Senior Manager at an energy/utilities company with 1,001-5,000 employees
Real User
Top 20
2024-12-16T16:15:00Z
Dec 16, 2024
CyberArk could enhance its usability by simplifying its architecture and design. Additionally, incorporating automated onboarding and offboarding features directly into the product would reduce the maintenance burden on administrators.
Presales Engineer at a computer software company with 201-500 employees
Reseller
Top 20
2024-12-13T20:35:00Z
Dec 13, 2024
The solution's architecture could be improved. It requires installation on four to five different servers. Each server has a purpose, but when you need to troubleshoot, it can be difficult because you need to access each of them. Reducing the number of servers would be helpful. In the SaaS version, the number of required servers is reduced from five to three, but it is not completely cloud-based because servers still need to be deployed on-premises. Some clients are migrating from on-premises to the cloud. They do not want to use more servers or increase their on-premises data centers. They want everything to be on the cloud, but even in the SaaS version of CyberArk Privileged Access Manager, they need to deploy some servers on-premises. That is not very helpful.
Cybersecurity Specialist at a comms service provider with 5,001-10,000 employees
Real User
Top 10
2024-12-13T17:07:00Z
Dec 13, 2024
It has a learning curve and is a complex product that requires dedicated training and people. Maintaining the product is challenging. Upgrades require a lot of resources, as it impacts the entire organization. For example, upgrading components like the Privileged Session Manager (PSM) and the vault is time-consuming and difficult. In the long term, I would like to see these processes simplified, especially for on-premise installations.
The main challenge was integrating with in-house IT and business applications, which are not standard. We needed to create special updates for that kind of integration.
The solution should be able to completely mitigate internal threats. For instance, if an employee of a company saves the CyberArk passwords in a system, then another employee might be able to use it and log in, so there remains an internal threat when using the solution. The feature of giving user access through a Safe should be modified. The solution should allow users access directly through an account, and the Safe concept needs to be improved.
Updated: January 2025.
- Cost management. There should be more models and licensing plans for this software. They should also be flexible, allowing you to purchase selected features at a favorable price.
- User Experience. The current interface is OK, however, sometimes it is not very intuitive. There is also no possibility of advanced modification and adaptation to your own needs and requirements.
- Performance. The performance of the application could be a bit better, especially in the case of remote sessions - delays in remote sessions can be annoying.
CyberSecurity Service Support Specialist at Integrity Partners
User
Top 10
2023-08-22T08:21:00Z
Aug 22, 2023
The Vault's disaster recovery features need improvement. There is no possibility to automatically manage Vault's roles and for some customers, it is not an easy topic to understand. I noticed that CyberArk changed a little in terms of the documentation about disaster recovery failover and failback scenarios. Still, it is a big field for CyberArk developers. Logically it is an easy scenario to understand - yet not for everyone, surely.
Senior IT Systems Administrator at a financial services firm with 10,001+ employees
Real User
Top 20
2023-08-21T20:45:00Z
Aug 21, 2023
CyberArk PAM could greatly benefit from an under-the-hood update; integrating machine learning algorithms could provide predictive insights. The user interface lacks intuitiveness; revamping the UX of the web access panel through intuitive navigation, customization, contextual assistance, visual coherence, and accessibility considerations will undoubtedly result in higher user satisfaction, increased engagement, and ultimately, a more competitive offering in the market. In addition, several tools seem to be outdated, however, you can see that CyberArk is constantly working on them.
The admin interface of the Password Vault Web Access (PVWA) is moving from an old style (the classic interface) to a new style (the v10 interface) and unfortunately, this process is quite slow. That said, it has been moving in the right direction with features becoming available in the v10 interface and some user features are available in both classic and v10 interfaces. I would love to see all the classic interface features moved into the v10 interface or available in both interfaces within the next version.
A more friendly and functionally complete user interface would be nice to have. The current interface is not very intuitive. It is somewhat clunky and difficult to navigate, and many times you have to toggle between the somewhat underdeveloped new interface and the older classic UI. This state of basically having two interfaces is a prime opportunity for CyberArk to improve its product. Also, it would be nice if the vaults could run on Linux instead of Windows.
