BeyondTrust Endpoint Privilege Management Reviews

The solution's least privilege enforcement has helped us ensure access is given to only the required people.

Sometimes, it's difficult for other users to understand how accounts and servers are mapped, which is complex. How the accounts are presented in the solution's UI can be improved.

I have been using BeyondTrust Endpoint Privilege Management for five to six years.

I rate the solution an eight out of ten for stability.

I rate the solution an eight out of ten for scalability.

I rate the solution an eight out of ten for its ease of deployment and integration with our infrastructure.

On a scale from one to ten, where one is cheap and ten is expensive, I rate the solution's pricing a seven out of ten.

The solution is doing a good job of enhancing the endpoint security posture by managing the overall application life cycle and helping us block unwanted applications. The solution's scanning feature helps identify the unmanaged accounts within the console itself. We do not have to do a DNA scan like CyberArk separately, which is a separate license.

The solution's least privilege enforcement has helped us ensure access is given to only the required people. It is easy to maintain the solution.

The solution helps identify the unmanaged accounts and then develop a plan for managing those transferred accounts, which were used as service accounts in multiple critical applications.

Users should have an in-house person to manage the environment. If they completely depend upon the vendors, they might be unable to do things at the right pace.

Overall, I rate the solution an eight out of ten.

I was part of the project, I collaborated with a Privileged Access Management consultant and incorporated it with their existing password safe from BeyondTrust. This allowed for a comprehensive approach to security within the designated area of focus.

When it comes to FSO security, a prevalent objective is the removal of admin rights for users and many security teams aim to transition users from admin to standard status, even while ensuring the seamless operation of critical business applications. Challenges arise as some users find it difficult to complete their tasks without admin rights. Avecto Defendpoint addresses this by allowing specific business applications to run with elevated privileges through the Advantage Token. Striking a balance, it empowers users in standard mode to run essential business applications with the necessary admin rights, while maintaining a secure posture.

The notable aspect is its ability to capture the application's behavior comprehensively and this thorough analysis is crucial for effective policy management. During troubleshooting, the event capture feature, known as PG capture, proves invaluable. By leveraging this functionality, administrators can quickly identify processes through Windows Event Viewer. The obtained insights from these events can be utilized for immediate problem resolution. Furthermore, the reporting feature facilitates the seamless addition of policies based on the gathered information, making it a standout and practical feature. In the event of attackers attempting to execute malicious files that require admin privileges, it intervenes at the initial stage, blocking such attempts outright. The incorporation of a chat feature and the adoption of BeyondTrust's Trusted Application Protection further enhance security measures. Organizations often opt for implementing policies from this application suite, safeguarding fundamental applications like Office, Adobe, and browsers.

When working with the on-premises installation, the reporting process posed challenges, requiring the installation of SQL. The differences between EPO reports and the reporting console were observed, prompting a desire for equivalence, especially in specific report types critical to customer evaluation. Aligning these features across platforms would enhance the overall reporting consistency and user experience. A valuable enhancement could be the capability to deploy agents directly through the console. While it might not currently fall within the scope of the product, having the ability to uninstall or install agents seamlessly through the console would be a beneficial feature.

I have been using it for six years.

It is notably stable, especially evident through its tamper protection feature. Even attempts to tamper with the product, such as through registry settings, proved unsuccessful in our testing, attesting to its robustness.

The ability to seamlessly uninstall or install agents through the console would be highly advantageous. Presently, dependency on SSE for scalability and deployment tasks involves setting up groups and pushing tasks to endpoints, including the configuration of policies for certificates.

Their support was excellent, providing valuable responses within a few hours. However, during the transition period, typical of major changes, responsiveness slightly declined, taking a day or two to receive a response. Fortunately, things have improved, and we now receive prompt responses.

CyberArk is a significant rival, offering a multitude of features, some of which may not necessarily align with the fundamental needs of the customers. Avecto Defendpoint, on the other hand, caters to the precise requirements articulated by the customers. This thorough comparison involves not only feature sets but also financial considerations and other pertinent aspects.

The initial setup is straightforward, requiring the fulfillment of certain prerequisites. This includes setting up ports and, if opting for reporting through SQL, configuring the SQL server along with the necessary accounts. When all these prerequisites are in place, the implementation process is smooth and not overly complicated.

The process involves several steps, starting with initial discussions to understand the existing infrastructure and identifying the necessary knowledge about the current state. Subsequently, approvals need to be obtained from relevant workflow departments based on the proposed changes. Once the groundwork is established, the next phase entails getting the servers up and running for it. The decision-making process then extends to choosing the appropriate deployment model, whether on-premises or in the cloud. For customers with the Password Safe, considerations regarding the Password Safe console come into play. This comprehensive approach ensures a thorough understanding of the client's requirements before making informed decisions about the deployment. Our process typically involves progressing from Proof of Concepts to real-time production deployment. The entire timeline for this transition spans approximately three months.

