CyberArk Privileged Access Manager Reviews

We mainly use it to protect servers from inappropriate access and ransomware.

We started with on-prem solutions years ago. Our most recent implementations were done in data centers and the cloud. However, we are not in the cloud for CyberArk.

It is a really valuable tool. From the very beginning of my career in cybersecurity, I found that CyberArk is one of the best solutions that I could recommend to our customers. While it is usually seen as an access and identity management solution, it is a cybersecurity and cyber defense tool from my colleague's and my point of view.

It is a single tool that isolates possible kinds of malware. You get lateral movement blocking and auditing information, e.g., you know who is doing what. You are getting protections from the service as well as a useful environment. All your admins can easily go in and out of your company while accessing your servers in a secure way, even if they are working abroad.

One of the best points is that it gives you full control for all the use cases in your infrastructure, in terms of servers, applications, social networks, batch processes, etc. 

It gives you the ability to know what is happening, who is executing everything, and recover that information over time. Everything is recorded there. This is useful, not only for auditing proposes, but for admins and users. This also helps with troubleshooting. For instance, an application or system starts failing at 4:30 in the morning on a Sunday. Usually, the first questions that you ask yourself is, "What changed at 4:30? What has happened? Who was touching that server?" WIth CyberArk, you have the ability to search for that information and find it in minutes. It is really useful for troubleshooting.

The PPA from CyberArk provides a lot of information about access and allows for possible detection of fraudulent use or different tries of accessing, even for family Internet users. Thus, it gives you another source of information regarding risk.

We are using Secrets Manager with some of our customers. We are using it mainly for containers and DevOps. This secure access is really important, and becoming more important every day. We are constantly moving customers to the cloud. Every day, containers are more important for our customers as they extend into microservices, etc. 

The possibility to integrate with the DevOps cycle is vital right now. Sometimes, containers are deployed while some clients have them very protected. They have a lot of things with Panorama, Microsoft, etc. That is a risk because you are deploying things quickly, along with errors and other things that you are developing. So, having to use hard-coded passwords here would be a big mistake. 

Secrets Manager accelerates a lot of the possibilities and simplifies the process, since development teams just need to use credentials. When they arrive on a project, there are new people or resources in their development teams. Thanks to CyberArk, they just need to manage their identities to have access to everything. They don't need to receive credentials nor search for them. They have everything the day that they start working.

We find it easy to use CyberArk PAM to implement least privilege entitlements. We usually do some interviews at the very beginning with different teams to understand their real needs. We define saves and different AV groups for the kind of users that we are going to prepare. Then, the process to assign permissions to different groups is really easy and straightforward. If you want to change or reduce access, that can be easily changed at any moment.

I have been using it for more than 10 years.

In the last year, it has been a very stable platform.

Scalability is fantastic. It has been really easy to scale. In fact, most of our customers who start, or have doubts about how to start, we propose to them, "Well, if you are not sure or don't have the budget right now, you can start with a small deployment, then we will grow." It easily grows and you can add components. 

Other customers have started with a small CPD deployment, then replicated. We put high availability on another CPD. It is really good for public clouds.

We have some customer environments that are over 10,000 servers as well as some environments with more than 50,000 managed identities.

I would rate their technical support as eight out of 10. They are usually really good and quick about answering any questions that you raise. However, they are sometimes not flexible with things. For instance, from one day to another, there might be something that had been done years ago by CyberArk, then they say, "We do not support that." You then have to initiate a complaint and start working with them. Things might become complicated and months pass while you are working with them. Usually, they are good and fast, but sometimes they seem to be blocked with problems, e.g., you will suddenly be working with another team instead of the team that you were working with the day before.

Positive

I have been working with CyberArk and with the CyberArk teams for years. They have been able to adapt the solutions that they have developed or bought. They have grown a lot with the acquisition of different companies. They have been able to adapt them, make them valuable, and helpful.

The initial setup is straightforward because we have a lot of experience with it. While there are a lot of components, I don't find it difficult.

A deployment can typically be done in less than a week, but it does depend on the environment.

We have developed our own methodology for the implementation and deployment of CyberArk. We put the final users at the center of their strategy. One of the things that we have found that fails when deploying a PAM solution is that everyone focuses on the tool. CyberArk works and we know the tool is there, so we just focus on how the different groups are working with their servers, applications, etc. We focus on adapting the deployment in a way that does not disrupt their jobs. We try to be non-disruptive and not change the way users work.

We adapt the solution to already existing workflow processes, tools, accesses, etc. This is one of the best parts of CyberArk. It provides a lot of flexibility to adapt.

