If you were talking to someone whose organization is considering CyberArk PAS, what would you say?
How would you rate it and why? Any other tips or advice?
I'd never ever rate anything a 10. I'd probably never rate anything a one. I'd rate CyberArk as 7.5 out of 10. We actually did surveys of all the people that saw all the demos of all the new solutions we looked at. CyberArk was a seven or eight consistently, from all the people who watched it. The benefit of it is it's stable, it's old-school, it just works. The downside is that it's a big program. To scale excessively, locally, on an on-prem application, takes a lot of servers. Those are the highs and lows. It could be amazing if it all ran in the cloud, but that wouldn't be possible. I started as a PAM engineer eight years ago. Learning PAM and understanding how it protects people and being the liaison who needs to take passwords away from engineers is really tough. But it put me in a good spot. I grew from a PAM engineer to an identity engineer to identity team lead to identity manager. Within the last year-and-a-half, I came into this company because of a PAM role. They hired me as an identity manager because I knew PAM and because I had a relationship; I was working on bringing CyberArk in as part of my previous role and they wanted me to come in and do that same evaluation here. So knowing CyberArk got me my job and, within three months, they said, "We don't need just one team like this doing these assessments. We need multiple teams. So you're an associate director." I said, "Thanks, I don't want to do that. I just want to play with PAM."
We use the solution with AWS. In fact, we set up a custom setup for AWS. We worked with the CyberArk engineering team to get it working, to come up with a custom solution to integrate our AWS EC2 instances. There were some limitations, as I mentioned earlier, with how the product integrates with AWS, so we had to make some major changes to how the integration works. As far as monitoring is concerned, it's standard CyberArk monitoring. We don't see anything specific to AWS, as far as the monitoring is concerned. This is the one place where CyberArk can improve. Privileged access management is one part of IM. Anything that goes through has to get approved through the IM team, and our product of choice for privilege access is CyberArk. When we decided to go to the cloud, this was the natural choice because this was the product that the enterprise uses. We've had challenges. We've had to customize the product to meet our requirements. It might not be the same for every customer because our requirements are a little unique. But it eventually worked out. We've been able to meet most of our use cases. CyberArk is an eight out of 10. It can do a lot. But there is definitely scope for improvement. I come from the IM world, but I was more into access management. CyberArk was just one of those products which was thrust on me. Now I'm head of privileged access management, so CyberArk has been pretty good for me, going from the access management space to privileged access management. It's definitely had an impact on my career.
I would rate CyberArk an eight point five on a scale of one to 10 because it has done everything that we have asked of it. There is a bit of a learning curve, but it's a pretty complex solution. They do have ways to make it easier, but it's easy to fall down the rabbit hole when you're going into a deep dive. However, if you follow the trail, you will find some pretty cool stuff.
CyberArk continues to innovate, as they refine strategies based on industry research and trends in the cyber security landscape, and incorporate the necessary updates to both their roadmaps as well as their product sets. The creation of the customer implementation roadmap, acquisition of Conjur for DEVOPS and the development of Alero to address 3rd party secured access, are examples of product innovation to address emerging risks within the industry. I would rate CyberArk 8 out of 10; although I do remain impressed with their existing set of product offerings, their cyber security roadmap & strategy, and their overall corporate philosophy, I do feel it is necessary for them to ensure they remain vigilant and maintain pace with an evolving cyber industry. Significant disruption in the technology industry brought on by advancements in Machine Learning / AI, commoditization of cyber attack tools, and rapid deployment of IoT based technologies, summon the need to ensure companies do not become complacent in the agility of their security tools. I have several passions. One of the passions I've always had is in organizational transformation and leadership. A second is really around the space for identity and access management. CyberArk has allowed me to continue, even after I've retired from the industry after 35 years, to still live that passion through their customers. I've been given the opportunity to provide some keynotes around organizational transformation. It's an exciting industry to be in and CyberArk has allowed me the benefit of still continuing to enjoy that experience.
My advice would be to plan ahead of time. Put up the plan for all the modules that you are going to implement. Look at what the dependencies of those are and plan for those dependencies in advance, then start the project. Especially where it is the application identity manager, the AIM part, which is not only dependent upon the implementation partner but also the customer dev team to make the changes. That's what makes it critical to plan ahead, ensure all stakeholders' commitment of their time and support, then start the implementation. I would rate it nine out of ten.
One of the most important aspects is to ensure that the business is behind the solution. CyberArk suite will only work well if all users adopt the system.
Contact the professional help for a demo, and you will not be disappointed. Even if you do not choose CyberArk, they can help identify current security gaps.
Keep an eye on the cloud integrations and be ready for Conjur.
I think having a distributed architecture would certainly help this solution.
