CyberArk Privileged Access Manager Reviews

I'm an integrator and we identify and provide performance discovery, and we select the best product for our clients.

We have users that are administrators in the environment, and we convert them into a shared account model. Many of the organizations have two accounts. One is a regular user account and the other gives them administrative rights.

CyberArk allows for a higher degree of segregation of duties, although CyberArk itself doesn't do that. You have to have knowledge of role-based access control and least privilege principles. It supports it, but you have to implement it.

There is also service recording, service accounts on Windows Systems, and Linux systems, to rotate their passwords.

You will find service accounts with passwords that are 5,000 to 8,000 days old, but not with CyberArk. It creates a very strong service to prevent attacks. 

When passwords don't change it makes them very vulnerable and allows attackers significant lateral mobility within an organization. It gives them the necessary time to scout the environment and choose what their attack will be, whether it's going to be a ransomware attack or a data exfiltration attack or if it's going to go in to cause defamation to the company like creating a denial of service to clients. Also, hacking their Facebook page or their Twitter page are common attacks.

CyberArk probably has probably the best vault on the market because of the multiple layered security and each password getting its own encryption. Each password gets individual encryption. By the time you are able to crack one of the passwords, it's already been changed a dozen times.

The attack surface on a CyberArk Vault is very nominal and in addition, CyberArk also has its own on-staff hackers where companies actually hire them to perform penetration testing, but within, inside the environment.

CyberArk has two disadvantages; the first is that it's insanely expensive and the other is it's very complex. 

That's the downside because CyberArk was not built organically. It was built systematically.

They're not built into the product. You have to shoehorn things in. You have to create programmatic interfaces to make things work, but that's why I said it's the most complex product.

CyberArk is still in the model of managing accounts and passwords. When you're logged in as a domain admin, you're leaving footprints everywhere you go. These footprints can be picked up and replicated. So, I think CyberArk is behind the curve in that area.

Customers are already having an issue with the cost of CyberArk and then you have to add another $100,000.00 to the bill for other application accounts.

I would like to see a more streamlined and built-in programmatic onboarding and offboarding process. Something a little bit less complex than what they're currently doing.

The price is the problem and also the architecture can be daunting because CyberArk really strongly encourages having hardware vaults. Most corporations are totally virtualized.

I use virtualized vaults on everything including the high availability configuration.

I started using Cyber-Ark Enterprise Password Vault when they were on version five or six, they are now on 11.5 or 11.6. I have been using this solution for a total of 15 years.

CyberArk is very stable.

If there is a problem, or if a problem does occur, unless you know exactly what to do and how to diagnose it, you may not be able to find it because there are so many moving parts. However, a good administrator can usually diagnose a problem fairly rapidly.

They determine the root cause by performing a root cause analysis. Also, you should inform CyberArk because sometimes a fix might be required. CyberArk stopped performing single sign-on.

CyberArk is very scalable. It's one of the things that I love and it's also one of the things that I hate about CyberArk.

For example, it's a standalone vault that is practically uncrackable. If you want to do a password rotation you need to have a central password manager. It's called a CPM.

If you want session recordings you have to have a PSM. They can be run on the same server, but eventually, the performance is going to be an extensive task. 

A CPM is performing verification on passwords continuously, and to start stacking server roles on top of each other. 

If you're a semi-vault in a small environment, with one server running CPM, PSM, and PDWA all on one box, it would be no problem with less than 10 administrators and only 70 servers.

With other small or larger organizations that have hundreds of servers rendering that capability or that flexibility, you would have to have a dedicated CPM and dedicated PDWAs, which is the administrator web interface.

For a medium-sized company where you want to do a session recording for all the administrator access, it will cause a problem. It will require multiple PSM servers and if you don't have a good administrator who documents the build process well, or they don't update it, then the problem shows when you build a new PSM. If they don't add all the applications to it then you're going to get an intermittent error across the low-balanced PFMs, where eight of the ten work, but two of them don't because they didn't install the SFQL agent. It's a very complex program, albeit very scalable.

