We use it to control privileged access within the environment, including domain admins and server admins.
We're using the CyberArk Privilege Cloud version, which is the PaaS.
It provides a one-stop shop for the majority of our administrators to get the privileged access they need. It has enabled us to reduce risk as well, and that is the largest benefit that we've encountered through the solution. We've reduced the number of admins in our environment significantly.
It provides an automated and unified approach for securing access across environments, including hybrid, multi-cloud, RPA, and DevOps, as well as for SaaS applications. For what we're using it for, it's doing all of that seamlessly in one place. It helps us to quickly adapt and secure modern technology, and that's another reason we chose CyberArk. They already had integrations with solutions that we were either moving toward or that we already had. We weren't going to have to do them as customizations.
The ability, with Secrets Manager, to secure secrets and credentials for mission-critical applications means people don't have to go searching for them. They know where they are—they're in CyberArk—so they don't have to go to a separate place. They have one identity to manage, which is their single sign-on identity. From there, they can go into CyberArk to get the access they need. That's an area that has been very helpful. And from a risk perspective, the multifactor authentication to get to those accounts has also been awesome. That helps us to be in compliance, as well as secure.
The Privileged Session Manager has been the most useful feature because we're able to pull back information on how an account is used and a session is run. We're also able to pull training sessions and do reviews of what types of access have been used.
We also use CyberArk’s Secrets Manager. Because AWS is the biggest area for us, we have accounts in AWS that are being rotated by CyberArk. We also have a manual process for the most sensitive of our AWS accounts, like root accounts. We've used Secrets Manager on those and that has resulted in a significant risk reduction, as well. There's a lot to it, but from a high level, we've been able to get some things under control that would have been difficult otherwise.
For DevOps, we've integrated some automation with CyberArk to be able to onboard those systems. There are some native tools like the CFTs that we're using with CyberArk to get CyberArk deployed automatically to them.
It also gives us a single pane of glass to manage and secure identities across multiple environments; a single view with all of the accounts. It's super important for us to be able to see all of that in one place and have that one-stop shop with access to different environments. We have lots of domains because a lot of acquisitions have happened. It's important for us to be able to manage all of those environments with one solution and we do have that capability with CyberArk.
I've been using CyberArk Privileged Access Manager at this company for two years, and all together for the past six years.
The stability is great. We haven't had problems with it.
The scalability is very good. I'm surprised they keep as many logs and video recordings as they do on their side. But scalability hasn't been a problem. If we wanted to scale up, we could certainly do so. All we would have to do is add more servers on our side, with our PSMs (Privileged Session Managers). The way the solution is built out, you can expand it elastically pretty easily.
We have around 400 users right now who are mostly in IT. There are developers, database administrators, as well as our Active Directory enterprise teams, and some of our cloud implementation and infrastructure teams. We have some incident response people, from information security, who use it as well.
We're looking to expand it in the coming year. We've already started that expansion. It's the developers we're targeting next and there are a lot of them. We're looking at a couple of hundred more users within a year.
If there is an area that has room for improvement, it's probably working with their support and getting people on the phone. That is hard to do with most products in general, but that seems to be the difficult area. The product is fantastic, but sometimes we want somebody on the phone. I would rate their support at eight out of 10, whereas the rest of the solution is a nine or 10.
From a technical support perspective, they've been really good. There has just been a little bit of trouble with the database stuff, but that's because ours is a very aggressive deployment. Sometimes, when working with support, they aren't as aggressive as we are.
I've used Thycotic and Hitachi HiPAM, and we've used some custom in-house built solutions.
The reason we switched is that Thycotic opened up the door to that possibility when we talked about pricing. The price came out to be something similar to what we were spending. We were basically going to have to redeploy the whole Thycotic solution to get what we needed, and that opened it up for us to evaluate the landscape.
There were some complexities about the setup, but deploying a solution like this is going to be complex, no matter what solution you go with. CyberArk did an excellent job of making sure that we had everything we needed. They had checklists and the prerequisites we had to do before we got to the next steps. Although it was complex, they were complex "knowns," and we were able to get everything organized fairly easily.
Our initial deployment took about two weeks.
We broke the deployment into four phases. The first phase was called Rapid Risk Reduction, and with that we were getting our domain admins under control, where we went with domain admin, server admin, and link admin. A part of that was the server administrators and Linux administrators. All of that was part of a very short-term goal that we had.
Phase two was called risk reduction, where we were focused on Microsoft SQL, the database administrators, and Oracle Database administrators. It also included bringing in some infrastructure support as well.
