CyberArk Privileged Access Manager Reviews

The primary use case is for password credential management of privileged accounts. The product has performed very well, and we will continue to invest in this space because the CyberArk tools are working well for us.

We are using it to manage infrastructure and applications in the cloud, rotating credentials which are used for operating system logins and cloud console credentials.

We have a lot of privileged accounts with a lot of administrators. The only way to have a good handle on the inventory of accounts, and have some type of controls around who has access to the accounts, is to have a tool like CyberArk.

The key aspects of privileged access management are being able rotate passwords, make sure someone is accountable, and tie it back to a user (when the system is being used). This helps our security posture. We also look at other privileged accounts, which are used by overlooked applications, and this provides a benefit to the company. 

The most valuable features would be:

• Ease of installation
• Support for every use case that we have come across.
• Application credentials: We have been able to manage them in CyberArk, whether they come as a custom plugin or straight out-of-the-box.

Some of the additional features that we are looking at are in the Conjur product. So, CyberArk has some of the features we want covered either by utilizing Conjur's features or by integrating Conjur directing into the CyberArk tool. I am specifically discussing key management, API Keys, and things for connecting applications in the CI/CD pipelines.

Stability is great, especially as the product matures. I have been using CyberArk since version 4. We currently are using version 9 in our production environment, and are looking to deploy version 10. Version 9 is very stable compared to the previous versions. 

Scalability is great. We have no problems. 

We have a very large, diverse, global environment, and we have not run into any scalability issues. 

Technical support is very good. We have had a technical account manager (TAM) in the past, and have worked directly with her as our primary source. However, we also contact other people in the support environment, and they know the product well and are always willing to help out.

I did an initial installation at another company. It was pretty straightforward. 

CyberArk offered to help with designing the architecture. Once we got all those pieces sorted out, the implementation was easy.

I don't know if anyone has done a true number analysis, but we do see the following:

• The amount of time that people used to spend maintaining credentials;
• The amount of time that used to be utilized for audit purposes and who had which accounts at any point in time.

There is ROI on the actions above because the amount of time that it took to do these tasks has been significantly cut.

If you are starting from scratch with the product, you should take a good inventory of your accounts to know what is in the scope. Start off with the password management aspect of it, but also look into things that provide session management, SSH key, and rotation. These are some of the basic things a new company using privileged access should look for.

CyberArk is always willing to take feedback from the customer and are looking for ways to improve. There are all types of programs within CyberArk to take that feedback and incorporate it into their product.

I have experience using quite a few of the plugins, but I am not familiar with the new generator utility plugin.

The most important criteria when selecting a vendor: They need to understand our environment. We have a very complex environment at a very large scale. They need to show that they have a product which can meet the needs of a large organization like ours, and find solutions from old legacy environments to everything through the cloud.

We currently employ CyberArk Privileged Access Management, which involves extremely complex processes for ensuring the secure management, verification, and guarantee of credentials. Implementing the professional installation tool represents another challenging aspect of this task.

The most valuable feature of CyberArk Privileged Access Manager is privileged threat analytics.

The support could improve for CyberArk Privileged Access Manager.

I have been using CyberArk Privileged Access Manager for approximately three years.

The solution has high availability.

CyberArk Privileged Access Manager is highly scalable. When compared to other solutions it scales well.

I plan to use the solution more in the future.

The issue of technical support is crucial, as there are not many specialized partners available in Brazil to provide this service. While English language support is of good quality, there is a significant shortage of partners capable of meeting the demand locally.

The initial setup of CyberArk Privileged Access Manager is easy.

We have received a high ROI using CyberArk Privileged Access Manager.

The price of the solution is reasonable.

I rate the price CyberArk Privileged Access Manager a seven out of ten.

Individuals who wish to utilize CyberArk should be cautious when selecting a partner to implement the solution, as proper architecture design is essential to ensure a streamlined and effective implementation.

I rate CyberArk Privileged Access Manager a nine out of ten.

We use it for service accounts and local accounts for the machine. We are basically using it to rotate passwords or reconciling passwords, as needed. We do have a number which get changed on a yearly basis (most do). Some get changed on a more frequent basis. Users go into the safes that they have access to or whatever account they need, and they pull it. That is our use case.

