CyberArk Privileged Access Manager Reviews

It is for the lab. We just onboard all the privileged accounts and then try to make them compliant and provide access to end-users. We are CyberArk administrators, and our responsibility is to onboard the accounts and provide access to end-users so that there is no business impact and the users are able to connect to their target services.

I started with version 10.6, and now, the current version of CyberArk is 12.1. It is deployed on-prem, but in my lab, it is my virtual setup.

It is one of the best solutions in the market. Ever since I started using this solution, there has not been any compromise when it comes to our lab.

There is a lot of room for improvement in the report section. I also work on other tools, such as Thycotic, which allows you to create customized reports for your organization's needs. In CyberArk, there are limited reports, whereas in Thycotic or some of the other PAM tools, because the database is different, you can customize the report based on your needs through SQL queries.

The GUI part can be better. Previously, they had a classic one, and then they upgraded to the new one, but it is less user-friendly than other PAM solutions. Its GUI is a little bit complex.

I have been using this solution for almost five years.

It is a stable solution. It is a top PAM solution as per Gartner.

Its scalability is good.

I have contacted them multiple times. They helped me in a good way. Whenever I raised a ticket, depending on the ticket priority, they provided good support. Sometimes, I got a response within two hours.

CyberArk has a distributed architecture. Therefore, as compared to other PAM solutions, it is a little bit complex. You first need to understand the environment and then install the individual components, whereas, in other PAM solutions, you have to build the database and then simply run the application and directly connect to the application. You can then start using the application.

If you are using this solution for the first time, you need to be a little bit aware of Windows, Linux, and AD. Otherwise, it might be complex for you.

I would rate it a nine out of ten. 

It's a privileged access management tool so it helps in making sure that all privileged accounts are compliant.

The product is an important security measure against credential theft. It ensures session isolation and password rotation including pushing passwords to the endpoints. 

It's also possible to pull the password from the CyberArk to ensure that there are no hardcoded credentials in scrips or DevOps tools. 

It provides a comprehensive access control list and auditing. Reporting capabilities are extensive.

New features are being added in every release, and there are few releases a year.

Enhancement requests can be submitted by the community and are taken into consideration by the company.

As configuration options are very extensive, it is sometimes hard to find the correct and complete way of customization or specific configuration. 

The documentation is rather basic and it is missing many use cases. 

It's also hard to test solutions without a development environment as CyberArk doesn't provide the possibility to run the environment for personal purposes.

I've used the solution for six years.

My company uses CyberArk Enterprise Password Vault for our servers and when our IT partners try to access our mission critical systems. We have also integrated the product with software tools used for authentication purposes. Our company's IT uses LDAP credentials to log in to the PVWA application while also being able to use granted privileges on one or more servers.

The most valuable feature of the solution is session recording.

There is a little bit of confusion in the implementation part, especially when one tries to understand the actual working of the product. The ones involved in the implementation of the product did not show the people in our company how they work on the product. The aforementioned area can be considered for improvement.

I have been using CyberArk Enterprise Password Vault for a year and six months. The product is used in my company. I use CyberArk Enterprise Password Vault Version 12.0. I am a customer of the product.

It is a scalable solution.

We upgraded the solution even though we had subscribed to the product for ten years in our company. In our company, we wanted around 50 employees to be able to operate the solution.

From my end, I have not used technical support. I don't know if my colleagues have faced any problems because of which they had to contact technical support.

The implementation took place over a period of three months.

The solution is deployed on-premises.

CyberArk Enterprise Password Vault is a very expensive product.

I believe that the charges for maintenance and support are already included in CyberArk Enterprise Password Vault's pricing policy.

I will tell those planning to use the solution that it is a very expensive solution. Due to the cyber security constraints of the product, most of the companies are forced to update by paying money to CyberArk, which I feel is one of the problematic areas in the product. Feature-wise, it is a very good product.

I rate the overall product a nine out of ten.

We use it for other use cases, such as automating application authorization, managing files, and securing monetary accounts. We use it for managing privileged accounts.

I like everything about it. It's secure and reliable. I especially appreciate that it's locked down and only allows access to authorized components.

