BeyondTrust Password Safe Reviews

We use Password Safe to protect privileged identities and privileged access. The difference between any PAM and IM is that IM is basically for all the identities and the users in the organization. PAM mainly focuses on privileged access. For example, it can be to any database, or a Windows machine where someone is an administrator, or on a Linux machine where someone is root or equivalent to root, or any other web-based application where someone is an administrator. The focus was that any user should log into the infrastructure using PAM.

Every user, administrator, and developer who logged into IT infrastructure used BeyondTrust Password Safe.

I used BeyondTrust in my previous organization. We used version 22. They recently changed their version number so it matches the year. For instance, in 2022, the version number is 2022.

BeyondTrust Password Safe is used so that all the activities can be recorded and logged. Sessions can be monitored, and all of that data can be audited later if needed. Generally in organizations, IT departments, or teams, people find it difficult to rotate passwords. If it's an administrator account, the passwords are generally not rotated. They're either shared between teammates, or the passwords are written down somewhere. With BeyondTrust, you can automatically rotate the password, and set the complexity of the password, the letters, the characters, special characters, upper case, lower case, etc. You can choose when the password should be rotated, and if the password should be rotated every day, every month, or after every use.

You can enforce your password policies on these privileged accounts, which previously were not rotated that much. There are so many breaches. Recently, there was a SolarWinds attack where the password was solarwinds123. The privileged accounts were not safeguarded, and the passwords weren't rotated. People knew the password. But with this solution, no one needs to know the passwords. If it is implemented in the perfect sense, the passwords will be rotated regularly. Administrators who are logging onto the system's servers and databases don't need to know the password because the session is proxied by Password Safe's solution directly. You will see the applications, and it helps enforce least privilege, which is one of the main principles.

With least privilege, if you are allowed to have access to only two servers out of ten, then you will only be given access to those two servers. You click on the machine you want to log into, and you will get the link. If you want to do RDP or SSH, click on that and the session will be launched. You don't need to know the password, and passwords are automatically rotated.

The solution is deployed on-premises.

In my organization, there were hundreds of users. There were different teams. In other organizations, I have seen 1,000 users at different points. At any given time, there might be 400 or 500 users.

They are mainly admins and end users. End users can vary a lot and have different roles. They are the people who log onto the servers, databases, network devices, and web applications. There are a few admins, developers, and network administrators. Administrators are also end users in any particular instance because they're also the users and consumers of that particular service.

It's a security product that gives users flexibility. They can open an RDP system and then go into it. When you introduce a layer into a security system, users are forced to do things that they weren't doing before. If you ask any operational team, they will say that they used to do a task in five minutes, but now it takes them ten minutes. They aren't happy with having any solution in between. That's always a security versus operations issue. 

It definitely improves security, and audit compliance is also well taken care of when you include software like that.

The best aspect of the product is the ability to onboard devices. You can scan the IP subnets and onboard all the devices. You can then segregate them if it's a network device or a firewall. If it's a Windows server or a UNIX, you can basically scan your IT infrastructure and onboard the efforts, which should be managed. Once they have been onboarded, then the session management and password management are easy and nicely configurable. 

The session recording features are part of session management, and you can search for any keystrokes or mouse clicks. The analytics and reporting provide a very comprehensive view that shows all of the users who are using Password Safe, what servers they're using, with what access, what time, and for what reason. The analytics and reporting provide good auditing data.

Password Safe provides integrated password and session management in one solution. The session recording is quite important when you're safeguarding your privileged accounts. If the user knows the password, then you have to do some other actions like network changes, or else users will open the sessions directly. They will not use the session recording, or the session management part. They won't go to the PAM solution to access any servers. They'll directly open a Linux session or RDP session without being monitored if they have the password. If the password is compromised, then that's a problem. If the password is being rotated but there's no session recording, then it's like a password vault where you take out the password and use it.

