CyberArk Privileged Access Manager Reviews

Our primary use case of this solution is for elevated access.

The primary improvement to my organization is the fact that now the users are aware that: one, the work that they do will be recorded and so there will be an audit trail of what has happened; and then, two, we don't have to worry about people sharing passwords because they are given out on a case by case basis.

• Session recording 
• Password rotation

Some folks would like to have keystroke tracking and some would not. I guess if they could make that an option that might be interesting for certain organizations.

Scalability and stability are both excellent. We have around 250 users. All individuals with privilege to elevated access will be required to use this after a certain amount of time.

Thus far technical support is excellent. We haven't had any issues or difficulties.

The initial setup was pretty straightforward. Deployment took approximately six months. For the deployment, there was a group of about five to six individuals. For sustainment, we just have gotten into a training mode and we will have our support team giving them assistance.

I would rate this solution a 9.5 out of ten. To get it to a ten it should give other possibilities to select if you could follow the keystrokes. It should have a flexibility with things in which people can use it a lot faster.

My primary use case for the product is essentially to secure our privileged accounts, and it's performing amazingly.

What it allows us to do is to rotate the credentials for privileged accounts. It ensures we understand where the accounts are being used and that they are staying compliant with our EISB Policy, which is a policy to change passwords. Thus, attackers find it harder to get in and steal an old password which is just sitting out on a system.

We utilize CyberArk secure infrastructure. We are moving towards applications in the cloud, but we do not currently have that. We are also utilizing CyberArk secure application credentials and endpoints.

The benefits are the way it allows us to secure accounts, but also be agile with providing privileged usage to our users. It is performing quite well, because it allows us to basically do what the user wants us to do, but in a secure manner. So, everyone is happy. Most of all, we don't have any breaches.

It enables us to secure accounts and make sure they are compliant. Then, when the accounts are not compliant, it gives us the data so we can reach out to account owners, and say, "Your accounts aren't within our ESP policy. We need you to become compliant." This allows us to not only secure them, but keep track of what accounts are moving out of that secure boundary.

The most valuable would be the REST API on top of PTA, which we do not have installed yet, but we are looking to install it moving forward in the future. What it enables us to do is if someone takes a privileged account and logs into a machine that we do not know about, it will alert us and log that they have logged in. It allows us to take that identify back and rotate the credentials, so we now own it instead of the intruder going out and using a rogue account.

More additional features as far as the REST is concerned, because we have something which was the predecessor to REST. A lot of the features which were in the predecessor have not necessarily been ported over to REST yet. I would like to see that to be more of a one-on-one transition, and be fully built.

It is very stable. We are going to upgrade by the end of this year, if not early next year, to the most recent version 10.12.

The scalability is incredible. They just released Marketplace, and they are constantly releasing updates to the components and adding new components, like Conjur. This is something that we ran into with Secret Server and DevOps, so it is already scalable, but becoming more so in the future.

The technical support is wonderful. We get the right person. They answer very quickly, giving us solutions which actually work. If we can't get a solution from them right away, we can tap into the community with the tools that they have given us, and work with people from other companies who have already solved the same issue.

I was involved in the upgrading processes, but not the initial setup. Upgrading is lengthy, because we have quite a few components, but it is definitely straightforward.

It has started new projects at our organization. So, we can see where our current landscape is for our privileged accounts, then we try to make them more secure.

Try a demo, if you can. Make it a hands-on with some of the components and see what they offer you.

I have used other privileged account management tools in the past. This, by far, outranks them as far as features and usability. The integrations on top of that as well. 

Each new product that our company buys, we turn to CyberArk, and they are say, "Yes, we integrate with that."

I have used the new generator utility plugin once, so not extensive experience, but I have used it. It does work.

Most important criteria when selecting a vendor: They integrate with CyberArk.

The solution helps our developers access internal systems. It also helps us in Privilege Access Management.