By consistently reviewing and adjusting policies, and implementing stringent measures, this product can provide enhanced security, ensuring a substantial return on investment.

It is relatively more cost-effective compared to the competing product.

When evaluating this product, it's more effective to base the assessment on your specific use cases rather than comparing it to other products. If the product aligns with ninety percent of your use cases and meets your needs, it would strongly indicate that proceeding with this product is a favorable choice. Overall, I would rate it eight out of ten.

We are an integrator, and we do a lot of Identity and Access Management and Privileged Identity. I am only just getting into this solution. I am not trained in it, but I've been reading about it. I have recommended it for a client based on their requirements and based on what I know about CyberArk versus a couple of others. I have not implemented it yet. I have the agent running on the system where I am actually profiled. I have its latest version.

In terms of use case, it primarily has two things, and you can choose whatever you want in the middle. One side is that you can use it to allow the user to have specific administrative rights and do certain things without having to call the help desk. For example, you can allow users to be able to install certain applications. You can also have a whitelist or a blacklist of things that they are allowed to install, which saves a boatload of money in calling the help desk. The other side is to rein in administrators so that they don't go too far or do something outside of the bounds. The help desk personnel would have different restrictions when they log into a workstation than regular users.

What I liked about this solution is that it can also integrate for tracking malicious use or sending analytics to a host that can process them. I don't know if CyberArk, Centrify, or Thycotic can do that. The analytics was something the client really wanted, and they already had BeyondTrust. 

It is very scalable. The agent on the workstation is very thin, and the processing power required on a server is nothing out of the ordinary. It is also very stable and easy to deploy.

What's bothering me, which is true of all of them, is that sometimes, the error codes that come up don't necessarily get reflected in the searches within their support sites or they're out of date. I would rather search by an error code than type in the text and search for it by text because the error code means that it is programmatic, and it is known. It might not be desired, but it at least is not unexpected. If you don't have an error code, you just get an anomalous error, and if it is lengthy, it can be difficult to search and find the specific instance you're looking for. This is something I would like all of them to improve. BeyondTrust, CyberArk, Centrify, and Thycotic could do some improvements in staying up to date and actually allowing you to search based on the product version. They are assuming that everybody is on their way to release. They put out a new release, but it is not reflected on the support site, which makes no sense to me, especially when they revamp all the error codes. They all have been guilty of this in some way.

I started using it about a month ago when I was doing the appraisal of it, and I put it on a virtual machine. Our work machine is a virtual machine.

It is very stable. I had worked on a competitor's product two years ago, and it was rather buggy. It had issues. Sometimes, it used to hang the machine. Because you're running an agent on the workstation, it could have a memory conflict or an application conflict. It doesn't happen anymore because you've got it pretty much running strictly in Windows.

It is very scalable. 

I used their email support, which is very good.

I didn't switch the client to this one. I recommended this one because it stays under the BeyondTrust umbrella. It also helped them in getting a discount for volume and being a loyal customer and things like that. They also didn't have to add new infrastructure. 

CyberArk is a very good product, and I like it. I've been trained in it, but I have not implemented it. I am not going to ask the customer to install another infrastructure or another platform, especially when the products are fairly equal or equal enough to not be an issue to put on a table. If I had recommended CyberArk, they would have to put in a CyberArk infrastructure and retrain a whole bunch of administrators to administer that. They would also have to train a whole bunch of support people to manage off-hours, holidays, weekends, and things like that. Every time you add another brand, it adds to your soft costs, which can make a solution pretty expensive.

Hard costs are so much fun, and they're much easier. I've seen people get up and just start writing on a dry erase board because they know all the hard costs. It would be good if they would just be honest with themselves and the clients and explain what some of the soft costs are in terms of additional training or a more significant hardware footprint.

It is pretty straightforward to get the agent installed. You install the agent and the server component, and you let the users do whatever they've been doing for the last 10 or 20 years of their life. You also create profiles. For example, I had a developer profile for both Windows and Linux, and I had a profile for a regular user, help desk, and engineering. After you create profiles, an administrator can look at their activities in the log and analyze things like the following:

• Why did he install CCleaner on the machine?
• Why did he install this application?
• Why did he elevate a command prompt to do something? What is he doing?
• Why does he need administrator command prompts?

You can then add things like this to your blacklist, and you can create a profile that will allow or disallow that.

