CyberArk Privileged Access Manager Reviews

An example of one of the ways CyberArk has benefited our company is one of the simplest. And this one is something that a lot of companies struggle with: domain administrators and server administrators. These are among the top accounts that most companies need to protect. As part of our deployment, we decided to go with these first when we deployed PSM.

What we found out was that there's always that friction with operational teams where they don't want to do this kind of work because it is another thing they have to do. But once the product was deployed and we were able to give them all the tools that they have today, and they did not have to go through attestations and audits anymore and, when team members were coming in and leaving, all they had to do was put in a ServiceNow request to complete all the work, it was just something so different for them that all that friction just went away. It was one of those simplest things, but one of the biggest things that you can do in your company to protect it.

I don't know if CyberArk really helps with meeting our availability requirements, but it definitely helps a lot with managing the accounts and managing the credentials. Availability? It helps to an extent. If there is an event of some sort, yes, you can always go back and look at the logs and you can figure out through recordings what happened. But it's more about manageability than availability.

In addition, when we started with RPA, there was a requirement that every credential and the bots themselves be protected through the PAM system. From the get-go, we've had CyberArk in the middle. We use standard products for RPA and all credentials are managed through CyberArk. All bots are protected via CyberArk, through PSM, and also through CCP calls. We've got a pretty robust RPA implementation with our PAM platform. Users, bots, the credentials — everything is managed via our PAM solution. From a cost perspective, this was something that was a requirement, so cost was never really an issue here.

The solution's ability to secure robots’ privileged access is pretty good. We've been able to secure our bots. In fact, we take care of our bots right from a development environment, using our development instances. So when our developers are building the scripts around those bots, they're already aware of what's going to happen when things finally go into production. Obviously, the level of security doesn't need to be the same, but we do it through the complete lifecycle.

PSM has been one of the most valuable features. We started on this journey a while back. Initially, when we did not have PSM, we started with AIM and that was our first use case. But an audit came along and we had to go towards something a little bit better and we had to migrate more applications. PSM came along and did exactly what we needed it to do. To take care of all the deficiencies that we had, PSM was the right thing to do.

We work with CyberArk's customer success team and we work with its engineering team back in Israel. We've been doing things on CyberArk which a lot of its customers, we know, have not been doing.

The one place where we found that this product really needs to improve is the cloud. Simple integrations don't exist, even today. We don't have anything specific on CyberArk for managing SaaS products, SaaS vendors, and SaaS credentials. I understand it's a vendor-based thing and that they have to coordinate with the other vendors to be able to do that, and there are integrations coming, but these are the major places where CyberArk definitely needs to invest some more time. Because this is what the future is. You're not going to have a lot of on-prem applications. Most stuff is going to the cloud.

Not every product is 100 percent stable. CyberArk does have some issues once in a while. But the core product, the vault system, has been extremely stable. We haven't had a single problem since we got this thing deployed, and it's been more than six years now. We've not had a single problem with the vault. 

Related to the software, there are other things that can cause problems. You could have clusters going down or you could have issues with hardware, but the product itself has been very stable. 

There are the usual quirks you have sometimes with PSM, but it's been a very stable product for what we need it to be.

In terms of the product's ability to manage all our access requirements at scale, about 80 percent of it can be managed. There is no product in the market which can say, "We can do 100 percent, we can do everything." Or, they say that they can, but when it comes to it, it doesn't really happen. But with CyberArk, we've had the benefit of it being a little scalable, plus very easy to configure for the different use cases we have. So we can cover around 80 percent. But then we have to put some compensating controls around the other 20 percent.

It has scaled for our use cases. We built it according to the very large specification and it has scaled. It has done exactly what we need it to do. We've not yet had a performance issue to date.

We've had good relationships with their technical department. My team usually does more engineering. We work with CyberArk's customer success team more often than the regular technical support. My operations team usually deals more with tech support.

When it has really come down to major issues, if we've ever had a Sev 1, they've been on point. They have picked up the phone, they've called us and they've helped us.

We did not use a different product. We had an in-built vaulting system for managing our own credentials. We've been a CyberArk customer for a while. We had the document vault. Privileged Access had just come out and CyberArk was one of the easiest choices we could make at that time. That's how we decided to go with it.

