CyberArk Privileged Access Manager Reviews

Our clients primarily use the CyberArk Password Vault for password rotation and password management.

The feature I find most valuable is the password credential rotation.

With regards to potential improvements for the CyberArk product, I find the product quite expensive and I would like to see the cost reduced. 

I have been using CyberArk Password Vault for 8 years. 

CyberArk Password Vault is super stable once you are on a tried and true platform version. 

The product is also easy to scale. 

I have utilized CyberArk technical support for issues and this was very straightforward to work with. The response time was a little slow. 

I have previously deployed and installed Thycotic as an alternate password vault solution, but I find CyberArk to be much better.

With installation of CyberArk Password Vault, there are some complexities to setting it up, I would say it is not straight forward to setup. 

We have clients that ask us to implement CyberArk PAM. There are two kinds:

1. Greenfield installation and setup. 
2. They already have CyberArk and want to extend their usage to protect different types of accounts and passwords.

CyberArk PAM protects privileged accounts and passwords. Privileged account means that those accounts have particular authorization that can span all the features of the system. For example, usually on network devices, they come out out-of-the-box with administrator accounts. Windows has an administrator account built-in so you need to protect that. Also, Active Directory has some accounts, like domain administrators, who can do whatever on the platform. These accounts are used for administration.

CyberArk stores and rotates the password/credential. They can rotate SSH keys as well. This protects the attack surface. By way of CyberArk, you can allow sessions, isolation, and recording. The main aim is to protect privileged accounts and their credentials.

I started with version 9.7, and now I am working with version 10.10, but the latest version is 12.

The automatic change of the password and Privileged Session Manager (PSM) are the most valuable features. With Privileged Session Manager, you can control the password management in a centralized way. You can activate these features in a session; the session isolation and recording. You apply the full intermediation principle. So, you must pass through CyberArk PAM to get access to the target system. You don't need to know the password, and everything that you do is registered and auditable. In this case, no one gets to touch the password directly. Also, you can implement detection and response behavior in case of a breach.

With CyberArk, you have a centralized store. With Privileged Session Manager, you can just look by the browser, looking through the name of the account, the name of the system, and the host name. In this case, you get the password and can then get through. Therefore, it is easier to get access to the system because it is easier to search the system for what you want using the user interface/browser of CyberArk. You also have an auditable action because the password is unknown to the administrator.

Some aspects of the administration need improvement, though they have recently made improvements to the API. However, the management with the interface and configuration are not so user-friendly. It has not changed much during all the years that CyberArk has been on the market. The management part, like platform management as well as PSM connectors definition and management, could be improved, even if it has already been done with the API.

Onboarding is always a difficult path for every PAM solution. It is not immediate.

We have been using it for six years, usually in delivery projects.

The stability is very good. There are no problems with it.

It has good scalability. Though, because the architecture is modular, you must plan a bit. In terms of performance, it is very scalable, but you need to pay attention to the architecture because it is not like having Kubernetes that moves laterally. While you can deploy it in a second, you need to be careful. 

They have a good response time. 

Sometimes, on the development side, for some components, it does not respond for PSM connectors and CPM plugins. They don't tend to take responsibility for those. While clients tend to develop some PSM connector and CPM plugin, I would like a more flexible response on these types of issues being raised. Because while I am developing those components, I am developing on their product.

Positive

We had clients who had quite a lot of SAP systems, something like 900. At first, their change management practice, i.e., the changing of the administrators' passwords was not so frequent, e.g., once a year instead of once a month or every two months. Their password management was usually done by storing those passwords on an Excel. Therefore, if they needed to connect to a system, they had to access the Excel file to find the machine and accounts to then receive the passwords for access to the system. This was unwieldy since they needed to look through an Excel spreadsheet with more than 900 entries. This is also not very secure since you have an Excel file with a clear password on your workstation. 