If you're a multinational corporation, you can have your vault in one location and have PSMs distributed where the systems are in the data centers. Then, the PDWAs and the CPMs would be in the data centers and you would have the PDWAs where the user populations are. Rather than having one single appliance or one single box that does everything, you end up having boxes distributed all over. This means that they have to do synchronization and it works out very well most times.

We have small to large company clients. We have clients that have tens of thousands of administrative accounts and 1000 or so servers, to clients as small as having 70 servers with maybe only 750 to 1500 accounts.

Technical support is awesome!

CyberArk has excellent technical support. They may not be timely. They're not quick, but they're great.

I would rate the technical support a ten out of ten.

You have to follow the ticket creation process, which is in your benefit because you need screenshots and logs to be able to diagnose the problem. If you do that, then CyberArk comes back with some incredible support help and in most times it's something that I would have never been able to figure out because the product is very complex and it has a lot of moving parts.

I have not used any other solution previously. CyberArk is what I learned first.

The initial setup was very complex. There are a lot of moving parts. The skillsets for some of the advanced features require administrators to know how to program in specific APIs. 

The complexity to implement is very high. On a scale of one to 10, it's a 9.5.

CyberArk is very expensive and there are additional fees for add-ons.

CyberArk Password Vault is probably the top vault on the market and Thycotic would be a close second.

CyberArk is not always suited for our clients but it is the best solution. Eight out of 10 organizations don't implement it. Just because you know CyberArk doesn't mean you understand it.

The SaaS solution is sound but the on-premises is primarily what I have worked on. I am CyberArk certified. When I started off several years ago, I got my CIS as PE. I was put into a security group in EDS. 

Network admins who work for the company have to be administrators, with high skill levels. 

Before implementing CyberArk, I would say do a very aggressive use case creation of everything that you're expecting the vault to do. The security architecture should be able to create high-level bulleted use cases. Security administration should be able to take it down to the next level of detail.

They will have to add Conjure, which is another license for CyberArk.

I would rate this solution a nine out of ten.

Our primary use case is to control the technical accounts used in our DevOps environnment. The primary goal was to automate to the maximum all privileged accounts used by applications. It was a big issue because al dev guys were always using the same account/password couple. CyberArk is doing this for them transparently. Through time the scope was extended to all interactive users with the target to avoid them knowing the password. The automated password change was implemented to 99% of all accounts inside the company.

Before the CyberArk implementation passwords were never changed and known by everyone. We were also not able to track who is supposed to have access to what and who did what. With the successful CyberArk implementation, we are able now to:

- Guarantee the password is known by no one or for a maximum of eight hours.

- Full visibility about who is doing what.

- Full control about who is supposed to access what.

The risk of lost password and forbidden access to resources has been drastically reduced which increased the security level for the entire company,

In order to reduce the attack surface, the automated password change was pushed to the maximum. This way we know that no password is known or not for more than eight hours. It simplified the life of the operational teams because they do not need to take care of the secrets and keep their attention to maintain the infrastructure.

What also helped is the ability to constantly track who accessed which object. We took the opportunity to change our process in order to comply it. Now the activities can be done faster with better user experience.

CyberArk lacks the following functions for a better IAM like solution:

- Provision accounts for systems and directories.

- Create access to the systems.

- Monitor if any new account has been created into the system.

- Better GUI for the end-user and also for administrators. The learning curve is quite long and requires lots of training for good usage.

- More automated process for account provisioning into CyberArk. For example when a new DB is created.

- Better documentation with more examples for the configuration files and API/REST integration.

I have been using CyberArk PAS for eight years.

The stability is very good. We never had any crash in eight years.

Scalability is good because of the big variety of modules. Except for the redundancy which is quite limited with the not live replication. Also, the speed is quite slow for application accounts.

Very good always reactive. The commercial part was more difficult.

The initial setup is complex because it requires a clear company structure which was not the case. Technically also CyberArk is hard to address at the start because of its technical complexity and abilities.

In house. Very good.

