BeyondTrust Password Safe Reviews

It is used primarily to adhere to SOC compliance and to provide what we call user/administrator segregation.

We are an MSP. We do manage services, but we also do a lot of other things. We implement as well as do ongoing managed services. We don't use it in our organization. We have it in our lab set up as a running service so that I can go there and test something just to see what'll happen because I can do a snapshot of my system and then revert if things go wrong. That's something that I don't want to experiment with in a client environment, even in a test or a dev environment. I just want to test something. I can do that in our lab, but our organization does not use Password Safe.

BeyondTrust's discovery is off the charts. It doesn't just discover servers and user accounts, it also discovers the services, such as Microsoft services, and scheduled tasks. For example, if you want to change a password on a Windows service, which is also linked to other scheduled tasks or IIS app pools, just changing the password on the service is going to break the scheduled task and break the IIS app pool. BeyondTrust is able to dynamically discover and manage all three tasks of synchronizing, stopping, and starting the services as the passwords are being rotated. It is quite intuitive.

When we have services and devices that are in a red zone, which includes the internet-facing devices or the devices in the direct internet compartment, the password vulnerability is what we are trying to handle. The primary factor that makes a lot of security officers feel better is that passwords can be made long and complex, but even a very long and complex password over a period of time can be cracked. BeyondTrust allows you to not only do long and complex passwords but also regularly schedule rotations that are well within the timeframes of being able to crack a password. A password with 26 characters, 8 to 10 special characters, and an uppercase/lowercase combination will take IBM Big Blue six months to crack. In those six months, we would have changed that password 10 times or more. So, the password that IBM Big Blue is crunching on to crack has already been changed, rendering the previous password that might have been compromised inert.

It is useful for segregating user accounts. A common scenario is that a user receives an email and even though the email comes from somebody the user doesn't know, the user opens a Word document. The user gets a macro virus and is compromised. If it is just a regular user in the environment, it is only a disaster, but if it turns out that in that client environment, that user also happens to be a domain administrator or a local server administrator, it is armageddon. So, we use BeyondTrust to segregate user accounts where the domain admin connects to BeyondTrust with his user account, which also has a counterpart matching ID in BeyondTrust. When he connects to the endpoint devices to perform his job, the account that he is connecting to in BeyondTrust has the privilege. So, when he connects to BeyondTrust, he authenticates with his user account and connects to what I refer to as a dedicated admin account. That dedicated admin account is session recorded and keystroke logged. You have all the tracking records and Windows logs. Everything is captured, and then when the user is done, he logs off and continues on his workstation as a regular user again. The session is completely segregated.

So, we're able to provide user/administrator segregation. The reason I do the dedicated admin account is that, with multi-user shared accounts, it is a little bit more difficult to quantify who did what. It can be done, but it is just more difficult. With a dedicated admin account, it is one-to-one rather than one-to-many or many-to-one. BeyondTrust Password Safe provides the ability to do all of this with rules. They have template capabilities built into the product. All you have to do is customize Smart Rules to perform your action. That's the beauty of BeyondTrust. I don't know what I would do if I had to go back to another solution that did not have them. I've worked with other privileged management solutions. For me, not having BeyondTrust Smart Rules would be taking a step backward.

It is important that Password Safe provides integrated password and session management in one solution. When you have it in one solution, you don't have two devices to manage because at a certain point, if you need a secondary component to perform something that the original solution does not perform, that's another managed system that you have in your network, which adds on a transparent cost. Having password and session management in one solution keeps all of your administration within one application.

Its customization features help us to manage most assets, databases, and applications, which is critical. We are able to work and visually connect with various platforms, such as Linux, Unix, Linux, Ubuntu, etc. Ubuntu is being used a lot for small edge solutions because it is inexpensive. It is also easy to manage because it is a Nix platform. People put a lot of Ubuntu-based solutions on their edge devices, such as secure remote access or an HTML5 gateway. We're able to manage all of that within one interface in BeyondTrust.