For the duration of time that the password is not rotated, that password remains vulnerable. If you have a rotation policy of one week or one month, and then someone has taken out that password from the vault, that password remains vulnerable for one month. That's why session management and password management go hand-in-hand because the passwords are rotated regularly, nobody knows the password except the system itself, and the system opens up the sessions without telling you the password. It will just note down the entry that you have opened this session. Depending on the configuration, it will rotate the password in the back end, and it should be seamless. Nobody needs to know that there was a password, what the password was, and if it has been changed or not.

The Smart Rules feature is very helpful for management. If I have to do something manually, it will take me loads of time. There are chances that I make mistakes. It's a very painful task to onboard a managed system one by one. If you have 1,000 Linux servers that follow the same policy, you can manage them under one smart tool, which is a five-minute job. 

If there are 1,000 systems, I can onboard them in one day with smart tools. Without smart tools, it will take weeks.

I have used the solution's software development kit to create a plugin to support new applications. They have recently made some changes. It was a bit tricky when they were using AutoIt to do this, but recently they have made some changes. Now, it's quite easy to create new applications which you can use to open sessions.

The intuitiveness of the solution's user interface is much better. Before, it was using Flash content, which has been removed. Now, it's using HTML5, and the user experience has improved. There are two perspectives. One is administrator, for people like me who are managing the system, and one is for end users. For end users, it's quite simple and easy to use. The UI is very clean, so you don't have to go to multiple pages back and forth to reach the end goal, which is opening up your session. 

We use the team password feature to securely store credentials owned by small groups outside of traditional privileged users. The entire team can easily share passwords, and it provides an audit trail that shows who has added, deleted, viewed, or copied the passwords.

We use the solution to integrate Password Safe session management into existing business processes using existing tools, like Putty. With Putty, it's simple. There are some changes that need to be made in the registry, so the system knows what SSH tool you are going to open. For MobaXterm or WinSCP, it provides a link URL. You can use a connection string to open sessions like that if there are any thick or thin clients. Thick clients are applications that are downloaded on your machine. Thin clients are web applications.

When a PAM administrator creates an application and maps it to the smart groups, the users will see that there is a link and will open the session. There's an intermediary solution in between called a terminal server or Remote Desktop Server, RDS. That terminal server can be hardened, and that opens the application. It could be a web application like Splunk or a thick client, like Putty, Oracle, or MSSQL. It can open that user interface for you. It basically gives you a restricted user interface where you only see that application opening up for you, and you can do the tasks you need to do.

Some integrations are easy, and some are complex. It depends on the business application. If the application is simple and straightforward, then it is easy. If they need manual intervention, it's more difficult. In Password Safe, we see how someone is logging onto any business application, manually. Then we try to automate those things using SDKs, the AWS app, or AutoIt. It depends on how simple the login process is without the PAM solution.

We're able to integrate session management without disrupting business processes. We don't touch business processes in most cases. Usually, we try to replicate what the users are doing. Otherwise, the only thing we add is a layer in between.

The database instance onboarding should be simplified. The problem is that you can scan the assets and databases inside a server, but you cannot onboard them or manage them with the smart tools. It has to be done manually. I think they should try to include more custom platforms.

With the databases, there were some issues. The databases are inside the servers, and it was a bit difficult to scan the databases. Apart from that, the rest of the assets were easy to scan and integrate. It's difficult to onboard the database. You can scan and find them, but you have to onboard the databases manually. You cannot onboard databases using Smart Rules databases. Database instances are difficult to onboard and must be done manually.

The applications should be more like in the SDK. They have good API support now.

I have used this solution for five years.

The solution is stable. There haven't been any challenges with stability.

If you have active-passive infrastructure, then you cannot scale. Active-passive means there are only two servers and the databases are internal. If the infrastructure is active, you can scale it as much as you want. You can increase the number of password servers, databases, and terminal servers. Everything can be increased if it's active.

I would rate support as nine out of ten. Technical support is good and has improved over time. At one point, most of their support was in the USA  and Canada. Now, they have support in Singapore, the UK, and the Gulf region. Technical support has increased, the number of people has increased, and the services have also increased. I haven't had any problems with the technical support. They are as helpful as possible.

