Symantec Privileged Access Manager Reviews

I see it performing really well. It has a really good scalability attribute, where you can continuously keep dumping on new users and giving them only the access they need on the projects that they would view. It is very controlling and I really like that.

Whoever built it from the ground up, they understand how an organization is laid out. You can tell. When a user comes in, it automatically picks up their information. It is very easy to use. The interface is very friendly, colorful, and bold. I really like that. It is friendly to the users. 

What PAM does is when a user signs in, or when a user gets prompted to an organization, they are classified based on what teams, job titles, and roles that they have. 

One feature I would like to see is instead of just giving passwords to the user based on job function, from auditing perspective, turn that cycle around. Let us have a reporting feature that will say, "Can you please show me all the users who have access to the DB admin account essay." That would really help from an auditing standpoint. 

There is already a feature for that. It is not too great to use. Instead of being Splunk, maybe have a feature built into the application. 

There have been no issues with CA technical support.

After doing a little bit of research in the PAM market, there are not too many PAM players out there. Obviously, there is CyberArk but the other big player is CA PAM. I took a look at CA PAM. CA's rep gave me every reason to pick CA PAM over CyberArk.

CyberArk is harder to set up. You need a stand up infrastructure to back up CyberArk. PAM, on the other hand, is much more simple to use, and you do not need as many Windows servers to back it up as far as I know. 

1. According to the users who have actually used CyberArk and CA PAM, they have said that CA PAM is ten times easier to use and manage. 
2. Also, according to the users, CyberArk is only in the Windows area. They only control passwords in the Windows area. I am not sure how true that is, but that is a huge thing. 

If your company has Windows, Unix, and Linux, and has accounts all over the place and you need to management it, look into CA now. 

I feel like I have to learn more about CA PAM, because there are a lot of questions I still have for the product and I do not know them yet. 

Most important criteria when selecting a vendor: technical support. Always having someone there who knows a lot about the product, but at the same time, they will be straight up with you about the difficulties. I really do like when people tell me, this is not working, and tell you straight off the bat. I really like that straightforwardness.

We use Symantec Privileged Access Manager for controlling administrator and privileged user access. We can check the activities in the server for fragile files and documents in case of any issues.

There should be some training platform similar to Microsoft and IBM. We can't find useful documentation or YouTube videos to learn about the process. They should include some assignments in the test environment to explore the product's features.

We have been using Symantec Privileged Access Manager for four months.

It is a stable platform.

It is a scalable platform.

The product is easy to install.

The product's pricing depends on the agreement. They offer per-device, per-user, or monthly and yearly licensing models.

I rate Symantec Privileged Access Manager an eight out of ten.

The key benefits are we improve our governance. We ensure we can build more trust in the way we run and operate our environment, and most of all is the accountability. Where things do go wrong from time to time, we are in a good position to ensure that we can recover quickly.

One of the key things for us about the product is around its simplicity. Being able to put in the technology that allows the business to remove complexity and also allow the security improvements. This is high on our agenda. 

As with most things CA, once we are bringing more technology into the portfolio and being able to collapse those products into a much more integrated way, that will definitely come over the time. 

In terms of improvement, keep listening to customers and their challenges and make sure the roadmap is very responsive. It is all about being agile, so we need to make sure the product is very easy to work with. It does not constrain us further down the road.

At the moment, we are going through several evaluations. We found that the architecture is scalable and very resilient. In terms of scaling up, it has yet to be proven, but so far, so good.

We have worked with CA before, so we understand that each engagement is slightly different. One thing we do make sure is we always do things like test runs as part of any onboarding of a system. This would be no different if we go down this path in the future.

It is fairly mature in the world of what it have known as a vault. When you look in a wider context of how to bring it into an organization, it is not necessarily just the technology side. I would rate it from the technology side between a seven and an eight. Actually, how it becomes too much of an adopted technology in a much more wider industry, they are still around about a five to six, but it has to do with the vendor across the industry.

Most important criteria when selecting a vendor: It is about really understanding what the security challenges are in the industry, but also being able to align with specific use cases each organization is going to deal with. You have a generic capability that we can take off the shelf, but we should be able to customize when you need it. Having that right balance is really important. I think from my of view, CA has started to move in that direction more. I would like to see more of that.

I think like most evaluations, it takes a lot of time and effort. We do look at things around where the history of the technology, where it's born out of, where they are currently going, and the direction they are going. Also, in terms of how well they are going to integrate into the wider portfolio. Evaluations are not just about features and functions of this specific product, but it is taking that holistic view around what else we can get out of it in the next three to five years. It is really important for us to have that clear roadmap and one that we believe in and trust.

CA PAM has session recording, which is a very valuable feature. Overall, it is generally easy to use. It's a relatively simple product to setup and configure. You're not looking at tons of Professional Services hours to get it running.