I would rate BeyondTrust Endpoint Privilege Management a nine out of ten. 

It elevates the user to perform admin tasks without the user being a part of an administrator group.

PowerBroker allows elevation of required actions or application and eliminates the need of user having full administrative access. There are immense security and administrative benefits associated with removing users administrative access on the workstation.

PowerBroker allows the elevation of certain actions based on different whitelisting abilities. This can range from restarting services, installing software and allowing applications that require administrative privileges to run.

It is very similar to the UAC components built into Windows but gives us a lot more control surrounding the elevation

Previously, all users were in the administrator group of their machines. Since PowerBroker elevates the user, we can remove the users from the administrator group. Thus, the machines become less vulnerable to attacks

Improve the ActiveX rule for websites.

I have used this product for almost a year.

The software sometimes uses a lot of memory.

We have not had any scalability issues.

Technical support is mostly good.

We didn’t use any previous solutions.

It's a straightforward setup.

Price seems to be a little on the higher side.

We evaluated Avecto.

Make use of Polmon and Beyondtrust reporting console to create the elevation rules.

We are using the solution to access the servers remotely.

The solution's most valuable feature is its ability to publish the application remotely instead of logging into the server. You can just run the software from the remote server. 

The solution's features for customizing access for the engineers, creating forms, and establishing workflows need improvement. Also, they should provide integration with VDI solutions. It would be great to run it from the Citrix Storefront or VMware Horizon.

I have been using the solution for three years.

The solution is stable.

The solution's technical support is good.

Positive

The solution is easy to deploy. However, it is complex in terms of configuration and customization. The process takes nearly two weeks to complete.

We implemented the solution with the help of two or three executives and an integrator.

The solution's pricing is high.

The solution's enterprise features align precisely with our organizational focus. I advise others to evaluate it and compare, considering the variations in each environment.

Overall, I rate it seven out of ten.

It is straightforward. It is a good technology, and it is made to do one single thing.

They are doing good for now, but they should start to consider tight integration with Mac solutions. There should be more integration with Mac. There should be Active Directory (AD) Bridging. Thycotic and Centrify have it currently because they merged and joined forces, and it was a feature available in Centrify. So, basically, they joined forces to create a kind of perfect product. If you have a hybrid or mixed environment with Windows and Mac, your Active Directory can only manage or enforce policies on Windows, but what about your Mac devices? How do you control them? So, AD Bridging will act as a bridge to bring all your Mac devices into your Active Directory. This way you have full control over your entire environment.

I have been selling this solution for three years.

It is stable. 

It is scalable.

I never had a problem for which I needed their technical support. The product is simple and easy to use. Our team is also capable of solving all the problems.

It is easy to deploy. The deployment duration depends on how many servers or routers you have, what kind of IT stuff you need to grant access to, and how much stuff you have. I am referring to the entire environment with all the customers and all the users. If you have five routers, five firewalls, it might take up to two to three days to deploy the entire solution. It also depends on the number of administrators you have.

Price-wise, it is very competitive. In our area, government entities and banks don't go for the monthly payment. It is a headache even for us in terms of finance and procurement to go for monthly payments. Quarterly might be more logical and reasonable, but the minimum that we go for is one year, and sometimes, we even try to compile and give one offering for three years.

It is mainly deployed on-prem. About 95% of the sales that I do are on-prem solutions. That's because we're talking about security.

It is a good technology. I would definitely recommend this solution. I would never sell it if I can't recommend it. I would give it an eight out of 10.

The primary reason for BeyondTrust was so that one administrator could use their password to log on to our server. The second reason was, we needed to use BeyondTrust to form some level of sharing. It's my understanding that Microsoft has this and we have this challenge of having a tier one and tier two. We wanted to do a structure like that. 

The solution can do so much. It's quite flexible.

It's a great tool.

It's nice to have admission tools without having to remember the password. You just have to click on whatever you need to do and you get temporary access. 

The product is stable.

Technical support is good.

We have installed BeyondTrust, however, it's not working as-is. There are two domains, and there's a trust between those two domains, however, just one of the domains is working. We've not been able to set it up such that we're able to use the second domain as well. That, unfortunately for us, that second domain is a valuable domain, it's very critical.

BeyondTrust is trying to find a way to do it, however, we do not need it for some time. It's working at least, however, there are some times where it just freezes out. We have to fall back on RDP to do BeyondTrust. That was part of the reason I was doing the comparison between BeyondTrust and Broadcom - to see if there was a way to resolve this.

The implementation process could be better. It's not as vast as we would like it to be.

If you don't get the implementation right at the outset, you will struggle with the product.

