CyberArk Privileged Access Manager Reviews

Primarily, I import accounts from our critical systems.  

Knowing that our passwords are stored securely within the vault has been a big improvement. It eliminates the need for users to store passwords in less secure locations.

We want to integrate it with our IT service management platform and our SOC solution, but that's a future project.

The password protection itself is the most important feature. It's something we didn't have before.

Moreover, the interface is intuitive. It is clear and user-friendly. 

The session monitoring and recording feature is also a good feature feature, but we're currently experiencing an issue with session monitoring not working correctly. We're working with CyberArk to resolve it.

We aren't able to view active sessions or historical recordings of sessions.

It is complex, which is something I know CyberArk is working on. They're trying to simplify certain administration tasks because a common critique is the level of complexity. But overall, we can do everything we need with it.

So, CyberArk could still focus on making it more user-friendly.

I have been using it for a year. 

So far, we haven't had any scalability problems.

We have around 50 licensed users – primarily administrators. We currently manage about 5,000 accounts with CyberArk.

Sometimes, the initial response time is a bit slow, but once the customer service and support take on a case, they resolve issues quickly.

Positive

CyberArk handled the primary setup tasks. We worked with a partner to implement additional components and now have the knowledge to manage the solution ourselves.

The implementation process took around eight months. 

There has been an ROI. 

We expect to see a full return on investment within the next three years. This was part of our long-term security plan.

It is expensive, but the cost is justified considering the security it provides. Compared to other solutions, it is costly. We have not tried other solutions, but the price is high. 

We only license Password Vault.

My company evaluated another solution like Delinea but preferred CyberArk due to its robustness and flexibility.

I like its flexibility, while adding some complexity, allows us to fully customize the solution to our needs.

One of the main advantages is the way we can connect from outside. We use a portal that provides secure access to our systems without needing a VPN. We just scan a QR code, and we're connected. We do not need to use a password and we are in through the QR code scan. 

I would recommend using it. Overall, I would rate the solution a nine out of ten.

It's a very complete solution for what we need.

In my organization, we are using CyberArk Privileged Access Manager to enhance the security of an organization's critical systems, mainly by securing privileged accounts (e.g. administrator passwords, SSH keys, and API tokens). 

We are also using Cyber-Ark for access control by ensuring that only authorized personnel can access privileged accounts and sensitive systems. 

very important for us is also Session Recording and Monitoring. We can record and monitor privileged user sessions in real time for auditing purposes. 

CyberArk Privileged Access Manager significantly improved our organization's security. Mainly, it has enhanced our ability to secure privileged accounts. Centralized management of identities ensures that credentials are stored securely. Also, the automated rotation of passwords reduces the risk of leaks.

The session recording feature adds great value and helps with auditing administrative activities.

CyberArk PAM can be easily automated, which saves a lot of time and administrative effort.

For our organization, the most valuable features of CyberArk PAM are:

• Credential Management. The automation of the retrieval and injection of credentials into sessions, and automation of password rotation.
• Session Recording. It gives us the possibility to record privileged user sessions for auditing and compliance purposes. 
• Ease of integration. CyberArk can by integrated with multiple systems and applications.
• The possibility of using Multi Factor Authentication (MFA) which increases security
• Reporting module. This allows us to generate reports based on session activity

Cost management. There should be more models and licensing plans for this software. They should also be flexible, allowing you to purchase selected features at a favorable price.

User Experience. The current interface is OK, however, sometimes it is not very intuitive. There is also no possibility of advanced modification and adaptation to your own needs and requirements.

Performance. The performance of the application could be a bit better, especially in the case of remote sessions - delays in remote sessions can be annoying.

I've used the solution for about five years. 

Our primary use case is the scheduled password change management of Windows, Linux, and Cisco privileged local user passwords, as well as providing internal applications using the REST API credentials to access and maintain network elements.

Utilizing the CyberArk Password Vault DR implementation, we have a ready resource as a hedge against network issues caused by seasonal hurricanes through having a replicated DR vault in an out-of-state facility.

