CyberArk Privileged Access Manager Reviews

The most common use case is when you need to hide the management for the servers, switches, routers, et cetera. You can use privileged access for remote use cases.

In my company, we have a lot of servers, and the problem is when the users want to access these platforms. You can access all the architecture and knowledge with this product. It provides more access and visibility.

The password rotation and cyber gateway have been quite useful. It's a solution that allows you to search for passwords for your servers and accounts. This is the most feature power.

The solution is quite stable.

It is scalable on the cloud. 

The implementation is hard. For example, the on-prem implementation specifically is really hard to deploy. 

The solution does not scale well on-premises. 

This is an expensive product.

It's hard to get help from support if you are not certified. 

I've been using the solution for five years. 

The product is really stable. You just need to deploy a higher viability solution. However, you need to do a lot of budgeting to deploy that higher viability solution. You need at least 12 servers. It's really, really difficult to have a budget for that.

It is easy to scale on the cloud. It is difficult to expand it on-premises. 

We have 30 people using the solution in my company.

At this point, we do not have plans to increase usage. 

The technical support is really excellent. However, if you don't have a certification, it is impossible for you to receive technical support.

We previously used BeyondTrust and Centrify, among other solutions.

The initial setup is pretty difficult and it takes a while to put into place. 

You need at least six servers to deploy it and it's really difficult to have a budget for that - plus, the implementation itself is really hard. You likely have to dedicate one week to deploy the solution and another week or two to onboard all the accounts.

Basically, it's pretty complex to implement. 

We've used a consultant to assist us with the implementation. 

The ROI is really quick. If you have a compromised account, it can compromise your infrastructure, and the loss of the business is really high. With this product and the protection it offers, you can witness ROI immediately.

You need a large number of servers, and therefore it gets expensive to deploy the product.

The license is expensive. It costs us around $200 per user. 

We are using a privileged cloud and an on-prem cloud, an on-prem APD. We have a hybrid setup.

I'd advise potential new users to have very good scripting at the outset. If you don't, you'll have difficulties in the long run. 

While the solution is expensive, it's excellent. I would rate it ten out of ten. You definitely get what you pay for. 

We have the identity provider for all the authentication processes. However, sometimes, we need access to different applications for customers or clients that are not integrated into the identity provider. For these, we need to store a password to gain access. For example, we use the CyberArk Password Vault for third-party services. This vault needs to be shared with many people in our company. 

This allows us to store passwords and create privileged access for some users without them needing to know the password. The system inputs the password into the endpoint URLs they use for authentication, but the users never see the password. This is crucial because people may leave the company, posing a high risk. If we had integrated it into the identity provider, we would have policies for active directory users but not for users outside the company.

For example, our development teams need to connect to databases, systems, and cloud services during development. The developers don’t get access to third-party services. We use the solution to manage this access. The application being developed and deployed integrates with CyberArk Password Vault services.

The main challenge was integrating with in-house IT and business applications, which are not standard. We needed to create special updates for that kind of integration.

I have been working with the product for three to four years. 

The solution is 99 percent scalable. 

Sometimes, support is not easy because you need to share the company's architecture. Maybe they are on time, but they don't understand the specifics we're talking about. Communication can be an issue, especially when speaking with people whose first language isn't English. There can be difficulties with understanding and making sense of conversations. So, outsourcing support can sometimes be challenging.

Neutral

CyberArk Enterprise Password Vault's deployment is complex. 

I have been working with the new services and don't see any additional issues at this hour. The key requirement is to have people who understand not only the tool but also the concepts and how to view it from an architectural perspective. 

One problem is that people may not know how to work with the tool, and another is that they don't understand the concepts. So, I think focusing on proof of concepts is good. For example, what I do at first is request information for identity providers and key management services.

I rate the overall solution a nine out of ten. 

In my organization, we are using CyberArk Privileged Access Manager to enhance the security of an organization's critical systems, mainly by securing privileged accounts (e.g. administrator passwords, SSH keys, and API tokens). 

We are also using Cyber-Ark for access control by ensuring that only authorized personnel can access privileged accounts and sensitive systems. 

very important for us is also Session Recording and Monitoring. We can record and monitor privileged user sessions in real time for auditing purposes. 

