CyberArk Privileged Access Manager Reviews

I use CyberArk Privileged Access Manager for privileged access management for our IT administrative team. It helps in managing access to IT systems.

By implementing this solution, we wanted to monitor and manage access. We wanted to control who can log into which machine.

Our administrators no longer have to save the passwords or credentials in a file or spreadsheet to share with colleagues. Everything is organized in a vault. We have logs on which credentials were used and at what time on a machine.

CyberArk Privileged Access Manager is very powerful and customizable. We are able to customize it as per our needs. 

It has been stable over the last four years, and we have a good overview of the usage of every credential on hosts and endpoints. Our infrastructure consists of many solutions and pieces, and CyberArk Privileged Access Manager is one of the important pieces. 

CyberArk Privileged Access Manager has not helped us reduce the number of privileged accounts, but it certainly helps us manage our privileged accounts. Without it, it would not be possible to manage them.

CyberArk Privileged Access Manager assists us in meeting compliance and regulatory requirements from the government, the European Central Bank, and our customers. It is hard to measure the time saved on satisfying compliance requirements related to financial services by implementing CyberArk Privileged Access Manager, but without it, it would not be possible for us to meet these requirements.

The most valuable features of CyberArk Privileged Access Manager are its robust functionality and reliability. 

It has reduced the mean time to respond, but it is hard to provide any metrics. Its log and audit files are very helpful when we have to investigate an incident.

CyberArk Privileged Access Manager helps ensure data privacy because we now know who is using which credentials and at what time.

CyberArk Privileged Access Manager did not have much effect on our operational efficiency because it is a new tool for us. Any new tool means more work. It has also not saved us costs, but without it, we would not be able to meet the requirements for operating our bank.

We were able to realize its benefits immediately after the deployment.

The graphical user interface could be simplified and harmonized for better usability. It should be consistent. Its GUI is very confusing.

I have been using CyberArk Privileged Access Manager for four years.

Overall, the stability of the solution is high. I would rate it a nine out of ten for stability.

Currently, it meets my organization's capacity requirements. I would rate it a nine out of ten for scalability.

We have about 6,000 employees at different locations. We have different operating systems, database systems, and decentralized infrastructure.

Their technical support is good, but it can be better. Even if we provide everything required along with the ticket, we get a standard response asking for the logs. They do not go into analyzing the issue. They just ask for the log files. I would rate their support a six out of ten.

Neutral

We did not use any solution before CyberArk Privileged Access Manager. This is the first solution we are using for Privileged Access Management.

Its implementation took us a year because we have a complicated infrastructure. It requires support from a consultant or an implementation partner. You cannot install it yourself. The automatic onboarding of the privileged accounts is a lot of work.

It requires maintenance because if your infrastructure changes, you have to take care of all the new credentials. If you also have a cloud setup, you need to figure out how to connect everything. There is a lot of work involved in maintaining it. It is not easy.

We took the help of a third party for deployment and customization.

CyberArk Privileged Access Manager is on the expensive side.

I would recommend CyberArk Privileged Access Manager to other users. It is one of the leaders in Gartner's Quadrant. It is stable. 

My overall rating for the solution is an eight out of ten.

We have traditional use cases for Windows, Unix, and Linux-based systems. Additionally, we have use cases involving AWS, Oracle, SQL, and Postgres databases.

We also plan to bring in more use cases for VMware vCenter, VMware VxRail, and iDRAC. We aim for CyberArk Privileged Access Manager to be an integral part of all our infrastructures in accessing and securing credentials, particularly in restricted environments. It is a life science project. There are certain places restricted for the users.

We are still trying to get everything driven through CyberArk. We are trying to restrict direct RDPs to a particular target or doing an SSH outside of CyberArk. The adaptability is about 60% at this time, but we want to make it 100%.

Authentication is the key to protecting sensitive data. Integration with SAML or Okta prevents intrusions to a great extent.

