Architect at a tech services company with 11-50 employees
Helps secure privileged access in large corporate environments and is highly adaptable
Pros and Cons
- "The actual innovations offered by the vendor stand out to me. They are quick to respond to market demands and the changing environment of privileged access management."
- "Documentation is the primary area of improvement."
What is our primary use case?
The solution was implemented to secure privileged access management in a large-scale corporate environment.
How has it helped my organization?
Privileged access management protects the accounts that have administrative privileges and secures those in a secure and encrypted vault so that they are secured and protected. Not having the credentials "on the wire" is only one part of what the solution offers. If the credentials are exposed on the network, they can be exposed to various vulnerabilities and increase the attack surface areas.
Protecting privileged accounts reduces the attack surface area. It is estimated that around 70% to 80% of all compromises in cybersecurity are due to unauthorized privileged credential exposure, either by lateral movements or phishing attempts. By securing those accounts, we tackle a significant part of the problem.
Additionally, knowing who, when, and how the privileged credential is being used via the reporting and analytics module allows visibility into a previously unknown area.
What is most valuable?
The actual innovations offered by the vendor stand out to me. They are quick to respond to market demands and the changing environment of privileged access management. I see BeyondTrust Password Safe as an innovation leader compared to some of the other vendors in the market.
What needs improvement?
Documentation is the primary area of improvement. Their documentation has improved over the last three to five years, but there's still room for improvement. A more intuitive search and not having disparate documentation categories would be helpful.
While they are quick to market for improved features, there are still additional features that other vendors have that they don't have like a credential injection for the users' web browser extension.
Buyer's Guide
BeyondTrust Password Safe
December 2024
Learn what your peers think about BeyondTrust Password Safe. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
824,067 professionals have used our research since 2012.
For how long have I used the solution?
I have been using this solution since 2013.
What do I think about the stability of the solution?
The solution is very stable. Part of my role is to design and implement disaster recovery and business continuity planning. Although planning is important, these are rarely put to use.
What do I think about the scalability of the solution?
The solution is very adaptable. The solution can be deployed in environments with a single domain and then scaled up to handle multiple domains positioned globally as well as adding cloud security.
How are customer service and support?
Customer service and support are great!
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I worked with Delinea, which used to be called Thycotic, and CyberArk.
The decision that clients typically make to choose BeyondTrust is often from a proof of concept (PoC) or through an extensive advisory engagement. One differentiator is shown between a user-centric environment versus an asset-centric environment. The two clear differences between BeyondTrust and CyberArk are that BeyondTrust is more asset-driven, while CyberArk is more user-driven. Both have their advantages, but it depends on the workflow and architecture that suits the client.
How was the initial setup?
As a person that has been involved in multiple deployments of BeyondTrust Password Safe for various companies, I can say the initial setup is fairly straightforward.
What about the implementation team?
In-house deployments can be challenging, so leveraging a delivery provider that specializes in PAM deployments provides numerous benefits. PAM/IGA/IAM are unlike many other security solutions as they have their own language and unique demands that are often not as intuitive. Knowing how to overcome project crawl, analysis paralysis, adoption challenges, and executive buy-in can be helpful.
What was our ROI?
The ROI can be quickly realized for BeyondTrust vs. some of their competitors. The ease of implementation and the speed to get that initial return on investment is impressive.
With the BeyondTrust solution, you have the capability to deploy the more secured layered solutions such as Secure Remote Access (SRA), Endpoint Privilege Management (EPM), and Identity Security Insights (recently released this month) that are all designed to protect the entire enterprise.
What's my experience with pricing, setup cost, and licensing?
BeyondTrust has migrated towards subscription-based licensing/annual renewals. They remain competitive and on par with their pricing, often coming in under other competitors. Pricing is one of the reasons clients choose BeyondTrust, but it's not the only reason.
What other advice do I have?
Overall, I would rate the solution an eight out of ten.
One of the more important areas to focus on is knowing your environment pertaining to the assets and accounts before deployment is attempted. Not knowing what needs to be protected will make the deployment more challenging. Although BeyondTrust excels in the discovery of assets and accounts, knowing WHERE to look can be challenging.
