Symantec Privileged Access Manager Reviews

The most valuable feature is the general concept of securing privileged passwords. Having worked in IT for a long time, I know how privileged passwords can float around. They pass from person to person and don’t get changed when they should be changed, such as when someone key who knows them leaves the organization. So, I appreciate the value of locking all that down.

Being able to have a centralized place to store the most critical username/password combinations that you have. These are the ones that access your key systems. PAM prevents some of the breaches that we've seen recently where one of those privileged accounts can lead to access to confidential information or financials can really paralyze an entire organization. Breaches can potentially smear organizations in the media when their names get out there in that light. So the whole concept of locking that down is very important.

The product itself is solid. I haven't really seen any deficiencies. It’s more just getting the message out about why it's so important. That's what our organization is trying to do. We're also a reseller. We are trying to convince companies that they need this type of technology. Publishing more use cases would be helpful just to help to convince companies why they need a product like this.

We don't actually use this solution ourselves. We implement the solution for people who buy it. I’ve been doing it for about a year. I haven't used it personally, but I know how it works.

It's very self-contained as a product. Being appliance-based, it's easy to implement. It's stable. No complaints there.

It is very scalable. I know it's used in large organizations like banks and healthcare organizations. It's just a matter of swapping in. I recall on one of the enablement calls that I attended, they had a very defined set of parameters where if you reached a certain threshold, you would then swap in another PAM appliance.

I've actually never called in to their technical support, so I really can't say.

I don't really know much on the pricing side. I'm more on the technical side. We do have an instructor that teaches the PAM enablement classes, and he's a big fan of the course materials. He thinks that they're very valuable and well worth the cost of attending a class. So attend the public CA courses on PAM, because they're very good.

I would say definitely get professionals that can help out. My company is in this space, and this is what we do for a living, so I don't think that it's a product that you want to go and try to implement on your own. Getting professional experience on your side for two or three weeks, or whatever it takes, to deploy the solution is well worth the investment.

I see it performing really well. It has a really good scalability attribute, where you can continuously keep dumping on new users and giving them only the access they need on the projects that they would view. It is very controlling and I really like that.

Whoever built it from the ground up, they understand how an organization is laid out. You can tell. When a user comes in, it automatically picks up their information. It is very easy to use. The interface is very friendly, colorful, and bold. I really like that. It is friendly to the users. 

What PAM does is when a user signs in, or when a user gets prompted to an organization, they are classified based on what teams, job titles, and roles that they have. 

One feature I would like to see is instead of just giving passwords to the user based on job function, from auditing perspective, turn that cycle around. Let us have a reporting feature that will say, "Can you please show me all the users who have access to the DB admin account essay." That would really help from an auditing standpoint. 

There is already a feature for that. It is not too great to use. Instead of being Splunk, maybe have a feature built into the application. 

There have been no issues with CA technical support.

After doing a little bit of research in the PAM market, there are not too many PAM players out there. Obviously, there is CyberArk but the other big player is CA PAM. I took a look at CA PAM. CA's rep gave me every reason to pick CA PAM over CyberArk.

CyberArk is harder to set up. You need a stand up infrastructure to back up CyberArk. PAM, on the other hand, is much more simple to use, and you do not need as many Windows servers to back it up as far as I know. 

1. According to the users who have actually used CyberArk and CA PAM, they have said that CA PAM is ten times easier to use and manage. 
2. Also, according to the users, CyberArk is only in the Windows area. They only control passwords in the Windows area. I am not sure how true that is, but that is a huge thing. 

If your company has Windows, Unix, and Linux, and has accounts all over the place and you need to management it, look into CA now. 

I feel like I have to learn more about CA PAM, because there are a lot of questions I still have for the product and I do not know them yet. 

Most important criteria when selecting a vendor: technical support. Always having someone there who knows a lot about the product, but at the same time, they will be straight up with you about the difficulties. I really do like when people tell me, this is not working, and tell you straight off the bat. I really like that straightforwardness.

• Consolidates access to all the systems
• Easy to deploy/virtual
• Records access for troubleshooting issues

One example of how it has improved the way my organization functions is that before, we had to deal with the firewall rules between domains to control access. With CA PAM, we simply set the rule once, which can be applied when we add new clients into our cloud environment.

They need to improve how it scales. We end up adding new “appliances” to scale for large or complex environments.