Not calculated. Users and administrators more happy than before which is the best RIO.

CyberArk is quite expensive and they should have a better pricing model.

BeyondTrust, Hitachi ID, CA.

Hard to implement and to get acceptance from the users and management. But when installed the solution is rock solid.

From an industry perspective, you continue to see the headlines in the media about how bad actors have been able to take advantage of weak policies and security controls around access management within companies.  In these cases, the focus has been around employees that can access the most sensitive information, or have access to the very controls that operate and protect the firm.  Products like CyberArk, that provide controls for privileged access, have helped mitigate the threat of taking over those accounts that have the greatest amount of risk to an organization, particularly for those who are system administrators and have the highest powers in being able to access all levels of the technology infrastructure.

When it comes to the product's ability to standardize security and reduce risk across the entire enterprise, standardization is all about simplifying the complexity of IT threats and risks and it's all about the standardization of the controls that you have in place. If you have a product set that enables you to provide security, and it is consistently applied across a specific user base, then you have standardization which drives both enhanced security through the privileged access controls, and efficiency through the standardization of your operating model.

Availability is an interesting challenge, but it is part of an IT Risk Strategy.  When it comes to Cybersecurity, Privileged Access control is the ability to manage IT risk associated with the most powerful access to your infrastructure services.  This IT Risk can manifest itself as compromised information, manipulated data, or disruption of your IT based services. A Privileged Access Security product reduces the threat of stolen credentials and account takeovers of those profiles that would have the power to take down your enterprise.   Therefore, it not only reduces the risk to your firm, but also drastically improves availability. 

The most valuable features are its simplicity and the ease of implementation. When you think about privileged access management and the complexity of solving privileged access for those system administrators in your organization, CyberArk is a product that helps you simplify that problem and implement a standard set of security controls to protect the enterprise.  

In terms of the products ability to manage Privileged Access control requirements at scale; scale is really a function of two influences, which would either be the size of your infrastructure, or the complexity of your organizations operating model for those that have privileged access to your infrastructure services.  CyberArk scales quite readily across a large organization and through proper design and engineering is capable of expanding across a variety of use cases.  Like any technology control implementation however, it is always important to ensure you review and optimize the organizations support operating model, in order to ensure that you have the most optimal design and implementation of CyberArk.  

CyberArk has captured the individual privileged access space well. They've captured the application-to-application and DEVOPS space quite well.. They should continue to invest in optimizing the services, and help companies drive down risk associated with application based passwords, as this is an industry that is being closely watched by external regulators. 

CyberArk continues to stay close to the industry and are always looking for ways to improve  their products and service offerings accordingly.  There are 3 areas that I would call out, that CyberArk should continue to focus on:

1) Continue to help organizations understand how they align their strategies and roadmaps to industry trends and the overall cybersecurity threat landscape. 

2) Continue to help the industry innovate on talent , and position customers to be more successful in supporting their CyberArk implementations. 

3) Continue to help customers understand the Risk reduction capabilities and scorecards associated with their deployments.  Initiatives like the CyberArk Blueprint will help enable enable informed customers. 

The perceived stability of CyberArk is quite dependent on the complexity of the environment it is implemented in, and the overall design of the infrastructure, including both PSM and Vault technologies.  As an infrastructure it is quite stable; however, in complex network infrastructure environments, sporadic network disruptions could create issues accessing the various CyberArk network devices.

Scalability is a function of both technology growth, and integration capability.  CyberArk has not only continued to advance the infrastructure robustness of their software solutions, but through the C3 alliance they have also created integration opportunities with other IT Security and Access Mgmt products that allow companies to provide a full ecosystem of IT controls within their organizations.    This also provides an opportunity for companies to consider best of breed products, like CyberArk, and not have to restrict their decisions to a small set of technology tools that do not provide comprehensive Privileged Access Services.

