CyberArk Privileged Access Manager Reviews

We currently use CyberArk Privileged Access Manager for password vaulting. Our roadmap includes managing service accounts, rotating passwords, and expanding to SSH keys, AWS keys, and other login credentials. We've already implemented local administrative accounts and rotated elevated domain administrative accounts. Additionally, we've integrated Okta for multi-factor authentication, using Okta Verify, and plan to expand this to workforce identity for broader end-user security and credential management.

CyberArk Privileged Access Management's most valuable features are primarily its password vault functionality, specifically CyberArk's Core Privileged Manager and Privileged Session Manager. These components facilitate secure password rotation and out-of-band session management, addressing our organization's critical security needs.

The current process for accessing RDP through the CyberArk or administrative portal involves downloading an RDP file. This is inconvenient for users and problematic due to security restrictions that prevent accessing servers via downloaded RDP files. Ideally, the process should allow for a direct RDP connection upon providing server details, eliminating the download step and streamlining access. This issue represents a significant challenge and source of frustration for users.

The product is complex and requires extensive configuration. More tutorials and detailed use cases with troubleshooting steps would be beneficial, particularly for first-time implementers. Despite the excellent customer service, resolving issues can be time-consuming due to the product's complexity. Compared to lightweight solutions like Okta, CyberArk requires more background experience and is not as straightforward to learn and implement.

I have been using CyberArk Privileged Access Manager for almost five years.

The performance of CyberArk Privileged Access Management sometimes lags or crashes, but this is not a significant concern.

We have not reached platform limitations yet, as CyberArk supports up to eight hundred platforms per tenant, and documentation is clear about scalability limits.

Customer support has been very helpful and responsive. My customer success manager facilitated many calls with technical experts, efficiently resolving critical issues.

Positive

CyberArk's environment setup was straightforward, but we encountered issues during the Proof of Concept stage, specifically with PAM account discovery. While the CyberArk Manager displayed discovered accounts, we couldn't download the data into a usable format like an Excel sheet. This hindered our ability to identify efficiently and inventory discovered accounts, particularly from Windows systems, for phased onboarding. Although we eventually received instructions from CyberArk support on downloading the data, the process was complex and time-consuming. Simplified data export features would greatly benefit administrators.

I received excellent support from CyberArk's technical team and customer success manager, who arranged calls and helped resolve implementation issues.

Although CyberArk Privileged Access Management is expensive, its protection capabilities outweigh the cost.

I also evaluated CyberArk, along with Okta PAM and BeyondTrust, because it encompasses all the features we require, and Gartner recognizes it as an industry leader.

I rate CyberArk Privileged Access Management seven out of ten. 

To streamline project setup, new users should receive guidance on planning and implementation scopes. Scheduling a jump start without such direction can complicate learning.

Our primary use case is the scheduled password change management of Windows, Linux, and Cisco privileged local user passwords, as well as providing internal applications using the REST API credentials to access and maintain network elements.

Utilizing the CyberArk Password Vault DR implementation, we have a ready resource as a hedge against network issues caused by seasonal hurricanes through having a replicated DR vault in an out-of-state facility.

The implementation of the CyberArk Privileged Access Management has reduced the total labor cost of doing quarterly password change management (PCM) on the thousands of network elements (routers & switches), servers, and workstations throughout our nationwide network.

In addition to reducing the direct labor cost of the PCM procedures, the automation aspect has reduced risk that has previously resulted in many lost man-days resolving issues which previously was attributed to human-factor error during PCM procedures.

Utilizing the Central Policy Manager to provide policy programmable password change management automation, which can be configured either globally, or by using the individual PlatformIDs which limits the effect of human error on a nationwide implementation of network devices that are remotely co-located and not readily accessible. 

The implementation of the PSM proxy has reduced the specific risk of "insider attacks" on our domain controllers and SLDAP servers by eliminating direct user login by an open secure connection on the user's behalf without ever revealing the privileged credentials.

My personal wishlist of features has been fulfilled with versions 12.6 and 13.2, which provide a host of improvements that the administrator community has been asking for.  

With these version releases, that leaves my only "unfulfilled" product improvement request to be the creation of some kind of memo field for each device account, which could be used, in our network at least, to leave a note about the device for either the security or network engineering team members.