We were able to realize its benefits immediately after the deployment, and we are happy with it.

CyberArk Privileged Access Manager has not helped reduce the number of privileged accounts, but they all are being vaulted now. We do not have any privileged accounts that are not vaulted in CyberArk.

CyberArk Privileged Access Manager’s ability to safeguard credentials is very important. The paradigms are changing. The data is at threat when it is online. Anything digital needs to be secured. CyberArk has been the leader in the PAM product market. Our client made a good decision by taking CyberArk as their PAM tool.

The features that CyberArk Privileged Access Manager provides are good. It helps to meet the compliance and regulatory requirements to a large extent.

CyberArk Privileged Access Manager has helped to improve the incident response mean times. We have notifications configured from CyberArk. We have integrated CyberArk with ServiceNow and Splunk SIEM. We get notified pretty easily. The notification part works very well with CyberArk. There is about 85% improvement.

One of the best features of CyberArk Privileged Access Manager is the capability of Privileged Session Manager (PSM) because it provides visibility into user activities, audit ability, and traceability. 

The integration with most other technologies is also excellent. We expect more plug-ins, but it already includes plug-ins for password management with other technologies, offering a robust mechanism for credential safety and management.

One area for improvement is the plug-in development challenge. Although CyberArk provides a plug-in generator utility, it does not fully meet our needs, particularly for web-based applications. The plug-in generator currently works only for Telnet and SSH connections. We cannot generate a plug-in for web-based applications.

Moreover, integration with ServiceNow ticketing supports change requests or incidents but lacks support for service requests. Introducing service request support could prevent the overhead of raising unnecessary incidents or changes. There have been a lot of votes for this feature, but I am not sure why CyberArk has not yet introduced it. This is one of the features that we have been waiting for.

I have used CyberArk for over six years, and the client I am working with has been using it for over four years.

I would rate its stability an eight out of ten. There are occasional bugs where while installing the product, it behaves differently on different servers, especially during patch upgrades. Such issues have been more noticeable since we moved from version 12.6 to higher versions. This could be because they have done a lot of UI changes and enhancements in these versions.

Scalability is good, and I would rate it around an eight out of ten.

They are fast. In some cases, they typically respond within one to two days. However, the response time can vary depending on the priority and volume of cases they receive.

Neutral

We previously used BeyondTrust but are transitioning everything to CyberArk, as it offers better integration and enhancements.

The initial setup is easy. I was not part of the organization during the initial setup phase. It probably took around six months.

There are other vendors that handle the maintenance for us. CyberArk comes into the picture if issues are not resolved by our vendors.

The pricing for CyberArk is on the higher side compared to other Privileged Access Management products. Something should be done regarding enterprise licensing for long-standing customers.

I would advise trying CyberArk as it offers a wide range of integrations, plug-ins, and enhancements compared to other solutions. However, it is expensive.

Overall, I would rate CyberArk Privileged Access Manager an eight out of ten.

The primary use case for CyberArk Privileged Access Manager is within the IT security industry. It manages privileged access and generates reports, particularly for clients in sectors like finance. The system facilitates account management, enables the generation of on-demand reports, and helps maintain security protocols for these clients.

CyberArk Privileged Access Manager has enhanced my organizational capabilities by providing important security reporting features.

The most valuable features of CyberArk Privileged Access Manager include its search capabilities. Searching was previously a challenge, especially with Windows servers. When searching, we could only search based on the account name itself, as the system couldn't identify which accounts had access to which systems. This functionality caught my attention. Another standout feature is CyberArk Compass, which is planned for an upcoming release or has potentially already been released for Prisma Cloud. Finally, managing user accounts through the PWA is quite helpful. When a user is suspended, we can activate the account using the PWA instead of the private client.

The ability to manage user accounts and suspend them with ease through Password Vault Web Access rather than a client is a significant feature.

I like the integration with tools like Compass and the ability to search based on account names and systems.

