CyberArk Privileged Access Manager Reviews

The features that I value most are the PSM connect option, where an authorized user doesn't even require a password to open a session to perform their role. Another feature that I think is really valuable is being able to monitor a user's activity; there is always a log recording activities performed by the privileged accounts in CyberArk.

This tool has definitely helped us manage all the privilege accounts, which mostly have access to the organization's crown-jewel data. Additionally, having a monitoring system puts extra visibility on these account's activities, so any irregular activity is highlighted and quickly escalated.

I think there can be improvement in providing information on how to develop connectors for various applications’ APIs.

Additionally, I think the user experience needs to improve. It's not very intuitive at the moment. An account could be more descriptive, and could have more attributes based on its functionality.

I have used the product for almost a year. I have been part of the implementation project and post-release, supported account onboarding.

For the most part, there weren't many stability issue. Usually the issue persisted with system/application accounts, with the API and the object ref ID not being in sync.

I didn't feel there were any scalability issues.

Although I was part of business side of the team, and I only had interaction with internal engineering team, I found the internal engineering team very helpful and knowledgeable about the product and how it worked.

We previously used a different solution, and then we updated it; we did not switch.

I am unable to comment on this, as I was not part of product evaluation team.

My advice is that this tool does what it advertises. If your business/organization has crown-jewel data, this is the tool to use.

From a security standpoint, I find the tool very reliable and innovative. However, it could improve the user experience and become more intuitive. When the user experience becomes more intuitive, then I am willing to rate the product even higher.

Auditing and control are the most valuable. You can control password management almost to the max, giving you, your users and your auditors great flexibility without compromising security.

The auditing and control is more valuable to the enterprise than to myself. Apparently one of the overseas offices was able to track and identify misuse of a privileged account. In addition, it is heavily used during the periodic user/account recertification process.

Recertification of accounts and users, whereas previously 100s of accounts reside on devices, targets, applications, etc., now, due to using the vault and recertification, owners are in total control of their accounts and usage. Dual control forces owners to approve access to their safes and usage of passwords. The number of audit points regarding rogue accounts is falling dramatically.

Small things such as resizing pop-ups but mainly the reporting possibilities: These are quite poor in my honest opinion. If you really want custom reports you actually need to export data to an Access database and create your own queries and reports. The default reports are just that.

The reporting functionality is currently limited to default reports, listings and overviews. For more detailed and in-depth reports, you need to export the data to an external app such as Access or MS SQL. For example, if you need a report listing all safes, owners, members and accounts (like we do), you need to create a bespoke report. Ideally, in 2016, perhaps a graphic drag & drop reporting interface would be ideal.

I have been using the product now for a little over four years from the support side.

No stability issues at all; we have a 24/7 standby and have yet to be called out on issues other than locked accounts. These are almost always user-related. We have had no downtime other than planned DR tests.

I have not encountered any scalability issues; we have actually scaled down since the new releases. Where previously we had CPMs & PVWAs throughout the world, we now have load-balanced CPMs and PVWAs in just two locations.

It can take time before you get a solution. Frequently, we have already solved it ourselves. CyberArk is re-arranging its support teams to improve communication with clients and to resolve cases quicker. As there is a release every six months, this might prove to be a challenge.

I did not previously use a different solution.

The vaults are installed on dedicated servers and subsequently hardened in their own dedicated workgroup. In our organization, there was a heavy battle with Server Support, who refused the workgroup setup and demanded that the servers join a/the domain. Do not agree! The servers have to be separate from the general server population and have nothing installed except the vault. Nothing has access, so no MS updates, AV software, etc. It took a while to convince them.

Before choosing this product, I did not evaluate other options.

Do not take it lightly. It takes a lot of hard work to analyse and implement. Involve the entire organization from the start. As you will be working with security teams, you might encounter a certain level of distrust (you are in their domain right?). Involve them, liaise frequently and get everyone onboard.

I think that one of the advantages of the CyberArk PAS suite is that it is modular. On top of the basics, you can implement modules to:

• Manage (verify, change and reset) privileged passwords and SSH keys
• Manage (isolate and monitor) privileged session to the different types of devices
• Control Applications (e.g., malware)
• Detect, e.g., backdoor use, unusual behavior, and Kerberos hacks of privileged accounts
• Avoid/remove hardcoded passwords in applications/scripts
• Implement the principle of least privilege

Even those components can extend their operational area by use of, e.g., plug-ins, making it possible to manage about any kind of privileged account or session.

