The primary use case and the most used functionality of CyberArk PAM is managing privileged access (an easy way to pass permissions to specific servers to specific users granularly) and password management (an automated solution that manages password validity, expiration, etc.). PSM gives a possibility to set all connections secure and it is possible to re-trace actions made by users during such sessions. It is a good tool for extending usage to new end targets sometimes even out of the box.

CyberArk PAM ended a scenario where several dozens or even hundreds of privileged accounts had the same password or administrators had passwords written down on sticky notes.

I have experience with onboarding thousands of accounts - mostly Windows, Unix, and network devices. I have developed (customized based on defaults) password management plugins for Unix systems and network devices.

I like the integrations for external applications. There are actually infinite possibilities of systems to integrate with - you would just need to have more time to do that. It is not an easy job, yet really valuable. I am not an expert on that, however, I try every day to be better and better. I have the support of other experienced engineers I work with so there is always someone to ask if I face any problems. End-customers sometimes have really customized needs and ideas for PSM-related usage.

The Vault's disaster recovery features need improvement. There is no possibility to automatically manage Vault's roles and for some customers, it is not an easy topic to understand.

I noticed that CyberArk changed a little in terms of the documentation about disaster recovery failover and failback scenarios. Still, it is a big field for CyberArk developers. Logically it is an easy scenario to understand - yet not for everyone, surely.

I've used the solution for around five years. I have been using CyberArk PAM as an end customer for three years. For another two, I work as a CyberArk support specialist.

Stability is overall good. However, there are many error messages that are like false-positive - they do not produce any issue yet logs are full of information.

The scaling has been mostly positive. It seems not hard to scale it up.

Sometimes it is hard to understand the capabilities, limitations, etc. They try to help with that.

I've never used another solution that would have the same or similar capabilities.

The initial setup can be complex. It is important to go really carefully step-by-step with instructions. When you do that, you can be 100% sure everything will work well.

When I was an end-customer I recall using a vendor for the implementation and support. Now, I am a vender and therefore I do it by myself.

Licensing may sometimes seem a little complicated. A good partner from CyberArk can work it out.

Unfortunately, I have not participated in evaluating other options.

Overall, I am really glad I worked with CyberArk for five years.

In a large financial institution, CyberArk Privileged Access Management (PAM) plays a pivotal role in ensuring the security and integrity of sensitive financial data. With numerous systems, applications, and databases holding critical client information and transaction data, the institution faced the challenge of managing and protecting privileged accounts effectively.

The PAM solution was seamlessly integrated into the existing IT infrastructure. It introduced granular access controls, requiring all employees to log in with standard user accounts, regardless of their role. When a privileged action is required, the PAM system enables the temporary elevation of privileges through just-in-time (JIT) access, granting access only for the necessary time frame. This reduces the window of opportunity for potential cyber threats.

CyberArk Privileged Access Management (PAM) has been a game-changer for our organization's security landscape. With PAM in place, we've experienced a significant reduction in potential security breaches. The meticulous control it offers over access rights ensures that only authorized personnel can access critical systems and sensitive information. The implementation of just-in-time access has effectively minimized our attack surface, making it incredibly challenging for unauthorized users to exploit vulnerabilities.

The most valuable features of CyberArk Privileged Access Management (PAM) are its granular access controls and just-in-time (JIT) access provisioning. These features ensure that only authorized users have elevated privileges and access to critical systems. JIT access reduces the attack surface by granting privileges only when needed, minimizing exposure to potential threats.

Additionally, robust auditing and real-time monitoring capabilities enhance security by tracking privileged activities, aiding in threat detection and compliance. PAM's ability to seamlessly integrate into existing infrastructures and streamline workflows further adds operational efficiency, making it an indispensable tool for modern cybersecurity.

CyberArk PAM could greatly benefit from an under-the-hood update; integrating machine learning algorithms could provide predictive insights.

The user interface lacks intuitiveness; revamping the UX of the web access panel through intuitive navigation, customization, contextual assistance, visual coherence, and accessibility considerations will undoubtedly result in higher user satisfaction, increased engagement, and ultimately, a more competitive offering in the market.

In addition, several tools seem to be outdated, however, you can see that CyberArk is constantly working on them.

I've used the solution since 2017.

The solution is used to provide privileged access management to our datacentre environments, for anyone with admin rights with infrastructure or applications within the datacentres. Authentication to the solution in the PVWA (Password Vault Web Access) with onward connectivity via the PSM for Windows (PSM) as well as the PSM for SSH (PSMP). These provide the session isolation, audit, and session recording capabilities that CyberArk offers. The use of Privileged Threat Analytics (PTA) adds more control functionality to the solution.

The product has allowed us to improve both the management and access to privileged credentials, while also creating a full audit trail of all activities happening within isolated sessions of all tasks and activities taking place within the solution.

This includes sessions via the solution and sessions to administer the solution itself. From a user perspective, we no longer need to try and create or remember complex passwords or have to be concerned about when they will change as the solution takes care of this and can and does populate these credentials for you so mistyping a complex password is a thing of the past.

Password management is a great feature, as all passwords are changed more frequently. This can be scheduled in line with a specific policy requirement or each time the credentials are returned to the pool for reuse and are always compliant with the password policy however long or complicated the policy states that they need to be.

Another great feature is the Privileged Threat Analytics (PTA) as this can stop a session based on prescribed risk and bring it to an end or pause it pending approval to proceed.

The admin interface of the Password Vault Web Access (PVWA) is moving from an old style (the classic interface) to a new style (the v10 interface) and unfortunately, this process is quite slow. That said, it has been moving in the right direction with features becoming available in the v10 interface and some user features are available in both classic and v10 interfaces. I would love to see all the classic interface features moved into the v10 interface or available in both interfaces within the next version.

