CyberArk Privileged Access Manager Reviews

It was originally just a glorified KeePass. We scaled it up to an enterprise-wide solution for all our IT support teams. In that way, it improves our ability to control, secure, and manage access across the enterprise for different support teams, whether it be IAM, Exchange, or server admin. It's been a really fantastic growth opportunity for me and for the company.

Service count rotation is probably one of my favorite features. Even though we're not using it right now, we're going to be using it in the future. The ability to automatically rotate any password I need to really helps with the entire enterprise strategy that we're pushing right now.

The solution's ability to manage all our access requirements at scale is interesting, actually. It does everything we need it to, and it's not a tool that I expected we would be using at this scale, as an enterprise-wide client. A little bit of history on that being that when we first started using it, it was a glorified password vault. It was a store. It was KeePass. So we really scaled it up and it's been a really interesting journey.

I'd like it to be a little more granular. I want a little bit more control over exactly what we do. I know if you do that, you add more knobs and dials to deal with, but that's just my personal approach: granular access.

Lately, due to an upgrade, it hasn't been as stable as we need it to be, but I don't think that's any fault of the product. I think it's the fault of just infrastructure as a whole.

However, in the past, the product has never been down. It's been incredibly stable. And in terms of interface and usage, it's actually been really stable. There haven't been any bugs or glitches or anything of the sort to impede me from doing my job.

I didn't think we'd be here. However, it's incredibly scalable. We are able to use it in two different environments: one is IT and one is OT. And the scalability, as a whole, has been able to translate to an enterprise-wide process, so it's been really great to see. We're hoping that, should we acquire anything or divest something, it would be that easy to actually deal with it in terms of scalability.

Technical support has been good, even great. They have come in and assisted us whenever we had issues. If there was ever an outage, they were already on the phone by the time we needed them. They've been doing a great job helping us out so far.

We did not have a previous solution.

We have seen ROI. Our adoption rate is way up. More teams are involved in using it. That alone stands as a return on investment when we have more adopters, more people using the tool, more people logging into the tool and utilizing its capabilities.

Use the tool, but communicate with your user base. If you're not going to communicate with your user base, then you're dead in the water already. Don't force this on someone. Work with them in order to use it.

The product has delivered innovation with each update. When I first started, we weren't able to run scans and pull service-account information and reset those service accounts at any endpoint. That, as a whole, as I mentioned earlier, was my favorite feature of the product. That innovation alone is probably one of my favorites, and definitely something that deserves praise.

I would rate the product a nine because nobody gets a 10. It's been a fantastic product and it's been easy to use. The training courses involved have been great, so I would rate it a nine.

I wouldn't say CyberArk has been a huge impact on my career, but it's definitely played a role in helping me advance, in terms of being able to communicate with clients, utilizing my skill sets, both the technical and soft-skill use. It's allowed me to really branch out and see my growth through business liaison.

The primary use case is for storing user passwords and administration credentials.

I am the engineer for a company that sells this solution mostly to financial institutions. 

It is also useful for auditing and securing shared accounts or co-shared accounts.

The most valuable feature is the special management. It records the activity and the actions that we use for auditing.

The deployment architecture, the ability to locate and change credentials and the stability need to be improved. They need to install or include an appliance-based option, which CyberArk does not have.

The technical support can improve on the time that it takes to get a callback.

The integration is great but needs to be a bit more user-friendly.

Also, a feature with the ability to create password sync.

In the next release, I would like to see the following:

• Availability on the cloud and the appliance.
• More documentation for the setup. 
• Simplify the deployment.
• Continuous operation with this solution.
• Simplify the infrastructure for better stability.
• Increase the support for applications.
• Invest in local on the ground staff in various regions.
• The ability to search by the activities, especially for Windows Servers.
• Improve the auditing capabilities for their searches.

The stability depends on the infrastructure it is installed on, which is important because CyberArk does not have the hardware appliance.

This solution is scalable. It scales very well, there are no issues.

The technical support is good, there are no issues.

They know what to do when you call them, they are competent.

Sometimes they can take too long before getting back to you, which is something that can be improved.

Previously I was using Centrify and One Identity. We switched because CyberArk has a lot of strength in my region. Some partners do not want to deploy CyberArk to their customers because they feel it will create competition when it comes to renewal. They don't want the price to be affected.

The initial setup is complex. The architecture needs improvement in the documentation for the setup and the manageability.

If you have everything provided for you, it can take three to four hours to deploy this solution.

I think that it might be cheaper than the other competitors in our region.

I have learned that the deployment can be tricky. Always plan your deployment in phases.

Don't unload all of your privilege credentials at once, otherwise, you have an issue with the passwords. 

Always, have help available on standby when you are deploying this solution to prevent issues.

This solution is quite efficient. You don't always have to have your applications. If you are encrypting the server, you don't need the applications. You are required to do it on your workstation. The server will deliver that to you from the managing pack when you try to implement the sessions.

I would rate this solution an eight out of ten.