The tool’s pricing and scalability can be better.

I have been using the solution for five years.

I would rate the tool’s stability a ten out of ten. It is stable.

I would rate the tool’s scalability an eight out of ten. The tool is scalable.

I would rate the tool’s setup a nine out of ten. The solution’s setup is easy. We have a good internal implementation team who completed the deployment in a few days. About five to six engineers worked on the tool’s deployment.

We have an internal integrator for the tool.

We have seen ROI with the tool’s use.

I would rate the tool’s pricing a six out of ten.

The tool is robust and our IT team is happy with it. It provides you with strong security.

We are using CyberArk Privileged Access Manager for securing access to the host or the server. The solution has the capability to record activity on the server, rotate the passwords, kick out an active user, and complete an action if suspicious activity is triggered on the server. We typically only use the solution for accessing the target server and for password rotations.

One of the benefits of using CyberArk Privileged Access Manager is we have an audit trail that fits the requirements of our organization and we are more secure using the features of the solution, such as investigating and tracking.

All of the features of CyberArk Privileged Access Manager are valuable.

I have been using CyberArk Privileged Access Manager for approximately six months.

CyberArk Privileged Access Manager is stable.

The scalability of CyberArk Privileged Access Manager is very good.

We have approximately 300 users using the solution.

The partner support we have in Indonesia is fast and responsive to our needs. They are available if we are facing a problem. However, there is still room for improvement.

I rate the support from CyberArk Privileged Access Manager an eight out of ten.

Positive

I was previously using MEGA HOPEX.

The initial setup of CyberArk Privileged Access Manager difficulty depends on the environment that you are implementing it into. However, it typically is simple.

I rate the initial setup of CyberArk Privileged Access Manager a five out of ten.

We use a third party to do the implementation of the solution. We purchased preventive and corrective maintenance from our partner.

There are additional features added to our CyberArk Privileged Access Manager license. For example, features that allow us to integrate into various kinds of platforms.

I would recommend this solution to others. It has great value and it ensures your environment is secure and it is most important in production. If your company is a financial institution it is a lot of times mandatory to have a solution similar to this in operation because of cyber security concerns. We need to have preventive or professional action and one of those elements is to have a secure platform.

I rate CyberArk Privileged Access Manager an eight out of ten.

We use this solution for privileged systems access with a high emphasis on security. End users are required to go through a process of being vetted in our NERC environment in order to use the solution. This product has been used by my company for about five years now.

This product has placed a new culture in my company by making employees more aware of IT compliance and cyber security. It has also placed us in a position to meet NERC CIP v6 requirements.

The Password Upload Utility tool makes it easier when setting up a Safe that contains multiple accounts and has cut down the amount of time that it takes to complete the task.

Using the PSMP (Privileged Session Manager Proxy) makes it extremely convenient for UNIX Administrators to utilize their favorite SSH client software (i.e. SecureCRT or Putty) to connect to a privileged target without having to go through the PVWA web login.

I would like to see the product enhancement with the Secure Connect feature. Today, there is no functionality to create "Accounts" using Secure Connect to permanently store a user's working tab. It is a tedious manual process of entering host IP information and user credentials into a privileged target system.

Currently, in Secure Connect, an end user is required to enter account information manually, and cannot save any of this information for future use. It’s a manual process of entering information all the time. Unless you are working with accounts already stored in “Safes”.

I have been using this solution for seven years.

We have noticed some stability issues with the PSM Servers. We've noticed that there may be a limitation on the number of users that a PSM Server can handle. We have two PSM Servers deployed in our Production environment and have come to a conclusion that we may need to add two more to stabilize the environment.

Upgrading to version 9.9 significantly reduced the stability issues with the PSM Servers and the limitation on the number of users that the PSM can handle.

CyberArk could use some improvement in their level of customer service. Sometimes, it can take more than a day before a Case that I have submitted online gets a response from tech support.

