CyberArk Privileged Access Manager OverviewUNIXBusinessApplication

CyberArk Privileged Access Manager is the #1 ranked solution in top User Activity Monitoring tools and top Privileged Access Management (PAM) tools. PeerSpot users give CyberArk Privileged Access Manager an average rating of 8.2 out of 10. CyberArk Privileged Access Manager is most commonly compared to Azure Active Directory (Azure AD): CyberArk Privileged Access Manager vs Azure Active Directory (Azure AD). CyberArk Privileged Access Manager is popular among the large enterprise segment, accounting for 68% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a computer software company, accounting for 19% of all views.
CyberArk Privileged Access Manager Buyer's Guide

Download the CyberArk Privileged Access Manager Buyer's Guide including reviews and more. Updated: December 2022

What is CyberArk Privileged Access Manager?

CyberArk Privileged Access Manager is a next-generation solution that allows users to secure both their applications and their confidential corporate information. It is extremely flexible and can be implemented across a variety of environments. This program runs with equal efficiency in a fully cloud-based, hybrid, or on-premises environment. Users can now protect their critical infrastructure and access it in any way that best meets their needs.

CyberArk Privileged Access Manager possesses a simplified and unified user interface. Users are able to manage the solution from one place. The UI allows users to view and manage all of the information and controls that administrators need to be able to easily access. Very often, management UIs do not have all of the controls and information streamlined in a single location. This platform provides a level of visibility that ensures users will be able to view all of their system’s most critical information at any time that they wish.

Benefits of CyberArk Privileged Access Manager

Some of CyberArk Privileged Access Manager’s benefits include:

  • The ability to manage IDs and permissions across a cloud environment. In a world where being able to work remotely is becoming increasingly important, CyberArk Privileged Access Manager is a very valuable tool. Administrators do not need to worry about infrastructure security when they are away from the office. They can assign and manage security credentials from anywhere in the world.
  • The ability to manage the program from a single centralized UI. CyberArk Privileged Access Manager’s UI contains all of the system controls and information. Users now have the ability to view and use all of their system’s most critical information and controls from one place.
  • The ability to automate user management tasks. Administrators can save valuable time by assigning certain management tasks to be fulfilled by the system itself. Users can now reserve their time for tasks that are most pressing. It can also allow for the system to simplify the management process by having the platform perform the most complex functions.

Reviews from Real Users

CyberArk Privileged Access Manager’s software stands out among its competitors for one very fundamental reason. CyberArk Privileged Access Manager is an all-in-one solution. Users are given the ability to accomplish with a single platform what might usually only be accomplished with multiple solutions.

PeerSpot users note the truly all-in-one nature of this solution. Mateusz K., IT Manager at a financial services firm, wrote, "It improves security in our company. We have more than 10,000 accounts that we manage in CyberArk. We use these accounts for SQLs, Windows Server, and Unix. Therefore, keeping these passwords up-to-date in another solution or software would be impossible. Now, we have some sort of a platform to manage passwords, distribute the inflow, and manage IT teams as well as making regular changes to it according to the internal security policies in our bank."

Hichem T.-B., CDO & Co-Founder at ELYTIK, noted that “This is a complete solution that can detect cyber attacks well. I have found the proxy features most valuable for fast password web access.”

CyberArk Privileged Access Manager was previously known as CyberArk Privileged Access Security.

CyberArk Privileged Access Manager Customers

Rockwell Automation

CyberArk Privileged Access Manager Pricing Advice

What users are saying about CyberArk Privileged Access Manager pricing:
  • "I'm aware that the organization had purchased licensing for almost all of CyberArk's solutions including licensing for PTA, EPM, and the Application Identity Manager. But when it comes to PSM, this is one of the components where there's an additional charge for any extra PSMs that you want to deploy. I believe that there's some rider where the vendor has a bit of leeway to, at times, charge a premium on whatever additional services you may require above the board."
  • "Before we bought it, they were licensing each function individually, which got complicated and very expensive. When we decided to buy it, it was much more straightforward and still quite expensive, but it brings a lot of value and risk reduction to the organization."
  • "The main problem for the tool is its licensing. I work for a really big company. When you try to develop this as a service, usually you work with leverage teams who are formed with dozens of members. You might dedicate one FTE, or less, for something, e.g., an antivirus administrator. You might have half an FTE's effort dedicated to administering the antivirus, but then you have a team of about 30 users who might access that ticket. The problem is that CyberArk eliminated the possibility of concurrent users years ago. This is a big problem for companies who work with leverage teams. You need to pay for everyone. 40 licenses are used by 20 or 30 people. This is a big problem because licenses are not precisely cheap."
  • "It's expensive, certainly. But CyberArk is the leader in the market with regards to privileged access management. You pay a lot, but you are paying for the value that is being delivered."
  • "CyberArk DNA is free if you purchase the CyberArk solution. There is no additional charge for CyberArk DNA, which is great."
  • "I haven't seen the numbers. I know it is not cheap, but I don't know what it is. I would rate it a six out of ten in terms of pricing. It is definitely more expensive than the other product, but it also provides more functionality, and it is modular too. So, we pay for the functionality we're actually going to use, and that's nice."
  • CyberArk Privileged Access Manager Reviews

    Filter by:
    Filter Reviews
    Industry
    Loading...
    Filter Unavailable
    Company Size
    Loading...
    Filter Unavailable
    Job Level
    Loading...
    Filter Unavailable
    Rating
    Loading...
    Filter Unavailable
    Considered
    Loading...
    Filter Unavailable
    Order by:
    Loading...
    • Date
    • Highest Rating
    • Lowest Rating
    • Review Length
    Search:
    Showingreviews based on the current filters. Reset all filters
    SatishIyer - PeerSpot reviewer
    Assistant Vice President at a financial services firm with 10,001+ employees
    Real User
    Lets you ensure relevant, compliant access in good time and with an audit trail, yet lacks clarity on MITRE ATT&CK
    Pros and Cons
    • "I'm no longer the product owner for PAM, but I can say that the most useful feature is the vault functionality, which keeps all your passwords secure in a digital vault."
    • "When I was a component owner for PAM's Privileged Threat Analytics (PTA) component, what I wanted was a clear mapping to the MITRE ATT&CK framework, a framework which has a comprehensive list of use cases. We reached out to the vendor and asked them how much coverage they have of the uses cases found on MITRE, which would have given us a better view of things while I was the product owner. Unfortunately they did not have the capability of mapping onto MITRE's framework at that time."

    What is our primary use case?

    I work with the infrastructure access team in my organization and we have CyberArk as a primary solution along with a number of components for Privileged Access Management (PAM) and monitoring within the privileged access sphere.

    We began with CyberArk in 2018, when we procured the licenses for CyberArk and all its components including the PAM suite and Endpoint Privilege Management (EPM). Our management took a call and we had to do a proof of concept to evaluate the product and see what it was capable of. As a product owner, I had six months to complete this. We evaluated a few specific use cases and presented our findings of the CyberArk's capability to management around the end of the third month.

    Since then, CyberArk's Privileged Access Management is still our central solution for the entire estate, including all our servers (Windows/Unix), databases, devices, and so on, with around 5,000 to 8,000 users globally. Essentially, all access is managed through Privileged Access Management. That said, I am not sure to what extent all of the findings were carried forward after our initial evaluation because a lot of changes have happened within the organization. Our overall threat assessment, criteria, and even the framework has changed, now leaning towards a Zero Trust kind of strategy.

    For instance, even for the tools that are used within the Privileged Access Management suite, there is a tighter alignment towards enterprise architecture, and we currently have a highly-evolved enterprise architecture group from which everything is driven. Earlier, individual units would have had their own licenses to see what they can do with them, but now things are more closely aligned with the overall enterprise architecture strategy. Given this, some of CyberArk's tools such as EPM have somewhat dropped off from the list of our priorities.

    As for how we have deployed CyberArk, it's currently all on-premises. We do have a roadmap for transformation to the cloud, but I am not sure what kind of place CyberArk will have in that, as it depends on the enterprise architect's view on the cloud transformation. We have had some discussions around what to do about the cloud portion of our assets (e.g. VMs and such), what kind of monitoring we need, and so on, and I think that, among other apps, Splunk will likely become part of our toolset when it comes to the cloud. I believe we are also evaluating CyberArk's Cloud Entitlements Manager on this roadmap.

    How has it helped my organization?

    From a functional point of view, I would not have a concrete idea of how CyberArk has improved our organization because that information is better provided by someone from the operations team. Those kind of evaluations are typically done at a much higher level, probably at COO or a similar level, and they have a close alignment with the enterprise architecture group.

