CyberArk Privileged Access Manager Reviews

The primary use case of the solution is mining the credentials on our Windows unique network.

The solution is able to rotate the credentials and session recording. CyberArk has the ability to change the credentials on every platform.

The initial setup has room for improvement to be more straightforward.

I have been using the solution for three months.

The solution is extremely stable.

The solution is extremely scalable.

The technical support is fantastic and quick to respond. 

I give the initial setup a five out of ten.

The initial deployment requires a couple of weeks and for the on-premises portion an additional two to four weeks. The deployment required one full-time architect and one full-time senior consultant. 

The solution is costly but we get what we pay for.

I give the solution a ten out of ten.

For maintenance, we require one part-time architect and two operations people.

I recommend the solution to others.

We're in the process of rolling it out. We haven't finished our rollout yet. Most of my co-workers have been doing a lot of hands-on, and I haven't been the one with the most hands-on.

We're not in production yet. We're still in tests, but it will give us the ability to manage the privileged accounts. It'll make that a lot easier. One of the things that we've been having trouble with is that we haven't been changing the passwords on our service accounts, for instance, for a long time, because it is so difficult to do. That was one of the main reasons we started down this road. We decided we would also expand out into managing things like the local administrator accounts on our laptops, etc. We've started there with local administrator accounts because it is an easier thing to tackle, rather than doing the service accounts and all of that. We're going to start there, and then we'll move into service accounts, and then we're going to move into administrative accounts that are human-owned rather than service accounts. At this point, we're still dealing with the things related to local administrators.

I'm pretty sure we are using its latest version. In terms of deployment, we're split between an on-prem and public cloud setup.

We like it for the ability to automatically change passwords. At least for my group, that's the best thing.

It should be easier to install. It is a comprehensive product, which makes it difficult to install. You need to have their consulting services in order to get it all installed and set up correctly because there is so much going on. It would be nice if there were an easier way to do the installation without professional services. I suspect they get a fair amount of their money from professional services. So, there is not a huge incentive.

It would be nice to do personal password management so that we could roll something out to the entire organization to manage people's passwords. At the moment, we're rolling out LastPass to do that, at least to some groups. I'm not sure if everybody in the organization is going to get it because most people only have a couple of accounts that we're concerned about. We're using LastPass because it is significantly less money than the CyberArk solution. CyberArk has one, but it is rather expensive. The LastPass solution is integrated into browsers. So, you can use it in your browser. I don't remember if I had to install a client on my machine or not. I probably just installed a browser extension. So, I'm not sure how that'll work with some of the other things. There must be a client that I didn't get around to because that's also in the very beginning currently. They have sent me links to training on how to use it and set it up, but I haven't had time to take the training yet.

It has been a little over six months.

It seems to be doing everything it is supposed to, and we haven't had any serious issues. The few issues we have had were pretty quickly resolved.

It certainly appears to be scalable. Because we're still in the rollout stage, we don't know for sure, but it doesn't look like there will be an issue with scaling.

Its usage is limited to under 50 people. There are 12 people in my group. SSA has another 8, and the service desk has probably 20. Then, the Information Security Office probably has another 15 or so. Overall, we're under 50. We're only looking at privileged accounts and not everything.

I haven't used them myself, but I've been in the loop. The person driving the project at this point is somebody from the Information Security Office, but he has been keeping everybody else in the deployment team in the loop about what's going on. So far, the support seems to have been pretty good. When he reaches out to them, they seem to be able to resolve the issue pretty quickly.

We weren't using anything before. 

It is difficult to install. You need to have their consulting services to get it installed and set up correctly.

I haven't seen the numbers. I know it is not cheap, but I don't know what it is. I would rate it a six out of ten in terms of pricing. It is definitely more expensive than the other product, but it also provides more functionality, and it is modular too. So, we pay for the functionality we're actually going to use, and that's nice.

