What is our primary use case?
Our clients' primary use case for BeyondTrust Password Safe is managing Windows Privileged Accounts, Linux, and Fit client databases, and for accessing a different database, like Visual Studio, SQL Manager, and things like that.
We usually deploy it in a double server, high availability with disaster recovery.
It is the primary software architecture.
How has it helped my organization?
BeyondTrust Password Safe allows the client to standardize the onboarding of privileged users as well as dynamically onboarding newly discovered assets and privileged accounts and dynamically adding them into Password Safe. Based on administration models, they can dynamically apply policy based on those standards, like a Linux policy versus a Windows policy. Once you create it, it's set and forget until you need to add another platform.
Additionally, you can expand your domain if you need to support multiple domain directories, etc. For that you would need to go in and do some administration, but otherwise, the administration model is much lower. CyberArk's is pretty stiff. I told you the CyberArk administrators were very expensive to train and no sooner do you train them, then they get a job for $20,000 more to be an engineer because you trained them too well.
What is most valuable?
BeyondTrust Password Safe's features that I have found most valuable are really those that are knitted in. That is their Smart Rules and Smart Groups, where you design your administration model so you create your AD groups and your asset groups, and configure Password Safe. To onboard a new account you can run the discovery engine and use rules automatically to dynamically onboard the asset or the accounts and add them to particular groups based on naming conventions. For example, WADM for Windows Administrator, LIN for Linux Administrator. You'll have a user with their name plus LIN for Linux administrator or WADM for Windows Administrator and BeyondTrust uses those naming conventions for standards, dynamically adds them to the appropriate groups, and then links them dynamically based on them. They would not get added dynamically to Linux.
Because you do your administration design upfront, there are very few changes you need to make in the future unless you're adding additional platforms, which is actually what I'm going to do with a client. I'm going to be going there and expanding their platforms, adding network devices, adding application embedded accounts, and probably Windows because they currently are only managing a Linux platform. They have the ability for automatic connections using the remote app.
Remote app is like a Windows terminal session. So you do an RDP connection to a server, but when you connect the only thing you can run is a specific application like SQL Server Manager and you don't know the password. The ID and the password are automatically inserted and you connect, do your database work and log out. BeyondTrust has that very nicely, CyberArk has it, Xceedium has it. But not everybody has it.
What needs improvement?
There's always room for improvement. But as of right now, I believe BeyondTrust is one of the best kept secrets.
The only negative thing I can say is that BeyondTrust was recently bought by Bomgar and the marriage of the multiple companies coming together in the merger has caused a little bit of a hiccup right now in their software versions. For example, the online training courses are two revisions older than the currently released software and some of the guides don't match what you see on the screen. So it's a growing pain. Because they were purchased by Bomgar the people who used to make decisions in BeyondTrust are not necessarily the ones making them now or they've got other people to report to and get approval. Right now they're in a little bit of flux online with their BeyondTrust University.
For how long have I used the solution?
I have been using BeyondTrust Password Safe for about six months.
What do I think about the stability of the solution?
BeyondTrust Password Safe's stability is like a rock.
What do I think about the scalability of the solution?
BeyondTrust Password Safe's scalability is very good. Of course it's only dependent. The scalability and the horsepower are dependent upon how well you architect it, determining the number of assets and the number of concurrent users.
But you can run these on virtual servers, so you can allocate additional RAM or additional CPU's if you find you're running low on power or, like in the case I'm at, going up from two to six cores on the VM's when we add Windows. Windows requires a lot of overhead so we're going to bump up the CPU, probably to triple the RAM and probably expand the sum volume as well for the storage. This is because they have hundreds and hundreds, if not over a 1,000, Windows servers.
Each server is an asset maintained in a database, and the managed accounts are discovered on those assets. You basically just create the rules to add the managed accounts, which are the privileged accounts. Once you create them dynamically you basically do it in Windows platforms. I usually break them up into print servers, file servers, database servers, web servers, and usually application servers. Those will be the five different types of Windows platforms that will have different administrators. You're going to have an OS administrator across all of them, but the OS guy is not going to be able to get into SQL or into Apache Web Service. So you have a great adherence and excellent segregation of duties, and once you create the rules for each platform type, it all happens dynamically.
