CA Privileged Access Manager Review
Transparent Logins Prevent Password Sharing Yet Reporting Is Limited.


What is most valuable?

Transparent login for users of privileged IDs (Linux, Windows). This prevents sharing of the password because it is never seen.

How has it helped my organization?

Once we implemented the solution, we found that support groups were sharing the Root password with some application teams to facilitate implementations and upgrades. The applications required Root due to software requirements or other issues. This process was never documented and therefore was unknown. We are now working on getting these applications under proper controls. They will either need to use PAM if Root is still required, or proper access will be implemented where Root will not be required for day-to-day support.

What needs improvement?

Reporting. It's difficult to locate the reports, there are limits on what reports can be run from the GUI, and the report formats are lacking. I have already spoken to product management about this specific area.

For how long have I used the solution?

Four months.

What do I think about the stability of the solution?

Not yet.

What do I think about the scalability of the solution?

Yes, we noticed that when trying to rotate 1400 privileged passwords with a single job, the results were not consistent. Support suggested we break the job up into smaller groups. We will likely have well over 200,000 managed accounts in the system when we are fully deployed. We should be able to submit mass password changes without having to break them down into groups of 50 or less.

How is customer service and technical support?

For the most part, support is good. We do run into problems sometimes with respect to getting support for APIs. Our experience has been that engineering has to become involved due to limitations with the support staff's knowledge/experience in this area.

Which solutions did we use previously?

We have been trying to get approved for a solution (this or others) for 15 years. We finally have a CIO who understands the need for and benefit of this product and it was approved late in 2016.

How was the initial setup?

Appliance setup was not difficult. We did have issues with network setup (behind a load balancer, or not; these were mostly internal issues and not the problem of the product). We selected this product (in part) because of the initial ease of implementation. We did a PoC and had the appliances set up in less than a day.

What's my experience with pricing, setup cost, and licensing?

Appliances are relatively cheap; don’t skimp. Make sure you have redundancy, high availability, and enough appliances to manage the concurrent workload. Definitely make sure you include training in your budget and purchase. There are at least three specific courses that are a must for any administrator of the product. Courses can be classroom, virtual, on-site or web-based. A2A licensing will be the cost that continues to grow over time. As you begin to deploy and work with various groups, you will find more uses for the A2A component and this is licensed by agent deployed on a server.

Which other solutions did I evaluate?

We had a project to review eight vendors and their PAM products: IBM, Hitachi, CyberArk, BeyondTrust, CA, Enforcive, Centrify, and Lieberman.

What other advice do I have?

Definitely do your homework. CA PAM was the best product for us, but if you are strictly a mainframe shop you might like a different solution, and similarly for a Windows-only shop. For us, we have all platforms (Windows, Linux, Unix, mainframe, databases, network devices, appliances) that need to be managed. This product was relatively simple to implement, but again, do your homework. Make sure you document your use cases, and I strongly recommend setting up a test environment before deploying into production. We were told to get ROI so we started with production and are now standing up a fully supported test environment. If I had the time, I would have done this the other way around.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.