BeyondTrust Password Safe Reviews

We're using it as a vaulting solution. We're doing password vaulting, and we're doing password rotations. We also do session management and session proxies.

We probably are using version 7.2. 

From a management and audit perspective, we've seen a lot of improvement because now, we're secure in the sense that we know where that access is coming from, and we know who is requesting the access. From that perspective, we're very happy, and it has provided a lot of value, but from a user perspective, it has been negative. When we talk to our frontline guys, who actually use this solution, they're not too happy with the whole solution itself only because they feel that it has added a step in their whole process and procedures.

We use PuTTY, and we didn't find it very difficult to integrate session management into existing business processes. It was pretty good. It all comes back to how you would define the users and how you define the administrative access. If sudo and those types of things are kept out of the picture, then by getting access to a privileged role or group or SSHing into a session with the root privileges, they're able to do everything they need to do without having to go through the virtual model of sudo to access something. The seamlessness was that they didn't have to go and make that connection happen. It was just all integrated within the solution itself. They just click on the asset that they wanted access to, and it would provide SSH access to that system.

So far, we have been able to integrate session management without disrupting business processes, at least for the assets that we've been on. That's very important to us. The main feature is the session recording. If we can continue to have session management, and we get those session recordings, that's the key for our auditing team.

The vaulting features are valuable. 

It provides integrated password and session management in one solution, which is important for us because, from an auditing standpoint, we are accountable for the type of access being used. We need to ensure that accounts are securely stored and there is the right type of accountability around who is gaining the access. After gaining it, how they're using it, where they're using it, etc.

In terms of intuitiveness, the UI for a generic user is good. I wouldn't call it great because, at times, some of the capabilities are difficult. While trying to get to the password itself or trying to find the asset itself, it sometimes gets difficult to narrow down or identify which asset you can get credentials for. There were some search features and the ability to have a favorite, but in a lot of cases for our user community, it wasn't very useful.

The RDP access needs to be improved. I wasn't very keen on that. It downloads an RDP file every time you want to access the solution. It builds up these sessions on your laptop. That was one of the pain points that a few of our administrators had talked about.

Named accounts don't work well in this solution. If you use named accounts for your administrative access, the way Smart Rules work is that it takes your SAM account name and matches it to the account name of your privileged ID, which creates limitations on size and how big those names can be because the directory has a 20-character limit. 

I've been using BeyondTrust since 2018. So, it has been about four years.

It is very stable. It is good. We haven't had any major incidents with the product.

It is good. It is very easy to add new VMs to the solution and integrate them with the existing hardware. Scalability is very easy.

To date, if I remember correctly, we have 200 users as administrators using the solution today, and they are the domain admins from a Windows perspective and the root access administrators on a Linux box.

Its usage is not as extensive as the organization first hoped. They are not planning to make it any larger than it is today.

I didn't like it at all, but that was about two years ago. I'm not on the site anymore. I was the architect, and during the time of implementation, there were things on which our developers had more input than the BeyondTrust team. I would rate them a five out of ten.

Neutral

In the organization I'm in, we had CyberArk previously. We made the switch because there was an initiative to improve our stance on privileged access management, and the CyberArk solution that was deployed wasn't kept up to date. It was outdated and needed to be upgraded. 

It was a real competition between CyberArk and BeyondTrust, and the company eventually chose to use BeyondTrust. Between CyberArk and BeyondTrust, there were no real big differences at the time. Both of them achieved whatever goals that we wanted, but it was really a cost factor. BeyondTrust was significantly cheaper than CyberArk at the time.

We didn't deploy in the cloud. We deployed on-prem. It was a VM image that they provided to us. It was a huge factor that it was so quick to deploy, and they gave us that VM image. We went into VMware and created a space where we could deploy that image, and it was ready to go.

The initial setup was pretty straightforward. We needed their help a little bit, but for the most part, it was pretty straightforward. Their documentation was good at guiding us through. It mainly had the configure/next type of screens. So, it was a lot easier to implement and deploy.