CyberArk Privileged Access Manager significantly improved our organization's security. Mainly, it has enhanced our ability to secure privileged accounts. Centralized management of identities ensures that credentials are stored securely. Also, the automated rotation of passwords reduces the risk of leaks.

The session recording feature adds great value and helps with auditing administrative activities.

CyberArk PAM can be easily automated, which saves a lot of time and administrative effort.

For our organization, the most valuable features of CyberArk PAM are:

• Credential Management. The automation of the retrieval and injection of credentials into sessions, and automation of password rotation.
• Session Recording. It gives us the possibility to record privileged user sessions for auditing and compliance purposes. 
• Ease of integration. CyberArk can by integrated with multiple systems and applications.
• The possibility of using Multi Factor Authentication (MFA) which increases security
• Reporting module. This allows us to generate reports based on session activity

Cost management. There should be more models and licensing plans for this software. They should also be flexible, allowing you to purchase selected features at a favorable price.

User Experience. The current interface is OK, however, sometimes it is not very intuitive. There is also no possibility of advanced modification and adaptation to your own needs and requirements.

Performance. The performance of the application could be a bit better, especially in the case of remote sessions - delays in remote sessions can be annoying.

I've used the solution for about five years. 

We use the solution for cybersecurity and regulation.

The tool has safe vaults. We keep our passwords in the Vault. The tool’s recording feature is also valuable for us.

The tool needs to improve its usage and interface. They need to have a modern and useful interface. I want the product to improve its integration capabilities as well since some of the integration features do not work always.

I have been using the solution for five years.

The solution is a stable product.

The product is scalable. You can manage 100,000 scripts or 1000 secrets with the solution.

I would rate the tool’s support an eight out of ten. The tech support is good and not complex. You can escalate the problems easily.

If you do not have prior experience, then the tool’s setup is complex. It has a complex installation process. You need to do pre-configuration correctly. The deployment takes around two to three days to complete. One experienced person is enough for the deployment.

The product’s pricing is feasible for enterprise customers. The pricing is expensive for smaller businesses. You need to pay additional costs for service implementation and local support.

I would rate the product a ten out of ten. We recommend this product for enterprise customers. The tool’s pricing and operation are a problem for small customers. They need to opt for Software as a Service. Companies need to install this product since they have a lot of accounts and passwords.

I'm a security solutions architect. I design solutions and hand them over to the client once they're implemented. We educate the users on how the solution works or turn it over to our managed services department

CyberArk PAM is an identity management solution used to manage privileged accounts on domains and local servers, including admin accounts in Windows environments and root users in Unix. 

With CyberArk, you can be fully confident that your existing accounts are secure. You will be 100 percent secure against attacks if you have all the right policies in place.

PAM could be more user-friendly and CyberArk could update the documentation to include more real-world examples. You have to learn it yourself through trial and error. In particular, the online documentation should have more information about troubleshooting.

I have used CyberArk PAM for two years. 

CyberArk PAM is stable.

CyberArk PAM is scalable. Managing 80,000 accounts is almost as easy as managing a thousand. 

CyberArk has a solid community. It's easy to get support and feedback from the forums. However, it can be difficult to access official technical support if you don't have a CyberArk certification because they have a process to limit unnecessary calls. You get excellent support once you're certified. 

Deploying CyberARK is complicated, but it is relatively easy for me because I have excellent scripts for implementing the prerequisites. It might be challenging for the average end user. It would be ideal to educate them in a demo environment because hard to explain this to a user without them. I would need to build an environment to show them. A simulated lab environment is one thing CyberArk PAM lacks.

We set up the prerequisites and discover the privileged accounts in the environment. CyberArk has a tool that scans the servers and detects accounts. This works best in a Microsoft environment. It's more difficult without Active Directory because you have to rely on the information the customer provides. You can begin the onboarding process once you've identified the accounts. 

It takes a month to set up the prerequisites and two or three days to install CyberArk PAM. Once it is deployed, it takes eight months to a year to tie up some loose ends. You may need to identify some accounts that you missed. The total time depends on the size and complexity of the user's environment. If you've configured everything correctly, it's simple to maintain. 

