CyberArk Privileged Access Manager Reviews

The primary use case is increasing security and our security posture at our company, helping to prevent any future breaches and secure as many privileged accounts as we can. We have a lot of use cases, so there is not really a primary one, other than just trying to increase our security and protect our most privileged accounts.

We do not have a large cloud presence as of yet, but like other organizations, we are starting to get into it. We have a fantastic adoption of CyberArk that extends all the way up through executive leadership. A lot of times, projects and proof of concepts that we want to go through are very well-received and well supported, even by our top leadership. Once we get to the point where we are ready to do that, I think we will have executive support, which is always incredibly important for these types of things. 

We are in healthcare, so we are a little bit behind everybody else in terms of adoption and going into these types of areas. We are a little bit behind others in terms of cloud, but we will definitely get there.

Right out of the gate, three years ago, we secured all of our Windows Servers and all of our local administrator accounts. We followed that with all of their root accounts for our Unix servers. We were able to greatly increase our posture with local accounts. Then, we went through domain admins and reduced the landscape and password age of those accounts. We have demoted a lot of domain admins and taken a lot of that away from people, giving it a shared account structure. This has worked well for us to be able to protect our most sensitive assets. We call them crown jewels. It has been important to be able to do that, and CyberArk has allowed us to do that, which has been great.

We have tightly integrated CyberArk into a lot of our different processes. Our security organization is massive. We have a lot of different teams and different things moving. Not only have we integrated this into our identity access management team, so onboarding and offboarding, but we also have integrated it in our threat management side where they do security configuration reviews before we have applications go live. We require these accounts that operate those particular solutions to be vaulted immediately. We have implemented them into a lot of our policies, standards, and processes. It has helped us with our adoption with other teams, and it has also helped us to integrate it at the ground level.

It has an automatic password rotation. We have so many accounts, and being such a large organization, it helps take a lot of maintenance off of our plates, as well as automating a lot of those features to help increase our security. Having this automation in place, it has really been beneficial for us.

We do use their AIM solution for application credentials.

One of the things that I have been wanting is that we use the Privileged Threat Analytics (PTA) solution, and it is a complete standalone solution, but they will be integrating it into the vault and into the PVWA. So, we will have that singular place to see everything, which for us is great because it's one less thing to log into and one less thing that you feel like you have to jump over to get a piece of information. Having a centralized place to manage the solution has been something that I have always wanted, and they are starting to understand that and bring things back together.

Three to five years.

It is phenomenal. We have three data centers across the United States. This was last year or the year before, we had one of our data centers altogether go out, and a very large amount of our critical applications went down. CyberArk stayed up the entire time. We had redundancy in another data center and we had disaster recovery plans already set up and ready to go. In that time, when everything was so hectic and everybody was scrambling, trying to get the data center back up and available, they were able to access the privileged credentials that they needed because our solution remained up and available.

This was a huge for us. To have the users of the system feel that it is stable, trustworthy, and dependable. We have had great success with the disaster recovery functionality that we have with CyberArk vault. We test it frequently, and it is stable for us. We have been very pleased with the stability of the solution.

So far, it has been fantastic. We are a very large organization. We have approximately 110,000 employees and almost 20,000 accounts vaulted, where there is a lot of room for us to continue to grow. Even at the scale that we are at now, it has never had any kind of issues. We have never had any issues with deploying additional things. We do have some room to grow in some of our components servers if we need those, but everything that we have stood up so far has been operating flawlessly. We have not had any issues with our scale. It has been great.

We have contacted them less frequently as we have become more familiar with the solution. A lot of times now engaging technical support is more for sanity checks, and saying, “Are we doing this right or are we missing anything?” We have utilized them and have had pretty good success with having them help us with particular issues.

When we have called them, it has been something which has been a challenge for us. We generally get to the right person. Sometimes it takes us a bit of time and some further explanation to say, “This isn't exactly what we're asking." Then, we need to pull in somebody more technical or a next level of escalation. 

