathering all those previous IDs and passwords. Now, with BeyondTrust Team Passwords, all they have to do is add a user to a group, and they now have access to all those IDs and passwords rather than somebody walking out the door with them or them getting wiped in a system re-image. They are in one location where they could be backed up and secured.

What is most valuable?

It starts with discovery. Its number one feature is discovery. The discovery engine in BeyondTrust is off the charts. When they perform a discovery, you know everything there is about a server, including what software is installed. For example, if you want to group all of your database servers together, you can do that by using discovery and Smart Rules. If a server has Microsoft SQL installed, it gets put into a group based on a Smart Rule. It makes it very easy to determine what is what in your environment. As organizations grow or acquire other companies and merge, they lose track of what they have. BeyondTrust can help you throw a rope around it very rapidly.

Its user interface is really nice. It is very visual. When you first log in, based on your job role, you see what you have access to when you look at the screen. As an administrator, I see the configuration screen where I can go in and modify Active Directory and authentication connections. I can set up SAML, or I also have access to create Smart Rules. The access is based on the role that you have when you log in. I have six boxes or six categories of administration items, whereas when an admin user connects, he would only have one or two. So, based on your role, you see what you have access to. It is not like you click something and then it fails because you're not an administrator at that level. You actually see what you have access to, and BeyondTrust is very good at that.

BeyondTrust provides the ability to connect by using not just the web interface but also the admin tools such as MobaXterm, PuTTY, or a lengthy list of other types of tools. You can use the connection string and connect through BeyondTrust, and it will be session recorded, keystroke logged, and highly available. When you bring up MobaXterm, you probably bring up one of the most complex ones because MobaXterm has the ability to have two, three, or four concurrent connections, which makes BeyondTrust Password Safe ideal.

It is very easy to integrate session management into existing business processes. To make it easy for the engineers, we created templates of the connection strings and then used, believe it or not, Microsoft Excel to create custom strings for each of the engineers. We exported them to a text file that they could then import. In the case of PuTTY, because PuTTY stores the connections and the credentials in the registry, we had to do something different there, but the connection string is customizable enough to make the job fast and easily repeatable for all the other engineers. You don't have 20 or 30 engineers spending two or three days creating all these connection strings. I can create them in a matter of minutes with a Microsoft Excel spreadsheet and then save them to a text file or a CSV file. It is awesome.

We are able to integrate session management without disrupting business processes. One of the niceties about BeyondTrust is the ability to integrate it with ticketing systems. For example, as per Sarbanes-Oxley, we have to have a reason for why an administrator is performing something. The integration with a ticketing system is ideal rather than manually typing the reason in the reason field through the GUI where most engineers, after a while, end up just typing in "Work". They don't put in enough data to make it clearly visible why they connected. The integration with the ticketing system is ideal for that. Ticket-driven access makes the work very quantifiable.

What needs improvement?

If there was one thing, it would be having the documentation standardized. They should keep the documentation consistent. For example, when BeyondTrust updated one of their admin guides, they left out the information on the discovery account requirements, and then over a period of time, we ended up having to search multiple different documents to put together a string of information for a specific topic, which was problematic. It was minor, but it was problematic. Standardized documentation would be the one thing I would suggest.

For how long have I used the solution?

I have been using this solution for two years, but I also have previous experience with BeyondTrust. There were other BeyondTrust products that I was intimately familiar with that gave me the confidence to move forward with the BeyondTrust Password Safe. I previously worked with PowerBroker for Unix Linux, but it was not in the password space.

What do I think about the stability of the solution?

It is awesome. It is very good.

What do I think about the scalability of the solution?

It is very good. The scalability is dependent on how much CPU, memory, and space you want to put at it. There is a certain point of diminishing returns where it might prove better to have a high availability solution where it is active-active, and you have one part of the organization that is going to be primarily hitting one server, and one will hit the other for a load balance, but I haven't yet gotten to that requirement.

How are customer service and support?