I think if the industry could work together on TSM connectors, this would be a cutting-edge change.
CyberArk has vast trust across the globe. People who've used CyberArk usually don't go back and change the product, unless it is a cost issue. If it is a cost issue, I must suggest BeyondTrust as a cost-effective solution for similar services.
This product is helpful for financial auditing needs, as well.
Work off your roadmap for implementation. We recommend CyberArk solutions.
The product is the best in the market at the moment. I would recommend the product for sales learning.
Others have spoken a lot about security hygiene and I believe that's where you should start. I would rate CyberArk at nine out of 10. The way for it to get to a 10 is with a lot of features, the amount of cost involved in buying the product, and the PSM proxy issue that we've been facing. In terms of important criteria when working with a vendor one thing is, as we said, getting to the right person. We go to support only if there is a critical situation where we are not able to solve it. Getting to the right person at the right time, and getting the issues resolved in a timely fashion is what we are looking for.
Engage with Professional Services, not just for help with, "Here are the buttons to click," because they've been really helpful as far as how we would want to implement things. Our most important criteria when selecting or working with a vendor, outside of the product being good, are reliability and timeliness of response. Those are the two big things. I think CyberArk does a pretty good job on these. I rate CyberArk at eight out of 10. I think the solution, as released, is usually very good. When something comes out, it's generally airtight and works as advertised. However, sometimes they are a little bit slow to keep up with what's coming out. In 2017, for example, they released support for Windows Server 2016, which had been out for a year or so. There is probably some tradeoff that is required to keep things so airtight, by holding back a little bit. But that would be my one criticism: It's slow to keep up, sometimes, with updates.
My advice to a colleague would be: First, don't allow the security team to be the driving force. It has to be the server team that implements it, that is the driving force behind it, and the reason for that is there is always animosity between the people who are there to enforce security and the people who are there to get a job done. When you are on the enforcement team, you are dictating to the people who are trying to get a job done, "Here is something that I'm going to put in your way to make it harder for you to get your job done." Regardless of what happens, that's the way it comes across. Going to the server team saying, "I've got a solution that's going to make our lives easier, and oh, by the way, it's also going to be more secure," you have a much easier time selling it, much lower push-back, because you're one of them. Second, you've got to have buy-in before you pull the trigger. You can't just force it on them: "Oh, we just took away all your admin rights." You have to give them a new solution, let them prove to themselves that this solution works, that it does exactly what they need, and that it really is easier. Now, when you revoke the rights that they've had for probably decades, there is much less push-back. In terms of selecting or working with a vendor, our most important criterion is the ability to connect with a vendor that not only gives us the solution we need but can also work with us to customize exactly what we need. I would rate CyberArk a nine out of 10 for two reasons:
* there is always room for growth
* there are still gaps in what the solution provides.
It's not complete across the board. If it were, it would be a 10. But I do see its potential to eventually reach that.
Take this solution over any other solution. In fact, I have personally brought a couple of my old colleagues with a technical background into this product line so that most of them are now certified on CyberArk and working in the same environment as well. Without doubt CyberArk is a 10 out of 10. From my experience, the kind of work I have done with this solution, it's absolutely amazing. It has the capabilities to secure the environment, which is the most important part. Anytime we hear any news of breaches elsewhere, that's when we say, "Hey, they should have done something, implemented the solution before they were hit." Once they are hit, they run around and try to fix the problems. But CyberArk, it's an amazing solution. When it comes to selecting or working with a vendor, our most important criteria are access to support, what level of support is available, how fast the turnaround can be. The executives or the account team have to be very accessible to us, so if we need to implement a new product or new integration we should at least be able to get hold of the people who can guide us in the right direction.
Do your research. That would be my biggest advice. CyberArk is a great tool. However, it is not the only tool that does what it does and, in some cases, for a lot of people, other password vaulting tools are more toward what they would need in their environment. I would give CyberArk an eight out of 10, and the two missing points would probably be mostly because of technical support. I would love to actually get the support that I asked for. I would love to actually get the help that I'm asking you for as opposed to you telling me, "Yes, I can help you. I need you to fill out these papers and jump through that hoop and then cut a cartwheel and rub your belly while you pat your head at the same time." If it wasn't for that, it would be more towards a 10. My most important criteria when selecting a vendor are
* credibility
* functionality.
If you want to use it as an application password management cloud solution, think about it not as a security person but as an application person. If CyberArk does not meet your requirements, it has a way to meet them through customization. Our most important criteria when selecting a vendor include scalability and stability as well as meeting our security requirements for applications. From the application perspective, I would rate it at eight out of 10 because it's very easy to use and stable.