It was a bit complex because the architecture is complex. At the same time, this is also an advantage in relation to other competitors in the market because CyberArk's architecture is inherently secure. So, while it is a bit more complex to set up initially, it is necessary for reaching the security that other solutions do not give you.

The installation can easily be done. It is the architecture part that is complex, possibly because you need to size the machines. 

It depends greatly on the project. Usually, the best approach is a modular one. You start with a set of users, then move on to expanding the solution with size in mind. 

CyberArk's architecture is peculiar. It is the most secure on the market because they have a hard-end computer out of the domain that stores passwords with multiple cryptography. Then, there are the default components that dialogue with Password Vaults. Only CyberArk has this. The other solutions usually give you an encrypted database on an appliance, and this is a very different scenario. Therefore, CyberArk has an inherently secure architecture.

Broadcom PAM is not as stable versus CyberArk. 

Plan wisely and you will have a very good product. The approach should be modular and step by step. Start with the UNIX administrators, network device administrator, Windows administrator, and Active Directory administrator, then move onto more complex scenarios, like web server administrators, sub-administrators, etc. 

I would rate CyberArk PAM as nine out of 10. It could be more manageable.

The major use case for us is to securely release and manage passwords for non-personal accounts.

CyberArk provides an automated and unified approach for securing access across environments. It's a work in progress but that is the goal, for us, of implementing CyberArk. We want to provide a unified way to access all environments. We are in transition, like most big companies, into cloud solutions. So this is also something that is being discussed and analyzed. But that, overall, is the mission of CyberArk in our organization.

CyberArk has made it possible to work with non-personal accounts. Before, there was a much more focus on having privileges associated with personal accounts, and non-personal accounts were scarcely used because doing so required a lot of manual work. That work has been replaced with automated password management and the controls that come with CyberArk. It allows our organization to control the risks associated with high privileges. Previously, anyone could do whatever they wanted, on their own, but now we can enforce dual control. That is very important from a risk perspective. And the fact that we have it automated means it doesn't require that much effort to maintain things.

Also, when we onboard new employees, the solution saves us time, to a certain extent, when it comes to providing them with secure access to the applications and IT systems they will be working with. Those savings are not directly thanks to CyberArk, but it can be considered part of the bigger solution to make sure that employees have the correct access to the resources they need as soon as possible. That is true after they have been onboarded or when their position has changed and they need to be granted new access.

The automatic password management is the most important feature. The second most important feature is the ability to enforce dual control on the release of those passwords. The combination of these two features is the most important thing for us because we can show that we're in control of who uses any non-personal account, and when they do so.

I have been using CyberArk Privileged Access Manager for five years.

My impression of the solution's stability, in general, is very positive. It's quite robust. There are mechanisms in place that allow you to have high availability and that allow you to have proper disaster recovery. Those mechanisms are very solid, as we have tested them extensively within our processes to assess the risk associated with the use of CyberArk. They have performed very well.

The only thing that is lacking with respect to the stability is the scalability issue. The amount of data we need processed is too big for CyberArk to manage properly. That mostly impacts performance, not the stability, but to some extent the stability has suffered due to that. 

But overall, I would rate it very good in terms of stability. We had a minor issue once and, other than that, we have been online the whole time that I have been here. We have tested it thoroughly and have not found any situation where it would become too unstable to perform our tasks.

The major pain point that we have is the capacity of CyberArk due to the sheer volume of NPAs that we are managing. We are a large organization and we have hundreds of thousands of non-personal accounts to manage. We have already found out that there are certain capacity limitations within CyberArk that might introduce performance issues. From my perspective, something that would be valuable would be if the Vault could hold more passwords and be more scalable.

We have used their tech support extensively and there has been a lot of improvement in the way that CyberArk support operates over the last few years, but it still leaves somewhat to be desired. That is particularly true given the pricing. You would expect, for the amount of money that they charge for their support, and for their product in general, that it would be better. 