Team Passwords feature has been hugely helpful for securely storing credentials owned by small groups outside of traditional privileged user roles. When you go into an organization, you've got people who are storing passwords in KeePass, or they've got PW Safe, which are free downloadables. The next thing you know, you have got 200 or 300 developers and administrators with all these individual solutions, and sometimes, some of them need to share them with each other. Team Passwords is your one-stop shop for all IDs and passwords that are not necessarily dedicated to a specific device. Just the IDs and passwords can be stored and allowed access by groups. We're doing a huge migration to Team Passwords, and we've developed APIs for creating the environment and importing the passwords. Tens of thousands of IDs and passwords are going into it. It is amazing. I remember 20 years ago, somebody was bragging about a password safe solution they did in Lotus Notes. I still giggle about that because Lotus Notes is fat, and it was very complex. Team Passwords is visually intuitive. My teenage daughter could sit down and do it.

So, this client had multiple password storage solutions. They first ended up installing Thycotic Secret Server because they also had certificates and a couple of other different types of authentication solutions, but they were veering away from certificate-based and needed an ID and password solution. The Thycotic solution was also out of date. The SQL database was falling apart. It was used to its maximum extreme. Considering they were already using BeyondTrust Password Safe, Team Passwords was a natural blend. 

In one of the cases, an engineer had a fairly large key pass solution, and when he left the company, his workstation was re-imaged. They ended up losing information for a significant number of devices. They happened to be network-oriented devices such as routers and switches. To this day, they are gathering all those previous IDs and passwords. Now, with BeyondTrust Team Passwords, all they have to do is to add a user to a group, and they now have access to all those IDs and passwords rather than somebody walking out the door with them or them getting wiped in a system re-image. They are in one location where they could be backed up and secured.

We use Password Safe to protect privileged identities and privileged access. The difference between any PAM and IM is that IM is basically for all the identities and the users in the organization. PAM mainly focuses on privileged access. For example, it can be to any database, or a Windows machine where someone is an administrator, or on a Linux machine where someone is root or equivalent to root, or any other web-based application where someone is an administrator. The focus was that any user should log into the infrastructure using PAM.

Every user, administrator, and developer who logged into IT infrastructure used BeyondTrust Password Safe.

I used BeyondTrust in my previous organization. We used version 22. They recently changed their version number so it matches the year. For instance, in 2022, the version number is 2022.

BeyondTrust Password Safe is used so that all the activities can be recorded and logged. Sessions can be monitored, and all of that data can be audited later if needed. Generally in organizations, IT departments, or teams, people find it difficult to rotate passwords. If it's an administrator account, the passwords are generally not rotated. They're either shared between teammates, or the passwords are written down somewhere. With BeyondTrust, you can automatically rotate the password, and set the complexity of the password, the letters, the characters, special characters, upper case, lower case, etc. You can choose when the password should be rotated, and if the password should be rotated every day, every month, or after every use.

You can enforce your password policies on these privileged accounts, which previously were not rotated that much. There are so many breaches. Recently, there was a SolarWinds attack where the password was solarwinds123. The privileged accounts were not safeguarded, and the passwords weren't rotated. People knew the password. But with this solution, no one needs to know the passwords. If it is implemented in the perfect sense, the passwords will be rotated regularly. Administrators who are logging onto the system's servers and databases don't need to know the password because the session is proxied by Password Safe's solution directly. You will see the applications, and it helps enforce least privilege, which is one of the main principles.

With least privilege, if you are allowed to have access to only two servers out of ten, then you will only be given access to those two servers. You click on the machine you want to log into, and you will get the link. If you want to do RDP or SSH, click on that and the session will be launched. You don't need to know the password, and passwords are automatically rotated.

The solution is deployed on-premises.

In my organization, there were hundreds of users. There were different teams. In other organizations, I have seen 1,000 users at different points. At any given time, there might be 400 or 500 users.

They are mainly admins and end users. End users can vary a lot and have different roles. They are the people who log onto the servers, databases, network devices, and web applications. There are a few admins, developers, and network administrators. Administrators are also end users in any particular instance because they're also the users and consumers of that particular service.

It's a security product that gives users flexibility. They can open an RDP system and then go into it. When you introduce a layer into a security system, users are forced to do things that they weren't doing before. If you ask any operational team, they will say that they used to do a task in five minutes, but now it takes them ten minutes. They aren't happy with having any solution in between. That's always a security versus operations issue. 

It definitely improves security, and audit compliance is also well taken care of when you include software like that.