Its primary benefits are the ability to regulate and control privileged access accounts, and their usage. Say for instance, that you have an administrator account for your Oracle EBS system: you obviously don't want your system administrators all sharing a single account. If you do find yourself in a situation where you only have one administrator account, you can setup Privileged Access Manager to track which administrators are using that single administrator account. That is very useful.

They actually just announced adding features that I would have liked included in the release that we're using. These new features all revolve around reporting and analytics. The basic reporting that comes with it is basic. They are not broad enough or deep enough. Apparently, with the latest release that was announced yesterday, there's a new analytics piece to it that really expands on its reporting capabilities.

Some of the key analytics that I would like to see are consolidated dashboard views with information about any privileged access usage that is out of the norm from a security perspective. That is now included in this new module; but I don’t think that this module is part of the Base Privileged Access Manager

Also, the licensing model, with cost as you scale with the number of users and recordable sessions. If it was cheaper, I would give it a perfect ranking.

I have had no stability issues whatsoever with it.

We have a relatively small implementation, but from what we've seen so far, it would scale pretty well.

We’ve used a little bit of technical support. It was really just a couple of questions here and there, and the support has been very good so far.

We did not have a solution in place.

Initial setup is pretty straightforward.

My organization had a push to increase our security posture this year. One of the areas we're looking at concentrating on is the use and control of privileged accounts. We obviously looked at the feature functionality set; then cost, then ease of use with a proof of concept demo.

We considered Thycotic Secret Server and we looked at a ManageEngine product. Ultimately, it came down to a choice between the Thycotic product and CA's PAM.

The only advice that I would give is to also consider some of the new pure Cloud-based offerings that are out. They weren't necessarily strong enough for us to consider when we were looking.

So far the best value is the centralized management of all administrative accounts. Before PAM, domain administrators, Unix administrators with root access, end-users with elevated desktop privileges, and so on, were managed by those individual groups themselves. Now we have a way to separate the management of accounts with and without elevated privileges. This provides better control over who can see what information, and who can perform which actions.

So all the different roles (such as database admin, Unix admin, network administrator), are now centralized into one system. Users are authenticated with a single sign-on to access only what is appropriate for their role. It also enables us to take a generic role, like an administrator, and grant certain access rights to that role. Then you can apply the generic role, but go inside and make it granular. That isn't available in the product off the shelf, like in Microsoft or Red Hat.

It also integrates with our identity management system in which the roles and responsibilities are defined. Syncing the two systems is very helpful as well.

It is very helpful with passing audits. It’s one thing to say you have a control; it’s another to show your control. This is very easy to show. It also simplifies the security team's role in that we aren't chasing as many accounts with elevated privileges. We have a central place to go look for them.

A secondary feature is that it tracks normal behavior, and then sends notifications about anything out of the norm. An example of that is: a network administrator would add accounts on a regular basis at a rate of 10 a day; if 50 were to show up in one day, it would automatically flag it and say, "Something's not right, take a look."

I would like to see better integration with Security Incident Management solutions, a SIM, like a Splunk.

The integration with IBM’s Guardian is useful, but it is not a specific plug-in or API. It is just log information; so a little more detail would be useful there.

So far, so good. It is new. We haven’t had any issues yet.

So far, so good. It is new. We haven’t had any issues yet.

Technical support been good too. We had professional services onsite with us, so that made things easy. We have transitioned away from that, but so far things have been fine. We haven't had any major issues.

We were not using anything else previously.

It was a little bit of both. There's some internal politics, and the internal infrastructures, as well as bringing in a new product,; but overall it was fine.

There was lack of knowledge from my team; and then learning from the other team, as well as the professional services team learning our infrastructure and its intricacies.

How do you get a change control approved so we could do something quickly?

We went with it because of internal customer needs, the regulatory and audit requirements, ease of installation, and auditor funding.

I would say do your research. We did, and that's why I said there weren't any real competitors. There always; but in this space, I don't think so – not today.

• Session Management (Session Control and Recording)
• Very good in reliability
• Deployment Model: Available in both hardware and software appliance with one step installation only

Not applicable. I’m distributor of this product, not an end user.

Live session

GUI command keystroke and filtering

Session limitation

Live Session is a common feature now on PAM technology. By having this feature, an Administrator can monitor on live session about a privileged user activity, same like what we saw in CCTV. CA should add this feature on their PAM product, then they can compete with competitors.

Command keystroke and filtering on GUI session is needed to record and filter which commands allowed or not allowed privileged user work on GUI sessions, i.e., RDP Windows. By having this feature an Administrator can prevent dangerous commands when a privileged user on an RDP Session and open PowerShell or Windows Command or Database Engine CLI (MySQL, Oracle, etc.)

