Reviews from AWS customer

8 AWS reviews

External reviews

123 reviews

External reviews are not included in the AWS star rating for the product.


4-star reviews

    reviewer2695500

Improves compliance and operational efficiency

  • April 16, 2025
  • Review provided by PeerSpot

What is our primary use case?

We're using CyberArk Privileged Access Manager to manage our service accounts, privileged service accounts, and password rotation. We also use Conjur.

How has it helped my organization?

CyberArk Privileged Access Manager has helped our organization remain compliant in the privileged access management space. It is very helpful for meeting compliance and regulatory requirements such as SOC, SWIFT, and PCI DSS.

CyberArk Privileged Access Manager has helped us become more efficient in managing these service accounts.

CyberArk Privileged Access Manager feels quite secure in ensuring data privacy.

CyberArk Privileged Access Manager has a very strong potential for preventing attacks and lateral movements, but it has not had an impact one way or the other on the number of privileged accounts in our organization. They are just managed differently.

What is most valuable?

CyberArk Privileged Access Manager makes it easy for users to retrieve and manage their passwords.

I have been using CyberArk Privileged Access Manager for a few months. I am still learning, and I appreciate all the networking and education at the CyberArk Impact in Boston, which is going to set me up for success as I take on my role.

What needs improvement?

In CyberArk Privileged Access Manager, the UI has room for improvement, as does the dashboard reporting, which could be made better or easier to use. The interface needs to be more intuitive in CyberArk Privileged Access Manager. There should be dashboards in CyberArk Privileged Access Manager with more data and reporting capability for the non-compliant scenarios.

For how long have I used the solution?

My company has been using it for a long time; I have been using it only for a few months.

How are customer service and support?

I have not had any support experience with CyberArk at this point in my journey.

I found the CyberArk Impact event to be much more effective as an educational experience.

How would you rate customer service and support?

Positive

What was our ROI?

The time-to-value for CyberArk Privileged Access Manager was recognized pretty quickly after implementing it.

What's my experience with pricing, setup cost, and licensing?

I hope to learn how the pricing works so that I can understand it better, but I am certain it is not inexpensive.

What other advice do I have?

It is absolutely necessary to have a PAM tool like CyberArk Privileged Access Manager, even if someone is using other security tools.

Based on my experience thus far, I would recommend CyberArk Privileged Access Manager to other users.

I would rate CyberArk Privileged Access Manager as an eight out of ten. It is early in my journey with this solution.


    reviewer2694921

Improves risk management with recorded sessions and flexible workflows

  • April 14, 2025
  • Review provided by PeerSpot

What is our primary use case?

My use cases for CyberArk Privileged Access Manager are specifically for privileged access management. We are using it along with other products. They have access management, their own certificate manager, and other managers. CyberArk Privileged Access Manager is for privileged access for users who require more than normal access, such as administrators and engineers. We can rely on this tool to manage that access.

How has it helped my organization?

You can see the benefits of CyberArk Privileged Access Manager immediately. This is risk management. You are not getting any features from the tool. It's not something that you are installing because you want it, for example, ChatGPT. With CyberArk Privileged Access Manager, you're getting control. You're not getting any additional features for your platform or systems. You are just controlling the risk. Users can't do what you aren’t allowing them. They can't make any change without approval, so it controls risks. Once you see that value, you're controlling what the privileged users in your system are doing.

What is most valuable?

The most valuable feature I find in CyberArk Privileged Access Manager is that we can record the sessions. It provides flexible workflows. I can change the workflow to specify if it needs one approval or two approvals, and I can approve my peer. We can record sessions for external people who want or require privileged access to our systems. That is very flexible. We can record what people are doing in the platform.

What needs improvement?

I find it hard to mention a point of improvement because I'm happy with the platform. The only thing I would say is that they can improve their price.

For how long have I used the solution?

I have been using CyberArk Privileged Access Manager for three years.

What do I think about the stability of the solution?

Regarding the stability of CyberArk Privileged Access Manager, I have seen a couple of times that the server was not available. In three years, it has only been a couple of times. It has high availability and low impact. In terms of the platform, it is stable.

What do I think about the scalability of the solution?

The scalability of CyberArk Privileged Access Manager has been good; the only thing is the license. The platform is very scalable, but you need to get more licenses in terms of users.

How are customer service and support?

I don't handle that kind of interaction, but my engineer does. Sometimes it requires escalation, but I have not heard of any complaints from him in terms of the support received. It is good.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have used Delinea but not in this company. I prefer CyberArk over Delinea.

How was the initial setup?

It is not that easy. You need to load the users and platforms that you will be using. You need to teach the users how to do it. It requires some change management. It is a bit complicated, but it is expected. It is not just plug-and-play.

Its maintenance depends. You can have an on-premise solution or you can have a cloud solution. We have an on-premise solution, so it requires some maintenance on the infrastructure.

What about the implementation team?

Its implementation requires a team effort.

What's my experience with pricing, setup cost, and licensing?

With the current model of licensing, for my use cases, sometimes it's hard to convince the management and get budget approvals for it. It's expensive and you're not getting anything new. It's just a control, but in terms of risk, you are covering a big impact on the company. Improvement in the licensing prices is something I would want to have.

What other advice do I have?

I would rate CyberArk Privileged Access Manager as an eight out of ten.


    AnantUpadhyay

Privileged access management escalates efficiently with robust access control and remote connectivity

  • March 14, 2025
  • Review provided by PeerSpot

What is our primary use case?

We use CyberArk Privileged Access Manager for privileged access management (PAM) escalation, securing our website, and applications. Our cybersecurity team actively utilizes its features.

What is most valuable?

The PAM escalation is valued. The access control feature and privilege and role-based assignment are outstanding. Dividing the user admin for security protection is the best feature. Additionally, its remote access allows easy connection for my team, and it efficiently manages identity.

What needs improvement?

Initially, it was challenging to understand and use all the features incrementally. Having a better user journey with a support team to connect would improve the product and services.

For how long have I used the solution?

