CyberArk Privileged Access Manager Reviews

• EPV: Enterprise Password Vault
• PSM: Privileged Session Manager
• AIM: Application Identity Manager
• The latest version of the product is mature and there is more functionality than we need.

• Improved security
• Reduced the overhead to protect enterprise data from delays
• Receives logs about all activities
• Compliance with several standards

I’m not the end-user. As a solutions architect (consultant), I designed and planned the solution in a very complex network environment.

We have not encountered any stability issues. After more than six years with my first CyberArk client, everything works great.

We have not encountered any scalability issues. The solution was scaled right at the beginning of the project.

We called technical support a few times and they came back to us very quickly. They fixed our problems very quickly. The problems were caused mainly by changes in the network.

We did not use any previous solution.

We were assisted for the initial setup by a CyberArk consultant for one week.

A good architecture will help to gather the business requirements. You can then come up with the right sizing and licenses. If it is a large installation, implement in phases to become familiar with the products, and then purchase the licenses at the right time.

All other top solutions in the Gartner Magic Quadrant were evaluated and CyberArk came up as the best and most mature choice. I compared all solutions using my client business requirements and what the solutions offered to them on the top of the business requirements. The scope of the project became wider.

I would recommend being well prepared. Do not improvise. Understand what you are doing. Take the time to read the technical documentation, and not just the marketing material, to understand CyberArk. It will not be a waste of time.

Take the time to prepare, clean, and document all your privileged, services, and application accounts. Use the product for its intended design.

We are using CyberArk Privileged Access Manager because we have too many accounts and we need to manage them.

CyberArk Privileged Access Manager has helped our organization by controlling users' access.

CyberArk Privileged Access Manager could improve the integration docking, it should have more layers. For example, integration with OpenShift.

I have been using CyberArk Privileged Access Manager for approximately two years.

CyberArk Privileged Access Manager is stable.

We have thousands of users using CyberArk Privileged Access Manager in my organization.

The support from CyberArk Privileged Access Manager is good.

The initial setup of CyberArk Privileged Access Manager was straightforward.

We had a local third-party company help us with the implementation of CyberArk Privileged Access Manager. The maintenance is sometimes a challenge for our consulting team that does it.

I would recommend this solution to others.

I rate CyberArk Privileged Access Manager a nine out of ten.

This solution is used for managing all unmanaged and forgotten privileged accounts. DNA tool is amazing, far better than imaginable in previous years.

We are able to keep an eye on every move made by privileged accounts throughout the enterprises, and with PSM we have monitoring after hours.

CPM, which helps keep the password policy up to date. which eventually helps to maintain the GDPR data security requirements for almost every client in Europe and elsewhere. 

It is currently a robust product, but we should be able to join together small components. This will improve support and understanding.

Companies often have an enormous amount of admin credentials out there. They want to find out how many they have, start cleaning them up, and ensure they're all kept in an encrypted vault. Password Vault is probably the top product in that space, and it's a monster to implement, but CyberArk is great at what they do.

Password Vault's main advantage is its scalability. We constantly see huge enterprises implementing something like this, and the privileged session management is an excellent piece. You can kind of watch videos of whatever an admin has done. So, for example, if an admin doesn't check out their password and fires up a session on a machine, you can see playback. Scalability and those particular features are pretty valuable for monitoring your insider threat.

Our customers haven't complained about any stability issues, and we've set Password Vault up for quite a few customers. However, the stability depends on the equipment unless they do it in the cloud. But if they're setting up on a bunch of VMs, and that VM store goes down, that's not necessarily a CyberArk problem. That's more of a problem with Windows or VMware, etc., or something like that. So I guess the stability's fine.

There are upwards of six components you need to set it up. And you might need anywhere from two to five servers. It takes some work to set that up, especially in a larger environment.

On-prem CyberArk is pretty expensive. It's pricey and you get what you pay for. It's an incredible product for what it does, but it's significantly cheaper to go to the cloud.

I would rate Password Vault seven out of 10. I'd only go that low because of how challenging the installation can be. I advise our customers to consider using CyberArk's cloud option because many people just reflexively lean toward the on-prem solution. The cloud solution is considerably less expensive. It's still complex to set up the different components and make it all work together, so I suggest you make sure you need all those components. Maybe you don't even want to use everything there, but consider the cloud version. It's the same product, but it's more straightforward and cost-effective. You're not losing any functionality.

Managing passwords to infrastructure and applications, keeping those accounts “safe,” and being able to audit their use.

The audit capabilities include video so that not only keystrokes but also mouse clicks are captured. This provides safety and reassurance for anyone working in our infrastructure. 

Reducing the number of “admin” accounts by utilizing accounts that can be used by individuals with the same role, but only one at a time. When the accounts have been used, its password is changed (to something a user would have had to write down) before being made available for reuse. The passwords which are hidden from the users are not known, and thus can be long and complex, while only being used for a session before being changed.

