CyberArk Privileged Access Manager Reviews

The primary use case and the most used functionality of CyberArk PAM is managing privileged access (an easy way to pass permissions to specific servers to specific users granularly) and password management (an automated solution that manages password validity, expiration, etc.). PSM gives a possibility to set all connections secure and it is possible to re-trace actions made by users during such sessions. It is a good tool for extending usage to new end targets sometimes even out of the box.

CyberArk PAM ended a scenario where several dozens or even hundreds of privileged accounts had the same password or administrators had passwords written down on sticky notes. 

I have experience with onboarding thousands of accounts - mostly Windows, Unix, and network devices. I have developed (customized based on defaults) password management plugins for Unix systems and network devices.

I like the integrations for external applications. There are actually infinite possibilities of systems to integrate with - you would just need to have more time to do that. It is not an easy job, yet really valuable. I am not an expert on that, however, I try every day to be better and better. I have the support of other experienced engineers I work with so there is always someone to ask if I face any problems. End-customers sometimes have really customized needs and ideas for PSM-related usage.

The Vault's disaster recovery features need improvement. There is no possibility to automatically manage Vault's roles and for some customers, it is not an easy topic to understand.

I noticed that CyberArk changed a little in terms of the documentation about disaster recovery failover and failback scenarios. Still, it is a big field for CyberArk developers. Logically it is an easy scenario to understand - yet not for everyone, surely.

I've used the solution for around five years. I have been using CyberArk PAM as an end customer for three years. For another two, I work as a CyberArk support specialist.

Stability is overall good. However, there are many error messages that are like false-positive - they do not produce any issue yet logs are full of information.

The scaling has been mostly positive. It seems not hard to scale it up.

Sometimes it is hard to understand the capabilities, limitations, etc. They try to help with that.

Positive

I've never used another solution that would have the same or similar capabilities.

The initial setup can be complex. It is important to go really carefully step-by-step with instructions. When you do that, you can be 100% sure everything will work well.

When I was an end-customer I recall using a vendor for the implementation and support. Now, I am a vender and therefore I do it by myself.

Licensing may sometimes seem a little complicated. A good partner from CyberArk can work it out.

Unfortunately, I have not participated in evaluating other options.

Overall, I am really glad I worked with CyberArk for five years.

Our primary use case for the solution is to support privileged identities.

The password management feature is valuable.

The solution can be improved by including more connectors to other third-party systems for integration.

We have been using the solution for approximately five years.

The solution is stable.

The solution is scalable. Approximately 150,000 people are using the solution.

We previously used One Identity.

The initial setup was a bit complex.

We deployed the solution in-house.

We have seen a return on investment. The solution makes our procedures better, making the environment more secure and changing the mindset of people. 

I rate the solution a seven out of ten.

Privileged Access Management is basically used to just keep track and log. We have to provision those accesses. If a newcomer comes, they have to be identified to ensure they are the correct users. So for those, there is a web implementation where there are some products that you can order, then they're approved. Depending on that mechanism, it's been decided, oh, this is a valid user. That's how it's been managed.

Privileged Access Management in CyberArk is one of the very first features that was implemented as part of Privileged Access Management. Then came Endpoint Manage and finally the Password Vault. From the very beginning, once Identity Access Management as a service started, with Dell One Identity Manager as the first service. Then came CyberArk. I don't think there is an additional benefit that it has brought. It's sort of an essential commodity in the entire Identity Access Management infrastructure.

For me, Privileged Access Manager and One Identity sort of merge together. For me, the best part of CyberArk is Password Vault and Endpoint, basically. If you ask me what's there that, it's that everything is pretty straightforward. There is no confusion. It's a pretty straightforward application to work on.

It is a scalable product.

The solution is stable. 

They should allow further customization as it's really hard to do any further customizations over CyberArk. We do have a wrapper of customization. However, it's very difficult, especially their web implementation. That's one thing I would say they can improve. With Angular and everything on the market, they still have their in-house web implementation tool, which is sort of a headache. 

I would love them to improve their UI customizing features. 

You simply cannot install the demo UI in every customer, basically. They would always ask for something to make their UI look a little different -  simple things like their logo or some sort of additional information pertaining to their particular customer. Even doing the smallest of changes takes a lot to do. 

The solution is stable and reliable. 

I haven't been faced with intermittent bugs like I do on One Identity.

With CyberArk, we rarely get those situations. It's a very, very stable software. You rarely need to raise any bug or service request with them.

