CyberArk Privileged Access Manager Reviews

It is for the lab. We just onboard all the privileged accounts and then try to make them compliant and provide access to end-users. We are CyberArk administrators, and our responsibility is to onboard the accounts and provide access to end-users so that there is no business impact and the users are able to connect to their target services.

I started with version 10.6, and now, the current version of CyberArk is 12.1. It is deployed on-prem, but in my lab, it is my virtual setup.

It is one of the best solutions in the market. Ever since I started using this solution, there has not been any compromise when it comes to our lab.

There is a lot of room for improvement in the report section. I also work on other tools, such as Thycotic, which allows you to create customized reports for your organization's needs. In CyberArk, there are limited reports, whereas in Thycotic or some of the other PAM tools, because the database is different, you can customize the report based on your needs through SQL queries.

The GUI part can be better. Previously, they had a classic one, and then they upgraded to the new one, but it is less user-friendly than other PAM solutions. Its GUI is a little bit complex.

I have been using this solution for almost five years.

It is a stable solution. It is a top PAM solution as per Gartner.

Its scalability is good.

I have contacted them multiple times. They helped me in a good way. Whenever I raised a ticket, depending on the ticket priority, they provided good support. Sometimes, I got a response within two hours.

CyberArk has a distributed architecture. Therefore, as compared to other PAM solutions, it is a little bit complex. You first need to understand the environment and then install the individual components, whereas, in other PAM solutions, you have to build the database and then simply run the application and directly connect to the application. You can then start using the application.

If you are using this solution for the first time, you need to be a little bit aware of Windows, Linux, and AD. Otherwise, it might be complex for you.

I would rate it a nine out of ten. 

Our use case for CyberArk Enterprise Password Vault is managing privileged accounts. These are local accounts, e.g. local desktops, laptops, or servers. They have a built-in administration account, so part of the solution is to ensure that that account's username and password are stored in the vault and managed by CyberArk Enterprise Password Vault.

The most valuable feature of CyberArk Enterprise Password Vault is the auto password recycling feature, which works this way: previous accounts which are managed by this solution get their password reset every time, based on our given parameters, e.g. every two days, every five days, every week, etc. You give CyberArk Enterprise Password Vault the number of days that you want the passwords to be changed, so users won't need to have their passwords written somewhere. They can just log on to the solution and retrieve the password. They may even be able to remotely connect to the devices that they want to connect to via the PSM function of CyberArk Enterprise Password Vault.

What needs to be improved in CyberArk Enterprise Password Vault is their customer support, because as administrative engineers, since we're not experts in the solution, we have to rely on customer support.

Their customer support needs improvement in terms of being responsive and being understanding. They are knowledgeable, but responding and willingness to come and help knowing that it's their tool, rather than relying on the engineers from the customer side, e.g. our side, to do all the technical things.

The initial setup and upgrade process for CyberArk Enterprise Password Vault is complex and can only be done by CyberArk, so this is another area for improvement.

My experience with CyberArk Enterprise Password Vault is almost three years.

CyberArk Enterprise Password Vault stability is good. If it's properly set up, it can just run by itself. It's a very solid tool, but it has to be properly set up because a simple misconfiguration can create a lot of pain. Once set up, it's really good.

Customer support for this product still needs some improvement.

The initial setup for CyberArk Enterprise Password Vault is another pain point, because the setup, including upgrading the solution, can only be done by CyberArk themselves. They have professional services involved to get an initial setup done, and to even do an upgrade, because of the complexity of the product itself.

The SaaS version of CyberArk Enterprise Password Vault is very expensive, but the on-premises version is relative, e.g. depending on the size of the environment, it can be a bit pricey, but it's relatively okay compared to the others. It's their SaaS solution that's expensive.

We're using version 11.1 of CyberArk Enterprise Password Vault.

It's probably not fair to judge CyberArk Enterprise Password Vault based on my overall experience with it, because the tool itself is brilliant, though it's a little bit complex in terms of how it is set up. The customer service could still be improved to meet the standards, but I'm giving CyberArk Enterprise Password Vault a score of seven out of ten.

I've deployed Password Vault for various use cases across different industries from finance to healthcare and manufacturing. 

I love how easily we could operate within Password Vault and get things done. It was almost effortless. After we went through the implementation phase, it did what was promised, and we did not have to call support. It was a flawless install. All of us had experience as well because we got our certifications. We'd worked with it for at least a year.

There was a situation when one of our presidents had an issue, but I can't recall the specifics.

I've been using Password Vault for three years now.

For scalability, I'd give it a 13 on a scale of one to 10.

The installation was very smooth. 