We looked really hard at another option, but I can't remember their name. We almost went with them until we got the ISO involved, and they said, "We like CyberArk better because they're more flexible. They do more, even though it is going to be a little bit harder to manage." So, we reassessed and decided on CyberArk instead of the other solution. We had looked at a third one, but the third one wasn't close to CyberArk and the other one we evaluated. They just didn't have the breadth of capability of doing all the things we were looking for.

We did a real quick proof of concept of the other software, and then it changed names, which is why I can't remember it. We've been working on this for about three years now. We couldn't get traction with management to do anything. The thing that really got management interested was when ISO said, "We really need to do something here." Then management decided that they were willing to spend some money, but we did a really quick proof of concept with the other product. We installed it on a server, on-prem, and we did a quick run-through on some test servers that were immediately erased right after we finished the PoC, and it worked really well. It was also really easy to install, but it didn't have the flexibility to do all of the things that CyberArk is doing for us or will be doing for us in the end.

Before you get started, make sure that you know what it is that you're looking for from the product. That's one of the things that we went through. We had all of the groups involved, which included the Information Security Office, my team with the servers and the networks, and people who were managing the accounts. We all got together and submitted scenarios for what we wanted out of the product, and then we went to CyberArk and asked them how they were going to meet these needs, and they were able to meet pretty much every need. There were only one or two minor things that they couldn't manage, and those weren't that important. So, we were willing to go with it. I don't know if the other company was able to meet those either. My advice would be to make sure what it is that you want first before you go talk to them because they have a huge list of things that they can do for you, and you don't want to buy the things you don't need.

I would rate it an eight out of ten in terms of flexibility in everything because it does almost everything. The biggest drawback is because of the complexity, it is hard to manage. It is not impossible by any means, but it is not the simplest thing to manage. Cost-wise, it is not a cheap product, but it does a ton of things, and it does them well.

The solution is primarily for security and access control. 

It's used to ensure and protect the complete IT infrastructure administrative account and the administrators and limit them to do any particular activities on the server and record all the activities on the server. it's for auditing purposes and for forensic usage.

We use it o identify if somebody internally hits the organization or tries to intrude and try to do a data breach or try to steal the information or do some kind of internal hacking. That risk can be eliminated using the tool.

CyberArk is one of the greatest platforms. It supports lots of requirements in the privileged access management area. 

From a configuration point of view, it is not very straightforward as per the deployment. The configuration is typical. However, when it comes to the integration piece, it has flawless integrations with lots of applications, whether it is out-of-the-box or customized. It supports any number of platforms. 

The company is very keen on looking at new applications to build out-of-the-box plugins. The support for the privileged single sign-on configurations with the application is excellent. 

Security-wise, the security is unbeatable compared to any other tool in the industry. They have a vault concept. They consider it similar to a bank vault. This is where they keep all the privileged admins' passwords. That particular vault has seven layers of security, which are unbreakable. It basically cannot be hacked. It cannot be hijacked. 

If something goes wrong, for example, if the vault is destroyed, your data is still protected. You can easily revive your data from that particular vault. It's a great capability. The security is excellent. It is very, very tight here. They support one signal protocol kind of communication with the internal products.

Where your password will be residing that is protected by a seven-layer of security. It has a web interface hosted on an IAS server on Windows. It has a CPM called central password management, which will do the password rotation. That is sitting on one other server. It has a session manager, which provides the single sign-on mechanism, privileged single sign-on mechanism, or automatic single sign-on to log into any infrastructure servers and applications. These are the four core products, and they integrate with each other and they integrate on one single port.  

If you try to intrude on the system or any hackers try to intrude the system, they will not be able to do that as the communication through this port is entirely encrypted. They will not be able to revive the data in real-time. It's a great security feature.

It supports hybrid deployments as well. It supports single standalone deployments for high availability with different kinds of deployment structures or topologies. This is a growing trend in the market. 

They can work on the pricing part. Its pricing is a big challenge here. When it started, the product came in at a very low cost. Now, they are the leaders in the market, so the cost has grown and is quite huge. 

