CyberArk Privileged Access Manager Reviews

Our main use cases for CyberArk Privileged Access Manager are privileged access management and privileged session management. Another use case of the solution is password rotation.

CyberArk Privileged Access Manager improved our organization by identifying the owners of the service accounts. Each service account should be associated with an owner because without an owner, that account becomes an orphan account that nobody can take ownership of, so this means nobody would know what that account is doing. When we brought in CyberArk Privileged Access Manager, it helped us have a roadmap that allowed account ownership and account onboarding. CyberArk Privileged Access Manager gave us a roadmap, a plan to follow, and a guide on how to manage privileged access, and this is very important because we don't want privileged access to be compromised or breached.

Realizing the benefits of CyberArk Privileged Access Manager was a long journey. It was not an easy journey. It was a long journey to put things in place and get them onboarded because not all applications were compatible. It took six months to a year at least, to start the process properly.

The applications which were in Active Directory were easy, for example, it was easy to onboard the accounts and rotate the passwords because that meant only running scheduled tasks. There were a few accounts, however, where the applications weren't compatible with password rotation, particularly old applications or legacy applications that would break if the passwords were changed. To get all those sorted and to get all those in place, and explain what those changes were, took a lot of time, but for accounts that were just running scheduled tasks or services, those were onboarded easily and had their passwords rotated, particularly those which had identified owners.

One of the features I found valuable in CyberArk Privileged Access Manager is privileged session management. It's a feature that allows you to record the session, so if there's a risk, that risk can be highlighted.

I also found it valuable that CyberArk Privileged Access Manager can be integrated with PTA, and this means that it will tell you if there's a risk to the logins and signs of risk and if risky behavior is observed. It's a good feature.

Another good feature is the CPM because it helps you rotate the passwords automatically without involving the admins. It can go and update the scheduled tasks and the services. At the same time, if there's an application where it cannot do all of these, CPM will trigger an automatic email to the application owners, telling them that they should go ahead and change the password. This allows you to manage the account password that CyberArk cannot manage, which helps mitigate the risk of old passwords, where the password gets compromised, and also allows you to manage the security of the domain.

Integration is also a valuable feature of CyberArk Privileged Access Manager. It has an application access module function that allows you to integrate and manage applications, including BOT accounts. It also allows you to manage ServiceNow and many other applications.

What could be improved in CyberArk Privileged Access Manager is the licensing model. It should be more flexible in terms of the users. Currently, it's based on the number of users, but many users only log in once in four months or once in five months. It would be great if the licensing model could be modified based on user needs. We even have users who have not logged in even once.

Another area for improvement in CyberArk Privileged Access Manager is the release of vulnerability patches because they don't release it for all versions. They would say: "Okay, you should upgrade it to this point. The patches are available", but sometimes it is not feasible to do an upgrade instantly for any environment, because it has to go through the change management process and also have other application dependencies. If that can be sorted out, that would be nice.

I've been using CyberArk Privileged Access Manager for around seven years now.

CyberArk Privileged Access Manager is a stable solution.

CyberArk Privileged Access Manager is deployed on-premises in the company, so I'm unable to comment on scalability, but they do have a software as a service model, so that's scalable.

Technical support for CyberArk Privileged Access Manager is responsive. As for their timelines for completing tickets, it would depend on the process. Sometimes it takes them less time to respond, and sometimes it takes them longer. They have different levels of support, so if level one is not able to resolve it, they escalate the issue in due time to the next level of support. They're mostly able to help.

On a scale of one to ten, with ten being the best, I'm giving their support an eight. There's always room for improvement, and in their case, in terms of support, what they could improve is their response time, especially their response to business-critical activities or issues.

The company was probably using LockBox before using CyberArk Privileged Access Manager, but I'm not sure about that.

Installing CyberArk Privileged Access Manager was easy. It's only the firewall you need to introduce into the environment that takes time, particularly if you're doing an on-premises model.

I saw a return on investment from using CyberArk Privileged Access Manager. It's a good privilege access management solution and identity and access management solution as a whole. It's a really good product.