The initial setup was not straightforward. The very first setup that we did was specifically for AIM, which was obviously simpler. We had an in-built vault which we replaced with the AIM setup. 

Our PSM setup was very complex. We had about 450 applications that we had to onboard over a period of one year, and we had to remove close to 16,000 accounts. It was a very complicated setup. We built close to 35 different connection components to get this product in.

The total cost of ownership, over credentials, is definitely something that goes down if you have a vaulting system. But if you have deployed it correctly, that's the only time you can get that. We've definitely seen some improvements. There are additional costs associated with getting every application onboarded, but in the long run, it keeps the company secure and I don't think you can put a price on that.

We use the solution with AWS. In fact, we set up a custom setup for AWS. We worked with the CyberArk engineering team to get it working, to come up with a custom solution to integrate our AWS EC2 instances. There were some limitations, as I mentioned earlier, with how the product integrates with AWS, so we had to make some major changes to how the integration works. As far as monitoring is concerned, it's standard CyberArk monitoring. We don't see anything specific to AWS, as far as the monitoring is concerned. This is the one place where CyberArk can improve.

Privileged access management is one part of IM. Anything that goes through has to get approved through the IM team, and our product of choice for privilege access is CyberArk. When we decided to go to the cloud, this was the natural choice because this was the product that the enterprise uses. We've had challenges. We've had to customize the product to meet our requirements. It might not be the same for every customer because our requirements are a little unique. But it eventually worked out. We've been able to meet most of our use cases.

CyberArk is an eight out of 10. It can do a lot. But there is definitely scope for improvement.

I come from the IM world, but I was more into access management. CyberArk was just one of those products which was thrust on me. Now I'm head of privileged access management, so CyberArk has been pretty good for me, going from the access management space to privileged access management. It's definitely had an impact on my career.

I use the solution for administration. If the customer requires Alero or HTML, we will deploy the solution in that particular environment. Otherwise, if the end users are accessing the solution via VPN or from inside the network, we will not deploy Alero or HTML. We will instead focus on CyberArk's core PAM, which includes the vault password rotation component, the web interface component, the jump server, and PPA. These are CyberArk's four main components which we deploy for every customer.

CyberArk has a lot of modules, such as Enterprise Password Vault, which is the heart of the solution and needs to be up and running at any time. Privileged accounts and session recordings get stored inside the vault itself.

Likewise, we can configure high availability for the vault, like an active/passive or an active/active configuration. Replication disaster recovery is also supported.

CyberArk is also capable of rotating the credentials for a lot of endpoints. It has the CPM plugins by default for password management, Windows and Linux, as well as databases like Oracle and MS SQL, and can also rotate to some network devices like Cisco 9000.

We have Privileged Access Management, a general server between the user's and the target's machine. All of the sessions go from that server to the target endpoints. Once the end user disconnects the session, the session recordings and live monitoring will be uploaded to the vault. That recording will be stored for 180 days for auditing.

Another component is Privileged Threat Analytics. It detects any threats on target machines. For example, an end user might connect to a Linux endpoint and try to run privileged commands. Those commands are customizable and can be defined in the PTA as well. Whenever those users run those particular commands on the target, the PTA will report suspicious activity and report to security admins in the organization via mail or even on the web portal. We have a separate tab for security.

Within security events, these particular suspicious activities will be detected as threats and attain a risk score, "This is the user who connected to this particular target and ran these particular commands or applications."

CyberArk has a remote access solution called CyberArk Remote Access Alero. CyberArk also supports HTML gateways so that users can connect from outside the network without a VPN connection.

The solution has many advantages, such as the user interfaces and remote app features when using local applications when sessions are getting established over RDP, SSH, database, and web browsers. It is easy for administration as well.

Password management for all the endpoints needs improvement.

CyberArk can handle password management for Windows, Linux, databases, and network devices. However, there are solutions like Tenable or Skybox, Palo Alto, and other security devices for which we cannot provide password rotations on CyberArk. CyberArk should look into development for those particular plugins. I heard they had developed them, but they are not widely available. So if, for example, a customer requires CPM's password management plugin for Tenable, they need to send a request to CyberArk themselves so that the CyberArk team will then sell it to the customer. It does not come with an implementation license. It's a separate thing that a customer needs to purchase. CyberArk will assign it to that particular customer ID, and that plugin will not be supported for other customers. But those are their business tactics. They will not reveal all their plugins, only the basic ones.

