CyberArk Privileged Access Manager Reviews

There are many possible use cases, but in general, CyberArk permits users to target machines and rotate their passwords, and to record decisions. It is used to create security through PTA and to forward Vault logs and investigate events. It also enables users to access passwords in dev code without actually knowing the passwords. There are a lot of advantages to CyberArk.

As a consultant, I have seen a lot of CyberArk configurations. Sometimes we use the CyberArk Cluster Vaults with one DR. I also worked for a company that used only one vault, without a cluster, but they switched data centers when there was an incident.

I used to be a Windows and Linux administrator before I used CyberArk. The difference is that now it is simple for me to connect to my target machines. I can add them to my favorites, making access to the servers simple. 

CyberArk enables confidentiality. The passwords are stored in a fully secured Vault. If you want, you can access target machines without using PVWA. If you act as a remote desktop manager, you can register your connections and connect your target machines through the virtual IP and easily connect to your machines. Your connections and commands would all be registered to the Vault.

All the features of CyberArk are useful for me, but the biggest one is that CyberArk has logs for all the features. That is important when there is a problem. You know where to look and you have the information. In cyber security, the most important aspect is information.

Another valuable feature is that if you don't have access to a machine, you can see the machine in CyberArk. It's the management capabilities that CyberArk enables for a company that are very useful.

Other useful features are optional, such as recording decisions or rotating passwords.

The PTA could be improved. Currently, companies often have multiple domains and sometimes it's difficult to implement CyberArk in this kind of infrastructure. For example, you can add CPM (Central Policy Manager) and PSM (Privileged Session Manager and PVWA (Password Vault Web Access) for access, but if you want to add PTA (Privileged Threat Analysis) to scan Vault logs, it is difficult because this component may be adding multiple domain environments. 

CyberArk, as a solution, can easily adapt to a lot of environments, and you can add a lot of components to different zones, and that will work with the Vault. But not all the components, such as the PTA, can do so.

Also, it would be helpful if CyberArk added some features for monitoring machines when we access them. For example, they need to improve the PVWA. In general, when we don't use the PVWA, we don't have a lot of problems. For me, the PVWA is not perfect. I would like to see more features in the PVWA to administer our machines and to improve the transfer of data.

I have been using CyberArk Privileged Access Manager for more than three years.

I have implemented and maintained CyberArk solutions for clients, including creating administration functionality, such as platforms and support for users, so that everybody has 24/7 access to the account. 

I have also been involved in enhancing the solution by installing useful components and testing them. I would help analyze if a component could be of interest to the client and then implement it in production.

In general, I would help maintain the solutions and make sure that everybody can access the accounts, and that password rotation works.

I would rate WALLIX support at six out of ten, while CyberArk's support is a seven. The reason it's a seven is that we always have to send them the logs. Of course, we do get some response and they work on things, but sometimes we lose time on little tickets.

Neutral

If you have some experience, it is not complex to implement CyberArk. For me, the preparation is more difficult than the installation. Because CyberArk uses binaries, if you add good information, it will work. But if you miss something at the preparation stage, like the opening of the flows that you need, of course, it will be difficult. I know how the solution works, so it's not difficult.

First, you have to install the Vaults, and after installing them you can add PVWA to access the information. After that, you can install the PSM and then the CPM for the rotation, and that's it.

The time it takes to implement depends on the environment. Sometimes we work with complex environments and we have to adapt and collect all the information that we will need. We need to look out how the machines should be set up for the installation. It really depends on the size of CyberArk you want to install, including how many computers will be onboarded to CyberArk. There are technical and functional variables.

CyberArk is one of the best PAM solutions and one of the most expensive, but it works better than the others, so the pricing is fair.

I used to work on WALLIX Bastion, but CyberArk works better than WALLIX. WALLIX is a PAM solution, a French version, but when I was at another job I was a consultant on both WALLIX and CyberArk at the same time. That's when I saw that CyberArk is better.

It is simpler to upgrade the CyberArk environment and components than WALLIX. CyberArk has a user interface but WALLIX does not because WALLIX is installed on Linux while CyberArk is installed on Windows, making it user-friendly. Connecting is also simple with CyberArk. When a user connects to the PVWA, there aren't a lot of buttons. When users see the icon, they click "Connect" and connect. It is simple for them.