The implementation of the CyberArk Privileged Access Management has reduced the total labor cost of doing quarterly password change management (PCM) on the thousands of network elements (routers & switches), servers, and workstations throughout our nationwide network.

In addition to reducing the direct labor cost of the PCM procedures, the automation aspect has reduced risk that has previously resulted in many lost man-days resolving issues which previously was attributed to human-factor error during PCM procedures.

Utilizing the Central Policy Manager to provide policy programmable password change management automation, which can be configured either globally, or by using the individual PlatformIDs which limits the effect of human error on a nationwide implementation of network devices that are remotely co-located and not readily accessible. 

The implementation of the PSM proxy has reduced the specific risk of "insider attacks" on our domain controllers and SLDAP servers by eliminating direct user login by an open secure connection on the user's behalf without ever revealing the privileged credentials.

My personal wishlist of features has been fulfilled with versions 12.6 and 13.2, which provide a host of improvements that the administrator community has been asking for.  

With these version releases, that leaves my only "unfulfilled" product improvement request to be the creation of some kind of memo field for each device account, which could be used, in our network at least, to leave a note about the device for either the security or network engineering team members.

We originally implemented the product in 2014 as a compliance mandate and fully integrated the application and functionality in 2017. We have just finished our fourth product upgrade and expanded our enterprise vault space to meet growing demand.

My implementation has been very stable over the past seven years, only having minor hiccups caused by "human error" during the "accidental" editing of a configuration file.

We currently store over 50,000 privileged passwords, and I know if our network doubled tomorrow, the product would scale to meet the increased demand.

There are two specific organizations within CyberArk that can provide customer assistance.

The customer success team is there with serious advanced knowledge to assist when things are not flowing. In my specific case, while I was learning to be a PAM administrator, I routinely contacted our customer success team with questions related to "Where can I find this documentation?", "How does this work?" and my favorite, "How can I put my permission back onto a safe?"

The other team is the professional services team, whose job is to be able to come in, analyze an issue, and correct it with the utmost speed. These are also highly experienced individuals that can be brought in the expand your implementation as needed.

Positive

Prior to the implementation of the CyberArk Privileged Access Manager, the security operations utilized unencrypted spreadsheets to store privileged passwords, which became a POAM when discovered during a routine security audit.

Our organization utilized the CyberArk professional support team to come in and provide a local, hands-on planning and implementation approach. This implementation methodology actually reduced long-term costs by making sure the implementation was done according to CyberArk's Best Practices.

Our organization utilized CyberArk's professional support team to come in and provide a local, hands-on planning and implementation approach. This implementation methodology actually reduced long-term costs by making sure the implementation was done according to CyberArk's Best Practices.

Our annual support costs are offset by the reduced labor costs within the SOCC environment, as the product has automated most of the password change management procedures, allowing labor to be focused on other topics.

While the IAM space is heating up with new vendors, both CyberArk development and the product team seem to be ahead of the curve, with features and products to enable enterprise customers the ability to secure their networks and break the intrusion cycle.

CyberArk was our first venture into a secure password vault and was implemented at the recommendation of our federal customer.

The product takes some time to learn. That said, CyberArk Software offers both a customer success team as well as paid professional support to assist.  

The customer success team has always seemed to be in my corner when needed, bringing insight and assistance when I was unable to resolve some of my "self-created issues".

Within our organization, our security requirements, which are set by our customers, require CIS compliance. Those requirements mandated securing privileged passwords with encryption, both in transit and at rest. CyberArk PAM was selected as our solution, and CyberArk's Professional Services team conducted the initial installation and implementation. 

Three years later, I was tasked with implementing the product more fully, integrating more of the out-of-the-box privileged password change management automation features of the product within our environment.  

The out-of-the-box functionality, Windows OS Privileged local account password change management, was the first automation feature implemented, and by itself, the automation reduced the man-hour requirement for quarterly local privileged password change management enough to provide a complete ROI on the initial licensing investment.

Continued implementation of more of the out-of-the-box PAM functionality continues to produce man-hour savings, which frees up our security operations group to have more time to monitor, investigate, and resolve potential security issues on the network.