My concern and area for improvement revolves around reporting. I even submitted an enhancement request to CyberArk Software, suggesting that they include a dedicated dashboard page within either Privileged Cloud or their self-hosted PAM solution. This dashboard could feature visual elements like pie charts to display metrics such as account compliance percentages. For example, it could show PTA alerts to visualize security events occurring within a month, quarter, or year. Having such a feature would allow for on-the-spot report generation. Currently, we rely on the REST API to invoke and pull the necessary information. We then have to manually copy the data, convert it from JSON to Excel, and generate the desired report and dashboard. This process is time-consuming and sometimes leads to inconsistencies in the information provided.

I have been using CyberArk Privileged Access Manager for six years.

The stability of CyberArk Privileged Access Manager is generally good. Minor issues may arise, but they are typically manageable and not major. On a scale of one to ten, I would rate the stability an eight out of ten.

My deployment of CyberArk is scalable, although the scalability differs depending on whether it's on-premises or cloud.

Customer support is somewhat lacking. They are often unavailable on Fridays, and the support process, such as raising a call or case, can take too long. On a scale of zero to ten, I would rate their support as six out of ten.

Neutral

Before using CyberArk, I interacted with BeyondTrust. BeyondTrust features, such as their reporting simplicity, made it easier for me to generate reports. The switch was primarily motivated by cost considerations.

The initial setup was detailed and required steps to ensure security measures were aligned with standards. Efficient sequencing, working with redundancy, and cooperation with load-balancing teams were crucial parts of the process.

The deployment took one week to complete because of the redundancy.

The solution is expensive but not excessively so. Discussions with clients have revealed that costs, especially for Privileged Cloud, are a concern. Improved support could enhance the solution's overall value.

I would rate the cost of CyberArk Privileged Access Manager seven out of ten with ten being the most expensive.

I would recommend CyberArk Privileged Access Manager because it is a leading solution for privileged access management. Although it has room for improvement, particularly in areas like reporting and support, it remains a solid option. I rate it an eight out of ten.

We have deployed CyberArk Privileged Access Manager using various configurations. For instance, active components are located in one location, while passive components reside in another. This is determined by the route to the virtual machine, as the components operate as virtual machines. The primary vault is situated in a separate location, and the disaster recovery vault is placed in another distinct location. Currently, we have a PAM license for 800 users, but we are utilizing it for 650 users.

CyberArk Privileged Access Manager maintenance addresses security bulletins and involves several key steps. We ensure the admin utilizes the security bulletin during maintenance, which begins with raising a change request. Before the change is approved and implemented in production, it is thoroughly tested in a test environment to verify its functionality. Deployment to production follows successful testing. Application-specific maintenance for CyberArk follows the product roadmap, ensuring we remain at most one version behind the latest release. We also promptly apply necessary security patches from security bulletins. Furthermore, from an OS perspective, we maintain alignment with the latest Microsoft patches, ensuring all systems are up-to-date and secure.

I am an admin, and I use this solution for all our users. We have 80 users in our environment.

By implementing CyberArk Privileged Access Manager, we wanted to secure our environment and track everything.

We were able to realize its benefits within four to five months of its deployment after we had onboarded everything.

CyberArk Privileged Access Manager is cool. It has a lot of good tools, including everything we need. 

It could be more user-friendly. Sometimes I encounter issues, and I do not know what the issue is. It takes a lot of time to find the error and fix it. Sometimes it gives an error, but I do not know what the error is. I have to find the documents, but it does not provide all the details needed to fix the error. This is one of the day-to-day issues with CyberArk. 

When I contact support, it takes a long time to get help. They request all these logs, but they are not always relevant to my case. It is not always a definite help because I sometimes need help with issues that do not require any logs or device details. I am not sure if they read the case or not.

I have been using CyberArk Privileged Access Manager for four years.