The issue is that in many environments, what I purchase via text is different. We have some policies that are specific to Microsoft environments. For example, my actual manager may not be able to connect to a Microsoft product due to a policy on it. The issue that comes to mind now is how six credentials are managed.

Currently, if you try to log in to any server within the environment, you would need to log in every time, regardless of whether you have already received the credential or if the connecting device is present or not. It is a problem with CyberArk. If CyberArk could find a way to solve this, it would greatly improve the experience.

I'm not sure if it is possible to fix this. It's not a point of entry, but it may require a longer string than the user might want to know, or maybe cheaper right now. If CyberArk can find a solution that improves the experience, it would be beneficial to customers.

Another thing is that there are some time needs that could be improved in the future. One thing that could be improved is to create of a better alternative for fixing group policy fees. We currently use Microsoft, but they have introduced new policies that may not be compatible.

I've been working with it for three years. I'm currently working with version 12 of the solution, and I've also worked with version 10 and partition 11.

The number of users is about 3,305, and it is stable. We don't have any small clients, mainly medium and enterprise businesses.

I would rate stability a ten out of ten, and it's very stable.

I would rate scalability an eight out of ten. It's not perfect, but it's fairly scalable.

Some things need improvement. The solution doesn't provide sufficient support. I contacted them at one point, but it took several months to get a response. Additionally, we had an issue with account balances that took a while to resolve. That was four or five years ago, though. Other than that, it's a decent solution.

Positive

Regarding the initial setup, I would say it's pretty straightforward on a scale from one to ten, where one is difficult and ten is easy. I'd give it a nine. Deployment took less than a week.

I deployed the solution.

It is pretty pricey. I would rate it a seven on a scale of one to ten, where one is cheap, and ten is very expensive.

Overall, I would rate the solution a ten out of ten.

Primary use case is for compliance, SOX, PCI, HIPAA, and securing privileged access accounts. It seems to be performing well. We have had pretty good success with it.

We plan to utilize CyberArk to secure infrastructure and applications running in the cloud with AWS Management Console. We are testing it right now, so we hopefully it will be ready in about two months.

We are maintaining compliance in PCI, SOX and HIPPA, which is a big thing. Auditors really like it, and it has made us stay compliant.

There is at least one place to go to for getting privileged accounts. Now, users have to go through the portal or go through CyberArk front-end, the PVWA, or we could use the OPM or PSMP. It has helped out quite a bit.

We are able to know who is accessing what and when; having accountability. That is the big thing.

Make it easier to deploy. In 10.4, we did it with the cloud and could actually script the installs.

It has been pretty stable. We had some issues before, but customer support has been helping us out quite a bit. 

We think we had some PSM issues, and that was the big problem we had. Basically, it had to be rebuilt.

Scalability is impressive because you can set up clusters, so you can grow as your needs grow.

Technical support has been excellent. They have been really good and knowledgeable. They come out and help us out. They have also helped us do our roadmapping.

We feel like we get the right person the right time that we call.

The upgrading process was pretty straightforward. We had some issues with the platforms when we upgraded. That was probably on our part, maybe we missed something.

The vendor was retained to implement our Cyberark rollout initially.

It keeps us from getting dinged by the compliance officers. Keeps us in compliance.

Understand your needs prior to purchasing. Cyberark team will advise as well which is a plus.

It does what it promised. It secures our platforms, haves the scalability, and it is just a solid product.

Know what you are getting into upfront. Work with IT to ensure you have buy-in from upper management, and work with them to get a roadmap to deploy. 

Most important criteria when selecting a vendor:

• Reliability
• Having good customer support.

The primary use case is increasing security and our security posture at our company, helping to prevent any future breaches and secure as many privileged accounts as we can. We have a lot of use cases, so there is not really a primary one, other than just trying to increase our security and protect our most privileged accounts.

We do not have a large cloud presence as of yet, but like other organizations, we are starting to get into it. We have a fantastic adoption of CyberArk that extends all the way up through executive leadership. A lot of times, projects and proof of concepts that we want to go through are very well-received and well supported, even by our top leadership. Once we get to the point where we are ready to do that, I think we will have executive support, which is always incredibly important for these types of things. 

