CyberArk Privileged Access Manager Reviews

Account discovery, account rotation, and account management features make it a well-rounded application.

Account discovery allows for auto-detection to search for new accounts in a specific environment such as an LDAP domain. This allows CyberArk to automatically vault workstations, heightened IDs, servers, and other accounts. Once the account is automatically vaulted, the system then manages the account by verifying the account on a regular basis or reconciling the account if it has been checked out and used. The settings for the window that account is using is configurable to the type of account being used.

CyberArk is constantly coming up with new ways to perform auditing, bulk loading accounts, quicker access between accounts and live connections, as well as different ways to monitor account usage and look for outliers.

As companies move further toward a “least privilege” account structure, CyberArk sets the bar for heightened account management.

In the past, standard practice was to assign role-based rights to standard accounts. Moving away from this structure allows us to require that all heightened access accounts be “checked out” and only operate within a set window. CyberArk analytics provide real-time monitoring to ensure accounts are only used by the correct people at the correct time.

Like any software, improvements and upgrades are a necessity. As CyberArk is used by many Fortune 100 and Global 2000 companies, they offer custom solutions that need to be continuously improved as the company changes. I am looking forward to new ways to utilize accounts within the current CyberArk system allowing a more seamless flow for technicians.

I have used it for 19 months.

Beyond the servers and security devices necessary to run CyberArk, it maintains surprisingly few dependencies. It is capable of secure hardening with the capacity for multiple failovers that can exist and work without the use of LDAPs or external databases. CyberArk has been the most stable platform I have ever worked on and our redundancies allow for 100% uptime.

Scalability has not been a problem. I have worked on multiple improvements and increases, as we continuously increase the number of domains and types of accounts CyberArk manages. There is not currently an end in sight for the number and types of accounts we are adding.

CyberArk technical support is top notch. They provide ticketing and immediate escalation of issues, as well as direct resources for more immediate problems. CyberArk R&D has also provided valued updates to custom applications we use internally.

With data breaches and ransomware becoming the standard that companies now face, a more elegant solution was desired from standard network and physical security. Accounts that can be found or socially engineered out of people has been a long-standing tradition for criminals and bored teenagers. Reducing the window any account can be used provides a more secure network.

Setting up and learning a new platform is always a complex undertaking. This is why CyberArk provides local hands-on support to get the system set up and the company’s techs trained. The base setup will differ from company to company, based on their immediate needs and what they wish to accomplish immediately. Heightened IDs, local workstation IDs, off-network server accounts, service IDs… the list goes on and on.

There are a handful of options out there providing similar services. However, none of them are as far along or provide as much stability and innovation as CyberArk. Pricing and licensing are going to depend on a great many factors and can be split up from when the system is originally implemented, and upgrades and new software down the line. All that being said, the money in question was not a deterrent in picking CyberArk for our solution.

We have tested a great deal of products, many of which are being used in the company for various other purposes; Avecto, Dell, Thycotic, to name a few. Centrify was the other primary system that we really carefully reviewed. In the end, the features and interface of CyberArk won out.

CyberArk is an innovative set of tools that are easily learned. Getting deeper into the product allows for a great deal of complex settings that can be learned via high level implementation guides as well as a CyberArk certification.

The ability to create custom connector components is the most valuable feature of the product. Once the organisation matures in their privileged access strategy, CyberArk’s customisation capability allows you to target application-level access (e.g., web-based management consoles) as opposed to just the underlying operating system. The API allows operational efficiency improvements, through being able to programmatically provision accounts into the Vault.

It has improved our organization by being able to consolidate several privileged access technologies into a unified tool. Session recording and auditing capability, and approval workflows allow a high degree of control over the organisation’s privileged access requirements for compliance purposes.

• Authentication to the solution: Authentication to the PVWA utilises integration to IIS. Therefore, it is not as strong as desired.
• Reporting capability and customisation: Reporting utilises predefined templates with limited customisation capability.

I have used it for 15 months; approximately nine months in a large enterprise.

I have not encountered any stability issues.

I have not encountered any scalability issues. The solution is fairly scalable. All presentation-level components are operable in highly available configurations.

Technical support is 8/10; level of engagement depends on severity of problem.