I see companies that already have thought about their privileged accounts, while others have not (to that extent). Implementing the CyberArk solution, it helps (and sometimes forces) these companies to think about their privileged accounts. Are they really needed? Who needs access to them? What kind of privileges do these accounts need (service accounts/log on accounts/etc.)? And so on. Thinking about these things helps customers to organize their data/privilege accounts in the CyberArk solution. It then helps the organizations to get control of their privileged accounts and to safely store and manage these, knowing that only the correct persons can access these accounts and that the different devices can only be managed via one central entry point to the datacenter.

With every version, I can see that the product wins on functionality and user experience. On the latter though, I hear from customers that on the UI level, things could be better. CyberArk continuously asks for feedback on the product (e.g., via support, yearly summits) from customers and partners, and hence, with version 10, they are addressing these remarks already.

The web portal (and hence the user interface) has some legacy behavior:

• Some pages are created for past-generation monitors. With current resolutions, filling the pages and resizing some elements on the pages could be handled better.
• They are not consistent with the layout of different pages. Some have, let’s say, a Windows 7 look and feel, while others have the Windows 8 look and feel.

Nevertheless, even with those remarks, it does what it is supposed to do.

I’m working as a partner of CyberArk for about four years now. I started on version v7.1 (currently on v9.7) and I have served about 20 happy customers.

As no software is perfect, I don’t think it is any different with CyberArk. Their support, however, is able to tackle most of the problems. Sometimes patches are distributed. The CyberArk solution highly integrates with different platforms (Windows/Linux) and applications (AD, SIEM, email, etc.). So, not configuring it well can result in unexpected behavior. You need to consider the limitations of the platforms it is installed on, as well.

As mentioned, one of the advantages of the CyberArk PAS suite is the modular build up; not only on covering the functional area, but also on size of your network/datacenter. If you, e.g., notice that the number of privileged accounts to manage increases, you can simply add an additional module/component that manages those passwords.

Their support is good. It is split up into different areas (technical, implementation, etc.) and I always have a quick answer. And they go all the way for their customers.

I saw customers using another product for their privileged accounts. Due to its limitations (e.g., on password and session management) and stability, they decided to switch to CyberArk.

This question goes both ways; initial setup can be straightforward and it can become complex. The architecture in the network and installation of the software itself is pretty straightforward. Most of the modules/components are agentless. This makes it possible to install the solution in the datacenter without impacting any existing devices (no impact on running systems, and simplifying change and release management). Integrating the systems (privileged accounts) in the CyberArk solution can happen gradually.

The flexibility of the product, on the other hand, has as a consequence that there is a lot to configure. Depending on the existing infrastructure and functional demands at the different organizations, care has to be taken to have a correct implementation.

As far as pricing, personally, I’m not involved in the sales part. So, I cannot elaborate on this topic. For licensing, I can advise the same thing as mentioned elsewhere: Start small and gradually grow.

Before choosing this product, I did not evaluate other options (being a partner, not customer).

The Privileged Account Security product is a suite. That means that the product consists of different components/modules that cover a particular functional area (check their website) on privileged accounts. Plugging in more of those components in the environment results in covering a greater part of that area. Of course, there is a common layer that is used by all components. This is the security layer that holds and protects the privileged accounts.

Start small. Use first the basic components that, e.g., include password management. Gradually grow the number of components/modules/functional area to include, e.g., other types of accounts, session management, intrusion detection, end-point protection, etc. Having a project scope that is too large will make the step of using the solution too big. Make sure every stakeholder in the project is aware and let them gradually ‘grow’ with the product.

Account discovery, account rotation, and account management features make it a well-rounded application.

Account discovery allows for auto-detection to search for new accounts in a specific environment such as an LDAP domain. This allows CyberArk to automatically vault workstations, heightened IDs, servers, and other accounts. Once the account is automatically vaulted, the system then manages the account by verifying the account on a regular basis or reconciling the account if it has been checked out and used. The settings for the window that account is using is configurable to the type of account being used.

