BeyondTrust Privileged Remote Access Reviews

Initially, we had a different VPN set up for our external vendors, and working for a pharmaceutical company, we had a lot of equipment vendors telecommuting in to do maintenance on the equipment. Using BeyondTrust PRA streamlined this process; it made it easy for us to manage and distribute the proper certificates and assign privileges to all external users. If one of the remote parties got a new employee, we would set up an access account using their name, providing the same permissions as their coworkers to manage parts of our infrastructure. This was an excellent addition to our company and alleviated a lot of pressure from our support staff.

We signed a contract with a new IT management firm that took over our IT support. That's 300 new employees that needed access to the right groups, et cetera. It took just one day to create the 300 accounts and assign them to the proper teams. PRA streamlines the onboarding process, even for large groups of new remote helpers, setting up the correct templates, having the Discovery in place, and assigning and revoking access.

We like the integration with Active Directory. It allows us to discover the endpoints and user accounts that need protection. It's a good way of securing our privileged access.

Another feature I like is the approach to jump points. Jump points are the external-facing proxies, which use the same outbound HTTPS connection method as the jump client but allow the initiation of RDP connections, et cetera, into the downstream networks. This feature was the key selling point for us in choosing BeyondTrust PRA. 

The security provided by the solution regarding remote and privileged access is about as good as we can get without completely locking down permissions. Going with PRA is the best step if a client is looking to lock down administrative access with a remote solution while applying the principle of least privilege. 

We used the solution's Vault to add not just service accounts but also the users' main administrative accounts discovered through Active Directory. We limited permissions, so users couldn't even review their account passwords. This was managed in the Vault and injected into each session. 

Compared to other products, PRA is one of the better ones. We need to start the discovery manually, but it's comprehensive and clear. It allows us to select what to import and has the automation behind it to manage endpoints and accounts, which is a valuable feature for any enterprise business.

The physical solution wasn't as important to us; our architecture strategy was SaaS first, virtual later. If BeyondTrust didn't have a SaaS offering, we would look at availability to install it in one of the public cloud offerings on the market. Having the SaaS option available, especially for medium-sized businesses, is very much something that gives BeyondTrust an edge in the market. 

The solution improved our network security. Especially regarding remote vendors, it allowed us to complete our network segregation goals. We could close down all external access to that network and leverage PRA as the single entry point. 

Not needing to share passwords is essential to us. We have peace of mind knowing nobody can view passwords, share credentials, and operate outside their defined context within the network unless they have explicit permissions. That helps us sleep at night.  

Previously, third parties had VPN access, and it was important for us to shut that down. Now that the entry point is closed, there is only one dimension for us to consider; which vendor has access to what. This makes management and the general security picture clearer.  

SSO authentication was one of our main requirements, so that integration was crucial. It allows us to provide quick access to the tool itself using the same credentials. 

The solution stands above its competitors in this regard. Using the team functionality allows us to create groups of users with a team leader who can monitor those sessions. This functionality works great, and PRA is at the top of the spectrum here. Having somebody at a physical station and someone remotely accessing the station works very well, especially for training purposes. The recording functionality is another nice feature; the video view is small but can be expanded to a larger view. 

The integration client, backup solution, and SSO setup and provisioning could be improved. There isn't any documented or supported user provisioning currently, which slows down the processes of onboarding and assigning permissions. I would like to see this improved soon.

The Vault could use some attention, specifically in managing named administrative accounts. I have to assign permissions to my named admin account during sessions manually, but I think that should be the default. Admin account permissions could use some more automation and be adjusted to be more user-centric.

BeyondTrust could improve text-based auditing; it's not very readable. I can get the details through the jump client and other tools, but if I run a simple PowerShell command, the solution generates multiple lines for that specific session in the text audit, which doesn't make sense.

I was the lead implementer for the solution for one of my clients, a global pharmaceutical company. The project took over a year, and I used the product for another six months as both an end user and an admin before leaving that job. I used the solution for almost two years in total.

The solution never let me down during the entire implementation; though the integration client was the opposite, I was never satisfied with it. I recall some stability issues stemming from significant database actions that slowed down the system. There was also a bug that took both our team and the BeyondTrust team three business days to resolve, which didn't help with our impression of the tool.