I have worked with CyberArk Enterprise Password Vault for four years on a regular basis.

I rate the solution's stability an eight out of ten.

I rate the solution's scalability an eight out of ten.

The technical support is very poor. We handle implementation for our clients, so we do not handle support after. We do the knowledge transfer and if they face some challenges, we will show them how to troubleshoot as well as the documentation. We provide everything to the customer as they are not experts in CyberArk.

If the customer faces any issue, they will raise a case with CyberArk in the technical portal. But once they raise a case, CyberArk will not respond.

Let us say I opened a case this morning. Initially, they will respond, "I am the technical expert handling this particular case. Please provide me the logs." Their first reply will be that they want the logs. The customer will then gather the logs somehow and attach those logs to the case.

However, it will take two days for technical support to investigate their logs and reply. Even after two days, they will reply, and will say, "I am transferring this case to the higher level expert" that is, L2 or L3, "they will get back to you." 

The initial reply will be given by the L1 engineer who doesn't know the product or how to troubleshoot that situation, so every case will go to the L2 level or L3. The time taken in the process is too heavy. So even if I open the case as a "severe" case, even if it is not severe, they will reply to say that this particular case is not severe, so I have to keep it as "medium" or "low." As a result, customers consider hiring support from my company.

Neutral

With CyberArk, we have the direct installer file and setup files for each component, such as Password Vault Web Access, CPM, PSM, and PTA. The implementation engineer should install every component. We also need to have servers for each component. We need to request a set of servers per the architecture and the components count. Once we get those servers, Windows or Linux servers, we need to copy the setup files onto them. We need to deploy the setup files by installing and taking some steps. It contains manual and automatic installation, with CyberArk providing some PowerShell scripts themselves. With those scripts, we can do the installation automatically. 

By comparison, with BeyondTrust, whatever the module is, the virtual appliance is built by the BeyondTrust team itself with all the configurations. We just need to deploy it in our organization network and do the initial networking configuration, and later, we can directly do the integrations.

Also, CyberArk recommends we do hardening for each component for security purposes. After hardening, unwanted firewalls and services will be disabled on the operating systems, which makes the product more secure.

Though there are some efforts required from the implementation engineer, the installation is straightforward. I rate the initial setup a seven out of ten.

Users will clearly understand the solution once they go through the architecture diagram.

To connect to the target systems and view the accounts, view the session recordings, and check if the system health of all the components is working well. Any admin-related task will be done in the web portal, Password Vault Web Access, a separate component in CyberArk.

CyberArk is one of the better solutions which users will want to implement in their organization for securing their privileged accounts and access, and session monitoring for auditing. If they can deploy CyberArk, it's a good product.

The solution's most valuable features are one-time password and exclusive access.

CyberArk is complicated and costly to deploy for Windows servers compared to a few other vendors. It would be helpful if they combined all the components on a single server. Also, they should release a version specific to small businesses with two servers installation architecture.

We have been using the solution for three years.

The solution is highly stable. I rate its stability a ten out of ten.

I rate the solution's scalability a ten. It is the best in the market. It can scale to any infrastructure. We had implemented around 1000 target servers for our previous customers.

The solution's training documentation compensates for efforts to raise the tickets. We can resolve the issues ourselves based on the documents provided by the vendor. If you contact them for any problems, they solve them within a few hours.

I have implemented the solution for small and large enterprises. I haven't come across any bugs or issues. I use the 12.2 version as it is more stable, and I have more experience working with it than the newer version. It is easier to deploy if you know how to use it.

The time taken for deployment depends on specific project requirements. In the case of lesser servers and target machines, it takes about a few weeks. Whereas for a larger number of servers, it takes around two to three months to complete. The process involves setting up servers to host password vault, API access, central policy manager, and SM server. Additionally, for customer-specific requirements, we can set up Distributed Trusted Host (DTH) server for privileged analytics and Privileged Session Manager (PSM) for session management.

Apart from the deployment, it involves configuring policies, setting up additional connection components, etc.

The solution is cost-effective for the features. In comparison, other vendors would charge extra for the same features. Also, its pricing model is based on the number of users rather than the number of servers. Thus, there are no additional costs. I rate its pricing a six or seven.