At my previous company, my budget amount was $15,000, and we didn't spend all of that. It was a larger company than the one I'm with now. It was global. We didn't spend that or come anywhere near it. They're still adding on, and I know that CyberArk will be the solution that they're going to stick with. They were hybrid, and now they're all cloud.

I rate Password Vault 10 out of 10. If you're planning to implement Password Vault, my advice is to just let it work. Do all your use cases up front, and make sure you throw everything at them that you think will happen in your environment. Make sure that that's all addressed, so when you go to deployment, it's just easy. 

We mainly use it to protect servers from inappropriate access and ransomware.

We started with on-prem solutions years ago. Our most recent implementations were done in data centers and the cloud. However, we are not in the cloud for CyberArk.

It is a really valuable tool. From the very beginning of my career in cybersecurity, I found that CyberArk is one of the best solutions that I could recommend to our customers. While it is usually seen as an access and identity management solution, it is a cybersecurity and cyber defense tool from my colleague's and my point of view.

It is a single tool that isolates possible kinds of malware. You get lateral movement blocking and auditing information, e.g., you know who is doing what. You are getting protections from the service as well as a useful environment. All your admins can easily go in and out of your company while accessing your servers in a secure way, even if they are working abroad.

One of the best points is that it gives you full control for all the use cases in your infrastructure, in terms of servers, applications, social networks, batch processes, etc. 

It gives you the ability to know what is happening, who is executing everything, and recover that information over time. Everything is recorded there. This is useful, not only for auditing proposes, but for admins and users. This also helps with troubleshooting. For instance, an application or system starts failing at 4:30 in the morning on a Sunday. Usually, the first questions that you ask yourself is, "What changed at 4:30? What has happened? Who was touching that server?" WIth CyberArk, you have the ability to search for that information and find it in minutes. It is really useful for troubleshooting.

The PPA from CyberArk provides a lot of information about access and allows for possible detection of fraudulent use or different tries of accessing, even for family Internet users. Thus, it gives you another source of information regarding risk.

We are using Secrets Manager with some of our customers. We are using it mainly for containers and DevOps. This secure access is really important, and becoming more important every day. We are constantly moving customers to the cloud. Every day, containers are more important for our customers as they extend into microservices, etc. 

The possibility to integrate with the DevOps cycle is vital right now. Sometimes, containers are deployed while some clients have them very protected. They have a lot of things with Panorama, Microsoft, etc. That is a risk because you are deploying things quickly, along with errors and other things that you are developing. So, having to use hard-coded passwords here would be a big mistake. 

Secrets Manager accelerates a lot of the possibilities and simplifies the process, since development teams just need to use credentials. When they arrive on a project, there are new people or resources in their development teams. Thanks to CyberArk, they just need to manage their identities to have access to everything. They don't need to receive credentials nor search for them. They have everything the day that they start working.

We find it easy to use CyberArk PAM to implement least privilege entitlements. We usually do some interviews at the very beginning with different teams to understand their real needs. We define saves and different AV groups for the kind of users that we are going to prepare. Then, the process to assign permissions to different groups is really easy and straightforward. If you want to change or reduce access, that can be easily changed at any moment.

I have been using it for more than 10 years.

In the last year, it has been a very stable platform.

Scalability is fantastic. It has been really easy to scale. In fact, most of our customers who start, or have doubts about how to start, we propose to them, "Well, if you are not sure or don't have the budget right now, you can start with a small deployment, then we will grow." It easily grows and you can add components. 

Other customers have started with a small CPD deployment, then replicated. We put high availability on another CPD. It is really good for public clouds.

We have some customer environments that are over 10,000 servers as well as some environments with more than 50,000 managed identities.

I would rate their technical support as eight out of 10. They are usually really good and quick about answering any questions that you raise. However, they are sometimes not flexible with things. For instance, from one day to another, there might be something that had been done years ago by CyberArk, then they say, "We do not support that." You then have to initiate a complaint and start working with them. Things might become complicated and months pass while you are working with them. Usually, they are good and fast, but sometimes they seem to be blocked with problems, e.g., you will suddenly be working with another team instead of the team that you were working with the day before.

Positive

I have been working with CyberArk and with the CyberArk teams for years. They have been able to adapt the solutions that they have developed or bought. They have grown a lot with the acquisition of different companies. They have been able to adapt them, make them valuable, and helpful.

The initial setup is straightforward because we have a lot of experience with it. While there are a lot of components, I don't find it difficult.

A deployment can typically be done in less than a week, but it does depend on the environment.