CyberArk is a growing company and their technical support has continued to grow and mature across the organization. The one thing I'll say that CyberArk has been able to do is to continue to keep in touch with its customers and look into areas where there's opportunity to continue improving their technical support across the organization. CyberArk works with an integrated model: They have integrators within firms that will implement the product. But at some point, you always need to refer back to the software owners of the product to make sure that you're comfortable that what you've designed and implemented is in keeping with what their blueprint would have recommended in the first place. In addition, their technical support has continued to mature and grow to help customers become successful in their deployments.

What is complex is privileged access management. When companies look at implementing a software solution for privileged access management, if they actually haven't looked at the complexities of privileged access within their own organization — and I'm speaking more in terms of the business processes for that type of access across the organization — then any software tool is going to look complex because it's not going to solve the problem.

If a firm focuses on understanding their existing Privileged Access operating model, the inherent business processes, and the risk & pervasiveness of Privileged Access across their enterprise, then they will be better positioned to understand the business problem they need to solve.  CyberArk will then become a capability that enables them to solve their IT Risk issues with privileged access, and capitalize on the efficiencies with their new operating model.  The complexity seldom ever lies in the technology. It always lies in how well it integrates with the business processes that the firm is trying to solve as part of its deployment.

Privileged Access Management is a business transformation program.  It forces business to look at their overall operating model for system administrative and application based access, and develop a strategy that reduces risk overall to the enterprise. Once this strategy is completed, and a new operating model is conceived, CyberArk software and services becomes a very effective series of controls that enable the business to secure the most sensitive access to services, and allows the organization to operate within their risk tolerance. 

Far too often companies will treat the CyberArk product set as a software implementation, that becomes overly complex and evolves into a multi-year program. This is due in part to the legacies of technology programs, where the implementation will force business to rethink their operating model, and therefore delays, scope changes and cost of overall program becomes associated with the software implementation initiative. This is a consequence of positioning a Privileged Access program as a security software implementation, and not a true business transformation initiative. 

While CyberArk continues to adjust its licensing costs and continues to look at the comparisons in the industry and the ability to effectively and affordably help companies and firms solve their privileged access problems, companies also have to look at the overall cost of what a privileged access program means to their firm, and what shareholder value they gain as a result of implementing those types of products or services or business processes. In that context, they should start to look at what the comparison is against the software that they're using to enable those very controls they're trying to implement.

I've spent some time with BeyondTrust. I've spent some time with Centrify. I've had their products in for different instances and different purposes. They play an interesting concentric role in some of the areas that they focus on, but I wouldn't say I have one-to-one experience in other product sets.

CyberArk continues to innovate, as they refine strategies based on industry research and trends in the cyber security landscape, and incorporate the necessary updates to both their roadmaps as well as their product sets. The creation of the customer implementation roadmap, acquisition of Conjur for DEVOPS and the development of  Alero to address 3rd party secured access, are examples of product innovation to address  emerging risks within the  industry.  

I would rate CyberArk 8 our of 10;  although I do remain impressed with their existing set of product offerings, their cyber security roadmap & strategy, and their overall corporate philosophy, I do feel it is necessary for them to ensure they remain vigilant and maintain pace with an evolving cyber industry.  Significant disruption in the technology industry brought on by advancements in Machine Learning / AI, commoditization of cyber attack tools, and rapid deployment of IoT based technologies, summon the need to ensure companies do not become complacent in the agility of their security tools.

I have several passions. One of the passions I've always had is in organizational transformation and leadership. A second is really around the space for identity and access management. CyberArk has allowed me to continue, even after I've retired from the industry after 35 years, to still live that passion through their customers. I've been given the opportunity to provide some keynotes around organizational transformation. It's an exciting industry to be in and CyberArk has allowed me the benefit of still continuing to enjoy that experience.

An example of one of the ways CyberArk has benefited our company is one of the simplest. And this one is something that a lot of companies struggle with: domain administrators and server administrators. These are among the top accounts that most companies need to protect. As part of our deployment, we decided to go with these first when we deployed PSM.

