Symantec Privileged Access Manager Reviews

My primary use case for this solution is for work in data center components. We use it with our data center devices. 

The DB clustering is a really good benefit of using CA PAM.

An improvement for this solution is that it should not be constantly based on user name and password. There should be a condition to edit and update your username. Also, it would be nice to have a single sign-on, but that particular portal doesn't allow any copy/paste.

In addition, I have an additional suggestion. I will give you a scenario. In regards to the licensing, I have some concerns. The NAS team, they want to have 24/7 support. The NAS team is the one actually using this CA PAM. So, the total count is some hundred members. But at other times, the login is 23 members. So it's like a batch. Every 7 hours there is a batch change, so every 7 hours 23 members will change. But when I ask for a licensing part, they are saying we have to take 100 license, not 23 license. Each time I have to ask for 100 licenses, even though I have only 23 members at a time using the solution. If there were any options for concurrent usage of a license, that would be a better option.

I find it is a stable product for our organization. But, we have had to do some debugging sessions occasionally.

We have previous experience with CyberArk.

The initial setup was easy and straightforward.

I would prefer better licensing options for the 20-100 users we have at a given time. 

We also considered CyberArk.

So when we are trying develop some particular portal, when you are looking with loop-back IP, connecting the backend by a loop-back IP, the response is coming by an actual IP - that's the portal design. Because it is redirecting multiple URLs, the portal designed like in such a way like it will take your input and redirect your many multiple URLs with the connection and respond back to your browser, but the browser always it comes back with the actual IP, not the loop-back IP.  In this case, the CA PAM is working well for us.

• Privileged account management
• Session management
• Session recording
• One stop access for all things involving privileged access management.

• Earlier admins used to access critical system from their desktop, which was a security threat considering the wide variety of compromises happening on endpoint. Now, all the privileged access is tunneled through PAM.
• With password management, we can enforce complicated password policies and very important frequent password changes, i.e., weekly.
• Most importantly, we now have recordings for each and every privileged session which is used for auditing, compliance, and investigations.

Privileged account management for Windows (domain and local) and Unix.

Service account management is a key area where the product needs to develop. Currently, the product supports service account discovery, but only if the host name of the server is known. For unknown host names, it is still a dark area.

In comparison with Thycotic and CyberArk, the service account management functionality needs to be extended to application pools, SQL database, PowerShell scripts, service account discovery, etc.

We experience stability issues after every patch upgrade. This is a place where CA needs to improve drastically.

The product is very scalable in terms of concurrent sessions that it can handle at a time, number of device it can support, accounts that it can manage, or number of nodes that you can deploy in a cluster. It comes in four forms.

1. Physical appliance
2. Virtual instance
3. AWS
4. Azure (just launched).

The technical support has improved a lot in last year with the advent of the European technical support team.

No previous solution was used.

Initial setup is very straightforward and ease to configure. It is similar to any appliance-based network security device.

Pricing is fair compared to other top vendors, like CyberArk. The licensing is simple and scalable.

We did not evaluate any other solutions.

Go for it if your key areas are password/session management of Windows/Unix/database.

Be careful if you want to use this for service account management.

There are some technical challenges while integrating the web-based console (security devices) for transparent login/single sign-on.

The key benefits are we improve our governance. We ensure we can build more trust in the way we run and operate our environment, and most of all is the accountability. Where things do go wrong from time to time, we are in a good position to ensure that we can recover quickly.

One of the key things for us about the product is around its simplicity. Being able to put in the technology that allows the business to remove complexity and also allow the security improvements. This is high on our agenda. 

As with most things CA, once we are bringing more technology into the portfolio and being able to collapse those products into a much more integrated way, that will definitely come over the time. 

In terms of improvement, keep listening to customers and their challenges and make sure the roadmap is very responsive. It is all about being agile, so we need to make sure the product is very easy to work with. It does not constrain us further down the road.

At the moment, we are going through several evaluations. We found that the architecture is scalable and very resilient. In terms of scaling up, it has yet to be proven, but so far, so good.

We have worked with CA before, so we understand that each engagement is slightly different. One thing we do make sure is we always do things like test runs as part of any onboarding of a system. This would be no different if we go down this path in the future.

It is fairly mature in the world of what it have known as a vault. When you look in a wider context of how to bring it into an organization, it is not necessarily just the technology side. I would rate it from the technology side between a seven and an eight. Actually, how it becomes too much of an adopted technology in a much more wider industry, they are still around about a five to six, but it has to do with the vendor across the industry.

Most important criteria when selecting a vendor: It is about really understanding what the security challenges are in the industry, but also being able to align with specific use cases each organization is going to deal with. You have a generic capability that we can take off the shelf, but we should be able to customize when you need it. Having that right balance is really important. I think from my of view, CA has started to move in that direction more. I would like to see more of that.

