CyberArk Privileged Access Manager Reviews

Our primary use case is to control the technical accounts used in our DevOps environnment. The primary goal was to automate to the maximum all privileged accounts used by applications. It was a big issue because al dev guys were always using the same account/password couple. CyberArk is doing this for them transparently. Through time the scope was extended to all interactive users with the target to avoid them knowing the password. The automated password change was implemented to 99% of all accounts inside the company.

Before the CyberArk implementation passwords were never changed and known by everyone. We were also not able to track who is supposed to have access to what and who did what. With the successful CyberArk implementation, we are able now to:

- Guarantee the password is known by no one or for a maximum of eight hours.

- Full visibility about who is doing what.

- Full control about who is supposed to access what.

The risk of lost password and forbidden access to resources has been drastically reduced which increased the security level for the entire company,

In order to reduce the attack surface, the automated password change was pushed to the maximum. This way we know that no password is known or not for more than eight hours. It simplified the life of the operational teams because they do not need to take care of the secrets and keep their attention to maintain the infrastructure.

What also helped is the ability to constantly track who accessed which object. We took the opportunity to change our process in order to comply it. Now the activities can be done faster with better user experience.

CyberArk lacks the following functions for a better IAM like solution:

- Provision accounts for systems and directories.

- Create access to the systems.

- Monitor if any new account has been created into the system.

- Better GUI for the end-user and also for administrators. The learning curve is quite long and requires lots of training for good usage.

- More automated process for account provisioning into CyberArk. For example when a new DB is created.

- Better documentation with more examples for the configuration files and API/REST integration.

I have been using CyberArk PAS for eight years.

The stability is very good. We never had any crash in eight years.

Scalability is good because of the big variety of modules. Except for the redundancy which is quite limited with the not live replication. Also, the speed is quite slow for application accounts.

Very good always reactive. The commercial part was more difficult.

The initial setup is complex because it requires a clear company structure which was not the case. Technically also CyberArk is hard to address at the start because of its technical complexity and abilities.

In house. Very good.

Not calculated. Users and administrators more happy than before which is the best RIO.

CyberArk is quite expensive and they should have a better pricing model.

BeyondTrust, Hitachi ID, CA.

Hard to implement and to get acceptance from the users and management. But when installed the solution is rock solid.

So far, CyberArk has done everything that we've needed it to. We are growing and moving into the cloud. We have a pretty complex environment. Everything that we've needed it to do in terms of managing our privileged accounts, it has done.

We have been able to really transform how all of our sysadmins manage all our infrastructure. Before, it was like the Wild West. Everybody was way over privileged and had access to everything all the time. Now, we finally have everybody into least privileged and auditing through PSM, which has been fantastic. We also have implemented dual control and just-in-time. So, it's moved the ability to manage a lot of our privileged users to where we need them to be.

CyberArk has been easy for us to implement and the adoption has been good. We've been able to standardize a bunch of things. We've been able to standardize relatively easily with the use of the platforms and managing the policies.

I like how thorough and complex it is. We have a solution, and it meets the needs that we need.

The most recent improvement with the user interface upgrade was really nice. It makes the end users very happy. It is way more intuitive. The information that they need to have is now available to them. So, I appreciate that as an update.

The user interface was a previous problem that has been overcome. 

We have implemented our own redundancy into the product. That has worked for us very well.

We have been able to find a nice process for implementing CyberArk in terms of user adoption and onboarding. It's been pretty slick, and it works very well for us.

We were lucky to have a board of directors who really embraced security. With their support, we were able to establish the need for a PAM solution. 

When we originally implemented CyberArk, we did so incorrectly. With the help of CyberArk Professional Services, we were able to reorganize, reinstall, and upgrade within a week, then apply best practices to the implementation of CyberArk. So, I would say that it took us about a week to get setup correctly.

At first, the integration of CyberArk into our IT environment was a bit rough. People didn't want to give up the rights and privileges that they had. But, we were able to show them how easy it was for them. We even layered in multi-factor authentication to access the accounts that they needed, which were privileges for appropriate functions. Once we were able to show them how they could quickly and smoothly get the access that they needed, it was not a bad thing, as they found out.

The return of investment for the CyberArk implementation within our organization has come from the reduction of risk. That is a little tricky to quantify, but it's definitely there. 

We have improved our processes in terms of efficiency when it comes to creating accounts, managing the privileged ones and providing the correct access at the right time.

