Symantec Privileged Access Manager Reviews

The key benefits are we improve our governance. We ensure we can build more trust in the way we run and operate our environment, and most of all is the accountability. Where things do go wrong from time to time, we are in a good position to ensure that we can recover quickly.

One of the key things for us about the product is around its simplicity. Being able to put in the technology that allows the business to remove complexity and also allow the security improvements. This is high on our agenda. 

As with most things CA, once we are bringing more technology into the portfolio and being able to collapse those products into a much more integrated way, that will definitely come over the time. 

In terms of improvement, keep listening to customers and their challenges and make sure the roadmap is very responsive. It is all about being agile, so we need to make sure the product is very easy to work with. It does not constrain us further down the road.

At the moment, we are going through several evaluations. We found that the architecture is scalable and very resilient. In terms of scaling up, it has yet to be proven, but so far, so good.

We have worked with CA before, so we understand that each engagement is slightly different. One thing we do make sure is we always do things like test runs as part of any onboarding of a system. This would be no different if we go down this path in the future.

It is fairly mature in the world of what it have known as a vault. When you look in a wider context of how to bring it into an organization, it is not necessarily just the technology side. I would rate it from the technology side between a seven and an eight. Actually, how it becomes too much of an adopted technology in a much more wider industry, they are still around about a five to six, but it has to do with the vendor across the industry.

Most important criteria when selecting a vendor: It is about really understanding what the security challenges are in the industry, but also being able to align with specific use cases each organization is going to deal with. You have a generic capability that we can take off the shelf, but we should be able to customize when you need it. Having that right balance is really important. I think from my of view, CA has started to move in that direction more. I would like to see more of that.

I think like most evaluations, it takes a lot of time and effort. We do look at things around where the history of the technology, where it's born out of, where they are currently going, and the direction they are going. Also, in terms of how well they are going to integrate into the wider portfolio. Evaluations are not just about features and functions of this specific product, but it is taking that holistic view around what else we can get out of it in the next three to five years. It is really important for us to have that clear roadmap and one that we believe in and trust.

One of the valuable features is the randomly generated password. It is a strong way to protect the security access to the network and servers in our department of Homeland Security Environmental Management System.

It has helped us with security.

Updates get difficult for the client. It needs to improve. I experienced difficulty in upgrading the software myself. With a tech engineer's help, I was able to manually delete some directories and was finally able to upgrade successfully. The codes should be easier and have an auto-feature to upgrade.

We have used this solution for two years.

We did not encounter any issues with stability.

We did not encounter any issues with scalability.

We did not use different solution before.

The initial setup was straightforward.

Make it easier to upgrade the software.

With CA PAM, it's mainly the vaulting of credentials that we're looking for, and then after that, probably the bastion functionality where we force all of our administrators through that to get to the servers. We'll also do session recording of both RDP and the SSH sessions through it.

It definitely helps with security. It also helps with how we audit which credentials are being used. When somebody actually logs in to CA PAM, they have to go in through second factor authentication. Once they're logged in, whatever credentials they check out, we get to see that and our auditors get to see that. It helps out in that way.

A better discovery interface of accounts.

It does do discovery of accounts for Windows servers, and you could do UNIX servers as well, but it's kind of clunky how it does it.

It's a very stable solution, but we also built it to be highly available and redundant as well. We built it out where we have four appliances in one single cluster across two data centers.

It's pretty scalable from what we can see. We have four appliances in a single cluster across two data centers, and we can actually even grow that if we wanted to.

I haven't had to call in any cases yet, but we've been working with the CA services team to help us implement the solution. They've been really really good.

Over time security has been becoming more prevalent, mainly because of the number of attacks out there. We found that just by looking at our whole portfolio of solutions that we already had in place, there were definitely some small gaps and areas that we needed to fill. PAM was one of the solutions that we found to help us with vaulting credentials, rapidly changing credentials.

Beforehand, for administrators to change certain credentials, they would have to go in and there would be change control processes that they had to go through. The vaulting automates a lot of that for us.