CyberArk is constantly coming up with new ways to perform auditing, bulk loading accounts, quicker access between accounts and live connections, as well as different ways to monitor account usage and look for outliers.

As companies move further toward a “least privilege” account structure, CyberArk sets the bar for heightened account management.

In the past, standard practice was to assign role-based rights to standard accounts. Moving away from this structure allows us to require that all heightened access accounts be “checked out” and only operate within a set window. CyberArk analytics provide real-time monitoring to ensure accounts are only used by the correct people at the correct time.

Like any software, improvements and upgrades are a necessity. As CyberArk is used by many Fortune 100 and Global 2000 companies, they offer custom solutions that need to be continuously improved as the company changes. I am looking forward to new ways to utilize accounts within the current CyberArk system allowing a more seamless flow for technicians.

I have used it for 19 months.

Beyond the servers and security devices necessary to run CyberArk, it maintains surprisingly few dependencies. It is capable of secure hardening with the capacity for multiple failovers that can exist and work without the use of LDAPs or external databases. CyberArk has been the most stable platform I have ever worked on and our redundancies allow for 100% uptime.

Scalability has not been a problem. I have worked on multiple improvements and increases, as we continuously increase the number of domains and types of accounts CyberArk manages. There is not currently an end in sight for the number and types of accounts we are adding.

CyberArk technical support is top notch. They provide ticketing and immediate escalation of issues, as well as direct resources for more immediate problems. CyberArk R&D has also provided valued updates to custom applications we use internally.

With data breaches and ransomware becoming the standard that companies now face, a more elegant solution was desired from standard network and physical security. Accounts that can be found or socially engineered out of people has been a long-standing tradition for criminals and bored teenagers. Reducing the window any account can be used provides a more secure network.

Setting up and learning a new platform is always a complex undertaking. This is why CyberArk provides local hands-on support to get the system set up and the company’s techs trained. The base setup will differ from company to company, based on their immediate needs and what they wish to accomplish immediately. Heightened IDs, local workstation IDs, off-network server accounts, service IDs… the list goes on and on.

There are a handful of options out there providing similar services. However, none of them are as far along or provide as much stability and innovation as CyberArk. Pricing and licensing are going to depend on a great many factors and can be split up from when the system is originally implemented, and upgrades and new software down the line. All that being said, the money in question was not a deterrent in picking CyberArk for our solution.

We have tested a great deal of products, many of which are being used in the company for various other purposes; Avecto, Dell, Thycotic, to name a few. Centrify was the other primary system that we really carefully reviewed. In the end, the features and interface of CyberArk won out.

CyberArk is an innovative set of tools that are easily learned. Getting deeper into the product allows for a great deal of complex settings that can be learned via high level implementation guides as well as a CyberArk certification.

The ability to create custom connector components is the most valuable feature of the product. Once the organisation matures in their privileged access strategy, CyberArk’s customisation capability allows you to target application-level access (e.g., web-based management consoles) as opposed to just the underlying operating system. The API allows operational efficiency improvements, through being able to programmatically provision accounts into the Vault.

It has improved our organization by being able to consolidate several privileged access technologies into a unified tool. Session recording and auditing capability, and approval workflows allow a high degree of control over the organisation’s privileged access requirements for compliance purposes.

• Authentication to the solution: Authentication to the PVWA utilises integration to IIS. Therefore, it is not as strong as desired.
• Reporting capability and customisation: Reporting utilises predefined templates with limited customisation capability.

I have used it for 15 months; approximately nine months in a large enterprise.

I have not encountered any stability issues.

I have not encountered any scalability issues. The solution is fairly scalable. All presentation-level components are operable in highly available configurations.

Technical support is 8/10; level of engagement depends on severity of problem.

I did not previously use a different solution.

Initial configuration is quite complex and takes a considerable amount of time. However, this depends on the management requirements of the organisation. An example of this is connectors to mainframes, which might require a degree of customisation and knowledge of how the password manager functions (and relevant training). Setup regarding installation is straightforward, as the provided guides are quite expansive and include several installation possibilities (e.g., standalone, HA, DR, etc.)

Appropriately scope the organisation’s requirements to ensure licenses are not over-provisioned.

