CyberArk Privileged Access Manager Reviews

We use this solution for the user ADM account onboarding process within our company. If they need server access, we create ADM accounts, and we onboard to CyberArk.

We use it also for the password protection process with other products. We can use this as a password wallet, and we create the password rotation in CyberArk.

We can grant access, check the system's health, and create policies for users.

Creating policies and the password rotation feature have been valuable. We don't have to memorize our password for the ADM account.

Security wise, it's really safe. The password expires within six to eight hours, so no one can get that password from us. Other users can't log in without our credentials, and also, the ADM account password will automatically rotate.

It's really user-friendly as well.

Report creation could be improved.

The policies could be more customized.

I've been working with this solution for almost nine months. It's deployed on the cloud.

The stability is really good.

We have more than 2000 users, and it's really easy to scale.

I have worked with Thycotic before. It is not user-friendly, although it has changed a lot.

Implementation was really hard, and the reporting was not as good as the users expected. In comparison to CyberArk, Thycotic was not better.

The deployment process is really easy, and I would give it a four out of five.

We got support from the CyberArk team but deployed it ourselves. It was easy to follow the documentation and user guide.

CyberArk is an expensive product.

If you can afford CyberArk Privileged Access Manager or you are looking 5 to 10 years in the future, it's a good investment. You will gain experience handling all these pieces using the one product. You can easily integrate with other products also.

You would have maintenance with other PAM products, and you won't with CyberArk. You can save that money by investing in a high quality product from the beginning itself.

Overall, I would rate CyberArk Privileged Access Manager at eight on a scale from one to ten.

We Enterprise Password Vault to manage privileged credentials as well as some server and activity logging.

Before we implemented CyberArk, we had no password vault, so it was challenging to keep a record of who made changes and had access. With CyberArk, everything is a click away for us. We don't need to worry about reporting and other things. We can on our server to check who had access and the changes they made. 

The logs and reporting features are impressive.

We've been using CyberArk for about five years now.

CyberArk is stable, and the performance is awesome.

CyberArk is highly scalable. You don't need to worry about being dependent on only one server because you can deploy to multiple ones and manage it with all of them. If one fails, you can still use your access, so I think it's scalable.

We aren't using the solution extensively, but we plan to expand, and we'll definitely we'll continue with the same solution.

I rate CyberArk support 10 out of 10. We have contacted tech support a few times for help with some of the cases, and the support was perfect.

Positive

We didn't have a password vault solution before CyberArk. 

The initial setup was straightforward for us, but it depends on how you want to use it. It will become a little complex, and you need to gain some knowledge to customize it how you want. That applies to any product. I'll rate CyberArk 10 out of 10 for ease of setup. 

It took us around five or six months to deploy because we were also testing out some other products at the same time. And after testing for a few months, we decided to go with CyberArk for the final production rollout. Once you complete the setup, you don't need much maintenance, but we have around 40 system administrators managing the CyberArk server. 

We did the deployment with our in-house team.

CyberArk's license is too expensive. I rate it seven out of 10 for affordability.

We tried a couple of solutions before selecting CyberArk. Some of them are highly secure, but the reporting functions were tricky. A few were highly scalable, but they required a lot of resources to manage. We preferred CybeArk because it's easy to use and set up. Once you complete the setup, you have everything at the click of a button.

I rate CyberArk Enterprise Password Vault nine out of 10. If you're worried about privileged ID management, security, and scalability, you should go with CyberArk.

I am using CyberArk Privileged Access Manager to protect our servers. It can be either a Windows or Linux Server. Additionally, we have some network devices, and databases, such as Oracle and MySQL Server being protected.

It's improved our organization a lot. It has fulfilled some guidelines from the Indian government. There is some Indian government guideline for anonymity and access management. Similarly, there are guidelines for GDPR, and where we have vendor's control. CyberArk Privileged Access Manager has helped us to meet all the requirements.

CyberArk Privileged Access Manager's main benefit is it provides secure access to our servers. There are features to capture the user activity, it provides video recording processing. If the users are logged in to the server, we can see what activities they are performing. It's a very nice tool for Privileged Access Management. They have plenty of useful services and the solution has fulfilled our needs.

