CyberArk Privileged Access Manager Reviews

Our primary use case for the solution is to support privileged identities.

The password management feature is valuable.

The solution can be improved by including more connectors to other third-party systems for integration.

We have been using the solution for approximately five years.

The solution is stable.

The solution is scalable. Approximately 150,000 people are using the solution.

We previously used One Identity.

The initial setup was a bit complex.

We deployed the solution in-house.

We have seen a return on investment. The solution makes our procedures better, making the environment more secure and changing the mindset of people. 

I rate the solution a seven out of ten.

Our clients primarily use the CyberArk Password Vault for password rotation and password management.

The feature I find most valuable is the password credential rotation.

With regards to potential improvements for the CyberArk product, I find the product quite expensive and I would like to see the cost reduced. 

I have been using CyberArk Password Vault for 8 years. 

CyberArk Password Vault is super stable once you are on a tried and true platform version. 

The product is also easy to scale. 

I have utilized CyberArk technical support for issues and this was very straightforward to work with. The response time was a little slow. 

I have previously deployed and installed Thycotic as an alternate password vault solution, but I find CyberArk to be much better.

With installation of CyberArk Password Vault, there are some complexities to setting it up, I would say it is not straight forward to setup. 

We use CyberArk Enterprise Password Vault and we provide it to our customers.

We use this solution for password vaulting and session management.

The most valuable feature is privileged session management.

The installation process could be simplified.

I would like to see a simplification of the product.

I have been dealing with CyberArk Enterprise Password Vault for ten years.

Depending on the needs of the client, it can be deployed both on-premises and in the cloud.

CyberArk Enterprise Password Vault is a stable solution.

CyberArk Enterprise Password Vault is scalable.

We use Teams for virtual meetings and storage, with SharePoint serving as the backend.

I've never liked the idea of using Zoom because the security was never great.

The installation is not straightforward. It's complex. You would have to be very knowledgeable about the product to do this.

We need two to three administrators to maintain this solution.

Licensing fees are paid on a yearly basis.

Our laptops are containerized, we don't see what antivirus is on there. Our organization strips out all bloatware. If it is not sanctioned or proprietary, we don't use it.

Try to complete as much of the CyberArk training as possible.

 I would rate CyberArk Enterprise Password Vault a nine out of ten.

We use it for storing and rotating passwords.

Within our organization, a lot of people are using this solution for a lot of projects. We have already implemented CyberArk as a SaaS solution. We are not using the core parts, but we are using the software as a service for a project.

At my previous job, there was a team of seven people who were in charge of maintenance. Mostly analysts, senior analysts, and a technical lead used this solution. 

It completely depends on the requirement. For some of the RPA robotic types of user identity, we prefer for it to happen in an automatic way, but some of them are highly critical, so we don't do it automatically. As for the end-user experience or expectation, if they want to change it at their end, they can do it.

I don't see any problems because it's highly secure and very flexible. It gives us all types of storage options and it gives us a high level of security. From my experience, overall, I don't see many problems that need to be rectified.

The only problem involves granting access to people who are authorized to view it. This user management area is the most critical. We have to constantly check on that area and we have to review and give proper access. Nobody should have more access than they are authorized for.

I have been using CyberArk Enterprise Password Vault for eight years.

It's scalable at the component level. If you want to add some of the latest components, or if you want to implement biometrics or MFA, this solution can handle that — it's very easy to implement.

The tech support is amazing. If you have any issues that you need help with, the CyberArk support team reaches out very quickly, depending on the criticality of the issue. If it's critical, they will reach out to you within hours.

The vendor support is really good.

The initial setup is quite straightforward. These days they have an automatic script — It is much less time-consuming.

We used to do it manually which would take almost two to three hours in total.

We did it in-house. I'm certified in CyberArk; I've also installed it for clients as well.

The licensing plan is either six months or one year — it's not on a monthly basis.

Every company will have a different license fee, but ultimately, it comes down to how many users you want to manage and how many companies you want to support. If you want three CPMs, then you'll need licensing for three. It's per-company, license-based.

I am currently evaluating other solutions. A few of them do not support PTA. Some of them don't have DevOps properly managed. Others don't give you the DNE facility, which is free of charge with CyberArk.

I would definitely recommend CyberArk Enterprise Password Vault.

