Symantec Privileged Access Manager Room for Improvement

MB
System Administrator at Alghanim Industries

The response time for support could be faster. Some features should be added: cloud-based, VPN-less, more secure, and it should be adjusted in a hybrid environment.

This solution is out of support now, so we are moving to BeyondTrust. With BeyondTrust, we have a dedicated team working on those products that is specialized and easily understands our environment.

It should have cloud features. One of the reasons we are using BeyondTrust is that we are going away from the VPNs. BeyondTrust doesn't require a VPN.

it_user715158 - PeerSpot reviewer
Information Security Manager at United Parcel Service

Reporting. It's difficult to locate the reports, there are limits on what reports can be run from the GUI, and the report formats are lacking. I have already spoken to product management about this specific area.

it_user613575 - PeerSpot reviewer
Sr. Security Analyst at a retailer with 1,001-5,000 employees

The areas of this product with room for improvement are mostly small annoyances, like search fields where you cannot type a query and hit Enter (you have to tab or click the button).

Buyer's Guide
Symantec Privileged Access Manager
March 2024
Learn what your peers think about Symantec Privileged Access Manager. Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
765,234 professionals have used our research since 2012.
it_user715158 - PeerSpot reviewer
Information Security Manager at United Parcel Service

We are a multiplatform shop, so we have Windows, Linux, and mainframe. The mainframe piece of it is coming along, but we would like to see a little bit more integration with the non-CA mainframe component, such as RACF. That is what we use, but they have more features which are coming out in the next month or so, which is huge. They are listening to their customers. I think that is great, but they need to do a little bit more on the mainframe side.

it_user778803 - PeerSpot reviewer
Program Manager at a financial services firm with 10,001+ employees

We are going to work on Trade Analytics, so we wanted to see how Trade Analytics work and all.

They need to work on some of the enhancements, which we have already given to them. 

They need to have zero tier and an active-active setup with zero minimum downtime, which they are working on.

it_user707178 - PeerSpot reviewer
Project Coordinator at a logistics company with 10,001+ employees

The OOTB reporting functionality is lacking. The ability to view a simple breakdown of the various data. They offer an all or nothing solution that does work for my organization. We need to be able to distribute reports to various groups that have users working in CA PAM without showing them all the activity. However, there are APIs that can be utilized to make custom reports. The product is good and enhancements are coming to improve the product. Reporting is what is lacking in this version of the product.

it_user705717 - PeerSpot reviewer
Senior Systems Administrator at a tech company with 5,001-10,000 employees

It limits the number of CIs. Why not have unlimited CIs?

As I understand the licensing, we purchase the PAM product and pay for it based on the number of CIs. (A “CI” is a “configuration item”. It’s an ITIL term.)

That means the number of servers, routers, switches, etc. for which PAM controls access and tracks activity. Why not charge us a flat fee and give us unlimited CIs?

it_user705711 - PeerSpot reviewer
System Support Analyst at a financial services firm with 10,001+ employees

I think most people that use the product are concerned with performance, and they are also used to the user interface. We shouldn’t compromise a better looking UI with performance. It’s hard to say, because ever since I’ve started using the product, we have had performance issues.

What I hope happens with the new product CA PAM is to keep all the useful features that exist in PA, but what I’ve noticed with many new products is that the UI gets polished but the system lags in stability and performance, or it adds additional complexity instead of simplifying the user experience.

I hope that’s not the case with the new product. And of course with any new product, there should be improvements in stability, usability, performance and support.

JO
Tech Lead at a financial services firm with 5,001-10,000 employees

I wish it could create local accounts on desktops. But, what I really want to do with it is automatically manage DevOps pipelines through tools like Docker/Puppet/Chef. It would manage shared secrets to the segregated environments. I am hoping that the API is helpful for this.

it_user621030 - PeerSpot reviewer
Works at a tech vendor with 10,001+ employees

I think it works just enough because it is a mandate from the customer to have the privileged access for the administrators to manage the servers using the PIV cards. We haven't used it long enough to comment on areas for improvement.

