CyberArk Privileged Access Manager Reviews

I have worked as a CyberArk SME, team leader, project manager in the financial industry. I've managed both the implementation and configuration of enterprise CyberArk infrastructures.

As an end-user within the organization, I can't and I don't need to know the passwords of privileged accounts as CyberArk is taking care of the password/SSH Keys management on the target machines. The solution provides this security without changing the end-user experience because they are able to use the end-user tool like putty or remote desktop connection even without passing through the CyberArk interface

Our most valuable features would probably be password/key rotation, the SSH key manager, account discovery and quality of video recordings.

I think they can add a new feature for the account onboarding like I've seen for another PAM tool: for instance they should give to the CyberArk administrator the chance to upload the accounts via the PVWA using a txt or an xls file.

If you don't know the product well, it might not be easy to set up, because CyberArk has several modules. You need to study it before to start to implement this solution. It's not like other PAM tools e.g.Thycotic, which is easy to set up, as it's just a web server with a database.

The deployment itself can take between one and two work weeks. The project, or configuration documents, however, must take more time. You cannot think about the infrastructure in one week. You have to prepare all the documents, understand the infrastructure you want, etc. It's the project management that takes more time.

You have to analyze the target hosts that you have in your organization and understand what is the scope of your project. You have to make a very clear plan for the project and CyberArk infrastructure sizing. Then you have to do a very good job with the project management and collaborate with the privileged accounts stakeholders. With all that in mind, you can go ahead with CyberArk.

Be careful with the configuration. When you make changes and so on, be very careful to understand what you are doing. Plan and test what you are doing in a test environment before switching to production.

I would rate CyberArk as nine out of ten. Ten means that it's the best solution on the market and no one else compares to it.  However, before giving them a ten, they should do something related to the Password Vault utility. Maybe they should add some other features too. For me, it is one of the best tools on the market, so nine is enough for now.

The main purpose of getting CyberArk was to control the use of the shared passwords. 

Secondly, we needed to take out the secrets from the applications' source code (database connection strings). 

Thirdly, we wanted to improve the network segmentation and reduce the number of firewall exceptions. We're doing that by assigning a PSM per network zone and limiting the exceptions to its connections.

The practice of sharing passwords disappeared completely and the most sensitive application is using the AIM to retrieve database passwords for all its users.

We're still struggling with the use of RDP through PSMs.

The most valuable features for us are the AIM and PSM because they helped us by reducing the number of secrets floating around.

The AIM providers registration process could be easier and could allow re-registration. Also, some sort of policies for assigning access rights and safe ownership would be useful for deployment automation. We're seeing difficulties with hosts requiring 2FA, and we need to better cover them with PSM and PSMP.

I am very impressed with the stability, but I still need to convince some colleagues.

Scalability is rather good, we haven't reached any technical limitations yet.

The support is always very responsive, accurate, and complete in their solutions. I've always had a personal contact that would know our setup and was able to concentrate on our specifics instead of pointing to a generic document on the support site.

No, we haven't used any other solution.

The initial setup was straightforward because its entire complexity was hidden by the CyberArk expert who guided the whole process.

Our vendor's implementation team was stellar.

We haven't yet calculated the ROI.

Attempt to minimize the AIM deployments as the license is expensive. Take a license for a test instance even if it might cost extra.

I cannot tell what other options were evaluated.

Keep an eye on the cloud integrations and be ready for Conjur.

This solution is used for managing all unmanaged and forgotten privileged accounts. DNA tool is amazing, far better than imaginable in previous years.

We are able to keep an eye on every move made by privileged accounts throughout the enterprises, and with PSM we have monitoring after hours.

CPM, which helps keep the password policy up to date. which eventually helps to maintain the GDPR data security requirements for almost every client in Europe and elsewhere. 

It is currently a robust product, but we should be able to join together small components. This will improve support and understanding.

• Vaulting of privileged credentials. 
• Used as a jump host solution. 
• We wanted to keep passwords from being exposed to end users and connect them seamlessly to their target devices.

Our privileged accounts are now stored in a more secure location and lateral movement within the network have been lessened.

The PSM is excellent and the ability to write your own connectors and plugins is invaluable as far as flexibility goes.

• Enhanced PSM support for Java based applications.
• Easier to use bulk uploader tools (which are already being worked on).

As a security engineer, I mostly implement the Enterprise Password Vault Suite (Vault Server, Central Policy Manager, Password Vault Web Access) as this is the base upon which every additional component is built. I am using and implementing the additional components, such as the Privileged Session Manager and Application Identity Manager, more and more.

When implementing CyberArk, I see that a lot of security issues are addressed by the solution. For example, audit issues for privileged (non-personal) accounts, which have a sufficient amount of impact on the organization when being compromised or misused.

A major benefit next to the auditing capabilities is the secure storage of the accounts in questions. CyberArk has the most extensive hardening and encryption techniques I have seen in a product, with equal intentions.

Additionally, CyberArk can reduce the attack surface of these accounts by retaining the privileged accounts (protecting the credentials) within a secure environment only to be accessed through a secured proxy server (Privileged Session Manager). What I have also seen is that the Privileged Session Manager can aid in the adoption of CyberArk within an organization as it allows the end user to keep using his personal way of working (e.g., Remote Desktop Manager, Customized Putty).