I've used the solution for about eight years.

The solution has been very stable.

The solution performs well, however, based on the user base may require a sizable footprint.

Support does vary depending on how critical your issue is and if it needs to be elevated to dev support.

Our previous solution was not a PAM solution and these days you can't afford to not use one.

The setup is not complicated when trained staff are used.

We handled the initial setup in-house.

Set-up costs can be minimized by controlling the number of applications that are made available within the solution. The newer licenses are per user and open up access to a suite of products, the best value, and security can be achieved by using more of the products.

We looked at other products like Delinia and Wallix.

Take advantage of the vendor's training or use a good partner to provide support and administration.

CyberArk PAM is used to secure passwords and remediate audit findings. CyberArk PAM is used to manage access to passwords, rotating these after use or on a regular basis, and verifying the passwords on the system match what is in the vault on a regular basis. Passwords are managed in this manner on both Linux and Windows servers.

CyberArk PAM ensures that passwords on Linux servers are highly secure, regularly changed, and completely auditable. This saves enormous amounts of time when responding to audits and security concerns. And the scheduled verification of passwords ensures that passwords remain available when needed and stay secure. CyberArk has become the standard tool for password management.

I find value in notifications from CyberArk when passwords fail verification and have other issues. Investigation of these issues often uncovers other issues. The way safe security is handled is outstanding and makes it easy to provide safe access to those who need it and deny safe access to those who should not have it.

Another valuable feature is the agentless architecture of the product. Using native processes to manage passwords and not having to install and update agents is a huge plus.

A more friendly and functionally complete user interface would be nice to have. The current interface is not very intuitive. It is somewhat clunky and difficult to navigate, and many times have to toggle between the somewhat underdeveloped new interface and the older classic UI. This state of basically having two interfaces is a prime opportunity for CyberArk to improve its product.

Also, it would be nice if the vaults could run on Linux instead of Windows.

I have been working with CyberArk for more than ten years in various capacities ranging from end user to safe/vault administrator to application administrator.

The solution is incredibly stable.

We have not run into any scaling issues.

CyberArk support is pretty solid.

I did not previously use a different solution.

The initial setup is more complex than simple, however, not daunting.

We worked with the vendor team who were very knowledgeable during the implementation.

The PAM product isn't low-cost, however, it is worth it. Go with a longer-term agreement to realize lower costs.

CyberArk PAM was chosen before I got involved so I am not aware of which other products were evaluated. However, we have never had to go back and review the decision to use CyberArk.

Use CyberArk professional services when needed. They are very knowledgeable and experienced which means engagements have a high success rate.

We use the solution for the full automation of tens of thousands of credentials across hundreds of different integrations. Our use case includes Windows, Linux, networks, security, storage, mainframe, and cloud (both Software as a Service and Azure platform based). In addition to the credential rotation, we use credential providers and privileged session management to greatly reduce the use of passwords in the environment. Users authenticate using MFA, Multi-Factor Authentication, and are able to access systems based on Role Bases authentication rules.

The solution has improved security posture while greatly reducing administrative burden. We leverage CyberArk to deploy applications without the use of secrets.

Applications authenticate securely to CyberArk using a combination of certificates and other extended application-identifying parameters to promote a secure DevSecOps environment.

The extensibility of CyberArk has enabled us to develop custom integrations into Microsoft Azure leveraging KeyVault to synchronize on-premise and cloud secrets in a consistent hybrid credential management architecture.

Credential rotation automation combined with privileged session management are great aspects of the solution. It enables highly complex passwords that the end user never knows or sees. We have some use cases where administrative users will log in to highly privileged systems using a one-time use secret and immediately following their administrative session the password is rotated

The ability to develop and deploy applications with no stored secrets is very valuable. This keeps code repositories free of secrets and application authentication is centrally controlled and monitored.

The greatest area of improvement is with the user interface of the Password Vault Web Access component. The latest long-term support version of CyberArk (12.x) still includes and still leverages the version 9.x UI in order to maintain some of the administrative functionality.

The performance of the 9.x UI leaves much to be desired and there are still some administrative tasks that require the use of a thick "PrivateArk" client.

Many improvements have been made over time, however, there is still work needed.

I've used the solution for eight years.

The solution has been quite stable for many years and includes the functionality for clustering the multiple site replication, both of which we leverage for a high level of uptime.

The solution is very scalable, however, with scale, there are certainly performance considerations.

Support has been a mixed bag. First-level support has been extremely time-consuming to get to an escalation resource that can help us resolve our reported issue. In all fairness, we have a very experienced staff and generally only contact support for more complex issues. There have been improvements made over the years and the commitment to improving support. Still, there is work needed in that department.

I did not previously use a different solution.

Setup depends on the complexity of the solution. A simple configuration could be up and running in a day.

Our environment is run in-house by a contract team with expertise in CyberArk. However, we do leverage the vendor for major upgrades and have used their technical account manager services in the past

It's a privileged access management tool so it helps in making sure that all privileged accounts are compliant.

The product is an important security measure against credential theft. It ensures session isolation and password rotation including pushing passwords to the endpoints.

It's also possible to pull the password from the CyberArk to ensure that there are no hardcoded credentials in scrips or DevOps tools.

It provides a comprehensive access control list and auditing. Reporting capabilities are extensive.

New features are being added in every release, and there are few releases a year.

Enhancement requests can be submitted by the community and are taken into consideration by the company.

As configuration options are very extensive, it is sometimes hard to find the correct and complete way of customization or specific configuration.

The documentation is rather basic and it is missing many use cases.

It's also hard to test solutions without a development environment as CyberArk doesn't provide the possibility to run the environment for personal purposes.

I've used the solution for six years.