    On a practical note, with CyberArk there is integration with your identity management system such that, when done properly, you can ensure that anyone from an administrator to production support personnel will gain the relevant access they need in good time. PAM offers integration with Active Directory, LDAP, and so on, and is fairly compliant with these kinds of approaches to identity.

    What is most valuable?

    I'm no longer the product owner for PAM, but I can say that the most useful feature is the vault functionality, which keeps all your passwords secure in a digital vault.

    The second most useful feature is the monitoring of your privileged sessions. So you have an audit trail, where any privileged access session has to be authorized, and you have access to all the relevant monitoring controls.

    What needs improvement?

    When I was a component owner for PAM's Privileged Threat Analytics (PTA) component, what I wanted was a clear mapping to the MITRE ATT&CK framework, a framework which has a comprehensive list of use cases. We reached out to the vendor and asked them how much coverage they have of the uses cases found on MITRE, which would have given us a better view of things while I was the product owner. Unfortunately they did not have the capability of mapping onto MITRE's framework at that time.

    PTA is essentially the monitoring interface of the broker (e.g. Privileged Access Management, the Vault, CPM, PSM, etc.), and it's where you can capture your broker bypass and perform related actions. For this reason, we thought that this kind of mapping would be required, but CyberArk informed us that they did not have the capability we had in mind with regard to MITRE ATT&CK.

    I am not sure what the situation is now, but it would definitely help to have that kind of alignment with one of the more well-known frameworks like MITRE. For CyberArk as a vendor, it would also help them to clearly spell out in which areas they have full functionality and in which ares they have partial or none. Of course, it also greatly benefits the customers when they're evaluating the product.

    Buyer's Guide
    CyberArk Privileged Access Manager
    December 2022
    Learn what your peers think about CyberArk Privileged Access Manager. Get advice and tips from experienced pros sharing their opinions. Updated: December 2022.
    656,474 professionals have used our research since 2012.

    For how long have I used the solution?

    I've been using CyberArk Privileged Access Management since 2018.

    What do I think about the stability of the solution?

    CyberArk's PAM does what it's supposed to do, based on the interactions I've had with the folks from operations. There are the usual operational challenges, but it fulfills its basic purpose.

    Stability assessments are conducted by a separate team that does risk assessments, so I don't have a lot of insight into this aspect, but considering that the product has been running for quite some time now and it's still the central solution for access management, I would reckon that it's a pretty stable product.

    What do I think about the scalability of the solution?

    There are different categories out there when it comes to scalability. In the case of bringing in new target systems, then sure, you can bring in what you need based on your licensing criteria. In terms of bringing in target systems which are not covered by the list of connectors that you have, this too is possible as there is scope for customization. Overall, I think it's fairly scalable and it does give decent support on the scalability front.

    Our onboarding is progressing smoothly and at a steady pace. With the onboarding, you have new users coming on, and because it's a central solution, the rollout is global. There are even plans for extending the department in terms of increasing the redundancy of components, which is largely determined by operational performance reviews and so forth.

    How are customer service and support?

    In my personal experience as product owner assigned to various components, there have been challenges with the support at times. I would say that it has scope for improvement.

    How would you rate customer service and support?

    Neutral

    Which solution did I use previously and why did I switch?

    I have used a similar solution, but it was closer to a desktop password manager kind of tool. It was made by IBM and it was something you could actually install on your desktop and manage your passwords around that.

    Later on IBM developed the tool into something more enterprise-oriented, and it turned into what we would classify as a privileged access management solution. But otherwise, CyberArk was probably the first fully-fledged solution in this sphere that I have used.

    How was the initial setup?

    The initial part of the setup was quite good. When it came to Windows, we had success in the beginning stages, but later on we had to have a number of discussions with CyberArk with respect to the 'groups' nomenclature, as we wanted to have a very clear standard that could be used consistently throughout the organization.

    The first iteration was mostly fast and easy, however at one point we realized that there was much more detailing needed to be done. So we went through another iteration with a more detailed design and came up with more comprehensive coverage of groups, or roles, as you might say. In total, I think it was around two years before the Windows part was comprehensively addressed, but after that, it was covered quite quickly. 

    Before CyberArk's PAM, we had a legacy tool that was managing the privileged access for Windows and we had that decommissioned around this time, which was a victory of sorts.

    What about the implementation team?

    The first step of the implementation strategy was putting all the passwords in the vault, thereby securing them. We also had a tool called Application Identity Manager, which we used for mitigation of the hard-coded passwords. Only after the vault was in place alongside Application Identity Manager, were steps taken to deploy the PAM suite.

    Back in 2015, we had about three or four full-time CyberArk Professional Services folks undertake an effort to implement it, but that project failed. All that was achieved was the central vault deployment, and I think they also had Application Identity Manager installed at the time, but nothing apart from that. So it didn't take off the way it was supposed to, possibly due to a misalignment with the top management and the enterprise architecture viewpoint. But later on, and toward the second half of 2016, things started picking up again and further steps were taken from 2017 onward to deploy the Privileged Access Management functionality.

    Throughout the PAM deployment, there was a fairly large vendor team that we were working with. I reckon the vendor team size was around 45 to 50 people. Within the organization, there was another large team that was supporting with various roles, such as in engineering, architecture, operations, governance, and so on. In total, there were around 50 of the vendor's team and maybe 20 to 30 roles from within the organization. There were other layers of responsibility, such as the risk team, but all those were kind of on the outside of the deployment.

    What was our ROI?

    I don't have much access to the facts and figures surrounding ROI, but I would reckon that with the Zero Trust risk strategy that we have, the product does match some of our key challenges. For one, we have the vault solution, so the passwords are safe up there. And then we have brokering in place for some of the key platforms, so I would say that these positives, along with our strategy and roadmap, will decide the fate of the future of CyberArk within the organization.

    What's my experience with pricing, setup cost, and licensing?

    I'm aware that the organization had purchased licensing for almost all of CyberArk's solutions including licensing for PTA, EPM, and the Application Identity Manager. But when it comes to PSM, this is one of the components where there's an additional charge for any extra PSMs that you want to deploy. I believe that there's some rider where the vendor has a bit of leeway to, at times, charge a premium on whatever additional services you may require above the board.

    What other advice do I have?

    Based on my experience as a product owner, I would advise, firstly, to set up an enterprise security architecture as authority within the organization, and ensure that it is closely aligned with your business. Once that is set up, then the enterprise security architecture should determine the priorities of the business and, accordingly, you can lay out a roadmap and strategy.

    From a product perspective, CyberArk may or may not fit into your organization based on what strategy you have detailed, or it may or may not fit your requirements. So I would definitely not recommend purchasing the tool first and then determining what to do with it next.

    Regarding automation, we are adopting DevOps for the positives it brings, such as cost savings, efficiency, etc., yet there needs to be some checks and balances. Having a fully automated solution would require you to think through the security aspects very carefully. That is why alignment with the enterprise security architecture is of great importance when it comes to securing access across environments in an identity management solution.

    CyberArk's PAM is based on the concept of identity, such that a user logs in with his or her identity. So whatever systems the user accesses, there is an audit trail that is tied back to that same identity. This can happen across multiple environments based on factors such as the separation of duties, where certain engineers may not be allowed access to certain areas of development. These checks and balances occur when we give access to those kinds of rules and permissions. There are some targets we have for automation, but if it's fully automated it wouldn't be all throughout our organization as we have found there are some pitfalls with full automation.

    Now, when you bring the cloud into the picture, as with our own transformation roadmap, you can't just put a tool in front of you and then expect everything to fall into place from on-premises to the cloud. It does not work that way. You need to have a sound strategy from your enterprise security perspective and only then can you ensure that things will fall into place.

    Concerning the UI, PAM has an administrative dashboard and everything, but from a monitoring perspective, we also rely on additional tools apart from what CyberArk offers. For least privilege and managing secrets, there's a tool from CyberArk for that, but I'm not sure we have any plans on using that solution.

    Overall, I would rate CyberArk Privileged Access Management a seven out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Flag as inappropriate
    PeerSpot user
    Security Lead at a insurance company with 1,001-5,000 employees
    Real User
    Top 20
    Its architecture is much more secure compared to competitors
    Pros and Cons
    • "We've written over a hundred custom connectors ourselves that allow us to do all types of privileged session management for various applications. On top of that, the rest of the API-based central credential providers allow us to get away from credentials that may be hard-coded in the script or some application."
    • "Many of the infrastructure folks who use the product dislike it because it complicates their workflow. They get a little less control, and they have to go through a specific solution. It proactively logs in for them, which obfuscates some of the issues that they may be troubleshooting."

    What is our primary use case?