It is performing well. However, we need a bit more education for our user community because they are not using it to its capabilities.

We are interested in utilizing the CyberArk secure infrastructure or running applications in the cloud. We are actively implementing Conjur right now just on a test basis to see how it goes.

It gives us the capability to rotate passwords. That is the biggest thing. We do not want them being stagnant so every service account that we have needs to be rotated at least once a year.

Being able to automatically change usages, whenever the password is reconciled. However, we still have to educate the user community, because not all our users enter the usages.

PSM: I am going to go back to my company and push for it a little bit more within our groups, because I know that my counterpart has brought it up a number of times in the past. It has been getting blocked, but I have a couple of other paths that we can pursue so we can try to get it, at least, in our infrastructure and tested.

It has been stable. We have not had too many issues with it or any downtime.

It should be able to meet our needs going forward. I don't foresee us leveraging thousands more accounts than we already do. I think it will be fine.

I have done many upgrades on many different systems and applications. It was more of a difficult upgrade path only because there were a lot of small things which could have been done if it were prepackaged into scripts inside the executable during the installation. For example, it automatically stops services so it can do the upgrade. 

There were a lot of manual steps which could have been automated. I read the 10.4 release that was sent out about a month or two ago, and I saw the steps required for upgrade have been reduced by about 90%. That was a big thing for me, but I still haven't seen that yet because we have not upgrade past 9.9.5.

The ROI on this is just being able to rotate on a 365 day schedule the passwords.

Educate the user community once you get it actively deployed and set up a strict policy on it.

Most important criteria when selecting a vendor:

• Good reputation for technical support
• Product that does what it is supposed to do.

CyberArk is managing our privileged accounts: most of the service accounts, admin accounts, and all other privileged accounts on different platforms including Windows and Linux. A lot of databases have already been onboarded. At the moment we are working towards integrating, or implementing, the AIM product to make sure those hard-coded credentials are being managed by CyberArk, instead of being directly coded in.

The plan is to utilize CyberArk secure infrastructure applications running in the cloud, but we will definitely have to upgrade our knowledge. Conjur is one of the very important things we are currently considering, in addition to, of course, AWS and Azure. We have to get ourselves up to speed. So at the moment, we are setting up the platform, but eventually, that is what the goal is.

Currently, we are not using CyberArk secure application credentials and endpoints.

It helps us in identifying and detecting the major threats and vulnerabilities and to make sure those vulnerabilities are addressed before something bad happens. It is more of a preemptive solution, to take care of our weaknesses and overcome them.

We have been continuously monitoring, reporting, and observing where we were a few years ago, or a few months ago, and where we are now. There is continuous improvement in our security posture and that is where the satisfaction is. The solution is really doing what it is supposed to be doing, helping us to improve our security.

The most important feature is managing the credentials and implementing those policies which rotate the credentials. Session Manager is also key in not letting the users have access to those credentials. Instead, CyberArk actually manages everything by itself.

As a customer, I might need a plugin for a specific product, or an application, and CyberArk might have already worked with some other client on it. There has to be some platform where it is available for everybody else to go and grab it, instead of my having to reinvent the wheel.

So far it has been absolutely wonderful. Of course, the initial glitches, the initial testing, the adjustments in implementation are there. It takes a lot of effort but, once it was all set and it started doing its processes, I haven't seen any concerns or issues.

We haven't had any post-implementation downtime at all, because we have our infrastructure set up in a way that we have active-passive standby on the CPMs. We have PVWAs in a load-balanced environment, we have multiple PSMs in a load-balanced environment as well. They compliment each other, so even if there is work or maintenance happening on one of the components, the other component is there to provide support, and ongoing access to all the users, without having any downtime.

The scalability is definitely very powerful. We did upgrade it, migrate it, a couple of times in the past. Previously I was involved in migrations and, of course, adding more resources, or more accounts - onboarding. It has been amazing.

Occasionally when we are doing a new integration, or run into issues we are not able to fix by ourselves, we use technical support. Escalations have been done, and the support has been absolutely outstanding.

