Symantec Privileged Access Manager Reviews

I mostly do support for the product so I’m aware of all the features this product offers. I like the fact that passwords are checked-in automatically. In case you forget to release the account so that other people can use it, it keeps the account secured by changing the password automatically.

You can do A2A integration. You can have your own script, which can then run outside of PA to retrieve the password and perform other tasks.

It has CLI commands for bulk changes. I’ve used that feature to on-board thousands of accounts, and it saved time and effort rather than doing it manually.

PA is a global vault application which is essential in our day-to-day tasks is retrieving and using privileged accounts. Also provides a nice logging and notification to management as well as audit.

I think most people that use the product are concern with performance and they are also used to the user inference. We shouldn’t compromise a better looking UI with performance. It’s hard to say, because ever since I’ve started using the product, we have had performance issues.

What I hope happens with the new product CA PAM is to keep all the useful features that exist in PA, but what I’ve noticed with many new products is the UI gets polished but systems lags stability and performance or it adds additional complexity instead of simplifying the user experience.

I hope that’s not the case with the new product. And of course with any new product, there should be improvements in stability, usability, performance and support.

We have used this solution for over two years.

Stability is a problem that we fight every day.

We have scalability issues. For our current stress test, it looks like the system is not able to handle a large number of users at peak times.

I think there are two points to this. It’s very hard to get to level 2 or 3 support to answer questions. We had cases that were dragged on for years with no answer waiting for engineering. It almost sounds like we are on our own and this product is not “really supported” or CA is so busy with other more important issues that higher level support is almost never available.

I am not sure. When I joined the bank, this was what they were using.

I was not part of the bank at that point.

I think this product is no longer available. But if it is, I would recommend a full stress test before they even implement it. Make sure you can run it on the newest web or application servers.

Used for securing privileged accounts. This is the why people choose this particular product: To manage credentials and record sessions.

DXC has created a managed service offering based on it.

• The user interface and dependence on applets and Windows could use some improvement.
• Increased the compatibility with other browsers.
• Remove the Java applet dependency (it is being depreciated).

We have been using this solution for 12 months.

We did not encounter any issues with stability.

We did not encounter any issues with scalability.

Technical support could be improved.

We haven’t switched from a previous solution, but rather added an additional option to our offering catalog.

The initial setup was straightforward.

Before choosing this product, we evaluated CyberArk PAM.

Make sure you are certified from the official CA course.

One of the valuable features is the randomly generated password. It is a strong way to protect the security access to the network and servers in our department of Homeland Security Environmental Management System.

It has helped us with security.

Updates get difficult for the client. It needs to improve. I experienced difficulty in upgrading the software myself. With a tech engineer's help, I was able to manually delete some directories and was finally able to upgrade successfully. The codes should be easier and have an auto-feature to upgrade.

We have used this solution for two years.

We did not encounter any issues with stability.

We did not encounter any issues with scalability.

We did not use different solution before.

The initial setup was straightforward.

Make it easier to upgrade the software.

Session Recording: This feature is very useful and powerful. This application is very easy, fast, and trustworthy!

This product allows the administrator of users control of the vault of passwords, in the sense that is known who are the privileged users and who has the power to close the session for security issues.

The answer for the requirements of the users is faster and stable. The Session Recording function in audits is accurate and functional.

The integration with AS/400 Endpoint via Transparent Login could be better and useful for some users.

Almost one year.

Not yet.

Not yet.

Good.

No.

The deployment was straightforward, and the provisioning, too. In general, it's not complicated to work with this solution.

They can request a trial, and if the results are positive, make a PoC.

We are a partner of CA. The tests were only executed for this product (CA PAM).

Try the product.

• Session Management (Session Control and Recording)
• Very good in reliability
• Deployment Model: Available in both hardware and software appliance with one step installation only

Not applicable. I’m distributor of this product, not an end user.

Live session

GUI command keystroke and filtering

Session limitation

Live Session is a common feature now on PAM technology. By having this feature, an Administrator can monitor on live session about a privileged user activity, same like what we saw in CCTV. CA should add this feature on their PAM product, then they can compete with competitors.