The level of technical support has been great. The challenge has been to get an initial response and sometimes follow-up from CyberArk Support.

If you are going to set up CyberArk for the first time, I highly recommend that you utilize their Professional Services. They are extremely knowledgeable and very helpful and will ensure that your implementation is a success.

We use Texas DIR when evaluation and making purchases of products.

We are currently on version 9.10. We would like to upgrade to the latest version some time this year. There is currently a CyberArk Security Bulleting CA19-09 that addresses potential administrative manipulations within the PVWA and the Digital Vault. CyberArk has released patch 9.10.4 to address the PVWA and they are working on releasing a patch for the Vault Server.

CyberArk Enterprise Password Vault can be used for password vaulting and purpose session management.

The most valuable features of CyberArk Enterprise Password Vault are password vaulting and automatic rotation of passwords after use.

CyberArk Enterprise Password Vault can improve the distributive vault feature. Distributing the vault in multiple areas and multiple data centers should improve.

I have been using CyberArk Enterprise Password Vault for approximately seven years.

The stability of CyberArk Enterprise Password Vault depends on what you use it for. It is very stable when using a single vault. I had the most problems using the distributive vault. They've worked through some of that, so it's more stable now.

The scalability of CyberArk Enterprise Password Vault is okay. The distributive vault is what would affect the scalability and there were some issues with that that I've run into.

We only have a small number of users in the current company I am working at, and the previous company I was working for had hundreds of users using the solution. 

We do not plan to increase the usage of this solution.

The support from CyberArk Enterprise Password Vault is good.

I rate the support from CyberArk Enterprise Password Vault a four out of five.

Positive

I did not use a solution similar to CyberArk Enterprise Password Vault.

The initial setup of CyberArk Enterprise Password Vault was straightforward. The time it took to implement was two months.

We did the implementation of CyberArk Enterprise Password Vault in-house.

We have approximately nine people for the deployment and maintenance of CyberArk Enterprise Password Vault.

We have seen a return on investment from using CyberArk Enterprise Password Vault.

There are no additional costs other than the standard licensing fees.

We evaluated other solutions but we decided to choose CyberArk Enterprise Password Vault because they were a key player in the market who invented the space.

CyberArk Enterprise Password Vault is great. It excels on-premise. If you were looking at the hybrid or other solutions, there are other solutions that were built in that environment. They're probably a little ahead of CyberArk Enterprise Password Vault at this point.

I rate CyberArk Enterprise Password Vault an eight out of ten.

I have been working with CyberArk for the past five years. I do installations, support, and presales.

We have installed the CyberArk solution and have been using it as a PAM solution.

The main reason for having the solution in place is to isolate and monitor all previous activities that have taken place within the organization. The second thing is to make sure all the previous accounts have been onboarded to the solution and accurately monitored as well as passwords have been managed as per the policies defined. The third thing is to make sure users are unaware of their previous account passwords. Those should be centrally stored and located in one of the solutions where we can manage them per our policy or ask users to raise a request for internal workflows on the solution, in case of any emergencies. The last thing is for managing the service account passwords.

Initially, the IT team and other teams used to access the servers manually. Now, because of this solution, everyone is onboarded on the PAM and we can direct all sessions to the PAM. Also, we have control of all decisions and activities being performed. Along with that, we are satisfying audit requirements with this because we are getting reports to track what we need to comply with any regulated requirements. 

We have an option for protecting various kinds of identities. It also provides you with a medium for authenticating your systems, not only with passwords, but also with the PKI certificates and RSA Tokens. There is also Azure MFA. So, there are many options for doing this. It has a wide range for managing all security identities. 

The most valuable feature is CyberArk DNA, which is an open-source tool used for scanning all servers, like Linux or Unix. We can get a very broad idea of the scope and picture of the servers as well as their predefined vulnerabilities, the service accounts running on them, and the dependent accounts running on those services. We get a very wide scope for all our servers and environments. 