For the initial setup, where there are out-of-the-box plugins, it is pretty straightforward. But when we start going into a more advanced level, where a new plugin has to be developed, or the connection component has to be developed, there is a bit of a complexity. But again, nothing too complex, nothing which cannot be achieved.

Technically, just managing all those privileged accounts and securing our environment, we feel it is much more secure than it was before. So the ROI it is definitely working out.

Take this solution over any other solution. In fact, I have personally brought a couple of my old colleagues with a technical background into this product line so that most of them are now certified on CyberArk and working in the same environment as well. 

Without doubt CyberArk is a 10 out of 10. From my experience, the kind of work I have done with this solution, it's absolutely amazing. It has the capabilities to secure the environment, which is the most important part. Anytime we hear any news of breaches elsewhere, that's when we say, "Hey, they should have done something, implemented the solution before they were hit." Once they are hit, they run around and try to fix the problems. But CyberArk, it's an amazing solution.

When it comes to selecting or working with a vendor, our most important criteria are access to support, what level of support is available, how fast the turnaround can be. The executives or the account team have to be very accessible to us, so if we need to implement a new product or new integration we should at least be able to get hold of the people who can guide us in the right direction.

The primary use case is increasing security and our security posture at our company, helping to prevent any future breaches and secure as many privileged accounts as we can. We have a lot of use cases, so there is not really a primary one, other than just trying to increase our security and protect our most privileged accounts.

We do not have a large cloud presence as of yet, but like other organizations, we are starting to get into it. We have a fantastic adoption of CyberArk that extends all the way up through executive leadership. A lot of times, projects and proof of concepts that we want to go through are very well-received and well supported, even by our top leadership. Once we get to the point where we are ready to do that, I think we will have executive support, which is always incredibly important for these types of things. 

We are in healthcare, so we are a little bit behind everybody else in terms of adoption and going into these types of areas. We are a little bit behind others in terms of cloud, but we will definitely get there.

Right out of the gate, three years ago, we secured all of our Windows Servers and all of our local administrator accounts. We followed that with all of their root accounts for our Unix servers. We were able to greatly increase our posture with local accounts. Then, we went through domain admins and reduced the landscape and password age of those accounts. We have demoted a lot of domain admins and taken a lot of that away from people, giving it a shared account structure. This has worked well for us to be able to protect our most sensitive assets. We call them crown jewels. It has been important to be able to do that, and CyberArk has allowed us to do that, which has been great.

We have tightly integrated CyberArk into a lot of our different processes. Our security organization is massive. We have a lot of different teams and different things moving. Not only have we integrated this into our identity access management team, so onboarding and offboarding, but we also have integrated it in our threat management side where they do security configuration reviews before we have applications go live. We require these accounts that operate those particular solutions to be vaulted immediately. We have implemented them into a lot of our policies, standards, and processes. It has helped us with our adoption with other teams, and it has also helped us to integrate it at the ground level.

It has an automatic password rotation. We have so many accounts, and being such a large organization, it helps take a lot of maintenance off of our plates, as well as automating a lot of those features to help increase our security. Having this automation in place, it has really been beneficial for us.

We do use their AIM solution for application credentials.

One of the things that I have been wanting is that we use the Privileged Threat Analytics (PTA) solution, and it is a complete standalone solution, but they will be integrating it into the vault and into the PVWA. So, we will have that singular place to see everything, which for us is great because it's one less thing to log into and one less thing that you feel like you have to jump over to get a piece of information. Having a centralized place to manage the solution has been something that I have always wanted, and they are starting to understand that and bring things back together.

Three to five years.

It is phenomenal. We have three data centers across the United States. This was last year or the year before, we had one of our data centers altogether go out, and a very large amount of our critical applications went down. CyberArk stayed up the entire time. We had redundancy in another data center and we had disaster recovery plans already set up and ready to go. In that time, when everything was so hectic and everybody was scrambling, trying to get the data center back up and available, they were able to access the privileged credentials that they needed because our solution remained up and available.