I have been using CyberArk Privileged Access Manager for about eight months in our company.

What do I think about the stability of the solution?

The solution is quite stable. We have not faced any issues related to stability since using CyberArk Privileged Access Manager for eight months.

What do I think about the scalability of the solution?

CyberArk Privileged Access Manager is scalable. As a startup, it initially handled fewer users, but it scaled well as we grew.

How are customer service and support?

Technical support was fast in its replies and always supportive, helping to resolve any issues efficiently.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We used miniOrange, an Indian-based cybersecurity product for access management and PAM escalation. We also used one more product, which I don't remember the name of.

How was the initial setup?

The initial setup was straightforward due to well-documented resources and tutorials.

What about the implementation team?

Our cybersecurity team, comprising two to three people, worked on the deployment and feature implementation.

What's my experience with pricing, setup cost, and licensing?

The pricing is quite well-structured with monthly and weekly plans.

Which other solutions did I evaluate?

I evaluated miniOrange and one other product.

What other advice do I have?

New users should watch the YouTube channel, read the documentation, check the resource section including CyberArk University, and see if it works well with their product. I rate the overall solution a nine. My overall product rating is 9 out of 10.


    Shad Smith

Simplified access to credentials with continuous updates for better security

  • March 05, 2025
  • Review provided by PeerSpot

What is our primary use case?

We use CyberArk Privileged Access Manager to provide a protective layer for our infrastructure, as well as for our customers.

Additionally, the audit functionality that it provides is used as protection for our employees. It offers evidence, so if there's any question about wrongdoing, there's proof that the job was done correctly.

How has it helped my organization?

It's predominantly addressing challenges around reducing open access to critical infrastructure and providing a mechanism to control who can get to what and with what credentials.

It's improved the organization by making it easier to access privileged accounts. There are so many accounts needed by most people now and to have a tool that can not only store those credentials for you, but manage them and give you easy access to them, has made life a lot easier. The removal of the need to manage and maintain those credentials and cycling passwords regularly is a pain for anybody. The tool manages all of that for you whilst giving you a simple means to use them.

What is most valuable?

The most beneficial feature in CyberArk Privileged Access Manager is its simple user interface. It is definitely advantageous. I also appreciate the enhancements that come along with the continual updates that are provided.

It has improved the organization by making it simpler to gain access to privileged credentials. There are so many accounts needed by most people now, and having a tool that can not only store those credentials for you but also manage them and give you easy access has made life a lot easier. The tool manages credential cycling, which is typically a pain for anybody, while providing a simple means to use them.

The solution is very good for protecting full levels of data privacy. We silo out different parts of the solution for access to different types of infrastructure in the same way we would to our customers so that we can restrict who can get to something. In combination with our IM processes, we can be quite granular about who has access to what.

We can stay updated on regulations. The updates that are coming through help to keep the product secure and also add in updates and enhancements that give greater functionality and keep it relevant in terms of requirements.

The controls are fairly granular. We can control who can administrate it and who can use it and what they can use when they're using it. It has positively impacted visibility. As we leverage the product for administration of the product, we're able to be much more granular in how we provide the access. The audit controls allow us to see who is doing what, and when, should it be required.

It safeguards credentials. This is very important. The ability to have the product manage and maintain credentials and only provide them to authorized individuals, whilst not actually allowing them to retrieve those credentials, has become more paramount as we look to increase the security based on sort of ongoing real-world threats.

It's helping with compliance, specifically around securing and hardening of infrastructure. It allows us to harden while still maintaining usability.

In terms of operational efficiency, it depends on where you're coming from. Some things are more efficient, some things are a little less efficient yet more secure. It's that ongoing balancing act between operation efficiency and security that we must deal with.

We've been able to reduce the number of privileged accounts in the organization with the ability to have shared accounts. Since the credentials are not specific to a user and they're made available to a user for the duration of their session, we can reduce the number of privileged accounts we have within the organization. We've reduced the accounts by a half to a third between ourselves and our customers.

What needs improvement?

I would like to see an easier way to define delegated roles within the administration of the core product. There is granularity within the tool, however, it is not simple to define those specific delegated roles.

For how long have I used the solution?

I have used the solution for about nine years; it's been quite a while.

What do I think about the stability of the solution?

We have had some performance and stability issues. We have had instances where things weren't as they should be, however, we worked closely with the development support teams once the issues were escalated and managed to find either a resolution or a workaround to stabilize the solution. Typically, it is fairly stable.

What do I think about the scalability of the solution?

Initially, we found some issues with scalability, however, over time, the guidelines and recommendations from the vendor have changed. By working closely with the available guidelines, the scalability is absolutely fine.

How are customer service and support?

The customer service is generally quite good, although if it's more complicated, you have to wait for it to be passed back to their dev support, which can take more time. For simpler issues, the turnaround is relatively quick. If more complicated, it can take longer to get the right level of support.

However, the support they provide is usually good, particularly their dev guys, who certainly know what they're talking about.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

Before CyberArk Privileged Access Manager, we didn't have a PAM product itself. We were using Citrix to provide remote access, but the need to move into the PAM space arose to provide extra security and audit control.

Although I wasn't involved with the process, there was a competition to define which product would be used, and the CyberArk Privileged Access Manager product came out on top.

How was the initial setup?

The initial setup is relatively straightforward once you've done it. It is certainly a lot easier to repeat. We have multiple instances of the on-prem deployed, so we've done it a few times now.

What about the implementation team?

The deployment involved approximately four or five people, based on role separation. In a smaller organization, it could likely be done with one or two people. However, due to the need to separate functions for design, implementation of the service, product implementation, network and firewall requirements, and IAM processes for all accounts, several people are required to ensure these functions are covered.

What was our ROI?

From a security perspective, we started seeing value right away because we didn't have a PAM solution at the time. Over the next sort of months and years, we settled into the product and started to look at how we could make it work for us. This has been an ongoing process over the years, particularly with product enhancements and new features, which provide additional benefits against the incurred costs.

What's my experience with pricing, setup cost, and licensing?

I'm not involved in the pricing.

