Enables granular and secure access with just-in-time access and Zero Trust model
What is our primary use case?
We are a consulting company, and we provide consulting for solutions like CyberArk, HashiCorp, and similar offerings. I provide consultancy for various industries such as finance and hospitality.
Our clients use this solution for their critical assets and crown jewels. They want good identity and access management or privileged access management for their critical assets. A lot of mid-tier clients would have also implemented CyberArk on their servers if its pricing was better. Usually, they deploy it for their critical assets. They have implemented policies, just-in-time access, etc.
How has it helped my organization?
Having an efficient Privileged Access Management solution like CyberArk helps you stop bad actors early in the cyber attack chain process. You have an additional layer of security for your assets.
CyberArk Privileged Access Manager provides a good amount of granularity in giving access.
CyberArk Privileged Access Manager has a policy for blocking out everything as per the Zero Trust model, which can be helpful in a breach situation.
CyberArk Privileged Access Manager ensures data privacy by locking down your assets and recording each and every instance. That helps with the data information protection piece.
Privileged access management solutions like CyberArk Privileged Access Manager make it difficult for malicious entities to gain information or expose sensitive assets. Even if a specific asset not part of the PAM group gets breached, your critical information remains safe as access to specific resources or ports is not allowed. Implementing privileged access management in a way that blocks necessary threats makes it difficult for bad actors to access sensitive information.
What is most valuable?
The whole concept of Zero Trust and implementing it with CyberArk, which somewhat adheres to the 'never trust, always verify' principle, is very valuable. I really appreciate this aspect. Moreover, the just-in-time access is impressive, allowing access for a specific time.
Apart from CyberArk's PAM solution, I like CyberArk Conjur for secrets rotation. The constant rotation of secrets makes it hard for bad actors to gain access to environments.
What needs improvement?
CyberArk provides a good amount of control over access types. However, as a future enhancement, having additional features for cross-platform integration would be beneficial. It would be good to have integrations with other tools and firewalls, such as Zscaler and CrowdStrike. Although I am not fully aware of recent updates, more cross-platform integration would be valuable. A SOC analyst would like to have centralized access in terms of information flowing in even for privileged access management. They would like to have control over everything instead of opening four to five tabs for different sorts of information. Cross-platform integration would help with that.
Customers also want CyberArk's pricing to be better so that they can implement it further and have more licenses.
Implementing a privileged access management solution can be challenging. It would be great if CyberArk could provide recommendations based on the compliance standards of an organization. It would help system admins ensure that all the required ports are closed and the systems are being managed properly. If any system is not being used anymore, any ports opened for that system need to be closed. Having such recommendations would be helpful.
For how long have I used the solution?
I have been associated with CyberArk since it became popular two to three years ago. I have been working with CyberArk tools on the client side and the consultant or vendor side.
What do I think about the stability of the solution?
I cannot think of any stability issues.
What do I think about the scalability of the solution?
I cannot think of any scalability issues.
How are customer service and support?
In terms of tech support, I have had a positive experience with ManageEngine support, and I wish that a similar experience was there with other vendors and products. With ManageEngine, I appreciated the chat option. When I was stuck, I did not need to go through a dedicated portal or wait hours for a solution. A chat system providing quick access to a technical engineer, within four to five minutes, is very helpful.
I would rate CyberArk's technical support a seven out of ten.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
I worked with HashiCorp, specifically HashiCorp Vault, and had collaborations representing CyberArk's perspective.
CyberArk focuses on privileged access management for enterprise security. They offer CyberArk Conjur, but if customers need secrets management or infrastructure automation, HashiCorp has a better solution with HashiCorp Vault. In terms of PAM, CyberArk excels. For Conjur-type products, HashiCorp is better. CyberArk caters to traditional infrastructures and security or IT admins, while HashiCorp has good cloud-native, DevSecOps, or DevOps services.
How was the initial setup?
About two years ago, people focused on the on-prem side of things, but now the cloud version is gaining popularity.
The solution has so much to offer that it becomes a little bit complex. Every infrastructure is different, and you need a customized solution as per the infrastructure design. CyberArk has a lot to offer. It has a lot of buttons to push in terms of security, so it becomes a little bit complex when you are deploying it for a big organization.
During on-prem deployments, we followed specific steps for the right deployment process. The order of deployment is crucial, such as deploying necessary components first and then setting up CPM policies. This order is essential whenever deploying CyberArk.
Two to three years ago, its integration was difficult. We had to take different routes to integrate those solutions, but now, we see a lot of plug-ins. For example, Microsoft Sentinel does have a CyberArk plug-in.
What about the implementation team?
For deploying a CyberArk solution, you would need at least two security analysts, two to three system admins, and one network administrator. The security admin provides the right infrastructure and access. The network administrator helps with all VLANs or separate segmentation for specific sites or resources. The security admin works on the CPM policies and more.
In terms of maintenance, like any other solution, it requires keeping an eye on it and any updates. You would need someone to support it.
What was our ROI?
A strong identity and access management solution aids in navigating significant incident responses or breach situations. Omitting important solutions can be highly costly. Implementing a privileged access management solution can help avoid such expenses.
Its value can be seen after one or two months of proper implementation. It makes the life of a security admin easier.
What's my experience with pricing, setup cost, and licensing?
I focus more on the technical side, but I hear customers say that if CyberArk was more affordable, they might have acquired more licenses. Some clients consider alternative solutions due to pricing concerns. If CyberArk could address this, it would help in offering their solution to additional customers.
What other advice do I have?
With a PAM product, most customers want to block access to critical assets and have a strong policy set. They also look for cost-effectiveness.
For a financial organization, even a compromised password can trigger a domino effect in terms of exposure of sensitive information, leading to a failure to meet specific compliances being followed in a specific region. They might have to let consumers know. Having an effective PAM solution can save a company from such a situation. Generally, it is not that the solution is not efficient. It is usually that the implementation is not done correctly. Every infrastructure is different, so you need to have a proper plan and make sure it is implemented as per your industry requirements.
CyberArk Privileged Access Manager helps with compliance to a certain extent, but it is not a compliance solution. For compliance, we still rely on other solutions.
I tell my clients that having an additional piece of PAM helps protect against threats and provides an extra layer of security. Identity and access management are fundamental in cybersecurity. Done right, it offers peace of mind and safeguards against unauthorized access to sensitive information. In the financial sector, where data is highly sensitive, exposure to bad actors can lead to significant breaches and potential damages. A breach can cost a million of dollars.
I would rate CyberArk Privileged Access Manager an eight out of ten.
Makes privileged access management easy with automation and granular control
What is our primary use case?
I started as a CyberArk administrator for a fairly large bank in the US. They are a large global company. They formed a US branch, and I was the sole CyberArk administrator there. They had a basic CyberArk setup, and that is where I gained my initial experience before moving on to consulting.