I did not previously use a different solution.

Initial configuration is quite complex and takes a considerable amount of time. However, this depends on the management requirements of the organisation. An example of this is connectors to mainframes, which might require a degree of customisation and knowledge of how the password manager functions (and relevant training). Setup regarding installation is straightforward, as the provided guides are quite expansive and include several installation possibilities (e.g., standalone, HA, DR, etc.)

Appropriately scope the organisation’s requirements to ensure licenses are not over-provisioned.

I was not part of the selection process.

If an organisation has not utilised a PAM tool before, it is a large cultural change fundamentally in how a user works, and should be taken into consideration accordingly. The solution is complex depending on the requirements; therefore, the implementation should not be rushed and it should be tested appropriately.

I see the Auto IT integration as the most valuable feature.

I have seen improvements compared to the older versions and the integration of Auto IT provided the flexibility to add thick clients and websites.

Session recording search capability has to be improved. It should include more platforms for password management. It should include more thick client integrations.

I used it for almost six years.

There is dependency on Windows tasks and if any AD GPO changes are pushed, it affects the system and stops working.

I have not encountered any scalability issues. The product scales as the organisation grows.

Technical support from the vendor is the worst and that is one reason I stopped using CyberArk.

The initial setup is not so complex, but CyberArk does require more servers for a full-fledged installation.

The solution is costly and the licensing is very complex.

I was using CyberArk for more than six years and I have now switched to ARCOS. I was impressed with ARCOS because of the following reasons:

• Cost-effective solution
• Fewer servers required
• Flexibility, performance
• More features
• Simple licensing
• Good support

I evaluated other solutions such as Leiberman, ManageEngine, TPAM, and Xceedium.

ARCOS seems to be very promising and cost effective. Also, ARCOS doesn’t have a traditional jump server concept, which saves the customer from spending more on hardware. The licensing is very simple (number of admins & target IPs), where most of the features are available by default with the basic license.

CyberArk architecture is good and more secure, but I see the solution as expensive. Support is the worst; CyberArkstaff is not supportive, their professional service team charges for each and every thing.

As a security engineer, I mostly implement the Enterprise Password Vault Suite (Vault Server, Central Policy Manager, Password Vault Web Access) as this is the base upon which every additional component is built. I am using and implementing the additional components, such as the Privileged Session Manager and Application Identity Manager, more and more.

When implementing CyberArk, I see that a lot of security issues are addressed by the solution. For example, audit issues for privileged (non-personal) accounts, which have a sufficient amount of impact on the organization when being compromised or misused.

A major benefit next to the auditing capabilities is the secure storage of the accounts in questions. CyberArk has the most extensive hardening and encryption techniques I have seen in a product, with equal intentions.

Additionally, CyberArk can reduce the attack surface of these accounts by retaining the privileged accounts (protecting the credentials) within a secure environment only to be accessed through a secured proxy server (Privileged Session Manager). What I have also seen is that the Privileged Session Manager can aid in the adoption of CyberArk within an organization as it allows the end user to keep using his personal way of working (e.g., Remote Desktop Manager, Customized Putty).

Another burden that organizations have is the need to manage hard-coded credentials. CyberArk also has a solution for this, allowing the credentials to be stored in the vault, where they can be retrieved by a script or applications through the execution of a command instead of hard-coding the credentials. There is also a solution available for accounts used in Windows scheduled tasks, services and more.

The last generic, relatively new improvement for customers is the ability to monitor and identify the usage of the accounts managed by the suite. By using Privileged Threat Analytics, you can match the usage of CyberArk against the actual (logon) events retrieved from the corporate SIEM. Next to this, PTA profiles privileged account usage to discover malicious patterns such as different IP addresses or usage of an account on an unusual day. This is a very useful practice to gain an enhanced view on these privileged accounts and can eventually limit the impact of any malicious usage because of early detection.

In every product, there is room for improvement. Within CyberArk, I would like to see more support for personal accounts. It can be done right now, but I can imagine changing a few aspects would make this easier and more foolproof.

Next to that, the REST API is not as capable as I would like. CyberArk is getting close, though.