When we set up CA PAM, it's a OVA. It's an appliance, a virtual appliance, that we just needed to throw in VMware, spin it up, and there it is. From there it was just connecting in other things like our storage, our time server, and whatever else. Very very simple to set up.

For us, we mainly wanted a solution that worked in the scenarios that we were looking for.

We've demoed numerous products. After even just watching the demos we weeded some out. Then we actually brought a few in-house that we liked, and we did proof of concepts. We found out that some products just didn't work the way we wanted them to in our environment.

The reason we chose CA PAM is it worked in the scenarios that we wanted it to, and it just worked without problems.

Rating: I would say probably a seven or an eight. As I said, the interface is not the easiest to navigate and it doesn't really have the discovery piece or fully baked discovery. Overall, the solution works and there's just multiple ways of doing things. You don't have to use the whole GUI interface to get your stuff in. There's ways of importing our credentials and what not through Excel spreadsheets and what not. It's really easy how the import/export mechanism works.

I would definitely tell them [peers] to do an in-house proof of concept of the solution to make sure that solution works for their environment.

If I remember correctly, it was the two factor authentication, and the single most important capability was it supported PIV and CAC as one of the two factors. That was pretty huge for us.

Our organization does and uses cloud-based solutions. Those have to be very secure.

Specifically, administrative access needs to be highly secure. When people are accessing the production environment as administrators or as non-end users, they use CA Privileged Access Manager to be able to access it.

Trouble free installation and configuration and not even noticing that it's installed. There's too many steps involved in accessing the production network. Too many things you have to do to get on.

It'd be great if you just stuck in your PIV card and Windows popped up, asked you for your password. You typed it in, then it remembered your credentials.

For about 10 months.

There were some issues with stability.

From what I remember, people would complain that every 30 minutes to an hour or so, their connection would drop and they'd have to reconnect, but it wasn't clear whether that was a problem with the network we were working on or whether that was a problem with Privileged Access Manager.

We didn't run into any scale issues at all. The more people involved, the more it was able to handle.

Yeah, we worked with technology support. They were actually pretty helpful. The couple of problems we had, they were able to identify and help us resolve.

Yeah, we were using OpenVPN. We were using OpenVPN, and the biggest single reason was dual-factor authentication with PIV and CAC. That was the biggest single reason.

I did not personally do the setup. From what I remember, it took a couple of weeks for the security lead to do the work. That's not out of the question or a surprise with a security product, because just getting it operating usually takes a little bit, then getting it fine tuned takes a whole another round of work.

We looked at about a half a dozen, and this one came out to be the best one. We filtered down.

I would say, test it out in your environment, make sure it works out well. If it configures well, and then, assuming it works out fine, you're in good shape.

The most important feature is that we do not need to know the passwords any more; just having access to the end point; and that it’s easy to manage users and the account.

Since we implemented CA PAM in our company, we don't need to pass the passwords to every individual administrator. He just logs in using his own credentials and then searches for the end point he wants to access and that's it. We approve their access and they're ready to administer the end point. This is good because we don't need to change passwords every time one of our colleagues leaves the company.

There are many improvements needed. We are always searching for new features and new ways to improve the solution, because I'm just the local administrator. I have a support company which implements the solution. We are always constantly trying to improve new features to upgrade the solution, to understand more ways to facilitate our databases.

We are going on the third year. We have had many complications during the implementation.

The current release that we are using is much faster than the old ones we were trying. We had several problems with performance and crashes, screens that wouldn’t load up. The final release we are using is much better and more stable.

Now, it is scalable.

I would give technical support a 2.5/5. I'm not sure if this is a problem with my local support or CA support, but when we opened a case, it took several days to get a response. It cost me time to get a reply. They'd come back to us to understand what is going on or what was necessary to give support. Between me opening the case and my local support trying to understand what we want; then, they don't know how to solve it and go to CA support and try to understand again; that takes a long time.

