Jonathan Hawes - PeerSpot reviewer
CyberArk PAS Administrator at L3Harris Technologies
Real User
Top 5 Leaderboard
Easy to secure, control, and monitor privileged access on highly critical networks
Pros and Cons
  • "The established sessions on the target systems are fully isolated and the privileged account credentials are never exposed to the end-users or their client applications and devices."
  • "CyberArk PAM is a very broad product as everyone's requirements for implementation are different. In our particular case, the initial implementation was planned and developed by people who didn't know our specific network requirements, so the initial implementation needed to be tweaked over time. While this is normal, at the time all these "major" changes required CyberArk professional services to come in-plant and "assist" with the changes."

What is our primary use case?

Within our organization, our security requirements, which are set by our customers, require CIS compliance. Those requirements mandated securing privileged passwords with encryption, both in transit and at rest. CyberArk PAM was selected as our solution, and CyberArk's Professional Services team conducted the initial installation and implementation. 

Three years later, I was tasked with implementing the product more fully, integrating more of the out-of-the-box privileged password change management automation features of the product within our environment.  

How has it helped my organization?

The out-of-the-box functionality, Windows OS Privileged local account password change management, was the first automation feature implemented, and by itself, the automation reduced the man-hour requirement for quarterly local privileged password change management enough to provide a complete ROI on the initial licensing investment.

Continued implementation of more of the out-of-the-box PAM functionality continues to produce man-hour savings, which frees up our security operations group to have more time to monitor, investigate, and resolve potential security issues on the network.

What is most valuable?

Our implementation is air-gapped from the outside world, and as such, we utilize a completely on-prem solution. Our highest risk is from privileged insiders, and CyberArk's answer to this challenge was the implementation of a Privileged Session Manager (PSM). With PSM, we were able to secure, control, and more importantly, monitor privileged access to highly critical network servers by using PSM to manage accounts and create detailed session audits and video recordings of all IT administrator privileged sessions on our most critical servers. The established sessions on the target systems are fully isolated and the privileged account credentials are never exposed to the end-users or their client applications and devices.

What needs improvement?

CyberArk PAM is a very broad product as everyone's requirements for implementation are different. In our particular case, the initial implementation was planned and developed by people who didn't know our specific network requirements, so the initial implementation needed to be tweaked over time. While this is normal, at the time all these "major" changes required CyberArk professional services to come in-plant and "assist" with the changes.  

Over time, the CyberArk product team has made this process simpler and has enabled more local administrator configuration and update functionality, which doesn't require sub-contracts.

Buyer's Guide
CyberArk Privileged Access Manager
June 2025
Learn what your peers think about CyberArk Privileged Access Manager. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
857,028 professionals have used our research since 2012.

For how long have I used the solution?

Our program has been using CyberArk since 2014, although it was not fully implemented until I took it over in 2017.

What do I think about the stability of the solution?

The product is very stable, limited only by the Windows Operating System it is built upon.

What do I think about the scalability of the solution?

This product seems to be scalable to any size. Providing vault cluster services, distributed vaults, and DR vault implementations, the product is truly ready for global implementation.

How are customer service and support?

Tier One customer service is not as responsive or as knowledgeable as I would like; however, once your service request is sent to a Tier Two support engineer, the knowledge and experience level increases dramatically.

In addition, within the CyberArk support environment, Technical forums are available in which other customers are very willing to share their experience, and offer possible solutions to non-critical issues.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

This was an initial implementation to meet the regulatory requirements of a federal customer.

How was the initial setup?

In our specific case, the initial setup and configuration were very complex, which was a result of the initial design being developed by our internal engineers and CyberArk professional services, neither of which had the "tribal knowledge" of how the network functioned, or how the processes of network engineering and security had been implemented.

What about the implementation team?

The initial implementation was a joint project with CyberArk Professional Services and our internal Systems Engineers. The Professional Services engineers were very knowledgeable regarding the implementation of their products.

What was our ROI?

Our program realized the total ROI after the implementation of policy-based automated password change management, which resulted in a significant reduction in man-hours required to conduct password change management (PCM) on a multitude of network elements. 

What's my experience with pricing, setup cost, and licensing?

For licensing on a localized on-prem installation, the CorePAS licensing model enables the most critical component products within the PAM stack, enabling multiple layers of security which can take a while to implement.

Which other solutions did I evaluate?

At the time of the initial implementation (2013-2014), after looking at the field of available products, CyberArk PAM was significantly more mature than the other available products. For that reason, CyberArk PAM was selected.