Deploying the product using only a percentage of its capabilities can lead to frustrations and reduced ROI. Not managing service accounts, networking, and database teams that are typically more challenging can lead to vulnerabilities as well.
You can't just focus on privileged access management. Privileged Remote Access, as well as solutions such as endpoint privilege management, are all part of a complete identity and access management solution that must be designed and deployed correctly. If not designed and deployed correctly, it will do the opposite of making the environment secure.
Least privilege, zero trust, and cloud security awareness are all buzzwords we see often. Privileged Access Management (PAM) is a part of the layered security approach that will keep your company out of the cyber news headlines.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner | System Integrators
Cybersecurity Architect, self-employed
Quick to deploy and provides a lot of value from the security, management, and auditing perspective
Pros and Cons
- "It provides integrated password and session management in one solution, which is important for us because, from an auditing standpoint, we are accountable for the type of access being used. We need to ensure that accounts are securely stored and there is the right type of accountability around who is gaining the access. After gaining it, how they're using it, where they're using it, etc."
- "Named accounts don't work well in this solution. If you use named accounts for your administrative access, the way Smart Rules work is that it takes your SAM account name and matches it to the account name of your privileged ID, which creates limitations on size and how big those names can be because the directory has a 20-character limit."
What is our primary use case?
We're using it as a vaulting solution. We're doing password vaulting, and we're doing password rotations. We also do session management and session proxies.
We probably are using version 7.2.
How has it helped my organization?
From a management and audit perspective, we've seen a lot of improvement because now, we're secure in the sense that we know where that access is coming from, and we know who is requesting the access. From that perspective, we're very happy, and it has provided a lot of value, but from a user perspective, it has been negative. When we talk to our frontline guys, who actually use this solution, they're not too happy with the whole solution itself only because they feel that it has added a step in their whole process and procedures.
We use PuTTY, and we didn't find it very difficult to integrate session management into existing business processes. It was pretty good. It all comes back to how you would define the users and how you define the administrative access. If sudo and those types of things are kept out of the picture, then by getting access to a privileged role or group or SSHing into a session with the root privileges, they're able to do everything they need to do without having to go through the virtual model of sudo to access something. The seamlessness was that they didn't have to go and make that connection happen. It was just all integrated within the solution itself. They just click on the asset that they wanted access to, and it would provide SSH access to that system.
So far, we have been able to integrate session management without disrupting business processes, at least for the assets that we've been on. That's very important to us. The main feature is the session recording. If we can continue to have session management, and we get those session recordings, that's the key for our auditing team.
What is most valuable?
The vaulting features are valuable.
It provides integrated password and session management in one solution, which is important for us because, from an auditing standpoint, we are accountable for the type of access being used. We need to ensure that accounts are securely stored and there is the right type of accountability around who is gaining the access. After gaining it, how they're using it, where they're using it, etc.
What needs improvement?
In terms of intuitiveness, the UI for a generic user is good. I wouldn't call it great because, at times, some of the capabilities are difficult. While trying to get to the password itself or trying to find the asset itself, it sometimes gets difficult to narrow down or identify which asset you can get credentials for. There were some search features and the ability to have a favorite, but in a lot of cases for our user community, it wasn't very useful.
The RDP access needs to be improved. I wasn't very keen on that. It downloads an RDP file every time you want to access the solution. It builds up these sessions on your laptop. That was one of the pain points that a few of our administrators had talked about.
Named accounts don't work well in this solution. If you use named accounts for your administrative access, the way Smart Rules work is that it takes your SAM account name and matches it to the account name of your privileged ID, which creates limitations on size and how big those names can be because the directory has a 20-character limit.
For how long have I used the solution?
I've been using BeyondTrust since 2018. So, it has been about four years.
What do I think about the stability of the solution?
It is very stable. It is good. We haven't had any major incidents with the product.
What do I think about the scalability of the solution?
It is good. It is very easy to add new VMs to the solution and integrate them with the existing hardware. Scalability is very easy.
To date, if I remember correctly, we have 200 users as administrators using the solution today, and they are the domain admins from a Windows perspective and the root access administrators on a Linux box.
Its usage is not as extensive as the organization first hoped. They are not planning to make it any larger than it is today.
How are customer service and support?
