We use the solution’s Vault for service account management. It has gotten much better with the most recent update. It has been clunky but that has gotten a lot better. I would give it seven out of 10. There is definitely improvement that needs to be done on it over the long term, but I am very pleased with the progress so far.

I would like a better dark theme. The dark theme is still new but a little harsh on the eyes with the colors it shows

I would like better administrative tools for the Vault.

In terms of improvement, there are two things that come to mind. One is just in terms of the API interface, which needs some work. In terms of the ability to automate the creation of new accounts within it, it's still a bit laborious. The other piece that I would say I've been pushing for this whole period is simply to save a reason for access to the audit file as it's one of the requirements in NIST 800-53. It's been a pain working around that one, even though it's somewhat trivial.

Its management is through two different portals, and you can't get from one portal to the other. I have to literally open up another website and go into it a different way. There are no inner links between the two. They should interlink the actual virtual server and the appliance. In general, there should be one interface for management for admins.

We have been having some problems as of late.

One of our gaps or pain points is having multi-factor authentication at the endpoint and using the PRA password injection from BeyondTrust, which does not work in our environment. We can only have MFA at the login of BeyondTrust to check out the password. Therefore, we can't meet our security requirements of having it on the endpoint.

The solution's Vault seems to do what we need. It has some gaps when it is trying to process the password through multiple applications. If it fails, it doesn't notify us that it has failed. So, we only find that failure when we have an escalation or have to go back through to see what has happened, e.g., why the password didn't reset accurately. While it has some gaps, it works for the scenario that we need for the most part.

When we decided on this solution, it was extremely important to us that PRA was available in multiple formats, such as a physical and virtual appliance or as SaaS. Unfortunately, we can't use PRA because of our environment, which was disheartening. When we were sold the tool, they said that we could, but we can't because our environment is highly customized. We have so many use cases that it is not a feature that can be used across platforms for us.

We use PI and PRA together. If someone has checked out an account in PI, the session is open, and PI closed or checked back that account. Then, someone else checks out an account that is still active in a session, which causes multiple lockouts.

I would love to have a web console and the ability to use the smart card with the web console to provide remote support. If you are on a computer that doesn't have the Bomgar console, you should be able to use the web console to provide support. That's the only thing right now. A web console is nice when you're jumping into a computer, but if you need to elevate the privileges, you currently can't do it with the smart card. If they could figure that out, that would be money.

One thing that's confusing is the way of setting up group policies and permissions. It is very complicated. There are a lot of small pieces to it. The way they have set everything up is weird. I'm sure there is a reason for that, but I feel it should be a lot easier to provide different permissions and things like that.

Improvement-wise, I would like to look at the assessment results. Some of the capabilities in the solution were not as available or not as outstanding as CyberArk. We had to manage whatever little was available for us, especially its recording capabilities, logs, and a number of things.

It is too much of a fortress. It is difficult for us to report on compliance when I need to check for that device. For instance, I need to monitor what version that device is on, and it is quite complicated for us to do that. You can't connect to it traditionally and that is by design. While they have made some improvements in their API connectivity, it is just not quite what I would really like. It requires me to kind of apply some aftermarket steps in order to get what I need.

There is no connectivity to the appliance side. There is no API, and it is just difficult for me to capture what version the device is on without going in and doing screenshots. It is a little too secure in that regard, where they don't even trust their product owner. Since a lot of hacks come from the inside, they are probably doing what they need to do out of necessity. It is just that I have to work pretty hard to produce compliance data on the box.

You can usually API into something and get whatever you need. Or, you can have an SSH saying, "Do whatever you need. Just do a Git version command." There is none of that with BeyondTrust. However, this is the least of my concerns compared to whatever it grants us in freedom for all our security compliance requirements that it helps us meet.

The issue I found with the product revolves around the fact that RDP and SSH sessions take too much time, making it an area of concern where improvements are required. The product should be able to handle RDP and SSH sessions in a span of ten to fifteen seconds.