The solution could improve by adding more connectors. 

I have been using CyberArk Privileged Access Manager for two and a half years.

CyberArk Privileged Access Manager is a stable and reliable solution.

We have approximately 200 people using this solution.

The support team from CyberArk Privileged Access Manager is very good.

I have not used other solutions.

CyberArk Privileged Access Manager's initial setup is straightforward. However, it can depend on many factors, such as architecture.

I used a partner for the implementation of the CyberArk Privileged Access Manager.

The number of people required for the implementation of CyberArk Privileged Access Manager depends on the number of applications. However, for my team, we have two to four people who were involved in the development of our architecture. 

From a technology perspective, CyberArk Privileged Access Manager has helped us to improve our services. It helped us to meet our requirements or guidelines. Whether it's audit perspective, internal, or external, whatever the guideline is, it meets our needs. If there are any independent agencies that need to be involved we meet those requirements.

The price of CyberArk Privileged Access Manager is expensive. There are no other fees other than the standard licensing fees.

As part of our company's policies, we have to evaluate other solutions.

I would advise others that requirements should be discussed properly with all the stakeholders to understand their expectations. Additionally, it is important to explore our tool limitations. We should more focus on solution designing.

I rate CyberArk Privileged Access Manager a nine out of ten.

It is for the lab. We just onboard all the privileged accounts and then try to make them compliant and provide access to end-users. We are CyberArk administrators, and our responsibility is to onboard the accounts and provide access to end-users so that there is no business impact and the users are able to connect to their target services.

I started with version 10.6, and now, the current version of CyberArk is 12.1. It is deployed on-prem, but in my lab, it is my virtual setup.

It is one of the best solutions in the market. Ever since I started using this solution, there has not been any compromise when it comes to our lab.

There is a lot of room for improvement in the report section. I also work on other tools, such as Thycotic, which allows you to create customized reports for your organization's needs. In CyberArk, there are limited reports, whereas in Thycotic or some of the other PAM tools, because the database is different, you can customize the report based on your needs through SQL queries.

The GUI part can be better. Previously, they had a classic one, and then they upgraded to the new one, but it is less user-friendly than other PAM solutions. Its GUI is a little bit complex.

I have been using this solution for almost five years.

It is a stable solution. It is a top PAM solution as per Gartner.

Its scalability is good.

I have contacted them multiple times. They helped me in a good way. Whenever I raised a ticket, depending on the ticket priority, they provided good support. Sometimes, I got a response within two hours.

CyberArk has a distributed architecture. Therefore, as compared to other PAM solutions, it is a little bit complex. You first need to understand the environment and then install the individual components, whereas, in other PAM solutions, you have to build the database and then simply run the application and directly connect to the application. You can then start using the application.

If you are using this solution for the first time, you need to be a little bit aware of Windows, Linux, and AD. Otherwise, it might be complex for you.

I would rate it a nine out of ten. 

Our use case for CyberArk Enterprise Password Vault is managing privileged accounts. These are local accounts, e.g. local desktops, laptops, or servers. They have a built-in administration account, so part of the solution is to ensure that that account's username and password are stored in the vault and managed by CyberArk Enterprise Password Vault.

The most valuable feature of CyberArk Enterprise Password Vault is the auto password recycling feature, which works this way: previous accounts which are managed by this solution get their password reset every time, based on our given parameters, e.g. every two days, every five days, every week, etc. You give CyberArk Enterprise Password Vault the number of days that you want the passwords to be changed, so users won't need to have their passwords written somewhere. They can just log on to the solution and retrieve the password. They may even be able to remotely connect to the devices that they want to connect to via the PSM function of CyberArk Enterprise Password Vault.

What needs to be improved in CyberArk Enterprise Password Vault is their customer support, because as administrative engineers, since we're not experts in the solution, we have to rely on customer support.

Their customer support needs improvement in terms of being responsive and being understanding. They are knowledgeable, but responding and willingness to come and help knowing that it's their tool, rather than relying on the engineers from the customer side, e.g. our side, to do all the technical things.