After evaluating several vendors, we found that CyberArk met our needs.

I would rate CyberArk an eight point five on a scale of one to 10 because it has done everything that we have asked of it. There is a bit of a learning curve, but it's a pretty complex solution. They do have ways to make it easier, but it's easy to fall down the rabbit hole when you're going into a deep dive. However, if you follow the trail, you will find some pretty cool stuff.

An example of one of the ways CyberArk has benefited our company is one of the simplest. And this one is something that a lot of companies struggle with: domain administrators and server administrators. These are among the top accounts that most companies need to protect. As part of our deployment, we decided to go with these first when we deployed PSM.

What we found out was that there's always that friction with operational teams where they don't want to do this kind of work because it is another thing they have to do. But once the product was deployed and we were able to give them all the tools that they have today, and they did not have to go through attestations and audits anymore and, when team members were coming in and leaving, all they had to do was put in a ServiceNow request to complete all the work, it was just something so different for them that all that friction just went away. It was one of those simplest things, but one of the biggest things that you can do in your company to protect it.

I don't know if CyberArk really helps with meeting our availability requirements, but it definitely helps a lot with managing the accounts and managing the credentials. Availability? It helps to an extent. If there is an event of some sort, yes, you can always go back and look at the logs and you can figure out through recordings what happened. But it's more about manageability than availability.

In addition, when we started with RPA, there was a requirement that every credential and the bots themselves be protected through the PAM system. From the get-go, we've had CyberArk in the middle. We use standard products for RPA and all credentials are managed through CyberArk. All bots are protected via CyberArk, through PSM, and also through CCP calls. We've got a pretty robust RPA implementation with our PAM platform. Users, bots, the credentials — everything is managed via our PAM solution. From a cost perspective, this was something that was a requirement, so cost was never really an issue here.

The solution's ability to secure robots’ privileged access is pretty good. We've been able to secure our bots. In fact, we take care of our bots right from a development environment, using our development instances. So when our developers are building the scripts around those bots, they're already aware of what's going to happen when things finally go into production. Obviously, the level of security doesn't need to be the same, but we do it through the complete lifecycle.

PSM has been one of the most valuable features. We started on this journey a while back. Initially, when we did not have PSM, we started with AIM and that was our first use case. But an audit came along and we had to go towards something a little bit better and we had to migrate more applications. PSM came along and did exactly what we needed it to do. To take care of all the deficiencies that we had, PSM was the right thing to do.

We work with CyberArk's customer success team and we work with its engineering team back in Israel. We've been doing things on CyberArk which a lot of its customers, we know, have not been doing.

The one place where we found that this product really needs to improve is the cloud. Simple integrations don't exist, even today. We don't have anything specific on CyberArk for managing SaaS products, SaaS vendors, and SaaS credentials. I understand it's a vendor-based thing and that they have to coordinate with the other vendors to be able to do that, and there are integrations coming, but these are the major places where CyberArk definitely needs to invest some more time. Because this is what the future is. You're not going to have a lot of on-prem applications. Most stuff is going to the cloud.

Not every product is 100 percent stable. CyberArk does have some issues once in a while. But the core product, the vault system, has been extremely stable. We haven't had a single problem since we got this thing deployed, and it's been more than six years now. We've not had a single problem with the vault. 

Related to the software, there are other things that can cause problems. You could have clusters going down or you could have issues with hardware, but the product itself has been very stable. 

There are the usual quirks you have sometimes with PSM, but it's been a very stable product for what we need it to be.

In terms of the product's ability to manage all our access requirements at scale, about 80 percent of it can be managed. There is no product in the market which can say, "We can do 100 percent, we can do everything." Or, they say that they can, but when it comes to it, it doesn't really happen. But with CyberArk, we've had the benefit of it being a little scalable, plus very easy to configure for the different use cases we have. So we can cover around 80 percent. But then we have to put some compensating controls around the other 20 percent.

It has scaled for our use cases. We built it according to the very large specification and it has scaled. It has done exactly what we need it to do. We've not yet had a performance issue to date.

We've had good relationships with their technical department. My team usually does more engineering. We work with CyberArk's customer success team more often than the regular technical support. My operations team usually deals more with tech support.

When it has really come down to major issues, if we've ever had a Sev 1, they've been on point. They have picked up the phone, they've called us and they've helped us.