I would say the SaaS offering isn't particularly scalable. The more endpoints we added, the more sluggish the tool became. However, BeyondTrust's high availability approach offers much better scalability on the backend side, and endpoints with added jump points can be clustered for higher availability. The sky is the limit by improving the database size and storage at the backend.

We had over 600 total users; mostly IT support and admin teams. There were also 10 to 20 vendors each with three to ten users that used the tool to remotely manage equipment. 

The product is used daily by a large number of users simultaneously. Before I left the company, the highest number of concurrent sessions I saw was 25. If I had to estimate, I would say PRA is used for over 300 sessions daily with the same number of users.

I would like to differentiate the implementation team and the technical support as they are two separate entities. The implementation team could improve how they guide the customer through the process. The technical support staff are knowledgeable and do everything they can to help, but they aren't the easiest to reach. They don't do user-to-user sessions, and the only way to reach them is through tickets. There is a chat function, but that's more for gleaning more details of the issue; I often just wanted to pick up the phone and ask someone a question or explain my problem to them. BeyondTrust's documentation appears to be aimed more toward executives than technicians, and that doesn't help the situation either.

This may have been specific to how we wanted to implement the solution, but a lot of technical information was missing. It took some back and forth through the ticket system to finally get that information via a member of support staff doing a screen-sharing session. Screen sharing is much more effective than only having a text chat, but it took too long for us to get there.

I would still give them a seven out of ten because they're very knowledgeable and do everything they can to help. The support system is impersonal; especially when we were starting out, that personal touch makes all the difference. Ultimately, this is about the security of our organization; we don't want to go back and forth with bots and tickets before finally reaching a member of staff who can help us.

Neutral

The initial setup was complex because we didn't know precisely what we wanted to achieve and neither did BeyondTrust, and the communication between us wasn't the best. It took a while for us to realize what we wanted to achieve, how the solution could deliver that, and in what configuration, and they could have helped us out more with that. It isn't easy to fill out the integration sheet; it requires a fair amount of product knowledge.

It took us six months to understand the basics and set up the tool according to our requirements. It took another six months to get the implementation going. That is partly because the pharmaceutical company required the solution to be qualified. That process took time because BeyondTrust didn't have much relevant documentation; we had to write much of it ourselves.

Deployment can be completed with one engineer and one server admin, with the latter deploying the clients and jump points. Once we understood the basic principles of the product, it became straightforward to implement. BeyondTrust could better convey that to new customers unfamiliar with their solution. A dedicated team of three to four staff is sufficient for deploying and maintaining the solution for an enterprise business.

I wasn't directly involved in the licensing and pricing, but I can say that PRA is licensed per endpoint added to the Vault. I would advise users to take frequent exports of their license usage package; it's a simple feature that provides a spreadsheet of every machine in the Vault. This helps to cut down on duplicate licenses, which can happen by adding the same endpoint using an IP address and a fully qualified domain name, for instance.

The implementation is an additional cost, and they offer several tiers, so the price varies. There are also some optional add-ons, so I would advise people to research the product well and find out precisely what they need regarding features. The Advanced Web Access add-on provides some required functionality when interfacing with websites; that's one to consider.

We reviewed two other vendors: CyberArk and Devolutions, but we eventually went with BeyondTrust for several reasons. Devolutions fell off quickly because it's too small, which is a risk. We liked the approach of operating over an outbound HTTPS connection to the SaaS appliance, which was more of a security benefit for us than the CyberArk solution, so we went with PRA.

I would rate this solution an eight out of ten. 

I would advise potential customers to have an excellent understanding of their requirements and what their landscape will look like five years down the line. Consider if the SaaS offering is appropriate, as I understand switching to a self-hosted instance isn't a straightforward process, so it's essential to plan.

If I need a privileged remote access solution in my future endeavors, BeyondTrust's offering will be my go-to, and I recommend it for any size of business.