I recommend the solution to others and rate it a ten out of ten. It is user-friendly once you understand its functionality.

Account discovery, account rotation, and account management features make it a well-rounded application.

Account discovery allows for auto-detection to search for new accounts in a specific environment such as an LDAP domain. This allows CyberArk to automatically vault workstations, heightened IDs, servers, and other accounts. Once the account is automatically vaulted, the system then manages the account by verifying the account on a regular basis or reconciling the account if it has been checked out and used. The settings for the window that account is using is configurable to the type of account being used.

CyberArk is constantly coming up with new ways to perform auditing, bulk loading accounts, quicker access between accounts and live connections, as well as different ways to monitor account usage and look for outliers.

As companies move further toward a “least privilege” account structure, CyberArk sets the bar for heightened account management.

In the past, standard practice was to assign role-based rights to standard accounts. Moving away from this structure allows us to require that all heightened access accounts be “checked out” and only operate within a set window. CyberArk analytics provide real-time monitoring to ensure accounts are only used by the correct people at the correct time.

Like any software, improvements and upgrades are a necessity. As CyberArk is used by many Fortune 100 and Global 2000 companies, they offer custom solutions that need to be continuously improved as the company changes. I am looking forward to new ways to utilize accounts within the current CyberArk system allowing a more seamless flow for technicians.

I have used it for 19 months.

Beyond the servers and security devices necessary to run CyberArk, it maintains surprisingly few dependencies. It is capable of secure hardening with the capacity for multiple failovers that can exist and work without the use of LDAPs or external databases. CyberArk has been the most stable platform I have ever worked on and our redundancies allow for 100% uptime.

Scalability has not been a problem. I have worked on multiple improvements and increases, as we continuously increase the number of domains and types of accounts CyberArk manages. There is not currently an end in sight for the number and types of accounts we are adding.

CyberArk technical support is top notch. They provide ticketing and immediate escalation of issues, as well as direct resources for more immediate problems. CyberArk R&D has also provided valued updates to custom applications we use internally.

With data breaches and ransomware becoming the standard that companies now face, a more elegant solution was desired from standard network and physical security. Accounts that can be found or socially engineered out of people has been a long-standing tradition for criminals and bored teenagers. Reducing the window any account can be used provides a more secure network.

Setting up and learning a new platform is always a complex undertaking. This is why CyberArk provides local hands-on support to get the system set up and the company’s techs trained. The base setup will differ from company to company, based on their immediate needs and what they wish to accomplish immediately. Heightened IDs, local workstation IDs, off-network server accounts, service IDs… the list goes on and on.

There are a handful of options out there providing similar services. However, none of them are as far along or provide as much stability and innovation as CyberArk. Pricing and licensing are going to depend on a great many factors and can be split up from when the system is originally implemented, and upgrades and new software down the line. All that being said, the money in question was not a deterrent in picking CyberArk for our solution.

We have tested a great deal of products, many of which are being used in the company for various other purposes; Avecto, Dell, Thycotic, to name a few. Centrify was the other primary system that we really carefully reviewed. In the end, the features and interface of CyberArk won out.

CyberArk is an innovative set of tools that are easily learned. Getting deeper into the product allows for a great deal of complex settings that can be learned via high level implementation guides as well as a CyberArk certification.

We use the solution to provide elevated access for developers. We also use it for controlling access between departments and teams.

The most valuable features of the solution are control and analytics.

I have been using CyberArk Privileged Access Manager for two years.

I rate the solution a seven out of ten for stability.

We have 7,000 users and 200 developers working with the solution.

I rate the solution’s scalability an eight out of ten.

We use Splunk for certain use cases and CyberArk Privileged Access Manager for others.

The solution’s initial setup is straightforward.

For the deployment, we sought an external consultant to help us with the design, and then we had to create an operational team.

Six people from the OPS team and three from the engineering team are needed to deploy and maintain the solution. Regarding enterprise, the solution is scalable and has a good feature set. The solution helps us stay compliant with regulations and be proactive in remediating security issues.

Overall, I rate the solution an eight out of ten.

We use it for other use cases, such as automating application authorization, managing files, and securing monetary accounts. We use it for managing privileged accounts.