What we found out was that there's always that friction with operational teams where they don't want to do this kind of work because it is another thing they have to do. But once the product was deployed and we were able to give them all the tools that they have today, and they did not have to go through attestations and audits anymore and, when team members were coming in and leaving, all they had to do was put in a ServiceNow request to complete all the work, it was just something so different for them that all that friction just went away. It was one of those simplest things, but one of the biggest things that you can do in your company to protect it.

I don't know if CyberArk really helps with meeting our availability requirements, but it definitely helps a lot with managing the accounts and managing the credentials. Availability? It helps to an extent. If there is an event of some sort, yes, you can always go back and look at the logs and you can figure out through recordings what happened. But it's more about manageability than availability.

In addition, when we started with RPA, there was a requirement that every credential and the bots themselves be protected through the PAM system. From the get-go, we've had CyberArk in the middle. We use standard products for RPA and all credentials are managed through CyberArk. All bots are protected via CyberArk, through PSM, and also through CCP calls. We've got a pretty robust RPA implementation with our PAM platform. Users, bots, the credentials — everything is managed via our PAM solution. From a cost perspective, this was something that was a requirement, so cost was never really an issue here.

The solution's ability to secure robots’ privileged access is pretty good. We've been able to secure our bots. In fact, we take care of our bots right from a development environment, using our development instances. So when our developers are building the scripts around those bots, they're already aware of what's going to happen when things finally go into production. Obviously, the level of security doesn't need to be the same, but we do it through the complete lifecycle.

PSM has been one of the most valuable features. We started on this journey a while back. Initially, when we did not have PSM, we started with AIM and that was our first use case. But an audit came along and we had to go towards something a little bit better and we had to migrate more applications. PSM came along and did exactly what we needed it to do. To take care of all the deficiencies that we had, PSM was the right thing to do.

We work with CyberArk's customer success team and we work with its engineering team back in Israel. We've been doing things on CyberArk which a lot of its customers, we know, have not been doing.

The one place where we found that this product really needs to improve is the cloud. Simple integrations don't exist, even today. We don't have anything specific on CyberArk for managing SaaS products, SaaS vendors, and SaaS credentials. I understand it's a vendor-based thing and that they have to coordinate with the other vendors to be able to do that, and there are integrations coming, but these are the major places where CyberArk definitely needs to invest some more time. Because this is what the future is. You're not going to have a lot of on-prem applications. Most stuff is going to the cloud.

Not every product is 100 percent stable. CyberArk does have some issues once in a while. But the core product, the vault system, has been extremely stable. We haven't had a single problem since we got this thing deployed, and it's been more than six years now. We've not had a single problem with the vault. 

Related to the software, there are other things that can cause problems. You could have clusters going down or you could have issues with hardware, but the product itself has been very stable. 

There are the usual quirks you have sometimes with PSM, but it's been a very stable product for what we need it to be.

In terms of the product's ability to manage all our access requirements at scale, about 80 percent of it can be managed. There is no product in the market which can say, "We can do 100 percent, we can do everything." Or, they say that they can, but when it comes to it, it doesn't really happen. But with CyberArk, we've had the benefit of it being a little scalable, plus very easy to configure for the different use cases we have. So we can cover around 80 percent. But then we have to put some compensating controls around the other 20 percent.

It has scaled for our use cases. We built it according to the very large specification and it has scaled. It has done exactly what we need it to do. We've not yet had a performance issue to date.

We've had good relationships with their technical department. My team usually does more engineering. We work with CyberArk's customer success team more often than the regular technical support. My operations team usually deals more with tech support.

When it has really come down to major issues, if we've ever had a Sev 1, they've been on point. They have picked up the phone, they've called us and they've helped us.

We did not use a different product. We had an in-built vaulting system for managing our own credentials. We've been a CyberArk customer for a while. We had the document vault. Privileged Access had just come out and CyberArk was one of the easiest choices we could make at that time. That's how we decided to go with it.

The initial setup was not straightforward. The very first setup that we did was specifically for AIM, which was obviously simpler. We had an in-built vault which we replaced with the AIM setup. 

Our PSM setup was very complex. We had about 450 applications that we had to onboard over a period of one year, and we had to remove close to 16,000 accounts. It was a very complicated setup. We built close to 35 different connection components to get this product in.

