BeyondTrust Endpoint Privilege Management Reviews

There are three components for BeyondTrust. Password Safe is where we privilege the accounts like server accounts, domain accounts, local accounts, or custom third-party applications. We use the application to monitor and fix the recordings of third-party applications. You can also use it for Cisco integrations and multi-factor authentication.

I find the solution’s features like section management, password management, and analytics valuable.

There are three types of endpoints. If we need to use them in the solution, then we need to purchase the licenses separately. The tool needs to improve its licensing.

I have been using the solution for four and a half years.

The solution is stable.

The solution is scalable. There are around 10,000 users for the solution in our organization.

The tool’s setup is straightforward compared to other products. The solution’s deployment depends on remote databases. We should also install a challenge-response code. For Password Safe, we need to install the EPM database, challenge-response code, etc.

The product’s licensing is different for Windows, Linux, and Mac. The tool’s licensing is yearly.

I would rate the solution an eight out of ten. You can deploy the solution to Azure, AWS, or on-premises. This solution will be very helpful for organizations for security purposes. The tool is very user-friendly. The solution’s graphic user interface is also very easy compared to other products.

Its use cases are mostly around all the 65,000 endpoints. The use cases are mostly for privileged access and the application control across all endpoints throughout the organization to make sure we have the least privileged model with zero-trust enabled at the endpoints.

We started with on-prem, but now, we've moved to the SaaS cloud.

It has helped in multiple ways. We have more than 30 years of legacy of having local admins on our endpoints. With this solution, we have removed the local admins from the users. Now, we are giving them privileges on their machine only for the applications and not for everything. It has reduced the unwanted risk and increased the security posture. 

It also helps with some robotic process automation. It helps with certain actions that we have been engaged in for certain RPA-type behaviors.

We are able to increase the security by blocking a lot of applications, such as encrypted chat applications and blacklisted applications. Data exfiltration is a big concern in our company, and this solution helps us to tighten up those controls in many different ways. We are able to control the access.

The privileged access and the application control are helpful in making sure we have good, robust challenge responses. Blacklisting with trusted application protection is also beneficial for us.

Reporting analytics is one of the areas that can be improved. It is a new cloud-based solution. So, many more specific reports can come out natively. Currently, we get all the events, and we put them in plug-ins. From there, we generate our own design of reports. If there is a much more solid or robust reporting analytics framework within the product itself, it would be helpful.

One of the requirements that I've already expressed is that they can unify the clients. We have got two clients: one for the iC3 adapter and one for the Defendpoint client itself within the EPM product. iC3 is used for connection to the SaaS or cloud, and Defendpoint is the actual product that does all the local admin privilege management. They can just unify them. 

We've probably been using this solution for three years.

In the on-premise version, stability is okay. However, it takes time to sync up policies. That's because it depends on the environment that you have. From the Active Directory perspective, it depends on how the group policies are going to be advertised back to the endpoints. So, there was some delay, but it was completely because of our environment. 

In the cloud version, the deployments are pretty quick. Policies get deployed pretty quickly. Overall, the cloud experience has been good. However, because it's a SaaS service in the cloud, we often have to reach out to the BeyondTrust team to make sure that our backend compute, which is not visible to us, is completely solid. The databases, servers, and other things are running in the cloud, and they're properly, adequately beefed up to have the right resources because we don't have visibility on that. With on-prem, we know how much compute, memory, or CPU cores we are putting to the servers at the backend. On the SaaS cloud compute, we don't know that. The initial few registrations took a toll. It was because BeyondTrust was also trying to figure out the volume of traffic that was coming their way. It took a while to baseline the compute configuration at their end, but once it was all figured out and resolved, the performance has been fairly consistent.

The solution is scalable to the level of security posture that we wanted to deploy in our environment. From a scalability perspective, we are pretty good with the way we have used the product so far.

Their support line is good. They're familiar with the product, and they have expertise with the product. So far, any tickets raised by my team have been dealt with fairly with the right solutions. I would give them an eight out of 10 because there is always room for improvement. There are instances where you expect a solution to come faster with more accurate details. There are always back and forth conversations, until and unless you figure out the final solution.

We didn't use any other solution previously. This was the first time we were trying to do an endpoint privilege management solution. 