The ROI for CyberArk PAM is difficult to measure because the benefit is a reduction in risk. If CyberArk can eliminate most of the customer's security risks, then it's worth what they paid. 

CyberArk isn't cheap, but it's the best. You have to pay for quality. 

I rate CyberArk Privileged Access Manager 10 out of 10. CyberArk is the leader in Gartner's quadrant. I tell my customers that they need to be 100 percent secure—99 percent isn't good enough. The top hackers will exploit that 1 percent hole, and you're finished. You need 100 percent, or else you're wasting your money.  

There are many possible use cases, but in general, CyberArk permits users to target machines and rotate their passwords, and to record decisions. It is used to create security through PTA and to forward Vault logs and investigate events. It also enables users to access passwords in dev code without actually knowing the passwords. There are a lot of advantages to CyberArk.

As a consultant, I have seen a lot of CyberArk configurations. Sometimes we use the CyberArk Cluster Vaults with one DR. I also worked for a company that used only one vault, without a cluster, but they switched data centers when there was an incident.

I used to be a Windows and Linux administrator before I used CyberArk. The difference is that now it is simple for me to connect to my target machines. I can add them to my favorites, making access to the servers simple. 

CyberArk enables confidentiality. The passwords are stored in a fully secured Vault. If you want, you can access target machines without using PVWA. If you act as a remote desktop manager, you can register your connections and connect your target machines through the virtual IP and easily connect to your machines. Your connections and commands would all be registered to the Vault.

All the features of CyberArk are useful for me, but the biggest one is that CyberArk has logs for all the features. That is important when there is a problem. You know where to look and you have the information. In cyber security, the most important aspect is information.

Another valuable feature is that if you don't have access to a machine, you can see the machine in CyberArk. It's the management capabilities that CyberArk enables for a company that are very useful.

Other useful features are optional, such as recording decisions or rotating passwords.

The PTA could be improved. Currently, companies often have multiple domains and sometimes it's difficult to implement CyberArk in this kind of infrastructure. For example, you can add CPM (Central Policy Manager) and PSM (Privileged Session Manager and PVWA (Password Vault Web Access) for access, but if you want to add PTA (Privileged Threat Analysis) to scan Vault logs, it is difficult because this component may be adding multiple domain environments. 

CyberArk, as a solution, can easily adapt to a lot of environments, and you can add a lot of components to different zones, and that will work with the Vault. But not all the components, such as the PTA, can do so.

Also, it would be helpful if CyberArk added some features for monitoring machines when we access them. For example, they need to improve the PVWA. In general, when we don't use the PVWA, we don't have a lot of problems. For me, the PVWA is not perfect. I would like to see more features in the PVWA to administer our machines and to improve the transfer of data.

I have been using CyberArk Privileged Access Manager for more than three years.

I have implemented and maintained CyberArk solutions for clients, including creating administration functionality, such as platforms and support for users, so that everybody has 24/7 access to the account. 

I have also been involved in enhancing the solution by installing useful components and testing them. I would help analyze if a component could be of interest to the client and then implement it in production.

In general, I would help maintain the solutions and make sure that everybody can access the accounts, and that password rotation works.

I would rate WALLIX support at six out of ten, while CyberArk's support is a seven. The reason it's a seven is that we always have to send them the logs. Of course, we do get some response and they work on things, but sometimes we lose time on little tickets.

Neutral

If you have some experience, it is not complex to implement CyberArk. For me, the preparation is more difficult than the installation. Because CyberArk uses binaries, if you add good information, it will work. But if you miss something at the preparation stage, like the opening of the flows that you need, of course, it will be difficult. I know how the solution works, so it's not difficult.

First, you have to install the Vaults, and after installing them you can add PVWA to access the information. After that, you can install the PSM and then the CPM for the rotation, and that's it.

The time it takes to implement depends on the environment. Sometimes we work with complex environments and we have to adapt and collect all the information that we will need. We need to look out how the machines should be set up for the installation. It really depends on the size of CyberArk you want to install, including how many computers will be onboarded to CyberArk. There are technical and functional variables.