The customer success team has been monumental in helping us get the right people involved. If we log a support ticket, for example, and we are at a point in our maturity and our understanding of the solution that Tier 1 support is usually not what we need. We have done a lot of our own checks and troubleshooting, and we are able to say, "Here is all the stuff that we've done. We need the next level of support."

The customer success team has been monumental in pulling in the right people and helping us get to the right people on that side rather than working with the support person and saying, “We pulled this person in.” Sometimes, it is pulling in the solution manager or the team lead for that solution and getting to the top of that team almost immediately. We have had great feedback. The customer success team has been at the center of helping us get to that point.

We did not use another solution before CyberArk.

The big thing that was a catalyst for us to look at CyberArk was the Anthem breach that happened back in 2014 or 2015. Being a healthcare organization, our executive leadership realized that we are a big company. We are not immune to these sorts of attacks either. We have got to get something in place. Being best of breed, we turned to CyberArk for that. Again, it has been a fantastic partnership, and has both ways; we've been able to help them. They have been able to help us quite a bit as well. 

The initial setup was straightforward. We did have an implementation engineer from CyberArk who walked through it with us. He guided us through the process. Even though the documentation is straightforward, there is a lot there to do with a lot of different components which make it up. In and of itself, there are a lot of moving parts, but having that implementation engineer onsite, helping us walk through it helped us be very successful quickly. We also had the same experience when we went through upgrades where we contracted with professional services to help us. They have always had someone out there who guided us through it, either onsite or remotely. We have had both instances and both have been very successful.

I was the primary engineer and lead engineer who stood up the entire solution. I was both solution architect at that time, as well as the solution engineer. I have since moved into the architect role and have backfilled my position. However, I was there at the very beginning and did all of the initial setup.

The first year that we were standing up CyberArk, our organization did an annual pen testing. In one of our organizations, where we didn't have CyberArk deployed yet, they were able to escalate privileges and get all the way to a domain controller, and go all the way that an attacker would be able to. The next year that they did their annual pen testing, after we had deployed in that same region, they basically got stopped almost immediately, and they were never able to escalate their privileges. We stopped the pen test in their tracks because of the solution being in place.

While that may not have a dollar amount because it was just a test, it gives us a lot of peace of mind. Of course, we can't always say that it is impossible for somebody to get in. Someone is going to eventually get in, that is bound to happen. Knowing that we have the solution in place and reducing that threat landscape as much as we have, has been phenomenal for us, at least from an intrinsic value standpoint.

We did not evaluate other solutions. We automatically went with CyberArk.

CyberArk is a fantastic solution. They understand what the industry is trending towards. They are able to meet that very quickly. Being in healthcare, we are a little bit behind the times and we follow people a little further behind (for example, the financial sector has been doing all this stuff for so long). However, healthcare, as an industry, is always a few steps behind because we are clinical and have to support a lot of different clinicians, physicians, and regulations, which sometimes makes us move more slowly. Just having this has been huge for us.

One of the things which has differentiated us from other customers from CyberArk is we have been tremendously successful in rolling out different implementations. There are a lot of clients whom I have talked to personally who have bought the solution, but have never implemented it, or they have been met with a lot of struggles or a lot of uphill battles with their staff and adoption. My best advice would be to start out and find the quick wins, the low-hanging fruit; these things you can provide to your organization to have them understand and see the same value that you are seeing as you are implementing.

I am familiar with the the new plugin generator utility. I have not used it because I think it is a newer version than what we have, but I am excited about it. I am looking forward to utilizing it. It is similar to what they have for their PSM solution. They have some new web services framework, so they do not have to use the AutoIt tool because it takes a long time to create plugins today. Like the plugin creation utility, it will allow us to take a whole lot of time off of our turnaround to be able to provide some of these connection components.