Privileged Threat Analytics (PTA) that can function in more that one AD domain at a time. The recent enhancement that allows resilience in PTA is great, but operation in more than one domain is required as many organizations have multiple AD domains. Even if it’s just prod and test or PPE split, you still want to know what’s going on in it.

Three to five years.

No Previous PAM solution used.

Yes, based on Gartner

We have different privileged accounts in our enterprise. All of the application owners and the stakeholders want to store those accounts CyberArk privileged security, so they can connect to the target systems. It also allows for session recordings at the time of auditing.

We can be connected to the target system and the PSM component comes into play. In addition, a true asset is the recordings the solution keeps.

We have found with the recent upgrade a lot of issues we had with the connection have been resolved.

It is stable.

There are no issues with scalability. Our clients are very happy to use the product.

Tech support is very quick to answer our request tickets. 

It is necessary to use professional service for the setup of the solution. It is a challenge if you are not well-versed in CyberArk.

In comparison to other products on the market, CyberArk is a more costly product.

Primary use case is storing and rotating local domain admin credentials for Windows and Unix network devices.

We're using CyberArk secure application credentials and endpoints on a small scale and we're planning, for the future, to use CyberArk to secure infrastructure applications running in the cloud. We don't have experience using the Plugin Generator Utility.

It is performing pretty well for the most part. We have some issues with RADIUS authentication, some bugs with that. But, generally speaking, it works really well.

The benefit is knowing where your accesses are, who has access to what. Additionally, obviously, it provides improved security around having your credentials locked down and rotated regularly.

Credential rotation. It's tops.

I'd like to see a more expansive SSH tunneling situation through PSMP. Right now you have an account that exists in the vault and you say, "I want to create a tunnel using this account." I'd like to see something that is not account-based where I could say, "I want to create a tunnel to this machine over here," and then authenticate through the PSMP and then your tunnel is set up. You wouldn't need to then authenticate to a machine. Then you could go back in through your native clients and connect to that machine. Also, to have that built out to include not just Unix targets but anything you'd want to connect to.

The stability, overall, is really good, outside of some of the RADIUS problems that we're having. Generally, it is very good.

The scalability, sometimes, is lacking. It works really well for more static environments. I've been at places that had a really static environment and it works really well. You've got X number of CPMs and X number of PVWAs in your vault and everything gets up and going and it's smooth sailing. But for an environment where you're constantly spinning up new infrastructure or new endpoints, sometimes it has a hard time keeping up.

Technical support actually works really well. From time to time there can be some issues as far as SLAs go. Sometimes results will be on the back end of an SLA, which is still fair. It seems like you're complaining that it's "one to three days" and it's three as opposed to one, which is an unfair criticism. 

Generally, everybody is pretty knowledgeable. They're pretty upfront when it needs to be passed off to somebody else. That usually happens in a pretty timely manner.

I have been involved in the initial setup elsewhere. It's actually really straightforward, depending on what you're trying to do. If you have a simpler environment, to set up a PVWA and to set up a vault, is straightforward. It's all pretty much there in the guide. Sometimes the documentation gets a little bit out of sync, where things aren't exactly as they should be but it's always really close. Generally, the documentation is good and straightforward.

I'm not the right person to answer questions about ROI for our organization.

Engage with Professional Services, not just for help with, "Here are the buttons to click," because they've been really helpful as far as how we would want to implement things.

Our most important criteria when selecting or working with a vendor, outside of the product being good, are reliability and timeliness of response. Those are the two big things. I think CyberArk does a pretty good job on these.

I rate CyberArk at eight out of 10. I think the solution, as released, is usually very good. When something comes out, it's generally airtight and works as advertised. However, sometimes they are a little bit slow to keep up with what's coming out. In 2017, for example, they released support for Windows Server 2016, which had been out for a year or so. There is probably some tradeoff that is required to keep things so airtight, by holding back a little bit. But that would be my one criticism: It's slow to keep up, sometimes, with updates.

The proxy solution using PSM and PSMP is valuable. It gives leverage to reach out to servers which are NATed in separate networks and can be reached only by using a jump server.

Security has been improved. It has improved compliance and there is more control over the privileged users.

The performance of this product needs to be improved. When the number of privileged accounts increases, i.e., exceeds 2000, then the performance of the system reduces. The login slows down drastically and also the connection to the target system slows down. This is my observation and thus, the server sizing needs to be increased.

I have used this solution for three years.

We have not encountered any stability issues so far.

We have experienced some scalability issues, in terms of the performance.

The technical support is good.

Initially, we were using the CA ControlMinder. There were many issues with this solution, mainly in regards to no proxy solution and poor performance.

The setup has a medium level of complexity.

One should negotiate well.

We looked at other solutions such as CA PAM, Lieberman Software, Thycotic and ARCOS.

This is the best product from its breed.