Symantec Privileged Access Manager Reviews

The key benefits are we improve our governance. We ensure we can build more trust in the way we run and operate our environment, and most of all is the accountability. Where things do go wrong from time to time, we are in a good position to ensure that we can recover quickly.

One of the key things for us about the product is around its simplicity. Being able to put in the technology that allows the business to remove complexity and also allow the security improvements. This is high on our agenda. 

As with most things CA, once we are bringing more technology into the portfolio and being able to collapse those products into a much more integrated way, that will definitely come over the time. 

In terms of improvement, keep listening to customers and their challenges and make sure the roadmap is very responsive. It is all about being agile, so we need to make sure the product is very easy to work with. It does not constrain us further down the road.

At the moment, we are going through several evaluations. We found that the architecture is scalable and very resilient. In terms of scaling up, it has yet to be proven, but so far, so good.

We have worked with CA before, so we understand that each engagement is slightly different. One thing we do make sure is we always do things like test runs as part of any onboarding of a system. This would be no different if we go down this path in the future.

It is fairly mature in the world of what it have known as a vault. When you look in a wider context of how to bring it into an organization, it is not necessarily just the technology side. I would rate it from the technology side between a seven and an eight. Actually, how it becomes too much of an adopted technology in a much more wider industry, they are still around about a five to six, but it has to do with the vendor across the industry.

Most important criteria when selecting a vendor: It is about really understanding what the security challenges are in the industry, but also being able to align with specific use cases each organization is going to deal with. You have a generic capability that we can take off the shelf, but we should be able to customize when you need it. Having that right balance is really important. I think from my of view, CA has started to move in that direction more. I would like to see more of that.

I think like most evaluations, it takes a lot of time and effort. We do look at things around where the history of the technology, where it's born out of, where they are currently going, and the direction they are going. Also, in terms of how well they are going to integrate into the wider portfolio. Evaluations are not just about features and functions of this specific product, but it is taking that holistic view around what else we can get out of it in the next three to five years. It is really important for us to have that clear roadmap and one that we believe in and trust.

I have been in the security business for almost 30 years. We have never had a solution in place where we could really manage and control privileged accounts in the company. This solution really makes a big difference. We started rolling it out for our Linux base. It has been invaluable to us already, and it has only been a year.

We are a multiplatform shop, so we have Windows, Linux, mainframe. The mainframe piece of it is coming along, but we would like to see a little bit more integration with the non-CA mainframe component, such as RACF. That is what we use, but they have more features which are coming out in the next month or so, which is a huge. They are listening to their customers. I think that is great, but they need to do a little bit more on the mainframe side.

Solid as a rock. It is a hardened appliance. We went with that version versus the virtual, and we set it up in less than half a day, and have had no problems since. It has been running fine.

Based on the purchase that we made, we bought an awful lot of appliances. We are using only a small portion of it right now, because it can handle so much volume. We know we can scale up with what we have, and we probably will not need to buy any further appliances down the road. So, that is huge.

It is very easy to set up the initial piece. We even did it without CA on-site for the first day. We got it up and running, then they came in and helped us tweak it and make it a little bit more efficient. However, setting it up out of the box, it was a no-brainer. It was very quick.

Right out of the box, right now, I would say it is a solid eight. I think 10 is doable, and they are very close. We are still only a year out. We have only really done one platform, so I am kind of saving the nine and 10 for once we are fully deployed.

Most important criteria when selecting a vendor: Support is a big deal. Reputation is great, but the support is what we use most. After the sale is over and the initial deployment is done, we need to work with support, and if support is not strong, then that hurts us. We can't get the product to be what we want it to be.

I see it performing really well. It has a really good scalability attribute, where you can continuously keep dumping on new users and giving them only the access they need on the projects that they would view. It is very controlling and I really like that.

Whoever built it from the ground up, they understand how an organization is laid out. You can tell. When a user comes in, it automatically picks up their information. It is very easy to use. The interface is very friendly, colorful, and bold. I really like that. It is friendly to the users. 

What PAM does is when a user signs in, or when a user gets prompted to an organization, they are classified based on what teams, job titles, and roles that they have. 

One feature I would like to see is instead of just giving passwords to the user based on job function, from auditing perspective, turn that cycle around. Let us have a reporting feature that will say, "Can you please show me all the users who have access to the DB admin account essay." That would really help from an auditing standpoint. 