Lastly, I would love to see a password filler that can provide raw input (like a keyboard). There are scenarios where administrators do not have the ability to copy and paste a password from the clipboard. As typing over a long random password is a tricky job, a raw password filler would be a solution that could overcome this issue.

I have been involved with CyberArk for three years now. During this period, I have designed, implemented and supported multiple CyberArk environments.

During the time that I have worked with CyberArk, I was able to conclude - based on experience and colleague stories - that this is one of the most stable products I have ever encountered. I have never seen any stability issue that was not related to a human error or a configuration issue.

As far as I’m aware, we have not encountered any scalability issues. I have heard of some issues with the database of CyberArk when scaling to excessive amounts of entries, a long time ago. These issues have been fixed, as far as I know.

In addition, it is possible to have issues with the Central Policy Manager when you configure it wrong.

The technical support for our customers is primarily handled by ourselves, with CyberArk technical support to fall back to. I have seen great improvements in the quality of support over the years and they continue to do so. The response is fast and the quality is good.

There is room for improvement in bug tracking. When a bug is confirmed, it is hard to track when or if it will be released in one of the future releases. As CyberArk is building an entire new support portal, I hope that this will be improved someday.

My company did not previously use a different solution. My company has had CyberArk in their portfolio for more than 10 years now.

Our company has set up a ‘generic’ and fast implementation plan based on our experiences and best practices. This plan provides a straightforward approach, which can be customized into a complex solution to suit every customer's needs.

In general, the installation is quick, but the actual work is found in the process of onboarding new account(type)s as this requires a significant amount of communication and coordination.

Try to create a good design with a CyberArk partner before you start thinking about licensing. Then, you will have a good view on the components needed to suit your environment from the start towards a fully mature environment.

Do not think too big at the start.

Every feature of this product - Password Management, Session Management and so on has its own value depending on different use cases, but I like:

• It's a clientless product and does not require any third-party product for any of its operations (Password Management, Privileged Session Management).
• For password and session management, it can integrate with any device/script with a password OOB or via a custom plugin.
• Compared to other products, CyberArk is extremely easy to install and configure.

Due to regular growth of an organization infrastructure, managing passwords within the organization becomes extremely difficult.

In larger organizations with a large user and infrastructure base, it can be very difficult to ensure that the passwords for privileged accounts are changed according to the organization security policy. This can be especially true in case of local admins for Windows and Unix boxes. Unmanaged/neglected local admins accounts lead to a major security threat.

Another major risk is to monitor activities and usages associated with privileged accounts to hold people accountable for their actions.

CyberArk helps organizations to manage all the privileged account passwords (server or workstation) in a centralization location as per organizational security policies. It also helps to hold people accountable by controlling and managing password usage using privileged session management.

Accountability is set up using CyberArk OOB temper-proof reports.

CyberArk has evolved a lot in the last 16 years and has nearly all the features required for effective operation. The only area for improvement is using a native client while connecting to the target device instead of the current method of using a web portal (PVWA). CyberArk seems to be working on this area and we expect these features in coming versions.

It would be great if in the future CyberArk considers launching an installer for Unix-based OSs.

I have been using this product since 2010.

In my seven years of experience with CyberArk products, I have never seen an unstable environment due to product functionality. It's always lack of proper planning, inexperience and faulty configuration that leads to an unstable environment.

CyberArk can be horizontally and vertically scaled, if it is well thought out during panning phase. As an example, if an organization feels that they may need high availability of Vault servers (CyberArk’s centralized storage for passwords and audit data) in the foreseeable future, they should consider installing CyberArk Vault in cluster mode instead of standalone mode. One can't use a standalone vault as a cluster vault or convert a standalone vault to a cluster vault, but in terms of increasing the number of passwords and session recording, underlying hardware can be scale to achieve desired size.

Three-year support (unlimited case and call support) is free with license purchase but I would say sometimes it's not sufficient to resolve the issues with this model.

Nonetheless, CyberArk Profession Services is quite impressive, even though it's a costly affair.

I was part of the PIM product evaluation team at my previous organization. I stayed with CyberArk because is it's extremely easy to implement, and very stable when implemented with well-thought-out planning and experience. It has all of the required features for a PIM product, it does not have dependencies on third-party products for it to function and it is clientless.