    CyberArk's Privileged Access Management solution covers a whole range of features, like privileged web access, private vault, privileged session manager rights for a session in isolation, privileged threat analytics for analytics, and private sessions. We also use CyberArk's Application Access Manager, which includes their credential providers, such as agents and run servers. Then there is a central credential provider, which is API-based credential retrieval, and DAP or Conjur. This is more of a DevOps model for credential provisioning. We also have the Central Policy Manager, which rotates the credentials associated with unprivileged or servers accounts. It's a huge environment. 

    Those are all the different functions we use. We initially purchased CyberArk for privileged access manager and session isolation of privileged users. By privileged users, I mean main admins, global admins, and preps like Azure or Office 365. Our initial use case was to manage those users who could drastically impact the environment if their credentials were compromised.

    After we purchased the product, we had a third party on it. They suggested we also leverage CyberArk as part of the platform for managing service accounts, i.e. go out and proactively rotate credentials that are running or ordering services. That's another kind of big use case that we started implementing a couple of years. It's long work. It is tough to do, there's a lot of cases where it just doesn't work right, but overall it's been pretty valuable.

    How has it helped my organization?

    From a security perspective, CyberArk PAM gives us a lot of control and visibility into what our privileged users are doing. In terms of securing our cloud-native apps, we're just getting into deploying things to Azure, AWS, etc., and DAP brings a lot of value to that because it is cloud-agnostic credential retrieval. Azure has their key vaults, and AWS has their version if you are a multi-cloud solution. CyberArk's Secrets Manager, or DAP, brings a lot of value because you only have to learn how to integrate your apps with one solution that can be deployed across multiple clouds. 

    I will say that CyberArk is struggling with some of the cloud integrations. For instance, Azure has a native identity solution, and Microsoft keeps causing issues with their ability to identify the hosts calling back. Some cloud providers are trying to lock CyberArk and other tools out of their environment and force you to use their native one. With that said, I don't use the other functions. I don't use the containerization Kubernetes integration or anything like that. We're not at that point yet. One of my significant concerns about investing a lot of time in CyberArk Conjur or DAP solution is that Microsoft seems to be trying to push them out of that space, and if they do that, then all of that work is null and void.

    What is most valuable?

    In our initial use case, we found CyberArk's privileged session management functionality to be incredibly flexible. It's challenging to write these plug-ins, but if you have somebody with a development background, you can write all sorts of custom connections to support different functional applications. We've written over a hundred custom connectors ourselves that allow us to do all types of privileged session management for various applications. On top of that, the rest of the API-based central credential providers allow us to get away from credentials that may be hard-coded in the script or some application. 

    What needs improvement?

    CyberArk's web console isn't in a great state. Over the last three years, if not more, it has been transitioning from what they call the "classic UI" to its modern interface. However, there are a lot of features that you can only use in the classic interface. Hence, each version seems to put more makeup on the modern interface, but all of the complex functionality you need is still in the classic UI. 

    I'm not sure they've figured out how to transition, and they're kind of in a weird state. So, while CyberArk has made strides, the web interface is painful, particularly as an administrator, because you have to bounce between these different user interfaces. It is an incredibly complex solution that requires at least a dedicated employee or more to maintain it, support it, and understand it thoroughly. If you don't have that, it's just not the right solution for you because it is very complicated. 

    Many of the infrastructure folks who use the product dislike it because it complicates their workflow. They get a little less control, and they have to go through a specific solution. It proactively logs in for them, which obfuscates some of the issues that they may be troubleshooting. And I think some of the consumers aren't big fans of the product. Also, I feel that in the last year or so, CyberArk has been pushing very hard for customers to go to their cloud solution. It doesn't have the same flexibility as the on-premise version, which is problematic because that's where I see a lot of value in the solution.

    For how long have I used the solution?

    I've been using CyberArk PAM for about four years now.

    How are customer service and support?

    CyberArk support isn't the worst, but it's certainly not the best. I'd give it a six out of 10. They were responsive. After you submit a ticket, you get the typical response. You gather all the logs and send them, and then they do some analysis. They typically send you back to get more specific logs, so it's a standard support experience. I would not say it's great, but it is not terrible either.

    Overall, as a partner in our digital transformation, CyberArk has been great. The technology adds a lot of value, but they're also very much engaged and concerned. The customer success manager very much wants to make sure we're getting value out of the tool. I guess my only concern there is that they are pushing very heavily for customers to switch to their new cloud solutions that may or may not fit our needs or expectations. I am worried that they're going to push even harder. For example, CyberArk might start offering features only available in the cloud solution that would make our future somewhat tenuous depending on what's going on. So my only hangup is that they're pushing cloud solutions that I don't think are very mature yet.

    How would you rate customer service and support?

    Neutral

    How was the initial setup?

    The environment's architecture is very complex, depending on your use cases, and I'm talking about CyberArk as a whole. Their past solution — their AM solution — and all of the other solutions bundled together are straightforward, and it all needs to work together. Depending on your use case and the connected components you need to have or build, you must learn a lot. So, it's not as simple a thing to deploy — at least on-premise. It isn't straightforward. Our environment comprises 20 to 30 servers that we had to spin up and connect. Disaster recovery has to be thoroughly vetted, discussed, and documented because as you onboard and manage those privileged accounts, you need a way to get to them if something goes wrong.

    It took about a month to get the product running and several months to onboard users. And when we start talking about Application Access Manager, that's ongoing, and I think that'll probably be ongoing for a very long time. We were targeting our specific use cases, so we started with interactive users. The whole idea was to restrict, manage, and monitor those interactive users. Our rollout proceeded from the most privileged users to the less privileged users. Then we started targeting service accounts and that kind of stuff. So it was a phased approach from highest risk to lowest risk to lower risk.

    CyberArk PAM requires a lot of maintenance. Right now, we have about one and a half people, but I would say we need to add several more people to do a better job and add a lot of functionality. It requires a lot of maintenance and monitoring. They've relied on many different Microsoft features to secure the privileged session manager. It requires a lot of tuning, monitoring, and managing those solutions. They use AppLocker to restrict and isolate these running sessions, and AppLocker breaks all the time, so you have to go in and troubleshoot why it's broken and tweak it. That could mean adding a new rule or updating an application. It is a lot of maintenance, depending on your use case. But then again, we have gone very hard into privileged session management and developed over a hundred custom connectors. Another customer might deploy RDP and call it a day, drastically reducing maintenance.

    What was our ROI?

    If you ask me the ROI, I'm not sure I could give you an exact number. Security tools are pretty tricky when it comes to that. But if you're adopting a risk-based approach, this substantially reduces risk. It brought a lot of visibility and allowed us to monitor all of our privileged users, so it is valuable from the perspective of KPI, modern solutions, and risk reduction. If we were to score this on an internal risk review, our previous risk would rank four out of five, and we've lowered this to a low severity risk.

    What's my experience with pricing, setup cost, and licensing?

    CyberArk had just changed switched their licensing model to perpetual licenses when we purchased, including the whole PAM Suite. Before we bought it, they were licensing each function individually, which got complicated and very expensive. When we decided to buy it, it was much more straightforward and still quite expensive, but it brings a lot of value and risk reduction to the organization. 

    In the last year or so, it's my understanding that they have switched from a perpetual licensing model to pushing companies to a subscription-based model. I have not dealt with this yet, so I'm not sure my feedback on licensing would be too valuable because they've moved away from the license type we purchased.

    Which other solutions did I evaluate?

    This was our first foray into the PAM space. We did a proof of concept evaluating three different solutions, so CyberArk was the clear winner. I don't want to speak ill of any other solutions, but I will say that CyberArk's architecture was much more secure. Other competing solutions may leverage an agent that is installed on your local machine and runs your privileged applications locally, leaving a lot to be desired from a security perspective. 

    CyberArk uses remote desktop gateways similar to Microsoft's RDS functionality, and it abstracts that privileged application from your workstation. So even if you're compromised, a malicious actor on your laptop or workstation would not be able to get to that privileged application. This was very valuable to us. Other solutions did not have that functionality.

    What other advice do I have?

    As it stands today, I would rate CyberArk PAM nine out of 10. However, I'm concerned about the future of the platform. While I've had nothing but great experiences so far, I have concerns about how they've been pushing that cloud solution in the last year and a half. I feel like they're going to pressure us to move to the cloud even though they're not mature enough in the cloud. 

    Rather than create a cloud-native version, they've migrated their on-premise solution to the cloud, but they don't allow cloud customers to access the backend, which I recommend all the time as an on-premise user. Instead, you have to submit a support ticket and have their support do things on your behalf, which delays your ability to work with the tool. Furthermore, they may not be willing to make the modifications you want because it would affect their ability to impact the solution consistently. CyberArk designed the on-premise version to be incredibly flexible, and I have never found a use case where I can't do the work I want to do. Their cloud model discards a lot of that flexibility, which is where I see a lot of value, so I have concerns about the future of the tool.