We have developed our own methodology for the implementation and deployment of CyberArk. We put the final users at the center of their strategy. One of the things that we have found that fails when deploying a PAM solution is that everyone focuses on the tool. CyberArk works and we know the tool is there, so we just focus on how the different groups are working with their servers, applications, etc. We focus on adapting the deployment in a way that does not disrupt their jobs. We try to be non-disruptive and not change the way users work.

We adapt the solution to already existing workflow processes, tools, accesses, etc. This is one of the best parts of CyberArk. It provides a lot of flexibility to adapt.

The main problem for the tool is its licensing. I work for a really big company. When you try to develop this as a service, usually you work with leverage teams who are formed with dozens of members. You might dedicate one FTE, or less, for something, e.g., an antivirus administrator. You might have half an FTE's effort dedicated to administering the antivirus, but then you have a team of about 30 users who might access that ticket. The problem is that CyberArk eliminated the possibility of concurrent users years ago. This is a big problem for companies who work with leverage teams.

You need to pay for everyone. 40 licenses are used by 20 or 30 people. This is a big problem because licenses are not precisely cheap.

It provides the broadest point of view for privileged access management solutions in the market. We have tested several other proposals and tools for our customers and ourselves. There is a huge difference with using CyberArk.

We evaluated CA PAM and another solution. The main difference is that they cover just a part of the solution. They promise the solution will be very simple to deploy because they only have a simple appliance. However, they are actually really difficult to deploy for an entire project as well as give you value. We have experienced a lot of support and integration problems. You need to do a lot of things by yourself. Whereas, in CyberArk, you have plenty of plugins and developed material in the marketplace. 

This is the big difference at the moment. When you are deploying, it seems like a very simple project, and the other solutions will tell you, "Well, it's just an appliance," and then it becomes a nightmare. Whereas, CyberArk does what it does. You need to deploy several servers, but it works.

From time to time, people in the market are like, "Wow, it was born as a cloud-native solution." Sometimes, this is real and means something, but usually it is mostly a marketing thing. Why would we ignore all a solution's previous experience just for something born in the cloud? Most of the IT solutions that we use in the cybersecurity market are not born in the cloud. For instance, if you go with Securonix or Sentinel, there is a huge difference in the way they were conceived and the way they were born. Just because something is cloud-native or new doesn't mean that it is good. I wouldn't go for something that is cloud-native, just because it is.

I would rate CyberArk as nine out of 10. I won't give the 10 because I have my problems with the licensing. However, the solution is completely recommendable and a must-have in every environment.

I have been working with CyberArk for the past five years. I do installations, support, and presales.

We have installed the CyberArk solution and have been using it as a PAM solution.

The main reason for having the solution in place is to isolate and monitor all previous activities that have taken place within the organization. The second thing is to make sure all the previous accounts have been onboarded to the solution and accurately monitored as well as passwords have been managed as per the policies defined. The third thing is to make sure users are unaware of their previous account passwords. Those should be centrally stored and located in one of the solutions where we can manage them per our policy or ask users to raise a request for internal workflows on the solution, in case of any emergencies. The last thing is for managing the service account passwords.

Initially, the IT team and other teams used to access the servers manually. Now, because of this solution, everyone is onboarded on the PAM and we can direct all sessions to the PAM. Also, we have control of all decisions and activities being performed. Along with that, we are satisfying audit requirements with this because we are getting reports to track what we need to comply with any regulated requirements. 

We have an option for protecting various kinds of identities. It also provides you with a medium for authenticating your systems, not only with passwords, but also with the PKI certificates and RSA Tokens. There is also Azure MFA. So, there are many options for doing this. It has a wide range for managing all security identities. 

The most valuable feature is CyberArk DNA, which is an open-source tool used for scanning all servers, like Linux or Unix. We can get a very broad idea of the scope and picture of the servers as well as their predefined vulnerabilities, the service accounts running on them, and the dependent accounts running on those services. We get a very wide scope for all our servers and environments. 

There are some other options like Privileged Threat Analytics (PTA), which is a threat analytics tool of CyberArk that detects violations or any abnormal activities done by users in the privileged solution. This tool is very unique, since other PAM program solutions don't have this. This makes CyberArk the unique provider of this feature in the market.

It is very easy to maintain passwords in the solution, instead of changing them manually or using other tools. So, it is a centralized location where we have accounts and passwords in a database based on our defined policies. 

Product-wise, CyberArk is continuously improving. For the last two years, it has brought on new modules, like Alero and Cloud Entitlements Manager. Alero gives VPN-less access to the environment. So, there are many new things coming into the market from CyberArk. This shows us that it is improving its modules and technology.

We can integrate the solution with any other technologies. This is straightforward and mostly out-of-the-box.

