CyberArk Privileged Access Manager Reviews

Our primary use of CyberArk Privileged Access Manager is to bring control on to the privileged access. For a while, there were individual IDs having privileged access. We wanted to restrict that. We implemented the solution so that it can be more of internal control. We can have session recordings happening and reduce our attacks.

There are two main ways CyberArk Privileged Access Manager Server Control has been helpful to us.

1. Any administrator using his own or her own ID and password to connect to the server or the domain that has been removed and the credentials for accessing the domain or the servers has been locked down into the password wallet, the access to it is controlled now through that group. Now we know who has access and what kind of access. Also, we control access through tickets. Unless there is an approved ticket, an administrator cannot just log onto a server and make changes. In this way, we are ensuring that an attack cannot just steal somebody's ADID and get into the server and create problems.
2. Through the application and team managers, we have removed the hardcoded user ID and password in our applications. Those are now in a password vault that is not known to anyone. The vault knows and changes the password, then connects the applications to the database.

The features that we find most valuable are:

• Enterprise Password Vault
• Privilege Session Manager
• Application Manager
• Team Manager

These modules help us in locking down the credentials, rotating passwords automatically without us having to worry about it, isolation of servers from the user machine and availability of privileged session recordings for us to check on demand.

I think that the connectors, the integration pieces, the integration to ticketing system. This is something which is not meeting our requirements via out-of-the-box solutions, so we have to look for a customized solution, that could be improved.

Integration with the ticketing system should allow any number of fields to be used for validation before allowing a user to be evaluated and able to access a server.

Additional features: We are looking at the connectors. The connectors to be more robust and provide more flexibility for out-of-the-box implication.

It's quite stable so we've not faced any problems so far and it's been working smoothly for us. Initially, there were some technical issues, disconnections happening, and the slowness was there, but we've been able to overcome those challenges. Now for the past 15, 20 days, it's been running smoothly.

The software is scalable enough, so if we want to add more domains, we can just go ahead and do it. I don't see a challenge with that. There are a couple of other parts of the solution that we are not rolling out, but we'll be doing that.

The support has been good. Turnaround times have been okay. They have not been immediate, but they do respond in a few hours, or in a day.

We didn't have a previous solution at the time.

AIM was a complex piece, but the install was straightforward. It took us around five months.

We went with an implementation partner for the deployment which included a number of admins. Currently, there are around 60 users but they are going to be 150 plus in a month or so.

We want the implementation partner for supporting it for the next three months, and then we will make the call whether we want to continue with them or maybe our resources should be good enough internally to support it.

The cost and licensing fees of the software are fairly reasonable.

There were a few competitors we evaluated like CA Technologies, Arcos, Oracle, and Microsoft.

My advice would be to plan ahead of time. Put up the plan for all the modules that you are going to implement. Look at what the dependencies of those are and plan for those dependencies in advance, then start the project.

Especially where it is the application identity manager, the AIM part, which is not only dependent upon the implementation partner but also the customer dev team to make the changes.

That's what makes it critical to plan ahead, ensure all stakeholders' commitment of their time and support, then start the implementation.

I would rate it nine out of ten.

It provides a tamper-proof solution for privileged accounts and third-party access to corporate assets.

We have different teams that hire out consultants from various vendors. For those consultants, there was a challenge in providing access to our critical infrastructure. CyberArk PAS provides isolated and recorded sessions for third-party/outsourced admin access. 

Automatic password management based on a strong password policy. Because still, many people choose not strong enough passwords for administrative accounts.

The product should be improved in order to support more platforms. It will be awesome if google cloud API keys are being supported like AWS and Azure.

Pretty scalable in the sense of PSM and storage.

No, we didn't use any.

Yes, there was a POC which took place among BeyondTrust, Thycotic and CyberArk.

Our primary use case of this solution is for elevated access.

The primary improvement to my organization is the fact that now the users are aware that: one, the work that they do will be recorded and so there will be an audit trail of what has happened; and then, two, we don't have to worry about people sharing passwords because they are given out on a case by case basis.

• Session recording 
• Password rotation

Some folks would like to have keystroke tracking and some would not. I guess if they could make that an option that might be interesting for certain organizations.

Scalability and stability are both excellent. We have around 250 users. All individuals with privilege to elevated access will be required to use this after a certain amount of time.

Thus far technical support is excellent. We haven't had any issues or difficulties.

The initial setup was pretty straightforward. Deployment took approximately six months. For the deployment, there was a group of about five to six individuals. For sustainment, we just have gotten into a training mode and we will have our support team giving them assistance.