It is good. We had a ten-minute outage last month. That is all. We do not know the reason. 

It is reliable.

CyberArk's support quality has to improve because we are totally dependent on them. I would rate their support a five out of ten.

Neutral

I used to use Okta. CyberArk Privileged Access Manager has more features.

We had a third-party professional service that helped us to install it. It took about four or five months. To deploy, we worked with three people.

It does not require any maintenance. We just have to do the day-to-day operations work.

New users should have training before they sign up for CyberArk. CyberArk should provide mandatory training so that everyone implements it properly. Sometimes, new users do not know what is going on, and they open a ticket, which might be an issue from their end. CyberArk should have a new user training service so that everyone is familiar with it.

I would rate CyberArk Privileged Access Manager a seven out of ten.

I am a senior manager, and we have multiple clients for whom we deploy CyberArk Privileged Access Manager. We also manage or upgrade their instances. We handle migrations and new implementations. We take care of anything related to CyberArk.

The feature that I like the most is the Privileged Session Manager. It offers session recordings, logging, and tracking of user workstreams. It keeps a record of activities, allowing me to easily fetch screen recordings to detect any misuse and see who did what and what happened. Its benefits can be seen immediately after the deployment.

Based on the user experience that I see on a day-to-day basis, some changes could be made to the Privileged Session Manager tool to make it more user-friendly. The user interface of that tool could be more advanced and understandable to laymen, rather than being more of a developer tool. I would recommend more user-friendliness there.

CyberArk is more focused on the cloud solution. They are not going towards on-prem, but a lot of clients still like the on-prem solution. With the cloud implementation, you have a lot of dependencies on expert services. When you get into some issues, you have to wait for expert services. They usually reply in two to three days. That is something CyberArk needs to make better. If they want clients to move to the cloud, they need to support them in real-time. The client should not be waiting for two days to get a response for the issue. If CyberArk wants people to pay for cloud services, they need to make the cloud services much more real-time.

I have been using CyberArk Privileged Access Manager for approximately six years.

CyberArk Privileged Access Manager is a stable solution. I have never faced any issues with stability.

CyberArk Privileged Access Manager is a scalable solution.

I have contacted their support a lot of times. The quality of support is okay, but the time frame for replies should be much faster than it is currently.

Neutral

I have not used any similar solution for PAM. However, for managing the accounts, we have used some password management solutions such as 1Password, but they do not give you the accessibility and different components that PAM provides. They are just for password storage and keeping the passwords safe. A PAM solution from CyberArk or BeyondTrust solution provides a lot more than that, so we cannot compare them. There is no comparison.

I have deployed it both on the cloud and on-prem. My one client is on-prem, and another one is on the cloud.

The initial deployment depends on how extensive it is. For one client, it was quite easy, but after the deployment, it was tricky to deploy the components for AEM, EP, and CCP. On-prem implementation is much easier than the cloud. Cloud solutions require better and more immediate support. Cloud deployment is challenging due to dependencies on expert services.

It requires a bit of maintenance but not that much. Once you deploy the solution, it works, but there are always new upgrades. For example, if you deploy a web connector for web applications and Chrome releases an upgrade, you have to see whether CyberArk is supporting that upgrade or not. Accordingly, you have to update the drivers and other things for the web applications. The same goes with PSMP and SMP. If there are any version upgrades or any vulnerability patch fixes, you have to perform maintenance.

We help customers deploy it.

The duration depends on how big the instance is. To deploy all the components, the duration can range from three to six months.

It can be deployed by one person, but it also depends on how many instances of servers you are deploying, what is the concurrent usage, how many users are being onboarded, and what components you have. There is PSM. There is EPM and PSMP. It depends on what exactly the client requires. These are some factors that determine the time frame and number of people required.

From a client perspective, CyberArk's pricing is fair but there is a significant increase each year. They should limit the price increase because this could potentially drive customers to other partners. Price changes should be at defined intervals. There should not be sudden jumps.

