CyberArk Privileged Access Manager Reviews

CyberArk PAM is used to secure passwords and remediate audit findings. CyberArk PAM is used to manage access to passwords, rotating these after use or on a regular basis, and verifying the passwords on the system match what is in the vault on a regular basis. Passwords are managed in this manner on both Linux and Windows servers.

CyberArk PAM ensures that passwords on Linux servers are highly secure, regularly changed, and completely auditable. This saves enormous amounts of time when responding to audits and security concerns. And the scheduled verification of passwords ensures that passwords remain available when needed and stay secure. CyberArk has become the standard tool for password management.

I find value in notifications from CyberArk when passwords fail verification and have other issues. Investigation of these issues often uncovers other issues. The way safe security is handled is outstanding and makes it easy to provide safe access to those who need it and deny safe access to those who should not have it.  

Another valuable feature is the agentless architecture of the product. Using native processes to manage passwords and not having to install and update agents is a huge plus.

A more friendly and functionally complete user interface would be nice to have. The current interface is not very intuitive. It is somewhat clunky and difficult to navigate, and many times have to toggle between the somewhat underdeveloped new interface and the older classic UI. This state of basically having two interfaces is a prime opportunity for CyberArk to improve its product.

Also, it would be nice if the vaults could run on Linux instead of Windows.

I have been working with CyberArk for more than ten years in various capacities ranging from end user to safe/vault administrator to application administrator.

The solution is incredibly stable.

We have not run into any scaling issues.

CyberArk support is pretty solid.

Positive

I did not previously use a different solution.

The initial setup is more complex than simple, however, not daunting.

We worked with the vendor team who were very knowledgeable during the implementation.

The PAM product isn't low-cost, however, it is worth it. Go with a longer-term agreement to realize lower costs.

CyberArk PAM was chosen before I got involved so I am not aware of which other products were evaluated. However, we have never had to go back and review the decision to use CyberArk.

Use CyberArk professional services when needed. They are very knowledgeable and experienced which means engagements have a high success rate.

I use the solution for administration. If the customer requires Alero or HTML, we will deploy the solution in that particular environment. Otherwise, if the end users are accessing the solution via VPN or from inside the network, we will not deploy Alero or HTML. We will instead focus on CyberArk's core PAM, which includes the vault password rotation component, the web interface component, the jump server, and PPA. These are CyberArk's four main components which we deploy for every customer.

CyberArk has a lot of modules, such as Enterprise Password Vault, which is the heart of the solution and needs to be up and running at any time. Privileged accounts and session recordings get stored inside the vault itself.

Likewise, we can configure high availability for the vault, like an active/passive or an active/active configuration. Replication disaster recovery is also supported.

CyberArk is also capable of rotating the credentials for a lot of endpoints. It has the CPM plugins by default for password management, Windows and Linux, as well as databases like Oracle and MS SQL, and can also rotate to some network devices like Cisco 9000.

We have Privileged Access Management, a general server between the user's and the target's machine. All of the sessions go from that server to the target endpoints. Once the end user disconnects the session, the session recordings and live monitoring will be uploaded to the vault. That recording will be stored for 180 days for auditing.

Another component is Privileged Threat Analytics. It detects any threats on target machines. For example, an end user might connect to a Linux endpoint and try to run privileged commands. Those commands are customizable and can be defined in the PTA as well. Whenever those users run those particular commands on the target, the PTA will report suspicious activity and report to security admins in the organization via mail or even on the web portal. We have a separate tab for security.

Within security events, these particular suspicious activities will be detected as threats and attain a risk score, "This is the user who connected to this particular target and ran these particular commands or applications."

CyberArk has a remote access solution called CyberArk Remote Access Alero. CyberArk also supports HTML gateways so that users can connect from outside the network without a VPN connection.

The solution has many advantages, such as the user interfaces and remote app features when using local applications when sessions are getting established over RDP, SSH, database, and web browsers. It is easy for administration as well.

Password management for all the endpoints needs improvement.

