It's mainly for privilege management when you log in to any Windows system, so you'll be able to execute only what you have to and can.
Software Consultant at a financial services firm with 5,001-10,000 employees
Good user management and command control features
Pros and Cons
- "One of the valuable features is the absence of any local user in a unique system. All users are defined in the AD; communication is only between Unix and AD."
- "We use a program to automate all of this, but it's not a default feature of BeyondTrust Endpoint Privilege Management."
What is our primary use case?
How has it helped my organization?
Everyone in the company uses BeyondTrust Endpoint Privilege Management—about 3000 to 4000 in South Africa and another 1000 in the UK.
What is most valuable?
One of the valuable features is the absence of any local user in a unique system. All users are defined in the AD; communication is only between Unix and AD. When you log in, there are no local users on any unique system you access.
Another valuable feature is privilege management, where only the command steps needed to be executed are given to the user, and they cannot execute more than that.
What needs improvement?
There is always room for improvement. One thing that would be helpful is if it was easier to define which commands can be used. Currently, we use a program to automate all of this, but it's not a default feature of BeyondTrust Endpoint Privilege Management. It can be a bit more difficult if we're not using our own script. We have a script that checks the day from the AD group to see if any users have certain privileges, and we execute it to make any necessary changes. We've automated the process by creating our own script. We run it four times a day.
In a future release, I would like to see it easier to configure without adding all the scripts. It would be helpful if it had a user-friendly manual that allows you to change things easily. It would make BeyondTrust Endpoint Privilege Management a lot easier to use.
Buyer's Guide
BeyondTrust Endpoint Privilege Management
November 2024
Learn what your peers think about BeyondTrust Endpoint Privilege Management. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,406 professionals have used our research since 2012.
For how long have I used the solution?
I've been working with it for a long time. It's the latest version.
We started with AD Bridge about four years ago, only AD Bridge, and then we added the privilege management about two years after finishing the credit bridge.
What do I think about the stability of the solution?
I would rate stability a seven out of ten. Sometimes we lose the connection to the domain, but just the domain joins and resolves the problem.
What do I think about the scalability of the solution?
It is a scalable product. We have over 1000 systems that we scan every day. We check every day if the system is not there in full. If it has been more than twenty days, we take it out of the assets. If there is a new system, it will join the asset. We have a contract running four times a day that checks for all this. If there is a user that left the company and was deleted from the database, it's all automated.
How are customer service and support?
The customer service team is okay. I've had a few issues with them, but they were reasonable. However, I have one issue that has been ongoing for a year, and they have not been able to solve it yet. It could be a difficult issue, I'm not sure. I managed to resolve it myself with my own programs that check and solve it automatically, but it persists after over a year. They are unable to identify or replicate the problem.
How was the initial setup?
We need two to three people for solution administration. We have a big configuration and complicate it with the script that we are running. These scripts are very complicated, and it took us quite a few times to wind it to this case. But now that it is automated, we need half a person to do it. But in the beginning, we needed a lot of people.
And now that it is running and automated, every user has been added automatically without any intervention.
Before, we had a division where we had to add local users all over the systems. But now we are using BeyondTrust Endpoint Privilege Management. All are controlled by the privilege management, and we don't have so many problems.
What other advice do I have?
I suggest starting with AD Bridge and implementing it properly before installing the privilege management. Doing them together will be very difficult. First, enable the AD Bridge fully and make it available to all users, and then install Privilege Management.
I would rate it around eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Manager II, Cyber Operations at OPTIV
Manages the overall application life cycle and helps block unwanted applications
Pros and Cons
- "The solution's least privilege enforcement has helped us ensure access is given to only the required people."
- "How the accounts are presented in the solution's UI can be improved."
What is most valuable?
The solution's least privilege enforcement has helped us ensure access is given to only the required people.
What needs improvement?
Sometimes, it's difficult for other users to understand how accounts and servers are mapped, which is complex. How the accounts are presented in the solution's UI can be improved.
For how long have I used the solution?
I have been using BeyondTrust Endpoint Privilege Management for five to six years.
What do I think about the stability of the solution?
I rate the solution an eight out of ten for stability.
What do I think about the scalability of the solution?
I rate the solution an eight out of ten for scalability.
How was the initial setup?
I rate the solution an eight out of ten for its ease of deployment and integration with our infrastructure.
What's my experience with pricing, setup cost, and licensing?
On a scale from one to ten, where one is cheap and ten is expensive, I rate the solution's pricing a seven out of ten.
What other advice do I have?