I didn't like it at all, but that was about two years ago. I'm not on the site anymore. I was the architect, and during the time of implementation, there were things on which our developers had more input than the BeyondTrust team. I would rate them a five out of ten.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
In the organization I'm in, we had CyberArk previously. We made the switch because there was an initiative to improve our stance on privileged access management, and the CyberArk solution that was deployed wasn't kept up to date. It was outdated and needed to be upgraded.
It was a real competition between CyberArk and BeyondTrust, and the company eventually chose to use BeyondTrust. Between CyberArk and BeyondTrust, there were no real big differences at the time. Both of them achieved whatever goals that we wanted, but it was really a cost factor. BeyondTrust was significantly cheaper than CyberArk at the time.
How was the initial setup?
We didn't deploy in the cloud. We deployed on-prem. It was a VM image that they provided to us. It was a huge factor that it was so quick to deploy, and they gave us that VM image. We went into VMware and created a space where we could deploy that image, and it was ready to go.
The initial setup was pretty straightforward. We needed their help a little bit, but for the most part, it was pretty straightforward. Their documentation was good at guiding us through. It mainly had the configure/next type of screens. So, it was a lot easier to implement and deploy.
In terms of duration, the server build wasn't very long. It took us a few weeks up to a month at the max. However, the actual implementation of getting the accounts in, identifying privileged accounts, and getting all those things sorted took roughly about a year and a half.
We didn't have to go through the migration strategy. So, it didn't apply to us. We have gone through an upgrade process with Password Safe. It was much more difficult than the actual setup. It wasn't as easy as we thought it would be. There were a lot of components. For example, the database required special scripts to be run against it. That was more complex than we'd like. As per my Ops teams, the biggest issue was some of the coordination with database teams because when the upgrades happened, there were some schema changes or custom changes on the database that had to be implemented. Coordinating these changes was a bit difficult, but application-wise, the solution itself wasn't very hard to upgrade.
What about the implementation team?
We used BeyondTrust and Optiv. Our experience was interesting because midway through, the BeyondTrust resource that we had either left or was let go, but we had continuity after that. Depending on who you talked to, it was mixed in terms of engagement.
For maintenance, we have a centralized identity management group that manages a solution, and then we have a database group that helps. Altogether, there are roughly about five resources to keep the solution up and running.
What was our ROI?
You see the value in it based on your data leakage and your ability to secure privileged access to the systems. I don't know if you see a real value right off the bat, but the biggest value you'll see is on your auditing side. After a year, during the audit, the audit team will see its benefits.
What's my experience with pricing, setup cost, and licensing?
At the time, BeyondTrust was significantly cheaper than CyberArk. Pricing-wise, if I remember correctly, it goes by assets. The pricing was negotiated for our instances based on the number of assets that we onboard into the system. It is a little different from CyberArk, where the pricing is by users. So, it depends. If you have a lot of assets, it can get very expensive.
Which other solutions did I evaluate?
We also evaluated the CA solution. The reason why the CA solution was immediately taken off the shelf was that a client was required on every desktop. That was one of the main reasons why the organization didn't want to go with that solution.
What other advice do I have?
The biggest lesson that I have learned from using this solution is that named accounts don't work well in this solution.
My advice would be to really understand your use cases. If you have use cases that are specifically for named access where your privileged access is not shared but it is named to specific users, then you might want to look at their Smart Rules capability and what it can do. If you're using a shared pool of administrative access and you're reusing privileged access from that shared pool, the solution beats everyone out there, hands down.
We haven't used the Team Passwords feature to securely store credentials owned by small groups outside of traditional privileged user roles. It came up afterward, and we haven't yet implemented it here. We also didn't try to customize anything because we try to go out of the box as much as possible.
I'd rate it an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Manager at a consultancy with 10,001+ employees
Has good reporting and Smart Rules
Pros and Cons
- "BeyondTrust Password Safe has good reporting and Smart Rules which makes it convenient. Though Smart Rules are convenient, those who do not have much experience with such things may find it difficult to understand how these things work. Otherwise, I find Smart Rules very convenient to work with."
- "There are multiple features that have issues, although they could be specific to our environment. What we have seen is that whenever a user gets added to the authentication store, the sync between Password Safe and the authentication store, which is generally easy, takes a lot of time. It does not occur immediately."