Most important criteria when selecting a vendor: Because we have so many applications and solutions across our organization, interoperability is a big thing. I am in charge of CyberArk, as well as Duo, who we use for our two-factor, and having that integration point or the ability to integrate with these solutions is huge for us. As we try to standardize across all of our different organizations, which is very difficult in our industry, what we offer for a particular solution rather than having 30 different iterations of different applications, has been huge for us. Standardization and integration is a huge point for choosing a vendor.

We use the solution for privileged access to internal systems and multiple customer environments.

We have distributed PSM and CPM components throughout multiple sites and customer domains access over the VPN, with PSM load balancing handled via third-party hardware load balancers. 

Environment segregation and security are high on the criteria for the implemented solution, however, not at the overall expense of performance. 

We tend towards providing access to privileged admin applications direct from the PSM servers wherever suitable, yet offload additional workloads to siloed RDS collections if the need arises. 

I appreciate the ease of use for support analysts. We provide a single pane of glass access to our analysts where segregated admin access is provided via safe access groups. The overall goal is to provide the analysts with just enough access to function without being totally impaired by security constraints. With the piece of mind that the auditing and recording capabilities allow. We provide access to fully managed systems via distributed PSMs, or where the need arises we can provide access to online third-party access points via a central pool of web-enabled PSMs.

The most important feature is the password rotation and recording to align with customer security requirements.

The reporting and auditing functions allow us to provide evidence-based accounting to customers or security personnel when or if required. Being able to prove that "it does what it says on the tin" is a very key selling point or point scorer in project and planning sessions.

The marketplace default connectors are constantly evolving and simplifying administration. In the case of one not being available then the majority of additional requests can be catered for with some clever AutoIT scripting.

Remediation of some of the platform settings in the master policies section would be handy.

Overall what I would really love to see is the third-party PAS reporter tool pulled more into the overall solution, ideally as its own deployable component service installation package, that could be installed/branded alongside the PVWA service, and build out API integration so that third party calls could draw valuable data directly out of the management backend with very little amount of additional admin overhead.

I've used the solution for eight years. 

The solution is very stable; if instability is ever experienced it is likely to be as a result or symptom of a problem elsewhere, such as external factors (updates, network etc.).

The solution is fairly scalable, although depending on how far and wide you stretch your footprint, you may be better suited to multiple smaller vaults and component environments, than one large pot.

Initial call logging can be tedious at times. If you clearly articulate an issue yet are then required to collate entirely irrelevant logging information or jump through a default set of "have you tried this" questions it can cause frustration. Call escalation via account management has improved and when needed we have then progressed with support at a faster pace.

Positive

I have not worked with a solution with a focus explicitly for PAM.

The initial setup was both straightforward and complex in equal measure.

The majority of the setup was in-house. On occasion, we have engaged the vendor team and always had a positive outcome.

I'm not in the loop to be able to answer to ROI.

Engage with Cyberark account management and professional services to fully understand your current, expected, and future requirements. 

Some default settings applied early on may be very time-consuming to amend at a later date (for example, set a default attribute in a platform, extrapolate that platform out to 300 other platforms and a single change may then have to be retrofitted 300 times). So the more scope you can define at deployment the better.

I believe other vendors were evaluated prior to selecting CyberArk.

I'd advise other users to take their time, measure twice, and cut once.

The concern on our end was separating the components, including the password storage component, and having everything completely separated. 

The scalability is very easy.

The most valuable aspect was being to be able to manage it through multiple mediums. We can manage it through its command line interface, web view, and directly logging into the digital environment with permission. You have multiple mediums. You don't have to give direct access to the world every time you want to limit what admins should do and what they should not do.

CyberArk has the biggest number of features available when you compare it to other PAN solutions like BeyondTrust, Thycotic, and Delinea. They tend to have a lot of separate components.

Performance-wise, it is excellent. 

The components of their web view, policy manager, and session manager, most of them are separated. We need something which can unify those components into a single appliance. Sometimes the infrastructure team is hesitant to provide more resources. 