Which other solutions did I evaluate?

About a year ago, we started looking at potential alternatives. There were two others that were considered and were ruled out for various reasons before looking at additional proof of concepts to see what other features could be leveraged from CyberArk Privileged Access Manager that we weren't using. It managed to pass all of the requirements.

What other advice do I have?

We have customers for various industries and use the product internally ourselves. We are in the IT sector and provide services to organizations in a variety of sectors.

It's definitely worth looking at as a PAM tool. I would steer towards the SaaS version since everything suggests that it is potentially a better way to go than on-prem. However, on-prem would still be suitable for those who must control and own their data.

It's still worthwhile implementing, and overall, I'd probably give it an eight out of ten.


    DerrickAkankwasa

Improved security infrastructure and reduced risks through comprehensive credential management

  • February 25, 2025
  • Review provided by PeerSpot

What is our primary use case?

My company partners with CyberArk. I come from a service provider standpoint, so I don't use CyberArk within my company, however, I implement and support it for customers.

Through the CyberArk partnership, I am certified in CyberArk. I perform activities such as demonstrations, presentations, deployments on-premises, and cloud solutions.

CyberArk is now a comprehensive identity security solution. My interaction with CyberArk is mostly on the implementation side for our customers, focusing on design and integrating it into customer environments.

It's used in industries such as banking and finance.

What is most valuable?

I find the discovery feature, which includes credential management, session management, monitoring, and remediation within a session, to be very valuable. It can remediate bad activities occurring in sessions. It offers good management and monitoring as well as good remediating within a session to help users remediate within managed sessions. There's good auditing and activity monitoring.

The session monitoring helps enhance security protocols. With it, users can have more control over what's happening within the session. You have more visibility and can restrict certain activities from happening, such as someone running a malicious command or someone trying to open or edit some sort of platform configurations. You can also send notifications and remediate or terminate sessions. Monitoring helps you build in policies around how to build policies around what's happening within a session.

The implementation of CyberArk impacted our customers' compliance with the regulatory standards in a positive way. Now customers are very happy since they can ensure credentials are compliant. In terms of password management complexity, since they're managing everything through CyberArk, they're able to create complex passwords. The user doesn't really need to remember passwords since the session is entirely being launched through CyberArk. That means that they're able to have much more compliant account management within an organization. They're also able to run reports as well as activity and compliance reports in terms of data related to accounts. It is much easier when you have a tool that manages that. Before CyberArk, having reporting and visibility around usage of accounts was really tricky. In terms of compliance, it's able to cover that by giving just a whole overview of accounts within the organization.

CyberArk incorporates AI to improve Privileged Access Management. It's consistently improved as well. They do have a previous threat analysis analytics engine, which also can ingest logs from a SIEM solution if it's in place at the customer site. It's able to ingest this information and then give much more correlated security events. This module, the privileged analytics, is able to utilize behavior analytics and AI-related capabilities to be able to give security alerts to the teams. They can action alerts, or even automate to be able to have things blocked or terminated. For example, if someone changes their location. It has a geolocation that's able to then trigger maybe a password or QR code or email with a verification code to check it's that person. It utilizes AI capabilities or behavior analytics capabilities to have capabilities like that enforced.

It has the most plug-ins. Maybe thousands. So in terms of integration within different customer environments, it's much easier compared to the competition. CyberArk is a pioneer for PAM. They've always been the leader in terms of research and development and bringing new capabilities to the PAM. It will be able to cover 99.9% of most use cases.

What needs improvement?

In terms of improvement, since I am familiar with the product, there are no major issues.

However, customer feedback suggests that unless it's on-premises, complaints about resources are justified as it enhances security with multiple functionalities. The managed cloud deployment option by CyberArk is easier to manage. Resource issues could be mitigated by choosing this option.

I suggest adding more plugins and systems, which are often introduced later. Essentially, as long as capable personnel manage it, the solution works well.

They should continue refining it and adding more dashboards and reporting features. Improved user-friendliness, granularity, and functionality would enhance the product further.

For how long have I used the solution?

I have been using the solution for maybe four or five years. I would say it's closer to four years.

Which solution did I use previously and why did I switch?

At the moment, I work with CyberArk mostly. I haven’t interacted much with other solutions like Imperva, as other engineers have taken over those responsibilities.

What about the implementation team?

We are resellers, working ideally with partners, and I am certified with CyberArk. I am a certified delivery engineer for CyberArk PAM, and my experience is vast with the projects and teams I've been involved with.

What was our ROI?

When looking at Privileged Access Monitoring, many IT administrators have access to numerous privileged accounts, which increases the attack surface. CyberArk's PAM solution manages these credentials, providing value by reducing risks like data breaches or financial losses. The return on investment lies in improved security infrastructure, addressing over-privileged access, and reducing the risk of credential compromise, which is a major source of data breaches.

What other advice do I have?

We're a service provider and offer services to customers that acquire CyberArk. I come from a design perspective for those implementing CyberArk.

The company is open and shares information with partners. They inform us about new versions and allow enhancement requests through a portal. Many enhancements have come through this channel. If they keep going this way, everything will be good with CyberArk.

I'd recommend the solution to others.

Overall, I would rate the product nine out of ten. They've been the leader in PAM for maybe six years.


    Nawaz Sarwar

Helps monitor activities and rotate passwords, also it's very customizable

  • February 21, 2025
  • Review provided by PeerSpot

What is our primary use case?

Our main use cases are to monitor all privileged accesses. It can be HTTPS, LDAP, SSH, or SQL management, so anywhere we have privileged access, we want to monitor it and place it under CyberArk.

How has it helped my organization?

Its monitoring capabilities are good. Whenever the end users start their session, it quickly allows you to monitor. However, if there are no firewall rules, it creates a video, but it does not take all the audit logs. For audit logs, you need firewall rules. It is very well described in their documentation. At the start, they communicate this to clients. The documentation is well-defined.

What is most valuable?

The features that are most effective, like every PAM solution, include monitoring and password rotations.