It's pretty scalable. Although we haven't increased our infrastructure once, we have installed the latest version. Even then, adding other infrastructure items into the portfolio is not a big deal once you have done the initial installation.

Our organization is more than 30,000 to 35,000 people. However, only a handful of them are entitled to Privileged Access Management. There might be only 5,000 users. It is used quite extensively.

It sort of was implemented with One Identity Manager when Identity Access Management came into the picture. In early times when there was simply Excel as an identity access manager, and then there was nothing basically. Once there was the onset of proper identity access management without in-house custom tools or proper streamlining process, this solution was added. Initially, One Identity was sort of used as a Privileged Access Management also. However, soon they realized that it lacked in a lot of places for Privileged Access Management. That's when we went to CyberArk. That was way before my time.

I have been part of the initial implementation. However, the day-to-day operational tasks are being handled by a different team.

I was part of a migrational project. When I joined this organization, they were just migrating from the last stable version to the present stable version. It was pretty straightforward. There was, in my organization at least, documentation that was a bit more thorough to follow. That helped me a lot.

The implementation takes quite some time. Even in production, we have to instantiate the service. We had to take a special weekend, which means downtime since this is a critical application. Therefore, moving this takes some time. It's not that there are glitches and all. It's such a heavy application that requires moving so many things. For us, it took around nine to nine and a half hours roughly to deploy. This is considering if I take off all the in-between stoppages and breaks.

Privileged Access Management is a complex topic. I won't say that any of the tools are straightforward. That said, if you are thorough, then it's pretty straightforward for people who are in this industry.

I'd rate the setup process a four out of five in terms of ease of implementation.

With every security tool, new users learning by themselves is a bit difficult since the material isn't openly released. It's released if you have a partnership or if you pay for the software. That makes learning the tool a bit difficult. If you are interested in learning, the only thing is to get a job in that field. If your company is using it, it's like learning by doing. That's the only way you can learn about this product.

I'd rate the solution eight out of ten.

Our use case for CyberArk Enterprise Password Vault is managing privileged accounts. These are local accounts, e.g. local desktops, laptops, or servers. They have a built-in administration account, so part of the solution is to ensure that that account's username and password are stored in the vault and managed by CyberArk Enterprise Password Vault.

The most valuable feature of CyberArk Enterprise Password Vault is the auto password recycling feature, which works this way: previous accounts which are managed by this solution get their password reset every time, based on our given parameters, e.g. every two days, every five days, every week, etc. You give CyberArk Enterprise Password Vault the number of days that you want the passwords to be changed, so users won't need to have their passwords written somewhere. They can just log on to the solution and retrieve the password. They may even be able to remotely connect to the devices that they want to connect to via the PSM function of CyberArk Enterprise Password Vault.

What needs to be improved in CyberArk Enterprise Password Vault is their customer support, because as administrative engineers, since we're not experts in the solution, we have to rely on customer support.

Their customer support needs improvement in terms of being responsive and being understanding. They are knowledgeable, but responding and willingness to come and help knowing that it's their tool, rather than relying on the engineers from the customer side, e.g. our side, to do all the technical things.

The initial setup and upgrade process for CyberArk Enterprise Password Vault is complex and can only be done by CyberArk, so this is another area for improvement.

My experience with CyberArk Enterprise Password Vault is almost three years.

CyberArk Enterprise Password Vault stability is good. If it's properly set up, it can just run by itself. It's a very solid tool, but it has to be properly set up because a simple misconfiguration can create a lot of pain. Once set up, it's really good.

Customer support for this product still needs some improvement.

The initial setup for CyberArk Enterprise Password Vault is another pain point, because the setup, including upgrading the solution, can only be done by CyberArk themselves. They have professional services involved to get an initial setup done, and to even do an upgrade, because of the complexity of the product itself.

The SaaS version of CyberArk Enterprise Password Vault is very expensive, but the on-premises version is relative, e.g. depending on the size of the environment, it can be a bit pricey, but it's relatively okay compared to the others. It's their SaaS solution that's expensive.

We're using version 11.1 of CyberArk Enterprise Password Vault.

It's probably not fair to judge CyberArk Enterprise Password Vault based on my overall experience with it, because the tool itself is brilliant, though it's a little bit complex in terms of how it is set up. The customer service could still be improved to meet the standards, but I'm giving CyberArk Enterprise Password Vault a score of seven out of ten.

I have worked as a CyberArk SME, team leader, project manager in the financial industry. I've managed both the implementation and configuration of enterprise CyberArk infrastructures.