I deducted one point because sometimes they'll say, "This is a development task or a professional services task, so we don't touch it," but it's good overall.

Positive

The initial setup is okay. If you're doing active configuration, you need an external database. That external database part can be tricky at times, but everything else was straightforward.

If you have everything ready, like the traffic, then deployment generally doesn't take long. It can be completed within two days. The problems happen in IT infrastructure if the servers, network ports, or accounts aren't ready or created. The terminal servers need admin accounts. IT infrastructure causes the delay. Most of the time, the teams don't have that prerequisite list, so it isn't clear-cut. Even if they have that, opening up network ports is always a challenge during the initial deployment and onboarding.

Organizations have to understand what could cause delays, but deploying it was not that difficult. The reporting and analytics part is a single point of failure. Generally, you cannot deploy A&R in high availability.

The amount of staff needed for deployment and maintenance depends on the size of the system. If you have active-passive, a couple of people can do the job. If you have four UVMs, external databases, and terminal servers, then you need three to four people. If you have a very big infrastructure and a huge development team with 10 or 12 appliances and thousands of users, you would need a team of seven or eight people for development, administration, and business analysis.

The pricing structure is better than the competitors. It's much cheaper than CyberArk. They do the licensing on the basis of assets, not on the number of users. For CyberArk, they base the licensing on the number of users, and they have an expensive model of pricing. BeyondTrust has a cheaper model.

I would rate this solution a nine out of ten.

There are multiple ways to go through an upgrade process, but generally there is an easier way for the enterprise update server. With the UX, the upgrades are quick. The web UI allows you to configure the upgrades. You have a different URL for upgrading your pre-production or test environment first, and then you can start using it. It only takes a few clicks. You should know how to configure it in the beginning.

The time to value is six months to one year. The timing depends on your internal IT infrastructure. There are struggles with these implementations and deployments because of network changes, user awareness, and user readiness. It's tricky to make a solution perfect in comparison to a real world solution. When you go into the world of security and start going down the rabbit holes, that's where you start consuming a lot of time. 

If you have a clear-cut vision, an efficient IT infrastructure, a good networking team, and full support from the management, it should be top-down. It should never be bottom-up. If there is a push from management, management cascades to its team leads and the team leads provide support, then the time to value can be six or eight months, depending on how big the infrastructure or setup is. Generally, it takes six months to a year. I have seen projects that have lingered for three years and still haven't produced value. They didn't have experts to carry on the project. There are many variables, but if you have the right people, attitude, management, and plan, you can deliver in six to twelve months.

The solution was implemented to secure privileged access management in a large-scale corporate environment.

Privilege access management protects the accounts that have administrative privileges and secures those in a secure and encrypted vault so that they are secured and protected. Not having the credentials "on the wire" is only one part of what the solution offers. If the credentials are exposed on the network, they can be exposed to various vulnerabilities and increase the attack surface areas.

Protecting privileged accounts reduces the attack surface area. It is estimated that around 70% to 80% of all compromises in cybersecurity are due to unauthorized privileged credential exposure, either by lateral movements or phishing attempts. By securing those accounts, we tackle a significant part of the problem. 

Additionally, knowing who, when, and how the privileged credential is being used via the reporting and analytics module allows visibility into a previously unknown area.  

The actual innovations offered by the vendor stand out to me. They are quick to respond to market demands and the changing environment of privileged access management. I see BeyondTrust Password Safe as an innovation leader compared to some of the other vendors in the market.

Documentation is the primary area of improvement. Their documentation has improved over the last three to five years, but there's still room for improvement. A more intuitive search and not having disparate documentation categories would be helpful.  

While they are quick to market for improved features, there are still additional features that other vendors have that they don't have like a credential injection for the users' web browser extension.  

I have been using this solution since 2013. 

The solution is very stable. Part of my role is to design and implement disaster recovery and business continuity planning. Although planning is important, these are rarely put to use.

The solution is very adaptable. The solution can be deployed in environments with a single domain and then scaled up to handle multiple domains positioned globally as well as adding cloud security. 

Customer service and support are great! 