The solution is doing a good job of enhancing the endpoint security posture by managing the overall application life cycle and helping us block unwanted applications. The solution's scanning feature helps identify the unmanaged accounts within the console itself. We do not have to do a DNA scan like CyberArk separately, which is a separate license.
The solution's least privilege enforcement has helped us ensure access is given to only the required people. It is easy to maintain the solution.
The solution helps identify the unmanaged accounts and then develop a plan for managing those transferred accounts, which were used as service accounts in multiple critical applications.
Users should have an in-house person to manage the environment. If they completely depend upon the vendors, they might be unable to do things at the right pace.
Overall, I rate the solution an eight out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PAM Architect at GCA
A stable, scalable, and easy-to-deploy solution that can track malicious use or send analytics to a host
Pros and Cons
- "What I liked about this solution is that it can also integrate for tracking malicious use or sending analytics to a host that can process them. I don't know if CyberArk, Centrify, or Thycotic can do that. The analytics was something the client really wanted, and they already had BeyondTrust. It is very scalable. The agent on the workstation is very thin, and the processing power required on a server is nothing out of the ordinary. It is also very stable and easy to deploy."
- "What's bothering me, which is true of all of them, is that sometimes, the error codes that come up don't necessarily get reflected in the searches within their support sites or they're out of date. I would rather search by an error code than type in the text and search for it by text because the error code means that it is programmatic, and it is known. It might not be desired, but it at least is not unexpected. If you don't have an error code, you just get an anomalous error, and if it is lengthy, it can be difficult to search and find the specific instance you're looking for. This is something I would like all of them to improve. BeyondTrust, CyberArk, Centrify, and Thycotic could do some improvements in staying up to date and actually allowing you to search based on the product version. They are assuming that everybody is on their way to release. They put out a new release, but it is not reflected on the support site, which makes no sense to me, especially when they revamp all the error codes. They all have been guilty of this in some way."
What is our primary use case?
We are an integrator, and we do a lot of Identity and Access Management and Privileged Identity. I am only just getting into this solution. I am not trained in it, but I've been reading about it. I have recommended it for a client based on their requirements and based on what I know about CyberArk versus a couple of others. I have not implemented it yet. I have the agent running on the system where I am actually profiled. I have its latest version.
In terms of use case, it primarily has two things, and you can choose whatever you want in the middle. One side is that you can use it to allow the user to have specific administrative rights and do certain things without having to call the help desk. For example, you can allow users to be able to install certain applications. You can also have a whitelist or a blacklist of things that they are allowed to install, which saves a boatload of money in calling the help desk. The other side is to rein in administrators so that they don't go too far or do something outside of the bounds. The help desk personnel would have different restrictions when they log into a workstation than regular users.
What is most valuable?
What I liked about this solution is that it can also integrate for tracking malicious use or sending analytics to a host that can process them. I don't know if CyberArk, Centrify, or Thycotic can do that. The analytics was something the client really wanted, and they already had BeyondTrust.
It is very scalable. The agent on the workstation is very thin, and the processing power required on a server is nothing out of the ordinary. It is also very stable and easy to deploy.
What needs improvement?
What's bothering me, which is true of all of them, is that sometimes, the error codes that come up don't necessarily get reflected in the searches within their support sites or they're out of date. I would rather search by an error code than type in the text and search for it by text because the error code means that it is programmatic, and it is known. It might not be desired, but it at least is not unexpected. If you don't have an error code, you just get an anomalous error, and if it is lengthy, it can be difficult to search and find the specific instance you're looking for. This is something I would like all of them to improve. BeyondTrust, CyberArk, Centrify, and Thycotic could do some improvements in staying up to date and actually allowing you to search based on the product version. They are assuming that everybody is on their way to release. They put out a new release, but it is not reflected on the support site, which makes no sense to me, especially when they revamp all the error codes. They all have been guilty of this in some way.
For how long have I used the solution?
I started using it about a month ago when I was doing the appraisal of it, and I put it on a virtual machine. Our work machine is a virtual machine.
What do I think about the stability of the solution?
It is very stable. I had worked on a competitor's product two years ago, and it was rather buggy. It had issues. Sometimes, it used to hang the machine. Because you're running an agent on the workstation, it could have a memory conflict or an application conflict. It doesn't happen anymore because you've got it pretty much running strictly in Windows.
What do I think about the scalability of the solution?
It is very scalable.
How are customer service and technical support?
I used their email support, which is very good.
Which solution did I use previously and why did I switch?
I didn't switch the client to this one. I recommended this one because it stays under the BeyondTrust umbrella. It also helped them in getting a discount for volume and being a loyal customer and things like that. They also didn't have to add new infrastructure.