I've used the solution for four years now. 

The solution is very stable. It's reliable and the performance is good. 

Every organization is different. Some are small, some are large, and some are medium-sized. This product fits all organizations. It is designed to be scalable. 

Technical support has been excellent overall. We are pleased with their level of service. 

The setup process is typical. It's not easy to set up. It depends upon the environment, the requirement, what the customer is looking for, et cetera. If, let's say, there's 1,500 accounts, which need to be protected and 10,000 servers, which need to be protected, the deployment can be done with the two-node setup. The two-node setup is okay. However, when it comes to the larger organization where we have lots of privileged accounts and lots of servers or when the account increases to 100,000 servers and 100,000 or 200,000 privileged accounts, in those cases, the product is complex.

You need to be well trained in order to be able to execute an implementation. 

The pricing used to be very competitive. I can't speak to the exact pricing. However, it is my understanding that it has gotten more expensive. 

I'm certified in CyberArk. Earlier, we worked with CyberArk as a partner. At this point, our contract is in a renewal state.

I'd rate the solution nine out of ten. 

It is a great product when it comes to security. From the security point of view, I would advise a new user to use this tool and deploy it in your environment since the security is unbeatable.

I use CyberArk as a password vault and session recordings and to connect the server sites. I use some critical systems if I can access them, including workflows and mechanisms. 

It's really good. 

The digital vault is great. It protects our passwords and manages those passwords and changing periods.

There is some third-party access to our system's recording process. It's very, very important for us and we're glad they allow it.

It is a robust product. It's very stable and reliable.

The solution can scale well. 

The interface could be updated a bit. Right now, it's not very good. 

It is very complex and difficult to set up the solution. 

Maybe some customers have a lot of systems. For example, we have 1000 Windows systems and 500 Linux systems. I need a remote desktop management solution for the CyberArk. I'd like to be able to change desktops with one click. We'd like the next release to have remote desktop management tools. 

I've been using the solution for the last five years. 

The solution is very stable.

We no have had no performance issues; it's a really robust product. If I need more performance, I use another server, install another server, and improve our performance.

It is very easily scalable. 

We have 50 admins on this solution. 

We are using the solution to 70% capacity. We do plan to increase usage. 

We did use Delinea, formally Thycotic. That solution is really good, however, not fully secure. CyberArk is a more secure product - much better than Thycotic. Thycotic may be better in terms of its admin-friendly interface and integration, however, CyberArk offers more than vendor integration. It has massive integration capabilities.

The implementation and integration process is very, very complex. It is a robust product, however. I don't have to do a lot of setups, luckily. However, when you first set it up, it's very difficult as you don't really know what you're doing. 

The first 27% of the implementation took us maybe three months, however, for more than 95% of installation, it took us over one year. We had all the features up and running, however. 

We started with connection and session recording features, however, items such as password changing and other integrations, for example, firewall connection and switch interface connection were rolled out over the year.

You only need one person to maintain the solution. 

We had a third party help us with the implementation process. 

It's a yearly license that we pay. It is more expensive than other options. There are competitive products that are cheaper. 

I can't speak to the exact price. On a scale of one to five, with one being the most expensive, I would rate it a one. The license covers five servers. If you need more servers, you pay more. The same is true with disaster sites. If you need a disaster site, you are fine. It is included. If you need more, you need to pay for it. 

We did look at multi-factor authentification options and zero-trust network access. 

I'm not sure which version of the solution we're using. It's likely the latest version.

This is a fully secure product and integrates with a lot of different systems. I'd recommend the product to others. 

I'd rate the solution eight out of ten.

We use the solution as a vault for whatever passwords we use for connecting to an API or job services. The admin passwords we store in Password Vault. Via CyberArk, we have made a use case where we can track the session, keep a record, and log it, to whoever is logging into the servers.

CyberArk is basically used for privilege access management. It used to be hard to control security from internal employees. For products, and production servers, tracking used to be very difficult. 