    Also, I'd like to point out that service account management is incredibly hard, particularly in a company that's been around for a while. Any company looking to adopt service account management needs to know that it's not as easy as vendors make it sound. Many things don't work right out of the box, so the most important lesson we've learned is to calibrate the expectations of senior management when it comes to service account management because it is a lot harder than anybody thinks. You're likely to break things in the process of trying to manage these accounts. 

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    PeerSpot user
    Buyer's Guide
    CyberArk Privileged Access Manager
    December 2022
    Learn what your peers think about CyberArk Privileged Access Manager. Get advice and tips from experienced pros sharing their opinions. Updated: December 2022.
    656,474 professionals have used our research since 2012.
    Information Security Leader at a government with 10,001+ employees
    Real User
    Helps us quickly adapt and secure modern technology through integrations with solutions that we are moving toward or already had
    Pros and Cons
    • "We also use CyberArk’s Secrets Manager. Because AWS is the biggest area for us, we have accounts in AWS that are being rotated by CyberArk. We also have a manual process for the most sensitive of our AWS accounts, like root accounts. We've used Secrets Manager on those and that has resulted in a significant risk reduction, as well."
    • "If there is an area that has room for improvement, it's probably working with their support and getting people on the phone. That is hard to do with most products in general, but that seems to be the difficult area. The product is fantastic, but sometimes we want somebody on the phone."

    What is our primary use case?

    We use it to control privileged access within the environment, including domain admins and server admins.

    We're using the CyberArk Privilege Cloud version, which is the PaaS.

    How has it helped my organization?

    It provides a one-stop shop for the majority of our administrators to get the privileged access they need. It has enabled us to reduce risk as well, and that is the largest benefit that we've encountered through the solution. We've reduced the number of admins in our environment significantly.

    It provides an automated and unified approach for securing access across environments, including hybrid, multi-cloud, RPA, and DevOps, as well as for SaaS applications. For what we're using it for, it's doing all of that seamlessly in one place. It helps us to quickly adapt and secure modern technology, and that's another reason we chose CyberArk. They already had integrations with solutions that we were either moving toward or that we already had. We weren't going to have to do them as customizations.

    The ability, with Secrets Manager, to secure secrets and credentials for mission-critical applications means people don't have to go searching for them. They know where they are—they're in CyberArk—so they don't have to go to a separate place. They have one identity to manage, which is their single sign-on identity. From there, they can go into CyberArk to get the access they need. That's an area that has been very helpful. And from a risk perspective, the multifactor authentication to get to those accounts has also been awesome. That helps us to be in compliance, as well as secure.

    What is most valuable?

    The Privileged Session Manager has been the most useful feature because we're able to pull back information on how an account is used and a session is run. We're also able to pull training sessions and do reviews of what types of access have been used.

    We also use CyberArk’s Secrets Manager. Because AWS is the biggest area for us, we have accounts in AWS that are being rotated by CyberArk. We also have a manual process for the most sensitive of our AWS accounts, like root accounts. We've used Secrets Manager on those and that has resulted in a significant risk reduction, as well. There's a lot to it, but from a high level, we've been able to get some things under control that would have been difficult otherwise.

    For DevOps, we've integrated some automation with CyberArk to be able to onboard those systems. There are some native tools like the CFTs that we're using with CyberArk to get CyberArk deployed automatically to them.

    It also gives us a single pane of glass to manage and secure identities across multiple environments; a single view with all of the accounts. It's super important for us to be able to see all of that in one place and have that one-stop shop with access to different environments. We have lots of domains because a lot of acquisitions have happened. It's important for us to be able to manage all of those environments with one solution and we do have that capability with CyberArk.

    For how long have I used the solution?

    I've been using CyberArk Privileged Access Manager at this company for two years, and all together for the past six years.

    What do I think about the stability of the solution?

    The stability is great. We haven't had problems with it.

    What do I think about the scalability of the solution?

    The scalability is very good. I'm surprised they keep as many logs and video recordings as they do on their side. But scalability hasn't been a problem. If we wanted to scale up, we could certainly do so. All we would have to do is add more servers on our side, with our PSMs (Privileged Session Managers). The way the solution is built out, you can expand it elastically pretty easily.

    We have around 400 users right now who are mostly in IT. There are developers, database administrators, as well as our Active Directory enterprise teams, and some of our cloud implementation and infrastructure teams. We have some in incident response people, from information security, who use it as well.

    We're looking to expand it in the coming year. We've already started that expansion. It's the developers we're targeting next and there are a lot of them. We're looking at a couple of hundred more users within a year.

    How are customer service and support?

    If there is an area that has room for improvement, it's probably working with their support and getting people on the phone. That is hard to do with most products in general, but that seems to be the difficult area. The product is fantastic, but sometimes we want somebody on the phone. I would rate their support at eight out of 10, whereas the rest of the solution is a nine or 10.

    From a technical support perspective, they've been really good. There has just been a little bit of trouble with the database stuff, but that's because ours is a very aggressive deployment. Sometimes, when working with support, they aren't as aggressive as we are.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    I've used Thycotic and Hitachi HiPAM, and we've used some custom in-house build solutions.

    The reason we switched is that Thycotic opened up the door to that possibility when we talked about pricing. The price came out to be something similar to what we were spending. We were basically going to have to redeploy the whole Thycotic solution to get what we needed, and that opened it up for us to evaluate the landscape.

    How was the initial setup?

    There were some complexities about the setup, but deploying a solution like this is going to be complex, no matter what solution you go with. CyberArk did an excellent job of making sure that we had everything we needed. They had checklists and the prerequisites we had to do before we got to the next steps. Although it was complex, they were complex "knowns," and we were able to get everything organized fairly easily.

    Our initial deployment took about two weeks.

    We broke the deployment into four phases. The first phase was called Rapid Risk Reduction, and with that we were getting our domain admins under control, where we went with domain admin, server admin, and link admin. A part of that was the server administrators and Linux administrators. All of that was part of a very short-term goal that we had. 

    Phase two was called risk reduction, where we were focused on Microsoft SQL, the database administrators, and Oracle Database administrators. It also included bringing in some infrastructure support as well. 

    Phase three was enterprise-grade security, and with that we've been pushing the network tools and AWS admins, along with some other controls. 

    And our last phase, which we've just recently started on, is one where we are going to be pushing hard to get developers onboarded into CyberArk. There are a whole lot of little details that go along with all of that. The initial auto onboarding happened in phase three, but we also have auto onboarding that we're looking to roll out across a larger group.

    We implement least privilege entitlements as well. We started out from a high level of not going the least privilege route and, rather, we locked things down in a way that they were managed, at least. Then we started knocking down the least privileged path. You have to start somewhere, and least privilege is not going to be the first option, out of the gate. You're going to have to take stepping stones to the best practices. And that's what we've done. We took this large amount of high-risk access and brought it into CyberArk and then pulled access away over time and have been making things more granular, when it comes to access to the systems. The access within the systems, within CyberArk, is absolutely granular and we have been very granular with that from the beginning.

    For maintenance of it we need about one and a half people. My team supports it and, while one full-time person is probably enough to support the solution, my team is split up. The general operations of CyberArk are what take up the most time. The actual running of the solution, from an engineering perspective, is very lightweight; it's hardly anything.

    What about the implementation team?

    We did not use a third party for the deployment.

    Which other solutions did I evaluate?

    We started doing some comparisons of different tools and that's why we ended up switching to CyberArk, after discussions with both Thycotic and CyberArk. When looking at the capabilities, we ended up moving towards CyberArk. We felt it was a more mature solution and that some of the connectivity and reporting was done in a way that we would prefer, for a company of our size.

    Thycotic is a good tool. A lot of IT people already understand the structure of how it runs. The upgradability is nice as well. You can just click an "upgrade" button and it upgrades the solution for you. The cons of Thycotic include the way that the recorded sessions are done. In addition, proxy server connections were not available. Maybe they are now, but at the time we were building out custom connectors and we had to go through a third party to get those developed. It was very bad and every step of the way was like pulling teeth. That really soured our relationship with them a bit because we couldn't seem to execute with that solution. When we started talking with them about what we needed it to do to make things easier, they ended up recommending a full redeploy. That's not ideal under any circumstances for anyone. That's why we took a step back and evaluated other solutions.

    With CyberArk, some of the pros were that their sales team and engineers were very quick to come in and help us understand exactly what we needed. The deployment timeframe was  also much shorter. We didn't have to work through a third party, as we would have had to with Thycotic. And the type of relationship we've had with CyberArk is one that I wish we had with other vendors we use. They've been phenomenal working with us.

    What other advice do I have?

