CyberArk Privileged Access Manager Reviews

We are using it for privileged access management.

• It is very secure. 
• The voice technology is very good.
• It is very simple to use.
  

We haven't had issues with scalability.

We have good support from support. They are very helpful.

We did not have a previous solution.

The initial setup was somewhat complex, but we received help from the product support team with the installation.

The product is costly due to its active management features.

The product is the best in the market at the moment.

I would recommend the product for sales learning. 

We use it all.

• Privileged account access and management
• Credential rotation
• Access control
• Privileged session recording

CyberArk PAS helps ensure accounts are managed according to corporate policies. In short, it takes people out of the machine work of ensuring credentials remain up-to-date, and handles connection brokering such that human usage and credential management remain independent.

All of the features we use have helped our security posture in some way. All of these have their place in defining and supporting the security posture:

• Password management
• Session management
• Recording
• Access control.

Overall, I think it is a fantastic product, when used as designed and intended.

One of its biggest downfalls is also one of its biggest strengths. It is easily customized, and that customization makes it very easy to start trying to shoehorn the solution into roles it was never intended to fill.

I think that one of the advantages of the CyberArk PAS suite is that it is modular. On top of the basics, you can implement modules to:

• Manage (verify, change and reset) privileged passwords and SSH keys
• Manage (isolate and monitor) privileged session to the different types of devices
• Control Applications (e.g., malware)
• Detect, e.g., backdoor use, unusual behavior, and Kerberos hacks of privileged accounts
• Avoid/remove hardcoded passwords in applications/scripts
• Implement the principle of least privilege

Even those components can extend their operational area by use of, e.g., plug-ins, making it possible to manage about any kind of privileged account or session.

I see companies that already have thought about their privileged accounts, while others have not (to that extent). Implementing the CyberArk solution, it helps (and sometimes forces) these companies to think about their privileged accounts. Are they really needed? Who needs access to them? What kind of privileges do these accounts need (service accounts/log on accounts/etc.)? And so on. Thinking about these things helps customers to organize their data/privilege accounts in the CyberArk solution. It then helps the organizations to get control of their privileged accounts and to safely store and manage these, knowing that only the correct persons can access these accounts and that the different devices can only be managed via one central entry point to the datacenter.

With every version, I can see that the product wins on functionality and user experience. On the latter though, I hear from customers that on the UI level, things could be better. CyberArk continuously asks for feedback on the product (e.g., via support, yearly summits) from customers and partners, and hence, with version 10, they are addressing these remarks already.

The web portal (and hence the user interface) has some legacy behavior:

• Some pages are created for past-generation monitors. With current resolutions, filling the pages and resizing some elements on the pages could be handled better.
• They are not consistent with the layout of different pages. Some have, let’s say, a Windows 7 look and feel, while others have the Windows 8 look and feel.

Nevertheless, even with those remarks, it does what it is supposed to do.

I’m working as a partner of CyberArk for about four years now. I started on version v7.1 (currently on v9.7) and I have served about 20 happy customers.

As no software is perfect, I don’t think it is any different with CyberArk. Their support, however, is able to tackle most of the problems. Sometimes patches are distributed. The CyberArk solution highly integrates with different platforms (Windows/Linux) and applications (AD, SIEM, email, etc.). So, not configuring it well can result in unexpected behavior. You need to consider the limitations of the platforms it is installed on, as well.

As mentioned, one of the advantages of the CyberArk PAS suite is the modular build up; not only on covering the functional area, but also on size of your network/datacenter. If you, e.g., notice that the number of privileged accounts to manage increases, you can simply add an additional module/component that manages those passwords.

Their support is good. It is split up into different areas (technical, implementation, etc.) and I always have a quick answer. And they go all the way for their customers.

I saw customers using another product for their privileged accounts. Due to its limitations (e.g., on password and session management) and stability, they decided to switch to CyberArk.