Positive

I worked with Delinea, which used to be called Thycotic and CyberArk.

The decision that clients typically make to choose BeyondTrust is often from a proof of concept (PoC) or through an extensive advisory engagement. One differentiator is shown between a user-centric environment versus an asset-centric environment. The two clear differences between BeyondTrust and CyberArk are that BeyondTrust is more asset-driven, while CyberArk is more user-driven. Both have their advantages, but it depends on the workflow and architecture that suits the client.  

As a person that has been involved in multiple deployments of BeyondTrust Password Safe for various companies, I can say the initial setup is fairly straightforward. 

In-house deployments can be challenging and so leveraging a delivery provider that specializes in PAM deployments provides numerous benefits. PAM/IGA/IAM are unlike many other security solutions as it has their own language and unique demands that are often not as intuitive. Knowing how to overcome project crawl, analysis paralysis, adoption challenges, and executive buy-in can be helpful.  

The ROI can be quickly realized for BeyondTrust vs. some of their competitors. The ease of implementation and the speed to get that initial return on investment is impressive.  

With the BeyondTrust solution, you have the capability to deploy the more secured layered solutions such as Secure Remote Access (SRA), Endpoint Privilege Management (EPM), and Identity Security Insights (recently released this month) that are all designed to protect the entire enterprise.

BeyondTrust has migrated towards subscription-based licensing/annual renewals. They remain competitive and on par with their pricing, often coming in under other competitors. Pricing is one of the reasons clients choose BeyondTrust, but it's not the only reason.

Overall, I would rate the solution an eight out of ten. 

One of the more important areas to focus on is knowing your environment pertaining to the assets and accounts before deployment is attempted. Not knowing what needs to be protected will make the deployment more challenging. Although BeyondTrust excels in the discovery of assets and accounts, knowing WHERE to look can be challenging. 

Deploying the product using only a percentage of its capabilities can lead to frustrations and reduced ROI. Not managing service accounts, networking, and database teams that are typically more challenging can lead to vulnerabilities as well.

You can't just focus on privileged access management. Privileged Remote Access, as well as solutions such as endpoint privilege management, are all part of a complete identity and access management solution that must be designed and deployed correctly. If not designed and deployed correctly, it will have the opposite of making the environment secure. 

Least privilege, zero trust, and cloud security awareness are all buzzwords we see often. Privileged Access Management (PAM) is a part of the layered security approach that will keep your company out of the cyber news headlines. 

We use this solution for password management. It allows us to control and manage passwords in a safe and secure way, and it records sessions.

The solution is deployed on-premises. It's being used extensively in my organization.

Before implementing BeyondTrust Password Safe, our server engineers and database engineers were storing passwords on an actual sheet, which is a plain text password. Since implementing BeyondTrust Password Safe, they're not doing that anymore. We eliminated the risks from storing passwords on plain text. We also have clear data that shows who modified a file.

We use the Team Passwords feature to securely store our passwords. Our team has a lot of shared passwords. Those passwords were shared in SharePoint or in the common share folder. We wanted to eliminate that because it's a risk. Team Passwords lets us securely save a password that's shared between a group of people so nobody else can see it. It's secure, and we don't have to save the password in an Excel sheet.

The Team Passwords feature has affected our level of security in a completely positive way. With a shared password, everybody could see it and someone could log in and change the password. They could also share it with someone else, like a third-party vendor or with someone outside the organization.

Team Passwords gives us better control over our passwords. Someone outside the team isn't able to get the password. Even if it's shared, we're able to see who checked the password.

It's more secure to use and better than using Excel or Notepad to save passwords. It's a really good option.

I like the session recording feature. I also like the analytics and reports. You can pull up a report, and the UI is fantastic. The system is recording when nobody's there, so we have a record of what's happening.

The Smart Rules feature is one of the coolest features. It allows us to automatically onboard accounts based on the criteria instead of manually onboarding. It allows us to manage assets or accounts based on the criteria we search for in Smart Rules. 

The UI is cool. They have different symbols and icons. I think the UI is better and more informative than other solutions.

