CyberArk Privileged Access Manager Reviews

Our primary use case of this solution is for elevated access.

The primary improvement to my organization is the fact that now the users are aware that: one, the work that they do will be recorded and so there will be an audit trail of what has happened; and then, two, we don't have to worry about people sharing passwords because they are given out on a case by case basis.

• Session recording 
• Password rotation

Some folks would like to have keystroke tracking and some would not. I guess if they could make that an option that might be interesting for certain organizations.

Scalability and stability are both excellent. We have around 250 users. All individuals with privilege to elevated access will be required to use this after a certain amount of time.

Thus far technical support is excellent. We haven't had any issues or difficulties.

The initial setup was pretty straightforward. Deployment took approximately six months. For the deployment, there was a group of about five to six individuals. For sustainment, we just have gotten into a training mode and we will have our support team giving them assistance.

I would rate this solution a 9.5 out of ten. To get it to a ten it should give other possibilities to select if you could follow the keystrokes. It should have a flexibility with things in which people can use it a lot faster.

The main usage of our implementation is to limit the credentials exposure to our third-party teams. They are able to connect to the end-points in a secure and isolated manner without needing to know any end-point credentials.

Our third-party teams are able to connect to the end-points in a secure and isolated manner without needing to know any end-point credentials. Besides this, end-points themselves are back in control when the passwords are managed by the CPM.

The two main features are the CPM and the PSM. This is to make sure that the credentials are managed in a controlled manner and the sessions that are launched are set up in an isolated way.

We are aware that in 10.6, the "just in time" access has been created. I would like to see this developed further.

The vault is almost a set-and-forget solution. Once the vault has been installed and configured, not much needs to be done in there apart from the occasional upgrade.

The environment is very easy to scale out. Especially running the CPM and PSM components in a load balanced virtual environment gives you the flexibility to quickly expand the environment.

This has been excellent for me. They always replied quickly, and most of the time the issue was resolved. The only downside — as soon as a ticket goes to the R&D engineers, you will have to wait a bit.

We did not use a PAM product before this.

The initial setup (for a UAT environment) was straightforward. During the planning of the PROD environment, it became a little more tricky with different network segments and method for accessing the environment itself.

We had a combination of in-house (with training), vendor (CyberArk) and third-party vendor. The third-party vendor Computacenter helped us with creating some design and documentation. I would not recommend this third-party to other people as they did not fully work with us and listen to our requirements.

We are still rolling out in our environment which makes the ROI difficult to calculate.

Make sure to use the latest licensing model as that will give you most of the "cool" features to work with.

One of the most important aspects is to ensure that the business is behind the solution. CyberArk suite will only work well if all users adopt the system.

One of our customers is using the 9.5 version of the solution.

We personally use the product. We are implementing it and have a lot of involvement in its usage.

We use it primarily because we need to manage business accounts and reduce our inboxes.

It has improved the way our company functions on the basis that they're expanding, and the SDDC management solution and the decision to bring on security licenses under the system umbrella, then has passwords and the system management be a requirement in the coming quarters. We are already doing a small PoC with the relevant themes of the natural habits of the security teams. 

The password reconciliation and its limitation with respect to access in target servers along with the end users apart from the import, which is already available. This helps our customers in their software requirement imports.

The lead product has a slow process. There are some reports and requirements from CyberArk which are not readily available as an applicable solution. We have made consistent management requests in the logs.

It is stable. They have had subsequent releases with patches for bugs. 

With respect to scalability, it depends upon how much scalability you need in the moment. 

There is not seamless stability in the support. Sometimes, we don't have any level of support which is required when something critical happens.

We were using the Centrify solution for managing UNIX apart from CyberArk. However, the scope of the Centrify solution is not as wide as the CyberArk solution.

Initially, there was a lot of hiccups, because there were a lot of transitions due to manual installations. 

Eventually, the licensing cost benefit doesn't happen or maximize the customer's profit.

Network and security licenses are currently being managed by other outsource vendors, so they are facing some type of problems in the digital aspect. 

Recently, there has been some new licensing guidelines which have come up since 2018 related to installation by technicians. However, we had our solution installed in 2015. 

Work off your roadmap for implementation.

We recommend CyberArk solutions.

I am a CyberArk admin. I manage everyone's PSA accounts, including EPM and PVWA.