I think like most evaluations, it takes a lot of time and effort. We do look at things around where the history of the technology, where it's born out of, where they are currently going, and the direction they are going. Also, in terms of how well they are going to integrate into the wider portfolio. Evaluations are not just about features and functions of this specific product, but it is taking that holistic view around what else we can get out of it in the next three to five years. It is really important for us to have that clear roadmap and one that we believe in and trust.

I have been in the security business for almost 30 years. We have never had a solution in place where we could really manage and control privileged accounts in the company. This solution really makes a big difference. We started rolling it out for our Linux base. It has been invaluable to us already, and it has only been a year.

We are a multiplatform shop, so we have Windows, Linux, mainframe. The mainframe piece of it is coming along, but we would like to see a little bit more integration with the non-CA mainframe component, such as RACF. That is what we use, but they have more features which are coming out in the next month or so, which is a huge. They are listening to their customers. I think that is great, but they need to do a little bit more on the mainframe side.

Solid as a rock. It is a hardened appliance. We went with that version versus the virtual, and we set it up in less than half a day, and have had no problems since. It has been running fine.

Based on the purchase that we made, we bought an awful lot of appliances. We are using only a small portion of it right now, because it can handle so much volume. We know we can scale up with what we have, and we probably will not need to buy any further appliances down the road. So, that is huge.

It is very easy to set up the initial piece. We even did it without CA on-site for the first day. We got it up and running, then they came in and helped us tweak it and make it a little bit more efficient. However, setting it up out of the box, it was a no-brainer. It was very quick.

Right out of the box, right now, I would say it is a solid eight. I think 10 is doable, and they are very close. We are still only a year out. We have only really done one platform, so I am kind of saving the nine and 10 for once we are fully deployed.

Most important criteria when selecting a vendor: Support is a big deal. Reputation is great, but the support is what we use most. After the sale is over and the initial deployment is done, we need to work with support, and if support is not strong, then that hurts us. We can't get the product to be what we want it to be.

I see it performing really well. It has a really good scalability attribute, where you can continuously keep dumping on new users and giving them only the access they need on the projects that they would view. It is very controlling and I really like that.

Whoever built it from the ground up, they understand how an organization is laid out. You can tell. When a user comes in, it automatically picks up their information. It is very easy to use. The interface is very friendly, colorful, and bold. I really like that. It is friendly to the users. 

What PAM does is when a user signs in, or when a user gets prompted to an organization, they are classified based on what teams, job titles, and roles that they have. 

One feature I would like to see is instead of just giving passwords to the user based on job function, from auditing perspective, turn that cycle around. Let us have a reporting feature that will say, "Can you please show me all the users who have access to the DB admin account essay." That would really help from an auditing standpoint. 

There is already a feature for that. It is not too great to use. Instead of being Splunk, maybe have a feature built into the application. 

There have been no issues with CA technical support.

After doing a little bit of research in the PAM market, there are not too many PAM players out there. Obviously, there is CyberArk but the other big player is CA PAM. I took a look at CA PAM. CA's rep gave me every reason to pick CA PAM over CyberArk.

CyberArk is harder to set up. You need a stand up infrastructure to back up CyberArk. PAM, on the other hand, is much more simple to use, and you do not need as many Windows servers to back it up as far as I know. 

1. According to the users who have actually used CyberArk and CA PAM, they have said that CA PAM is ten times easier to use and manage. 
2. Also, according to the users, CyberArk is only in the Windows area. They only control passwords in the Windows area. I am not sure how true that is, but that is a huge thing. 

If your company has Windows, Unix, and Linux, and has accounts all over the place and you need to management it, look into CA now. 

I feel like I have to learn more about CA PAM, because there are a lot of questions I still have for the product and I do not know them yet. 

Most important criteria when selecting a vendor: technical support. Always having someone there who knows a lot about the product, but at the same time, they will be straight up with you about the difficulties. I really do like when people tell me, this is not working, and tell you straight off the bat. I really like that straightforwardness.

It is for all admins. We need to have a two-factor authentication. So for that, we are using the PAM, Privileged Access Manager product called Xceedium.

We have just put it in QA, so it will go live in production by March or April. 

It will provide us with more security. Anybody who has access can only get it. It makes admin access more critical. People are not building service accounts. 

It will provide more security and monitoring. 

The session recording is useful. We can capture what each of our users are doing.

It gives you list of servers, so you can see which users have access to which servers. This is really useful, so we can make sure nobody is getting extra access than what is needed. It is also isolated from Internet, so there is no way hackers or anybody can come into the systems.

We are going to work on Trade Analytics, so we wanted to see how Trade Analytics work and all.

They need to work on some of the enhancements, which we have already given to them. 

They need to have zero tier and active-active setup with zero minimum downtime, which they are working on it. 

