CyberArk Privileged Access Manager Reviews

This solution is used for managing all unmanaged and forgotten privileged accounts. DNA tool is amazing, far better than imaginable in previous years.

We are able to keep an eye on every move made by privileged accounts throughout the enterprises, and with PSM we have monitoring after hours.

CPM, which helps keep the password policy up to date. which eventually helps to maintain the GDPR data security requirements for almost every client in Europe and elsewhere. 

It is currently a robust product, but we should be able to join together small components. This will improve support and understanding.

Companies often have an enormous amount of admin credentials out there. They want to find out how many they have, start cleaning them up, and ensure they're all kept in an encrypted vault. Password Vault is probably the top product in that space, and it's a monster to implement, but CyberArk is great at what they do.

Password Vault's main advantage is its scalability. We constantly see huge enterprises implementing something like this, and the privileged session management is an excellent piece. You can kind of watch videos of whatever an admin has done. So, for example, if an admin doesn't check out their password and fires up a session on a machine, you can see playback. Scalability and those particular features are pretty valuable for monitoring your insider threat.

Our customers haven't complained about any stability issues, and we've set Password Vault up for quite a few customers. However, the stability depends on the equipment unless they do it in the cloud. But if they're setting up on a bunch of VMs, and that VM store goes down, that's not necessarily a CyberArk problem. That's more of a problem with Windows or VMware, etc., or something like that. So I guess the stability's fine.

There are upwards of six components you need to set it up. And you might need anywhere from two to five servers. It takes some work to set that up, especially in a larger environment.

On-prem CyberArk is pretty expensive. It's pricey and you get what you pay for. It's an incredible product for what it does, but it's significantly cheaper to go to the cloud.

I would rate Password Vault seven out of 10. I'd only go that low because of how challenging the installation can be. I advise our customers to consider using CyberArk's cloud option because many people just reflexively lean toward the on-prem solution. The cloud solution is considerably less expensive. It's still complex to set up the different components and make it all work together, so I suggest you make sure you need all those components. Maybe you don't even want to use everything there, but consider the cloud version. It's the same product, but it's more straightforward and cost-effective. You're not losing any functionality.

Managing passwords to infrastructure and applications, keeping those accounts “safe,” and being able to audit their use.

The audit capabilities include video so that not only keystrokes but also mouse clicks are captured. This provides safety and reassurance for anyone working in our infrastructure. 

Reducing the number of “admin” accounts by utilizing accounts that can be used by individuals with the same role, but only one at a time. When the accounts have been used, its password is changed (to something a user would have had to write down) before being made available for reuse. The passwords which are hidden from the users are not known, and thus can be long and complex, while only being used for a session before being changed.

Privileged Threat Analytics (PTA) that can function in more that one AD domain at a time. The recent enhancement that allows resilience in PTA is great, but operation in more than one domain is required as many organizations have multiple AD domains. Even if it’s just prod and test or PPE split, you still want to know what’s going on in it.

Three to five years.

No Previous PAM solution used.

Yes, based on Gartner

The primary use case of this solution is for third-party developers that come into our infrastructure from VPN to connect. They are organizations that are outside of our organization.

Before CyberArk, our developers would connect from the VPN directly to the jump servers to get all of their access. We have removed the jump servers to connect to CyberArk.

The security has improved. We know who is accessing and what they are doing. The access is secure. 

CyberArk has increased our security.

The most valuable feature is that it is flexible. It has many connectors. that have done well, the EPV and SSH sessions are all being recorded and everything works fine.

This solution does not support the SQL Developer. We have to purchase separately from CyberArk and we have to ask them to develop it.

This solution is a bit complex compared to other solutions. The installation and administration are complex.

Some things can be done through the interface, but the whole installation process and upgrade process can be done with the installation script but it's complex.

This is too complex for some organizations that do not have a large scale.

In the next release, they could simplify the setup and I would like some tasks added like file sharing. When a client connects to CyberArk and wants to put a file on the server, they cannot.

I thought that the client would be able to drop a file onto the server and the file would be visible on the server.

I have to disable the connection to provide a copy and this is a security issue, and I closed this file to the client then he can't upload and files to us.

They need to come up with a way for the client to file share with CyberArk.

I have been using this solution for six months.

This solution is stable. We have not had any issues.

This solution is scalable but pricey.

There are fifty users and they are developers.

I have not contacted technical support. I am not an engineer, I work for the bank and I have implemented this solution.

Previously we used Fudo and jump servers with OTP. It is not the same, but from a security perspective, it is also quite good and less expensive.

The initial setup is complex.

You need at least one engineer to manage the software. I must have dedicated people to administer it.

We worked with integrators for the installation. The first step was the installation process and the hardening. This process took two weeks to implement.

The migration process was more complex and more time-consuming.

This solution is expensive.

My advice would be to compare with other products and if they don't want such a large solution they could try Fudo or a similar solution that is easier and can scale like CyberArk.

I would rate this solution a nine out of ten.

We have different privileged accounts in our enterprise. All of the application owners and the stakeholders want to store those accounts CyberArk privileged security, so they can connect to the target systems. It also allows for session recordings at the time of auditing.

We can be connected to the target system and the PSM component comes into play. In addition, a true asset is the recordings the solution keeps.

We have found with the recent upgrade a lot of issues we had with the connection have been resolved.

It is stable.

There are no issues with scalability. Our clients are very happy to use the product.

Tech support is very quick to answer our request tickets. 