The customization features help me manage most assets, databases, and applications. It's more than sufficient for us. The default connectors and plugins are capable of managing the database in the server, units, and systems.

The banners could be improved because they aren't informative. For example, if something is not correct and I open the error notification, the dialogue box simply says, "This is an error." It would be great if they could provide some valuable comments about how to fix the errors. If I try to remove something, the error box says it cannot be removed, which isn't helpful. I have to wait for the account to check in, and then it will be removed. 

The information description in the logs and the error reporting could be improved. For someone who's inexperienced, it's hard to understand.

I have used this solution for more than three years.

The stability is really good. Our setup is Active/Active, so we have more than eight appliances, and everything works well. It might differ for companies that decide to choose Active/Passive and only have two appliances. 

We have enough appliances in our organization, so we don't feel that the stability is lagging.

The scalability is good.

I would rate technical support as nine out of ten. 

Technical support is really good. If we need help, we contact somebody from the customer portal. We don't need to wait. We get a reply from an engineer right away, telling us what we need to do. If somebody's not available, a senior engineer will respond.

I'm amazed by the response time. They are as quick as possible. They have enough support people across the globe.

Positive

Before using this solution, I used Hitachi ID PAM.

There are multiple reasons why we switched. They don't have 24/7 support. We're on Asia Pacific Time, but most of their technical support staff are in Canada and the United States. If something happened in our time zone, they weren't available. Their product is very expensive, but they don't have as many features as BeyondTrust.

Comparatively, BeyondTrust has a lot of features and database inclusion. I would say BeyondTrust is 100 times better than Hitachi ID.

The setup isn't a complex process. There are two different setups. They provide the UVM-based installation and software-based installation. We selected the UVM-based installation.

The installation itself is pretty easy. The documentation is very structured. It's not complicated.

Migrating end users to Password Safe was hard in our case because no one in our organization knew about the solution. People were using Excel or Notepad and manually changing passwords. We created an internal document system, but migrating the accounts was a difficult task. As soon as the host was set up, it was pretty easy.

It's easy to maintain. All our appliances are connected to the internet. We receive patches and updates directly from BeyondTrust. We don't need to ask anyone to provide an update or patch. It's up to us to choose and schedule a proper time for updates.

We did the implementation in-house, but we had a consultant assist us from BeyondTrust. We had a good experience with him. 

We have definitely seen ROI. It's worth buying.

We only pay for Password Safe. Session management is included, but we don't use it. 

There aren't any additional costs besides the standard licensing fees. We pay for an annual license.

We also evaluated CyberArk, but we chose BeyondTrust because of the cost. It's affordable compared to CyberArk.

I would rate this solution a nine out of ten.

The installation is straightforward. If you just follow their instructions, you don't need any experience. They also provide automated ways to onboard accounts. The documentation is very structured.

Our use case was allowing users to connect with their regular, non-privileged user ID and automatically connect to a designated privileged account for target systems or databases. This prevented users from using their regular account as a privileged account. Instead, it used a managed, dedicated account in BeyondTrust Password Safe that only that the user could use. For example, my account "Gary.Jolley" might have a domain admin account "dam-Gary.Jolley" that I'd automatically connect to.

The most valuable feature is the architecture capabilities, which allow designated server components for high availability and failover. It works well with identity and access management solutions, allowing users to be automatically onboarded and offboarded. The account mapping feature makes rollout seamless. The session monitoring capabilities are excellent, with keystroke and graphical monitoring. This enhanced our security posture by providing detailed accounts of user actions. It helped us pass our SOX audits.

The only improvement I could suggest would be standardizing documentation, but that's more the responsibility of the implementing engineer rather than BeyondTrust Password Trust itself. The documentation must be specific and narrow for implementation, not just broad guidelines.

I have been using the product for four years. 

BeyondTrust Password Safe is incredibly stable. During initial server implementation, some processes might appear to hang, but they're actually communicating with each other. It's very intuitive.

