BeyondTrust Endpoint Privilege Management Reviews

There are three use cases that you can target. The first use case is the fact that some of your users may need admin rights for launching custom applications, such as Visual Studio, or they may want to install something on their machine on their own, or they may want to start, stop some services, change maybe system font, if the need arises, or install a custom font or change the driver, update the driver. Also, instead of giving full blanket admin rights, we can give selective admin rights using EPM in order to protect the company and the infrastructure from abuse. This is the first major use case.

The second use case is where we implement application blacklisting and whitelisting. If I don't want Adobe applications to run within my company, I can create a policy around that. Or, for example, if I have Adobe licenses, and those are only valid for version two to version three. Anything below two, I don't own and anything above three, I am not allowed to upgrade. Therefore, whitelisting based on version control also can be implemented. 

The third use case, which not popular in my region, is where cyberattacks can be mitigated or zero-day attacks can be mitigated, by making sure we whitelist only the browser and only Outlook. If the browser tries to invoke a script or if Outlook launches say Excel or PDF as an attachment, and from there, if a script tries to launch, we will be able to block it. Therefore, making sure that the entry point of the malware itself is blocked is possible. That said, having said that, it has zero intelligence in checking whether the script is legitimate or bad. It's going to block everything. It blocks all and later you can enable it, if the need arises.

The solution can scale.

It's relatively straightforward to set up, especially if you are deploying to the cloud.

Technical support has gotten more responsive.

At the moment, they don't support Linux. For this EPM, they have a different product for EPM, for Linux.

The same company needs two different products for EPM. One works with Windows and Mac and the other solution is mainly created for Linux. They can try to merge these two and make one product. That would be an improvement. Being a policy administrator, I have to create, or maybe monitor, two different admin consoles for the policy due to the separation between the OS.

They have a troubleshooting utility or a quick start utility, a quick start policy. They need to come up with better integrative options which should be customer-centric. At the moment, it is from their point of view. A quick start policy is something that helps customers to remove admin rights on day one.

I've been dealing with the solution for the last eight years. 

The solution is definitely stable. That's why within the last eight years, we are able to satisfy the most demanding customers in the world. It supports 10 users. It supports 10,000 users or even 100,000 users. It's scalable.

I'm not sure how many people collectively are using it in our company. I happen to have one specific area within my control. There are other technicians who will be implementing this from my own company.

I've used technical support in the past. 

The product was initially developed by Avecto. Then BeyondTrust purchased that company and they both merged together. Initially, the team was quite small. The company itself was small, and its support was not that good, in terms of response time. However, when they used to come online, their technical expertise was at par. It was way beyond our expectations. The only trouble was to bring them on a call, as the company was slightly small.

Fast forward six years, seven years. Now, the strength of BeyondTrust being a larger organization, we have better access to the technical team. Today, we raise a support ticket and someone will definitely assist by tomorrow. That's progress.

However, technical expertise becomes a challenge sometimes. Not always. Just sometimes. Any big organization will not assign an L3 person on day one. That's the architecture problem. Not the company's problem.

I may scream at the top of my lungs that I don't think this is something that an L1 can handle and they will not believe me. They would like to go through L1, and L2 and then eventually reach L3. That's the only issue with any big organization. It's an architectural problem. 

The ease of deployment depends on your requirement and your setup. If you are handling the cloud, then it's fairly easy. You simply download the agent and install the agent. The reporting is inbuilt. Policy management is inbuilt. If you consider other deployments, there is some friction, depending on the architecture.

The licensing is paid on a yearly basis. I can't speak, however, to the actual cost of the solution.

We are a partner and we sell and support this EPM solution to other customers.

We use both cloud and on-premises deployment options. 

I'd suggest new users go slow. Instead of going bold. It's a powerful solution. If I create a beautiful policy, the product will behave beautifully. However, if I create an ugly policy, the product will show its ugly face to you, as it's just a brainless bull running around. You have to give it a direction. Otherwise, it can harm you. 

Overall, I would rate the solution an eight out of ten.

We use it to limit user privileges.

It reduces major vulnerabilities by removing local administrator privileges.

I like that I can remove local admin privileges from developers.

It only has limited support for Mac.

In version 7.3 there were driver compatibility issues with other security applications, but they were resolved very quickly by support.

The BeyondInsight appliance environment is not as flexible as it should be in some designs. But overall, it’s a well-designed product.

I would rate support at six out of 10. They need more people in the Pacific time zone.

The setup was straightforward. The appliance build was very simple and was completed with minimal effort.

PowerBroker for a Mac client is three times the price of the Windows version.

• Avecto
• Thycotic
• Viewfinity

Implementation is simple, but privileged application support may need a lot of testing. Support may not be able to help due to a lack of understanding of your environment.