The solution was definitely implemented because it saves you time and money, for example, access management and privileged access management are now automated when in the past, those processes were done manually. The new feature CyberArk DNA was also given free of charge, so that DNA tool can scan the environment for all the vulnerable accounts for password hash attacks, for accounts where the passwords were not changed. That definitely saves time, because that type of scanning would be very difficult for someone to do manually, and the report that comes out of that scan is very objective.

I'm not involved in the purchase of the CyberArk Privileged Access Manager licenses, so I'm unable to comment.

I was not part of the evaluation process.

I recently switched jobs, so I was working with CyberArk Privileged Access Manager in my previous organization, and also using it in my current organization. I'm using version 12.2 of the solution.

In terms of maintenance, it can be monitored through SCOM Monitoring, but the vault is standalone. CyberArk Privileged Access Manager can enable SNMP Traps so that the vault can be monitored automatically and it can trigger an incident to the ticketing tool the teams are using. It has the ability for automated monitoring.

My advice to others looking into implementing CyberArk Privileged Access Manager is to know their network properly. If they're doing an on-premises deployment, they should know their network properly, and they should first audit their environment in terms of the accounts they're going to manage on CyberArk Privileged Access Manager. They should also assign the owners and assign everything beforehand to help make implementation faster.

I'm rating CyberArk Privileged Access Manager nine out of ten.

We primarily use the product as part of the growing security posture of the company.

The solution provided password management and API password retrieval functionality. 

The most valuable aspects of the solution include password management and Rest API retrieval of vaulted credentials. 

The solution needs better features for end users to manage their own whitelisting for API retrieval. 

I've used the solution for over a decade. 

It's a privileged access management tool so it helps in making sure that all privileged accounts are compliant.

The product is an important security measure against credential theft. It ensures session isolation and password rotation including pushing passwords to the endpoints. 

It's also possible to pull the password from the CyberArk to ensure that there are no hardcoded credentials in scrips or DevOps tools. 

It provides a comprehensive access control list and auditing. Reporting capabilities are extensive.

New features are being added in every release, and there are few releases a year.

Enhancement requests can be submitted by the community and are taken into consideration by the company.

As configuration options are very extensive, it is sometimes hard to find the correct and complete way of customization or specific configuration. 

The documentation is rather basic and it is missing many use cases. 

It's also hard to test solutions without a development environment as CyberArk doesn't provide the possibility to run the environment for personal purposes.

I've used the solution for six years.

My company uses CyberArk Enterprise Password Vault for our servers and when our IT partners try to access our mission critical systems. We have also integrated the product with software tools used for authentication purposes. Our company's IT uses LDAP credentials to log in to the PVWA application while also being able to use granted privileges on one or more servers.

The most valuable feature of the solution is session recording.

There is a little bit of confusion in the implementation part, especially when one tries to understand the actual working of the product. The ones involved in the implementation of the product did not show the people in our company how they work on the product. The aforementioned area can be considered for improvement.

I have been using CyberArk Enterprise Password Vault for a year and six months. The product is used in my company. I use CyberArk Enterprise Password Vault Version 12.0. I am a customer of the product.

It is a scalable solution.

We upgraded the solution even though we had subscribed to the product for ten years in our company. In our company, we wanted around 50 employees to be able to operate the solution.

From my end, I have not used technical support. I don't know if my colleagues have faced any problems because of which they had to contact technical support.

The implementation took place over a period of three months.

The solution is deployed on-premises.

CyberArk Enterprise Password Vault is a very expensive product.

I believe that the charges for maintenance and support are already included in CyberArk Enterprise Password Vault's pricing policy.

I will tell those planning to use the solution that it is a very expensive solution. Due to the cyber security constraints of the product, most of the companies are forced to update by paying money to CyberArk, which I feel is one of the problematic areas in the product. Feature-wise, it is a very good product.

I rate the overall product a nine out of ten.

In a large financial institution, CyberArk Privileged Access Management (PAM) plays a pivotal role in ensuring the security and integrity of sensitive financial data. With numerous systems, applications, and databases holding critical client information and transaction data, the institution faced the challenge of managing and protecting privileged accounts effectively.