I have interacted with them intimately and regularly. I would rate them a 10 out of 10 because they have not just one; they have staff to bounce things off with each other. They're very quick and very responsive and very good. You're not treated like a number. Once we were setting up a special configuration, and one of their engineers said, "Hey, send me your MeetMe, and I'll join your call." Wow, that was nice.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We manage other solutions, such as CyberArk. A lot of our clients are at various stages. Some of them were uncertain about their existing privilege management solution, and they weren't updating it. They didn't continue the support packages with the provider, and they were in a state where they were unsure about what they wanted to do. We've had both experiences where we've gone in and, based on their organization, recommended upgrading or continuing the support of their existing CyberArk or Centrify solution. In some organizations, we've recommended switching to BeyondTrust.

How was the initial setup?

When I went in, it was already set up, but I'm installing additional BeyondTrust Password Safe solutions. I manage services, and I'm also implementing Password Safe for new environments. 

It is a little bit of a blend of straightforward and complex. If there is something you leave out or you miss, you're going to feel it later. For example, you missed a step for configuring Windows component services because you went to lunch and forgot to click OK. Your screen went into the screen save mode, and you lost the information that you had put in, and you left that out. You're going to feel it later. However, luckily, they've got incredible logging built into the product, and you can look at the logs and be able to diagnose what went wrong. If you follow the installation uninterrupted, you can implement BeyondTrust Password Safe in a day. That would include integration with Active Directory and setting up the basic features like discovery. 

BeyondTrust can provide you with an appliance, which is a hardware device, or you can install an appliance-type image onto a Windows server and have your own appliance. It just won't be a dedicated appliance. Many organizations would like to have easily managed systems, and the BeyondTrust appliance methodology, even though superior, can make it more difficult to manage in an environment because it has to be handled as a specialty appliance. It is not a positive, but it is not a negative either. It is an organizational decision that needs to be made on how they want to manage the device, but either way, it can be done.

I will be implementing hybrid cloud environments as well. We are doing a blend with 80% full on-prem and the other 20% of the development is towards a cloud-based solution, primarily for a segregated environment. We are working with a lot of edge services with our clients. For example, they'll have a secure compartment for a specific application, where Windows, Linux databases are being run within this compartment, but they are managed by an external team. Most of the security has been focused on just preventing who has the access, but it doesn't answer the problem of what they are doing when they are in the compartment, and we're using BeyondTrust for that. So, we are having two layers of security. We not only have access control where getting into the compartment is taken care of, but once they're in, we can also granularly control what they have access to and what they can do. We have session recording and keystroke logging for audit records. So, we're blending. Currently, we're developing such a secure compartment, and we're going to have one BeyondTrust Password Safe server in the cloud. It is going to be an active high availability solution that'll have a paired server, but it is going to be on the local network. We will possibly be doing one complete cloud solution in the Amazon compartment.

In terms of duration, the longest part of my job is waiting for account provisioning. I'm usually waiting on Active Directory or Linux or database account provisioning. I spend more time waiting than implementing, but then I just move on to another organization or another environment and continue. I keep a rapid rotation, but account provisioning is the lead time.

What about the implementation team?

You pretty much do it yourself, but BeyondTrust has an incredible case system where you can submit requests. You can do it for information where you're just asking a question about something, which I did for discovery accounts, or you can submit that your server is having an error and something is not working properly. You can create a higher priority ticket and submit it. BeyondTrust has a way to export a package that will provide them with the files that they need from the system to perform a diagnostic, and then they can tell you what you need to do. It is pretty cool.

For migrating end users to Password Safe, an organization needs to make several decisions. They first have to decide whether they're going to use multi-user shared accounts, where they will have one account that six or eight people can use, or they're going to have dedicated admin accounts, which is my preference. It is slightly more complex, but it makes it much more secure. So, that would vary from organization to organization.

For upgrades, they have an incredible updater. That's what it is called. It automatically detects and is connected to BeyondTrust, and you'll be notified that upgrades are available. You can set them to be automatic or not. There are some updates that you don't want to be automatic because you might want to do a snapshot of the appliance before the update because some updates can cause problems. I haven't experienced that yet, but you have the option of automatic or manual provisioning of the updates. You can schedule them based on off hours, for example.