In terms of duration, the server build wasn't very long. It took us a few weeks up to a month at the max. However, the actual implementation of getting the accounts in, identifying privileged accounts, and getting all those things sorted took roughly about a year and a half. 

We didn't have to go through the migration strategy. So, it didn't apply to us. We have gone through an upgrade process with Password Safe. It was much more difficult than the actual setup. It wasn't as easy as we thought it would be. There were a lot of components. For example, the database required special scripts to be run against it. That was more complex than we'd like. As per my Ops teams, the biggest issue was some of the coordination with database teams because when the upgrades happened, there were some schema changes or custom changes on the database that had to be implemented. Coordinating these changes was a bit difficult, but application-wise, the solution itself wasn't very hard to upgrade.

We used BeyondTrust and Optiv. Our experience was interesting because midway through, the BeyondTrust resource that we had either left or was let go, but we had continuity after that. Depending on who you talked to, it was mixed in terms of engagement.

For maintenance, we have a centralized identity management group that manages a solution, and then we have a database group that helps. Altogether, there are roughly about five resources to keep the solution up and running.

You see the value in it based on your data leakage and your ability to secure privileged access to the systems. I don't know if you see a real value right off the bat, but the biggest value you'll see is on your auditing side. After a year, during the audit, the audit team will see its benefits.

At the time, BeyondTrust was significantly cheaper than CyberArk. Pricing-wise, if I remember correctly, it goes by assets. The pricing was negotiated for our instances based on the number of assets that we onboard into the system. It is a little different from CyberArk, where the pricing is by users. So, it depends. If you have a lot of assets, it can get very expensive.

We also evaluated the CA solution. The reason why the CA solution was immediately taken off the shelf was that a client was required on every desktop. That was one of the main reasons why the organization didn't want to go with that solution.

The biggest lesson that I have learned from using this solution is that named accounts don't work well in this solution.

My advice would be to really understand your use cases. If you have use cases that are specifically for named access where your privileged access is not shared but it is named to specific users, then you might want to look at their Smart Rules capability and what it can do. If you're using a shared pool of administrative access and you're reusing privilege access from that shared pool, the solution beats everyone out there, hands down.

We haven't used the Team Passwords feature to securely store credentials owned by small groups outside of traditional privileged user roles. It came up afterward, and we haven't yet implemented it here. We also didn't try to customize anything because we try to go out of the box as much as possible.

I'd rate it an eight out of ten.

On-premises

The use case was to integrate BeyondTrust with the organization and onboard servers and accounts. We created Smart Rules and used other features for automatic onboarding and integrating BeyondTrust with various components in the organization, such as SNMP, SIEM, and AD.

It reduces risks. Beyond Password Safe manages all privileged credentials. It takes care of the automatic rotation and connection to the target servers. It reduces a lot of risks of cyber attacks, malware, and ransomware.

It is very important to us that Password Safe provides integrated password and session management in one solution.

Its customization features help us to manage most assets, databases, and applications. With the plugins and customization features, we can connect to databases. We can also connect to Windows and Linux. When I worked with it in 2018, we also had to use one of the plugins to connect to a mainframe. It supports a lot of different platform connections.

The Direct Connect feature allows us to use existing tools such as MobaXterm, PuTTY, or SecureCRT. There is a feature that power users can use to connect to the log server every day. This way, they don't have to go through the web portal. They can just connect to their target server by using MobaXterm, PuTTY, or SecureCRT.

Smart Rules is a nice feature in BeyondTrust. It is a unique feature that BeyondTrust has as compared to other vendors such as CyberArk. With Smart Rules, you can do automatic onboarding of accounts. There are a lot of options and features. For example, you can do onboarding based on different AD attributes. It is a nice feature in BeyondTrust that some of the other PAM vendors don't have. With other vendors, we have to create our own scripts, whereas, with BeyondTrust, we can just use the in-built Smart Rules.

In terms of the intuitiveness of the user interface, I find it to be pretty good as compared to the other products. It is user-friendly, and in terms of the looks and feel, it is one of the better ones.