My first consulting gig was for two and a half years with a defense contractor. They had a very complex environment. The complexity is typically gauged, especially for PAM products, by the number of passwords being managed. Many organizations have 10,000 or 20,000, whereas this organization had 750,000. This included the number of machines required to rotate all these passwords and integrations with their API and SailPoint to provision and de-provision users. We initially helped them change from a standalone vault architecture to a clustered vault architecture for high availability failover. Once we completed that, our work expanded, similar to being the IT person for the family—each task leading to another. This extended our engagement.
How has it helped my organization?
CyberArk Privileged Access Manager provides granularity. You can break things down into individual safes. You have specific access to safes by individual or group. The interface is with AD, with LDAP, or with local CyberArk passwords. You also have the ability to establish policies for your individual credentials. If you want them rotated at a certain time of day or you want the password complexity to forbid certain characters, you can create a new policy and fine-tune those elements. It provides excellent granularity because you can control all the factors related to password complexity requirements, password rotations, allowed connections, etc.
CyberArk Privileged Access Manager’s ability to safeguard the infrastructure is extremely important. Otherwise, clients would be keeping passwords in Excel spreadsheets. Consider having an isolated, non-domain joined vault that cannot be accessed from DNS. The vault itself takes over control of the local Windows Firewall and even things as simple as emails. It keeps the ports closed. If it is time to send out a notification to someone, it opens the port, sends the email, and closes the port. It cannot get any more secure than the vault system of CyberArk. People who land on a user credential and try moving laterally throughout your network, scraping RDP connections or hashes, will never find any information about how to get to the vault because it is non-domain joined.
CyberArk Privileged Access Manager is excellent for meeting compliance and regulatory requirements. The need for compliance is the main reason why organizations implement a PAM solution in the first place. They have to be SOX compliant in terms of log retention, audits, and even video recordings of people's actions. They all have varying retention periods depending on the organization.
CyberArk Privileged Access Manager provides operational efficiency with automation. It saves a lot of time for password rotations, managing SSH key rotations, and doing automated discovery at periodic intervals to reach out to your servers and check which credentials are there on those servers. If they are not managed in CyberArk, they are added to your CyberArk queue to be onboarded and automatically managed. These things save a lot of time throughout the organization.
What is most valuable?
Many people underestimate the value of these tools because they treat them as simple automated password management. Once you realize the volume of passwords in your organization and factor in nonhuman passwords, you realize its value. Last year, CyberArk Impact cited 45 nonhuman passwords for every human password. If you have 10,000 employees, you can imagine the number of passwords. There are also many other operations. For example, you have a Qualys scanner that needs to reach out and touch all your endpoints and scan them for vulnerabilities. They use an API call to CyberArk to pull out a Privileged credential that allows them to log in to that target. This is an automated machine call. It is tapping into CyberArk to get that credential. There can be hundreds of thousands of those operations a day. You do not want to manage those passwords by hand. Some people marginalize the significance of such a solution by saying that it is just a fancy password changer. It goes well beyond that, especially with API calls and automation. Its importance extends beyond merely changing passwords; it involves automation, API calls, and process integration, crucial in agile environments for standing up new Amazon servers or other processes needing privileged credentials. CyberArk can automate these tasks into their build processes.
Another critical feature is the proxy service via Privileged Session Manager (PSM), providing not only a proxy between your user and the target servers, protecting against malware but also offering session recording. Many companies I have worked with implemented a PAM product as a knee-jerk reaction to SOX audit requirements. They discovered they needed session recording and retention for regulatory compliance. This has become a major factor for clients instituting CyberArk, so PSM is a big deal in addition to regular password rotation.
What needs improvement?
CyberArk reporting is notoriously poor, offering about 5 reports out of the box. I am certified in Delinea, which includes 60 reports plus a custom report generator out of the box. Improved reporting would be beneficial.
For how long have I used the solution?
I have used CyberArk Privileged Access Manager for seven years.
What do I think about the scalability of the solution?
I encountered some unique challenges while working with a client managing 750,000 credentials because the underlying MySQL database is not exactly enterprise-level, unlike Oracle and Microsoft SQL Server. MySQL is free, and CyberArk's updates are infrequent. They went through many iterations starting with version 7 but did not update the underlying database version until version 12. We experienced database response and connectivity issues due to having too many credentials. That was a very unique case and a very large implementation, but they did have to do some tweaks to the database.
They also had an issue where they had too many passwords in a single safe. It is like the old Windows limitation where you can only have 512 entries in a particular folder. I had never seen that before, and that was because CyberArk retains the previous x number of password revisions for any given password. If you have 20,000 passwords in a safe, it also saves the last ten iterations of that password for each one, so you technically have 200,000 passwords in that safe. CyberArk literally issues a warning if you exceed 300,000. I have never seen that in my life, and it happened with one client. It caused the replication to the DR server to fail. We saw that in the logs, and then we had to do the math. They had 40,000 passwords in this one safe, and it was saving the last ten iterations of each password object. That means they had 400,000 password objects in this safe. They exceeded the limit. I do not expect to see this kind of issue again, but it happened.
How are customer service and support?
When your client base grows from a few hundred to over three thousand, the number of tech support calls increases drastically, which is understandable. The support structure is tiered: L1, L2, and L3. L1 personnel follow a set procedure to gather information and logs. If they cannot solve the issue, it escalates to L2, possibly involving live sessions. Only complex problems reach the L3 experts in Israel. This normal tiered support approach can delay resolution, resulting in frustration. Response time is not ideal, and reaching someone knowledgeable can take time. It could be forever until you talk to someone who knows what they are doing.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
Its primary competitor is BeyondTrust, which is not very highly rated based on the feature set. There is senhasegura, a company from Brazil. They are new to America. They are barely making their way in now. ForgeRock has been around for a while, but CyberArk's closest competitor in terms of feature set and Gartner ratings would be Delinea. I am currently assigned to Delinea at my client. I have been working with that for the past year. I do see some benefits. There are certain things I like better about CyberArk, and there are certain things that are better about Delinea, but both of them are pretty competent.
How was the initial setup?
It is quick because CyberArk follows the 80:20 rule. If you can get domain admins and local administrators into CyberArk, that is 80% of your exposure. That is a very quick turnaround. That can be a matter of a couple of months.
There is a specific order required to implement components: the vault is installed first, followed by CPMs, PVWA, and then PSMs. It is a fairly straightforward process, with some necessary preparation for the servers. CyberArk has incorporated scripts over the years, particularly for complex PSM setups because you have to utilize AppLocker scripts to enforce or specifically allow executables. Customization requires file reconfiguration and rerunning server hardening scripts. PowerShell scripts are now available to aid automation. Understanding the configuration and exceptions in scripts remains important for effective customization.