CyberArk can adapt easily to environments. For example, when we talk about connectors, CyberArk can easily connect to all the target machines these days. CyberArk can onboard network machines, Windows Servers, Linux servers, and Oracle Databases.

Web application passwords can be rotated. With its PSM and Selenium features, it enables the connection of a web application to CyberArk and rotation of passwords, so that it's not system accounts all the time. We can manage the web application accounts as well. CyberArk can also connect to the cloud.

When you work on CyberArk, you have to have more than one skill set. You are not just a PAM consultant because you manage passwords for all kinds of systems. You have to have skills in Windows, Linux, databases, and security because you manage those kinds of accounts. If you don't have those kinds of prerequisites, you can't work with CyberArk.

I started working on CyberArk when it was version 10.x and at this moment it is at 12 and more. The interface has changed and a lot of features have been added over that time. It's a good solution.

It is nothing but privileged access management. Most companies have servers, and for each server, they identify a generic ID to login. For example, if someone is an administrator, they will be using that ID to log in. So, we need to manage those IDs in a common repository, and that is why we have CyberArk PAM. CyberArk PAM is nothing but a common repository used to store passwords and manage them.

Managing passwords is a pain area in any organization. By using this tool, we have a set of policies and emerging technology where we manage these passwords.

It is a central repository. Therefore, if someone needs to access a server, then they go through CyberArk PAM. It provides a secure way to do this and CyberArk PAM records everything. For example, if you are connecting to a Linux server, then once you get into the Linux server and if it is integrated with CyberArk, it will automatically start recording everything that is being done. In most banks, seeing the recordings is very useful. If there are any gaps or something has happened which shouldn't have happened, then we can check the logs and videos. So, it gives security, in a robust manner, to the organization.

We have connected all the endpoints in our organization's servers. This has been an improvement. We are trying to connect any new servers being added into the organization to CyberArk PAM.

When it comes to PAM, it is always about compliance. It has a feature that enables you to access the password in a very secure way using encryption. You also need multiple approvals. For example, if you have access to CyberArk, it doesn't mean that you have access to the server. So, whenever you try to access that server, a request will go to your manager. Once he approves the request, only then will you be able to access the server. These are a few of the features that I like about this solution.

CyberArk PAM provides ease of access based on how they have designed it. It is clearly defined where you have to go and what you have to do. If you are an end user, it is very easy to use and provides a comfort level.

CyberArk PAM is able to find all pending servers that can be integrated, but we cannot get this as a report. We can only see the list of servers on CyberArk PAM. This is a problem that could be improved.

If you are an administrator or architect, then the solution is kind of complicated, as it is mostly focused on the end user. So, they need to also focus on the people who are implementing it.

I started using CyberArk PAM in 2016, so it has been almost six to seven years. I started with version 9, and now it is currently on version 12. So, I have used multiple versions of CyberArk.

Its scalability is good. It is available on-premise and they started having a cloud three or four years back.

Our environment is very small. We are managing around 2,000 users. Whereas, I have seen it managing users of 10,000 to 15,000 servers. We have around 30,000 users, and I have seen that kind of environment, though what I am currently managing is much less. When it comes to the Middle East, it is always regionally focused, it is not international. Our organization is specific to one country and not international.

The technical support is from the US. The only problem is that they reply during their own time zone. It has been a bit difficult to reach them, but we get the answers, they are just a bit delayed.

Neutral

We previously had Hitachi ID PAM. We switched to CyberArk because of the features and interface, where there is a bit of distinct difference between the two solutions. Though, the architecture is the same.

When you do an implementation, it is always challenging internally. While the setup is very easy because they give you tools for installation, you have certain things that you need to keep in mind when you implement it in an organization. These things become a kind of a roadblock. Every time that something comes up that you need to enable from the organization's side, e.g., if you have to unlock a few things on the organization's side, you must go through a process and some teams might not allow you to go ahead with it.

The deployment took three to six months.

For the deployment, we needed a solution architect, two consultants, and two people to work on the BAU. While it depends on your organization's size, we needed around five to 10 people to implement it. 