    CyberArk's abilities are amazing. We're just starting to hit some limits, but we're able to get through the majority of them. Some of the database stuff is a little bit more involved. The other things, like cloud and all of the Linux and Windows, have not been a problem at all. It's not that the database stuff is a problem, but it's just more complex.

    If you want to talk about CyberArk providing an automated and unified approach for securing access for all types of identity, "all types" is a strong claim. I wouldn't ascribe "all types" of identities to anything. But for everything that we're doing with it, it has been a great tool and it's doing that for us.

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    PeerSpot user
    Miguel Angel Muñoz - PeerSpot reviewer
    Security Advisory Services (SAS) Business Growth Lead for Iberia at a computer software company with 10,001+ employees
    Real User
    Protects servers from inappropriate access and ransomware
    Pros and Cons
    • "It is a single tool that isolates possible kinds of malware. You get lateral movement blocking and auditing information, e.g., you know who is doing what. You are getting protections from the service as well as a useful environment. All your admins can easily go in and out of your company while accessing your servers in a secure way, even if they are working abroad."
    • "They are sometimes not flexible with things. For instance, from one day to another, there might be something that had been done years ago by CyberArk, then they say, "We do not support that." You then have to initiate a complaint and start working with them. Things might become complicated and months pass while you are working with them. Usually, they are good and fast, but sometimes they seem to be blocked with problems, e.g., you will suddenly be working with another team instead of the team that you were working with the day before."

    What is our primary use case?

    We mainly use it to protect servers from inappropriate access and ransomware.

    We started with on-prem solutions years ago. Our most recent implementations were done in data centers and the cloud. However, we are not in the cloud for CyberArk.

    How has it helped my organization?

    It is a really valuable tool. From the very beginning of my career in cybersecurity, I found that CyberArk is one of the best solutions that I could recommend to our customers. While it is usually seen as an access and identity management solution, it is a cybersecurity and cyber defense tool from my colleague's and my point of view.

    It is a single tool that isolates possible kinds of malware. You get lateral movement blocking and auditing information, e.g., you know who is doing what. You are getting protections from the service as well as a useful environment. All your admins can easily go in and out of your company while accessing your servers in a secure way, even if they are working abroad.

    What is most valuable?

    One of the best points is that it gives you full control for all the use cases in your infrastructure, in terms of servers, applications, social networks, batch processes, etc. 

    It gives you the ability to know what is happening, who is executing everything, and recover that information over time. Everything is recorded there. This is useful, not only for auditing proposes, but for admins and users. This also helps with troubleshooting. For instance, an application or system starts failing at 4:30 in the morning on a Sunday. Usually, the first questions that you ask yourself is, "What changed at 4:30? What has happened? Who was touching that server?" WIth CyberArk, you have the ability to search for that information and find it in minutes. It is really useful for troubleshooting.

    The PPA from CyberArk provides a lot of information about access and allows for possible detection of fraudulent use or different tries of accessing, even for family Internet users. Thus, it gives you another source of information regarding risk.

    We are using Secrets Manager with some of our customers. We are using it mainly for containers and DevOps. This secure access is really important, and becoming more important every day. We are constantly moving customers to the cloud. Every day, containers are more important for our customers as they extend into microservices, etc. 

    The possibility to integrate with the DevOps cycle is vital right now. Sometimes, containers are deployed while some clients have them very protected. They have a lot of things with Panorama, Microsoft, etc. That is a risk because you are deploying things quickly, along with errors and other things that you are developing. So, having to use hard-coded passwords here would be a big mistake. 

    Secrets Manager accelerates a lot of the possibilities and simplifies the process, since development teams just need to use credentials. When they arrive on a project, there are new people or resources in their development teams. Thanks to CyberArk, they just need to manage their identities to have access to everything. They don't need to receive credentials nor search for them. They have everything the day that they start working.

    We find it easy to use CyberArk PAM to implement least privilege entitlements. We usually do some interviews at the very beginning with different teams to understand their real needs. We define saves and different AV groups for the kind of users that we are going to prepare. Then, the process to assign permissions to different groups is really easy and straightforward. If you want to change or reduce access, that can be easily changed at any moment.

    For how long have I used the solution?

    I have been using it for more than 10 years.

    What do I think about the stability of the solution?

    In the last year, it has been a very stable platform.

    What do I think about the scalability of the solution?

    Scalability is fantastic. It has been really easy to scale. In fact, most of our customers who start, or have doubts about how to start, we propose to them, "Well, if you are not sure or don't have the budget right now, you can start with a small deployment, then we will grow." It easily grows and you can add components. 

    Other customers have started with a small CPD deployment, then replicated. We put high availability on another CPD. It is really good for public clouds.

    We have some customer environments that are over 10,000 servers as well as some environments with more than 50,000 managed identities.

    How are customer service and support?

    I would rate their technical support as eight out of 10. They are usually really good and quick about answering any questions that you raise. However, they are sometimes not flexible with things. For instance, from one day to another, there might be something that had been done years ago by CyberArk, then they say, "We do not support that." You then have to initiate a complaint and start working with them. Things might become complicated and months pass while you are working with them. Usually, they are good and fast, but sometimes they seem to be blocked with problems, e.g., you will suddenly be working with another team instead of the team that you were working with the day before.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    I have been working with CyberArk and with the CyberArk teams for years. They have been able to adapt the solutions that they have developed or bought. They have grown a lot with the acquisition of different companies. They have been able to adapt them, make them valuable, and helpful.

    How was the initial setup?

    The initial setup is straightforward because we have a lot of experience with it. While there are a lot of components, I don't find it difficult.

    A deployment can typically be done in less than a week, but it does depend on the environment.

    We have developed our own methodology for the implementation and deployment of CyberArk. We put the final users at the center of their strategy. One of the things that we have found that fails when deploying a PAM solution is that everyone focuses on the tool. CyberArk works and we know the tool is there, so we just focus on how the different groups are working with their servers, applications, etc. We focus on adapting the deployment in a way that does not disrupt their jobs. We try to be non-disruptive and not change the way users work.

    We adapt the solution to already existing workflow processes, tools, accesses, etc. This is one of the best parts of CyberArk. It provides a lot of flexibility to adapt.

    What's my experience with pricing, setup cost, and licensing?

    The main problem for the tool is its licensing. I work for a really big company. When you try to develop this as a service, usually you work with leverage teams who are formed with dozens of members. You might dedicate one FTE, or less, for something, e.g., an antivirus administrator. You might have half an FTE's effort dedicated to administering the antivirus, but then you have a team of about 30 users who might access that ticket. The problem is that CyberArk eliminated the possibility of concurrent users years ago. This is a big problem for companies who work with leverage teams.

    You need to pay for everyone. 40 licenses are used by 20 or 30 people. This is a big problem because licenses are not precisely cheap.

    Which other solutions did I evaluate?

    It provides the broadest point of view for privileged access management solutions in the market. We have tested several other proposals and tools for our customers and ourselves. There is a huge difference with using CyberArk.

    We evaluated CA PAM and another solution. The main difference is that they cover just a part of the solution. They promise the solution will be very simple to deploy because they only have a simple appliance. However, they are actually really difficult to deploy for an entire project as well as give you value. We have experienced a lot of support and integration problems. You need to do a lot of things by yourself. Whereas, in CyberArk, you have plenty of plugins and developed material in the marketplace. 

    This is the big difference at the moment. When you are deploying, it seems like a very simple project, and the other solutions will tell you, "Well, it's just an appliance," and then it becomes a nightmare. Whereas, CyberArk does what it does. You need to deploy several servers, but it works.

    From time to time, people in the market are like, "Wow, it was born as a cloud-native solution." Sometimes, this is real and means something, but usually it is mostly a marketing thing. Why would we ignore all a solution's previous experience just for something born in the cloud? Most of the IT solutions that we use in the cybersecurity market are not born in the cloud. For instance, if you go with Securonix or Sentinel, there is a huge difference in the way they were conceived and the way they were born. Just because something is cloud-native or new doesn't mean that it is good. I wouldn't go for something that is cloud-native, just because it is.

    What other advice do I have?

    I would rate CyberArk as nine out of 10. I won't give the 10 because I have my problems with the licensing. However, the solution is completely recommendable and a must-have in every environment.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    PeerSpot user
    Product Owner at a tech services company with 1,001-5,000 employees
    Real User
    Automated password management and controls mean we can manage risks associated with high privileges
    Pros and Cons
    • "The automatic password management is the most important feature. The second most important feature is the ability to enforce dual control on the release of those passwords. The combination of these two features is the most important thing for us because we can show that we're in control of who uses any non-personal account, and when they do so."
    • "The major pain point that we have is the capacity of CyberArk due to the sheer volume of NPAs that we are managing. We are a large organization and we have hundreds of thousands of non-personal accounts to manage. We have already found out that there are certain capacity limitations within CyberArk that might introduce performance issues. From my perspective, something that would be valuable would be if the vault could hold more passwords and be more scalable."

