Symantec Privileged Access Manager Reviews

The most valuable element is the keystroke tracking feature.

We use the tool in our FedRAMP data centers. Whenever an employee does some work at the command line in the servers, app servers or database servers, we need to track what they do.

We use the tool to do just that. We bought it for that purpose. That is why this is the most important feature for us.

The product has not improved our organization. It is an intentionally limiting product. That’s why we have it.

It limits the number of CIs. Why not have unlimited CIs?

As I understand the licensing, we purchase the PAM product and pay for it based on the number of CIs. (A “CI” is a “configuration item”. It’s an ITIL term.)

That means the number of servers, routers, switches, etc. for which PAM controls access and tracks activity. Why not charge us a flat fee and give us unlimited CIs?

We have been using the solution for around four years.

We did not encounter any issues with stability.

We had scalability issues, particularly in regards to the limit of CIs.

The technical support is very good. They are very helpful. They are knowledgeable and follow-up when we have issues.

We did not use a previous solution.

I don’t know about the initial setup. I was not involved in the initial setup.

I am not involved in pricing and licensing.

I don’t know about the evaluation of other products. I was not involved in that part of the process.

Make sure you can track enough CIs and have room for growth.

We look to make sure that there are two HyperACCESS specifications: 

1. Privileged managements: These are ordered to ensure that all the passwords assume one location so a user can enter and all their passwords are protected. Their passwords cannot be shared because they are rotated. 
2. The odd user: This user has to go through the system and exercise a chair relay. This should be our Gateway for login. 

The most common features that I use are password vaulting and password management. 

I would like this solution to be simpler. It should have a one-click access that works together with AWS. 

Scalability has been good. 

We have received good support from the tech support team.

We used IBM before.

It was a challenge for our newer staff members to install. 

It is more expensive than other solutions on the market.

We have been using IBM extensively because customers demand that we provide this option.

If I remember correctly, it was the two factor authentication, and the single most important capability was it supported PIV and CAC as one of the two factors. That was pretty huge for us.

Our organization does and uses cloud-based solutions. Those have to be very secure.

Specifically, administrative access needs to be highly secure. When people are accessing the production environment as administrators or as non-end users, they use CA Privileged Access Manager to be able to access it.

Trouble free installation and configuration and not even noticing that it's installed. There's too many steps involved in accessing the production network. Too many things you have to do to get on.

It'd be great if you just stuck in your PIV card and Windows popped up, asked you for your password. You typed it in, then it remembered your credentials.

For about 10 months.

There were some issues with stability.

From what I remember, people would complain that every 30 minutes to an hour or so, their connection would drop and they'd have to reconnect, but it wasn't clear whether that was a problem with the network we were working on or whether that was a problem with Privileged Access Manager.

We didn't run into any scale issues at all. The more people involved, the more it was able to handle.

Yeah, we worked with technology support. They were actually pretty helpful. The couple of problems we had, they were able to identify and help us resolve.

Yeah, we were using OpenVPN. We were using OpenVPN, and the biggest single reason was dual-factor authentication with PIV and CAC. That was the biggest single reason.

I did not personally do the setup. From what I remember, it took a couple of weeks for the security lead to do the work. That's not out of the question or a surprise with a security product, because just getting it operating usually takes a little bit, then getting it fine tuned takes a whole another round of work.

We looked at about a half a dozen, and this one came out to be the best one. We filtered down.

I would say, test it out in your environment, make sure it works out well. If it configures well, and then, assuming it works out fine, you're in good shape.

When you look at the whole PAM itself, session manager is very important. It records what happens. Access manager and credential manager are very important as well. Those are the key things. Session manager, access manager, and credential manager.

On the access management side, our system administrators, under privileged management, don't have to use their local tools to log on to the production servers.

They basically will log on, but they need access controls. They log on to a web interface, so that they will have access to the servers. From there, they can make the sessions.

What I'm saying is that on 443, with an extra cell connection, you log on to a web server and that web server will basically initiate the sessions from the web server to the production server. At that point, my session is secure because all that is happening inside that subnet or inside that network. All my end user is seeing is training the HTML-file interface.

That makes the access more secure. Even on the session side, the sessions are really between the production servers and the IA PAM. The sessions are not between the endpoint and the production server. So that makes it more secure by using a PAM.

When we look at CA PAM, the multi-tenant deployment is definitely an improvement that we want to see. They don't offer multi-tenancy.

If I have an enterprise, or if I am an MSP and I would like use an instantiation of CA PAM for multiple tenants, I can't do that.