It is necessary to use professional service for the setup of the solution. It is a challenge if you are not well-versed in CyberArk.

In comparison to other products on the market, CyberArk is a more costly product.

Primary use case is storing and rotating local domain admin credentials for Windows and Unix network devices.

We're using CyberArk secure application credentials and endpoints on a small scale and we're planning, for the future, to use CyberArk to secure infrastructure applications running in the cloud. We don't have experience using the Plugin Generator Utility.

It is performing pretty well for the most part. We have some issues with RADIUS authentication, some bugs with that. But, generally speaking, it works really well.

The benefit is knowing where your accesses are, who has access to what. Additionally, obviously, it provides improved security around having your credentials locked down and rotated regularly.

Credential rotation. It's tops.

I'd like to see a more expansive SSH tunneling situation through PSMP. Right now you have an account that exists in the vault and you say, "I want to create a tunnel using this account." I'd like to see something that is not account-based where I could say, "I want to create a tunnel to this machine over here," and then authenticate through the PSMP and then your tunnel is set up. You wouldn't need to then authenticate to a machine. Then you could go back in through your native clients and connect to that machine. Also, to have that built out to include not just Unix targets but anything you'd want to connect to.

The stability, overall, is really good, outside of some of the RADIUS problems that we're having. Generally, it is very good.

The scalability, sometimes, is lacking. It works really well for more static environments. I've been at places that had a really static environment and it works really well. You've got X number of CPMs and X number of PVWAs in your vault and everything gets up and going and it's smooth sailing. But for an environment where you're constantly spinning up new infrastructure or new endpoints, sometimes it has a hard time keeping up.

Technical support actually works really well. From time to time there can be some issues as far as SLAs go. Sometimes results will be on the back end of an SLA, which is still fair. It seems like you're complaining that it's "one to three days" and it's three as opposed to one, which is an unfair criticism. 

Generally, everybody is pretty knowledgeable. They're pretty upfront when it needs to be passed off to somebody else. That usually happens in a pretty timely manner.

I have been involved in the initial setup elsewhere. It's actually really straightforward, depending on what you're trying to do. If you have a simpler environment, to set up a PVWA and to set up a vault, is straightforward. It's all pretty much there in the guide. Sometimes the documentation gets a little bit out of sync, where things aren't exactly as they should be but it's always really close. Generally, the documentation is good and straightforward.

I'm not the right person to answer questions about ROI for our organization.

Engage with Professional Services, not just for help with, "Here are the buttons to click," because they've been really helpful as far as how we would want to implement things.

Our most important criteria when selecting or working with a vendor, outside of the product being good, are reliability and timeliness of response. Those are the two big things. I think CyberArk does a pretty good job on these.

I rate CyberArk at eight out of 10. I think the solution, as released, is usually very good. When something comes out, it's generally airtight and works as advertised. However, sometimes they are a little bit slow to keep up with what's coming out. In 2017, for example, they released support for Windows Server 2016, which had been out for a year or so. There is probably some tradeoff that is required to keep things so airtight, by holding back a little bit. But that would be my one criticism: It's slow to keep up, sometimes, with updates.

The proxy solution using PSM and PSMP is valuable. It gives leverage to reach out to servers which are NATed in separate networks and can be reached only by using a jump server.

Security has been improved. It has improved compliance and there is more control over the privileged users.

The performance of this product needs to be improved. When the number of privileged accounts increases, i.e., exceeds 2000, then the performance of the system reduces. The login slows down drastically and also the connection to the target system slows down. This is my observation and thus, the server sizing needs to be increased.

I have used this solution for three years.

We have not encountered any stability issues so far.

We have experienced some scalability issues, in terms of the performance.

The technical support is good.

Initially, we were using the CA ControlMinder. There were many issues with this solution, mainly in regards to no proxy solution and poor performance.

The setup has a medium level of complexity.

One should negotiate well.

We looked at other solutions such as CA PAM, Lieberman Software, Thycotic and ARCOS.

This is the best product from its breed.

This solution is used primarily for privileged segment access and break-glass access. We also use it for log-on session recording and access control, where we can grant access to our key systems for ad-hoc use.

The most valuable feature is the ability to delegate access to admins when they need it. It allows us to have some kind of proof on the approval process, rather than give people standing access on a full-time basis.

I would prefer that this is a fully-managed service, rather than have to manage the software ourselves and keep it up to date. A cloud-based deployment would ultimately be better for us than an on-premises appliance.

Stability has not been a problem.

We didn't have any issues with scalability, although we only have 30 or 40 systems integrated. There were not tens of thousands.

We did not need to contact technical support.

The initial setup was not very hard, although it took a little while to get it set up. The only difficult part is making sure that it is integrated with all of the applications. If you've got Active Directory then it is easy, and pretty straightforward. If instead, you have all local accounts then it can get a lot harder, although I don't think that any other application can improve it if you've got local accounts everywhere.

The actual installation that included getting it up and running was pretty quick, taking only a couple of days. Going through all of the change management and other processes took much longer, on the order of months. The more problems there are with accounts inside the organization, the longer the deployment will take.

Our in-house team was responsible for the deployment.

The price of this solution is expensive.

My advice for anybody who is implementing this product is to get the admins familiar with the setup. They have to learn how to get the process approved, especially in an ad-hoc scenario. The scheduled changes are ok, but the ad-hoc ones can be a little bit problematic if you don't have enough approvals ready to approve access.

If an organization can afford it then the Cyberark Enterprise Password Vault works well.

I would rate this solution a nine out of ten.