What is our primary use case?
Our primary use of CyberArk Privileged Access Manager is to bring control to privileged access. For a while, there were individual IDs having privileged access. We wanted to restrict that. We implemented the solution so that it can be more of an internal control. We can have session recordings happening and reduce our attacks.
How has it helped my organization?
There are two main ways CyberArk Privileged Access Manager Server Control has been helpful to us.
- Administrators using their own ID and password to connect to the server or the domain: that has been removed, and the credentials for accessing the domain or the servers have been locked down in the password wallet. Access to it is now controlled through that group. Now we know who has access and what kind of access. Also, we control access through tickets. Unless there is an approved ticket, an administrator cannot just log onto a server and make changes. In this way, we are ensuring that an attacker cannot just steal somebody's ADID and get into the server and create problems.
- Through the application and team managers, we have removed the hardcoded user ID and password in our applications. Those are now in a password vault that is not known to anyone. The vault knows and changes the password, then connects the applications to the database.
What is most valuable?
The features that we find most valuable are:
- Enterprise Password Vault
- Privilege Session Manager
- Application Manager
- Team Manager
These modules help us in locking down the credentials, rotating passwords automatically without us having to worry about it, isolating servers from the user machine, and making privileged session recordings available for us to check on demand.
What needs improvement?
I think that the connectors, the integration pieces, and the integration to the ticketing system could be improved. This is something which is not meeting our requirements via out-of-the-box solutions, so we have to look for a customized solution.
Integration with the ticketing system should allow any number of fields to be used for validation before allowing a user to be evaluated and able to access a server.
Additional features: We are looking at the connectors. The connectors should be more robust and provide more flexibility for out-of-the-box implementation.
For how long have I used the solution?
Less than one year.
What do I think about the stability of the solution?
It's quite stable, so we've not faced any problems so far and it's been working smoothly for us. Initially, there were some technical issues, disconnections happening, and slowness, but we've been able to overcome those challenges. Now for the past 15 to 20 days, it's been running smoothly.
What do I think about the scalability of the solution?
The software is scalable enough, so if we want to add more domains, we can just go ahead and do it. I don't see a challenge with that. There are a couple of other parts of the solution that we are not rolling out, but we'll be doing that.
How are customer service and technical support?
The support has been good. Turnaround times have been okay. They have not been immediate, but they do respond in a few hours, or in a day.
Which solution did I use previously and why did I switch?
We didn't have a previous solution at the time.
How was the initial setup?
AIM was a complex piece, but the install was straightforward. It took us around five months.
What about the implementation team?
We went with an implementation partner for the deployment which included a number of admins. Currently, there are around 60 users but they are going to be 150 plus in a month or so.
We want the implementation partner to support it for the next three months, and then we will make the call whether we want to continue with them or whether our resources should be good enough internally to support it.
What's my experience with pricing, setup cost, and licensing?
The cost and licensing fees of the software are fairly reasonable.
Which other solutions did I evaluate?
There were a few competitors we evaluated like CA Technologies, Arcos, Oracle, and Microsoft.
What other advice do I have?
My advice would be to plan ahead of time. Put up the plan for all the modules that you are going to implement. Look at what the dependencies of those are and plan for those dependencies in advance, then start the project.
This is especially so for the application identity manager, the AIM part, which is dependent not only upon the implementation partner but also upon the customer dev team to make the changes.
That's what makes it critical to plan ahead, ensure all stakeholders' commitment of their time and support, then start the implementation.
I would rate it nine out of ten.