Although One Identity Manager also provides similar services that CyberArk provides, they are no match to CyberArk basically. The amount of details and logging that CyberArk provides is command level. That really streamlines the process of tracking those internal servers. That's one significant advantage, I would say.

CyberArk's best aspect is it lets you store the password, and it allows you to connect to those connected systems' passwords. For example, there is an AD in your organization, and you have stored the AD password. Say you want to change the AD password; you just have to change it in CyberArk. CyberArk itself will change the password in the connected system. That's one nice feature they have introduced in the latest features. 

CyberArk is not friendly in terms of having a Community Edition. It's enterprise software. They could maybe give a Community Edition that you can just play around with and see how the software is. It's a very, very costly app. 

Therefore, they can definitely give a demo version or some sort of a Community Edition with partial features at least to help potential users understand its capabilities. 

The initial setup can get complex. 

I've used the solution for about four and a half years.

In terms of stability, there are no complaints. CyberArk, I would say, is an industry leader in this portfolio, especially in Privileged Access Management. There are so many identity access management tools, and almost all of them say that they are both IAM and PAM service providers. However, CyberArk is the only one that is specifically for Privileged Access Management, and they really do mean it. With CyberArk, the PAM is really too good.

We have 5,000 users at least on the solution. 

For Privileged Access Management, it's been used extensively.

I've never dealt with technical support. I'm more of an end user in this case. We rarely have to literally dig down into the implementation. There is a different team that exclusively works on CyberArk, and that's the team that basically deals with day-to-day CyberArk operations.

In both organizations I have worked, they've used identity access management as Dell One Identity Manager, and for Privileged Access Management, CyberArk.

We basically used to have a separate Password Vault that was KeePass. 

With KeePass, there was a security incident in our organization where a few of the passwords got leaked, and then it was challenging to track how the leak happened. With all that considered, G-PAM or CyberArk Password Vault was considered the next solution to prevent these sorts of things from happening again.

The implementation process is a bit complex. If you know this software or the product very well, then setting it up is not that big a deal. However, if you're a newcomer, then of course, it's not a piece of cake. As a new user, I'd rate it 2.5 out of five in terms of ease of setup.

We started from the development stage, where the maximum amount of time was spent. In a live environment, you can't have that much downtime. Roughly you are allowed for one and half hours, or a maximum of three to four hours for downtime. In a live environment, once we could identify the clicks and hacks of the software in the lower environment, it was pretty easy to do. There, it took roughly one to one and a half hours to do, and that part was pretty smooth.

CyberArk is such a stable product that either they launch a new version, which you have to latch onto very quickly as they censored the support for older versions, and with these security products, you can't really stay along with the older versions. Usually, the products are very stable. They don't need multiple patches or updates. One version itself is self-sufficient. At least in my four and a half years of experience with this product, I have seen fewer intermittent updates. Once they launch a new version, that's a different thing. However, from a maintenance point of view, it's very user-friendly and lightweight. Even usage of the tool is very speedy. It doesn't lag one bit.

We handled the initial setup completely in-house.

This is very costly software. However, I haven't really dug into the licensing. My organization gives all its employees a free license and therefore I don't have to worry about pricing. My organization is a partner with CyberArk also. Even so, we just have one instance as a practice instance. 

I did not choose this solution, and I'm unsure if other options were considered. 

The hired architect chose it. I just had the opportunity to implement it. If he evaluated other options first, I have no knowledge of them. 

My company has various levels of partnership with CyberArk.

I'm typically using the latest version of the solution. CyberArk sunsets their older versions very quickly. They won't let you use the old versions.

CyberArk has many components. Password Vault is one of the components. Then there is the CyberArk for server monitoring and logging. These are the two components that we have used extensively. However, apart from that, there are many more applications for CyberArk also, which I haven't used at the moment.

