CyberArk Privileged Access Manager Reviews

The primary use case and the most used functionality of CyberArk PAM is managing privileged access (an easy way to pass permissions to specific servers to specific users granularly) and password management (an automated solution that manages password validity, expiration, etc.). PSM gives a possibility to set all connections secure and it is possible to re-trace actions made by users during such sessions. It is a good tool for extending usage to new end targets sometimes even out of the box.

CyberArk PAM ended a scenario where several dozens or even hundreds of privileged accounts had the same password or administrators had passwords written down on sticky notes. 

I have experience with onboarding thousands of accounts - mostly Windows, Unix, and network devices. I have developed (customized based on defaults) password management plugins for Unix systems and network devices.

I like the integrations for external applications. There are actually infinite possibilities of systems to integrate with - you would just need to have more time to do that. It is not an easy job, yet really valuable. I am not an expert on that, however, I try every day to be better and better. I have the support of other experienced engineers I work with so there is always someone to ask if I face any problems. End-customers sometimes have really customized needs and ideas for PSM-related usage.

The Vault's disaster recovery features need improvement. There is no possibility to automatically manage Vault's roles and for some customers, it is not an easy topic to understand.

I noticed that CyberArk changed a little in terms of the documentation about disaster recovery failover and failback scenarios. Still, it is a big field for CyberArk developers. Logically it is an easy scenario to understand - yet not for everyone, surely.

I've used the solution for around five years. I have been using CyberArk PAM as an end customer for three years. For another two, I work as a CyberArk support specialist.

Stability is overall good. However, there are many error messages that are like false-positive - they do not produce any issue yet logs are full of information.

The scaling has been mostly positive. It seems not hard to scale it up.

Sometimes it is hard to understand the capabilities, limitations, etc. They try to help with that.

Positive

I've never used another solution that would have the same or similar capabilities.

The initial setup can be complex. It is important to go really carefully step-by-step with instructions. When you do that, you can be 100% sure everything will work well.

When I was an end-customer I recall using a vendor for the implementation and support. Now, I am a vender and therefore I do it by myself.

Licensing may sometimes seem a little complicated. A good partner from CyberArk can work it out.

Unfortunately, I have not participated in evaluating other options.

Overall, I am really glad I worked with CyberArk for five years.

Our primary use case for the solution is to support privileged identities.

The password management feature is valuable.

The solution can be improved by including more connectors to other third-party systems for integration.

We have been using the solution for approximately five years.

The solution is stable.

The solution is scalable. Approximately 150,000 people are using the solution.

We previously used One Identity.

The initial setup was a bit complex.

We deployed the solution in-house.

We have seen a return on investment. The solution makes our procedures better, making the environment more secure and changing the mindset of people. 

I rate the solution a seven out of ten.

Privileged Access Management is basically used to just keep track and log. We have to provision those accesses. If a newcomer comes, they have to be identified to ensure they are the correct users. So for those, there is a web implementation where there are some products that you can order, then they're approved. Depending on that mechanism, it's been decided, oh, this is a valid user. That's how it's been managed.

Privileged Access Management in CyberArk is one of the very first features that was implemented as part of Privileged Access Management. Then came Endpoint Manage and finally the Password Vault. From the very beginning, once Identity Access Management as a service started, with Dell One Identity Manager as the first service. Then came CyberArk. I don't think there is an additional benefit that it has brought. It's sort of an essential commodity in the entire Identity Access Management infrastructure.

For me, Privileged Access Manager and One Identity sort of merge together. For me, the best part of CyberArk is Password Vault and Endpoint, basically. If you ask me what's there that, it's that everything is pretty straightforward. There is no confusion. It's a pretty straightforward application to work on.

It is a scalable product.

The solution is stable. 

They should allow further customization as it's really hard to do any further customizations over CyberArk. We do have a wrapper of customization. However, it's very difficult, especially their web implementation. That's one thing I would say they can improve. With Angular and everything on the market, they still have their in-house web implementation tool, which is sort of a headache. 