The best thing about this solution, especially on-premises, is that we can interact with it directly. If we need to develop something, we are allowed or can do it by ourselves, which is most effective for us as administrators. It is not a black box. We have the ability to customize, especially the connection components.

What needs improvement?

There are some options in the web portal where they can improve the user experience. For example, in remote, there is a parameter called 'access to remote machine.' When we put host names in that field, we are not able to search it. It would be useful if a search feature was there to check if a machine is already onboarded. When we onboard a few machines in the same domain using just one account, we put the domain name in the address field and host machine names in the remote access parameter. However, we are not able to search within that field, which makes it difficult for us as admins to know if a machine has already been onboarded.

Other than that, I do not have any areas for improvement. Whenever we find any bugs or have a need for a feature, we open a ticket with them. They usually work on that if the same request has also come from other people. They are already good at doing that.

For how long have I used the solution?

I have been working with CyberArk for almost six to seven years.

What do I think about the stability of the solution?

The solution is very stable. If you install the solution with CyberArk's guidelines, it remains stable. I also offer 24/7 services, and in three years, I have received two or three calls from clients indicating the solution was not working. It means the solution is very stable.

What do I think about the scalability of the solution?

It is scalable. If a client has 100 users and wants to add 100 more users, it is possible. They can make it bigger and smaller, depending on their needs.

Our clients are medium enterprises.

How are customer service and support?

Their technical support is good. They provide solutions and also the documentation if you ask. If you cannot find something, they point you to the right documentation. With support, I have never found any problems.

How would you rate customer service and support?

Positive

How was the initial setup?

There is a lot of complexity if we are installing the solution on-premises. On the cloud, there is no such complexity, but on-premises, it is complex because there are different components like Vault, PVWA, PSM, and CPM. There are many components, and we need to follow a sequence to install these products. One needs a good knowledge of these components to install because we cannot just follow the documentation and install it. The documentation is vast. First, we need to read all of it. For first-time users, it is a bit difficult, but with experience, it is not a big deal. In terms of ease of use, I would rate it a six out of ten for on-premises and a nine out of ten for the cloud.

The deployment model depends on the clients. Our clients from banks usually use it on-premises. Clients in other fields do not want to install the machines on-premises because that is resource-consuming, so they go for the cloud deployment.

With the cloud deployment model, the clients need to deploy fewer components in their infrastructure. Vault and PVWA are already in the cloud, but other components like PSM, CPM, and PSMP are on-premises. It is not that all the infrastructure is on the cloud. There are a few components that are on-premises. However, in the case of on-premises, all the components are on-premises inside the infrastructure of the client, and they are responsible for maintaining that.

What was our ROI?

Our clients have seen an ROI.

What's my experience with pricing, setup cost, and licensing?

If you want a Ferrari, it will cost you. The solution is really nice, so it costs the client, but in the long run, it is very good. If you buy a solution that costs a lot to maintain because it is not stable, and you are frequently asking for consultant support, it costs more. It is better if the client spends a little more money initially. In the long run, it is very good.

What other advice do I have?

My recommendation depends on your needs and what you want to achieve. If you just want SSH, LDAP, and basic monitoring, you can consider other solutions like Wallix or One Identity, which cost less. If you need a lot of customization, such as you want to put in a lot of HTTPS ports and change the passwords of internal applications, this solution is much better than others.

I would rate it a nine out of ten.


    Sathesh-Thangaraju

Offers comprehensive session monitoring and is worth the price

  • February 18, 2025
  • Review provided by PeerSpot

What is our primary use case?

The use cases include end-to-end privileged access and session management and complete password rotations. All the privileged accounts are secured within the vault, monitored, and rotated from there.

How has it helped my organization?

It helps manage non-human or application accounts used in scripting or containers. All can be managed in CyberArk. They have Secrets Manager as well.

What is most valuable?

Session monitoring includes recordings of all activities performed. For instance, if I connect to a server, whether it is Windows or Linux, and perform some activities, all actions are recorded. It is a video recording.

It can integrate with Splunk, SNMP, and other solutions and technologies. We have integrated it with Splunk for the audit logs.

What needs improvement?

Its price might be high for some people, but the quality is top-notch.

Their support can be better. Their SLA timings are higher than others. If Delinea has an SLA time of three days, CyberArk is going to have an SLA time of five days. They do not breach the SLA.

For how long have I used the solution?

I have been working with this solution for around eight years.

How are customer service and support?

Support is available through different models, depending on the license agreement. Dedicated customer support personnel can be assigned to specific clients. Additionally, professional service hours are available for purchase.

Typical case resolution can take between a week and two weeks, although priority cases may be resolved in a day. There are different levels of support. Initially, a case goes to a level one engineer. If unresolved, it escalates to level two and then to R&D if needed.

CyberArk has a large number of customers. If you compare it to other vendors, they are doing better than CyberArk because their numbers are less, so they are able to support in a better way. With CyberArk, we have a longer waiting time.

How would you rate customer service and support?

Neutral

How was the initial setup?

There are two models: on-premises and cloud. For on-premises, we have virtual machines hosted on Hyper-V, but physical servers are recommended by CyberArk. Installation requires technical expertise.

SaaS deployment is faster than on-premises because most of the components are handled by CyberArk. The deployment is faster in SaaS, but the cost of SaaS is a bit high. They have different licensing costs.

What was our ROI?

From my perspective, the capabilities the tool provides match the investment. For small businesses, the price is fair compared to other tools. While the cost may be higher, I believe it is a top-tier solution.

What's my experience with pricing, setup cost, and licensing?

It is a leading solution and one of the best SaaS solutions in the market. CyberArk is good at what they do, and the price reflects that. You have to pay the price for the same.

The price can vary based on the capabilities you need. We are paying a fair price for our environment. Compared to other solutions, its price can be high, but you are getting the best solution available in the market.

For 1,000 SaaS licenses, 100K euros might be required.

What other advice do I have?

I would rate the solution a nine out of ten.


    Shubham Likhankar

Vaulting and seamless connection enhance security and streamline operations

  • January 22, 2025
  • Review provided by PeerSpot

What is our primary use case?

