BeyondTrust Password Safe Reviews

I use Password Safe as a fully-fledged conventional PAM solution; for SSH and RDP brokering to servers, whether that's Linux or Windows, as well as SQL and Oracle.

I also use the product to publish applications using a jump box server and as a vault for user credentials to provide normal use and REST API through CI/CD integration.

We have active and passive appliances and an offsite cold spare.

The RDP and SSH session recording is good. The associated UI is  pretty straightforward, and Direct Connect is a good feature.

Integration with Active Directory is a handy feature. 

The CI/CD and REST API are also satisfactory; the solution has a full PAM feature set and they all work well. 

Password Safe is relatively straightforward to run. 

We use PowerShell and Shell scripting using the solution's libraries. We also use the .NET library, where I worked with developers to create .NET extensions for use in solutions built in-house. We used the product's software development kit to develop plugins to some extent, and mainly we integrated with the REST API for our Azure-developed CI/CD pipeline. This capability is essential because DevSecOps becomes a requirement at some point. We're dealing with privileged accounts to do releases, which must be carefully managed and require password rotation. Thus, we need a source system for these release management pipelines to provide passwords, allowing the user to continue with the following deployment steps. Highly privileged accounts, by their nature, require regular password changes, which is a critical element in our DevOps.

I'm not too fond of the Smart Rules feature, mainly because too many features can cause complexity.

There is a limited capacity on the appliance, which I wasn't informed about when I purchased the product. I can have a maximum of 150 rules per appliance; any more than that and rule processing becomes very complex, especially regarding password revision. Hitting a capacity limit you don't know about can be problematic. Ideally, we would not have a limited capacity, allowing us to be in a completely managed state with password rotation for every service account, not just the highly privileged ones.

The solution does not indicate an issue, but when we hit the capacity limit, rules can become erratic, resulting in password resets during the middle of the day when they're in use. This can be an issue, especially as there is no performance counter so we can track how close we are to the limit, nor is there an indication of when we cross it. This is an element that could use a redesign.

Another feature that could be improved is the password rotation schedule; as a financial organization, that's very important to us. We sometimes require the maintenance window to be on a Saturday instead of during the week. The solution gives the option for the fifth day of the month, the tenth day of the month, the first day of the week etc., but not more specific. I want to be able to set the rule that password changes only happen on a Saturday, for example, and I can't do that.

To compensate, BeyondTrust tells us we can write scripts to set the password resets. This needs to be improved because it results in additional work for us, and they could fix the small scheduling gap in their product.

The MSA element of the solution is fine; there are no significant issues implementing MSA with the interface. However, the interface can be somewhat complicated for admins, though not for end users. Precisely, when troubleshooting user issues, we encountered strange errors. We needed to go into the appliance log to understand what was happening, and the UI needed to be more intuitive to help us.

We were late refreshing the UI, so it had pretty old components until about 2020, and we experienced browser issues. After 2020, the UI improved, but the look and feel of the application are still dated. I carried out POCs for CyberArk and SafeGuard, and both of their interfaces are much better than Password Safe's. I liken the solution to a Toyota; it's a good all-rounder, and it isn't bad though it has some issues.

We had an issue with the Team Passwords feature: the privilege concept needed to be improved. There was no differentiation between contributors of privileged information and the consumers of it. Additionally, until very recently, there was no REST API integration with Team Passwords, so we couldn't publish secrets using REST API. This could have been better, as it meant we needed a different team for CI/CD and Team Passwords, resulting in some cases of duplication.

I've been using the solution for five years. 

The solution is relatively stable, though the stability could be improved as we often encounter issues of various kinds. As such, the tool requires a large team to manage it and stay on top of any problems that occur.

My experience with customer support has been mixed; the US and UK teams are the best, while the others could have been better. The UK and UK support staff are highly professional people who seem very close to the developers and have excellent knowledge of their products.

Some of our cases took up to four months to resolve because there is a difference between Password Safe, the software layer, and the UVM appliance layer, which BeyondTrust essentially treats as a separate product. There have been some significant problems with the UVM appliance layer, especially compared to Password Safe. The latter has some specific issues, but they are usually quick to resolve, whereas, with UVM, we can hit a dead end, even with support.