It was a straightforward process. We were on-premise. We were using group policies to manage this whole EPM solution, and it was easy to move to the cloud. Wherever you have agent-based deployments, there is always a little bit of complication, but we were able to make it work.

On-prem deployment took almost three to four months. We had a very large and wide-scale environment. A lot of legacies were also built-in, so it took a while to build the policies around, get the local admins out from the endpoints, and take over with Defendpoint or the BeyondTrust EPM solution.

The migration to the cloud was pretty good. It wasn't that bad. When we had it on-prem, it was a single client. When we had to go to the cloud, two clients were needed. One was the iC3 web adapter that makes a connection to the SaaS cloud, and the second one was the existing Defendpoint client. Having an extra client adapter needed a little bit more packaging on the endpoint side, which added a little bit more to the transition to the cloud. Policy-wise, everything was straightforward.

We did it by ourselves. In the initial deployment, it was a team of six or seven people. They came from different groups. We had group policy administrators, Windows administrators, and security administrators from my team. There was also the endpoint provisioning team that does the packaging work.

In the cloud migration, the same team was there, but we didn't have the Windows team and the admin team. That's because they weren't required from a group policy perspective. It mostly had security administrators. The packaging team was also very important. We also have a test team that does the validation from a testing perspective across a variety of endpoints in different regions. So, there were around six or seven people during the cloud migration.

We have definitely been getting an ROI, and we want to maximize that ROI. We have a zero-trust adoption process going on continuously for the next two to three years, so we are trying to maximize the ROI. We haven't yet got the full ROI, and we will try to maximize the ROI from the product going forward.

Its pricing and licensing are okay. We were in the perpetual model when it was on-prem, and now, with the SaaS service, we have a subscription model. As a customer, I would always like to see a lower price, but it seems to be priced at the right model currently, and we are trying to get the maximum benefits out of it.

In addition to their standard licensing fees, there is just the internal infrastructure cost for the license, indexing, etc. There is nothing additional from any other components that we use for the job. These are the resources for managing the solution at our end.

We did take a look at several other products, but we finalized on BeyondTrust. We looked at some of the Microsoft solutions, and we also looked at some of the CyberArk solutions to do a comparison. What was more interesting with BeyondTrust was the flexibility in the policies. The clarity in the policy writing was a little better, and the deployment of the solution was easier. The overall product simplicity was fairly okay. When you're going from a hardcore local admin to a zero local admin stage, simplicity in the product is extremely important. So, simplicity and flexibility were the key factors.

I would advise going for the cloud-based solution. The cloud-based solution has come a long way from its initial stage. 

It is a very simplified solution. Their licenses are very straightforward, simple, and accommodating. The support has been really good, and their flexible policy model has really been instrumental in going for a stage-by-stage approach. You don't have to go all the way to impact your environment from day one. You can define your policies using their quick policy wizard and other processes to simplify your environment. You should proceed step-by-step to get rid of the local admin and the environment. Evaluation with their simplistic and flexible model is going to make it much easier and faster for you to pick up the solution.

I would rate it a nine out of 10. There is always a scope for improvement.

I find the comprehensive Privilege Access Management features valuable, including automation, and the ability to integrate with applications and the Windows operating system.

The weaknesses are related to the effort required to migrate from existing technologies or having no Privilege Access Management (PAM) at all to adopting technologies like BeyondTrust. It involves changes in processes and can take a significant amount of time, typically six to twelve months.

I have been with this solution for about ten years. In my current company, my customers are using it. In my previous company, I was the actual customer.

It has been stable.

It is a scalable solution. I would recommend it for both smaller and larger companies.

The customer service and support were always very good. When I was a customer, we had a systems integrator partner who handled technical issues, and they were skilled and knowledgeable about the technology. As long as you have good support either from BeyondTrust or a capable systems integrator, it should work smoothly. Everything is fine from a speed of response perspective.

Positive

I was using CyberArk. While both products achieve the same goal, they differ significantly in their architectures and how they integrate with applications. It's challenging to make a direct comparison, but they essentially do the same things.  

Apart from pricing considerations, BeyondTrust is a newer product, and therefore it's more agile and has a more solid approach.

CyberArk is obviously the more mature market leader in the PAM space. They have a lot more experience and a larger pool of people with CyberArk skills in the marketplace. So if you are looking for a more mature product, then CyberArk would probably be the better choice.