We originally implemented the product in 2014 as a compliance mandate and fully integrated the application and functionality in 2017. We have just finished our fourth product upgrade and expanded our enterprise vault space to meet growing demand.

My implementation has been very stable over the past seven years, only having minor hiccups caused by "human error" during the "accidental" editing of a configuration file.

We currently store over 50,000 privileged passwords, and I know if our network doubled tomorrow, the product would scale to meet the increased demand.

There are two specific organizations within CyberArk that can provide customer assistance.

The customer success team is there with serious advanced knowledge to assist when things are not flowing. In my specific case, while I was learning to be a PAM administrator, I routinely contacted our customer success team with questions related to "Where can I find this documentation?", "How does this work?" and my favorite, "How can I put my permission back onto a safe?"

The other team is the professional services team, whose job is to be able to come in, analyze an issue, and correct it with the utmost speed. These are also highly experienced individuals that can be brought in the expand your implementation as needed.

Positive

Prior to the implementation of the CyberArk Privileged Access Manager, the security operations utilized unencrypted spreadsheets to store privileged passwords, which became a POAM when discovered during a routine security audit.

Our organization utilized the CyberArk professional support team to come in and provide a local, hands-on planning and implementation approach. This implementation methodology actually reduced long-term costs by making sure the implementation was done according to CyberArk's Best Practices.

Our organization utilized CyberArk's professional support team to come in and provide a local, hands-on planning and implementation approach. This implementation methodology actually reduced long-term costs by making sure the implementation was done according to CyberArk's Best Practices.

Our annual support costs are offset by the reduced labor costs within the SOCC environment, as the product has automated most of the password change management procedures, allowing labor to be focused on other topics.

While the IAM space is heating up with new vendors, both CyberArk development and the product team seem to be ahead of the curve, with features and products to enable enterprise customers the ability to secure their networks and break the intrusion cycle.

CyberArk was our first venture into a secure password vault and was implemented at the recommendation of our federal customer.

The product takes some time to learn. That said, CyberArk Software offers both a customer success team as well as paid professional support to assist.  

The customer success team has always seemed to be in my corner when needed, bringing insight and assistance when I was unable to resolve some of my "self-created issues".

My use cases as of right now include configuration, implementation, and developing a PowerShell report.

By implementing CyberArk Privileged Access Manager, we wanted to secure the password data and password accounts. We could see the benefits of CyberArk Privileged Access Manager immediately after we deployed it and started using it.

They could improve CyberArk Privileged Access Manager by providing more reports. If I need to know the 10 most-used accounts for this week, that functionality can be made available in the reports.

I have been using CyberArk Privileged Access Manager for seven years.

It is stable. The environment is stable, with no lagging, crashing, or downtime.

I cannot say much about scalability because we did not have any need for it.

I have contacted their technical support plenty of times. I would rate CyberArk's support a seven out of ten. They are always good.

Neutral

I have not used any alternatives to CyberArk Privileged Access Manager in my career.

The initial deployment was easy because I went to training first. The training was set up by CyberArk. From design to implementation, it took close to six months.

In terms of maintenance, it requires OS upgrades and patches. It doesn't take a long time.

We did not use any help from a third party, such as an integrator or consultant. The number of people required depends on the environment. I don't see how one person can manage it because there is a lot of information to collect before even doing a design.

My company always complains about the cost of CyberArk Privileged Access Manager because it's too high.

For a new user, I would advise them to try to configure CyberArk Privileged Access Manager a couple of times before starting to use it in a production environment.

I would rate CyberArk Privileged Access Manager a nine out of ten.

We're using CyberArk Privileged Access Manager to manage our service accounts, privileged service accounts, and password rotation. We also use Conjur.

CyberArk Privileged Access Manager has helped our organization remain compliant in the privileged access management space. It is very helpful for meeting compliance and regulatory requirements such as SOCS, SWIFT, and PCI DSS.

CyberArk Privileged Access Manager has helped us become more efficient in managing these service accounts.

CyberArk Privileged Access Manager feels quite secure in ensuring data privacy.

CyberArk Privileged Access Manager has a very strong potential for preventing attacks and lateral movements, but it has not had an impact one way or the other on the number of privileged accounts in our organization. They are just managed differently.

CyberArk Privileged Access Manager makes it easy for users to retrieve and manage their passwords.