Positive

ROI is tough to measure, as the solution isn't generating profit. We implemented automation with CI/CD, reducing human effort and saving time on previously manual tasks. I can't tell if this has yielded an ROI, but we achieved a target in that we are more secure, our highly privileged accounts are rotated etc.

I rate the solution a six out of ten. 

The earliest version of the solution's interface could have been more intuitive, and we sometimes experienced issues with request check-ins and check-outs. However, the recent introduction of the Team Password feature allows users to collaborate and share passwords within a managed team. Some elements of this feature lagged in our first few weeks with it.

We used some of the solution's customization features, and it works fine; however, we had some significant issues when doing Discovery Scans. We encountered strange errors, especially on custom platforms, and it took a lot of work to understand the problems. As a result, we stepped away from customization as the issues around Discovery became extremely hard to deal with for us. 

We saw the benefits of using the solution very quickly, especially for the more basic elements at the beginning of the implementation. By targeting highly privileged accounts in the first round through the Active Directory, those can be up and running in two weeks maximum. The more complex and detailed configuration becomes, whether with discovery, dependency, or multiple-layer applications, the time to value increases correspondingly. 

I advise potential users to stay manageable and not try to do everything simultaneously. Build slowly and keep an eye on the capacity; only deploy with one appliance, or you are destined to fail and will run out of capacity fast. It's better to refresh the UVM appliance version every two to three years with a new image and migrate rather than upgrade because upgrading is the worst part of this product. It'll cost money to keep migrating to newer appliances, but it's worth it to avoid the experience of upgrading.

On-premises

Typically, we would allow users to connect with their regular user ID, a non-privileged user account, and automatically connect to a designated privileged account managed by BeyondTrust. This account would be onboarded to target systems or databases, preventing users from using their user account as a privileged account. Instead, it would act as a surrogate, using only a managed, dedicated account the user could access.

The platform's most valuable feature is its architecture capabilities, which allow for creating and supporting high availability and failover through designated server components.

The initial server implementation tasks could be easier to process. 

I have been working with BeyondTrust Password Safe for four years.

While some initial server implementation tasks may appear to hang, they are simply processes communicating with each other. 

Overall, the solution is very stable and intuitive.

Thousands of users were utilizing the product across our sites. I rate the scalability a nine and a half out of ten. 

The technical support and customer services are phenomenal. There were instances when we experienced outages during scheduled updates in the middle of the night. On one occasion, an update hung, and we couldn't resolve it. We got technical support that night, which was extremely impressive.

Positive

The initial setup is very straightforward if you understand network architecture. 

Once all the documentation was created, the deployment took about two to three days per site. As the security architect, I was responsible for the documentation, while another team member typically handled the actual implementation. I did step in to handle some implementations myself when one team member had an emergency.

It requires maintenance, typically a weekly manual process or monitoring updates. While most updates can be done automatically, some require manual triggering. One person per site handles the weekly updates, though one person could manage all five sites.

The task of managing the updates is relatively low-level and is often assigned to newer team members. I created very detailed documentation, so they needed to log in, follow the instructions, and let the processes occur. The most time-consuming aspect is waiting for the update processes to complete, which occurs only once a month or every two weeks.

Four team members were involved in the deployment because we managed five separate international locations.

I rate BeyondTrust Password Safe a nine out of ten. 

Our use case was allowing users to connect with their regular, non-privileged user ID and automatically connect to a designated privileged account for target systems or databases. This prevented users from using their regular account as a privileged account. Instead, it used a managed, dedicated account in BeyondTrust Password Safe that only that the user could use. For example, my account "Gary.Jolley" might have a domain admin account "dam-Gary.Jolley" that I'd automatically connect to.

The most valuable feature is the architecture capabilities, which allow designated server components for high availability and failover. It works well with identity and access management solutions, allowing users to be automatically onboarded and offboarded. The account mapping feature makes rollout seamless. The session monitoring capabilities are excellent, with keystroke and graphical monitoring. This enhanced our security posture by providing detailed accounts of user actions. It helped us pass our SOX audits.