The initial setup and upgrade process for CyberArk Enterprise Password Vault is complex and can only be done by CyberArk, so this is another area for improvement.

My experience with CyberArk Enterprise Password Vault is almost three years.

CyberArk Enterprise Password Vault stability is good. If it's properly set up, it can just run by itself. It's a very solid tool, but it has to be properly set up because a simple misconfiguration can create a lot of pain. Once set up, it's really good.

Customer support for this product still needs some improvement.

The initial setup for CyberArk Enterprise Password Vault is another pain point, because the setup, including upgrading the solution, can only be done by CyberArk themselves. They have professional services involved to get an initial setup done, and to even do an upgrade, because of the complexity of the product itself.

The SaaS version of CyberArk Enterprise Password Vault is very expensive, but the on-premises version is relative, e.g. depending on the size of the environment, it can be a bit pricey, but it's relatively okay compared to the others. It's their SaaS solution that's expensive.

We're using version 11.1 of CyberArk Enterprise Password Vault.

It's probably not fair to judge CyberArk Enterprise Password Vault based on my overall experience with it, because the tool itself is brilliant, though it's a little bit complex in terms of how it is set up. The customer service could still be improved to meet the standards, but I'm giving CyberArk Enterprise Password Vault a score of seven out of ten.

We have clients that ask us to implement CyberArk PAM. There are two kinds:

1. Greenfield installation and setup. 
2. They already have CyberArk and want to extend their usage to protect different types of accounts and passwords.

CyberArk PAM protects privileged accounts and passwords. Privileged account means that those accounts have particular authorization that can span all the features of the system. For example, usually on network devices, they come out out-of-the-box with administrator accounts. Windows has an administrator account built-in so you need to protect that. Also, Active Directory has some accounts, like domain administrators, who can do whatever on the platform. These accounts are used for administration.

CyberArk stores and rotates the password/credential. They can rotate SSH keys as well. This protects the attack surface. By way of CyberArk, you can allow sessions, isolation, and recording. The main aim is to protect privileged accounts and their credentials.

I started with version 9.7, and now I am working with version 10.10, but the latest version is 12.

The automatic change of the password and Privileged Session Manager (PSM) are the most valuable features. With Privileged Session Manager, you can control the password management in a centralized way. You can activate these features in a session; the session isolation and recording. You apply the full intermediation principle. So, you must pass through CyberArk PAM to get access to the target system. You don't need to know the password, and everything that you do is registered and auditable. In this case, no one gets to touch the password directly. Also, you can implement detection and response behavior in case of a breach.

With CyberArk, you have a centralized store. With Privileged Session Manager, you can just look by the browser, looking through the name of the account, the name of the system, and the host name. In this case, you get the password and can then get through. Therefore, it is easier to get access to the system because it is easier to search the system for what you want using the user interface/browser of CyberArk. You also have an auditable action because the password is unknown to the administrator.

Some aspects of the administration need improvement, though they have recently made improvements to the API. However, the management with the interface and configuration are not so user-friendly. It has not changed much during all the years that CyberArk has been on the market. The management part, like platform management as well as PSM connectors definition and management, could be improved, even if it has already been done with the API.

Onboarding is always a difficult path for every PAM solution. It is not immediate.

We have been using it for six years, usually in delivery projects.

The stability is very good. There are no problems with it.

It has good scalability. Though, because the architecture is modular, you must plan a bit. In terms of performance, it is very scalable, but you need to pay attention to the architecture because it is not like having Kubernetes that moves laterally. While you can deploy it in a second, you need to be careful. 

They have a good response time. 

Sometimes, on the development side, for some components, it does not respond for PSM connectors and CPM plugins. They don't tend to take responsibility for those. While clients tend to develop some PSM connector and CPM plugin, I would like a more flexible response on these types of issues being raised. Because while I am developing those components, I am developing on their product.