There is already a feature for that. It is not too great to use. Instead of being Splunk, maybe have a feature built into the application. 

There have been no issues with CA technical support.

After doing a little bit of research in the PAM market, there are not too many PAM players out there. Obviously, there is CyberArk but the other big player is CA PAM. I took a look at CA PAM. CA's rep gave me every reason to pick CA PAM over CyberArk.

CyberArk is harder to set up. You need a stand up infrastructure to back up CyberArk. PAM, on the other hand, is much more simple to use, and you do not need as many Windows servers to back it up as far as I know. 

1. According to the users who have actually used CyberArk and CA PAM, they have said that CA PAM is ten times easier to use and manage. 
2. Also, according to the users, CyberArk is only in the Windows area. They only control passwords in the Windows area. I am not sure how true that is, but that is a huge thing. 

If your company has Windows, Unix, and Linux, and has accounts all over the place and you need to management it, look into CA now. 

I feel like I have to learn more about CA PAM, because there are a lot of questions I still have for the product and I do not know them yet. 

Most important criteria when selecting a vendor: technical support. Always having someone there who knows a lot about the product, but at the same time, they will be straight up with you about the difficulties. I really do like when people tell me, this is not working, and tell you straight off the bat. I really like that straightforwardness.

It is for all admins. We need to have a two-factor authentication. So for that, we are using the PAM, Privileged Access Manager product called Xceedium.

We have just put it in QA, so it will go live in production by March or April. 

It will provide us with more security. Anybody who has access can only get it. It makes admin access more critical. People are not building service accounts. 

It will provide more security and monitoring. 

The session recording is useful. We can capture what each of our users are doing.

It gives you list of servers, so you can see which users have access to which servers. This is really useful, so we can make sure nobody is getting extra access than what is needed. It is also isolated from Internet, so there is no way hackers or anybody can come into the systems.

We are going to work on Trade Analytics, so we wanted to see how Trade Analytics work and all.

They need to work on some of the enhancements, which we have already given to them. 

They need to have zero tier and active-active setup with zero minimum downtime, which they are working on it. 

So far, it is stable in our development and QA. Once we go in production, we will know it. We have just started testing on the products, especially integration testing and performance testing. After that, we will know the stability, and we are putting Splunk and monitoring alerts on right now. 

For scalability, we had some performance issues with the regular virtual jump servers. Therefore, to make the improvement better and all, we ordered bare metal physical servers. This way we will have better results and the performance will be good. 

We are using the technical support. We also have a list of all the security enhancements, which are needed. We gave it to CA. They are working on it, and for any issues, we are escalating the issues and working with the product team directly. 

They are really good at answering us quickly. Some of them, they also provided us a patch, and some of them are going into the new version, which is 301, so we are upgrading our environment to 301 now in our development and QA next week. 

It was a straightforward setup.

Cost-wise, CA was better compared to others in the market. 

One of the goals for one of our projects this year was to implement Privileged Access Management. We tried different products in the market: Xceedium, CyberArk, etc. This is when we decided on Xceedium. 

All were almost good, but CA's UI was much better. Performance-wise, CA was good. One of the advantages was Unix, which was not on CyberArk. It was more Windows-focused. We have been using Windows and Linux both. 

When we started analyzing different products, CA was really good. They are more proactive every time. 

They really worked hard in the PoC. They made sure all of our use cases are validated, and they would even provide us patches during our PoC. 

Depending on your requirements, you can compare different products and decide what you want. This product so far seems good to us.

Most important criteria when selecting a vendor: Our use cases, all of them, should be validated: the product performance and how the product behaves. We do a full end-to-end PoC to make sure how the product performs. Basically making sure all of the use cases have been satisfied and each have a proactive active-active setup. 

Transparent login for users of privileged IDs (Linux, Windows). This prevents sharing of the password because it is never seen.

Once we implemented the solution, we found that support groups were sharing the Root password with some application teams to facilitate implementations and upgrades. The applications required Root due to software requirements or other issues. This process was never documented and therefore was unknown. We are now working on getting these applications under proper controls. They will either need to use PAM if Root is still required or proper access will be implemented where Root will not be required for day to day support.

Reporting. It's difficult to locate the reports, there are limits on what reports can be run from the GUI, and the report formats are lacking. I have already spoken to product management about this specific area.

Four months.

Not yet.