I would rate CyberArk Privileged Access Manager an eight out of ten.

My primary use case for CyberArk Privileged Access Manager is managing privileged access across the organization. I focus on auditing compliance and ensuring compliance with financial systems like SAP.

The benefits of CyberArk Privileged Access Manager are typically realized over time, often facing initial resistance from various teams within an organization. While security, audit, and governance teams readily recognize the value of CyberArk, platform teams, and other stakeholders may resist its implementation. This necessitates a concerted effort to sell CyberArk internally, emphasizing its benefits and addressing concerns. Convincing internal stakeholders can be more challenging than securing buy-in from security or IT teams, often requiring three to six months after deployment for the benefits to become evident and widely accepted.

For me, CyberArk Privileged Access Manager's most valuable features are password and session management. It also includes technologies like Zero Standing Privileges and EPM, which I deploy for customers to demonstrate the return on investment.

CyberArk could enhance its usability by simplifying its architecture and design. Additionally, incorporating automated onboarding and offboarding features directly into the product would reduce the maintenance burden on administrators.

I have been using CyberArk Privileged Access Manager for eight years.

I find CyberArk to be quite stable. Exceptions occur mostly due to user errors. It has a large customer base and positive feedback within my network.

On-premises scalability is challenging for me due to deploying various components on different servers, but I find SaaS to be more promising in scalability.

In my experience, the quality of support has been inconsistent. Response times seem to correlate with the strength of the relationship with the CyberArk account manager, with quicker responses when rapport is strong.

Neutral

I worked briefly with BeyondTrust but returned to CyberArk, which has been my primary focus.

In SaaS, most tasks are abstracted, reducing the workload compared to on-premise solutions where tasks like network configuration, connectivity, SSL certificates, and management fall on the user. However, SaaS solution eliminate the overhead of building VMs and similar infrastructure. Overall effort for both approaches is comparable, but SaaS offers the significant advantage of CyberArk managing the underlying infrastructure, including the vault and web interface, a feature most customers prefer today.

Initial setups were challenging for me at first, but with experience, they became more manageable. It generally requires reviewing documentation and seeking initial support from CyberArk. The deployments take between three and six months.

Implementation involves a project team with a project manager and Windows engineers for tasks like VM provisioning. Typically, I have executed projects primarily by myself, sometimes with minimal assistance from junior resources.

CyberArk Privileged Access Manager is more expensive than its competitors, such as BeyondTrust, Delinea, and ManageEngine PAM360. While ManageEngine PAM360 offers similar flexibility and support at a lower cost, CyberArk's SaaS solution is particularly expensive. This high price point has discouraged many customers from migrating from on-premise solutions to the CyberArk SaaS platform.

I would rate CyberArk Privileged Access Manager nine out of ten.

CyberArk manages the maintenance for the Privileged Access Manager.

Organizations must ensure users understand the importance of PAM and how it secures infrastructure. Training sessions, workshops, and demos are crucial for building user engagement and overcoming initial resistance.

I use CyberArk Privileged Access Manager to prevent exposing credentials for super-critical accounts, such as admin accounts and root accounts. I use it to protect these credentials and to avoid exposing them.

The module called PTA, Privileged Threat Analytics, is very useful. When you give access to a user, it monitors and detects if the user's behavior is unusual. After giving access, it continually checks if the user is the same user. It detects unusual behavior if someone else accesses the application.

The solution's architecture could be improved. It requires installation on four to five different servers. Each server has a purpose, but when you need to troubleshoot, it can be difficult because you need to access each of them. Reducing the number of servers would be helpful.

In the SaaS version, the number of required servers is reduced from five to three, but it is not completely cloud-based because servers still need to be deployed on-premises. Some clients are migrating from on-premises to the cloud. They do not want to use more servers or increase their on-premises data centers. They want everything to be on the cloud, but even in the SaaS version of CyberArk Privileged Access Manager, they need to deploy some servers on-premises. That is not very helpful.