Positive

We had clients who had quite a lot of SAP systems, something like 900. At first, their change management practice, i.e., the changing of the administrators' passwords was not so frequent, e.g., once a year instead of once a month or every two months. Their password management was usually done by storing those passwords on an Excel. Therefore, if they needed to connect to a system, they had to access the Excel file to find the machine and accounts to then receive the passwords for access to the system. This was unwieldy since they needed to look through an Excel spreadsheet with more than 900 entries. This is also not very secure since you have an Excel file with a clear password on your workstation. 

It was a bit complex because the architecture is complex. At the same time, this is also an advantage in relation to other competitors in the market because CyberArk's architecture is inherently secure. So, while it is a bit more complex to set up initially, it is necessary for reaching the security that other solutions do not give you.

The installation can easily be done. It is the architecture part that is complex, possibly because you need to size the machines. 

It depends greatly on the project. Usually, the best approach is a modular one. You start with a set of users, then move on to expanding the solution with size in mind. 

CyberArk's architecture is peculiar. It is the most secure on the market because they have a hard-end computer out of the domain that stores passwords with multiple cryptography. Then, there are the default components that dialogue with Password Vaults. Only CyberArk has this. The other solutions usually give you an encrypted database on an appliance, and this is a very different scenario. Therefore, CyberArk has an inherently secure architecture.

Broadcom PAM is not as stable versus CyberArk. 

Plan wisely and you will have a very good product. The approach should be modular and step by step. Start with the UNIX administrators, network device administrator, Windows administrator, and Active Directory administrator, then move onto more complex scenarios, like web server administrators, sub-administrators, etc. 

I would rate CyberArk PAM as nine out of 10. It could be more manageable.

I've deployed Password Vault for various use cases across different industries from finance to healthcare and manufacturing. 

I love how easily we could operate within Password Vault and get things done. It was almost effortless. After we went through the implementation phase, it did what was promised, and we did not have to call support. It was a flawless install. All of us had experience as well because we got our certifications. We'd worked with it for at least a year.

There was a situation when one of our presidents had an issue, but I can't recall the specifics.

I've been using Password Vault for three years now.

For scalability, I'd give it a 13 on a scale of one to 10.

The installation was very smooth. 

At my previous company, my budget amount was $15,000, and we didn't spend all of that. It was a larger company than the one I'm with now. It was global. We didn't spend that or come anywhere near it. They're still adding on, and I know that CyberArk will be the solution that they're going to stick with. They were hybrid, and now they're all cloud.

I rate Password Vault 10 out of 10. If you're planning to implement Password Vault, my advice is to just let it work. Do all your use cases up front, and make sure you throw everything at them that you think will happen in your environment. Make sure that that's all addressed, so when you go to deployment, it's just easy. 

I have been working with CyberArk for the past five years. I do installations, support, and presales.

We have installed the CyberArk solution and have been using it as a PAM solution.

The main reason for having the solution in place is to isolate and monitor all previous activities that have taken place within the organization. The second thing is to make sure all the previous accounts have been onboarded to the solution and accurately monitored as well as passwords have been managed as per the policies defined. The third thing is to make sure users are unaware of their previous account passwords. Those should be centrally stored and located in one of the solutions where we can manage them per our policy or ask users to raise a request for internal workflows on the solution, in case of any emergencies. The last thing is for managing the service account passwords.

Initially, the IT team and other teams used to access the servers manually. Now, because of this solution, everyone is onboarded on the PAM and we can direct all sessions to the PAM. Also, we have control of all decisions and activities being performed. Along with that, we are satisfying audit requirements with this because we are getting reports to track what we need to comply with any regulated requirements. 

We have an option for protecting various kinds of identities. It also provides you with a medium for authenticating your systems, not only with passwords, but also with the PKI certificates and RSA Tokens. There is also Azure MFA. So, there are many options for doing this. It has a wide range for managing all security identities. 

The most valuable feature is CyberArk DNA, which is an open-source tool used for scanning all servers, like Linux or Unix. We can get a very broad idea of the scope and picture of the servers as well as their predefined vulnerabilities, the service accounts running on them, and the dependent accounts running on those services. We get a very wide scope for all our servers and environments. 

There are some other options like Privileged Threat Analytics (PTA), which is a threat analytics tool of CyberArk that detects violations or any abnormal activities done by users in the privileged solution. This tool is very unique, since other PAM program solutions don't have this. This makes CyberArk the unique provider of this feature in the market.