Initial set up is super simple and if planned properly, can be installed within a couple of hours.

I cannot comment much on this because CyberArk has different pricing for its partners or resellers, and might also vary according to size of procurement.

Before choosing this product, I also I evaluated NetIQ PIM, Dell TPAM, CA PIM and ARCOS.

Invest as much as possible in the planning and design phase. Consider at least future three-year growth in password and user base such as growth in virtual environments, and size accordingly. Also consider requirements like high availability of vaults, PSM and other components.

• Password vaulting
• Granular commands profiling with OPM

• Sys/DB admins no longer need to have system credentials (and the same for third parties)
• Access profiling
• Request demands from domain groups

The management console has a lot of functionalities, but is a little bit complex to use.

Customer support and technical support can be better, compared with the level of products.

I have used it for one year.

I have not encountered any stability issues.

I have not encountered any scalability issues, technically speaking. Issues with the licenses can occur; the pricing model is not easy to understand.

Technical support is 7/10.

I did not previously use a different solution.

Initial setup was very easy. We started integrating systems and providing access to systems within few days.

From my experience, for small environments, the subscription licensing model is very cheap.

We also evaluate other solutions in the Magic Quadrant for PAM solutions.

Before defining the solution’s architecture, clearly define your requirements and the kind of systems in scope. Some systems/device can be integrated out-of-the-box, others need customization.

Plus: easy to deploy, highly customizable
Minus: a little bit complex to integrate in large environment, complex rules/customization takes time

EPV (Enterprise Password Vault) is the most valuable feature of the product to me. It is the core of the product, where it stores the passwords it needs to protect. It protects privileged IDs within a secure digital vault.

User friendliness and reporting: While the PVWA (Password Vault Web Access) provides a web console for the end user and administrator to access the solution, there is room for improvement. (E.g.: show tips when the mouse hovers over.) Reportingprovides very detailed information; however, it requires customization before it is presentable.

I first got introduced to CyberArk around 2012.

No issue with stability. The solution provides an HA option.

I would say there are scalability issues. After the solution is deployed, resizing it is difficult. Therefore, proper sizing at the planning stage is important.

Technical support is excellent; one of the most knowledgeable and well-trained support staff.

I did not previously use a different solution.

Initial setup was complex. A typical deployment will require at least two months of full-time planning. In a large deployment, it can be over six months.

Before choosing this product, I did not evaluate other options.

A well-trained and experienced deployment team is critical. Sizing, safe design, and access management need to be discussed beforehand.

reason for not being a 10 is, there is always rooms for improvements.

With the Privileged Session Manager, we can monitor sessions in real time and terminate the session if there's any unnecessary activity found. For example: We give access to user to access the server only to update patches, but if we find any activity not related to patch updates, we can terminate the session.

Actually my company/previous company does not use this product, but we sold it to our customer. This product helped our customer manage their privileged accounts. It’s easier to them to manage and control the privileged accounts.

It needs more plugin connectors for all devices. CyberArk currently can manage or make it easier to manage about 80% of our total devices. The rest still need R&D to develop the plugin. If CyberArk had more plugin connectors, the customer would not need to raise plugin development requests for several devices and CyberArk could easily connect to these devices.

What I mean with CyberArk needing to improve plugin connector is that currently CyberArk is able to manage almost all devices (server, network devices, security devices etc.) which are more than 80% of all devices. In my experience device such as IBM OS/390 and Cisco TACACS still need custom plugin connectors developed by CyberArk R&D.

If CyberArk IS able manage more than 95% from total devices it would help the customer to using it without raising a support ticket to create a plugin connector. CyberArk will more easier to manage all devices with no compromise

I used this solution from mid-2013 until mid-2015.

So far, it is stable.

This product is scales easily.

Technical support is good. They have good technical teams around the world including southeast Asia.

Most customers using a different solution switch to CyberArk because CyberArk is more user-friendly than its competitors and have more plugins compared to the others.

Initial setup was actually easier.

Start small.

Yes, we evaluate other options. The issue was about price, stability, scalability and the development of this product to ensure support.

Contact the local distributor for help.