it_user558024 - PeerSpot reviewer
Director Of Information Security at an insurance company with 1,001-5,000 employees
Vendor
We can separate the management of accounts with and without elevated privileges. It integrates with our identity management system.

What is most valuable?

So far the best value is the centralized management of all administrative accounts. Before PAM, domain administrators, Unix administrators with root access, end-users with elevated desktop privileges, and so on, were managed by those individual groups themselves. Now we have a way to separate the management of accounts with and without elevated privileges. This provides better control over who can see what information, and who can perform which actions.

So all the different roles (such as database admin, Unix admin, network administrator), are now centralized into one system. Users are authenticated with a single sign-on to access only what is appropriate for their role. It also enables us to take a generic role, like an administrator, and grant certain access rights to that role. Then you can apply the generic role, but go inside and make it granular. That isn't available in the product off the shelf, like in Microsoft or Red Hat.

It also integrates with our identity management system in which the roles and responsibilities are defined. Syncing the two systems is very helpful as well.

How has it helped my organization?

It is very helpful with passing audits. It’s one thing to say you have a control; it’s another to show your control. This is very easy to show. It also simplifies the security team's role in that we aren't chasing as many accounts with elevated privileges. We have a central place to go look for them.

A secondary feature is that it tracks normal behavior, and then sends notifications about anything out of the norm. An example of that is: a network administrator would add accounts on a regular basis at a rate of 10 a day; if 50 were to show up in one day, it would automatically flag it and say, "Something's not right, take a look."

What needs improvement?

I would like to see better integration with Security Incident Management solutions, a SIM, like a Splunk.

The integration with IBM’s Guardian is useful, but it is not a specific plug-in or API. It is just log information; so a little more detail would be useful there.

What do I think about the stability of the solution?

So far, so good. It is new. We haven’t had any issues yet.

Buyer's Guide
Symantec Privileged Access Manager
May 2025
Learn what your peers think about Symantec Privileged Access Manager. Get advice and tips from experienced pros sharing their opinions. Updated: May 2025.
856,873 professionals have used our research since 2012.

What do I think about the scalability of the solution?

So far, so good. It is new. We haven’t had any issues yet.

How are customer service and support?

Technical support has been good too. We had professional services onsite with us, so that made things easy. We have transitioned away from that, but so far things have been fine. We haven't had any major issues.

Which solution did I use previously and why did I switch?

We were not using anything else previously.

How was the initial setup?

It was a little bit of both. There's some internal politics, and the internal infrastructures, as well as bringing in a new product; but overall it was fine.

There was lack of knowledge from my team; and then learning from the other team, as well as the professional services team learning our infrastructure and its intricacies.

How do you get a change control approved so we could do something quickly?

Which other solutions did I evaluate?

We went with it because of internal customer needs, the regulatory and audit requirements, ease of installation, and auditor funding.

What other advice do I have?

I would say do your research. We did, and that's why I said there weren't any real competitors. There always are; but in this space, I don't think so – not today.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user479766 - PeerSpot reviewer
CIO/Management Consultant at a tech company with 51-200 employees
Vendor
Privileged users see only those systems and access methods to which they’re expressly allowed access.

What is most valuable?

The CA PAM’s ability to seamlessly integrate and provide a demarcation between users and systems is the most attractive aspect. It:

  • Enables all control to start with Xsuite’s Deny All, Permit by Exception (DAPE) approach to limit privilege access controls.
  • Enables all privileged users to see only those systems and access methods to which they’re expressly allowed access. Privileged users include Vendor Integration and Partners.
  • Enables and verifies all system policies, providing an additional level of control by selectively filtering commands issued.
  • Enables unauthorized commands to be blocked, with optional user warnings and policy violation alerts to security teams and logs.
  • Enables sessions of users attempting to violate policies to be terminated, or accounts deactivated; enterprise policy control.
  • Enables “leapfrogging” prevention, which allows one system to be used as a launch point for additional attacks / lateral movement.
  • Enables full stack and system integration.
  • Enables service integration with all systems using APIs or application to application.

These features greatly assist us and our clients in protecting their data privacy.

How has it helped my organization?

In retrospect, we and our clients have seen a reduction in service-related issues for application server and mainframe environments, a reduction in the provisioning lifecycle and requirements for systems such as mainframes, and a substantial increase in security flow and protection.

What needs improvement?