The complexity of the initial setup depends on the organization it's applied to. If an organization has a complex IT environment with multiple applications or legacy systems, it can be quite complex. However, if an organization mostly uses cloud-based applications, it's relatively straightforward.

The PAM market overall is quite highly priced. It's a necessary expense, but both BeyondTrust and CyberArk are on the expensive side.

Make sure you have a thorough understanding of your environment, assets, and applications before considering any product like BeyondTrust or CyberArk. If you don't understand your assets and the applications you're trying to protect, you may encounter issues.

Overall, I would rate the solution an eight out of ten. To push it to a ten, improvements in pricing and easier integration into legacy applications would be beneficial.

We use it primarily for Jamf Pro. Most of our users who use Jamf Pro are on Mac. We work on artificial intelligence and machine learning, specifically for the military and healthcare sectors. We have developers and many DevOps professionals who use MacBooks. We manage Jamf Connect and Jamf Pro, and since developers need admin access on their MacBooks to execute code and perform coding tasks, we can't give full admin access to everyone in the company. 

We use EPM (Endpoint Privilege Management) as the agent, which communicates with the server and is deployed on the machines. The agent follows specific rules defined on the server. Users on Mac can only use these 100 specified commands. Anything beyond those commands won't work. 

We provide limited privileges, such as changing Wi-Fi or network settings, but users cannot create admin accounts on the machine. However, as an administrator, I can create admin accounts using EPM. But we have restricted that option in APM (Application Privilege Management). If you have admin access, you can create an admin account, but it will automatically be downgraded to a standard account. These are the situations we have implemented using EPM.

The most valuable features are the development tools. We use them for coding, such as VS Code, iTerm, and Brew. These activities often require sudo access to execute the code. So, we have granted sudo access to standard users through EPM.

BeyondTrust EPM is a very complicated tool. When I started using it, I struggled for six months just to configure it. It's not straightforward and requires more improvements, especially in the console. Currently, there is no console option available in BeyondTrust Endpoint Privilege Management. In comparison, other tools offer a simple certificate management system in Windows Server. I'm not familiar with Linux since we primarily use Windows. In Windows, we just open the console for application management. We open a browser, log in, and access the console interface.

However, with BeyondTrust Endpoint Privilege Management, it's different. It's a certificate-based tool where you have to double-click the certificate to bring up the user interface. Unfortunately, the user interface (UI) is very ugly. But when it comes to the tool's features, they are awesome. The tool's features are awesome.

The only drawback is they need to improve the UI. They should have the option to access a console and report. Yes, the reporting is also very bad. Let's say I want to export a file from BeyondTrust EPM to see how many devices we have given admin access to with high or medium flexibility; I cannot export that information. I cannot export. I always take screenshots. There should be an option to simply click "export" and have an Excel file. So, those improvements are required in the UI. 

Since BeyondTrust is not used by many companies, there are very few companies that use this product, and it's also very expensive by the way. It was very expensive.

Moreover, they should have a good portal, like Jamf has Jamf Nation. If you have any issues, you can find help there. But with BeyondTrust, since very few people are using it, there is no community to help each other.

And on top of that, it's a very complicated tool to implement. These are the things that, in my opinion, they need to improve. But when it comes to the features, whatever you are paying for, you are getting your money's worth.

We have been using BeyondTrust Privilege Management for two years. I first used it at my previous company. We are using version 2.12.

Stability is good. 

Scalability is good. I would rate the scalability a nine out of ten. There are around 600 users in our organization using BeyondTrust. I can say around 50% of total users are using BeyondTrust Endpoint Privilege Management.

The initial setup was very difficult. Even if you are an expert in EPM, it is still very difficult. It's not straightforward like Jamf.

The deployment was done in-house. Moreover, it will take time, actually. Let's say you are an expert. Maybe it will take months or two months to deploy.

I would advise if you're using BeyondTrust Endpoint Privilege Management for the first time, seek professional services directly from BeyondTrust, not from a vendor or supplier role. Take professional services directly from BeyondTrust EPM.

Overall, I would rate the solution an eight out of ten because I'm also missing something on the pricing side. I'm missing something on the configuration side. Those things are missing.