Phase three was enterprise-grade security, and with that we've been pushing the network tools and AWS admins, along with some other controls.
And our last phase, which we've just recently started on, is one where we are going to be pushing hard to get developers onboarded into CyberArk. There are a whole lot of little details that go along with all of that. The initial auto onboarding happened in phase three, but we also have auto onboarding that we're looking to roll out across a larger group.
We implement least privilege entitlements as well. We started out from a high level of not going the least privilege route and, rather, we locked things down in a way that they were managed, at least. Then we started knocking down the least privileged path. You have to start somewhere, and least privilege is not going to be the first option, out of the gate. You're going to have to take stepping stones to the best practices. And that's what we've done. We took this large amount of high-risk access and brought it into CyberArk and then pulled access away over time and have been making things more granular, when it comes to access to the systems. The access within the systems, within CyberArk, is absolutely granular and we have been very granular with that from the beginning.
For maintenance of it we need about one and a half people. My team supports it and, while one full-time person is probably enough to support the solution, my team is split up. The general operations of CyberArk are what take up the most time. The actual running of the solution, from an engineering perspective, is very lightweight; it's hardly anything.
We did not use a third party for the deployment.
We started doing some comparisons of different tools and that's why we ended up switching to CyberArk, after discussions with both Thycotic and CyberArk. When looking at the capabilities, we ended up moving towards CyberArk. We felt it was a more mature solution and that some of the connectivity and reporting was done in a way that we would prefer, for a company of our size.
Thycotic is a good tool. A lot of IT people already understand the structure of how it runs. The upgradability is nice as well. You can just click an "upgrade" button and it upgrades the solution for you. The cons of Thycotic include the way that the recorded sessions are done. In addition, proxy server connections were not available. Maybe they are now, but at the time we were building out custom connectors and we had to go through a third party to get those developed. It was very bad and every step of the way was like pulling teeth. That really soured our relationship with them a bit because we couldn't seem to execute with that solution. When we started talking with them about what we needed it to do to make things easier, they ended up recommending a full redeploy. That's not ideal under any circumstances for anyone. That's why we took a step back and evaluated other solutions.
With CyberArk, some of the pros were that their sales team and engineers were very quick to come in and help us understand exactly what we needed. The deployment timeframe was also much shorter. We didn't have to work through a third party, as we would have had to with Thycotic. And the type of relationship we've had with CyberArk is one that I wish we had with other vendors we use. They've been phenomenal working with us.
CyberArk's abilities are amazing. We're just starting to hit some limits, but we're able to get through the majority of them. Some of the database stuff is a little bit more involved. The other things, like cloud and all of the Linux and Windows, have not been a problem at all. It's not that the database stuff is a problem, but it's just more complex.
If you want to talk about CyberArk providing an automated and unified approach for securing access for all types of identity, "all types" is a strong claim. I wouldn't ascribe "all types" of identities to anything. But for everything that we're doing with it, it has been a great tool and it's doing that for us.
We use this solution for password management. It allows us to control and manage passwords in a safe and secure way, and it records sessions.
The solution is deployed on-premises. It's being used extensively in my organization.
Before implementing BeyondTrust Password Safe, our server engineers and database engineers were storing passwords on an actual sheet, which is a plain text password. Since implementing BeyondTrust Password Safe, they're not doing that anymore. We eliminated the risks from storing passwords in plain text. We also have clear data that shows who modified a file.
We use the Team Passwords feature to securely store our passwords. Our team has a lot of shared passwords. Those passwords were shared in SharePoint or in the common share folder. We wanted to eliminate that because it's a risk. Team Passwords lets us securely save a password that's shared between a group of people so nobody else can see it. It's secure, and we don't have to save the password in an Excel sheet.
The Team Passwords feature has affected our level of security in a completely positive way. With a shared password, everybody could see it and someone could log in and change the password. They could also share it with someone else, like a third-party vendor or with someone outside the organization.
Team Passwords gives us better control over our passwords. Someone outside the team isn't able to get the password. Even if it's shared, we're able to see who checked the password.
It's more secure to use and better than using Excel or Notepad to save passwords. It's a really good option.
I like the session recording feature. I also like the analytics and reports. You can pull up a report, and the UI is fantastic. The system is recording when nobody's there, so we have a record of what's happening.
The Smart Rules feature is one of the coolest features. It allows us to automatically onboard accounts based on the criteria instead of manually onboarding. It allows us to manage assets or accounts based on the criteria we search for in Smart Rules.