The ROI depends upon a company's capability to maximize the usage of this application. If you buy something, it is your responsibility to use it at an optimal level.

Previously, the pricing was very meager. They started publicizing and advertising the solution, growing CyberArk, as an organization. They also changed their pricing with that growth, e.g., the pricier the product, the more people who will purchase it.

Bomgar was one of its competitors, now it is called BeyondTrust. Another competitor was Thycotic. 

While CyberArk PAM has survived, it needs to be more flexible. They are currently focusing on the solution's GUI, but rather than the GUI, they need to focus on the solution's internal aspects, e.g., making the steps a bit easier. There are too many things to focus on and be aware of. So, they need to streamline it in a way where it is more compact.

You need to know the sizing of your company and not randomly use it, thinking you may need to use this solution in the future. You need to use most of the features, e.g., if you have 10 features, then your company should use at least seven features of CyberArk. If you are not going to use seven or more features, i.e., if it is below seven, you should not go for this tool.

We were using Secrets Manager for managing a few SSH files, but we are not using it anymore.

I would rate this solution as eight out of 10. CyberArk is a solution to problems being faced by multiple companies and organizations. It removes security threats and vulnerabilities from an organization in a secure way, and your credentials are handled in a secure way. Therefore, it solves this pain area in a company, and that is why I think they are one of the top tools.

I use CyberArk as a password vault and session recordings and to connect the server sites. I use some critical systems if I can access them, including workflows and mechanisms. 

It's really good. 

The digital vault is great. It protects our passwords and manages those passwords and changing periods.

There is some third-party access to our system's recording process. It's very, very important for us and we're glad they allow it.

It is a robust product. It's very stable and reliable.

The solution can scale well. 

The interface could be updated a bit. Right now, it's not very good. 

It is very complex and difficult to set up the solution. 

Maybe some customers have a lot of systems. For example, we have 1000 Windows systems and 500 Linux systems. I need a remote desktop management solution for the CyberArk. I'd like to be able to change desktops with one click. We'd like the next release to have remote desktop management tools. 

I've been using the solution for the last five years. 

The solution is very stable.

We no have had no performance issues; it's a really robust product. If I need more performance, I use another server, install another server, and improve our performance.

It is very easily scalable. 

We have 50 admins on this solution. 

We are using the solution to 70% capacity. We do plan to increase usage. 

We did use Delinea, formally Thycotic. That solution is really good, however, not fully secure. CyberArk is a more secure product - much better than Thycotic. Thycotic may be better in terms of its admin-friendly interface and integration, however, CyberArk offers more than vendor integration. It has massive integration capabilities.

The implementation and integration process is very, very complex. It is a robust product, however. I don't have to do a lot of setups, luckily. However, when you first set it up, it's very difficult as you don't really know what you're doing. 

The first 27% of the implementation took us maybe three months, however, for more than 95% of installation, it took us over one year. We had all the features up and running, however. 

We started with connection and session recording features, however, items such as password changing and other integrations, for example, firewall connection and switch interface connection were rolled out over the year.

You only need one person to maintain the solution. 

We had a third party help us with the implementation process. 

It's a yearly license that we pay. It is more expensive than other options. There are competitive products that are cheaper. 

I can't speak to the exact price. On a scale of one to five, with one being the most expensive, I would rate it a one. The license covers five servers. If you need more servers, you pay more. The same is true with disaster sites. If you need a disaster site, you are fine. It is included. If you need more, you need to pay for it. 

We did look at multi-factor authentification options and zero-trust network access. 

I'm not sure which version of the solution we're using. It's likely the latest version.

This is a fully secure product and integrates with a lot of different systems. I'd recommend the product to others. 

I'd rate the solution eight out of ten.

The most common use case is when you need to hide the management for the servers, switches, routers, et cetera. You can use privileged access for remote use cases.

In my company, we have a lot of servers, and the problem is when the users want to access these platforms. You can access all the architecture and knowledge with this product. It provides more access and visibility.

The password rotation and cyber gateway have been quite useful. It's a solution that allows you to search for passwords for your servers and accounts. This is the most feature power.