I would love them to improve their UI customizing features. 

You simply cannot install the demo UI in every customer, basically. They would always ask for something to make their UI look a little different -  simple things like their logo or some sort of additional information pertaining to their particular customer. Even doing the smallest of changes takes a lot to do. 

The solution is stable and reliable. 

I haven't been faced with intermittent bugs like I do on One Identity.

With CyberArk, we rarely get those situations. It's a very, very stable software. You rarely need to raise any bug or service request with them.

It's pretty scalable. Although we haven't increased our infrastructure once, we have installed the latest version. Even then, adding other infrastructure items into the portfolio is not a big deal once you have done the initial installation.

Our organization is more than 30,000 to 35,000 people. However, only a handful of them are entitled to Privileged Access Management. There might be only 5,000 users. It is used quite extensively.

It sort of was implemented with One Identity Manager when Identity Access Management came into the picture. In early times when there was simply Excel as an identity access manager, and then there was nothing basically. Once there was the onset of proper identity access management without in-house custom tools or proper streamlining process, this solution was added. Initially, One Identity was sort of used as a Privileged Access Management also. However, soon they realized that it lacked in a lot of places for Privileged Access Management. That's when we went to CyberArk. That was way before my time.

I have been part of the initial implementation. However, the day-to-day operational tasks are being handled by a different team.

I was part of a migrational project. When I joined this organization, they were just migrating from the last stable version to the present stable version. It was pretty straightforward. There was, in my organization at least, documentation that was a bit more thorough to follow. That helped me a lot.

The implementation takes quite some time. Even in production, we have to instantiate the service. We had to take a special weekend, which means downtime since this is a critical application. Therefore, moving this takes some time. It's not that there are glitches and all. It's such a heavy application that requires moving so many things. For us, it took around nine to nine and a half hours roughly to deploy. This is considering if I take off all the in-between stoppages and breaks.

Privileged Access Management is a complex topic. I won't say that any of the tools are straightforward. That said, if you are thorough, then it's pretty straightforward for people who are in this industry.

I'd rate the setup process a four out of five in terms of ease of implementation.

With every security tool, new users learning by themselves is a bit difficult since the material isn't openly released. It's released if you have a partnership or if you pay for the software. That makes learning the tool a bit difficult. If you are interested in learning, the only thing is to get a job in that field. If your company is using it, it's like learning by doing. That's the only way you can learn about this product.

I'd rate the solution eight out of ten.

My primary use case for this solution is to prevent privileged access, privilege accounts, and to mark all of those for future ordering proposals. It is to limit their access.

The most valuable feature is that it always provides flexibility, password quality and one-time user check-in and check-out. It also provides flexibility and a comprehensive reporting. In terms of reporting, it can pull up to three types of reports and you can do some Excel work on those. Then, you will be able to find information that you were looking for. It is is the reporting by-laws, as well. Apart from this, it also has a lot of advanced components. It can extend the picture at the end of the productive scope.

There was a functionality of the solution that was missing. I had noticed it in BeyondTrust, but not in this solution. But, recently they have incorporated something similar.

It is a stable solution for our needs.

The scalability provided by this solution is a lot better than some of the other available products on the market.

The technical support has been tremendous. They try to resolve the issue as soon as possible, but sometimes I would expect them to engage an L3 level of support at the very first moment, as for priority, but they take a bit longer. 

Sometimes, when we install their product, the BFN (Bridge to Future Networks) to the component manager, we have issues. When we install this component in high ability mode, and the load balancer, then sometimes that creates different problems. Sometimes, to find the issue we actually, even if one of the component goes down, get notifications easily. That is not an issue, but to rectify the issue, sometimes it takes longer than I would like, you know. When it goes for a higher ability mode for the component then it makes our work a little a cumbersome.

This solution is considered to be more expensive than others out there on the market today.

I have previous experience with BeyondTrust. And, there are other products, such as Lieberman and Arcos, which are being used in the Indian market because of its cost effectiveness.