CyberArk is a very good product, and I like it. I've been trained in it, but I have not implemented it. I am not going to ask the customer to install another infrastructure or another platform, especially when the products are fairly equal or equal enough to not be an issue to put on a table. If I had recommended CyberArk, they would have to put in a CyberArk infrastructure and retrain a whole bunch of administrators to administer that. They would also have to train a whole bunch of support people to manage off-hours, holidays, weekends, and things like that. Every time you add another brand, it adds to your soft costs, which can make a solution pretty expensive.
Hard costs are so much fun, and they're much easier. I've seen people get up and just start writing on a dry erase board because they know all the hard costs. It would be good if they would just be honest with themselves and the clients and explain what some of the soft costs are in terms of additional training or a more significant hardware footprint.
How was the initial setup?
It is pretty straightforward to get the agent installed. You install the agent and the server component, and you let the users do whatever they've been doing for the last 10 or 20 years of their life. You also create profiles. For example, I had a developer profile for both Windows and Linux, and I had a profile for a regular user, help desk, and engineering. After you create profiles, an administrator can look at their activities in the log and analyze things like the following:
- Why did he install CCleaner on the machine?
- Why did he install this application?
- Why did he elevate a command prompt to do something? What is he doing?
- Why does he need administrator command prompts?
You can then add things like this to your blacklist, and you can create a profile that will allow or disallow that.
What other advice do I have?
I would rate BeyondTrust Endpoint Privilege Management a nine out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Sr Platform Engineer at a construction company with 10,001+ employees
Elevation rules reduce the number of users in administrator groups.
What is most valuable?
It elevates the user to perform admin tasks without the user being a part of an administrator group.
PowerBroker allows elevation of required actions or applications and eliminates the need for users to have full administrative access. There are immense security and administrative benefits associated with removing users' administrative access on the workstation.
PowerBroker allows the elevation of certain actions based on different whitelisting abilities. This can range from restarting services, installing software and allowing applications that require administrative privileges to run.
It is very similar to the UAC components built into Windows but gives us a lot more control surrounding the elevation.
How has it helped my organization?
Previously, all users were in the administrator group of their machines. Since PowerBroker elevates the user, we can remove the users from the administrator group. Thus, the machines become less vulnerable to attacks.
What needs improvement?
Improve the ActiveX rule for websites.
For how long have I used the solution?
I have used this product for almost a year.
What do I think about the stability of the solution?
The software sometimes uses a lot of memory.
What do I think about the scalability of the solution?
We have not had any scalability issues.
How are customer service and technical support?
Technical support is mostly good.
Which solution did I use previously and why did I switch?
We didn’t use any previous solutions.
How was the initial setup?
It's a straightforward setup.
What's my experience with pricing, setup cost, and licensing?
Price seems to be a little on the higher side.
Which other solutions did I evaluate?
We evaluated Avecto.
What other advice do I have?
Make use of Polmon and the BeyondTrust reporting console to create the elevation rules.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
System Administrator at MOI
Has good stability, but its customization features need improvement
Pros and Cons
- "The solution's technical support is good."
- "Its feature for establishing workflows needs improvement."
What is our primary use case?
We are using the solution to access the servers remotely.
What is most valuable?
The solution's most valuable feature is its ability to publish the application remotely instead of logging into the server. You can just run the software from the remote server.
What needs improvement?
The solution's features for customizing access for the engineers, creating forms, and establishing workflows need improvement. Also, they should provide integration with VDI solutions. It would be great to run it from the Citrix Storefront or VMware Horizon.
For how long have I used the solution?
I have been using the solution for three years.
What do I think about the stability of the solution?
The solution is stable.
How are customer service and support?
The solution's technical support is good.
How would you rate customer service and support?
Positive
How was the initial setup?
The solution is easy to deploy. However, it is complex in terms of configuration and customization. The process takes nearly two weeks to complete.
What about the implementation team?
We implemented the solution with the help of two or three executives and an integrator.
What's my experience with pricing, setup cost, and licensing?
The solution's pricing is high.
What other advice do I have?
The solution's enterprise features align precisely with our organizational focus. I advise others to evaluate it and compare, considering the variations in each environment.
Overall, I rate it seven out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Solutions Architect at a tech services company with 10,001+ employees
Straightforward, competitive price, and easy to deploy
Pros and Cons
- "It is straightforward. It is a good technology, and it is made to do one single thing."
- "They are doing good for now, but they should start to consider tight integration with Mac solutions. There should be more integration with Mac. There should be Active Directory (AD) Bridging. Thycotic and Centrify have it currently because they merged and joined forces, and it was a feature available in Centrify. So, basically, they joined forces to create a kind of perfect product. If you have a hybrid or mixed environment with Windows and Mac, your Active Directory can only manage or enforce policies on Windows, but what about your Mac devices? How do you control them? So, AD Bridging will act as a bridge to bring all your Mac devices into your Active Directory. This way you have full control over your entire environment."