I find it a little bit confusing because you have the management console, and then within the management console, you have access to different admin consoles. There are probably two or three different ones. I wish they would place all those different types of consoles into one main one so that we don't have to access two or three different consoles to do the work.

When we deploy BeyondTrust, we have to deploy our own database on a SQL server. It doesn't deploy the database. I wish BeyondTrust packages the whole solution in one and includes the MySQL database so that when you deploy it, it deploys everything for you. BeyondTrust gives you the software, but you are in charge of setting up your own database. It is a single appliance just for the BeyondTrust portion but not the database. Unless that has changed in later releases, you have to set up your own database for BeyondTrust Password Safe. I find that part complex because we then need the expertise and help of the database team to set it up, which also increases the deployment time. If they can deploy the database, it will reduce the deployment time.

Their documentation is not very detailed and thorough. In case of any issues, a lot of times, we have to go through their professional service. They need to update their documentation and create a good knowledge base for us so that when we run into problems, we can go there and search for common issues or problems.

I have been working with this solution for about three years. I have used it on and off depending on the companies I worked for.

It is average because we did have issues with some parts of the solution.

Its scalability is good. It is very scalable. We didn't have too many users because we switched over to CyberArk after two years, but the plan was for 500 end users.

We don't have plans to increase its usage because we switched over to Cyborg earlier this year.

Their documentation is not very detailed. A lot of time, we have to go through their professional service. We do get really good people, but they should provide more and better documentation and knowledge base so that we can solve a lot of issues on our own instead of going through their professional service.

Their professional service or technical support is very good. When we opened a case, sometimes, they answered within a day, and sometimes, it took five days before someone answered the ticket, but when we do get someone, in general, I found most of them to be very good. I would rate them an eight out of ten.

Positive

We didn't use any other solution before BeyondTrust, but we recently switched over to CyberArk.

The process of migrating end users to Password Safe varies from organization to organization, but overall, if you have all the proper workflows, it isn't difficult. With PAM, half of the work is related to processes and policies, and the other half is related to technology. In terms of the technology, I found it to be pretty straightforward, but you need to have all the policies defined in advance.

It wasn't too difficult for us to integrate Session Management into existing business processes. You have to provide the connection strings. The difficulty level was average.

I was the integrator for one of the projects. As a part of their purchase, they also got a certain amount of hours of professional services from BeyondTrust.

We had a team of about five people for its deployment and maintenance. There were two DevOps and two BeyondTrust admins.

We didn't see a return on our investment.

The pricing of BeyondTrust is very good as compared to other products. That was the main reason we decided to go with BeyondTrust at first.

I wasn't involved in its procurement. They had to go through their due diligence. They probably had four PAM vendors, and they went through their procurement process.

Functionality-wise, it works. Everything works well, especially with using Smart Rules. There is a big learning curve to deploying and maintaining it because when you buy this solution, it doesn't come with a Password Safe database. You have to deploy that yourself. If they can package a database with Password Safe, it would be better and more user-friendly. It will cut down the deployment time. They should also improve their documentation, knowledge base, and support on their website. There is not a lot of good information.

I would rate it a six out of ten.

The use cases are essentially the same as those for any PAM solution. Like addressing security compliance, securing the network against threats, and protecting all identities with intelligence and minimal concerns.

It also includes cloud security management, handling different shifts, and addressing workforce access, passwords, and the likes of compiance. It simplifies analytics, reporting, and secret implementation.

Additionally, it reduces servers while increasing stability in privileged access. These are the general use cases that apply to all PAM solutions.

BeyondTrust Password Safe provides proper security for your network. Its primary feature is identity governance. It allows you to manage your users effectively and implement robust governance. The solution includes reporting, which aligns with the National Security standard and enhances cybersecurity resilience.

This protection safeguards against attacks. When discussing the management of essentials post-classification, BeyondTrust Password Safe also assists with this. It plays a critical role in preventing cyber identity theft. Without BeyondTrust Password Safe, your system is more susceptible to identity theft. It's an all-encompassing solution that significantly reduces such risks.

BeyondTrust Password Safe is specifically designed to limit cyber identity theft. It's highly effective in preventing incidents of identity theft.