We clearly know what the functionality is that we need from the product. I think this has been accomplished by the functionality that exists in the PAM of Xceedium.

it_user479766 - PeerSpot reviewer
CIO/Management Consultant at a tech company with 51-200 employees

I believe continued expansion of integration to multiple systems including SSO and SAML technologies will provide a more-expansive, enterprise view of access orchestration, which will in turn strengthen the security of the environment.

it_user526257 - PeerSpot reviewer
Senior Solutions Architect at a tech services company with 10,001+ employees
  • Reporting is very limited.
  • Online Help is not detailed enough.
  • Canned reports provided results for all targets and cannot simply be run for a particular customer when used in a service provider environment; one has to create some custom filtering.
  • Multi-tenancy (reporting, AD users, customer devices, customer credentials).
  • Interface and routing configuration (no individual routing tables per interface, cannot see routing table).
  • Network connectivity to multiple networks where these networks might have overlapping IP address spaces.
  • Session recording not included by default without an additional license.
  • Session recording mount point is often disconnected after a system restart.
  • Additional configuration required for multi-domain AD forests in order to find groups in child domains and to expand their membership.
Stefan Zivanovic - PeerSpot reviewer
Cyber Security Consultant at CyberGate Dfenese

There should be some training platform similar to Microsoft and IBM. We can't find useful documentation or YouTube videos to learn about the process. They should include some assignments in the test environment to explore the product's features.

AP
IT Security Consultant at a tech services company with 51-200 employees

Live session

GUI command keystroke and filtering

Session limitation

Live Session is a common feature in PAM technology now. With this feature, an administrator can monitor a privileged user's activity in a live session, the same as what we see with CCTV. CA should add this feature to their PAM product so that they can compete with competitors.

Command keystroke and filtering on GUI sessions is needed to record and filter which commands a privileged user is or is not allowed to run in GUI sessions, i.e., Windows RDP. With this feature, an administrator can prevent dangerous commands when a privileged user is in an RDP session and opens PowerShell, Windows Command, or a database engine CLI (MySQL, Oracle, etc.).

Session limitation is a very critical feature that cannot be addressed by CA PAM. With this feature, only one username can be allowed to log in to the PAM dashboard at the same time, preventing another person from logging in using the same username (sharing password/username).

it_user558579 - PeerSpot reviewer
IT Infrastructure Director at a construction company with 1,001-5,000 employees

They actually just announced adding features that I would have liked included in the release that we're using. These new features all revolve around reporting and analytics. The basic reporting that comes with it is basic. They are not broad enough or deep enough. Apparently, with the latest release that was announced yesterday, there's a new analytics piece to it that really expands on its reporting capabilities.

Some of the key analytics that I would like to see are consolidated dashboard views with information about any privileged access usage that is out of the norm from a security perspective. That is now included in this new module, but I don’t think that this module is part of the Base Privileged Access Manager.

Also, the licensing model, with cost as you scale with the number of users and recordable sessions. If it was cheaper, I would give it a perfect ranking.

it_user599001 - PeerSpot reviewer
Co Founder & Chief Operating Officer at a tech services company with 51-200 employees

The product itself is solid. I haven't really seen any deficiencies. It’s more just getting the message out about why it's so important. That's what our organization is trying to do. We're also a reseller. We are trying to convince companies that they need this type of technology. Publishing more use cases would be helpful just to help to convince companies why they need a product like this.

it_user779106 - PeerSpot reviewer
Information Security at ITG

What PAM does is when a user signs in, or when a user gets prompted to an organization, they are classified based on what teams, job titles, and roles that they have. 

One feature I would like to see is instead of just giving passwords to the user based on job function, from auditing perspective, turn that cycle around. Let us have a reporting feature that will say, "Can you please show me all the users who have access to the DB admin account essay." That would really help from an auditing standpoint. 

There is already a feature for that. It is not too great to use. Instead of being Splunk, maybe have a feature built into the application. 

it_user624780 - PeerSpot reviewer
Director, Managed Services - Analytics & Data Solutions at a tech services company with 51-200 employees

They need to improve how it scales. We end up adding new “appliances” to scale for large or complex environments.

I run a multi-tenant cloud environment, so I cover multiple domains and environments. So, as we grow our customer base by adding more systems or new customers, or have different security zones for new applications/systems for customers, we end up having to add more appliances. We can only scale the virtual resources so much before we start hitting the performance thresholds on the appliance and the thresholds we have set with a customer.

By segregating and/or adding new appliances we even out the load and still maintain the performance we want with our customers. Obviously, I am talking about customers that have a higher access than some other companies.

it_user558024 - PeerSpot reviewer
Director Of Information Security at an insurance company with 1,001-5,000 employees

I would like to see better integration with Security Incident Management solutions, a SIM, like a Splunk.

The integration with IBM’s Guardian is useful, but it is not a specific plug-in or API. It is just log information; so a little more detail would be useful there.

it_user351294 - PeerSpot reviewer
Technical Director at a tech services company with 51-200 employees

The rule management portion and reporting is very weak on its own. Also, the login part and visibility are not user friendly, as is management of the policies. Moreover, I can't easily generate the metrics. Once the rules increase, if you can’t cross-reference it becomes a challenge.