I have been using CyberArk Privileged Access Manager for a few months. I am still learning, and I appreciate all the networking and education at the CyberArk Impact in Boston, which is going to set me up for success as I take on my role.

In CyberArk Privileged Access Manager, the UI has room for improvement, as does the dashboard reporting, which could be made better or easier to use. The interface needs to be more intuitive in CyberArk Privileged Access Manager. There should be dashboards in CyberArk Privileged Access Manager with more data and reporting capability for the non-compliant scenarios.

My company has been using it for a long time; I have been using it only for a few months.

I have not had any support experience with CyberArk at this point in my journey. 

I found the CyberArk Impact event to be much more effective as an educational experience.

Positive

The time-to-value for CyberArk Privileged Access Manager was recognized pretty quickly after implementing it.

I hope to learn how the pricing works so that I can understand it better, but I am certain it is not inexpensive.

It is absolutely necessary to have a PAM tool like CyberArk Privileged Access Manager, even if someone is using other security tools.

Based on my experience thus far, I would recommend CyberArk Privileged Access Manager to other users.

I would rate CyberArk Privileged Access Manager as an eight out of ten. It is early in my journey with this solution.

We use CyberArk Privileged Access Manager for privileged access management (PAM) escalation, securing our website, and applications. Our cybersecurity team actively utilizes its features.

The PAM escalation is valued. The access control feature and privilege and role-based assignment are outstanding. Dividing the user admin for security protection is the best feature. Additionally, its remote access allows easy connection for my team, and it efficiently manages identity.

Initially, it was challenging to understand and use all the features incrementally. Having a better user journey with a support team to connect would improve the product and services.

I have been using CyberArk Privileged Access Manager for about eight months in our company.

The solution is quite stable. We have not faced any issues related to stability since using CyberArk Privileged Access Manager for eight months.

CyberArk Privileged Access Manager is scalable. As a startup, it initially handled fewer users, but it scaled well as we grew.

Technical support was fast in its replies and always supportive, helping to resolve any issues efficiently.

Neutral

We used miniOrange, an Indian-based cybersecurity product for access management and PAM escalation. We also used one more product, which I don't remember the name of.

The initial setup was straightforward due to well-documented resources and tutorials.

Our cybersecurity team, comprising two to three people, worked on the deployment and feature implementation.

The pricing is quite well-structured with monthly and weekly plans.

I evaluated miniOrange and one other product.

New users should watch the YouTube channel, read the documentation, check the resource section including CyberArk University, and see if it works well with their product. I rate the overall solution a nine. My overall product rating is 9 out of 10.

CyberArk's Privileged Access Management solution covers a whole range of features, like privileged web access, private vault, privileged session manager rights for a session in isolation, privileged threat analytics for analytics, and private sessions. We also use CyberArk's Application Access Manager, which includes their credential providers, such as agents and run servers. Then there is a central credential provider, which is API-based credential retrieval, and DAP or Conjur. This is more of a DevOps model for credential provisioning. We also have the Central Policy Manager, which rotates the credentials associated with unprivileged or servers accounts. It's a huge environment. 

Those are all the different functions we use. We initially purchased CyberArk for privileged access manager and session isolation of privileged users. By privileged users, I mean main admins, global admins, and preps like Azure or Office 365. Our initial use case was to manage those users who could drastically impact the environment if their credentials were compromised.

After we purchased the product, we had a third party on it. They suggested we also leverage CyberArk as part of the platform for managing service accounts, i.e. go out and proactively rotate credentials that are running or ordering services. That's another kind of big use case that we started implementing a couple of years. It's long work. It is tough to do, there's a lot of cases where it just doesn't work right, but overall it's been pretty valuable.

From a security perspective, CyberArk PAM gives us a lot of control and visibility into what our privileged users are doing. In terms of securing our cloud-native apps, we're just getting into deploying things to Azure, AWS, etc., and DAP brings a lot of value to that because it is cloud-agnostic credential retrieval. Azure has their key vaults, and AWS has their version if you are a multi-cloud solution. CyberArk's Secrets Manager, or DAP, brings a lot of value because you only have to learn how to integrate your apps with one solution that can be deployed across multiple clouds. 

