CyberArk Privileged Access Manager Reviews

The secured vault storage offers great capabilities for structuring and accessing data.
Central Password Manager is useful for agentless automated password management on endpoints.

Privileged Session Manager is good for provisioning, securing, and recording sessions to the endpoints.

CyberArk provided an audit trail for all account operations, including session recordings for all activities performed with high privilege accounts. It also gave us the ability to define various access controls per group, enabling us to differentiate between internal and external IT staff accessing the accounts.

The product documentation could be a little more precise in certain aspects with clearer explanations for functionality limitations. New functionalities or discovered bugs take a little longer to patch. We would greatly appreciate quicker development of security patches and bug corrections.

I have been working with CyberArk solutions for 7 years already.

I was involved in many implementations, proofs of concept, operational and development activities. I have worked with or test all CyberArk releases since version 5.5.

Unfortunately, I did have some problems with stability caused by not following the recommended configurations. But the recommended configurations are very strict, and it is not always possible to implement in a corporate infrastructure. Interference with other applications can also cause problems with CyberArk components.

We did not have any problems with scalability. Each component of the solution is highly scalable and enables us to quickly increase capacity.

Customer service is very responsive and they are willing to help you with any deployment decisions, production issues or just various questions you might have.

The technical support was great. They were very responsive and eager to help. We were able to have professional communication and the involvement of all levels of technical personnel as needed.

I used another solution before CyberArk and its limited functionalities were the main reason for switching. We chose CyberArk because of its great functionalities, the ability to be deployed granularly at a different scale for each function, and the ability to be deployed in a distributed infrastructure.

The initial setup is straightforward if you prepare for it properly and test the major functionalities using the configurations that you’ll actually require before you use it in a production deployment.

CyberArk documentation contains a lot of information, so the hardest part is to choose the right setup and deployment strategy.

Plan ahead regarding the licensing costs. You can get a better prices per license as the number of licenses increases. CyberArk is open to providing a test license so you can test any particular functionalities prior to buying the real license.

We evaluated ObserveIT and IBM’s Privileged Identity Manager solution, which was still under development back in the times. We chose CyberArk because of its flexible installations, so that it was able to cover most of the deployment scenarios we required.

Study and test it first, before going wild in the production.

It is very easy to create a disaster in production with even the smallest changes.
CyberArk has great resiliency capabilities; use them wherever you can.

• EPV: Enterprise Password Vault
• PSM: Privileged Session Manager
• AIM: Application Identity Manager
• The latest version of the product is mature and there is more functionality than we need.

• Improved security
• Reduced the overhead to protect enterprise data from delays
• Receives logs about all activities
• Compliance with several standards

I’m not the end-user. As a solutions architect (consultant), I designed and planned the solution in a very complex network environment.

We have not encountered any stability issues. After more than six years with my first CyberArk client, everything works great.

We have not encountered any scalability issues. The solution was scaled right at the beginning of the project.

We called technical support a few times and they came back to us very quickly. They fixed our problems very quickly. The problems were caused mainly by changes in the network.

We did not use any previous solution.

We were assisted for the initial setup by a CyberArk consultant for one week.

A good architecture will help to gather the business requirements. You can then come up with the right sizing and licenses. If it is a large installation, implement in phases to become familiar with the products, and then purchase the licenses at the right time.

All other top solutions in the Gartner Magic Quadrant were evaluated and CyberArk came up as the best and most mature choice. I compared all solutions using my client business requirements and what the solutions offered to them on the top of the business requirements. The scope of the project became wider.

I would recommend being well prepared. Do not improvise. Understand what you are doing. Take the time to read the technical documentation, and not just the marketing material, to understand CyberArk. It will not be a waste of time.

Take the time to prepare, clean, and document all your privileged, services, and application accounts. Use the product for its intended design.

• Client-less feature
• Flexible architecture support
• High level of customization for maximize utilization
• User friendly and Flexibility of multiple choice
• Adhere to Security Compliance

This tool is in Leader's quadrant in Gartner Quadrant report. Not just because it has more features than other but also it improves the way organization function. CyberArk can be used as many as you can think of. Such Granular ways of utilizing parameters, features and restrict permissions that no other tool can grant you. This tool has always surprise me with its capability and features.

Since this tool major utilizing modules are PAM and PSM, hence AIM and OPM are least considered by client. Client is somehow reluctant to use these features. Yes, i do agree that these Modules are not that friendly but also CyberArk do not providing proper training on these modules. Reports are also one of the major concern, as it gives a very basic kind of reports. CyberArk must provide some graphical reports which can be customized as per client requirement. After all presentation does matter.