It is very easy to deploy. It's easy to use. That's the major thing I like about it.

The pricing is not cheap, but it could be better.

I'm familiar with BeyondTrust. I have been with it for around a year.

The stability is perfect.

It is highly scalable.

The technical support is very good.

I'm familiar with both BeyondTrust and Password Safe. It's actually a Privileged Access Management (PAM) solution. It is a good competitor to Deliena, One Identity, and WALLIX.

It is very easy to set up. It is very easy to deploy. Depending on the environment, it can be deployed quickly. So it's very good. I like it.

The deployment model depends on the customers.

The pricing is nice. It is a yearly basis license. I would rate the pricing a seven out of ten, where one is cheap and ten is expensive.

I would recommend using this solution. Overall, I would rate the solution an eight out of ten.

We use BeyondTrust Password Safe for server and database management of the accounts noted. We will be moving ahead with application management as well.

BeyondTrust Password Safe has good reporting and Smart Rules which makes it easy. Though Smart Rules are easy, those who do not have much experience with such things may find it difficult to understand how it works. Otherwise, I find Smart Rules very easy to work with.

There are multiple features that have issues, although they could be specific to our environment. What we have seen is that whenever a user gets added to the authentication store, the sync between Password Safe and the authentication store, which is generally easy, takes a lot of time. It does not occur immediately.

This is persistent for Password Safe used by administrators who require immediate access. If immediate access is not possible, then access should be made possible at least within one hour or so. This does not happen in our environment. The access takes more than three to six hours to happen.

Whenever a new end user is provisioned for access, it would take twelve hours to twenty-four hours. Since they are end users, the time taken is fine. However, when we consider administrators, they might need access at different times. The three-hour time frame for the administrators in our environment is a lot of time.

I have been using the solution for more than one and a half years.

I would rate the stability of this tool as seven out of ten because of the immediate access.

The scalability is good and I would like to rate it eight out of ten. We have around 1200-1500 users.

The support that we have from BeyondTrust is good.

The setup for BeyondTrust Password Safe is not so easy and not complex as well. They have documentation available.

I had compared many vendors sometime back in 2019. The other vendors have either added new features or merged with others.

I would rate the solution an eight out of ten. I would recommend it for monitoring.

Hybrid Cloud

There are a lot of customers, worldwide, who use this solution, especially in the education sector. This solution is so niche that it's not like TeamViewer. It's basically designed and developed with enterprises in mind—it's an enterprise solution. It's built for a highly privileged and secure environment. It starts with a virtual appliance and physical appliance and then, now, to what's basically a cloud-based type of access. 

One of the most valuable features is that this is a product designed with enterprises in mind. 

I think that BeyondTrust Password Safe could be improved with more testing. In the beginning, they were practically using customers as beta testers. 

Maybe the product has evolved since I last used it, but if you look at PAM, privileged access management, whatever's out there has already been done. I don't see there being any other enhancements that are being made regarding PAM, except to support more cloud-based applications. 

I have been working with this solution for over 10 years. 

The early version of this solution was not stable. It was terrible, but I think they eventually got their act together and it's better now so that they can compete. I haven't tried a cloud version, but if you imagine a solution is 100% on-prem and suddenly turns to the cloud, you can imagine there will be a lot of testing and bugs and all that. I'm not saying the product isn't good, it's just that when you have a vendor that starts out on-premise and only turns to cloud in the past couple years, they have a long way to catch up to leaders such as Thycotic or Centrify. 

You've got to patch it every month, so how could that be stable? 

This solution isn't really scalable because it's Windows-based. How could any Windows solution be scalable? This is strictly my personal opinion, but I would believe that about 80% to 90% of people will agree with me. Windows platforms aren't scalable. 

I think that customers could see an ROI eventually. A lot of customers purchase the product because they have to get something implemented for GRC: governance, risk, and compliance reasons. So, if you don't buy any of them, then the auditor will say that you didn't pass the audit because you don't have that mechanism in place. This solution is expensive. Is it worth ROI? Yes and no. If they have to meet compliance and whatever standard requirements, I would advise the customer to at least look at two complete products first. This wouldn't be my first choice. 

