Coming October 25: PeerSpot Awards will be announced! Learn more
Buyer's Guide
Privileged Access Management (PAM)
September 2022
Get our free report covering CyberArk, BeyondTrust, One Identity, and other competitors of WALLIX Bastion. Updated: September 2022.
632,539 professionals have used our research since 2012.

Read reviews of WALLIX Bastion alternatives and competitors

Salif Bereh - PeerSpot reviewer
Consultant at a consultancy with 10,001+ employees
Consultant
Top 20
Remote desktop manager can register connections, making it easy to connect to machines through the virtual IP
Pros and Cons
  • "All the features of CyberArk are useful for me, but the biggest one is that CyberArk has logs for all the features. That is important when there is a problem. You know where to look and you have the information. In cyber security, the most important aspect is information."
  • "The PTA could be improved. Currently, companies often have multiple domains and sometimes it's difficult to implement CyberArk in this kind of infrastructure. For example, you can add CPM (Central Policy Manager) and PSM (Privileged Session Manager and PVWA (Password Vault Web Access) for access, but if you want to add PTA (Privileged Threat Analysis) to scan Vault logs, it is difficult because this component may be adding multiple domain environments."

What is our primary use case?

There are many possible use cases, but in general, CyberArk permits users to target machines and rotate their passwords, and to record decisions. It is used to create security through PTA and to forward Vault logs and investigate events. It also enables users to access passwords in dev code without actually knowing the passwords. There are a lot of advantages to CyberArk.

As a consultant, I have seen a lot of CyberArk configurations. Sometimes we use the CyberArk Cluster Vaults with one DR. I also worked for a company that used only one vault, without a cluster, but they switched data centers when there was an incident.

How has it helped my organization?

I used to be a Windows and Linux administrator before I used CyberArk. The difference is that now it is simple for me to connect to my target machines. I can add them to my favorites, making access to the servers simple. 

CyberArk enables confidentiality. The passwords are stored in a fully secured Vault. If you want, you can access target machines without using PVWA. If you act as a remote desktop manager, you can register your connections and connect your target machines through the virtual IP and easily connect to your machines. Your connections and commands would all be registered to the Vault.

What is most valuable?

All the features of CyberArk are useful for me, but the biggest one is that CyberArk has logs for all the features. That is important when there is a problem. You know where to look and you have the information. In cyber security, the most important aspect is information.

Another valuable feature is that if you don't have access to a machine, you can see the machine in CyberArk. It's the management capabilities that CyberArk enables for a company that are very useful.

Other useful features are optional, such as recording decisions or rotating passwords.

What needs improvement?

The PTA could be improved. Currently, companies often have multiple domains and sometimes it's difficult to implement CyberArk in this kind of infrastructure. For example, you can add CPM (Central Policy Manager) and PSM (Privileged Session Manager and PVWA (Password Vault Web Access) for access, but if you want to add PTA (Privileged Threat Analysis) to scan Vault logs, it is difficult because this component may be adding multiple domain environments. 

CyberArk, as a solution, can easily adapt to a lot of environments, and you can add a lot of components to different zones, and that will work with the Vault. But not all the components, such as the PTA, can do so.

Also, it would be helpful if CyberArk added some features for monitoring machines when we access them. For example, they need to improve the PVWA. In general, when we don't use the PVWA, we don't have a lot of problems. For me, the PVWA is not perfect. I would like to see more features in the PVWA to administer our machines and to improve the transfer of data.

For how long have I used the solution?

I have been using CyberArk Privileged Access Manager for more than three years.

I have implemented and maintained CyberArk solutions for clients, including creating administration functionality, such as platforms and support for users, so that everybody has 24/7 access to the account. 

I have also been involved in enhancing the solution by installing useful components and testing them. I would help analyze if a component could be of interest to the client and then implement it in production.

In general, I would help maintain the solutions and make sure that everybody can access the accounts, and that password rotation works.

How are customer service and support?

I would rate WALLIX support at six out of ten, while CyberArk's support is a seven. The reason it's a seven is that we always have to send them the logs. Of course, we do get some response and they work on things, but sometimes we lose time on little tickets.

How would you rate customer service and support?

Neutral

How was the initial setup?

If you have some experience, it is not complex to implement CyberArk. For me, the preparation is more difficult than the installation. Because CyberArk uses binaries, if you add good information, it will work. But if you miss something at the preparation stage, like the opening of the flows that you need, of course, it will be difficult. I know how the solution works, so it's not difficult.

First, you have to install the Vaults, and after installing them you can add PVWA to access the information. After that, you can install the PSM and then the CPM for the rotation, and that's it.

The time it takes to implement depends on the environment. Sometimes we work with complex environments and we have to adapt and collect all the information that we will need. We need to look out how the machines should be set up for the installation. It really depends on the size of CyberArk you want to install, including how many computers will be onboarded to CyberArk. There are technical and functional variables.

What's my experience with pricing, setup cost, and licensing?

CyberArk is one of the best PAM solutions and one of the most expensive, but it works better than the others, so the pricing is fair.

Which other solutions did I evaluate?

I used to work on WALLIX Bastion, but CyberArk works better than WALLIX. WALLIX is a PAM solution, a French version, but when I was at another job I was a consultant on both WALLIX and CyberArk at the same time. That's when I saw that CyberArk is better.

It is simpler to upgrade the CyberArk environment and components than WALLIX. CyberArk has a user interface but WALLIX does not because WALLIX is installed on Linux while CyberArk is installed on Windows, making it user-friendly. Connecting is also simple with CyberArk. When a user connects to the PVWA, there aren't a lot of buttons. When users see the icon, they click "Connect" and connect. It is simple for them.