I have been working with PIM solutions since Apr 2011 and I was introduced to CyberArk around four years ago. I started with version 7.2 and I’m now working with version 9.6. Other than this CyberArk, I had experience on Dell TPAM, CA PUPM, Arcos PAM, BeyondTrust PIM etc with some more expertise on Imperva SecureSphere, Guardium, Tripwire Enterprise, Novell Access Manager etc.

Ofcourse, which deployment does not encountered any issue, however it depends upon your planning whether you are facing critical issues or just small hiccups. From my point of view, yes you need to plan it well, think from everyone prospective and also but most important it should be give ease of working not make end user frustrate. Understanding this tool and its utilization is more important in order to deploy it. Since the planning is not only limited to installation of CyberArk components but also it go beyond it such as GPO, AD Configuration, OU Setup, User usage, account management and so on. I face many issues during deployment and also after deployment. Plan it well before implementation.

Earlier in 9.0 version I faced some stability issues, yes there are some stability issues with CyberArk such as memory leakage, password unsync etc. These are some common problems but frustrating. In this version of CyberArk, memory leakage is a quite common and frequent issue which lend up access issue to end users.

As I said above, you need to plan wisely before you implement it. You need to consider all prospects of this tool before implementation.

CyberArk support is one of the best support I have ever seen. I worked on multiple tools and had a conversation with their customer support, CyberArk support is one of best one i have encountered with. They are very patient and calm. However sometime they are not much aware about the issue and could not provide the solution until it escalated to L3. It would give 8 out of 10 to CyberArk support.

Refer to customer service. Technical support is 8/10.

I started my career with Quest TPAM (now Dell TPAM) and also worked on BeyondTrust, CA PUPM, ARCOS, etc. BeyondTrust and ARCOS were introduced in market at that time. These tools are good but doesn't seems to be user friendly as CyberArk PAM. These solutions are bit complex to implement, configure and usage. Even if these tools have some good features which keeps them running in market but one feature in which all these tools are beaten up by CyberArk is User Friendly.

Users are more confident in using CyberArk, more convenient in installing and deployment and easier to customize as per client requirement.

Again, it completely depend upon your architecture design of CyberArk and planning. More complex Architecture leading to more complexity in implementation. Understand the Architecture, understand client requirement and only then design and implement. The sure shot guarantee of successful implementation is "Keep It Short and Simple".

Initially, I took some help but have never got a chance to work with Vendor team. I use to implement CyberArk for my client based on their requirement. I still not consider myself as an expertise, as I am still learning this tool and it always surprise me, however I would rate myself on overall - 6 out of 10.

Learning, keep involve yourself in learning. This is best ROI you will get.

Please contact your local CyberArk Sales support, they will better guide you.

In case of CyberArk, No .. Never.

The proxy solution using PSM and PSMP is valuable. It gives leverage to reach out to servers which are NATed in separate networks and can be reached only by using a jump server.

Security has been improved. It has improved compliance and there is more control over the privileged users.

The performance of this product needs to be improved. When the number of privileged accounts increases, i.e., exceeds 2000, then the performance of the system reduces. The login slows down drastically and also the connection to the target system slows down. This is my observation and thus, the server sizing needs to be increased.

I have used this solution for three years.

We have not encountered any stability issues so far.

We have experienced some scalability issues, in terms of the performance.

The technical support is good.

Initially, we were using the CA ControlMinder. There were many issues with this solution, mainly in regards to no proxy solution and poor performance.

The setup has a medium level of complexity.

One should negotiate well.

We looked at other solutions such as CA PAM, Lieberman Software, Thycotic and ARCOS.

This is the best product from its breed.

Some of the valuable features are:

• The different server vault is used to store data with 7 layers of security for protecting the data.
• The Application Identity Management Module is also very useful and easy to handle.
• AutoIt scripting is useful to simulate single sign-on for thick and thin clients.

It makes compliance of the organization with password management easy. This results in a handy auditing process and adheres to all risk compliance as well.

Some areas of improvement are:

• PSM: It should be hosted on UNIX rather than on Windows. In such cases, no extra OS license needs to purchased at the client's end.
• PVWA: The admin console should be in the Windows installer instead of a web application for admin users. It makes the work faster for admins; otherwise, it seems slow for the web interface.
• PSMP: It looks a bit complex to deploy and maintain.
• OPM: This module should be integrated with PrivateArk app.

I have used this solution for three years.

CyberArk is quite stable and no issues have been exprienced on regards to stability.

We have not encountered any scalability issues. It is very scalable with any requirements.