We have a deal in the works for a company with less than a 100 employees. There are only 70 servers, but it is a multi-billion dollar retirement fund management company. They're responsible for billions of assets so they have stiff requirements for security. And their primary is PII. They have to be very careful with the privilege or personally identifiable information. If they get hacked, and there's lots of social numbers out there, there are addresses to banks, most likely bank accounts, because the retirement fund is being attached to somebody's bank so that they can transfer funds for their 401(k) or Roth IRA or whatever. They are very concerned about security. But they're a very small company. There is another one, which is a huge company with a very small footprint, but with an insanely large reach in size and complexity. I can't go into any detail about it.
How are customer service and technical support?
Customer service is off the charts. It is awesome. CyberArk's can be really good as well. But CyberArk can also have a little bit more of a personality. Sometimes I feel like they just want to poke you in the eye. They're now a 150 person company. When I first met CyberArk I think there were only 33 employees.
I would give BeyondTrust Password Safe's tech support a 10 out of 10. No problems at all. Absolutely. Abso-freaking-lutely. They are company of human beings and treat you like a human being. CyberArk's is a little silicon, they have a little bit of a harder surface. They're very successful, a top player in the game and they act like it. But BeyondTrust is still a very competitive company to CyberArk, better in some ways. In fact, I would actually say better in most ways. The hardware footprint is significantly lower. But then again, that's also the disadvantage because if you have a disparate network, and let's say you have a global footprint, you're going to have multiple servers in each continent because you don't want the British accessing over here in America. The latency will be awkwardly terrible. So you would have a larger distribution.
One client that I was putting a bid together for had CyberArk. This company was very large, they had 13 CyberArk instances. They would distribute by corporate standards. They had a separate accounting which had tens of thousands of managed accounts and users. Then they had PAYE for the payroll, and they had accounts receivable, accounts payable, because they were so large, even CyberArk couldn't scale for it. And their hardware footprint at this bank had, I think, 120 total CyberArk servers.
I think BeyondTrust would have scaled better for them.
CyberArk requires has a huge footprint and BeyondTrust would not require that large a footprint.
How was the initial setup?
The initial setup is straightforward. Practically, my daughter could have done it.
You can use a standard Windows build or you can use a Linux server. You unpack the files for Linux and run the install or you run the executable for Windows, then you install SQL on both and you're just about done. Then, when it starts, you begin getting ready to populate the database SQL.
You can have it "active active" with high availability so if one server fails the other one takes over. If two of them are up and going, you can do a load balanced pair, and then have a DR server set off in another environment that can take over in the event of a disaster.
What other advice do I have?
BeyondTrust Password Safe is very robust and very powerful, very scalable, and very nimble.
My advice is to first make sure all their use cases match your need. Then I recommend to engage with their salespeople, get a good sales presentation and understanding of the cost, and then to get a technical presentation followed by a demo.
We have a client whose main use case is Rapid7 SIM with API integration. So far I have found that CyberArk is the only one that can do that. But CyberArk is too expensive for this client. You have to sit down with a client, find out what their use cases, business requirements, and technical requirements are because sometimes they may want you to integrate with ServiceNow, and it's not easy to do that. With CyberArk, Beyondtrust, Thycotic and Centrify it is. Actually BeyondTrust is really a leader. I call them the best kept secret.
It's a great product. I like it because the administrative overhead is so much lower. Remember how I said that CyberArk requires a very high administration overhead but because of the dynamic rules and smart rules you basically create a boolean if and then, and you can segregate. If your system or your name ends with dash ADM you're an administrator and you can access these assets and these accounts dynamically. Just by joining the company, getting a username with a dash ADM on the end, which I don't recommend by the way. I recommend having something nondescript because a user account with a _ADM, just screams, "I'm an administrator come and get me." Come up with something else, like an A-3-D. Come up with a different naming convention that would make it discreet.
On a scale of one to ten, I would rate it high. I would rate BeyondTrust Password Safe a 10 because the fruits of your labor during the implementation phase pay off for an extended period of time. Rather than the ongoing pretty stiff administration requirements of some tools.
Which deployment model are you using for this solution?