This was a huge for us. To have the users of the system feel that it is stable, trustworthy, and dependable. We have had great success with the disaster recovery functionality that we have with CyberArk vault. We test it frequently, and it is stable for us. We have been very pleased with the stability of the solution.

So far, it has been fantastic. We are a very large organization. We have approximately 110,000 employees and almost 20,000 accounts vaulted, where there is a lot of room for us to continue to grow. Even at the scale that we are at now, it has never had any kind of issues. We have never had any issues with deploying additional things. We do have some room to grow in some of our components servers if we need those, but everything that we have stood up so far has been operating flawlessly. We have not had any issues with our scale. It has been great.

We have contacted them less frequently as we have become more familiar with the solution. A lot of times now engaging technical support is more for sanity checks, and saying, “Are we doing this right or are we missing anything?” We have utilized them and have had pretty good success with having them help us with particular issues.

When we have called them, it has been something which has been a challenge for us. We generally get to the right person. Sometimes it takes us a bit of time and some further explanation to say, “This isn't exactly what we're asking." Then, we need to pull in somebody more technical or a next level of escalation. 

The customer success team has been monumental in helping us get the right people involved. If we log a support ticket, for example, and we are at a point in our maturity and our understanding of the solution that Tier 1 support is usually not what we need. We have done a lot of our own checks and troubleshooting, and we are able to say, "Here is all the stuff that we've done. We need the next level of support."

The customer success team has been monumental in pulling in the right people and helping us get to the right people on that side rather than working with the support person and saying, “We pulled this person in.” Sometimes, it is pulling in the solution manager or the team lead for that solution and getting to the top of that team almost immediately. We have had great feedback. The customer success team has been at the center of helping us get to that point.

We did not use another solution before CyberArk.

The big thing that was a catalyst for us to look at CyberArk was the Anthem breach that happened back in 2014 or 2015. Being a healthcare organization, our executive leadership realized that we are a big company. We are not immune to these sorts of attacks either. We have got to get something in place. Being best of breed, we turned to CyberArk for that. Again, it has been a fantastic partnership, and has both ways; we've been able to help them. They have been able to help us quite a bit as well. 

The initial setup was straightforward. We did have an implementation engineer from CyberArk who walked through it with us. He guided us through the process. Even though the documentation is straightforward, there is a lot there to do with a lot of different components which make it up. In and of itself, there are a lot of moving parts, but having that implementation engineer onsite, helping us walk through it helped us be very successful quickly. We also had the same experience when we went through upgrades where we contracted with professional services to help us. They have always had someone out there who guided us through it, either onsite or remotely. We have had both instances and both have been very successful.

I was the primary engineer and lead engineer who stood up the entire solution. I was both solution architect at that time, as well as the solution engineer. I have since moved into the architect role and have backfilled my position. However, I was there at the very beginning and did all of the initial setup.

The first year that we were standing up CyberArk, our organization did an annual pen testing. In one of our organizations, where we didn't have CyberArk deployed yet, they were able to escalate privileges and get all the way to a domain controller, and go all the way that an attacker would be able to. The next year that they did their annual pen testing, after we had deployed in that same region, they basically got stopped almost immediately, and they were never able to escalate their privileges. We stopped the pen test in their tracks because of the solution being in place.

While that may not have a dollar amount because it was just a test, it gives us a lot of peace of mind. Of course, we can't always say that it is impossible for somebody to get in. Someone is going to eventually get in, that is bound to happen. Knowing that we have the solution in place and reducing that threat landscape as much as we have, has been phenomenal for us, at least from an intrinsic value standpoint.

We did not evaluate other solutions. We automatically went with CyberArk.

CyberArk is a fantastic solution. They understand what the industry is trending towards. They are able to meet that very quickly. Being in healthcare, we are a little bit behind the times and we follow people a little further behind (for example, the financial sector has been doing all this stuff for so long). However, healthcare, as an industry, is always a few steps behind because we are clinical and have to support a lot of different clinicians, physicians, and regulations, which sometimes makes us move more slowly. Just having this has been huge for us.