The primary use case for BeyondTrust is for when one needs to control the administrative accesses on their critical assets, whether that be Windows, Linux, or UNIX servers, databases, and application servers.

I would say session management on the go is the most valuable feature. When the session is going on, you can stop the session without terminating it for justification. You can cancel it. The recording takes very little space. Those are some things that the customers are worried about when they talk about session recording.

The other valuable feature is out-of-box connectors. BeyondTrust has partnered with many well-known companies. Other PAM products are not there yet. The number of out-of-box connectors BeyondTrust has is really good.

One issue, especially when you deploy HA actively and passively, is the synchronization. Usually, there is a large delay between the sync. The biggest problem is that it takes at least 14 minutes to detect that the primary is down. That is 14 minutes of downtime, which is a huge amount of time, especially for our enterprise customers. That delay should be reduced.

The other area to improve is that they rely on MS SQL servers only. You cannot have any other database behind them. They have to be on MS SQL. If they can do something about these issues, this would be a better alternative for some customers.

In terms of software, BeyondTrust should work on other operating systems other than Windows and support non-Windows operating systems also.

I haven't faced any issues with stability. Others might have, but I personally haven't faced any stability issues, because the system is very solid. The processes behind them are very well defined, as well. I haven't seen any instability yet, but perhaps there might be in the future.

Scalability is very simple. I mean you can just add a greater number of nodes or sessions. They can be behind a load balancer, so it's very easily scalable. They do need to have a license for the scalability that they wish to reach, so they can keep upgrading their hardware as much as they want.

There are chances some customer might give very negative feedback. Firstly, we think that they are extremely good in terms of ability. Next, they give you a slot for the support. If you give a ticket they respond quickly and give you a slot. However, the customer needs to make sure that they are available for that slot. Otherwise, they can view which slots will be available soon. If they miss a slot, the technical support will get busy with other tasks. This is one reason we have had negative feedback. It comes from the customer's end. 

As an implementer who has submitted tickets, we have gotten responses that resolve the issue. I have found that the way they communicate to resolve the issue was really good. I work with other vendors' products as well, although not for PAM. I thought that BeyondTrust support was really good.

The initial setup was very straightforward and simple.

The deployment time depends upon the size of deployment. If it's a single company with DC and DR, where you have an HA in DC and DR, the maximum time if they have 500 assets, for example, would be two weeks. If everything is smooth, it should be a maximum of two weeks. It could also be shorter.

We do demonstrations for implementations only because we are partners for BeyondTrust in this region. We deploy the solution.

I've actually looked at ARCON and BeyondTrust. Now I'm working with BeyondTrust implementation.

Features-wise, BeyondTrust is a lot better than ARCON. ARCON, even with limited features, is still good, but the number of features and scope of its privilege control is limited.

BeyondTrust Password Safe works for critical assets and servers. For endpoints, it offers PowerBroker and Bomgar, which is for privilege remote access and control. I think that the suite of BeyondTrust covers a good landscape. ARCON is limited.

Don't start the implementation until you get the prerequisite sheet confirmed from the customer. If not, you may waste a lot of time at the customer's site.

I have learned a couple of things from this product. First, if the organization doesn't have a structured hierarchy of the work or the segregation of duties properly implemented, no matter what kind of security there is, it tends to fail. Operationally, it tends to fail. The tasks never get finished. BeyondTrust helps define those duties properly.

That was one major thing. The other thing I learned is that PAM is not for an inexperienced person. Don't give a PAM solution to a company that is employing inexperienced people, because they will never understand the concept of security and why identity security is important.

I would rate this solution as eight and a half or nine out of ten. I am not saying ten, only because of the limited choice of Windows. If it had alternate options available, I would give it a ten.

The main areas of focus of BeyondTrust products is Privileged Access Management. Along with it, they've also bundled the PAM solutions with a Vulnerability Management solution. We all know Retina Network Security Scanner has been around for more than a decade now and anybody would agree with me that it has been a most comprehensive scanner. BeyondTrust bundles these two areas of security - PAM and VM - with an extremely rich reporting & analytics platform – BeyondInsight - which gives actionable intelligence to SMBs as well as large enterprises.

Along with PAM & VM, PBW allows implementing a strong workflow in the organization, with regards to accessing the most valued resources of the enterprise. The request-approval process along with session monitoring and recording, could prove a very strong deterrent security control for actors with malicious intent.

With all the other features, such as asset inventory, scanning, jobs scheduling, etc., BeyondInsight offers an intelligent platform for reporting and analysis of the collected information from the customer's environment. It presents the information in the form of heat maps, risk maps, ROI graphs which are very useful for presenting to your senior executives during your budget planning. Overall, it has proven very useful to all individuals from engineer to the 'C' class of the company.