But I've seen major improvements in the last couple of years. I think they are aware of this issue and that it is an area that they are lacking in and they're working towards improving it.

They need to better recognize who they are dealing with. CyberArk has an extensive training program, the CyberArk University. You put in a lot of effort, resources, and money, to attend the training and become a professional in terms of your knowledge and ability to manage the Vault, and the solution in general. But then, when you require support, you are asked very simple questions, which you have already answered based on the knowledge that you've obtained from CyberArk. It takes a lot of time and effort to convince their support that you indeed have a more complex case to resolve, rather than a very simple fire-and-forget solution. It's generally not the kind of thing where they can give you a link to their knowledge base and look through it to find a solution yourself.

I have been working with CyberArk for five years and have all the possible certificates, and have extensive knowledge about it. Any time that I report a case to support, it seems the general gist of how such services operate is that they're trying to get rid of you. They give you a solution that, maybe, vaguely resembles the issue, or a solution that you specifically stated that you tried already and it does not work, just to get rid of you. They probably have customers who would be happy with that, but because of the importance of that software within our organization and the level of maturity that we have within my team as administrators of CyberArk, we expect, and we've communicated this to them, that they will approach our requests in a more advanced way. 

They should recognize that we have probably already done what the first line of support would suggest be done, and that we require some more involved support, but it seems very difficult to communicate this to them. Even if we get through to further lines of support, we often have the feeling that we still know more than they do about their own tools. I think there has been some sort of knowledge drain from CyberArk. We often have the feeling that they are learning on the job. They don't inspire a lot of confidence when it comes to their support.

Neutral

There is a lot of return on investment in CyberArk. Being a financial institution, we are responsible for managing risks, and CyberArk really helps us to be in control with the usage of NPAs. That, in turn, translates into a proper risk score for the organization, and that directly translates into actual money being saved.

It's expensive, certainly. But CyberArk is the leader in the market with regards to privileged access management. You pay a lot, but you are paying for the value that is being delivered. 

It's not a tool for small companies. You need to be a large company with a lot of resources to implement it. But the price tag can be justified, even though it's always hard to quantify these things. It really brings value, regardless of the level at which you implement it. If you use it at a very basic level, as just a password manager, or you go further with all the other elements of the tool, it's expensive, but it's worth the price.

We only use it on-prem, but for someone who only wants to solve cloud security challenges with a born-in-the-cloud security solution, I would still tell them CyberArk is one of the potential solutions. I would also tell them to do their assessment because it costs a lot. So it depends on the scale of use and the use cases. It certainly has the most capabilities that could be of use, but it depends on whether you only have some small deployments in the cloud and on the size of the risks involved. For certain scenarios, I would say they should immediately go with CyberArk, and that they shouldn't bother with others' solutions. In other scenarios, I would say they should do a very thorough assessment of the market before they decide because there might be cheaper options that will be sufficient for them.

I've deployed Password Vault for various use cases across different industries from finance to healthcare and manufacturing. 

I love how easily we could operate within Password Vault and get things done. It was almost effortless. After we went through the implementation phase, it did what was promised, and we did not have to call support. It was a flawless install. All of us had experience as well because we got our certifications. We'd worked with it for at least a year.

There was a situation when one of our presidents had an issue, but I can't recall the specifics.

I've been using Password Vault for three years now.

For scalability, I'd give it a 13 on a scale of one to 10.

The installation was very smooth. 

At my previous company, my budget amount was $15,000, and we didn't spend all of that. It was a larger company than the one I'm with now. It was global. We didn't spend that or come anywhere near it. They're still adding on, and I know that CyberArk will be the solution that they're going to stick with. They were hybrid, and now they're all cloud.

I rate Password Vault 10 out of 10. If you're planning to implement Password Vault, my advice is to just let it work. Do all your use cases up front, and make sure you throw everything at them that you think will happen in your environment. Make sure that that's all addressed, so when you go to deployment, it's just easy. 