This solution is not cheap—it's a very expensive solution. Very, very expensive compared to the features and functions that they offer. 

This solution is competing with Thycotic and Centrify, the leaders. Only in the past couple years did BeyondTrust turn from 100% on-prem and start offering cloud services, so of course they still have a long way to catch up with them. 

I rate this solution a five out of ten, to be neutral and in the middle. To those looking to implement this solution, I would advise them to fully test it out in their environment before even making the purchase. You've got to thoroughly test it—test everything, otherwise you might regret it. 

We use the solution to login through remote application solutions. 

The product has improved security and login due to the system recordings. In case, there is a doubt that someone has done something which they shouldn't have been doing, we can just go back and check what the user actually did. 

I am impressed with the product's session-logging features. We can also do multi-factor authentication with the product. 

We face screensaver timeout issues and problems with the server. I would like the product to include a server visibility feature. 

I have been using the solution for a year. 

I would rate the tool's stability a seven out of ten.

I would rate the tool's scalability a seven out of ten. If we need to add more users, then we need to add more servers to the environment. Around 500-600 users use the tool on a daily basis in my company. 

The technical support is through our vendor.

Neutral

The solution is difficult to setup due to settings. You need a specialist to configure the product. I would rate the solution's setup a five out of ten. We have two people involved in the tool's maintenance. 

I would rate the product a seven out of ten. 

On-premises

We deploy in client environments. It's not deployed in our environment. Generally, its deployment depends upon a client's environment. Sometimes, it's hybrid. Sometimes, it's on-prem, and sometimes, it's on a virtual hypervisor or VMware.

We are currently deploying it for one of our Indian clients. For this client, we are deploying SaaS-based Password Safe, which is purely on the cloud. They also have BeyondTrust Remote Support. We are integrating both of them. BeyondTrust Remote Support is for tech support for their teams, and Password Safe is for password rotation, screen recording, and monitoring of their employees.

It helps to automate password rotations and manage privileged accounts. If your employees are supposed to rotate passwords for some period of time but they are not doing that, you can automate that.

It provides ultimate security through automation and Smart Rules. You can enforce password policies and access policies. For example, you have local administrator accounts on local systems. If you didn't write any Smart Rules for the local administrators, any employee with administrator privilege can make an administrator account, but that account will not get detected in our system. With Smart Rules, Password Safe can detect that administrator account and onboard and manage that account through an automated process.

The database team of a client had scripted or hard-coded passwords for databases. We were able to use the API scripts provided with the BeyondTrust Password Safe to retrieve the passwords. The database team had already written a script for database login. So, anytime the database team wanted to log in using that script, the password was retrieved from BeyondTrust Password Safe vault.

They offer a jump server or terminal server where we can configure the databases or other applications. A lot of customers have in-house applications, and even products such as CyberArk or Saviynt CPAM do not provide connectors to those because they are not common. BeyondTrust provides some flexibility there for application integration. We can write our own scripts. We can do scripting in our way and integrate it with any application.

Its user interface is easy to use. I also work with other non-PAM solutions, such as SailPoint and Oracle, and as compared to those solutions, BeyondTrust has a very user-friendly interface, and everything is also very well documented.

Screen recording is valuable, and integration with applications is easy. We can customize whatever we want. We did a lot of application integration using scripting.

We don't have much control over the appliance. When anything happens in the backend, we have to depend on the support team. We need to raise a case so that they can update the appliance. If we have control over it, we would be able to troubleshoot easily. 

They can improve application integration. They can provide out-of-the-box connectors for common applications so that we don't need to do the customization and write scripts from scratch for lots of applications. They can provide an application catalog with pre-configured connectors.

It has been two and a half years.

It's pretty stable. From version 21 onward, it has been more stable.

It's scalable. We can add as many active-active appliances. If the number of users of a client increases, we can increase the active-active appliances anytime.

One of our clients from the Middle East has a big environment with almost 55,000 users. That's our biggest client. There are also small-sized and medium-sized clients.