CyberArk has vast trust across the globe. People who've used CyberArk usually don't go back and change the product, unless it is a cost issue. If it is a cost issue, I must suggest BeyondTrust as a cost-effective solution for similar services.

One of our customers is using the 9.5 version of the solution.

We personally use the product. We are implementing it and have a lot of involvement in its usage.

We use it primarily because we need to manage business accounts and reduce our inboxes.

It has improved the way our company functions on the basis that they're expanding, and the SDDC management solution and the decision to bring on security licenses under the system umbrella, then has passwords and the system management be a requirement in the coming quarters. We are already doing a small PoC with the relevant themes of the natural habits of the security teams. 

The password reconciliation and its limitation with respect to access in target servers along with the end users apart from the import, which is already available. This helps our customers in their software requirement imports.

The lead product has a slow process. There are some reports and requirements from CyberArk which are not readily available as an applicable solution. We have made consistent management requests in the logs.

It is stable. They have had subsequent releases with patches for bugs. 

With respect to scalability, it depends upon how much scalability you need in the moment. 

There is not seamless stability in the support. Sometimes, we don't have any level of support which is required when something critical happens.

We were using the Centrify solution for managing UNIX apart from CyberArk. However, the scope of the Centrify solution is not as wide as the CyberArk solution.

Initially, there was a lot of hiccups, because there were a lot of transitions due to manual installations. 

Eventually, the licensing cost benefit doesn't happen or maximize the customer's profit.

Network and security licenses are currently being managed by other outsource vendors, so they are facing some type of problems in the digital aspect. 

Recently, there has been some new licensing guidelines which have come up since 2018 related to installation by technicians. However, we had our solution installed in 2015. 

Work off your roadmap for implementation.

We recommend CyberArk solutions.

We use CyberArk to manage our privileged accounts, our passwords for our critical infrastructure. We have a lot of root administrator level accounts and other application and node accounts that are critical to our business. We use CyberArk to keep those rotated, keep them secure, in an encrypted environment giving us a lot more control and auditing capability.

We are not planning to utilize CyberArk to secure infrastructure for applications running in the cloud because, in our particular business, we like to keep things in-house. Although we have a very small use case scenario where we have one application published to a cloud service, for the vast majority of our infrastructure, we keep it in-house and manage it ourselves.

In terms of utilizing CyberArk's secure application credentials or endpoints, I'd have to think through what CyberArk means by "endpoints," exactly. We do some application management right now. We're mostly doing more server-router, switch, node. And we have some custom vendor nodes that are not your normal off-the-shelf things, that we're trying to get under management right now. As we move along and become more secure, we'll probably do more and more of the application management like that.

It has given us a common environment where all of our critical infrastructure credentials can be stored. From the pure usability and administrative perspective, I can't imagine doing what we do without it. And we're a fairly small business. We don't have 10,000 servers or 5,000 systems to manage. Still, the smaller the business, the smaller the company, the smaller the number of support people you have. So we still end up with a lot of people having to do a lot of work. 

I would say the security, having all the credentials in one place, having a two-factor login to the system available to us, which we use, and then that administrative aspect of it, being able to lighten our administrative load, so once we hand over certain things to CyberArk, that administrative work is done by CyberArk and not by us anymore. It enables us to get a lot more done with a smaller crew.

The first thing that pops into my head is, when you're dealing with some old-school people who have been around our business for many, many decades, who are accustomed to writing down passwords on pieces of paper on their desk, getting those people off of the desktop and into an encrypted environment, that alone, is an enormous improvement.

We literally had people, just a few years ago, who would have pieces of paper written with everything - address, username, password - sitting in plain sight on their desktop that the janitor at night could come in and see laying on their desk. Just within the last few years, I've even seen higher-level people who have the little sticky note out on their desktops, on top of their screen, with credentials. It's all electronic but, still, you get to their desktop or you look over their shoulder and you see everything.