CyberArk can handle password management for Windows, Linux, databases, and network devices. However, there are solutions like Tenable or Skybox, Palo Alto, and other security devices for which we cannot provide password rotations on CyberArk. CyberArk should look into development for those particular plugins. I heard they had developed them, but they are not widely available. So if, for example, a customer requires CPM's password management plugin for Tenable, they need to send a request to CyberArk themselves so that the CyberArk team will then sell it to the customer. It does not come with an implementation license. It's a separate thing that a customer needs to purchase. CyberArk will assign it to that particular customer ID, and that plugin will not be supported for other customers. But those are their business tactics. They will not reveal all their plugins, only the basic ones.

I have worked with CyberArk Enterprise Password Vault for four years on a regular basis.

I rate the solution's stability an eight out of ten.

I rate the solution's scalability an eight out of ten.

The technical support is very poor. We handle implementation for our clients, so we do not handle support after. We do the knowledge transfer and if they face some challenges, we will show them how to troubleshoot as well as the documentation. We provide everything to the customer as they are not experts in CyberArk.

If the customer faces any issue, they will raise a case with CyberArk in the technical portal. But once they raise a case, CyberArk will not respond.

Let us say I opened a case this morning. Initially, they will respond, "I am the technical expert handling this particular case. Please provide me the logs." Their first reply will be that they want the logs. The customer will then gather the logs somehow and attach those logs to the case.

However, it will take two days for technical support to investigate their logs and reply. Even after two days, they will reply, and will say, "I am transferring this case to the higher level expert" that is, L2 or L3, "they will get back to you." 

The initial reply will be given by the L1 engineer who doesn't know the product or how to troubleshoot that situation, so every case will go to the L2 level or L3. The time taken in the process is too heavy. So even if I open the case as a "severe" case, even if it is not severe, they will reply to say that this particular case is not severe, so I have to keep it as "medium" or "low." As a result, customers consider hiring support from my company.

Neutral

With CyberArk, we have the direct installer file and setup files for each component, such as Password Vault Web Access, CPM, PSM, and PTA. The implementation engineer should install every component. We also need to have servers for each component. We need to request a set of servers per the architecture and the components count. Once we get those servers, Windows or Linux servers, we need to copy the setup files onto them. We need to deploy the setup files by installing and taking some steps. It contains manual and automatic installation, with CyberArk providing some PowerShell scripts themselves. With those scripts, we can do the installation automatically. 

By comparison, with BeyondTrust, whatever the module is, the virtual appliance is built by the BeyondTrust team itself with all the configurations. We just need to deploy it in our organization network and do the initial networking configuration, and later, we can directly do the integrations.

Also, CyberArk recommends we do hardening for each component for security purposes. After hardening, unwanted firewalls and services will be disabled on the operating systems, which makes the product more secure.

Though there are some efforts required from the implementation engineer, the installation is straightforward. I rate the initial setup a seven out of ten.

Users will clearly understand the solution once they go through the architecture diagram.

To connect to the target systems and view the accounts, view the session recordings, and check if the system health of all the components is working well. Any admin-related task will be done in the web portal, Password Vault Web Access, a separate component in CyberArk.

CyberArk is one of the better solutions which users will want to implement in their organization for securing their privileged accounts and access, and session monitoring for auditing. If they can deploy CyberArk, it's a good product.

The most common use case is when you need to hide the management for the servers, switches, routers, et cetera. You can use privileged access for remote use cases.

In my company, we have a lot of servers, and the problem is when the users want to access these platforms. You can access all the architecture and knowledge with this product. It provides more access and visibility.

The password rotation and cyber gateway have been quite useful. It's a solution that allows you to search for passwords for your servers and accounts. This is the most feature power.

The solution is quite stable.

It is scalable on the cloud. 

The implementation is hard. For example, the on-prem implementation specifically is really hard to deploy. 

The solution does not scale well on-premises. 

This is an expensive product.

It's hard to get help from support if you are not certified. 

I've been using the solution for five years. 

