Leadership Compass
This Leadership Compass provides an overview and insights into the Cloud Infrastructure Entitlement Management (CIEM) market, with the aim of helping your organization find the right products and technologies for a successful CIEM deployment.

1 Introduction

Welcome to the KuppingerCole Leadership Compass on Cloud Infrastructure Entitlement Management (CIEM) software products. As organizations adopt cloud infrastructure and services, the management of access rights and permissions becomes a critical aspect of maintaining a secure and compliant environment. CIEM software solutions are specifically designed to address this challenge by providing comprehensive visibility and control over entitlements across cloud platforms.

In this report, we explore key considerations when evaluating CIEM software products for your organization's cloud infrastructure. We delve into vital features such as centralized access management, entitlement discovery and analysis, continuous monitoring of permissions, role-based access control, and policy enforcement. Additionally, we will examine factors like scalability, integration capabilities, reporting and analytics, and compliance frameworks to help you make an informed decision that aligns with your organization's cloud security objectives.

Whether you are in the initial stages of adopting cloud infrastructure or looking to enhance your existing entitlement management processes, this KuppingerCole Leadership Compass will equip you with the knowledge and insights needed to help select the right CIEM software product for your organization's cloud security needs.

1.1 Highlights and findings

This report is both an update and a reworking of the 2022 Leadership Compass on Dynamic Resource Entitlement & Access Management (DREAM) and CIEM. We have refocused the report and the eligibility of vendors with the emphasis very firmly on the identity management aspect of CIEM. We no longer talk about Privileged Access Management (PAM) for DevOps, as this concept is becoming outdated and is largely replaced by the cloud management capabilities in the CIEM platforms assembled here. In fact, the concept of traditional PAM is under fresh scrutiny as we move more to a world of Least Privilege, Zero Standing Privilege and just-in-time access to resources in the cloud. The shift to the cloud and the demanding needs of developers, CI/CD teams and CloudOps has caused a rethink in how we manage resources and access, and in what defines privileged access. Does the privilege now sit with the resource, database, application, etc., with identities verified instantly to get access and to get things done as the business, not IT, requires?

Certainly, the market is responding. CyberArk speaks less about PAM these days and has pivoted its entire product line to identity management. Others are following suit: BeyondTrust is notably absent from this report because it, too, is about to transform its product line towards identity, and its existing CIEM capabilities are transitioning to its new Identity Security Insights solution. That transition completes after the cutoff date for this report. We look forward to welcoming BeyondTrust to the 2024 PAM Leadership Compass and seeing the brand new platform, built from the ground up.

Another reason that PAM vendors are shifting is the emergence of agile, cloud-native CIEM vendors, which customers are realizing provide a real alternative to traditional PAM, paradoxically by not actually offering PAM as a capability. Instead, customers have seen that the capabilities these vendors offer for cloud entitlement are indeed a form of selective access, but with JIT and rapid response built in. Often, they cover a wider scope of all types of cloud infrastructure out of the box and are identity focused by default.

So, it is an interesting time. We advise readers to look at the whole report and not just at who the Leaders are. Leaders are leaders not just because of their innovation or capabilities but also because of their financial strength and market presence. But those further down in the ratings should not be overlooked just because they are small: there are great innovations worthy of attention. There is much to discover among the young and start-up vendors, who have set the pace in CIEM, and who should be seriously considered by buyers. Whatever your choice, every vendor in this report is doing the right thing.

To sum up:

  • Major reworking of the 2022 Leadership Compass on DREAM and CIEM
  • PAM for DevOps is outdated and largely replaced by the cloud management capabilities in CIEM platforms
  • Traditional PAM is under fresh scrutiny as we move more to a world of Least Privilege, Zero Standing Privilege and Just in Time
  • Leading PAM players are refocusing entire platforms towards identity and cloud

1.2 Market Segment

CIEM refers to practices, tools, and technologies employed to manage and secure identity access to cloud infrastructure resources, including SaaS, PaaS, IaaS data centers and services. It involves implementing and enforcing access controls, permissions, and entitlements within cloud-based environments to ensure that users have the appropriate level of access to resources based on their roles and responsibilities.

CIEM solutions typically provide capabilities for identity provisioning, access governance, access control policies, authentication, authorization, and monitoring to maintain the security and compliance of cloud infrastructure resources. This Leadership Compass analyses a number of vendors whose products assist with CIEM projects and procedures.

Operating environment

CIEM software must operate securely within multi-cloud, decentralized, open environments. Human and machine identities require access to cloud-based resources. The number of machine identities will vastly outnumber human identities such as employees, presenting a unique access management challenge to managers and the software they deploy. Machine identities will include workloads, toolchains, and code needed to keep the whole organization running and for new applications to be developed. Cloud entitlements must be surfaced, and standing privileges weeded out of such environments. CIEM should be compatible with the major IaaS and SaaS platforms used in modern multi-cloud environments.
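As an added illustration (not from the report or any vendor's product) of the entitlement analysis described above, the following Python script takes constructed IAM-style grants and a constructed activity log, flags wildcard grants, sensitive permissions granted on every resource, permissions not exercised within an observation window, and dormant identities, and proposes a right-sized action list per grant. All identities, actions, resources and dates are made up for the example.

```python
"""Entitlement right-sizing in the style of a CIEM analysis.

Input: constructed IAM-style grants and an activity log.
Output: findings (wildcard grants, sensitive actions on all resources,
unused permissions, dormant identities) and a least-privilege
recommendation per grant. Every value below is constructed.
"""
import fnmatch
from collections import defaultdict
from datetime import date, timedelta

# Constructed grants, loosely modelled on cloud IAM policy statements.
GRANTS = [
    {"identity": "svc-build", "kind": "machine",
     "actions": ["s3:GetObject", "s3:PutObject", "s3:*"],
     "resource": "bucket/artifacts/*"},
    {"identity": "alice", "kind": "human",
     "actions": ["ec2:DescribeInstances", "ec2:TerminateInstances",
                 "iam:CreateAccessKey"],
     "resource": "*"},
    {"identity": "old-cron", "kind": "machine",
     "actions": ["kms:Decrypt"], "resource": "key/1"},
]

# Constructed activity log: (day, identity, action, resource).
TODAY = date(2024, 3, 1)
ACTIVITY = [
    (TODAY - timedelta(days=2), "svc-build", "s3:GetObject", "bucket/artifacts/a.zip"),
    (TODAY - timedelta(days=1), "svc-build", "s3:PutObject", "bucket/artifacts/b.zip"),
    (TODAY - timedelta(days=5), "alice", "ec2:DescribeInstances", "instance/i-1"),
    (TODAY - timedelta(days=120), "old-cron", "kms:Decrypt", "key/1"),  # outside window
]

# Actions whose grant on resource "*" is treated as high risk (constructed list).
SENSITIVE = {"iam:CreateAccessKey", "ec2:TerminateInstances"}


def observed_usage(activity, today, window_days=90):
    """Map identity -> set of actions exercised inside the observation window."""
    cutoff = today - timedelta(days=window_days)
    used = defaultdict(set)
    for day, identity, action, _resource in activity:
        if day >= cutoff:
            used[identity].add(action)
    return used


def right_size(grant, used):
    """Narrow the granted patterns to the actions actually exercised.

    A wildcard such as "s3:*" is replaced by the concrete actions that
    matched it in the log; an unexercised concrete action is dropped.
    """
    keep = set()
    for pattern in grant["actions"]:
        if "*" in pattern:
            keep.update(a for a in used if fnmatch.fnmatchcase(a, pattern))
        elif pattern in used:
            keep.add(pattern)
    return sorted(keep)


def analyze(grants, activity, today, window_days=90):
    """Return (identity, finding, detail) tuples plus a recommendation per grant."""
    usage = observed_usage(activity, today, window_days)
    findings = []
    for g in grants:
        used = usage.get(g["identity"], set())
        if not used:
            # Standing privilege with no business use in the window.
            findings.append((g["identity"], "dormant-identity", "no activity in window"))
        for a in g["actions"]:
            if "*" in a:
                findings.append((g["identity"], "wildcard-grant", a))
            elif a not in used:
                findings.append((g["identity"], "unused-permission", a))
            if g["resource"] == "*" and a in SENSITIVE:
                findings.append((g["identity"], "sensitive-on-all-resources", a))
        findings.append((g["identity"], "recommended-actions", right_size(g, used)))
    return findings


if __name__ == "__main__":
    for identity, finding, detail in analyze(GRANTS, ACTIVITY, TODAY):
        print(f"{identity:10} {finding:28} {detail}")
```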

1.3 Delivery Models

CIEM platforms should ideally run as a service from the cloud; cloud-native platforms are obviously technically suited to orchestrating other cloud applications and all cloud-based entities, as well as marshalling identities. This would not rule out platforms that have some on-premises components, for example to enable secure connections behind firewalls. However, the core capabilities must run in the cloud. All platforms must be deployed in such a manner as to enable integration with legacy cloud and legacy non-cloud infrastructures.

1.4 Required Capabilities

Resource Provisioning and Management

The software should enable the provisioning and management of cloud resources, such as virtual machines, storage, and network resources. It should provide an intuitive interface/dashboard to allocate and configure these resources based on user and machine requirements.

Role-Based Access Control (RBAC)

RBAC allows administrators to define roles and assign specific permissions to users or groups. The software should support RBAC to ensure that users have appropriate access rights to cloud resources based on their roles within the organization.

User and Group Management

It should allow administrators to create, manage, and deactivate user accounts. The software should support grouping users together for easier management and enforce consistent access policies across different groups. A CIEM product should differentiate between personal and service accounts and monitor API key usage.

Authentication and Single Sign-On (SSO)

The software should integrate with authentication mechanisms such as Active Directory, LDAP, or other identity providers to enable centralized user authentication. It should also support single sign-on (SSO) to allow users to access multiple cloud services with a single set of credentials.

Fine-Grained Access Control

In addition to RBAC, the software should support fine-grained access controls. This allows administrators to define and enforce granular permissions on specific resources or actions within the cloud environment.

Audit and Compliance

The software should provide logging and auditing capabilities to track user activities, resource changes, and access attempts. It should support compliance requirements by generating reports and providing visibility into who accessed what resources and when.

Policy Enforcement

The software should enforce security policies and compliance requirements across the cloud infrastructure. It should be able to detect and respond to policy violations, such as unauthorized access attempts or misconfigurations.

Integration with Identity and Access Management (IAM) Systems

The software should integrate with existing IAM systems to leverage user and access information, as well as enable seamless management across different platforms and services.

Scalability and Performance

The software should be capable of handling the scale and performance requirements of cloud environments. It should be able to manage large numbers of users, resources, and access requests efficiently.

API and Integration Capabilities

The software should provide APIs and integration capabilities to integrate with other cloud management tools, security systems, or custom applications. This allows for automation, orchestration, and customization of workflows as per organizational needs.

2 Leadership

Selecting a vendor of a product or service must not be based only on the information provided in a KuppingerCole Leadership Compass. The Leadership Compass provides a comparison based on standardized criteria and can help identify vendors that should be evaluated further. However, a thorough selection includes a subsequent detailed analysis and a Proof of Concept or pilot phase, based on the specific criteria of the customer.

2.1 Overall Leadership

Based on our research, we offer several Leadership designations. The Overall Leadership rating provides a combined view of the ratings for:

  • Product Leadership
  • Innovation Leadership
  • Market Leadership

Figure 1: Overall Leadership

Overall Leaders are (in alphabetical order):

  • ARCON
  • CyberArk
  • SailPoint
  • SSH

The Overall Leaders might seem a little predictable: traditional IAM and PAM players who have already sewn up the CIEM market. This would be the wrong conclusion to take from this report. The four Leaders have indeed learned some lessons from CIEM and added the capabilities to their platforms, but they also lead because of size, market position, stability, and trust in the market. Obviously, when bigger players learn from smaller innovative rivals, they can still dominate a new sector because they already have a substantial customer base (huge in Microsoft’s case), deep integrations and experience in identity management. But there is no doubt that the big players were slow to realise the impact cloud was having on entitlement and access, especially for areas such as DevOps. Meanwhile, those in the Challengers group produce highly capable tools with varying levels of functionality, all with strengths, and mostly with native cloud design and operation built in. These will only improve. The fact that there are no Followers here or in Innovation Leadership shows just how competitive this market already is, and how far it is from maturity or settled status.

2.2 Product Leadership

Product Leadership is the first specific category examined below. This view is mainly based on the analysis of service features and the overall capabilities of the various services.

Figure 2: Product Leadership

Product Leaders (in alphabetical order):

  • ARCON
  • CyberArk
  • EmpowerID
  • Microsoft
  • NextLabs
  • ObserveID
  • Palo Alto Networks
  • SailPoint
  • SSH

2.3 Innovation Leadership

Next, we examine innovation in the marketplace. Innovation is, from our perspective, a key capability in all IT market segments. Customers require innovation to meet evolving and ever emerging business requirements. Innovation is not about delivering a constant flow of new releases. Rather, innovative companies take a customer-oriented upgrade approach, delivering customer-requested and other cutting-edge features, while maintaining compatibility with previous versions.

Figure 3: Innovation Leadership

Innovation Leaders (in alphabetical order):

  • ARCON
  • CyberArk

2.4 Market Leadership

This is an amalgamation of the number of customers, number of transactions evaluated, ratio between customers and managed identities/devices, the geographic distribution of customers, the size of deployments and services, the size and geographic distribution of the partner ecosystem, and financial health of the participating companies. Market Leadership, from our point of view, requires global reach.

Figure 4: Market Leadership

Market Leaders (in alphabetical order):

  • CyberArk
  • SailPoint

3 Correlated View

While the Leadership charts identify leading vendors in certain categories, many customers are looking not only for a product leader, but for a vendor that is delivering a solution that is both feature-rich and continuously improved, which would be indicated by a strong position in both the Product Leadership ranking and the Innovation Leadership ranking. The following analysis takes this into account and correlates various Leadership categories and delivers an additional level of information and insight.

The first of these correlated views contrasts Product Leadership and Market Leadership.

3.1 The Market/Product Matrix

Figure 5: The Market/Product Matrix

Vendors below the line have a weaker market position than expected according to their product maturity. Vendors above the line are sort of “overperformers” when comparing Market Leadership and Product Leadership. All the vendors below the line are underperforming in terms of market share. However, we believe that each has a chance for significant growth.

3.2 The Product/Innovation Matrix

This view shows how Product Leadership and Innovation Leadership are correlated. It is not surprising that there is a pretty good correlation between the two views with a few exceptions. The distribution and correlation are tightly constrained to the line, with a significant number of established vendors plus some smaller vendors. Vendors below the line are more innovative, vendors above the line are, compared to the current Product Leadership positioning, less innovative.

Figure 6: The Product/Innovation Matrix

3.3 The Innovation/Market Matrix

The third matrix shows how Innovation Leadership and Market Leadership are related. Some vendors might perform well in the market without being Innovation Leaders. This might impose a risk for their future position in the market, depending on how they improve their Innovation Leadership position. On the other hand, vendors which are highly innovative have a good chance for improving their market position. However, there is always a possibility that they might also fail, especially in the case of smaller vendors. Vendors above the line are performing well in the market as well as showing Innovation Leadership; while vendors below the line show an ability to innovate though having less market share, and thus the biggest potential for improving their market position.

Figure 7: The Innovation/Market Matrix

4 Products and Vendors at a Glance

This section provides an overview of the various products we have analyzed within this KuppingerCole Leadership Compass on Cloud Infrastructure Entitlement Management. Aside from the rating overview, we provide additional comparisons that put Product Leadership, Innovation Leadership, and Market Leadership in relation to each other. These allow identifying, for instance, highly innovative but specialized vendors, or local players that provide strong product features but do not yet have a global presence and large customer base.

Based on our evaluation, a comparative overview of the ratings of all the products covered in this document is shown in Table 1. Since some vendors may have multiple products, these are listed according to the vendor’s name.

| Vendor | Security | Functionality | Deployment | Interoperability | Usability |
| --- | --- | --- | --- | --- | --- |
| ARCON | Strong Positive | Positive | Neutral | Positive | Strong Positive |
| BRITIVE | Positive | Positive | Positive | Positive | Positive |
| CYBERARK | Strong Positive | Positive | Positive | Strong Positive | Strong Positive |
| EMPOWERID | Positive | Neutral | Neutral | Positive | Positive |
| ENTITLE | Positive | Neutral | Positive | Neutral | Neutral |
| MICROSOFT | Strong Positive | Strong Positive | Positive | Neutral | Positive |
| NEXTLABS | Strong Positive | Positive | Positive | Positive | Positive |
| OBSERVEID | Positive | Neutral | Positive | Positive | Positive |
| PALO ALTO NETWORKS | Strong Positive | Positive | Positive | Positive | Positive |
| SAILPOINT | Strong Positive | Positive | Neutral | Positive | Positive |
| SENHASEGURA | Positive | Positive | Positive | Positive | Positive |
| SSH | Positive | Positive | Positive | Positive | Positive |
| TENABLE (ERMETIC) | Positive | Positive | Positive | Positive | Positive |

Table 1: Comparative overview of the ratings for the product capabilities

In addition, we provide in Table 2 an overview which also contains four additional ratings for the vendor, going beyond the product view provided in the previous section. While the rating for Financial Strength applies to the vendor, the other ratings apply to the product.

| Vendor | Innovation | Market Position | Financial Strength | Ecosystem |
| --- | --- | --- | --- | --- |
| ARCON | Positive | Neutral | Positive | Strong Positive |
| BRITIVE | Neutral | Neutral | Neutral | Weak |
| CYBERARK | Positive | Strong Positive | Strong Positive | Strong Positive |
| EMPOWERID | Positive | Neutral | Positive | Neutral |
| ENTITLE | Neutral | Weak | Neutral | Neutral |
| MICROSOFT | Positive | Strong Positive | Strong Positive | Strong Positive |
| NEXTLABS | Positive | Positive | Positive | Positive |
| OBSERVEID | Positive | Weak | Neutral | Neutral |
| PALO ALTO NETWORKS | Positive | Positive | Positive | Positive |
| SAILPOINT | Positive | Positive | Positive | Positive |
| SENHASEGURA | Positive | Neutral | Neutral | Positive |
| SSH | Positive | Neutral | Neutral | Positive |
| TENABLE (ERMETIC) | Positive | Positive | Positive | Neutral |

Table 2: Comparative overview of the ratings for vendors

5 Product/Vendor evaluation

This section contains a brief rating for every product/service we’ve included in this KuppingerCole Leadership Compass document. For many of the products there are additional KuppingerCole Product Reports and Executive Views available, providing more detailed information.

5.1 Spider graphs

In addition to the ratings for our standard categories such as Product Leadership and Innovation Leadership, we add a spider chart for every vendor we rate, looking at specific capabilities for the market segment researched in the respective Leadership Compass. For the LC CIEM, we look at the following eight categories:

  • Authentication
  • Dashboard
  • Developer CI/CD
  • IaaS support
  • Customization
  • Entitlement management
  • Policy & workflows
  • Privilege management

5.2 ARCON – Cloud Governance

ARCON is based in Mumbai and was founded in 2006. The company specializes in providing solutions for Privileged Access Management (PAM) and Identity and Access Governance (IAG).

ARCON Cloud Governance is a centralized platform for security, compliance, and governance and is available as a standalone solution. The software allows organizations to manage user access rights and privileges across multiple clouds and applications. It ensures that users have appropriate access levels based on their roles and responsibilities, reducing the risk of unauthorized access.

The solution offers advanced identity provisioning, user lifecycle management, and strong authentication mechanisms like biometrics or smart cards.

It provides real-time visibility into user activities, tracks changes made to sensitive data and configurations, and generates audit logs and compliance reports to meet regulatory requirements. The solution can discover entities as well as entitlements across different SaaS applications, which gives a holistic view of the overall entitlement mapping.

The solution leverages advanced analytics and machine learning techniques to identify anomalous user behavior, detect insider threats, and flag potential security incidents. It helps organizations proactively respond to security incidents and mitigate risks before they escalate.

ARCON Cloud Governance also offers incident response processes through automated workflows, which many platforms do not, and is SOC 2 compliant. Integrations are well supported, with standard protocols and APIs enabling smooth data exchange and interoperability. It also integrates with ARCON PAM, as would be expected, making it an attractive option for existing customers.

The solution generates detailed reports on access requests, user behavior, compliance status, and other security-related metrics for internal and external audits.

Cloud instances from all three major Cloud Service Providers can be onboarded automatically, with little manual intervention and no scripting required of end users.

Within the dashboard, identities can be provisioned and deprovisioned according to roles, groups and policies, and group admins can also be designated. Permissions and integrations can be modified directly through a low code programming tool. The Session Orchestrator can scale workflows and access so that sessions can be terminated early or the bandwidth needed to complete a task reduced. The Identity Hub acts as an easy-to-use portal for approving or blocking access requests, and for raising and approving requests for access to cloud assets as well as entitlements.

Ratings

  • Security: Strong positive
  • Functionality: Positive
  • Deployment: Neutral
  • Interoperability: Positive
  • Usability: Strong positive

Strengths

  • ARCON’s PAM and IGA experience stands this platform in good stead, and it will fit well with existing ARCON stacks.
  • Well-designed dashboard and the Identity Hub make it simple to request, authorize and process entitlement requests from supported cloud tools.
  • Low code framework makes it suitable for end user modification and improves integration.
  • Uses Machine Learning techniques to make recommendations and remediation easier for risky entitlements.
  • Wide support for SIEM platforms including proprietary AWS and Azure SIEMs as well as Splunk, Prometheus etc.
  • Full support for all major IGA providers

Challenges

  • Core JIT capabilities are bundled with the solution; advanced use cases are promised on the roadmap.
  • Could do with wider API support (no JSON, XML) to further aid integration and modification of the base platform.
  • The focus is currently on cloud governance, which is good, but we would like to see improvements to cloud access and entitlement speeds and processes.

Leader in: Overall Leadership, Product Leadership, Innovation Leadership

5.3 Britive – Dynamic Permissioning Platform

Britive was founded in 2018 and is based in California. It develops access and entitlement management solutions for IaaS, PaaS, SaaS, and DaaS platforms used in multi-cloud environments. Britive Dynamic Permissioning Platform offers ephemeral JIT access for all types of identities to all resources: data, servers, CSPs, SaaS applications. In scenarios where JIT access is not desired, Britive has introduced a cloud vault for static secrets and keys, which can also be accessed according to Least Privilege principles. However, the raison d’être of this platform is JIT access.

Britive leverages an API-first approach to grant users access to the target cloud platform or application within the level of privileges authorized for the user and, significantly, it integrates with Attribute Based Access Control (ABAC) as well as more traditional RBAC policies.

Britive is ideally suited to managing developers and DevOps with its focus on JIT access and IT Admin oversight built into the platform, but it is also savvy enough to recognize that developers should be trusted more in modern IT environments, and it understands their way of working. Therefore, the platform gives developers and engineering teams access to the platform via a Python compatible SDK module. There is full integration with ChatOps tools such as Slack and Teams. In 2024 Britive will release Britive Access Builder, which will allow users to create custom profiles with just the access necessary for the work required, within the restrictions and policies set by Britive admins. This reflects the company’s philosophy of empowering users while maintaining discrete control over entitlement and privilege. The software now supports Identity Lifecycle Management (ILM) for machine, service, and human identities. Significantly, the company understands that cloud isn’t everything (yet), so it has added support for JIT access management to Kubernetes clusters operating both in the cloud and on premises, for those buyers who still prefer to keep some operations on premises.

Deployment is agentless, which simplifies set up and is in line with the stated goal of making installation, management, and usage easy for non-traditional admins and less experienced IT security people. Instead, it encourages those directly involved in DevOps or other development environments to apply security controls themselves.

The platform uses APIs to integrate third-party IAM, SIEM, and SSO tools, but it also readily integrates with common CI/CD automation and data warehousing platforms. For developers it supports a range of DevOps automation tools (Terraform, Ansible, AWS CloudFormation, Kubernetes tools for AWS, GCP, and Azure) as part of the CI/CD Test, Build, Release, Operate and Configure functions. Britive has some of the widest support for Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and SaaS solutions on the market. This includes Snowflake (DaaS), Workday, Okta Identity Cloud, Salesforce, ServiceNow, Google Workspace and others, some following specific requests from existing customers. This extends its reach into the cloud beyond many of its rivals, out of the box.

While this is undoubtedly a lean, cloud first entitlement platform, it retains several classical PAM capabilities such as automated account discovery, rule-based privilege escalation, and onboarding of privileged accounts, which will be useful to many potential customers.

Britive Advanced Data Analytics enables organizations to automatically uncover and monitor all human and machine identities and privileges (including overly broad and misconfigured privileges) and privilege related risky behavior (including privilege drift and abuse) across clouds.

The class-leading modern user interface allows for quick onboarding and offboarding of users and self-service privilege check-out, and the learning curve, given the focus of the platform, should be less steep than that of most similar applications.

In many ways, Britive is anticipating the future with its focus on 100% JIT access, but some organizations may find this a challenge with current infrastructures. It is ambitious to turn all identity access into JIT and embrace Zero Standing Privilege (ZSP) across all environments, but this is an achievable target with Britive for those environments that wish to (and can) follow that path.

Ratings

  • Security: Positive
  • Functionality: Positive
  • Deployment: Positive
  • Interoperability: Positive
  • Usability: Positive

Strengths

  • Eye opening in the way it supports multi-cloud entitlement, especially in higher-risk developer environments.
  • Wide and deep support for IaaS, microservices and containerization architectures.
  • Has improved support for classical PAM capabilities to round out its appeal, including Least Privilege control.
  • Class-leading support for cloud-native developer tools.
  • Excellent DevOps, Infrastructure-as-Code (IaC) and containerization support.
  • Strong support for API integration.
  • Excellent support for third party SIEM tools including Splunk, ArcSight etc.

Challenges

  • Support for IaaS should be wider OOB to include IBM, Alibaba, MongoDB and others.
  • In many ways, Britive is anticipating the future with its focus on 100% JIT access, but some organizations may find this a challenge with current infrastructures.
  • Focus on non-traditional IT experts having admin access in DevOps may be too much for some, but for others may be empowering.

5.4 CyberArk – Identity Security Platform

CyberArk is based in Israel and the United States and sells several identity security products. Long famous for its PAM expertise, the company has broadened the scope of the platform and rebranded it as the CyberArk Identity Security Platform.

Within the platform there are two modules specifically focused on cloud access and entitlement management. CyberArk Cloud Entitlements Manager can discover cloud entitlements for machine and human identities as well as service accounts and APIs across AWS, Azure and GCP, while CyberArk Secure Cloud Access provides native user access to cloud directly from the CyberArk dashboard.

Once set up, CyberArk Cloud Entitlements Manager continually scans IaaS CSPs to search for anomalies in entitlements and permissions or changes to cloud architecture. Admins or managers are then automatically alerted to non-compliant changes and can take appropriate action.

The dashboard displays entitlements across supported clouds and surfaces the services and permissions that identities may have access to. An AI driven threat intelligence engine suggests recommendations to admins to adjust or delete excessive permission levels, securely manage credentials, or remove standing privileges to use an account.

CyberArk's Cloud Entitlements Manager provides least privilege design capabilities to reduce the attack surface. CyberArk also identifies admins and shadow admins (identities with the option to elevate permissions) and gives security professionals the ability to reduce such privileged permissions.

The CyberArk platform enjoys one of the widest levels of IaaS support, making it highly compatible with many organizations. The same can be said of its support for container technology.

CyberArk Secure Cloud Access provides the kind of native access to cloud that smaller vendors are offering, but within the much wider IAM ecosystem that CyberArk can offer on top. With Secure Cloud Access, admins can define how users access cloud consoles by setting centralized secure policy, remove standing privileges and integrate with ChatOps tools to facilitate fast access requests. CyberArk has released a just-in-time, zero standing privilege access solution for cloud services (integrated with the cloud IAM modules of all major cloud providers).

The solution allows end-users to select an account and role and a pre-defined range of access, and have account owners approve the request via Slack, ServiceNow or another ITSM system of choice. Admins can also customize the process through a low code/no code workflow engine to enable additional integrations, custom logic, and context-based auto-approval.

Elsewhere in the suite, CyberArk Cloud Secrets Management fills the gap between proprietary IaaS secrets management clusters for DevOps and non-human identities by centrally discovering and managing secrets across all major cloud providers, also from within the CyberArk dashboard.

Ratings

  • Security: Strong positive
  • Functionality: Positive
  • Deployment: Positive
  • Interoperability: Strong positive
  • Usability: Strong positive

Strengths

  • It is probably a stretch to say that CyberArk has reinvented itself by embracing the challenge from newer CIEM and CSPM rivals, but it has come close.
  • With low code automation and support for more open development, CyberArk is ushering in a new era for its identity suite.
  • Good range of IaaS provider support including IBM, Oracle and OVH via PAM.
  • Creates deployable recommendations and remediation steps for an admin to utilize to reduce the risk level of permissions.
  • Dynamic Privileged Access capabilities allow brokering of access to ephemeral compute resources with SSH certificates.

Challenges

  • Some but not all of CyberArk’s products are fully cloud native or support microservices and containers.
  • Further rationalization of CyberArk PAM tools and identity management is still needed to be fully ahead of the curve.
  • CyberArk’s heft and experience keep it ahead of rivals, but not all buyers will need all that is on offer here.

Leader in: Overall Leadership, Product Leadership, Innovation Leadership, Market Leadership

    5.5 EmpowerID – Platform

    Established in 2004, EmpowerID is a leading provider of identity and access management solutions. Headquartered in New York City, the company offers a platform to manage user identities, access permissions, and security policies across various applications and systems.

    EmpowerID offers CIEM support for IaaS including the big three cloud platform providers as well as Alibaba, IBM, Oracle, Rackspace, VMware, and OVH.

    There is a standards-based native Identity Provider built into the platform that provides SSO to cloud applications directly from a menu in the dashboard. Other IdPs are supported, and multi-factor authentication can be configured in addition using Azure, Duo, OAuth, and mobile-based MFA apps. EmpowerID's expertise in identity management makes this a flexible access tool for DREAM.

    The applications are also open to customer development, with very broad API support and dev tools built into the platform. For example, a built-in tab for Postman, a relatively easy-to-use platform for building and using APIs, is included – a notable plus for in-house development of CIEM capabilities for the platform. Furthermore, APIs can be used to provide RBAC-based identity access on a JIT basis.

    The dashboard at the heart of EmpowerID is comprehensive in scope and does more than just provide access to cloud services. Other key capabilities include ML-assisted role mining with automatic clean-up of roles, and disclosure of the entitlements granted to roles and the security impact these may have on the organization.

    Business policy can be mapped to Azure groups; for example, Purchase Order functions and whole groups can be switched to JIT access if the role is considered high-risk or optimized for Least Privilege Access. Discovery tools provide data on standing privileges for identities, and Zero Standing Privilege can easily be configured in a window with time restrictions defined. End users can likewise reuse JIT access under the same GUI.

    Assigning roles across EmpowerID for Active Directory and other services is noticeably clear and very graphical. The experience is the same for ServiceNow, SAP, and other integrations. The Risk Analysis Engine can scan full stacks to reveal which identities and roles are at risk; an example would be machines that have too many admins. The whole ethos of EmpowerID is to hide the proprietary logistics and IAM tools of all CSPs and cloud-based applications—what it calls its semantic layer approach—and to provide seamless access to and control of cloud services.

    Ratings
    Security: Positive
    Functionality: Neutral
    Deployment: Neutral
    Interoperability: Positive
    Usability: Positive

    Strengths
  • EmpowerID is really thinking beyond the static nature of classical PAM and ID management with an abstracted layer approach to CIEM, cloud management and beyond
  • Excellent GUI out of the box
  • Wide-ranging IaaS support
  • API support includes the ability to use APIs to build new functions, with built-in support for API development platforms

    Challenges
  • Needs to expand EPM and PRA support for the era of home working
  • We would like to see Privileged User Behavior Analytics (PUBA) and other advanced capabilities added to make this a more rounded option. Given the way the market is heading, this may not matter to some cloud native organizations
  • Still heavily AD and Azure AD focused, but EmpowerID is convinced that Microsoft has won the identity management argument for the cloud—others may differ

    Leader in

    5.6 Entitle.io – Entitle Platform

    Founded in 2021, Entitle.io produces a cloud permission management platform that automates access and entitlement across leading IaaS/SaaS platforms. The company has operations in New York and Tel Aviv.

    Entitle.io supports an impressive number of IaaS and SaaS applications commonly in use today in many organizations. Any non-native CIEM should support GCP, Azure and AWS at a minimum and Entitle.io checks this box. But it also supports a wide range of DevOps and Kubernetes platforms, code repos, cloud databases such as Databricks and MongoDB, sales, marketing, and financial platforms, and some of the leading HRIS clouds. We would like to see more IaaS platforms supported out of the box and the company says it is willing to work with customers to support further IaaS/SaaS platforms.

    It has a good dashboard with easy-to-read graphics and data, making admin tasks more efficient and anomaly detection swifter. It is simple, with views on pending access requests, access history, log data and more detailed orchestration data. Admins can deliver bulk permissions for fast onboarding and offboarding to keep up with organizational changes. Users can request access to what they need via Slack, Teams, Jira, or email for a seamless approval process. The approval process is simple, and the admin process is equally effortless.

    Single Sign-On (SSO) is supported as standard and without any extra cost, making Entitle cost-effective to use with third-party identity providers. It also creates a quasi-SSO experience for non-SSO environments by creating just-in-time secrets, such as SSH keys and connection strings. It is fully SOC 2 compliant and integrates with identity tools such as Okta, Ping Identity and OneLogin.

    It is also strong on monitoring and logging services, and customization is provided for through REST APIs and event streaming. The platform automatically discovers entitlements for human identities and service accounts, and searches can be run by user, role, scope, and policy.

    Dashboarding provides visibility into identity and resource permission gaps and provides critical data on over-privilege for both types of identities. It supports manual permission revocation but does not automatically remediate over-permissioned identities (user, role, group, resource) to create least privilege roles. Like its like-minded rival Britive, Entitle believes in delegation for access control and entitlement reviews and supports metadata-based management. For example, accessing a Google Drive doc that was created by the CEO will require her assistant's approval.

    Roadmap items include integrations with traditional on-premises applications such as CRM and ERP platforms. Of more interest are the tag-based permission policies and integration with Data Security Posture Management (DSPM), using classified data tags (like PII) to add or reduce friction in access approval workflows. AI recommendations will assist requesters and approvers with what to ask and what to approve based on peers, activity, and existing approval patterns.

    Ratings
    Security: Positive
    Functionality: Neutral
    Deployment: Positive
    Interoperability: Neutral
    Usability: Neutral

    Strengths
  • The product can delegate access permissions management to trusted employees, heads of LOBs or other non-admin roles.
  • Alerting on native permission changes within integrated applications.
  • Lean platform born in the cloud speeds deployment and improves scalability.
  • SSH can be used for PAM workflows, and CSP IAM proprietary protocols are fully supported.
  • Will appeal to those with pressing DevOps or coding cloud entitlement needs but is less strong on wider cloud access issues.
  • Wide support for containerization services within AWS, Azure, and GCP.

    Challenges
  • Currently, little support outside the big three cloud services; e.g. it does not support the Kubernetes iteration from HashiCorp Nomad.
  • Lacks the development capabilities via SDK and LC/C that some rivals possess.
  • Fully supports service accounts but supports machine identities only when the third-party application does (e.g., GitHub).
  • Cannot natively authenticate users, but can integrate with SSO providers such as Okta, One Identity, and Microsoft Azure.
  • No automatic report generation or risk scoring available.

    5.7 Microsoft – Entra Permissions Management

    Microsoft is a multinational technology company headquartered in Redmond, Washington. Renowned for its software products and services, Microsoft has played a pivotal role in shaping the modern technology landscape.

    Microsoft Entra Permissions Management is part of the Microsoft Entra product family (alongside Microsoft Entra ID, formerly Azure Active Directory; Microsoft Entra ID Governance; Microsoft Entra Privileged Identity Management; and Microsoft Entra Workload ID). It gives granular visibility into every action performed by every identity on every resource across multiple clouds. It provides a metric called the "Permission Creep Index" to measure the unused and excessive permissions granted to an identity.

    By automatically detecting which permissions are unused and risky, it allows enforcement of the principle of least privilege at cloud scale, granting additional permissions on demand when needed. With high-precision, machine-learning-based anomaly detection alerts and detailed forensic reports, customers can use it to continuously monitor their infrastructure for future permission creep.

    The product offers visibility and control over permissions for any identity and any resource within Microsoft Azure, Amazon Web Services (AWS) and Google Cloud Platform (GCP). The number of IaaS platforms supported is highly likely to be expanded as Microsoft develops the platform. It uses a modern dashboard interface to provide admins or IT managers with an easy-to-understand window into the activity of all identities, both human and workloads, across multiple cloud infrastructures.

    A primary capability of an effective CIEM platform is full discovery of and visibility into identities and their permissions across multi-cloud. This informs a key part of the platform, the Permission Creep Index: a qualitative measure of risk derived by comparing an identity's granted permissions against the permissions it actually uses, together with its access to high-risk resources.

    To deploy Microsoft Entra Permissions Management, customers are required to have an Entra ID (formerly Azure AD) account to sign in to. Once established, customers with a Global Admin role can execute Permissions Management on their Microsoft Entra ID tenant, and then onboard AWS, GCP or Azure cloud accounts as needed.

    Once discovery has been completed, Permissions Management can automatically delete permissions that have been unused for more than 90 days, and grant additional permissions on demand for just-in-time access to cloud resources. All such actions can be triggered by a request for access from an identity, and all activities are recorded for analytics purposes. The user experience is the same for any identity type, identity source and cloud. A human identity can also request access on behalf of a workload identity, which is a neat and forward-thinking capability.
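    To make the granted-versus-used comparison and the 90-day unused-permission rule concrete, here is an added example (not Microsoft's Permission Creep Index implementation, and not code from this report): the identities, IAM action names, audit-log records and the doubled weight for unused high-risk actions are all constructed assumptions.

```python
"""Unused-permission analysis of the kind a CIEM tool performs: compare what an
identity is granted with what it actually used in a lookback window, flag the
remainder (high-risk first) and score the "creep". Added example; the data,
action names and scoring weights are constructed and not a vendor's formula."""
from datetime import datetime, timedelta

# Constructed sample data: granted actions per identity (not a real tenant).
GRANTED = {
    "alice": {"s3:GetObject", "s3:PutObject", "s3:DeleteBucket", "iam:CreateUser"},
    "build-runner": {"ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
                     "ec2:TerminateInstances"},
}
# Actions treated as high-risk for this example (assumed list).
HIGH_RISK = {"iam:CreateUser", "s3:DeleteBucket", "ec2:TerminateInstances"}

NOW = datetime(2023, 9, 1)
# Constructed audit-log records: (identity, action, timestamp).
ACTIVITY = [
    ("alice", "s3:GetObject", NOW - timedelta(days=2)),
    ("alice", "s3:PutObject", NOW - timedelta(days=40)),
    ("alice", "iam:CreateUser", NOW - timedelta(days=200)),   # stale use
    ("build-runner", "ecr:BatchGetImage", NOW - timedelta(days=1)),
    ("build-runner", "ecr:GetDownloadUrlForLayer", NOW - timedelta(days=1)),
]


def last_use(activity):
    """Map (identity, action) to the most recent timestamp seen in the log."""
    seen = {}
    for ident, action, when in activity:
        key = (ident, action)
        if key not in seen or when > seen[key]:
            seen[key] = when
    return seen


def analyze(granted, activity, now, lookback_days=90, high_risk=HIGH_RISK):
    """Per identity: granted actions used inside the lookback window, those not
    used (never, or only before the window), and an illustrative 0..100 creep
    score in which an unused high-risk action weighs twice as much."""
    seen = last_use(activity)
    cutoff = now - timedelta(days=lookback_days)
    report = {}
    for ident, actions in granted.items():
        used = {a for a in actions if seen.get((ident, a), datetime.min) >= cutoff}
        unused = actions - used
        weight = lambda acts: sum(2 if a in high_risk else 1 for a in acts)
        total = weight(actions)
        report[ident] = {
            "used": sorted(used),
            "unused": sorted(unused),
            "unused_high_risk": sorted(unused & high_risk),
            "creep_score": round(100 * weight(unused) / total) if total else 0,
        }
    return report


def removal_candidates(report):
    """Permissions a reviewer would look at first: unused ones, high-risk on top."""
    out = [(ident, a, a in r["unused_high_risk"])
           for ident, r in report.items() for a in r["unused"]]
    return sorted(out, key=lambda t: (not t[2], t[0], t[1]))


if __name__ == "__main__":
    result = analyze(GRANTED, ACTIVITY, NOW)
    for ident, r in result.items():
        print(f"{ident}: creep {r['creep_score']}, unused {r['unused']}")
    for ident, action, risky in removal_candidates(result):
        print(f"  remove? {ident} {action}{' [high-risk]' if risky else ''}")
```

    Note that a permission last used before the window (alice's `iam:CreateUser`, 200 days ago) is treated the same as one never used, which is exactly the distinction a 90-day auto-removal rule relies on; the candidates list is what an admin would review before any revocation is applied.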

    Permissions Management offers out-of-the-box forensic reports which are also fully customizable to meet the needs of the reporting channels. Reports can be scheduled or produced on-demand in response to an incident or investigation and distributed by email. Future development will include refinement of the UX and dashboard to mirror that of other Microsoft platforms. More importantly, Microsoft says it will support more IaaS services across the board in the future while support for ITSM such as ServiceNow is already here.

    Ratings
    Security: Strong positive
    Functionality: Strong positive
    Deployment: Positive
    Interoperability: Neutral
    Usability: Positive

    Strengths
  • Simple architecture allows rapid and easy deployment and fast scanning of identities and permissions.
  • Supports the big three IaaS providers with native scanning capability.
  • Strong capability to manage identities and permissions, as well as a rapid access request process for end users.
  • Supports workload and human identities and developer environments such as containers.
  • Free 45-day trial available

    Challenges
  • The platform does not yet support hybrid cloud environments or sovereign clouds
  • Pricing model based on resources may not be attractive to all customers, or easy to map accurately

    Leader in

    5.8 NextLabs – CloudAz

    NextLabs provides data-centric security software to protect business-critical data and applications. It is based in San Mateo, California. NextLabs focuses on managing access to data and data lakes across AWS, Google Cloud, Azure, and other cloud infrastructures along with on-premises and hybrid environments.

    NextLabs' cloud-native products are built on a Kubernetes containerized architecture and support hybrid and multi-cloud deployment models. NextLabs CloudAz is a cloud-based authorization service for dynamic entitlement and access management. It is a centralized platform that enforces access and entitlement policies consistently across the enterprise and beyond.

    The platform is powered by NextLabs' dynamic authorization policy engine (compatible with the eXtensible Access Control Markup Language, XACML), in which entitlement and access rights to an organization's IT infrastructure, applications, data, and other sensitive assets in the cloud and on-premises are granted dynamically in real time via attribute-based access control (ABAC) policies.

    Accessed from a single dashboard, NextLabs CloudAz provides an unusual combination of CIEM along with data governance and data classification features on which to build policies to control access to cloud resources. NextLabs maintains several policy administration, analysis, and audit tools to support the increasing importance of policy governance. Delegated administration and segregation of duties policies can be implemented in ABAC to control access throughout the policy management process, with approval workflows and version control with policy rollback capabilities allowing seamless migration of policies from policy development to the production system.

    Distributed policy engine architecture allows a single CloudAz instance to manage policies that are evaluated in widespread geographic locations, ensuring consistent application of policies across systems while reducing policy management overhead.
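    As an added illustration of how an ABAC policy engine reaches a decision from subject, resource, action and environment attributes (example code written for this section, not NextLabs CloudAz or XACML itself; the attribute names, rules, subjects and resources are constructed), the following uses the XACML deny-overrides combining algorithm and records which rules matched, the kind of trace a policy audit tool needs:

```python
"""Attribute-based access control (ABAC) decision point with an XACML-style
deny-overrides combining algorithm. Added example, not NextLabs CloudAz code;
the attribute names, rules and sample subjects/resources are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Attrs = Dict[str, object]
Condition = Callable[[Attrs, Attrs, str, Attrs], bool]


@dataclass
class Rule:
    name: str
    effect: str           # "Permit" or "Deny"
    condition: Condition  # (subject, resource, action, environment) -> bool


@dataclass
class Policy:
    rules: List[Rule]

    def decide(self, subject: Attrs, resource: Attrs, action: str,
               env: Attrs) -> Tuple[str, List[str]]:
        """Deny-overrides: the first matching Deny ends evaluation; otherwise
        a matching Permit wins; with no match the result is NotApplicable,
        which the enforcement point treats as no access."""
        decision, matched = "NotApplicable", []
        for rule in self.rules:
            if bool(rule.condition(subject, resource, action, env)):
                matched.append(rule.name)
                if rule.effect == "Deny":
                    return "Deny", matched
                decision = "Permit"
        return decision, matched


# Constructed policy. Deny rules are listed first so their reasons are recorded first.
POLICY = Policy([
    Rule("export-control-deny", "Deny",
         lambda s, r, a, e: r.get("export_controlled", False)
         and not s.get("export_cleared", False)),
    Rule("prod-write-needs-change", "Deny",
         lambda s, r, a, e: r.get("env") == "prod"
         and a in {"write", "delete"} and not e.get("approved_change", False)),
    Rule("department-read", "Permit",
         lambda s, r, a, e: a == "read"
         and s.get("department") == r.get("owner_department")),
    Rule("owner-write", "Permit",
         lambda s, r, a, e: s.get("id") == r.get("owner")
         and a in {"read", "write", "delete"}),
])

# Constructed subjects and resources (attributes an IdP or data catalog would supply).
SUBJECTS = {
    "alice": {"id": "alice", "department": "engineering", "export_cleared": True},
    "bob":   {"id": "bob",   "department": "engineering", "export_cleared": False},
    "carol": {"id": "carol", "department": "marketing",   "export_cleared": False},
}
RESOURCES = {
    "design-doc":  {"owner": "alice", "owner_department": "engineering",
                    "env": "dev",  "export_controlled": False},
    "crypto-spec": {"owner": "alice", "owner_department": "engineering",
                    "env": "dev",  "export_controlled": True},
    "prod-bucket": {"owner": "alice", "owner_department": "engineering",
                    "env": "prod", "export_controlled": False},
}


def check(subject_id: str, resource_id: str, action: str,
          env: Attrs = None) -> Tuple[str, List[str]]:
    """Resolve identifiers to attributes and ask the policy for a decision."""
    return POLICY.decide(SUBJECTS[subject_id], RESOURCES[resource_id],
                         action, env or {})


if __name__ == "__main__":
    for who, what, act, env in [("bob", "design-doc", "read", {}),
                                ("bob", "crypto-spec", "read", {}),
                                ("alice", "prod-bucket", "write", {}),
                                ("alice", "prod-bucket", "write",
                                 {"approved_change": True}),
                                ("carol", "design-doc", "read", {})]:
        print(who, act, what, "->", check(who, what, act, env))
```

    The environment attribute (`approved_change`) is what makes the grant dynamic: the same owner is refused a write to a production resource until a change is approved, with no standing permission ever assigned. Treating NotApplicable as no access is the deny-by-default posture a least privilege deployment needs.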

    The product offers native support for Docker, Terraform, OVA / OVF, AMI, Kubernetes on EC2, Azure VM, Google Cloud VM, EKS, AKS, GKE, and OpenShift. The platform is engineered to fit policy to entitlements and access to cloud infrastructure and the data held there. NextLabs also offers a Policy Engine sidecar for microservices access enforcement, to control authorization in a service mesh architecture using centrally managed policy.

    NextLabs can support both structured data and unstructured data payload. Unstructured data support is especially useful for engineering and big data analytics.

    The platform can run on-premises or as SaaS and can access resources running on AWS, Azure, Google Cloud, IBM Cloud, Salesforce, SAP, OpenShift, and VMware cloud infrastructures. There is strong support for container orchestration services including different interpretations of Kubernetes, and modern cloud support also extends to Infrastructure as Code (IaC) and proprietary cloud monitoring services from AWS, GCP, Azure, and other CSPs. There is also support for the SIEM platforms Prometheus and Splunk.

    NextLabs CloudAz integrates with third-party Identity Providers (SAML and OIDC based) such as Azure AD, Google, and Okta for authentication. The Policy Engine within the platform can capture data and logs and send them to a SIEM platform or a lighter logging app. The platform can also discover service accounts and API entitlements.

    Entitlement configuration, permission management, least privilege enforcement, auditing, and alerting can be automated. Alerts are generated for ghost permissions, excess permissions, and excess privileges. This is a solid package with some unique data governance options.

    Ratings
    Security: Strong positive
    Functionality: Positive
    Deployment: Positive
    Interoperability: Positive
    Usability: Positive

    Strengths
  • Comprehensive policy-based cloud management tool which also includes useful data governance tools
  • Can automate Least Privilege enforcement across a cloud infrastructure
  • Zero Trust Architecture with strong support for third-party IdPs
  • Support for Terraform, Kubernetes on EC2 and Azure VM
  • Unique use of containers to segregate and manage access to data
  • Supports proprietary cloud monitoring services from AWS, GCP, Azure and other CSPs
  • NextLabs can support both structured and unstructured data payloads, which is especially useful for engineering and big data services

    Challenges
  • Because CloudAz is CIEM agnostic, supporting any CIEM out of the box, some CIEM analytics and admin capabilities are not included in CloudAz itself
  • Not suitable for those organizations with large numbers of standing privilege accounts
  • ABAC will not suit all buyers, as it is still a relatively new discipline in IAM, although adoption of Zero Trust may change this

    Leader in

    5.9 ObserveID – Platform

    Established in 2020, ObserveID is a young identity and access management company headquartered in Orange County, California. The company offers organizations a comprehensive platform to manage and secure user identities across various clouds and applications.

    ObserveID Platform is offered in two formats: for enterprises with existing IGA/IAM/PAM solutions, by piggybacking on those and increasing functionality through automation of access to the cloud—thereby improving their ROI and operational efficiency; and for greenfield organizations looking for a CIEM solution that includes lightweight PAM and IGA functionality.

    ObserveID is an agentless solution with integration for Azure, AWS, GCP, Oracle and ERP from Oracle. There is currently limited support for containerization, with only Kubernetes, Docker, and Azure AKS on offer. There is some third-party SIEM support, but only for those available through the AWS and Azure marketplaces or via syslog. Not all CIEM products support compliance standards, but ObserveID is able to manage potential violations of NIST, GDPR, and SOC 2.

    The well-designed dashboard provides good insight across IaaS including Cross-Account Access visualization, remediation of over-permissioned identities (user, role, group, and resource) to create least privileged roles, delivery of on-demand and Just-in-Time permissions which are time and resource bound, plus risk scoring and over-privilege discovery for machine and non-machine identities. Like other dashboards, it conceals the proprietary connectors of the three main CSPs and allows insight into usage of cloud by identities with information available in a single window. The dashboard shows real-time information about cloud events, such as what is happening, affected user, and type of event.

    The full range of entitlements can be discovered for all identity types, and there is wide automation of functions including entitlement configuration, provisioning and permission management, scaling of enforcement policies, least privilege enforcement, and alerts for suspicious behavior. Privileged accounts cannot be automatically discovered, however. The platform integrates support for custom policy management including PBAC and RBAC. The user can create a policy and see it appear in real time; some CIEM products still require a manual refresh of policies and do not offer real-time creation. Policies can be applied and customized from the dashboard, or a ticket can be generated.

    Global search is impressive, giving a virtual AWS file structure within ObserveID platform. Finally, onboarding users is easy via the use of prewritten templates.

    Ratings
    Security: Positive
    Functionality: Neutral
    Deployment: Positive
    Interoperability: Positive
    Usability: Positive

    Strengths
  • Useful automation and integration of existing PAM/IGA/IAM tools
  • ObserveID supports hybrid infrastructures—major CSPs along with traditional on-premises infrastructure
  • Access changes can be configured on behavior patterns and risk scores
  • Wide range of entitlement discovery for machine and non-machine identities
  • Given the short time the vendor has been established, a lot has been achieved in terms of functionality

    Challenges
  • The vendor remains new but is gaining traction with customers. One to watch.
  • We look forward to greater DevOps and developer CIEM features to take advantage of cloud native architecture
  • Standing privileged accounts not yet discoverable

    Leader in

    5.10 Palo Alto Networks – Prisma Cloud

    Founded in 2005, Palo Alto Networks is a leading global cybersecurity company with headquarters in Santa Clara, California. Known for its firewall technology, Palo Alto Networks assists organizations in preventing cyberattacks and safeguarding their networks.

    Palo Alto Networks Prisma Cloud offers deployment options based on customer need, either as a SaaS option or as a self-hosted solution. The self-hosted version is suitable for use in air-gapped environments. The wider platform is built around APIs, which lets users configure custom integrations as they wish. The platform uses both agent-based and agentless processes for deployment: agents are required for the workload prevention capabilities, while other capabilities, including CIEM and CSPM, are API-based with no agents needed.

    The platform can monitor and regulate access and activity within the major IaaS providers, including AWS, Azure, GCP, and IBM as well as Alibaba and Oracle. This is backed by strong support for microservices and Infrastructure as Code (IaC) targets across cloud infrastructures.

    While support for cloud infrastructure is broad and deep, what sets this package apart is its logging and monitoring, which reach granularly across several proprietary cloud monitoring tools such as Amazon CloudWatch and Azure DevOps Services, and proven SIEM tools such as Splunk and Prometheus (for monitoring container activity).

    The focus is also on highlighting GRC issues that arise from poorly configured cloud access and entitlement. For example, it can highlight unused permissions and the parameters can be set across organizational or department admins. The dashboard gives a quick view measurement of compliance risk, typical of an excellent UX and single pane of glass. Some compliance standards come out of the box, but customers can create and apply custom policies.

    The platform compiles data from flow logs, configuration logs, and audit logs over an encrypted connection to provide granular telemetry and maintain historical context for incident investigation and forensics. Teams can then use the console or APIs to interact with this data to configure policies, investigate and resolve alerts, set up external integrations, and forward alert notifications.

    An absolute highlight of this platform is its unique (in this Leadership Compass) software governance capability (Software Supply Chain Security) – with a feature that allows bugs or flaws in code to be highlighted (e.g., in Visual Studio) and fixed within the Prisma Cloud platform. That is genuine innovation. Other development processes supported include fixing in GitHub issues directly from the Prisma Cloud dashboard.

    The platform now has a new UX which can track assets across 250 services. Services can be supported via API as CSPs announce them and users need them. Palo Alto Networks Prisma Cloud is taking support for developers a little further than most with the capability to clean up different versions of the same code held in different places in the cloud – so-called code drift. Done directly in the cloud, it allows developers to fix their own risks. Such capabilities are to be developed further down the line, along with native access to Palo Alto from ChatOps tools including Slack. With JIT now fully supported as standard, Palo Alto Networks is shaping this product well to compete in this space.

    Ratings
    Security: Strong positive
    Functionality: Positive
    Deployment: Positive
    Interoperability: Positive
    Usability: Positive

    Strengths
  • Unique software governance capability (Software Supply Chain Security) – allows bugs or flaws in code to be highlighted and fixed within the Prisma Cloud platform.
  • Logging and monitoring that reach granularly across several proprietary cloud monitoring tools such as Amazon CloudWatch
  • Highlights GRC issues that arise from badly configured cloud access and entitlement
  • Neat dashboards with some consumer-like touches to check compliance
  • Compliance standards come out of the box, but customers can create and apply custom policies too

    Challenges
  • No PAM-based capabilities, but this may not matter if it can integrate with third parties in future
  • We would like to see more governance and compliance support in addition to what is available
  • Purchasing Prisma Cloud for CIEM only may be overkill, but it is a powerful cloud management package

    Leader in

    5.11 SailPoint – Cloud Infrastructure Entitlement Management

    Established in 2005, SailPoint is a prominent provider of identity governance solutions, with its headquarters located in Austin, Texas. SailPoint's platform helps organizations manage user identities, enforce security policies, and streamline access controls across complex IT environments.

    Due to the extensive support for IaaS and deeper cloud architectures that SailPoint IGA solutions already provide, SailPoint Cloud Infrastructure Entitlement Management is compatible with Tier 1 and Tier 2 CSPs. Support for container-based deployments is less robust (Kubernetes, Docker, Google GKE, HashiCorp Nomad, Amazon EKS, and Azure AKS), making this more suitable for managing identity entitlements for end users and less so for machines, particularly in DevOps environments. The proprietary entitlement and identity protocols of the three main CSPs are supported natively.

    On the other hand, the level of support for entitlement discovery is good, and includes machine identities, service accounts, APIs, and RPA workflows. Support for SIEM is a major strength with 9 mainstream third-party applications supported—which would be expected from SailPoint but does add an extra layer of useful functionality to the platform. All SailPoint solutions provide support for Azure AD and Okta federation tools and wide support for well-known PAM platforms—making this potentially integrate well with legacy IAM applications among customers.

    SailPoint Cloud Infrastructure Entitlement Management visibility includes insight into over-permissioned identities (user, role, group, and resource) to create least privileged roles/policies, privileged account discovery, over-privileged discovery, usage behavior analytics, and cross account access visualization plus reporting available out of the box.

    The capabilities found in the newly announced Activity Insights (which were formerly part of the SaaS Management offering) put it quite close to the leaders in CIEM. This can shine a light on shadow IT usage in SaaS, access risk, open SaaS visibility, and improve control efficiency.

    The dashboard simplifies access visibility with an interactive graphical map of access, from identities to entitlements to resources. It can identify excess privileges and right-size access by finding unused and sensitive entitlements scattered across the multi-cloud environment. SailPoint continues to integrate with PAM providers and SailPoint will invest more into adding PAM type capability into areas such as SCIM, an area in which it has expertise.

    SailPoint Cloud Infrastructure Entitlement Management is no longer an add-on tool but is fully integrated into the SailPoint platform, available via a tab on the SailPoint dashboard. The company promises better support for non-human identities in future, along with a move away from static roles and into policy-based controls.

    Ratings
    Security: Strong positive
    Functionality: Positive
    Deployment: Neutral
    Interoperability: Positive
    Usability: Positive

    Strengths
  • Strong support for entitlement discovery and privileged accounts
  • IGA heritage plays well here, as would be expected
  • Investment in data governance is also much improved
  • Fine dashboard with graphical displays of risk and access data
  • Solid support for Tier 1 and Tier 2 CSPs and mainstream orchestration platforms
  • SaaS monitoring capabilities close to the best of CIEM-specific platforms
  • Useful for identifying unused cloud entitlements

    Challenges
  • Strong on identifying human identity activity, less so for machines
  • SailPoint has an opportunity to meld its IGA and PAM experience into a leading CIEM/Identity Security platform
  • We look forward to the adoption of ABAC for major Cloud providers

    Leader in

    5.12 Senhasegura – Cloud Entitlements

    Senhasegura is a cybersecurity company specializing in privileged access management solutions. The company is headquartered in Brazil. Senhasegura’s comprehensive platform helps organizations protect critical assets by managing and securing privileged accounts, preventing unauthorized access and potential security breaches.

    Senhasegura Cloud Entitlements module is designed to manage, monitor, and log all access across multi-IaaS clouds in use by the customer. The module is designed to manage compliance as well as access risks. Senhasegura Cloud Entitlements can expose unused privileges assigned to machine and non-machine identities. The tool is compatible with proprietary IAM tools and credentials generated by CSPs and creates a proxy connection for identities to clouds, thus hiding those IAM tools from end users.

    Credentials and service accounts for end users and applications are delivered just-in-time for the multiple CSPs that Senhasegura supports (including smaller cloud technologies such as Rackspace and OVH). Senhasegura applies the same protocols and workflows for access to cloud resources within Cloud Entitlements that it has established for its more traditional PAM capabilities—including the design and capabilities of the common dashboard that can be used to administer Cloud Entitlements.

    Within the dashboard, admins can set IAM security requirements according to the CSPs' best-practice guides and create an Identity Entitlement Map—a graphical representation of the relationship between an identity, its permissions and the service. It offers Dynamic Privilege Resizing, which right-sizes privilege for machine and non-machine identities according to the services they really use. Permissions not used in a set time period will be automatically removed.

    The dashboard allows discovery and onboarding of cloud accounts and for entitlements to be set—such as read only access. There are several automation capabilities built into Senhasegura Cloud Entitlements, but it still lags some competitors in terms of features such as entitlement and permission management and auto-scaling of entitlement policy.

    There are several OOB security policies built in, and users can create their own security policies on top, which is great for smaller organizations. Recommendations and guided remediation are also available.

    The refreshed interface offers drill down by providers, access recommendations and account and identity types.

    Ratings
  • Security: Positive
  • Functionality: Positive
  • Deployment: Positive
  • Interoperability: Positive
  • Usability: Positive

    Strengths
  • Strong support for container technologies and all major cloud services with Tier 2 supported
  • Good integration with well-known SIEM platforms
  • Human and machine entitlement discovery with useful automation tools for remediation
  • Vendor has taken on board the importance of compliance issues in the cloud

    Challenges
  • Needs better integration with CI/CD tools but GitHub integration is welcome
  • Some promised CIEM features have failed to materialize—in Kubernetes and DevOps support for example
  • Senhasegura is proving itself an innovative and agile vendor, but still needs to push harder into new markets

    5.13 SSH – PrivX

    SSH Communications Security (SSH) is a cybersecurity company specializing in securing communications between people, applications, networks, and systems, including privileged access and credentials management. With a history dating back to 1995, SSH is headquartered in Helsinki, Finland.

    With PrivX, users log into a clean-looking browser-based interface via SSO, can see which resources they can access based on their current role, and click through accordingly. Access rights are automatically updated as roles change in AD, LDAP, or OpenID directories, or in IAM systems that work with PrivX, including Okta, ForgeRock, Ubisecure, and OneLogin.

    While the core product is deliberately lean, it integrates with third parties to add functionality for SIEM systems and HSMs. There is support for session recording and compliance, and recordings are encrypted. All SSH/RDP/HTTPS/VNC sessions are audited and logged and can be used for forensics or training purposes. Native database connections are now supported as well. Initial, NIST-compatible implementations of post-quantum cryptography are also in place.

    PrivX also offers accountability of user activities even if admins are using shared accounts, since PrivX associates a user ID with every session. Other important areas of functionality covered include SAPM, AAPM, PADLM, PUBA, and CPEDM, but traditional endpoint privilege management is missing here. Instead, SSH promotes an HTML5 thin-client approach, which reduces the need for endpoint security. SSH has introduced a new device-trust-based authenticator to enhance authentication based on device security and continuous monitoring (continuous authentication).

    PrivX is by its nature ideal for DevOps teams looking for privileged access with ephemeral certificate delivery at its core. Accounts are not accessible by any other means as there are no credentials available. Additionally, there is no need to make run-time changes in target hosts (immutable infrastructure). PrivX also supports integrations and plug-ins for different DevOps CI/CD pipelines and role-based access controls for container orchestration platforms.

    PrivX can be deployed in container environments orchestrated by Kubernetes and is available as Infrastructure as Code (IaC) on AWS for fast deployment, natively taking advantage of the elements of cloud environments (scalability, backups, etc.). The SSH Key Manager can discover the keys in your organization, allow admins to remove keys, and shift to SSH ephemeral access. Account discovery and onboarding are part of the solution.

    This is a highly scalable, highly compatible credential management system which already serves DevOps cloud users coming in from remote locations well. Extending this architecture across Tier 1 and Tier 2 CSPs, CI/CD, and machine and non-machine entitlements is a natural and welcome move. It is more than ready to take the next step to full CIEM capability for access management across all types of cloud.

    SSH offers Secure Information Storage (a vault) for customers that want it. Secrets are stored as JSON-formatted data, and users get access to secrets based on their role. With the HTTP(S) Web Gateway it is possible to manage access to critical web resources (browser isolation), including admin consoles of network devices, admin portals of a company's SaaS services such as Salesforce or Twitter, and internal web tools.

    PrivX can also operate as an identity provider towards client web applications using Open ID Connect. The authentication event can also be chained to various upstream identity providers enabling PrivX to act as a single authentication point for all applications.

    Ratings
  • Security: Positive
  • Functionality: Positive
  • Deployment: Positive
  • Interoperability: Positive
  • Usability: Positive

    Strengths
  • Full range of IaaS providers supported
  • Well-featured dashboard that is easy to navigate
  • Lean footprint and rapid access make it ideal for DevOps and other agile environments
  • Reduces a major level of vulnerability by eliminating static passwords and vaults
  • Eliminates the risk of redundant credentials being stolen or misused

    Challenges
  • Needs support for containerization platforms beyond Kubernetes and Docker, as the core code of PrivX is ideal for lean cloud environments
  • The promised support for more DevOps tools such as Jenkins should come ASAP
  • Not a full CIEM solution yet; SSH may consider adding more management capabilities

    Leader in

    5.14 Tenable – Cloud Security (formerly Ermetic)

    Tenable acquired Ermetic in 2023. The company develops solutions to help enforce least privilege policies, prevent data breaches, and maintain compliance in multi-cloud environments.

    Tenable Cloud Security platform is deployed as SaaS and can onboard cloud accounts for analysis. It supports the three major IaaS providers. It can list cloud resources and infrastructure using cloud proprietary terminology—for example it will list EC2 instances under AWS (an instance is a virtual server with different capacities and functions within the AWS universe). Such AWS instances are labelled as Public or Privileged and the associated identities with each type of access are further listed. There is also access to AWS S3 buckets to see who or what has access.

    The platform delivers capabilities which include CIEM and CSPM, but also native combination toolkits such as Kubernetes Security Posture Management (KSPM) and Cloud Native Application Protection Platform (CNAPP). This is a 100% cloud-native, cloud-focused platform, distributed as SaaS.

    Like most in this Leadership Compass, Tenable Cloud Security uses a dashboard at the center, but it is enhanced visually and functionally by using widgets. These include the Compliance Widget and the Toxic Combinations Widget. This is effective in contextualizing risk in a short space of time.

    The dashboard is color coded for users and admins/approvers, red and blue. Strong native support is exemplified by a process that allows policies to be modified and created in AWS native script direct from the Ermetic dashboard.

    There is good support for different types of privileged access to cloud infrastructure, both time-managed access and approval-based access, with multiple approval layers available.

    The platform can expose a full asset inventory across regions, accounts, and divisions for AWS/Azure/GCP—ideal for multi-cloud environments. It provides granular, contextual visibility into all identities, configurations, permissions, and activities. It also displays publicly exposed (internet facing) resources.

    A useful tool also displays the potential attack chain that attackers might use laterally if they were to hijack an identity with access to Private and Public Privileged Access. In this way Tenable Cloud Security serves as an excellent discovery tool for exposing cloud access entitlements given to identities. This also allows right sizing to be adjusted for roles and identities in the different cloud services available.

    Another key capability is exposure of over-permissioned identities—increasingly a problem in multi-cloud environments where machine and non-machine identities are granted privileged access on an ad hoc basis. The platform is fully compatible with Okta and other major IdP platforms.

    One of the strengths of this platform is its ability to go beyond the limited granularity cloud management of the major cloud providers, and to overcome the incompatible methods used for IAM in each Cloud Service.

    A cloud discovery tool is of little use unless you can do something about over-privilege and authentication errors, so Tenable Cloud Security can read, write, and remove permissions. This can fix over-privilege and over-sharing of resources—all controlled from the IAM tab in the dashboard. Remediation is possible in the Findings tab and can be based on the organization's specific security policies.

    Machine identities can be onboarded and set as Least Privilege before entering any production environment. This is a platform with huge promise and worth investigating for specific CIEM solutions in small and large organizations – and a good acquisition for Tenable.
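    The two capabilities that recur across these product descriptions—Senhasegura's Dynamic Privilege Resizing, which removes permissions not used within a set period, and Tenable Cloud Security's exposure of over-permissioned identities—rest on the same underlying computation: compare what an identity is granted against what it has actually exercised in the activity log. The following Python is an added illustration of that computation and is not code from either product or from KuppingerCole; every identity, policy and log record in it is constructed sample data, the log records are shaped like AWS CloudTrail events (only the eventTime, eventSource, eventName and userIdentity fields are used), and the function names are this example's own.

```python
"""Right-size cloud identity permissions from activity logs (added example).

Models the CIEM pattern of keeping only permissions exercised within a time
window and flagging the rest. Identities, policies and log lines are all
constructed sample data; function names are this example's own, not any
vendor's API.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: permissions granted to each identity, in "service:Action" form.
GRANTED = {
    "svc-build-runner": {
        "s3:GetObject", "s3:PutObject", "s3:DeleteBucket",
        "ec2:TerminateInstances", "iam:PassRole",
    },
    "alice": {"s3:GetObject", "ec2:DescribeInstances", "iam:CreateUser"},
}

# Constructed sample: CloudTrail-shaped JSON records, one per line, fields trimmed
# to those this script reads. Timestamps are deliberately spread around the window.
SAMPLE_LOG = [
    '{"eventTime": "2024-05-01T10:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "userIdentity": {"userName": "svc-build-runner"}}',
    '{"eventTime": "2024-05-20T11:30:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject", "userIdentity": {"userName": "svc-build-runner"}}',
    '{"eventTime": "2024-01-15T09:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "PassRole", "userIdentity": {"userName": "svc-build-runner"}}',
    '{"eventTime": "2024-05-28T08:15:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "userIdentity": {"userName": "alice"}}',
    '{"eventTime": "2024-05-29T08:15:00Z", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity", "userIdentity": {"userName": "alice"}}',
]

# Fixed "now" so the run is reproducible; a real job would use the current time.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def action_from_record(rec):
    """Map a CloudTrail-style record to the IAM action string it exercised."""
    service = rec["eventSource"].split(".", 1)[0]
    return f"{service}:{rec['eventName']}"


def last_used(log_lines):
    """Return {identity: {action: most recent use}} from JSON log lines."""
    seen = {}
    for line in log_lines:
        rec = json.loads(line)
        ident = rec["userIdentity"]["userName"]
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        when = when.replace(tzinfo=timezone.utc)
        action = action_from_record(rec)
        prev = seen.setdefault(ident, {}).get(action)
        if prev is None or when > prev:
            seen[ident][action] = when
    return seen


def right_size(granted, usage, now, window_days=30):
    """Split each identity's granted permissions into keep / remove.

    A permission is kept only if it was exercised inside the window. Stale
    (used, but too long ago) and never-used permissions are both proposed for
    removal but reported separately, since a stale permission may still be a
    legitimate infrequent task (quarterly rotation, disaster recovery) that an
    approver should review rather than auto-remove. Actions exercised without a
    matching grant here (e.g. allowed via another policy) are surfaced too.
    """
    cutoff = now - timedelta(days=window_days)
    report = {}
    for ident, perms in granted.items():
        used = usage.get(ident, {})
        keep = {p for p in perms if p in used and used[p] >= cutoff}
        stale = {p for p in perms if p in used and used[p] < cutoff}
        never = perms - used.keys()
        report[ident] = {
            "keep": keep,
            "remove": stale | never,
            "stale": stale,
            "never_used": never,
            "used_but_not_granted": set(used) - perms,
        }
    return report


def over_permission_ratio(report):
    """Share of each identity's grants proposed for removal (1.0 = nothing used)."""
    ratios = {}
    for ident, r in report.items():
        total = len(r["keep"]) + len(r["remove"])
        ratios[ident] = len(r["remove"]) / total if total else 0.0
    return ratios


if __name__ == "__main__":
    rep = right_size(GRANTED, last_used(SAMPLE_LOG), NOW)
    for ident, r in rep.items():
        print(ident, "keep:", sorted(r["keep"]), "remove:", sorted(r["remove"]),
              "unexpected use:", sorted(r["used_but_not_granted"]))
    print(over_permission_ratio(rep))
```

    With a 30-day window the constructed build runner keeps only s3:PutObject; s3:GetObject and iam:PassRole are stale, and the destructive s3:DeleteBucket and ec2:TerminateInstances were never exercised at all, which is exactly the kind of grant a CIEM tool should surface first. The script only proposes removals; applying them is a separate, approved step in the products described above, and the stale versus never-used split exists so that reviewers can treat the two differently.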

    Ratings
  • Security: Positive
  • Functionality: Positive
  • Deployment: Positive
  • Interoperability: Positive
  • Usability: Positive

    Strengths
  • Does a good job at the critical task of managing cloud access and entitlements.
  • Does well in supporting DevOps and developer needs in the cloud.
  • Simple to deploy, set up and use—makes good use of the latest trends in dashboard and UX design. Tab-based navigation is a plus.
  • Allows managers and admins to rectify over-privilege and cloud entitlements.
  • Will appeal to those departments looking for segmented solutions to specific tasks.
  • Should benefit from the Tenable acquisition.

    Challenges
  • Should support more than just the three main Cloud Service Providers.
  • While supporting elements of PAM for cloud access, it cannot compete with major PAM providers.
  • The platform may find it harder to compete if bigger players add similar functionality, but it does have that superb lean cloud-native architecture on its side.

    6 Vendors to Watch

    Besides the vendors covered in detail in this document, we observe some other vendors in the market that readers should be aware of. These vendors do not fully fit the market definition but offer a significant contribution to the market space. This may be for their supportive capabilities to the solutions reviewed in this document, for their unique methods of addressing the challenges of this segment or could be a fast-growing startup that may be a strong competitor in the future.

    6.1 Lacework

    Lacework is a cybersecurity company that specializes in cloud security and threat detection. The company's platform leverages machine learning and automation to identify security threats and anomalies within cloud environments, such as AWS, Azure, and Google Cloud Platform.

    Why worth watching: Lacework offers automated response capabilities to mitigate security incidents quickly, based 100% on data analysis algorithms. This may include automated alerting, isolation of compromised resources, or other predefined actions.

    6.2 Sonrai

    Sonrai is a cybersecurity company that specializes in cloud security and identity governance. The company offers a platform that enables organizations to gain visibility and control over their cloud environments, identifying and mitigating risks associated with data access and security.

    Why worth watching: Sonrai focuses on data access management in the cloud and can identify the types of data being accessed.

    6.3 Sectona

    Sectona is a PAM vendor based in Mumbai, India with a regional office in Dubai, United Arab Emirates. Sectona also has regional offices in Europe, Southeast Asia, and Africa. Sectona Security Platform is focused on PAM for cloud environments and offers continuous discovery of privileged accounts with JIT access.

    Why worth watching: Sectona is planning to release a lightweight CIEM in the next 12 months. This should be promising given the cloud-native nature of the existing PAM components and capabilities. The full CIEM piece is 8-9 months away according to Sectona.

    6.4 Wiz

    Wiz is a cybersecurity company that focuses on cloud security and risk management. Founded in 2020, Wiz is headquartered in Palo Alto, California. The company provides a unique cloud-native security platform that helps organizations identify and address potential risks and vulnerabilities in their cloud infrastructure.

    Why worth watching: Wiz offers comprehensive visibility, continuous monitoring, and automated remediation capabilities, enabling businesses to protect their data and applications across various cloud environments.

    7 Related Research

    Leadership Compass: Access Management
    Advisory Note: Cybersecurity Resilience with Generative AI
    Leadership Compass: Software Supply Chain Security
    Leadership Compass: Cloud Security Posture Management
    Leadership Compass: Unified Endpoint Management
    Leadership Compass: Access Governance

    8 Methodology

    8.1 About KuppingerCole's Leadership Compass

    KuppingerCole Leadership Compass is a tool which provides an overview of a particular IT market segment and identifies the leaders within that market segment. It is the compass which assists you in identifying the vendors and products/services in that market which you should consider for product decisions. It should be noted that it is inadequate to pick vendors based only on the information provided within this report.

    Customers must always define their specific requirements and analyze in greater detail what they need. This report doesn’t provide any recommendations for picking a vendor for a specific customer scenario. This can be done only based on a more thorough and comprehensive analysis of customer requirements and a more detailed mapping of these requirements to product features, i.e. a complete assessment.

    8.2 Types of Leadership

    We look at four types of leaders:

    • Product Leaders: Product Leaders identify the leading-edge products in the particular market. These products deliver most of the capabilities we expect from products in that market segment. They are mature.
    • Market Leaders: Market Leaders are vendors which have a large, global customer base and a strong partner network to support their customers. A lack in global presence or breadth of partners can prevent a vendor from becoming a Market Leader.
    • Innovation Leaders: Innovation Leaders are those vendors which are driving innovation in the market segment. They provide several of the most innovative and upcoming features we hope to see in the market segment.
    • Overall Leaders: Overall Leaders are identified based on a combined rating, looking at the strength of products, the market presence, and the innovation of vendors. Overall Leaders might have slight weaknesses in some areas, but they become Overall Leaders by being above average in all areas.

    For every area, we distinguish between three levels of products:

    • Leaders: This identifies the Leaders as defined above. Leaders are products which are exceptionally strong in certain areas.
    • Challengers: This level identifies products which are not yet Leaders but have specific strengths which might make them Leaders. Typically, these products are also mature and might be leading-edge when looking at specific use cases and customer requirements.
    • Followers: This group contains vendors whose products lag in some areas, such as having a limited feature set or only a regional presence. The best of these products might have specific strengths, making them a good or even best choice for specific use cases and customer requirements but are of limited value in other situations.

    Our rating is based on a broad range of input and long experience in that market segment. Input consists of experience from KuppingerCole advisory projects, feedback from customers using the products, product documentation, and a questionnaire sent out before creating the KuppingerCole Leadership Compass, and other sources.

    8.3 Product Rating

    KuppingerCole Analysts AG as an analyst company regularly evaluates products/services and vendors. The results are, among other types of publications and services, published in the KuppingerCole Leadership Compass Reports, KuppingerCole Executive Views, KuppingerCole Product Reports, and KuppingerCole Vendor Reports. KuppingerCole uses a standardized rating to provide a quick overview on our perception of the products or vendors. Providing a quick overview of the KuppingerCole rating of products requires an approach combining clarity, accuracy, and completeness of information at a glance.

    KuppingerCole uses the following categories to rate products:

    • Security
    • Functionality
    • Deployment
    • Interoperability
    • Usability

    Security is primarily a measure of the degree of security within the product/service. This is a key requirement. We look for evidence of a well-defined approach to internal security as well as capabilities to enable its secure use by the customer, including authentication measures, access controls, and use of encryption. The rating includes our assessment of security vulnerabilities, the way the vendor deals with them, and some selected security features of the product/service.

    Functionality is a measure of three factors: what the vendor promises to deliver, the state of the art and what KuppingerCole expects vendors to deliver to meet customer requirements. To score well there must be evidence that the product / service delivers on all of these.

    Deployment is measured by how easy or difficult it is to deploy and operate the product or service. This considers the degree in which the vendor has integrated the relevant individual technologies or products. It also looks at what is needed to deploy, operate, manage, and discontinue the product / service.

    Interoperability refers to the ability of the product / service to work with other vendors’ products, standards, or technologies. It considers the extent to which the product / service supports industry standards as well as widely deployed technologies. We also expect the product to support programmatic access through a well-documented and secure set of APIs.

    Usability is a measure of how easy the product / service is to use and to administer. We look for user interfaces that are logical and intuitive as well as a high degree of consistency across user interfaces across the different products / services from the vendor.

    We focus on security, functionality, ease of delivery, interoperability, and usability for the following key reasons:

    • Increased People Participation: Human participation in systems at any level is the highest area of cost and the highest potential for failure of IT projects.
    • Lack of excellence in Security, Functionality, Ease of Delivery, Interoperability, and Usability results in the need for increased human participation in the deployment and maintenance of IT services.
    • Increased need for manual intervention and lack of Security, Functionality, Ease of Delivery, Interoperability, and Usability not only significantly increase costs, but inevitably lead to mistakes that can create opportunities for attack to succeed and services to fail.

    KuppingerCole's evaluation of products / services from a given vendor considers the degree of product Security, Functionality, Ease of Delivery, Interoperability, and Usability, which we consider to be of the highest importance. This is because a lack of excellence in any of these areas can result in weak, costly and ineffective IT infrastructure.

    8.4 Vendor Rating

    We also rate vendors on the following characteristics:

    • Innovativeness
    • Market position
    • Financial strength
    • Ecosystem

    Innovativeness is measured as the capability to add technical capabilities in a direction which aligns with the KuppingerCole understanding of the market segment(s). Innovation has no value by itself but needs to provide clear benefits to the customer. However, being innovative is an important factor for trust in vendors, because innovative vendors are more likely to remain leading-edge. Vendors must support technical standardization initiatives. Driving innovation without standardization frequently leads to lock-in scenarios. Thus, active participation in standardization initiatives adds to the positive rating of innovativeness.

    Market position measures the position the vendor has in the market or the relevant market segments. This is an average rating over all markets in which a vendor is active. Therefore, being weak in one segment doesn’t lead to a very low overall rating. This factor considers the vendor’s presence in major markets.

    Financial strength is an important factor for customers when making decisions, even while KuppingerCole doesn't consider size to be a value by itself. In general, publicly available financial information is an important factor therein. Companies which are venture-financed are in general more likely to either fold or become an acquisition target, which presents risks to customers considering implementing their products.

    Ecosystem is a measure of the support network vendors have in terms of resellers, system integrators, and knowledgeable consultants. It focuses mainly on the partner base of a vendor and the approach the vendor takes to act as a “good citizen” in heterogeneous IT environments.

    Again, please note that in KuppingerCole Leadership Compass documents, most of these ratings apply to the specific product and market segment covered in the analysis, not to the overall rating of the vendor.

    8.5 Rating Scale for Products and Vendors

    For vendors and product feature areas, we use a separate rating with five different levels, beyond the Leadership rating in the various categories. These levels are:

    • Strong positive: Outstanding support for the subject area, e.g. product functionality, or outstanding position of the company for financial stability.
    • Positive: Strong support for a feature area or strong position of the company, but with some minor gaps or shortcomings. Using Security as an example, this can indicate some gaps in fine-grained access controls of administrative entitlements. For market reach, it can indicate the global reach of a partner network, but a rather small number of partners.
    • Neutral: Acceptable support for feature areas or acceptable position of the company, but with several requirements we set for these areas not being met. Using functionality as an example, this can indicate that some of the major feature areas we are looking for aren’t met, while others are well served. For Market Position, it could indicate a regional-only presence.
    • Weak: Below-average capabilities in the product ratings or significant challenges in the company ratings, such as very small partner ecosystem.
    • Critical: Major weaknesses in various areas. This rating most commonly applies to company ratings for market position or financial strength, indicating that vendors are very small and have a very low number of customers.

    8.6 Inclusion and Exclusion of Vendors

    KuppingerCole tries to include all vendors within a specific market segment in their Leadership Compass documents. The scope of the document is global coverage, including vendors which are only active in regional markets such as Germany, Russia, or the US.

    However, there might be vendors which don’t appear in a Leadership Compass document due to various reasons:

    • Limited market visibility: There might be vendors and products which are not on our radar yet, despite our continuous market research and work with advisory customers. This usually is a clear indicator of a lack in Market Leadership.
    • Declined to participate: Vendors might decide to not participate in our evaluation and refuse to become part of the Leadership Compass document. KuppingerCole tends to include their products anyway if sufficient information for evaluation is available, thus providing a comprehensive overview of leaders in the market segment.
    • Lack of information supply: Products of vendors which don’t provide the information we have requested for the Leadership Compass document will not appear in the document unless we have access to sufficient information from other sources.
    • Borderline classification: Some products might have only small overlap with the market segment we are analyzing. In these cases, we might decide not to include the product in that KuppingerCole Leadership Compass.

    The target is providing a comprehensive view of the products in a market segment. KuppingerCole will provide regular updates on their Leadership Compass documents.

    We provide a quick overview about vendors not covered and their offerings in chapter Vendors and Market Segments to watch. In that chapter, we also look at some other interesting offerings around the market and in related market segments.

    9 Copyright

    © 2024 KuppingerCole Analysts AG, all rights reserved. Reproduction and distribution of this publication in any form is forbidden without prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole's initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaims all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole does not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks ™ or registered trademarks ® of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

    KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

    KuppingerCole Analysts AG, founded in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and making better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

    For further information, please contact clients@kuppingercole.com.