The PAM solution was seamlessly integrated into the existing IT infrastructure. It introduced granular access controls, requiring all employees to log in with standard user accounts, regardless of their role. When a privileged action is required, the PAM system enables the temporary elevation of privileges through just-in-time (JIT) access, granting access only for the necessary time frame. This reduces the window of opportunity for potential cyber threats.

CyberArk Privileged Access Management (PAM) has been a game-changer for our organization's security landscape. With PAM in place, we've experienced a significant reduction in potential security breaches. The meticulous control it offers over access rights ensures that only authorized personnel can access critical systems and sensitive information. The implementation of just-in-time access has effectively minimized our attack surface, making it incredibly challenging for unauthorized users to exploit vulnerabilities.

The most valuable features of CyberArk Privileged Access Management (PAM) are its granular access controls and just-in-time (JIT) access provisioning. These features ensure that only authorized users have elevated privileges and access to critical systems. JIT access reduces the attack surface by granting privileges only when needed, minimizing exposure to potential threats. 

Additionally, robust auditing and real-time monitoring capabilities enhance security by tracking privileged activities, aiding in threat detection and compliance. PAM's ability to seamlessly integrate into existing infrastructures and streamline workflows further adds operational efficiency, making it an indispensable tool for modern cybersecurity.

CyberArk PAM could greatly benefit from an under-the-hood update; integrating machine learning algorithms could provide predictive insights.

The user interface lacks intuitiveness; revamping the UX of the web access panel through intuitive navigation, customization, contextual assistance, visual coherence, and accessibility considerations will undoubtedly result in higher user satisfaction, increased engagement, and ultimately, a more competitive offering in the market.

In addition, several tools seem to be outdated, however, you can see that CyberArk is constantly working on them.

I've used the solution since 2017.

We use the solution for privileged access to internal systems and multiple customer environments.

We have distributed PSM and CPM components throughout multiple sites and customer domains access over the VPN, with PSM load balancing handled via third-party hardware load balancers. 

Environment segregation and security are high on the criteria for the implemented solution, however, not at the overall expense of performance. 

We tend towards providing access to privileged admin applications direct from the PSM servers wherever suitable, yet offload additional workloads to siloed RDS collections if the need arises. 

I appreciate the ease of use for support analysts. We provide a single pane of glass access to our analysts where segregated admin access is provided via safe access groups. The overall goal is to provide the analysts with just enough access to function without being totally impaired by security constraints. With the piece of mind that the auditing and recording capabilities allow. We provide access to fully managed systems via distributed PSMs, or where the need arises we can provide access to online third-party access points via a central pool of web-enabled PSMs.

The most important feature is the password rotation and recording to align with customer security requirements.

The reporting and auditing functions allow us to provide evidence-based accounting to customers or security personnel when or if required. Being able to prove that "it does what it says on the tin" is a very key selling point or point scorer in project and planning sessions.

The marketplace default connectors are constantly evolving and simplifying administration. In the case of one not being available then the majority of additional requests can be catered for with some clever AutoIT scripting.

Remediation of some of the platform settings in the master policies section would be handy.

Overall what I would really love to see is the third-party PAS reporter tool pulled more into the overall solution, ideally as its own deployable component service installation package, that could be installed/branded alongside the PVWA service, and build out API integration so that third party calls could draw valuable data directly out of the management backend with very little amount of additional admin overhead.

I've used the solution for eight years. 

The solution is very stable; if instability is ever experienced it is likely to be as a result or symptom of a problem elsewhere, such as external factors (updates, network etc.).

The solution is fairly scalable, although depending on how far and wide you stretch your footprint, you may be better suited to multiple smaller vaults and component environments, than one large pot.

Initial call logging can be tedious at times. If you clearly articulate an issue yet are then required to collate entirely irrelevant logging information or jump through a default set of "have you tried this" questions it can cause frustration. Call escalation via account management has improved and when needed we have then progressed with support at a faster pace.

Positive

I have not worked with a solution with a focus explicitly for PAM.

The initial setup was both straightforward and complex in equal measure.

The majority of the setup was in-house. On occasion, we have engaged the vendor team and always had a positive outcome.