The solution is quite stable.

It is scalable on the cloud. 

The implementation is hard. For example, the on-prem implementation specifically is really hard to deploy. 

The solution does not scale well on-premises. 

This is an expensive product.

It's hard to get help from support if you are not certified. 

I've been using the solution for five years. 

The product is really stable. You just need to deploy a higher viability solution. However, you need to do a lot of budgeting to deploy that higher viability solution. You need at least 12 servers. It's really, really difficult to have a budget for that.

It is easy to scale on the cloud. It is difficult to expand it on-premises. 

We have 30 people using the solution in my company.

At this point, we do not have plans to increase usage. 

The technical support is really excellent. However, if you don't have a certification, it is impossible for you to receive technical support.

We previously used BeyondTrust and Centrify, among other solutions.

The initial setup is pretty difficult and it takes a while to put into place. 

You need at least six servers to deploy it and it's really difficult to have a budget for that - plus, the implementation itself is really hard. You likely have to dedicate one week to deploy the solution and another week or two to onboard all the accounts.

Basically, it's pretty complex to implement. 

We've used a consultant to assist us with the implementation. 

The ROI is really quick. If you have a compromised account, it can compromise your infrastructure, and the loss of the business is really high. With this product and the protection it offers, you can witness ROI immediately.

You need a large number of servers, and therefore it gets expensive to deploy the product.

The license is expensive. It costs us around $200 per user. 

We are using a privileged cloud and an on-prem cloud, an on-prem APD. We have a hybrid setup.

I'd advise potential new users to have very good scripting at the outset. If you don't, you'll have difficulties in the long run. 

While the solution is expensive, it's excellent. I would rate it ten out of ten. You definitely get what you pay for. 

We use this solution for privileged systems access with a high emphasis on security. End users are required to go through a process of being vetted in our NERC environment in order to use the solution. This product has been used by my company for about five years now.

This product has placed a new culture in my company by making employees more aware of IT compliance and cyber security. It has also placed us in a position to meet NERC CIP v6 requirements.

The Password Upload Utility tool makes it easier when setting up a Safe that contains multiple accounts and has cut down the amount of time that it takes to complete the task.

Using the PSMP (Privileged Session Manager Proxy) makes it extremely convenient for UNIX Administrators to utilize their favorite SSH client software (i.e. SecureCRT or Putty) to connect to a privileged target without having to go through the PVWA web login.

I would like to see the product enhancement with the Secure Connect feature. Today, there is no functionality to create "Accounts" using Secure Connect to permanently store a user's working tab. It is a tedious manual process of entering host IP information and user credentials into a privileged target system.

Currently, in Secure Connect, an end user is required to enter account information manually, and cannot save any of this information for future use. It’s a manual process of entering information all the time. Unless you are working with accounts already stored in “Safes”.

I have been using this solution for seven years.

We have noticed some stability issues with the PSM Servers. We've noticed that there may be a limitation on the number of users that a PSM Server can handle. We have two PSM Servers deployed in our Production environment and have come to a conclusion that we may need to add two more to stabilize the environment.

Upgrading to version 9.9 significantly reduced the stability issues with the PSM Servers and the limitation on the number of users that the PSM can handle.

CyberArk could use some improvement in their level of customer service. Sometimes, it can take more than a day before a Case that I have submitted online gets a response from tech support.

The level of technical support has been great. The challenge has been to get an initial response and sometimes follow-up from CyberArk Support.

If you are going to set up CyberArk for the first time, I highly recommend that you utilize their Professional Services. They are extremely knowledgeable and very helpful and will ensure that your implementation is a success.

We use Texas DIR when evaluation and making purchases of products.

We are currently on version 9.10. We would like to upgrade to the latest version some time this year. There is currently a CyberArk Security Bulleting CA19-09 that addresses potential administrative manipulations within the PVWA and the Digital Vault. CyberArk has released patch 9.10.4 to address the PVWA and they are working on releasing a patch for the Vault Server.

Primarily, I import accounts from our critical systems.  

Knowing that our passwords are stored securely within the vault has been a big improvement. It eliminates the need for users to store passwords in less secure locations.

We want to integrate it with our IT service management platform and our SOC solution, but that's a future project.

The password protection itself is the most important feature. It's something we didn't have before.

Moreover, the interface is intuitive. It is clear and user-friendly. 

The session monitoring and recording feature is also a good feature feature, but we're currently experiencing an issue with session monitoring not working correctly. We're working with CyberArk to resolve it.

We aren't able to view active sessions or historical recordings of sessions.

It is complex, which is something I know CyberArk is working on. They're trying to simplify certain administration tasks because a common critique is the level of complexity. But overall, we can do everything we need with it.

So, CyberArk could still focus on making it more user-friendly.

I have been using it for a year. 

So far, we haven't had any scalability problems.

We have around 50 licensed users – primarily administrators. We currently manage about 5,000 accounts with CyberArk.

Sometimes, the initial response time is a bit slow, but once the customer service and support take on a case, they resolve issues quickly.

Positive

CyberArk handled the primary setup tasks. We worked with a partner to implement additional components and now have the knowledge to manage the solution ourselves.

The implementation process took around eight months. 

There has been an ROI. 

We expect to see a full return on investment within the next three years. This was part of our long-term security plan.

It is expensive, but the cost is justified considering the security it provides. Compared to other solutions, it is costly. We have not tried other solutions, but the price is high. 

We only license Password Vault.

My company evaluated another solution like Delinea but preferred CyberArk due to its robustness and flexibility.

I like its flexibility, while adding some complexity, allows us to fully customize the solution to our needs.

One of the main advantages is the way we can connect from outside. We use a portal that provides secure access to our systems without needing a VPN. We just scan a QR code, and we're connected. We do not need to use a password and we are in through the QR code scan. 

I would recommend using it. Overall, I would rate the solution a nine out of ten.

It's a very complete solution for what we need.

The solution is primarily for security and access control. 

It's used to ensure and protect the complete IT infrastructure administrative account and the administrators and limit them to do any particular activities on the server and record all the activities on the server. it's for auditing purposes and for forensic usage.

We use it o identify if somebody internally hits the organization or tries to intrude and try to do a data breach or try to steal the information or do some kind of internal hacking. That risk can be eliminated using the tool.

CyberArk is one of the greatest platforms. It supports lots of requirements in the privileged access management area. 

From a configuration point of view, it is not very straightforward as per the deployment. The configuration is typical. However, when it comes to the integration piece, it has flawless integrations with lots of applications, whether it is out-of-the-box or customized. It supports any number of platforms. 

The company is very keen on looking at new applications to build out-of-the-box plugins. The support for the privileged single sign-on configurations with the application is excellent. 

Security-wise, the security is unbeatable compared to any other tool in the industry. They have a vault concept. They consider it similar to a bank vault. This is where they keep all the privileged admins' passwords. That particular vault has seven layers of security, which are unbreakable. It basically cannot be hacked. It cannot be hijacked. 

If something goes wrong, for example, if the vault is destroyed, your data is still protected. You can easily revive your data from that particular vault. It's a great capability. The security is excellent. It is very, very tight here. They support one signal protocol kind of communication with the internal products.

Where your password will be residing that is protected by a seven-layer of security. It has a web interface hosted on an IAS server on Windows. It has a CPM called central password management, which will do the password rotation. That is sitting on one other server. It has a session manager, which provides the single sign-on mechanism, privileged single sign-on mechanism, or automatic single sign-on to log into any infrastructure servers and applications. These are the four core products, and they integrate with each other and they integrate on one single port.  

If you try to intrude on the system or any hackers try to intrude the system, they will not be able to do that as the communication through this port is entirely encrypted. They will not be able to revive the data in real-time. It's a great security feature.

It supports hybrid deployments as well. It supports single standalone deployments for high availability with different kinds of deployment structures or topologies. This is a growing trend in the market. 

They can work on the pricing part. Its pricing is a big challenge here. When it started, the product came in at a very low cost. Now, they are the leaders in the market, so the cost has grown and is quite huge. 

I've used the solution for four years now. 

The solution is very stable. It's reliable and the performance is good. 

Every organization is different. Some are small, some are large, and some are medium-sized. This product fits all organizations. It is designed to be scalable. 

Technical support has been excellent overall. We are pleased with their level of service. 

The setup process is typical. It's not easy to set up. It depends upon the environment, the requirement, what the customer is looking for, et cetera. If, let's say, there's 1,500 accounts, which need to be protected and 10,000 servers, which need to be protected, the deployment can be done with the two-node setup. The two-node setup is okay. However, when it comes to the larger organization where we have lots of privileged accounts and lots of servers or when the account increases to 100,000 servers and 100,000 or 200,000 privileged accounts, in those cases, the product is complex.

You need to be well trained in order to be able to execute an implementation. 

The pricing used to be very competitive. I can't speak to the exact pricing. However, it is my understanding that it has gotten more expensive. 

I'm certified in CyberArk. Earlier, we worked with CyberArk as a partner. At this point, our contract is in a renewal state.

I'd rate the solution nine out of ten. 

It is a great product when it comes to security. From the security point of view, I would advise a new user to use this tool and deploy it in your environment since the security is unbeatable.

In our company, CyberArk is used to manage passwords for IP use. We use CyberArk for managing and automatically changing passwords in our managed system and environment.

We use it for coding privileged sessions, but we also use another solution for that, and CyberArk is the backup for this.

We are using the latest version.

It improves security in our company. We have more than 10,000 accounts that we manage in CyberArk. We use these accounts for SQLs, Windows Server, and Unix. Therefore, keeping these passwords up-to-date in another solution or software would be impossible. Now, we have some sort of a platform to manage passwords, distribute the inflow, and manage IT teams as well as making regular changes according to the internal security policies in our bank.

CyberArk PAM gives us a single pane of glass to manage and secure identities across multiple environments. This is quite important for compliance reasons.

CyberArk PAM provides quantitative risk analysis for every human and machine identity in our environment. This has a big impact on reducing risk. 

The PAM feature is the most valuable. It helps us to automate our jobs and administrative tasks. 

It also gives us a lot of features for compliance. Using this type of software is required by Polish law in finance and business in Poland.

We use CyberArk’s Secrets Manager to secure and manage secrets and credentials for mission-critical applications. The newest GUI is much better than the older version. Now, it is quite good.

CyberArk PAM provides an automated and unified approach for securing access to all types of identities that we use. This is very important to us.

I would like advanced RPA in the basic license. CyberArk has RPA, but we would need to buy additional licenses. It is not out-of-the-box.

I would like better support.

I have been using it for five years.

So far, we don't have any problems. We have implemented higher availability in CyberArk. So, maintenance or updates don't have an impact on our environment. We don't have performance problems or anything like that. The stability is very high.

I have had no problem with agility in this solution. Everything works fine and gives us an opportunity to act as we want.

According to the information that I have, we simply add more servers if we need it or have additional business requirements. So, scalability is high.

There are about 155 users. Mostly, they are our IT administrators and developers.

This tool is used daily in our bank. We don't have plans to increase usage right now.

We don't often contact technical support, but when we do it, the response could be faster and better.

Neutral

We didn't previously use another solution.

The initial setup was complex. Our deployment took three months.

We needed to scale our environment and implement the correct number of servers to prepare for a working environment.

Implementation of our CyberArk instance was done by an external company. It covered all our needs and requirements.

We have not seen ROI directly in money. However, we have seen ROI in quality. It increases security in our IT environment and provides the highest SLA for our systems.

CyberArk PAM helps save us time when it comes to onboarding new employees and providing them secure access to SaaS apps and IT systems. It is saving us about two to three days per new employee.

We use an old model for pricing. The new model is a subscription model on the cloud. 

The price of CyberArk support could be a little bit less. Otherwise, pricing is fine.

We did some benchmarking, without the tools, to compare the cost of maintenance and functionality. We compared CyberArk to Password Manager Pro from ManageEngine. CyberArk has more functionality and better stability, in our opinion. The price was very similar between the two solutions. 

CyberArk is a good technology partner. They help us a lot with maintenance and our security process management.

I don't have experience in the cloud using CyberArk. However, for on-premises environments, it works very well. I recommend it. 

I would rate the solution as a nine out of 10.