The main problem for the tool is its licensing. I work for a really big company. When you try to develop this as a service, usually you work with leverage teams who are formed with dozens of members. You might dedicate one FTE, or less, for something, e.g., an antivirus administrator. You might have half an FTE's effort dedicated to administering the antivirus, but then you have a team of about 30 users who might access that ticket. The problem is that CyberArk eliminated the possibility of concurrent users years ago. This is a big problem for companies who work with leverage teams.

You need to pay for everyone. 40 licenses are used by 20 or 30 people. This is a big problem because licenses are not precisely cheap.

It provides the broadest point of view for privileged access management solutions in the market. We have tested several other proposals and tools for our customers and ourselves. There is a huge difference with using CyberArk.

We evaluated CA PAM and another solution. The main difference is that they cover just a part of the solution. They promise the solution will be very simple to deploy because they only have a simple appliance. However, they are actually really difficult to deploy for an entire project as well as give you value. We have experienced a lot of support and integration problems. You need to do a lot of things by yourself. Whereas, in CyberArk, you have plenty of plugins and developed material in the marketplace. 

This is the big difference at the moment. When you are deploying, it seems like a very simple project, and the other solutions will tell you, "Well, it's just an appliance," and then it becomes a nightmare. Whereas, CyberArk does what it does. You need to deploy several servers, but it works.

From time to time, people in the market are like, "Wow, it was born as a cloud-native solution." Sometimes, this is real and means something, but usually it is mostly a marketing thing. Why would we ignore all a solution's previous experience just for something born in the cloud? Most of the IT solutions that we use in the cybersecurity market are not born in the cloud. For instance, if you go with Securonix or Sentinel, there is a huge difference in the way they were conceived and the way they were born. Just because something is cloud-native or new doesn't mean that it is good. I wouldn't go for something that is cloud-native, just because it is.

I would rate CyberArk as nine out of 10. I won't give the 10 because I have my problems with the licensing. However, the solution is completely recommendable and a must-have in every environment.

I work in the cybersecurity team. We typically provide access to other end users or IT administrators through this solution. We monitor their activity on servers, provision access, and review all logs.

By implementing this solution, we wanted identity management and access management.

Over these three years, there have been a lot of improvements. User management is more efficient. The interface is user-friendly, and I can create comprehensive reports.

Session recordings and timestamps are valuable features. They allow me to specifically select the time a particular command was executed, so I do not have to review the entire recording. I can click on events to determine where and when they happened. 

We are looking for improvements in user provisioning, such as access provisioning and revoking access. We still have to test these improvements in the latest version. 

Updates have been somewhat difficult, resulting in challenges when moving from one version to another. The current version includes automatic updates for minor patches, which should be easy.

I have been using the solution for more than three years.

It has been stable so far, so I would rate it a nine out of ten.

Its scalability is very good. It is in the cloud, so we can just expand it. I would rate it a nine out of ten for scalability.

We haven't used customer support so far apart from implementation.

Neutral

I have not used any PAM solutions apart from this one.

Its implementation was very complex. It needs different servers and setup parameters involving load balancers, certification, encryption keys. The implementation took more than a month.

It requires maintenance once in six months and has been hard previously.

It was implemented by inhouse staff with oversight from vendor.

When it comes to compliance and audits the ROI on this is very good.

Licensing is little hard as they are perpetual and can't be used from a pool of resources.

I would recommend implementing CyberArk Privileged Access Manager as it is the best so far.

I would rate CyberArk Privileged Access Manager an eight out of ten.

I use the solution mainly for credential tasks. For instance, if the company I work for has recent data stored in a privileged report and needs security from cyber attackers, CyberArk Privileged Access Manager is used. The solution helps provide access only to authorized users and rotate passwords every sixty or ninety days. CyberArk Privileged Access Manager also allows the configuration of the password either manually or automatically. 

In our organization, Privileged Session Managers (PSM) assist in recording sessions of a particular server using the solution. The product allows users to utilize different permissions, such as end-user, auditor, and administrator permissions. For CyberArk Privileged Access Manager, administrators have the major access to implement tasks like creating, changing, rotating the password and adding new users. 

The most valuable feature of this tool is the password rotation feature. Another vital feature of the solution is the Safe feature, which acts as a container. Only accounts included within the Safe can access a particular server. 

The solution allows the distinguished use of PSM and PSMP for a Windows and Linux server, respectively. The tool makes all session recordings compulsory and cannot be tampered with. It also eliminates hard-coded credentials and supports demand-based applications.  

CyberArk is very popular and provides a lot of features compared to competitors' PAM tools, which is why many customers are migrating to CyberArk's Privileged Access Manager. 

