Architect at a tech services company with 11-50 employees
Real User
Top 10
Aug 8, 2023
Overall, I would rate the solution an eight out of ten. One of the more important areas to focus on is knowing your environment pertaining to the assets and accounts before deployment is attempted. Not knowing what needs to be protected will make the deployment more challenging. Although BeyondTrust excels in the discovery of assets and accounts, knowing WHERE to look can be challenging. Deploying the product using only a percentage of its capabilities can lead to frustrations and reduced ROI. Not managing service accounts, networking, and database teams that are typically more challenging can lead to vulnerabilities as well. You can't just focus on privileged access management. Privileged Remote Access, as well as solutions such as endpoint privilege management, are all part of a complete identity and access management solution that must be designed and deployed correctly. If not designed and deployed correctly, it will have the opposite effect of making the environment secure. Least privilege, zero trust, and cloud security awareness are all buzzwords we see often. Privileged Access Management (PAM) is a part of the layered security approach that will keep your company out of the cyber news headlines.
Senior Specialist at a financial services firm with 1,001-5,000 employees
Real User
Oct 24, 2022
I rate the solution a six out of ten. The earliest version of the solution's interface could have been more intuitive, and we sometimes experienced issues with request check-ins and check-outs. However, the recent introduction of the Team Password feature allows users to collaborate and share passwords within a managed team. Some elements of this feature lagged in our first few weeks with it. We used some of the solution's customization features, and it works fine; however, we had some significant issues when doing Discovery Scans. We encountered strange errors, especially on custom platforms, and it took a lot of work to understand the problems. As a result, we stepped away from customization as the issues around Discovery became extremely hard to deal with for us. We saw the benefits of using the solution very quickly, especially for the more basic elements at the beginning of the implementation. By targeting highly privileged accounts in the first round through the Active Directory, those can be up and running in two weeks maximum. The more complex and detailed configuration becomes, whether with discovery, dependency, or multiple-layer applications, the time to value increases correspondingly. I advise potential users to stay manageable and not try to do everything simultaneously. Build slowly and keep an eye on the capacity; only deploy with one appliance, or you are destined to fail and will run out of capacity fast. It's better to refresh the UVM appliance version every two to three years with a new image and migrate rather than upgrade because upgrading is the worst part of this product. It'll cost money to keep migrating to newer appliances, but it's worth it to avoid the experience of upgrading.
I would rate this solution a nine out of ten. There are multiple ways to go through an upgrade process, but generally there is an easier way for the enterprise update server. With the UX, the upgrades are quick. The web UI allows you to configure the upgrades. You have a different URL for upgrading your pre-production or test environment first, and then you can start using it. It only takes a few clicks. You should know how to configure it in the beginning. The time to value is six months to one year. The timing depends on your internal IT infrastructure. There are struggles with these implementations and deployments because of network changes, user awareness, and user readiness. It's tricky to make a solution perfect in comparison to a real world solution. When you go into the world of security and start going down the rabbit holes, that's where you start consuming a lot of time. If you have a clear-cut vision, an efficient IT infrastructure, a good networking team, and full support from the management, it should be top-down. It should never be bottom-up. If there is a push from management, management cascades to its team leads and the team leads provide support, then the time to value can be six or eight months, depending on how big the infrastructure or setup is. Generally, it takes six months to a year. I have seen projects that have lingered for three years and still haven't produced value. They didn't have experts to carry on the project. There are many variables, but if you have the right people, attitude, management, and plan, you can deliver in six to twelve months.
I would recommend this solution. My advice to others looking into implementing BeyondTrust Password Safe is to follow the instructions, scan broadly, and manage specifically. That's what BeyondTrust allows you to do. You can scan everything, but then select what you want to manage. With some applications, the licensing starts right at discovery, but BeyondTrust licensing is by managed systems. So, I recommend scanning broadly, finding everything you've got, and making your decisions based on the actual numbers. That's one of the advantages of BeyondTrust. So, use it. One organization I went into was primarily concerned with 50 specific servers. They had thousands. When all was said and done and we asked them what about the other servers, they did not specify what they wanted to do with those. They were only concerned about getting those 50, whereas BeyondTrust allows you to handle 10,000 as easily as 50. It is crazy not to leverage that. What you want to do is scan broadly and then manage according to plan. If you've got 1,500 servers and you're only looking at 50, that's like looking through a toilet paper tube. You will have a very narrow view. So, what you do is scan and discover broadly, find out what you have, and then come up with the administration model that'll work for them all. Start with 50, and then roll out the other 950 automatically. If you design it right, the minute a new administrator is added during that night's discovery, that user is ready to start working the next morning, or that server gets discovered and added based on the Smart Rules. So, a new Linux server or a new Windows server becomes available the next morning. A newly hired administrator's account is discovered, and as a member of the administrator group, he is automatically ready to start work first thing in the morning. No intervention is required. 