I have been working with CyberArk for the past five years. I do installations, support, and presales.

We have installed the CyberArk solution and have been using it as a PAM solution.

The main reason for having the solution in place is to isolate and monitor all previous activities that have taken place within the organization. The second thing is to make sure all the previous accounts have been onboarded to the solution and accurately monitored as well as passwords have been managed as per the policies defined. The third thing is to make sure users are unaware of their previous account passwords. Those should be centrally stored and located in one of the solutions where we can manage them per our policy or ask users to raise a request for internal workflows on the solution, in case of any emergencies. The last thing is for managing the service account passwords.

Initially, the IT team and other teams used to access the servers manually. Now, because of this solution, everyone is onboarded on the PAM and we can direct all sessions to the PAM. Also, we have control of all decisions and activities being performed. Along with that, we are satisfying audit requirements with this because we are getting reports to track what we need to comply with any regulated requirements. 

We have an option for protecting various kinds of identities. It also provides you with a medium for authenticating your systems, not only with passwords, but also with the PKI certificates and RSA Tokens. There is also Azure MFA. So, there are many options for doing this. It has a wide range for managing all security identities. 

The most valuable feature is CyberArk DNA, which is an open-source tool used for scanning all servers, like Linux or Unix. We can get a very broad idea of the scope and picture of the servers as well as their predefined vulnerabilities, the service accounts running on them, and the dependent accounts running on those services. We get a very wide scope for all our servers and environments. 

There are some other options like Privileged Threat Analytics (PTA), which is a threat analytics tool of CyberArk that detects violations or any abnormal activities done by users in the privileged solution. This tool is very unique, since other PAM program solutions don't have this. This makes CyberArk the unique provider of this feature in the market.

It is very easy to maintain passwords in the solution, instead of changing them manually or using other tools. So, it is a centralized location where we have accounts and passwords in a database based on our defined policies. 

Product-wise, CyberArk is continuously improving. For the last two years, it has brought on new modules, like Alero and Cloud Entitlements Manager. Alero gives VPN-less access to the environment. So, there are many new things coming into the market from CyberArk. This shows us that it is improving its modules and technology.

We can integrate the solution with any other technologies. This is straightforward and mostly out-of-the-box.

For DevOps, we are using Conjur with a Dynamic Access Provider. We use those modules to make sure identities on other environments have been secured. For Azure and other cloud environments, we have out-of-box options where we can do some little configuration changes to get those identities secured. We have a process of managing these identities for RPA as well.

It has a centralized page where you can manage everything. This makes work easier. You don't have to remember different module URLs or browser applications. It is very easy to get all the secure identities of other environments into a single page, which is very important for us as it helps a lot in terms of operations, e.g., reduces management time. This is a single page where you can manage all accounts and onboard them to the CyberArk. You can then secure and see passwords from everywhere. So, there is a single pane of glass where you can manage all the identities across environments as well as across different types of identities.

We have a module called Endpoint Privilege Manager (EPM) that is used for the endpoint, managing the least privilege concept on Windows and Mac devices. We also have On-Demand Privilege Manager (OPM), which is used on UNIX and AIX machines. Using these modules, we can achieve the least privilege management on endpoints as well deploying on servers, if required. 

The continuous scanning of the assets is limited to Windows and Unix. We like to have the solution scan any databases, network devices, and security devices for privileged accounts. That would be very helpful. 

For least privilege management, we need a different level of certification from privileged management. Least privilege management comes under endpoint management. It takes time to get used to it, as it is not straightforward.

I have been well-versed with the CyberArk product for the last five years of my career.

The solution is very stable. 

Once the project installation was done, we put this product into the environment based on the policies that we defined, but it had initial hiccups. The policies that we defined might have hampered and raised issues, but the product is very stable.

The solution is very scalable. The landscape gets improved every day. It is scalable because it integrates with Azure, AWS, and other cloud solutions. Also, we have modules that work for DevOps, Secrets Manager, and Endpoint Privilege Manager. So, CyberArk is not just a PAM. It covers most of the products in the threat landscape. We do not worry about scalability in terms of CyberArk.