I believe continued expansion of integration to multiple systems including SSO and SAML technologies will provide a more-expansive, enterprise view of access orchestration, which will in turn strengthen the security of the environment.

For how long have I used the solution?

I have been involved with this product for three years, both using and implementing for client architectures.

What do I think about the stability of the solution?

I have not encountered any issues with stability.

What do I think about the scalability of the solution?

I have not encountered any issues with scalability; this is a true enterprise expandable product for mid-market and beyond.

How are customer service and technical support?

In my experience with the CA PAM, their support apparatus has improved immensely over the past 12 months and continues to improve based on client feedback. Indications from my clients are that CA Technologies actually listens to their concerns and takes action.

Which solution did I use previously and why did I switch?

Being in the technology sector for many years, we did not initially use products such as the CA PAM. We relied on common architecture, such as Microsoft and Oracle. As the need for more segregation of duties became prevalent, we looked to enhance our security with privileged access management. The feedback from most clients surrounding PAM is it provides a segregated extension of access control framework to enable better protection of customer privacy/data.

How was the initial setup?

The initial setup is not complex. The design and integration can become complex without the proper solution architecture and understanding the impacts changes in technology place on a company's operational process and employee behavioral management. These topics became more complex to manage and establish than the product itself.

What's my experience with pricing, setup cost, and licensing?

Product pricing and licensing is related to short-term or long-term business planning. In many cases, this solution should be looked at as a long-term solution. Therefore, considering the long-term savings in perpetual vs annual licensing is paramount to a progressive architecture. Therefore, I believe it is in the interest of the business to make these decisions prior to OEM engagement; they need to be vetted and defined as a value to the company at large.

Which other solutions did I evaluate?

No other options were evaluated because this PAM has made substantial gains in system integration, which outweigh industry choices.

What other advice do I have?

I am a proponent of the product in many ways but most importantly, I believe a solid, well-thought-out strategy and solid architectural plan for the future needs to be the priority, not buying a product to fit the unknown.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: My company is a CA Technologies OEM partner.
PeerSpot user
it_user526257 - PeerSpot reviewer
Senior Solutions Architect, at a tech services company with 10,001+ employees
Consultant
It can wrap system connectivity information into its internal Java-based shell. Online Help is not detailed enough.

What is most valuable?

  • Ease of use.
  • The way in which it can learn about the connectivity to systems, e.g., VMware vCenter Console; it can wrap that into its internal Java-based shell. Therefore, one does not need a terminal server solution.
  • The non-Java based client.
  • Two integration options with AD using SAML and the AD GC ports.
  • The API explorer.

This system comes with a built-in Java client which handles the connectivity to remote systems, e.g. the VMware vCenter Console Web Interface.

When you add the system to the CA PAM, you can put the connection into “learn mode” where you map out where the username and the password and submit fields are. You can then configure the system in PAM with the relevant credentials and then based on the information it “learned” about where the username and password and submit fields are and what needs to go where, it presents you with a vCenter Web Interface and logs you onto vCenter automatically based on your PAM permissions. This vCenter Web Console is effectively proxied via this Java Client that CA PAM has available and happens through the PAM system – the end user does not make a direct connection to vCenter.

In other PAM solutions that we tested, one had to set up a Microsoft Remote Desktop Server (TS) and publish the vCenter Web Interface and integrate that published app with the PAM solution so that when a user wants to access the particular vCenter server, PAM initiates the Remote Desktop Server published app – inserts the credentials – to provide you with access to vCenter.

When integrating with Active Directory for authentication purposes – most vendors support LDAP. For larger AD environments, the LDAP integration supports the Microsoft MSFT ports (3268 & 3269) that allows one to look for nested group memberships across multiple child domains. Another way to integrate with AD is to use SAML.

We were able to use both methods with the CA PAM solution. With another vendor we tested, they did not support SAML.

How has it helped my organization?

We only did an evaluation of the product, but we do feel that it will improve our security and governance posture and shave time off our engineers having to connect to systems managed by the PAM solution. It also gives us the accountability we are looking for.

What needs improvement?

  • Reporting is very limited.
  • Online Help is not detailed enough.
  • Canned reports provided results for all targets and cannot simply be run for a particular customer when used in a service provider environment; one has to create some custom filtering.
  • Multi-tenancy (reporting, AD users, customer devices, customer credentials).
  • Interface and routing configuration (no individual routing tables per interface, cannot see routing table).
  • Network connectivity to multiple networks where these networks might have overlapping IP address spaces.
  • Session recording not included by default without an additional license.
  • Session recording mount point is often disconnected after a system restart.
  • Additional configuration required for multi-domain AD forests in order to find groups in child domains and to expand their membership.