For DevOps, we are using Conjur with a Dynamic Access Provider. We use those modules to make sure identities on other environments have been secured. For Azure and other cloud environments, we have out-of-box options where we can do some little configuration changes to get those identities secured. We have a process of managing these identities for RPA as well.

It has a centralized page where you can manage everything. This makes work easier. You don't have to remember different module URLs or browser applications. It is very easy to get all the secure identities of other environments into a single page, which is very important for us as it helps a lot in terms of operations, e.g., reduces management time. This is a single page where you can manage all accounts and onboard them to the CyberArk. You can then secure and see passwords from everywhere. So, there is a single pane of glass where you can manage all the identities across environments as well as across different types of identities.

We have a module called Endpoint Privilege Manager (EPM) that is used for the endpoint, managing the least privilege concept on Windows and Mac devices. We also have On-Demand Privilege Manager (OPM), which is used on UNIX and AIX machines. Using these modules, we can achieve the least privilege management on endpoints as well deploying on servers, if required. 

The continuous scanning of the assets is limited to Windows and Unix. We like to have the solution scan any databases, network devices, and security devices for privileged accounts. That would be very helpful. 

For least privilege management, we need a different level of certification from privileged management. Least privilege management comes under endpoint management. It takes time to get used to it, as it is not straightforward.

I have been well-versed with the CyberArk product for the last five years of my career.

The solution is very stable. 

Once the project installation was done, we put this product into the environment based on the policies that we defined, but it had initial hiccups. The policies that we defined might have hampered and raised issues, but the product is very stable.

The solution is very scalable. The landscape gets improved every day. It is scalable because it integrates with Azure, AWS, and other cloud solutions. Also, we have modules that work for DevOps, Secrets Manager, and Endpoint Privilege Manager. So, CyberArk is not just a PAM. It covers most of the products in the threat landscape. We do not worry about scalability in terms of CyberArk.

Our primary support is partners with whom we are interacting throughout the project. Then, if an issue is not yet resolved, we will raise a case with CyberArk support. They have certain SLAs that they are following based on the seriousness of an issue. The response will be according to that. 

The support is good.

Positive

We didn't use another solution before we bought this one.

The initial setup is straightforward. They have done major reforms on the installation process, so now we have automatic installations. We just have to run a particular script, and that does the installation for us. We also have a manual installation and that is our legacy process. So, we have both options. It is up to the customer how to move forward, but it is pretty straightforward. 

RNS did the installation for us. Our experience with them was pretty good. They followed all the processes per project management standard. They tracked all the activities, making sure the project was delivered on time, which was good.

One dedicated person is enough for the solution's maintenance.

CyberArk DNA is free if you purchase the CyberArk solution. There is no additional charge for CyberArk DNA, which is great.

Before, I used to work as a system integrator. I looked into other PAM solutions, like ARCON and BeyondTrust.

Make sure your use cases are covered. Go for a small PoC, if possible, to make sure that all your use cases are covered and delivered per your expectations. Check whether the solution is on-prem or Azure and the resource utilization needed for implementation. For your IT expansions in future, check whether you will need any additional modules in future or if the existing ones will meet your future requirements.

With Secure Web Solutions, we could access any web applications from a PC. It was like a native tool where you could browse from your Chrome or any web applications, and the applications would be routed to the CyberArk where it was securing the web applications and access. However, this product was deprecated last year so it is no longer supported from CyberArk's point of view.

I would rate CyberArk PAM as nine out of 10.

We use it to control privileged access within the environment, including domain admins and server admins.

We're using the CyberArk Privilege Cloud version, which is the PaaS.

It provides a one-stop shop for the majority of our administrators to get the privileged access they need. It has enabled us to reduce risk as well, and that is the largest benefit that we've encountered through the solution. We've reduced the number of admins in our environment significantly.

It provides an automated and unified approach for securing access across environments, including hybrid, multi-cloud, RPA, and DevOps, as well as for SaaS applications. For what we're using it for, it's doing all of that seamlessly in one place. It helps us to quickly adapt and secure modern technology, and that's another reason we chose CyberArk. They already had integrations with solutions that we were either moving toward or that we already had. We weren't going to have to do them as customizations.

The ability, with Secrets Manager, to secure secrets and credentials for mission-critical applications means people don't have to go searching for them. They know where they are—they're in CyberArk—so they don't have to go to a separate place. They have one identity to manage, which is their single sign-on identity. From there, they can go into CyberArk to get the access they need. That's an area that has been very helpful. And from a risk perspective, the multifactor authentication to get to those accounts has also been awesome. That helps us to be in compliance, as well as secure.

The Privileged Session Manager has been the most useful feature because we're able to pull back information on how an account is used and a session is run. We're also able to pull training sessions and do reviews of what types of access have been used.

