Symantec Privileged Access Manager Reviews

• Consolidates access to all the systems
• Easy to deploy/virtual
• Records access for troubleshooting issues

One example of how it has improved the way my organization functions is that before, we had to deal with the firewall rules between domains to control access. With CA PAM, we simply set the rule once, which can be applied when we add new clients into our cloud environment.

They need to improve how it scales. We end up adding new “appliances” to scale for large or complex environments.

I run a multi-tenant cloud environment so I cover multiple domains and environments. So, as we grow our customer base by adding more systems, new customers or have different security zones for new applications/systems for customers, we end up having to add more appliances….we can only scale the virtual resources so much before we start hitting the performance thresholds on the appliance and the thresholds we have set with a customer.

By segregating and/or adding new appliances we even out the load and still maintain the performance we want with our customers. Obviously, I am talking about customers that have a higher access than some other companies.

I have used this solution for roughly a year.

At the beginning, we did have some stability issues, i.e., until we understood the product, and then the process was better.

There were scalability issues. The architecture forces us to add systems - similar to a Cisco model.

The technical support is above average.

I have used different systems in the past with other companies that I worked for, so I have been able to compare several of these. CA PAM is the least expensive option than most and is easy to deploy.

The initial setup/configuration was easy. It was more troublesome in finessing the rule sets/processes that needs to be used, which isn’t a product issue but an internal walkthrough of how we wanted the access to be controlled and in what manner.

Negotiate well but more importantly, design your architecture and understand what you will need as you scale (build building blocks).

We also evaluated One Identity, Centrify and Microsoft PIM.

Make sure you fully vet out what is needed for the complete process, and understand what you need up front for the initial set and what will be added at what trigger points.

Monitoring privileged users’ actions is valuable because of the high level of trust and wide-ranging access insiders typically enjoy. The impact of an insider breach incident can be quite high.

• Integrates your management

Customers want simultaneous monitoring of users’ actions, so a manager can block the session immediately in case of a user violation.

I have used it for six years.

We had some issues with the load balancing feature when configured for clustering.

We have not encountered any scalability issues.

Technical support is average.

We did not previously use a different solution.

Initial setup was simple because of the rule-based configuration.

Reduce the price by subdividing the license bundle.

Before choosing this product, we did not evaluate other options.

It is the best solution for managing privileged users.

• High availability/stability
• Flexibility
• Security
• Excellent support

We need a solution that is very reliable for our users. We need something that has the ability to handle requests for network ports and various configurations. Security is one of the highest priorities and part of that is tracking/auditing. Xceedium/CA PAM support has been excellent and that is one of the main reasons we have stuck with this solution. We have had the same core team supporting us over the years and they work with us through any issues.

Centralized firewall rules (through the appliances) make it easier for users to access our secure environments from a variety of locations and devices. The release of the CA PAM Client eliminated the Java vulnerabilities and support issues with browser access.

The areas of this product with room for improvement are mostly small annoyances like search fields that you cannot type a query and hit Enter (have to tab or click the button).

I have used it for about eight years.

We have encountered stability issues at various software and hardware versions, but we worked with the support team to quickly stabilize our environment.

We have not encountered any scalability issues; we have plenty of capacity for our environment usage. We only added appliances for new data centers and redundancy.

Technical support is excellent. They respond quickly and work with us to find solutions; easy web access to open and update tickets.

We started with the Xceedium solution to protect remote access to our secure environments.

Setup was straightforward once we linked to Active Directory and had our network firewall group access completed.

Licensing is by device and/or user depending on your functionality. We only use the Session Management, so it is by devices.

We looked at a few other solutions over the years but nothing was better than what we had. We are looking to the future to see if any new solutions might be as good or better and cheaper. Licensing costs do add up as we are adding more servers in our secure networks.

Get enough appliances for redundancy so if you lose one due to hardware or software issues, there is no impact to users. We use a VIP that directs all users to whichever appliance is available.

The most important feature is that we do not need to know the passwords any more; just having access to the end point; and that it’s easy to manage users and the account.