My first use case is seamless recording and seamless connection to the area target, as well as the recording of ten sessions with command restriction. This is the first use case.

Secondly, I can perform password rotation without needing to know or use the password of the privileged account. I can connect and rotate my password as needed. Various customers have password rotation for each day.

These are the two main use cases currently employed: password rotation and a seamless connection to end targets with the recording feature.

How has it helped my organization?

It's a one-stop solution. Whatever I need, whether securing identity, web applications, privileged accounts, RDP, Windows, Linux, or other devices like switches or firewalls, CyberArk supports it fully. It eliminates the need for me to search for other solutions.

Its identity compatibility with CyberArk Identity Solution provides extra security, including free MFA with the licensing cost. Premium accounts can increase security using the EnCon Privileged Manager. CyberArk's integration with PaaS solutions makes it the most comprehensive solution, eliminating the need for me to explore other Gartner solutions.

What is most valuable?

The best feature is vaulting. CyberArk has a separate vault, which is their proprietary vault, which provides multiple encryptions for every password object, as well as tamper-proof recording. Recordings are sent to the vault. This is the best feature since all data and security we have are situated in the vault.

CyberArk provides me with a single account page to access all endpoints or privileged accounts, simplifying connection without the hassle of password maintenance.

What needs improvement?

I sometimes require learning resources when there is a new solution for CyberArk. I need to mark favourite accounts or group accounts which point to needed improvements. Some users wish to bypass providing a reason when logging into some target servers.

Additionally, some users could be excluded from certain requirements, but this is not currently possible. A gradual setting could be added to exclude users from regular routing, allowing direct access without entering a reason.

Also, improving the support process is necessary. They are focusing on cloud solutions instead of on-prem. They are taking two to three days for resolution, which is too slow. Customers, including myself, do not want to wait this long for solutions. It is vital for CyberArk to focus more on enhancing support, though CyberArk is committed to monitoring customer reviews and is making progress in its solutions.

For how long have I used the solution?

I have deployed and implemented CyberArk for various customers. I have been installing and deploying CyberArk to different clients and regions for more than four years.

What do I think about the stability of the solution?

In my four years of experience, I did not encounter any glitches or big problems in CyberArk. I have only encountered minor issues, such as a learning curve, which cannot be changed. There are also a few items that are mandatory and not optional in terms of being able to change things. Even if the customer does not want it, it is a one-stop solution.

Apart from these minor issues, CyberArk is perfect for daily operations when compared to other solutions. It secures my organization despite some mandatory features that clients do not want.

I'd rate stability nine out of ten.

What do I think about the scalability of the solution?

I'd rate scalability ten out of ten.

How are customer service and support?

I'd rate the technical support seven out of ten.

I have experience with CyberArk support, where I had some unresolved issues. The support provided me with a different solution, which was unrelated to my request. The support staff appeared lacking in technical knowledge, which resulted in dissatisfaction for both myself and the customer. Consequently, they hired partners and services to manage their CyberArk application.

How would you rate customer service and support?

Neutral

How was the initial setup?

The initial setup depends entirely on the investment. CyberArk consists of several components, such as four to five for a standard setup or eight to ten for distributed or high-availability configurations.

This increases investment costs. SaaS, which requires fewer components, might be chosen yet comes with disadvantages, as Vault and PVWA come with the application. Compared to on-prem solutions, it's a bit more expensive; however, it gives more rights to the customer.

The initial setup is straightforward. The customer can use it almost right away.

The process might take 20 minutes with troubleshooting all the way up to three months for a full project.

Most of our clients are bigger enterprises.

CyberArk does not need any maintenance. It deploys custom management, so you don't require anything beyond an administrator that can handle any downtime. It automatically upgrades.

What about the implementation team?

Our team currently consists of up to ten members working, depending on the project's requirements.

What was our ROI?

The ROI is a big concern. It's a total solution, and most customers are totally satisfied with their solution right now. Most customers are satisfied with having this single solution, having initially wanted different solutions. After experiencing CyberArk and its demo, customers are fully satisfied. CyberArk's capabilities and functionality outperform other solutions.

What's my experience with pricing, setup cost, and licensing?

CyberArk is not inexpensive. It offers a two-way model: access is a licensing cost based on the number of users, and the implementation cost is handled by partners. Although it is somewhat expensive, paying only for licenses instead of the number of devices can be considered fair. Yet, it is not labeled as cheap; it falls somewhat on the expensive side.

CyberArk is a bit expensive and enterprise clients are the ones that are using it right now. It works well in big organizations with big architecture.

Which other solutions did I evaluate?

I have experience with CyberArk as well as other on-prem solutions. CyberArk offers numerous solutions. Compared to others, CyberArk's identity system is bundled with access solutions and securing privileged access. The admin gateway first checks user legitimacy before granting access to the PaaS solution or privileged accounts. CyberArk integrates various cybersecurity solutions, such as identity, endpoint privilege manager, and PAM solution, apart from VPN-less access and dynamic privilege access.

Other solutions only offer traditional features. CyberArk is progressing in AI and ML. It's allowing web applications and scripts to be onboarded without credential hassle. Hence, CyberArk is a leader in time solutions.

What other advice do I have?

Overall, I would rate the product a nine out of ten.

It's a one-stop solution. CyberArk has total support for everything, saving you from finding any other solution. You get strong security for your license costs.

I'm a partner of CyberArk.


    Abdul Durrani

Enables granular and secure access with just-in-time access and Zero Trust model

  • January 20, 2025
  • Review provided by PeerSpot

What is our primary use case?

We are a consulting company, and we provide consulting for solutions like CyberArk, HashiCorp, and similar offerings. I provide consultancy for various industries such as finance and hospitality.

Our clients use this solution for their critical assets and crown jewels. They want good identity and access management or privileged access management for their critical assets. A lot of mid-tier clients would have also implemented CyberArk on their servers if its pricing was better. Usually, they deploy it for their critical assets. They have implemented policies, just-in-time access, etc.