The product is really stable. You just need to deploy a higher viability solution. However, you need to do a lot of budgeting to deploy that higher viability solution. You need at least 12 servers. It's really, really difficult to have a budget for that.

It is easy to scale on the cloud. It is difficult to expand it on-premises. 

We have 30 people using the solution in my company.

At this point, we do not have plans to increase usage. 

The technical support is really excellent. However, if you don't have a certification, it is impossible for you to receive technical support.

We previously used BeyondTrust and Centrify, among other solutions.

The initial setup is pretty difficult and it takes a while to put into place. 

You need at least six servers to deploy it and it's really difficult to have a budget for that - plus, the implementation itself is really hard. You likely have to dedicate one week to deploy the solution and another week or two to onboard all the accounts.

Basically, it's pretty complex to implement. 

We've used a consultant to assist us with the implementation. 

The ROI is really quick. If you have a compromised account, it can compromise your infrastructure, and the loss of the business is really high. With this product and the protection it offers, you can witness ROI immediately.

You need a large number of servers, and therefore it gets expensive to deploy the product.

The license is expensive. It costs us around $200 per user. 

We are using a privileged cloud and an on-prem cloud, an on-prem APD. We have a hybrid setup.

I'd advise potential new users to have very good scripting at the outset. If you don't, you'll have difficulties in the long run. 

While the solution is expensive, it's excellent. I would rate it ten out of ten. You definitely get what you pay for. 

The solution is primarily for security and access control. 

It's used to ensure and protect the complete IT infrastructure administrative account and the administrators and limit them to do any particular activities on the server and record all the activities on the server. it's for auditing purposes and for forensic usage.

We use it o identify if somebody internally hits the organization or tries to intrude and try to do a data breach or try to steal the information or do some kind of internal hacking. That risk can be eliminated using the tool.

CyberArk is one of the greatest platforms. It supports lots of requirements in the privileged access management area. 

From a configuration point of view, it is not very straightforward as per the deployment. The configuration is typical. However, when it comes to the integration piece, it has flawless integrations with lots of applications, whether it is out-of-the-box or customized. It supports any number of platforms. 

The company is very keen on looking at new applications to build out-of-the-box plugins. The support for the privileged single sign-on configurations with the application is excellent. 

Security-wise, the security is unbeatable compared to any other tool in the industry. They have a vault concept. They consider it similar to a bank vault. This is where they keep all the privileged admins' passwords. That particular vault has seven layers of security, which are unbreakable. It basically cannot be hacked. It cannot be hijacked. 

If something goes wrong, for example, if the vault is destroyed, your data is still protected. You can easily revive your data from that particular vault. It's a great capability. The security is excellent. It is very, very tight here. They support one signal protocol kind of communication with the internal products.

Where your password will be residing that is protected by a seven-layer of security. It has a web interface hosted on an IAS server on Windows. It has a CPM called central password management, which will do the password rotation. That is sitting on one other server. It has a session manager, which provides the single sign-on mechanism, privileged single sign-on mechanism, or automatic single sign-on to log into any infrastructure servers and applications. These are the four core products, and they integrate with each other and they integrate on one single port.  

If you try to intrude on the system or any hackers try to intrude the system, they will not be able to do that as the communication through this port is entirely encrypted. They will not be able to revive the data in real-time. It's a great security feature.

It supports hybrid deployments as well. It supports single standalone deployments for high availability with different kinds of deployment structures or topologies. This is a growing trend in the market. 

They can work on the pricing part. Its pricing is a big challenge here. When it started, the product came in at a very low cost. Now, they are the leaders in the market, so the cost has grown and is quite huge. 

I've used the solution for four years now. 

The solution is very stable. It's reliable and the performance is good. 

Every organization is different. Some are small, some are large, and some are medium-sized. This product fits all organizations. It is designed to be scalable. 

Technical support has been excellent overall. We are pleased with their level of service. 