The solution should be able to completely mitigate internal threats. For instance, if an employee of a company saves the CyberArk passwords in a system, then another employee might be able to use it and log in, so there remains an internal threat when using the solution.  

The feature of giving user access through a Safe should be modified. The solution should allow users access directly through an account, and the Safe concept needs to be improved. 

I have been using CyberArk Privileged Access Manager for the past two years. 

In my organization, about ninety to one hundred people are using CyberArk Privileged Access Manager. 

It's easy to setup and install CyberArk Privileged Access Manager. Multiple components need to be installed for the solution. Often, the PVWA, PSM, and CPM need to be installed. If an organization has a Linux account, then PSMP needs to be installed for using the solution. While installing the solution, the Vaults need to be defined, if it's a standalone Vault or a cluster Vault. A cluster Vault is mostly implemented for disaster recovery to replicate data when something happens to the main Vault. 

CyberArk Privileged Access Manager comes at a high cost. But the solution is worth its price. 

I would recommend the solution to others depending on their goals. If the aim is to protect an organization's data and use PAM, then one should use CyberArk Privileged Access Manager. If the goals include detecting malicious activity, onboarding privileged accounts, and maintaining data accounts, then an organization should adopt the solution.   

I have used the solution's session monitoring capabilities to monitor user activities. The solution's session monitoring feature can be useful for monitoring a user while the person logs in or performs other molecular activities.  

CyberArk Privileged Access Manager is difficult and time-consuming to learn in comparison to other IAM tools. There are multiple components, like the vault, that need to be understood before using the solution. But basic administrator tasks like onboarding accounts and rotating passwords will be easy for a beginner user of CyberArk Privileged Access Manager. A beginner-level user of the solution may face challenges with secret rotating, management and AIM handling.  

I would rate CyberArk Privileged Access Manager an eight out of ten. 

We use CyberArk to manage our privileged accounts, our passwords for our critical infrastructure. We have a lot of root administrator level accounts and other application and node accounts that are critical to our business. We use CyberArk to keep those rotated, keep them secure, in an encrypted environment giving us a lot more control and auditing capability.

We are not planning to utilize CyberArk to secure infrastructure for applications running in the cloud because, in our particular business, we like to keep things in-house. Although we have a very small use case scenario where we have one application published to a cloud service, for the vast majority of our infrastructure, we keep it in-house and manage it ourselves.

In terms of utilizing CyberArk's secure application credentials or endpoints, I'd have to think through what CyberArk means by "endpoints," exactly. We do some application management right now. We're mostly doing more server-router, switch, node. And we have some custom vendor nodes that are not your normal off-the-shelf things, that we're trying to get under management right now. As we move along and become more secure, we'll probably do more and more of the application management like that.

It has given us a common environment where all of our critical infrastructure credentials can be stored. From the pure usability and administrative perspective, I can't imagine doing what we do without it. And we're a fairly small business. We don't have 10,000 servers or 5,000 systems to manage. Still, the smaller the business, the smaller the company, the smaller the number of support people you have. So we still end up with a lot of people having to do a lot of work. 

I would say the security, having all the credentials in one place, having a two-factor login to the system available to us, which we use, and then that administrative aspect of it, being able to lighten our administrative load, so once we hand over certain things to CyberArk, that administrative work is done by CyberArk and not by us anymore. It enables us to get a lot more done with a smaller crew.

The first thing that pops into my head is, when you're dealing with some old-school people who have been around our business for many, many decades, who are accustomed to writing down passwords on pieces of paper on their desk, getting those people off of the desktop and into an encrypted environment, that alone, is an enormous improvement.

We literally had people, just a few years ago, who would have pieces of paper written with everything - address, username, password - sitting in plain sight on their desktop that the janitor at night could come in and see laying on their desk. Just within the last few years, I've even seen higher-level people who have the little sticky note out on their desktops, on top of their screen, with credentials. It's all electronic but, still, you get to their desktop or you look over their shoulder and you see everything.

Going from that to having an encrypted environment, that alone was a huge improvement. Working with a lot of people who have been around the business for a long time, who have more of an old-school mentality, getting those credentials moved into a more secure environment and getting them rotated automatically, that's a huge improvement by itself.

The basic features are, themselves, highly useful. I was just saying to some CyberArk people that I came to understand fairly early on that CyberArk is not just an IT security or cybersecurity tool. It's also an administrator tool.

I had a fair number of systems where the passwords were not fully managed by CyberArk yet, and they were expiring every 30 or 45 days. I was able to get management turned on for those accounts. From an administrator perspective, I didn't have to go back into those systems and manually change those passwords anymore. CyberArk was taking that administrator task away from me and handling it, so it lightened the load on our administrative work.