We also use CyberArk’s Secrets Manager. Because AWS is the biggest area for us, we have accounts in AWS that are being rotated by CyberArk. We also have a manual process for the most sensitive of our AWS accounts, like root accounts. We've used Secrets Manager on those and that has resulted in a significant risk reduction, as well. There's a lot to it, but from a high level, we've been able to get some things under control that would have been difficult otherwise.

For DevOps, we've integrated some automation with CyberArk to be able to onboard those systems. There are some native tools like the CFTs that we're using with CyberArk to get CyberArk deployed automatically to them.

It also gives us a single pane of glass to manage and secure identities across multiple environments; a single view with all of the accounts. It's super important for us to be able to see all of that in one place and have that one-stop shop with access to different environments. We have lots of domains because a lot of acquisitions have happened. It's important for us to be able to manage all of those environments with one solution and we do have that capability with CyberArk.

I've been using CyberArk Privileged Access Manager at this company for two years, and all together for the past six years.

The stability is great. We haven't had problems with it.

The scalability is very good. I'm surprised they keep as many logs and video recordings as they do on their side. But scalability hasn't been a problem. If we wanted to scale up, we could certainly do so. All we would have to do is add more servers on our side, with our PSMs (Privileged Session Managers). The way the solution is built out, you can expand it elastically pretty easily.

We have around 400 users right now who are mostly in IT. There are developers, database administrators, as well as our Active Directory enterprise teams, and some of our cloud implementation and infrastructure teams. We have some in incident response people, from information security, who use it as well.

We're looking to expand it in the coming year. We've already started that expansion. It's the developers we're targeting next and there are a lot of them. We're looking at a couple of hundred more users within a year.

If there is an area that has room for improvement, it's probably working with their support and getting people on the phone. That is hard to do with most products in general, but that seems to be the difficult area. The product is fantastic, but sometimes we want somebody on the phone. I would rate their support at eight out of 10, whereas the rest of the solution is a nine or 10.

From a technical support perspective, they've been really good. There has just been a little bit of trouble with the database stuff, but that's because ours is a very aggressive deployment. Sometimes, when working with support, they aren't as aggressive as we are.

Positive

I've used Thycotic and Hitachi HiPAM, and we've used some custom in-house build solutions.

The reason we switched is that Thycotic opened up the door to that possibility when we talked about pricing. The price came out to be something similar to what we were spending. We were basically going to have to redeploy the whole Thycotic solution to get what we needed, and that opened it up for us to evaluate the landscape.

There were some complexities about the setup, but deploying a solution like this is going to be complex, no matter what solution you go with. CyberArk did an excellent job of making sure that we had everything we needed. They had checklists and the prerequisites we had to do before we got to the next steps. Although it was complex, they were complex "knowns," and we were able to get everything organized fairly easily.

Our initial deployment took about two weeks.

We broke the deployment into four phases. The first phase was called Rapid Risk Reduction, and with that we were getting our domain admins under control, where we went with domain admin, server admin, and link admin. A part of that was the server administrators and Linux administrators. All of that was part of a very short-term goal that we had. 

Phase two was called risk reduction, where we were focused on Microsoft SQL, the database administrators, and Oracle Database administrators. It also included bringing in some infrastructure support as well. 

Phase three was enterprise-grade security, and with that we've been pushing the network tools and AWS admins, along with some other controls. 

And our last phase, which we've just recently started on, is one where we are going to be pushing hard to get developers onboarded into CyberArk. There are a whole lot of little details that go along with all of that. The initial auto onboarding happened in phase three, but we also have auto onboarding that we're looking to roll out across a larger group.

We implement least privilege entitlements as well. We started out from a high level of not going the least privilege route and, rather, we locked things down in a way that they were managed, at least. Then we started knocking down the least privileged path. You have to start somewhere, and least privilege is not going to be the first option, out of the gate. You're going to have to take stepping stones to the best practices. And that's what we've done. We took this large amount of high-risk access and brought it into CyberArk and then pulled access away over time and have been making things more granular, when it comes to access to the systems. The access within the systems, within CyberArk, is absolutely granular and we have been very granular with that from the beginning.

For maintenance of it we need about one and a half people. My team supports it and, while one full-time person is probably enough to support the solution, my team is split up. The general operations of CyberArk are what take up the most time. The actual running of the solution, from an engineering perspective, is very lightweight; it's hardly anything.

We did not use a third party for the deployment.

We started doing some comparisons of different tools and that's why we ended up switching to CyberArk, after discussions with both Thycotic and CyberArk. When looking at the capabilities, we ended up moving towards CyberArk. We felt it was a more mature solution and that some of the connectivity and reporting was done in a way that we would prefer, for a company of our size.