It is very robust in the area of maintenance. Part of the problem is when things are going so well for so long, you forget about it. That's why we schedule all of our activities so that all of a sudden or six months later, we don't discover that a server is having severe issues. We just manage by the clock, but BeyondTrust Password Safe is very robust in the area of keep running. It runs, and it also has other types of capabilities that are built into it. For example, if the session recording and keystroke logs are stored on the actual appliance or server, they eventually will take up a lot of disk space. In my lab, I experienced a crash because I ran out of disk space. BeyondTrust has the ability to very easily redirect the storage of session recordings and keystroke logging to a network drive and off the appliance. I'm glad I was able to experience that in my lab rather than getting a call from the client that their server is crashing. If you have a high volume and a lengthy time frame for which you want to save the session recordings, being able to save them to a network drive is incredible.

What was our ROI?

The time to value, or the amount of time it takes to see benefits, varies by the organization because some organizations have a different plan right up front, but the time to value with BeyondTrust is fast. It is a very rapid return on a visual inspection of whether you are meeting your goals and objectives. You'll see it very fast.

What's my experience with pricing, setup cost, and licensing?

When you buy Password Safe and perform your initial Discovery, you have all these servers that are added to your assets in BeyondTrust, but you're not using a license until you actually start managing the systems. BeyondTrust's licensing is based on the systems when they're managed, which means when an administrator is able to connect to the server through BeyondTrust with a managed account. There would be a privileged account on the endpoint when the licensing starts. A significant advantage to that is that there are many organizations that want to evaluate their environment prior to automatic management. For example, they are going to be upgrading to a larger router instead of having two routers. They are going to have one, so that would be one managed license rather than two. It gives them a chance of seeing their environment before they commit to managed systems and licenses.

What other advice do I have?

I would recommend this solution. My advice to others looking into implementing BeyondTrust Password Safe is to follow the instructions, scan broadly, and manage specifically. That's what BeyondTrust allows you to do. You can scan everything, but then select what you want to manage. With some applications, the licensing starts right at discovery, but BeyondTrust licensing is by managed systems. So, I recommend scanning broadly, finding everything you've got, and making your decisions based on the actual numbers. That's one of the advantages of BeyondTrust. So, use it.

One organization I went into was primarily concerned with 50 specific servers. They had thousands. When all was said and done and we asked them what about the other servers, they did not specify what they wanted to do with those. They were only concerned about getting those 50, whereas BeyondTrust allows you to handle 10,000 as easily as 50. It is crazy not to leverage that. What you want to do is scan broadly and then manage according to plan. If you've got 1,500 servers and you're only looking at 50, that's like looking through a toilet paper tube. You will have a very narrow view. So, what you do is scan and discover broadly, find out what you have, and then come up with the administration model that'll work for them all. Start with 50, and then roll out the other 950 automatically. If you design it right, the minute a new administrator is added during that night's discovery, that user is ready to start working the next morning, or that server gets discovered and added based on the Smart Rules. So, a new Linux server or a new Windows server becomes available the next morning. A newly hired administrator's account is discovered, and as a member of the administrator group, he is automatically ready to start work first thing in the morning. No intervention is required.

We have not used the solution's software development kit to create a plugin to support new systems or applications, but they do have them that you can modify. We're looking at making a modification to an existing platform connector. Their platform connectors are very visual, and you have the ability to compare. We're looking at the original Linux connector, and we want to connect to an SCO server. We have a template to work from. We will speak to the experts regarding SCO and make modifications to another connector to create a new connector. It is pretty dynamic.

At this time, my opinion is that it is a 10 out of 10. Based on having experience with three or four other competing solutions, I would give BeyondTrust a 10 out of 10. I normally don't give this sort of a rating, but I do give BeyondTrust a 10. If you read two or three of their advertising and website blurbs and that's what you need, you're going to get it. When they talk about the ease of administration and the ease of implementation, it is all for real.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner

Sr. Manager Cyber Security at a manufacturing company with 10,001+ employees
Real User
Top 20
A simple and flexible solution for controlling the access and improving the security posture
Pros and Cons
  • "The privileged access and the application control are helpful in making sure we have good, robust challenge responses. Blacklisting with trusted application protection is also beneficial for us."
  • "Reporting analytics is one of the areas that can be improved. It is a new cloud-based solution. So, many more specific reports can come out natively. Currently, we get all the events, and we put them in plug-ins. From there, we generate our own design of reports. If there is a much more solid or robust reporting analytics framework within the product itself, it would be helpful."