How has it helped my organization?

Having an efficient Privileged Access Management solution like CyberArk helps you stop bad actors early in the cyber attack chain process. You have an additional layer of security for your assets.

CyberArk Privileged Access Manager provides a good amount of granularity in giving access.

CyberArk Privileged Access Manager has a policy for blocking out everything as per the Zero Trust model, which can be helpful in a breach situation.

CyberArk Privileged Access Manager ensures data privacy by locking down your assets and recording each and every instance. That helps with the data information protection piece.

Privileged access management solutions like CyberArk Privileged Access Manager make it difficult for malicious entities to gain information or expose sensitive assets. Even if a specific asset not part of the PAM group gets breached, your critical information remains safe as access to specific resources or ports is not allowed. Implementing privileged access management in a way that blocks necessary threats makes it difficult for bad actors to access sensitive information.

What is most valuable?

The whole concept of Zero Trust and implementing it with CyberArk, which somewhat adheres to the 'never trust, always verify' principle, is very valuable. I really appreciate this aspect. Moreover, the just-in-time access is impressive, allowing access for a specific time.

Apart from CyberArk's PAM solution, I like CyberArk Conjur for secrets rotation. The constant rotation of secrets makes it hard for bad actors to gain access to environments.

What needs improvement?

CyberArk provides a good amount of control over access types. However, as a future enhancement, having additional features for cross-platform integration would be beneficial. It would be good to have integrations with other tools and firewalls, such as Zscaler and CrowdStrike. Although I am not fully aware of recent updates, more cross-platform integration would be valuable. A SOC analyst would like to have centralized access in terms of information flowing in even for privileged access management. They would like to have control over everything instead of opening four to five tabs for different sorts of information. Cross-platform integration would help with that.

Customers also want CyberArk's pricing to be better so that they can implement it further and have more licenses.

Implementing a privileged access management solution can be challenging. It would be great if CyberArk could provide recommendations based on the compliance standards of an organization. It would help system admins ensure that all the required ports are closed and the systems are being managed properly. If any system is not being used anymore, any ports opened for that system need to be closed. Having such recommendations would be helpful.

For how long have I used the solution?

I have been associated with CyberArk since it became popular two to three years ago. I have been working with CyberArk tools on the client side and the consultant or vendor side.

What do I think about the stability of the solution?

I cannot think of any stability issues.

What do I think about the scalability of the solution?

I cannot think of any scalability issues.

How are customer service and support?

In terms of tech support, I have had a positive experience with ManageEngine support, and I wish that a similar experience was there with other vendors and products. With ManageEngine, I appreciated the chat option. When I was stuck, I did not need to go through a dedicated portal or wait hours for a solution. A chat system providing quick access to a technical engineer, within four to five minutes, is very helpful.

I would rate CyberArk's technical support a seven out of ten.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I worked with HashiCorp, specifically HashiCorp Vault, and had collaborations representing CyberArk's perspective.

CyberArk focuses on privileged access management for enterprise security. They offer CyberArk Conjur, but if customers need secrets management or infrastructure automation, HashiCorp has a better solution with HashiCorp Vault. In terms of PAM, CyberArk excels. For Conjur-type products, HashiCorp is better. CyberArk caters to traditional infrastructures and security or IT admins, while HashiCorp has good cloud-native, DevSecOps, or DevOps services.

How was the initial setup?

About two years ago, people focused on the on-prem side of things, but now the cloud version is gaining popularity.

The solution has so much to offer that it becomes a little bit complex. Every infrastructure is different, and you need a customized solution as per the infrastructure design. CyberArk has a lot to offer. It has a lot of buttons to push in terms of security, so it becomes a little bit complex when you are deploying it for a big organization.

During on-prem deployments, we followed specific steps for the right deployment process. The order of deployment is crucial, such as deploying necessary components first and then setting up CPM policies. This order is essential whenever deploying CyberArk.

Two to three years ago, its integration was difficult. We had to take different routes to integrate those solutions, but now, we see a lot of plug-ins. For example, Microsoft Sentinel does have a CyberArk plug-in.

What about the implementation team?

For deploying a CyberArk solution, you would need at least two security analysts, two to three system admins, and one network administrator. The security admin provides the right infrastructure and access. The network administrator helps with all VLANs or separate segmentation for specific sites or resources. The security admin works on the CPM policies and more.

In terms of maintenance, like any other solution, it requires keeping an eye on it and any updates. You would need someone to support it.

What was our ROI?

A strong identity and access management solution aids in navigating significant incident responses or breach situations. Omitting important solutions can be highly costly. Implementing a privileged access management solution can help avoid such expenses.

Its value can be seen after one or two months of proper implementation. It makes the life of a security admin easier.

What's my experience with pricing, setup cost, and licensing?

I focus more on the technical side, but I hear customers say that if CyberArk was more affordable, they might have acquired more licenses. Some clients consider alternative solutions due to pricing concerns. If CyberArk could address this, it would help in offering their solution to additional customers.

What other advice do I have?

With a PAM product, most customers want to block access to critical assets and have a strong policy set. They also look for cost-effectiveness.

For a financial organization, even a compromised password can trigger a domino effect in terms of exposure of sensitive information, leading to a failure to meet specific compliances being followed in a specific region. They might have to let consumers know. Having an effective PAM solution can save a company from such a situation. Generally, it is not that the solution is not efficient. It is usually that the implementation is not done correctly. Every infrastructure is different, so you need to have a proper plan and make sure it is implemented as per your industry requirements.

CyberArk Privileged Access Manager helps with compliance to a certain extent, but it is not a compliance solution. For compliance, we still rely on other solutions.

I tell my clients that having an additional piece of PAM helps protect against threats and provides an extra layer of security. Identity and access management are fundamental in cybersecurity. Done right, it offers peace of mind and safeguards against unauthorized access to sensitive information. In the financial sector, where data is highly sensitive, exposure to bad actors can lead to significant breaches and potential damages. A breach can cost a million of dollars.

I would rate CyberArk Privileged Access Manager an eight out of ten.