For the most part, the stability is good. There are no bugs or glitches. It doesn't crash or freeze. It's reliable. 

We are actually working on scaling the solution currently. My understanding is that it is possible, and part of our plans, however, I can't speak to how easy it is to scale, or how much you can actually expand it.

I haven't really dealt with technical support. I recall the team having to reach out during implementation and, as I recall, they were helpful and responsive and our team was satisfied with the level of support.

The initial setup can be tricky in that, if you get the implementation wrong, it will affect everything and won't work as it is supposed to. 

That said, I was not a part of the implementation team, and therefore cannot discuss specifics. I can say that the deployment took some time, however.

It's my understanding that we have a license that is paid monthly.

I don't have a view of the exact costs the company pays. It's not an aspect of the solution I deal with. Our management team deals directly with them.

I've looked into Broadcom to see if it could resolve some issues we were having under this product.

We are a customer and an end-user.

I'm not sure which version of the solution we're on right now. I cannot speak to the exact version number we are using.

I would definitely recommend the product to other companies and users. For us, it's a very important organizational tool.

Overall, I would rate it at an eight out of ten. We're mostly quite satisfied with its capabilities.

There are multiple use cases for this solution. There is the auto-discovery option for PowerBroker Password Safe, which can discover all the local accounts on any of Windows, Linux, or Unix. It can work with Active Directory and onboard Active Directory accounts automatically, if the correct credentials have been provided for AD. When it comes to databases, it also governs and controls all of them. It can integrate with Oracle Database, SQL, Oracle Linux, or other database environments.

I'm a BeyondTrust partner and I have multiple deployments, four or five banks right now. The features that give us quite an edge compared to what our competitors are offering - like IBM or Thycotic - are the Session Management, that is quite a big one; also the recording of keystrokes. In addition, there is the password vaulting and state-of-the-art Password Management, which I haven't seen in other products.

It also provides a granular approach through the Management Console and manages all the operations "from the inside out". It is easy to explain and easy to manage.

If you are specifically dedicated to Privileged Access Management, the definitions are a bit unclear throughout the world. I have been in contact with engineers around the world, in Canada, the U.S, and the U.K as well. Everyone has quite a different definition for Privileged Access Management or Identity Access Management or Identity Management.

Because of the definition of PAM, I don't think they can provide anything in addition to what has been defined. If you want to include anything else in this product, it will deviate from the boundaries of PAM.

I have not encountered issues with the stability.

There are slight hiccups but they are based on the configuration details of the appliances, as done by the clients. If you are talking about the application or the features it provides, I don't think there are any hiccups with BeyondTrust.

I have worked on competitive products as well. IBM and Thycotic are lightweight applications utilizing limited resources and providing proportionate results. I don't think anyone can compete with BeyondTrust.

The response time and the responsiveness, the level of support that they provide, is tremendous.

I have worked on the scene, I have worked on firewalls as well as on multiple security products, but the support from BeyondTrust is highly efficient, from a highly experienced technical staff. The level at which they provide support, the dedication as well as the expertise they have, is among the best I have seen.

I have utilized OpenAM SSO, as a single sign-on. That was a Canadian product. It was an open-source solution. But I am happier with BeyondTrust. About 95 percent of use cases are handled by BeyondTrust. Whether you're talking about a bank or a telco, whatever their requirements are, they can be met by the PAM. When it comes to the PAM, I don't think that any application can compete with BeyondTrust, except for the financial issue that has been recently affected by the change in the licensing model.

The initial setup is straightforward; the way that they provide the UVMs, and the whole package when it comes to deployment. What they do is provide you a complete setup package. Everything in there is preconfigured, so all you have to do is to provide the basic IP addresses and other stuff and that's it.

What BeyondTrust was providing was user-based licensing which was a great benefit from the client point of view. Recently, I don't know why, the licensing model has been changed, and that is the reason that they have lost a bit of their edge when it comes to the PAM, against our competition.

The asset-based licensing, from the user's point of view, is not beneficial. The licensing should be based on the users. The greater the number of users, the greater will be the load and the greater the scalability problems. I presume that is why the licensing model has changed.

My company first chose the IBM Identity Manager suite. Later on, we surveyed the market and the needs and requirements of the clients. We thought the IBM solution was utilizing too many resources to achieve a very limited goal. The requirements are related to PAM, but they were employing IM.

I would rate BeyondTrust at eight out of 10. It's not a 10 because the scalability and licensing have impacted us a lot. Of the two points that I have deducted: One is the non-flexibility on the pricing and one is the licensing model. When you launch a product in several markets like the European market, the Asian market, or the Russian market, you have to be very flexible when it comes to the pricing.