The setup process is typical. It's not easy to set up. It depends upon the environment, the requirement, what the customer is looking for, et cetera. If, let's say, there's 1,500 accounts, which need to be protected and 10,000 servers, which need to be protected, the deployment can be done with the two-node setup. The two-node setup is okay. However, when it comes to the larger organization where we have lots of privileged accounts and lots of servers or when the account increases to 100,000 servers and 100,000 or 200,000 privileged accounts, in those cases, the product is complex.

You need to be well trained in order to be able to execute an implementation. 

The pricing used to be very competitive. I can't speak to the exact pricing. However, it is my understanding that it has gotten more expensive. 

I'm certified in CyberArk. Earlier, we worked with CyberArk as a partner. At this point, our contract is in a renewal state.

I'd rate the solution nine out of ten. 

It is a great product when it comes to security. From the security point of view, I would advise a new user to use this tool and deploy it in your environment since the security is unbeatable.

We mainly use it to protect servers from inappropriate access and ransomware.

We started with on-prem solutions years ago. Our most recent implementations were done in data centers and the cloud. However, we are not in the cloud for CyberArk.

It is a really valuable tool. From the very beginning of my career in cybersecurity, I found that CyberArk is one of the best solutions that I could recommend to our customers. While it is usually seen as an access and identity management solution, it is a cybersecurity and cyber defense tool from my colleague's and my point of view.

It is a single tool that isolates possible kinds of malware. You get lateral movement blocking and auditing information, e.g., you know who is doing what. You are getting protections from the service as well as a useful environment. All your admins can easily go in and out of your company while accessing your servers in a secure way, even if they are working abroad.

One of the best points is that it gives you full control for all the use cases in your infrastructure, in terms of servers, applications, social networks, batch processes, etc. 

It gives you the ability to know what is happening, who is executing everything, and recover that information over time. Everything is recorded there. This is useful, not only for auditing proposes, but for admins and users. This also helps with troubleshooting. For instance, an application or system starts failing at 4:30 in the morning on a Sunday. Usually, the first questions that you ask yourself is, "What changed at 4:30? What has happened? Who was touching that server?" WIth CyberArk, you have the ability to search for that information and find it in minutes. It is really useful for troubleshooting.

The PPA from CyberArk provides a lot of information about access and allows for possible detection of fraudulent use or different tries of accessing, even for family Internet users. Thus, it gives you another source of information regarding risk.

We are using Secrets Manager with some of our customers. We are using it mainly for containers and DevOps. This secure access is really important, and becoming more important every day. We are constantly moving customers to the cloud. Every day, containers are more important for our customers as they extend into microservices, etc. 

The possibility to integrate with the DevOps cycle is vital right now. Sometimes, containers are deployed while some clients have them very protected. They have a lot of things with Panorama, Microsoft, etc. That is a risk because you are deploying things quickly, along with errors and other things that you are developing. So, having to use hard-coded passwords here would be a big mistake. 

Secrets Manager accelerates a lot of the possibilities and simplifies the process, since development teams just need to use credentials. When they arrive on a project, there are new people or resources in their development teams. Thanks to CyberArk, they just need to manage their identities to have access to everything. They don't need to receive credentials nor search for them. They have everything the day that they start working.

We find it easy to use CyberArk PAM to implement least privilege entitlements. We usually do some interviews at the very beginning with different teams to understand their real needs. We define saves and different AV groups for the kind of users that we are going to prepare. Then, the process to assign permissions to different groups is really easy and straightforward. If you want to change or reduce access, that can be easily changed at any moment.

I have been using it for more than 10 years.

In the last year, it has been a very stable platform.

Scalability is fantastic. It has been really easy to scale. In fact, most of our customers who start, or have doubts about how to start, we propose to them, "Well, if you are not sure or don't have the budget right now, you can start with a small deployment, then we will grow." It easily grows and you can add components. 

Other customers have started with a small CPD deployment, then replicated. We put high availability on another CPD. It is really good for public clouds.

We have some customer environments that are over 10,000 servers as well as some environments with more than 50,000 managed identities.