    Sean Izor

Makes privileged access management easy with automation and granular control

  • January 20, 2025
  • Review provided by PeerSpot

What is our primary use case?

I started as a CyberArk administrator for a fairly large bank in the US. They are a large global company. They formed a US branch, and I was the sole CyberArk administrator there. They had a basic CyberArk setup, and that is where I gained my initial experience before moving on to consulting.

My first consulting gig was for two and a half years with a defense contractor. They had a very complex environment. The complexity is typically gauged, especially for PAM products, by the number of passwords being managed. Many organizations have 10,000 or 20,000, whereas this organization had 750,000. This included the number of machines required to rotate all these passwords and integrations with their API and SailPoint to provision and de-provision users. We initially helped them change from a standalone vault architecture to a clustered vault architecture for high availability failover. Once we completed that, our work expanded, similar to being the IT person for the family—each task leading to another. This extended our engagement.

How has it helped my organization?

CyberArk Privileged Access Manager provides granularity. You can break things down into individual safes. You have specific access to safes by individual or group. The interface is with AD, with LDAP, or with local CyberArk passwords. You also have the ability to establish policies for your individual credentials. If you want them rotated at a certain time of day or you want the password complexity to forbid certain characters, you can create a new policy and fine-tune those elements. It provides excellent granularity because you can control all the factors related to password complexity requirements, password rotations, allowed connections, etc.

CyberArk Privileged Access Manager’s ability to safeguard the infrastructure is extremely important. Otherwise, clients would be keeping passwords in Excel spreadsheets. Consider having an isolated, non-domain joined vault that cannot be accessed from DNS. The vault itself takes over control of the local Windows Firewall and even things as simple as emails. It keeps the ports closed. If it is time to send out a notification to someone, it opens the port, sends the email, and closes the port. It cannot get any more secure than the vault system of CyberArk. People who land on a user credential and try moving laterally throughout your network, scraping RDP connections or hashes, will never find any information about how to get to the vault because it is non-domain joined.

CyberArk Privileged Access Manager is excellent for meeting compliance and regulatory requirements. The need for compliance is the main reason why organizations implement a PAM solution in the first place. They have to be SOX compliant in terms of log retention, audits, and even video recordings of people's actions. They all have varying retention periods depending on the organization.

CyberArk Privileged Access Manager provides operational efficiency with automation. It saves a lot of time for password rotations, managing SSH key rotations, and doing automated discovery at periodic intervals to reach out to your servers and check which credentials are there on those servers. If they are not managed in CyberArk, they are added to your CyberArk queue to be onboarded and automatically managed. These things save a lot of time throughout the organization.

What is most valuable?

Many people underestimate the value of these tools because they treat them as simple automated password management. Once you realize the volume of passwords in your organization and factor in nonhuman passwords, you realize its value. Last year, CyberArk Impact cited 45 nonhuman passwords for every human password. If you have 10,000 employees, you can imagine the number of passwords. There are also many other operations. For example, you have a Qualys scanner that needs to reach out and touch all your endpoints and scan them for vulnerabilities. They use an API call to CyberArk to pull out a Privileged credential that allows them to log in to that target. This is an automated machine call. It is tapping into CyberArk to get that credential. There can be hundreds of thousands of those operations a day. You do not want to manage those passwords by hand. Some people marginalize the significance of such a solution by saying that it is just a fancy password changer. It goes well beyond that, especially with API calls and automation. Its importance extends beyond merely changing passwords; it involves automation, API calls, and process integration, crucial in agile environments for standing up new Amazon servers or other processes needing privileged credentials. CyberArk can automate these tasks into their build processes.

Another critical feature is the proxy service via Privileged Session Manager (PSM), providing not only a proxy between your user and the target servers, protecting against malware, but also offering session recording. Many companies I have worked with implemented a PAM product as a knee-jerk reaction to SOX audit requirements. They discovered they needed session recording and retention for regulatory compliance. This has become a major factor for clients instituting CyberArk, so PSM is a big deal in addition to regular password rotation.

What needs improvement?

CyberArk reporting is notoriously poor, offering about 5 reports out of the box. I am certified in Delinea, which includes 60 reports plus a custom report generator out of the box. Improved reporting would be beneficial.

For how long have I used the solution?

I have used CyberArk Privileged Access Manager for seven years.

What do I think about the scalability of the solution?

I encountered some unique challenges while working with a client managing 750,000 credentials because the underlying MySQL database is not exactly enterprise-level, unlike Oracle and Microsoft SQL Server. MySQL is free, and CyberArk's updates are infrequent. They went through many iterations starting with version 7 but did not update the underlying database version until version 12. We experienced database response and connectivity issues due to having too many credentials. That was a very unique case and a very large implementation, but they did have to do some tweaks to the database.

They also had an issue where they had too many passwords in a single safe. It is like the old Windows limitation where you can only have 512 entries in a particular folder. I had never seen that before, and that was because CyberArk retains the previous x number of password revisions for any given password. If you have 20,000 passwords in a safe, it also saves the last ten iterations of that password for each one, so you technically have 200,000 passwords in that safe. CyberArk literally issues a warning if you exceed 300,000. I have never seen that in my life, and it happened with one client. It caused the replication to the DR server to fail. We saw that in the logs, and then we had to do the math. They had 40,000 passwords in this one safe, and it was saving the last ten iterations of each password object. That means they had 400,000 password objects in this safe. They exceeded the limit. I do not expect to see this kind of issue again, but it happened.

How are customer service and support?

When your client base grows from a few hundred to over three thousand, the number of tech support calls increases drastically, which is understandable. The support structure is tiered: L1, L2, and L3. L1 personnel follow a set procedure to gather information and logs. If they cannot solve the issue, it escalates to L2, possibly involving live sessions. Only complex problems reach the L3 experts in Israel. This normal tiered support approach can delay resolution, resulting in frustration. Response time is not ideal, and reaching someone knowledgeable can take time. It could be forever until you talk to someone who knows what they are doing.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

Its primary competitor is BeyondTrust, which is not very highly rated based on the feature set. There is senhasegura, a company from Brazil. They are new to America. They are barely making their way in now. ForgeRock has been around for a while, but CyberArk's closest competitor in terms of feature set and Gartner ratings would be Delinea. I am currently assigned to Delinea at my client. I have been working with that for the past year. I do see some benefits. There are certain things I like better about CyberArk, and there are certain things that are better about Delinea, but both of them are pretty competent.