The UI is cool. They have different symbols and icons. I think the UI is better and more informative than other solutions.
The customization features help me manage most assets, databases, and applications. It's more than sufficient for us. The default connectors and plugins are capable of managing the database in the server, units, and systems.
The banners could be improved because they aren't informative. For example, if something is not correct and I open the error notification, the dialogue box simply says, "This is an error." It would be great if they could provide some valuable comments about how to fix the errors. If I try to remove something, the error box says it cannot be removed, which isn't helpful. I have to wait for the account to check in, and then it will be removed.
The information description in the logs and the error reporting could be improved. For someone who's inexperienced, it's hard to understand.
I have used this solution for more than three years.
The stability is really good. Our setup is Active/Active, so we have more than eight appliances, and everything works well. It might differ for companies that decide to choose Active/Passive and only have two appliances.
We have enough appliances in our organization, so we don't feel that the stability is lagging.
The scalability is good.
I would rate technical support as nine out of ten.
Technical support is really good. If we need help, we contact somebody from the customer portal. We don't need to wait. We get a reply from an engineer right away, telling us what we need to do. If somebody's not available, a senior engineer will respond.
I'm amazed by the response time. They are as quick as possible. They have enough support people across the globe.
Before using this solution, I used Hitachi ID PAM.
There are multiple reasons why we switched. They don't have 24/7 support. We're on Asia Pacific Time, but most of their technical support staff are in Canada and the United States. If something happened in our time zone, they weren't available. Their product is very expensive, but they don't have as many features as BeyondTrust.
Comparatively, BeyondTrust has a lot of features and database inclusion. I would say BeyondTrust is 100 times better than Hitachi ID.
The setup isn't a complex process. There are two different setups. They provide the UVM-based installation and software-based installation. We selected the UVM-based installation.
The installation itself is pretty easy. The documentation is very structured. It's not complicated.
Migrating end users to Password Safe was hard in our case because no one in our organization knew about the solution. People were using Excel or Notepad and manually changing passwords. We created an internal document system, but migrating the accounts was a difficult task. As soon as the host was set up, it was pretty easy.
It's easy to maintain. All our appliances are connected to the internet. We receive patches and updates directly from BeyondTrust. We don't need to ask anyone to provide an update or patch. It's up to us to choose and schedule a proper time for updates.
We did the implementation in-house, but we had a consultant assist us from BeyondTrust. We had a good experience with him.
We have definitely seen ROI. It's worth buying.
We only pay for Password Safe. Session management is included, but we don't use it.
There aren't any additional costs besides the standard licensing fees. We pay for an annual license.
We also evaluated CyberArk, but we chose BeyondTrust because of the cost. It's affordable compared to CyberArk.
I would rate this solution a nine out of ten.
The installation is straightforward. If you just follow their instructions, you don't need any experience. They also provide automated ways to onboard accounts. The documentation is very structured.
We have used Thycotic Secret Server for some secret management and integrated it with some applications. We mainly used it for Privileged Account Discovery and the management of them.
The discovery engine is really robust and flexible. It had some session management features that are better compared to some other vendors. Overall the GUI is very good and straightforward to operate compared to other solutions. For example, CyberArk and Hitachi tend to be hard to navigate.
When working with larger enterprises Thycotic Secret Server becomes a little cumbersome to work with because they do not allow as much flexibility as some of the other competitors, such as CyberArk. Thycotic Secret Server could improve by being more flexible when it comes to customization, and increase the number of API integrations.
In an upcoming release, there should be more AI and machine learning features. Some of the competitors are leaning in this direction.
I have been using Thycotic Secret Server for approximately two years.
There can be some stability issues when you use the video record feature. You have to be careful when you turn on the video recording features and what you want to record because the data adds up quickly. There is a performance impact to your network as well, that has to be planned for. Users think it is a fancy feature and they want to use it but you have to plan ahead of time before you use it.
The solution is able to be scaled and it is not too difficult.
The last organization I implemented the solution in had approximately 900 users using the solution.
The technical support is good. They were able to give us support when we needed it.
I have used other solutions, such as CyberArk and Hitachi.
The setup was straightforward.
When comparing the price of Thycotic Secret Server with other solutions it is reasonable.
My advice to those wanting to implement this solution is that they should know their requirements. It is a great solution if it fits your requirements. It is important to know what you need to integrate with and how.
I rate Thycotic Secret Server an eight out of ten.