Our implementation is air-gapped from the outside world, and as such, we utilize a completely on-prem solution. Our highest risk is from privileged insiders, and CyberArk's answer to this challenge was the implementation of a Privileged Session Manager (PSM). With PSM, we were able to secure, control, and more importantly, monitor privileged access to highly critical network servers by using PSM to manage accounts and create detailed session audits and video recordings of all IT administrator privileged sessions on our most critical servers. The established sessions on the target systems are fully isolated and the privileged account credentials are never exposed to the end-users or their client applications and devices.

CyberArk PAM is a very broad product as everyone's requirements for implementation are different. In our particular case, the initial implementation was planned and developed by people who didn't know our specific network requirements, so the initial implementation needed to be tweaked over time. While this is normal, at the time all these "major" changes required CyberArk professional services to come in-plant and "assist" with the changes.  

Over time, the CyberArk product team has made this process simpler and has enabled more local administrator configuration and update functionality, which doesn't require sub-contracts.

Our program has been using CyberArk since 2014, although it was not fully implementated until I took it over in 2017.  

The product is very stable, limited only by the Windows Operating System is it built upon.

This product seems to be scalable to any size. Providing vault cluster services, distributed vaults, and DR vault implementations, the product is truly ready for global implementation.

Tier One customer service is not as responsive or as knowledgeable as I would like, however, once your service request is sent to a Tier Two support engineer, the knowledge and experience level increases dramatically.

In addition, within the CyberArk support environment, Technical forums are available in which other customers are very willing to share their experience, and offer possible solutions to non-critical issues.

Positive

This was an initial implementation to meet the regulatory requirements of a federal customer.

In our specific case, the initial setup and configuration were very complex, which was a result of the initial design being developed by our internal engineers and CyberArk professional services, neither of which had the "tribal knowledge" of how the network functioned, or how the processes of network engineering and security had been implemented.

The initial implementation was a joint project with CyberArk Professional Services and our internal Systems Engineers. The Professional Services engineers were very knowledgeable regarding the implementation of their products.

Our program realized the total ROI after the implementation of policy-based automated password change management, which resulted in a significant reduction in man-hours required to conduct password change management (PCM) on a multitude of network elements. 

For licensing on a localized on-prem installation, the CorePAS licensing model enables the most critical component products within the PAM stack, enabling multiple layers of security which can take a while to implement.

At the time of the initial implementation (2013-2014), after looking at the field of available products, CyberArk PAM was significantly more mature than the other available products. For that reason, CyberArk PAM was selected.

The greatest issue that I experienced with the implementation of the CyberArk PAM solution was inter-departmental politics regarding change. To resolve this, I relied on the CyberArk Customer Success team to assist with developing a strategy to get all of the stakeholders to accept the changes. Every CyberArk administrator needs to spend time learning about their customer success team since their purpose is to assist with making sure you have the knowledge you need to make sure your implementation is successful.

We use the product to store system accounts. 

CyberArk is a good and adaptive solution. It is easy to adopt and install. It is easy for every use case. 

The challenge with the product is pricing since it's expensive. It also needs to improve the customization. We encountered some stability issues as well. 

I have been working with the product for more than 10 years. 

I would rate the solution's stability a seven out of ten. 

My company has more than 20,000 users for the product. I would rate the product's stability an eight out of ten. 

We have a direct connection with the CyberArk leadership. However, the tool's support is not user-friendly. They will charge you for premium support and push you towards it. 

Neutral

I have used BeyondTrust before. 

The solution's setup is easy. There were some challenges while managing from environment to environment. We experienced some glitches during the installation process. 

The product's licensing is yearly. I would rate the solution's pricing a six out of ten. 

I would rate the product an eight out of ten. We only have the licensing contract with the product and everything else is managed in-house with a team size of four members. 

We're in the process of rolling it out. We haven't finished our rollout yet. Most of my co-workers have been doing a lot of hands-on, and I haven't been the one with the most hands-on.