I would rate their technical support as eight out of 10. They are usually really good and quick about answering any questions that you raise. However, they are sometimes not flexible with things. For instance, from one day to another, there might be something that had been done years ago by CyberArk, then they say, "We do not support that." You then have to initiate a complaint and start working with them. Things might become complicated and months pass while you are working with them. Usually, they are good and fast, but sometimes they seem to be blocked with problems, e.g., you will suddenly be working with another team instead of the team that you were working with the day before.

Positive

I have been working with CyberArk and with the CyberArk teams for years. They have been able to adapt the solutions that they have developed or bought. They have grown a lot with the acquisition of different companies. They have been able to adapt them, make them valuable, and helpful.

The initial setup is straightforward because we have a lot of experience with it. While there are a lot of components, I don't find it difficult.

A deployment can typically be done in less than a week, but it does depend on the environment.

We have developed our own methodology for the implementation and deployment of CyberArk. We put the final users at the center of their strategy. One of the things that we have found that fails when deploying a PAM solution is that everyone focuses on the tool. CyberArk works and we know the tool is there, so we just focus on how the different groups are working with their servers, applications, etc. We focus on adapting the deployment in a way that does not disrupt their jobs. We try to be non-disruptive and not change the way users work.

We adapt the solution to already existing workflow processes, tools, accesses, etc. This is one of the best parts of CyberArk. It provides a lot of flexibility to adapt.

The main problem for the tool is its licensing. I work for a really big company. When you try to develop this as a service, usually you work with leverage teams who are formed with dozens of members. You might dedicate one FTE, or less, for something, e.g., an antivirus administrator. You might have half an FTE's effort dedicated to administering the antivirus, but then you have a team of about 30 users who might access that ticket. The problem is that CyberArk eliminated the possibility of concurrent users years ago. This is a big problem for companies who work with leverage teams.

You need to pay for everyone. 40 licenses are used by 20 or 30 people. This is a big problem because licenses are not precisely cheap.

It provides the broadest point of view for privileged access management solutions in the market. We have tested several other proposals and tools for our customers and ourselves. There is a huge difference with using CyberArk.

We evaluated CA PAM and another solution. The main difference is that they cover just a part of the solution. They promise the solution will be very simple to deploy because they only have a simple appliance. However, they are actually really difficult to deploy for an entire project as well as give you value. We have experienced a lot of support and integration problems. You need to do a lot of things by yourself. Whereas, in CyberArk, you have plenty of plugins and developed material in the marketplace. 

This is the big difference at the moment. When you are deploying, it seems like a very simple project, and the other solutions will tell you, "Well, it's just an appliance," and then it becomes a nightmare. Whereas, CyberArk does what it does. You need to deploy several servers, but it works.

From time to time, people in the market are like, "Wow, it was born as a cloud-native solution." Sometimes, this is real and means something, but usually it is mostly a marketing thing. Why would we ignore all a solution's previous experience just for something born in the cloud? Most of the IT solutions that we use in the cybersecurity market are not born in the cloud. For instance, if you go with Securonix or Sentinel, there is a huge difference in the way they were conceived and the way they were born. Just because something is cloud-native or new doesn't mean that it is good. I wouldn't go for something that is cloud-native, just because it is.

I would rate CyberArk as nine out of 10. I won't give the 10 because I have my problems with the licensing. However, the solution is completely recommendable and a must-have in every environment.

CyberArk's Privileged Access Management solution covers a whole range of features, like privileged web access, private vault, privileged session manager rights for a session in isolation, privileged threat analytics for analytics, and private sessions. We also use CyberArk's Application Access Manager, which includes their credential providers, such as agents and run servers. Then there is a central credential provider, which is API-based credential retrieval, and DAP or Conjur. This is more of a DevOps model for credential provisioning. We also have the Central Policy Manager, which rotates the credentials associated with unprivileged or servers accounts. It's a huge environment. 