On a scale of one to ten, I'd rate the scalability as nine and a half. BeyondTrust Password Safe's scalability allows different roles and strategically placed servers for better failover. We had thousands of end users across our sites.

The technical support is phenomenal. They were available even for middle-of-the-night outages during scheduled updates.

Positive

BeyondTrust Password Trust's main advantage is its network architecture implementation. It's similar to CyberArk, but CyberArk has some features, like privileged threat analytics, that the solution doesn't.

The initial setup is straightforward if you understand network architecture. Four people helped with deployment across five international locations, taking about two to three days per site after documentation was created. It requires weekly maintenance, which can mostly be done automatically, but some updates need manual triggering. One person could maintain all five sites, and we often assigned this task to new employees as the process was well-documented.

We use the solution as a password safe to keep the privileged credentials secret to make sure they aren't stolen or lost.

We don't have to remember passwords. It's automated. There is a rotation of privileged passwords, which keeps me from memorizing things. 

I like that I don't have to memorize passwords. The whole process is fully automated.

Advanced auditing and forensic features are great.

It simplifies your compliance and tracking to benchmark other credentials and analytics.

The solution can scale.

Their support is not good.

The extensible API is the feature that I like to learn. However, we aren't using it at the moment. 

It has crashed on us in the past.

I've used the solution for about a year.

I'd rate stability six out of ten. It has crashed a couple of times on us.

The solution can scale. I'd rate the scalability eight out of ten. 

We have a user base of less than 250. We do not have plans to increase usage. 

We were down early Friday, and we tried to get a team to help us. It took a whole weekend. They need to be better at supporting and helping fix issues quickly.

Neutral

We previously had other solutions, including Tenable. 

I was not part of the initial setup process. 

We have a three-year license.

The pricing isn't part of my scope. I don't directly deal with licensing.  

We are using the latest version of the solution. 

It's important to do a POC for over a month and negotiate on the pricing. There are other powerful tools that are out there that are easier to use.

Your deployment tends to involve other tools, so check its ability to integrate with them.

I'd rate the solution seven out of ten. 

We primarily use the solution to keep passwords.

The solution offers session monitoring and has a good connection profile. It directs users to specific commands that our organization needs.

The user interface is very nice.

The performance is good. It does depend on how much you are giving to the appliance, however, we've never had any issues.

It's quite interactive.

It's stable.

The solution can scale.

Technical support is helpful and responsive.

We'd like to have incremental backups to ensure the solution's information is protected regularly.

I've been using the solution for three and a half years. 

The solution is stable, and the performance is good. There are no bugs or glitches. It doesn't crash or freeze. It's a very mature solution. 

The solution scales well. I'd rate the ability to scale eight or nine out of ten. We've seen that customers have 120 or 130 users, and they are using it as active-passive. They can also convert it to active-active, and it's fine. It can support more users as well. They can go up the 150 or 155 with no issue. 

Depending on the use case and the willingness of the customer, it can work well for a wide variety of companies, from small to large, including enterprises that can easily buy and implement it. 

I've dealt with technical support in the past, and they are quite good. When I had a critical case, they were available within half an hour. 

I am working with another solution. I've found other options aren't as stable. 

The implementation process is quite simple. I'm using it on-premies, however, they also provide a cloud version.

Having the prerequisites ready in necessary as it does require those for the service account, and often customers don't have that ready. 

We can implement the solution for our clients. 

I'm not aware of the exact pricing.

I have not compared the solution to other options. This is quite an exceptional solution, and I've been happy with the products.

We are partners. 

I'd rate the solution eight out of ten. 

BeyondTrust Password Safe is used to protect privileged accounts and record any activity when using those accounts. Password Safe is able to record and report anything in SSH. It's mainly used for auditing purposes.

We downloaded the virtual appliance and deployed the solution on-premises.

My company's goal is to have mature security and privileged account management. It's mainly used for security purposes and to avoid the usage of credentials.

The ability to manage privileged account passwords is the most valuable feature. It gives us the capability of rotating passwords as soon as an event is triggered. Even if Password Safe protects the privileged account, like an admin account, we can request the password from the profile. As soon as it detects that we have the password and it's used for the first time, the password will automatically change so it can't be used again. The strength of the password will be the same.