I was part of the project, I collaborated with a Privileged Access Management consultant and incorporated it with their existing password safe from BeyondTrust. This allowed for a comprehensive approach to security within the designated area of focus.

When it comes to FSO security, a prevalent objective is the removal of admin rights for users and many security teams aim to transition users from admin to standard status, even while ensuring the seamless operation of critical business applications. Challenges arise as some users find it difficult to complete their tasks without admin rights. Avecto Defendpoint addresses this by allowing specific business applications to run with elevated privileges through the Advantage Token. Striking a balance, it empowers users in standard mode to run essential business applications with the necessary admin rights, while maintaining a secure posture.

The notable aspect is its ability to capture the application's behavior comprehensively and this thorough analysis is crucial for effective policy management. During troubleshooting, the event capture feature, known as PG capture, proves invaluable. By leveraging this functionality, administrators can quickly identify processes through Windows Event Viewer. The obtained insights from these events can be utilized for immediate problem resolution. Furthermore, the reporting feature facilitates the seamless addition of policies based on the gathered information, making it a standout and practical feature. In the event of attackers attempting to execute malicious files that require admin privileges, it intervenes at the initial stage, blocking such attempts outright. The incorporation of a chat feature and the adoption of BeyondTrust's Trusted Application Protection further enhance security measures. Organizations often opt for implementing policies from this application suite, safeguarding fundamental applications like Office, Adobe, and browsers.

When working with the on-premises installation, the reporting process posed challenges, requiring the installation of SQL. The differences between EPO reports and the reporting console were observed, prompting a desire for equivalence, especially in specific report types critical to customer evaluation. Aligning these features across platforms would enhance the overall reporting consistency and user experience. A valuable enhancement could be the capability to deploy agents directly through the console. While it might not currently fall within the scope of the product, having the ability to uninstall or install agents seamlessly through the console would be a beneficial feature.

I have been using it for six years.

It is notably stable, especially evident through its tamper protection feature. Even attempts to tamper with the product, such as through registry settings, proved unsuccessful in our testing, attesting to its robustness.

The ability to seamlessly uninstall or install agents through the console would be highly advantageous. Presently, dependency on SSE for scalability and deployment tasks involves setting up groups and pushing tasks to endpoints, including the configuration of policies for certificates.

Their support was excellent, providing valuable responses within a few hours. However, during the transition period, typical of major changes, responsiveness slightly declined, taking a day or two to receive a response. Fortunately, things have improved, and we now receive prompt responses.

CyberArk is a significant rival, offering a multitude of features, some of which may not necessarily align with the fundamental needs of the customers. Avecto Defendpoint, on the other hand, caters to the precise requirements articulated by the customers. This thorough comparison involves not only feature sets but also financial considerations and other pertinent aspects.

The initial setup is straightforward, requiring the fulfillment of certain prerequisites. This includes setting up ports and, if opting for reporting through SQL, configuring the SQL server along with the necessary accounts. When all these prerequisites are in place, the implementation process is smooth and not overly complicated.

The process involves several steps, starting with initial discussions to understand the existing infrastructure and identifying the necessary knowledge about the current state. Subsequently, approvals need to be obtained from relevant workflow departments based on the proposed changes. Once the groundwork is established, the next phase entails getting the servers up and running for it. The decision-making process then extends to choosing the appropriate deployment model, whether on-premises or in the cloud. For customers with the Password Safe, considerations regarding the Password Safe console come into play. This comprehensive approach ensures a thorough understanding of the client's requirements before making informed decisions about the deployment. Our process typically involves progressing from Proof of Concepts to real-time production deployment. The entire timeline for this transition spans approximately three months.

By consistently reviewing and adjusting policies, and implementing stringent measures, this product can provide enhanced security, ensuring a substantial return on investment.

It is relatively more cost-effective compared to the competing product.

When evaluating this product, it's more effective to base the assessment on your specific use cases rather than comparing it to other products. If the product aligns with ninety percent of your use cases and meets your needs, it would strongly indicate that proceeding with this product is a favorable choice. Overall, I would rate it eight out of ten.