Command keystroke and filtering on GUI session is needed to record and filter which commands allowed or not allowed privileged user work on GUI sessions, i.e., RDP Windows. By having this feature an Administrator can prevent dangerous commands when a privileged user on an RDP Session and open PowerShell or Windows Command or Database Engine CLI (MySQL, Oracle, etc.)

Session limitation is a very critical feature that cannot be addressed by CA PAM. By having this feature, only one username can allowed to login to the PAM dashboard at the same time and prevent another person to login using the same username (sharing password/username).

I have used this solution for two years.

There were no issues with stability.

There were no issues with scalability.

I would give technical support a rating of four out of five.

We did not use a solution before this one.

The initial setup was straightforward and very easy to setup.

There is a combination of user and target devices pricing/licensing. There is no point to charge on target device pricing for 1000+ target devices. I would suggest charging for user percentages.

I’m very satisfied with the product.

When you look at the whole PAM itself, session manager is very important. It records what happens. Access manager and credential manager are very important as well. Those are the key things. Session manager, access manager, and credential manager.

On the access management side, our system administrators, under privileged management, don't have to use their local tools to log on to the production servers.

They basically will log on, but they need access controls. They log on to a web interface, so that they will have access to the servers. From there, they can make the sessions.

What I'm saying is that on 443, with an extra cell connection, you log on to a web server and that web server will basically initiate the sessions from the web server to the production server. At that point, my session is secure because all that is happening inside that subnet or inside that network. All my end user is seeing is training the HTML-file interface.

That makes the access more secure. Even on the session side, the sessions are really between the production servers and the IA PAM. The sessions are not between the endpoint and the production server. So that makes it more secure by using a PAM.

When we look at CA PAM, the multi-tenant deployment is definitely an improvement that we want to see. They don't offer multi-tenancy.

If I have an enterprise, or if I am an MSP and I would like use an instantiation of CA PAM for multiple tenants, I can't do that.

I have to deploy a CA PAM for each tenant, which basically increases the cost and the management side of it. That's a very essential thing.

CyberArk does the multi-tenancy, but CA PAM doesn't have this.

We have used it for two years.

Stability-wise, there were no issues. It met our SLAs. For the most part, it's really stable. There were no significant outages or issues with the stability of the product. We didn't have any of that experience with the solution.

There were some scalability issues. Along with access manager, there's something called a credential manager. The way the CA PAM solution is designed, a credential manager is local to each of these boxes.

If you want to scale to multiple data centers and multiple end points, the credential manager is not centralized anymore. We need to have a way to synchronize that. That seems to be one of the biggest issues of scalability.

It has AD integration, but the way they do it is an issue, because it's not scalable. For every active directory identity, it basically creates a local user. It defeats the whole purpose of using a single identity store. That's not a scalable solution to manage identities itself. That's a big issue.

We did submit an enhancement request to CA on multi-tenancy and the active directory implementation, and we don't think they have released any updates. That's a big issue with this product.

I would give tech support a rating of 7/10. They're not the best, because the product was acquired from a small company. Just updating the portal with the knowledge base and the support took a long time. We had a bad experience with that.

Once they got all the stuff integrated into the CA support structure, the responsiveness was there, but the relevant information of the tech staff to solve the problem was not there.

There were no previous solutions. CA PAM is the new evolution of Privileged Management. We haven't used a PAM solution in the past, and this was our first generation PAM that we used. We didn't move from an existing solution.

Once you have a network, then the reach-out is added. They have something called Outer Discovery, which discovers all the accounts and all the servers’ end points and groups.

I'm not going to say it's very easy, but on the flipside, I'm not going to say it's terribly hard to do it.

The reason it was not easy, was that the end points of the system administrators that have access to PAM needed a version of Java and some Java libraries on the end point.

With logged-on systems in the DOD space, or with the federal space, it's really tough to get those versions installed. The federal government, the central IT, update the Java versions and we don't have control over that. Every time we have an upgrade, it breaks the accessibility of the software.

Even though they say it's a web based tool, they still need a Java version that is compatible and libraries have to be on your client to do it. The Java competence has been a nightmare.

The product installation by itself is fairly easy, but the accessibility is very difficult.