Yes, we noticed that when trying to rotate 1400 privileged passwords with a single job, the results were not consistent. Support suggested we break the job up into smaller groups. We will likely have well over 200,000 managed accounts in the system when we are fully deployed. We should be able to submit mass password changes without having to break them down into groups of 50 or less.

For the most part, support is good. We do run into problems sometimes with respect to getting support for APIs. Our experience has been that engineering has to become involved due to limitations with the support staff's knowledge/experience in this area.

We have been trying to get approved for a solution (this or others) for 15 years. We finally have a CIO who understands the need for and benefit of this product and it was approved late in 2016.

Appliance setup was not difficult. We did have issues with network setup (behind a load balancer, or not; these were mostly internal issues and not the problem of the product). We selected this product (in part) because of the initial ease of implementation. We did a PoC and had the appliances set up in less than a day.

Appliances are relatively cheap, don’t skimp. Make sure you have redundancy, high availability, and enough appliances to manage the concurrent workload. Definitely make sure you include training in your budget and purchase. There are at least three specific courses that are a must for any administrator of the product. Courses can be classroom, virtual, on site or web-based. A2A licensing will be the cost that continues to grow over time. As you begin to deploy and work with various groups, you will find more uses for the A2A component and this is licensed by agent deployed on a server.

We had a project to review eight vendors and their PAM products: IBM, Hitachi, CyberArk, BeyondTrust, CA, Enforcive, Centrify, and Lieberman.

Definitely do your homework. CA PAM was the best product for us but if you are strictly a mainframe shop you might like a different solution and similarly for a Windows only shop. For us we have all platforms (Windows, Linux, Unix, mainframe, databases, network devices, appliances) that need to be managed. This product was relatively simple to implement but again do your homework. Make sure you document your use cases, and I strongly recommend setting up a test environment before deploying into production. We were told to get ROI so we started with production and are now standing up a fully supported test environment. If I had the time, I would have done this the other way around.

The tool helps us manage local, domain, and service accounts. It helps us meet compliance standards.

The fact the password is changed after each checkout beats changing passwords manually every few months.

I would definitely like to see improvements in the documentation. It is very plain and doesn't provide details. They are no screenshots either.

We owned this product for about three years. I took over the project about six months ago.

I did not encounter any issues with stability.

I did not encounter any issues with scalability.

Few people I've dealt with know the product well. They are not very helpful. Some technical support team members don't have much knowledge.

I don't think DSS used any other solution prior to this.

I didn't do the initial setup, so I can't answer this question.

I'm the admin and do not know anything about pricing and licensing.

I personally have used RPM and think it is more user-friendly.

Be prepared to call tech support a lot because the documentation is almost worthless.

If I remember correctly, it was the two factor authentication, and the single most important capability was it supported PIV and CAC as one of the two factors. That was pretty huge for us.

Our organization does and uses cloud-based solutions. Those have to be very secure.

Specifically, administrative access needs to be highly secure. When people are accessing the production environment as administrators or as non-end users, they use CA Privileged Access Manager to be able to access it.

Trouble free installation and configuration and not even noticing that it's installed. There's too many steps involved in accessing the production network. Too many things you have to do to get on.

It'd be great if you just stuck in your PIV card and Windows popped up, asked you for your password. You typed it in, then it remembered your credentials.

For about 10 months.

There were some issues with stability.

From what I remember, people would complain that every 30 minutes to an hour or so, their connection would drop and they'd have to reconnect, but it wasn't clear whether that was a problem with the network we were working on or whether that was a problem with Privileged Access Manager.

We didn't run into any scale issues at all. The more people involved, the more it was able to handle.

Yeah, we worked with technology support. They were actually pretty helpful. The couple of problems we had, they were able to identify and help us resolve.

Yeah, we were using OpenVPN. We were using OpenVPN, and the biggest single reason was dual-factor authentication with PIV and CAC. That was the biggest single reason.

I did not personally do the setup. From what I remember, it took a couple of weeks for the security lead to do the work. That's not out of the question or a surprise with a security product, because just getting it operating usually takes a little bit, then getting it fine tuned takes a whole another round of work.

We looked at about a half a dozen, and this one came out to be the best one. We filtered down.

I would say, test it out in your environment, make sure it works out well. If it configures well, and then, assuming it works out fine, you're in good shape.

Access management and security compliance.