So far, it is stable in our development and QA. Once we go in production, we will know it. We have just started testing on the products, especially integration testing and performance testing. After that, we will know the stability, and we are putting Splunk and monitoring alerts on right now. 

For scalability, we had some performance issues with the regular virtual jump servers. Therefore, to make the improvement better and all, we ordered bare metal physical servers. This way we will have better results and the performance will be good. 

We are using the technical support. We also have a list of all the security enhancements, which are needed. We gave it to CA. They are working on it, and for any issues, we are escalating the issues and working with the product team directly. 

They are really good at answering us quickly. Some of them, they also provided us a patch, and some of them are going into the new version, which is 301, so we are upgrading our environment to 301 now in our development and QA next week. 

It was a straightforward setup.

Cost-wise, CA was better compared to others in the market. 

One of the goals for one of our projects this year was to implement Privileged Access Management. We tried different products in the market: Xceedium, CyberArk, etc. This is when we decided on Xceedium. 

All were almost good, but CA's UI was much better. Performance-wise, CA was good. One of the advantages was Unix, which was not on CyberArk. It was more Windows-focused. We have been using Windows and Linux both. 

When we started analyzing different products, CA was really good. They are more proactive every time. 

They really worked hard in the PoC. They made sure all of our use cases are validated, and they would even provide us patches during our PoC. 

Depending on your requirements, you can compare different products and decide what you want. This product so far seems good to us.

Most important criteria when selecting a vendor: Our use cases, all of them, should be validated: the product performance and how the product behaves. We do a full end-to-end PoC to make sure how the product performs. Basically making sure all of the use cases have been satisfied and each have a proactive active-active setup. 

Transparent login for users of privileged IDs (Linux, Windows). This prevents sharing of the password because it is never seen.

Once we implemented the solution, we found that support groups were sharing the Root password with some application teams to facilitate implementations and upgrades. The applications required Root due to software requirements or other issues. This process was never documented and therefore was unknown. We are now working on getting these applications under proper controls. They will either need to use PAM if Root is still required or proper access will be implemented where Root will not be required for day to day support.

Reporting. It's difficult to locate the reports, there are limits on what reports can be run from the GUI, and the report formats are lacking. I have already spoken to product management about this specific area.

Four months.

Not yet.

Yes, we noticed that when trying to rotate 1400 privileged passwords with a single job, the results were not consistent. Support suggested we break the job up into smaller groups. We will likely have well over 200,000 managed accounts in the system when we are fully deployed. We should be able to submit mass password changes without having to break them down into groups of 50 or less.

For the most part, support is good. We do run into problems sometimes with respect to getting support for APIs. Our experience has been that engineering has to become involved due to limitations with the support staff's knowledge/experience in this area.

We have been trying to get approved for a solution (this or others) for 15 years. We finally have a CIO who understands the need for and benefit of this product and it was approved late in 2016.

Appliance setup was not difficult. We did have issues with network setup (behind a load balancer, or not; these were mostly internal issues and not the problem of the product). We selected this product (in part) because of the initial ease of implementation. We did a PoC and had the appliances set up in less than a day.

Appliances are relatively cheap, don’t skimp. Make sure you have redundancy, high availability, and enough appliances to manage the concurrent workload. Definitely make sure you include training in your budget and purchase. There are at least three specific courses that are a must for any administrator of the product. Courses can be classroom, virtual, on site or web-based. A2A licensing will be the cost that continues to grow over time. As you begin to deploy and work with various groups, you will find more uses for the A2A component and this is licensed by agent deployed on a server.

We had a project to review eight vendors and their PAM products: IBM, Hitachi, CyberArk, BeyondTrust, CA, Enforcive, Centrify, and Lieberman.

Definitely do your homework. CA PAM was the best product for us but if you are strictly a mainframe shop you might like a different solution and similarly for a Windows only shop. For us we have all platforms (Windows, Linux, Unix, mainframe, databases, network devices, appliances) that need to be managed. This product was relatively simple to implement but again do your homework. Make sure you document your use cases, and I strongly recommend setting up a test environment before deploying into production. We were told to get ROI so we started with production and are now standing up a fully supported test environment. If I had the time, I would have done this the other way around.

The tool helps us manage local, domain, and service accounts. It helps us meet compliance standards.

The fact the password is changed after each checkout beats changing passwords manually every few months.

I would definitely like to see improvements in the documentation. It is very plain and doesn't provide details. They are no screenshots either.

We owned this product for about three years. I took over the project about six months ago.

I did not encounter any issues with stability.

I did not encounter any issues with scalability.

Few people I've dealt with know the product well. They are not very helpful. Some technical support team members don't have much knowledge.

I don't think DSS used any other solution prior to this.

I didn't do the initial setup, so I can't answer this question.

I'm the admin and do not know anything about pricing and licensing.

I personally have used RPM and think it is more user-friendly.

Be prepared to call tech support a lot because the documentation is almost worthless.