We did reach out to CA and submitted a ticket with them, saying, "Okay, you need to get out of this Java thing, and then have something like HTML-file-based access, so that we don't have to have any of these Java things."

They said, "Great," but nothing has happened so far.

We did evaluate other solutions.

• We did a market research of Xceedium, before CA bought Xceedium Xsuite
• CyberArk
• Dell had a tool to do privileged identity management
• There's another company also, that starts with Cyber, but I don't remember the name

We evaluated these solutions, and Xceedium, which is now CA PAM, stood out.

If you are going for a multi-tenant deployment as an MSP, I would work with CA to see when that feature will be available.

If the local end points are logged down with the Java versions, I would really tell them to pull out the HTML-file-based solution. The accessibility of this tool from the desktops is very, very difficult. Those are two big things for a use case.

I would recommend them to make sure they validate that these things are rolled out and then use it. Other than those two issues, everything else is good.

Asking me to rate the solution is a tough question, because the market research came out well. It stood out. The usability was good.

The accessibility and other issues were big blockers for our customer:

• The local accounts with AD integration
• Multi-tenant deployment
• Java installation on the local machines

Those three elements were the biggest blockers. I would have rated it higher, but because of those three blockers, I'll had to rate it lower. They were very significant blockers for our project when we used it, and we were always putting out fires to do that.

The product is for privileged access for a jump server using a PIV card.

So far, with the functionality of what we had, there has not been much improvement at this point of time. I am not able to comment at this time.

I think it works just enough because it is a mandate from the customer to have the privileged access for the administrators to manage the servers using the PIV cards. We haven't used it long enough to comment on areas for improvement.

We clearly know what the functionality is that we need from the product. I think this has been accomplished by the functionality that exists in the PAM of Xceedium.

We have been using this solution for six months.

We don't use it that often and it is only for admin users. So far, there have been no issues with stability.

There were no issues with scalability.

I would give technical support a rating of 10/10. It's a matter of a learning curve for my administrators. When they requested support, they were quick to respond. It's not really a problem. It's basically a lack of awareness of the product. It was quickly resolved talking to the technical support people.

There was not a previous solution.

We did not have any team members who were trained in Xceedium. For the setup, we got directions from the manual that was provided by the reseller.

We then went to Xceedium, which is now CA. They helped us if we had any issues from the technical point of it.

I would rate the setup as 80/20: 80% being simple and the remaining 20% needed some help from the technical folks at CA.

We did not evaluate different products. There was no choice for us. We didn't have a choice to evaluate other solutions because they mandated the use of this product.

I think it's a good solution for anybody who is looking for a single sign-on implementation for administration of the servers.

It's a straightforward solution. It has been in the federal space for quite some time. It has been part of our TRM.

Transparent login and cluster synchronization. This is quite stable compared with other products. It is easy to manage for the administrator.

After the CA acquisition of Xceedium, I was able to see a lot of improvement in technical support.

There are a lot of gaps in the documentation. The documentation has to improve like anything else. There are a lot of things which are not covered in the documentation, and there are a few things which are covered in the documentation, but are not clear.

To mention the features which are not covered and which are not clear would require a separate document. Here are some examples:

• Authentication methods: PAM does support a few authentication mechanisms to login to PAM. But the documentation does not have the details of how to integrate TACACS+ in PAM. The documentation explains it at a very high level.
• Application Connectors: PAM does support different application connectors. But for CISCO devices, the details are not clear.
• Roles and Privileges: There are almost 200 privileges in Credential Management. There is not a document which has the details for the privileges and their functionality.
• Segregation of Duties: There is not a document for PAM roles. For example, if the user has “Standard User” as a role, he cannot have “Approver Role” from CM. It is a limitation in PAM. This limitation might be due to security or operational functionality. But it should be documented if it is limitation of PAM.

We have been using this solution for two and a half years.

I faced stability issues in the past, but I have not faced any stability issues lately.

I have not faced any scalability issues.

I would give technical support a rating of 6/10.

We did not use a previous solution.

The setup was straightforward.

There are currently other tools on the market which are much cheaper than PAM. They can do almost all of what PAM does, and even do it better. CA can think of reducing the pricing for PAM.

We did not evaluate other solutions.