Multiple areas can be improved. We've seen lots of updates in the past year.  They have a portal where we can submit our ideas. BeyondTrust is immediately implementing user suggestions. The UI could be more informative. Initially, there were two or three connectors, and now we have five or six. It would be nice if they added a few more connectors for third-party integration. There are multiple tools, but the clients may require more for their convenience.

At the moment, I don't see any major problems with it. If anything, they can just change the look and feel of the login screen because it looks too simple to me. It does not have so much information. When you get to the login screen of the solution, you should have more information. We also have BeyondTrust Remote Support, and the login page looks similar to BeyondTrust Privilege Remote Access. I would love to see more rich information on the login screen or landing page so that rather than having a regular sign-in screen or page where you just provide a username and password and get into the solution, you should have more insight into what the solution does. I've mentioned this to them every time I have had an opportunity.

Firstly, when doing protocol panel jumps, the tool does not restrict what is recorded on the user's computer. So if a user has, let's say, three desktop monitors, the tool will expand to the entire desktop and record everything that happens on those screens, and not in the PRA window alone. Since a lot of people hold sensitive information outside of the PRA window, this creates some friction because they do not want that information recorded.

Restricting the recording to the PRA window during a protocol tunnel jump will be an improvement.

The second improvement is that PRA could be more flexible with privilege elevation on Linux endpoints.

The third improvement is that PRA should have more connectors for the most common applications it integrates with.

The solution's Vault is a nice feature. It helps to securely share a security password in teams, but it is not at the level of a password management solution. So, it is just really a vault. We were expecting to have more features to better manage passwords, but that is something that you can work around if you also have a password safe solution. I would like them to have features like password rotation or password auditing, e.g., old passwords.

I would like to improve access to the web application, simplifying the web jumps. I would also like them to improve the Vault, which should have features closer to a light password management solution.

The solution's access process for third-party vendors needs to be simplified. It should eliminate the process of installing client applications on users' machines for better security. Instead, we can publish a URL link for them. Also, its web interface needs enhancement as well.

I cannot say that the solution is lacking any features. It has everything we need right now.

They could probably integrate a wizard or something like that to add a new use case. It could be something that makes it easier to add a new use case. That's something they could probably improve. I'm not sure about this, however, as the direction is anyway going more and more in the direction of automation. That said, for a beginner customer who is starting from scratch, probably a wizard would be a good feature to add.

The on-premises version is not as easy to set up as a cloud deployment,

The integration client, backup solution, and SSO setup and provisioning could be improved. There isn't any documented or supported user provisioning currently, which slows down the processes of onboarding and assigning permissions. I would like to see this improved soon.

The Vault could use some attention, specifically in managing named administrative accounts. I have to assign permissions to my named admin account during sessions manually, but I think that should be the default. Admin account permissions could use some more automation and be adjusted to be more user-centric.

BeyondTrust could improve text-based auditing; it's not very readable. I can get the details through the jump client and other tools, but if I run a simple PowerShell command, the solution generates multiple lines for that specific session in the text audit, which doesn't make sense.

The solution is very flexible, which is a plus, but I would say the implementation requires someone with knowledge and experience, as it can be easy to get lost in all the details. The implementation process could be streamlined and simplified. Though the complexity of the solution provides greater flexibility, it requires a lot of time to understand it fully.

The UI is somewhat basic, so that could use some work. It's okay; apart from that, it's an aesthetics issue.

The integration of the solution with many platforms is a difficult area to manage and needs to be made easy. For example, I don't think BeyondTrust Privileged Remote Access works with products from Sophos.

Changing your password should be simplified, and there should not be a charge for it. For every server that we are supporting, we have an administrator password to log in. This is for remote access and remote support, and we do not like to give this password to the local support people. I would like to be able to assign a dedicated password that can be used only for one day. There are other products that can do this.

I can't think of any specific improvements because the product is already so rich. 

It would be very nice if it has an enterprise vault. Currently, it can interact with Password Safe, which is a separate solution and equivalent to Thycotic Secret Server. Instead of having Password Safe as a separate entity, they should combine it with BeyondTrust Privileged Remote Access. They have done it in some way, but it is not an enterprise tech solution.