Our primary support is partners with whom we are interacting throughout the project. Then, if an issue is not yet resolved, we will raise a case with CyberArk support. They have certain SLAs that they are following based on the seriousness of an issue. The response will be according to that. 

The support is good.

Positive

We didn't use another solution before we bought this one.

The initial setup is straightforward. They have done major reforms on the installation process, so now we have automatic installations. We just have to run a particular script, and that does the installation for us. We also have a manual installation and that is our legacy process. So, we have both options. It is up to the customer how to move forward, but it is pretty straightforward. 

RNS did the installation for us. Our experience with them was pretty good. They followed all the processes per project management standard. They tracked all the activities, making sure the project was delivered on time, which was good.

One dedicated person is enough for the solution's maintenance.

CyberArk DNA is free if you purchase the CyberArk solution. There is no additional charge for CyberArk DNA, which is great.

Before, I used to work as a system integrator. I looked into other PAM solutions, like ARCON and BeyondTrust.

Make sure your use cases are covered. Go for a small PoC, if possible, to make sure that all your use cases are covered and delivered per your expectations. Check whether the solution is on-prem or Azure and the resource utilization needed for implementation. For your IT expansions in future, check whether you will need any additional modules in future or if the existing ones will meet your future requirements.

With Secure Web Solutions, we could access any web applications from a PC. It was like a native tool where you could browse from your Chrome or any web applications, and the applications would be routed to the CyberArk where it was securing the web applications and access. However, this product was deprecated last year so it is no longer supported from CyberArk's point of view.

I would rate CyberArk PAM as nine out of 10.

The solution is too complicated to use and should be simplified. It took me a long time to understand how to use it. There is a lot that the solution can improve for the future.

I used CyberArk Enterprise Password within the last 12 months.

The solution is stable and reliable.

We have approximately eight people in my organization that use this solution.

I did not like the solution at all and I was happy when we stopped using it.

I rate CyberArk Enterprise Password an eight out of ten.

It is useful for protecting passwords. If you need to do access security management, you can first use the CyberArk console, and after that, you can connect the firewall interface or firewall command line. Similarly, if you need to do an RDP session, you need to first log in to CyberArk before connecting to the Windows RDP session. This way, the admin doesn't know the password, and that password is changed immediately. To change the password, you first discover the old password in the network, and after that, you can change the password.

It can be integrated with other systems, but it is not easy to integrate. It takes too long to integrate it. Its integration should be easier and simpler. 

Its stability is very good. It is a very robust and stable product if you have the correct installation and configuration. Otherwise, you would have problems.

It is scalable. Our customers are enterprises with a minimum of 2,000 users and maybe 100 admin users.

We are satisfied with their support. Our customers need local support, and CyberArk provides that. Their documentation is also good.

It is a little complex as compared to its competitors. Its deployment took a long time.

We had a consultant, and we were satisfied with the service. You need someone with one or two years of experience.

They have two types of licensing: purchase and subscription. You have to pay for each admin user, such as Microsoft admin, mail admin, database admin, etc.

I would rate CyberArk Privileged Access Security an eight out of ten. It is a good product.

We use this solution for ID purposes. When we remove a user from the server, we need a privileged ID password.

We are a University. It's a large organization.

It's not very different when compared with other products.

From what I can see, the Systems Integrator is useless. When I ask for the information, nothing is given to me. They need to provide better training for the System Integrator.

I have been working with this solution for two years.

Its' quite stable.

It's a scalable solution but could be improved. On a scale of one to five, I would rate it a four.

I have not used technical support.

The initial setup is pretty easy. It is not complex.

We used a reseller, integrators, but they were useless to me.

Pricing is quite high and it could be improved.

I would rate CyberArk Privileged Access Security a six out of ten.