I like everything about it. It's secure and reliable. I especially appreciate that it's locked down and only allows access to authorized components.

The issue is that in many environments, what I purchase via text is different. We have some policies that are specific to Microsoft environments. For example, my actual manager may not be able to connect to a Microsoft product due to a policy on it. The issue that comes to mind now is how six credentials are managed.

Currently, if you try to log in to any server within the environment, you would need to log in every time, regardless of whether you have already received the credential or if the connecting device is present or not. It is a problem with CyberArk. If CyberArk could find a way to solve this, it would greatly improve the experience.

I'm not sure if it is possible to fix this. It's not a point of entry, but it may require a longer string than the user might want to know, or maybe cheaper right now. If CyberArk can find a solution that improves the experience, it would be beneficial to customers.

Another thing is that there are some time needs that could be improved in the future. One thing that could be improved is to create of a better alternative for fixing group policy fees. We currently use Microsoft, but they have introduced new policies that may not be compatible.

I've been working with it for three years. I'm currently working with version 12 of the solution, and I've also worked with version 10 and partition 11.

The number of users is about 3,305, and it is stable. We don't have any small clients, mainly medium and enterprise businesses.

I would rate stability a ten out of ten, and it's very stable.

I would rate scalability an eight out of ten. It's not perfect, but it's fairly scalable.

Some things need improvement. The solution doesn't provide sufficient support. I contacted them at one point, but it took several months to get a response. Additionally, we had an issue with account balances that took a while to resolve. That was four or five years ago, though. Other than that, it's a decent solution.

Positive

Regarding the initial setup, I would say it's pretty straightforward on a scale from one to ten, where one is difficult and ten is easy. I'd give it a nine. Deployment took less than a week.

I deployed the solution.

It is pretty pricey. I would rate it a seven on a scale of one to ten, where one is cheap, and ten is very expensive.

Overall, I would rate the solution a ten out of ten.

The primary use case of the solution is mining the credentials on our Windows unique network.

The solution is able to rotate the credentials and session recording. CyberArk has the ability to change the credentials on every platform.

The initial setup has room for improvement to be more straightforward.

I have been using the solution for three months.

The solution is extremely stable.

The solution is extremely scalable.

The technical support is fantastic and quick to respond. 

I give the initial setup a five out of ten.

The initial deployment requires a couple of weeks and for the on-premises portion an additional two to four weeks. The deployment required one full-time architect and one full-time senior consultant. 

The solution is costly but we get what we pay for.

I give the solution a ten out of ten.

For maintenance, we require one part-time architect and two operations people.

I recommend the solution to others.

We are using CyberArk Privileged Access Manager for securing access to the host or the server. The solution has the capability to record activity on the server, rotate the passwords, kick out an active user, and complete an action if suspicious activity is triggered on the server. We typically only use the solution for accessing the target server and for password rotations.

One of the benefits of using CyberArk Privileged Access Manager is we have an audit trail that fits the requirements of our organization and we are more secure using the features of the solution, such as investigating and tracking.

All of the features of CyberArk Privileged Access Manager are valuable.

I have been using CyberArk Privileged Access Manager for approximately six months.

CyberArk Privileged Access Manager is stable.

The scalability of CyberArk Privileged Access Manager is very good.

We have approximately 300 users using the solution.

The partner support we have in Indonesia is fast and responsive to our needs. They are available if we are facing a problem. However, there is still room for improvement.

I rate the support from CyberArk Privileged Access Manager an eight out of ten.

Positive

I was previously using MEGA HOPEX.

The initial setup of CyberArk Privileged Access Manager difficulty depends on the environment that you are implementing it into. However, it typically is simple.

I rate the initial setup of CyberArk Privileged Access Manager a five out of ten.

We use a third party to do the implementation of the solution. We purchased preventive and corrective maintenance from our partner.

There are additional features added to our CyberArk Privileged Access Manager license. For example, features that allow us to integrate into various kinds of platforms.

I would recommend this solution to others. It has great value and it ensures your environment is secure and it is most important in production. If your company is a financial institution it is a lot of times mandatory to have a solution similar to this in operation because of cyber security concerns. We need to have preventive or professional action and one of those elements is to have a secure platform.

I rate CyberArk Privileged Access Manager an eight out of ten.