Since we implemented CA PAM in our company, we don't need to pass the passwords to every individual administrator. He just logs in using his own credentials and then searches for the end point he wants to access and that's it. We approve their access and they're ready to administer the end point. This is good because we don't need to change passwords every time one of our colleagues leaves the company.

There are many improvements needed. We are always searching for new features and new ways to improve the solution, because I'm just the local administrator. I have a support company which implements the solution. We are always constantly trying to improve new features to upgrade the solution, to understand more ways to facilitate our databases.

We are going on the third year. We have had many complications during the implementation.

The current release that we are using is much faster than the old ones we were trying. We had several problems with performance and crashes, screens that wouldn’t load up. The final release we are using is much better and more stable.

Now, it is scalable.

I would give technical support a 2.5/5. I'm not sure if this is a problem with my local support or CA support, but when we opened a case, it took several days to get a response. It cost me time to get a reply. They'd come back to us to understand what is going on or what was necessary to give support. Between me opening the case and my local support trying to understand what we want; then, they don't know how to solve it and go to CA support and try to understand again; that takes a long time.

This is the only one. We got this implementation by bid, so we couldn't choose any company. It was the lowest price and a quicker time to implement.

The first setup was complex. The implementation, to me, was very bad.

We did a proof of concept with another solution.

When they came for the proof of concept, we only had access to the system itself. I couldn't try to understand the complexity of implementation or support or all the features that the solution would have to offer. I just saw the main features.

I have found the automated authentication to be most valuable.

We do not have to authenticate users due to automatic authentication, so this allows us to be much more secure.

The demonstration and consideration portion does not work the best. It's not that intuitive. To define how it should work and what systems should be involved, requires extensive training to understand how to configure the setup. It is not immediately obvious to do this.

I have used it for about a year.

I did not encounter any deployment issues.

I did not encounter any stability issues.

I did not encounter any scalability issues.

We actually haven't had to use technical support, yet.

We have not used a different solution. We started with CA PAM.

The initial setup was complex. The system itself was easy to install, but the configurations were highly complicated.

Other options were evaluated but I was not involved in that.

Get as much training as possible.

The most valuable feature is the general concept of securing privileged passwords. Having worked in IT for a long time, I know how privileged passwords can float around. They pass from person to person and don’t get changed when they should be changed, such as when someone key who knows them leaves the organization. So, I appreciate the value of locking all that down.

Being able to have a centralized place to store the most critical username/password combinations that you have. These are the ones that access your key systems. PAM prevents some of the breaches that we've seen recently where one of those privileged accounts can lead to access to confidential information or financials can really paralyze an entire organization. Breaches can potentially smear organizations in the media when their names get out there in that light. So the whole concept of locking that down is very important.

The product itself is solid. I haven't really seen any deficiencies. It’s more just getting the message out about why it's so important. That's what our organization is trying to do. We're also a reseller. We are trying to convince companies that they need this type of technology. Publishing more use cases would be helpful just to help to convince companies why they need a product like this.

We don't actually use this solution ourselves. We implement the solution for people who buy it. I’ve been doing it for about a year. I haven't used it personally, but I know how it works.

It's very self-contained as a product. Being appliance-based, it's easy to implement. It's stable. No complaints there.

It is very scalable. I know it's used in large organizations like banks and healthcare organizations. It's just a matter of swapping in. I recall on one of the enablement calls that I attended, they had a very defined set of parameters where if you reached a certain threshold, you would then swap in another PAM appliance.

I've actually never called in to their technical support, so I really can't say.

I don't really know much on the pricing side. I'm more on the technical side. We do have an instructor that teaches the PAM enablement classes, and he's a big fan of the course materials. He thinks that they're very valuable and well worth the cost of attending a class. So attend the public CA courses on PAM, because they're very good.

I would say definitely get professionals that can help out. My company is in this space, and this is what we do for a living, so I don't think that it's a product that you want to go and try to implement on your own. Getting professional experience on your side for two or three weeks, or whatever it takes, to deploy the solution is well worth the investment.

With CA PAM, it's mainly the vaulting of credentials that we're looking for, and then after that, probably the bastion functionality where we force all of our administrators through that to get to the servers. We'll also do session recording of both RDP and the SSH sessions through it.