We are in healthcare, so we are a little bit behind everybody else in terms of adoption and going into these types of areas. We are a little bit behind others in terms of cloud, but we will definitely get there.

Right out of the gate, three years ago, we secured all of our Windows Servers and all of our local administrator accounts. We followed that with all of their root accounts for our Unix servers. We were able to greatly increase our posture with local accounts. Then, we went through domain admins and reduced the landscape and password age of those accounts. We have demoted a lot of domain admins and taken a lot of that away from people, giving it a shared account structure. This has worked well for us to be able to protect our most sensitive assets. We call them crown jewels. It has been important to be able to do that, and CyberArk has allowed us to do that, which has been great.

We have tightly integrated CyberArk into a lot of our different processes. Our security organization is massive. We have a lot of different teams and different things moving. Not only have we integrated this into our identity access management team, so onboarding and offboarding, but we also have integrated it in our threat management side where they do security configuration reviews before we have applications go live. We require these accounts that operate those particular solutions to be vaulted immediately. We have implemented them into a lot of our policies, standards, and processes. It has helped us with our adoption with other teams, and it has also helped us to integrate it at the ground level.

It has an automatic password rotation. We have so many accounts, and being such a large organization, it helps take a lot of maintenance off of our plates, as well as automating a lot of those features to help increase our security. Having this automation in place, it has really been beneficial for us.

We do use their AIM solution for application credentials.

One of the things that I have been wanting is that we use the Privileged Threat Analytics (PTA) solution, and it is a complete standalone solution, but they will be integrating it into the vault and into the PVWA. So, we will have that singular place to see everything, which for us is great because it's one less thing to log into and one less thing that you feel like you have to jump over to get a piece of information. Having a centralized place to manage the solution has been something that I have always wanted, and they are starting to understand that and bring things back together.

Three to five years.

It is phenomenal. We have three data centers across the United States. This was last year or the year before, we had one of our data centers altogether go out, and a very large amount of our critical applications went down. CyberArk stayed up the entire time. We had redundancy in another data center and we had disaster recovery plans already set up and ready to go. In that time, when everything was so hectic and everybody was scrambling, trying to get the data center back up and available, they were able to access the privileged credentials that they needed because our solution remained up and available.

This was a huge for us. To have the users of the system feel that it is stable, trustworthy, and dependable. We have had great success with the disaster recovery functionality that we have with CyberArk vault. We test it frequently, and it is stable for us. We have been very pleased with the stability of the solution.

So far, it has been fantastic. We are a very large organization. We have approximately 110,000 employees and almost 20,000 accounts vaulted, where there is a lot of room for us to continue to grow. Even at the scale that we are at now, it has never had any kind of issues. We have never had any issues with deploying additional things. We do have some room to grow in some of our components servers if we need those, but everything that we have stood up so far has been operating flawlessly. We have not had any issues with our scale. It has been great.

We have contacted them less frequently as we have become more familiar with the solution. A lot of times now engaging technical support is more for sanity checks, and saying, “Are we doing this right or are we missing anything?” We have utilized them and have had pretty good success with having them help us with particular issues.

When we have called them, it has been something which has been a challenge for us. We generally get to the right person. Sometimes it takes us a bit of time and some further explanation to say, “This isn't exactly what we're asking." Then, we need to pull in somebody more technical or a next level of escalation. 

The customer success team has been monumental in helping us get the right people involved. If we log a support ticket, for example, and we are at a point in our maturity and our understanding of the solution that Tier 1 support is usually not what we need. We have done a lot of our own checks and troubleshooting, and we are able to say, "Here is all the stuff that we've done. We need the next level of support."

The customer success team has been monumental in pulling in the right people and helping us get to the right people on that side rather than working with the support person and saying, “We pulled this person in.” Sometimes, it is pulling in the solution manager or the team lead for that solution and getting to the top of that team almost immediately. We have had great feedback. The customer success team has been at the center of helping us get to that point.

We did not use another solution before CyberArk.