This question goes both ways; initial setup can be straightforward and it can become complex. The architecture in the network and installation of the software itself is pretty straightforward. Most of the modules/components are agentless. This makes it possible to install the solution in the datacenter without impacting any existing devices (no impact on running systems, and simplifying change and release management). Integrating the systems (privileged accounts) in the CyberArk solution can happen gradually.

The flexibility of the product, on the other hand, has as a consequence that there is a lot to configure. Depending on the existing infrastructure and functional demands at the different organizations, care has to be taken to have a correct implementation.

As far as pricing, personally, I’m not involved in the sales part. So, I cannot elaborate on this topic. For licensing, I can advise the same thing as mentioned elsewhere: Start small and gradually grow.

Before choosing this product, I did not evaluate other options (being a partner, not customer).

The Privileged Account Security product is a suite. That means that the product consists of different components/modules that cover a particular functional area (check their website) on privileged accounts. Plugging in more of those components in the environment results in covering a greater part of that area. Of course, there is a common layer that is used by all components. This is the security layer that holds and protects the privileged accounts.

Start small. Use first the basic components that, e.g., include password management. Gradually grow the number of components/modules/functional area to include, e.g., other types of accounts, session management, intrusion detection, end-point protection, etc. Having a project scope that is too large will make the step of using the solution too big. Make sure every stakeholder in the project is aware and let them gradually ‘grow’ with the product.

The ability to create custom connector components is the most valuable feature of the product. Once the organisation matures in their privileged access strategy, CyberArk’s customisation capability allows you to target application-level access (e.g., web-based management consoles) as opposed to just the underlying operating system. The API allows operational efficiency improvements, through being able to programmatically provision accounts into the Vault.

It has improved our organization by being able to consolidate several privileged access technologies into a unified tool. Session recording and auditing capability, and approval workflows allow a high degree of control over the organisation’s privileged access requirements for compliance purposes.

• Authentication to the solution: Authentication to the PVWA utilises integration to IIS. Therefore, it is not as strong as desired.
• Reporting capability and customisation: Reporting utilises predefined templates with limited customisation capability.

I have used it for 15 months; approximately nine months in a large enterprise.

I have not encountered any stability issues.

I have not encountered any scalability issues. The solution is fairly scalable. All presentation-level components are operable in highly available configurations.

Technical support is 8/10; level of engagement depends on severity of problem.

I did not previously use a different solution.

Initial configuration is quite complex and takes a considerable amount of time. However, this depends on the management requirements of the organisation. An example of this is connectors to mainframes, which might require a degree of customisation and knowledge of how the password manager functions (and relevant training). Setup regarding installation is straightforward, as the provided guides are quite expansive and include several installation possibilities (e.g., standalone, HA, DR, etc.)

Appropriately scope the organisation’s requirements to ensure licenses are not over-provisioned.

I was not part of the selection process.

If an organisation has not utilised a PAM tool before, it is a large cultural change fundamentally in how a user works, and should be taken into consideration accordingly. The solution is complex depending on the requirements; therefore, the implementation should not be rushed and it should be tested appropriately.

With the Privileged Session Manager, we can monitor sessions in real time and terminate the session if there's any unnecessary activity found. For example: We give access to user to access the server only to update patches, but if we find any activity not related to patch updates, we can terminate the session.

Actually my company/previous company does not use this product, but we sold it to our customer. This product helped our customer manage their privileged accounts. It’s easier to them to manage and control the privileged accounts.

It needs more plugin connectors for all devices. CyberArk currently can manage or make it easier to manage about 80% of our total devices. The rest still need R&D to develop the plugin. If CyberArk had more plugin connectors, the customer would not need to raise plugin development requests for several devices and CyberArk could easily connect to these devices.

What I mean with CyberArk needing to improve plugin connector is that currently CyberArk is able to manage almost all devices (server, network devices, security devices etc.) which are more than 80% of all devices. In my experience device such as IBM OS/390 and Cisco TACACS still need custom plugin connectors developed by CyberArk R&D.