The greatest area of improvement is with the user interface of the Password Vault Web Access component. The latest long-term support version of CyberArk (12.x) still includes and still leverages the version 9.x UI in order to maintain some of the administrative functionality. The performance of the 9.x UI leaves much to be desired and there are still some administrative tasks that require the use of a thick "PrivateArk" client. Many improvements have been made over time, however, there is still work needed.
Cyber Security Senior Consultant at Ernst & Young
Real User
Top 20
2023-08-21T07:35:00Z
Aug 21, 2023
As configuration options are very extensive, it is sometimes hard to find the correct and complete way of customization or specific configuration. The documentation is rather basic and it is missing many use cases. It's also hard to test solutions without a development environment as CyberArk doesn't provide the possibility to run the environment for personal purposes.
Information Technology Specialist (Contract role) at Computacenter
Consultant
Top 20
2023-08-19T18:19:00Z
Aug 19, 2023
Remediation of some of the platform settings in the master policies section would be handy. Overall what I would really love to see is the third-party PAS reporter tool pulled more into the overall solution, ideally as its own deployable component service installation package, that could be installed/branded alongside the PVWA service, and build out API integration so that third party calls could draw valuable data directly out of the management backend with very little amount of additional admin overhead.
My personal wishlist of features has been fulfilled with versions 12.6 and 13.2, which provide a host of improvements that the administrator community has been asking for. With these version releases, that leaves my only "unfulfilled" product improvement request to be the creation of some kind of memo field for each device account, which could be used, in our network at least, to leave a note about the device for either the security or network engineering team members.
There is room for improvement in the pricing model. From a technical point of view, there are no issues. Support could be faster, though. We have mentioned that better support from CyberArk would be beneficial. So, support could be faster, and pricing can be improved.
There is room for improvement in the availability of custom connectors on the marketplace for this solution. Additionally, their services for the CICD pipeline and ease of integration could be improved.
The components of their web view, policy manager, and session manager, most of them are separated. We need something which can unify those components into a single appliance. Sometimes the infrastructure team is hesitant to provide more resources. They have a lot of out-of-the-box integrations with a lot of other products. However, I would want them to bring on some kind of similar platform. If they can bring up the SSO on-prem, that would be ideal, as they don't have those things on-premises. They only provide that for the cloud. If they can do that, it would actually help a lot of us and keep us from trying to acquire multiple technologies for solutions.
It should be easier to install. It is a comprehensive product, which makes it difficult to install. You need to have their consulting services in order to get it all installed and set up correctly because there is so much going on. It would be nice if there were an easier way to do the installation without professional services. I suspect they get a fair amount of their money from professional services. So, there is not a huge incentive. It would be nice to do personal password management so that we could roll something out to the entire organization to manage people's passwords. At the moment, we're rolling out LastPass to do that, at least to some groups. I'm not sure if everybody in the organization is going to get it because most people only have a couple of accounts that we're concerned about. We're using LastPass because it is significantly less money than the CyberArk solution. CyberArk has one, but it is rather expensive. The LastPass solution is integrated into browsers. So, you can use it in your browser. I don't remember if I had to install a client on my machine or not. I probably just installed a browser extension. So, I'm not sure how that'll work with some of the other things. There must be a client that I didn't get around to because that's also in the very beginning currently. They have sent me links to training on how to use it and set it up, but I haven't had time to take the training yet.
Consultant at a recruiting/HR firm with 10,001+ employees
Real User
2022-07-13T11:28:24Z
Jul 13, 2022
It can be made user-friendly, in the sense that the console is pretty outdated. They could add more enhancements, et cetera. They could add more built-in connection components to support various other application platforms. The built-in connection components available are mostly not fit for our purpose. We need to do additional customization to make it work.
In the beginning, CyberArk Privileged Access Manager didn't have a multifactor authentication feature, so that was an area for improvement, but now it's part of the solution. Having just one console for two CyberArk products would be good, particularly for the CyberArk Privileged Access Manager and the CyberArk Endpoint Privilege Manager, with the latter being a product for endpoint management that supports the workstations and allows you to manage workstations. In the next update of CyberArk Privileged Access Manager, it would be good to have a local agent where you can manage all users and processes, and have an agent on the servers such as Linux and Windows.