One of the things which has differentiated us from other customers from CyberArk is we have been tremendously successful in rolling out different implementations. There are a lot of clients whom I have talked to personally who have bought the solution, but have never implemented it, or they have been met with a lot of struggles or a lot of uphill battles with their staff and adoption. My best advice would be to start out and find the quick wins, the low-hanging fruit; these things you can provide to your organization to have them understand and see the same value that you are seeing as you are implementing.

I am familiar with the the new plugin generator utility. I have not used it because I think it is a newer version than what we have, but I am excited about it. I am looking forward to utilizing it. It is similar to what they have for their PSM solution. They have some new web services framework, so they do not have to use the AutoIt tool because it takes a long time to create plugins today. Like the plugin creation utility, it will allow us to take a whole lot of time off of our turnaround to be able to provide some of these connection components.

Most important criteria when selecting a vendor: Because we have so many applications and solutions across our organization, interoperability is a big thing. I am in charge of CyberArk, as well as Duo, who we use for our two-factor, and having that integration point or the ability to integrate with these solutions is huge for us. As we try to standardize across all of our different organizations, which is very difficult in our industry, what we offer for a particular solution rather than having 30 different iterations of different applications, has been huge for us. Standardization and integration is a huge point for choosing a vendor.

We use it to harden our passwords for privileged users. We also utilize CyberArk to secure application server credentials.

We plan to utilize CyberArk's secure infrastructure and applications running in the cloud. We have AWS now. That is our next avenue: To get in there and have that taken care of.

If any intruder gets inside, they would not be able to move around nor do lateral movements. It minimize any attack problems within our network.

It keeps us from having to fight with passwords or groups which are not getting onboard with the program.

We are able to rotate privileged user passwords to eliminate fraudulent use.

The web access piece needs improvement. We have version 9.5 or 9.9.5, and now we have to upgrade to version 10. 

Stability is rock solid.

Scalability should not be an issue with us. Our implementation team sized it real well when we received it. We are a younger installation, so we have a long way to go. We have not seen the top end yet.

The technical support is great. They are very responsive.

I was not involved in the initial setup.

CyberArk is the best out there. Their product makes our privileged access management so much easier.

For privilege access management, there is really no choice but to implement this or a similar solution. It is the last bastion that companies have. Firewalls used to be the perimeter and the place to be. Nowadays, intruders can walk through the perimeter (the firewall). So, we have to get on the inside and get it tied down. They are not very many people playing in this market. CyberArk is on the top, so there should not be any reason not to go with it.

Most important criteria when selecting a vendor:

• Best of breed
• Top quality support organization.

Our primary use case is to secure privileged access. 

Right now, it is performing fairly well. We have had instances where we have had to work with the customer support to integrate a custom plugin and struggled a bit there. It took a bit longer than we expected, but it ended up working out. Most of our focus now is getting our systems into CyberArk, which has nothing to do with the CyberArk software. It is just being able to communicate with our internal team to get them in there. So far, we haven't had a problem with CyberArk.

The product is for hardening access and making the organization more secure, therefore reducing chances of a breach. That is the most beneficial to any company, avoiding any type of data loss which will reflect negatively on your company. Once that happens, you are frowned upon, and nobody wants that.

It plays a huge role in enhancing our organization's privileged access and security hygiene. We are using it for most of our open systems, like Windows and Unix. Our plan is to integrate it with our entire internal network. 

The central password manager is the most valuable feature because the password is constantly changing. If an outsider threat came in and gained access to one of those passwords, they would not have access for long. That is critical and very important for the stability of our company.

One of the main things that could be improved would be filtering accounts on the main page and increasing the functionality of the filters. There are some filters on the side which are very specific, but I feel there could be more. For example, I want to look at accounts which are not working within a specific safe all at the same time.

So far, so good with stability. We have done a couple disaster recovery exercises with CyberArk, and they have gone according to plan.

We have not gotten to scalability yet, because we are still working on integrating our systems. We have a very minute portion of it. 

So, scalability will come afterwards, once we have everything there and we understand how much capacity we have used. As of now, scalability has not been an issue.

The product should meet our needs in the future.

The technical support is good at communicating. I learned a lot yesterday about how to figure out a support case quicker by helping them help you, and by giving them as much information as you can. In the past, I have not done that as well as I could have.