To those considering the solution, I would say when you do the installation, to get on a call with technical support. Keep them on hold. If you are really doing it for the first time and are not aware of the software, you may run into issues.  The public forum of CyberArk is not that good. Their documentation is not that great, and it's not that well maintained. The problems that you may face are seldom covered. Therefore, when you are paying that much money for high-quality software, you can at least ask for better help from them.

I'd rate the solution nine out of ten. 

Privileged Access Management is basically used to just keep track and log. We have to provision those accesses. If a newcomer comes, they have to be identified to ensure they are the correct users. So for those, there is a web implementation where there are some products that you can order, then they're approved. Depending on that mechanism, it's been decided, oh, this is a valid user. That's how it's been managed.

Privileged Access Management in CyberArk is one of the very first features that was implemented as part of Privileged Access Management. Then came Endpoint Manage and finally the Password Vault. From the very beginning, once Identity Access Management as a service started, with Dell One Identity Manager as the first service. Then came CyberArk. I don't think there is an additional benefit that it has brought. It's sort of an essential commodity in the entire Identity Access Management infrastructure.

For me, Privileged Access Manager and One Identity sort of merge together. For me, the best part of CyberArk is Password Vault and Endpoint, basically. If you ask me what's there that, it's that everything is pretty straightforward. There is no confusion. It's a pretty straightforward application to work on.

It is a scalable product.

The solution is stable. 

They should allow further customization as it's really hard to do any further customizations over CyberArk. We do have a wrapper of customization. However, it's very difficult, especially their web implementation. That's one thing I would say they can improve. With Angular and everything on the market, they still have their in-house web implementation tool, which is sort of a headache. 

I would love them to improve their UI customizing features. 

You simply cannot install the demo UI in every customer, basically. They would always ask for something to make their UI look a little different -  simple things like their logo or some sort of additional information pertaining to their particular customer. Even doing the smallest of changes takes a lot to do. 

The solution is stable and reliable. 

I haven't been faced with intermittent bugs like I do on One Identity.

With CyberArk, we rarely get those situations. It's a very, very stable software. You rarely need to raise any bug or service request with them.

It's pretty scalable. Although we haven't increased our infrastructure once, we have installed the latest version. Even then, adding other infrastructure items into the portfolio is not a big deal once you have done the initial installation.

Our organization is more than 30,000 to 35,000 people. However, only a handful of them are entitled to Privileged Access Management. There might be only 5,000 users. It is used quite extensively.

It sort of was implemented with One Identity Manager when Identity Access Management came into the picture. In early times when there was simply Excel as an identity access manager, and then there was nothing basically. Once there was the onset of proper identity access management without in-house custom tools or proper streamlining process, this solution was added. Initially, One Identity was sort of used as a Privileged Access Management also. However, soon they realized that it lacked in a lot of places for Privileged Access Management. That's when we went to CyberArk. That was way before my time.

I have been part of the initial implementation. However, the day-to-day operational tasks are being handled by a different team.

I was part of a migrational project. When I joined this organization, they were just migrating from the last stable version to the present stable version. It was pretty straightforward. There was, in my organization at least, documentation that was a bit more thorough to follow. That helped me a lot.

The implementation takes quite some time. Even in production, we have to instantiate the service. We had to take a special weekend, which means downtime since this is a critical application. Therefore, moving this takes some time. It's not that there are glitches and all. It's such a heavy application that requires moving so many things. For us, it took around nine to nine and a half hours roughly to deploy. This is considering if I take off all the in-between stoppages and breaks.

Privileged Access Management is a complex topic. I won't say that any of the tools are straightforward. That said, if you are thorough, then it's pretty straightforward for people who are in this industry.

I'd rate the setup process a four out of five in terms of ease of implementation.

With every security tool, new users learning by themselves is a bit difficult since the material isn't openly released. It's released if you have a partnership or if you pay for the software. That makes learning the tool a bit difficult. If you are interested in learning, the only thing is to get a job in that field. If your company is using it, it's like learning by doing. That's the only way you can learn about this product.