What could be improved in CyberArk Privileged Access Manager is the licensing model. It should be more flexible in terms of the users. Currently, it's based on the number of users, but many users only log in once in four months or once in five months. It would be great if the licensing model could be modified based on user needs. We even have users who have not logged in even once. Another area for improvement in CyberArk Privileged Access Manager is the release of vulnerability patches because they don't release it for all versions. They would say: "Okay, you should upgrade it to this point. The patches are available", but sometimes it is not feasible to do an upgrade instantly for any environment, because it has to go through the change management process and also have other application dependencies. If that can be sorted out, that would be nice.
There is a lot of room for improvement in the report section. I also work on other tools, such as Thycotic, which allows you to create customized reports for your organization's needs. In CyberArk, there are limited reports, whereas in Thycotic or some of the other PAM tools, because the database is different, you can customize the report based on your needs through SQL queries. The GUI part can be better. Previously, they had a classic one, and then they upgraded to the new one, but it is less user-friendly than other PAM solutions. Its GUI is a little bit complex.
Consultant at a consultancy with 10,001+ employees
Consultant
2022-03-07T19:12:00Z
Mar 7, 2022
The PTA could be improved. Currently, companies often have multiple domains and sometimes it's difficult to implement CyberArk in this kind of infrastructure. For example, you can add CPM (Central Policy Manager) and PSM (Privileged Session Manager) and PVWA (Password Vault Web Access) for access, but if you want to add PTA (Privileged Threat Analysis) to scan Vault logs, it is difficult because this component may be adding multiple domain environments. CyberArk, as a solution, can easily adapt to a lot of environments, and you can add a lot of components to different zones, and that will work with the Vault. But not all the components, such as the PTA, can do so. Also, it would be helpful if CyberArk added some features for monitoring machines when we access them. For example, they need to improve the PVWA. In general, when we don't use the PVWA, we don't have a lot of problems. For me, the PVWA is not perfect. I would like to see more features in the PVWA to administer our machines and to improve the transfer of data.
More than the product itself, there is room for improvement in the documentation. The documentation should be very detailed and very structured. It has a lot of good information, on one level, but I feel that it could be more elaborate and more structured. That would make it easier when somebody is implementing it or referencing the documentation.
Security Architect at a tech services company with 1,001-5,000 employees
Real User
2022-01-12T12:29:00Z
Jan 12, 2022
Some aspects of the administration need improvement, though they have recently made improvements to the API. However, the management with the interface and configuration are not so user-friendly. It has not changed much during all the years that CyberArk has been on the market. The management part, like platform management as well as PSM connectors definition and management, could be improved, even if it has already been done with the API. Onboarding is always a difficult path for every PAM solution. It is not immediate.
Information Security Administrator at an insurance company with 501-1,000 employees
Real User
2021-12-16T18:49:00Z
Dec 16, 2021
The continuous scanning of the assets is limited to Windows and Unix. We like to have the solution scan any databases, network devices, and security devices for privileged accounts. That would be very helpful. For least privilege management, we need a different level of certification from privileged management. Least privilege management comes under endpoint management. It takes time to get used to it, as it is not straightforward.
Cybersecurity Engineer at a healthcare company with 10,001+ employees
Real User
2021-12-14T02:29:00Z
Dec 14, 2021
It should be easy to use for non-technical people. Its interface can be a bit difficult. Some parts of its interface are not very intuitive. Some of the controls are hidden, and instead of having a screen with all the controls for that account on it, you have to use menus and other similar things. Its documentation could be better. Some of the documentation lacks details for people who aren't super technical.