The total cost of ownership, over credentials, is definitely something that goes down if you have a vaulting system. But if you have deployed it correctly, that's the only time you can get that. We've definitely seen some improvements. There are additional costs associated with getting every application onboarded, but in the long run, it keeps the company secure and I don't think you can put a price on that.

We use the solution with AWS. In fact, we set up a custom setup for AWS. We worked with the CyberArk engineering team to get it working, to come up with a custom solution to integrate our AWS EC2 instances. There were some limitations, as I mentioned earlier, with how the product integrates with AWS, so we had to make some major changes to how the integration works. As far as monitoring is concerned, it's standard CyberArk monitoring. We don't see anything specific to AWS, as far as the monitoring is concerned. This is the one place where CyberArk can improve.

Privileged access management is one part of IM. Anything that goes through has to get approved through the IM team, and our product of choice for privilege access is CyberArk. When we decided to go to the cloud, this was the natural choice because this was the product that the enterprise uses. We've had challenges. We've had to customize the product to meet our requirements. It might not be the same for every customer because our requirements are a little unique. But it eventually worked out. We've been able to meet most of our use cases.

CyberArk is an eight out of 10. It can do a lot. But there is definitely scope for improvement.

I come from the IM world, but I was more into access management. CyberArk was just one of those products which was thrust on me. Now I'm head of privileged access management, so CyberArk has been pretty good for me, going from the access management space to privileged access management. It's definitely had an impact on my career.

We're a small IT shop of a few hundred people and the company has only a couple of thousand employees. We had some SharePoint workflows that people had used to get access via submitting a ticket. We had updated those processes by using some DevOps, some JAMS jobs that run in Azure, and they were breaking frequently. We have gotten people to understand now that they can just go to CyberArk. They don't have to submit a ticket, they don't have to go through a workflow, they don't have to put in the right server name or wait for an approval. It's just there. People really like that.

The solution standardizes security and reduces risk-access across the company. It's what the solution does. It's just a requirement. Standardizing access is taking away the "onesie-twosies." With the DNA scan, you're running a full report of everything on all your servers that you're targeting, or all the servers period, and finding those onesie-twosies accounts and getting rid of them. Standardizing and making local accounts on the servers, accounts that have least privilege and that don't have access to anything else, and giving people only that access when they log onto a box; that's pretty cool standardization.

In terms of being able to have a quick win using the solution, we were given a ridiculous deadline to meet an external customer requirement to have privileged access management in place within a couple of months. That was to include signing the purchase order, getting it installed, and having it up day one to take in what we thought were 17 servers. Actually, we found out it was 53 and, two weeks after we had it running, we found out there were upwards of 60 to 70 servers. Getting all those servers in, the accounts in place, by the deadline — even just installing it — was all an immediate win. People said it couldn't be done.

Right off the bat, the most valuable feature is the DNA scan. It gives us the ability to scan our environment and find the accounts that we're going to need to take under control.

We're quite new with CyberArk. We've just installed it this past summer and we've taken off with the Microsoft tier model. Tier 0 is our domain admin accounts and our local admin accounts on some applications are specific to SOX requirements. That's been amazing. It's basic-use PAM, but it's been really fast and easy because of the DNA scan. We knew what was there and we were able to go find who owned those accounts. Step one, step two, step three are really easy.

We're pretty excited about Alero, the third-party access management. As a small company we lean on vendors quite a bit and we do that in multiple areas. That's going to be a big one for us. It's just gone from beta to production. It's one of those things that's on our roadmap, but being so new to the toolset, we're just growing into the tool. We're not quite there yet.

The product has been around forever. In a way, it's a bit old-school. I came from a Windows Server environment, so I get how it's built. It's INI files, it's apps that run on Windows Servers. I'm sure there are other ways that it runs, such as in the cloud as well. There are other directions. But the base of the product is old-school. It just works. So the stability is there. My new engineers can do the install, they can understand how it works. It's quite stable.