It is a good security tool, but it's also a great administrator tool in that respect.

Things that they were speaking about, here at the Impact 2018 conference, are things that we've already been looking it. They have been on our radar, things like OPM. We're beginning to use PSMP a little bit ourselves. We already have that implemented, but we haven't been using it a lot. The number one thing might be OPM, that we're looking at, that we think might help us in our business, but we haven't implemented them yet.

There are so many options that are currently available, and there are already efforts, projects within CyberArk, that they're working on right now, that I haven't really had time to think beyond what they're already offering. There are so many things that they have that we're not using yet, that we haven't licensed yet. There is a lot of stuff out there that we could take on that we haven't yet for various reasons, including budgeting.

It's always the need to do a cost-benefit and then doing a business case to management and convincing them that it's something that would be good for us and that it's worth spending the money on.

Right now, it's just trying to implement what's out there and use some of those tools that would give us the most bang for the buck.

Stability is very, very good. We did have a minor incident. It could have been a major incident. The customer support people were spot on in getting us back in order pretty quickly. I think it's a little bug in the version that we're at. That's one of the reasons we need to upgrade right now. We're just trying to decide which version we want to upgrade to before we pull the trigger.

Beyond that, as far as stability and reliability, there really haven't been any major issues. We've had one little incident. We got it mitigated within a very short amount of time thanks to, on that day, really good, quick tech support from CyberArk. And beyond that, it's been a very stable and reliable system. There hasn't been any other downtime that I can point to and say it was CyberArk's fault.

I painted myself into the corner a couple of times, and had to jump through some hoops to get myself back out; those were my fault, a lack of experience.

For the most part, over the two and a half years we've used it, we've just had that one little incident that caused us a little bit of concern. Like I said, it was mitigated very quickly and didn't cause a huge storm within the company and didn't have a huge impact that particular day, fortunately.

We haven't scaled it up much since we took it on. From everything I've seen, I think scalability should be excellent. You can spin up as many component servers as you need to get the job done. Obviously, at some point, licensing is going to come into that. I don't see how scalability would be any kind of problem for anyone. I think you can make it as big or as little as you need it to be.

This is coming from a person who spent two-and-a-half years in customer support, so I do have a certain amount of empathy towards customer support people and the challenges they deal with. It depends on who you get on the other end of the phone. When you call in, you may get the young lady that I got the day we had that major issue. She very quickly found exactly what we needed to do and told us how to do it, and we got the problem settled.

I've had other situations on much more minor issues, like how to configure this or how to make that work and I haven't had as good an experience on all of those. Sometimes I do, sometimes I don't. I think it depends more on who you get rather than on the company in general. Some support reps are always going to be better than others.

I've only had a very small number of experiences with them. When I have an issue like that, I don't just open up a ticket and then leave it alone until they get back with me. I usually go back and continue to dig for a solution. About half the time, I find my own solution anyway. But I don't think it was commonly the case that they were not attempting to get back with me.

Sometimes they didn't always offer, for the less critical issues perhaps, a quick, easy, how-to-implement it solution. This is probably a common thing, but they do ask for a lot of log files, a lot of information. They ask you to provide a lot of information to them before they're willing to give you anything at all upfront. It would be nice if they did a little bit of more give and take upfront of, "Well, why don't you try one or two or three of these common sense things, the first things that pop up on the radar on this type of issue, and see if any of them help? And we'll take the information that you gather and we'll go in the meantime." 

Instead of throwing it all in your lap to go and collect a whole huge collection of data to bring them before they give you anything, perhaps it would be better if they were a little more give-and-take upfront of, "Why don't you try these couple of things while we take your log files and stuff and go research them?" A little bit of that might be more helpful.

We were using KeePass before we got CyberArk, and I can't imagine trying to manage the number of accounts and credentials we have today, and the number of systems, with something like KeePass. It would be a nightmare.

We switched because of the scale of where we were going. All of our infrastructure passwords, prior to three-and-a-half years ago, were decentralized. The people who worked on a particular system managed the passwords for that system in their own particular way. There was no across-the-board system. There was no standard regarding these having to be encrypted versus those. Everybody came up with their own way of handling that. We tried to implement some standards during the years leading up, but they were not mandatory. So people ended up just doing what they wanted to do.

Now, with CyberArk, there is a mandate from upper management that we all use this tool. All the credentials go into it and they are all encrypted. Eventually, everything, 100 percent or as near 100 percent as we can get it, will be under full management.