There are three use cases that you can target. The first use case is the fact that some of your users may need admin rights for launching custom applications, such as Visual Studio, or they may want to install something on their machine on their own, or they may want to start, stop some services, change maybe system font, if the need arises, or install a custom font or change the driver, update the driver. Also, instead of giving full blanket admin rights, we can give selective admin rights using EPM in order to protect the company and the infrastructure from abuse. This is the first major use case.

The second use case is where we implement application blacklisting and whitelisting. If I don't want Adobe applications to run within my company, I can create a policy around that. Or, for example, if I have Adobe licenses, and those are only valid for version two to version three. Anything below two, I don't own and anything above three, I am not allowed to upgrade. Therefore, whitelisting based on version control also can be implemented. 

The third use case, which not popular in my region, is where cyberattacks can be mitigated or zero-day attacks can be mitigated, by making sure we whitelist only the browser and only Outlook. If the browser tries to invoke a script or if Outlook launches say Excel or PDF as an attachment, and from there, if a script tries to launch, we will be able to block it. Therefore, making sure that the entry point of the malware itself is blocked is possible. That said, having said that, it has zero intelligence in checking whether the script is legitimate or bad. It's going to block everything. It blocks all and later you can enable it, if the need arises.

The solution can scale.

It's relatively straightforward to set up, especially if you are deploying to the cloud.

Technical support has gotten more responsive.

At the moment, they don't support Linux. For this EPM, they have a different product for EPM, for Linux.

The same company needs two different products for EPM. One works with Windows and Mac and the other solution is mainly created for Linux. They can try to merge these two and make one product. That would be an improvement. Being a policy administrator, I have to create, or maybe monitor, two different admin consoles for the policy due to the separation between the OS.

They have a troubleshooting utility or a quick start utility, a quick start policy. They need to come up with better integrative options which should be customer-centric. At the moment, it is from their point of view. A quick start policy is something that helps customers to remove admin rights on day one.

I've been dealing with the solution for the last eight years. 

The solution is definitely stable. That's why within the last eight years, we are able to satisfy the most demanding customers in the world. It supports 10 users. It supports 10,000 users or even 100,000 users. It's scalable.

I'm not sure how many people collectively are using it in our company. I happen to have one specific area within my control. There are other technicians who will be implementing this from my own company.

I've used technical support in the past. 

The product was initially developed by Avecto. Then BeyondTrust purchased that company and they both merged together. Initially, the team was quite small. The company itself was small, and its support was not that good, in terms of response time. However, when they used to come online, their technical expertise was at par. It was way beyond our expectations. The only trouble was to bring them on a call, as the company was slightly small.

Fast forward six years, seven years. Now, the strength of BeyondTrust being a larger organization, we have better access to the technical team. Today, we raise a support ticket and someone will definitely assist by tomorrow. That's progress.

However, technical expertise becomes a challenge sometimes. Not always. Just sometimes. Any big organization will not assign an L3 person on day one. That's the architecture problem. Not the company's problem.

I may scream at the top of my lungs that I don't think this is something that an L1 can handle and they will not believe me. They would like to go through L1, and L2 and then eventually reach L3. That's the only issue with any big organization. It's an architectural problem. 

The ease of deployment depends on your requirement and your setup. If you are handling the cloud, then it's fairly easy. You simply download the agent and install the agent. The reporting is inbuilt. Policy management is inbuilt. If you consider other deployments, there is some friction, depending on the architecture.

The licensing is paid on a yearly basis. I can't speak, however, to the actual cost of the solution.

We are a partner and we sell and support this EPM solution to other customers.

We use both cloud and on-premises deployment options. 

I'd suggest new users go slow. Instead of going bold. It's a powerful solution. If I create a beautiful policy, the product will behave beautifully. However, if I create an ugly policy, the product will show its ugly face to you, as it's just a brainless bull running around. You have to give it a direction. Otherwise, it can harm you. 

Overall, I would rate the solution an eight out of ten.

We are an integrator, and we do a lot of Identity and Access Management and Privileged Identity. I am only just getting into this solution. I am not trained in it, but I've been reading about it. I have recommended it for a client based on their requirements and based on what I know about CyberArk versus a couple of others. I have not implemented it yet. I have the agent running on the system where I am actually profiled. I have its latest version.

