Symantec Privileged Access Manager Review

It can wrap system connectivity information into its internal Java-based shell. Online Help is not detailed enough.

What is most valuable?

  • Ease of use.
  • The way in which it can learn about the connectivity to systems, e.g., VMware vCenter Console; it can wrap that into its internal Java-based shell. Therefore, one does not need a terminal server solution.
  • The non-Java based client.
  • Two integration options with AD using SAML and the AD GC ports.
  • The API explorer.

This system comes with a built in Java client which handles the connectivity to remote systems, e.g. the VMware vCenter Console Web Interface.

When you add the system to the CA PAM, you can put the connection into “learn mode” where you map out where the username and the password and submit fields are. You can then configure the system in PAM with the relevant credentials and then based on the information it “learned” about where the username and password and submit fields are and what needs to go where, it presents you with a vCenter Web Interface and logs you onto vCenter automatically based on your PAM permissions. This vCenter Web Console is effectively proxied via this Java Client that CA PAM has available and happens through the PAM system – the end user does not make a direct connection to vCenter.

In other PAM solutions that we tested, one had to setup a Microsoft Remote Desktop Server (TS) and publish the vCenter Web Interface and integrate that published app with the PAM solution so that when a user wants to access the particular vCenter server, PAM initiates the Remote Desktop Server published app – inserts the credentials – to provide you with access to vCenter.

When integrating with Active Directory for authentication purposes – most vendors support LDAP. For larger AD environments, the LDAP integration supports the Microsoft MSFT ports (3268 & 3269) that allows one to look for nested group memberships across multiple child domains. Another way to integrate with AD is to use SAML.

We were able to use both methods with the CA PAM solution. With another vendor we tested, they did not support SAML.

How has it helped my organization?

We only did an evaluation of the product, but we do feel that it will improve our security and governance posture and shave time off our engineers having to connect to systems managed by the PAM solution. It also gives us the accountability we are looking for.

What needs improvement?

  • Reporting is very limited.
  • Online Help is not detailed enough.
  • Canned reports provided results for all targets and cannot simply be run for a particular customer when used in a service provider environment; one has to create some custom filtering.
  • Multi-tenancy (reporting, AD users, customer devices, customer credentials).
  • Interface and routing configuration (no individual routing tables per interface, cannot see routing table).
  • Network connectivity to multiple networks where these networks might have overlapping IP address spaces.
  • Session recording not included by default without an additional license.
  • Session recording mount point is often disconnected after a system restart.
  • Additional configuration required for multi-domain AD forests in order to find groups in child domains and to expand their membership.

For how long have I used the solution?

We used it over a period of about 2-3 months, up to slightly less than two months ago as part of our proof of concept tests.

What do I think about the stability of the solution?

I have not encountered any stability issues; it is very stable.

What do I think about the scalability of the solution?

I have not encountered any scalability issues; it scaled easily.

How are customer service and technical support?

Technical support is very good.

Which solution did I use previously and why did I switch?

I did not previously use a different solution.

How was the initial setup?

Initial setup was straightforward, but we had some problems initially understanding what needed to be done to get an end device under management and how to set up the networking.

What's my experience with pricing, setup cost, and licensing?

  • Take note that Session Recording is not included by default.
  • One would likely also have to invest in other infrastructure in a service provider environment when wanting to use the same solution for multiple clients to allow for the necessary networking.
  • Additional costs that need to be catered for:
    • Storage space, NAS or SAN for session recording data.
    • A Terminal Server and CALs for more-complex end devices, e.g., Cisco UCS – the client needs to be run from a Terminal Server as a published application by the PAM solution

Which other solutions did I evaluate?

We ran a PoC with CA and BeyondTrust at the same time.

Which version of this solution are you currently using?

**Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
More Symantec Privileged Access Manager reviews from users
Find out what your peers are saying about Broadcom, CyberArk, BeyondTrust and others in Privileged Access Management (PAM). Updated: July 2021.
523,372 professionals have used our research since 2012.
Add a Comment
ITCS user
1 Comment

author avatarit_user521199 (Sr. Solution Strategist Security - Platinum Accounts at a tech company with 10,001+ employees)

Session recording is included and only additional infrastructure required is storage space for session recording.