I started using CyberArk Privileged Access Manager in 2022, which was two years ago.

I have not experienced much instability. Sometimes, the issue lies with the server I deployed, but this is not very often.

In the on-premises version, scalability is difficult because server limitations can require buying new hardware. The SaaS version is more flexible, allowing easier scaling with increased users.

I contacted them more when I started to work with this solution. I still contact them but not so much.

I would rate their technical support a six out of ten. They are helpful, but complex issues can take a long time to resolve, which can delay solutions for urgent customer issues.

Neutral

I have used other solutions like Password Manager, but they were not very helpful because you use and store the same credentials, so there is a risk of exposing real credentials. CyberArk Privileged Access Manager allows me to create a random password and share it with a person, preventing the exposure of real credentials.

While some of the Password Manager solutions are free, they are too dangerous because they expose credentials.

I have worked with both on-premises and cloud versions. I prefer the cloud version because with on-prem, I need to install my own servers and maintain those servers. I do not have to do that with the cloud model. The responsibility belongs to CyberArk. I have fewer responsibilities as an administrator.

Initially, the setup was difficult to understand, but after three to four deployments, it became easier. It also depends on the kind of applications or servers needing integration.

In terms of maintenance, when the customer starts to use a new application, it needs to be integrated with CyberArk Privileged Access Manager. Sometimes the new application is not 100% compatible. In such a case, the developer needs to create the integration.

In the first deployment, there was a team of two people.

Its price is high. I have also worked with Delinea. CyberArk is comparatively expensive compared to other PAM solutions, such as Delinea, especially during renewal.

It takes some time to realize the benefits of this solution. Customers take time to understand this solution. It also happened to me when I first started to learn how this solution works. I was looking for a solution to protect identities, and when I came across this solution, I found it hard to deploy as the architecture is complex. Still, in one month, I was able to understand the purpose of this solution.

Before deployment, I advise being clear about the applications to integrate and the users who will use them. Mapping this information beforehand will save time during production. You will not have to add them one by one.

I would rate this solution a nine out of ten.

I work with the infrastructure access team in my organization and we have CyberArk as a primary solution along with a number of components for Privileged Access Management (PAM) and monitoring within the privileged access sphere.

We began with CyberArk in 2018, when we procured the licenses for CyberArk and all its components including the PAM suite and Endpoint Privilege Management (EPM). Our management took a call and we had to do a proof of concept to evaluate the product and see what it was capable of. As a product owner, I had six months to complete this. We evaluated a few specific use cases and presented our findings of the CyberArk's capability to management around the end of the third month.

Since then, CyberArk's Privileged Access Management is still our central solution for the entire estate, including all our servers (Windows/Unix), databases, devices, and so on, with around 5,000 to 8,000 users globally. Essentially, all access is managed through Privileged Access Management. That said, I am not sure to what extent all of the findings were carried forward after our initial evaluation because a lot of changes have happened within the organization. Our overall threat assessment, criteria, and even the framework has changed, now leaning towards a Zero Trust kind of strategy.

For instance, even for the tools that are used within the Privileged Access Management suite, there is a tighter alignment towards enterprise architecture, and we currently have a highly-evolved enterprise architecture group from which everything is driven. Earlier, individual units would have had their own licenses to see what they can do with them, but now things are more closely aligned with the overall enterprise architecture strategy. Given this, some of CyberArk's tools such as EPM have somewhat dropped off from the list of our priorities.

As for how we have deployed CyberArk, it's currently all on-premises. We do have a roadmap for transformation to the cloud, but I am not sure what kind of place CyberArk will have in that, as it depends on the enterprise architect's view on the cloud transformation. We have had some discussions around what to do about the cloud portion of our assets (e.g. VMs and such), what kind of monitoring we need, and so on, and I think that, among other apps, Splunk will likely become part of our toolset when it comes to the cloud. I believe we are also evaluating CyberArk's Cloud Entitlements Manager on this roadmap.