What is our primary use case?
We use BeyondTrust Password Safe for server and database management of the accounts noted. We will be moving ahead with application management as well.
What is most valuable?
BeyondTrust Password Safe has good reporting and Smart Rules which makes it easy. Though Smart Rules are easy, those who do not have much experience with such things may find it difficult to understand how it works. Otherwise, I find Smart Rules very easy to work with.
What needs improvement?
There are multiple features that have issues, although they could be specific to our environment. What we have seen is that whenever a user gets added to the authentication store, the sync between Password Safe and the authentication store, which is generally easy, takes a lot of time. It does not occur immediately.
This is persistent for Password Safe used by administrators who require immediate access. If immediate access is not possible, then access should be made possible at least within one hour or so. This does not happen in our environment. The access takes more than three to six hours to happen.
Whenever a new end user is provisioned for access, it would take twelve hours to twenty-four hours. Since they are end users, the time taken is fine. However, when we consider administrators, they might need access at different times. The three-hour time frame for the administrators in our environment is a lot of time.
For how long have I used the solution?
I have been using the solution for more than one and a half years.
What do I think about the stability of the solution?
I would rate the stability of this tool as seven out of ten because of the immediate access.
What do I think about the scalability of the solution?
The scalability is good and I would like to rate it eight out of ten. We have around 1200-1500 users.
How are customer service and support?
The support that we have from BeyondTrust is good.
How was the initial setup?
The setup for BeyondTrust Password Safe is not so easy, but it is not complex either. They have documentation available.
Which other solutions did I evaluate?
I had compared many vendors sometime back in 2019. The other vendors have either added new features or merged with others.
What other advice do I have?
I would rate the solution an eight out of ten. I would recommend it for monitoring.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Security Engineer at Protego Trust Bank
Good advanced auditing and forensic features but has crashed
Pros and Cons
- "It simplifies your compliance and tracking to benchmark other credentials and analytics."
- "It has crashed on us in the past."
What is our primary use case?
We use the solution as a password safe to keep the privileged credentials secret to make sure they aren't stolen or lost.
How has it helped my organization?
We don't have to remember passwords. It's automated. There is a rotation of privileged passwords, which keeps me from memorizing things.
What is most valuable?
I like that I don't have to memorize passwords. The whole process is fully automated.
Advanced auditing and forensic features are great.
It simplifies your compliance and tracking to benchmark other credentials and analytics.
The solution can scale.
What needs improvement?
Their support is not good.
The extensible API is the feature that I like to learn. However, we aren't using it at the moment.
It has crashed on us in the past.
For how long have I used the solution?
I've used the solution for about a year.
What do I think about the stability of the solution?
I'd rate stability six out of ten. It has crashed a couple of times on us.
What do I think about the scalability of the solution?
The solution can scale. I'd rate the scalability eight out of ten.
We have a user base of less than 250. We do not have plans to increase usage.
How are customer service and support?
We were down early Friday, and we tried to get a team to help us. It took a whole weekend. They need to be better at supporting and helping fix issues quickly.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
We previously had other solutions, including Tenable.
How was the initial setup?
I was not part of the initial setup process.
What's my experience with pricing, setup cost, and licensing?
We have a three-year license.
The pricing isn't part of my scope. I don't directly deal with licensing.
What other advice do I have?
We are using the latest version of the solution.
It's important to do a POC for over a month and negotiate on the pricing. There are other powerful tools that are out there that are easier to use.
Your deployment tends to involve other tools, so check its ability to integrate with them.
I'd rate the solution seven out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Sr Security Analyst at a tech services company with 51-200 employees
Supports screen recording and is user-friendly, but we should have more control over the appliance
Pros and Cons
- "Screen recording is valuable, and integration with applications is easy. We can customize whatever we want. We did a lot of application integration using scripting."
- "We don't have much control over the appliance. When anything happens in the backend, we have to depend on the support team. We need to raise a case so that they can update the appliance. If we have control over it, we would be able to troubleshoot easily."
What is our primary use case?