The only improvement I could suggest would be standardizing documentation, but that's more the responsibility of the implementing engineer rather than BeyondTrust Password Trust itself. The documentation must be specific and narrow for implementation, not just broad guidelines.

I have been using the product for four years. 

BeyondTrust Password Safe is incredibly stable. During initial server implementation, some processes might appear to hang, but they're actually communicating with each other. It's very intuitive.

On a scale of one to ten, I'd rate the scalability as nine and a half. BeyondTrust Password Safe's scalability allows different roles and strategically placed servers for better failover. We had thousands of end users across our sites.

The technical support is phenomenal. They were available even for middle-of-the-night outages during scheduled updates.

Positive

BeyondTrust Password Trust's main advantage is its network architecture implementation. It's similar to CyberArk, but CyberArk has some features, like privileged threat analytics, that the solution doesn't.

The initial setup is straightforward if you understand network architecture. Four people helped with deployment across five international locations, taking about two to three days per site after documentation was created. It requires weekly maintenance, which can mostly be done automatically, but some updates need manual triggering. One person could maintain all five sites, and we often assigned this task to new employees as the process was well-documented.

The use case was to integrate BeyondTrust with the organization and onboard servers and accounts. We created Smart Rules and used other features for automatic onboarding and integrating BeyondTrust with various components in the organization, such as SNMP, SIEM, and AD.

It reduces risks. Beyond Password Safe manages all privileged credentials. It takes care of the automatic rotation and connection to the target servers. It reduces a lot of risks of cyber attacks, malware, and ransomware.

It is very important to us that Password Safe provides integrated password and session management in one solution.

Its customization features help us to manage most assets, databases, and applications. With the plugins and customization features, we can connect to databases. We can also connect to Windows and Linux. When I worked with it in 2018, we also had to use one of the plugins to connect to a mainframe. It supports a lot of different platform connections.

The Direct Connect feature allows us to use existing tools such as MobaXterm, PuTTY, or SecureCRT. There is a feature that power users can use to connect to the log server every day. This way, they don't have to go through the web portal. They can just connect to their target server by using MobaXterm, PuTTY, or SecureCRT.

Smart Rules is a nice feature in BeyondTrust. It is a unique feature that BeyondTrust has as compared to other vendors such as CyberArk. With Smart Rules, you can do automatic onboarding of accounts. There are a lot of options and features. For example, you can do onboarding based on different AD attributes. It is a nice feature in BeyondTrust that some of the other PAM vendors don't have. With other vendors, we have to create our own scripts, whereas, with BeyondTrust, we can just use the in-built Smart Rules.

In terms of the intuitiveness of the user interface, I find it to be pretty good as compared to the other products. It is user-friendly, and in terms of the looks and feel, it is one of the better ones.

I find it a little bit confusing because you have the management console, and then within the management console, you have access to different admin consoles. There are probably two or three different ones. I wish they would place all those different types of consoles into one main one so that we don't have to access two or three different consoles to do the work.

When we deploy BeyondTrust, we have to deploy our own database on a SQL server. It doesn't deploy the database. I wish BeyondTrust packages the whole solution in one and includes the MySQL database so that when you deploy it, it deploys everything for you. BeyondTrust gives you the software, but you are in charge of setting up your own database. It is a single appliance just for the BeyondTrust portion but not the database. Unless that has changed in later releases, you have to set up your own database for BeyondTrust Password Safe. I find that part complex because we then need the expertise and help of the database team to set it up, which also increases the deployment time. If they can deploy the database, it will reduce the deployment time.

Their documentation is not very detailed and thorough. In case of any issues, a lot of times, we have to go through their professional service. They need to update their documentation and create a good knowledge base for us so that when we run into problems, we can go there and search for common issues or problems.

I have been working with this solution for about three years. I have used it on and off depending on the companies I worked for.

It is average because we did have issues with some parts of the solution.

Its scalability is good. It is very scalable. We didn't have too many users because we switched over to CyberArk after two years, but the plan was for 500 end users.

We don't have plans to increase its usage because we switched over to Cyborg earlier this year.

Their documentation is not very detailed. A lot of time, we have to go through their professional service. We do get really good people, but they should provide more and better documentation and knowledge base so that we can solve a lot of issues on our own instead of going through their professional service.