What other advice do I have?

The greatest issue that I experienced with the implementation of the CyberArk PAM solution was inter-departmental politics regarding change. To resolve this, I relied on the CyberArk Customer Success team to assist with developing a strategy to get all of the stakeholders to accept the changes. Every CyberArk administrator needs to spend time learning about their customer success team since their purpose is to assist with making sure you have the knowledge you need to make sure your implementation is successful.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
UmeshKumar4 - PeerSpot reviewer
Security Consultant at Ernst & Young
Real User
Top 20
Offers password rotation and makes session recordings compulsory for data protection
Pros and Cons
  • "Password rotation is the most valuable feature"
  • "The solution should be able to mitigate internal threats"

What is our primary use case?

I use the solution mainly for credential tasks. For instance, if the company I work for has recent data stored in a privileged report and needs security from cyber attackers, CyberArk Privileged Access Manager is used. The solution helps provide access only to authorized users and rotate passwords every sixty or ninety days. CyberArk Privileged Access Manager also allows the configuration of the password either manually or automatically. 

In our organization, Privileged Session Managers (PSM) assist in recording sessions of a particular server using the solution. The product allows users to utilize different permissions, such as end-user, auditor, and administrator permissions. For CyberArk Privileged Access Manager, administrators have the major access to implement tasks like creating, changing, rotating the password and adding new users. 

What is most valuable?

The most valuable feature of this tool is the password rotation feature. Another vital feature of the solution is the Safe feature, which acts as a container. Only accounts included within the Safe can access a particular server. 

The solution allows the distinguished use of PSM and PSMP for a Windows and Linux server, respectively. The tool makes all session recordings compulsory and cannot be tampered with. It also eliminates hard-coded credentials and supports demand-based applications.  

CyberArk is very popular and provides a lot of features compared to competitors' PAM tools, which is why many customers are migrating to CyberArk's Privileged Access Manager. 

What needs improvement?

The solution should be able to completely mitigate internal threats. For instance, if an employee of a company saves the CyberArk passwords in a system, then another employee might be able to use it and log in, so there remains an internal threat when using the solution.  

The feature of giving user access through a Safe should be modified. The solution should allow users access directly through an account, and the Safe concept needs to be improved. 

For how long have I used the solution?

I have been using CyberArk Privileged Access Manager for the past two years. 

What do I think about the scalability of the solution?

In my organization, about ninety to one hundred people are using CyberArk Privileged Access Manager. 

How was the initial setup?

It's easy to set up and install CyberArk Privileged Access Manager. Multiple components need to be installed for the solution. Often, the PVWA, PSM, and CPM need to be installed. If an organization has a Linux account, then PSMP needs to be installed for using the solution. While installing the solution, the Vaults need to be defined, if it's a standalone Vault or a cluster Vault. A cluster Vault is mostly implemented for disaster recovery to replicate data when something happens to the main Vault.

What's my experience with pricing, setup cost, and licensing?

CyberArk Privileged Access Manager comes at a high cost. But the solution is worth its price. 

What other advice do I have?

I would recommend the solution to others depending on their goals. If the aim is to protect an organization's data and use PAM, then one should use CyberArk Privileged Access Manager. If the goals include detecting malicious activity, onboarding privileged accounts, and maintaining data accounts, then an organization should adopt the solution.   

I have used the solution's session monitoring capabilities to monitor user activities. The solution's session monitoring feature can be useful for monitoring a user while the person logs in or performs other molecular activities.  

CyberArk Privileged Access Manager is difficult and time-consuming to learn in comparison to other IAM tools. There are multiple components, like the vault, that need to be understood before using the solution. But basic administrator tasks like onboarding accounts and rotating passwords will be easy for a beginner user of CyberArk Privileged Access Manager. A beginner-level user of the solution may face challenges with secret rotating, management and AIM handling.  

I would rate CyberArk Privileged Access Manager an eight out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Vishnu Ramachandra - PeerSpot reviewer
Security Engineer at Suraksha
Real User
Top 5 Leaderboard
A highly scalable PAM solution that needs to improve its GUI
Pros and Cons
  • "The most valuable feature of the solution stems from the fact that it's the best in the market. I haven't seen any other PAM solutions better than CyberArk Enterprise Password Vault."
  • "CyberArk Enterprise Password Vault's GUI has certain shortcomings that need improvement."

What is our primary use case?

My company uses CyberArk Enterprise Password Vault for privileged access management, a domain that the product fits under. CyberArk Enterprise Password Vault involves password rotations, recording of sessions, keystrokes, and securing sessions, which all come under the same category in the solution.