We deploy in client environments. It's not deployed in our environment. Generally, its deployment depends upon a client's environment. Sometimes, it's hybrid. Sometimes, it's on-prem, and sometimes, it's on a virtual hypervisor or VMware.
We are currently deploying it for one of our Indian clients. For this client, we are deploying SaaS-based Password Safe, which is purely on the cloud. They also have BeyondTrust Remote Support. We are integrating both of them. BeyondTrust Remote Support is for tech support for their teams, and Password Safe is for password rotation, screen recording, and monitoring of their employees.
How has it helped my organization?
It helps to automate password rotations and manage privileged accounts. If your employees are supposed to rotate passwords for some period of time but they are not doing that, you can automate that.
It provides ultimate security through automation and Smart Rules. You can enforce password policies and access policies. For example, you have local administrator accounts on local systems. If you didn't write any Smart Rules for the local administrators, any employee with administrator privilege can make an administrator account, but that account will not get detected in our system. With Smart Rules, Password Safe can detect that administrator account and onboard and manage that account through an automated process.
The database team of a client had scripted or hard-coded passwords for databases. We were able to use the API scripts provided with the BeyondTrust Password Safe to retrieve the passwords. The database team had already written a script for database login. So, anytime the database team wanted to log in using that script, the password was retrieved from BeyondTrust Password Safe vault.
They offer a jump server or terminal server where we can configure the databases or other applications. A lot of customers have in-house applications, and even products such as CyberArk or Saviynt CPAM do not provide connectors to those because they are not common. BeyondTrust provides some flexibility there for application integration. We can write our own scripts. We can do scripting in our way and integrate it with any application.
Its user interface is easy to use. I also work with other non-PAM solutions, such as SailPoint and Oracle, and as compared to those solutions, BeyondTrust has a very user-friendly interface, and everything is also very well documented.
What is most valuable?
Screen recording is valuable, and integration with applications is easy. We can customize whatever we want. We did a lot of application integration using scripting.
What needs improvement?
We don't have much control over the appliance. When anything happens in the backend, we have to depend on the support team. We need to raise a case so that they can update the appliance. If we have control over it, we would be able to troubleshoot easily.
They can improve application integration. They can provide out-of-the-box connectors for common applications so that we don't need to do the customization and write scripts from scratch for lots of applications. They can provide an application catalog with pre-configured connectors.
For how long have I used the solution?
It has been two and a half years.
What do I think about the stability of the solution?
It's pretty stable. From version 21 onward, it has been more stable.
What do I think about the scalability of the solution?
It's scalable. We can add as many active-active appliances. If the number of users of a client increases, we can increase the active-active appliances anytime.
One of our clients from the Middle East has a big environment with almost 55,000 users. That's our biggest client. There are also small-sized and medium-sized clients.
How are customer service and support?
Their support is pretty good. They are available for any issues. I would rate them an eight out of ten.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I used CyberArk and Saviynt CPAM, but BeyondTrust Password Safe is better than both of them. CyberArk is the leader, but BeyondTrust Password Safe can easily take the position of CyberArk.
BeyondTrust Password Safe provides flexibility for customized application integration. BeyondTrust also provides lots of other solutions for remote support and privilege management for Windows, Unix, and Linux. We can also manage Linux servers in the Active Directory domain by using BeyondTrust AD Bridge.
Saviynt also has good capabilities. They don't have a very mature product for privileged access management, but with IGA, they're providing privileged access management, which is a plus point for them.
How was the initial setup?
BeyondTrust provides a single appliance with everything we need to deploy in the cloud. Nowadays, they're providing UVM appliances, UVM20 and UVM50, which are user license-based. We just need to do network configuration and minimal appliance configuration, such as default settings, threshold settings, etc. Deployment is very quick and easy nowadays.
Generally, the deployment takes a week, but it also depends on a customer's requirements and environment, such as whether they have a high availability environment with two or three appliances, whether we need to open certain ports, and whether we need to integrate with a database for session recording storage. Configuration of a single appliance only takes one or two hours, but there could be some delay from the client side in taking care of all the dependencies, such as opening required ports. That's why we keep one week for deployment in our plan.
Our implementation strategy depends on the client's environment. It depends on how the client wants the environment and whether they want high availability.