I run a multi-tenant cloud environment so I cover multiple domains and environments. So, as we grow our customer base by adding more systems, new customers or have different security zones for new applications/systems for customers, we end up having to add more appliances….we can only scale the virtual resources so much before we start hitting the performance thresholds on the appliance and the thresholds we have set with a customer.

By segregating and/or adding new appliances we even out the load and still maintain the performance we want with our customers. Obviously, I am talking about customers that have a higher access than some other companies.

I have used this solution for roughly a year.

At the beginning, we did have some stability issues, i.e., until we understood the product, and then the process was better.

There were scalability issues. The architecture forces us to add systems - similar to a Cisco model.

The technical support is above average.

I have used different systems in the past with other companies that I worked for, so I have been able to compare several of these. CA PAM is the least expensive option than most and is easy to deploy.

The initial setup/configuration was easy. It was more troublesome in finessing the rule sets/processes that needs to be used, which isn’t a product issue but an internal walkthrough of how we wanted the access to be controlled and in what manner.

Negotiate well but more importantly, design your architecture and understand what you will need as you scale (build building blocks).

We also evaluated One Identity, Centrify and Microsoft PIM.

Make sure you fully vet out what is needed for the complete process, and understand what you need up front for the initial set and what will be added at what trigger points.

So far the best value is the centralized management of all administrative accounts. Before PAM, domain administrators, Unix administrators with root access, end-users with elevated desktop privileges, and so on, were managed by those individual groups themselves. Now we have a way to separate the management of accounts with and without elevated privileges. This provides better control over who can see what information, and who can perform which actions.

So all the different roles (such as database admin, Unix admin, network administrator), are now centralized into one system. Users are authenticated with a single sign-on to access only what is appropriate for their role. It also enables us to take a generic role, like an administrator, and grant certain access rights to that role. Then you can apply the generic role, but go inside and make it granular. That isn't available in the product off the shelf, like in Microsoft or Red Hat.

It also integrates with our identity management system in which the roles and responsibilities are defined. Syncing the two systems is very helpful as well.

It is very helpful with passing audits. It’s one thing to say you have a control; it’s another to show your control. This is very easy to show. It also simplifies the security team's role in that we aren't chasing as many accounts with elevated privileges. We have a central place to go look for them.

A secondary feature is that it tracks normal behavior, and then sends notifications about anything out of the norm. An example of that is: a network administrator would add accounts on a regular basis at a rate of 10 a day; if 50 were to show up in one day, it would automatically flag it and say, "Something's not right, take a look."

I would like to see better integration with Security Incident Management solutions, a SIM, like a Splunk.

The integration with IBM’s Guardian is useful, but it is not a specific plug-in or API. It is just log information; so a little more detail would be useful there.

So far, so good. It is new. We haven’t had any issues yet.

So far, so good. It is new. We haven’t had any issues yet.

Technical support been good too. We had professional services onsite with us, so that made things easy. We have transitioned away from that, but so far things have been fine. We haven't had any major issues.

We were not using anything else previously.

It was a little bit of both. There's some internal politics, and the internal infrastructures, as well as bringing in a new product,; but overall it was fine.

There was lack of knowledge from my team; and then learning from the other team, as well as the professional services team learning our infrastructure and its intricacies.

How do you get a change control approved so we could do something quickly?

We went with it because of internal customer needs, the regulatory and audit requirements, ease of installation, and auditor funding.

I would say do your research. We did, and that's why I said there weren't any real competitors. There always; but in this space, I don't think so – not today.

It consists of three components that work well together: access controls, SIEM, and password recording capabilities.

The access control component is solid. It adds another layer of security from the basic OS security of Linux and Windows. A lot of customers use it. The segregation is difficult to achieve as different OS's require different skill sets, but in terms of admin, it’s the same cost, and that’s a key benefit.

The rule management portion and reporting is very weak on its own. Also, the login part and visibility are not user friendly, as is management of the policies. Moreover, I can't easily generate the metrics. Once the rules increase, if you can’t cross-reference it becomes a challenge.

With any deployment, you may have overkill, so it’s up to the business to get balance with rules.

It’s been in the market a long time, so thankfully it is stable.

Scalability is not an issue because of the architecture. The management piece just manages policies, so you can still go the system and are not handicapped.

The initial set up is very straightforward. The complexity is not so much of a problem, but that’s up to the organization.