Their support is pretty good. They are available for any issues. I would rate them an eight out of ten.

Positive

I used CyberArk and Saviynt CPAM, but BeyondTrust Password Safe is better than both of them. CyberArk is the leader, but BeyondTrust Password Safe can easily take the position of CyberArk.

BeyondTrust Password Safe provides flexibility for customized application integration. BeyondTrust also provides lots of other solutions for remote support and privilege management for Windows, Unix, and Linux. We can also manage Linux servers in the Active Directory domain by using BeyondTrust AD Bridge.

Saviynt also has good capabilities. They don't have a very mature product for privileged access management, but with IGA, they're providing privileged access management, which is a plus point for them. 

BeyondTrust provides a single appliance with everything we need to deploy in the cloud. Nowadays, they're providing UVM appliances, UVM20 and UVM50, which are user license-based. We just need to do network configuration and minimal appliance configuration, such as default settings, threshold settings, etc. Deployment is very quick and easy nowadays.

Generally, the deployment takes a week, but it also depends on a customer's requirements and environment, such as whether they have a high availability environment with two or three appliances, whether we need to open certain ports, and whether we need to integrate with a database for session recording storage. Configuration of a single appliance only takes one or two hours, but there could be some delay from the client side in taking care of all the dependencies, such as opening required ports. That's why we keep one week for deployment in our plan.

Our implementation strategy depends on the client's environment. It depends on how the client wants the environment and whether they want high availability.

I have not handled the process of migrating end-users to Password Safe, but a colleague of mine has handled migration from CyberArk to BeyondTrust Password Safe. It was not very difficult. They could easily do it.

One person can do the deployment and administration of basic things for a mid-scale or small-scale client. It also depends on a client's requirements. If a client wants it done in a short time, we would need another consultant, but generally, one person can easily do these tasks.

You can follow its documentation for implementation. BeyondTrust has documented everything very well. They have clearly mentioned the port requirements and system requirements. They have good training resources on their website. You can easily follow them.

I would rate BeyondTrust Password Safe a seven out of ten.

We are using it for vaulting and proxying the admin session. It is not yet implemented. We will implement it at the beginning of 2021.

Session recording, password rotation, and password vaulting are the most valuable features.

Its documentation can be improved. Its documentation is currently complicated, and it is not good. It needs to be better.

Their technical support can also be improved. It is not bad, but it can be better.

Its stability is pretty good.

It is very scalable. We started with three different sites to implement this product, and we, for sure, will implement it for the fourth site. It is easy to install any kind of component inside this environment.

Their technical support is not that bad, but it can be improved.

I use CyberArk and BeyondTrust. In terms of functionality and how they work, they are pretty close, but I prefer BeyondTrust. For vaulting, I like CyberArk a little bit more. For all other things, such as session recording and proxy, I like how BeyondTrust works. To proxy a session on Linux or Unix with CyberArk, you need to create an account each time on the remote site or the device to which you want to connect. BeyondTrust is different. You use a Windows machine, so you can connect with an AD account. It could be a functional account, a privilege account, or any other kind of account, but you use the same account instead of using a new one each time. Monitoring or auditing is easier with BeyondTrust than CyberArk. BeyondTrust is three times less expensive than CyberArk. 

It is complex, but it is not only about the product. You need to have good governance and guidelines for password management and session recording and for proxying all those sessions. The process before implementing the product involves more work than setting up the application. It took us one year to design and do some testing in a non-prod environment. We will start the projects and deployment at the beginning of 2021.

It has subscription-based licensing. BeyondTrust is three times less expensive than CyberArk.

You need to be very clear about how to implement vaulting or the session recording mechanism. If you don't go with an external partner to help you with that, it can very difficult to have a solid implementation of such solutions, whether it is CyberArk, Thycotic, BeyondTrust, or any other solution. Just because you installed these solutions doesn't mean that they would resolve 100% of your work. You need to have some processes for such applications, and you need to do some homework first. With the help of an external consulting company that knows how to implement such solutions, you can progress very fast.

I would rate BeyondTrust Password Safe an eight out of ten.

On-premises