From a functional point of view, I would not have a concrete idea of how CyberArk has improved our organization because that information is better provided by someone from the operations team. Those kind of evaluations are typically done at a much higher level, probably at COO or a similar level, and they have a close alignment with the enterprise architecture group.

On a practical note, with CyberArk there is integration with your identity management system such that, when done properly, you can ensure that anyone from an administrator to production support personnel will gain the relevant access they need in good time. PAM offers integration with Active Directory, LDAP, and so on, and is fairly compliant with these kinds of approaches to identity.

I'm no longer the product owner for PAM, but I can say that the most useful feature is the vault functionality, which keeps all your passwords secure in a digital vault.

The second most useful feature is the monitoring of your privileged sessions. So you have an audit trail, where any privileged access session has to be authorized, and you have access to all the relevant monitoring controls.

When I was a component owner for PAM's Privileged Threat Analytics (PTA) component, what I wanted was a clear mapping to the MITRE ATT&CK framework, a framework which has a comprehensive list of use cases. We reached out to the vendor and asked them how much coverage they have of the uses cases found on MITRE, which would have given us a better view of things while I was the product owner. Unfortunately they did not have the capability of mapping onto MITRE's framework at that time.

PTA is essentially the monitoring interface of the broker (e.g. Privileged Access Management, the Vault, CPM, PSM, etc.), and it's where you can capture your broker bypass and perform related actions. For this reason, we thought that this kind of mapping would be required, but CyberArk informed us that they did not have the capability we had in mind with regard to MITRE ATT&CK.

I am not sure what the situation is now, but it would definitely help to have that kind of alignment with one of the more well-known frameworks like MITRE. For CyberArk as a vendor, it would also help them to clearly spell out in which areas they have full functionality and in which ares they have partial or none. Of course, it also greatly benefits the customers when they're evaluating the product.

I've been using CyberArk Privileged Access Management since 2018.

CyberArk's PAM does what it's supposed to do, based on the interactions I've had with the folks from operations. There are the usual operational challenges, but it fulfills its basic purpose.

Stability assessments are conducted by a separate team that does risk assessments, so I don't have a lot of insight into this aspect, but considering that the product has been running for quite some time now and it's still the central solution for access management, I would reckon that it's a pretty stable product.

There are different categories out there when it comes to scalability. In the case of bringing in new target systems, then sure, you can bring in what you need based on your licensing criteria. In terms of bringing in target systems which are not covered by the list of connectors that you have, this too is possible as there is scope for customization. Overall, I think it's fairly scalable and it does give decent support on the scalability front.

Our onboarding is progressing smoothly and at a steady pace. With the onboarding, you have new users coming on, and because it's a central solution, the rollout is global. There are even plans for extending the department in terms of increasing the redundancy of components, which is largely determined by operational performance reviews and so forth.

In my personal experience as product owner assigned to various components, there have been challenges with the support at times. I would say that it has scope for improvement.

Neutral

I have used a similar solution, but it was closer to a desktop password manager kind of tool. It was made by IBM and it was something you could actually install on your desktop and manage your passwords around that.

Later on IBM developed the tool into something more enterprise-oriented, and it turned into what we would classify as a privileged access management solution. But otherwise, CyberArk was probably the first fully-fledged solution in this sphere that I have used.

The initial part of the setup was quite good. When it came to Windows, we had success in the beginning stages, but later on we had to have a number of discussions with CyberArk with respect to the 'groups' nomenclature, as we wanted to have a very clear standard that could be used consistently throughout the organization.

The first iteration was mostly fast and easy, however at one point we realized that there was much more detailing needed to be done. So we went through another iteration with a more detailed design and came up with more comprehensive coverage of groups, or roles, as you might say. In total, I think it was around two years before the Windows part was comprehensively addressed, but after that, it was covered quite quickly. 