There are some other options like Privileged Threat Analytics (PTA), which is a threat analytics tool of CyberArk that detects violations or any abnormal activities done by users in the privileged solution. This tool is very unique, since other PAM program solutions don't have this. This makes CyberArk the unique provider of this feature in the market.

It is very easy to maintain passwords in the solution, instead of changing them manually or using other tools. So, it is a centralized location where we have accounts and passwords in a database based on our defined policies. 

Product-wise, CyberArk is continuously improving. For the last two years, it has brought on new modules, like Alero and Cloud Entitlements Manager. Alero gives VPN-less access to the environment. So, there are many new things coming into the market from CyberArk. This shows us that it is improving its modules and technology.

We can integrate the solution with any other technologies. This is straightforward and mostly out-of-the-box.

For DevOps, we are using Conjur with a Dynamic Access Provider. We use those modules to make sure identities on other environments have been secured. For Azure and other cloud environments, we have out-of-box options where we can do some little configuration changes to get those identities secured. We have a process of managing these identities for RPA as well.

It has a centralized page where you can manage everything. This makes work easier. You don't have to remember different module URLs or browser applications. It is very easy to get all the secure identities of other environments into a single page, which is very important for us as it helps a lot in terms of operations, e.g., reduces management time. This is a single page where you can manage all accounts and onboard them to the CyberArk. You can then secure and see passwords from everywhere. So, there is a single pane of glass where you can manage all the identities across environments as well as across different types of identities.

We have a module called Endpoint Privilege Manager (EPM) that is used for the endpoint, managing the least privilege concept on Windows and Mac devices. We also have On-Demand Privilege Manager (OPM), which is used on UNIX and AIX machines. Using these modules, we can achieve the least privilege management on endpoints as well deploying on servers, if required. 

The continuous scanning of the assets is limited to Windows and Unix. We like to have the solution scan any databases, network devices, and security devices for privileged accounts. That would be very helpful. 

For least privilege management, we need a different level of certification from privileged management. Least privilege management comes under endpoint management. It takes time to get used to it, as it is not straightforward.

I have been well-versed with the CyberArk product for the last five years of my career.

The solution is very stable. 

Once the project installation was done, we put this product into the environment based on the policies that we defined, but it had initial hiccups. The policies that we defined might have hampered and raised issues, but the product is very stable.

The solution is very scalable. The landscape gets improved every day. It is scalable because it integrates with Azure, AWS, and other cloud solutions. Also, we have modules that work for DevOps, Secrets Manager, and Endpoint Privilege Manager. So, CyberArk is not just a PAM. It covers most of the products in the threat landscape. We do not worry about scalability in terms of CyberArk.

Our primary support is partners with whom we are interacting throughout the project. Then, if an issue is not yet resolved, we will raise a case with CyberArk support. They have certain SLAs that they are following based on the seriousness of an issue. The response will be according to that. 

The support is good.

Positive

We didn't use another solution before we bought this one.

The initial setup is straightforward. They have done major reforms on the installation process, so now we have automatic installations. We just have to run a particular script, and that does the installation for us. We also have a manual installation and that is our legacy process. So, we have both options. It is up to the customer how to move forward, but it is pretty straightforward. 

RNS did the installation for us. Our experience with them was pretty good. They followed all the processes per project management standard. They tracked all the activities, making sure the project was delivered on time, which was good.

One dedicated person is enough for the solution's maintenance.

CyberArk DNA is free if you purchase the CyberArk solution. There is no additional charge for CyberArk DNA, which is great.

Before, I used to work as a system integrator. I looked into other PAM solutions, like ARCON and BeyondTrust.

Make sure your use cases are covered. Go for a small PoC, if possible, to make sure that all your use cases are covered and delivered per your expectations. Check whether the solution is on-prem or Azure and the resource utilization needed for implementation. For your IT expansions in future, check whether you will need any additional modules in future or if the existing ones will meet your future requirements.