    What is our primary use case?

    The major use case for us is to securely release and manage passwords for non-personal accounts.

    CyberArk provides an automated and unified approach for securing access across environments. It's a work in progress but that is the goal, for us, of implementing CyberArk. We want to provide a unified way to access all environments. We are in transition, like most big companies, into cloud solutions. So this is also something that is being discussed and analyzed. But that, overall, is the mission of CyberArk in our organization.

    How has it helped my organization?

    CyberArk has made it possible to work with non-personal accounts. Before, there was a much more focus on having privileges associated with personal accounts, and non-personal accounts were scarcely used because doing so required a lot of manual work. That work has been replaced with automated password management and the controls that come with CyberArk. It allows our organization to control the risks associated with high privileges. Previously, anyone could do whatever they wanted, on their own, but now we can enforce dual control. That is very important from a risk perspective. And the fact that we have it automated means it doesn't require that much effort to maintain things.

    Also, when we onboard new employees, the solution saves us time, to a certain extent, when it comes to providing them with secure access to the applications and IT systems they will be working with. Those savings are not directly thanks to CyberArk, but it can be considered part of the bigger solution to make sure that employees have the correct access to the resources they need as soon as possible. That is true after they have been onboarded or when their position has changed and they need to be granted new access.

    What is most valuable?

    The automatic password management is the most important feature. The second most important feature is the ability to enforce dual control on the release of those passwords. The combination of these two features is the most important thing for us because we can show that we're in control of who uses any non-personal account, and when they do so.

    For how long have I used the solution?

    I have been using CyberArk Privileged Access Manager for five years.

    What do I think about the stability of the solution?

    My impression of the solution's stability, in general, is very positive. It's quite robust. There are mechanisms in place that allow you to have high availability and that allow you to have proper disaster recovery. Those mechanisms are very solid, as we have tested them extensively within our processes to assess the risk associated with the use of CyberArk. They have performed very well.

    The only thing that is lacking with respect to the stability is the scalability issue. The amount of data we need processed is too big for CyberArk to manage properly. That mostly impacts performance, not the stability, but to some extent the stability has suffered due to that. 

    But overall, I would rate it very good in terms of stability. We had a minor issue once and, other than that, we have been online the whole time that I have been here. We have tested it thoroughly and have not found any situation where it would become too unstable to perform our tasks.

    What do I think about the scalability of the solution?

    The major pain point that we have is the capacity of CyberArk due to the sheer volume of NPAs that we are managing. We are a large organization and we have hundreds of thousands of non-personal accounts to manage. We have already found out that there are certain capacity limitations within CyberArk that might introduce performance issues. From my perspective, something that would be valuable would be if the Vault could hold more passwords and be more scalable.

    How are customer service and support?

    We have used their tech support extensively and there has been a lot of improvement in the way that CyberArk support operates over the last few years, but it still leaves somewhat to be desired. That is particularly true given the pricing. You would expect, for the amount of money that they charge for their support, and for their product in general, that it would be better. 

    But I've seen major improvements in the last couple of years. I think they are aware of this issue and that it is an area that they are lacking in and they're working towards improving it.

    They need to better recognize who they are dealing with. CyberArk has an extensive training program, the CyberArk University. You put in a lot of effort, resources, and money, to attend the training and become a professional in terms of your knowledge and ability to manage the Vault, and the solution in general. But then, when you require support, you are asked very simple questions, which you have already answered based on the knowledge that you've obtained from CyberArk. It takes a lot of time and effort to convince their support that you indeed have a more complex case to resolve, rather than a very simple fire-and-forget solution. It's generally not the kind of thing where they can give you a link to their knowledge base and look through it to find a solution yourself.

    I have been working with CyberArk for five years and have all the possible certificates, and have extensive knowledge about it. Any time that I report a case to support, it seems the general gist of how such services operate is that they're trying to get rid of you. They give you a solution that, maybe, vaguely resembles the issue, or a solution that you specifically stated that you tried already and it does not work, just to get rid of you. They probably have customers who would be happy with that, but because of the importance of that software within our organization and the level of maturity that we have within my team as administrators of CyberArk, we expect, and we've communicated this to them, that they will approach our requests in a more advanced way. 

    They should recognize that we have probably already done what the first line of support would suggest be done, and that we require some more involved support, but it seems very difficult to communicate this to them. Even if we get through to further lines of support, we often have the feeling that we still know more than they do about their own tools. I think there has been some sort of knowledge drain from CyberArk. We often have the feeling that they are learning on the job. They don't inspire a lot of confidence when it comes to their support.

    How would you rate customer service and support?

    Neutral

    What was our ROI?

    There is a lot of return on investment in CyberArk. Being a financial institution, we are responsible for managing risks, and CyberArk really helps us to be in control with the usage of NPAs. That, in turn, translates into a proper risk score for the organization, and that directly translates into actual money being saved.

    What's my experience with pricing, setup cost, and licensing?

    It's expensive, certainly. But CyberArk is the leader in the market with regards to privileged access management. You pay a lot, but you are paying for the value that is being delivered. 

    It's not a tool for small companies. You need to be a large company with a lot of resources to implement it. But the price tag can be justified, even though it's always hard to quantify these things. It really brings value, regardless of the level at which you implement it. If you use it at a very basic level, as just a password manager, or you go further with all the other elements of the tool, it's expensive, but it's worth the price.

    What other advice do I have?

    We only use it on-prem, but for someone who only wants to solve cloud security challenges with a born-in-the-cloud security solution, I would still tell them CyberArk is one of the potential solutions. I would also tell them to do their assessment because it costs a lot. So it depends on the scale of use and the use cases. It certainly has the most capabilities that could be of use, but it depends on whether you only have some small deployments in the cloud and on the size of the risks involved. For certain scenarios, I would say they should immediately go with CyberArk, and that they shouldn't bother with others' solutions. In other scenarios, I would say they should do a very thorough assessment of the market before they decide because there might be cheaper options that will be sufficient for them.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Information Security Administrator at a insurance company with 501-1,000 employees
    Real User
    Top 20
    It has a centralized page where you can manage everything
    Pros and Cons
    • "It has a centralized page where you can manage everything. This makes work easier. You don't have to remember different module URLs or browser applications. It is very easy to get all the secure identities of other environments into a single page, which is very important for us as it helps a lot in terms of operations, e.g., reduces management time. This is a single page where you can manage all accounts and onboard them to the CyberArk. You can then secure and see passwords from everywhere. So, there is a single pane of glass where you can manage all the identities across environments as well as across different types of identities."
    • "The continuous scanning of the assets is limited to Windows and Unix. We like to have the solution scan any databases, network devices, and security devices for privileged accounts. That would be very helpful."

    What is our primary use case?

    I have been working with CyberArk for the past five years. I do installations, support, and presales.

    We have installed the CyberArk solution and have been using it as a PAM solution.

    The main reason for having the solution in place is to isolate and monitor all previous activities that have taken place within the organization. The second thing is to make sure all the previous accounts have been onboarded to the solution and accurately monitored as well as passwords have been managed as per the policies defined. The third thing is to make sure users are unaware of their previous account passwords. Those should be centrally stored and located in one of the solutions where we can manage them per our policy or ask users to raise a request for internal workflows on the solution, in case of any emergencies. The last thing is for managing the service account passwords.

    How has it helped my organization?

    Initially, the IT team and other teams used to access the servers manually. Now, because of this solution, everyone is onboarded on the PAM and we can direct all sessions to the PAM. Also, we have control of all decisions and activities being performed. Along with that, we are satisfying audit requirements with this because we are getting reports to track what we need to comply with any regulated requirements. 

    We have an option for protecting various kinds of identities. It also provides you with a medium for authenticating your systems, not only with passwords, but also with the PKI certificates and RSA Tokens. There is also Azure MFA. So, there are many options for doing this. It has a wide range for managing all security identities. 

    What is most valuable?

    The most valuable feature is CyberArk DNA, which is an open-source tool used for scanning all servers, like Linux or Unix. We can get a very broad idea of the scope and picture of the servers as well as their predefined vulnerabilities, the service accounts running on them, and the dependent accounts running on those services. We get a very wide scope for all our servers and environments. 

    There are some other options like Privileged Threat Analytics (PTA), which is a threat analytics tool of CyberArk that detects violations or any abnormal activities done by users in the privileged solution. This tool is very unique, since other PAM program solutions don't have this. This makes CyberArk the unique provider of this feature in the market.