It has been performing very nicely. We are on version 9.10. We are thinking of upgrading to 10.3 soon, hopefully. I don't want go to 10.4 since it just came out.

We are planning on utilizing CyberArk to secure application credentials and endpoints because of PAS. We do have a lot of accounts for developers, and we do manage a lot of passwords in the world.

Our company is not in the cloud yet. We are not that big. We are looking to move to it soon, as it is on our roadmap. By the end of the year or early next year, we are hoping to move CyberArk to the cloud.

It has removed the local admin rights. It is safe and improving well. 

Also, everyone doesn't have passwords to certain applications because of PAS, which is managing the passwords world-wide. So, it is more secure.

Our overall security posture is pretty good, but there is always more to improve upon.

I feel like I love EPM more because it is a pretty sleek tool. I like how it manages everyone's accounts. It removes all the local admin accounts, and I like that part about EPM.

You can write different types of policies for custom business needs or any developer needs. If they need certain functions allocated, they can be customized easily.

The interface on version 9 looks old. I am excited for version 10 because of the interface and design are good, and it is easier to use.

It is pretty stable because we have not moved to the new version. When it comes out, we don't want to go to the newest version the right away because we do not know if it is stable or not. We do not want to put it in the production yet, so we want to wait until the next one comes out, then we go from there.

We have not had any downtime with the product. No issues yet.

It is pretty scalable. It should meet our needs in the future.

They are extremely knowledgeable. Sometimes I asked a question, and their first reply is the answer. Then, I have them close the ticket. I feel like I am getting the right person.

I was not involved in the initial setup.

If you want more security, get CyberArk.

I used the new plugin generator utility here in the lab. Right now, it is manual, and the plugin is very easy to use. It is amazing.

Most important criteria when selecting a vendor: I prefer better tech support, because I love the CyberArk support. I want support like that everywhere with all my vendors.

Previously, we used to share passwords for service and normal admin accounts among team members. However, since we started managing it through the product, we've transitioned to individual admin accounts or implemented dual control for shared accounts. With dual control, exclusive checking and checkout options are available, and passwords are not stored in clear text anywhere in the credentials.

The solution's most valuable features are automatic password rotation, privilege manager, and secret manager. Previously, IT personnel had admin rights on their regular accounts, allowing them to log in to domain controllers. However, this posed a security risk as compromised accounts could grant unauthorized access to domain controllers. To mitigate this risk, we implemented separate DA accounts for IT staff. These DA accounts were restricted from logging in to domain controllers and did not have associated email addresses. They were dedicated AD accounts solely for accessing domain controllers, and the solution handled their management.

Previously, manually rotating admin credentials was a time-consuming task. However, implementing the tool's automatic password management feature has made this process easier. We've configured defined policies within the solution to dictate when these credentials should be changed.

The tool's UI has bugs and lags. It needs to be improved. The deployment process can be complex due to multiple components for various functionalities, each requiring separate infrastructure management. To simplify this process, consolidating all these components into a single platform could be beneficial. The product's pricing could be cheaper. 

I have been using the product for eight to nine years. 

I rate the product's stability a seven out of ten. 

I rate the tool's scalability a seven out of ten. 

The tool's support gets worse each year. Support is outsourced to smaller companies, which doesn't work fine. Its support was good eight to nine years back. Over the years, it hasn't improved but degraded. 

Negative

I work with BeyondTrust. BeyondTrust's UI and support are good and never lag. BeyondTrust is also cheaper. 

CyberArk Enterprise Password Vault's implementation timeline largely depends on the size and complexity of the infrastructure. A smaller infrastructure with around a thousand servers can typically be implemented within a week or two. However, the implementation process may extend to four or five months for more extensive infrastructures with tens or hundreds of thousands of workstations and accounts. The tool's transition into a security-focused product necessitates strong integration with security orchestration platforms. Prebuilt packages with ready-made integrations are required instead of developing everything from scratch. It lags in automation. 

We have seen 40-50 percent improvements after using the solution. 

I rate the product a seven out of ten.

The password vault and session monitoring are useful.

We have been using this solution since 2016.

The solution is stable, but some features in BeyondTrust are unavailable in CyberArk Privileged Access Manager. For example, there is a PMUL feature in BeyondTrust where you can do a deeper dive with the keys for login, but it is not available in CyberArk Privileged Access Manager.

The technical support is good, and they fix any issues we have. However, the turnaround time for technical support is lengthy.