Thycotic is a good tool. A lot of IT people already understand the structure of how it runs. The upgradability is nice as well. You can just click an "upgrade" button and it upgrades the solution for you. The cons of Thycotic include the way that the recorded sessions are done. In addition, proxy server connections were not available. Maybe they are now, but at the time we were building out custom connectors and we had to go through a third party to get those developed. It was very bad and every step of the way was like pulling teeth. That really soured our relationship with them a bit because we couldn't seem to execute with that solution. When we started talking with them about what we needed it to do to make things easier, they ended up recommending a full redeploy. That's not ideal under any circumstances for anyone. That's why we took a step back and evaluated other solutions.

With CyberArk, some of the pros were that their sales team and engineers were very quick to come in and help us understand exactly what we needed. The deployment timeframe was  also much shorter. We didn't have to work through a third party, as we would have had to with Thycotic. And the type of relationship we've had with CyberArk is one that I wish we had with other vendors we use. They've been phenomenal working with us.

CyberArk's abilities are amazing. We're just starting to hit some limits, but we're able to get through the majority of them. Some of the database stuff is a little bit more involved. The other things, like cloud and all of the Linux and Windows, have not been a problem at all. It's not that the database stuff is a problem, but it's just more complex.

If you want to talk about CyberArk providing an automated and unified approach for securing access for all types of identity, "all types" is a strong claim. I wouldn't ascribe "all types" of identities to anything. But for everything that we're doing with it, it has been a great tool and it's doing that for us.

We are mostly rotating passwords and using PSM for remote connections.

It provides us with better security and control over our accounts.

It provides an automated and unified approach for securing access for all types of identities. This approach is important for us. The more things we have that can be automated, the easier it is to get things done.

It gives a single pane of glass to manage and secure human and machine identities across environments, which is important for us.

It saves time when it comes to onboarding new employees and providing them secure access to SaaS apps and IT systems. It probably saves a couple of hours.

The automatic rotation of credentials is probably the most useful feature.

It should be easy to use for non-technical people. Its interface can be a bit difficult. Some parts of its interface are not very intuitive. Some of the controls are hidden, and instead of having a screen with all the controls for that account on it, you have to use menus and other similar things.

Its documentation could be better. Some of the documentation lacks details for people who aren't super technical.

I have been using this solution for about six years.

It is stable. We never had any hiccups that were caused by CyberArk.

It is easily scalable. In terms of usage, it is being used by all of IT. We have over 500 users utilizing the solution. We're always adding new people and features, so its usage is increasing every day. We plan to implement more types of accounts. 

Their technical support is good, but some of their documentation lacks details for people who aren't super technical. I would rate them an eight out of 10.

Other than the regular Password Manager, they didn't have any real solution. They chose to look into CyberArk because it is a good security practice to have accounts automatically rotate and secure remote connections.

It is pretty complex, but they have professional services to help with that. It is complex because of all the security around it, all the hardening, and getting everything set up to communicate with each other. I am not sure about the duration of the initial deployment because I wasn't on the team then.

In terms of maintenance, it doesn't require a lot of people. Maintenance is just keeping up with patches. It is pretty stable and doesn't require a lot.

We used CyberArk's professional services. They were good, and they helped get everything set up. They also helped do upgrades.

It is in line with its competitors, but all such solutions cost too much money.

It is a good choice. I'm not sure if they're the market leader or not, but they seem to have the biggest footprint. I know there are a couple of competitors, but I've never used them. The other two that I know about are not as widely used, so there is a bigger community for support for CyberArk, and there is also CyberArk's support.

CyberArk is good as a technology partner for ensuring that we maintain a strong security posture throughout our digital transformation. It is a needed platform to have.

Given my experience with CyberArk PAM, to a colleague at another company who says, “We want to solve cloud security challenges with born-in-the-cloud security solutions as opposed to legacy solutions that have been adapted to the cloud," I would say that CyberArk is a good option for the cloud. That's because you don't have to worry about maintenance, and all the integrations are already in place. The different accounts that CyberArk can integrate with are already in place.

It doesn't really give a single pane of glass to manage and secure identities across multiple environments. It only gives visibility into CyberArk and how the accounts are working there. If something is wrong with an account, sometimes, you have to check other tools, such as Active Directory, or permissions.

We don't use CyberArk’s Cloud Entitlements Manager and Secrets Manager. We use CyberArk PAM to implement least privilege entitlements, and it is neither easy nor difficult to implement them. It is somewhere in the middle. The adoption of least privilege entitlements by using CyberArk PAM is also somewhere in the middle. If users aren't really technical, they would have problems with it.