Before CyberArk's PAM, we had a legacy tool that was managing the privileged access for Windows and we had that decommissioned around this time, which was a victory of sorts.

The first step of the implementation strategy was putting all the passwords in the vault, thereby securing them. We also had a tool called Application Identity Manager, which we used for mitigation of the hard-coded passwords. Only after the vault was in place alongside Application Identity Manager, were steps taken to deploy the PAM suite.

Back in 2015, we had about three or four full-time CyberArk Professional Services folks undertake an effort to implement it, but that project failed. All that was achieved was the central vault deployment, and I think they also had Application Identity Manager installed at the time, but nothing apart from that. So it didn't take off the way it was supposed to, possibly due to a misalignment with the top management and the enterprise architecture viewpoint. But later on, and toward the second half of 2016, things started picking up again and further steps were taken from 2017 onward to deploy the Privileged Access Management functionality.

Throughout the PAM deployment, there was a fairly large vendor team that we were working with. I reckon the vendor team size was around 45 to 50 people. Within the organization, there was another large team that was supporting with various roles, such as in engineering, architecture, operations, governance, and so on. In total, there were around 50 of the vendor's team and maybe 20 to 30 roles from within the organization. There were other layers of responsibility, such as the risk team, but all those were kind of on the outside of the deployment.

I don't have much access to the facts and figures surrounding ROI, but I would reckon that with the Zero Trust risk strategy that we have, the product does match some of our key challenges. For one, we have the vault solution, so the passwords are safe up there. And then we have brokering in place for some of the key platforms, so I would say that these positives, along with our strategy and roadmap, will decide the fate of the future of CyberArk within the organization.

I'm aware that the organization had purchased licensing for almost all of CyberArk's solutions including licensing for PTA, EPM, and the Application Identity Manager. But when it comes to PSM, this is one of the components where there's an additional charge for any extra PSMs that you want to deploy. I believe that there's some rider where the vendor has a bit of leeway to, at times, charge a premium on whatever additional services you may require above the board.

Based on my experience as a product owner, I would advise, firstly, to set up an enterprise security architecture as authority within the organization, and ensure that it is closely aligned with your business. Once that is set up, then the enterprise security architecture should determine the priorities of the business and, accordingly, you can lay out a roadmap and strategy.

From a product perspective, CyberArk may or may not fit into your organization based on what strategy you have detailed, or it may or may not fit your requirements. So I would definitely not recommend purchasing the tool first and then determining what to do with it next.

Regarding automation, we are adopting DevOps for the positives it brings, such as cost savings, efficiency, etc., yet there needs to be some checks and balances. Having a fully automated solution would require you to think through the security aspects very carefully. That is why alignment with the enterprise security architecture is of great importance when it comes to securing access across environments in an identity management solution.

CyberArk's PAM is based on the concept of identity, such that a user logs in with his or her identity. So whatever systems the user accesses, there is an audit trail that is tied back to that same identity. This can happen across multiple environments based on factors such as the separation of duties, where certain engineers may not be allowed access to certain areas of development. These checks and balances occur when we give access to those kinds of rules and permissions. There are some targets we have for automation, but if it's fully automated it wouldn't be all throughout our organization as we have found there are some pitfalls with full automation.

Now, when you bring the cloud into the picture, as with our own transformation roadmap, you can't just put a tool in front of you and then expect everything to fall into place from on-premises to the cloud. It does not work that way. You need to have a sound strategy from your enterprise security perspective and only then can you ensure that things will fall into place.

Concerning the UI, PAM has an administrative dashboard and everything, but from a monitoring perspective, we also rely on additional tools apart from what CyberArk offers. For least privilege and managing secrets, there's a tool from CyberArk for that, but I'm not sure we have any plans on using that solution.

Overall, I would rate CyberArk Privileged Access Management a seven out of ten.