Those are all the different functions we use. We initially purchased CyberArk for privileged access manager and session isolation of privileged users. By privileged users, I mean main admins, global admins, and preps like Azure or Office 365. Our initial use case was to manage those users who could drastically impact the environment if their credentials were compromised.

After we purchased the product, we had a third party on it. They suggested we also leverage CyberArk as part of the platform for managing service accounts, i.e. go out and proactively rotate credentials that are running or ordering services. That's another kind of big use case that we started implementing a couple of years. It's long work. It is tough to do, there's a lot of cases where it just doesn't work right, but overall it's been pretty valuable.

From a security perspective, CyberArk PAM gives us a lot of control and visibility into what our privileged users are doing. In terms of securing our cloud-native apps, we're just getting into deploying things to Azure, AWS, etc., and DAP brings a lot of value to that because it is cloud-agnostic credential retrieval. Azure has their key vaults, and AWS has their version if you are a multi-cloud solution. CyberArk's Secrets Manager, or DAP, brings a lot of value because you only have to learn how to integrate your apps with one solution that can be deployed across multiple clouds. 

I will say that CyberArk is struggling with some of the cloud integrations. For instance, Azure has a native identity solution, and Microsoft keeps causing issues with their ability to identify the hosts calling back. Some cloud providers are trying to lock CyberArk and other tools out of their environment and force you to use their native one. With that said, I don't use the other functions. I don't use the containerization Kubernetes integration or anything like that. We're not at that point yet. One of my significant concerns about investing a lot of time in CyberArk Conjur or DAP solution is that Microsoft seems to be trying to push them out of that space, and if they do that, then all of that work is null and void.

In our initial use case, we found CyberArk's privileged session management functionality to be incredibly flexible. It's challenging to write these plug-ins, but if you have somebody with a development background, you can write all sorts of custom connections to support different functional applications. We've written over a hundred custom connectors ourselves that allow us to do all types of privileged session management for various applications. On top of that, the rest of the API-based central credential providers allow us to get away from credentials that may be hard-coded in the script or some application. 

CyberArk's web console isn't in a great state. Over the last three years, if not more, it has been transitioning from what they call the "classic UI" to its modern interface. However, there are a lot of features that you can only use in the classic interface. Hence, each version seems to put more makeup on the modern interface, but all of the complex functionality you need is still in the classic UI. 

I'm not sure they've figured out how to transition, and they're kind of in a weird state. So, while CyberArk has made strides, the web interface is painful, particularly as an administrator, because you have to bounce between these different user interfaces. It is an incredibly complex solution that requires at least a dedicated employee or more to maintain it, support it, and understand it thoroughly. If you don't have that, it's just not the right solution for you because it is very complicated. 

Many of the infrastructure folks who use the product dislike it because it complicates their workflow. They get a little less control, and they have to go through a specific solution. It proactively logs in for them, which obfuscates some of the issues that they may be troubleshooting. And I think some of the consumers aren't big fans of the product. Also, I feel that in the last year or so, CyberArk has been pushing very hard for customers to go to their cloud solution. It doesn't have the same flexibility as the on-premise version, which is problematic because that's where I see a lot of value in the solution.

I've been using CyberArk PAM for about four years now.

CyberArk support isn't the worst, but it's certainly not the best. I'd give it a six out of 10. They were responsive. After you submit a ticket, you get the typical response. You gather all the logs and send them, and then they do some analysis. They typically send you back to get more specific logs, so it's a standard support experience. I would not say it's great, but it is not terrible either.

Overall, as a partner in our digital transformation, CyberArk has been great. The technology adds a lot of value, but they're also very much engaged and concerned. The customer success manager very much wants to make sure we're getting value out of the tool. I guess my only concern there is that they are pushing very heavily for customers to switch to their new cloud solutions that may or may not fit our needs or expectations. I am worried that they're going to push even harder. For example, CyberArk might start offering features only available in the cloud solution that would make our future somewhat tenuous depending on what's going on. So my only hangup is that they're pushing cloud solutions that I don't think are very mature yet.