On a scale from one to ten, I would give this solution a rating of eight.

Primary use case is storing and rotating local domain admin credentials for Windows and Unix network devices.

We're using CyberArk secure application credentials and endpoints on a small scale and we're planning, for the future, to use CyberArk to secure infrastructure applications running in the cloud. We don't have experience using the Plugin Generator Utility.

It is performing pretty well for the most part. We have some issues with RADIUS authentication, some bugs with that. But, generally speaking, it works really well.

The benefit is knowing where your accesses are, who has access to what. Additionally, obviously, it provides improved security around having your credentials locked down and rotated regularly.

Credential rotation. It's tops.

I'd like to see a more expansive SSH tunneling situation through PSMP. Right now you have an account that exists in the vault and you say, "I want to create a tunnel using this account." I'd like to see something that is not account-based where I could say, "I want to create a tunnel to this machine over here," and then authenticate through the PSMP and then your tunnel is set up. You wouldn't need to then authenticate to a machine. Then you could go back in through your native clients and connect to that machine. Also, to have that built out to include not just Unix targets but anything you'd want to connect to.

The stability, overall, is really good, outside of some of the RADIUS problems that we're having. Generally, it is very good.

The scalability, sometimes, is lacking. It works really well for more static environments. I've been at places that had a really static environment and it works really well. You've got X number of CPMs and X number of PVWAs in your vault and everything gets up and going and it's smooth sailing. But for an environment where you're constantly spinning up new infrastructure or new endpoints, sometimes it has a hard time keeping up.

Technical support actually works really well. From time to time there can be some issues as far as SLAs go. Sometimes results will be on the back end of an SLA, which is still fair. It seems like you're complaining that it's "one to three days" and it's three as opposed to one, which is an unfair criticism. 

Generally, everybody is pretty knowledgeable. They're pretty upfront when it needs to be passed off to somebody else. That usually happens in a pretty timely manner.

I have been involved in the initial setup elsewhere. It's actually really straightforward, depending on what you're trying to do. If you have a simpler environment, to set up a PVWA and to set up a vault, is straightforward. It's all pretty much there in the guide. Sometimes the documentation gets a little bit out of sync, where things aren't exactly as they should be but it's always really close. Generally, the documentation is good and straightforward.

I'm not the right person to answer questions about ROI for our organization.

Engage with Professional Services, not just for help with, "Here are the buttons to click," because they've been really helpful as far as how we would want to implement things.

Our most important criteria when selecting or working with a vendor, outside of the product being good, are reliability and timeliness of response. Those are the two big things. I think CyberArk does a pretty good job on these.

I rate CyberArk at eight out of 10. I think the solution, as released, is usually very good. When something comes out, it's generally airtight and works as advertised. However, sometimes they are a little bit slow to keep up with what's coming out. In 2017, for example, they released support for Windows Server 2016, which had been out for a year or so. There is probably some tradeoff that is required to keep things so airtight, by holding back a little bit. But that would be my one criticism: It's slow to keep up, sometimes, with updates.

With the ability to better control access to systems and privileged accounts, we no longer need to manage privilege accounts per user. We are able to manage privilege accounts for the service, which is automatically managed by the CPM as part of the solution. Allowing access to systems by group membership, via safe access, makes controlling actual access much simpler than traditional mapping via the Active Directory.

• The ability to isolate sessions to protect the target system.
• Automates password management to remove the human chain weakness.
• Creates a full audit chain to ensure privilege management is responsibly done
• Creates an environment in which privilege accounts are used, without exposing the password, on target systems.
• Performs privilege functions, without undue exposure, whilst maintaining the ability to audit, where anything suspicious, or unfortunate, may have occurred.

The web interface has come a long way, but the PrivateArk client seems clunky and not intuitive. It could use an update to be brought up to speed with the usability of PVWA.

Whilst the client is completely functional, it's been around for a long time and is reminiscent of XP, or even Windows 95. It could use an aesthetic update, with some of the wording and functions needing to be updated to be more representative of what is found in similar configuration from within the PVWA.