In terms of integration, out of the box, it has integration with Windows and Linux. They have a Telnet connector. It is a matter of CPM connectors being able to talk to the various systems and rotate their credentials because each operating system is different. AIX is different from HP. UNIX is different from Linux which is different from Windows. Windows is different from the mainframe. They have a lot of connectors out of the box, and they also have a plethora of additional connectors on their marketplace, which is their common website. Some of them are verified by CyberArk and some are not. They periodically review the ones that are uploaded based on the amount of time they have. Eventually, a connector could be certified by CyberArk. The big difference is whether a connector is officially supported by CyberArk or not. CyberArk does not address your support ticket if it is not a vetted connector.
Connectivity from SailPoint to CyberArk is done through SCIM servers. CyberArk has its own SCIM server set up, complete with documentation, for establishing that. I have done that before. When people are onboarded, most people in a lot of organizations get assigned an administrative credential so that they are not reaching out to target servers with the same credentials they use to log into their computers. As soon as they are onboarded, SailPoint sends over REST API calls through this SCIM server to create a safe for this person based on agreed-upon nomenclature. The account creation and assignment of permissions are done through calls and are automated.
What was our ROI?
Last year's Impact estimated the cost of an average breach to be nine million dollars. Once you have a breach, customers are hesitant to use your goods and services because you have had a major issue. It is difficult to put a price on your name going downhill.
The time savings primarily come from shifting from manual to automated management for all your passwords. With other tools such as Okta where you have self-service for resetting your own passwords and things like that, the average savings is 12 minutes, which is six dollars for a password reset, and you can extrapolate that over your organization. You do not really do that with CyberArk because it is managing the credentials. The manual work of managing all these credentials as opposed to the automation is where your time savings come in, but savings are difficult to calculate.
What's my experience with pricing, setup cost, and licensing?
CyberArk has been Gartner's number-one pick for the past ten years, so you can infer that their pricing is higher than everyone else. When you are the best, you will charge appropriately for it. It does get fairly granular because they have separate licensing based on the number of users, the number of API call accounts that you can have, and the number of disaster recovery servers you can have in the system. A license is broken down into so many subcomponents.
They have a core product covered in the license. It includes the vault, the CPM that rotates the passwords, the PSM that does the proxying and the session management, and the PVWA, which is the web interface. Other things like Privileged Threat Analytics, Endpoint Privilege Manager, and other tools are bolt-ons with their own licensing. It gets a little hectic. At one point, they were offering a flat fee that was exorbitant at the time, like a million dollars, and you got everything, but they do not do that anymore. It is piecemeal now, and you have to pay for all different areas of licensing, which is problematic.
What other advice do I have?
CyberArk recently introduced an identity bolt-on product. PAM tools and IAM tools are broadening their horizons to become a one-stop shop. Okta has a PAM solution which is not very effective but it is an attempt to be an all-in-one shop. CyberArk Cloud has gained traction, particularly among small to mid-size companies not needing the full customization and feature set of the tool. As with most cloud offerings, CyberArk's Cloud service expects out-of-the-box usage, with vendors maintaining and upgrading the system, limiting customization. This offers a viable solution for companies without significant on-premises needs, saving costs on servers and full-time employees.
I would advise evaluating whether you can manage with the cloud version's feature set, as it is simplified and requires minimal on-premises resources. An on-premises connector minimizes firewall rules and facilitates cloud communication, allowing the on-premises connector to interact with other targets. Delinea's cloud offering similarly requires an on-prem component called a site connector. If a simplified cloud feature set suffices without extensive customization needs, choose the cloud version to potentially save money, eliminating the need for assets on-premises and full-time employees for upkeep.
If someone thinks that they do not need a privileged access management tool because they are already using other security tools, I would wonder what features their tool is providing. Does it have account discovery and onboarding? Does it have proxying, web recording, and retention for videos of people accessing their assets? Does it support automatic pass or remote rotation? I would like to compare feature sets.
CyberArk Privileged Access Manager has not helped reduce the number of privileged accounts. In most organizations I have joined, users have their own account for logging in, and in the interest of security, a separate administrative account is created that gets vaulted in CyberArk. So, they have doubled credentials because people have a normal login plus an administrative login for doing privileged activities. You also have to factor in roughly 45 nonhuman privileged accounts or identities for every human identity because of your scanners, robotic process automation, and automatic agile builds from your CI/CD tools. All of these nonhuman factors are also reaching out and getting credentials from CyberArk. The point of a PAM system is not to reduce the number of privileged accounts. The point is to find accounts that are already in your system with account discovery and make sure they are managed by the tool. That extends to things like SSH keys. Most organizations have no clue how many SSH keys they have in their environment. CyberArk offers SSH key management as well. So, it does not reduce the number of privileged accounts. If anything, it encourages people to have more because they now have a tool to do all this work for them, and they do not have to do it manually.
I would rate CyberArk Privileged Access Manager an eight out of ten.
Session recordings and timestamps make activity monitoring easy
What is our primary use case?
I work in the cybersecurity team. We typically provide access to other end users or IT administrators through this solution. We monitor their activity on servers, provision access, and review all logs.
By implementing this solution, we wanted identity management and access management.
How has it helped my organization?
Over these three years, there have been a lot of improvements. User management is more efficient. The interface is user-friendly, and I can create comprehensive reports.
What is most valuable?
Session recordings and timestamps are valuable features. They allow me to specifically select the time a particular command was executed, so I do not have to review the entire recording. I can click on events to determine where and when they happened.
What needs improvement?
We are looking for improvements in user provisioning, such as access provisioning and revoking access. We still have to test these improvements in the latest version.
Updates have been somewhat difficult, resulting in challenges when moving from one version to another. The current version includes automatic updates for minor patches, which should be easy.
For how long have I used the solution?
I have been using the solution for more than three years.
What do I think about the stability of the solution?
It has been stable so far, so I would rate it a nine out of ten.
What do I think about the scalability of the solution?
Its scalability is very good. It is in the cloud, so we can just expand it. I would rate it a nine out of ten for scalability.
How are customer service and support?
We haven't used customer support so far apart from implementation.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
I have not used any PAM solutions apart from this one.
How was the initial setup?
Its implementation was very complex. It needs different servers and setup parameters involving load balancers, certification, encryption keys. The implementation took more than a month.
It requires maintenance once in six months and has been hard previously.
What about the implementation team?
It was implemented by inhouse staff with oversight from vendor.
What was our ROI?
When it comes to compliance and audits the ROI on this is very good.
What's my experience with pricing, setup cost, and licensing?
Licensing is little hard as they are perpetual and can't be used from a pool of resources.
What other advice do I have?
I would recommend implementing CyberArk Privileged Access Manager as it is the best so far.