I would give the technical support a 9/10 rating. It has superb technical support for U.S. clients.

However, for Indian origin clients, i.e., for foreign clients, the support is poor thus I have rated it a 4/10.

It is very expensive. They charge for every single thing they offer.

• Session recording
• Password and access management

• Increased security and visibility

Error messages are useless; better documentation of error codes would be helpful.

I have used it for two years.

I encountered stability issues.

I have not encountered any scalability issues.

Due to meaningless error messages, it is not possible to repair non-trivial errors without support. However, with support, we solved every problem.

I did not previously use a different solution.

You have to exactly follow the installation manual; otherwise, installation can crash with a non-solvable error.

Before choosing this product, I evaluated BalaBit and ObserveIT.

You have to exactly follow the installation manual.

The features that I value most are the PSM connect option, where an authorized user doesn't even require a password to open a session to perform their role. Another feature that I think is really valuable is being able to monitor a user's activity; there is always a log recording activities performed by the privileged accounts in CyberArk.

This tool has definitely helped us manage all the privilege accounts, which mostly have access to the organization's crown-jewel data. Additionally, having a monitoring system puts extra visibility on these account's activities, so any irregular activity is highlighted and quickly escalated.

I think there can be improvement in providing information on how to develop connectors for various applications’ APIs.

Additionally, I think the user experience needs to improve. It's not very intuitive at the moment. An account could be more descriptive, and could have more attributes based on its functionality.

I have used the product for almost a year. I have been part of the implementation project and post-release, supported account onboarding.

For the most part, there weren't many stability issue. Usually the issue persisted with system/application accounts, with the API and the object ref ID not being in sync.

I didn't feel there were any scalability issues.

Although I was part of business side of the team, and I only had interaction with internal engineering team, I found the internal engineering team very helpful and knowledgeable about the product and how it worked.

We previously used a different solution, and then we updated it; we did not switch.

I am unable to comment on this, as I was not part of product evaluation team.

My advice is that this tool does what it advertises. If your business/organization has crown-jewel data, this is the tool to use.

From a security standpoint, I find the tool very reliable and innovative. However, it could improve the user experience and become more intuitive. When the user experience becomes more intuitive, then I am willing to rate the product even higher.

Auditing and control are the most valuable. You can control password management almost to the max, giving you, your users and your auditors great flexibility without compromising security.

The auditing and control is more valuable to the enterprise than to myself. Apparently one of the overseas offices was able to track and identify misuse of a privileged account. In addition, it is heavily used during the periodic user/account recertification process.

Recertification of accounts and users, whereas previously 100s of accounts reside on devices, targets, applications, etc., now, due to using the vault and recertification, owners are in total control of their accounts and usage. Dual control forces owners to approve access to their safes and usage of passwords. The number of audit points regarding rogue accounts is falling dramatically.

Small things such as resizing pop-ups but mainly the reporting possibilities: These are quite poor in my honest opinion. If you really want custom reports you actually need to export data to an Access database and create your own queries and reports. The default reports are just that.

The reporting functionality is currently limited to default reports, listings and overviews. For more detailed and in-depth reports, you need to export the data to an external app such as Access or MS SQL. For example, if you need a report listing all safes, owners, members and accounts (like we do), you need to create a bespoke report. Ideally, in 2016, perhaps a graphic drag & drop reporting interface would be ideal.

I have been using the product now for a little over four years from the support side.

No stability issues at all; we have a 24/7 standby and have yet to be called out on issues other than locked accounts. These are almost always user-related. We have had no downtime other than planned DR tests.

I have not encountered any scalability issues; we have actually scaled down since the new releases. Where previously we had CPMs & PVWAs throughout the world, we now have load-balanced CPMs and PVWAs in just two locations.

It can take time before you get a solution. Frequently, we have already solved it ourselves. CyberArk is re-arranging its support teams to improve communication with clients and to resolve cases quicker. As there is a release every six months, this might prove to be a challenge.

I did not previously use a different solution.

The vaults are installed on dedicated servers and subsequently hardened in their own dedicated workgroup. In our organization, there was a heavy battle with Server Support, who refused the workgroup setup and demanded that the servers join a/the domain. Do not agree! The servers have to be separate from the general server population and have nothing installed except the vault. Nothing has access, so no MS updates, AV software, etc. It took a while to convince them.

Before choosing this product, I did not evaluate other options.

Do not take it lightly. It takes a lot of hard work to analyse and implement. Involve the entire organization from the start. As you will be working with security teams, you might encounter a certain level of distrust (you are in their domain right?). Involve them, liaise frequently and get everyone onboard.