I have to deploy a CA PAM for each tenant, which basically increases the cost and the management side of it. That's a very essential thing.

CyberArk does the multi-tenancy, but CA PAM doesn't have this.

We have used it for two years.

Stability-wise, there were no issues. It met our SLAs. For the most part, it's really stable. There were no significant outages or issues with the stability of the product. We didn't have any of that experience with the solution.

There were some scalability issues. Along with access manager, there's something called a credential manager. The way the CA PAM solution is designed, a credential manager is local to each of these boxes.

If you want to scale to multiple data centers and multiple end points, the credential manager is not centralized anymore. We need to have a way to synchronize that. That seems to be one of the biggest issues of scalability.

It has AD integration, but the way they do it is an issue, because it's not scalable. For every active directory identity, it basically creates a local user. It defeats the whole purpose of using a single identity store. That's not a scalable solution to manage identities itself. That's a big issue.

We did submit an enhancement request to CA on multi-tenancy and the active directory implementation, and we don't think they have released any updates. That's a big issue with this product.

I would give tech support a rating of 7/10. They're not the best, because the product was acquired from a small company. Just updating the portal with the knowledge base and the support took a long time. We had a bad experience with that.

Once they got all the stuff integrated into the CA support structure, the responsiveness was there, but the relevant information of the tech staff to solve the problem was not there.

There were no previous solutions. CA PAM is the new evolution of Privileged Management. We haven't used a PAM solution in the past, and this was our first generation PAM that we used. We didn't move from an existing solution.

Once you have a network, then the reach-out is added. They have something called Outer Discovery, which discovers all the accounts and all the servers’ end points and groups.

I'm not going to say it's very easy, but on the flipside, I'm not going to say it's terribly hard to do it.

The reason it was not easy, was that the end points of the system administrators that have access to PAM needed a version of Java and some Java libraries on the end point.

With logged-on systems in the DOD space, or with the federal space, it's really tough to get those versions installed. The federal government, the central IT, update the Java versions and we don't have control over that. Every time we have an upgrade, it breaks the accessibility of the software.

Even though they say it's a web based tool, they still need a Java version that is compatible and libraries have to be on your client to do it. The Java competence has been a nightmare.

The product installation by itself is fairly easy, but the accessibility is very difficult.

We did reach out to CA and submitted a ticket with them, saying, "Okay, you need to get out of this Java thing, and then have something like HTML-file-based access, so that we don't have to have any of these Java things."

They said, "Great," but nothing has happened so far.

We did evaluate other solutions.

• We did a market research of Xceedium, before CA bought Xceedium Xsuite
• CyberArk
• Dell had a tool to do privileged identity management
• There's another company also, that starts with Cyber, but I don't remember the name

We evaluated these solutions, and Xceedium, which is now CA PAM, stood out.

If you are going for a multi-tenant deployment as an MSP, I would work with CA to see when that feature will be available.

If the local end points are logged down with the Java versions, I would really tell them to pull out the HTML-file-based solution. The accessibility of this tool from the desktops is very, very difficult. Those are two big things for a use case.

I would recommend them to make sure they validate that these things are rolled out and then use it. Other than those two issues, everything else is good.

Asking me to rate the solution is a tough question, because the market research came out well. It stood out. The usability was good.

The accessibility and other issues were big blockers for our customer:

• The local accounts with AD integration
• Multi-tenant deployment
• Java installation on the local machines

Those three elements were the biggest blockers. I would have rated it higher, but because of those three blockers, I'll had to rate it lower. They were very significant blockers for our project when we used it, and we were always putting out fires to do that.

• Consolidates access to all the systems
• Easy to deploy/virtual
• Records access for troubleshooting issues

One example of how it has improved the way my organization functions is that before, we had to deal with the firewall rules between domains to control access. With CA PAM, we simply set the rule once, which can be applied when we add new clients into our cloud environment.

They need to improve how it scales. We end up adding new “appliances” to scale for large or complex environments.

I run a multi-tenant cloud environment so I cover multiple domains and environments. So, as we grow our customer base by adding more systems, new customers or have different security zones for new applications/systems for customers, we end up having to add more appliances….we can only scale the virtual resources so much before we start hitting the performance thresholds on the appliance and the thresholds we have set with a customer.

By segregating and/or adding new appliances we even out the load and still maintain the performance we want with our customers. Obviously, I am talking about customers that have a higher access than some other companies.