It provides consistent controls to enable secure access, manage secrets, and implement least privilege at scale across our environment. It is somewhat user-friendly for people to just rotate passwords. Its interface can be a bit difficult.

I would rate it an eight out of 10.

CyberArk's Privileged Access Management solution covers a whole range of features, like privileged web access, private vault, privileged session manager rights for a session in isolation, privileged threat analytics for analytics, and private sessions. We also use CyberArk's Application Access Manager, which includes their credential providers, such as agents and run servers. Then there is a central credential provider, which is API-based credential retrieval, and DAP or Conjur. This is more of a DevOps model for credential provisioning. We also have the Central Policy Manager, which rotates the credentials associated with unprivileged or servers accounts. It's a huge environment. 

Those are all the different functions we use. We initially purchased CyberArk for privileged access manager and session isolation of privileged users. By privileged users, I mean main admins, global admins, and preps like Azure or Office 365. Our initial use case was to manage those users who could drastically impact the environment if their credentials were compromised.

After we purchased the product, we had a third party on it. They suggested we also leverage CyberArk as part of the platform for managing service accounts, i.e. go out and proactively rotate credentials that are running or ordering services. That's another kind of big use case that we started implementing a couple of years. It's long work. It is tough to do, there's a lot of cases where it just doesn't work right, but overall it's been pretty valuable.

From a security perspective, CyberArk PAM gives us a lot of control and visibility into what our privileged users are doing. In terms of securing our cloud-native apps, we're just getting into deploying things to Azure, AWS, etc., and DAP brings a lot of value to that because it is cloud-agnostic credential retrieval. Azure has their key vaults, and AWS has their version if you are a multi-cloud solution. CyberArk's Secrets Manager, or DAP, brings a lot of value because you only have to learn how to integrate your apps with one solution that can be deployed across multiple clouds. 

I will say that CyberArk is struggling with some of the cloud integrations. For instance, Azure has a native identity solution, and Microsoft keeps causing issues with their ability to identify the hosts calling back. Some cloud providers are trying to lock CyberArk and other tools out of their environment and force you to use their native one. With that said, I don't use the other functions. I don't use the containerization Kubernetes integration or anything like that. We're not at that point yet. One of my significant concerns about investing a lot of time in CyberArk Conjur or DAP solution is that Microsoft seems to be trying to push them out of that space, and if they do that, then all of that work is null and void.

In our initial use case, we found CyberArk's privileged session management functionality to be incredibly flexible. It's challenging to write these plug-ins, but if you have somebody with a development background, you can write all sorts of custom connections to support different functional applications. We've written over a hundred custom connectors ourselves that allow us to do all types of privileged session management for various applications. On top of that, the rest of the API-based central credential providers allow us to get away from credentials that may be hard-coded in the script or some application. 

CyberArk's web console isn't in a great state. Over the last three years, if not more, it has been transitioning from what they call the "classic UI" to its modern interface. However, there are a lot of features that you can only use in the classic interface. Hence, each version seems to put more makeup on the modern interface, but all of the complex functionality you need is still in the classic UI. 

I'm not sure they've figured out how to transition, and they're kind of in a weird state. So, while CyberArk has made strides, the web interface is painful, particularly as an administrator, because you have to bounce between these different user interfaces. It is an incredibly complex solution that requires at least a dedicated employee or more to maintain it, support it, and understand it thoroughly. If you don't have that, it's just not the right solution for you because it is very complicated. 

Many of the infrastructure folks who use the product dislike it because it complicates their workflow. They get a little less control, and they have to go through a specific solution. It proactively logs in for them, which obfuscates some of the issues that they may be troubleshooting. And I think some of the consumers aren't big fans of the product. Also, I feel that in the last year or so, CyberArk has been pushing very hard for customers to go to their cloud solution. It doesn't have the same flexibility as the on-premise version, which is problematic because that's where I see a lot of value in the solution.

I've been using CyberArk PAM for about four years now.

CyberArk support isn't the worst, but it's certainly not the best. I'd give it a six out of 10. They were responsive. After you submit a ticket, you get the typical response. You gather all the logs and send them, and then they do some analysis. They typically send you back to get more specific logs, so it's a standard support experience. I would not say it's great, but it is not terrible either.

Overall, as a partner in our digital transformation, CyberArk has been great. The technology adds a lot of value, but they're also very much engaged and concerned. The customer success manager very much wants to make sure we're getting value out of the tool. I guess my only concern there is that they are pushing very heavily for customers to switch to their new cloud solutions that may or may not fit our needs or expectations. I am worried that they're going to push even harder. For example, CyberArk might start offering features only available in the cloud solution that would make our future somewhat tenuous depending on what's going on. So my only hangup is that they're pushing cloud solutions that I don't think are very mature yet.