If CyberArk IS able manage more than 95% from total devices it would help the customer to using it without raising a support ticket to create a plugin connector. CyberArk will more easier to manage all devices with no compromise

I used this solution from mid-2013 until mid-2015.

So far, it is stable.

This product is scales easily.

Technical support is good. They have good technical teams around the world including southeast Asia.

Most customers using a different solution switch to CyberArk because CyberArk is more user-friendly than its competitors and have more plugins compared to the others.

Initial setup was actually easier.

Start small.

Yes, we evaluate other options. The issue was about price, stability, scalability and the development of this product to ensure support.

Contact the local distributor for help.

The primary use case of this solution is for third-party developers that come into our infrastructure from VPN to connect. They are organizations that are outside of our organization.

Before CyberArk, our developers would connect from the VPN directly to the jump servers to get all of their access. We have removed the jump servers to connect to CyberArk.

The security has improved. We know who is accessing and what they are doing. The access is secure. 

CyberArk has increased our security.

The most valuable feature is that it is flexible. It has many connectors. that have done well, the EPV and SSH sessions are all being recorded and everything works fine.

This solution does not support the SQL Developer. We have to purchase separately from CyberArk and we have to ask them to develop it.

This solution is a bit complex compared to other solutions. The installation and administration are complex.

Some things can be done through the interface, but the whole installation process and upgrade process can be done with the installation script but it's complex.

This is too complex for some organizations that do not have a large scale.

In the next release, they could simplify the setup and I would like some tasks added like file sharing. When a client connects to CyberArk and wants to put a file on the server, they cannot.

I thought that the client would be able to drop a file onto the server and the file would be visible on the server.

I have to disable the connection to provide a copy and this is a security issue, and I closed this file to the client then he can't upload and files to us.

They need to come up with a way for the client to file share with CyberArk.

I have been using this solution for six months.

This solution is stable. We have not had any issues.

This solution is scalable but pricey.

There are fifty users and they are developers.

I have not contacted technical support. I am not an engineer, I work for the bank and I have implemented this solution.

Previously we used Fudo and jump servers with OTP. It is not the same, but from a security perspective, it is also quite good and less expensive.

The initial setup is complex.

You need at least one engineer to manage the software. I must have dedicated people to administer it.

We worked with integrators for the installation. The first step was the installation process and the hardening. This process took two weeks to implement.

The migration process was more complex and more time-consuming.

This solution is expensive.

My advice would be to compare with other products and if they don't want such a large solution they could try Fudo or a similar solution that is easier and can scale like CyberArk.

I would rate this solution a nine out of ten.

We are using the solution for privileged account management. (Rotation, session isolation, checkout, etc.)

Accounts are managed, passwords change frequently, and we have better audit logs! When something happens, there is a better chance you can determine the who/what/where/when/why of the situation.

The vaulting technology as well as the privileged session management: Having the vaulting tech ensures that the credentials are secure, and PSM ensures that the end user can perform needed tasks without knowing or needing the credentials.

A greater number of out-of-the-box integrations with other vendors: They are working on it, but more is better!

Rock solid! I would say it is, set it and forget it, but the vendor keeps on top of upgrades and enhancements.

It seems to work well for any size of organization, or any size of deployment in my experience.  

Pretty straightforward, a lot of time will be spent on the initial engineering phase where you determine how you want to use the solution, naming requirements, admin accounts, etc.

As with everything, try before you buy. Get a trial licence, set up a demo environment and see if it meets the use case for your enterprise.  

• Vaulting of privileged credentials. 
• Used as a jump host solution. 
• We wanted to keep passwords from being exposed to end users and connect them seamlessly to their target devices.

Our privileged accounts are now stored in a more secure location and lateral movement within the network have been lessened.

The PSM is excellent and the ability to write your own connectors and plugins is invaluable as far as flexibility goes.

• Enhanced PSM support for Java based applications.
• Easier to use bulk uploader tools (which are already being worked on).