I will say that CyberArk is struggling with some of the cloud integrations. For instance, Azure has a native identity solution, and Microsoft keeps causing issues with their ability to identify the hosts calling back. Some cloud providers are trying to lock CyberArk and other tools out of their environment and force you to use their native one. With that said, I don't use the other functions. I don't use the containerization Kubernetes integration or anything like that. We're not at that point yet. One of my significant concerns about investing a lot of time in CyberArk Conjur or DAP solution is that Microsoft seems to be trying to push them out of that space, and if they do that, then all of that work is null and void.

In our initial use case, we found CyberArk's privileged session management functionality to be incredibly flexible. It's challenging to write these plug-ins, but if you have somebody with a development background, you can write all sorts of custom connections to support different functional applications. We've written over a hundred custom connectors ourselves that allow us to do all types of privileged session management for various applications. On top of that, the rest of the API-based central credential providers allow us to get away from credentials that may be hard-coded in the script or some application. 

CyberArk's web console isn't in a great state. Over the last three years, if not more, it has been transitioning from what they call the "classic UI" to its modern interface. However, there are a lot of features that you can only use in the classic interface. Hence, each version seems to put more makeup on the modern interface, but all of the complex functionality you need is still in the classic UI. 

I'm not sure they've figured out how to transition, and they're kind of in a weird state. So, while CyberArk has made strides, the web interface is painful, particularly as an administrator, because you have to bounce between these different user interfaces. It is an incredibly complex solution that requires at least a dedicated employee or more to maintain it, support it, and understand it thoroughly. If you don't have that, it's just not the right solution for you because it is very complicated. 

Many of the infrastructure folks who use the product dislike it because it complicates their workflow. They get a little less control, and they have to go through a specific solution. It proactively logs in for them, which obfuscates some of the issues that they may be troubleshooting. And I think some of the consumers aren't big fans of the product. Also, I feel that in the last year or so, CyberArk has been pushing very hard for customers to go to their cloud solution. It doesn't have the same flexibility as the on-premise version, which is problematic because that's where I see a lot of value in the solution.

I've been using CyberArk PAM for about four years now.

CyberArk support isn't the worst, but it's certainly not the best. I'd give it a six out of 10. They were responsive. After you submit a ticket, you get the typical response. You gather all the logs and send them, and then they do some analysis. They typically send you back to get more specific logs, so it's a standard support experience. I would not say it's great, but it is not terrible either.

Overall, as a partner in our digital transformation, CyberArk has been great. The technology adds a lot of value, but they're also very much engaged and concerned. The customer success manager very much wants to make sure we're getting value out of the tool. I guess my only concern there is that they are pushing very heavily for customers to switch to their new cloud solutions that may or may not fit our needs or expectations. I am worried that they're going to push even harder. For example, CyberArk might start offering features only available in the cloud solution that would make our future somewhat tenuous depending on what's going on. So my only hangup is that they're pushing cloud solutions that I don't think are very mature yet.

Neutral

The environment's architecture is very complex, depending on your use cases, and I'm talking about CyberArk as a whole. Their past solution — their AM solution — and all of the other solutions bundled together are straightforward, and it all needs to work together. Depending on your use case and the connected components you need to have or build, you must learn a lot. So, it's not as simple a thing to deploy — at least on-premise. It isn't straightforward. Our environment comprises 20 to 30 servers that we had to spin up and connect. Disaster recovery has to be thoroughly vetted, discussed, and documented because as you onboard and manage those privileged accounts, you need a way to get to them if something goes wrong.

It took about a month to get the product running and several months to onboard users. And when we start talking about Application Access Manager, that's ongoing, and I think that'll probably be ongoing for a very long time. We were targeting our specific use cases, so we started with interactive users. The whole idea was to restrict, manage, and monitor those interactive users. Our rollout proceeded from the most privileged users to the less privileged users. Then we started targeting service accounts and that kind of stuff. So it was a phased approach from highest risk to lowest risk to lower risk.

CyberArk PAM requires a lot of maintenance. Right now, we have about one and a half people, but I would say we need to add several more people to do a better job and add a lot of functionality. It requires a lot of maintenance and monitoring. They've relied on many different Microsoft features to secure the privileged session manager. It requires a lot of tuning, monitoring, and managing those solutions. They use AppLocker to restrict and isolate these running sessions, and AppLocker breaks all the time, so you have to go in and troubleshoot why it's broken and tweak it. That could mean adding a new rule or updating an application. It is a lot of maintenance, depending on your use case. But then again, we have gone very hard into privileged session management and developed over a hundred custom connectors. Another customer might deploy RDP and call it a day, drastically reducing maintenance.