The big thing that was a catalyst for us to look at CyberArk was the Anthem breach that happened back in 2014 or 2015. Being a healthcare organization, our executive leadership realized that we are a big company. We are not immune to these sorts of attacks either. We have got to get something in place. Being best of breed, we turned to CyberArk for that. Again, it has been a fantastic partnership, and has both ways; we've been able to help them. They have been able to help us quite a bit as well. 

The initial setup was straightforward. We did have an implementation engineer from CyberArk who walked through it with us. He guided us through the process. Even though the documentation is straightforward, there is a lot there to do with a lot of different components which make it up. In and of itself, there are a lot of moving parts, but having that implementation engineer onsite, helping us walk through it helped us be very successful quickly. We also had the same experience when we went through upgrades where we contracted with professional services to help us. They have always had someone out there who guided us through it, either onsite or remotely. We have had both instances and both have been very successful.

I was the primary engineer and lead engineer who stood up the entire solution. I was both solution architect at that time, as well as the solution engineer. I have since moved into the architect role and have backfilled my position. However, I was there at the very beginning and did all of the initial setup.

The first year that we were standing up CyberArk, our organization did an annual pen testing. In one of our organizations, where we didn't have CyberArk deployed yet, they were able to escalate privileges and get all the way to a domain controller, and go all the way that an attacker would be able to. The next year that they did their annual pen testing, after we had deployed in that same region, they basically got stopped almost immediately, and they were never able to escalate their privileges. We stopped the pen test in their tracks because of the solution being in place.

While that may not have a dollar amount because it was just a test, it gives us a lot of peace of mind. Of course, we can't always say that it is impossible for somebody to get in. Someone is going to eventually get in, that is bound to happen. Knowing that we have the solution in place and reducing that threat landscape as much as we have, has been phenomenal for us, at least from an intrinsic value standpoint.

We did not evaluate other solutions. We automatically went with CyberArk.

CyberArk is a fantastic solution. They understand what the industry is trending towards. They are able to meet that very quickly. Being in healthcare, we are a little bit behind the times and we follow people a little further behind (for example, the financial sector has been doing all this stuff for so long). However, healthcare, as an industry, is always a few steps behind because we are clinical and have to support a lot of different clinicians, physicians, and regulations, which sometimes makes us move more slowly. Just having this has been huge for us.

One of the things which has differentiated us from other customers from CyberArk is we have been tremendously successful in rolling out different implementations. There are a lot of clients whom I have talked to personally who have bought the solution, but have never implemented it, or they have been met with a lot of struggles or a lot of uphill battles with their staff and adoption. My best advice would be to start out and find the quick wins, the low-hanging fruit; these things you can provide to your organization to have them understand and see the same value that you are seeing as you are implementing.

I am familiar with the the new plugin generator utility. I have not used it because I think it is a newer version than what we have, but I am excited about it. I am looking forward to utilizing it. It is similar to what they have for their PSM solution. They have some new web services framework, so they do not have to use the AutoIt tool because it takes a long time to create plugins today. Like the plugin creation utility, it will allow us to take a whole lot of time off of our turnaround to be able to provide some of these connection components.

Most important criteria when selecting a vendor: Because we have so many applications and solutions across our organization, interoperability is a big thing. I am in charge of CyberArk, as well as Duo, who we use for our two-factor, and having that integration point or the ability to integrate with these solutions is huge for us. As we try to standardize across all of our different organizations, which is very difficult in our industry, what we offer for a particular solution rather than having 30 different iterations of different applications, has been huge for us. Standardization and integration is a huge point for choosing a vendor.

Account discovery, account rotation, and account management features make it a well-rounded application.

Account discovery allows for auto-detection to search for new accounts in a specific environment such as an LDAP domain. This allows CyberArk to automatically vault workstations, heightened IDs, servers, and other accounts. Once the account is automatically vaulted, the system then manages the account by verifying the account on a regular basis or reconciling the account if it has been checked out and used. The settings for the window that account is using is configurable to the type of account being used.

CyberArk is constantly coming up with new ways to perform auditing, bulk loading accounts, quicker access between accounts and live connections, as well as different ways to monitor account usage and look for outliers.

As companies move further toward a “least privilege” account structure, CyberArk sets the bar for heightened account management.