This is the only one. We got this implementation by bid, so we couldn't choose any company. It was the lowest price and a quicker time to implement.

The first setup was complex. The implementation, to me, was very bad.

We did a proof of concept with another solution.

When they came for the proof of concept, we only had access to the system itself. I couldn't try to understand the complexity of implementation or support or all the features that the solution would have to offer. I just saw the main features.

We look to make sure that there are two HyperACCESS specifications: 

1. Privileged managements: These are ordered to ensure that all the passwords assume one location so a user can enter and all their passwords are protected. Their passwords cannot be shared because they are rotated. 
2. The odd user: This user has to go through the system and exercise a chair relay. This should be our Gateway for login. 

The most common features that I use are password vaulting and password management. 

I would like this solution to be simpler. It should have a one-click access that works together with AWS. 

Scalability has been good. 

We have received good support from the tech support team.

We used IBM before.

It was a challenge for our newer staff members to install. 

It is more expensive than other solutions on the market.

We have been using IBM extensively because customers demand that we provide this option.

Password Management and Session Recording. The simplicity and ease that it is to be up and running out-of-the-box is very much appreciated.

The recording feature uses a proprietary format that is very light, even with high definition videos, allowing you to use very little hard drive space. This has proven very valuable when managing large amounts of sessions.

We are now able to record all technical support requests that require a remote control session, therefore accountability has risen reducing the amount of mistakes or errors.

Clients are also more confident that all activities are recorded and everyone is held accountable when asking for support being provided.

With the recently added feature that supports recording VNC sessions, we have been able to expand the session management to the IT personnel who prefer VNC for remote session management.

The support for other remote assistance tools would be excellent. Free included tools in Windows (Remote Assist) and Microsoft SCCM Configuration Manager (ConMgr Remote Control) allow companies to reduce the amount of RDP connections and expand the usage of the tools are frequently used by companies to provide technical support for remote assistance.

This could increase the amount of purchased licenses, with increasing growth of (remote) managed services (MSPs), and would also allow a company to demand that a provider use a tool such as CA PAM when providing remote assistance, in order to record evidence or increase accountability. Access to online training free of charge is also highly recommended.

Over two years.

Not in my experience. It has proven to be a very stable solution, even when it is run as a virtual appliance.

Not in my experience.

I have had a good experience because they have been able to resolve issues nine of 10 in a short period.

The cons are that you are rarely (if ever) able to talk to a technician when calling support. This is frustrating when the issues are critical or urgent.

This is much worse in out of office hours. At times, when the issues are complex, the resolution times has been longer than desired and the time in between contacts is also too long.

There is a lot of space to improve in this area.

No, I have looked at CyberArk, but never used it as a customer.

Session management is pretty straightforward as is the password management. We were able to get it up and running in no time. It might be a bit complex to follow the flow of creating the devices, users, and single sign on using the password vault, so that process could be simplified for those getting started with the solution.

Can’t say much. The prices are not low, but one can ask for a discount. It’s not the cheapest PAM solution.

Yes, CyberArk. We found it too complex and with more features than one would probably need.

If looking for a solution with privileged session management, great recording features with an integrated password vault and Single Sign-On that is pretty straightforward to implement out-of-the-box and does not overwhelm you with unnecessary features, it the best way to go.

It has space for improving the user interface and remote connection tools, but surely this is something that should be in their roadmap.

When you look at the whole PAM itself, session manager is very important. It records what happens. Access manager and credential manager are very important as well. Those are the key things. Session manager, access manager, and credential manager.

On the access management side, our system administrators, under privileged management, don't have to use their local tools to log on to the production servers.

They basically will log on, but they need access controls. They log on to a web interface, so that they will have access to the servers. From there, they can make the sessions.

What I'm saying is that on 443, with an extra cell connection, you log on to a web server and that web server will basically initiate the sessions from the web server to the production server. At that point, my session is secure because all that is happening inside that subnet or inside that network. All my end user is seeing is training the HTML-file interface.