What is our primary use case?

Its use cases are mostly around all the 65,000 endpoints. The use cases are mostly for privileged access and the application control across all endpoints throughout the organization to make sure we have the least privileged model with zero-trust enabled at the endpoints.

We started with on-prem, but now, we've moved to the SaaS cloud.

How has it helped my organization?

It has helped in multiple ways. We have more than 30 years of legacy of having local admins on our endpoints. With this solution, we have removed the local admins from the users. Now, we are giving them privileges on their machine only for the applications and not for everything. It has reduced the unwanted risk and increased the security posture. 

It also helps with some robotic process automation. It helps with certain actions that we have been engaged in for certain RPA-type behaviors.

We are able to increase the security by blocking a lot of applications, such as encrypted chat applications and blacklisted applications. Data exfiltration is a big concern in our company, and this solution helps us to tighten up those controls in many different ways. We are able to control the access.

What is most valuable?

The privileged access and the application control are helpful in making sure we have good, robust challenge responses. Blacklisting with trusted application protection is also beneficial for us.

What needs improvement?

Reporting analytics is one of the areas that can be improved. It is a new cloud-based solution. So, many more specific reports can come out natively. Currently, we get all the events, and we put them in plug-ins. From there, we generate our own design of reports. If there is a much more solid or robust reporting analytics framework within the product itself, it would be helpful.

One of the requirements that I've already expressed is that they can unify the clients. We have got two clients: one for the iC3 adapter and one for the Defendpoint client itself within the EPM product. iC3 is used for connection to the SaaS or cloud, and Defendpoint is the actual product that does all the local admin privilege management. They can just unify them. 

For how long have I used the solution?

We've probably been using this solution for three years.

What do I think about the stability of the solution?

In the on-premise version, stability is okay. However, it takes time to sync up policies. That's because it depends on the environment that you have. From the Active Directory perspective, it depends on how the group policies are going to be advertised back to the endpoints. So, there was some delay, but it was completely because of our environment. 

In the cloud version, the deployments are pretty quick. Policies get deployed pretty quickly. Overall, the cloud experience has been good. However, because it's a SaaS service in the cloud, we often have to reach out to the BeyondTrust team to make sure that our backend compute, which is not visible to us, is completely solid. The databases, servers, and other things are running in the cloud, and they're properly, adequately beefed up to have the right resources because we don't have visibility on that. With on-prem, we know how much compute, memory, or CPU cores we are putting to the servers at the backend. On the SaaS cloud compute, we don't know that. The initial few registrations took a toll. It was because BeyondTrust was also trying to figure out the volume of traffic that was coming their way. It took a while to baseline the compute configuration at their end, but once it was all figured out and resolved, the performance has been fairly consistent.

What do I think about the scalability of the solution?

The solution is scalable to the level of security posture that we wanted to deploy in our environment. From a scalability perspective, we are pretty good with the way we have used the product so far.

How are customer service and support?

Their support line is good. They're familiar with the product, and they have expertise with the product. So far, any tickets raised by my team have been dealt with fairly with the right solutions. I would give them an eight out of 10 because there is always room for improvement. There are instances where you expect a solution to come faster with more accurate details. There are always back and forth conversations, until and unless you figure out the final solution.

Which solution did I use previously and why did I switch?

We didn't use any other solution previously. This was the first time we were trying to do an endpoint privilege management solution. 

How was the initial setup?

It was a straightforward process. We were on-premise. We were using group policies to manage this whole EPM solution, and it was easy to move to the cloud. Wherever you have agent-based deployments, there is always a little bit of complication, but we were able to make it work.

On-prem deployment took almost three to four months. We had a very large and wide-scale environment. A lot of legacies were also built-in, so it took a while to build the policies around, get the local admins out from the endpoints, and take over with Defendpoint or the BeyondTrust EPM solution.

The migration to the cloud was pretty good. It wasn't that bad. When we had it on-prem, it was a single client. When we had to go to the cloud, two clients were needed. One was the iC3 web adapter that makes a connection to the SaaS cloud, and the second one was the existing Defendpoint client. Having an extra client adapter needed a little bit more packaging on the endpoint side, which added a little bit more to the transition to the cloud. Policy-wise, everything was straightforward.