Balamurali P - PeerSpot reviewer
Solution Architect at a tech consulting company with 501-1,000 employees

An improvement for this solution is that it should not be constantly based on user name and password. There should be a condition to edit and update your username. Also, it would be nice to have a single sign-on, but that particular portal doesn't allow any copy/paste.

In addition, I have an additional suggestion. I will give you a scenario. In regards to the licensing, I have some concerns. The NAS team wants to have 24/7 support. The NAS team is the one actually using this CA PAM. So, the total count is some hundred members. But at other times, the login is 23 members. So it's like a batch. Every 7 hours there is a batch change, so every 7 hours 23 members will change. But when I ask about the licensing part, they say we have to take 100 licenses, not 23 licenses. Each time I have to ask for 100 licenses, even though I have only 23 members at a time using the solution. If there were any options for concurrent usage of a license, that would be a better option.

Sudip Karmacharya - PeerSpot reviewer
Information Security Specialist at CAS Trading House

We have to do a lot of manual work to automate features. The initial phase is simple, but it is difficult to configure our requirements. In addition, the integration between Symantec Privileged Access Manager and identity governance has to be better.

AS
Security Consultant at a tech services company with 10,001+ employees

Service account management is a key area where the product needs to develop. Currently, the product supports service account discovery, but only if the host name of the server is known. For unknown host names, it is still a dark area.

In comparison with Thycotic and CyberArk, the service account management functionality needs to be extended to application pools, SQL database, PowerShell scripts, service account discovery, etc.

it_user572919 - PeerSpot reviewer
Architect at a comms service provider with 10,001+ employees

As with most things CA, once we are bringing more technology into the portfolio and being able to collapse those products into a much more integrated way, that will definitely come over time.

In terms of improvement, keep listening to customers and their challenges and make sure the roadmap is very responsive. It is all about being agile, so we need to make sure the product is very easy to work with. It does not constrain us further down the road.

it_user705741 - PeerSpot reviewer
Sr. Oracle DBA at a government with 10,001+ employees

Updates get difficult for the client. It needs to improve. I experienced difficulty in upgrading the software myself. With a tech engineer's help, I was able to manually delete some directories and was finally able to upgrade successfully. The codes should be easier and have an auto-feature to upgrade.

it_user572856 - PeerSpot reviewer
Security Engineer at EarthLink

A better discovery interface of accounts.

It does do discovery of accounts for Windows servers, and you could do UNIX servers as well, but it's kind of clunky how it does it.

it_user712038 - PeerSpot reviewer
Business Coach & Consultant

Trouble-free installation and configuration and not even noticing that it's installed. There are too many steps involved in accessing the production network. Too many things you have to do to get on.

It'd be great if you just stuck in your PIV card and Windows popped up, asked you for your password. You typed it in, then it remembered your credentials.

it_user589527 - PeerSpot reviewer
IT Infrastructure Manager at a tech services company

There are many improvements needed. We are always searching for new features and new ways to improve the solution, because I'm just the local administrator. I have a support company which implements the solution. We are always constantly trying to improve new features to upgrade the solution, to understand more ways to facilitate our databases.

it_user762522 - PeerSpot reviewer
Solution Architect at a tech services company with 10,001+ employees

I would like this solution to be simpler. It should have a one-click access that works together with AWS. 

it_user708474 - PeerSpot reviewer
Pre-Sales Engineer at a tech services company with 51-200 employees

Support for other remote assistance tools would be excellent. Free included tools in Windows (Remote Assist) and Microsoft SCCM Configuration Manager (ConMgr Remote Control) allow companies to reduce the amount of RDP connections and expand the usage of the tools that are frequently used by companies to provide technical support for remote assistance.

This could increase the amount of purchased licenses, with increasing growth of (remote) managed services (MSPs), and would also allow a company to demand that a provider use a tool such as CA PAM when providing remote assistance, in order to record evidence or increase accountability. Access to online training free of charge is also highly recommended.

it_user651831 - PeerSpot reviewer
Cloud SME

When we look at CA PAM, the multi-tenant deployment is definitely an improvement that we want to see. They don't offer multi-tenancy.

If I have an enterprise, or if I am an MSP and I would like to use an instantiation of CA PAM for multiple tenants, I can't do that.

I have to deploy a CA PAM for each tenant, which basically increases the cost and the management side of it. That's a very essential thing.