They have a lot of out-of-the-box integrations with a lot of other products. However, I would want them to bring on some kind of similar platform. If they can bring up the SSO on-prem, that would be ideal, as they don't have those things on-premises. They only provide that for the cloud. If they can do that, it would actually help a lot of us and keep us from trying to acquire multiple technologies for solutions.

I've used the solution for six or seven years at this point. 

We are very stringent on the performance metrics and would rate the solution very high. It's stable. 

We found that scalability was much easier in CyberArk. In BeyondTrust, scalability required purchasing extra virtual machines every time we wanted to scale it up. However, in CyberArk, we don't need to purchase extra components. It comes along with the line.

Currently, we have around 78 to 80 admins, and there are around 200 underlying accounts. 

We previously used BeyondTrust.

I haven't compared it to Thycotic yet, however, from what I have read, it looks like CyberArk is better. I've also looked into Delinea.

We are reselling the solution to customers.

I'd rate the solution nine out of ten. It's quite a good product.

We use the solution as a vault for whatever passwords we use for connecting to an API or job services. The admin passwords we store in Password Vault. Via CyberArk, we have made a use case where we can track the session, keep a record, and log it, to whoever is logging into the servers.

CyberArk is basically used for privilege access management. It used to be hard to control security from internal employees. For products, and production servers, tracking used to be very difficult. 

Although One Identity Manager also provides similar services that CyberArk provides, they are no match to CyberArk basically. The amount of details and logging that CyberArk provides is command level. That really streamlines the process of tracking those internal servers. That's one significant advantage, I would say.

CyberArk's best aspect is it lets you store the password, and it allows you to connect to those connected systems' passwords. For example, there is an AD in your organization, and you have stored the AD password. Say you want to change the AD password; you just have to change it in CyberArk. CyberArk itself will change the password in the connected system. That's one nice feature they have introduced in the latest features. 

CyberArk is not friendly in terms of having a Community Edition. It's enterprise software. They could maybe give a Community Edition that you can just play around with and see how the software is. It's a very, very costly app. 

Therefore, they can definitely give a demo version or some sort of a Community Edition with partial features at least to help potential users understand its capabilities. 

The initial setup can get complex. 

I've used the solution for about four and a half years.

In terms of stability, there are no complaints. CyberArk, I would say, is an industry leader in this portfolio, especially in Privileged Access Management. There are so many identity access management tools, and almost all of them say that they are both IAM and PAM service providers. However, CyberArk is the only one that is specifically for Privileged Access Management, and they really do mean it. With CyberArk, the PAM is really too good.

We have 5,000 users at least on the solution. 

For Privileged Access Management, it's been used extensively.

I've never dealt with technical support. I'm more of an end user in this case. We rarely have to literally dig down into the implementation. There is a different team that exclusively works on CyberArk, and that's the team that basically deals with day-to-day CyberArk operations.

In both organizations I have worked, they've used identity access management as Dell One Identity Manager, and for Privileged Access Management, CyberArk.

We basically used to have a separate Password Vault that was KeePass. 

With KeePass, there was a security incident in our organization where a few of the passwords got leaked, and then it was challenging to track how the leak happened. With all that considered, G-PAM or CyberArk Password Vault was considered the next solution to prevent these sorts of things from happening again.

The implementation process is a bit complex. If you know this software or the product very well, then setting it up is not that big a deal. However, if you're a newcomer, then of course, it's not a piece of cake. As a new user, I'd rate it 2.5 out of five in terms of ease of setup.

We started from the development stage, where the maximum amount of time was spent. In a live environment, you can't have that much downtime. Roughly you are allowed for one and half hours, or a maximum of three to four hours for downtime. In a live environment, once we could identify the clicks and hacks of the software in the lower environment, it was pretty easy to do. There, it took roughly one to one and a half hours to do, and that part was pretty smooth.