Neutral

The environment's architecture is very complex, depending on your use cases, and I'm talking about CyberArk as a whole. Their past solution — their AM solution — and all of the other solutions bundled together are straightforward, and it all needs to work together. Depending on your use case and the connected components you need to have or build, you must learn a lot. So, it's not as simple a thing to deploy — at least on-premise. It isn't straightforward. Our environment comprises 20 to 30 servers that we had to spin up and connect. Disaster recovery has to be thoroughly vetted, discussed, and documented because as you onboard and manage those privileged accounts, you need a way to get to them if something goes wrong.

It took about a month to get the product running and several months to onboard users. And when we start talking about Application Access Manager, that's ongoing, and I think that'll probably be ongoing for a very long time. We were targeting our specific use cases, so we started with interactive users. The whole idea was to restrict, manage, and monitor those interactive users. Our rollout proceeded from the most privileged users to the less privileged users. Then we started targeting service accounts and that kind of stuff. So it was a phased approach from highest risk to lowest risk to lower risk.

CyberArk PAM requires a lot of maintenance. Right now, we have about one and a half people, but I would say we need to add several more people to do a better job and add a lot of functionality. It requires a lot of maintenance and monitoring. They've relied on many different Microsoft features to secure the privileged session manager. It requires a lot of tuning, monitoring, and managing those solutions. They use AppLocker to restrict and isolate these running sessions, and AppLocker breaks all the time, so you have to go in and troubleshoot why it's broken and tweak it. That could mean adding a new rule or updating an application. It is a lot of maintenance, depending on your use case. But then again, we have gone very hard into privileged session management and developed over a hundred custom connectors. Another customer might deploy RDP and call it a day, drastically reducing maintenance.

If you ask me the ROI, I'm not sure I could give you an exact number. Security tools are pretty tricky when it comes to that. But if you're adopting a risk-based approach, this substantially reduces risk. It brought a lot of visibility and allowed us to monitor all of our privileged users, so it is valuable from the perspective of KPI, modern solutions, and risk reduction. If we were to score this on an internal risk review, our previous risk would rank four out of five, and we've lowered this to a low severity risk.

CyberArk had just changed switched their licensing model to perpetual licenses when we purchased, including the whole PAM Suite. Before we bought it, they were licensing each function individually, which got complicated and very expensive. When we decided to buy it, it was much more straightforward and still quite expensive, but it brings a lot of value and risk reduction to the organization. 

In the last year or so, it's my understanding that they have switched from a perpetual licensing model to pushing companies to a subscription-based model. I have not dealt with this yet, so I'm not sure my feedback on licensing would be too valuable because they've moved away from the license type we purchased.

This was our first foray into the PAM space. We did a proof of concept evaluating three different solutions, so CyberArk was the clear winner. I don't want to speak ill of any other solutions, but I will say that CyberArk's architecture was much more secure. Other competing solutions may leverage an agent that is installed on your local machine and runs your privileged applications locally, leaving a lot to be desired from a security perspective. 

CyberArk uses remote desktop gateways similar to Microsoft's RDS functionality, and it abstracts that privileged application from your workstation. So even if you're compromised, a malicious actor on your laptop or workstation would not be able to get to that privileged application. This was very valuable to us. Other solutions did not have that functionality.

As it stands today, I would rate CyberArk PAM nine out of 10. However, I'm concerned about the future of the platform. While I've had nothing but great experiences so far, I have concerns about how they've been pushing that cloud solution in the last year and a half. I feel like they're going to pressure us to move to the cloud even though they're not mature enough in the cloud. 

Rather than create a cloud-native version, they've migrated their on-premise solution to the cloud, but they don't allow cloud customers to access the backend, which I recommend all the time as an on-premise user. Instead, you have to submit a support ticket and have their support do things on your behalf, which delays your ability to work with the tool. Furthermore, they may not be willing to make the modifications you want because it would affect their ability to impact the solution consistently. CyberArk designed the on-premise version to be incredibly flexible, and I have never found a use case where I can't do the work I want to do. Their cloud model discards a lot of that flexibility, which is where I see a lot of value, so I have concerns about the future of the tool.