Security Lead at an insurance company with 1,001-5,000 employees
Real User
2021-10-29T13:55:00Z
Oct 29, 2021
CyberArk's web console isn't in a great state. Over the last three years, if not more, it has been transitioning from what they call the "classic UI" to its modern interface. However, there are a lot of features that you can only use in the classic interface. Hence, each version seems to put more makeup on the modern interface, but all of the complex functionality you need is still in the classic UI. I'm not sure they've figured out how to transition, and they're kind of in a weird state. So, while CyberArk has made strides, the web interface is painful, particularly as an administrator, because you have to bounce between these different user interfaces. It is an incredibly complex solution that requires at least a dedicated employee or more to maintain it, support it, and understand it thoroughly. If you don't have that, it's just not the right solution for you because it is very complicated. Many of the infrastructure folks who use the product dislike it because it complicates their workflow. They get a little less control, and they have to go through a specific solution. It proactively logs in for them, which obfuscates some of the issues that they may be troubleshooting. And I think some of the consumers aren't big fans of the product. Also, I feel that in the last year or so, CyberArk has been pushing very hard for customers to go to their cloud solution. It doesn't have the same flexibility as the on-premise version, which is problematic because that's where I see a lot of value in the solution.
IT Manager at a financial services firm with 1,001-5,000 employees
Real User
2021-10-16T07:22:00Z
Oct 16, 2021
I would like advanced RPA in the basic license. CyberArk has RPA, but we would need to buy additional licenses. It is not out-of-the-box. I would like better support.
Presales Engineer at a tech services company with 51-200 employees
Reseller
2021-02-19T09:15:00Z
Feb 19, 2021
The product could be easier to use. More work needs to be done on this aspect; it is not good enough yet. It also takes up a lot of server space. Sometimes we need to use up to seven servers.
Their post-sale support area requires a little more attention to our region (ME/UAE). The current support model does not allow the end customers to open a ticket directly with CyberArk. Customers have to inform the distributor or bring in partners who have access to the support portal to open support cases. The support team's liability is limited to product issues and they usually do not get into configurations and integrations, unless estimated and paid for PS services. This indirectly helps Service providers like us to make extra revenue. The default 24/7 support to our region is effective when there is an emergency like a serious software issue, or if the password vault is down, etc.; for such cases they provide immediate attention. For the rest of the low priority like migrations, upgradations, backups, etc. (in some sites it shall be considered high), they take more time to respond. Looking forward to new features like API security.
Junior Product Consultant at a tech services company with 501-1,000 employees
Real User
2020-12-08T05:35:26Z
Dec 8, 2020
We found a lot of errors during the initial setup. They should work to improve the implementation experience and to remove errors from the process. The solution could be more stable. It should have more specific configurations. There are lots of types of servers and devices. The product should have a more detailed, specific configuration and integration with other products.
Threat Protection Architect at a consumer goods company with 10,001+ employees
Real User
2020-07-08T14:17:00Z
Jul 8, 2020
CyberArk lacks the following functions for a better IAM-like solution:
- Provision accounts for systems and directories.
- Create access to the systems.
- Monitor if any new account has been created into the system.
- Better GUI for the end-user and also for administrators. The learning curve is quite long and requires lots of training for good usage.
- More automated process for account provisioning into CyberArk. For example when a new DB is created.
- Better documentation with more examples for the configuration files and API/REST integration.
We're pretty excited about Alero, the third-party access management. As a small company we lean on vendors quite a bit and we do that in multiple areas. That's going to be a big one for us. It's just gone from beta to production. It's one of those things that's on our roadmap, but being so new to the toolset, we're just growing into the tool. We're not quite there yet.
Corporate Vice President at an insurance company with 10,001+ employees
Real User
2019-12-15T09:11:00Z
Dec 15, 2019
We work with CyberArk's customer success team and we work with its engineering team back in Israel. We've been doing things on CyberArk which a lot of its customers, we know, have not been doing. The one place where we found that this product really needs to improve is the cloud. Simple integrations don't exist, even today. We don't have anything specific on CyberArk for managing SaaS products, SaaS vendors, and SaaS credentials. I understand it's a vendor-based thing and that they have to coordinate with the other vendors to be able to do that, and there are integrations coming, but these are the major places where CyberArk definitely needs to invest some more time. Because this is what the future is. You're not going to have a lot of on-prem applications. Most stuff is going to the cloud.