What is most valuable?

The most valuable feature of the solution stems from the fact that it's the best in the market. I haven't seen any other PAM solutions better than CyberArk Enterprise Password Vault.

What needs improvement?

CyberArk Enterprise Password Vault's GUI has certain shortcomings that need improvement.

For how long have I used the solution?

I have been using CyberArk Enterprise Password Vault for two years. I use the solution's latest version.

What do I think about the stability of the solution?

It is a stable solution, but sometimes its GUI lags if the load gets too much. If you try to click some buttons, responding will take five seconds instead of just responding immediately.

What do I think about the scalability of the solution?

It is a highly scalable solution.

My company has around 500 uses of the solution and 3,000 to 4,000 accounts, which can be scaled up to 10,000 or 15,000 accounts.

My company does not have plans to increase the usage of the solution.

How are customer service and support?

I am not an admirer of the product's technical support team. The product's technical support team doesn't know the product well enough to give customers suggestions, so they need to work on that part.

Which solution did I use previously and why did I switch?

BeyondTrust and LastPass were the two solutions I had used in the past.

How was the initial setup?

The initial setup of CyberArk Enterprise Password Vault is quite complicated, but if you follow the documentation, I don't think you should have any issues. The issues are only with the solution's support team and the GUI.

The initial deployment just takes about five days to a week if you have got all the network architecture right.

If you don't get the network architecture right, then the deployment could take two or three weeks.

For the deployment process, you should ensure you have some open IP ranges because CyberArk needs to talk to the cloud at its end, so you need to allow certain IPs to make certain connections, after which you need infrastructure and servers in place.

There is a Zip file for your environment, like an image you download from their website, which CyberArk's partners can access. Once you download the Zip file, there are a few scripts to run, and if the scripts run properly, your environment will be set up properly, after which you deploy the connector.

There is a need for an architect who is an expert in CyberArk and networking for the deployment and maintenance, along with one senior engineer.

What was our ROI?

The ROI for the solution is good because if you deploy the product, then you will not face any issues for five to ten years, especially if you manage it well.

What's my experience with pricing, setup cost, and licensing?

Payments have to be made on a yearly basis toward the licensing costs of the solution.

I would say that the solution is expensive because it's only preferred by the top-tier companies involved in banking or insurance who have no problem with budgets for their cybersecurity. A medium or small-sized company would prefer to use some other solution over CyberArk Enterprise Password Vault.

Which other solutions did I evaluate?

I was not part of the evaluation process in my company. I wouldn't know why my company chose CyberArk Enterprise Password Vault over other products. I can say that I am comfortable with CyberArk Enterprise Password Vault.

What other advice do I have?

I recommend the solution to those planning to use it. I suggest that CyberArk's potential users invest in getting their own IT environments working perfectly before involving a team of CyberArk-certified engineers since it makes the process a lot easier. If you don't follow the aforementioned steps, then you will find yourself going back and forth to the product's support team, which will take you ages because they take time to respond.

I rate the overall solution a seven out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
SatishIyer - PeerSpot reviewer
Assistant Vice President at a financial services firm with 10,001+ employees
Real User
Lets you ensure relevant, compliant access in good time and with an audit trail, yet lacks clarity on MITRE ATT&CK
Pros and Cons
  • "I'm no longer the product owner for PAM, but I can say that the most useful feature is the vault functionality, which keeps all your passwords secure in a digital vault."
  • "When I was a component owner for PAM's Privileged Threat Analytics (PTA) component, what I wanted was a clear mapping to the MITRE ATT&CK framework, a framework which has a comprehensive list of use cases. We reached out to the vendor and asked them how much coverage they have of the use cases found on MITRE, which would have given us a better view of things while I was the product owner. Unfortunately they did not have the capability of mapping onto MITRE's framework at that time."

What is our primary use case?

I work with the infrastructure access team in my organization and we have CyberArk as a primary solution along with a number of components for Privileged Access Management (PAM) and monitoring within the privileged access sphere.

We began with CyberArk in 2018, when we procured the licenses for CyberArk and all its components including the PAM suite and Endpoint Privilege Management (EPM). Our management took a call and we had to do a proof of concept to evaluate the product and see what it was capable of. As a product owner, I had six months to complete this. We evaluated a few specific use cases and presented our findings of the CyberArk's capability to management around the end of the third month.