We're not in production yet. We're still in tests, but it will give us the ability to manage the privileged accounts. It'll make that a lot easier. One of the things that we've been having trouble with is that we haven't been changing the passwords on our service accounts, for instance, for a long time, because it is so difficult to do. That was one of the main reasons we started down this road. We decided we would also expand out into managing things like the local administrator accounts on our laptops, etc. We've started there with local administrator accounts because it is an easier thing to tackle, rather than doing the service accounts and all of that. We're going to start there, and then we'll move into service accounts, and then we're going to move into administrative accounts that are human-owned rather than service accounts. At this point, we're still dealing with the things related to local administrators.

I'm pretty sure we are using its latest version. In terms of deployment, we're split between an on-prem and public cloud setup.

We like it for the ability to automatically change passwords. At least for my group, that's the best thing.

It should be easier to install. It is a comprehensive product, which makes it difficult to install. You need to have their consulting services in order to get it all installed and set up correctly because there is so much going on. It would be nice if there were an easier way to do the installation without professional services. I suspect they get a fair amount of their money from professional services. So, there is not a huge incentive.

It would be nice to do personal password management so that we could roll something out to the entire organization to manage people's passwords. At the moment, we're rolling out LastPass to do that, at least to some groups. I'm not sure if everybody in the organization is going to get it because most people only have a couple of accounts that we're concerned about. We're using LastPass because it is significantly less money than the CyberArk solution. CyberArk has one, but it is rather expensive. The LastPass solution is integrated into browsers. So, you can use it in your browser. I don't remember if I had to install a client on my machine or not. I probably just installed a browser extension. So, I'm not sure how that'll work with some of the other things. There must be a client that I didn't get around to because that's also in the very beginning currently. They have sent me links to training on how to use it and set it up, but I haven't had time to take the training yet.

It has been a little over six months.

It seems to be doing everything it is supposed to, and we haven't had any serious issues. The few issues we have had were pretty quickly resolved.

It certainly appears to be scalable. Because we're still in the rollout stage, we don't know for sure, but it doesn't look like there will be an issue with scaling.

Its usage is limited to under 50 people. There are 12 people in my group. SSA has another 8, and the service desk has probably 20. Then, the Information Security Office probably has another 15 or so. Overall, we're under 50. We're only looking at privileged accounts and not everything.

I haven't used them myself, but I've been in the loop. The person driving the project at this point is somebody from the Information Security Office, but he has been keeping everybody else in the deployment team in the loop about what's going on. So far, the support seems to have been pretty good. When he reaches out to them, they seem to be able to resolve the issue pretty quickly.

We weren't using anything before. 

It is difficult to install. You need to have their consulting services to get it installed and set up correctly.

I haven't seen the numbers. I know it is not cheap, but I don't know what it is. I would rate it a six out of ten in terms of pricing. It is definitely more expensive than the other product, but it also provides more functionality, and it is modular too. So, we pay for the functionality we're actually going to use, and that's nice.

We looked really hard at another option, but I can't remember their name. We almost went with them until we got the ISO involved, and they said, "We like CyberArk better because they're more flexible. They do more, even though it is going to be a little bit harder to manage." So, we reassessed and decided on CyberArk instead of the other solution. We had looked at a third one, but the third one wasn't close to CyberArk and the other one we evaluated. They just didn't have the breadth of capability of doing all the things we were looking for.

We did a real quick proof of concept of the other software, and then it changed names, which is why I can't remember it. We've been working on this for about three years now. We couldn't get traction with management to do anything. The thing that really got management interested was when ISO said, "We really need to do something here." Then management decided that they were willing to spend some money, but we did a really quick proof of concept with the other product. We installed it on a server, on-prem, and we did a quick run-through on some test servers that were immediately erased right after we finished the PoC, and it worked really well. It was also really easy to install, but it didn't have the flexibility to do all of the things that CyberArk is doing for us or will be doing for us in the end.

Before you get started, make sure that you know what it is that you're looking for from the product. That's one of the things that we went through. We had all of the groups involved, which included the Information Security Office, my team with the servers and the networks, and people who were managing the accounts. We all got together and submitted scenarios for what we wanted out of the product, and then we went to CyberArk and asked them how they were going to meet these needs, and they were able to meet pretty much every need. There were only one or two minor things that they couldn't manage, and those weren't that important. So, we were willing to go with it. I don't know if the other company was able to meet those either. My advice would be to make sure what it is that you want first before you go talk to them because they have a huge list of things that they can do for you, and you don't want to buy the things you don't need.