CyberArk is such a stable product that either they launch a new version, which you have to latch onto very quickly as they censored the support for older versions, and with these security products, you can't really stay along with the older versions. Usually, the products are very stable. They don't need multiple patches or updates. One version itself is self-sufficient. At least in my four and a half years of experience with this product, I have seen fewer intermittent updates. Once they launch a new version, that's a different thing. However, from a maintenance point of view, it's very user-friendly and lightweight. Even usage of the tool is very speedy. It doesn't lag one bit.

We handled the initial setup completely in-house.

This is very costly software. However, I haven't really dug into the licensing. My organization gives all its employees a free license and therefore I don't have to worry about pricing. My organization is a partner with CyberArk also. Even so, we just have one instance as a practice instance. 

I did not choose this solution, and I'm unsure if other options were considered. 

The hired architect chose it. I just had the opportunity to implement it. If he evaluated other options first, I have no knowledge of them. 

My company has various levels of partnership with CyberArk.

I'm typically using the latest version of the solution. CyberArk sunsets their older versions very quickly. They won't let you use the old versions.

CyberArk has many components. Password Vault is one of the components. Then there is the CyberArk for server monitoring and logging. These are the two components that we have used extensively. However, apart from that, there are many more applications for CyberArk also, which I haven't used at the moment.

To those considering the solution, I would say when you do the installation, to get on a call with technical support. Keep them on hold. If you are really doing it for the first time and are not aware of the software, you may run into issues.  The public forum of CyberArk is not that good. Their documentation is not that great, and it's not that well maintained. The problems that you may face are seldom covered. Therefore, when you are paying that much money for high-quality software, you can at least ask for better help from them.

I'd rate the solution nine out of ten. 

Our primary use case is to control the technical accounts used in our DevOps environnment. The primary goal was to automate to the maximum all privileged accounts used by applications. It was a big issue because al dev guys were always using the same account/password couple. CyberArk is doing this for them transparently. Through time the scope was extended to all interactive users with the target to avoid them knowing the password. The automated password change was implemented to 99% of all accounts inside the company.

Before the CyberArk implementation passwords were never changed and known by everyone. We were also not able to track who is supposed to have access to what and who did what. With the successful CyberArk implementation, we are able now to:

- Guarantee the password is known by no one or for a maximum of eight hours.

- Full visibility about who is doing what.

- Full control about who is supposed to access what.

The risk of lost password and forbidden access to resources has been drastically reduced which increased the security level for the entire company,

In order to reduce the attack surface, the automated password change was pushed to the maximum. This way we know that no password is known or not for more than eight hours. It simplified the life of the operational teams because they do not need to take care of the secrets and keep their attention to maintain the infrastructure.

What also helped is the ability to constantly track who accessed which object. We took the opportunity to change our process in order to comply it. Now the activities can be done faster with better user experience.

CyberArk lacks the following functions for a better IAM like solution:

- Provision accounts for systems and directories.

- Create access to the systems.

- Monitor if any new account has been created into the system.

- Better GUI for the end-user and also for administrators. The learning curve is quite long and requires lots of training for good usage.

- More automated process for account provisioning into CyberArk. For example when a new DB is created.

- Better documentation with more examples for the configuration files and API/REST integration.

I have been using CyberArk PAS for eight years.

The stability is very good. We never had any crash in eight years.

Scalability is good because of the big variety of modules. Except for the redundancy which is quite limited with the not live replication. Also, the speed is quite slow for application accounts.

Very good always reactive. The commercial part was more difficult.

The initial setup is complex because it requires a clear company structure which was not the case. Technically also CyberArk is hard to address at the start because of its technical complexity and abilities.

In house. Very good.

Not calculated. Users and administrators more happy than before which is the best RIO.

CyberArk is quite expensive and they should have a better pricing model.

BeyondTrust, Hitachi ID, CA.

Hard to implement and to get acceptance from the users and management. But when installed the solution is rock solid.

Our primary case is for AIM. We are a huge AIM customer, and we also do the shared account management.