As an end-user within the organization, I can't and I don't need to know the passwords of privileged accounts as CyberArk is taking care of the password/SSH Keys management on the target machines. The solution provides this security without changing the end-user experience because they are able to use the end-user tool like putty or remote desktop connection even without passing through the CyberArk interface

Our most valuable features would probably be password/key rotation, the SSH key manager, account discovery and quality of video recordings.

I think they can add a new feature for the account onboarding like I've seen for another PAM tool: for instance they should give to the CyberArk administrator the chance to upload the accounts via the PVWA using a txt or an xls file.

If you don't know the product well, it might not be easy to set up, because CyberArk has several modules. You need to study it before to start to implement this solution. It's not like other PAM tools e.g.Thycotic, which is easy to set up, as it's just a web server with a database.

The deployment itself can take between one and two work weeks. The project, or configuration documents, however, must take more time. You cannot think about the infrastructure in one week. You have to prepare all the documents, understand the infrastructure you want, etc. It's the project management that takes more time.

You have to analyze the target hosts that you have in your organization and understand what is the scope of your project. You have to make a very clear plan for the project and CyberArk infrastructure sizing. Then you have to do a very good job with the project management and collaborate with the privileged accounts stakeholders. With all that in mind, you can go ahead with CyberArk.

Be careful with the configuration. When you make changes and so on, be very careful to understand what you are doing. Plan and test what you are doing in a test environment before switching to production.

I would rate CyberArk as nine out of ten. Ten means that it's the best solution on the market and no one else compares to it.  However, before giving them a ten, they should do something related to the Password Vault utility. Maybe they should add some other features too. For me, it is one of the best tools on the market, so nine is enough for now.

The primary use case is increasing security and our security posture at our company, helping to prevent any future breaches and secure as many privileged accounts as we can. We have a lot of use cases, so there is not really a primary one, other than just trying to increase our security and protect our most privileged accounts.

We do not have a large cloud presence as of yet, but like other organizations, we are starting to get into it. We have a fantastic adoption of CyberArk that extends all the way up through executive leadership. A lot of times, projects and proof of concepts that we want to go through are very well-received and well supported, even by our top leadership. Once we get to the point where we are ready to do that, I think we will have executive support, which is always incredibly important for these types of things. 

We are in healthcare, so we are a little bit behind everybody else in terms of adoption and going into these types of areas. We are a little bit behind others in terms of cloud, but we will definitely get there.

Right out of the gate, three years ago, we secured all of our Windows Servers and all of our local administrator accounts. We followed that with all of their root accounts for our Unix servers. We were able to greatly increase our posture with local accounts. Then, we went through domain admins and reduced the landscape and password age of those accounts. We have demoted a lot of domain admins and taken a lot of that away from people, giving it a shared account structure. This has worked well for us to be able to protect our most sensitive assets. We call them crown jewels. It has been important to be able to do that, and CyberArk has allowed us to do that, which has been great.

We have tightly integrated CyberArk into a lot of our different processes. Our security organization is massive. We have a lot of different teams and different things moving. Not only have we integrated this into our identity access management team, so onboarding and offboarding, but we also have integrated it in our threat management side where they do security configuration reviews before we have applications go live. We require these accounts that operate those particular solutions to be vaulted immediately. We have implemented them into a lot of our policies, standards, and processes. It has helped us with our adoption with other teams, and it has also helped us to integrate it at the ground level.

It has an automatic password rotation. We have so many accounts, and being such a large organization, it helps take a lot of maintenance off of our plates, as well as automating a lot of those features to help increase our security. Having this automation in place, it has really been beneficial for us.

We do use their AIM solution for application credentials.

One of the things that I have been wanting is that we use the Privileged Threat Analytics (PTA) solution, and it is a complete standalone solution, but they will be integrating it into the vault and into the PVWA. So, we will have that singular place to see everything, which for us is great because it's one less thing to log into and one less thing that you feel like you have to jump over to get a piece of information. Having a centralized place to manage the solution has been something that I have always wanted, and they are starting to understand that and bring things back together.

Three to five years.

It is phenomenal. We have three data centers across the United States. This was last year or the year before, we had one of our data centers altogether go out, and a very large amount of our critical applications went down. CyberArk stayed up the entire time. We had redundancy in another data center and we had disaster recovery plans already set up and ready to go. In that time, when everything was so hectic and everybody was scrambling, trying to get the data center back up and available, they were able to access the privileged credentials that they needed because our solution remained up and available.