Going from that to having an encrypted environment, that alone was a huge improvement. Working with a lot of people who have been around the business for a long time, who have more of an old-school mentality, getting those credentials moved into a more secure environment and getting them rotated automatically, that's a huge improvement by itself.

The basic features are, themselves, highly useful. I was just saying to some CyberArk people that I came to understand fairly early on that CyberArk is not just an IT security or cybersecurity tool. It's also an administrator tool.

I had a fair number of systems where the passwords were not fully managed by CyberArk yet, and they were expiring every 30 or 45 days. I was able to get management turned on for those accounts. From an administrator perspective, I didn't have to go back into those systems and manually change those passwords anymore. CyberArk was taking that administrator task away from me and handling it, so it lightened the load on our administrative work.

It is a good security tool, but it's also a great administrator tool in that respect.

Things that they were speaking about, here at the Impact 2018 conference, are things that we've already been looking it. They have been on our radar, things like OPM. We're beginning to use PSMP a little bit ourselves. We already have that implemented, but we haven't been using it a lot. The number one thing might be OPM, that we're looking at, that we think might help us in our business, but we haven't implemented them yet.

There are so many options that are currently available, and there are already efforts, projects within CyberArk, that they're working on right now, that I haven't really had time to think beyond what they're already offering. There are so many things that they have that we're not using yet, that we haven't licensed yet. There is a lot of stuff out there that we could take on that we haven't yet for various reasons, including budgeting.

It's always the need to do a cost-benefit and then doing a business case to management and convincing them that it's something that would be good for us and that it's worth spending the money on.

Right now, it's just trying to implement what's out there and use some of those tools that would give us the most bang for the buck.

Stability is very, very good. We did have a minor incident. It could have been a major incident. The customer support people were spot on in getting us back in order pretty quickly. I think it's a little bug in the version that we're at. That's one of the reasons we need to upgrade right now. We're just trying to decide which version we want to upgrade to before we pull the trigger.

Beyond that, as far as stability and reliability, there really haven't been any major issues. We've had one little incident. We got it mitigated within a very short amount of time thanks to, on that day, really good, quick tech support from CyberArk. And beyond that, it's been a very stable and reliable system. There hasn't been any other downtime that I can point to and say it was CyberArk's fault.

I painted myself into the corner a couple of times, and had to jump through some hoops to get myself back out; those were my fault, a lack of experience.

For the most part, over the two and a half years we've used it, we've just had that one little incident that caused us a little bit of concern. Like I said, it was mitigated very quickly and didn't cause a huge storm within the company and didn't have a huge impact that particular day, fortunately.

We haven't scaled it up much since we took it on. From everything I've seen, I think scalability should be excellent. You can spin up as many component servers as you need to get the job done. Obviously, at some point, licensing is going to come into that. I don't see how scalability would be any kind of problem for anyone. I think you can make it as big or as little as you need it to be.

This is coming from a person who spent two-and-a-half years in customer support, so I do have a certain amount of empathy towards customer support people and the challenges they deal with. It depends on who you get on the other end of the phone. When you call in, you may get the young lady that I got the day we had that major issue. She very quickly found exactly what we needed to do and told us how to do it, and we got the problem settled.

I've had other situations on much more minor issues, like how to configure this or how to make that work and I haven't had as good an experience on all of those. Sometimes I do, sometimes I don't. I think it depends more on who you get rather than on the company in general. Some support reps are always going to be better than others.

I've only had a very small number of experiences with them. When I have an issue like that, I don't just open up a ticket and then leave it alone until they get back with me. I usually go back and continue to dig for a solution. About half the time, I find my own solution anyway. But I don't think it was commonly the case that they were not attempting to get back with me.

Sometimes they didn't always offer, for the less critical issues perhaps, a quick, easy, how-to-implement it solution. This is probably a common thing, but they do ask for a lot of log files, a lot of information. They ask you to provide a lot of information to them before they're willing to give you anything at all upfront. It would be nice if they did a little bit of more give and take upfront of, "Well, why don't you try one or two or three of these common sense things, the first things that pop up on the radar on this type of issue, and see if any of them help? And we'll take the information that you gather and we'll go in the meantime." 