One big piece of advice I would give is: Don't ignore user acceptance. If you want people to use CyberArk, you have to pay attention to user acceptance. If your users hate it, then your entire experience is going to be an uphill battle, when you're trying to get people to actually use the tool. It doesn't matter how good the tool is, it doesn't matter how well it does password management. It doesn't matter how well it does all these other things. If your users hate it, you're going to have an uphill struggle with the people that you need to be on your side. You've got to get user acceptance right. Now, you can't completely sacrifice all those other things just for user acceptance, I'm not saying that. But you have got to keep user acceptance up there, alongside everything else. It's got to be a hand-in-hand thing as you go along, so don't ignore user acceptance. Spend some time doing it. I tend to shy away from giving anybody a 10 out of 10. I would rate it at about eight out of 10, a pretty high rating. Anything could be improved, and certainly, CyberArk is not immune to that. But I think it's a good tool.
Take your time. It is not a quick hit, where I am going to put it in today and be done. It is a process. The cyber hygiene program is a crucial aspect of how to implement this successfully. I do have experience with the new plugin generator utility. We have been using it for a short period of time. It is not fully in production yet, but it seems to be quite good. Most important criteria when selecting a vendor: Technical ability, not only in the product, but in the industry as a whole. This helps set CyberArk apart. They are not only experts in their product, but they are experts in the industry, including Red Team capabilities. They are gearing their product towards the defending of what the active exploits are, not something that has been done in the past.
CyberArk is on top of its game. The product has worked well for our company. If you are looking at implementing this solution, buy the training and go to it. If you do not train, it is hard to understand it. It is hard to pick it up by cross-training with other people. You really want to start off strong. Most important criteria when evaluating a technical solution: Be brutally honest about all the factors that go into the solution that you are looking for (buyer) and what the solution can offer (seller).
CyberArk is the best out there. Their product makes our privileged access management so much easier. For privilege access management, there is really no choice but to implement this or a similar solution. It is the last bastion that companies have. Firewalls used to be the perimeter and the place to be. Nowadays, intruders can walk through the perimeter (the firewall). So, we have to get on the inside and get it tied down. There are not very many people playing in this market. CyberArk is on the top, so there should not be any reason not to go with it. Most important criteria when selecting a vendor:
* Best of breed
* Top quality support organization.
Try a demo, if you can. Make it a hands-on with some of the components and see what they offer you. I have used other privileged account management tools in the past. This, by far, outranks them as far as features and usability. The integrations on top of that as well. Each new product that our company buys, we turn to CyberArk, and they say, "Yes, we integrate with that." I have used the new generator utility plugin once, so not extensive experience, but I have used it. It does work. Most important criteria when selecting a vendor: They integrate with CyberArk.
I would recommend the product. We have done a lot of customer referrals for CyberArk. It is good. It fits our needs, and there is not anything else out in the market that can match it. Most important criteria when selecting a vendor:
* Good support.
* Meeting each of the requirements.
* Usability of the product.
* Ease of implementation.
* Not a lot of customization; you can get it right out-of-the-box and run with it.
CyberArk is a fantastic solution. They understand what the industry is trending towards. They are able to meet that very quickly. Being in healthcare, we are a little bit behind the times and we follow people a little further behind (for example, the financial sector has been doing all this stuff for so long). However, healthcare, as an industry, is always a few steps behind because we are clinical and have to support a lot of different clinicians, physicians, and regulations, which sometimes makes us move more slowly. Just having this has been huge for us. One of the things which has differentiated us from other customers from CyberArk is we have been tremendously successful in rolling out different implementations. There are a lot of clients whom I have talked to personally who have bought the solution, but have never implemented it, or they have been met with a lot of struggles or a lot of uphill battles with their staff and adoption. My best advice would be to start out and find the quick wins, the low-hanging fruit; these things you can provide to your organization to have them understand and see the same value that you are seeing as you are implementing. I am familiar with the new plugin generator utility. I have not used it because I think it is a newer version than what we have, but I am excited about it. I am looking forward to utilizing it. It is similar to what they have for their PSM solution. They have some new web services framework, so they do not have to use the AutoIt tool because it takes a long time to create plugins today. Like the plugin creation utility, it will allow us to take a whole lot of time off of our turnaround to be able to provide some of these connection components. Most important criteria when selecting a vendor: Because we have so many applications and solutions across our organization, interoperability is a big thing.
I am in charge of CyberArk, as well as Duo, who we use for our two-factor, and having that integration point or the ability to integrate with these solutions is huge for us. As we try to standardize across all of our different organizations, which is very difficult in our industry, what we offer for a particular solution rather than having 30 different iterations of different applications, has been huge for us. Standardization and integration is a huge point for choosing a vendor.
Educate the user community once you get it actively deployed and set up a strict policy on it. Most important criteria when selecting a vendor:
* Good reputation for technical support
* Product that does what it is supposed to do.