I have not handled the process of migrating end-users to Password Safe, but a colleague of mine has handled migration from CyberArk to BeyondTrust Password Safe. It was not very difficult. They could easily do it.
What about the implementation team?
One person can do the deployment and administration of basic things for a mid-scale or small-scale client. It also depends on a client's requirements. If a client wants it done in a short time, we would need another consultant, but generally, one person can easily do these tasks.
What other advice do I have?
You can follow its documentation for implementation. BeyondTrust has documented everything very well. They have clearly mentioned the port requirements and system requirements. They have good training resources on their website. You can easily follow them.
I would rate BeyondTrust Password Safe a seven out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Senior Specialist at a financial services firm with 1,001-5,000 employees
Features integration with Active Directory and useful session recording, but appliance has limited capacity, and upgrade process needs improvement
Pros and Cons
- "The CI/CD and REST API are also satisfactory; the solution has a full PAM feature set and they all work well."
- "There is a limited capacity on the appliance, which I wasn't informed about when I purchased the product. I can have a maximum of 150 rules per appliance; any more than that and rule processing becomes very complex, especially regarding password revision. Hitting a capacity limit you don't know about can be problematic. Ideally, we would not have a limited capacity, allowing us to be in a completely managed state with password rotation for every service account, not just the highly privileged ones."
What is our primary use case?
I use Password Safe as a fully-fledged conventional PAM solution for SSH and RDP brokering to servers, whether that's Linux or Windows, as well as SQL and Oracle.
I also use the product to publish applications using a jump box server and as a vault for user credentials to provide normal use and REST API through CI/CD integration.
We have active and passive appliances and an offsite cold spare.
What is most valuable?
The RDP and SSH session recording is good. The associated UI is pretty straightforward, and Direct Connect is a good feature.
Integration with Active Directory is a handy feature.
The CI/CD and REST API are also satisfactory; the solution has a full PAM feature set and they all work well.
Password Safe is relatively straightforward to run.
We use PowerShell and Shell scripting using the solution's libraries. We also use the .NET library, where I worked with developers to create .NET extensions for use in solutions built in-house. We used the product's software development kit to develop plugins to some extent, and mainly we integrated with the REST API for our Azure-developed CI/CD pipeline. This capability is essential because DevSecOps becomes a requirement at some point. We're dealing with privileged accounts to do releases, which must be carefully managed and require password rotation. Thus, we need a source system for these release management pipelines to provide passwords, allowing the user to continue with the following deployment steps. Highly privileged accounts, by their nature, require regular password changes, which is a critical element in our DevOps.
What needs improvement?
I'm not too fond of the Smart Rules feature, mainly because too many features can cause complexity.
There is a limited capacity on the appliance, which I wasn't informed about when I purchased the product. I can have a maximum of 150 rules per appliance; any more than that and rule processing becomes very complex, especially regarding password revision. Hitting a capacity limit you don't know about can be problematic. Ideally, we would not have a limited capacity, allowing us to be in a completely managed state with password rotation for every service account, not just the highly privileged ones.
The solution does not indicate an issue, but when we hit the capacity limit, rules can become erratic, resulting in password resets during the middle of the day when they're in use. This can be an issue, especially as there is no performance counter so we can track how close we are to the limit, nor is there an indication of when we cross it. This is an element that could use a redesign.
Another feature that could be improved is the password rotation schedule; as a financial organization, that's very important to us. We sometimes require the maintenance window to be on a Saturday instead of during the week. The solution gives the option for the fifth day of the month, the tenth day of the month, the first day of the week etc., but not more specific. I want to be able to set the rule that password changes only happen on a Saturday, for example, and I can't do that.
To compensate, BeyondTrust tells us we can write scripts to set the password resets. This needs to be improved because it results in additional work for us, and they could fix the small scheduling gap in their product.
The MSA element of the solution is fine; there are no significant issues implementing MSA with the interface. However, the interface can be somewhat complicated for admins, though not for end users. Precisely, when troubleshooting user issues, we encountered strange errors. We needed to go into the appliance log to understand what was happening, and the UI needed to be more intuitive to help us.