In terms of criteria for selecting a vendor, from my perspective, I like to be able to find someone who can speak to me on a somewhat technical level and help me work through technical issues. But I also want them to give me a vision of things, the roadmap or other products and other things that are available, without getting too much of a marketing pitchor sales pitch. I don't mind a little bit of that. I know that's important. But at the same time, I don't just want a slick sales presentation. I want to know the technical end of how does this really work? I want to be able to have some vision as to how we might implement that. Not just what it can do for us, but how would we actually go through the machinery, go through the work, to make it work for us.

It's always good to have a vendor that can provide resources, that can speak to someone like me on a technical level, and that can help me work through issues, whether it's lack of experience or just lack of knowledge in a certain area; a vendor that can help me work through some of those situations and get me to where I need to be.

I went through the proof of concept and then I also went through the initial install of our infrastructure. For our company, I've probably done 80 to 90 percent of the work in CyberArk myself.

The implementation was fairly straightforward. We had a really good implementation engineer. He did a really good job. Of course, every individual brings his own kind of approach to things. They give you insight and then you run into someone else that gives you a little different perspective. It surprised me how straightforward some of the setup is. I've experienced some things since then that lead me to think it is something that CyberArk is constantly improving on: How to implement new installs or upgrades and make them better and easier.

For instance, there was one system that, when we first installed in 2016, we were told upfront that this was not an easy system to spin up and get working. We had made an attempt at it and failed. A year later, I installed it by myself from the documentation and it went as smoothly as could be, no problems. They had improved it over that year to the point where just about anybody could do it.

The team that I'm on, we weren't leading up the investigative part. Our security group did that. They're the ones who brought CyberArk to us and said, "This is the one we're going to go with." There was actually another entity within our corporate parent company that had already been using it for about nine months before we did. We adopted it from there. Since then, another entity has adopted it as well.

One big piece of advice I would give is: Don't ignore user acceptance. If you want people to use CyberArk, you have to pay attention to user acceptance. If your users hate it, then your entire experience is going to be an uphill battle, when you're trying to get people to actually use the tool. It doesn't matter how good the tool is, it doesn't matter how well it does password management. It doesn't matter how well it does all these other things. If your users hate it, you're going to have an uphill struggle with the people that you need to be on your side. You've got to get user acceptance right.

Now, you can't completely sacrifice all those other things just for user acceptance, I'm not saying that. But you have got to keep user acceptance up there, alongside everything else. It's got to be a hand-in-hand thing as you go along, so don't ignore user acceptance. Spend some time doing it.

I tend to shy away from giving anybody a 10 out of 10. I would rate it at about eight out of 10, a pretty high rating. Anything could be improved, and certainly, CyberArk is not immune to that. But I think it's a good tool.

We use CyberArk to secure the last resort accounts by introducing dual control approval, ticket validation, temporary access, and regular password rotation.

It also allows us to introduce location-aware access controls with multiple sites having access to specific location-protected content.

Finally, the session management capabilities allowed us to introduce delegated accounts to secure access to all sorts of devices in an easy way, but without losing the individual traceability. 

It allows us to comply with the regulator requirements allowing us to operate in the different countries and to fulfil the security and compliance requirements.

In the end, it secures all the highly privileged accounts and protects the company from internal and external threat actors.

The solution is multifaceted and includes session management, password management, temporary access, ticketing validation, API access, single sign-on integration, load balancing, and high availability principles.

The credentials management capability is key to ensuring that the credentials are kept secure and that access to them is done on a temporary and event-driven basis.

The session isolation reduces the risk of exposure of the credentials and applying simpler network controls.

Web access allows the introduction of location-aware controlled access so that different locations can only access the data that is allowed to be retrieved from their sites allowing centralisation but fulfilling the regional requirements.

The product is very vaulting-focused. I'd love to see it expanding its capabilities a bit further into areas like just-in-time elevation, and access with non-vaulted credentials.

The upgrade options are good but could be further simplified.

The high availability options could be improved, and the load distribution as well for both the vaults and the credentials managers.

The web interface should allow having multiple sites for location-aware access control within the same web server.

I've used the solution for more than ten years.

We use it to control privileged access within the environment, including domain admins and server admins.

We're using the CyberArk Privilege Cloud version, which is the PaaS.

It provides a one-stop shop for the majority of our administrators to get the privileged access they need. It has enabled us to reduce risk as well, and that is the largest benefit that we've encountered through the solution. We've reduced the number of admins in our environment significantly.