If you ask me the ROI, I'm not sure I could give you an exact number. Security tools are pretty tricky when it comes to that. But if you're adopting a risk-based approach, this substantially reduces risk. It brought a lot of visibility and allowed us to monitor all of our privileged users, so it is valuable from the perspective of KPI, modern solutions, and risk reduction. If we were to score this on an internal risk review, our previous risk would rank four out of five, and we've lowered this to a low severity risk.

CyberArk had just changed switched their licensing model to perpetual licenses when we purchased, including the whole PAM Suite. Before we bought it, they were licensing each function individually, which got complicated and very expensive. When we decided to buy it, it was much more straightforward and still quite expensive, but it brings a lot of value and risk reduction to the organization. 

In the last year or so, it's my understanding that they have switched from a perpetual licensing model to pushing companies to a subscription-based model. I have not dealt with this yet, so I'm not sure my feedback on licensing would be too valuable because they've moved away from the license type we purchased.

This was our first foray into the PAM space. We did a proof of concept evaluating three different solutions, so CyberArk was the clear winner. I don't want to speak ill of any other solutions, but I will say that CyberArk's architecture was much more secure. Other competing solutions may leverage an agent that is installed on your local machine and runs your privileged applications locally, leaving a lot to be desired from a security perspective. 

CyberArk uses remote desktop gateways similar to Microsoft's RDS functionality, and it abstracts that privileged application from your workstation. So even if you're compromised, a malicious actor on your laptop or workstation would not be able to get to that privileged application. This was very valuable to us. Other solutions did not have that functionality.

As it stands today, I would rate CyberArk PAM nine out of 10. However, I'm concerned about the future of the platform. While I've had nothing but great experiences so far, I have concerns about how they've been pushing that cloud solution in the last year and a half. I feel like they're going to pressure us to move to the cloud even though they're not mature enough in the cloud. 

Rather than create a cloud-native version, they've migrated their on-premise solution to the cloud, but they don't allow cloud customers to access the backend, which I recommend all the time as an on-premise user. Instead, you have to submit a support ticket and have their support do things on your behalf, which delays your ability to work with the tool. Furthermore, they may not be willing to make the modifications you want because it would affect their ability to impact the solution consistently. CyberArk designed the on-premise version to be incredibly flexible, and I have never found a use case where I can't do the work I want to do. Their cloud model discards a lot of that flexibility, which is where I see a lot of value, so I have concerns about the future of the tool.

Also, I'd like to point out that service account management is incredibly hard, particularly in a company that's been around for a while. Any company looking to adopt service account management needs to know that it's not as easy as vendors make it sound. Many things don't work right out of the box, so the most important lesson we've learned is to calibrate the expectations of senior management when it comes to service account management because it is a lot harder than anybody thinks. You're likely to break things in the process of trying to manage these accounts. 

Within our organization, our security requirements, which are set by our customers, require CIS compliance. Those requirements mandated securing privileged passwords with encryption, both in transit and at rest. CyberArk PAM was selected as our solution, and CyberArk's Professional Services team conducted the initial installation and implementation. 

Three years later, I was tasked with implementing the product more fully, integrating more of the out-of-the-box privileged password change management automation features of the product within our environment.  

The out-of-the-box functionality, Windows OS Privileged local account password change management, was the first automation feature implemented, and by itself, the automation reduced the man-hour requirement for quarterly local privileged password change management enough to provide a complete ROI on the initial licensing investment.

Continued implementation of more of the out-of-the-box PAM functionality continues to produce man-hour savings, which frees up our security operations group to have more time to monitor, investigate, and resolve potential security issues on the network.

Our implementation is air-gapped from the outside world, and as such, we utilize a completely on-prem solution. Our highest risk is from privileged insiders, and CyberArk's answer to this challenge was the implementation of a Privileged Session Manager (PSM). With PSM, we were able to secure, control, and more importantly, monitor privileged access to highly critical network servers by using PSM to manage accounts and create detailed session audits and video recordings of all IT administrator privileged sessions on our most critical servers. The established sessions on the target systems are fully isolated and the privileged account credentials are never exposed to the end-users or their client applications and devices.