CyberArk can adapt easily to environments. For example, when we talk about connectors, CyberArk can easily connect to all the target machines these days. CyberArk can onboard network machines, Windows Servers, Linux servers, and Oracle Databases.

Web application passwords can be rotated. With its PSM and Selenium features, it enables the connection of a web application to CyberArk and rotation of passwords, so that it's not system accounts all the time. We can manage the web application accounts as well. CyberArk can also connect to the cloud.

What other advice do I have?

When you work on CyberArk, you have to have more than one skill set. You are not just a PAM consultant because you manage passwords for all kinds of systems. You have to have skills in Windows, Linux, databases, and security because you manage those kinds of accounts. If you don't have those kinds of prerequisites, you can't work with CyberArk.

I started working on CyberArk when it was version 10.x and at this moment it is at 12 and more. The interface has changed and a lot of features have been added over that time. It's a good solution.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Flag as inappropriate
Professional Service Manager at a financial services firm with 501-1,000 employees
Real User
Offers a highly reliable VPN contact point and solves our password management issues
Pros and Cons
  • "The first feature I like about One Identity Safeguard is the live contact point for the VPNs. This has been working very well for us, as it's both highly available and reliable."
  • "We currently have a problem with the Active Directory integrations on Windows. Some of our users need to be logged with Active Directory, but we are having communication issues between One Identity and Active Directory. It seems that Active Directory is not well-integrated."

What is our primary use case?

The first time I used One Identity Safeguard was when I was the manager of the infrastructure of Ayendeh Bank, and we are currently using it now at my present company.

Our main use case is in security reviews for all of the change management and incident management services, and we also use it for the VPN connection for PAM. It allows us to review everything that goes on over the working day.

For example, our third-parties who support all of our services, including network services (e.g. Cisco) and our Linux servers, are eligible to connect via the VPN, and through One Identity Safeguard, they are able to make contact with and use the various services.

Our company works alongside various PSPs (Payment Service Providers),
and our work here is mainly to prepare the software switch for them, and
to handle the SLA for infrastructure maintenance services. Due to the nature of our work, we also use One Identity Safeguard for on-call and direct administrators whether they are in-house or external to our company. It is, in fact, the main tool for managing access for all the services. And because of that, I'm available for these companies 24/7 all year long.

At present, we have around 17 direct users of One Identity who use it on a daily basis, which includes 10 people from my own department.

What is most valuable?

The first feature I like about One Identity Safeguard is the live contact point for the VPNs. This has been working very well for us, as it's both highly available and reliable.

The second thing I like is the services that let us review all the contacts and take all the passwords from another administrator. These services are very reasonable. For instance, some of the third-parties will leave our company and support, but then fail to relinquish the usernames and passwords. With the security orchestra that One Identity Safeguard provides, this is no longer a problem.

What needs improvement?

We currently have a problem with the Active Directory integrations on Windows. Some of our users need to be logged with Active Directory, but we are having communication issues between One Identity and Active Directory. It seems that Active Directory is not well-integrated.

Apart from that, when we are using the interactive login, such as when logging in and going inside the site for support, we find that we need to repeat the username and password, sometimes even two or three times.

When it comes to suggestions for new features, I would like to see something along the lines of an automated command prevention system. To elaborate, sometimes we will have users who input unsafe commands, and we would like to prevent those commands from being processed, and to be able to identify those users who sent the commands.

I believe some kind of automation, possibly based on AI, would be appropriate for this, and it would help the administrators and managers to more easily prevent these kinds of incidents. Part of my role is to reduce the number of total incidents, and if we had an automated mechanism to prevent unsafe commands from being entered in the first place, it would help a great deal.

For how long have I used the solution?

I have been using One Identity Safeguard for about six years.

What do I think about the stability of the solution?

I can say that it is 100% stable because during the past two years we have not had a single problem with stability.

What do I think about the scalability of the solution?

In our company, the scalability is good enough for us at present. In my department, there are ten direct users, and outside my department there are another seven direct users. Perhaps when we increase our customers, we will scale up further.

How are customer service and support?

At present, because of the sanction department for technology in Iran, we cannot use the direct customer support. Instead, we use third-party support. For example, we have a contact point with a company who has branches in Turkey, and they are taking the tickets for Safeguard. Before that, with Balabit, we got responses in less than 24 hours.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Before Safeguard, we were using Balabit. However, Balabit has now been acquired by One Identity.

Another solution that was being used by some of the other companies I consulted for was WALLIX Bastion. Using WALLIX was a really different experience. With One Identity, we have no problems with connections or slow communications in the network, but with WALLIX there were many problems to do with the networking. Sometimes the servers would even crash or hang, but none of these issues have been found in Safeguard. By comparison, Safeguard is much better in terms of performance, networking, and server stability.

How was the initial setup?

There were no real problems with the setup. Regarding the ease of installation, if you have a professional team, then it is easy. But, for example, if it's your first time setting it up as a junior administrator, then it can be quite difficult. I would Safeguard a 3.5 out of 5 in terms of how complex the initial setup is.

What about the implementation team?

We used an in-house team for the implementation, because myself and the other companies we work with have a lot of experience in it. Thus, for us, it was no problem to implement.

What's my experience with pricing, setup cost, and licensing?

The license is very expensive for us, partly due to inflation and partly because of the exchange rate between the Dollar and the Iranian Rial. We purchased a perpetual license that we've been using up until now, but I believe that we are not going to update it in the future. Instead, we plan to find another third-party  to support us with the license, in the sense that we would have access to their license as a shared agreement.

What other advice do I have?

I would rate One Identity Safeguard a nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Buyer's Guide
Privileged Access Management (PAM)
September 2022
Get our free report covering CyberArk, BeyondTrust, One Identity, and other competitors of WALLIX Bastion. Updated: September 2022.
632,539 professionals have used our research since 2012.