The primary use case of this solution is for third-party developers that come into our infrastructure from VPN to connect. They are organizations that are outside of our organization.

Before CyberArk, our developers would connect from the VPN directly to the jump servers to get all of their access. We have removed the jump servers to connect to CyberArk.

The security has improved. We know who is accessing and what they are doing. The access is secure. 

CyberArk has increased our security.

The most valuable feature is that it is flexible. It has many connectors. that have done well, the EPV and SSH sessions are all being recorded and everything works fine.

This solution does not support the SQL Developer. We have to purchase separately from CyberArk and we have to ask them to develop it.

This solution is a bit complex compared to other solutions. The installation and administration are complex.

Some things can be done through the interface, but the whole installation process and upgrade process can be done with the installation script but it's complex.

This is too complex for some organizations that do not have a large scale.

In the next release, they could simplify the setup and I would like some tasks added like file sharing. When a client connects to CyberArk and wants to put a file on the server, they cannot.

I thought that the client would be able to drop a file onto the server and the file would be visible on the server.

I have to disable the connection to provide a copy and this is a security issue, and I closed this file to the client then he can't upload and files to us.

They need to come up with a way for the client to file share with CyberArk.

I have been using this solution for six months.

This solution is stable. We have not had any issues.

This solution is scalable but pricey.

There are fifty users and they are developers.

I have not contacted technical support. I am not an engineer, I work for the bank and I have implemented this solution.

Previously we used Fudo and jump servers with OTP. It is not the same, but from a security perspective, it is also quite good and less expensive.

The initial setup is complex.

You need at least one engineer to manage the software. I must have dedicated people to administer it.

We worked with integrators for the installation. The first step was the installation process and the hardening. This process took two weeks to implement.

The migration process was more complex and more time-consuming.

This solution is expensive.

My advice would be to compare with other products and if they don't want such a large solution they could try Fudo or a similar solution that is easier and can scale like CyberArk.

I would rate this solution a nine out of ten.

The solution is very complete. It has the most features on the market.

Session monitoring is excellent. It may be the solution's most valuable aspect.

The solution offers very good password protection.

It offers great integration with many products.

The initial setup could be simplified. Right now, in comparison to its nearest competitors, it's quite complex.

The solution is very stable.

The solution is easy to scale.

I've never had to reach out to technical support.

The initial setup is complex. You need to install many virtual machines. You must do many configurations. It's not just one machine to another; you'll also have to handle the configuration of independent machines as well.

The price is higher than the competition, but if the customer wants the best product for their company, they won't mind the price.

We have a permanent license. Licensing is based on how man users you have, so the pricing varies according to the size of the company.

We're a partner of CyberArk.

I'd rate the solution nine out of ten.

I have worked as a CyberArk SME, team leader, project manager in the financial industry. I've managed both the implementation and configuration of enterprise CyberArk infrastructures.

As an end-user within the organization, I can't and I don't need to know the passwords of privileged accounts as CyberArk is taking care of the password/SSH Keys management on the target machines. The solution provides this security without changing the end-user experience because they are able to use the end-user tool like putty or remote desktop connection even without passing through the CyberArk interface

Our most valuable features would probably be password/key rotation, the SSH key manager, account discovery and quality of video recordings.

I think they can add a new feature for the account onboarding like I've seen for another PAM tool: for instance they should give to the CyberArk administrator the chance to upload the accounts via the PVWA using a txt or an xls file.

If you don't know the product well, it might not be easy to set up, because CyberArk has several modules. You need to study it before to start to implement this solution. It's not like other PAM tools e.g.Thycotic, which is easy to set up, as it's just a web server with a database.

The deployment itself can take between one and two work weeks. The project, or configuration documents, however, must take more time. You cannot think about the infrastructure in one week. You have to prepare all the documents, understand the infrastructure you want, etc. It's the project management that takes more time.

You have to analyze the target hosts that you have in your organization and understand what is the scope of your project. You have to make a very clear plan for the project and CyberArk infrastructure sizing. Then you have to do a very good job with the project management and collaborate with the privileged accounts stakeholders. With all that in mind, you can go ahead with CyberArk.

Be careful with the configuration. When you make changes and so on, be very careful to understand what you are doing. Plan and test what you are doing in a test environment before switching to production.

I would rate CyberArk as nine out of ten. Ten means that it's the best solution on the market and no one else compares to it.  However, before giving them a ten, they should do something related to the Password Vault utility. Maybe they should add some other features too. For me, it is one of the best tools on the market, so nine is enough for now.

The primary use case of the solution is to gather privileged accounts from different systems and to contain privileged accounts in one secure place.

Security is the solution's most valuable feature. As far as I know, this solution is the most secure system of this class on the market today, even considering another management system like Fudo Security, which we also use. The integration capabilities are very good; it helps strengthen our overall security.