Since then, CyberArk's Privileged Access Management is still our central solution for the entire estate, including all our servers (Windows/Unix), databases, devices, and so on, with around 5,000 to 8,000 users globally. Essentially, all access is managed through Privileged Access Management. That said, I am not sure to what extent all of the findings were carried forward after our initial evaluation because a lot of changes have happened within the organization. Our overall threat assessment, criteria, and even the framework has changed, now leaning towards a Zero Trust kind of strategy.

For instance, even for the tools that are used within the Privileged Access Management suite, there is a tighter alignment towards enterprise architecture, and we currently have a highly-evolved enterprise architecture group from which everything is driven. Earlier, individual units would have had their own licenses to see what they can do with them, but now things are more closely aligned with the overall enterprise architecture strategy. Given this, some of CyberArk's tools such as EPM have somewhat dropped off from the list of our priorities.

As for how we have deployed CyberArk, it's currently all on-premises. We do have a roadmap for transformation to the cloud, but I am not sure what kind of place CyberArk will have in that, as it depends on the enterprise architect's view on the cloud transformation. We have had some discussions around what to do about the cloud portion of our assets (e.g. VMs and such), what kind of monitoring we need, and so on, and I think that, among other apps, Splunk will likely become part of our toolset when it comes to the cloud. I believe we are also evaluating CyberArk's Cloud Entitlements Manager on this roadmap.

How has it helped my organization?

From a functional point of view, I would not have a concrete idea of how CyberArk has improved our organization because that information is better provided by someone from the operations team. Those kinds of evaluations are typically done at a much higher level, probably at COO or a similar level, and they have a close alignment with the enterprise architecture group.

On a practical note, with CyberArk there is integration with your identity management system such that, when done properly, you can ensure that anyone from an administrator to production support personnel will gain the relevant access they need in good time. PAM offers integration with Active Directory, LDAP, and so on, and is fairly compliant with these kinds of approaches to identity.

What is most valuable?

I'm no longer the product owner for PAM, but I can say that the most useful feature is the vault functionality, which keeps all your passwords secure in a digital vault.

The second most useful feature is the monitoring of your privileged sessions. So you have an audit trail, where any privileged access session has to be authorized, and you have access to all the relevant monitoring controls.

What needs improvement?

When I was a component owner for PAM's Privileged Threat Analytics (PTA) component, what I wanted was a clear mapping to the MITRE ATT&CK framework, a framework which has a comprehensive list of use cases. We reached out to the vendor and asked them how much coverage they have of the use cases found on MITRE, which would have given us a better view of things while I was the product owner. Unfortunately they did not have the capability of mapping onto MITRE's framework at that time.

PTA is essentially the monitoring interface of the broker (e.g. Privileged Access Management, the Vault, CPM, PSM, etc.), and it's where you can capture your broker bypass and perform related actions. For this reason, we thought that this kind of mapping would be required, but CyberArk informed us that they did not have the capability we had in mind with regard to MITRE ATT&CK.

I am not sure what the situation is now, but it would definitely help to have that kind of alignment with one of the more well-known frameworks like MITRE. For CyberArk as a vendor, it would also help them to clearly spell out in which areas they have full functionality and in which areas they have partial or none. Of course, it also greatly benefits the customers when they're evaluating the product.

For how long have I used the solution?

I've been using CyberArk Privileged Access Management since 2018.

What do I think about the stability of the solution?

CyberArk's PAM does what it's supposed to do, based on the interactions I've had with the folks from operations. There are the usual operational challenges, but it fulfills its basic purpose.

Stability assessments are conducted by a separate team that does risk assessments, so I don't have a lot of insight into this aspect, but considering that the product has been running for quite some time now and it's still the central solution for access management, I would reckon that it's a pretty stable product.

What do I think about the scalability of the solution?

There are different categories out there when it comes to scalability. In the case of bringing in new target systems, then sure, you can bring in what you need based on your licensing criteria. In terms of bringing in target systems which are not covered by the list of connectors that you have, this too is possible as there is scope for customization. Overall, I think it's fairly scalable and it does give decent support on the scalability front.

Our onboarding is progressing smoothly and at a steady pace. With the onboarding, you have new users coming on, and because it's a central solution, the rollout is global. There are even plans for extending the department in terms of increasing the redundancy of components, which is largely determined by operational performance reviews and so forth.

How are customer service and support?

In my personal experience as product owner assigned to various components, there have been challenges with the support at times. I would say that it has scope for improvement.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I have used a similar solution, but it was closer to a desktop password manager kind of tool. It was made by IBM and it was something you could actually install on your desktop and manage your passwords around that.