I'd rate the solution eight out of ten.

The primary use case and the most used functionality of CyberArk PAM is managing privileged access (an easy way to pass permissions to specific servers to specific users granularly) and password management (an automated solution that manages password validity, expiration, etc.). PSM gives a possibility to set all connections secure and it is possible to re-trace actions made by users during such sessions. It is a good tool for extending usage to new end targets sometimes even out of the box.

CyberArk PAM ended a scenario where several dozens or even hundreds of privileged accounts had the same password or administrators had passwords written down on sticky notes. 

I have experience with onboarding thousands of accounts - mostly Windows, Unix, and network devices. I have developed (customized based on defaults) password management plugins for Unix systems and network devices.

I like the integrations for external applications. There are actually infinite possibilities of systems to integrate with - you would just need to have more time to do that. It is not an easy job, yet really valuable. I am not an expert on that, however, I try every day to be better and better. I have the support of other experienced engineers I work with so there is always someone to ask if I face any problems. End-customers sometimes have really customized needs and ideas for PSM-related usage.

The Vault's disaster recovery features need improvement. There is no possibility to automatically manage Vault's roles and for some customers, it is not an easy topic to understand.

I noticed that CyberArk changed a little in terms of the documentation about disaster recovery failover and failback scenarios. Still, it is a big field for CyberArk developers. Logically it is an easy scenario to understand - yet not for everyone, surely.

I've used the solution for around five years. I have been using CyberArk PAM as an end customer for three years. For another two, I work as a CyberArk support specialist.

Stability is overall good. However, there are many error messages that are like false-positive - they do not produce any issue yet logs are full of information.

The scaling has been mostly positive. It seems not hard to scale it up.

Sometimes it is hard to understand the capabilities, limitations, etc. They try to help with that.

Positive

I've never used another solution that would have the same or similar capabilities.

The initial setup can be complex. It is important to go really carefully step-by-step with instructions. When you do that, you can be 100% sure everything will work well.

When I was an end-customer I recall using a vendor for the implementation and support. Now, I am a vender and therefore I do it by myself.

Licensing may sometimes seem a little complicated. A good partner from CyberArk can work it out.

Unfortunately, I have not participated in evaluating other options.

Overall, I am really glad I worked with CyberArk for five years.

The solution's most valuable features are one-time password and exclusive access.

CyberArk is complicated and costly to deploy for Windows servers compared to a few other vendors. It would be helpful if they combined all the components on a single server. Also, they should release a version specific to small businesses with two servers installation architecture.

We have been using the solution for three years.

The solution is highly stable. I rate its stability a ten out of ten.

I rate the solution's scalability a ten. It is the best in the market. It can scale to any infrastructure. We had implemented around 1000 target servers for our previous customers.

The solution's training documentation compensates for efforts to raise the tickets. We can resolve the issues ourselves based on the documents provided by the vendor. If you contact them for any problems, they solve them within a few hours.

I have implemented the solution for small and large enterprises. I haven't come across any bugs or issues. I use the 12.2 version as it is more stable, and I have more experience working with it than the newer version. It is easier to deploy if you know how to use it.

The time taken for deployment depends on specific project requirements. In the case of lesser servers and target machines, it takes about a few weeks. Whereas for a larger number of servers, it takes around two to three months to complete. The process involves setting up servers to host password vault, API access, central policy manager, and SM server. Additionally, for customer-specific requirements, we can set up Distributed Trusted Host (DTH) server for privileged analytics and Privileged Session Manager (PSM) for session management.

Apart from the deployment, it involves configuring policies, setting up additional connection components, etc.

The solution is cost-effective for the features. In comparison, other vendors would charge extra for the same features. Also, its pricing model is based on the number of users rather than the number of servers. Thus, there are no additional costs. I rate its pricing a six or seven.

I recommend the solution to others and rate it a ten out of ten. It is user-friendly once you understand its functionality.