CyberArk has captured the individual privileged access space well. They've captured the application-to-application and DEVOPS space quite well. They should continue to invest in optimizing the services, and help companies drive down risk associated with application based passwords, as this is an industry that is being closely watched by external regulators. CyberArk continues to stay close to the industry and are always looking for ways to improve their products and service offerings accordingly. There are 3 areas that I would call out, that CyberArk should continue to focus on: 1) Continue to help organizations understand how they align their strategies and roadmaps to industry trends and the overall cybersecurity threat landscape. 2) Continue to help the industry innovate on talent, and position customers to be more successful in supporting their CyberArk implementations. 3) Continue to help customers understand the Risk reduction capabilities and scorecards associated with their deployments. Initiatives like the CyberArk Blueprint will help enable informed customers.
Privileged Threat Analytics (PTA) that can function in more than one AD domain at a time. The recent enhancement that allows resilience in PTA is great, but operation in more than one domain is required as many organizations have multiple AD domains. Even if it’s just prod and test or PPE split, you still want to know what’s going on in it.
I would like to see a product enhancement with the Secure Connect feature. Today, there is no functionality to create "Accounts" using Secure Connect to permanently store a user's working tab. It is a tedious manual process of entering host IP information and user credentials to a privileged target system. Currently, in Secure Connect, an end user is required to enter account information manually, and cannot save any of this information for future use. It’s a manual process of entering information all the time. Unless, you are working with accounts already stored in “Safes”.
CyberArk Privileged Access Manager is a next-generation solution that allows users to secure both their applications and their confidential corporate information. It is extremely flexible and can be implemented across a variety of environments. This program runs with equal efficiency in a fully cloud-based, hybrid, or on-premises environment. Users can now protect their critical infrastructure and access it in any way that best meets their needs.
CyberArk Privileged Access Manager possesses...
The graphical user interface could be simplified and harmonized for better usability. It should be consistent. Its GUI is very confusing.
The product’s pricing could be improved.
The support could improve for CyberArk Privileged Access Manager.
The initial setup has room for improvement to be more straightforward.
The solution can be improved by including more connectors to other third-party systems for integration.
The support services could act faster when people reach out to resolve issues.
CyberArk Privileged Access Manager could improve the integration docking, it should have more layers. For example, integration with OpenShift.
It should be easier to install. It is a comprehensive product, which makes it difficult to install. You need to have their consulting services in order to get it all installed and set up correctly because there is so much going on. It would be nice if there were an easier way to do the installation without professional services. I suspect they get a fair amount of their money from professional services. So, there is not a huge incentive. It would be nice to do personal password management so that we could roll something out to the entire organization to manage people's passwords. At the moment, we're rolling out LastPass to do that, at least to some groups. I'm not sure if everybody in the organization is going to get it because most people only have a couple of accounts that we're concerned about. We're using LastPass because it is significantly less money than the CyberArk solution. CyberArk has one, but it is rather expensive. The LastPass solution is integrated into browsers. So, you can use it in your browser. I don't remember if I had to install a client on my machine or not. I probably just installed a browser extension. So, I'm not sure how that'll work with some of the other things. There must be a client that I didn't get around to because that's also in the very beginning currently. They have sent me links to training on how to use it and set it up, but I haven't had time to take the training yet.
It can be made more user-friendly, in the sense that the console is pretty outdated. They could add more enhancements, et cetera. They could add more built-in connection components to support various other application platforms. The built-in connection components available are mostly not fit for our purpose. We need to do additional customization to make it work.
In the beginning, CyberArk Privileged Access Manager didn't have a multifactor authentication feature, so that was an area for improvement, but now it's part of the solution. Having just one console for two CyberArk products would be good, particularly for the CyberArk Privileged Access Manager and the CyberArk Endpoint Privilege Manager, with the latter being a product for endpoint management that supports the workstations and allows you to manage workstations. In the next update of CyberArk Privileged Access Manager, it would be good to have a local agent where you can manage all users and processes, and have an agent on the servers such as Linux and Windows.
Report creation could be improved. The policies could be more customized.