We have not used the solution's software development kit to create a plugin to support new systems or applications, but they do have them that you can modify. We're looking at making a modification to an existing platform connector. Their platform connectors are very visual, and you have the ability to compare. We're looking at the original Linux connector, and we want to connect to an SCO server. We have a template to work from. We will speak to the experts regarding SCO and make modifications to another connector to create a new connector. It is pretty dynamic. At this time, my opinion is that it is a 10 out of 10. Based on having experience with three or four other competing solutions, I would give BeyondTrust a 10 out of 10. I normally don't give this sort of a rating, but I do give BeyondTrust a 10. If you read two or three of their advertising and website blurbs and that's what you need, you're going to get it. When they talk about the ease of administration and the ease of implementation, it is all for real.
PAM Consultant at an insurance company with 10,001+ employees
Consultant
Jul 28, 2022
Functionality-wise, it works. Everything works well, especially with using Smart Rules. There is a big learning curve to deploying and maintaining it because when you buy this solution, it doesn't come with a Password Safe database. You have to deploy that yourself. If they can package a database with Password Safe, it would be better and more user-friendly. It will cut down the deployment time. They should also improve their documentation, knowledge base, and support on their website. There is not a lot of good information. I would rate it a six out of ten.
Technical Lead at a financial services firm with 5,001-10,000 employees
Real User
Jul 25, 2022
I would rate this solution a nine out of ten. The installation is straightforward. If you just follow their instructions, you don't need any experience. They also provide automated ways to onboard accounts. The documentation is very structured.
Cybersecurity Architect at a tech vendor with 1-10 employees
Real User
Dec 24, 2021
I rate this solution a five out of ten, to be neutral and in the middle. To those looking to implement this solution, I would advise them to fully test it out in their environment before even making the purchase. You've got to thoroughly test it—test everything, otherwise you might regret it.
I.S. Architect at an insurance company with 10,001+ employees
Real User
Dec 23, 2020
You need to be very clear about how to implement vaulting or the session recording mechanism. If you don't go with an external partner to help you with that, it can be very difficult to have a solid implementation of such solutions, whether it is CyberArk, Thycotic, BeyondTrust, or any other solution. Just because you installed these solutions doesn't mean that they would resolve 100% of your work. You need to have some processes for such applications, and you need to do some homework first. With the help of an external consulting company that knows how to implement such solutions, you can progress very fast. I would rate BeyondTrust Password Safe an eight out of ten.
BeyondTrust Password Safe is very robust and very powerful, very scalable, and very nimble. My advice is to first make sure all their use cases match your need. Then I recommend engaging with their salespeople, getting a good sales presentation and understanding of the cost, and then getting a technical presentation followed by a demo. We have a client whose main use case is Rapid7 SIM with API integration. So far I have found that CyberArk is the only one that can do that. But CyberArk is too expensive for this client. You have to sit down with a client, find out what their use cases, business requirements, and technical requirements are because sometimes they may want you to integrate with ServiceNow, and it's not easy to do that. With CyberArk, BeyondTrust, Thycotic and Centrify it is. Actually, BeyondTrust is really a leader. I call them the best-kept secret. It's a great product. I like it because the administrative overhead is so much lower. Remember how I said that CyberArk requires a very high administration overhead but because of the dynamic rules and smart rules you basically create a boolean if and then, and you can segregate. If your system or your name ends with dash ADM you're an administrator and you can access these assets and these accounts dynamically. Just by joining the company, getting a username with a dash ADM on the end, which I don't recommend by the way. I recommend having something nondescript because a user account with a _ADM just screams, "I'm an administrator come and get me." Come up with something else, like an A-3-D. Come up with a different naming convention that would make it discreet. On a scale of one to ten, I would rate it high. I would rate BeyondTrust Password Safe a 10 because the fruits of your labor during the implementation phase pay off for an extended period of time. Rather than the ongoing pretty stiff administration requirements of some tools.
BeyondTrust Password Safe is an automated solution that combines password and privileged session management into a single platform. Password Safe delivers secure access control, auditing, alerting, recording, and monitoring.
I rate BeyondTrust Password Safe a nine out of ten.
I would recommend using this solution. Overall, I would rate the solution an eight out of ten.
I recommend the solution to other users. I am happy with it. Overall, I rate the product a ten out of ten.
I rate the product a ten out of ten.
I would rate the product a seven out of ten.
We are partners. I'd rate the solution eight out of ten.
I would rate the solution an eight out of ten. I would recommend it for monitoring.
It is a steep learning curve, but once automated, it makes your life a lot easier.