This was a huge for us. To have the users of the system feel that it is stable, trustworthy, and dependable. We have had great success with the disaster recovery functionality that we have with CyberArk vault. We test it frequently, and it is stable for us. We have been very pleased with the stability of the solution.

So far, it has been fantastic. We are a very large organization. We have approximately 110,000 employees and almost 20,000 accounts vaulted, where there is a lot of room for us to continue to grow. Even at the scale that we are at now, it has never had any kind of issues. We have never had any issues with deploying additional things. We do have some room to grow in some of our components servers if we need those, but everything that we have stood up so far has been operating flawlessly. We have not had any issues with our scale. It has been great.

We have contacted them less frequently as we have become more familiar with the solution. A lot of times now engaging technical support is more for sanity checks, and saying, “Are we doing this right or are we missing anything?” We have utilized them and have had pretty good success with having them help us with particular issues.

When we have called them, it has been something which has been a challenge for us. We generally get to the right person. Sometimes it takes us a bit of time and some further explanation to say, “This isn't exactly what we're asking." Then, we need to pull in somebody more technical or a next level of escalation. 

The customer success team has been monumental in helping us get the right people involved. If we log a support ticket, for example, and we are at a point in our maturity and our understanding of the solution that Tier 1 support is usually not what we need. We have done a lot of our own checks and troubleshooting, and we are able to say, "Here is all the stuff that we've done. We need the next level of support."

The customer success team has been monumental in pulling in the right people and helping us get to the right people on that side rather than working with the support person and saying, “We pulled this person in.” Sometimes, it is pulling in the solution manager or the team lead for that solution and getting to the top of that team almost immediately. We have had great feedback. The customer success team has been at the center of helping us get to that point.

We did not use another solution before CyberArk.

The big thing that was a catalyst for us to look at CyberArk was the Anthem breach that happened back in 2014 or 2015. Being a healthcare organization, our executive leadership realized that we are a big company. We are not immune to these sorts of attacks either. We have got to get something in place. Being best of breed, we turned to CyberArk for that. Again, it has been a fantastic partnership, and has both ways; we've been able to help them. They have been able to help us quite a bit as well. 

The initial setup was straightforward. We did have an implementation engineer from CyberArk who walked through it with us. He guided us through the process. Even though the documentation is straightforward, there is a lot there to do with a lot of different components which make it up. In and of itself, there are a lot of moving parts, but having that implementation engineer onsite, helping us walk through it helped us be very successful quickly. We also had the same experience when we went through upgrades where we contracted with professional services to help us. They have always had someone out there who guided us through it, either onsite or remotely. We have had both instances and both have been very successful.

I was the primary engineer and lead engineer who stood up the entire solution. I was both solution architect at that time, as well as the solution engineer. I have since moved into the architect role and have backfilled my position. However, I was there at the very beginning and did all of the initial setup.

The first year that we were standing up CyberArk, our organization did an annual pen testing. In one of our organizations, where we didn't have CyberArk deployed yet, they were able to escalate privileges and get all the way to a domain controller, and go all the way that an attacker would be able to. The next year that they did their annual pen testing, after we had deployed in that same region, they basically got stopped almost immediately, and they were never able to escalate their privileges. We stopped the pen test in their tracks because of the solution being in place.

While that may not have a dollar amount because it was just a test, it gives us a lot of peace of mind. Of course, we can't always say that it is impossible for somebody to get in. Someone is going to eventually get in, that is bound to happen. Knowing that we have the solution in place and reducing that threat landscape as much as we have, has been phenomenal for us, at least from an intrinsic value standpoint.

We did not evaluate other solutions. We automatically went with CyberArk.

CyberArk is a fantastic solution. They understand what the industry is trending towards. They are able to meet that very quickly. Being in healthcare, we are a little bit behind the times and we follow people a little further behind (for example, the financial sector has been doing all this stuff for so long). However, healthcare, as an industry, is always a few steps behind because we are clinical and have to support a lot of different clinicians, physicians, and regulations, which sometimes makes us move more slowly. Just having this has been huge for us.

One of the things which has differentiated us from other customers from CyberArk is we have been tremendously successful in rolling out different implementations. There are a lot of clients whom I have talked to personally who have bought the solution, but have never implemented it, or they have been met with a lot of struggles or a lot of uphill battles with their staff and adoption. My best advice would be to start out and find the quick wins, the low-hanging fruit; these things you can provide to your organization to have them understand and see the same value that you are seeing as you are implementing.