Smart Rules were created to automatically assign the credentials that belong to each user and their profile. We use the Smart Rules feature for automated privileged account management.

The Password Safe user interface is simple and very intuitive. I would rate it as a four and a half out of five. It just shows us what we need to see.

We weren't aware that the Password Safe virtual appliance runs on a Windows server. As part of our monthly patching process, we ran into an issue. BeyondTrust Password Safe wasn't compatible with the patching we used to put on our server.

We cannot download patches from the Microsoft Windows server and deploy them on the solution. The solution starts failing, and we run into incidents. This is a major issue that they need to fix. We have to wait for months for Microsoft to release security patches.

I used BeyondTrust Password Safe for less than one year.

In my previous organization, I worked on a project to manage all of the privileged account passwords and rotate the passwords to protect the usage of those accounts from unknown credentials.

The solution is stable. We had an issue with upgrading the operating system, but it has otherwise worked flawlessly.

I would rate technical support a three out of five. They take too long to fix issues, but that could be the fault of the person who opened the case.

Neutral

I have also used CyberArk. My privileged account was already onboarded, and I was just an end user. The user interface of CyberArk is less intuitive than BeyondTrust Password Safe. CyberArk is too IT-oriented for the interface, while BeyondTrust is easier to use.

The setup wasn't complex. Installation was straightforward, and we received training before we started to run the solution. We aren't experts on BeyondTrust, so we needed an expert to help with deployment.

BeyondTrust provided a single appliance with everything we needed for deployment. We were able to switch to the second data center where we installed BeyondTrust Password Safe. They accompanied us when we installed and configured it.

We used a third party for integration.

We have seen an ROI because we have audited evidence to show what has happened when there's an incident.

I would rate this solution a nine out of ten. 

We had some challenges with migrating admins to Password Safe. Before we started onboarding, we created a test and faced an issue with the GPU. It prevented Password Safe from rotating passwords. BeyondTrust needs to give more guidance on what to look at when we want to manage our privileged accounts. 

Overall, it's a very good, well-designed solution. You need to have a basic understanding of managed accounts, functional accounts, Smart Rules, and the capabilities to configure SSL and TLS.

Before making any changes to the platform, my advice is to ask BeyondTrust to make sure it won't cause any incidents.

I use Password Safe as a fully-fledged conventional PAM solution; for SSH and RDP brokering to servers, whether that's Linux or Windows, as well as SQL and Oracle.

I also use the product to publish applications using a jump box server and as a vault for user credentials to provide normal use and REST API through CI/CD integration.

We have active and passive appliances and an offsite cold spare.

The RDP and SSH session recording is good. The associated UI is  pretty straightforward, and Direct Connect is a good feature.

Integration with Active Directory is a handy feature. 

The CI/CD and REST API are also satisfactory; the solution has a full PAM feature set and they all work well. 

Password Safe is relatively straightforward to run. 

We use PowerShell and Shell scripting using the solution's libraries. We also use the .NET library, where I worked with developers to create .NET extensions for use in solutions built in-house. We used the product's software development kit to develop plugins to some extent, and mainly we integrated with the REST API for our Azure-developed CI/CD pipeline. This capability is essential because DevSecOps becomes a requirement at some point. We're dealing with privileged accounts to do releases, which must be carefully managed and require password rotation. Thus, we need a source system for these release management pipelines to provide passwords, allowing the user to continue with the following deployment steps. Highly privileged accounts, by their nature, require regular password changes, which is a critical element in our DevOps.

I'm not too fond of the Smart Rules feature, mainly because too many features can cause complexity.

There is a limited capacity on the appliance, which I wasn't informed about when I purchased the product. I can have a maximum of 150 rules per appliance; any more than that and rule processing becomes very complex, especially regarding password revision. Hitting a capacity limit you don't know about can be problematic. Ideally, we would not have a limited capacity, allowing us to be in a completely managed state with password rotation for every service account, not just the highly privileged ones.