Neutral

The environment's architecture is very complex, depending on your use cases, and I'm talking about CyberArk as a whole. Their past solution — their AM solution — and all of the other solutions bundled together are straightforward, and it all needs to work together. Depending on your use case and the connected components you need to have or build, you must learn a lot. So, it's not as simple a thing to deploy — at least on-premise. It isn't straightforward. Our environment comprises 20 to 30 servers that we had to spin up and connect. Disaster recovery has to be thoroughly vetted, discussed, and documented because as you onboard and manage those privileged accounts, you need a way to get to them if something goes wrong.

It took about a month to get the product running and several months to onboard users. And when we start talking about Application Access Manager, that's ongoing, and I think that'll probably be ongoing for a very long time. We were targeting our specific use cases, so we started with interactive users. The whole idea was to restrict, manage, and monitor those interactive users. Our rollout proceeded from the most privileged users to the less privileged users. Then we started targeting service accounts and that kind of stuff. So it was a phased approach from highest risk to lowest risk to lower risk.

CyberArk PAM requires a lot of maintenance. Right now, we have about one and a half people, but I would say we need to add several more people to do a better job and add a lot of functionality. It requires a lot of maintenance and monitoring. They've relied on many different Microsoft features to secure the privileged session manager. It requires a lot of tuning, monitoring, and managing those solutions. They use AppLocker to restrict and isolate these running sessions, and AppLocker breaks all the time, so you have to go in and troubleshoot why it's broken and tweak it. That could mean adding a new rule or updating an application. It is a lot of maintenance, depending on your use case. But then again, we have gone very hard into privileged session management and developed over a hundred custom connectors. Another customer might deploy RDP and call it a day, drastically reducing maintenance.

If you ask me the ROI, I'm not sure I could give you an exact number. Security tools are pretty tricky when it comes to that. But if you're adopting a risk-based approach, this substantially reduces risk. It brought a lot of visibility and allowed us to monitor all of our privileged users, so it is valuable from the perspective of KPI, modern solutions, and risk reduction. If we were to score this on an internal risk review, our previous risk would rank four out of five, and we've lowered this to a low severity risk.

CyberArk had just changed switched their licensing model to perpetual licenses when we purchased, including the whole PAM Suite. Before we bought it, they were licensing each function individually, which got complicated and very expensive. When we decided to buy it, it was much more straightforward and still quite expensive, but it brings a lot of value and risk reduction to the organization. 

In the last year or so, it's my understanding that they have switched from a perpetual licensing model to pushing companies to a subscription-based model. I have not dealt with this yet, so I'm not sure my feedback on licensing would be too valuable because they've moved away from the license type we purchased.

This was our first foray into the PAM space. We did a proof of concept evaluating three different solutions, so CyberArk was the clear winner. I don't want to speak ill of any other solutions, but I will say that CyberArk's architecture was much more secure. Other competing solutions may leverage an agent that is installed on your local machine and runs your privileged applications locally, leaving a lot to be desired from a security perspective. 

CyberArk uses remote desktop gateways similar to Microsoft's RDS functionality, and it abstracts that privileged application from your workstation. So even if you're compromised, a malicious actor on your laptop or workstation would not be able to get to that privileged application. This was very valuable to us. Other solutions did not have that functionality.

As it stands today, I would rate CyberArk PAM nine out of 10. However, I'm concerned about the future of the platform. While I've had nothing but great experiences so far, I have concerns about how they've been pushing that cloud solution in the last year and a half. I feel like they're going to pressure us to move to the cloud even though they're not mature enough in the cloud. 

Rather than create a cloud-native version, they've migrated their on-premise solution to the cloud, but they don't allow cloud customers to access the backend, which I recommend all the time as an on-premise user. Instead, you have to submit a support ticket and have their support do things on your behalf, which delays your ability to work with the tool. Furthermore, they may not be willing to make the modifications you want because it would affect their ability to impact the solution consistently. CyberArk designed the on-premise version to be incredibly flexible, and I have never found a use case where I can't do the work I want to do. Their cloud model discards a lot of that flexibility, which is where I see a lot of value, so I have concerns about the future of the tool.

Also, I'd like to point out that service account management is incredibly hard, particularly in a company that's been around for a while. Any company looking to adopt service account management needs to know that it's not as easy as vendors make it sound. Many things don't work right out of the box, so the most important lesson we've learned is to calibrate the expectations of senior management when it comes to service account management because it is a lot harder than anybody thinks. You're likely to break things in the process of trying to manage these accounts.