Instead of throwing it all in your lap to go and collect a whole huge collection of data to bring them before they give you anything, perhaps it would be better if they were a little more give-and-take upfront of, "Why don't you try these couple of things while we take your log files and stuff and go research them?" A little bit of that might be more helpful.

We were using KeePass before we got CyberArk, and I can't imagine trying to manage the number of accounts and credentials we have today, and the number of systems, with something like KeePass. It would be a nightmare.

We switched because of the scale of where we were going. All of our infrastructure passwords, prior to three-and-a-half years ago, were decentralized. The people who worked on a particular system managed the passwords for that system in their own particular way. There was no across-the-board system. There was no standard regarding these having to be encrypted versus those. Everybody came up with their own way of handling that. We tried to implement some standards during the years leading up, but they were not mandatory. So people ended up just doing what they wanted to do.

Now, with CyberArk, there is a mandate from upper management that we all use this tool. All the credentials go into it and they are all encrypted. Eventually, everything, 100 percent or as near 100 percent as we can get it, will be under full management.

In terms of criteria for selecting a vendor, from my perspective, I like to be able to find someone who can speak to me on a somewhat technical level and help me work through technical issues. But I also want them to give me a vision of things, the roadmap or other products and other things that are available, without getting too much of a marketing pitchor sales pitch. I don't mind a little bit of that. I know that's important. But at the same time, I don't just want a slick sales presentation. I want to know the technical end of how does this really work? I want to be able to have some vision as to how we might implement that. Not just what it can do for us, but how would we actually go through the machinery, go through the work, to make it work for us.

It's always good to have a vendor that can provide resources, that can speak to someone like me on a technical level, and that can help me work through issues, whether it's lack of experience or just lack of knowledge in a certain area; a vendor that can help me work through some of those situations and get me to where I need to be.

I went through the proof of concept and then I also went through the initial install of our infrastructure. For our company, I've probably done 80 to 90 percent of the work in CyberArk myself.

The implementation was fairly straightforward. We had a really good implementation engineer. He did a really good job. Of course, every individual brings his own kind of approach to things. They give you insight and then you run into someone else that gives you a little different perspective. It surprised me how straightforward some of the setup is. I've experienced some things since then that lead me to think it is something that CyberArk is constantly improving on: How to implement new installs or upgrades and make them better and easier.

For instance, there was one system that, when we first installed in 2016, we were told upfront that this was not an easy system to spin up and get working. We had made an attempt at it and failed. A year later, I installed it by myself from the documentation and it went as smoothly as could be, no problems. They had improved it over that year to the point where just about anybody could do it.

The team that I'm on, we weren't leading up the investigative part. Our security group did that. They're the ones who brought CyberArk to us and said, "This is the one we're going to go with." There was actually another entity within our corporate parent company that had already been using it for about nine months before we did. We adopted it from there. Since then, another entity has adopted it as well.

One big piece of advice I would give is: Don't ignore user acceptance. If you want people to use CyberArk, you have to pay attention to user acceptance. If your users hate it, then your entire experience is going to be an uphill battle, when you're trying to get people to actually use the tool. It doesn't matter how good the tool is, it doesn't matter how well it does password management. It doesn't matter how well it does all these other things. If your users hate it, you're going to have an uphill struggle with the people that you need to be on your side. You've got to get user acceptance right.

Now, you can't completely sacrifice all those other things just for user acceptance, I'm not saying that. But you have got to keep user acceptance up there, alongside everything else. It's got to be a hand-in-hand thing as you go along, so don't ignore user acceptance. Spend some time doing it.

I tend to shy away from giving anybody a 10 out of 10. I would rate it at about eight out of 10, a pretty high rating. Anything could be improved, and certainly, CyberArk is not immune to that. But I think it's a good tool.