For how long have I used the solution?

We used it over a period of about 2-3 months, up to slightly less than two months ago as part of our proof of concept tests.

What do I think about the stability of the solution?

I have not encountered any stability issues; it is very stable.

What do I think about the scalability of the solution?

I have not encountered any scalability issues; it scaled easily.

How are customer service and technical support?

Technical support is very good.

Which solution did I use previously and why did I switch?

I did not previously use a different solution.

How was the initial setup?

Initial setup was straightforward, but we had some problems initially understanding what needed to be done to get an end device under management and how to set up the networking.

What's my experience with pricing, setup cost, and licensing?

  • Take note that Session Recording is not included by default.
  • One would likely also have to invest in other infrastructure in a service provider environment when wanting to use the same solution for multiple clients to allow for the necessary networking.
  • Additional costs that need to be catered for:
    • Storage space, NAS or SAN for session recording data.
    • A Terminal Server and CALs for more-complex end devices, e.g., Cisco UCS – the client needs to be run from a Terminal Server as a published application by the PAM solution

Which other solutions did I evaluate?

We ran a PoC with CA and BeyondTrust at the same time.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
it_user521199 - PeerSpot reviewer
Sr. Solution Strategist Security - Platinum Accounts at a tech company with 10,001+ employees
Real User

Session recording is included and only additional infrastructure required is storage space for session recording.

it_user351294 - PeerSpot reviewer
Technical Director at a tech services company with 51-200 employees
Consultant
It adds another layer of security from the basic OS security of Linux and Windows, although the rule management portion and reporting is very weak on its own.

Valuable Features:

It consists of three components that work well together: access controls, SIEM, and password recording capabilities.

Improvements to My Organization:

The access control component is solid. It adds another layer of security from the basic OS security of Linux and Windows. A lot of customers use it. The segregation is difficult to achieve as different OS's require different skill sets, but in terms of admin, it’s the same cost, and that’s a key benefit.

Room for Improvement:

The rule management portion and reporting is very weak on its own. Also, the login part and visibility are not user friendly, as is management of the policies. Moreover, I can't easily generate the metrics. Once the rules increase, if you can’t cross-reference it becomes a challenge.

Deployment Issues:

With any deployment, you may have overkill, so it’s up to the business to get balance with rules.

Stability Issues:

It’s been in the market a long time, so thankfully it is stable.

Scalability Issues:

Scalability is not an issue because of the architecture. The management piece just manages policies, so you can still go to the system and are not handicapped.

Initial Setup:

The initial set up is very straightforward. The complexity is not so much of a problem, but that’s up to the organization.

Other Solutions Considered:

There are not many players in this arena so there aren't many choices. IBM has a solution, but I don’t think they push it.

Other Advice:

Definitely you have to go for a tested solution. This solution doesn’t have bugs, but you should follow CA’s messaging that it’s always good to deploy in small chunks. Applications have problems, and sometimes it’s a process. You just have to expand over time.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Stefan Zivanovic - PeerSpot reviewer
Cyber Security Consultant at CyberGate Defense
Consultant
Top 5
Easy-to-use product with efficient access control features
Pros and Cons
  • "We can check the activities in the server for fragile files and documents in case of any issues."
  • "They should include some assignments in the test environment to explore the product's features."

What is our primary use case?

We use Symantec Privileged Access Manager for controlling administrator and privileged user access. We can check the activities in the server for fragile files and documents in case of any issues.

What needs improvement?

There should be some training platform similar to Microsoft and IBM. We can't find useful documentation or YouTube videos to learn about the process. They should include some assignments in the test environment to explore the product's features.

For how long have I used the solution?

We have been using Symantec Privileged Access Manager for four months.

What do I think about the stability of the solution?

It is a stable platform.

What do I think about the scalability of the solution?

It is a scalable platform.

How was the initial setup?

The product is easy to install.

What's my experience with pricing, setup cost, and licensing?

The product's pricing depends on the agreement. They offer per-device, per-user, or monthly and yearly licensing models.

What other advice do I have?

I rate Symantec Privileged Access Manager an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user