What is most valuable?
It is straightforward. It is a good technology, and it is made to do one single thing.
What needs improvement?
They are doing good for now, but they should start to consider tight integration with Mac solutions. There should be more integration with Mac. There should be Active Directory (AD) Bridging. Thycotic and Centrify have it currently because they merged and joined forces, and it was a feature available in Centrify. So, basically, they joined forces to create a kind of perfect product. If you have a hybrid or mixed environment with Windows and Mac, your Active Directory can only manage or enforce policies on Windows, but what about your Mac devices? How do you control them? So, AD Bridging will act as a bridge to bring all your Mac devices into your Active Directory. This way you have full control over your entire environment.
For how long have I used the solution?
I have been selling this solution for three years.
What do I think about the stability of the solution?
It is stable.
What do I think about the scalability of the solution?
It is scalable.
How are customer service and support?
I never had a problem for which I needed their technical support. The product is simple and easy to use. Our team is also capable of solving all the problems.
How was the initial setup?
It is easy to deploy. The deployment duration depends on how many servers or routers you have, what kind of IT stuff you need to grant access to, and how much stuff you have. I am referring to the entire environment with all the customers and all the users. If you have five routers, five firewalls, it might take up to two to three days to deploy the entire solution. It also depends on the number of administrators you have.
What's my experience with pricing, setup cost, and licensing?
Price-wise, it is very competitive. In our area, government entities and banks don't go for the monthly payment. It is a headache even for us in terms of finance and procurement to go for monthly payments. Quarterly might be more logical and reasonable, but the minimum that we go for is one year, and sometimes, we even try to compile and give one offering for three years.
What other advice do I have?
It is mainly deployed on-prem. About 95% of the sales that I do are on-prem solutions. That's because we're talking about security.
It is a good technology. I would definitely recommend this solution. I would never sell it if I can't recommend it. I would give it an eight out of 10.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer:
Windows Enterprise Engineer at a comms service provider with 1,001-5,000 employees
Stable, flexible, and offers good technical support
Pros and Cons
- "Technical support is good."
- "If you don't get the implementation right at the outset, you will struggle with the product."
What is our primary use case?
The primary reason for BeyondTrust was so that one administrator could use their password to log on to our server. The second reason was, we needed to use BeyondTrust to form some level of sharing. It's my understanding that Microsoft has this and we have this challenge of having a tier one and tier two. We wanted to do a structure like that.
What is most valuable?
The solution can do so much. It's quite flexible.
It's a great tool.
It's nice to have admission tools without having to remember the password. You just have to click on whatever you need to do and you get temporary access.
The product is stable.
Technical support is good.
What needs improvement?
We have installed BeyondTrust; however, it's not working as-is. There are two domains, and there's a trust between those two domains; however, just one of the domains is working. We've not been able to set it up such that we're able to use the second domain as well. Unfortunately for us, that second domain is a valuable domain; it's very critical.
BeyondTrust is trying to find a way to do it, however, we do not need it for some time. It's working at least, however, there are some times where it just freezes out. We have to fall back on RDP to do BeyondTrust. That was part of the reason I was doing the comparison between BeyondTrust and Broadcom - to see if there was a way to resolve this.
The implementation process could be better. It's not as vast as we would like it to be.
If you don't get the implementation right at the outset, you will struggle with the product.
What do I think about the stability of the solution?
For the most part, the stability is good. There are no bugs or glitches. It doesn't crash or freeze. It's reliable.
What do I think about the scalability of the solution?
We are actually working on scaling the solution currently. My understanding is that it is possible, and part of our plans, however, I can't speak to how easy it is to scale, or how much you can actually expand it.
How are customer service and technical support?
I haven't really dealt with technical support. I recall the team having to reach out during implementation and, as I recall, they were helpful and responsive and our team was satisfied with the level of support.
How was the initial setup?
The initial setup can be tricky in that, if you get the implementation wrong, it will affect everything and won't work as it is supposed to.
That said, I was not a part of the implementation team, and therefore cannot discuss specifics. I can say that the deployment took some time, however.
What's my experience with pricing, setup cost, and licensing?
It's my understanding that we have a license that is paid monthly.
I don't have a view of the exact costs the company pays. It's not an aspect of the solution I deal with. Our management team deals directly with them.
Which other solutions did I evaluate?
I've looked into Broadcom to see if it could resolve some issues we were having under this product.