Later on IBM developed the tool into something more enterprise-oriented, and it turned into what we would classify as a privileged access management solution. But otherwise, CyberArk was probably the first fully-fledged solution in this sphere that I have used.

How was the initial setup?

The initial part of the setup was quite good. When it came to Windows, we had success in the beginning stages, but later on we had to have a number of discussions with CyberArk with respect to the 'groups' nomenclature, as we wanted to have a very clear standard that could be used consistently throughout the organization.

The first iteration was mostly fast and easy, however at one point we realized that there was much more detailing needed to be done. So we went through another iteration with a more detailed design and came up with more comprehensive coverage of groups, or roles, as you might say. In total, I think it was around two years before the Windows part was comprehensively addressed, but after that, it was covered quite quickly. 

Before CyberArk's PAM, we had a legacy tool that was managing the privileged access for Windows and we had that decommissioned around this time, which was a victory of sorts.

What about the implementation team?

The first step of the implementation strategy was putting all the passwords in the vault, thereby securing them. We also had a tool called Application Identity Manager, which we used for mitigation of the hard-coded passwords. Only after the vault was in place alongside Application Identity Manager, were steps taken to deploy the PAM suite.

Back in 2015, we had about three or four full-time CyberArk Professional Services folks undertake an effort to implement it, but that project failed. All that was achieved was the central vault deployment, and I think they also had Application Identity Manager installed at the time, but nothing apart from that. So it didn't take off the way it was supposed to, possibly due to a misalignment with the top management and the enterprise architecture viewpoint. But later on, and toward the second half of 2016, things started picking up again and further steps were taken from 2017 onward to deploy the Privileged Access Management functionality.

Throughout the PAM deployment, there was a fairly large vendor team that we were working with. I reckon the vendor team size was around 45 to 50 people. Within the organization, there was another large team that was supporting with various roles, such as in engineering, architecture, operations, governance, and so on. In total, there were around 50 of the vendor's team and maybe 20 to 30 roles from within the organization. There were other layers of responsibility, such as the risk team, but all those were kind of on the outside of the deployment.

What was our ROI?

I don't have much access to the facts and figures surrounding ROI, but I would reckon that with the Zero Trust risk strategy that we have, the product does match some of our key challenges. For one, we have the vault solution, so the passwords are safe up there. And then we have brokering in place for some of the key platforms, so I would say that these positives, along with our strategy and roadmap, will decide the fate of the future of CyberArk within the organization.

What's my experience with pricing, setup cost, and licensing?

I'm aware that the organization had purchased licensing for almost all of CyberArk's solutions including licensing for PTA, EPM, and the Application Identity Manager. But when it comes to PSM, this is one of the components where there's an additional charge for any extra PSMs that you want to deploy. I believe that there's some rider where the vendor has a bit of leeway to, at times, charge a premium on whatever additional services you may require above the board.

What other advice do I have?

Based on my experience as a product owner, I would advise, firstly, to set up an enterprise security architecture as authority within the organization, and ensure that it is closely aligned with your business. Once that is set up, then the enterprise security architecture should determine the priorities of the business and, accordingly, you can lay out a roadmap and strategy.

From a product perspective, CyberArk may or may not fit into your organization based on what strategy you have detailed, or it may or may not fit your requirements. So I would definitely not recommend purchasing the tool first and then determining what to do with it next.

Regarding automation, we are adopting DevOps for the positives it brings, such as cost savings, efficiency, etc., yet there needs to be some checks and balances. Having a fully automated solution would require you to think through the security aspects very carefully. That is why alignment with the enterprise security architecture is of great importance when it comes to securing access across environments in an identity management solution.

CyberArk's PAM is based on the concept of identity, such that a user logs in with his or her identity. So whatever systems the user accesses, there is an audit trail that is tied back to that same identity. This can happen across multiple environments based on factors such as the separation of duties, where certain engineers may not be allowed access to certain areas of development. These checks and balances occur when we give access to those kinds of rules and permissions. There are some targets we have for automation, but if it's fully automated it wouldn't be all throughout our organization as we have found there are some pitfalls with full automation.

Now, when you bring the cloud into the picture, as with our own transformation roadmap, you can't just put a tool in front of you and then expect everything to fall into place from on-premises to the cloud. It does not work that way. You need to have a sound strategy from your enterprise security perspective and only then can you ensure that things will fall into place.

Concerning the UI, PAM has an administrative dashboard and everything, but from a monitoring perspective, we also rely on additional tools apart from what CyberArk offers. For least privilege and managing secrets, there's a tool from CyberArk for that, but I'm not sure we have any plans on using that solution.