In terms of scaling, we're not there yet. We have a number of offices, we're a small company but we're spread globally and we're installing servers in Brazil. We also have servers in London, so we can scale geographically quite easily because it's applications running on servers. There's also a DR capability, having those vaults where needed, so we can scale that way.

There are a lot of new things coming out about endpoints, and third-party management is going to be big. We can scale geographically and we can scale outside of our borders and that's going to be cool.

We had no PAM program when I came to this company.

The initial setup is very straightforward. It's well-documented. We sought to have external advisors and third-party consultants help, in addition to CyberArk's help, because we had such tight deadlines. We were installing multiple environments with a turnaround in weeks and had to complete the training at the same time. Junior engineers were coming in and they could walk through it. We found out that it's almost self-doable. But that's probably not advised in any solution. The help was appreciated but it's straight-away easy.

In a previous life, I worked with TPAM, Quest products, and Safeguard. We evaluated five different toolsets when it came to my new role here — all the major players. The last two were Quest and CyberArk and I had a strong relationship with both groups. A lot of it came down to dollars and cents, but CyberArk also had that marketplace that told us that we could do certain things out-of-the-box. That was very important to us, enabling us to get stakeholders' buy-in: strategic alliances within our customers or the companies that we own. We got them bought-in to the idea that they were going to be using this tool. It came down to the marketplace.

I'd never ever rate anything a 10. I'd probably never rate anything a one. I'd rate CyberArk as 7.5 out of 10. We actually did surveys of all the people that saw all the demos of all the new solutions we looked at. CyberArk was a seven or eight consistently, from all the people who watched it. The benefit of it is it's stable, it's old-school, it just works. The downside is that it's a big program. To scale excessively, locally, on an on-prem application, takes a lot of servers. Those are the highs and lows. It could be amazing if it all ran in the cloud, but that wouldn't be possible.

I started as a PAM engineer eight years ago. Learning PAM and understanding how it protects people and being the liaison who needs to take passwords away from engineers is really tough. But it put me in a good spot. I grew from a PAM engineer to an identity engineer to identity team lead to identity manager. Within the last year-and-a-half, I came into this company because of a PAM role. They hired me as an identity manager because I knew PAM and because I had a relationship; I was working on bringing CyberArk in as part of my previous role and they wanted me to come in and do that same evaluation here. So knowing CyberArk got me my job and, within three months, they said, "We don't need just one team like this doing these assessments. We need multiple teams. So you're an associate director." I said, "Thanks, I don't want to do that. I just want to play with PAM."

Previously, we used to share passwords for service and normal admin accounts among team members. However, since we started managing it through the product, we've transitioned to individual admin accounts or implemented dual control for shared accounts. With dual control, exclusive checking and checkout options are available, and passwords are not stored in clear text anywhere in the credentials.

The solution's most valuable features are automatic password rotation, privilege manager, and secret manager. Previously, IT personnel had admin rights on their regular accounts, allowing them to log in to domain controllers. However, this posed a security risk as compromised accounts could grant unauthorized access to domain controllers. To mitigate this risk, we implemented separate DA accounts for IT staff. These DA accounts were restricted from logging in to domain controllers and did not have associated email addresses. They were dedicated AD accounts solely for accessing domain controllers, and the solution handled their management.

Previously, manually rotating admin credentials was a time-consuming task. However, implementing the tool's automatic password management feature has made this process easier. We've configured defined policies within the solution to dictate when these credentials should be changed.

The tool's UI has bugs and lags. It needs to be improved. The deployment process can be complex due to multiple components for various functionalities, each requiring separate infrastructure management. To simplify this process, consolidating all these components into a single platform could be beneficial. The product's pricing could be cheaper. 

I have been using the product for eight to nine years. 

I rate the product's stability a seven out of ten. 

I rate the tool's scalability a seven out of ten. 

The tool's support gets worse each year. Support is outsourced to smaller companies, which doesn't work fine. Its support was good eight to nine years back. Over the years, it hasn't improved but degraded. 