    It is very easy to maintain passwords in the solution, instead of changing them manually or using other tools. So, it is a centralized location where we have accounts and passwords in a database based on our defined policies. 

    Product-wise, CyberArk is continuously improving. For the last two years, it has brought on new modules, like Alero and Cloud Entitlements Manager. Alero gives VPN-less access to the environment. So, there are many new things coming into the market from CyberArk. This shows us that it is improving its modules and technology.

    We can integrate the solution with any other technologies. This is straightforward and mostly out-of-the-box.

    For DevOps, we are using Conjur with a Dynamic Access Provider. We use those modules to make sure identities on other environments have been secured. For Azure and other cloud environments, we have out-of-box options where we can do some little configuration changes to get those identities secured. We have a process of managing these identities for RPA as well.

    It has a centralized page where you can manage everything. This makes work easier. You don't have to remember different module URLs or browser applications. It is very easy to get all the secure identities of other environments into a single page, which is very important for us as it helps a lot in terms of operations, e.g., reduces management time. This is a single page where you can manage all accounts and onboard them to the CyberArk. You can then secure and see passwords from everywhere. So, there is a single pane of glass where you can manage all the identities across environments as well as across different types of identities.

    We have a module called Endpoint Privilege Manager (EPM) that is used for the endpoint, managing the least privilege concept on Windows and Mac devices. We also have On-Demand Privilege Manager (OPM), which is used on UNIX and AIX machines. Using these modules, we can achieve the least privilege management on endpoints as well deploying on servers, if required. 

    What needs improvement?

    The continuous scanning of the assets is limited to Windows and Unix. We like to have the solution scan any databases, network devices, and security devices for privileged accounts. That would be very helpful. 

    For least privilege management, we need a different level of certification from privileged management. Least privilege management comes under endpoint management. It takes time to get used to it, as it is not straightforward.

    For how long have I used the solution?

    I have been well-versed with the CyberArk product for the last five years of my career.

    What do I think about the stability of the solution?

    The solution is very stable. 

    Once the project installation was done, we put this product into the environment based on the policies that we defined, but it had initial hiccups. The policies that we defined might have hampered and raised issues, but the product is very stable.

    What do I think about the scalability of the solution?

    The solution is very scalable. The landscape gets improved every day. It is scalable because it integrates with Azure, AWS, and other cloud solutions. Also, we have modules that work for DevOps, Secrets Manager, and Endpoint Privilege Manager. So, CyberArk is not just a PAM. It covers most of the products in the threat landscape. We do not worry about scalability in terms of CyberArk.

    How are customer service and support?

    Our primary support is partners with whom we are interacting throughout the project. Then, if an issue is not yet resolved, we will raise a case with CyberArk support. They have certain SLAs that they are following based on the seriousness of an issue. The response will be according to that. 

    The support is good.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    We didn't use another solution before we bought this one.

    How was the initial setup?

    The initial setup is straightforward. They have done major reforms on the installation process, so now we have automatic installations. We just have to run a particular script, and that does the installation for us. We also have a manual installation and that is our legacy process. So, we have both options. It is up to the customer how to move forward, but it is pretty straightforward. 

    What about the implementation team?

    RNS did the installation for us. Our experience with them was pretty good. They followed all the processes per project management standard. They tracked all the activities, making sure the project was delivered on time, which was good.

    One dedicated person is enough for the solution's maintenance.

    What's my experience with pricing, setup cost, and licensing?

    CyberArk DNA is free if you purchase the CyberArk solution. There is no additional charge for CyberArk DNA, which is great.

    Which other solutions did I evaluate?

    Before, I used to work as a system integrator. I looked into other PAM solutions, like ARCON and BeyondTrust.

    What other advice do I have?

    Make sure your use cases are covered. Go for a small PoC, if possible, to make sure that all your use cases are covered and delivered per your expectations. Check whether the solution is on-prem or Azure and the resource utilization needed for implementation. For your IT expansions in future, check whether you will need any additional modules in future or if the existing ones will meet your future requirements.

    With Secure Web Solutions, we could access any web applications from a PC. It was like a native tool where you could browse from your Chrome or any web applications, and the applications would be routed to the CyberArk where it was securing the web applications and access. However, this product was deprecated last year so it is no longer supported from CyberArk's point of view.

    I would rate CyberArk PAM as nine out of 10.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Network Engineer at CalSTRS
    Real User
    Top 20
    Supports automated password rotations, does a ton of things, and does them well
    Pros and Cons
    • "We like it for the ability to automatically change passwords. At least for my group, that's the best thing."
    • "It should be easier to install. It is a comprehensive product, which makes it difficult to install. You need to have their consulting services in order to get it all installed and set up correctly because there is so much going on. It would be nice if there were an easier way to do the installation without professional services. I suspect they get a fair amount of their money from professional services. So, there is not a huge incentive."

    What is our primary use case?

    We're in the process of rolling it out. We haven't finished our rollout yet. Most of my co-workers have been doing a lot of hands-on, and I haven't been the one with the most hands-on.

    We're not in production yet. We're still in tests, but it will give us the ability to manage the privileged accounts. It'll make that a lot easier. One of the things that we've been having trouble with is that we haven't been changing the passwords on our service accounts, for instance, for a long time, because it is so difficult to do. That was one of the main reasons we started down this road. We decided we would also expand out into managing things like the local administrator accounts on our laptops, etc. We've started there with local administrator accounts because it is an easier thing to tackle, rather than doing the service accounts and all of that. We're going to start there, and then we'll move into service accounts, and then we're going to move into administrative accounts that are human-owned rather than service accounts. At this point, we're still dealing with the things related to local administrators.

    I'm pretty sure we are using its latest version. In terms of deployment, we're split between an on-prem and public cloud setup.

    What is most valuable?

    We like it for the ability to automatically change passwords. At least for my group, that's the best thing.

    What needs improvement?

    It should be easier to install. It is a comprehensive product, which makes it difficult to install. You need to have their consulting services in order to get it all installed and set up correctly because there is so much going on. It would be nice if there were an easier way to do the installation without professional services. I suspect they get a fair amount of their money from professional services. So, there is not a huge incentive.

    It would be nice to do personal password management so that we could roll something out to the entire organization to manage people's passwords. At the moment, we're rolling out LastPass to do that, at least to some groups. I'm not sure if everybody in the organization is going to get it because most people only have a couple of accounts that we're concerned about. We're using LastPass because it is significantly less money than the CyberArk solution. CyberArk has one, but it is rather expensive. The LastPass solution is integrated into browsers. So, you can use it in your browser. I don't remember if I had to install a client on my machine or not. I probably just installed a browser extension. So, I'm not sure how that'll work with some of the other things. There must be a client that I didn't get around to because that's also in the very beginning currently. They have sent me links to training on how to use it and set it up, but I haven't had time to take the training yet.

    For how long have I used the solution?

    It has been a little over six months.

    What do I think about the stability of the solution?

    It seems to be doing everything it is supposed to, and we haven't had any serious issues. The few issues we have had were pretty quickly resolved.

    What do I think about the scalability of the solution?

    It certainly appears to be scalable. Because we're still in the rollout stage, we don't know for sure, but it doesn't look like there will be an issue with scaling.

    Its usage is limited to under 50 people. There are 12 people in my group. SSA has another 8, and the service desk has probably 20. Then, the Information Security Office probably has another 15 or so. Overall, we're under 50. We're only looking at privileged accounts and not everything.

    How are customer service and support?

    I haven't used them myself, but I've been in the loop. The person driving the project at this point is somebody from the Information Security Office, but he has been keeping everybody else in the deployment team in the loop about what's going on. So far, the support seems to have been pretty good. When he reaches out to them, they seem to be able to resolve the issue pretty quickly.

    Which solution did I use previously and why did I switch?

    We weren't using anything before. 

    How was the initial setup?

    It is difficult to install. You need to have their consulting services to get it installed and set up correctly.

    What's my experience with pricing, setup cost, and licensing?

    I haven't seen the numbers. I know it is not cheap, but I don't know what it is. I would rate it a six out of ten in terms of pricing. It is definitely more expensive than the other product, but it also provides more functionality, and it is modular too. So, we pay for the functionality we're actually going to use, and that's nice.

    Which other solutions did I evaluate?

    We looked really hard at another option, but I can't remember their name. We almost went with them until we got the ISO involved, and they said, "We like CyberArk better because they're more flexible. They do more, even though it is going to be a little bit harder to manage." So, we reassessed and decided on CyberArk instead of the other solution. We had looked at a third one, but the third one wasn't close to CyberArk and the other one we evaluated. They just didn't have the breadth of capability of doing all the things we were looking for.