There are not many players in this arena so there aren't many choices. IBM has a solution, but I don’t think they push it.

Definitely you have to go for a tested solution. This solution doesn’t have bugs, but you should follow CA’s messaging that it’s always good to deploy in small chunks. Applications have problems, and sometimes it’s a process. You just have to expand over time.

My primary use case for this solution is for work in data center components. We use it with our data center devices. 

The DB clustering is a really good benefit of using CA PAM.

An improvement for this solution is that it should not be constantly based on user name and password. There should be a condition to edit and update your username. Also, it would be nice to have a single sign-on, but that particular portal doesn't allow any copy/paste.

In addition, I have an additional suggestion. I will give you a scenario. In regards to the licensing, I have some concerns. The NAS team, they want to have 24/7 support. The NAS team is the one actually using this CA PAM. So, the total count is some hundred members. But at other times, the login is 23 members. So it's like a batch. Every 7 hours there is a batch change, so every 7 hours 23 members will change. But when I ask for a licensing part, they are saying we have to take 100 license, not 23 license. Each time I have to ask for 100 licenses, even though I have only 23 members at a time using the solution. If there were any options for concurrent usage of a license, that would be a better option.

I find it is a stable product for our organization. But, we have had to do some debugging sessions occasionally.

We have previous experience with CyberArk.

The initial setup was easy and straightforward.

I would prefer better licensing options for the 20-100 users we have at a given time. 

We also considered CyberArk.

So when we are trying develop some particular portal, when you are looking with loop-back IP, connecting the backend by a loop-back IP, the response is coming by an actual IP - that's the portal design. Because it is redirecting multiple URLs, the portal designed like in such a way like it will take your input and redirect your many multiple URLs with the connection and respond back to your browser, but the browser always it comes back with the actual IP, not the loop-back IP.  In this case, the CA PAM is working well for us.

It is great for identity governance or identity PAM, CAPAM.

It is simple to integrate. For other solutions, we have to install a component that can directly deploy from the OVA in this system.

We have to do a lot of manual work to automate features. The initial phase is simple, but it is difficult to configure our requirements. In addition, the integration between Symantec Privileged Access Manager and identity governance has to be better.

We have been using this solution for about three years, and it is deployed on-premises. We are planning to deploy on cloud this year.

It is a stable solution for PAM. We sometimes have issues with stability and identity governance.

It is scalable because we can add and remove all the models. We have onboarded around 500 users, and actual users are around 100 to 500.

The technical support is not satisfactory. I rate the technical support a four out of ten. Most of the time, they are not accessible, and we can't directly contact Symantec. There is a middle partner we can use to contact dot com support. We are waiting for a solution to the long wait times.

Neutral

I rate this solution a seven out of ten. I recommend this solution because it is suitable for the initial phase and the small business plan.

• Privileged account management
• Session management
• Session recording
• One stop access for all things involving privileged access management.

• Earlier admins used to access critical system from their desktop, which was a security threat considering the wide variety of compromises happening on endpoint. Now, all the privileged access is tunneled through PAM.
• With password management, we can enforce complicated password policies and very important frequent password changes, i.e., weekly.
• Most importantly, we now have recordings for each and every privileged session which is used for auditing, compliance, and investigations.

Privileged account management for Windows (domain and local) and Unix.

Service account management is a key area where the product needs to develop. Currently, the product supports service account discovery, but only if the host name of the server is known. For unknown host names, it is still a dark area.

In comparison with Thycotic and CyberArk, the service account management functionality needs to be extended to application pools, SQL database, PowerShell scripts, service account discovery, etc.

We experience stability issues after every patch upgrade. This is a place where CA needs to improve drastically.

The product is very scalable in terms of concurrent sessions that it can handle at a time, number of device it can support, accounts that it can manage, or number of nodes that you can deploy in a cluster. It comes in four forms.

1. Physical appliance
2. Virtual instance
3. AWS
4. Azure (just launched).

The technical support has improved a lot in last year with the advent of the European technical support team.

No previous solution was used.

Initial setup is very straightforward and ease to configure. It is similar to any appliance-based network security device.

Pricing is fair compared to other top vendors, like CyberArk. The licensing is simple and scalable.

We did not evaluate any other solutions.

Go for it if your key areas are password/session management of Windows/Unix/database.

Be careful if you want to use this for service account management.

There are some technical challenges while integrating the web-based console (security devices) for transparent login/single sign-on.