Negative

I work with BeyondTrust. BeyondTrust's UI and support are good and never lag. BeyondTrust is also cheaper. 

CyberArk Enterprise Password Vault's implementation timeline largely depends on the size and complexity of the infrastructure. A smaller infrastructure with around a thousand servers can typically be implemented within a week or two. However, the implementation process may extend to four or five months for more extensive infrastructures with tens or hundreds of thousands of workstations and accounts. The tool's transition into a security-focused product necessitates strong integration with security orchestration platforms. Prebuilt packages with ready-made integrations are required instead of developing everything from scratch. It lags in automation. 

We have seen 40-50 percent improvements after using the solution. 

I rate the product a seven out of ten.

To securely manage privileged accounts within the enterprise and automate password compliance where possible. Bringing multiple account types all into a single central repository with an intuitive user interface has greatly improved our security standing. Instead of managing each account in its disparate location like Database, Active Directory, LDAP, and Mainframe, we can now do it from a single solution. This has enabled great strides in standardizations across account types for password and access management.

CyberArk has enabled my organization to monitor and manage privileged accounts in a secure manner while also giving the ability to adhere to password compliance automatically. CyberArk has helped us to remove hard-coded credentials in applications and scripts. Traditional password policies often fall short of providing adequate protection, but CyberArk's PAM has allowed my organization to set robust password policies that require a combination of uppercase and lowercase letters, numbers, and special characters.

AIM has been a great help in automating password retrieval which removes the need for hard-coded credentials. Hard-coded credentials are a risk to organizations as they are easy for attackers to target. Therefore less hard-coded credentials increase the security stance of the enterprise. We have greatly utilized the out-of-the-box usage automation like Windows Scheduled tasks and password config files. The reconcile feature is another must-have to give users the ability to not only change their password but to unlock it as well where needed. 

CyberArk's Privileged Access Management (PAM) stands out as an industry leader, and it is often considered at the top of its class. This comprehensive solution has consistently delivered robust features and innovative security measures that make it an essential component of any organization's cybersecurity strategy. While no system is without room for advancement, CyberArk has continuously demonstrated its commitment to innovation and improvement, and many of the potential areas of improvement are already being actively addressed.

I have been using this solution for 13 years.

This solution is very stable with the ability of satellite vaults and HA.

CyberArk is incredibly scalable. Make sure to check out the unlimited option.

Excellent service and quick responses with engineers who understand the product.

Positive

We started out with CyberArk. When we started to look into using a PAM solution they were the leader in the space (and still are).

For the time saved and security added, the benefit far outweighs the cost.

Check out the unlimited model as it can save money and make for a more scalable solution depending on the size and needs of your organization.

My company evaluated other options, but I was not with the company when this occurred.

Contact the professional help for a demo, and you will not be disappointed. Even if you do not choose CyberArk, they can help identify current security gaps.

We currently employ CyberArk Privileged Access Management, which involves extremely complex processes for ensuring the secure management, verification, and guarantee of credentials. Implementing the professional installation tool represents another challenging aspect of this task.

The most valuable feature of CyberArk Privileged Access Manager is privileged threat analytics.

The support could improve for CyberArk Privileged Access Manager.

I have been using CyberArk Privileged Access Manager for approximately three years.

The solution has high availability.

CyberArk Privileged Access Manager is highly scalable. When compared to other solutions it scales well.

I plan to use the solution more in the future.

The issue of technical support is crucial, as there are not many specialized partners available in Brazil to provide this service. While English language support is of good quality, there is a significant shortage of partners capable of meeting the demand locally.

The initial setup of CyberArk Privileged Access Manager is easy.

We have received a high ROI using CyberArk Privileged Access Manager.

The price of the solution is reasonable.

I rate the price CyberArk Privileged Access Manager a seven out of ten.

Individuals who wish to utilize CyberArk should be cautious when selecting a partner to implement the solution, as proper architecture design is essential to ensure a streamlined and effective implementation.

I rate CyberArk Privileged Access Manager a nine out of ten.