    We did a real quick proof of concept of the other software, and then it changed names, which is why I can't remember it. We've been working on this for about three years now. We couldn't get traction with management to do anything. The thing that really got management interested was when ISO said, "We really need to do something here." Then management decided that they were willing to spend some money, but we did a really quick proof of concept with the other product. We installed it on a server, on-prem, and we did a quick run-through on some test servers that were immediately erased right after we finished the PoC, and it worked really well. It was also really easy to install, but it didn't have the flexibility to do all of the things that CyberArk is doing for us or will be doing for us in the end.

    What other advice do I have?

    Before you get started, make sure that you know what it is that you're looking for from the product. That's one of the things that we went through. We had all of the groups involved, which included the Information Security Office, my team with the servers and the networks, and people who were managing the accounts. We all got together and submitted scenarios for what we wanted out of the product, and then we went to CyberArk and asked them how they were going to meet these needs, and they were able to meet pretty much every need. There were only one or two minor things that they couldn't manage, and those weren't that important. So, we were willing to go with it. I don't know if the other company was able to meet those either. My advice would be to make sure what it is that you want first before you go talk to them because they have a huge list of things that they can do for you, and you don't want to buy the things you don't need.

    I would rate it an eight out of ten in terms of flexibility in everything because it does almost everything. The biggest drawback is because of the complexity, it is hard to manage. It is not impossible by any means, but it is not the simplest thing to manage. Cost-wise, it is not a cheap product, but it does a ton of things, and it does them well.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Flag as inappropriate
    PeerSpot user
    Rohan Basu - PeerSpot reviewer
    IT Manager at a tech services company with 10,001+ employees
    Real User
    Top 5
    Integrates with privileged threat analytics and gives alerts on login risks, risky behaviors, and other risk signs
    Pros and Cons
    • "I found it valuable that CyberArk Privileged Access Manager can be integrated with PTA (privileged threat analytics), and this means that it will tell you if there's a risk to the logins and signs of risk and if risky behavior is observed. It's a good feature. Another good feature is the CPM (central password manager) because it helps you rotate the passwords automatically without involving the admins. It can go and update the scheduled tasks and the services. At the same time, if there's an application where it cannot do all of these, CPM will trigger an automatic email to the application owners, telling them that they should go ahead and change the password. This allows you to manage the account password that CyberArk cannot manage, which helps mitigate the risk of old passwords, where the password gets compromised, and also allows you to manage the security of the domain."
    • "What could be improved in CyberArk Privileged Access Manager is the licensing model. It should be more flexible in terms of the users. Currently, it's based on the number of users, but many users only log in once in four months or once in five months. It would be great if the licensing model could be modified based on user needs. We even have users who have not logged in even once."

    What is our primary use case?

    Our main use cases for CyberArk Privileged Access Manager are privileged access management and privileged session management. Another use case of the solution is password rotation.

    How has it helped my organization?

    CyberArk Privileged Access Manager improved our organization by identifying the owners of the service accounts. Each service account should be associated with an owner because without an owner, that account becomes an orphan account that nobody can take ownership of, so this means nobody would know what that account is doing. When we brought in CyberArk Privileged Access Manager, it helped us have a roadmap that allowed account ownership and account onboarding. CyberArk Privileged Access Manager gave us a roadmap, a plan to follow, and a guide on how to manage privileged access, and this is very important because we don't want privileged access to be compromised or breached.

    Realizing the benefits of CyberArk Privileged Access Manager was a long journey. It was not an easy journey. It was a long journey to put things in place and get them onboarded because not all applications were compatible. It took six months to a year at least, to start the process properly.

    The applications which were in Active Directory were easy, for example, it was easy to onboard the accounts and rotate the passwords because that meant only running scheduled tasks. There were a few accounts, however, where the applications weren't compatible with password rotation, particularly old applications or legacy applications that would break if the passwords were changed. To get all those sorted and to get all those in place, and explain what those changes were, took a lot of time, but for accounts that were just running scheduled tasks or services, those were onboarded easily and had their passwords rotated, particularly those which had identified owners.

    What is most valuable?

    One of the features I found valuable in CyberArk Privileged Access Manager is privileged session management. It's a feature that allows you to record the session, so if there's a risk, that risk can be highlighted.

    I also found it valuable that CyberArk Privileged Access Manager can be integrated with PTA, and this means that it will tell you if there's a risk to the logins and signs of risk and if risky behavior is observed. It's a good feature.

    Another good feature is the CPM because it helps you rotate the passwords automatically without involving the admins. It can go and update the scheduled tasks and the services. At the same time, if there's an application where it cannot do all of these, CPM will trigger an automatic email to the application owners, telling them that they should go ahead and change the password. This allows you to manage the account password that CyberArk cannot manage, which helps mitigate the risk of old passwords, where the password gets compromised, and also allows you to manage the security of the domain.

    Integration is also a valuable feature of CyberArk Privileged Access Manager. It has an application access module function that allows you to integrate and manage applications, including BOT accounts. It also allows you to manage ServiceNow and many other applications.

    What needs improvement?

    What could be improved in CyberArk Privileged Access Manager is the licensing model. It should be more flexible in terms of the users. Currently, it's based on the number of users, but many users only log in once in four months or once in five months. It would be great if the licensing model could be modified based on user needs. We even have users who have not logged in even once.

    Another area for improvement in CyberArk Privileged Access Manager is the release of vulnerability patches because they don't release it for all versions. They would say: "Okay, you should upgrade it to this point. The patches are available", but sometimes it is not feasible to do an upgrade instantly for any environment, because it has to go through the change management process and also have other application dependencies. If that can be sorted out, that would be nice.

    For how long have I used the solution?

    I've been using CyberArk Privileged Access Manager for around six years now.

    What do I think about the stability of the solution?

    CyberArk Privileged Access Manager is a stable solution.

    What do I think about the scalability of the solution?

    CyberArk Privileged Access Manager is deployed on-premises in the company, so I'm unable to comment on scalability, but they do have a software as a service model, so that's scalable.

    How are customer service and support?

    Technical support for CyberArk Privileged Access Manager is responsive. As for their timelines for completing tickets, it would depend on the process. Sometimes it takes them less time to respond, and sometimes it takes them longer. They have different levels of support, so if level one is not able to resolve it, they escalate the issue in due time to the next level of support. They're mostly able to help.

    On a scale of one to ten, with ten being the best, I'm giving their support an eight. There's always room for improvement, and in their case, in terms of support, what they could improve is their response time, especially their response to business-critical activities or issues.

    Which solution did I use previously and why did I switch?

    The company was probably using LockBox before using CyberArk Privileged Access Manager, but I'm not sure about that.

    How was the initial setup?

    Installing CyberArk Privileged Access Manager was easy. It's only the firewall you need to introduce into the environment that takes time, particularly if you're doing an on-premises model.

    What was our ROI?

    I saw a return on investment from using CyberArk Privileged Access Manager. It's a good privilege access management solution and identity and access management solution as a whole. It's a really good product.

    The solution was definitely implemented because it saves you time and money, for example, access management and privileged access management are now automated when in the past, those processes were done manually. The new feature CyberArk DNA was also given free of charge, so that DNA tool can scan the environment for all the vulnerable accounts for password hash attacks, for accounts where the passwords were not changed. That definitely saves time, because that type of scanning would be very difficult for someone to do manually, and the report that comes out of that scan is very objective.

    What's my experience with pricing, setup cost, and licensing?

    I'm not involved in the purchase of the CyberArk Privileged Access Manager licenses, so I'm unable to comment.

    Which other solutions did I evaluate?

    I was not part of the evaluation process.

    What other advice do I have?

    I recently switched jobs, so I was working with CyberArk Privileged Access Manager in my previous organization, and also using it in my current organization. I'm using version 12.2 of the solution.

    In terms of maintenance, it can be monitored through SCOM Monitoring, but the vault is standalone. CyberArk Privileged Access Manager can enable SNMP Traps so that the vault can be monitored automatically and it can trigger an incident to the ticketing tool the teams are using. It has the ability for automated monitoring.

    My advice to others looking into implementing CyberArk Privileged Access Manager is to know their network properly. If they're doing an on-premises deployment, they should know their network properly, and they should first audit their environment in terms of the accounts they're going to manage on CyberArk Privileged Access Manager. They should also assign the owners and assign everything beforehand to help make implementation faster.

    I'm rating CyberArk Privileged Access Manager nine out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    Flag as inappropriate
    PeerSpot user
    Buyer's Guide
    Download our free CyberArk Privileged Access Manager Report and get advice and tips from experienced pros sharing their opinions.
    Updated: December 2022
    Buyer's Guide
    Download our free CyberArk Privileged Access Manager Report and get advice and tips from experienced pros sharing their opinions.