We went with the SaaS version of the solution and had some regrets about that. Pharmaceutical companies must comply with a host of rules and regulations, and one of the requirements was to keep recordings of every session for over 90 days. The SaaS solution's storage did not meet our needs in a large enterprise environment. We had to use a third-party backup tool provided by BeyondTrust to download sessions to our local storage, but it was a poor tool; the error handling and logging functions were sub-standard.

The ability to operate without a VPN wasn't particularly a requirement. Our project aimed to secure administrative access, so our focus was more on user accounts than endpoints and connections. During our market research, we discovered that few solutions focus on privileged identity management; they're usually integrated with PAM tools like BeyondTrust PRA.

As a technician, I can vouch for both ends of that spectrum. The benefit of PRA being a standalone solution in our case is the ability to quickly and definitively sever that tie into our network. That being said, the solution currently doesn't solve all of our privileged access difficulties; we still have to manage roles and privileges in cloud solutions. I don't think there is a product on the market that allows for efficient management of both worlds; the cloud SaaS product and on-premises remote access.

Regarding leveraging service accounts as a password manager, there are better solutions, including BeyondTrust's own Password Safe, which integrates well. In terms of managing remote access accounts, PRA does an excellent job and provides relatively fine-grain policy permissions customization. We can have users operating accounts where they cannot view the password, and other users can access the password if needed to access some legacy applications, for example.

One of my customers used old, poorly coded legacy applications, so programs required admin privileges to run. They wanted to give users the ability to run the applications without giving them admin rights.

The company wanted more secure desktops, and the solution provided that. Previously, everybody was an admin of the desktops, and they suffered a cryptographic lock attack. They recovered from this and implemented PRA to avoid repeating the scenario. They bought 500 licenses, the estimated number of staff using the legacy applications. They planned to upgrade to around 1000 licenses a few months later, realizing they had other applications that necessitated this kind of solution. 

The project goal was to allow staff to run applications with admin privileges without being admins, which was the product's most important feature.

The company had distinct groups of staff with different requirements, which weren't fulfilled by giving them all admin rights. The solution's data granularity allowed us to define specific use cases and population types and categorize users based on that. This gave us good control over the system. 

Privileged Remote Access not needing a VPN was a requirement in this case, as the user didn't implement a VPN, nor did they want to. This feature was a plus for the customer. 

From what we observed the security provided by RPA is very good. 

The solution being available in multiple formats was necessary in this case, as the client was adamant that the solution needed to be SaaS; a requirement for their IT configuration. The ability to test issues was crucial to them. 

The solution has improved the security of the client's network. 

Not needing to share passwords was crucial to the client. They were hesitant about credential sharing because of the suffered cryptographic attack.

Having an all-in-one solution was vital in this case, as most of the users did not have technical expertise. This necessitated a solution that is easy to use and implement, and an all-in-one solution simplifies the process significantly. 

The solution is very flexible, which is a plus, but I would say the implementation requires someone with knowledge and experience, as it can be easy to get lost in all the details. The implementation process could be streamlined and simplified. Though the complexity of the solution provides greater flexibility, it requires a lot of time to understand it fully.

The UI is somewhat basic, so that could use some work. It's okay; apart from that, it's an aesthetics issue.

I implemented the solution for one of my customers, which took three months, then I passed it over to them. 

The solution's stability is good. It's reliable and I didn't experience any bugs or glitches.

The product's scalability looks good. My client purchased 1000 licenses, maybe 10% for developers, and the rest for end-users. They need a functioning application without a complex IT setup and maintenance. 

Their customer support is very good. They are quick, knowledgeable, and helpful.

Positive

I carried out the deployment myself, and it was straightforward. I implemented it with Azure, and it took three months. One member of the security team is responsible for the maintenance. We had help from the publisher to set up the tool, and our strategy was to do an initial deployment for 100 users for proof of concept, then deploy for the remaining 400.

My client found the solution a bit expensive but considering their use case and requirements, they didn't have any other choice. As far as I know, implementation and licensing are the only costs. 

I would rate this solution a nine out of 10. 

It's essential to get to know the product in detail because it's very complex. It can do whatever you want, but it requires some effort. That's why it's important to have an implementation team who knows what they are doing. It's crucial to delegate responsibility for the solution to someone who understands it and can work with the publisher team to find the proper configuration.