CyberArk does the multi-tenancy, but CA PAM doesn't have this.

it_user707196 - PeerSpot reviewer
Principal Consultant

I would like it to support more types of integration.

it_user459162 - PeerSpot reviewer
Presale Engineer with 51-200 employees

Reporting, Logging, and support recording for Web App using Java.

Now, the reporting feature on CA PAM only shows the basic information in white-black table format. If I’m a customer, I like to see the reports with colorful charts and pictures.

About the Web App using Java:

Currently, CA PAM only can record and work with a Web Console that doesn't use Java. If a Web Console uses Java and has a pop-up, CA PAM can’t do a recording.

it_user705705 - PeerSpot reviewer
Finance at a tech services company with 10,001+ employees

When there are new patches or upgrades, please test the new release well, so it won’t break the functional parts.

it_user616500 - PeerSpot reviewer
Security Engineer

There are a lot of gaps in the documentation. The documentation has to improve like anything else. There are a lot of things which are not covered in the documentation, and there are a few things which are covered in the documentation, but are not clear.

To mention the features which are not covered and which are not clear would require a separate document. Here are some examples:

  • Authentication methods: PAM does support a few authentication mechanisms to login to PAM. But the documentation does not have the details of how to integrate TACACS+ in PAM. The documentation explains it at a very high level.
  • Application Connectors: PAM does support different application connectors. But for CISCO devices, the details are not clear.
  • Roles and Privileges: There are almost 200 privileges in Credential Management. There is not a document which has the details for the privileges and their functionality.
  • Segregation of Duties: There is not a document for PAM roles. For example, if the user has “Standard User” as a role, he cannot have “Approver Role” from CM. It is a limitation in PAM. This limitation might be due to security or operational functionality. But it should be documented if it is a limitation of PAM.
it_user713793 - PeerSpot reviewer
Citrix / Windows Administrator/PM at a government with 10,001+ employees

I would definitely like to see improvements in the documentation. It is very plain and doesn't provide details. There are no screenshots either.

it_user705735 - PeerSpot reviewer
IAM Architect at a tech services company with 5,001-10,000 employees

I’m no fan of Java as an application front-end, as it tends to have issues depending on what browser one’s using. Have nothing further right now due to limited exposure to the more technical parts of the product.

it_user531528 - PeerSpot reviewer
Security Consultant

The live session recording is still not in the features.

OI
Engineer at a university with 51-200 employees

I think the management console could be improved. I have just watched a demo video for the management console and I think it may need to be simplified. I haven't yet had hands-on experience with the solution so it's difficult to comment on possible additional features. 

RS
CA Specialist at a tech services company with 5,001-10,000 employees

I would like to see improvements in branding customization and multi-tenancy.

it_user705699 - PeerSpot reviewer
Senior IT and Data Security Consultant at a tech services company

The integration with AS/400 Endpoint via Transparent Login could be better and useful for some users.

it_user621822 - PeerSpot reviewer
Works

Customers want simultaneous monitoring of users’ actions, so a manager can block the session immediately in case of a user violation.

it_user708468 - PeerSpot reviewer
Senior Engineer at a tech services company with 1,001-5,000 employees

Role mapping, high availability, coverage of more important AWS data centers in Frankfurt.

it_user705714 - PeerSpot reviewer
Systems/Software Engineer at a tech vendor with 10,001+ employees
  • The user interface and dependence on applets and Windows could use some improvement.
  • Increase the compatibility with other browsers.
  • Remove the Java applet dependency (it is being deprecated).
it_user707184 - PeerSpot reviewer
Security and Governance Manager (Principal Director) at a tech services company with 201-500 employees

I would like the ability to provision through a real REST API. Perhaps this could be SCIM-PAM, once it is certified.

it_user707193 - PeerSpot reviewer
IT Security & Compliance at an energy/utilities company with 1,001-5,000 employees

It lacks good logging capabilities and the reports are not customized. Also, there are security issues with the 'super' account.

it_user705702 - PeerSpot reviewer
IT Operations at a retailer with 10,001+ employees

Still Exploring.

it_user705732 - PeerSpot reviewer
Service Engineer at a tech services company with 51-200 employees

The Java problem for web access to the platform; add more useful information in the logs; solve the JavaScript problem to access some Google services on the web.

it_user595743 - PeerSpot reviewer
Cloud Solutions Architecture Manager at a tech services company with 501-1,000 employees

The demonstration and consideration portion does not work the best. It's not that intuitive. To define how it should work and what systems should be involved, requires extensive training to understand how to configure the setup. It is not immediately obvious to do this.