I would rate it an eight out of ten in terms of flexibility in everything because it does almost everything. The biggest drawback is because of the complexity, it is hard to manage. It is not impossible by any means, but it is not the simplest thing to manage. Cost-wise, it is not a cheap product, but it does a ton of things, and it does them well.

I work with the infrastructure access team in my organization and we have CyberArk as a primary solution along with a number of components for Privileged Access Management (PAM) and monitoring within the privileged access sphere.

We began with CyberArk in 2018, when we procured the licenses for CyberArk and all its components including the PAM suite and Endpoint Privilege Management (EPM). Our management took a call and we had to do a proof of concept to evaluate the product and see what it was capable of. As a product owner, I had six months to complete this. We evaluated a few specific use cases and presented our findings of the CyberArk's capability to management around the end of the third month.

Since then, CyberArk's Privileged Access Management is still our central solution for the entire estate, including all our servers (Windows/Unix), databases, devices, and so on, with around 5,000 to 8,000 users globally. Essentially, all access is managed through Privileged Access Management. That said, I am not sure to what extent all of the findings were carried forward after our initial evaluation because a lot of changes have happened within the organization. Our overall threat assessment, criteria, and even the framework has changed, now leaning towards a Zero Trust kind of strategy.

For instance, even for the tools that are used within the Privileged Access Management suite, there is a tighter alignment towards enterprise architecture, and we currently have a highly-evolved enterprise architecture group from which everything is driven. Earlier, individual units would have had their own licenses to see what they can do with them, but now things are more closely aligned with the overall enterprise architecture strategy. Given this, some of CyberArk's tools such as EPM have somewhat dropped off from the list of our priorities.

As for how we have deployed CyberArk, it's currently all on-premises. We do have a roadmap for transformation to the cloud, but I am not sure what kind of place CyberArk will have in that, as it depends on the enterprise architect's view on the cloud transformation. We have had some discussions around what to do about the cloud portion of our assets (e.g. VMs and such), what kind of monitoring we need, and so on, and I think that, among other apps, Splunk will likely become part of our toolset when it comes to the cloud. I believe we are also evaluating CyberArk's Cloud Entitlements Manager on this roadmap.

From a functional point of view, I would not have a concrete idea of how CyberArk has improved our organization because that information is better provided by someone from the operations team. Those kind of evaluations are typically done at a much higher level, probably at COO or a similar level, and they have a close alignment with the enterprise architecture group.

On a practical note, with CyberArk there is integration with your identity management system such that, when done properly, you can ensure that anyone from an administrator to production support personnel will gain the relevant access they need in good time. PAM offers integration with Active Directory, LDAP, and so on, and is fairly compliant with these kinds of approaches to identity.

I'm no longer the product owner for PAM, but I can say that the most useful feature is the vault functionality, which keeps all your passwords secure in a digital vault.

The second most useful feature is the monitoring of your privileged sessions. So you have an audit trail, where any privileged access session has to be authorized, and you have access to all the relevant monitoring controls.

When I was a component owner for PAM's Privileged Threat Analytics (PTA) component, what I wanted was a clear mapping to the MITRE ATT&CK framework, a framework which has a comprehensive list of use cases. We reached out to the vendor and asked them how much coverage they have of the uses cases found on MITRE, which would have given us a better view of things while I was the product owner. Unfortunately they did not have the capability of mapping onto MITRE's framework at that time.

PTA is essentially the monitoring interface of the broker (e.g. Privileged Access Management, the Vault, CPM, PSM, etc.), and it's where you can capture your broker bypass and perform related actions. For this reason, we thought that this kind of mapping would be required, but CyberArk informed us that they did not have the capability we had in mind with regard to MITRE ATT&CK.

I am not sure what the situation is now, but it would definitely help to have that kind of alignment with one of the more well-known frameworks like MITRE. For CyberArk as a vendor, it would also help them to clearly spell out in which areas they have full functionality and in which ares they have partial or none. Of course, it also greatly benefits the customers when they're evaluating the product.