It provides an automated and unified approach for securing access across environments, including hybrid, multi-cloud, RPA, and DevOps, as well as for SaaS applications. For what we're using it for, it's doing all of that seamlessly in one place. It helps us to quickly adapt and secure modern technology, and that's another reason we chose CyberArk. They already had integrations with solutions that we were either moving toward or that we already had. We weren't going to have to do them as customizations.

The ability, with Secrets Manager, to secure secrets and credentials for mission-critical applications means people don't have to go searching for them. They know where they are—they're in CyberArk—so they don't have to go to a separate place. They have one identity to manage, which is their single sign-on identity. From there, they can go into CyberArk to get the access they need. That's an area that has been very helpful. And from a risk perspective, the multifactor authentication to get to those accounts has also been awesome. That helps us to be in compliance, as well as secure.

The Privileged Session Manager has been the most useful feature because we're able to pull back information on how an account is used and a session is run. We're also able to pull training sessions and do reviews of what types of access have been used.

We also use CyberArk’s Secrets Manager. Because AWS is the biggest area for us, we have accounts in AWS that are being rotated by CyberArk. We also have a manual process for the most sensitive of our AWS accounts, like root accounts. We've used Secrets Manager on those and that has resulted in a significant risk reduction, as well. There's a lot to it, but from a high level, we've been able to get some things under control that would have been difficult otherwise.

For DevOps, we've integrated some automation with CyberArk to be able to onboard those systems. There are some native tools like the CFTs that we're using with CyberArk to get CyberArk deployed automatically to them.

It also gives us a single pane of glass to manage and secure identities across multiple environments; a single view with all of the accounts. It's super important for us to be able to see all of that in one place and have that one-stop shop with access to different environments. We have lots of domains because a lot of acquisitions have happened. It's important for us to be able to manage all of those environments with one solution and we do have that capability with CyberArk.

I've been using CyberArk Privileged Access Manager at this company for two years, and all together for the past six years.

The stability is great. We haven't had problems with it.

The scalability is very good. I'm surprised they keep as many logs and video recordings as they do on their side. But scalability hasn't been a problem. If we wanted to scale up, we could certainly do so. All we would have to do is add more servers on our side, with our PSMs (Privileged Session Managers). The way the solution is built out, you can expand it elastically pretty easily.

We have around 400 users right now who are mostly in IT. There are developers, database administrators, as well as our Active Directory enterprise teams, and some of our cloud implementation and infrastructure teams. We have some in incident response people, from information security, who use it as well.

We're looking to expand it in the coming year. We've already started that expansion. It's the developers we're targeting next and there are a lot of them. We're looking at a couple of hundred more users within a year.

If there is an area that has room for improvement, it's probably working with their support and getting people on the phone. That is hard to do with most products in general, but that seems to be the difficult area. The product is fantastic, but sometimes we want somebody on the phone. I would rate their support at eight out of 10, whereas the rest of the solution is a nine or 10.

From a technical support perspective, they've been really good. There has just been a little bit of trouble with the database stuff, but that's because ours is a very aggressive deployment. Sometimes, when working with support, they aren't as aggressive as we are.

Positive

I've used Thycotic and Hitachi HiPAM, and we've used some custom in-house build solutions.

The reason we switched is that Thycotic opened up the door to that possibility when we talked about pricing. The price came out to be something similar to what we were spending. We were basically going to have to redeploy the whole Thycotic solution to get what we needed, and that opened it up for us to evaluate the landscape.

There were some complexities about the setup, but deploying a solution like this is going to be complex, no matter what solution you go with. CyberArk did an excellent job of making sure that we had everything we needed. They had checklists and the prerequisites we had to do before we got to the next steps. Although it was complex, they were complex "knowns," and we were able to get everything organized fairly easily.

Our initial deployment took about two weeks.

We broke the deployment into four phases. The first phase was called Rapid Risk Reduction, and with that we were getting our domain admins under control, where we went with domain admin, server admin, and link admin. A part of that was the server administrators and Linux administrators. All of that was part of a very short-term goal that we had. 

Phase two was called risk reduction, where we were focused on Microsoft SQL, the database administrators, and Oracle Database administrators. It also included bringing in some infrastructure support as well. 

Phase three was enterprise-grade security, and with that we've been pushing the network tools and AWS admins, along with some other controls. 

And our last phase, which we've just recently started on, is one where we are going to be pushing hard to get developers onboarded into CyberArk. There are a whole lot of little details that go along with all of that. The initial auto onboarding happened in phase three, but we also have auto onboarding that we're looking to roll out across a larger group.