What about the implementation team?

We did it by ourselves. In the initial deployment, it was a team of six or seven people. They came from different groups. We had group policy administrators, Windows administrators, and security administrators from my team. There was also the endpoint provisioning team that does the packaging work.

In the cloud migration, the same team was there, but we didn't have the Windows team and the admin team. That's because they weren't required from a group policy perspective. It mostly had security administrators. The packaging team was also very important. We also have a test team that does the validation from a testing perspective across a variety of endpoints in different regions. So, there were around six or seven people during the cloud migration.

What was our ROI?

We have definitely been getting an ROI, and we want to maximize that ROI. We have a zero-trust adoption process going on continuously for the next two to three years, so we are trying to maximize the ROI. We haven't yet got the full ROI, and we will try to maximize the ROI from the product going forward.

What's my experience with pricing, setup cost, and licensing?

Its pricing and licensing are okay. We were in the perpetual model when it was on-prem, and now, with the SaaS service, we have a subscription model. As a customer, I would always like to see a lower price, but it seems to be priced at the right model currently, and we are trying to get the maximum benefits out of it.

In addition to their standard licensing fees, there is just the internal infrastructure cost for the license, indexing, etc. There is nothing additional from any other components that we use for the job. These are the resources for managing the solution at our end.

Which other solutions did I evaluate?

We did take a look at several other products, but we finalized on BeyondTrust. We looked at some of the Microsoft solutions, and we also looked at some of the CyberArk solutions to do a comparison. What was more interesting with BeyondTrust was the flexibility in the policies. The clarity in the policy writing was a little better, and the deployment of the solution was easier. The overall product simplicity was fairly okay. When you're going from a hardcore local admin to a zero local admin stage, simplicity in the product is extremely important. So, simplicity and flexibility were the key factors.

What other advice do I have?

I would advise going for the cloud-based solution. The cloud-based solution has come a long way from its initial stage. 

It is a very simplified solution. Their licenses are very straightforward, simple, and accommodating. The support has been really good, and their flexible policy model has really been instrumental in going for a stage-by-stage approach. You don't have to go all the way to impact your environment from day one. You can define your policies using their quick policy wizard and other processes to simplify your environment. You should proceed step-by-step to get rid of the local admin and the environment. Evaluation with their simplistic and flexible model is going to make it much easier and faster for you to pick up the solution.

I would rate it a nine out of 10. There is always a scope for improvement.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Oluwajuwon Olorunlona - PeerSpot reviewer
Cyber Security Engineer at eprocessconsulting
Real User
Top 5 Leaderboard
Easy to manage, has an application whitelisting feature and a dashboard that shows you which software is suspicious, but there's no way to check credential theft from a text file
Pros and Cons
  • "CyberArk Endpoint Privilege Manager is very easy to manage, which I like. The solution also has a dashboard where you can see which software is suspicious, which I find valuable."
  • "CyberArk Endpoint Privilege Manager is a perfect solution, but CyberArk Endpoint Privilege Manager for Linux has many issues. Another area for improvement in CyberArk Endpoint Privilege Manager, specifically for Windows, is that there's no way for you to check credential theft from a text file, such as a notepad file."

What is our primary use case?

My primary use case for CyberArk Endpoint Privilege Manager is malware prevention. The solution enables malware detonation, which helps you solve ransomware problems. For example, suppose an unknown application comes into your environment, and you have installed a CyberArk Endpoint Privilege Manager agent. In that case, the solution will filter the unknown traffic from an unknown publisher and stop it from infiltrating. The solution dashboard also lets you know that specific software is suspicious. Still, it depends on the category, but malware prevention is one use case of CyberArk Endpoint Privilege Manager.

Classifying a trusted or whitelisted application is also a use case of the solution.

Another use case of CyberArk Endpoint Privilege Manager is stopping credential theft. For example, you have credential stores all around, whether you know it or not. You have credential stores in web browsers like Chrome and Microsoft Edge. The solution protects you against an attacker that has already gained access to your environment, an internal person that leverages your system and wants to go to your web browser, or probably there's a browser path attack where the person has access to your browser. He can check your credential store, but if CyberArk Endpoint Privilege Manager is in place, that situation will be prevented.