I would rate CyberArk Privileged Access Manager an eight out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Makes periodic password rotations and access management easy but needs better UI and simplicity
What is our primary use case?
I use CyberArk Privileged Access Manager to manage privileged access within the organization.
By implementing CyberArk Privileged Access Manager, we wanted the management of periodic password rotation, management of privileged access, and discovery of privileged access.
How has it helped my organization?
CyberArk Privileged Access Manager’s ability to safeguard credentials for our organization is very important because it helps in managing the keys to the kingdom, especially the privileged access for various platforms. It is quite important for the organization, and it is one of the must-have applications. It plays a key role in managing privileged access for the organization.
We are able to manage close to 20,000 accounts without many cases by using out-of-the-box features available in CyberArk Privileged Access Manager.
CyberArk Privileged Access Manager helps in meeting certain compliance and regulatory requirements and closing any gaps.
CyberArk Privileged Access Manager has not helped reduce MTTR. When we have an incident with CyberArk, it takes time for us to recover. There is always an increase in MTTR because of the complexity of the CyberArk infrastructure itself.
From an operational efficiency perspective, CyberArk Privileged Access Manager has reduced a lot of manual work, such as changing passwords and managing privileged access accounts manually. By automatically rotating passwords within a set period of time, it streamlines many processes. It has improved operational efficiency for privileged access, but managing the infrastructure is one of the things that we are working on. It is a complex product.
CyberArk Privileged Access Manager has not helped reduce the number of privileged accounts in our organization. Privileged accounts are the key entities within CyberArk. There has not been any decrease in the number of privileged accounts, but there are areas that we, as an organization, have not touched, such as cloud infrastructure, etc. We are working closely with CyberArk engineers to have them onboarded and manage those privileged accounts through CyberArk. That is in our road map.
What is most valuable?
The most valuable feature is platform management. It is quite easy to manage privileged access for certain target platforms with CyberArk Privileged Access Manager as compared to other products I have worked with.
It is very out-of-the-box and straightforward to configure periodic password rotations and access management for the platforms my organization is working with. That makes things easier in terms of what needs to be done. We do not have to spend time troubleshooting and working with support to figure out why something is not working, which is what I have personally done with other competitors.
What needs improvement?
One area for improvement is the user interface. It needs significant enhancements. It is outdated and does not align with the stress and challenges happening across the IT products landscape regarding user experience. CyberArk definitely needs to improve user experience and reduce complexity.
It is quite complex. CyberArk needs to reduce complexity. The product is currently very complex and challenging to understand without training. The product should be user-friendly and easy to use. CyberArk should understand that a product should not require training after a customer subscribes. Hence, user experience should be given the utmost priority.
Maintaining the infrastructure is not easy. Patching CyberArk Privileged Access Manager when there is an update or patch release requires professional services due to the complexity of the product. It takes us three months to six months to do an upgrade. For managing or monitoring the infrastructure, CyberArk Privileged Access Manager does not have any inbuilt tools. We have to rely on other tools which CyberArk does not recommend. There is no other way to monitor those infrastructure components. It is quite taxing and resource-intensive. For an organization of our size, at least five people are required to work full-time with CyberArk and monitor and maintain the infrastructure.
For how long have I used the solution?
I have been using CyberArk Privileged Access Manager for more than two years.
What do I think about the stability of the solution?
Regarding the stability, it is pretty stable. We do not need continuous management. The performance is also very good for the size of our organization and the user base we are working with. We have not had any performance issues so far.
What do I think about the scalability of the solution?
It is not easily scalable due to the on-premises infrastructure we use. It is not elastic like cloud-based solutions.
We have approximately 6,500 users. We have sized the environment accordingly. As an organization, we have done our own risk assessment to understand how CyberArk will grow in the next three years. We sized the environment accordingly so that there are no performance issues if it grows vertically or horizontally.
How are customer service and support?
We use their premium support, but we do not get the value for the price we pay for the support.
For some questions, CyberArk support recommends professional services, which takes us on a financial route. From a customer perspective, it is unclear why I need to reach out to professional services for certain issues. If I have straightforward questions, I get answers from technical support easily. However, there have been instances where we were redirected to services requiring additional payments to get certain questions answered or receive suggestions.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
In my previous organizations, I have used multiple products. I have also worked in a company competing with CyberArk. I worked on the development of a competitive product for CyberArk.
I also implemented a competitor product in another organization which is listed as a leader alongside CyberArk. It was much easier to work with in terms of user experience compared to CyberArk. It was pretty easy to use and could be self-learned.
How was the initial setup?
Its implementation is complex. If a new customer is onboarding CyberArk as a product to manage privileged access, it is quite complex.
Its integration is pretty straightforward. There are many out-of-the-box connectors. There are also a lot of connectors available in the marketplace to have CyberArk integrated with various systems. For a particular connector, testing to production took close to six weeks.
What about the implementation team?
As CyberArk always recommends, we went with one of their partners to implement it within the organization.
We have three key engineers within the team responsible for managing the entire CyberArk architecture. They handle monitoring and management. They also work with other business units to have the privileged access vaulted and determine the road map for privileged access management. They also help in performing certain day-to-day business activities or tasks.
What was our ROI?
It took us close to three years to see its value and understand why it was chosen over other solutions.
What's my experience with pricing, setup cost, and licensing?
I have heard from my leaders that CyberArk is costlier in terms of licensing. The support and maintenance are also costly. We use their premium support, but for the price we pay, we do not get the value.
What other advice do I have?
CyberArk Privileged Access Manager is pretty costly, and it takes a lot of time to implement it. It is quite complex to implement CyberArk Privileged Access Manager, but once it is properly implemented, with the user community that is available with CyberArk, it is pretty straightforward and easy to use. Once implemented, it does provide value for the organization.
I would advise sizing it appropriately and building the infrastructure accordingly so that it is scalable. When it is sized properly in terms of CPU, RAM, memory, and disk size, it works smoothly without requiring specific maintenance, such as clearing logs. That is what I would recommend to any of my peers or colleagues working in other companies.
I would rate CyberArk Privileged Access Manager a six out of ten. Four points are deducted because of its complexity.
Which deployment model are you using for this solution?
On-premises
Safeguards credentials, improves security posture, and reduces IT resources
What is our primary use case?
The main use of CyberArk Privileged Access Manager is to manage identities and access for our clients. We mainly focus on use cases like managing shared accounts, automatic password rotation, and recording sessions.
Its quite difficult to track for client who has access and at what time, which activity was done with that account, especially for built-in administrator accounts and Shared accounts.
Automatic password rotation is another use case. CyberArk Privileged Access Manager has the capability to rotate automatic passwords in the defined period of time. CyberArk Privileged Access Manager is also used for recording and session monitoring .
With CyberArk DNA, we can discover the accounts and their associated dependencies and usage.