We use this solution to provide remote authentication for a support system that we are providing. We have a data center with many different products that are based on Windows, Linux, and hardware appliances.

There are many different ways to configure this solution in order to provide what we need. Depending on the kind of system that we're supporting, we can directly access the server, and application, or even a web page.

The most valuable feature is that this solution can be implemented regardless of the operating system. It can be used with Microsoft, Linux, Unix, and Cisco, and we can use the same product to access every different service.

This solution is simple to use.

Changing your password should be simplified, and there should not be a charge for it. For every server that we are supporting, we have an administrator password to log in. This is for remote access and remote support, and we do not like to give this password to the local support people. I would like to be able to assign a dedicated password that can be used only for one day. There are other products that can do this.

We built this system with redundancy and we have never had a crash or any other problem with it.

We deal with a person from the vendor to handle our maintenance, and we never have to contact technical support directly. We are very happy with the support.

This initial setup of this solution is straightforward.

It is not very easy to implement because there are so many types of servers. It depends on the knowledge of the person. However, if it is properly defined then it is very simple to use.

The length of time for deployment depends on the implementation. If everything is known then it can take one to two hours. In other cases, it can take a week or two.

I would rate this solution a nine out of ten.

The primary use case is for customers who are aware of RDP, remote desktop insecurity, and want to resolve this by deploying BeyondTrust Remote Access. There are so many features built into the system, and both cloud and on-premises deployment are offered. 

This product is very stable and scalable. This is an excellent platform. 

I can't think of any specific improvements because the product is already so rich. 

This solution is very stable. 

It's very scalable—horizontal, vertical, you name it. 

This product is backed up by excellent, very knowledgeable support. 

The company guarantees the best ROI, provided you take advantage of all the features. If you're buying a product, though, you shouldn't use only the basic function features anyway—use the advanced features. So the ROI is almost guaranteed when you invest in this product, but you need to find the right partner for deployment. You need a partner who will show you all the features you can take advantage of so that you benefit from the ROI, otherwise you're wasting it and you might as well buy something cheaper and more basic. 

The price is pretty expensive, but you get what you pay for and this is a great product. 

This product is the de facto standard, based on function features, installation, and customer base. There is a reason why so many well-known companies use it. 

I rate BeyondTrust Privileged Remote Access a nine out of ten, just because there's no such thing as a perfect product. 

I have a hundred different use cases. They're all different because every customer is different. One of the top use cases is where a third-party vendor needs to internally access one of the servers or applications. 

Its security, simplicity, and ease of deployment and maintenance are the most valuable. It is FIPS compliant, so it goes through severe penetration testing every one year or two years. They have to maintain this compliance. It is very safe.

Customers have been using it in the last eight years because of the simplicity of getting it deployed quickly. Most of the people using the solution had been hacked already, so they needed it quickly. As compared to the other solutions in the market, it can be turned on in production very quickly. You don't really need to have a server. It can be deployed very rapidly on VMware or Hyper-V, and you don't need to do an installation. It is a kind of an all-included package that you just deploy in a VM environment. It is basically a VM that is specifically built for a customer. The way the PRA data solutions work is that you need to build them for each customer because of being hard-coded with their SSL certificate, their web page name, and all that.

It would be very nice if it has an enterprise vault. Currently, it can interact with Password Safe, which is a separate solution and equivalent to Thycotic Secret Server. Instead of having Password Safe as a separate entity, they should combine it with BeyondTrust Privileged Remote Access. They have done it in some way, but it is not an enterprise tech solution.

I have been using this solution for eight years.

It is very stable. In eight years, I've never seen a bug.

Our clients are large businesses. 

I used to work there. I know this stuff by heart, so I don't need to call them. 

It is easy to set up. The complex part is to explain all the beneficial features and functionality to the customer because it can pretty much do everything. Discussing the environment and use cases is where you spend most of the time before you do the deployment.

Its deployment can be done very quickly. It can be deployed within 24 hours, which is useful if there is any hacking or breach. After that, you can add more complexity to it and configure it for a use case.

I would rate BeyondTrust Privileged Remote Access a nine out of ten.