We use it for all of our privileged accounts, local admin, domain admin, and application accounts. We use several of the product suites. We are using the EPV suite along with AIM, and we are looking into using Conjur right now. Overall, it has been a great product and helped out a lot with being able to manage privileged accounts.

We don't have a lot of stuff in the cloud right now, but as we move forward, this is why we are looking at Conjur. We would definitely use it for that and DevOps.

We have owned the product since version 6.5.

We are utilizing CyberArk to secure application credentials and endpoints using AIM. We have a big project this year to try to secure a lot of application accounts using AIM.

It is helping to centralize control over credentials. It gets a lot of privileged accounts off endpoints and rotates them, so they are not out in the open.

• Scalability
• Stability
• Usability

We are able to centrally manage credentials, touch applications, and rotate passwords.

I have some experience with the generator utility plugin. Although, we did plugins prior to the generator, manually installing them working with support. I do like the interface with the generator utility plugin, as it is very handy.

We would like to expand the usage of the auto discovery accounts feed, then on our end, tie in the REST API for automation.

It is very stable. We have not had any issues. There is a lot of redundancy that you can build into the product, so it's a very solid product.

It has the ability to scale out. We have scaled out quite a bit with our product and use of it to get to multiple locations and businesses, so it has the breadth to do that.

The technical support does a good job. Sometimes, it takes you a little bit to get to the right person. As they grow, they are having growing pains. One of the things is just being able to get somebody on the phone sometimes. Besides that, usually if you put in a ticket, you get a response back quickly. However, overall, they have a good, solid group. 

We were not using a different solution before CyberArk.

One of the biggest factors when dealing with this field/area in privileged accounts is you have to have executive support from the top down. Push for this, because trying to get different business units or groups to implement this product is very hard if you don't have upper level management support.

Most important criteria when selecting a vendor: 

• Stability of the product.
• The customer service interface: Someone who can work with you on the product and understand what your needs are.

To securely manage privileged accounts within the enterprise and automate password compliance where possible. Bringing multiple account types all into a single central repository with an intuitive user interface has greatly improved our security standing. Instead of managing each account in its disparate location like Database, Active Directory, LDAP, and Mainframe, we can now do it from a single solution. This has enabled great strides in standardizations across account types for password and access management.

CyberArk has enabled my organization to monitor and manage privileged accounts in a secure manner while also giving the ability to adhere to password compliance automatically. CyberArk has helped us to remove hard-coded credentials in applications and scripts. Traditional password policies often fall short of providing adequate protection, but CyberArk's PAM has allowed my organization to set robust password policies that require a combination of uppercase and lowercase letters, numbers, and special characters.

AIM has been a great help in automating password retrieval which removes the need for hard-coded credentials. Hard-coded credentials are a risk to organizations as they are easy for attackers to target. Therefore less hard-coded credentials increase the security stance of the enterprise. We have greatly utilized the out-of-the-box usage automation like Windows Scheduled tasks and password config files. The reconcile feature is another must-have to give users the ability to not only change their password but to unlock it as well where needed. 

CyberArk's Privileged Access Management (PAM) stands out as an industry leader, and it is often considered at the top of its class. This comprehensive solution has consistently delivered robust features and innovative security measures that make it an essential component of any organization's cybersecurity strategy. While no system is without room for advancement, CyberArk has continuously demonstrated its commitment to innovation and improvement, and many of the potential areas of improvement are already being actively addressed.

I have been using this solution for 13 years.

This solution is very stable with the ability of satellite vaults and HA.

CyberArk is incredibly scalable. Make sure to check out the unlimited option.

Excellent service and quick responses with engineers who understand the product.

Positive

We started out with CyberArk. When we started to look into using a PAM solution they were the leader in the space (and still are).

For the time saved and security added, the benefit far outweighs the cost.

Check out the unlimited model as it can save money and make for a more scalable solution depending on the size and needs of your organization.

My company evaluated other options, but I was not with the company when this occurred.

Contact the professional help for a demo, and you will not be disappointed. Even if you do not choose CyberArk, they can help identify current security gaps.