CyberArk PAM is a very broad product as everyone's requirements for implementation are different. In our particular case, the initial implementation was planned and developed by people who didn't know our specific network requirements, so the initial implementation needed to be tweaked over time. While this is normal, at the time all these "major" changes required CyberArk professional services to come in-plant and "assist" with the changes.  

Over time, the CyberArk product team has made this process simpler and has enabled more local administrator configuration and update functionality, which doesn't require sub-contracts.

Our program has been using CyberArk since 2014, although it was not fully implementated until I took it over in 2017.  

The product is very stable, limited only by the Windows Operating System is it built upon.

This product seems to be scalable to any size. Providing vault cluster services, distributed vaults, and DR vault implementations, the product is truly ready for global implementation.

Tier One customer service is not as responsive or as knowledgeable as I would like, however, once your service request is sent to a Tier Two support engineer, the knowledge and experience level increases dramatically.

In addition, within the CyberArk support environment, Technical forums are available in which other customers are very willing to share their experience, and offer possible solutions to non-critical issues.

Positive

This was an initial implementation to meet the regulatory requirements of a federal customer.

In our specific case, the initial setup and configuration were very complex, which was a result of the initial design being developed by our internal engineers and CyberArk professional services, neither of which had the "tribal knowledge" of how the network functioned, or how the processes of network engineering and security had been implemented.

The initial implementation was a joint project with CyberArk Professional Services and our internal Systems Engineers. The Professional Services engineers were very knowledgeable regarding the implementation of their products.

Our program realized the total ROI after the implementation of policy-based automated password change management, which resulted in a significant reduction in man-hours required to conduct password change management (PCM) on a multitude of network elements. 

For licensing on a localized on-prem installation, the CorePAS licensing model enables the most critical component products within the PAM stack, enabling multiple layers of security which can take a while to implement.

At the time of the initial implementation (2013-2014), after looking at the field of available products, CyberArk PAM was significantly more mature than the other available products. For that reason, CyberArk PAM was selected.

The greatest issue that I experienced with the implementation of the CyberArk PAM solution was inter-departmental politics regarding change. To resolve this, I relied on the CyberArk Customer Success team to assist with developing a strategy to get all of the stakeholders to accept the changes. Every CyberArk administrator needs to spend time learning about their customer success team since their purpose is to assist with making sure you have the knowledge you need to make sure your implementation is successful.

An example of one of the ways CyberArk has benefited our company is one of the simplest. And this one is something that a lot of companies struggle with: domain administrators and server administrators. These are among the top accounts that most companies need to protect. As part of our deployment, we decided to go with these first when we deployed PSM.

What we found out was that there's always that friction with operational teams where they don't want to do this kind of work because it is another thing they have to do. But once the product was deployed and we were able to give them all the tools that they have today, and they did not have to go through attestations and audits anymore and, when team members were coming in and leaving, all they had to do was put in a ServiceNow request to complete all the work, it was just something so different for them that all that friction just went away. It was one of those simplest things, but one of the biggest things that you can do in your company to protect it.

I don't know if CyberArk really helps with meeting our availability requirements, but it definitely helps a lot with managing the accounts and managing the credentials. Availability? It helps to an extent. If there is an event of some sort, yes, you can always go back and look at the logs and you can figure out through recordings what happened. But it's more about manageability than availability.

In addition, when we started with RPA, there was a requirement that every credential and the bots themselves be protected through the PAM system. From the get-go, we've had CyberArk in the middle. We use standard products for RPA and all credentials are managed through CyberArk. All bots are protected via CyberArk, through PSM, and also through CCP calls. We've got a pretty robust RPA implementation with our PAM platform. Users, bots, the credentials — everything is managed via our PAM solution. From a cost perspective, this was something that was a requirement, so cost was never really an issue here.

The solution's ability to secure robots’ privileged access is pretty good. We've been able to secure our bots. In fact, we take care of our bots right from a development environment, using our development instances. So when our developers are building the scripts around those bots, they're already aware of what's going to happen when things finally go into production. Obviously, the level of security doesn't need to be the same, but we do it through the complete lifecycle.