It definitely helps with security. It also helps with how we audit which credentials are being used. When somebody actually logs in to CA PAM, they have to go in through second factor authentication. Once they're logged in, whatever credentials they check out, we get to see that and our auditors get to see that. It helps out in that way.

A better discovery interface of accounts.

It does do discovery of accounts for Windows servers, and you could do UNIX servers as well, but it's kind of clunky how it does it.

It's a very stable solution, but we also built it to be highly available and redundant as well. We built it out where we have four appliances in one single cluster across two data centers.

It's pretty scalable from what we can see. We have four appliances in a single cluster across two data centers, and we can actually even grow that if we wanted to.

I haven't had to call in any cases yet, but we've been working with the CA services team to help us implement the solution. They've been really really good.

Over time security has been becoming more prevalent, mainly because of the number of attacks out there. We found that just by looking at our whole portfolio of solutions that we already had in place, there were definitely some small gaps and areas that we needed to fill. PAM was one of the solutions that we found to help us with vaulting credentials, rapidly changing credentials.

Beforehand, for administrators to change certain credentials, they would have to go in and there would be change control processes that they had to go through. The vaulting automates a lot of that for us.

When we set up CA PAM, it's a OVA. It's an appliance, a virtual appliance, that we just needed to throw in VMware, spin it up, and there it is. From there it was just connecting in other things like our storage, our time server, and whatever else. Very very simple to set up.

For us, we mainly wanted a solution that worked in the scenarios that we were looking for.

We've demoed numerous products. After even just watching the demos we weeded some out. Then we actually brought a few in-house that we liked, and we did proof of concepts. We found out that some products just didn't work the way we wanted them to in our environment.

The reason we chose CA PAM is it worked in the scenarios that we wanted it to, and it just worked without problems.

Rating: I would say probably a seven or an eight. As I said, the interface is not the easiest to navigate and it doesn't really have the discovery piece or fully baked discovery. Overall, the solution works and there's just multiple ways of doing things. You don't have to use the whole GUI interface to get your stuff in. There's ways of importing our credentials and what not through Excel spreadsheets and what not. It's really easy how the import/export mechanism works.

I would definitely tell them [peers] to do an in-house proof of concept of the solution to make sure that solution works for their environment.

CA PAM has session recording, which is a very valuable feature. Overall, it is generally easy to use. It's a relatively simple product to setup and configure. You're not looking at tons of Professional Services hours to get it running.

Its primary benefits are the ability to regulate and control privileged access accounts, and their usage. Say for instance, that you have an administrator account for your Oracle EBS system: you obviously don't want your system administrators all sharing a single account. If you do find yourself in a situation where you only have one administrator account, you can setup Privileged Access Manager to track which administrators are using that single administrator account. That is very useful.

They actually just announced adding features that I would have liked included in the release that we're using. These new features all revolve around reporting and analytics. The basic reporting that comes with it is basic. They are not broad enough or deep enough. Apparently, with the latest release that was announced yesterday, there's a new analytics piece to it that really expands on its reporting capabilities.

Some of the key analytics that I would like to see are consolidated dashboard views with information about any privileged access usage that is out of the norm from a security perspective. That is now included in this new module; but I don’t think that this module is part of the Base Privileged Access Manager

Also, the licensing model, with cost as you scale with the number of users and recordable sessions. If it was cheaper, I would give it a perfect ranking.

I have had no stability issues whatsoever with it.

We have a relatively small implementation, but from what we've seen so far, it would scale pretty well.

We’ve used a little bit of technical support. It was really just a couple of questions here and there, and the support has been very good so far.

We did not have a solution in place.

Initial setup is pretty straightforward.

My organization had a push to increase our security posture this year. One of the areas we're looking at concentrating on is the use and control of privileged accounts. We obviously looked at the feature functionality set; then cost, then ease of use with a proof of concept demo.

We considered Thycotic Secret Server and we looked at a ManageEngine product. Ultimately, it came down to a choice between the Thycotic product and CA's PAM.

The only advice that I would give is to also consider some of the new pure Cloud-based offerings that are out. They weren't necessarily strong enough for us to consider when we were looking.