My advice is to have the necessary resources to fully implement this. Don't just bring it in and let it sit. It needs to have the resources with a fully dedicated team to be able to get this functional. Otherwise, it will be sitting there not being fully utilized. There are a lot of functionalities that require a lot of resources to get it up and running. I have been using the new plugin generator utility for about a year. I took a PSM Connection course this past summer. I have been using it ever since. Most important criteria when selecting a vendor:
* It will be usability of the product. I want to make sure that when we have the product, we can quickly use it and have a full understanding of it without all the hoops that we need to jump through just to be able to understand what that system looks like or how it works.
* The next thing will be support. How will they be able to support the system? Do they have a good support staff who will be able to help us get through an implementation?
Those are the two main things I look for: the usability and supportability of the tools.
Do it now. Don't wait. Any other issues that we may have come up with, they have always been there to help assist and get us back on the right track. They don't just give you the product, then wipe their hands. We just got an upgrade to version 10.4, as we went from 9.2 to 9.9.5 last year. This was a major improvement for us, going to 10.4 with the different dashboards and PTA built-in and PTA on the credential rotation. They are starting to integrate all the different components. Most important criteria when selecting a vendor:
* Ease of access.
* They are with you going through any problems that may arise.
* Good support.
It does what it promised. It secures our platforms, has the scalability, and it is just a solid product. Know what you are getting into upfront. Work with IT to ensure you have buy-in from upper management, and work with them to get a roadmap to deploy. Most important criteria when selecting a vendor:
* Reliability
* Having good customer support.
Get on implementing it today. Be patient. Test a lot. Deploy slowly. It has places to go. I see the potential. It is getting there, but it has room to grow. If you compare this product with anything else as far as an endpoint solution, there is nothing which even compares. We have implemented the new plugin generator utility already. I trained the help desk. It is really easy. Instead of having to fix it myself, the service desk will receive a one-time code to help the customer immediately, so they do not have to wait. I will receive a ticket to make a long-term policy. It is a perfect system. Most important criteria when selecting a vendor: communication.
If you want more security, get CyberArk. I used the new plugin generator utility here in the lab. Right now, it is manual, and the plugin is very easy to use. It is amazing. Most important criteria when selecting a vendor: I prefer better tech support, because I love the CyberArk support. I want support like that everywhere with all my vendors.
If you are starting from scratch with the product, you should take a good inventory of your accounts to know what is in the scope. Start off with the password management aspect of it, but also look into things that provide session management, SSH key, and rotation. These are some of the basic things a new company using privileged access should look for. CyberArk is always willing to take feedback from the customer and is looking for ways to improve. There are all types of programs within CyberArk to take that feedback and incorporate it into their product. I have experience using quite a few of the plugins, but I am not familiar with the new generator utility plugin. The most important criteria when selecting a vendor: They need to understand our environment. We have a very complex environment at a very large scale. They need to show that they have a product which can meet the needs of a large organization like ours, and find solutions from old legacy environments to everything through the cloud.
One of the biggest factors when dealing with this field/area in privileged accounts is you have to have executive support from the top down. Push for this, because trying to get different business units or groups to implement this product is very hard if you don't have upper level management support. Most important criteria when selecting a vendor:
* Stability of the product.
* The customer service interface: Someone who can work with you on the product and understand what your needs are.
Make sure you have a development or QA environment. I did training today on the new plugin generator utility. I would rate it about a nine for ease of use and deployment. They are continuously improving the product. It works great, and there is a lot of documentation available. Most important criteria when selecting a vendor: Longevity and length of time in the business. Not that there is anything wrong with startups, but these folks have been out there with a proven track record. We talk to other people, look at the reports, etc.
Start small and don't try to overwhelm your scope. Do small steps and get them completed. Take notes, document, then scale out. Go from high risk out instead of trying to get everything in, then fixing it. One of my homework assignments at CyberArk Impact is to find out more about how to utilize CyberArk to secure infrastructure or applications running in the cloud. We have a lot of the out-of-the-box plugins with one custom plugin, but we are still new to using them. Most important criteria when selecting a vendor: Age of the company, because we do not want to be first to market. We want to hear about it from other people. How the sales rep is communicating. Whether it is more of a sales pitch or if it is a genuine concern for our security. Then, make sure our vision is lined up with the product. We want to get our bang for the buck.
We are currently on version 9.10. We would like to upgrade to the latest version sometime this year. There is currently a CyberArk Security Bulletin CA19-09 that addresses potential administrative manipulations within the PVWA and the Digital Vault. CyberArk has released patch 9.10.4 to address the PVWA and they are working on releasing a patch for the Vault Server.