Just-In-Time Access is another use case of the solution. For example, there's no administrator privilege on the system, but let's say a database administrator or application administrator wants to use the credential. You can provide that person with Just-In-Time Access so he can use the credential for thirty minutes, then that credential expires once the time is up.

CyberArk Endpoint Privilege Manager also separates the privileges. For example, a team of application managers receives access to specific software that the network team can't access.

What is most valuable?

CyberArk Endpoint Privilege Manager is very easy to manage, which I like.

I also found credential detection the most valuable feature of the solution. For example, if I put a credential on my desktop and name the file administrator credential, and a person has access to my system and clicks the file under the history section of the system to steal the credential, CyberArk Endpoint Privilege Manager will flag that activity.

The solution also has a dashboard where you can see which software is suspicious, which I find valuable.

Other valuable features of CyberArk Endpoint Privilege Manager include application whitelisting and Just-In-Time Access.

What needs improvement?

CyberArk Endpoint Privilege Manager is a perfect solution, but CyberArk Endpoint Privilege Manager for Linux has many issues. One issue I observed while using it is that it needs to synchronize from an agent to a cloud because the agent does not update configurations or settings from the cloud. When I change some settings on the cloud, the changes don't synchronize into the system, and the policies won't come back unless I reinstall all the services. This is an area for improvement in CyberArk Endpoint Privilege Manager.

Another area for improvement in CyberArk Endpoint Privilege Manager, specifically for Windows, is that there's no way for you to check credential theft from a text file, such as a notepad file. Suppose I have a text file that contains passwords, for instance. In that case, I'm doing an application configuration that needs a password. CyberArk Endpoint Privilege Manager won't be able to help you locate that file, which means there's still an opportunity for an attacker to look into that text file and steal the passwords.

You can leverage the CyberArk Application Access Manager with CyberArk Endpoint Privilege Manager, but that aspect also needs improvement.

An additional feature I want to see in CyberArk Endpoint Privilege Manager is XDR, where you can trace how an attack can happen on an endpoint, how traffic was initiated, or if a person tried to access your computer and whether he was denied or allowed. CyberArk Endpoint Privilege Manager should be able to track such activities. The solution should allow you to see a specific event ID and use it to correlate whatever activity the malicious person was trying to do.

For how long have I used the solution?

I've been familiar with CyberArk Endpoint Privilege Manager for nearly two years, but I haven't been steadily working on it. For example, I've not worked with the solution for three months, then I'll work on it for two months, then I'll stop working with it again, but I'm very familiar with CyberArk Endpoint Privilege Manager.

I last worked with CyberArk Endpoint Privilege Manager three months ago.

What do I think about the stability of the solution?

CyberArk Endpoint Privilege Manager is stable, particularly for the Windows version, not the Linux version. The solution is an eight out of ten for me, stability-wise.

How are customer service and support?

I've contacted CyberArk Endpoint Privilege Manager technical support, and I'd rate support as seven out of ten.

Response time is three out of five.

Regarding how knowledgeable the level one support of CyberArk Endpoint Privilege Manager is, it always seems like the support person doesn't know what he's doing. I've already done what he was asking me to do. I'm not a CyberArk Endpoint Privilege Manager novice, so support is frustrating and a waste of time. Though the issue will be resolved eventually, CyberArk Endpoint Privilege Manager has already wasted my time, and that's uncool.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

CyberArk Endpoint Privilege Manager is the best solution. However, One Identity Safeguard is trying as a solution, and it has special features which make it almost equal to CyberArk Endpoint Privilege Manager. Still, CyberArk Endpoint Privilege Manager is the best.

CyberArk has been in the market for a long time and keeps improving. CyberArk Endpoint Privilege Manager has a hundred percent effectiveness against ransomware, which you can't get anywhere. The CyberArk team researched and knows the angle, the flaws, and the central point of attack. An attacker usually infiltrates or compromises your system by elevating the credentials or permissions and then leveraging that elevation to compromise the system. CyberArk Endpoint Privilege Manager removes User Access Control on the endpoint, so it takes away the attacker's means to elevate permissions, so CyberArk Endpoint Privilege Manager is simply the best.