Overall, I would rate CyberArk Privileged Access Management a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer0714174 - PeerSpot reviewer
CyberArk Product and Vendor Contract Manager at UBS Financial
Real User
Top 20
Great session management, password management, and temporary access capabilities
Pros and Cons
  • "The credentials management capability is key to ensuring that the credentials are kept secure and that access to them is done on a temporary and event-driven basis."
  • "The product is very vaulting-focused. I'd love to see it expanding its capabilities a bit further into areas like just-in-time elevation, and access with non-vaulted credentials."

What is our primary use case?

We use CyberArk to secure the last resort accounts by introducing dual control approval, ticket validation, temporary access, and regular password rotation.

It also allows us to introduce location-aware access controls with multiple sites having access to specific location-protected content.

Finally, the session management capabilities allowed us to introduce delegated accounts to secure access to all sorts of devices in an easy way, but without losing the individual traceability. 

How has it helped my organization?

It allows us to comply with the regulator requirements allowing us to operate in the different countries and to fulfil the security and compliance requirements.

In the end, it secures all the highly privileged accounts and protects the company from internal and external threat actors.

The solution is multifaceted and includes session management, password management, temporary access, ticketing validation, API access, single sign-on integration, load balancing, and high availability principles.

What is most valuable?

The credentials management capability is key to ensuring that the credentials are kept secure and that access to them is done on a temporary and event-driven basis.

The session isolation reduces the risk of exposure of the credentials and allows simpler network controls to be applied.

Web access allows the introduction of location-aware controlled access so that different locations can only access the data that is allowed to be retrieved from their sites, allowing centralisation but fulfilling the regional requirements.

What needs improvement?

The product is very vaulting-focused. I'd love to see it expanding its capabilities a bit further into areas like just-in-time elevation, and access with non-vaulted credentials.

The upgrade options are good but could be further simplified.

The high availability options could be improved, and the load distribution as well for both the vaults and the credentials managers.

The web interface should allow having multiple sites for location-aware access control within the same web server.

For how long have I used the solution?

I've used the solution for more than ten years.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Anil Kumar 1 - PeerSpot reviewer
PAM Security Consultant at Cybersec Consulting
Real User
Top 5 Leaderboard
A versatile product that can be configured with a number of different components
Pros and Cons
  • "CyberArk has a lot of modules."
  • "The technical support is very poor."

What is our primary use case?

I use the solution for administration. If the customer requires Alero or HTML, we will deploy the solution in that particular environment. Otherwise, if the end users are accessing the solution via VPN or from inside the network, we will not deploy Alero or HTML. We will instead focus on CyberArk's core PAM, which includes the vault password rotation component, the web interface component, the jump server, and PPA. These are CyberArk's four main components which we deploy for every customer.

What is most valuable?

CyberArk has a lot of modules, such as Enterprise Password Vault, which is the heart of the solution and needs to be up and running at any time. Privileged accounts and session recordings get stored inside the vault itself.

Likewise, we can configure high availability for the vault, like an active/passive or an active/active configuration. Replication disaster recovery is also supported.

CyberArk is also capable of rotating the credentials for a lot of endpoints. It has the CPM plugins by default for password management, Windows and Linux, as well as databases like Oracle and MS SQL, and can also rotate to some network devices like Cisco 9000.

We have Privileged Access Management, a general server between the user's and the target's machine. All of the sessions go from that server to the target endpoints. Once the end user disconnects the session, the session recordings and live monitoring will be uploaded to the vault. That recording will be stored for 180 days for auditing.

Another component is Privileged Threat Analytics. It detects any threats on target machines. For example, an end user might connect to a Linux endpoint and try to run privileged commands. Those commands are customizable and can be defined in the PTA as well. Whenever those users run those particular commands on the target, the PTA will report suspicious activity and report to security admins in the organization via mail or even on the web portal. We have a separate tab for security.

Within security events, these particular suspicious activities will be detected as threats and attain a risk score, "This is the user who connected to this particular target and ran these particular commands or applications."

CyberArk has a remote access solution called CyberArk Remote Access Alero. CyberArk also supports HTML gateways so that users can connect from outside the network without a VPN connection.

The solution has many advantages, such as the user interfaces and remote app features when using local applications when sessions are getting established over RDP, SSH, database, and web browsers. It is easy for administration as well.

What needs improvement?

Password management for all the endpoints needs improvement.