PSM has been one of the most valuable features. We started on this journey a while back. Initially, when we did not have PSM, we started with AIM and that was our first use case. But an audit came along and we had to go towards something a little bit better and we had to migrate more applications. PSM came along and did exactly what we needed it to do. To take care of all the deficiencies that we had, PSM was the right thing to do.

We work with CyberArk's customer success team and we work with its engineering team back in Israel. We've been doing things on CyberArk which a lot of its customers, we know, have not been doing.

The one place where we found that this product really needs to improve is the cloud. Simple integrations don't exist, even today. We don't have anything specific on CyberArk for managing SaaS products, SaaS vendors, and SaaS credentials. I understand it's a vendor-based thing and that they have to coordinate with the other vendors to be able to do that, and there are integrations coming, but these are the major places where CyberArk definitely needs to invest some more time. Because this is what the future is. You're not going to have a lot of on-prem applications. Most stuff is going to the cloud.

Not every product is 100 percent stable. CyberArk does have some issues once in a while. But the core product, the vault system, has been extremely stable. We haven't had a single problem since we got this thing deployed, and it's been more than six years now. We've not had a single problem with the vault. 

Related to the software, there are other things that can cause problems. You could have clusters going down or you could have issues with hardware, but the product itself has been very stable. 

There are the usual quirks you have sometimes with PSM, but it's been a very stable product for what we need it to be.

In terms of the product's ability to manage all our access requirements at scale, about 80 percent of it can be managed. There is no product in the market which can say, "We can do 100 percent, we can do everything." Or, they say that they can, but when it comes to it, it doesn't really happen. But with CyberArk, we've had the benefit of it being a little scalable, plus very easy to configure for the different use cases we have. So we can cover around 80 percent. But then we have to put some compensating controls around the other 20 percent.

It has scaled for our use cases. We built it according to the very large specification and it has scaled. It has done exactly what we need it to do. We've not yet had a performance issue to date.

We've had good relationships with their technical department. My team usually does more engineering. We work with CyberArk's customer success team more often than the regular technical support. My operations team usually deals more with tech support.

When it has really come down to major issues, if we've ever had a Sev 1, they've been on point. They have picked up the phone, they've called us and they've helped us.

We did not use a different product. We had an in-built vaulting system for managing our own credentials. We've been a CyberArk customer for a while. We had the document vault. Privileged Access had just come out and CyberArk was one of the easiest choices we could make at that time. That's how we decided to go with it.

The initial setup was not straightforward. The very first setup that we did was specifically for AIM, which was obviously simpler. We had an in-built vault which we replaced with the AIM setup. 

Our PSM setup was very complex. We had about 450 applications that we had to onboard over a period of one year, and we had to remove close to 16,000 accounts. It was a very complicated setup. We built close to 35 different connection components to get this product in.

The total cost of ownership, over credentials, is definitely something that goes down if you have a vaulting system. But if you have deployed it correctly, that's the only time you can get that. We've definitely seen some improvements. There are additional costs associated with getting every application onboarded, but in the long run, it keeps the company secure and I don't think you can put a price on that.

We use the solution with AWS. In fact, we set up a custom setup for AWS. We worked with the CyberArk engineering team to get it working, to come up with a custom solution to integrate our AWS EC2 instances. There were some limitations, as I mentioned earlier, with how the product integrates with AWS, so we had to make some major changes to how the integration works. As far as monitoring is concerned, it's standard CyberArk monitoring. We don't see anything specific to AWS, as far as the monitoring is concerned. This is the one place where CyberArk can improve.

Privileged access management is one part of IM. Anything that goes through has to get approved through the IM team, and our product of choice for privilege access is CyberArk. When we decided to go to the cloud, this was the natural choice because this was the product that the enterprise uses. We've had challenges. We've had to customize the product to meet our requirements. It might not be the same for every customer because our requirements are a little unique. But it eventually worked out. We've been able to meet most of our use cases.

CyberArk is an eight out of 10. It can do a lot. But there is definitely scope for improvement.

I come from the IM world, but I was more into access management. CyberArk was just one of those products which was thrust on me. Now I'm head of privileged access management, so CyberArk has been pretty good for me, going from the access management space to privileged access management. It's definitely had an impact on my career.