We did not use a different product. We had an in-built vaulting system for managing our own credentials. We've been a CyberArk customer for a while. We had the document vault. Privileged Access had just come out and CyberArk was one of the easiest choices we could make at that time. That's how we decided to go with it.

The initial setup was not straightforward. The very first setup that we did was specifically for AIM, which was obviously simpler. We had an in-built vault which we replaced with the AIM setup. 

Our PSM setup was very complex. We had about 450 applications that we had to onboard over a period of one year, and we had to remove close to 16,000 accounts. It was a very complicated setup. We built close to 35 different connection components to get this product in.

The total cost of ownership, over credentials, is definitely something that goes down if you have a vaulting system. But if you have deployed it correctly, that's the only time you can get that. We've definitely seen some improvements. There are additional costs associated with getting every application onboarded, but in the long run, it keeps the company secure and I don't think you can put a price on that.

We use the solution with AWS. In fact, we set up a custom setup for AWS. We worked with the CyberArk engineering team to get it working, to come up with a custom solution to integrate our AWS EC2 instances. There were some limitations, as I mentioned earlier, with how the product integrates with AWS, so we had to make some major changes to how the integration works. As far as monitoring is concerned, it's standard CyberArk monitoring. We don't see anything specific to AWS, as far as the monitoring is concerned. This is the one place where CyberArk can improve.

Privileged access management is one part of IM. Anything that goes through has to get approved through the IM team, and our product of choice for privilege access is CyberArk. When we decided to go to the cloud, this was the natural choice because this was the product that the enterprise uses. We've had challenges. We've had to customize the product to meet our requirements. It might not be the same for every customer because our requirements are a little unique. But it eventually worked out. We've been able to meet most of our use cases.

CyberArk is an eight out of 10. It can do a lot. But there is definitely scope for improvement.

I come from the IM world, but I was more into access management. CyberArk was just one of those products which was thrust on me. Now I'm head of privileged access management, so CyberArk has been pretty good for me, going from the access management space to privileged access management. It's definitely had an impact on my career.

We're a small IT shop of a few hundred people and the company has only a couple of thousand employees. We had some SharePoint workflows that people had used to get access via submitting a ticket. We had updated those processes by using some DevOps, some JAMS jobs that run in Azure, and they were breaking frequently. We have gotten people to understand now that they can just go to CyberArk. They don't have to submit a ticket, they don't have to go through a workflow, they don't have to put in the right server name or wait for an approval. It's just there. People really like that.

The solution standardizes security and reduces risk-access across the company. It's what the solution does. It's just a requirement. Standardizing access is taking away the "onesie-twosies." With the DNA scan, you're running a full report of everything on all your servers that you're targeting, or all the servers period, and finding those onesie-twosies accounts and getting rid of them. Standardizing and making local accounts on the servers, accounts that have least privilege and that don't have access to anything else, and giving people only that access when they log onto a box; that's pretty cool standardization.

In terms of being able to have a quick win using the solution, we were given a ridiculous deadline to meet an external customer requirement to have privileged access management in place within a couple of months. That was to include signing the purchase order, getting it installed, and having it up day one to take in what we thought were 17 servers. Actually, we found out it was 53 and, two weeks after we had it running, we found out there were upwards of 60 to 70 servers. Getting all those servers in, the accounts in place, by the deadline — even just installing it — was all an immediate win. People said it couldn't be done.

Right off the bat, the most valuable feature is the DNA scan. It gives us the ability to scan our environment and find the accounts that we're going to need to take under control.

We're quite new with CyberArk. We've just installed it this past summer and we've taken off with the Microsoft tier model. Tier 0 is our domain admin accounts and our local admin accounts on some applications are specific to SOX requirements. That's been amazing. It's basic-use PAM, but it's been really fast and easy because of the DNA scan. We knew what was there and we were able to go find who owned those accounts. Step one, step two, step three are really easy.

We're pretty excited about Alero, the third-party access management. As a small company we lean on vendors quite a bit and we do that in multiple areas. That's going to be a big one for us. It's just gone from beta to production. It's one of those things that's on our roadmap, but being so new to the toolset, we're just growing into the tool. We're not quite there yet.

The product has been around forever. In a way, it's a bit old-school. I came from a Windows Server environment, so I get how it's built. It's INI files, it's apps that run on Windows Servers. I'm sure there are other ways that it runs, such as in the cloud as well. There are other directions. But the base of the product is old-school. It just works. So the stability is there. My new engineers can do the install, they can understand how it works. It's quite stable.