With Secure Web Solutions, we could access any web applications from a PC. It was like a native tool where you could browse from your Chrome or any web applications, and the applications would be routed to the CyberArk where it was securing the web applications and access. However, this product was deprecated last year so it is no longer supported from CyberArk's point of view.

I would rate CyberArk PAM as nine out of 10.

From an industry perspective, you continue to see the headlines in the media about how bad actors have been able to take advantage of weak policies and security controls around access management within companies.  In these cases, the focus has been around employees that can access the most sensitive information, or have access to the very controls that operate and protect the firm.  Products like CyberArk, that provide controls for privileged access, have helped mitigate the threat of taking over those accounts that have the greatest amount of risk to an organization, particularly for those who are system administrators and have the highest powers in being able to access all levels of the technology infrastructure.

When it comes to the product's ability to standardize security and reduce risk across the entire enterprise, standardization is all about simplifying the complexity of IT threats and risks and it's all about the standardization of the controls that you have in place. If you have a product set that enables you to provide security, and it is consistently applied across a specific user base, then you have standardization which drives both enhanced security through the privileged access controls, and efficiency through the standardization of your operating model.

Availability is an interesting challenge, but it is part of an IT Risk Strategy.  When it comes to Cybersecurity, Privileged Access control is the ability to manage IT risk associated with the most powerful access to your infrastructure services.  This IT Risk can manifest itself as compromised information, manipulated data, or disruption of your IT based services. A Privileged Access Security product reduces the threat of stolen credentials and account takeovers of those profiles that would have the power to take down your enterprise.   Therefore, it not only reduces the risk to your firm, but also drastically improves availability. 

The most valuable features are its simplicity and the ease of implementation. When you think about privileged access management and the complexity of solving privileged access for those system administrators in your organization, CyberArk is a product that helps you simplify that problem and implement a standard set of security controls to protect the enterprise.  

In terms of the products ability to manage Privileged Access control requirements at scale; scale is really a function of two influences, which would either be the size of your infrastructure, or the complexity of your organizations operating model for those that have privileged access to your infrastructure services.  CyberArk scales quite readily across a large organization and through proper design and engineering is capable of expanding across a variety of use cases.  Like any technology control implementation however, it is always important to ensure you review and optimize the organizations support operating model, in order to ensure that you have the most optimal design and implementation of CyberArk.  

CyberArk has captured the individual privileged access space well. They've captured the application-to-application and DEVOPS space quite well.. They should continue to invest in optimizing the services, and help companies drive down risk associated with application based passwords, as this is an industry that is being closely watched by external regulators. 

CyberArk continues to stay close to the industry and are always looking for ways to improve  their products and service offerings accordingly.  There are 3 areas that I would call out, that CyberArk should continue to focus on:

1) Continue to help organizations understand how they align their strategies and roadmaps to industry trends and the overall cybersecurity threat landscape. 

2) Continue to help the industry innovate on talent , and position customers to be more successful in supporting their CyberArk implementations. 

3) Continue to help customers understand the Risk reduction capabilities and scorecards associated with their deployments.  Initiatives like the CyberArk Blueprint will help enable enable informed customers. 

The perceived stability of CyberArk is quite dependent on the complexity of the environment it is implemented in, and the overall design of the infrastructure, including both PSM and Vault technologies.  As an infrastructure it is quite stable; however, in complex network infrastructure environments, sporadic network disruptions could create issues accessing the various CyberArk network devices.

Scalability is a function of both technology growth, and integration capability.  CyberArk has not only continued to advance the infrastructure robustness of their software solutions, but through the C3 alliance they have also created integration opportunities with other IT Security and Access Mgmt products that allow companies to provide a full ecosystem of IT controls within their organizations.    This also provides an opportunity for companies to consider best of breed products, like CyberArk, and not have to restrict their decisions to a small set of technology tools that do not provide comprehensive Privileged Access Services.