In the past, standard practice was to assign role-based rights to standard accounts. Moving away from this structure allows us to require that all heightened access accounts be “checked out” and only operate within a set window. CyberArk analytics provide real-time monitoring to ensure accounts are only used by the correct people at the correct time.

Like any software, improvements and upgrades are a necessity. As CyberArk is used by many Fortune 100 and Global 2000 companies, they offer custom solutions that need to be continuously improved as the company changes. I am looking forward to new ways to utilize accounts within the current CyberArk system allowing a more seamless flow for technicians.

I have used it for 19 months.

Beyond the servers and security devices necessary to run CyberArk, it maintains surprisingly few dependencies. It is capable of secure hardening with the capacity for multiple failovers that can exist and work without the use of LDAPs or external databases. CyberArk has been the most stable platform I have ever worked on and our redundancies allow for 100% uptime.

Scalability has not been a problem. I have worked on multiple improvements and increases, as we continuously increase the number of domains and types of accounts CyberArk manages. There is not currently an end in sight for the number and types of accounts we are adding.

CyberArk technical support is top notch. They provide ticketing and immediate escalation of issues, as well as direct resources for more immediate problems. CyberArk R&D has also provided valued updates to custom applications we use internally.

With data breaches and ransomware becoming the standard that companies now face, a more elegant solution was desired from standard network and physical security. Accounts that can be found or socially engineered out of people has been a long-standing tradition for criminals and bored teenagers. Reducing the window any account can be used provides a more secure network.

Setting up and learning a new platform is always a complex undertaking. This is why CyberArk provides local hands-on support to get the system set up and the company’s techs trained. The base setup will differ from company to company, based on their immediate needs and what they wish to accomplish immediately. Heightened IDs, local workstation IDs, off-network server accounts, service IDs… the list goes on and on.

There are a handful of options out there providing similar services. However, none of them are as far along or provide as much stability and innovation as CyberArk. Pricing and licensing are going to depend on a great many factors and can be split up from when the system is originally implemented, and upgrades and new software down the line. All that being said, the money in question was not a deterrent in picking CyberArk for our solution.

We have tested a great deal of products, many of which are being used in the company for various other purposes; Avecto, Dell, Thycotic, to name a few. Centrify was the other primary system that we really carefully reviewed. In the end, the features and interface of CyberArk won out.

CyberArk is an innovative set of tools that are easily learned. Getting deeper into the product allows for a great deal of complex settings that can be learned via high level implementation guides as well as a CyberArk certification.

The most valuable features of CyberArk Enterprise Password Vault are password rotations and password encryptions.

CyberArk Enterprise Password Vault has a lot of enterprise-level features compared to other PAM products. It's a well-known product, and its implementation is very easy. The solution has good documentation compared to other products. CyberArk Enterprise Password Vault is legitimate software that releases patches as per vulnerability.

We require IAM (identify and access management) capability at the administrator level because we need more identification.

I have been working with CyberArk Enterprise Password Vault for the past six months.

CyberArk Enterprise Password Vault is a stable solution.

CyberArk Enterprise Password Vault is a scalable solution. We have more than 1000 people using the solution.

CyberArk Enterprise Password Vault's technical support team is good. Whenever we require any help, they assist us based on the SLA. The technical support team's response speed and competence are very good.

Positive

The solution was easy to deploy.

We need a basic understanding of the tools needed and customer requirements to deploy the solution. If the customer is looking only for a password deployment, we deploy only the password.

The deployment will require two or three people and a minimum of one week.

CyberArk Enterprise Password Vault's pricing is reasonable. Since CyberArk Enterprise Password Vault is an enterprise-level solution, its cost is higher than other solutions in the market. The solution comes with maintenance for the first year. However, after that, we need to pay for maintenance.

CyberArk Enterprise Password Vault's licensing model is comparatively very easy. It has a single license. We can deploy the solution based on the particular solutions we need.

One or two administrators are more than enough to operate the solution.

A backup strategy and DR setup are more than enough to implement CyberArk Enterprise Password Vault.

Overall, I rate CyberArk Enterprise Password Vault an eight out of ten.