The solution does not indicate an issue, but when we hit the capacity limit, rules can become erratic, resulting in password resets during the middle of the day when they're in use. This can be an issue, especially as there is no performance counter so we can track how close we are to the limit, nor is there an indication of when we cross it. This is an element that could use a redesign.

Another feature that could be improved is the password rotation schedule; as a financial organization, that's very important to us. We sometimes require the maintenance window to be on a Saturday instead of during the week. The solution gives the option for the fifth day of the month, the tenth day of the month, the first day of the week etc., but not more specific. I want to be able to set the rule that password changes only happen on a Saturday, for example, and I can't do that.

To compensate, BeyondTrust tells us we can write scripts to set the password resets. This needs to be improved because it results in additional work for us, and they could fix the small scheduling gap in their product.

The MSA element of the solution is fine; there are no significant issues implementing MSA with the interface. However, the interface can be somewhat complicated for admins, though not for end users. Precisely, when troubleshooting user issues, we encountered strange errors. We needed to go into the appliance log to understand what was happening, and the UI needed to be more intuitive to help us.

We were late refreshing the UI, so it had pretty old components until about 2020, and we experienced browser issues. After 2020, the UI improved, but the look and feel of the application are still dated. I carried out POCs for CyberArk and SafeGuard, and both of their interfaces are much better than Password Safe's. I liken the solution to a Toyota; it's a good all-rounder, and it isn't bad though it has some issues.

We had an issue with the Team Passwords feature: the privilege concept needed to be improved. There was no differentiation between contributors of privileged information and the consumers of it. Additionally, until very recently, there was no REST API integration with Team Passwords, so we couldn't publish secrets using REST API. This could have been better, as it meant we needed a different team for CI/CD and Team Passwords, resulting in some cases of duplication.

I've been using the solution for five years. 

The solution is relatively stable, though the stability could be improved as we often encounter issues of various kinds. As such, the tool requires a large team to manage it and stay on top of any problems that occur.

My experience with customer support has been mixed; the US and UK teams are the best, while the others could have been better. The UK and UK support staff are highly professional people who seem very close to the developers and have excellent knowledge of their products.

Some of our cases took up to four months to resolve because there is a difference between Password Safe, the software layer, and the UVM appliance layer, which BeyondTrust essentially treats as a separate product. There have been some significant problems with the UVM appliance layer, especially compared to Password Safe. The latter has some specific issues, but they are usually quick to resolve, whereas, with UVM, we can hit a dead end, even with support.

Positive

ROI is tough to measure, as the solution isn't generating profit. We implemented automation with CI/CD, reducing human effort and saving time on previously manual tasks. I can't tell if this has yielded an ROI, but we achieved a target in that we are more secure, our highly privileged accounts are rotated etc.

I rate the solution a six out of ten. 

The earliest version of the solution's interface could have been more intuitive, and we sometimes experienced issues with request check-ins and check-outs. However, the recent introduction of the Team Password feature allows users to collaborate and share passwords within a managed team. Some elements of this feature lagged in our first few weeks with it.

We used some of the solution's customization features, and it works fine; however, we had some significant issues when doing Discovery Scans. We encountered strange errors, especially on custom platforms, and it took a lot of work to understand the problems. As a result, we stepped away from customization as the issues around Discovery became extremely hard to deal with for us. 

We saw the benefits of using the solution very quickly, especially for the more basic elements at the beginning of the implementation. By targeting highly privileged accounts in the first round through the Active Directory, those can be up and running in two weeks maximum. The more complex and detailed configuration becomes, whether with discovery, dependency, or multiple-layer applications, the time to value increases correspondingly. 

I advise potential users to stay manageable and not try to do everything simultaneously. Build slowly and keep an eye on the capacity; only deploy with one appliance, or you are destined to fail and will run out of capacity fast. It's better to refresh the UVM appliance version every two to three years with a new image and migrate rather than upgrade because upgrading is the worst part of this product. It'll cost money to keep migrating to newer appliances, but it's worth it to avoid the experience of upgrading.