I was not part of the selection process.

If an organisation has not utilised a PAM tool before, it is a large cultural change fundamentally in how a user works, and should be taken into consideration accordingly. The solution is complex depending on the requirements; therefore, the implementation should not be rushed and it should be tested appropriately.

I see the Auto IT integration as the most valuable feature.

I have seen improvements compared to the older versions and the integration of Auto IT provided the flexibility to add thick clients and websites.

Session recording search capability has to be improved. It should include more platforms for password management. It should include more thick client integrations.

I used it for almost six years.

There is dependency on Windows tasks and if any AD GPO changes are pushed, it affects the system and stops working.

I have not encountered any scalability issues. The product scales as the organisation grows.

Technical support from the vendor is the worst and that is one reason I stopped using CyberArk.

The initial setup is not so complex, but CyberArk does require more servers for a full-fledged installation.

The solution is costly and the licensing is very complex.

I was using CyberArk for more than six years and I have now switched to ARCOS. I was impressed with ARCOS because of the following reasons:

• Cost-effective solution
• Fewer servers required
• Flexibility, performance
• More features
• Simple licensing
• Good support

I evaluated other solutions such as Leiberman, ManageEngine, TPAM, and Xceedium.

ARCOS seems to be very promising and cost effective. Also, ARCOS doesn’t have a traditional jump server concept, which saves the customer from spending more on hardware. The licensing is very simple (number of admins & target IPs), where most of the features are available by default with the basic license.

CyberArk architecture is good and more secure, but I see the solution as expensive. Support is the worst; CyberArkstaff is not supportive, their professional service team charges for each and every thing.

As a security engineer, I mostly implement the Enterprise Password Vault Suite (Vault Server, Central Policy Manager, Password Vault Web Access) as this is the base upon which every additional component is built. I am using and implementing the additional components, such as the Privileged Session Manager and Application Identity Manager, more and more.

When implementing CyberArk, I see that a lot of security issues are addressed by the solution. For example, audit issues for privileged (non-personal) accounts, which have a sufficient amount of impact on the organization when being compromised or misused.

A major benefit next to the auditing capabilities is the secure storage of the accounts in questions. CyberArk has the most extensive hardening and encryption techniques I have seen in a product, with equal intentions.

Additionally, CyberArk can reduce the attack surface of these accounts by retaining the privileged accounts (protecting the credentials) within a secure environment only to be accessed through a secured proxy server (Privileged Session Manager). What I have also seen is that the Privileged Session Manager can aid in the adoption of CyberArk within an organization as it allows the end user to keep using his personal way of working (e.g., Remote Desktop Manager, Customized Putty).

Another burden that organizations have is the need to manage hard-coded credentials. CyberArk also has a solution for this, allowing the credentials to be stored in the vault, where they can be retrieved by a script or applications through the execution of a command instead of hard-coding the credentials. There is also a solution available for accounts used in Windows scheduled tasks, services and more.

The last generic, relatively new improvement for customers is the ability to monitor and identify the usage of the accounts managed by the suite. By using Privileged Threat Analytics, you can match the usage of CyberArk against the actual (logon) events retrieved from the corporate SIEM. Next to this, PTA profiles privileged account usage to discover malicious patterns such as different IP addresses or usage of an account on an unusual day. This is a very useful practice to gain an enhanced view on these privileged accounts and can eventually limit the impact of any malicious usage because of early detection.

In every product, there is room for improvement. Within CyberArk, I would like to see more support for personal accounts. It can be done right now, but I can imagine changing a few aspects would make this easier and more foolproof.

Next to that, the REST API is not as capable as I would like. CyberArk is getting close, though.

Lastly, I would love to see a password filler that can provide raw input (like a keyboard). There are scenarios where administrators do not have the ability to copy and paste a password from the clipboard. As typing over a long random password is a tricky job, a raw password filler would be a solution that could overcome this issue.

I have been involved with CyberArk for three years now. During this period, I have designed, implemented and supported multiple CyberArk environments.

During the time that I have worked with CyberArk, I was able to conclude - based on experience and colleague stories - that this is one of the most stable products I have ever encountered. I have never seen any stability issue that was not related to a human error or a configuration issue.

