A New Pamocracy is Growing Inside Your Organization

When you were not looking, the number of privileged identities you manage went from thousands to millions

OK, everybody is doing it right now, so I asked the analyst’s new best friend, ChatGPT, to define Privileged Access Management. Here is what it said: “Privileged Access Management (PAM) is a critical security discipline that provides a framework to manage and monitor privileged access to sensitive systems and data. PAM solutions aim to prevent unauthorized access, reduce the risk of cyberattacks, and ensure compliance with industry regulations.” Well, you can’t argue with that; I could have written that myself – in fact I’m sure I have!

But as anyone put in charge of managing identity and privileged use activity knows, the picture is a little fuzzier in real life. As my Leadership Compass PAM 2023 shows, there is a lot going on in the market, which makes it difficult to choose and use PAM to achieve anything close to the ChatGPT abstraction. The results of the Leadership Compass showed that vendors are responding in diverse ways to meet the demands of buyers, who, it must be said, often express confusion about the best type of product to choose.

PAM no longer just manages human identities

Those at the top end of the Leadership scale, including the traditional “big” players, are keeping up with a changing market by adding new capabilities to platforms while also simplifying purchasing, deployment, and daily usage of the software – the bit that developers sometimes forget! Clean dashboards are replacing CLIs and code, and automation and wizard tools are on the increase: all good. Smaller players, with the advantage of creating lean, clean cloud-native software from scratch, have been instrumental in driving the bigger players to make many of these usability changes.

The biggest change is a recognition that PAM is now quite removed from its traditional definition, and in this respect ChatGPT gets it pretty spot on when it says "A framework to manage and monitor privileged access to sensitive systems and data". For a long time, PAM was about managing admins and superusers and controlling access to endpoints or other network devices, usually for maintenance purposes.

The market now knows that PAM is a technology that must manage not just human identities but also those associated with machines, workloads and applications. Other areas of enterprise computing, such as multi-cloud, microservices, code repositories, software-defined networks and more, have transformed how we see identity and what identities are allowed to do to get things done.

The laws of Pamocracy

In effect, this means that millions and millions of identities require agile and fast access to something, somewhere, that could be considered privileged. In my forthcoming webinar I talk about the new Pamocracy, which is my term for describing this massive expansion of privileged access in a world where everything is connected to everything else. But like any other kind of power group, it must be controlled by policies, laws and regulations to make it work in the interest of the whole enterprise.

While this has been happening, new players and friends have entered the PAM market. Smaller vendors are realizing that there is money to be made addressing PAM niches – such as DevOps, Cloud and even database access. For them, the trend of decentralized purchasing means that some organizations are witnessing the purchase of limited PAM for certain departments, even when a cross-enterprise PAM platform is in place. As more PAM vendors move to SaaS, this will be more common. The irony is that managing these decentralized PAM SaaS or on-demand iterations will need controlled access too.

And at the outer edges of the market, I am starting to see some aspects of Data Governance and Privacy emerge into the PAM domain. Vendors in that space are starting to offer PAM-like capabilities. Maybe they don’t call it that – or even realize they are offering it, but it’s happening.