How has it helped my organization?
Data is secure. The passwords are stored in an encrypted format. The data privacy is very high, and it is quite challenging for someone to retrieve credentials from CyberArk Privileged Access Manager.
With Privileged Threat Analytics (PTA), which is a different component in CyberArk, you can put some additional control. For example, you have an account onboarded on CyberArk. If someone wants to access the system without using CyberArk and copying a password, which they might have stored in the notepad or their system, an alert gets triggered. There is also an additional control for ad hoc admin access if someone wants to access an admin privilege or and want to access some critical application after business hours. PTA provides more control.
It improves the overall security posture and provides more control. We have better governance. Credentials are stored in the safe vault.
It reduces the need for IT and help desk resources. There is a streamlined change process without relying on the L1 team to reset the admin account credentials. There is also better compliance and segregation of duties. We can meet the compliance requirement for retention of logs, password rotations, etc. It helps client to meet different compliance requirement / standards, such as HIPAA, SOX, ISO 27001, etc.
With no manual intervention, there is also a reduction in human errors. Based on the number of available accounts for the organization and the user entitlement, that is 300 to 400 hours.
It improves operational efficiency. With the control that we have with CyberArk Privileged Access Manager, there is a reduction in the manual effort for validation of the admin accounts. Without it, a person has to extract the accounts from the servers and revalidate them with the owners or approvers. That is quite tricky.
It can help to reduce the number of privileged accounts. For example, if the Windows team has 10 or 15 members with individual accounts. It is better to create one shared account based on their role such as L1, L2, or L3, reducing it to 2 accounts. It will reduce the number of privileged accounts in the organization as well as threats.
What is most valuable?
The main feature of CyberArk Privileged Access Manager is the ability to manage who has access to what and when, especially with shared accounts. With individual accounts, that is easy, but with shared accounts, it is quite challenging for clients.
The sessions are being monitored based on the Safe design and the ownership of a respective Safe. And its maintain individual accountability, Also check-in and check-out the passwords.
What needs improvement?
The reporting should be improved. There should be more customization. The report should show how we are going to mitigate the risk because we cannot show the system environment to each and every auditor. Some kind of custom report should be there so that we can give a clear output about the risk.
There should be improvements in the dashboard visibility within CyberArk Privileged Access Manager. It should give more visibility in a single go rather than having to compare different reports.
Furthermore, having out-of-the-box dependency discovery for accounts, such as scheduled tasks , services and application pools, would be beneficial to improve overall functionality.
For how long have I used the solution?
I have a total of 16 years of experience, and I have been working with CyberArk for about twelve to thirteen years.
What do I think about the stability of the solution?
There have been no stability or performance issues as long as the design meets the requirements. It is essential to adhere to the recommendations for concurrent session capacities.
What do I think about the scalability of the solution?
The solution is quite stable and scalable. It does not seem to have any gaps.
How are customer service and support?
The technical support from CyberArk is quite impressive. They are responsive and provide detailed information when needed. I would rate them a nine out of ten because sometimes there are delays due to different reasons or misunderstandings.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
I have worked in CyberArk, Delinea, CA PAM, ARCON, and BeyondTrust. I am parallelly working on other PAM tools along with CyberArk. I started to work in CyberArk PAM since version 7.1.
How was the initial setup?
For on-premises, there is complexity due to the need for physical servers and cluster configuration, which might require going to data centers. However, after several deployments, it becomes less challenging. A cloud deployment would be easier.
Its integration capabilities are quite good. We are using CyberArk identity as a multifactor authentication with RADIUS. That is quite impressive because, with one dashboard, we can manage the users' identities.
In terms of the deployment strategy, we first identify the scale and then design the solution. If the number of admins is high, there will be more concurrent sessions and recordings.
It is not tough to maintain. We once had an issue because of human error, but overall, it is easy. For 8X5 support, five members should be there.
What about the implementation team?
For a large-scale deployment, two to three people are sufficient.
What was our ROI?
The cost savings vary based on the organization. A larger organization will definitely have more cost savings with the reduction in the manual effort in managing the accounts in the system.
What's my experience with pricing, setup cost, and licensing?
The pricing is slightly higher compared to other solutions, but it is reasonable because there are better security features. Initially, it was based on endpoints, now it is based on the number of users, which offers cost savings based on administrative accounts.
What other advice do I have?
I would recommend CyberArk Privileged Access Manager. My recommendation would be to ensure that the benefits of the solution are highlighted by presales, such as risk mitigation and meeting compliance posture.
The overall rating for CyberArk Privileged Access Manager is ten out of ten.
Which deployment model are you using for this solution?
On-premises
Personalized assistance, session recording and monitoring capabilities make it the best option for us
What is our primary use case?
The primary use case for CyberArk Privileged Access Manager in our organization is to ensure we move away from named identity admin access, which lacks protection such as MFA and other features offered by cloud privileged identity management solutions. Our goal was to protect anything on-prem related to Active Directory privileged access, so we chose to go with CyberArk Privileged Access Manager.
How has it helped my organization?
I am the cybersecurity lead in my organization. Every single year when we do the audit, one of the things that consistently comes up is how there are hashes floating around the environment. Since switching over from named admin-privileged identities to CyberArk PAM identities, like PAM accounts, there have been almost no breadcrumbs left behind. There are no hashes and that sort of thing. We hardly see any hashes floating around the environment. We have not done the audit yet, which is due next month, but I have been keeping an eye on the hashes and it is looking promising.
What is most valuable?
The session recording and monitoring capabilities are valuable. We have real-time session management ability to record, audit, and monitor any privileged user activities. That is a big deal.
Automatic credential rotation and granular access control for target resources accessed by admins add to the value.
Seamless integration with the SIEM, especially Microsoft Sentinel, is valuable.
Lastly, the platform's versatility allows for the use of different types of platforms beyond just RDP and SSH, including SQL and web applications.
What needs improvement?
There is room for improvement, particularly with Vendor PAM. We were previously using a competitor product that allowed vendors to manage their own teams. CyberArk has brought a feature called Vendor Team Manager, but it does not provide full access. It requires the vendor team leader to be onboarded as a local account instead of using their email address. Improvements could be made to onboard the vendor team leaders using their email, allowing them to manage their own team. That would greatly reduce the overhead in managing vendor team members. We have 50 to 100 vendors. Each vendor has at least 10 to 20 accounts., so we are talking about 500 to 1,000 accounts. It would be easier if we could just manage those 50 vendor team leaders rather than hundreds.
For how long have I used the solution?
We have been using CyberArk Privileged Access Manager for six months, having started on the first of July.
What do I think about the stability of the solution?
Stability has been impressive. We have not experienced downtime for any reason. We did encounter one bug, but it was resolved once a patch was applied. The system is very stable and seamless. It requires minimal intervention to maintain high functionality.