As far as I’m aware, we have not encountered any scalability issues. I have heard of some issues with the database of CyberArk when scaling to excessive amounts of entries, a long time ago. These issues have been fixed, as far as I know.

In addition, it is possible to have issues with the Central Policy Manager when you configure it wrong.

The technical support for our customers is primarily handled by ourselves, with CyberArk technical support to fall back to. I have seen great improvements in the quality of support over the years and they continue to do so. The response is fast and the quality is good.

There is room for improvement in bug tracking. When a bug is confirmed, it is hard to track when or if it will be released in one of the future releases. As CyberArk is building an entire new support portal, I hope that this will be improved someday.

My company did not previously use a different solution. My company has had CyberArk in their portfolio for more than 10 years now.

Our company has set up a ‘generic’ and fast implementation plan based on our experiences and best practices. This plan provides a straightforward approach, which can be customized into a complex solution to suit every customer's needs.

In general, the installation is quick, but the actual work is found in the process of onboarding new account(type)s as this requires a significant amount of communication and coordination.

Try to create a good design with a CyberArk partner before you start thinking about licensing. Then, you will have a good view on the components needed to suit your environment from the start towards a fully mature environment.

Do not think too big at the start.

Every feature of this product - Password Management, Session Management and so on has its own value depending on different use cases, but I like:

• It's a clientless product and does not require any third-party product for any of its operations (Password Management, Privileged Session Management).
• For password and session management, it can integrate with any device/script with a password OOB or via a custom plugin.
• Compared to other products, CyberArk is extremely easy to install and configure.

Due to regular growth of an organization infrastructure, managing passwords within the organization becomes extremely difficult.

In larger organizations with a large user and infrastructure base, it can be very difficult to ensure that the passwords for privileged accounts are changed according to the organization security policy. This can be especially true in case of local admins for Windows and Unix boxes. Unmanaged/neglected local admins accounts lead to a major security threat.

Another major risk is to monitor activities and usages associated with privileged accounts to hold people accountable for their actions.

CyberArk helps organizations to manage all the privileged account passwords (server or workstation) in a centralization location as per organizational security policies. It also helps to hold people accountable by controlling and managing password usage using privileged session management.

Accountability is set up using CyberArk OOB temper-proof reports.

CyberArk has evolved a lot in the last 16 years and has nearly all the features required for effective operation. The only area for improvement is using a native client while connecting to the target device instead of the current method of using a web portal (PVWA). CyberArk seems to be working on this area and we expect these features in coming versions.

It would be great if in the future CyberArk considers launching an installer for Unix-based OSs.

I have been using this product since 2010.

In my seven years of experience with CyberArk products, I have never seen an unstable environment due to product functionality. It's always lack of proper planning, inexperience and faulty configuration that leads to an unstable environment.

CyberArk can be horizontally and vertically scaled, if it is well thought out during panning phase. As an example, if an organization feels that they may need high availability of Vault servers (CyberArk’s centralized storage for passwords and audit data) in the foreseeable future, they should consider installing CyberArk Vault in cluster mode instead of standalone mode. One can't use a standalone vault as a cluster vault or convert a standalone vault to a cluster vault, but in terms of increasing the number of passwords and session recording, underlying hardware can be scale to achieve desired size.

Three-year support (unlimited case and call support) is free with license purchase but I would say sometimes it's not sufficient to resolve the issues with this model.

Nonetheless, CyberArk Profession Services is quite impressive, even though it's a costly affair.

I was part of the PIM product evaluation team at my previous organization. I stayed with CyberArk because is it's extremely easy to implement, and very stable when implemented with well-thought-out planning and experience. It has all of the required features for a PIM product, it does not have dependencies on third-party products for it to function and it is clientless.

Initial set up is super simple and if planned properly, can be installed within a couple of hours.

I cannot comment much on this because CyberArk has different pricing for its partners or resellers, and might also vary according to size of procurement.

Before choosing this product, I also I evaluated NetIQ PIM, Dell TPAM, CA PIM and ARCOS.

Invest as much as possible in the planning and design phase. Consider at least future three-year growth in password and user base such as growth in virtual environments, and size accordingly. Also consider requirements like high availability of vaults, PSM and other components.