Also, I'd like to point out that service account management is incredibly hard, particularly in a company that's been around for a while. Any company looking to adopt service account management needs to know that it's not as easy as vendors make it sound. Many things don't work right out of the box, so the most important lesson we've learned is to calibrate the expectations of senior management when it comes to service account management because it is a lot harder than anybody thinks. You're likely to break things in the process of trying to manage these accounts. 

We use the solution for cybersecurity and regulation.

The tool has safe vaults. We keep our passwords in the Vault. The tool’s recording feature is also valuable for us.

The tool needs to improve its usage and interface. They need to have a modern and useful interface. I want the product to improve its integration capabilities as well since some of the integration features do not work always.

I have been using the solution for five years.

The solution is a stable product.

The product is scalable. You can manage 100,000 scripts or 1000 secrets with the solution.

I would rate the tool’s support an eight out of ten. The tech support is good and not complex. You can escalate the problems easily.

If you do not have prior experience, then the tool’s setup is complex. It has a complex installation process. You need to do pre-configuration correctly. The deployment takes around two to three days to complete. One experienced person is enough for the deployment.

The product’s pricing is feasible for enterprise customers. The pricing is expensive for smaller businesses. You need to pay additional costs for service implementation and local support.

I would rate the product a ten out of ten. We recommend this product for enterprise customers. The tool’s pricing and operation are a problem for small customers. They need to opt for Software as a Service. Companies need to install this product since they have a lot of accounts and passwords.

I'm a security solutions architect. I design solutions and hand them over to the client once they're implemented. We educate the users on how the solution works or turn it over to our managed services department

CyberArk PAM is an identity management solution used to manage privileged accounts on domains and local servers, including admin accounts in Windows environments and root users in Unix. 

With CyberArk, you can be fully confident that your existing accounts are secure. You will be 100 percent secure against attacks if you have all the right policies in place.

PAM could be more user-friendly and CyberArk could update the documentation to include more real-world examples. You have to learn it yourself through trial and error. In particular, the online documentation should have more information about troubleshooting.

I have used CyberArk PAM for two years. 

CyberArk PAM is stable.

CyberArk PAM is scalable. Managing 80,000 accounts is almost as easy as managing a thousand. 

CyberArk has a solid community. It's easy to get support and feedback from the forums. However, it can be difficult to access official technical support if you don't have a CyberArk certification because they have a process to limit unnecessary calls. You get excellent support once you're certified. 

Deploying CyberARK is complicated, but it is relatively easy for me because I have excellent scripts for implementing the prerequisites. It might be challenging for the average end user. It would be ideal to educate them in a demo environment because hard to explain this to a user without them. I would need to build an environment to show them. A simulated lab environment is one thing CyberArk PAM lacks.

We set up the prerequisites and discover the privileged accounts in the environment. CyberArk has a tool that scans the servers and detects accounts. This works best in a Microsoft environment. It's more difficult without Active Directory because you have to rely on the information the customer provides. You can begin the onboarding process once you've identified the accounts. 

It takes a month to set up the prerequisites and two or three days to install CyberArk PAM. Once it is deployed, it takes eight months to a year to tie up some loose ends. You may need to identify some accounts that you missed. The total time depends on the size and complexity of the user's environment. If you've configured everything correctly, it's simple to maintain. 

The ROI for CyberArk PAM is difficult to measure because the benefit is a reduction in risk. If CyberArk can eliminate most of the customer's security risks, then it's worth what they paid. 

CyberArk isn't cheap, but it's the best. You have to pay for quality. 

I rate CyberArk Privileged Access Manager 10 out of 10. CyberArk is the leader in Gartner's quadrant. I tell my customers that they need to be 100 percent secure—99 percent isn't good enough. The top hackers will exploit that 1 percent hole, and you're finished. You need 100 percent, or else you're wasting your money.