I've been using CyberArk Privileged Access Management since 2018.

CyberArk's PAM does what it's supposed to do, based on the interactions I've had with the folks from operations. There are the usual operational challenges, but it fulfills its basic purpose.

Stability assessments are conducted by a separate team that does risk assessments, so I don't have a lot of insight into this aspect, but considering that the product has been running for quite some time now and it's still the central solution for access management, I would reckon that it's a pretty stable product.

There are different categories out there when it comes to scalability. In the case of bringing in new target systems, then sure, you can bring in what you need based on your licensing criteria. In terms of bringing in target systems which are not covered by the list of connectors that you have, this too is possible as there is scope for customization. Overall, I think it's fairly scalable and it does give decent support on the scalability front.

Our onboarding is progressing smoothly and at a steady pace. With the onboarding, you have new users coming on, and because it's a central solution, the rollout is global. There are even plans for extending the department in terms of increasing the redundancy of components, which is largely determined by operational performance reviews and so forth.

In my personal experience as product owner assigned to various components, there have been challenges with the support at times. I would say that it has scope for improvement.

Neutral

I have used a similar solution, but it was closer to a desktop password manager kind of tool. It was made by IBM and it was something you could actually install on your desktop and manage your passwords around that.

Later on IBM developed the tool into something more enterprise-oriented, and it turned into what we would classify as a privileged access management solution. But otherwise, CyberArk was probably the first fully-fledged solution in this sphere that I have used.

The initial part of the setup was quite good. When it came to Windows, we had success in the beginning stages, but later on we had to have a number of discussions with CyberArk with respect to the 'groups' nomenclature, as we wanted to have a very clear standard that could be used consistently throughout the organization.

The first iteration was mostly fast and easy, however at one point we realized that there was much more detailing needed to be done. So we went through another iteration with a more detailed design and came up with more comprehensive coverage of groups, or roles, as you might say. In total, I think it was around two years before the Windows part was comprehensively addressed, but after that, it was covered quite quickly. 

Before CyberArk's PAM, we had a legacy tool that was managing the privileged access for Windows and we had that decommissioned around this time, which was a victory of sorts.

The first step of the implementation strategy was putting all the passwords in the vault, thereby securing them. We also had a tool called Application Identity Manager, which we used for mitigation of the hard-coded passwords. Only after the vault was in place alongside Application Identity Manager, were steps taken to deploy the PAM suite.

Back in 2015, we had about three or four full-time CyberArk Professional Services folks undertake an effort to implement it, but that project failed. All that was achieved was the central vault deployment, and I think they also had Application Identity Manager installed at the time, but nothing apart from that. So it didn't take off the way it was supposed to, possibly due to a misalignment with the top management and the enterprise architecture viewpoint. But later on, and toward the second half of 2016, things started picking up again and further steps were taken from 2017 onward to deploy the Privileged Access Management functionality.

Throughout the PAM deployment, there was a fairly large vendor team that we were working with. I reckon the vendor team size was around 45 to 50 people. Within the organization, there was another large team that was supporting with various roles, such as in engineering, architecture, operations, governance, and so on. In total, there were around 50 of the vendor's team and maybe 20 to 30 roles from within the organization. There were other layers of responsibility, such as the risk team, but all those were kind of on the outside of the deployment.

I don't have much access to the facts and figures surrounding ROI, but I would reckon that with the Zero Trust risk strategy that we have, the product does match some of our key challenges. For one, we have the vault solution, so the passwords are safe up there. And then we have brokering in place for some of the key platforms, so I would say that these positives, along with our strategy and roadmap, will decide the fate of the future of CyberArk within the organization.

I'm aware that the organization had purchased licensing for almost all of CyberArk's solutions including licensing for PTA, EPM, and the Application Identity Manager. But when it comes to PSM, this is one of the components where there's an additional charge for any extra PSMs that you want to deploy. I believe that there's some rider where the vendor has a bit of leeway to, at times, charge a premium on whatever additional services you may require above the board.