We implemented the BeyondTrust suite of products as part of our initial evaluation and continued to use the product because we liked it very much. We distribute security solutions to our customers, so we can only sell something to our customers that we believe in. And the best way to start to believe in something is to experience it. So, from the initial evaluation environment, we moved a few assets – because it's not a very large organization - and implemented a workflow process for our IT contractors. Developers and network engineers who access our infrastructure devices such as servers, routers, and firewalls have to put forth a request (though we've kept them as auto-approve 24x7, since we trust them :) ), to access the devices. All these activities are monitored, recorded & audited on a periodic basis or in cases of issues. We do not have any external auditing done within our company. However, I can imagine the kind of details provided by the solution to the auditors on almost all of the IT activities required to be monitored and audited.

Apart from auditing & recording requirements, our sysadmin now has the best control of his work in his tenure with us, in the area of patch management for our networks. RNSS has been scheduled for periodic scan jobs preparing a report. We've configured the Enterprise Update server, which checks the vulnerabilities, suggested remediation, and once they've been reviewed, all the systems are patched directly from the Enterprise Update server.

These are some of the areas I can think of at this point of time that we have benefited from BeyondTrust so far.

I'm of the thought that the best products in the market have room for improvement, always, and so is the case with this product as well. I have always submitted the improvements / bugs list to the vendor and am looking forward for them to be implemented in their coming releases.

These are related to the Flash / Java Web UI, which we know is very vulnerable. I would love to see the Reporting & Analytics console in HTML5 or other technologies which are not as vulnerable as Flash. That's something I don’t promote for the product. However, it being an internal-facing Web application, it doesn't pose a very high risk.

Other areas for improvement I have suggested in the past were more tight integration with some of the comprehensive ticket management systems. Currently, it does open a ticket in external ticket management system by sending an email. However, I would love to see these tickets being opened and customizable for other activities, such as after a vulnerability scan for high-impact or high-risk vulnerabilities, systems not patched for a certain time duration, and the list can go on. Auto-opening & auto-closing of tickets is something I would love to see implemented in BeyondTrust.

I've been implementing & using BeyondTrust products for more than a year now.

I have not encountered any major stability issues so far; just a few minor bugs, such as when you run / schedule jobs, sometimes we could see two of them being run. But this was just in the UI, RNSS in the background would still run as per the configured and scheduled jobs & reporting back is also as expected. Apart from that, the product is pretty much stable.

I've seen the product scale with no problems. I've implemented products in customers’ environments as a POC with a few servers / resources under monitoring. And once they decided to go ahead with the solution, they've scaled very well to a few hundred or thousands of users with addition of endpoint software, with virtually no impact on the performance. On the contrary, the more the resources being monitored, the more information being collected, which lights up the platform and provides a very comprehensive list of information of your network.

Until now, there hasn’t been local direct support in Australia, so any support has to be raised via email and there is a day's lag. To speak directly to the support rep, you have to call a toll-free U.S number. However, I haven't doubted the competitiveness and efficiency of the support. All the cases I have submitted so far, for ourselves as well as our customers, have been resolved to an excellent level of satisfaction.

I wasn't using any similar solution previously.

The product is available in the software as well as virtual appliance form which is a hardened Windows server, shipped securely to the end-user. It does have initial setup and configuration tasks. I would not say it's simple for naive users; however, having said that, it's backed up by very strong, simple and straightforward step-by-step documentation, which is very simple to understand and can be followed by a beginner to mid-level engineer.

Compared to its competitors, BeyondTrust software is way too cheap and offers many more features and functionality at the base price point. Licensing is simple and based on either number of users or number of resources, whichever is cheaper for the customer and very easy to calculate. Licenses are not hard-limited on the number of users.

Security, as always, should be taken care of in a layered approach. BeyondTrust products take care of the containment of the breach with its PAM suite of solutions, as well as reducing the attack surface with its Vulnerability Management products. Together, they present a very strong, in-depth defense approach for customers. It's not an endpoint protection product, though they have their endpoint agents, which could be installed on the workstations. It has to be implemented in conjunction with other security solutions such as endpoint protection and gateway security solutions such as email & web, as well as firewalls, IDS, IPS and other network security devices.

BeyondTrust Endpoint Privilege Management helps with activity monitoring. 

The tool is easy to use and deploy. It has PAM capabilities like privilege access. The solution helps with the management of third parties and vendors. It is an effective solution compared to other alternatives. 

The product should improve its price. 

I have been working on the solution since the beginning of the first quarter. 

The solution is stable. 

The tool is scalable. 

BeyondTrust Endpoint Privilege Management is easy to deploy. 

I rate the solution a seven out of ten. 

The features related to application elevate is amazing. It helped the company to remove almost all admin local users.