It started with the basic features, and gradually they added SCP, FTP, and also the API calls that helped us to meet the Automation at our end.

Role mapping, high availability, coverage of more important AWS data centers in Frankfurt.

I've used this solution for three years

It has been reliable down the line with new features and updates.

Yeah, it still does not support HA in Multi AZ subnets.

Yeah, it's great. I would give it a nine out of 10.

We selected it after the evaluation of multiple products.

It's easy to configure and with the help of their documentation, one can easily do that.

Yeah, this is an expensive product.

It's confidential.

I would say definitely to use it if you've got a high number of systems and are concern about security.

Password Management and Session Recording. The simplicity and ease that it is to be up and running out-of-the-box is very much appreciated.

The recording feature uses a proprietary format that is very light, even with high definition videos, allowing you to use very little hard drive space. This has proven very valuable when managing large amounts of sessions.

We are now able to record all technical support requests that require a remote control session, therefore accountability has risen reducing the amount of mistakes or errors.

Clients are also more confident that all activities are recorded and everyone is held accountable when asking for support being provided.

With the recently added feature that supports recording VNC sessions, we have been able to expand the session management to the IT personnel who prefer VNC for remote session management.

The support for other remote assistance tools would be excellent. Free included tools in Windows (Remote Assist) and Microsoft SCCM Configuration Manager (ConMgr Remote Control) allow companies to reduce the amount of RDP connections and expand the usage of the tools are frequently used by companies to provide technical support for remote assistance.

This could increase the amount of purchased licenses, with increasing growth of (remote) managed services (MSPs), and would also allow a company to demand that a provider use a tool such as CA PAM when providing remote assistance, in order to record evidence or increase accountability. Access to online training free of charge is also highly recommended.

Over two years.

Not in my experience. It has proven to be a very stable solution, even when it is run as a virtual appliance.

Not in my experience.

I have had a good experience because they have been able to resolve issues nine of 10 in a short period.

The cons are that you are rarely (if ever) able to talk to a technician when calling support. This is frustrating when the issues are critical or urgent.

This is much worse in out of office hours. At times, when the issues are complex, the resolution times has been longer than desired and the time in between contacts is also too long.

There is a lot of space to improve in this area.

No, I have looked at CyberArk, but never used it as a customer.

Session management is pretty straightforward as is the password management. We were able to get it up and running in no time. It might be a bit complex to follow the flow of creating the devices, users, and single sign on using the password vault, so that process could be simplified for those getting started with the solution.

Can’t say much. The prices are not low, but one can ask for a discount. It’s not the cheapest PAM solution.

Yes, CyberArk. We found it too complex and with more features than one would probably need.

If looking for a solution with privileged session management, great recording features with an integrated password vault and Single Sign-On that is pretty straightforward to implement out-of-the-box and does not overwhelm you with unnecessary features, it the best way to go.

It has space for improving the user interface and remote connection tools, but surely this is something that should be in their roadmap.

For me, it is the robust API which is the most valuable feature. This allows for low maintenance costs and allows applications to automatically connect. This is great to automate security of the DevOps pipeline for shared secrets across environments. Also, being on Linux and a virtual appliance is great.

Before we had a vaulting solution that had a manual provisioning of the DB and privileged accounts. Now, we can automate this provisioning through APIs which are easy to understand and implement.

I wish it could create local accounts on desktops. But, what I really want to do with it is automatically manage DevOps pipelines through tools like Docker/Puppet/Chef. It would manage shared secrets to the segregated environments. I am hoping that the API is helpful for this.

We have used it just for a PoC, but we are purchasing it soon. From going through the selection process, we felt CA PAM was the best option for our company.

CA technical support has been very responsive the past couple years. It has come a long way.

I have used ERPM, but it was difficult to upgrade the product. The structure of the vaulting policies was not conducive to Ally’s organization. Plus, it ran on Windows, which in our world you want to always go with a Linux solution, when possible.

In the PoC, it seems very easy to get started.

Don’t go with an agent model. Don’t go with a model that has you buying a thousand different parts. Go with PAM that gives you everything, or you’ll just be paying costs of implementing another tool that PAM would have just given you up front. PAM can monitor exponentially more devices than it competitors. This covers a large audit item for us.

We looked at CyberArk, BeyondTrust, ERPM and ObserveIT.

If you truly want to secure a DevOps world that is constantly changing the architecture and number of boxes, then you need CA PAM.