How was the initial setup?

Setting up CyberArk Endpoint Privilege Manager was pretty straightforward.

What's my experience with pricing, setup cost, and licensing?

CyberArk Endpoint Privilege Manager has a very high price, so it's a one out of ten for me in terms of pricing.

What other advice do I have?

I've used CyberArk Privileged Access Manager and One Identity Safeguard. I also have experience with CyberArk Endpoint Privilege Manager, One Identity Safeguard for Privileged Passwords, and One Identity Safeguard for Privileged Sessions.

CyberArk Endpoint Privilege Manager is cloud-based, but its agent is on-premises. The on-premise version is no longer supported, but it will still be supported if you're an old customer with an on-premise version. However, by 2024, CyberArk will no longer support the on-premises version of CyberArk Endpoint Privilege Manager.

Right now, there's no CyberArk Endpoint Privilege Manager within my company. I created quotes for customers to try the solution, but it's expensive. I just gathered my colleagues to simulate my use cases, and that's it.

What I'd tell others about CyberArk Endpoint Privilege Manager is that if you have the budget, you definitely should get it. The solution is excellent, and it's as if you're insured because CyberArk Endpoint Privilege Manager provides security. This is the advice I'd give anyone trying to implement CyberArk Endpoint Privilege Manager.

I'm rating the solution as seven out of ten because there's room for improvement in the Linux version, and the pricing needs to be more flexible.

My company is a CyberArk partner.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
ChrisMorrison - PeerSpot reviewer
Technical Engineer at Footprint Africa Business Solutions
Reseller
Top 5
Inbuilt password vault, good auditing features, and integrates well with other vendors
Pros and Cons
  • "The reporting is excellent."
  • "Although the interface is intuitive, it could be a little more user-friendly."

What is our primary use case?

This product is primarily used for Privileged Access Management and Identity Access Management. You can manage all of your service accounts through Delinea. For example, if you start services on Windows, you can manage that using this solution.

It provides remote logins whereby everyone can log in safely while remote, so it's a work-from-home solution as well.

What is most valuable?

The most valuable feature is auditing. That's a big plus.

The Privileged Credential Management feature is a password vault and they integrate with a lot of other vendors.

The integration with other vendors is another big plus.

The reporting is excellent.

What needs improvement?

Although the interface is intuitive, it could be a little more user-friendly.

For how long have I used the solution?

I have been working with Delinea Privileged Access Service for five years.

What do I think about the stability of the solution?

The stability and performance are excellent.

As an example, if you run into problems with authentication, then you can just create a new connector. That said, it's very stable. You can theoretically leave it to run on its own for months, but that's obviously not the idea because you need to check if there are any breaches or any other issues in your environment.

What do I think about the scalability of the solution?

This product is easy to scale. Once you've set it up and everything is installed correctly, you can just plug in new systems and new environments. It can scale to thousands of servers quite easily.

Delinea is suitable for any size of company, from small to large.

How are customer service and support?

Their technical support is very good. If you run into problems with the deployment, for example, then they will help you with that.

Which solution did I use previously and why did I switch?

I have experience with a few privileged access service solutions. One of them is CyberArk, although I haven't worked with it enough to say whether it's good or bad.

The main reason we chose Delinea is the ease of implementation. Initially, it's a lot of hard work, but then it's easy to work with and maintain. Once it's running, you can hand it over to someone whose job it is just to check the environment. They don't need to monitor the systems to ensure that Delinea is running properly.

How was the initial setup?

As a security solution that accesses Active Directory, it's a complicated implementation process. For instance, this isn't something that you can do in five minutes. You have to do your homework and plan everything. However, if you plan everything well, then there aren't any major issues.

To get the system up and running, it's less than a week. You can download and install the software in five hours, but then comes the customization and configuring of the portal. Everything has to be done correctly. I'd say that after two days, you can start playing with everything.

What about the implementation team?

For the most part, our deployment was done internally. With some of our issues, we had used the vendor. They provide manuals and the support is excellent, but most of the stuff, you can do yourself.

There is also a little bit of maintenance that you have to do. It is a cloud-based system, but there are still underlying software applications installed on your servers that you have to maintain to make sure they are working properly.