In terms of scaling, we're not there yet. We have a number of offices, we're a small company but we're spread globally and we're installing servers in Brazil. We also have servers in London, so we can scale geographically quite easily because it's applications running on servers. There's also a DR capability, having those vaults where needed, so we can scale that way.

There are a lot of new things coming out about endpoints, and third-party management is going to be big. We can scale geographically and we can scale outside of our borders and that's going to be cool.

We had no PAM program when I came to this company.

The initial setup is very straightforward. It's well-documented. We sought to have external advisors and third-party consultants help, in addition to CyberArk's help, because we had such tight deadlines. We were installing multiple environments with a turnaround in weeks and had to complete the training at the same time. Junior engineers were coming in and they could walk through it. We found out that it's almost self-doable. But that's probably not advised in any solution. The help was appreciated but it's straight-away easy.

In a previous life, I worked with TPAM, Quest products, and Safeguard. We evaluated five different toolsets when it came to my new role here — all the major players. The last two were Quest and CyberArk and I had a strong relationship with both groups. A lot of it came down to dollars and cents, but CyberArk also had that marketplace that told us that we could do certain things out-of-the-box. That was very important to us, enabling us to get stakeholders' buy-in: strategic alliances within our customers or the companies that we own. We got them bought-in to the idea that they were going to be using this tool. It came down to the marketplace.

I'd never ever rate anything a 10. I'd probably never rate anything a one. I'd rate CyberArk as 7.5 out of 10. We actually did surveys of all the people that saw all the demos of all the new solutions we looked at. CyberArk was a seven or eight consistently, from all the people who watched it. The benefit of it is it's stable, it's old-school, it just works. The downside is that it's a big program. To scale excessively, locally, on an on-prem application, takes a lot of servers. Those are the highs and lows. It could be amazing if it all ran in the cloud, but that wouldn't be possible.

I started as a PAM engineer eight years ago. Learning PAM and understanding how it protects people and being the liaison who needs to take passwords away from engineers is really tough. But it put me in a good spot. I grew from a PAM engineer to an identity engineer to identity team lead to identity manager. Within the last year-and-a-half, I came into this company because of a PAM role. They hired me as an identity manager because I knew PAM and because I had a relationship; I was working on bringing CyberArk in as part of my previous role and they wanted me to come in and do that same evaluation here. So knowing CyberArk got me my job and, within three months, they said, "We don't need just one team like this doing these assessments. We need multiple teams. So you're an associate director." I said, "Thanks, I don't want to do that. I just want to play with PAM."

Previously, we used to share passwords for service and normal admin accounts among team members. However, since we started managing it through the product, we've transitioned to individual admin accounts or implemented dual control for shared accounts. With dual control, exclusive checking and checkout options are available, and passwords are not stored in clear text anywhere in the credentials.

The solution's most valuable features are automatic password rotation, privilege manager, and secret manager. Previously, IT personnel had admin rights on their regular accounts, allowing them to log in to domain controllers. However, this posed a security risk as compromised accounts could grant unauthorized access to domain controllers. To mitigate this risk, we implemented separate DA accounts for IT staff. These DA accounts were restricted from logging in to domain controllers and did not have associated email addresses. They were dedicated AD accounts solely for accessing domain controllers, and the solution handled their management.

Previously, manually rotating admin credentials was a time-consuming task. However, implementing the tool's automatic password management feature has made this process easier. We've configured defined policies within the solution to dictate when these credentials should be changed.

The tool's UI has bugs and lags. It needs to be improved. The deployment process can be complex due to multiple components for various functionalities, each requiring separate infrastructure management. To simplify this process, consolidating all these components into a single platform could be beneficial. The product's pricing could be cheaper. 

I have been using the product for eight to nine years. 

I rate the product's stability a seven out of ten. 

I rate the tool's scalability a seven out of ten. 

The tool's support gets worse each year. Support is outsourced to smaller companies, which doesn't work fine. Its support was good eight to nine years back. Over the years, it hasn't improved but degraded. 

Negative

I work with BeyondTrust. BeyondTrust's UI and support are good and never lag. BeyondTrust is also cheaper. 