When we took over as system owners of CyberArk, I thought every single time there was an update, we would have to stay up the night to do the patches and make sure it worked, but it has been very smooth and seamless. There is no friction. Everything has been taken care of at the back end, and we have not had to do anything out of hours. It has been very good.
I would rate it a ten out of ten for stability.
What do I think about the scalability of the solution?
So far, scalability has been excellent. Initially, we deployed the architecture for 10 to 20 users, but we have onboarded 30 users while still on that mid-tier configuration. We have had no issues.
Being a mining company, we do have operations at various sites. That includes multiple sites in Australia as well as a couple of sites in Northern America. We do have multiple sites with critical infrastructure on every single site.
At the moment, we have 50 user licenses, and so far, we have onboarded 30 users. We have 20 more users and some more coming on board in the new year.
I would rate it a ten out of ten for scalability.
How are customer service and support?
CyberArk's support is excellent, providing personalized assistance through a dedicated local account manager and sales engineer. Their responsiveness is impressive, even though our location is quite isolated. We receive prompt support, which often exceeds expectations.
The dedicated local account manager has been providing us with personalized assistance tailored to the unique challenges that we have as a mining organization. The sales engineer supported us with his expert technical guidance during the deployment as well. It has been amazing. Both of these guys ensured smooth implementation.
For any issues that are not important, we raise tickets for customer support, and they have been very responsive. They get us back promptly. That is something unheard of because we are a very isolated city in Australia. Ours is the most isolated city in the world. The nearest city to us is 2,400 kilometers away. For someone like us, the support has been amazing. Sometimes, with other vendors, we have to wait a couple of days to hear back from them, but CyberArk has been exceptional in coming back to us with immediate responses. Their support has been perfect. I would rate them a ten out of ten.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
Previously, we used BeyondTrust. We decided to switch to CyberArk due to its superior support, scalability, adaptability, and the local presence of account managers and sales engineers, which facilitated a smooth and effective experience.
While other products in the market may offer certain features at a competitive price, they often compromise on support, scalability, and adaptability. The main thing for us was the support. CyberArk combines top-notch technical capabilities with the local human touch of the local account managers and sales engineers. That was a big thing for us because that ensured a smooth and effective experience throughout the journey, which other products lacked.
We are in the West of Australia, and all the competitors are in the East. The only way to communicate is over the phone, and we would only see them once or twice a year. Having local account managers and a sales community was a game changer. Also, considering the reputation and the gold standard for Privileged Access Manager, others cannot compete with CyberArk.
How was the initial setup?
It is a fully SaaS model, but because of the way CyberArk is architected, we do have our jump servers, PSM connector servers, and Secure Infrastructure Access servers in Azure, but it is not self-hosted. It is a cloud solution.
The jump start that was offered as a part of the product licensing was a game changer. When it comes to CyberArk, the complexity is quite high. That comes with security. Security and usability do not go hand in hand, but we have had help throughout our journey. The initial setup was detailed and supported actively by CyberArk's jump-start engineer. Every question was addressed, and the deployment was well-structured.
To realize its benefits, we had to wait until the users were happy using the PAM accounts. The individual privileged identities were still being used, so it took almost three months. That was the time it took for us to onboard the PAM accounts, hand over those accounts to the users, and confirm that it was working as expected.
In terms of maintenance, I thought there was going to be a lot of maintenance because we are the system owners, but so far, it has not skipped a beat. All the updates were very smooth. We did not have to do any work installing the patches, apart from underlying Windows patches, which is the sysadmin's job. If sysadmins are able to patch them, the product is resilient enough to come back up and do its function. Any updates related to the product itself are installed in the background, and it is very transparent for the user. It has been very seamless.
What about the implementation team?
CyberArk's jump-start engineer played a crucial role in our successful deployment. He helped us all the way. Even now, about six months into the journey, he is helping us out with a few bits and pieces. Having that jump-start there was a game changer.
What was our ROI?
During our quantitative analysis, we estimated potential savings of one to ten million dollars a year by using a PAM solution. A cyber breach relating to admin-privileged access could lead to a financial loss of ten million dollars. If a standard user account is breached or compromised using their credentials, they cannot escalate to our higher privilege ones or cannot move laterally within the network. That was a game-changer.
What's my experience with pricing, setup cost, and licensing?
CyberArk Privileged Access Manager is perceived to be somewhat overpriced compared to similar market products. It is a little bit overvalued. It could come down a little bit for my liking. However, the industry-leading reputation and the quality of service justify the high price point to some extent.
What other advice do I have?
I would highly recommend CyberArk Privileged Access Manager. It is a leader in the privileged access management space, offering robust tools to secure credentials across IT and OT environments. We are very heavy on OT environments. It has been nothing but the best.
I would rate CyberArk Privileged Access Manager a ten out of ten.
Which deployment model are you using for this solution?
Public Cloud
The ability to ensure compliance with both our internal and industry standards is invaluable
What is our primary use case?
I use CyberArk Privileged Access Manager to manage the privileged credentials of our environment.
How has it helped my organization?
When I arrived at my company, CyberArk Privileged Access Manager was already deployed, so I didn't set it up myself. However, I've increasingly taken over its management during the past five and a half years. I saw its benefits almost immediately. Much of the value is tied to user adoption; as the end-user base becomes more familiar with CyberArk and embraces it, the benefits increase. Conversely, when we have users who know CyberArk exists but don't trust it, prefer their own methods, and avoid using it, its effectiveness is reduced. Ultimately, the more users embrace CyberArk, the greater the benefits I observe.
What is most valuable?
The best feature of CyberArk Privileged Access Manager is its core function: automatically managing and securing credentials. The ability to ensure compliance with both our internal and industry standards is invaluable, particularly in the current environment. While managing a couple of thousand accounts may not be a large number within the CyberArk community, it significantly simplifies our work in ensuring compliance and maintaining standards. The PSM feature is also excellent, as I've found it increasingly helpful in establishing connections without exposing passwords. Although a bit clunky when I used it a few years ago, it runs much smoother now. Overall, it's a great product, and I appreciate most of its features.
What needs improvement?
We use the privileged cloud model. However, transitioning from a traditional on-premises deployment to the privileged cloud has resulted in losing access to many logs and administrative tools typically available on the back end. For instance, we can no longer examine safes directly, delve into the vault to set permissions more granularly, diagnose port issues, or manage license allocation. These functionalities were readily accessible with our on-premises setup, but the cloud environment significantly restricts them. One highly desirable feature, for which I've seen an enhancement request already submitted, would be the implementation of more comprehensive logging around platform and policy changes, including details on the nature of the change when it occurred, and who made it. I recently encountered an instance where one of our platforms was altered without knowing when or by whom. This lack of auditability makes it impossible to understand the rationale behind the change, even though it appears relatively intuitive. Therefore, enhanced logging would be a valuable addition to our current system.