We were late refreshing the UI, so it had pretty old components until about 2020, and we experienced browser issues. After 2020, the UI improved, but the look and feel of the application are still dated. I carried out POCs for CyberArk and SafeGuard, and both of their interfaces are much better than Password Safe's. I liken the solution to a Toyota; it's a good all-rounder, and it isn't bad though it has some issues.
We had an issue with the Team Passwords feature: the privilege concept needed to be improved. There was no differentiation between contributors of privileged information and the consumers of it. Additionally, until very recently, there was no REST API integration with Team Passwords, so we couldn't publish secrets using REST API. This could have been better, as it meant we needed a different team for CI/CD and Team Passwords, resulting in some cases of duplication.
For how long have I used the solution?
I've been using the solution for five years.
What do I think about the stability of the solution?
The solution is relatively stable, though the stability could be improved as we often encounter issues of various kinds. As such, the tool requires a large team to manage it and stay on top of any problems that occur.
How are customer service and support?
My experience with customer support has been mixed; the US and UK teams are the best, while the others could have been better. The US and UK support staff are highly professional people who seem very close to the developers and have excellent knowledge of their products.
Some of our cases took up to four months to resolve because there is a difference between Password Safe, the software layer, and the UVM appliance layer, which BeyondTrust essentially treats as a separate product. There have been some significant problems with the UVM appliance layer, especially compared to Password Safe. The latter has some specific issues, but they are usually quick to resolve, whereas, with UVM, we can hit a dead end, even with support.
How would you rate customer service and support?
Positive
What was our ROI?
ROI is tough to measure, as the solution isn't generating profit. We implemented automation with CI/CD, reducing human effort and saving time on previously manual tasks. I can't tell if this has yielded an ROI, but we achieved a target in that we are more secure, our highly privileged accounts are rotated etc.
What other advice do I have?
I rate the solution a six out of ten.
The earliest version of the solution's interface could have been more intuitive, and we sometimes experienced issues with request check-ins and check-outs. However, the recent introduction of the Team Password feature allows users to collaborate and share passwords within a managed team. Some elements of this feature lagged in our first few weeks with it.
We used some of the solution's customization features, and it works fine; however, we had some significant issues when doing Discovery Scans. We encountered strange errors, especially on custom platforms, and it took a lot of work to understand the problems. As a result, we stepped away from customization as the issues around Discovery became extremely hard to deal with for us.
We saw the benefits of using the solution very quickly, especially for the more basic elements at the beginning of the implementation. By targeting highly privileged accounts in the first round through the Active Directory, those can be up and running in two weeks maximum. The more complex and detailed configuration becomes, whether with discovery, dependency, or multiple-layer applications, the time to value increases correspondingly.
I advise potential users to stay manageable and not try to do everything simultaneously. Build slowly and keep an eye on the capacity; only deploy with one appliance, or you are destined to fail and will run out of capacity fast. It's better to refresh the UVM appliance version every two to three years with a new image and migrate rather than upgrade because upgrading is the worst part of this product. It'll cost money to keep migrating to newer appliances, but it's worth it to avoid the experience of upgrading.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Data warehouse cubes on the backend give us the ultimate visibility into our assets
What is our primary use case?
BeyondTrust replaced the leading password management solution, offered vulnerability management and gave me a third-party patch management that integrates with Microsoft. To me, that was a win-win.
How has it helped my organization?
It improved our overall return on investment by at least two-fold and gave us more intelligence on our assets than we expected.
What is most valuable?
The sharing of intelligence gathered by scanning, and data warehouse cubes on the backend that give us the ultimate visibility into our assets.
What needs improvement?
I would love if they integrated Bomgar's SSO with BeyondTrust for the session recording that we use for vendors.
For how long have I used the solution?
Less than one year.
What do I think about the stability of the solution?
It has no problems. It's very flexible.
What do I think about the scalability of the solution?
It will scale and has a built-in capability to augment expansion via external databases.
How are customer service and technical support?
Support has been very very good.
Which solution did I use previously and why did I switch?
We used CyberArk, and we found for an SMB that the product required more FTEs than we could handle. CyberArk is really meant for 100K FTE enterprises and requires a serious.
How was the initial setup?
It is a complex product that has a lot of capabilities and does take some learning. They recommend taking their foundations class to understand and get the most out of the product.
What about the implementation team?