What could be improved in CyberArk Privileged Access Manager is the licensing model. It should be more flexible in terms of the users. Currently, it's based on the number of users, but many users only log in once in four months or once in five months. It would be great if the licensing model could be modified based on user needs. We even have users who have not logged in even once. Another area for improvement in CyberArk Privileged Access Manager is the release of vulnerability patches because they don't release it for all versions. They would say: "Okay, you should upgrade it to this point. The patches are available", but sometimes it is not feasible to do an upgrade instantly for any environment, because it has to go through the change management process and also have other application dependencies. If that can be sorted out, that would be nice.
The solution could improve by adding more connectors.
There is a lot of room for improvement in the report section. I also work on other tools, such as Thycotic, which allows you to create customized reports for your organization's needs. In CyberArk, there are limited reports, whereas in Thycotic or some of the other PAM tools, because the database is different, you can customize the report based on your needs through SQL queries. The GUI part can be better. Previously, they had a classic one, and then they upgraded to the new one, but it is less user-friendly than other PAM solutions. Its GUI is a little bit complex.
The PTA could be improved. Currently, companies often have multiple domains and sometimes it's difficult to implement CyberArk in this kind of infrastructure. For example, you can add CPM (Central Policy Manager) and PSM (Privileged Session Manager) and PVWA (Password Vault Web Access) for access, but if you want to add PTA (Privileged Threat Analysis) to scan Vault logs, it is difficult because this component may be adding multiple domain environments. CyberArk, as a solution, can easily adapt to a lot of environments, and you can add a lot of components to different zones, and that will work with the Vault. But not all the components, such as the PTA, can do so. Also, it would be helpful if CyberArk added some features for monitoring machines when we access them. For example, they need to improve the PVWA. In general, when we don't use the PVWA, we don't have a lot of problems. For me, the PVWA is not perfect. I would like to see more features in the PVWA to administer our machines and to improve the transfer of data.
More than the product itself, there is room for improvement in the documentation. The documentation should be very detailed and very structured. It has a lot of good information, on one level, but I feel that it could be more elaborate and more structured. That would make it easier when somebody is implementing it or referencing the documentation.
Some aspects of the administration need improvement, though they have recently made improvements to the API. However, the management with the interface and configuration are not so user-friendly. It has not changed much during all the years that CyberArk has been on the market. The management part, like platform management as well as PSM connectors definition and management, could be improved, even if it has already been done with the API. Onboarding is always a difficult path for every PAM solution. It is not immediate.
The continuous scanning of the assets is limited to Windows and Unix. We like to have the solution scan any databases, network devices, and security devices for privileged accounts. That would be very helpful. For least privilege management, we need a different level of certification from privileged management. Least privilege management comes under endpoint management. It takes time to get used to it, as it is not straightforward.
It should be easy to use for non-technical people. Its interface can be a bit difficult. Some parts of its interface are not very intuitive. Some of the controls are hidden, and instead of having a screen with all the controls for that account on it, you have to use menus and other similar things. Its documentation could be better. Some of the documentation lacks details for people who aren't super technical.
CyberArk's web console isn't in a great state. Over the last three years, if not more, it has been transitioning from what they call the "classic UI" to its modern interface. However, there are a lot of features that you can only use in the classic interface. Hence, each version seems to put more makeup on the modern interface, but all of the complex functionality you need is still in the classic UI. I'm not sure they've figured out how to transition, and they're kind of in a weird state. So, while CyberArk has made strides, the web interface is painful, particularly as an administrator, because you have to bounce between these different user interfaces. It is an incredibly complex solution that requires at least a dedicated employee or more to maintain it, support it, and understand it thoroughly. If you don't have that, it's just not the right solution for you because it is very complicated. Many of the infrastructure folks who use the product dislike it because it complicates their workflow. They get a little less control, and they have to go through a specific solution. It proactively logs in for them, which obfuscates some of the issues that they may be troubleshooting. And I think some of the consumers aren't big fans of the product. Also, I feel that in the last year or so, CyberArk has been pushing very hard for customers to go to their cloud solution. It doesn't have the same flexibility as the on-premise version, which is problematic because that's where I see a lot of value in the solution.
