We changed our name from IT Central Station: Here's why
Get our free report covering Microsoft, ManageEngine, and other competitors of Thycotic Password Reset Server. Updated: January 2022.
564,643 professionals have used our research since 2012.

Read reviews of Thycotic Password Reset Server alternatives and competitors

PAM Architect at a tech services company with 11-50 employees
Real User
Top 5Leaderboard
Stable, good support, and secures each password with individual encryption
Pros and Cons
  • "CyberArk probably has probably the best vault on the market because of the multiple layered security and each password getting its own encryption."
  • "CyberArk has two disadvantages; the first is that it's insanely expensive and the other is it's very complex."

What is our primary use case?

I'm an integrator and we identify and provide performance discovery, and we select the best product for our clients.

We have users that are administrators in the environment, and we convert them into a shared account model. Many of the organizations have two accounts. One is a regular user account and the other gives them administrative rights.

CyberArk allows for a higher degree of segregation of duties, although CyberArk itself doesn't do that. You have to have knowledge of role-based access control and least privilege principles. It supports it, but you have to implement it.

There is also service recording, service accounts on Windows Systems, and Linux systems, to rotate their passwords.

You will find service accounts with passwords that are 5,000 to 8,000 days old, but not with CyberArk. It creates a very strong service to prevent attacks. 

When passwords don't change it makes them very vulnerable and allows attackers significant lateral mobility within an organization. It gives them the necessary time to scout the environment and choose what their attack will be, whether it's going to be a ransomware attack or a data exfiltration attack or if it's going to go in to cause defamation to the company like creating a denial of service to clients. Also, hacking their Facebook page or their Twitter page are common attacks.

What is most valuable?

CyberArk probably has probably the best vault on the market because of the multiple layered security and each password getting its own encryption. Each password gets individual encryption. By the time you are able to crack one of the passwords, it's already been changed a dozen times.

The attack surface on a CyberArk Vault is very nominal and in addition, CyberArk also has its own on-staff hackers where companies actually hire them to perform penetration testing, but within, inside the environment.

What needs improvement?

CyberArk has two disadvantages; the first is that it's insanely expensive and the other is it's very complex. 

That's the downside because CyberArk was not built organically. It was built systematically.

They're not built into the product. You have to shoehorn things in. You have to create programmatic interfaces to make things work, but that's why I said it's the most complex product.

CyberArk is still in the model of managing accounts and passwords. When you're logged in as a domain admin, you're leaving footprints everywhere you go. These footprints can be picked up and replicated. So, I think CyberArk is behind the curve in that area.

Customers are already having an issue with the cost of CyberArk and then you have to add another $100,000.00 to the bill for other application accounts.

I would like to see a more streamlined and built-in programmatic onboarding and offboarding process. Something a little bit less complex than what they're currently doing.

The price is the problem and also the architecture can be daunting because CyberArk really strongly encourages having hardware vaults. Most corporations are totally virtualized.

I use virtualized vaults on everything including the high availability configuration.

For how long have I used the solution?

I started using Cyber-Ark Enterprise Password Vault when they were on version five or six, they are now on 11.5 or 11.6. I have been using this solution for a total of 15 years.

What do I think about the stability of the solution?

CyberArk is very stable.

If there is a problem, or if a problem does occur, unless you know exactly what to do and how to diagnose it, you may not be able to find it because there are so many moving parts. However, a good administrator can usually diagnose a problem fairly rapidly.

They determine the root cause by performing a root cause analysis. Also, you should inform CyberArk because sometimes a fix might be required. CyberArk stopped performing single sign-on.

What do I think about the scalability of the solution?

CyberArk is very scalable. It's one of the things that I love and it's also one of the things that I hate about CyberArk.

For example, it's a standalone vault that is practically uncrackable. If you want to do a password rotation you need to have a central password manager. It's called a CPM.

If you want session recordings you have to have a PSM. They can be run on the same server, but eventually, the performance is going to be an extensive task. 

A CPM is performing verification on passwords continuously, and to start stacking server roles on top of each other. 

If you're a semi-vault in a small environment, with one server running CPM, PSM, and PDWA all on one box, it would be no problem with less than 10 administrators and only 70 servers.

With other small or larger organizations that have hundreds of servers rendering that capability or that flexibility, you would have to have a dedicated CPM and dedicated PDWAs, which is the administrator web interface.

For a medium-sized company where you want to do a session recording for all the administrator access, it will cause a problem. It will require multiple PSM servers and if you don't have a good administrator who documents the build process well, or they don't update it, then the problem shows when you build a new PSM. If they don't add all the applications to it then you're going to get an intermittent error across the low-balanced PFMs, where eight of the ten work, but two of them don't because they didn't install the SFQL agent. It's a very complex program, albeit very scalable.

If you're a multinational corporation, you can have your vault in one location and have PSMs distributed where the systems are in the data centers. Then, the PDWAs and the CPMs would be in the data centers and you would have the PDWAs where the user populations are. Rather than having one single appliance or one single box that does everything, you end up having boxes distributed all over. This means that they have to do synchronization and it works out very well most times.