We are looking into utilizing CyberArk's secure infrastructure and running application in the cloud for future usage.

CyberArk has allowed us to get the credentials and passwords out of hard-coded property files. This is why we went with AIM in the beginning. Then, on the EBB user side, we were able to secure all the server root passwords and admin for Windows. This was a big win for us.

It helps us with our SOX's controls and meeting new client directives.

• AIM
• CPM

I would like to see is the policy export and import. When we expend, we do not want to just hand do a policy. Even with exporting and importing, this will help.

So far, so good. We have not had any downtime. We do not want to jinx it.

We think it is good. That is why we moved to it.

We open the cases. We have made phone calls. We have engaged the professional services and the consulting services to help us move on.

They are mostly up to par. Sometimes, they are a hindrance, when you know you have been through the issue again, and they want to gather the same log files, start from the basics, and we already know we are past that. 

Sometimes, we just need a Level 2 person instead of starting with a Level 1 person, or we need a higher level of support on an issue right away.

We are a long-time customers, so we know what we are doing. The turnover might be an issue, because the support people are not local, or something. Therefore, it takes overnight to receive an answer back. We are hoping we can get local support. Though, recently it is getting better.

We did have one serious case, where our support person and everybody needed a vacation, then took a vacation day, but our leadership needed us to stay on top of the case. It was a day or two where we didn't get any feedback. It would have been nice to know that they were going to be off. They had to hurry and quickly to get somebody assigned to the case. That was probably our only experience there.

Our solution architects, and some of the people on that side, did the PoC and the initially implementation. Then, they handed it off to us.

There is a lot of return of our investment related to SOX compliance.

I would recommend the product. 

We have done a lot of customer referrals for CyberArk. It is good. It fits our needs, and there is not anything else out in the market that can match it.

Most important criteria when selecting a vendor: 

• Good support.
  
• Meeting the each of the requirements.
• Usability of the product.
• Ease of implementation.
• Not a lot of customization; you can get it right out-of-the-box and run with it.

It's a privileged access management tool so it helps in making sure that all privileged accounts are compliant.

The product is an important security measure against credential theft. It ensures session isolation and password rotation including pushing passwords to the endpoints. 

It's also possible to pull the password from the CyberArk to ensure that there are no hardcoded credentials in scrips or DevOps tools. 

It provides a comprehensive access control list and auditing. Reporting capabilities are extensive.

New features are being added in every release, and there are few releases a year.

Enhancement requests can be submitted by the community and are taken into consideration by the company.

As configuration options are very extensive, it is sometimes hard to find the correct and complete way of customization or specific configuration. 

The documentation is rather basic and it is missing many use cases. 

It's also hard to test solutions without a development environment as CyberArk doesn't provide the possibility to run the environment for personal purposes.

I've used the solution for six years.

The product is fairly priced. 

It's stable.

The solution is scalable. 

People are quite satisfied with the way it's working and the support we receive. 

The security is good. 

The interface is fine, although I'm not directly using it too much. 

We found the initial setup to be easy.

We would, of course, always prefer it if the pricing was cheaper. 

I've been using the solution for four or five years. 

It's stable. There are no bugs or glitches. It's reliable. It does not crash or freeze. 

We have more than 100 people on the solution right now. 20 to 30 are likely admins. 

The solution is scalable. We can increase licenses as needed. 

Technical support has been helpful and responsive. We are happy with their support. 

I can't speak to what solutions, if any, we used previously. 

The solution is very simple and straightforward. It's not complex at all. 

I know that CyberArk is now changing the pricing model to subscription-based. My understanding is renewals will be done on the subscription-based models. The pricing is reasonable. We pay annually.

The costs depend on if you were talking about the access of internal or external users. There is also an extra external fee for supporting the licensing.

We are end-users and customers. 

This is a stable, reasonably priced product. It has good security features as well. Since we received the renewal request, it's been working very well. 

I'd rate the product eight out of ten.