Their professional service or technical support is very good. When we opened a case, sometimes, they answered within a day, and sometimes, it took five days before someone answered the ticket, but when we do get someone, in general, I found most of them to be very good. I would rate them an eight out of ten.

Positive

We didn't use any other solution before BeyondTrust, but we recently switched over to CyberArk.

The process of migrating end users to Password Safe varies from organization to organization, but overall, if you have all the proper workflows, it isn't difficult. With PAM, half of the work is related to processes and policies, and the other half is related to technology. In terms of the technology, I found it to be pretty straightforward, but you need to have all the policies defined in advance.

It wasn't too difficult for us to integrate Session Management into existing business processes. You have to provide the connection strings. The difficulty level was average.

I was the integrator for one of the projects. As a part of their purchase, they also got a certain amount of hours of professional services from BeyondTrust.

We had a team of about five people for its deployment and maintenance. There were two DevOps and two BeyondTrust admins.

We didn't see a return on our investment.

The pricing of BeyondTrust is very good as compared to other products. That was the main reason we decided to go with BeyondTrust at first.

I wasn't involved in its procurement. They had to go through their due diligence. They probably had four PAM vendors, and they went through their procurement process.

Functionality-wise, it works. Everything works well, especially with using Smart Rules. There is a big learning curve to deploying and maintaining it because when you buy this solution, it doesn't come with a Password Safe database. You have to deploy that yourself. If they can package a database with Password Safe, it would be better and more user-friendly. It will cut down the deployment time. They should also improve their documentation, knowledge base, and support on their website. There is not a lot of good information.

I would rate it a six out of ten.

We use the solution as a password safe to keep the privileged credentials secret to make sure they aren't stolen or lost.

We don't have to remember passwords. It's automated. There is a rotation of privileged passwords, which keeps me from memorizing things. 

I like that I don't have to memorize passwords. The whole process is fully automated.

Advanced auditing and forensic features are great.

It simplifies your compliance and tracking to benchmark other credentials and analytics.

The solution can scale.

Their support is not good.

The extensible API is the feature that I like to learn. However, we aren't using it at the moment. 

It has crashed on us in the past.

I've used the solution for about a year.

I'd rate stability six out of ten. It has crashed a couple of times on us.

The solution can scale. I'd rate the scalability eight out of ten. 

We have a user base of less than 250. We do not have plans to increase usage. 

We were down early Friday, and we tried to get a team to help us. It took a whole weekend. They need to be better at supporting and helping fix issues quickly.

Neutral

We previously had other solutions, including Tenable. 

I was not part of the initial setup process. 

We have a three-year license.

The pricing isn't part of my scope. I don't directly deal with licensing.  

We are using the latest version of the solution. 

It's important to do a POC for over a month and negotiate on the pricing. There are other powerful tools that are out there that are easier to use.

Your deployment tends to involve other tools, so check its ability to integrate with them.

I'd rate the solution seven out of ten. 

On-premises

We primarily use the solution to keep passwords.

The solution offers session monitoring and has a good connection profile. It directs users to specific commands that our organization needs.

The user interface is very nice.

The performance is good. It does depend on how much you are giving to the appliance, however, we've never had any issues.

It's quite interactive.

It's stable.

The solution can scale.

Technical support is helpful and responsive.

We'd like to have incremental backups to ensure the solution's information is protected regularly.

I've been using the solution for three and a half years. 

The solution is stable, and the performance is good. There are no bugs or glitches. It doesn't crash or freeze. It's a very mature solution. 

The solution scales well. I'd rate the ability to scale eight or nine out of ten. We've seen that customers have 120 or 130 users, and they are using it as active-passive. They can also convert it to active-active, and it's fine. It can support more users as well. They can go up the 150 or 155 with no issue. 

Depending on the use case and the willingness of the customer, it can work well for a wide variety of companies, from small to large, including enterprises that can easily buy and implement it. 

I've dealt with technical support in the past, and they are quite good. When I had a critical case, they were available within half an hour. 

I am working with another solution. I've found other options aren't as stable. 

The implementation process is quite simple. I'm using it on-premies, however, they also provide a cloud version.