CyberArk can handle password management for Windows, Linux, databases, and network devices. However, there are solutions like Tenable or Skybox, Palo Alto, and other security devices for which we cannot provide password rotations on CyberArk. CyberArk should look into development for those particular plugins. I heard they had developed them, but they are not widely available. So if, for example, a customer requires CPM's password management plugin for Tenable, they need to send a request to CyberArk themselves so that the CyberArk team will then sell it to the customer. It does not come with an implementation license. It's a separate thing that a customer needs to purchase. CyberArk will assign it to that particular customer ID, and that plugin will not be supported for other customers. But those are their business tactics. They will not reveal all their plugins, only the basic ones.

For how long have I used the solution?

I have worked with CyberArk Enterprise Password Vault for four years on a regular basis.

What do I think about the stability of the solution?

I rate the solution's stability an eight out of ten.

What do I think about the scalability of the solution?

I rate the solution's scalability an eight out of ten.

How are customer service and support?

The technical support is very poor. We handle implementation for our clients, so we do not handle support after. We do the knowledge transfer and if they face some challenges, we will show them how to troubleshoot as well as the documentation. We provide everything to the customer as they are not experts in CyberArk.

If the customer faces any issue, they will raise a case with CyberArk in the technical portal. But once they raise a case, CyberArk will not respond.

Let us say I opened a case this morning. Initially, they will respond, "I am the technical expert handling this particular case. Please provide me the logs." Their first reply will be that they want the logs. The customer will then gather the logs somehow and attach those logs to the case.

However, it will take two days for technical support to investigate their logs and reply. Even after two days, they will reply and will say, "I am transferring this case to the higher level expert," that is, L2 or L3, "they will get back to you."

The initial reply will be given by the L1 engineer who doesn't know the product or how to troubleshoot that situation, so every case will go to the L2 level or L3. The time taken in the process is too heavy. So even if I open the case as a "severe" case, even if it is not severe, they will reply to say that this particular case is not severe, so I have to keep it as "medium" or "low." As a result, customers consider hiring support from my company.

How would you rate customer service and support?

Neutral

How was the initial setup?

With CyberArk, we have the direct installer file and setup files for each component, such as Password Vault Web Access, CPM, PSM, and PTA. The implementation engineer should install every component. We also need to have servers for each component. We need to request a set of servers per the architecture and the components count. Once we get those servers, Windows or Linux servers, we need to copy the setup files onto them. We need to deploy the setup files by installing and taking some steps. It contains manual and automatic installation, with CyberArk providing some PowerShell scripts themselves. With those scripts, we can do the installation automatically. 

By comparison, with BeyondTrust, whatever the module is, the virtual appliance is built by the BeyondTrust team itself with all the configurations. We just need to deploy it in our organization network and do the initial networking configuration, and later, we can directly do the integrations.

Also, CyberArk recommends we do hardening for each component for security purposes. After hardening, unwanted firewalls and services will be disabled on the operating systems, which makes the product more secure.

Though there are some efforts required from the implementation engineer, the installation is straightforward. I rate the initial setup a seven out of ten.

What other advice do I have?

Users will clearly understand the solution once they go through the architecture diagram.

To connect to the target systems and view the accounts, view the session recordings, and check if the system health of all the components is working well, any admin-related task will be done in the web portal, Password Vault Web Access, a separate component in CyberArk.

CyberArk is one of the better solutions which users will want to implement in their organization for securing their privileged accounts and access, and session monitoring for auditing. If they can deploy CyberArk, it's a good product.

Disclosure: My company has a business relationship with this vendor other than being a customer: Implementor
Security Engineer at ITAM
Real User
Top 10
Helps to store passwords and do authentication
Pros and Cons
  • "We have the identity provider for all the authentication processes. However, sometimes, we need access to different applications for customers or clients that are not integrated into the identity provider. For these, we need to store a password to gain access. For example, we use the CyberArk Password Vault for third-party services. This vault needs to be shared with many people in our company."
  • "The main challenge was integrating with in-house IT and business applications, which are not standard. We needed to create special updates for that kind of integration."

What is our primary use case?

We have the identity provider for all the authentication processes. However, sometimes, we need access to different applications for customers or clients that are not integrated into the identity provider. For these, we need to store a password to gain access. For example, we use the CyberArk Password Vault for third-party services. This vault needs to be shared with many people in our company. 

This allows us to store passwords and create privileged access for some users without them needing to know the password. The system inputs the password into the endpoint URLs they use for authentication, but the users never see the password. This is crucial because people may leave the company, posing a high risk. If we had integrated it into the identity provider, we would have policies for active directory users but not for users outside the company.