We implement least privilege entitlements as well. We started out from a high level of not going the least privilege route and, rather, we locked things down in a way that they were managed, at least. Then we started knocking down the least privileged path. You have to start somewhere, and least privilege is not going to be the first option, out of the gate. You're going to have to take stepping stones to the best practices. And that's what we've done. We took this large amount of high-risk access and brought it into CyberArk and then pulled access away over time and have been making things more granular, when it comes to access to the systems. The access within the systems, within CyberArk, is absolutely granular and we have been very granular with that from the beginning.

For maintenance of it we need about one and a half people. My team supports it and, while one full-time person is probably enough to support the solution, my team is split up. The general operations of CyberArk are what take up the most time. The actual running of the solution, from an engineering perspective, is very lightweight; it's hardly anything.

We did not use a third party for the deployment.

We started doing some comparisons of different tools and that's why we ended up switching to CyberArk, after discussions with both Thycotic and CyberArk. When looking at the capabilities, we ended up moving towards CyberArk. We felt it was a more mature solution and that some of the connectivity and reporting was done in a way that we would prefer, for a company of our size.

Thycotic is a good tool. A lot of IT people already understand the structure of how it runs. The upgradability is nice as well. You can just click an "upgrade" button and it upgrades the solution for you. The cons of Thycotic include the way that the recorded sessions are done. In addition, proxy server connections were not available. Maybe they are now, but at the time we were building out custom connectors and we had to go through a third party to get those developed. It was very bad and every step of the way was like pulling teeth. That really soured our relationship with them a bit because we couldn't seem to execute with that solution. When we started talking with them about what we needed it to do to make things easier, they ended up recommending a full redeploy. That's not ideal under any circumstances for anyone. That's why we took a step back and evaluated other solutions.

With CyberArk, some of the pros were that their sales team and engineers were very quick to come in and help us understand exactly what we needed. The deployment timeframe was  also much shorter. We didn't have to work through a third party, as we would have had to with Thycotic. And the type of relationship we've had with CyberArk is one that I wish we had with other vendors we use. They've been phenomenal working with us.

CyberArk's abilities are amazing. We're just starting to hit some limits, but we're able to get through the majority of them. Some of the database stuff is a little bit more involved. The other things, like cloud and all of the Linux and Windows, have not been a problem at all. It's not that the database stuff is a problem, but it's just more complex.

If you want to talk about CyberArk providing an automated and unified approach for securing access for all types of identity, "all types" is a strong claim. I wouldn't ascribe "all types" of identities to anything. But for everything that we're doing with it, it has been a great tool and it's doing that for us.

We use the product to store system accounts. 

CyberArk is a good and adaptive solution. It is easy to adopt and install. It is easy for every use case. 

The challenge with the product is pricing since it's expensive. It also needs to improve the customization. We encountered some stability issues as well. 

I have been working with the product for more than 10 years. 

I would rate the solution's stability a seven out of ten. 

My company has more than 20,000 users for the product. I would rate the product's stability an eight out of ten. 

We have a direct connection with the CyberArk leadership. However, the tool's support is not user-friendly. They will charge you for premium support and push you towards it. 

Neutral

I have used BeyondTrust before. 

The solution's setup is easy. There were some challenges while managing from environment to environment. We experienced some glitches during the installation process. 

The product's licensing is yearly. I would rate the solution's pricing a six out of ten. 

I would rate the product an eight out of ten. We only have the licensing contract with the product and everything else is managed in-house with a team size of four members. 

I'm an integrator and we identify and provide performance discovery, and we select the best product for our clients.

We have users that are administrators in the environment, and we convert them into a shared account model. Many of the organizations have two accounts. One is a regular user account and the other gives them administrative rights.

CyberArk allows for a higher degree of segregation of duties, although CyberArk itself doesn't do that. You have to have knowledge of role-based access control and least privilege principles. It supports it, but you have to implement it.

There is also service recording, service accounts on Windows Systems, and Linux systems, to rotate their passwords.

You will find service accounts with passwords that are 5,000 to 8,000 days old, but not with CyberArk. It creates a very strong service to prevent attacks. 

When passwords don't change it makes them very vulnerable and allows attackers significant lateral mobility within an organization. It gives them the necessary time to scout the environment and choose what their attack will be, whether it's going to be a ransomware attack or a data exfiltration attack or if it's going to go in to cause defamation to the company like creating a denial of service to clients. Also, hacking their Facebook page or their Twitter page are common attacks.

CyberArk probably has probably the best vault on the market because of the multiple layered security and each password getting its own encryption. Each password gets individual encryption. By the time you are able to crack one of the passwords, it's already been changed a dozen times.

The attack surface on a CyberArk Vault is very nominal and in addition, CyberArk also has its own on-staff hackers where companies actually hire them to perform penetration testing, but within, inside the environment.