Having the prerequisites ready in necessary as it does require those for the service account, and often customers don't have that ready. 

We can implement the solution for our clients. 

I'm not aware of the exact pricing.

I have not compared the solution to other options. This is quite an exceptional solution, and I've been happy with the products.

We are partners. 

I'd rate the solution eight out of ten. 

On-premises

The use cases are essentially the same as those for any PAM solution. Like addressing security compliance, securing the network against threats, and protecting all identities with intelligence and minimal concerns.

It also includes cloud security management, handling different shifts, and addressing workforce access, passwords, and the likes of compiance. It simplifies analytics, reporting, and secret implementation.

Additionally, it reduces servers while increasing stability in privileged access. These are the general use cases that apply to all PAM solutions.

BeyondTrust Password Safe provides proper security for your network. Its primary feature is identity governance. It allows you to manage your users effectively and implement robust governance. The solution includes reporting, which aligns with the National Security standard and enhances cybersecurity resilience.

This protection safeguards against attacks. When discussing the management of essentials post-classification, BeyondTrust Password Safe also assists with this. It plays a critical role in preventing cyber identity theft. Without BeyondTrust Password Safe, your system is more susceptible to identity theft. It's an all-encompassing solution that significantly reduces such risks.

BeyondTrust Password Safe is specifically designed to limit cyber identity theft. It's highly effective in preventing incidents of identity theft.

It is very easy to deploy. It's easy to use. That's the major thing I like about it.

The pricing is not cheap, but it could be better.

I'm familiar with BeyondTrust. I have been with it for around a year.

The stability is perfect.

It is highly scalable.

The technical support is very good.

I'm familiar with both BeyondTrust and Password Safe. It's actually a Privileged Access Management (PAM) solution. It is a good competitor to Deliena, One Identity, and WALLIX.

It is very easy to set up. It is very easy to deploy. Depending on the environment, it can be deployed quickly. So it's very good. I like it.

The deployment model depends on the customers.

The pricing is nice. It is a yearly basis license. I would rate the pricing a seven out of ten, where one is cheap and ten is expensive.

I would recommend using this solution. Overall, I would rate the solution an eight out of ten.

We are using it for vaulting and proxying the admin session. It is not yet implemented. We will implement it at the beginning of 2021.

Session recording, password rotation, and password vaulting are the most valuable features.

Its documentation can be improved. Its documentation is currently complicated, and it is not good. It needs to be better.

Their technical support can also be improved. It is not bad, but it can be better.

Its stability is pretty good.

It is very scalable. We started with three different sites to implement this product, and we, for sure, will implement it for the fourth site. It is easy to install any kind of component inside this environment.

Their technical support is not that bad, but it can be improved.

I use CyberArk and BeyondTrust. In terms of functionality and how they work, they are pretty close, but I prefer BeyondTrust. For vaulting, I like CyberArk a little bit more. For all other things, such as session recording and proxy, I like how BeyondTrust works. To proxy a session on Linux or Unix with CyberArk, you need to create an account each time on the remote site or the device to which you want to connect. BeyondTrust is different. You use a Windows machine, so you can connect with an AD account. It could be a functional account, a privilege account, or any other kind of account, but you use the same account instead of using a new one each time. Monitoring or auditing is easier with BeyondTrust than CyberArk. BeyondTrust is three times less expensive than CyberArk. 

It is complex, but it is not only about the product. You need to have good governance and guidelines for password management and session recording and for proxying all those sessions. The process before implementing the product involves more work than setting up the application. It took us one year to design and do some testing in a non-prod environment. We will start the projects and deployment at the beginning of 2021.

It has subscription-based licensing. BeyondTrust is three times less expensive than CyberArk.

You need to be very clear about how to implement vaulting or the session recording mechanism. If you don't go with an external partner to help you with that, it can very difficult to have a solid implementation of such solutions, whether it is CyberArk, Thycotic, BeyondTrust, or any other solution. Just because you installed these solutions doesn't mean that they would resolve 100% of your work. You need to have some processes for such applications, and you need to do some homework first. With the help of an external consulting company that knows how to implement such solutions, you can progress very fast.

I would rate BeyondTrust Password Safe an eight out of ten.

On-premises