CyberArk Enterprise Password Vault's implementation timeline largely depends on the size and complexity of the infrastructure. A smaller infrastructure with around a thousand servers can typically be implemented within a week or two. However, the implementation process may extend to four or five months for more extensive infrastructures with tens or hundreds of thousands of workstations and accounts. The tool's transition into a security-focused product necessitates strong integration with security orchestration platforms. Prebuilt packages with ready-made integrations are required instead of developing everything from scratch. It lags in automation. 

We have seen 40-50 percent improvements after using the solution. 

I rate the product a seven out of ten.

We use the solution for password vaulting, password rotation, session management, and secret management. 

CyberArk Enterprise Password Vault must incorporate connectors for password and session managers in the marketplace.

I have been working with the product for seven years. 

The product is highly stable. 

CyberArk Enterprise Password Vault is highly scalable. My company has over 3000 users. We use it regularly. 

CyberArk Enterprise Password Vault's support quality is good, but there are delays. 

Neutral

I rate the tool's deployment an eight out of ten. Experienced engineers can complete the deployment in a few days. We need three to four resources to complete the deployment. 

CyberArk Enterprise Password Vault reduces risks. 

I rate the tool's pricing an eight out of ten. 

I rate CyberArk Enterprise Password Vault a nine out of ten. 

To securely manage privileged accounts within the enterprise and automate password compliance where possible. Bringing multiple account types all into a single central repository with an intuitive user interface has greatly improved our security standing. Instead of managing each account in its disparate location like Database, Active Directory, LDAP, and Mainframe, we can now do it from a single solution. This has enabled great strides in standardizations across account types for password and access management.

CyberArk has enabled my organization to monitor and manage privileged accounts in a secure manner while also giving the ability to adhere to password compliance automatically. CyberArk has helped us to remove hard-coded credentials in applications and scripts. Traditional password policies often fall short of providing adequate protection, but CyberArk's PAM has allowed my organization to set robust password policies that require a combination of uppercase and lowercase letters, numbers, and special characters.

AIM has been a great help in automating password retrieval which removes the need for hard-coded credentials. Hard-coded credentials are a risk to organizations as they are easy for attackers to target. Therefore less hard-coded credentials increase the security stance of the enterprise. We have greatly utilized the out-of-the-box usage automation like Windows Scheduled tasks and password config files. The reconcile feature is another must-have to give users the ability to not only change their password but to unlock it as well where needed. 

CyberArk's Privileged Access Management (PAM) stands out as an industry leader, and it is often considered at the top of its class. This comprehensive solution has consistently delivered robust features and innovative security measures that make it an essential component of any organization's cybersecurity strategy. While no system is without room for advancement, CyberArk has continuously demonstrated its commitment to innovation and improvement, and many of the potential areas of improvement are already being actively addressed.

I have been using this solution for 13 years.

This solution is very stable with the ability of satellite vaults and HA.

CyberArk is incredibly scalable. Make sure to check out the unlimited option.

Excellent service and quick responses with engineers who understand the product.

Positive

We started out with CyberArk. When we started to look into using a PAM solution they were the leader in the space (and still are).

For the time saved and security added, the benefit far outweighs the cost.

Check out the unlimited model as it can save money and make for a more scalable solution depending on the size and needs of your organization.

My company evaluated other options, but I was not with the company when this occurred.

Contact the professional help for a demo, and you will not be disappointed. Even if you do not choose CyberArk, they can help identify current security gaps.

We currently employ CyberArk Privileged Access Management, which involves extremely complex processes for ensuring the secure management, verification, and guarantee of credentials. Implementing the professional installation tool represents another challenging aspect of this task.

The most valuable feature of CyberArk Privileged Access Manager is privileged threat analytics.

The support could improve for CyberArk Privileged Access Manager.

I have been using CyberArk Privileged Access Manager for approximately three years.

The solution has high availability.

CyberArk Privileged Access Manager is highly scalable. When compared to other solutions it scales well.

I plan to use the solution more in the future.

The issue of technical support is crucial, as there are not many specialized partners available in Brazil to provide this service. While English language support is of good quality, there is a significant shortage of partners capable of meeting the demand locally.

The initial setup of CyberArk Privileged Access Manager is easy.

We have received a high ROI using CyberArk Privileged Access Manager.

The price of the solution is reasonable.

I rate the price CyberArk Privileged Access Manager a seven out of ten.

Individuals who wish to utilize CyberArk should be cautious when selecting a partner to implement the solution, as proper architecture design is essential to ensure a streamlined and effective implementation.

I rate CyberArk Privileged Access Manager a nine out of ten.