We set up huge environments.

Regarding pricing, we have an APAC sheet and a contact person from CyberArk Singapore that provides a pricing sheet when we need one.

I rate this solution an eight out of ten. I would recommend having a proper plan before implementing this solution. It will be a smoother process if you jot down the granular execution level and get senior resources with hands-on experience.

Our primary use case for this solution is privileged threat management and session management.

I have an affinity towards CyberArk. I find that it works out-of-the-box, as a product.

I really like the PTA (Privileged Threat Analytics). I find this the best feature.

From what I see, like the out of the box password management features, or you can pay the tax forms, which I will write log, can become extensive. For example, we have right now 45 to 50 platforms to tell that were out of the box, like Cyber Optics 200 out of the box connectors, so if we can just put those also into out of the box so that the pros do not have to retell everything to what they think the comp manager of Cyber Optics representative. Apart from that, if we could have some kind of out-of-the box feature that you can simply say "no" so they don't have to go into a development mode, that would a really helpful feature.

I would not say there is a stability issue. There are quite a few bugs, which I have discovered in versions 10.1 and 10.2, but I believe that was rectified out of scalability.

I have no scalability issues at the present time.

I believe the tech support staff can be more proactive. Right now, I have booked a ticket with tech support for an issue, and I have labeled the ticket "moderate priority." The response from tech support was at best, an answer within three to four days. I believe that is too much time, and can be shortened.

It's straightforward, I mean probably who for 11 years of experience is quite straightforward, but maybe for a newbie, it could be complex.

I do not have any opinions to add about the pricing.

I think if the industry could work together on TSM connectors, this would be a cutting-age change.

Its performance is excellent. We have had multiple use cases: 

• It is PSM, so as a jump box to our servers.
• We use it as a primary mechanism for all our consultants and auditors to access our systems. So, they come in through a Citrix app, then it is used by PVWA to access all the servers.

We are currently using CyberArk to secure applications with credentials and endpoints.

We plan on utilizing CyberArk to secure infrastructure and applications running in the cloud going forward. We are looking into possibly AWS or Azure.

• It has helped from an auditing perspective identify who has access to privileged accounts.
• We are able to now track who is accessing systems. 
• It provides an accountability to the individuals who are using it, knowing that it is audited and tracked.

It has become one of the primary components that we have. We also utilize PTA, and we are now integrating that into our risk management program so we can identify the uses of the vault which are outside of the norm, e.g., people accessing after hours. It has reduced the amount of time that we are looking through logs and audit logs.

The auditing and recording are incredible. Also, we have started using the AIM product to get rid of embedded passwords.

Our DevOps team is looking in the direction of cloud, because we are not in it today. We are hoping to build it with Conjur from the ground up.

It is very stable. We have never had any downtime; no issues. We worked with support on several upgrades, and are looking forward to the 10.x upgrade.

We have no issues with scalability. We are using it in a pretty wide environment. We also use it in our business continuity environment with no issues.

I evaluate the technical support very highly. Although, the individuals who we worked with were very technical. If they did not know something, they pulled in somebody right away. 

Also, one of the best attributes is the customer success team. We found great value in working with customer success and their team.

If there are defects or issues, over the years, CyberArk management has listened to them and resolved those issues. Not many organizations respond to their customer feedback as well as CyberArk has.

We did not have a previous solution. We have always used CyberArk. 

From a risk landscape, we knew that privilege accounts were where attackers were going, doing lateral movements. These are keys of the kingdom which protect those, and that is why we focused in this area.

The initial setup was very complex. There were a lot of manual process. Over the years, we have seen a significant transition in the installation scripts, the setup, and the custom capabilities. So, CyberArk has come a long way since the beginning.

The upgrade processes have also improved.

We now know where our privileged accounts are and how to manage them. So, it is more from an exposure standpoint.

No.

Take your time. It is not a quick hit, where I am going to put it in today and be done. It is a process. The cyber hygiene program is a crucial aspect of how to implement this successfully.

I do have experience with the new plugin generator utility. We have been using it for a short period of time. It is not fully in production yet, but it seems to be quite good.

Most important criteria when selecting a vendor: Technical ability, not only in the product, but in the industry as a whole. This helps set CyberArk apart. They are not only experts in their product, but they are experts in the industry, including Red Team capabilities. They are gearing their product towards the defending of what the active exploits are, not something that has been done in the past.