CyberArk has two disadvantages; the first is that it's insanely expensive and the other is it's very complex. 

That's the downside because CyberArk was not built organically. It was built systematically.

They're not built into the product. You have to shoehorn things in. You have to create programmatic interfaces to make things work, but that's why I said it's the most complex product.

CyberArk is still in the model of managing accounts and passwords. When you're logged in as a domain admin, you're leaving footprints everywhere you go. These footprints can be picked up and replicated. So, I think CyberArk is behind the curve in that area.

Customers are already having an issue with the cost of CyberArk and then you have to add another $100,000.00 to the bill for other application accounts.

I would like to see a more streamlined and built-in programmatic onboarding and offboarding process. Something a little bit less complex than what they're currently doing.

The price is the problem and also the architecture can be daunting because CyberArk really strongly encourages having hardware vaults. Most corporations are totally virtualized.

I use virtualized vaults on everything including the high availability configuration.

I started using Cyber-Ark Enterprise Password Vault when they were on version five or six, they are now on 11.5 or 11.6. I have been using this solution for a total of 15 years.

CyberArk is very stable.

If there is a problem, or if a problem does occur, unless you know exactly what to do and how to diagnose it, you may not be able to find it because there are so many moving parts. However, a good administrator can usually diagnose a problem fairly rapidly.

They determine the root cause by performing a root cause analysis. Also, you should inform CyberArk because sometimes a fix might be required. CyberArk stopped performing single sign-on.

CyberArk is very scalable. It's one of the things that I love and it's also one of the things that I hate about CyberArk.

For example, it's a standalone vault that is practically uncrackable. If you want to do a password rotation you need to have a central password manager. It's called a CPM.

If you want session recordings you have to have a PSM. They can be run on the same server, but eventually, the performance is going to be an extensive task. 

A CPM is performing verification on passwords continuously, and to start stacking server roles on top of each other. 

If you're a semi-vault in a small environment, with one server running CPM, PSM, and PDWA all on one box, it would be no problem with less than 10 administrators and only 70 servers.

With other small or larger organizations that have hundreds of servers rendering that capability or that flexibility, you would have to have a dedicated CPM and dedicated PDWAs, which is the administrator web interface.

For a medium-sized company where you want to do a session recording for all the administrator access, it will cause a problem. It will require multiple PSM servers and if you don't have a good administrator who documents the build process well, or they don't update it, then the problem shows when you build a new PSM. If they don't add all the applications to it then you're going to get an intermittent error across the low-balanced PFMs, where eight of the ten work, but two of them don't because they didn't install the SFQL agent. It's a very complex program, albeit very scalable.

If you're a multinational corporation, you can have your vault in one location and have PSMs distributed where the systems are in the data centers. Then, the PDWAs and the CPMs would be in the data centers and you would have the PDWAs where the user populations are. Rather than having one single appliance or one single box that does everything, you end up having boxes distributed all over. This means that they have to do synchronization and it works out very well most times.

We have small to large company clients. We have clients that have tens of thousands of administrative accounts and 1000 or so servers, to clients as small as having 70 servers with maybe only 750 to 1500 accounts.

Technical support is awesome!

CyberArk has excellent technical support. They may not be timely. They're not quick, but they're great.

I would rate the technical support a ten out of ten.

You have to follow the ticket creation process, which is in your benefit because you need screenshots and logs to be able to diagnose the problem. If you do that, then CyberArk comes back with some incredible support help and in most times it's something that I would have never been able to figure out because the product is very complex and it has a lot of moving parts.

I have not used any other solution previously. CyberArk is what I learned first.

The initial setup was very complex. There are a lot of moving parts. The skillsets for some of the advanced features require administrators to know how to program in specific APIs. 

The complexity to implement is very high. On a scale of one to 10, it's a 9.5.

CyberArk is very expensive and there are additional fees for add-ons.

CyberArk Password Vault is probably the top vault on the market and Thycotic would be a close second.

CyberArk is not always suited for our clients but it is the best solution. Eight out of 10 organizations don't implement it. Just because you know CyberArk doesn't mean you understand it.

The SaaS solution is sound but the on-premises is primarily what I have worked on. I am CyberArk certified. When I started off several years ago, I got my CIS as PE. I was put into a security group in EDS. 

Network admins who work for the company have to be administrators, with high skill levels. 

Before implementing CyberArk, I would say do a very aggressive use case creation of everything that you're expecting the vault to do. The security architecture should be able to create high-level bulleted use cases. Security administration should be able to take it down to the next level of detail.

They will have to add Conjure, which is another license for CyberArk.

I would rate this solution a nine out of ten.