That makes the access more secure. Even on the session side, the sessions are really between the production servers and the IA PAM. The sessions are not between the endpoint and the production server. So that makes it more secure by using a PAM.

When we look at CA PAM, the multi-tenant deployment is definitely an improvement that we want to see. They don't offer multi-tenancy.

If I have an enterprise, or if I am an MSP and I would like use an instantiation of CA PAM for multiple tenants, I can't do that.

I have to deploy a CA PAM for each tenant, which basically increases the cost and the management side of it. That's a very essential thing.

CyberArk does the multi-tenancy, but CA PAM doesn't have this.

We have used it for two years.

Stability-wise, there were no issues. It met our SLAs. For the most part, it's really stable. There were no significant outages or issues with the stability of the product. We didn't have any of that experience with the solution.

There were some scalability issues. Along with access manager, there's something called a credential manager. The way the CA PAM solution is designed, a credential manager is local to each of these boxes.

If you want to scale to multiple data centers and multiple end points, the credential manager is not centralized anymore. We need to have a way to synchronize that. That seems to be one of the biggest issues of scalability.

It has AD integration, but the way they do it is an issue, because it's not scalable. For every active directory identity, it basically creates a local user. It defeats the whole purpose of using a single identity store. That's not a scalable solution to manage identities itself. That's a big issue.

We did submit an enhancement request to CA on multi-tenancy and the active directory implementation, and we don't think they have released any updates. That's a big issue with this product.

I would give tech support a rating of 7/10. They're not the best, because the product was acquired from a small company. Just updating the portal with the knowledge base and the support took a long time. We had a bad experience with that.

Once they got all the stuff integrated into the CA support structure, the responsiveness was there, but the relevant information of the tech staff to solve the problem was not there.

There were no previous solutions. CA PAM is the new evolution of Privileged Management. We haven't used a PAM solution in the past, and this was our first generation PAM that we used. We didn't move from an existing solution.

Once you have a network, then the reach-out is added. They have something called Outer Discovery, which discovers all the accounts and all the servers’ end points and groups.

I'm not going to say it's very easy, but on the flipside, I'm not going to say it's terribly hard to do it.

The reason it was not easy, was that the end points of the system administrators that have access to PAM needed a version of Java and some Java libraries on the end point.

With logged-on systems in the DOD space, or with the federal space, it's really tough to get those versions installed. The federal government, the central IT, update the Java versions and we don't have control over that. Every time we have an upgrade, it breaks the accessibility of the software.

Even though they say it's a web based tool, they still need a Java version that is compatible and libraries have to be on your client to do it. The Java competence has been a nightmare.

The product installation by itself is fairly easy, but the accessibility is very difficult.

We did reach out to CA and submitted a ticket with them, saying, "Okay, you need to get out of this Java thing, and then have something like HTML-file-based access, so that we don't have to have any of these Java things."

They said, "Great," but nothing has happened so far.

We did evaluate other solutions.

• We did a market research of Xceedium, before CA bought Xceedium Xsuite
• CyberArk
• Dell had a tool to do privileged identity management
• There's another company also, that starts with Cyber, but I don't remember the name

We evaluated these solutions, and Xceedium, which is now CA PAM, stood out.

If you are going for a multi-tenant deployment as an MSP, I would work with CA to see when that feature will be available.

If the local end points are logged down with the Java versions, I would really tell them to pull out the HTML-file-based solution. The accessibility of this tool from the desktops is very, very difficult. Those are two big things for a use case.

I would recommend them to make sure they validate that these things are rolled out and then use it. Other than those two issues, everything else is good.

Asking me to rate the solution is a tough question, because the market research came out well. It stood out. The usability was good.

The accessibility and other issues were big blockers for our customer:

• The local accounts with AD integration
• Multi-tenant deployment
• Java installation on the local machines

Those three elements were the biggest blockers. I would have rated it higher, but because of those three blockers, I'll had to rate it lower. They were very significant blockers for our project when we used it, and we were always putting out fires to do that.