I have used this solution for roughly a year.

At the beginning, we did have some stability issues, i.e., until we understood the product, and then the process was better.

There were scalability issues. The architecture forces us to add systems - similar to a Cisco model.

The technical support is above average.

I have used different systems in the past with other companies that I worked for, so I have been able to compare several of these. CA PAM is the least expensive option than most and is easy to deploy.

The initial setup/configuration was easy. It was more troublesome in finessing the rule sets/processes that needs to be used, which isn’t a product issue but an internal walkthrough of how we wanted the access to be controlled and in what manner.

Negotiate well but more importantly, design your architecture and understand what you will need as you scale (build building blocks).

We also evaluated One Identity, Centrify and Microsoft PIM.

Make sure you fully vet out what is needed for the complete process, and understand what you need up front for the initial set and what will be added at what trigger points.

The most important feature is that we do not need to know the passwords any more; just having access to the end point; and that it’s easy to manage users and the account.

Since we implemented CA PAM in our company, we don't need to pass the passwords to every individual administrator. He just logs in using his own credentials and then searches for the end point he wants to access and that's it. We approve their access and they're ready to administer the end point. This is good because we don't need to change passwords every time one of our colleagues leaves the company.

There are many improvements needed. We are always searching for new features and new ways to improve the solution, because I'm just the local administrator. I have a support company which implements the solution. We are always constantly trying to improve new features to upgrade the solution, to understand more ways to facilitate our databases.

We are going on the third year. We have had many complications during the implementation.

The current release that we are using is much faster than the old ones we were trying. We had several problems with performance and crashes, screens that wouldn’t load up. The final release we are using is much better and more stable.

Now, it is scalable.

I would give technical support a 2.5/5. I'm not sure if this is a problem with my local support or CA support, but when we opened a case, it took several days to get a response. It cost me time to get a reply. They'd come back to us to understand what is going on or what was necessary to give support. Between me opening the case and my local support trying to understand what we want; then, they don't know how to solve it and go to CA support and try to understand again; that takes a long time.

This is the only one. We got this implementation by bid, so we couldn't choose any company. It was the lowest price and a quicker time to implement.

The first setup was complex. The implementation, to me, was very bad.

We did a proof of concept with another solution.

When they came for the proof of concept, we only had access to the system itself. I couldn't try to understand the complexity of implementation or support or all the features that the solution would have to offer. I just saw the main features.

It consists of three components that work well together: access controls, SIEM, and password recording capabilities.

The access control component is solid. It adds another layer of security from the basic OS security of Linux and Windows. A lot of customers use it. The segregation is difficult to achieve as different OS's require different skill sets, but in terms of admin, it’s the same cost, and that’s a key benefit.

The rule management portion and reporting is very weak on its own. Also, the login part and visibility are not user friendly, as is management of the policies. Moreover, I can't easily generate the metrics. Once the rules increase, if you can’t cross-reference it becomes a challenge.

With any deployment, you may have overkill, so it’s up to the business to get balance with rules.

It’s been in the market a long time, so thankfully it is stable.

Scalability is not an issue because of the architecture. The management piece just manages policies, so you can still go the system and are not handicapped.

The initial set up is very straightforward. The complexity is not so much of a problem, but that’s up to the organization.

There are not many players in this arena so there aren't many choices. IBM has a solution, but I don’t think they push it.

Definitely you have to go for a tested solution. This solution doesn’t have bugs, but you should follow CA’s messaging that it’s always good to deploy in small chunks. Applications have problems, and sometimes it’s a process. You just have to expand over time.

It is great for identity governance or identity PAM, CAPAM.

It is simple to integrate. For other solutions, we have to install a component that can directly deploy from the OVA in this system.

We have to do a lot of manual work to automate features. The initial phase is simple, but it is difficult to configure our requirements. In addition, the integration between Symantec Privileged Access Manager and identity governance has to be better.

We have been using this solution for about three years, and it is deployed on-premises. We are planning to deploy on cloud this year.

It is a stable solution for PAM. We sometimes have issues with stability and identity governance.

It is scalable because we can add and remove all the models. We have onboarded around 500 users, and actual users are around 100 to 500.

The technical support is not satisfactory. I rate the technical support a four out of ten. Most of the time, they are not accessible, and we can't directly contact Symantec. There is a middle partner we can use to contact dot com support. We are waiting for a solution to the long wait times.

Neutral

I rate this solution a seven out of ten. I recommend this solution because it is suitable for the initial phase and the small business plan.