There are severals application that all users needed to have local admin configured to work. After the powerbroker implementation, all users with this privilege were removed, it improved the security and helped to change the IT vision, from Security to SAFETY.

Reports to the end user.

1 year

Not at all.

Not at all

No.

Very good.

Very good

No.

Easy.

Vendor team. Very good.

N/A

I'm sure everyone should have the cluster environment, which means more expensive, anyway, cheaper than the other solutions.

Yes, CyberArk, CA.

No.

We primarily offer this solution to our clients. Our clients use it for access. For example, if there is a user who is not from their existing network and he's a contractor, they have to be able to give him the privilege to come inside, otherwise, that person can't access anything internally like a regular end user can. This solution allows them to offer separate privileged user access for specific users. 

The solution is very fast.

The solution offers good authentification. It makes managing passwords and access easy and ensures that access is granted only to respective people and/or organizations.

BeyondTrust has very good integrations with quite a lot of security vendors such as SailPoint, IBM, FortiGuard, Splunk, etc.

There are different vendors that are pretty competitive in terms of features. BeyondTrust is great in some areas, however, CyberArk is as well. The solution needs to continue to add features in order to stay competitive in the market.

Their technical support could be more responsive and helpful.

The solution is quite expensive.

I've been using this solution for one year now.

We don't have any issues with stability. It doesn't crash or freeze. It's not buggy.

The solution offers good scalability and is easy to upgrade as needed.

While I've never been in touch with technical support, my team has in the past.

They can improve their services. That's my understanding based on the feedback I've heard. They are a Gartner leader, and due to this accolade, sometimes they can get a bit lazy when it comes to giving the right support. They are a leader so they take advantage. There are a lot of deals which we have lost due to this kind of attitude.

There are been cases that we are handling that have been going on for a year now. Even though they are an industry leader, they haven't been able to solve a small problem. We have the American University of Dubai struggling to solve a small problem, and it's been one year since one case has been opened with BeyondTrust, and they're not able to solve it. That's far too long.

The initial set up is quite quick. BeyondTrust implementation does not take much time. However, it depends on the complexity of the client. It'll take months sometimes if the customer does not know their requirements. For example, a basic implementation takes 10 to 15 days. However, if there is more access needed it takes months sometimes. Access has to be defined based on the number of end-users. It may take as long as four months or so.

The cost of the solution is very high. As a market leader, they tend to charge a premium. They only provide the product. Technical support is extra, if a company wants to have access to that.

Overall, I'd rate the solution five out of ten.

I would definitely recommend it, however, I would recommend organizations test a couple of solutions based on their requirements. There will be a different requirement for a retail outlet and a different requirement for an oil and gas company. 

Even though it is privileged remote access, different accesses most likely need to be granted. If somebody is a software developer, and somebody is just for support, they will need different types of access. Whether this solution offers that a company needs depends on different requirements from different end-users.

In terms of meeting compliance objectives of securing endpoints, this product is very useful. It works for things like ISO, PCI, DSS, and the CIA. BeyondTrust meets all of the technical requirements from the compliance perspective. The vault, remote access management, and VP enlisted VPNs will become very useful in terms of being able to manage and maintain infrastructure security without having the complexities of changing passwords all of the time. It also helps to maintain all of the compliance objectives with password complexity changes. All of those things get managed under one product tree.

The privileged access management into sensitive systems is very valuable. That includes control from the endpoint all the way through to the managing of passwords and credentials that are used by the person to access the sensitive information. It's very useful because nobody ever really maintains passwords for those endpoint systems. It's maintained in the Dropbox password file.

This depends on the client. Some clients find the granular approach a lot better than the simplified approach and some clients prefer the simplified approach better than the granular approach. Depending on the type of organization and type of information that must be protected, there are obviously different requirements.

I actually haven't been using this solution. Customers of mine have been using it for about three years to provide me with evidence for audit purposes. They retrieved this evidence from BeyondTrust. When I ask them about endpoint management, all the information that I ask for they pull out of BeyondTrust. 

At this point in time, I haven't had any complaints from clients that it let them down, so I would assume it's stable.

It is definitely scalable. I've worked with clients that have a 75,000-device network and it's working fine. Our clients have anywhere from about 15,000 users up to about 40,000 users.

The initial setup is complex.

We use a vendor team to implement.

Approach it slowly. Don't rush in and drop things down there. Do it carefully, because you might end up breaking access to systems, which is complicated when you're running a production environment. Make sure you go through the testing process vigorously before you deploy.

I would give BeyondTrust a seven out of ten. There are some features in CyberArk that are better, cheaper, or easier to implement. Some of those running in CyberArk don't have the conflicts that BeyondTrust has, as there are many products in the suite. You've got to compare apples with apples.