CyberArk is a growing company and their technical support has continued to grow and mature across the organization. The one thing I'll say that CyberArk has been able to do is to continue to keep in touch with its customers and look into areas where there's opportunity to continue improving their technical support across the organization. CyberArk works with an integrated model: They have integrators within firms that will implement the product. But at some point, you always need to refer back to the software owners of the product to make sure that you're comfortable that what you've designed and implemented is in keeping with what their blueprint would have recommended in the first place. In addition, their technical support has continued to mature and grow to help customers become successful in their deployments.

What is complex is privileged access management. When companies look at implementing a software solution for privileged access management, if they actually haven't looked at the complexities of privileged access within their own organization — and I'm speaking more in terms of the business processes for that type of access across the organization — then any software tool is going to look complex because it's not going to solve the problem.

If a firm focuses on understanding their existing Privileged Access operating model, the inherent business processes, and the risk & pervasiveness of Privileged Access across their enterprise, then they will be better positioned to understand the business problem they need to solve.  CyberArk will then become a capability that enables them to solve their IT Risk issues with privileged access, and capitalize on the efficiencies with their new operating model.  The complexity seldom ever lies in the technology. It always lies in how well it integrates with the business processes that the firm is trying to solve as part of its deployment.

Privileged Access Management is a business transformation program.  It forces business to look at their overall operating model for system administrative and application based access, and develop a strategy that reduces risk overall to the enterprise. Once this strategy is completed, and a new operating model is conceived, CyberArk software and services becomes a very effective series of controls that enable the business to secure the most sensitive access to services, and allows the organization to operate within their risk tolerance. 

Far too often companies will treat the CyberArk product set as a software implementation, that becomes overly complex and evolves into a multi-year program. This is due in part to the legacies of technology programs, where the implementation will force business to rethink their operating model, and therefore delays, scope changes and cost of overall program becomes associated with the software implementation initiative. This is a consequence of positioning a Privileged Access program as a security software implementation, and not a true business transformation initiative. 

While CyberArk continues to adjust its licensing costs and continues to look at the comparisons in the industry and the ability to effectively and affordably help companies and firms solve their privileged access problems, companies also have to look at the overall cost of what a privileged access program means to their firm, and what shareholder value they gain as a result of implementing those types of products or services or business processes. In that context, they should start to look at what the comparison is against the software that they're using to enable those very controls they're trying to implement.

I've spent some time with BeyondTrust. I've spent some time with Centrify. I've had their products in for different instances and different purposes. They play an interesting concentric role in some of the areas that they focus on, but I wouldn't say I have one-to-one experience in other product sets.

CyberArk continues to innovate, as they refine strategies based on industry research and trends in the cyber security landscape, and incorporate the necessary updates to both their roadmaps as well as their product sets. The creation of the customer implementation roadmap, acquisition of Conjur for DEVOPS and the development of  Alero to address 3rd party secured access, are examples of product innovation to address  emerging risks within the  industry.  

I would rate CyberArk 8 our of 10;  although I do remain impressed with their existing set of product offerings, their cyber security roadmap & strategy, and their overall corporate philosophy, I do feel it is necessary for them to ensure they remain vigilant and maintain pace with an evolving cyber industry.  Significant disruption in the technology industry brought on by advancements in Machine Learning / AI, commoditization of cyber attack tools, and rapid deployment of IoT based technologies, summon the need to ensure companies do not become complacent in the agility of their security tools.

I have several passions. One of the passions I've always had is in organizational transformation and leadership. A second is really around the space for identity and access management. CyberArk has allowed me to continue, even after I've retired from the industry after 35 years, to still live that passion through their customers. I've been given the opportunity to provide some keynotes around organizational transformation. It's an exciting industry to be in and CyberArk has allowed me the benefit of still continuing to enjoy that experience.