What other advice do I have?
We are a customer and an end-user.
I'm not sure which version of the solution we're on right now. I cannot speak to the exact version number we are using.
I would definitely recommend the product to other companies and users. For us, it's a very important organizational tool.
Overall, I would rate it at an eight out of ten. We're mostly quite satisfied with its capabilities.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Engineer at Dig8Labs
Provides our clients with Session Management and state-of-the-art Password Management
Pros and Cons
- "I'm a BeyondTrust partner and I have multiple deployments, four or five banks right now. The features that give us quite an edge compared to what our competitors are offering - like IBM or Thycotic - are the Session Management, that is quite a big one; also the recording of keystrokes. In addition, there is the password vaulting and state-of-the-art Password Management, which I haven't seen in other products."
What is our primary use case?
There are multiple use cases for this solution. There is the auto-discovery option for PowerBroker Password Safe, which can discover all the local accounts on any of Windows, Linux, or Unix. It can work with Active Directory and onboard Active Directory accounts automatically, if the correct credentials have been provided for AD. When it comes to databases, it also governs and controls all of them. It can integrate with Oracle Database, SQL, Oracle Linux, or other database environments.
What is most valuable?
I'm a BeyondTrust partner and I have multiple deployments, four or five banks right now. The features that give us quite an edge compared to what our competitors are offering - like IBM or Thycotic - are the Session Management, that is quite a big one; also the recording of keystrokes. In addition, there is the password vaulting and state-of-the-art Password Management, which I haven't seen in other products.
It also provides a granular approach through the Management Console and manages all the operations "from the inside out". It is easy to explain and easy to manage.
What needs improvement?
If you are specifically dedicated to Privileged Access Management, the definitions are a bit unclear throughout the world. I have been in contact with engineers around the world, in Canada, the U.S., and the U.K. as well. Everyone has quite a different definition for Privileged Access Management or Identity Access Management or Identity Management.
Because of the definition of PAM, I don't think they can provide anything in addition to what has been defined. If you want to include anything else in this product, it will deviate from the boundaries of PAM.
For how long have I used the solution?
Three to five years.
What do I think about the stability of the solution?
I have not encountered issues with the stability.
There are slight hiccups but they are based on the configuration details of the appliances, as done by the clients. If you are talking about the application or the features it provides, I don't think there are any hiccups with BeyondTrust.
I have worked on competitive products as well. IBM and Thycotic are lightweight applications utilizing limited resources and providing proportionate results. I don't think anyone can compete with BeyondTrust.
How are customer service and technical support?
The response time and the responsiveness, the level of support that they provide, is tremendous.
I have worked on the scene, I have worked on firewalls as well as on multiple security products, but the support from BeyondTrust is highly efficient, from a highly experienced technical staff. The level at which they provide support, the dedication as well as the expertise they have, is among the best I have seen.
Which solution did I use previously and why did I switch?
I have utilized OpenAM SSO, as a single sign-on. That was a Canadian product. It was an open-source solution. But I am happier with BeyondTrust. About 95 percent of use cases are handled by BeyondTrust. Whether you're talking about a bank or a telco, whatever their requirements are, they can be met by the PAM. When it comes to the PAM, I don't think that any application can compete with BeyondTrust, except for the financial issue that has been recently affected by the change in the licensing model.
How was the initial setup?
The initial setup is straightforward; the way that they provide the UVMs, and the whole package when it comes to deployment. What they do is provide you a complete setup package. Everything in there is preconfigured, so all you have to do is to provide the basic IP addresses and other stuff and that's it.
What's my experience with pricing, setup cost, and licensing?
What BeyondTrust was providing was user-based licensing which was a great benefit from the client point of view. Recently, I don't know why, the licensing model has been changed, and that is the reason that they have lost a bit of their edge when it comes to the PAM, against our competition.
The asset-based licensing, from the user's point of view, is not beneficial. The licensing should be based on the users. The greater the number of users, the greater will be the load and the greater the scalability problems. I presume that is why the licensing model has changed.
Which other solutions did I evaluate?
My company first chose the IBM Identity Manager suite. Later on, we surveyed the market and the needs and requirements of the clients. We thought the IBM solution was utilizing too many resources to achieve a very limited goal. The requirements are related to PAM, but they were employing IM.
What other advice do I have?
I would rate BeyondTrust at eight out of 10. It's not a 10 because the scalability and licensing have impacted us a lot. Of the two points that I have deducted: One is the non-flexibility on the pricing and one is the licensing model. When you launch a product in several markets like the European market, the Asian market, or the Russian market, you have to be very flexible when it comes to the pricing.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.