For how long have I used the solution?
I have been using Privileged Access Manager for five and a half years.
What do I think about the stability of the solution?
Generally, the performance of CyberArk Privileged Access Manager is quite good, and we've experienced very few issues. Specifically regarding the PSM, the response time is typically excellent. However, some users have reported occasional timeout issues where the PSM session terminates unexpectedly. The source of this problem is unclear, as it could originate from the target server or the PSM server itself. While I encountered more issues with the PSM a couple of years ago, the response time has significantly improved recently. There are inherent challenges due to the multiple network connections involved, mainly when mapping network drives to transfer files within a PSM session. This connection can be slow, especially when enumerating folders during file system traversal, but it's likely an unavoidable consequence of the process.
What do I think about the scalability of the solution?
Scalability is straightforward. While the initial deployment presents some challenges, deploying additional servers afterward is quite simple. The servers are robust in terms of their handling capacity. In discussions with CyberArk engineers, I learned that the expected load for the CPM and PSM was discussed. The CPM, in particular, can reportedly handle up to 50,000 accounts independently without issue. Given that we only have a couple of thousand accounts rotating, deploying an additional CPM would be a relatively easy task, achievable in less than a day. Therefore, scaling up appears to be quite feasible if necessary.
How are customer service and support?
We subscribe to premium support, and it's been excellent, providing us with relatively rapid responses and overall good experiences. Previously, with regular support, the quality was inconsistent and heavily dependent on the technician assigned to our ticket. Some technicians were excellent, diving right in, carefully reading my notes, and offering helpful solutions. Others seemed to overlook the details I provided. For instance, I'd explain that I'd already consulted a specific knowledge base article and implemented the recommended solution without success, only to have the technician suggest I review that very same KB article, which I had just referenced.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
What other advice do I have?
I rate CyberArk Privileged Access Manager eight out of ten.
The connector servers require minimal maintenance. The only constraint is keeping the browser drivers up-to-date for web application connections, which can be more of an annoyance than a hindrance. Overall, there is not much maintenance involved for CyberArk Privileged Access Manager.
My advice for new users is to read the documentation. There's a lot of good information in there. I know it can be a bit of a drag to go through it all, but as you work, especially on the administrative side, you'll find that it contains a lot of information that can save you headaches. It would help you avoid opening tickets just by reading and following the guidelines. The documentation is pretty good, though not perfect; there are actually several errors. However, for most day-to-day activities, it's quite helpful.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Facilitates secure password rotation and out-of-band session management but the process for accessing RDP could be improved
What is our primary use case?
We currently use CyberArk Privileged Access Manager for password vaulting. Our roadmap includes managing service accounts, rotating passwords, and expanding to SSH keys, AWS keys, and other login credentials. We've already implemented local administrative accounts and rotated elevated domain administrative accounts. Additionally, we've integrated Okta for multi-factor authentication, using Okta Verify, and plan to expand this to workforce identity for broader end-user security and credential management.
What is most valuable?
CyberArk Privileged Access Management's most valuable features are primarily its password vault functionality, specifically CyberArk's Core Privileged Manager and Privileged Session Manager. These components facilitate secure password rotation and out-of-band session management, addressing our organization's critical security needs.
What needs improvement?
The current process for accessing RDP through the CyberArk or administrative portal involves downloading an RDP file. This is inconvenient for users and problematic due to security restrictions that prevent accessing servers via downloaded RDP files. Ideally, the process should allow for a direct RDP connection upon providing server details, eliminating the download step and streamlining access. This issue represents a significant challenge and source of frustration for users.
The product is complex and requires extensive configuration. More tutorials and detailed use cases with troubleshooting steps would be beneficial, particularly for first-time implementers. Despite the excellent customer service, resolving issues can be time-consuming due to the product's complexity. Compared to lightweight solutions like Okta, CyberArk requires more background experience and is not as straightforward to learn and implement.
For how long have I used the solution?
I have been using CyberArk Privileged Access Manager for almost five years.
What do I think about the stability of the solution?
The performance of CyberArk Privileged Access Management sometimes lags or crashes, but this is not a significant concern.
What do I think about the scalability of the solution?
We have not reached platform limitations yet, as CyberArk supports up to eight hundred platforms per tenant, and documentation is clear about scalability limits.
How are customer service and support?
Customer support has been very helpful and responsive. My customer success manager facilitated many calls with technical experts, efficiently resolving critical issues.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
How was the initial setup?
CyberArk's environment setup was straightforward, but we encountered issues during the Proof of Concept stage, specifically with PAM account discovery. While the CyberArk Manager displayed discovered accounts, we couldn't download the data into a usable format like an Excel sheet. This hindered our ability to identify efficiently and inventory discovered accounts, particularly from Windows systems, for phased onboarding. Although we eventually received instructions from CyberArk support on downloading the data, the process was complex and time-consuming. Simplified data export features would greatly benefit administrators.
What about the implementation team?
I received excellent support from CyberArk's technical team and customer success manager, who arranged calls and helped resolve implementation issues.
What's my experience with pricing, setup cost, and licensing?
Although CyberArk Privileged Access Management is expensive, its protection capabilities outweigh the cost.
Which other solutions did I evaluate?
I also evaluated CyberArk, along with Okta PAM and BeyondTrust, because it encompasses all the features we require, and Gartner recognizes it as an industry leader.
What other advice do I have?
I rate CyberArk Privileged Access Management seven out of ten.
To streamline project setup, new users should receive guidance on planning and implementation scopes. Scheduling a jump start without such direction can complicate learning.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Enhanced my organizational capabilities by providing important security reporting features
What is our primary use case?
The primary use case for CyberArk Privileged Access Manager is within the IT security industry. It manages privileged access and generates reports, particularly for clients in sectors like finance. The system facilitates account management, enables the generation of on-demand reports, and helps maintain security protocols for these clients.
How has it helped my organization?
CyberArk Privileged Access Manager has enhanced my organizational capabilities by providing important security reporting features.
What is most valuable?
The most valuable features of CyberArk Privileged Access Manager include its search capabilities. Searching was previously a challenge, especially with Windows servers. When searching, we could only search based on the account name itself, as the system couldn't identify which accounts had access to which systems. This functionality caught my attention. Another standout feature is CyberArk Compass, which is planned for an upcoming release or has potentially already been released for Prisma Cloud. Finally, managing user accounts through the PWA is quite helpful. When a user is suspended, we can activate the account using the PWA instead of the private client.
The ability to manage user accounts and suspend them with ease through Password Vault Web Access rather than a client is a significant feature.
I like the integration with tools like Compass and the ability to search based on account names and systems.