For example, our development teams need to connect to databases, systems, and cloud services during development. The developers don’t get access to third-party services. We use the solution to manage this access. The application being developed and deployed integrates with CyberArk Password Vault services.

What needs improvement?

The main challenge was integrating with in-house IT and business applications, which are not standard. We needed to create special updates for that kind of integration.

For how long have I used the solution?

I have been working with the product for three to four years. 

What do I think about the scalability of the solution?

The solution is 99 percent scalable. 

How are customer service and support?

Sometimes, support is not easy because you need to share the company's architecture. Maybe they are on time, but they don't understand the specifics we're talking about. Communication can be an issue, especially when speaking with people whose first language isn't English. There can be difficulties with understanding and making sense of conversations. So, outsourcing support can sometimes be challenging.

How would you rate customer service and support?

Neutral

How was the initial setup?

CyberArk Enterprise Password Vault's deployment is complex. 

What other advice do I have?

I have been working with the new services and don't see any additional issues at this hour. The key requirement is to have people who understand not only the tool but also the concepts and how to view it from an architectural perspective. 

One problem is that people may not know how to work with the tool, and another is that they don't understand the concepts. So, I think focusing on proof of concepts is good. For example, what I do at first is request information for identity providers and key management services.

I rate the overall solution a nine out of ten. 

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
reviewer907214 - PeerSpot reviewer
Director, CyberSecurity at Ashburn Consulting LLC
User
Top 20
Great credential rotation automation and privileged session management with helpful support
Pros and Cons
  • "The ability to develop and deploy applications with no stored secrets is very valuable."
  • "The greatest area of improvement is with the user interface of the Password Vault Web Access component."

What is our primary use case?

We use the solution for the full automation of tens of thousands of credentials across hundreds of different integrations. Our use case includes Windows, Linux, networks, security, storage, mainframe, and cloud (both Software as a Service and Azure platform based). In addition to the credential rotation, we use credential providers and privileged session management to greatly reduce the use of passwords in the environment. Users authenticate using MFA, Multi-Factor Authentication, and are able to access systems based on Role Based authentication rules.

How has it helped my organization?

The solution has improved security posture while greatly reducing administrative burden. We leverage CyberArk to deploy applications without the use of secrets.  

Applications authenticate securely to CyberArk using a combination of certificates and other extended application-identifying parameters to promote a secure DevSecOps environment.   

The extensibility of CyberArk has enabled us to develop custom integrations into Microsoft Azure leveraging KeyVault to synchronize on-premise and cloud secrets in a consistent hybrid credential management architecture.

What is most valuable?

Credential rotation automation combined with privileged session management are great aspects of the solution. It enables highly complex passwords that the end user never knows or sees. We have some use cases where administrative users will log in to highly privileged systems using a one-time use secret and immediately following their administrative session the password is rotated.

The ability to develop and deploy applications with no stored secrets is very valuable. This keeps code repositories free of secrets and application authentication is centrally controlled and monitored.

What needs improvement?

The greatest area of improvement is with the user interface of the Password Vault Web Access component. The latest long-term support version of CyberArk (12.x) still includes and still leverages the version 9.x UI in order to maintain some of the administrative functionality.

The performance of the 9.x UI leaves much to be desired and there are still some administrative tasks that require the use of a thick "PrivateArk" client.   

Many improvements have been made over time; however, there is still work needed.

For how long have I used the solution?

I've used the solution for eight years.

What do I think about the stability of the solution?

The solution has been quite stable for many years and includes the functionality for clustering and multiple-site replication, both of which we leverage for a high level of uptime.

What do I think about the scalability of the solution?

The solution is very scalable; however, with scale, there are certainly performance considerations.

How are customer service and support?

Support has been a mixed bag. First-level support has been extremely time-consuming to get to an escalation resource that can help us resolve our reported issue. In all fairness, we have a very experienced staff and generally only contact support for more complex issues. There have been improvements made over the years and the commitment to improving support. Still, there is work needed in that department.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I did not previously use a different solution. 

How was the initial setup?

Setup depends on the complexity of the solution. A simple configuration could be up and running in a day.

What about the implementation team?

Our environment is run in-house by a contract team with expertise in CyberArk. However, we do leverage the vendor for major upgrades and have used their technical account manager services in the past.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Buyer's Guide
Download our free CyberArk Privileged Access Manager Report and get advice and tips from experienced pros sharing their opinions.
Updated: June 2025