How was the initial setup?

It is quick because CyberArk follows the 80:20 rule. If you can get domain admins and local administrators into CyberArk, that is 80% of your exposure. That is a very quick turnaround. That can be a matter of a couple of months.

There is a specific order required to implement components: the vault is installed first, followed by CPMs, PVWA, and then PSMs. It is a fairly straightforward process, with some necessary preparation for the servers. CyberArk has incorporated scripts over the years, particularly for complex PSM setups because you have to utilize AppLocker scripts to enforce or specifically allow executables. Customization requires file reconfiguration and rerunning server hardening scripts. PowerShell scripts are now available to aid automation. Understanding the configuration and exceptions in scripts remains important for effective customization.

In terms of integration, out of the box, it has integration with Windows and Linux. They have a Telnet connector. It is a matter of CPM connectors being able to talk to the various systems and rotate their credentials because each operating system is different. AIX is different from HP. UNIX is different from Linux which is different from Windows. Windows is different from the mainframe. They have a lot of connectors out of the box, and they also have a plethora of additional connectors on their marketplace, which is their common website. Some of them are verified by CyberArk and some are not. They periodically review the ones that are uploaded based on the amount of time they have. Eventually, a connector could be certified by CyberArk. The big difference is whether a connector is officially supported by CyberArk or not. CyberArk does not address your support ticket if it is not a vetted connector.

Connectivity from SailPoint to CyberArk is done through SCIM servers. CyberArk has its own SCIM server set up, complete with documentation, for establishing that. I have done that before. When people are onboarded, most people in a lot of organizations get assigned an administrative credential so that they are not reaching out to target servers with the same credentials they use to log into their computers. As soon as they are onboarded, SailPoint sends over REST API calls through this SCIM server to create a safe for this person based on agreed-upon nomenclature. The account creation and assignment of permissions are done through calls and are automated.

What was our ROI?

Last year's Impact estimated the cost of an average breach to be nine million dollars. Once you have a breach, customers are hesitant to use your goods and services because you have had a major issue. It is difficult to put a price on your name going downhill.

The time savings primarily come from shifting from manual to automated management for all your passwords. With other tools such as Okta where you have self-service for resetting your own passwords and things like that, the average savings is 12 minutes, which is six dollars for a password reset, and you can extrapolate that over your organization. You do not really do that with CyberArk because it is managing the credentials. The manual work of managing all these credentials as opposed to the automation is where your time savings come in, but savings are difficult to calculate.

What's my experience with pricing, setup cost, and licensing?

CyberArk has been Gartner's number-one pick for the past ten years, so you can infer that their pricing is higher than everyone else's. When you are the best, you will charge appropriately for it. It does get fairly granular because they have separate licensing based on the number of users, the number of API call accounts that you can have, and the number of disaster recovery servers you can have in the system. A license is broken down into so many subcomponents.

They have a core product covered in the license. It includes the vault, the CPM that rotates the passwords, the PSM that does the proxying and the session management, and the PVWA, which is the web interface. Other things like Privileged Threat Analytics, Endpoint Privilege Manager, and other tools are bolt-ons with their own licensing. It gets a little hectic. At one point, they were offering a flat fee that was exorbitant at the time, like a million dollars, and you got everything, but they do not do that anymore. It is piecemeal now, and you have to pay for all different areas of licensing, which is problematic.

What other advice do I have?

CyberArk recently introduced an identity bolt-on product. PAM tools and IAM tools are broadening their horizons to become a one-stop shop. Okta has a PAM solution which is not very effective but it is an attempt to be an all-in-one shop. CyberArk Cloud has gained traction, particularly among small to mid-size companies not needing the full customization and feature set of the tool. As with most cloud offerings, CyberArk's Cloud service expects out-of-the-box usage, with vendors maintaining and upgrading the system, limiting customization. This offers a viable solution for companies without significant on-premises needs, saving costs on servers and full-time employees.

I would advise evaluating whether you can manage with the cloud version's feature set, as it is simplified and requires minimal on-premises resources. An on-premises connector minimizes firewall rules and facilitates cloud communication, allowing the on-premises connector to interact with other targets. Delinea's cloud offering similarly requires an on-prem component called a site connector. If a simplified cloud feature set suffices without extensive customization needs, choose the cloud version to potentially save money, eliminating the need for assets on-premises and full-time employees for upkeep.

If someone thinks that they do not need a privileged access management tool because they are already using other security tools, I would wonder what features their tool is providing. Does it have account discovery and onboarding? Does it have proxying, web recording, and retention for videos of people accessing their assets? Does it support automatic pass or remote rotation? I would like to compare feature sets.

CyberArk Privileged Access Manager has not helped reduce the number of privileged accounts. In most organizations I have joined, users have their own account for logging in, and in the interest of security, a separate administrative account is created that gets vaulted in CyberArk. So, they have doubled credentials because people have a normal login plus an administrative login for doing privileged activities. You also have to factor in roughly 45 nonhuman privileged accounts or identities for every human identity because of your scanners, robotic process automation, and automatic agile builds from your CI/CD tools. All of these nonhuman factors are also reaching out and getting credentials from CyberArk. The point of a PAM system is not to reduce the number of privileged accounts. The point is to find accounts that are already in your system with account discovery and make sure they are managed by the tool. That extends to things like SSH keys. Most organizations have no clue how many SSH keys they have in their environment. CyberArk offers SSH key management as well. So, it does not reduce the number of privileged accounts. If anything, it encourages people to have more because they now have a tool to do all this work for them, and they do not have to do it manually.

I would rate CyberArk Privileged Access Manager an eight out of ten.