I am familiar with the the new plugin generator utility. I have not used it because I think it is a newer version than what we have, but I am excited about it. I am looking forward to utilizing it. It is similar to what they have for their PSM solution. They have some new web services framework, so they do not have to use the AutoIt tool because it takes a long time to create plugins today. Like the plugin creation utility, it will allow us to take a whole lot of time off of our turnaround to be able to provide some of these connection components.

Most important criteria when selecting a vendor: Because we have so many applications and solutions across our organization, interoperability is a big thing. I am in charge of CyberArk, as well as Duo, who we use for our two-factor, and having that integration point or the ability to integrate with these solutions is huge for us. As we try to standardize across all of our different organizations, which is very difficult in our industry, what we offer for a particular solution rather than having 30 different iterations of different applications, has been huge for us. Standardization and integration is a huge point for choosing a vendor.

We use it to harden our passwords for privileged users. We also utilize CyberArk to secure application server credentials.

We plan to utilize CyberArk's secure infrastructure and applications running in the cloud. We have AWS now. That is our next avenue: To get in there and have that taken care of.

If any intruder gets inside, they would not be able to move around nor do lateral movements. It minimize any attack problems within our network.

It keeps us from having to fight with passwords or groups which are not getting onboard with the program.

We are able to rotate privileged user passwords to eliminate fraudulent use.

The web access piece needs improvement. We have version 9.5 or 9.9.5, and now we have to upgrade to version 10. 

Stability is rock solid.

Scalability should not be an issue with us. Our implementation team sized it real well when we received it. We are a younger installation, so we have a long way to go. We have not seen the top end yet.

The technical support is great. They are very responsive.

I was not involved in the initial setup.

CyberArk is the best out there. Their product makes our privileged access management so much easier.

For privilege access management, there is really no choice but to implement this or a similar solution. It is the last bastion that companies have. Firewalls used to be the perimeter and the place to be. Nowadays, intruders can walk through the perimeter (the firewall). So, we have to get on the inside and get it tied down. They are not very many people playing in this market. CyberArk is on the top, so there should not be any reason not to go with it.

Most important criteria when selecting a vendor:

• Best of breed
• Top quality support organization.

Our primary use case is to secure privileged access. 

Right now, it is performing fairly well. We have had instances where we have had to work with the customer support to integrate a custom plugin and struggled a bit there. It took a bit longer than we expected, but it ended up working out. Most of our focus now is getting our systems into CyberArk, which has nothing to do with the CyberArk software. It is just being able to communicate with our internal team to get them in there. So far, we haven't had a problem with CyberArk.

The product is for hardening access and making the organization more secure, therefore reducing chances of a breach. That is the most beneficial to any company, avoiding any type of data loss which will reflect negatively on your company. Once that happens, you are frowned upon, and nobody wants that.

It plays a huge role in enhancing our organization's privileged access and security hygiene. We are using it for most of our open systems, like Windows and Unix. Our plan is to integrate it with our entire internal network. 

The central password manager is the most valuable feature because the password is constantly changing. If an outsider threat came in and gained access to one of those passwords, they would not have access for long. That is critical and very important for the stability of our company.

One of the main things that could be improved would be filtering accounts on the main page and increasing the functionality of the filters. There are some filters on the side which are very specific, but I feel there could be more. For example, I want to look at accounts which are not working within a specific safe all at the same time.

So far, so good with stability. We have done a couple disaster recovery exercises with CyberArk, and they have gone according to plan.

We have not gotten to scalability yet, because we are still working on integrating our systems. We have a very minute portion of it. 

So, scalability will come afterwards, once we have everything there and we understand how much capacity we have used. As of now, scalability has not been an issue.

The product should meet our needs in the future.

The technical support is good at communicating. I learned a lot yesterday about how to figure out a support case quicker by helping them help you, and by giving them as much information as you can. In the past, I have not done that as well as I could have.

I was not involved in the initial setup.

Not applicable.

I do not have much experience with other solutions, so I don't think I can adequately compare and contrast it with others.

CyberArk is on top of its game. The product has worked well for our company.

If you are looking at implementing this solution, buy the training and go to it. If you do not train, it is hard to understand it. It is hard to pick it up by cross-training with other people. You really want to start off strong.

Most important criteria when evaluating a technical solution:

Be brutally honest about all the factors that go into the solution that you are looking for (buyer) and what the solution can offer (seller).