CyberArk is one of the best PAM solutions and one of the most expensive, but it works better than the others, so the pricing is fair.

I used to work on WALLIX Bastion, but CyberArk works better than WALLIX. WALLIX is a PAM solution, a French version, but when I was at another job I was a consultant on both WALLIX and CyberArk at the same time. That's when I saw that CyberArk is better.

It is simpler to upgrade the CyberArk environment and components than WALLIX. CyberArk has a user interface but WALLIX does not because WALLIX is installed on Linux while CyberArk is installed on Windows, making it user-friendly. Connecting is also simple with CyberArk. When a user connects to the PVWA, there aren't a lot of buttons. When users see the icon, they click "Connect" and connect. It is simple for them.

CyberArk can adapt easily to environments. For example, when we talk about connectors, CyberArk can easily connect to all the target machines these days. CyberArk can onboard network machines, Windows Servers, Linux servers, and Oracle Databases.

Web application passwords can be rotated. With its PSM and Selenium features, it enables the connection of a web application to CyberArk and rotation of passwords, so that it's not system accounts all the time. We can manage the web application accounts as well. CyberArk can also connect to the cloud.

When you work on CyberArk, you have to have more than one skill set. You are not just a PAM consultant because you manage passwords for all kinds of systems. You have to have skills in Windows, Linux, databases, and security because you manage those kinds of accounts. If you don't have those kinds of prerequisites, you can't work with CyberArk.

I started working on CyberArk when it was version 10.x and at this moment it is at 12 and more. The interface has changed and a lot of features have been added over that time. It's a good solution.

It is nothing but privileged access management. Most companies have servers, and for each server, they identify a generic ID to login. For example, if someone is an administrator, they will be using that ID to log in. So, we need to manage those IDs in a common repository, and that is why we have CyberArk PAM. CyberArk PAM is nothing but a common repository used to store passwords and manage them.

Managing passwords is a pain area in any organization. By using this tool, we have a set of policies and emerging technology where we manage these passwords.

It is a central repository. Therefore, if someone needs to access a server, then they go through CyberArk PAM. It provides a secure way to do this and CyberArk PAM records everything. For example, if you are connecting to a Linux server, then once you get into the Linux server and if it is integrated with CyberArk, it will automatically start recording everything that is being done. In most banks, seeing the recordings is very useful. If there are any gaps or something has happened which shouldn't have happened, then we can check the logs and videos. So, it gives security, in a robust manner, to the organization.

We have connected all the endpoints in our organization's servers. This has been an improvement. We are trying to connect any new servers being added into the organization to CyberArk PAM.

When it comes to PAM, it is always about compliance. It has a feature that enables you to access the password in a very secure way using encryption. You also need multiple approvals. For example, if you have access to CyberArk, it doesn't mean that you have access to the server. So, whenever you try to access that server, a request will go to your manager. Once he approves the request, only then will you be able to access the server. These are a few of the features that I like about this solution.

CyberArk PAM provides ease of access based on how they have designed it. It is clearly defined where you have to go and what you have to do. If you are an end user, it is very easy to use and provides a comfort level.

CyberArk PAM is able to find all pending servers that can be integrated, but we cannot get this as a report. We can only see the list of servers on CyberArk PAM. This is a problem that could be improved.

If you are an administrator or architect, then the solution is kind of complicated, as it is mostly focused on the end user. So, they need to also focus on the people who are implementing it.

I started using CyberArk PAM in 2016, so it has been almost six to seven years. I started with version 9, and now it is currently on version 12. So, I have used multiple versions of CyberArk.

Its scalability is good. It is available on-premise and they started having a cloud three or four years back.

Our environment is very small. We are managing around 2,000 users. Whereas, I have seen it managing users of 10,000 to 15,000 servers. We have around 30,000 users, and I have seen that kind of environment, though what I am currently managing is much less. When it comes to the Middle East, it is always regionally focused, it is not international. Our organization is specific to one country and not international.

The technical support is from the US. The only problem is that they reply during their own time zone. It has been a bit difficult to reach them, but we get the answers, they are just a bit delayed.