I was not involved in the initial setup.

Not applicable.

I do not have much experience with other solutions, so I don't think I can adequately compare and contrast it with others.

CyberArk is on top of its game. The product has worked well for our company.

If you are looking at implementing this solution, buy the training and go to it. If you do not train, it is hard to understand it. It is hard to pick it up by cross-training with other people. You really want to start off strong.

Most important criteria when evaluating a technical solution:

Be brutally honest about all the factors that go into the solution that you are looking for (buyer) and what the solution can offer (seller).

• Client-less feature
• Flexible architecture support
• High level of customization for maximize utilization
• User friendly and Flexibility of multiple choice
• Adhere to Security Compliance

This tool is in Leader's quadrant in Gartner Quadrant report. Not just because it has more features than other but also it improves the way organization function. CyberArk can be used as many as you can think of. Such Granular ways of utilizing parameters, features and restrict permissions that no other tool can grant you. This tool has always surprise me with its capability and features.

Since this tool major utilizing modules are PAM and PSM, hence AIM and OPM are least considered by client. Client is somehow reluctant to use these features. Yes, i do agree that these Modules are not that friendly but also CyberArk do not providing proper training on these modules. Reports are also one of the major concern, as it gives a very basic kind of reports. CyberArk must provide some graphical reports which can be customized as per client requirement. After all presentation does matter.

I have been working with PIM solutions since Apr 2011 and I was introduced to CyberArk around four years ago. I started with version 7.2 and I’m now working with version 9.6. Other than this CyberArk, I had experience on Dell TPAM, CA PUPM, Arcos PAM, BeyondTrust PIM etc with some more expertise on Imperva SecureSphere, Guardium, Tripwire Enterprise, Novell Access Manager etc.

Ofcourse, which deployment does not encountered any issue, however it depends upon your planning whether you are facing critical issues or just small hiccups. From my point of view, yes you need to plan it well, think from everyone prospective and also but most important it should be give ease of working not make end user frustrate. Understanding this tool and its utilization is more important in order to deploy it. Since the planning is not only limited to installation of CyberArk components but also it go beyond it such as GPO, AD Configuration, OU Setup, User usage, account management and so on. I face many issues during deployment and also after deployment. Plan it well before implementation.

Earlier in 9.0 version I faced some stability issues, yes there are some stability issues with CyberArk such as memory leakage, password unsync etc. These are some common problems but frustrating. In this version of CyberArk, memory leakage is a quite common and frequent issue which lend up access issue to end users.

As I said above, you need to plan wisely before you implement it. You need to consider all prospects of this tool before implementation.

CyberArk support is one of the best support I have ever seen. I worked on multiple tools and had a conversation with their customer support, CyberArk support is one of best one i have encountered with. They are very patient and calm. However sometime they are not much aware about the issue and could not provide the solution until it escalated to L3. It would give 8 out of 10 to CyberArk support.

Refer to customer service. Technical support is 8/10.

I started my career with Quest TPAM (now Dell TPAM) and also worked on BeyondTrust, CA PUPM, ARCOS, etc. BeyondTrust and ARCOS were introduced in market at that time. These tools are good but doesn't seems to be user friendly as CyberArk PAM. These solutions are bit complex to implement, configure and usage. Even if these tools have some good features which keeps them running in market but one feature in which all these tools are beaten up by CyberArk is User Friendly.

Users are more confident in using CyberArk, more convenient in installing and deployment and easier to customize as per client requirement.

Again, it completely depend upon your architecture design of CyberArk and planning. More complex Architecture leading to more complexity in implementation. Understand the Architecture, understand client requirement and only then design and implement. The sure shot guarantee of successful implementation is "Keep It Short and Simple".

Initially, I took some help but have never got a chance to work with Vendor team. I use to implement CyberArk for my client based on their requirement. I still not consider myself as an expertise, as I am still learning this tool and it always surprise me, however I would rate myself on overall - 6 out of 10.

Learning, keep involve yourself in learning. This is best ROI you will get.

Please contact your local CyberArk Sales support, they will better guide you.

In case of CyberArk, No .. Never.