What needs improvement?
My concern and area for improvement revolves around reporting. I even submitted an enhancement request to CyberArk Software, suggesting that they include a dedicated dashboard page within either Privileged Cloud or their self-hosted PAM solution. This dashboard could feature visual elements like pie charts to display metrics such as account compliance percentages. For example, it could show PTA alerts to visualize security events occurring within a month, quarter, or year. Having such a feature would allow for on-the-spot report generation. Currently, we rely on the REST API to invoke and pull the necessary information. We then have to manually copy the data, convert it from JSON to Excel, and generate the desired report and dashboard. This process is time-consuming and sometimes leads to inconsistencies in the information provided.
For how long have I used the solution?
I have been using CyberArk Privileged Access Manager for six years.
What do I think about the stability of the solution?
The stability of CyberArk Privileged Access Manager is generally good. Minor issues may arise, but they are typically manageable and not major. On a scale of one to ten, I would rate the stability an eight out of ten.
What do I think about the scalability of the solution?
My deployment of CyberArk is scalable, although the scalability differs depending on whether it's on-premises or cloud.
How are customer service and support?
Customer support is somewhat lacking. They are often unavailable on Fridays, and the support process, such as raising a call or case, can take too long. On a scale of zero to ten, I would rate their support as six out of ten.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
Before using CyberArk, I interacted with BeyondTrust. BeyondTrust features, such as their reporting simplicity, made it easier for me to generate reports. The switch was primarily motivated by cost considerations.
How was the initial setup?
The initial setup was detailed and required steps to ensure security measures were aligned with standards. Efficient sequencing, working with redundancy, and cooperation with load-balancing teams were crucial parts of the process.
The deployment took one week to complete because of the redundancy.
What's my experience with pricing, setup cost, and licensing?
The solution is expensive but not excessively so. Discussions with clients have revealed that costs, especially for Privileged Cloud, are a concern. Improved support could enhance the solution's overall value.
I would rate the cost of CyberArk Privileged Access Manager seven out of ten with ten being the most expensive.
What other advice do I have?
I would recommend CyberArk Privileged Access Manager because it is a leading solution for privileged access management. Although it has room for improvement, particularly in areas like reporting and support, it remains a solid option. I rate it an eight out of ten.
We have deployed CyberArk Privileged Access Manager using various configurations. For instance, active components are located in one location, while passive components reside in another. This is determined by the route to the virtual machine, as the components operate as virtual machines. The primary vault is situated in a separate location, and the disaster recovery vault is placed in another distinct location. Currently, we have a PAM license for 800 users, but we are utilizing it for 650 users.
CyberArk Privileged Access Manager maintenance addresses security bulletins and involves several key steps. We ensure the admin utilizes the security bulletin during maintenance, which begins with raising a change request. Before the change is approved and implemented in production, it is thoroughly tested in a test environment to verify its functionality. Deployment to production follows successful testing. Application-specific maintenance for CyberArk follows the product roadmap, ensuring we remain at most one version behind the latest release. We also promptly apply necessary security patches from security bulletins. Furthermore, from an OS perspective, we maintain alignment with the latest Microsoft patches, ensuring all systems are up-to-date and secure.
Which deployment model are you using for this solution?
On-premises
Privileged Session Manager offers session recordings, logging, and tracking of user activities
What is our primary use case?
I am a senior manager, and we have multiple clients for whom we deploy CyberArk Privileged Access Manager. We also manage or upgrade their instances. We handle migrations and new implementations. We take care of anything related to CyberArk.
What is most valuable?
The feature that I like the most is the Privileged Session Manager. It offers session recordings, logging, and tracking of user workstreams. It keeps a record of activities, allowing me to easily fetch screen recordings to detect any misuse and see who did what and what happened. Its benefits can be seen immediately after the deployment.
What needs improvement?
Based on the user experience that I see on a day-to-day basis, some changes could be made to the Privileged Session Manager tool to make it more user-friendly. The user interface of that tool could be more advanced and understandable to laymen, rather than being more of a developer tool. I would recommend more user-friendliness there.
CyberArk is more focused on the cloud solution. They are not going towards on-prem, but a lot of clients still like the on-prem solution. With the cloud implementation, you have a lot of dependencies on expert services. When you get into some issues, you have to wait for expert services. They usually reply in two to three days. That is something CyberArk needs to make better. If they want clients to move to the cloud, they need to support them in real-time. The client should not be waiting for two days to get a response for the issue. If CyberArk wants people to pay for cloud services, they need to make the cloud services much more real-time.
For how long have I used the solution?
I have been using CyberArk Privileged Access Manager for approximately six years.
What do I think about the stability of the solution?
CyberArk Privileged Access Manager is a stable solution. I have never faced any issues with stability.
What do I think about the scalability of the solution?
CyberArk Privileged Access Manager is a scalable solution.
How are customer service and support?
I have contacted their support a lot of times. The quality of support is okay, but the time frame for replies should be much faster than it is currently.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
I have not used any similar solution for PAM. However, for managing the accounts, we have used some password management solutions such as 1Password, but they do not give you the accessibility and different components that PAM provides. They are just for password storage and keeping the passwords safe. A PAM solution from CyberArk or BeyondTrust solution provides a lot more than that, so we cannot compare them. There is no comparison.
How was the initial setup?
I have deployed it both on the cloud and on-prem. My one client is on-prem, and another one is on the cloud.
The initial deployment depends on how extensive it is. For one client, it was quite easy, but after the deployment, it was tricky to deploy the components for AEM, EP, and CCP. On-prem implementation is much easier than the cloud. Cloud solutions require better and more immediate support. Cloud deployment is challenging due to dependencies on expert services.
It requires a bit of maintenance but not that much. Once you deploy the solution, it works, but there are always new upgrades. For example, if you deploy a web connector for web applications and Chrome releases an upgrade, you have to see whether CyberArk is supporting that upgrade or not. Accordingly, you have to update the drivers and other things for the web applications. The same goes with PSMP and SMP. If there are any version upgrades or any vulnerability patch fixes, you have to perform maintenance.
What about the implementation team?
We help customers deploy it.
The duration depends on how big the instance is. To deploy all the components, the duration can range from three to six months.
It can be deployed by one person, but it also depends on how many instances of servers you are deploying, what is the concurrent usage, how many users are being onboarded, and what components you have. There is PSM. There is EPM and PSMP. It depends on what exactly the client requires. These are some factors that determine the time frame and number of people required.
What's my experience with pricing, setup cost, and licensing?
From a client perspective, CyberArk's pricing is fair but there is a significant increase each year. They should limit the price increase because this could potentially drive customers to other partners. Price changes should be at defined intervals. There should not be sudden jumps.
What other advice do I have?
I would rate CyberArk Privileged Access Manager an eight out of ten.