Session limitation is a very critical feature that cannot be addressed by CA PAM. By having this feature, only one username can allowed to login to the PAM dashboard at the same time and prevent another person to login using the same username (sharing password/username).

I have used this solution for two years.

There were no issues with stability.

There were no issues with scalability.

I would give technical support a rating of four out of five.

We did not use a solution before this one.

The initial setup was straightforward and very easy to setup.

There is a combination of user and target devices pricing/licensing. There is no point to charge on target device pricing for 1000+ target devices. I would suggest charging for user percentages.

I’m very satisfied with the product.

The most valuable feature is the general concept of securing privileged passwords. Having worked in IT for a long time, I know how privileged passwords can float around. They pass from person to person and don’t get changed when they should be changed, such as when someone key who knows them leaves the organization. So, I appreciate the value of locking all that down.

Being able to have a centralized place to store the most critical username/password combinations that you have. These are the ones that access your key systems. PAM prevents some of the breaches that we've seen recently where one of those privileged accounts can lead to access to confidential information or financials can really paralyze an entire organization. Breaches can potentially smear organizations in the media when their names get out there in that light. So the whole concept of locking that down is very important.

The product itself is solid. I haven't really seen any deficiencies. It’s more just getting the message out about why it's so important. That's what our organization is trying to do. We're also a reseller. We are trying to convince companies that they need this type of technology. Publishing more use cases would be helpful just to help to convince companies why they need a product like this.

We don't actually use this solution ourselves. We implement the solution for people who buy it. I’ve been doing it for about a year. I haven't used it personally, but I know how it works.

It's very self-contained as a product. Being appliance-based, it's easy to implement. It's stable. No complaints there.

It is very scalable. I know it's used in large organizations like banks and healthcare organizations. It's just a matter of swapping in. I recall on one of the enablement calls that I attended, they had a very defined set of parameters where if you reached a certain threshold, you would then swap in another PAM appliance.

I've actually never called in to their technical support, so I really can't say.

I don't really know much on the pricing side. I'm more on the technical side. We do have an instructor that teaches the PAM enablement classes, and he's a big fan of the course materials. He thinks that they're very valuable and well worth the cost of attending a class. So attend the public CA courses on PAM, because they're very good.

I would say definitely get professionals that can help out. My company is in this space, and this is what we do for a living, so I don't think that it's a product that you want to go and try to implement on your own. Getting professional experience on your side for two or three weeks, or whatever it takes, to deploy the solution is well worth the investment.

Password Management and Session Recording. The simplicity and ease that it is to be up and running out-of-the-box is very much appreciated.

The recording feature uses a proprietary format that is very light, even with high definition videos, allowing you to use very little hard drive space. This has proven very valuable when managing large amounts of sessions.

We are now able to record all technical support requests that require a remote control session, therefore accountability has risen reducing the amount of mistakes or errors.

Clients are also more confident that all activities are recorded and everyone is held accountable when asking for support being provided.

With the recently added feature that supports recording VNC sessions, we have been able to expand the session management to the IT personnel who prefer VNC for remote session management.

The support for other remote assistance tools would be excellent. Free included tools in Windows (Remote Assist) and Microsoft SCCM Configuration Manager (ConMgr Remote Control) allow companies to reduce the amount of RDP connections and expand the usage of the tools are frequently used by companies to provide technical support for remote assistance.

This could increase the amount of purchased licenses, with increasing growth of (remote) managed services (MSPs), and would also allow a company to demand that a provider use a tool such as CA PAM when providing remote assistance, in order to record evidence or increase accountability. Access to online training free of charge is also highly recommended.

Over two years.

Not in my experience. It has proven to be a very stable solution, even when it is run as a virtual appliance.

Not in my experience.

I have had a good experience because they have been able to resolve issues nine of 10 in a short period.

The cons are that you are rarely (if ever) able to talk to a technician when calling support. This is frustrating when the issues are critical or urgent.

This is much worse in out of office hours. At times, when the issues are complex, the resolution times has been longer than desired and the time in between contacts is also too long.

There is a lot of space to improve in this area.

No, I have looked at CyberArk, but never used it as a customer.

Session management is pretty straightforward as is the password management. We were able to get it up and running in no time. It might be a bit complex to follow the flow of creating the devices, users, and single sign on using the password vault, so that process could be simplified for those getting started with the solution.

Can’t say much. The prices are not low, but one can ask for a discount. It’s not the cheapest PAM solution.

Yes, CyberArk. We found it too complex and with more features than one would probably need.

If looking for a solution with privileged session management, great recording features with an integrated password vault and Single Sign-On that is pretty straightforward to implement out-of-the-box and does not overwhelm you with unnecessary features, it the best way to go.

It has space for improving the user interface and remote connection tools, but surely this is something that should be in their roadmap.