I would like advanced RPA in the basic license. CyberArk has RPA, but we would need to buy additional licenses. It is not out-of-the-box. I would like better support.
There are always improvements that can be made, but nothing really stands out. It's hard for me to say as I am not a direct user.
The product could be easier to use. More work needs to be done on this aspect; it is not good enough yet. It also takes up a lot of server space. Sometimes we need to use up to seven servers.
Their post-sale support area requires a little more attention to our region (ME/UAE). The current support model does not allow the end customers to open a ticket directly with CyberArk. Customers have to inform the distributor or bring in partners who have access to the support portal to open support cases. The support team's liability is limited to product issues and they usually do not get into configurations and integrations, unless estimated and paid for PS services. This indirectly helps service providers like us to make extra revenue. The default 24/7 support to our region is effective when there is an emergency like a serious software issue, or if the password vault is down, etc.; for such cases they provide immediate attention. For the rest of the low-priority items like migrations, upgradations, backups, etc. (in some sites it shall be considered high), they take more time to respond. Looking forward to new features like API security.
The authentication port is available in CyberArk Alero but not Fortinet products.
We found a lot of errors during the initial setup. They should work to improve the implementation experience and to remove errors from the process. The solution could be more stable. It should have more specific configurations. There are lots of types of servers and devices. The product should have a more detailed, specific configuration and integration with other products.
CyberArk lacks the following functions for a better IAM-like solution:
- Provision accounts for systems and directories.
- Create access to the systems.
- Monitor if any new account has been created into the system.
- Better GUI for the end-user and also for administrators. The learning curve is quite long and requires lots of training for good usage.
- More automated process for account provisioning into CyberArk. For example when a new DB is created.
- Better documentation with more examples for the configuration files and API/REST integration.
We're pretty excited about Alero, the third-party access management. As a small company we lean on vendors quite a bit and we do that in multiple areas. That's going to be a big one for us. It's just gone from beta to production. It's one of those things that's on our roadmap, but being so new to the toolset, we're just growing into the tool. We're not quite there yet.
We work with CyberArk's customer success team and we work with its engineering team back in Israel. We've been doing things on CyberArk which a lot of its customers, we know, have not been doing. The one place where we found that this product really needs to improve is the cloud. Simple integrations don't exist, even today. We don't have anything specific on CyberArk for managing SaaS products, SaaS vendors, and SaaS credentials. I understand it's a vendor-based thing and that they have to coordinate with the other vendors to be able to do that, and there are integrations coming, but these are the major places where CyberArk definitely needs to invest some more time. Because this is what the future is. You're not going to have a lot of on-prem applications. Most stuff is going to the cloud.
The user interface was a previous problem that has been overcome.
CyberArk has captured the individual privileged access space well. They've captured the application-to-application and DevOps space quite well. They should continue to invest in optimizing the services, and help companies drive down risk associated with application-based passwords, as this is an industry that is being closely watched by external regulators. CyberArk continues to stay close to the industry and is always looking for ways to improve its products and service offerings accordingly. There are 3 areas that I would call out, that CyberArk should continue to focus on: 1) Continue to help organizations understand how they align their strategies and roadmaps to industry trends and the overall cybersecurity threat landscape. 2) Continue to help the industry innovate on talent, and position customers to be more successful in supporting their CyberArk implementations. 3) Continue to help customers understand the risk reduction capabilities and scorecards associated with their deployments. Initiatives like the CyberArk Blueprint will help enable informed customers.
Privileged Threat Analytics (PTA) that can function in more than one AD domain at a time. The recent enhancement that allows resilience in PTA is great, but operation in more than one domain is required as many organizations have multiple AD domains. Even if it’s just prod and test or PPE split, you still want to know what’s going on in it.
I would like to see a product enhancement with the Secure Connect feature. Today, there is no functionality to create "Accounts" using Secure Connect to permanently store a user's working tab. It is a tedious manual process of entering host IP information and user credentials to a privileged target system. Currently, in Secure Connect, an end user is required to enter account information manually, and cannot save any of this information for future use. It’s a manual process of entering information all the time, unless you are working with accounts already stored in “Safes”.