I am the only person that works on it in the company.

What's my experience with pricing, setup cost, and licensing?

The price of this solution has come down quite a bit. Now that they have merged with Thycotic, the Thycotic Secret Server also comes included in the package.

The product comes at a very good price and it's quite competitive, although you need to buy add-ons for certain things. 

Being in Africa, the cost is always an issue for our customers. This is one of the reasons that we recommend Delinea to them.

What other advice do I have?

I am not quite on the most recent version. However, I am busy upgrading so I soon will be.

It is difficult for me to think about what new features I would like to see because usually when we think of something that's missing, they assist us in getting it fixed.

There are a lot of features. For example, they have an API available, although I don't understand very much about it.

My advice for anybody who is looking to implement this product is to, first of all, check if it's a correct fit for you. Then, do your planning. Plan for all of the contingencies and then it should be fine. But again, if you run into problems, support is there to help you.

I would rate this solution a ten out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Cyber security consultant at a tech services company with 1,001-5,000 employees
Consultant
Top 20
Performs all the functionalities of a PAM solution and you can access a server without a proxy
Pros and Cons
  • "As a PAM solution, Secret Server performs all the use cases in our environment."
  • "Secret Server should have the ability to discover privileged accounts in the servers, like the administrator or users, from SQL and Oracle without having to import a script."

What is our primary use case?

IBM Security Secret Server is a PAM solution with five main functionalities that we use, including:

  • Save passwords and encrypt them so that no one can access any privileged account or server
  • Record all of our sessions for all of our servers that are critical for our company
  • Mix or white list some of the common applications
  • Make workflows to access any server and apply any approvals
  • Use as a jump server to access any applications or main servers.

What is most valuable?

As a PAM solution, Secret Server performs all the use cases in our environment. We can use it as a proxy and without a proxy allowing us to access servers directly without Secret Server just to get the username and password.

What needs improvement?

There are improvements that IBM Security Secret Server could make with respect to shared storage. For example, if you have two servers with the same users and passwords, and a user changes their password in one server, it should automatically change in the other server. With IBM Security Secret Server, you need to write some scripts to handle this. It would be beneficial if the process was simplified and had a dependency where changes on both servers would automatically occur without having to write a script.

I would like to see Secret Server have the ability to discover privileged accounts in the servers, like the administrator or users, from SQL and Oracle without having to import a script, making the solution more of an out-of-the-box solution.

For how long have I used the solution?

I have been working with IBM Security Secret Server for one year.

What do I think about the stability of the solution?

The solution is stable, other than the issue previously mentioned regarding RabbitMQ. 

Maintenance is only required when we publish a new version. The upgrades usually solve any performance issues, however, you need to double-check.

What do I think about the scalability of the solution?

IBM Security Secret Server is very scalable.

How are customer service and support?

Whenever we have an issue, we open a ticket with IBM. They are very supportive. If our system is down, someone from IBM will always engage with you.

The experience with technical support does depend on the person you are working with. Sometimes you encounter someone good, and other times you find the person just wants to close the gate to make the error come from our side.

Overall, I would rate customer service and support a three and a half out of five. 

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I have worked with CyberArk. CyberArk has a jump server as a proxy, while Secret Server can be used as a proxy without a proxy.

Secret Server is using an SQL database. If you have experience with SQL, you can get some information, maybe even some critical information. I'm using a non-SQL database, which is very difficult because no one can understand it without being very technical. 

With CyberArk, you would face challenges. With Secret Server, it's really easy because it is a SQL query, anyone can understand SQL.

How was the initial setup?

The initial installation took three days. It was straightforward without any issues.

However, the ease of the initial setup of IBM Security Secret Server depends on the environment. The biggest issue is something called RabbitMQ. When Secret Server uses RabbitMQ to handle the request and the background work, we faced some issues like clustering. Sometimes the surfaces were not working normally.

Overall, I would rate the ease of deployment a three and a half out of five.

What about the implementation team?

I deployed the solution myself.

What other advice do I have?

I recommend to anyone that is looking to implement Security Secret Server into their organization that they understand the environment, including how many servers they have and the tools they are going to use to implement the solution. This will help them design the environment correctly.

Overall, I would rate the solution a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner