CyberArk Privileged Access Manager Reviews

My primary use case for the product is essentially to secure our privileged accounts, and it's performing amazingly.

What it allows us to do is to rotate the credentials for privileged accounts. It ensures we understand where the accounts are being used and that they are staying compliant with our EISB Policy, which is a policy to change passwords. Thus, attackers find it harder to get in and steal an old password which is just sitting out on a system.

We utilize CyberArk secure infrastructure. We are moving towards applications in the cloud, but we do not currently have that. We are also utilizing CyberArk secure application credentials and endpoints.

The benefits are the way it allows us to secure accounts, but also be agile with providing privileged usage to our users. It is performing quite well, because it allows us to basically do what the user wants us to do, but in a secure manner. So, everyone is happy. Most of all, we don't have any breaches.

It enables us to secure accounts and make sure they are compliant. Then, when the accounts are not compliant, it gives us the data so we can reach out to account owners, and say, "Your accounts aren't within our ESP policy. We need you to become compliant." This allows us to not only secure them, but keep track of what accounts are moving out of that secure boundary.

The most valuable would be the REST API on top of PTA, which we do not have installed yet, but we are looking to install it moving forward in the future. What it enables us to do is if someone takes a privileged account and logs into a machine that we do not know about, it will alert us and log that they have logged in. It allows us to take that identify back and rotate the credentials, so we now own it instead of the intruder going out and using a rogue account.

More additional features as far as the REST is concerned, because we have something which was the predecessor to REST. A lot of the features which were in the predecessor have not necessarily been ported over to REST yet. I would like to see that to be more of a one-on-one transition, and be fully built.

It is very stable. We are going to upgrade by the end of this year, if not early next year, to the most recent version 10.12.

The scalability is incredible. They just released Marketplace, and they are constantly releasing updates to the components and adding new components, like Conjur. This is something that we ran into with Secret Server and DevOps, so it is already scalable, but becoming more so in the future.

The technical support is wonderful. We get the right person. They answer very quickly, giving us solutions which actually work. If we can't get a solution from them right away, we can tap into the community with the tools that they have given us, and work with people from other companies who have already solved the same issue.

I was involved in the upgrading processes, but not the initial setup. Upgrading is lengthy, because we have quite a few components, but it is definitely straightforward.

It has started new projects at our organization. So, we can see where our current landscape is for our privileged accounts, then we try to make them more secure.

Try a demo, if you can. Make it a hands-on with some of the components and see what they offer you.

I have used other privileged account management tools in the past. This, by far, outranks them as far as features and usability. The integrations on top of that as well. 

Each new product that our company buys, we turn to CyberArk, and they are say, "Yes, we integrate with that."

I have used the new generator utility plugin once, so not extensive experience, but I have used it. It does work.

Most important criteria when selecting a vendor: They integrate with CyberArk.

The solution helps our developers access internal systems. It also helps us in Privilege Access Management.

The tool’s pricing and scalability can be better.

I have been using the solution for five years.

I would rate the tool’s stability a ten out of ten. It is stable.

I would rate the tool’s scalability an eight out of ten. The tool is scalable.

I would rate the tool’s setup a nine out of ten. The solution’s setup is easy. We have a good internal implementation team who completed the deployment in a few days. About five to six engineers worked on the tool’s deployment.

We have an internal integrator for the tool.

We have seen ROI with the tool’s use.

I would rate the tool’s pricing a six out of ten.

The tool is robust and our IT team is happy with it. It provides you with strong security.

We use this solution for privileged systems access with a high emphasis on security. End users are required to go through a process of being vetted in our NERC environment in order to use the solution. This product has been used by my company for about five years now.

This product has placed a new culture in my company by making employees more aware of IT compliance and cyber security. It has also placed us in a position to meet NERC CIP v6 requirements.

The Password Upload Utility tool makes it easier when setting up a Safe that contains multiple accounts and has cut down the amount of time that it takes to complete the task.

Using the PSMP (Privileged Session Manager Proxy) makes it extremely convenient for UNIX Administrators to utilize their favorite SSH client software (i.e. SecureCRT or Putty) to connect to a privileged target without having to go through the PVWA web login.

I would like to see the product enhancement with the Secure Connect feature. Today, there is no functionality to create "Accounts" using Secure Connect to permanently store a user's working tab. It is a tedious manual process of entering host IP information and user credentials into a privileged target system.

Currently, in Secure Connect, an end user is required to enter account information manually, and cannot save any of this information for future use. It’s a manual process of entering information all the time. Unless you are working with accounts already stored in “Safes”.

I have been using this solution for seven years.

We have noticed some stability issues with the PSM Servers. We've noticed that there may be a limitation on the number of users that a PSM Server can handle. We have two PSM Servers deployed in our Production environment and have come to a conclusion that we may need to add two more to stabilize the environment.

Upgrading to version 9.9 significantly reduced the stability issues with the PSM Servers and the limitation on the number of users that the PSM can handle.

CyberArk could use some improvement in their level of customer service. Sometimes, it can take more than a day before a Case that I have submitted online gets a response from tech support.

The level of technical support has been great. The challenge has been to get an initial response and sometimes follow-up from CyberArk Support.

If you are going to set up CyberArk for the first time, I highly recommend that you utilize their Professional Services. They are extremely knowledgeable and very helpful and will ensure that your implementation is a success.

We use Texas DIR when evaluation and making purchases of products.

We are currently on version 9.10. We would like to upgrade to the latest version some time this year. There is currently a CyberArk Security Bulleting CA19-09 that addresses potential administrative manipulations within the PVWA and the Digital Vault. CyberArk has released patch 9.10.4 to address the PVWA and they are working on releasing a patch for the Vault Server.

I have been working with CyberArk for the past five years. I do installations, support, and presales.

We have installed the CyberArk solution and have been using it as a PAM solution.

The main reason for having the solution in place is to isolate and monitor all previous activities that have taken place within the organization. The second thing is to make sure all the previous accounts have been onboarded to the solution and accurately monitored as well as passwords have been managed as per the policies defined. The third thing is to make sure users are unaware of their previous account passwords. Those should be centrally stored and located in one of the solutions where we can manage them per our policy or ask users to raise a request for internal workflows on the solution, in case of any emergencies. The last thing is for managing the service account passwords.

Initially, the IT team and other teams used to access the servers manually. Now, because of this solution, everyone is onboarded on the PAM and we can direct all sessions to the PAM. Also, we have control of all decisions and activities being performed. Along with that, we are satisfying audit requirements with this because we are getting reports to track what we need to comply with any regulated requirements. 

We have an option for protecting various kinds of identities. It also provides you with a medium for authenticating your systems, not only with passwords, but also with the PKI certificates and RSA Tokens. There is also Azure MFA. So, there are many options for doing this. It has a wide range for managing all security identities. 

The most valuable feature is CyberArk DNA, which is an open-source tool used for scanning all servers, like Linux or Unix. We can get a very broad idea of the scope and picture of the servers as well as their predefined vulnerabilities, the service accounts running on them, and the dependent accounts running on those services. We get a very wide scope for all our servers and environments. 

There are some other options like Privileged Threat Analytics (PTA), which is a threat analytics tool of CyberArk that detects violations or any abnormal activities done by users in the privileged solution. This tool is very unique, since other PAM program solutions don't have this. This makes CyberArk the unique provider of this feature in the market.

It is very easy to maintain passwords in the solution, instead of changing them manually or using other tools. So, it is a centralized location where we have accounts and passwords in a database based on our defined policies. 

Product-wise, CyberArk is continuously improving. For the last two years, it has brought on new modules, like Alero and Cloud Entitlements Manager. Alero gives VPN-less access to the environment. So, there are many new things coming into the market from CyberArk. This shows us that it is improving its modules and technology.

We can integrate the solution with any other technologies. This is straightforward and mostly out-of-the-box.

For DevOps, we are using Conjur with a Dynamic Access Provider. We use those modules to make sure identities on other environments have been secured. For Azure and other cloud environments, we have out-of-box options where we can do some little configuration changes to get those identities secured. We have a process of managing these identities for RPA as well.

It has a centralized page where you can manage everything. This makes work easier. You don't have to remember different module URLs or browser applications. It is very easy to get all the secure identities of other environments into a single page, which is very important for us as it helps a lot in terms of operations, e.g., reduces management time. This is a single page where you can manage all accounts and onboard them to the CyberArk. You can then secure and see passwords from everywhere. So, there is a single pane of glass where you can manage all the identities across environments as well as across different types of identities.

We have a module called Endpoint Privilege Manager (EPM) that is used for the endpoint, managing the least privilege concept on Windows and Mac devices. We also have On-Demand Privilege Manager (OPM), which is used on UNIX and AIX machines. Using these modules, we can achieve the least privilege management on endpoints as well deploying on servers, if required. 

The continuous scanning of the assets is limited to Windows and Unix. We like to have the solution scan any databases, network devices, and security devices for privileged accounts. That would be very helpful. 

For least privilege management, we need a different level of certification from privileged management. Least privilege management comes under endpoint management. It takes time to get used to it, as it is not straightforward.

I have been well-versed with the CyberArk product for the last five years of my career.

The solution is very stable. 

Once the project installation was done, we put this product into the environment based on the policies that we defined, but it had initial hiccups. The policies that we defined might have hampered and raised issues, but the product is very stable.

The solution is very scalable. The landscape gets improved every day. It is scalable because it integrates with Azure, AWS, and other cloud solutions. Also, we have modules that work for DevOps, Secrets Manager, and Endpoint Privilege Manager. So, CyberArk is not just a PAM. It covers most of the products in the threat landscape. We do not worry about scalability in terms of CyberArk.

Our primary support is partners with whom we are interacting throughout the project. Then, if an issue is not yet resolved, we will raise a case with CyberArk support. They have certain SLAs that they are following based on the seriousness of an issue. The response will be according to that. 

The support is good.

Positive

We didn't use another solution before we bought this one.

The initial setup is straightforward. They have done major reforms on the installation process, so now we have automatic installations. We just have to run a particular script, and that does the installation for us. We also have a manual installation and that is our legacy process. So, we have both options. It is up to the customer how to move forward, but it is pretty straightforward. 

RNS did the installation for us. Our experience with them was pretty good. They followed all the processes per project management standard. They tracked all the activities, making sure the project was delivered on time, which was good.

One dedicated person is enough for the solution's maintenance.

CyberArk DNA is free if you purchase the CyberArk solution. There is no additional charge for CyberArk DNA, which is great.

Before, I used to work as a system integrator. I looked into other PAM solutions, like ARCON and BeyondTrust.

Make sure your use cases are covered. Go for a small PoC, if possible, to make sure that all your use cases are covered and delivered per your expectations. Check whether the solution is on-prem or Azure and the resource utilization needed for implementation. For your IT expansions in future, check whether you will need any additional modules in future or if the existing ones will meet your future requirements.

With Secure Web Solutions, we could access any web applications from a PC. It was like a native tool where you could browse from your Chrome or any web applications, and the applications would be routed to the CyberArk where it was securing the web applications and access. However, this product was deprecated last year so it is no longer supported from CyberArk's point of view.

I would rate CyberArk PAM as nine out of 10.

From an industry perspective, you continue to see the headlines in the media about how bad actors have been able to take advantage of weak policies and security controls around access management within companies.  In these cases, the focus has been around employees that can access the most sensitive information, or have access to the very controls that operate and protect the firm.  Products like CyberArk, that provide controls for privileged access, have helped mitigate the threat of taking over those accounts that have the greatest amount of risk to an organization, particularly for those who are system administrators and have the highest powers in being able to access all levels of the technology infrastructure.

When it comes to the product's ability to standardize security and reduce risk across the entire enterprise, standardization is all about simplifying the complexity of IT threats and risks and it's all about the standardization of the controls that you have in place. If you have a product set that enables you to provide security, and it is consistently applied across a specific user base, then you have standardization which drives both enhanced security through the privileged access controls, and efficiency through the standardization of your operating model.

Availability is an interesting challenge, but it is part of an IT Risk Strategy.  When it comes to Cybersecurity, Privileged Access control is the ability to manage IT risk associated with the most powerful access to your infrastructure services.  This IT Risk can manifest itself as compromised information, manipulated data, or disruption of your IT based services. A Privileged Access Security product reduces the threat of stolen credentials and account takeovers of those profiles that would have the power to take down your enterprise.   Therefore, it not only reduces the risk to your firm, but also drastically improves availability. 

The most valuable features are its simplicity and the ease of implementation. When you think about privileged access management and the complexity of solving privileged access for those system administrators in your organization, CyberArk is a product that helps you simplify that problem and implement a standard set of security controls to protect the enterprise.  

In terms of the products ability to manage Privileged Access control requirements at scale; scale is really a function of two influences, which would either be the size of your infrastructure, or the complexity of your organizations operating model for those that have privileged access to your infrastructure services.  CyberArk scales quite readily across a large organization and through proper design and engineering is capable of expanding across a variety of use cases.  Like any technology control implementation however, it is always important to ensure you review and optimize the organizations support operating model, in order to ensure that you have the most optimal design and implementation of CyberArk.  

CyberArk has captured the individual privileged access space well. They've captured the application-to-application and DEVOPS space quite well.. They should continue to invest in optimizing the services, and help companies drive down risk associated with application based passwords, as this is an industry that is being closely watched by external regulators. 

CyberArk continues to stay close to the industry and are always looking for ways to improve  their products and service offerings accordingly.  There are 3 areas that I would call out, that CyberArk should continue to focus on:

1) Continue to help organizations understand how they align their strategies and roadmaps to industry trends and the overall cybersecurity threat landscape. 

2) Continue to help the industry innovate on talent , and position customers to be more successful in supporting their CyberArk implementations. 

3) Continue to help customers understand the Risk reduction capabilities and scorecards associated with their deployments.  Initiatives like the CyberArk Blueprint will help enable enable informed customers. 

The perceived stability of CyberArk is quite dependent on the complexity of the environment it is implemented in, and the overall design of the infrastructure, including both PSM and Vault technologies.  As an infrastructure it is quite stable; however, in complex network infrastructure environments, sporadic network disruptions could create issues accessing the various CyberArk network devices.

Scalability is a function of both technology growth, and integration capability.  CyberArk has not only continued to advance the infrastructure robustness of their software solutions, but through the C3 alliance they have also created integration opportunities with other IT Security and Access Mgmt products that allow companies to provide a full ecosystem of IT controls within their organizations.    This also provides an opportunity for companies to consider best of breed products, like CyberArk, and not have to restrict their decisions to a small set of technology tools that do not provide comprehensive Privileged Access Services.

CyberArk is a growing company and their technical support has continued to grow and mature across the organization. The one thing I'll say that CyberArk has been able to do is to continue to keep in touch with its customers and look into areas where there's opportunity to continue improving their technical support across the organization. CyberArk works with an integrated model: They have integrators within firms that will implement the product. But at some point, you always need to refer back to the software owners of the product to make sure that you're comfortable that what you've designed and implemented is in keeping with what their blueprint would have recommended in the first place. In addition, their technical support has continued to mature and grow to help customers become successful in their deployments.

What is complex is privileged access management. When companies look at implementing a software solution for privileged access management, if they actually haven't looked at the complexities of privileged access within their own organization — and I'm speaking more in terms of the business processes for that type of access across the organization — then any software tool is going to look complex because it's not going to solve the problem.

If a firm focuses on understanding their existing Privileged Access operating model, the inherent business processes, and the risk & pervasiveness of Privileged Access across their enterprise, then they will be better positioned to understand the business problem they need to solve.  CyberArk will then become a capability that enables them to solve their IT Risk issues with privileged access, and capitalize on the efficiencies with their new operating model.  The complexity seldom ever lies in the technology. It always lies in how well it integrates with the business processes that the firm is trying to solve as part of its deployment.

Privileged Access Management is a business transformation program.  It forces business to look at their overall operating model for system administrative and application based access, and develop a strategy that reduces risk overall to the enterprise. Once this strategy is completed, and a new operating model is conceived, CyberArk software and services becomes a very effective series of controls that enable the business to secure the most sensitive access to services, and allows the organization to operate within their risk tolerance. 

Far too often companies will treat the CyberArk product set as a software implementation, that becomes overly complex and evolves into a multi-year program. This is due in part to the legacies of technology programs, where the implementation will force business to rethink their operating model, and therefore delays, scope changes and cost of overall program becomes associated with the software implementation initiative. This is a consequence of positioning a Privileged Access program as a security software implementation, and not a true business transformation initiative. 

While CyberArk continues to adjust its licensing costs and continues to look at the comparisons in the industry and the ability to effectively and affordably help companies and firms solve their privileged access problems, companies also have to look at the overall cost of what a privileged access program means to their firm, and what shareholder value they gain as a result of implementing those types of products or services or business processes. In that context, they should start to look at what the comparison is against the software that they're using to enable those very controls they're trying to implement.

I've spent some time with BeyondTrust. I've spent some time with Centrify. I've had their products in for different instances and different purposes. They play an interesting concentric role in some of the areas that they focus on, but I wouldn't say I have one-to-one experience in other product sets.

CyberArk continues to innovate, as they refine strategies based on industry research and trends in the cyber security landscape, and incorporate the necessary updates to both their roadmaps as well as their product sets. The creation of the customer implementation roadmap, acquisition of Conjur for DEVOPS and the development of  Alero to address 3rd party secured access, are examples of product innovation to address  emerging risks within the  industry.  

I would rate CyberArk 8 our of 10;  although I do remain impressed with their existing set of product offerings, their cyber security roadmap & strategy, and their overall corporate philosophy, I do feel it is necessary for them to ensure they remain vigilant and maintain pace with an evolving cyber industry.  Significant disruption in the technology industry brought on by advancements in Machine Learning / AI, commoditization of cyber attack tools, and rapid deployment of IoT based technologies, summon the need to ensure companies do not become complacent in the agility of their security tools.

I have several passions. One of the passions I've always had is in organizational transformation and leadership. A second is really around the space for identity and access management. CyberArk has allowed me to continue, even after I've retired from the industry after 35 years, to still live that passion through their customers. I've been given the opportunity to provide some keynotes around organizational transformation. It's an exciting industry to be in and CyberArk has allowed me the benefit of still continuing to enjoy that experience.

The main usage of our implementation is to limit the credentials exposure to our third-party teams. They are able to connect to the end-points in a secure and isolated manner without needing to know any end-point credentials.

Our third-party teams are able to connect to the end-points in a secure and isolated manner without needing to know any end-point credentials. Besides this, end-points themselves are back in control when the passwords are managed by the CPM.

The two main features are the CPM and the PSM. This is to make sure that the credentials are managed in a controlled manner and the sessions that are launched are set up in an isolated way.

We are aware that in 10.6, the "just in time" access has been created. I would like to see this developed further.

The vault is almost a set-and-forget solution. Once the vault has been installed and configured, not much needs to be done in there apart from the occasional upgrade.

The environment is very easy to scale out. Especially running the CPM and PSM components in a load balanced virtual environment gives you the flexibility to quickly expand the environment.

This has been excellent for me. They always replied quickly, and most of the time the issue was resolved. The only downside — as soon as a ticket goes to the R&D engineers, you will have to wait a bit.

We did not use a PAM product before this.

The initial setup (for a UAT environment) was straightforward. During the planning of the PROD environment, it became a little more tricky with different network segments and method for accessing the environment itself.

We had a combination of in-house (with training), vendor (CyberArk) and third-party vendor. The third-party vendor Computacenter helped us with creating some design and documentation. I would not recommend this third-party to other people as they did not fully work with us and listen to our requirements.

We are still rolling out in our environment which makes the ROI difficult to calculate.

Make sure to use the latest licensing model as that will give you most of the "cool" features to work with.

One of the most important aspects is to ensure that the business is behind the solution. CyberArk suite will only work well if all users adopt the system.

The main focus of using CyberArk was to replace our previous Excel spreadsheets, which contained all of our passwords. The reason that we brought it in was to replace them and meet certain audit requirements.

We are using CyberArk to secure applications for credentials and endpoints.

We are planning on utilizing CyberArk to secure infrastructure and applications running in the cloud. It is on our roadmap for next year.

It allows me to create my custom CPMs more easily and quickly without having to code everything. It helps me build a lot of these codes, so it makes it easier for me to create custom CPMs and PSMs.

It allows us to be able to manage a third-party which is not natively supported by CyberArk. If there are certain legacy applications which are so old that CyberArk does not support them out-of-the-box, it allows me to be able to create custom connections and be able to manage those accounts.

• Ability to do workflow.
• Allows users to self-provision access to the accounts that they need.

There is some stuff that we still have not fully integrated, which is our AIM solution. We are having all types of issues with it. I have been working with Level 3 support on it, but otherwise, from a functionality perspective, everything has been working except for the AIM solution.

The new PVWA is great. I actually saw some of the newer functionalities, and the look and feel looks great so far. It is just a matter of getting us there. We need to be able to upgrade the environment. They have been able to get the functionalities I was looking for on some of the latest releases.

Stability is pretty good. I have not had any issues with it.

Scalability is pretty good. I have not had any issues with it. It should meet my company's needs in the future.

For what I was using technical support for, they were really knowledgeable. They were able to resolve the issues that we had. I have not had any problems with them, though it took them a bit of time. A lot of times, they did not escalate it right away, not until three or four tries, then they did escalate it to Level 2, possibly even Level 3 support.

We were previously using Excel spreadsheets. We changed because of audit requirements, but a lot of times it will due to usability. We understand that having our password in a spreadsheet is a huge vulnerability, so it is one of the things that made us look for a solution to manage those credentials, and create automated workflows around it for audit requirements.

The initial setup was pretty straightforward. I think the implementation only took a couple of days.

We had someone from the CyberArk team helping us with the implementation.

One of the processes that we have defined is called a Fire ID process, where to be able to get a Fire ID. It requires a user to call the help desk. The help desk will create a ticket, then contact the employee's managers to get approval, and then provide them with an account. That process, in some cases, can take hours.

With CyberArk, it allows us to streamline and create a workflow which allows them to automatically log into CyberArk, grab the credentials that they want, and it automatically sends their approval to their manager, who can click a couple buttons, approve, and the user is able to get their credentials. That process went from hours to now just minutes.

We looked at Leiberman, and also at Thycotic Secret Server.

One main things that stood out about CyberArk would be the actual user interface. CyberArk's interface was better than the other two, and their price points were fairly similar. The usability and functionality were similar, so we looked at it from a user standpoint (the front-end of the tool), and CyberArk came out on top.

My advice is to have the necessary resources to fully implement this. Don't just bring it in and let it sit. It needs to have the resources with a fully dedicated team to be able to get this functional. Otherwise, it will be sitting there not being fully utilized. There are a lot of functionalities that require a lot of resources to get it up and running.

I have been using the new plugin generator utility for about a year. I took a PSM Connection course this past summer. I have been using it ever since.

Most important criteria when selecting a vendor: 

1. It will be usability of the product. I want to make sure that when we have the product, we can quickly use it and have a full understanding of it without all the hoops that we need to jump through just to be able to understand what that system looks like or how it works. 
2. The next thing will be support. How will they be able to support the system? Do they have a good support staff who will be able to help us get through an implementation? 

Those are the two main things I look for: the usability and supportability of the tools.

The primary use case is, of course, that we do the EPV for password vaulting and security changing, and prior to version 10 we were excited and it functioned perfectly fine. There are a few glitches with version 10 that we are not really happy with, but the functionality itself still exists and it's working like it should.

We actually have our vaults in the cloud. I don't know if we have any applications in the cloud that we're planning on managing, yet. We're not really a big AIM shop just yet, so I don't know if we're planning on utilizing CyberArk to secure infrastructure applications running in the cloud.

We're looking forward to utilizing CyberArk to secure application credentials and endpoints, however right now we have three or four AIM licenses.

It increases the security posture across the entire enterprise because it's not only helping to secure those infrastructure accounts but it's also helping to secure our user accounts as well.

It requires a lot more auditing and monitoring and checks. So if you don't have the right approvals, you can't get the credentials you need to do what you need to do. So if you don't have authorization, of course you can't get them anyway. In total, it's making the environment more secure. The security posture is a lot better.

I love the ability to customize the passwords: the forbidden characters, the length of the password, the number of capital, lowercase, and special characters. You can customize the password so that it tailor fits, for example, mainframes which can't have more than eight characters. You can say, "I want a random password that doesn't have these special characters, but it is exactly eight characters," so that it doesn't throw errors. 

And then, of course, the users have the ability to rotate those passwords on a daily basis with a Reconcile Account. Or, if they want to do one-time password checkouts, we can manage those, check in, check out. I like the flexibility of the changing of the password, specifically.

PSM is pretty cool, but my favorite part is I get to secure your passwords that you get to use either with or without PSM.

We had an issue with the Copy feature. Of course when we do the password rotation we restrict users' ability to show a copy of their passwords for some cases, and in other cases they actually need that ability, but we would prefer them to copy to the clipboard and then paste it where it needs to go - as opposed to showing and it typing it somewhere and you have the whole pass the hash situation going. But apparently, in version 10, that Copy feature does not work. You actually have to click Show and then copy the password from within Show and then paste it. We've had a million tickets and we had to figure out a workaround to it. 

Then there is the failed authentication now. I don't know if that was a glitch or if that was an update, because I know sometimes you don't really want to tell a person when their account has been suspended because if I'm a hacker, maybe I'm just thinking I have the wrong password. When the account is locked you don't actually want them to know the account is suspended. However, since we are the CyberArk support within our organization, we need to know that the password is suspended and we won't know that unless we have the ITA log up.

So when a user calls and says, "Hey, I'm locked out of CyberArk, I can't get into CyberArk," we have to go through all of these other troubleshooting steps because the first thing we don't think of right now is, "The account is suspended," because normally we would be told that the account is suspended. They would take a screenshot of the error and it would say, 'Hey, user is suspended, station is suspended for user so-and-so." It doesn't say that anymore. So now it just says "Failed authentication." And that could be because they might not be in the right groups in Active Directory, they might not have RSA. It could be so many different things, where before, they would be able to say, "Yeah, I'm suspended." And we could say, "Okay, we can fix that in two minutes." We just log in to PrivateArk and enable your account and you're fine. Now we're saying, "Maybe we should check PrivateArk first, just in case," to make sure you're not suspended. It's going to be a whole rabbit hole that we fall into, simply because we're not given that information upfront.

In terms of future releases, I would love to be a partner again and get a temporary license that I can put back in my home lab because my license expired. I would like to play with 10.4. I want to see it and feel it out and see if I can break it because my rule of thumb is, if I can break it, I can fix it. That is one of the things I like about CyberArk, especially over CA PAM, because with CA PAM you get no view into the back-end on how it's configured and how it's built and how it works. With CyberArk, they literally give you everything you need and say, "Hey, this is your puppy. Raise it how you want." You get to see the programming and you get to configure and everything. I've broken several environments, but I'm pretty good at fixing them now because I know how I broke them.

Prior to version 10, I was gung-ho CyberArk. I wish we would have waited until version 10.7 as opposed to 10.3. But for the most part it's stable, it's just that there are glitches in the matrix right now. We'll have to work those out.

I have worked with both CyberArk and what was formerly Xceedium and is now CA PAM, and in my opinion, I'm gung-ho CyberArk. CA PAM is not scalable like that at all. I love the fact that the different components can be installed in multitude or in singularity on different servers.

I understand the concept of it being an appliance, and technically it is an appliance because of how CyberArk hardens everything. But the fact that I can put my vault here in a central location on one net for example, and I'll have a CPM in California, a CPM in Texas, a CPM in New York, a CPM in Florida, and actually be able to grow with my company and not necessarily have to continue to grow my vault until I get to a certain number accounts - yet I can still manage everything across the country, if not the world - I love that. I love the flexibility and the capability of being able to pull those components out.

I'm not a fan of technical support with CyberArk. It's like jumping through red tape and hoops. Quite frankly, it's almost like when you call CyberArk you get the Help Desk or the level-one. I'm a level-one. I got the CCD, I know how to do the initial troubleshooting. When I call CyberArk it's because I can't figure the problem out. So I need a level-two, three, four. I don't need you to tell me, "Hey, open a ticket and then give me logs."

I would like to say, "Can I get a WebEx please? Can you just look at this because I can tell you exactly what I did and how I did it, and then I just need you to help me fix it, because we've been doing this for about 30 minutes now, and when it gets to an hour it's going to start costing my customers money. So can we fix this today rather than tomorrow?" I'm not the biggest fan of tech support.

I have had experience with CA PAM. That's the only other password vaulting technology that I've used so far. I've used SailPoint IdentityIQ, but that's not really password vaulting. Apparently, there is a partnership growing that allows you to provision CyberArk through SailPoint, which I worked on with the CDM project - and it was a headache last year. So I'm excited about the new CM technology that they have that's allowing for that integration, but other than that, I haven't really done much.

I have done several installations for the CDM contract of CyberArk and I've done several upgrades as well.

The installation is as straightforward as it comes. There are some glitches, but it's not with CyberArk, it's with the environment that I'm installing in. In that environment they don't ever follow directions, so we have to get there and say, "We need you to rebuild your vault because you did it from an image and not from the CD, and it's not supposed to have any GPOs, it's not supposed to be on the domain. CyberArk tells you this in their paperwork. We told you this." But, of course, they don't listen. We get there and they spend a day telling us, "Hey, we have to rebuild our server." And we say, "Okay, well thanks for those eight hours. I appreciate it."

The biggest return on investment would be the security itself. I've seen ethical hackers that attempted to infiltrate a component or a department in the agency and they were stopped at the gate. They tried every which way they could and they just couldn't get the passwords they needed to get to the elevated accounts to get to where they wanted to go. So it was just great to see CyberArk in action.

Do your research. That would be my biggest advice. CyberArk is a great tool. However, it is not the only tool that does what it does and, in some cases, for a lot of people, other passport vaulting tools are more toward what they would need in their environment.

I would give CyberArk an eight out of 10, and the two missing points would probably be mostly because of technical support. I would love to actually get the support that I asked for. I would love to actually get the help that I'm asking you for as opposed to you telling me, "Yes, I can help you. I need you to fill out these papers and jump through that hoop and then cut a cartwheel and rub your belly while you pat your head at the same time." If it wasn't for that, it would be more towards a 10.

My most important criteria when selecting a vendor are

• credibility
• functionality.