Based on my experience as a product owner, I would advise, firstly, to set up an enterprise security architecture as authority within the organization, and ensure that it is closely aligned with your business. Once that is set up, then the enterprise security architecture should determine the priorities of the business and, accordingly, you can lay out a roadmap and strategy.

From a product perspective, CyberArk may or may not fit into your organization based on what strategy you have detailed, or it may or may not fit your requirements. So I would definitely not recommend purchasing the tool first and then determining what to do with it next.

Regarding automation, we are adopting DevOps for the positives it brings, such as cost savings, efficiency, etc., yet there needs to be some checks and balances. Having a fully automated solution would require you to think through the security aspects very carefully. That is why alignment with the enterprise security architecture is of great importance when it comes to securing access across environments in an identity management solution.

CyberArk's PAM is based on the concept of identity, such that a user logs in with his or her identity. So whatever systems the user accesses, there is an audit trail that is tied back to that same identity. This can happen across multiple environments based on factors such as the separation of duties, where certain engineers may not be allowed access to certain areas of development. These checks and balances occur when we give access to those kinds of rules and permissions. There are some targets we have for automation, but if it's fully automated it wouldn't be all throughout our organization as we have found there are some pitfalls with full automation.

Now, when you bring the cloud into the picture, as with our own transformation roadmap, you can't just put a tool in front of you and then expect everything to fall into place from on-premises to the cloud. It does not work that way. You need to have a sound strategy from your enterprise security perspective and only then can you ensure that things will fall into place.

Concerning the UI, PAM has an administrative dashboard and everything, but from a monitoring perspective, we also rely on additional tools apart from what CyberArk offers. For least privilege and managing secrets, there's a tool from CyberArk for that, but I'm not sure we have any plans on using that solution.

Overall, I would rate CyberArk Privileged Access Management a seven out of ten.

We use the solution for the full automation of tens of thousands of credentials across hundreds of different integrations. Our use case includes Windows, Linux, networks, security, storage, mainframe, and cloud (both Software as a Service and Azure platform based). In addition to the credential rotation, we use credential providers and privileged session management to greatly reduce the use of passwords in the environment. Users authenticate using MFA, Multi-Factor Authentication, and are able to access systems based on Role Bases authentication rules. 

The solution has improved security posture while greatly reducing administrative burden. We leverage CyberArk to deploy applications without the use of secrets.  

Applications authenticate securely to CyberArk using a combination of certificates and other extended application-identifying parameters to promote a secure DevSecOps environment.   

The extensibility of CyberArk has enabled us to develop custom integrations into Microsoft Azure leveraging KeyVault to synchronize on-premise and cloud secrets in a consistent hybrid credential management architecture.

Credential rotation automation combined with privileged session management are great aspects of the solution. It enables highly complex passwords that the end user never knows or sees. We have some use cases where administrative users will log in to highly privileged systems using a one-time use secret and immediately following their administrative session the password is rotated

The ability to develop and deploy applications with no stored secrets is very valuable. This keeps code repositories free of secrets and application authentication is centrally controlled and monitored.

The greatest area of improvement is with the user interface of the Password Vault Web Access component. The latest long-term support version of CyberArk (12.x)  still includes and still leverages the version 9.x UI in order to maintain some of the administrative functionality.   

The performance of the 9.x UI leaves much to be desired and there are still some administrative tasks that require the use of a thick "PrivateArk" client.   

Many improvements have been made over time, however, there is still work needed.

I've used the solution for eight years.

The solution has been quite stable for many years and includes the functionality for clustering the multiple site replication, both of which we leverage for a high level of uptime.

The solution is very scalable, however, with scale, there are certainly performance considerations.

Support has been a mixed bag. First-level support has been extremely time-consuming to get to an escalation resource that can help us resolve our reported issue. In all fairness, we have a very experienced staff and generally only contact support for more complex issues. There have been improvements made over the years and the commitment to improving support. Still, there is work needed in that department.

Positive

I did not previously use a different solution. 

Setup depends on the complexity of the solution. A simple configuration could be up and running in a day.

Our environment is run in-house by a contract team with expertise in CyberArk.  However, we do leverage the vendor for major upgrades and have used their technical account manager services in the past