In terms of use case, it primarily has two things, and you can choose whatever you want in the middle. One side is that you can use it to allow the user to have specific administrative rights and do certain things without having to call the help desk. For example, you can allow users to be able to install certain applications. You can also have a whitelist or a blacklist of things that they are allowed to install, which saves a boatload of money in calling the help desk. The other side is to rein in administrators so that they don't go too far or do something outside of the bounds. The help desk personnel would have different restrictions when they log into a workstation than regular users.

What I liked about this solution is that it can also integrate for tracking malicious use or sending analytics to a host that can process them. I don't know if CyberArk, Centrify, or Thycotic can do that. The analytics was something the client really wanted, and they already had BeyondTrust. 

It is very scalable. The agent on the workstation is very thin, and the processing power required on a server is nothing out of the ordinary. It is also very stable and easy to deploy.

What's bothering me, which is true of all of them, is that sometimes, the error codes that come up don't necessarily get reflected in the searches within their support sites or they're out of date. I would rather search by an error code than type in the text and search for it by text because the error code means that it is programmatic, and it is known. It might not be desired, but it at least is not unexpected. If you don't have an error code, you just get an anomalous error, and if it is lengthy, it can be difficult to search and find the specific instance you're looking for. This is something I would like all of them to improve. BeyondTrust, CyberArk, Centrify, and Thycotic could do some improvements in staying up to date and actually allowing you to search based on the product version. They are assuming that everybody is on their way to release. They put out a new release, but it is not reflected on the support site, which makes no sense to me, especially when they revamp all the error codes. They all have been guilty of this in some way.

I started using it about a month ago when I was doing the appraisal of it, and I put it on a virtual machine. Our work machine is a virtual machine.

It is very stable. I had worked on a competitor's product two years ago, and it was rather buggy. It had issues. Sometimes, it used to hang the machine. Because you're running an agent on the workstation, it could have a memory conflict or an application conflict. It doesn't happen anymore because you've got it pretty much running strictly in Windows.

It is very scalable. 

I used their email support, which is very good.

I didn't switch the client to this one. I recommended this one because it stays under the BeyondTrust umbrella. It also helped them in getting a discount for volume and being a loyal customer and things like that. They also didn't have to add new infrastructure. 

CyberArk is a very good product, and I like it. I've been trained in it, but I have not implemented it. I am not going to ask the customer to install another infrastructure or another platform, especially when the products are fairly equal or equal enough to not be an issue to put on a table. If I had recommended CyberArk, they would have to put in a CyberArk infrastructure and retrain a whole bunch of administrators to administer that. They would also have to train a whole bunch of support people to manage off-hours, holidays, weekends, and things like that. Every time you add another brand, it adds to your soft costs, which can make a solution pretty expensive.

Hard costs are so much fun, and they're much easier. I've seen people get up and just start writing on a dry erase board because they know all the hard costs. It would be good if they would just be honest with themselves and the clients and explain what some of the soft costs are in terms of additional training or a more significant hardware footprint.

It is pretty straightforward to get the agent installed. You install the agent and the server component, and you let the users do whatever they've been doing for the last 10 or 20 years of their life. You also create profiles. For example, I had a developer profile for both Windows and Linux, and I had a profile for a regular user, help desk, and engineering. After you create profiles, an administrator can look at their activities in the log and analyze things like the following:

• Why did he install CCleaner on the machine?
• Why did he install this application?
• Why did he elevate a command prompt to do something? What is he doing?
• Why does he need administrator command prompts?

You can then add things like this to your blacklist, and you can create a profile that will allow or disallow that.

I would rate BeyondTrust Endpoint Privilege Management a nine out of ten. 

We are using the solution to access the servers remotely.

The solution's most valuable feature is its ability to publish the application remotely instead of logging into the server. You can just run the software from the remote server. 

The solution's features for customizing access for the engineers, creating forms, and establishing workflows need improvement. Also, they should provide integration with VDI solutions. It would be great to run it from the Citrix Storefront or VMware Horizon.

I have been using the solution for three years.

The solution is stable.

The solution's technical support is good.

Positive

The solution is easy to deploy. However, it is complex in terms of configuration and customization. The process takes nearly two weeks to complete.

We implemented the solution with the help of two or three executives and an integrator.

The solution's pricing is high.

The solution's enterprise features align precisely with our organizational focus. I advise others to evaluate it and compare, considering the variations in each environment.

Overall, I rate it seven out of ten.