The interface and user experience could be improved. In comparison, in Fudo Security, items are very searchable and it's very comfortable to work with. CyberArk is not very good at that. It could be improved and it wouldn't be too complicated to do so. The solution is too big and complex for any business that is small or medium-sized. They should offer a more compact version or make a solution better suited to smaller businesses.

I've been using the solution for five to ten years.

It's an enterprise-level solution. So long as you can afford it, you can scale.

I've never had to reach out to technical support.

We didn't really use a different solution. We use Fudo Security, but it's not for password management alone. It's more of an all-in-one solution. We still use it; it's cheap and it's a very simple solution in comparison to CyberArk.

The initial setup is okay; I'd rate it seven out of ten in terms of ease of use compared to other solutions.

Many different things during installation are not straightforward. For example, it would be better to make some kind of pre-installed machine or virtual machine or to make it easy to deploy various ISO files. There are competitors that have just one machine and no infrastructure involved. It would also be better if they embedded the license or offered some free options.

Deployment took about a month.

As far as I know, CyberArk changed its pricing policy for our region. Overall it was very expensive a few years ago, but now, just around a year ago, it became less expensive and it's easier for us to sell it.

We use the on-premises deployment model.

In terms of advice, I'd suggest others follow the implementation carefully.

I'd rate the solution eight out of ten. It's not easy to install and it's got too many components which means it's not really suitable for small or medium-sized businesses.

Our primary use of CyberArk Privileged Access Manager is to bring control on to the privileged access. For a while, there were individual IDs having privileged access. We wanted to restrict that. We implemented the solution so that it can be more of internal control. We can have session recordings happening and reduce our attacks.

There are two main ways CyberArk Privileged Access Manager Server Control has been helpful to us.

1. Any administrator using his own or her own ID and password to connect to the server or the domain that has been removed and the credentials for accessing the domain or the servers has been locked down into the password wallet, the access to it is controlled now through that group. Now we know who has access and what kind of access. Also, we control access through tickets. Unless there is an approved ticket, an administrator cannot just log onto a server and make changes. In this way, we are ensuring that an attack cannot just steal somebody's ADID and get into the server and create problems.
2. Through the application and team managers, we have removed the hardcoded user ID and password in our applications. Those are now in a password vault that is not known to anyone. The vault knows and changes the password, then connects the applications to the database.

The features that we find most valuable are:

• Enterprise Password Vault
• Privilege Session Manager
• Application Manager
• Team Manager

These modules help us in locking down the credentials, rotating passwords automatically without us having to worry about it, isolation of servers from the user machine and availability of privileged session recordings for us to check on demand.

I think that the connectors, the integration pieces, the integration to ticketing system. This is something which is not meeting our requirements via out-of-the-box solutions, so we have to look for a customized solution, that could be improved.

Integration with the ticketing system should allow any number of fields to be used for validation before allowing a user to be evaluated and able to access a server.

Additional features: We are looking at the connectors. The connectors to be more robust and provide more flexibility for out-of-the-box implication.

It's quite stable so we've not faced any problems so far and it's been working smoothly for us. Initially, there were some technical issues, disconnections happening, and the slowness was there, but we've been able to overcome those challenges. Now for the past 15, 20 days, it's been running smoothly.

The software is scalable enough, so if we want to add more domains, we can just go ahead and do it. I don't see a challenge with that. There are a couple of other parts of the solution that we are not rolling out, but we'll be doing that.

The support has been good. Turnaround times have been okay. They have not been immediate, but they do respond in a few hours, or in a day.

We didn't have a previous solution at the time.

AIM was a complex piece, but the install was straightforward. It took us around five months.

We went with an implementation partner for the deployment which included a number of admins. Currently, there are around 60 users but they are going to be 150 plus in a month or so.

We want the implementation partner for supporting it for the next three months, and then we will make the call whether we want to continue with them or maybe our resources should be good enough internally to support it.

The cost and licensing fees of the software are fairly reasonable.

There were a few competitors we evaluated like CA Technologies, Arcos, Oracle, and Microsoft.

My advice would be to plan ahead of time. Put up the plan for all the modules that you are going to implement. Look at what the dependencies of those are and plan for those dependencies in advance, then start the project.

Especially where it is the application identity manager, the AIM part, which is not only dependent upon the implementation partner but also the customer dev team to make the changes.

That's what makes it critical to plan ahead, ensure all stakeholders' commitment of their time and support, then start the implementation.

I would rate it nine out of ten.

It provides a tamper-proof solution for privileged accounts and third-party access to corporate assets.

We have different teams that hire out consultants from various vendors. For those consultants, there was a challenge in providing access to our critical infrastructure. CyberArk PAS provides isolated and recorded sessions for third-party/outsourced admin access. 

Automatic password management based on a strong password policy. Because still, many people choose not strong enough passwords for administrative accounts.

The product should be improved in order to support more platforms. It will be awesome if google cloud API keys are being supported like AWS and Azure.

Pretty scalable in the sense of PSM and storage.

No, we didn't use any.

Yes, there was a POC which took place among BeyondTrust, Thycotic and CyberArk.