It is very easy to maintain passwords in the solution, instead of changing them manually or using other tools. So, it is a centralized location where we have accounts and passwords in a database based on our defined policies. 

Product-wise, CyberArk is continuously improving. For the last two years, it has brought on new modules, like Alero and Cloud Entitlements Manager. Alero gives VPN-less access to the environment. So, there are many new things coming into the market from CyberArk. This shows us that it is improving its modules and technology.

We can integrate the solution with any other technologies. This is straightforward and mostly out-of-the-box.

For DevOps, we are using Conjur with a Dynamic Access Provider. We use those modules to make sure identities on other environments have been secured. For Azure and other cloud environments, we have out-of-box options where we can do some little configuration changes to get those identities secured. We have a process of managing these identities for RPA as well.

It has a centralized page where you can manage everything. This makes work easier. You don't have to remember different module URLs or browser applications. It is very easy to get all the secure identities of other environments into a single page, which is very important for us as it helps a lot in terms of operations, e.g., reduces management time. This is a single page where you can manage all accounts and onboard them to the CyberArk. You can then secure and see passwords from everywhere. So, there is a single pane of glass where you can manage all the identities across environments as well as across different types of identities.

We have a module called Endpoint Privilege Manager (EPM) that is used for the endpoint, managing the least privilege concept on Windows and Mac devices. We also have On-Demand Privilege Manager (OPM), which is used on UNIX and AIX machines. Using these modules, we can achieve the least privilege management on endpoints as well deploying on servers, if required. 

The continuous scanning of the assets is limited to Windows and Unix. We like to have the solution scan any databases, network devices, and security devices for privileged accounts. That would be very helpful. 

For least privilege management, we need a different level of certification from privileged management. Least privilege management comes under endpoint management. It takes time to get used to it, as it is not straightforward.

I have been well-versed with the CyberArk product for the last five years of my career.

The solution is very stable. 

Once the project installation was done, we put this product into the environment based on the policies that we defined, but it had initial hiccups. The policies that we defined might have hampered and raised issues, but the product is very stable.

The solution is very scalable. The landscape gets improved every day. It is scalable because it integrates with Azure, AWS, and other cloud solutions. Also, we have modules that work for DevOps, Secrets Manager, and Endpoint Privilege Manager. So, CyberArk is not just a PAM. It covers most of the products in the threat landscape. We do not worry about scalability in terms of CyberArk.

Our primary support is partners with whom we are interacting throughout the project. Then, if an issue is not yet resolved, we will raise a case with CyberArk support. They have certain SLAs that they are following based on the seriousness of an issue. The response will be according to that. 

The support is good.

Positive

We didn't use another solution before we bought this one.

The initial setup is straightforward. They have done major reforms on the installation process, so now we have automatic installations. We just have to run a particular script, and that does the installation for us. We also have a manual installation and that is our legacy process. So, we have both options. It is up to the customer how to move forward, but it is pretty straightforward. 

RNS did the installation for us. Our experience with them was pretty good. They followed all the processes per project management standard. They tracked all the activities, making sure the project was delivered on time, which was good.

One dedicated person is enough for the solution's maintenance.

CyberArk DNA is free if you purchase the CyberArk solution. There is no additional charge for CyberArk DNA, which is great.

Before, I used to work as a system integrator. I looked into other PAM solutions, like ARCON and BeyondTrust.

Make sure your use cases are covered. Go for a small PoC, if possible, to make sure that all your use cases are covered and delivered per your expectations. Check whether the solution is on-prem or Azure and the resource utilization needed for implementation. For your IT expansions in future, check whether you will need any additional modules in future or if the existing ones will meet your future requirements.

With Secure Web Solutions, we could access any web applications from a PC. It was like a native tool where you could browse from your Chrome or any web applications, and the applications would be routed to the CyberArk where it was securing the web applications and access. However, this product was deprecated last year so it is no longer supported from CyberArk's point of view.

I would rate CyberArk PAM as nine out of 10.