I would rate this solution a 9.5 out of ten. To get it to a ten it should give other possibilities to select if you could follow the keystrokes. It should have a flexibility with things in which people can use it a lot faster.

The main usage of our implementation is to limit the credentials exposure to our third-party teams. They are able to connect to the end-points in a secure and isolated manner without needing to know any end-point credentials.

Our third-party teams are able to connect to the end-points in a secure and isolated manner without needing to know any end-point credentials. Besides this, end-points themselves are back in control when the passwords are managed by the CPM.

The two main features are the CPM and the PSM. This is to make sure that the credentials are managed in a controlled manner and the sessions that are launched are set up in an isolated way.

We are aware that in 10.6, the "just in time" access has been created. I would like to see this developed further.

The vault is almost a set-and-forget solution. Once the vault has been installed and configured, not much needs to be done in there apart from the occasional upgrade.

The environment is very easy to scale out. Especially running the CPM and PSM components in a load balanced virtual environment gives you the flexibility to quickly expand the environment.

This has been excellent for me. They always replied quickly, and most of the time the issue was resolved. The only downside — as soon as a ticket goes to the R&D engineers, you will have to wait a bit.

We did not use a PAM product before this.

The initial setup (for a UAT environment) was straightforward. During the planning of the PROD environment, it became a little more tricky with different network segments and method for accessing the environment itself.

We had a combination of in-house (with training), vendor (CyberArk) and third-party vendor. The third-party vendor Computacenter helped us with creating some design and documentation. I would not recommend this third-party to other people as they did not fully work with us and listen to our requirements.

We are still rolling out in our environment which makes the ROI difficult to calculate.

Make sure to use the latest licensing model as that will give you most of the "cool" features to work with.

One of the most important aspects is to ensure that the business is behind the solution. CyberArk suite will only work well if all users adopt the system.

Privileged account access into customer environments.

A higher level of password rotation and usage auditing.

• OTP
• Session recording
• Auditing
• It takes away all ambiguity around "known" admin accounts.

The native PSM components are really good, however, if you have to apply environmental tweaks to an application launch, custom AutoIt scripts are needed. 

Options for specifying drive mappings or script execution without the need for AutoIt based scripting in the native components would be good.

We are using the solution for privileged account management. (Rotation, session isolation, checkout, etc.)

Accounts are managed, passwords change frequently, and we have better audit logs! When something happens, there is a better chance you can determine the who/what/where/when/why of the situation.

The vaulting technology as well as the privileged session management: Having the vaulting tech ensures that the credentials are secure, and PSM ensures that the end user can perform needed tasks without knowing or needing the credentials.

A greater number of out-of-the-box integrations with other vendors: They are working on it, but more is better!

Rock solid! I would say it is, set it and forget it, but the vendor keeps on top of upgrades and enhancements.

It seems to work well for any size of organization, or any size of deployment in my experience.  

Pretty straightforward, a lot of time will be spent on the initial engineering phase where you determine how you want to use the solution, naming requirements, admin accounts, etc.

As with everything, try before you buy. Get a trial licence, set up a demo environment and see if it meets the use case for your enterprise.  

• PAM interface for staff to support customers which may include CyberArk solutions of their own.
• Managing large environments with varied and diverse environments.

Improved our user access and tracking, thereby safeguarding the organization and its customers. Being a user makes us a better reseller.

Shared-service accounts reducing the number of potential entry points as well as the ability to standardise our PAM across a diverse estate.

Multi-tenancy vaults should really have the same release cycle as single tenancy vaults; this will enable us to meet even more customer demand. We are striving to be at least on the latest release minus 1 (n-1) and for us to run both Single and Multi-Tenant core systems the difference in release cycles will result in a wide gap. Considering the considerable changes including user interface we have seen recently, the one concern is that we may end up with users having different interfaces to deal with different customers. 

Very stable with no own goals in three years.

Scalability is very good.

We get excellent feedback from customer service, irrespective of the level of issues raised.

Yes, we decided to change to CyberArk in line with our strategic intent to provide as safe a central and customer environment as possible.

Initial setup was complex and time-consuming but the later versions are a lot faster to implement.

We implemented through in-house specialists.

Standardised offerings that allow for customer-specific flexibility.

Primary use case: having privileged access management and ingress into customer networks and infrastructure.

The auditing and recording functionality along with stringent password-change policies and one-time password use has made compliance with customer requirements a much clearer and easily managed process.

• Recordings
• Exclusive use, and 
• OTP. 

There can be no ambiguity: An account can only be in use by one single known user, and they have no knowledge of the password.

Functionality to enable drive mappings to platforms and default connectors without the need to use AutoIt.