Neutral

We previously had Hitachi ID PAM. We switched to CyberArk because of the features and interface, where there is a bit of distinct difference between the two solutions. Though, the architecture is the same.

When you do an implementation, it is always challenging internally. While the setup is very easy because they give you tools for installation, you have certain things that you need to keep in mind when you implement it in an organization. These things become a kind of a roadblock. Every time that something comes up that you need to enable from the organization's side, e.g., if you have to unlock a few things on the organization's side, you must go through a process and some teams might not allow you to go ahead with it.

The deployment took three to six months.

For the deployment, we needed a solution architect, two consultants, and two people to work on the BAU. While it depends on your organization's size, we needed around five to 10 people to implement it. 

The ROI depends upon a company's capability to maximize the usage of this application. If you buy something, it is your responsibility to use it at an optimal level.

Previously, the pricing was very meager. They started publicizing and advertising the solution, growing CyberArk, as an organization. They also changed their pricing with that growth, e.g., the pricier the product, the more people who will purchase it.

Bomgar was one of its competitors, now it is called BeyondTrust. Another competitor was Thycotic. 

While CyberArk PAM has survived, it needs to be more flexible. They are currently focusing on the solution's GUI, but rather than the GUI, they need to focus on the solution's internal aspects, e.g., making the steps a bit easier. There are too many things to focus on and be aware of. So, they need to streamline it in a way where it is more compact.

You need to know the sizing of your company and not randomly use it, thinking you may need to use this solution in the future. You need to use most of the features, e.g., if you have 10 features, then your company should use at least seven features of CyberArk. If you are not going to use seven or more features, i.e., if it is below seven, you should not go for this tool.

We were using Secrets Manager for managing a few SSH files, but we are not using it anymore.

I would rate this solution as eight out of 10. CyberArk is a solution to problems being faced by multiple companies and organizations. It removes security threats and vulnerabilities from an organization in a secure way, and your credentials are handled in a secure way. Therefore, it solves this pain area in a company, and that is why I think they are one of the top tools.

The solution is used to provide privileged access management to our datacentre environments, for anyone with admin rights with infrastructure or applications within the datacentres. Authentication to the solution in the PVWA (Password Vault Web Access) with onward connectivity via the PSM for Windows (PSM) as well as the PSM for SSH (PSMP). These provide the session isolation, audit, and session recording capabilities that CyberArk offers. The use of Privileged Threat Analytics (PTA) adds more control functionality to the solution.

The product has allowed us to improve both the management and access to privileged credentials, while also creating a full audit trail of all activities happening within isolated sessions of all tasks and activities taking place within the solution. 

This includes sessions via the solution and sessions to administer the solution itself. From a user perspective, we no longer need to try and create or remember complex passwords or have to be concerned about when they will change as the solution takes care of this and can and does populate these credentials for you so mistyping a complex password is a thing of the past.

Password management is a great feature, as all passwords are changed more frequently. This can be scheduled in line with a specific policy requirement or each time the credentials are returned to the pool for reuse and are always compliant with the password policy however long or complicated the policy states that they need to be. 

Another great feature is the Privileged Threat Analytics (PTA) as this can stop a session based on prescribed risk and bring it to an end or pause it pending approval to proceed.  

The admin interface of the Password Vault Web Access (PVWA) is moving from an old style (the classic interface) to a new style (the v10 interface) and unfortunately, this process is quite slow. That said, it has been moving in the right direction with features becoming available in the v10 interface and some user features are available in both classic and v10 interfaces. I would love to see all the classic interface features moved into the v10 interface or available in both interfaces within the next version. 

I've used the solution for about eight years.

The solution has been very stable.

The solution performs well, however, based on the user base may require a sizable footprint.

Support does vary depending on how critical your issue is and if it needs to be elevated to dev support.

Positive

Our previous solution was not a PAM solution and these days you can't afford to not use one.

The setup is not complicated when trained staff are used.

We handled the initial setup in-house.

Set-up costs can be minimized by controlling the number of applications that are made available within the solution. The newer licenses are per user and open up access to a suite of products, the best value, and security can be achieved by using more of the products.

We looked at other products like Delinia and Wallix.

Take advantage of the vendor's training or use a good partner to provide support and administration.