I'm not in the loop to be able to answer to ROI.

Engage with Cyberark account management and professional services to fully understand your current, expected, and future requirements. 

Some default settings applied early on may be very time-consuming to amend at a later date (for example, set a default attribute in a platform, extrapolate that platform out to 300 other platforms and a single change may then have to be retrofitted 300 times). So the more scope you can define at deployment the better.

I believe other vendors were evaluated prior to selecting CyberArk.

I'd advise other users to take their time, measure twice, and cut once.

The most valuable features of CyberArk Enterprise Password Vault are password rotations and password encryptions.

CyberArk Enterprise Password Vault has a lot of enterprise-level features compared to other PAM products. It's a well-known product, and its implementation is very easy. The solution has good documentation compared to other products. CyberArk Enterprise Password Vault is legitimate software that releases patches as per vulnerability.

We require IAM (identify and access management) capability at the administrator level because we need more identification.

I have been working with CyberArk Enterprise Password Vault for the past six months.

CyberArk Enterprise Password Vault is a stable solution.

CyberArk Enterprise Password Vault is a scalable solution. We have more than 1000 people using the solution.

CyberArk Enterprise Password Vault's technical support team is good. Whenever we require any help, they assist us based on the SLA. The technical support team's response speed and competence are very good.

Positive

The solution was easy to deploy.

We need a basic understanding of the tools needed and customer requirements to deploy the solution. If the customer is looking only for a password deployment, we deploy only the password.

The deployment will require two or three people and a minimum of one week.

CyberArk Enterprise Password Vault's pricing is reasonable. Since CyberArk Enterprise Password Vault is an enterprise-level solution, its cost is higher than other solutions in the market. The solution comes with maintenance for the first year. However, after that, we need to pay for maintenance.

CyberArk Enterprise Password Vault's licensing model is comparatively very easy. It has a single license. We can deploy the solution based on the particular solutions we need.

One or two administrators are more than enough to operate the solution.

A backup strategy and DR setup are more than enough to implement CyberArk Enterprise Password Vault.

Overall, I rate CyberArk Enterprise Password Vault an eight out of ten.

The main use case is the protection of privileged accounts. We also use it for multi-factor authentication and single sign-on.

Now we feel assured that all our privileged accounts are well protected. Our admins don't know passwords and don't enter them manually. This eliminates the risk of interception and account hijacking.

First of all, CyberArk offers great flexibility. Throughout our years of experience, we haven't found any system that we couldn't connect with CyberArk. We have many web management consoles, and it's no problem to connect to them using custom connectors.

Moreover, it's a highly customizable solution. If you know how to do it, you can customize it as you want.

There is room for improvement in the pricing model. From a technical point of view, there are no issues. Support could be faster, though. We have mentioned that better support from CyberArk would be beneficial.

So, support could be faster, and pricing can be improved.

We have been using it for our needs and sharing it for over ten years. Currently, we use version 12.

It is a very stable solution. I would rate the stability a ten out of ten. If you can read the manual and avoid making mistakes, it's very stable.

It is an extremely scalable solution. I would rate the scalability a ten out of ten. In our organization, there are ten CyberArk users; they all are system administrators. 

The customer service and support could be better. The response time could be better. 

Neutral

I would rate my experience with the initial setup a four out of ten, one being difficult and ten being easy. It's a modular system. To run CyberArk, you need to deploy several different services, set them up, and configure the interactions. It's not a solution in one box.

The initial setup is not very complex, but I would say it's not very simple, either.

We have deployed CyberArk in both environments. We have several working calls in the cloud and some parts on-premises. The initial deployment takes about two days. 

Our main technical task was to reduce security risks, which we accomplished with CyberArk.

I would rate CyberArk's pricing a nine out of ten, with one being cheap and ten being expensive. It's one of the most expensive solutions in the market, but it's worth it.

I would suggest finding a qualified partner. Don't try to install and configure it on your own. Instead, seek a certified CyberArk partner. It will save a lot of time and stress.

Overall, I would rate the solution a nine out of ten. It's very good, but there are still areas for improvement, like any other product.