CA Privileged Access Manager Review

The most valuable features are session manager, access manager, and credential manager. They don't offer multi-tenancy.


What is most valuable?

When you look at the whole PAM itself, session manager is very important. It records what happens. Access manager and credential manager are very important as well. Those are the key things. Session manager, access manager, and credential manager.

How has it helped my organization?

On the access management side, our system administrators, under privileged management, don't have to use their local tools to log on to the production servers.

They basically will log on, but they need access controls. They log on to a web interface, so that they will have access to the servers. From there, they can make the sessions.

What I'm saying is that on 443, with an extra cell connection, you log on to a web server and that web server will basically initiate the sessions from the web server to the production server. At that point, my session is secure because all that is happening inside that subnet or inside that network. All my end user is seeing is training the HTML-file interface.

That makes the access more secure. Even on the session side, the sessions are really between the production servers and the CA PAM. The sessions are not between the endpoint and the production server. So that makes it more secure by using a PAM.

What needs improvement?

When we look at CA PAM, the multi-tenant deployment is definitely an improvement that we want to see. They don't offer multi-tenancy.

If I have an enterprise, or if I am an MSP and I would like to use an instantiation of CA PAM for multiple tenants, I can't do that.

I have to deploy a CA PAM for each tenant, which basically increases the cost and the management side of it. That's a very essential thing.

CyberArk does the multi-tenancy, but CA PAM doesn't have this.

For how long have I used the solution?

We have used it for two years.

What do I think about the stability of the solution?

Stability-wise, there were no issues. It met our SLAs. For the most part, it's really stable. There were no significant outages or issues with the stability of the product. We didn't have any of that experience with the solution.

What do I think about the scalability of the solution?

There were some scalability issues. Along with access manager, there's something called a credential manager. The way the CA PAM solution is designed, a credential manager is local to each of these boxes.

If you want to scale to multiple data centers and multiple end points, the credential manager is not centralized anymore. We need to have a way to synchronize that. That seems to be one of the biggest issues of scalability.

It has AD integration, but the way they do it is an issue, because it's not scalable. For every active directory identity, it basically creates a local user. It defeats the whole purpose of using a single identity store. That's not a scalable solution to manage identities itself. That's a big issue.

We did submit an enhancement request to CA on multi-tenancy and the active directory implementation, and we don't think they have released any updates. That's a big issue with this product.

How is customer service and technical support?

I would give tech support a rating of 7/10. They're not the best, because the product was acquired from a small company. Just updating the portal with the knowledge base and the support took a long time. We had a bad experience with that.

Once they got all the stuff integrated into the CA support structure, the responsiveness was there, but the relevant information of the tech staff to solve the problem was not there.

Which solutions did we use previously?

There were no previous solutions. CA PAM is the new evolution of Privileged Management. We haven't used a PAM solution in the past, and this was our first generation PAM that we used. We didn't move from an existing solution.

How was the initial setup?

Once you have a network, then the reach-out is added. They have something called Outer Discovery, which discovers all the accounts and all the servers’ end points and groups.

I'm not going to say it's very easy, but on the flipside, I'm not going to say it's terribly hard to do it.

The reason it was not easy was that the end points of the system administrators that have access to PAM needed a version of Java and some Java libraries on the end point.

With logged-on systems in the DOD space, or with the federal space, it's really tough to get those versions installed. The federal government, the central IT, update the Java versions and we don't have control over that. Every time we have an upgrade, it breaks the accessibility of the software.

Even though they say it's a web based tool, they still need a Java version that is compatible and libraries have to be on your client to do it. The Java competence has been a nightmare.

The product installation by itself is fairly easy, but the accessibility is very difficult.

We did reach out to CA and submitted a ticket with them, saying, "Okay, you need to get out of this Java thing, and then have something like HTML-file-based access, so that we don't have to have any of these Java things."

They said, "Great," but nothing has happened so far.

Which other solutions did I evaluate?

We did evaluate other solutions.

  • We did market research on Xceedium, before CA bought Xceedium Xsuite
  • CyberArk
  • Dell had a tool to do privileged identity management
  • There's another company also, that starts with Cyber, but I don't remember the name

We evaluated these solutions, and Xceedium, which is now CA PAM, stood out.

What other advice do I have?

If you are going for a multi-tenant deployment as an MSP, I would work with CA to see when that feature will be available.

If the local end points are locked down with the Java versions, I would really tell them to pull out the HTML-file-based solution. The accessibility of this tool from the desktops is very, very difficult. Those are two big things for a use case.

I would recommend them to make sure they validate that these things are rolled out and then use it. Other than those two issues, everything else is good.

Asking me to rate the solution is a tough question, because the market research came out well. It stood out. The usability was good.

The accessibility and other issues were big blockers for our customer:

  • The local accounts with AD integration
  • Multi-tenant deployment
  • Java installation on the local machines

Those three elements were the biggest blockers. I would have rated it higher, but because of those three blockers, I had to rate it lower. They were very significant blockers for our project when we used it, and we were always putting out fires to do that.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.