For BeyondTrust Remote Support, I am onboarding accounts. I create special connectors through the RDS server into one server broker to run various applications. I establish browser connections and perform onboarding, uploading accounts, and applying remote rules. 

I also create smart groups for access. I also use Password Safe to allow users to connect through a target machine through the appliance with built-in databases.

The features I find valuable in Password Safe include password retention and management, session privilege monitoring, live monitoring and recording, and the use of PS automation scripts for creating connections. 

The smart tooling and smart group features are also important as, after finalizing discovery, they auto-collect accounts in the environment and organize them in Smart Groups for easy access.

Our customers are looking for a product that offers provisioning in their network, and for that reason, they choose BeyondTrust Password Safe.

The pricing model being lower for unlimited devices and unlimited users has proven more cost-effective.

We use this solution for password management. It allows us to control and manage passwords in a safe and secure way, and it records sessions.

The solution is deployed on-premises. It's being used extensively in my organization.

Before implementing BeyondTrust Password Safe, our server engineers and database engineers were storing passwords on an actual sheet, which is a plain text password. Since implementing BeyondTrust Password Safe, they're not doing that anymore. We eliminated the risks from storing passwords on plain text. We also have clear data that shows who modified a file.

We use the Team Passwords feature to securely store our passwords. Our team has a lot of shared passwords. Those passwords were shared in SharePoint or in the common share folder. We wanted to eliminate that because it's a risk. Team Passwords lets us securely save a password that's shared between a group of people so nobody else can see it. It's secure, and we don't have to save the password in an Excel sheet.

The Team Passwords feature has affected our level of security in a completely positive way. With a shared password, everybody could see it and someone could log in and change the password. They could also share it with someone else, like a third-party vendor or with someone outside the organization.

Team Passwords gives us better control over our passwords. Someone outside the team isn't able to get the password. Even if it's shared, we're able to see who checked the password.

It's more secure to use and better than using Excel or Notepad to save passwords. It's a really good option.

We're using it as a vaulting solution. We're doing password vaulting, and we're doing password rotations. We also do session management and session proxies.

We probably are using version 7.2. 

From a management and audit perspective, we've seen a lot of improvement because now, we're secure in the sense that we know where that access is coming from, and we know who is requesting the access. From that perspective, we're very happy, and it has provided a lot of value, but from a user perspective, it has been negative. When we talk to our frontline guys, who actually use this solution, they're not too happy with the whole solution itself only because they feel that it has added a step in their whole process and procedures.

We use PuTTY, and we didn't find it very difficult to integrate session management into existing business processes. It was pretty good. It all comes back to how you would define the users and how you define the administrative access. If sudo and those types of things are kept out of the picture, then by getting access to a privileged role or group or SSHing into a session with the root privileges, they're able to do everything they need to do without having to go through the virtual model of sudo to access something. The seamlessness was that they didn't have to go and make that connection happen. It was just all integrated within the solution itself. They just click on the asset that they wanted access to, and it would provide SSH access to that system.

So far, we have been able to integrate session management without disrupting business processes, at least for the assets that we've been on. That's very important to us. The main feature is the session recording. If we can continue to have session management, and we get those session recordings, that's the key for our auditing team.

BeyondTrust Password Safe is used to protect privileged accounts and record any activity when using those accounts. Password Safe is able to record and report anything in SSH. It's mainly used for auditing purposes.

We downloaded the virtual appliance and deployed the solution on-premises.

My company's goal is to have mature security and privileged account management. It's mainly used for security purposes and to avoid the usage of credentials.

The solution was implemented to secure privileged access management in a large-scale corporate environment.

Privilege access management protects the accounts that have administrative privileges and secures those in a secure and encrypted vault so that they are secured and protected. Not having the credentials "on the wire" is only one part of what the solution offers. If the credentials are exposed on the network, they can be exposed to various vulnerabilities and increase the attack surface areas.

Protecting privileged accounts reduces the attack surface area. It is estimated that around 70% to 80% of all compromises in cybersecurity are due to unauthorized privileged credential exposure, either by lateral movements or phishing attempts. By securing those accounts, we tackle a significant part of the problem. 

Additionally, knowing who, when, and how the privileged credential is being used via the reporting and analytics module allows visibility into a previously unknown area.