Another burden that organizations have is the need to manage hard-coded credentials. CyberArk also has a solution for this, allowing the credentials to be stored in the vault, where they can be retrieved by a script or applications through the execution of a command instead of hard-coding the credentials. There is also a solution available for accounts used in Windows scheduled tasks, services and more.

The last generic, relatively new improvement for customers is the ability to monitor and identify the usage of the accounts managed by the suite. By using Privileged Threat Analytics, you can match the usage of CyberArk against the actual (logon) events retrieved from the corporate SIEM. Next to this, PTA profiles privileged account usage to discover malicious patterns such as different IP addresses or usage of an account on an unusual day. This is a very useful practice to gain an enhanced view on these privileged accounts and can eventually limit the impact of any malicious usage because of early detection.

In every product, there is room for improvement. Within CyberArk, I would like to see more support for personal accounts. It can be done right now, but I can imagine changing a few aspects would make this easier and more foolproof.

Next to that, the REST API is not as capable as I would like. CyberArk is getting close, though.

Lastly, I would love to see a password filler that can provide raw input (like a keyboard). There are scenarios where administrators do not have the ability to copy and paste a password from the clipboard. As typing over a long random password is a tricky job, a raw password filler would be a solution that could overcome this issue.

I have been involved with CyberArk for three years now. During this period, I have designed, implemented and supported multiple CyberArk environments.

During the time that I have worked with CyberArk, I was able to conclude - based on experience and colleague stories - that this is one of the most stable products I have ever encountered. I have never seen any stability issue that was not related to a human error or a configuration issue.

As far as I’m aware, we have not encountered any scalability issues. I have heard of some issues with the database of CyberArk when scaling to excessive amounts of entries, a long time ago. These issues have been fixed, as far as I know.

In addition, it is possible to have issues with the Central Policy Manager when you configure it wrong.

The technical support for our customers is primarily handled by ourselves, with CyberArk technical support to fall back to. I have seen great improvements in the quality of support over the years and they continue to do so. The response is fast and the quality is good.

There is room for improvement in bug tracking. When a bug is confirmed, it is hard to track when or if it will be released in one of the future releases. As CyberArk is building an entire new support portal, I hope that this will be improved someday.

My company did not previously use a different solution. My company has had CyberArk in their portfolio for more than 10 years now.

Our company has set up a ‘generic’ and fast implementation plan based on our experiences and best practices. This plan provides a straightforward approach, which can be customized into a complex solution to suit every customer's needs.

In general, the installation is quick, but the actual work is found in the process of onboarding new account(type)s as this requires a significant amount of communication and coordination.

Try to create a good design with a CyberArk partner before you start thinking about licensing. Then, you will have a good view on the components needed to suit your environment from the start towards a fully mature environment.

Do not think too big at the start.

EPV (Enterprise Password Vault) is the most valuable feature of the product to me. It is the core of the product, where it stores the passwords it needs to protect. It protects privileged IDs within a secure digital vault.

User friendliness and reporting: While the PVWA (Password Vault Web Access) provides a web console for the end user and administrator to access the solution, there is room for improvement. (E.g.: show tips when the mouse hovers over.) Reportingprovides very detailed information; however, it requires customization before it is presentable.

I first got introduced to CyberArk around 2012.

No issue with stability. The solution provides an HA option.

I would say there are scalability issues. After the solution is deployed, resizing it is difficult. Therefore, proper sizing at the planning stage is important.

Technical support is excellent; one of the most knowledgeable and well-trained support staff.

I did not previously use a different solution.

Initial setup was complex. A typical deployment will require at least two months of full-time planning. In a large deployment, it can be over six months.

Before choosing this product, I did not evaluate other options.

A well-trained and experienced deployment team is critical. Sizing, safe design, and access management need to be discussed beforehand.

reason for not being a 10 is, there is always rooms for improvements.

CyberArk is a good, profitable, and most valuable solution.

While testing the functionality of PAM, we weren't merely conducting a standard PAM evaluation. We aimed to establish a connection and successfully received a response from the target PAM component.

The product’s pricing could be improved.

I have been using CyberArk Privileged Access Manager as a partner and implementor.

The product is stable. If you make some changes or something, it's stable.

The solution is scalable. We cater it to enterprise businesses.

Customer support takes too much time to provide some response. When you open some cases, sometimes it takes one or two weeks to get some people to know the problem and how they will help us.

Neutral

The initial setup takes a few days to complete.

I rate the initial setup a six out of ten, where one is difficult and ten is easy.

The product is expensive.

I rate the product’s pricing a seven out of ten, where one is cheap and ten is expensive.

Overall, I rate the solution a nine out of ten.

We are using CyberArk Privileged Access Manager because we have too many accounts and we need to manage them.

CyberArk Privileged Access Manager has helped our organization by controlling users' access.

CyberArk Privileged Access Manager could improve the integration docking, it should have more layers. For example, integration with OpenShift.

I have been using CyberArk Privileged Access Manager for approximately two years.

CyberArk Privileged Access Manager is stable.

We have thousands of users using CyberArk Privileged Access Manager in my organization.

The support from CyberArk Privileged Access Manager is good.

The initial setup of CyberArk Privileged Access Manager was straightforward.

We had a local third-party company help us with the implementation of CyberArk Privileged Access Manager. The maintenance is sometimes a challenge for our consulting team that does it.

I would recommend this solution to others.

I rate CyberArk Privileged Access Manager a nine out of ten.