We have small to large company clients. We have clients that have tens of thousands of administrative accounts and 1000 or so servers, to clients as small as having 70 servers with maybe only 750 to 1500 accounts.

How are customer service and technical support?

Technical support is awesome!

CyberArk has excellent technical support. They may not be timely. They're not quick, but they're great.

I would rate the technical support a ten out of ten.

You have to follow the ticket creation process, which is in your benefit because you need screenshots and logs to be able to diagnose the problem. If you do that, then CyberArk comes back with some incredible support help and in most times it's something that I would have never been able to figure out because the product is very complex and it has a lot of moving parts.

Which solution did I use previously and why did I switch?

I have not used any other solution previously. CyberArk is what I learned first.

How was the initial setup?

The initial setup was very complex. There are a lot of moving parts. The skillsets for some of the advanced features require administrators to know how to program in specific APIs. 

The complexity to implement is very high. On a scale of one to 10, it's a 9.5.

What's my experience with pricing, setup cost, and licensing?

CyberArk is very expensive and there are additional fees for add-ons.

What other advice do I have?

CyberArk Password Vault is probably the top vault on the market and Thycotic would be a close second.

CyberArk is not always suited for our clients but it is the best solution. Eight out of 10 organizations don't implement it. Just because you know CyberArk doesn't mean you understand it.

The SaaS solution is sound but the on-premises is primarily what I have worked on. I am CyberArk certified. When I started off several years ago, I got my CIS as PE. I was put into a security group in EDS. 

Network admins who work for the company have to be administrators, with high skill levels. 

Before implementing CyberArk, I would say do a very aggressive use case creation of everything that you're expecting the vault to do. The security architecture should be able to create high-level bulleted use cases. Security administration should be able to take it down to the next level of detail.

They will have to add Conjure, which is another license for CyberArk.

I would rate this solution a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Cybersecurity Architect at a tech vendor with 1-10 employees
Real User
Top 5Leaderboard
Designed for enterprises, but could use more stability and testing
Pros and Cons
  • "One of the most valuable features is that this is a product designed with enterprises in mind."
  • "I think that BeyondTrust Password Safe could be improved with more testing. In the beginning, they were practically using customers as beta testers. Maybe the product has evolved since I last used it, but if you look at PAM, privileged access management, whatever's out there has already been done. I don't see there being any other enhancements that are being made regarding PAM, except to support more cloud-based applications."

What is our primary use case?

There are a lot of customers, worldwide, who use this solution, especially in the education sector. This solution is so niche that it's not like TeamViewer. It's basically designed and developed with enterprises in mind—it's an enterprise solution. It's built for a highly privileged and secure environment. It starts with a virtual appliance and physical appliance and then, now, to what's basically a cloud-based type of access. 

What is most valuable?

One of the most valuable features is that this is a product designed with enterprises in mind. 

What needs improvement?

I think that BeyondTrust Password Safe could be improved with more testing. In the beginning, they were practically using customers as beta testers. 

Maybe the product has evolved since I last used it, but if you look at PAM, privileged access management, whatever's out there has already been done. I don't see there being any other enhancements that are being made regarding PAM, except to support more cloud-based applications. 

For how long have I used the solution?

I have been working with this solution for over 10 years. 

What do I think about the stability of the solution?

The early version of this solution was not stable. It was terrible, but I think they eventually got their act together and it's better now so that they can compete. I haven't tried a cloud version, but if you imagine a solution is 100% on-prem and suddenly turns to the cloud, you can imagine there will be a lot of testing and bugs and all that. I'm not saying the product isn't good, it's just that when you have a vendor that starts out on-premise and only turns to cloud in the past couple years, they have a long way to catch up to leaders such as Thycotic or Centrify. 

You've got to patch it every month, so how could that be stable? 

What do I think about the scalability of the solution?

This solution isn't really scalable because it's Windows-based. How could any Windows solution be scalable? This is strictly my personal opinion, but I would believe that about 80% to 90% of people will agree with me. Windows platforms aren't scalable. 

What was our ROI?

I think that customers could see an ROI eventually. A lot of customers purchase the product because they have to get something implemented for GRC: governance, risk, and compliance reasons. So, if you don't buy any of them, then the auditor will say that you didn't pass the audit because you don't have that mechanism in place. This solution is expensive. Is it worth ROI? Yes and no. If they have to meet compliance and whatever standard requirements, I would advise the customer to at least look at two complete products first. This wouldn't be my first choice. 

What's my experience with pricing, setup cost, and licensing?

This solution is not cheap—it's a very expensive solution. Very, very expensive compared to the features and functions that they offer. 

Which other solutions did I evaluate?

This solution is competing with Thycotic and Centrify, the leaders. Only in the past couple years did BeyondTrust turn from 100% on-prem and start offering cloud services, so of course they still have a long way to catch up with them. 

What other advice do I have?

I rate this solution a five out of ten, to be neutral and in the middle. To those looking to implement this solution, I would advise them to fully test it out in their environment before even making the purchase. You've got to thoroughly test it—test everything, otherwise you might regret it. 

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Flag as inappropriate
Get our free report covering Microsoft, ManageEngine, and other competitors of Thycotic Password Reset Server. Updated: January 2022.
564,643 professionals have used our research since 2012.