To go into more detail- The old PrivateArk client is simply that, old. Looking at the recently released Cluster Manager quickly reminds us of that. Also, the way in which objects are handled within the old client is similar to how objects were handled in older versions of Windows. The PrivateArk client could do with easier to follow links to configuration items and the ability to perform searches and data relevant tasks in an easier to follow process, there may even be room for inclusion of the server management component (lightweight even) and cluster manager components to be made available via the same client, should permissions permit such. As much as the client remains stable and functional, I believe it is time for an update, even if only aesthetically.

Some improvements could be made to the PSM service. However, this could also be a problem with how Microsoft RDS functions, rather than the PSM services.

This product scales amazingly well.

Technical support works with customers and partners to resolve issues in a timely way.

No previous solutions were used.

The manual reads like a step-by-step guide. The installation, although complex, can be achieved by following the installation guide.

I don’t work with pricing, but licensing is dependent on the needs and requirements of each customer.

We evaluated alternatives, but nothing compares.

Make sure you understand your business objects and your technical objects. Plan to scale out to the entire organization, but start small, and grow organically.

Auditing and control are the most valuable. You can control password management almost to the max, giving you, your users and your auditors great flexibility without compromising security.

The auditing and control is more valuable to the enterprise than to myself. Apparently one of the overseas offices was able to track and identify misuse of a privileged account. In addition, it is heavily used during the periodic user/account recertification process.

Recertification of accounts and users, whereas previously 100s of accounts reside on devices, targets, applications, etc., now, due to using the vault and recertification, owners are in total control of their accounts and usage. Dual control forces owners to approve access to their safes and usage of passwords. The number of audit points regarding rogue accounts is falling dramatically.

Small things such as resizing pop-ups but mainly the reporting possibilities: These are quite poor in my honest opinion. If you really want custom reports you actually need to export data to an Access database and create your own queries and reports. The default reports are just that.

The reporting functionality is currently limited to default reports, listings and overviews. For more detailed and in-depth reports, you need to export the data to an external app such as Access or MS SQL. For example, if you need a report listing all safes, owners, members and accounts (like we do), you need to create a bespoke report. Ideally, in 2016, perhaps a graphic drag & drop reporting interface would be ideal.

I have been using the product now for a little over four years from the support side.

No stability issues at all; we have a 24/7 standby and have yet to be called out on issues other than locked accounts. These are almost always user-related. We have had no downtime other than planned DR tests.

I have not encountered any scalability issues; we have actually scaled down since the new releases. Where previously we had CPMs & PVWAs throughout the world, we now have load-balanced CPMs and PVWAs in just two locations.

It can take time before you get a solution. Frequently, we have already solved it ourselves. CyberArk is re-arranging its support teams to improve communication with clients and to resolve cases quicker. As there is a release every six months, this might prove to be a challenge.

I did not previously use a different solution.

The vaults are installed on dedicated servers and subsequently hardened in their own dedicated workgroup. In our organization, there was a heavy battle with Server Support, who refused the workgroup setup and demanded that the servers join a/the domain. Do not agree! The servers have to be separate from the general server population and have nothing installed except the vault. Nothing has access, so no MS updates, AV software, etc. It took a while to convince them.

Before choosing this product, I did not evaluate other options.

Do not take it lightly. It takes a lot of hard work to analyse and implement. Involve the entire organization from the start. As you will be working with security teams, you might encounter a certain level of distrust (you are in their domain right?). Involve them, liaise frequently and get everyone onboard.

CyberArk vouches for access to domain controllers in Unix and Windows Server. 

CyberArk makes our environment more secure and prevents possible attacks by compromised accounts.

The price is high compared to Azure Key Vault. It's the most expensive solution. 

I have used CyberArk for about three months.

We have 98 percent uptime. 

CyberArk is scalable. We have around 4,000 users. 

We previously used Telos. We switched to CyberArk because it has features to deal with a large company that has a complex structure and many partners. 

Deploying CyberArk was moderately difficult. It isn't too hard, but it isn't easy. One person is enough to install it. It took about one month to select the product and deploy it.

CyberArk is more expensive than other solutions, but it's necessary when the company has contacts with other branches and partners. 

I rate CyberArk Enterprise Password Vault eight out of 10. It's more expensive than Azure Key Vault, but Key Vault doesn't have CyberArk's analytics and user tracking. I recommend CyberArk if you need those features. However, it's costly in the Brazilian market because of the conversion fro reals to dollars.