Very good. (A-, or B++).
What was our ROI?
Good
What's my experience with pricing, setup cost, and licensing?
Talk to references, look at Gartner and the positive and negative comments. BeyondTrust has the least negative comments of all the products and ties vulnerability management, scanning, password management, session recording, inventory management, intelligence gathering on attached assets. And when you look at all this together and price out separate options, the TCO is easy to justify.
Which other solutions did I evaluate?
CyberArk's password safe.
What other advice do I have?
It is a steep learning curve, but once automated, it makes your life a lot easier.
Which deployment model are you using for this solution?
Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Associate Security Engineer at a security firm with 11-50 employees
Good performance, a nice user interface, and responsive support
Pros and Cons
- "The performance is good."
- "We'd like to have incremental backups to ensure the solution's information is protected regularly."
What is our primary use case?
We primarily use the solution to keep passwords.
What is most valuable?
The solution offers session monitoring and has a good connection profile. It directs users to specific commands that our organization needs.
The user interface is very nice.
The performance is good. It does depend on how much you are giving to the appliance; however, we've never had any issues.
It's quite interactive.
It's stable.
The solution can scale.
Technical support is helpful and responsive.
What needs improvement?
We'd like to have incremental backups to ensure the solution's information is protected regularly.
For how long have I used the solution?
I've been using the solution for three and a half years.
What do I think about the stability of the solution?
The solution is stable, and the performance is good. There are no bugs or glitches. It doesn't crash or freeze. It's a very mature solution.
What do I think about the scalability of the solution?
The solution scales well. I'd rate the ability to scale eight or nine out of ten. We've seen that customers have 120 or 130 users, and they are using it as active-passive. They can also convert it to active-active, and it's fine. It can support more users as well. They can go up to 150 or 155 with no issue.
Depending on the use case and the willingness of the customer, it can work well for a wide variety of companies, from small to large, including enterprises that can easily buy and implement it.
How are customer service and support?
I've dealt with technical support in the past, and they are quite good. When I had a critical case, they were available within half an hour.
Which solution did I use previously and why did I switch?
I am working with another solution. I've found other options aren't as stable.
How was the initial setup?
The implementation process is quite simple. I'm using it on-premises; however, they also provide a cloud version.
Having the prerequisites ready is necessary as it does require those for the service account, and often customers don't have that ready.
What about the implementation team?
We can implement the solution for our clients.
What's my experience with pricing, setup cost, and licensing?
I'm not aware of the exact pricing.
Which other solutions did I evaluate?
I have not compared the solution to other options. This is quite an exceptional solution, and I've been happy with the products.
What other advice do I have?
We are partners.
I'd rate the solution eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Buyer's Guide
Download our free BeyondTrust Password Safe Report and get advice and tips from experienced pros
sharing their opinions.
Updated: December 2024
UPDATE: Since I posted this almost a year ago, BeyondTrust has decided to remove their scanning solution from their UVM (Unified Vulnerability Management) appliance. At the end of 2019 BeyondTrust announced that they will EOL their integrated scanner (12/31/2020).
This single move has removed the benefit that BeyondTrust brought to the table, wiping out any economies of scale that justified the ROI and TCO benefit of an integrated Unified Vulnerability Management solution.
This now turns their UVM into just a Password management solution. Which is still better than CyberArk, but now lacks the additional benefit of intelligence gathering.
To make matters worse, BeyondTrust has decided to partner with Tenable to provide the replacement vulnerability scanning solution. When asked what other integrations they had besides Tenable, there was no answer. Clearly some deal was cut with no thought to their customers or their customers' experience with Tenable.
Without a scanning solution, the visibility of the assets is now questionable. Where I once viewed them as a visionary and leader, it seems that the executives are reverting to their safe desks and not providing the vision necessary to stay ahead of the pack.
Unfortunately, due to BeyondTrust's change in direction, their ROI is now questionable and now has to be re-thought.
The final straw was their overt push for their customers to use Tenable as a replacement for their EOL vulnerability scanner.
All I can say is that for me BeyondTrust's value has diminished tremendously due to their decision to remove themselves from the vulnerability market. I have also lost trust in BeyondTrust to listen to their customers' needs to address our challenges.