Once we implemented the solution, we found that support groups were sharing the Root password with some application teams to facilitate implementations and upgrades. The applications required Root due to software requirements or other issues. This process was never documented and therefore was unknown. We are now working on getting these applications under proper controls. They will either need to use PAM if Root is still required or proper access will be implemented where Root will not be required for day to day support.

Centralized firewall rules (through the appliances) make it easier for users to access our secure environments from a variety of locations and devices. The release of the CA PAM Client eliminated the Java vulnerabilities and support issues with browser access.

It will provide us with more security. Anybody who has access can only get it. It makes admin access more critical. People are not building service accounts. 

It will provide more security and monitoring. 

Without getting too specific, we are able to manage root account passwords on 1600+ Linux servers. Our users can transparently login with those credentials when needed.

The product has not improved our organization. It is an intentionally limiting product. That’s why we have it.

PA is a global vault application which is essential in our day-to-day tasks is retrieving and using privileged accounts. Also provides a nice logging and notification to management as well as audit.

Before we had a vaulting solution that had a manual provisioning of the DB and privileged accounts. Now, we can automate this provisioning through APIs which are easy to understand and implement.

So far, with the functionality of what we had, there has not been much improvement at this point of time. I am not able to comment at this time.

In retrospect, we and our clients have seen a reduction in service-related issues for application server and mainframe environments, a reduction in the provisioning lifecycle and requirements for systems such as mainframes, and a substantial increase in security flow and protection.

We only did an evaluation of the product, but we do feel that it will improve our security and governance posture and shave time off our engineers having to connect to systems managed by the PAM solution. It also gives us the accountability we are looking for.

Not applicable. I’m distributor of this product, not an end user.

Its primary benefits are the ability to regulate and control privileged access accounts, and their usage. Say for instance, that you have an administrator account for your Oracle EBS system: you obviously don't want your system administrators all sharing a single account. If you do find yourself in a situation where you only have one administrator account, you can setup Privileged Access Manager to track which administrators are using that single administrator account. That is very useful.

Being able to have a centralized place to store the most critical username/password combinations that you have. These are the ones that access your key systems. PAM prevents some of the breaches that we've seen recently where one of those privileged accounts can lead to access to confidential information or financials can really paralyze an entire organization. Breaches can potentially smear organizations in the media when their names get out there in that light. So the whole concept of locking that down is very important.

One example of how it has improved the way my organization functions is that before, we had to deal with the firewall rules between domains to control access. With CA PAM, we simply set the rule once, which can be applied when we add new clients into our cloud environment.

It is very helpful with passing audits. It’s one thing to say you have a control; it’s another to show your control. This is very easy to show. It also simplifies the security team's role in that we aren't chasing as many accounts with elevated privileges. We have a central place to go look for them.

A secondary feature is that it tracks normal behavior, and then sends notifications about anything out of the norm. An example of that is: a network administrator would add accounts on a regular basis at a rate of 10 a day; if 50 were to show up in one day, it would automatically flag it and say, "Something's not right, take a look."

The access control component is solid. It adds another layer of security from the basic OS security of Linux and Windows. A lot of customers use it. The segregation is difficult to achieve as different OS's require different skill sets, but in terms of admin, it’s the same cost, and that’s a key benefit.

• Earlier admins used to access critical system from their desktop, which was a security threat considering the wide variety of compromises happening on endpoint. Now, all the privileged access is tunneled through PAM.
• With password management, we can enforce complicated password policies and very important frequent password changes, i.e., weekly.
• Most importantly, we now have recordings for each and every privileged session which is used for auditing, compliance, and investigations.

The key benefits are we improve our governance. We ensure we can build more trust in the way we run and operate our environment, and most of all is the accountability. Where things do go wrong from time to time, we are in a good position to ensure that we can recover quickly.

It has helped us with security.

It definitely helps with security. It also helps with how we audit which credentials are being used. When somebody actually logs in to CA PAM, they have to go in through second factor authentication. Once they're logged in, whatever credentials they check out, we get to see that and our auditors get to see that. It helps out in that way.

Our organization does and uses cloud-based solutions. Those have to be very secure.

Specifically, administrative access needs to be highly secure. When people are accessing the production environment as administrators or as non-end users, they use CA Privileged Access Manager to be able to access it.

Since we implemented CA PAM in our company, we don't need to pass the passwords to every individual administrator. He just logs in using his own credentials and then searches for the end point he wants to access and that's it. We approve their access and they're ready to administer the end point. This is good because we don't need to change passwords every time one of our colleagues leaves the company.

We are now able to record all technical support requests that require a remote control session, therefore accountability has risen reducing the amount of mistakes or errors.

Clients are also more confident that all activities are recorded and everyone is held accountable when asking for support being provided.

With the recently added feature that supports recording VNC sessions, we have been able to expand the session management to the IT personnel who prefer VNC for remote session management.

On the access management side, our system administrators, under privileged management, don't have to use their local tools to log on to the production servers.

They basically will log on, but they need access controls. They log on to a web interface, so that they will have access to the servers. From there, they can make the sessions.

What I'm saying is that on 443, with an extra cell connection, you log on to a web server and that web server will basically initiate the sessions from the web server to the production server. At that point, my session is secure because all that is happening inside that subnet or inside that network. All my end user is seeing is training the HTML-file interface.

That makes the access more secure. Even on the session side, the sessions are really between the production servers and the IA PAM. The sessions are not between the endpoint and the production server. So that makes it more secure by using a PAM.

• Quick setup
• Support for different types of existing user stores
• Management automation through REST interface
• Integration with Identity Management solutions easily for automatic user provisioning.

When a customer uses CA PAM, they can control who can access their server and what they do. So they feel more comfortable when using outsourced engineers to manage their assets.

After the CA acquisition of Xceedium, I was able to see a lot of improvement in technical support.

The fact the password is changed after each checkout beats changing passwords manually every few months.

The exposure of sensitive usernames and passwords has been limited in a massive way. This allows us to give much needed access to LDAP servers and databases without the operator knowing the username and/or password. They just have a link to click on after logging into the PAM virtual appliance.

It has simplified and unified the access of the users to a single point of access. It grants access identity to privileged accounts.

This product allows the administrator of users control of the vault of passwords, in the sense that is known who are the privileged users and who has the power to close the session for security issues.

The answer for the requirements of the users is faster and stable. The Session Recording function in audits is accurate and functional.

• Integrates your management

It started with the basic features, and gradually they added SCP, FTP, and also the API calls that helped us to meet the Automation at our end.

DXC has created a managed service offering based on it.

The solution allows us to ease the risks and headaches with administrators turning to our IT team.

There are no improvements as it never went live.

• Centralized
• Secure
• Monitored access to any (RDP, Telnet, and SSH device in Datacenter).

We administrate the platform in some clients and the results are very useful to control the access to privileged servers.

We do not have to authenticate users due to automatic authentication, so this allows us to be much more secure.