Leadership Compass

Privileged Access Management

Privileged Access Management (PAM), over the last few years, has evolved into a set of crucial technologies that address some of the most urgent areas of cybersecurity today. Continuing its growth trajectory, the PAM market has entered a phase of consolidation characterized by increased price competition and an intensified battle for market share. This Leadership Compass provides a detailed analysis of the PAM market and its key players to help security and IAM leaders find the product(s) that best fit their cybersecurity needs.

Anmol Singh

asi@kuppingercole.com

1 Introduction

The KuppingerCole Leadership Compass provides an overview of vendors and their product or service offerings in a certain market segment. This Leadership Compass focuses on the market segment of on-premises or cloud-delivered Privileged Access Management. PAM has emerged as one of the most crucial IAM technologies, with direct relevance to and impact on an organization’s cybersecurity program.

1.1 Market Segment

In the age of digital transformation, not only the requirements for IT, but also the way IT is done, are constantly evolving. To remain relevant, organizations must reinvent themselves by being agile and more innovative. Emerging technology initiatives such as digital workplace, DevOps, security automation and the Internet of Things continue to expand the attack surface of organizations as well as introduce new digital risks. To stay competitive and compliant, organizations must actively seek newer ways of assessing and managing the security risks without disrupting the business. Security leaders, therefore, have an urgent need to constantly improve upon the security posture of the organization by identifying and implementing appropriate controls to prevent such threats.

Privileged Access Management (PAM), over the past few years, has become one of the most relevant areas of cybersecurity associated with IAM (Identity and Access Management). It deals with identifying, securing and managing privileged credentials and the resulting access across an organization’s IT environment. Once considered a technology option for optimizing administrative efficiency by managing passwords and other secrets, PAM has evolved into a set of crucial technologies for preventing security breaches and credential theft. PAM today concerns Security and Risk Management leaders as well as Infrastructure and Operations (I&O) leaders across industries, for several security and operational benefits.

Privileged Access Management represents the set of critical cybersecurity controls that address the security risks associated with privileged users and privileged access in an organization. There are primarily two types of privileged users:

  1. Privileged Business Users – those who have access to sensitive data and information assets such as HR records, payroll details, financial information, company’s intellectual property, etc. This type of access is typically assigned to the application users through business roles using the application accounts.
  2. Privileged IT Users – those who have access to IT infrastructure supporting the business. Such access is generally granted to IT administrators through administrative roles using system accounts, software accounts or operational accounts.

The privileged nature of these accounts provides their users with unrestricted and often unmonitored access across the organization’s IT assets, which not only violates basic security principles such as least privilege but also severely limits the ability to establish individual accountability for privileged activities. Privileged accounts pose a significant threat to the overall security posture of an organization because of their heightened level of access to sensitive data and critical operations. Security leaders therefore need to place stronger emphasis on identifying and managing these accounts to prevent the security risks emanating from their misuse.

Available Identity and Access Management (IAM) tools are purposely designed to deal with management of standard users’ identity and access, and do not offer the capabilities to manage privileged access scenarios such as managing access to shared accounts, monitoring of privileged activities and controlled elevation of access privileges. Privileged Access Management tools are designed to address these scenarios by offering specialized techniques and process controls, thereby significantly enhancing the protection of an organization’s digital assets by preventing misuse of privileged access.

While credential vaulting, password rotation, controlled elevation and delegation remain the focus of attention for PAM tools, more advanced capabilities such as privileged user analytics, risk-based session monitoring and advanced threat protection are becoming the new norm. With the attack surface expanding and the number and sophistication of attacks increasing every year, an integrated and more comprehensive PAM solution is required – one that can automatically detect unusual behavior and initiate automated mitigations. A successful attack can be conducted in minutes; therefore, a PAM solution must be capable of thwarting such an attack without human intervention. And although we see more comprehensive PAM suites and solutions being offered, vendors are taking different approaches to solve the underlying problem of restricting, monitoring, and analyzing privileged access and the use of shared accounts.

Among the key challenges that drive the need for managing privileged access are:

  • Abuse of shared credentials
  • Abuse of elevated privileges by authorized users
  • Hijacking of privileged credentials by cyber-criminals
  • Abuse of privileges on third-party systems, and
  • Accidental misuse of elevated privileges by users

Furthermore, there are several other operational, governance and regulatory requirements associated with privileged access:

  • Discovery of shared accounts, software and service accounts across the IT infrastructure
  • Identification and continuous tracking of ownership of privileged accounts throughout their life-cycle
  • Establishing and managing privileged sessions to target systems for enhanced operational efficiency of administrators
  • Auditing, recording and monitoring of privileged activities for regulatory compliance
  • Managing and monitoring administrative access of IT outsourcing vendors and MSPs to internal IT systems, and
  • Managing and monitoring privileged access of business users and IT administrators to cloud infrastructure and applications

Consequently, multiple technologies and solutions have been developed to address these risks, as well as provide better activity monitoring and threat detection.

1.2 Required Capabilities

In this Leadership Compass, we focus on solutions that help organizations reduce the risks associated with privileged access, through individual or shared accounts across on-premises and cloud infrastructure. The tools and technologies used for managing privileged access have been marketed under various terms used by vendors – Privileged Account Management, Privileged Identity Management, Privileged User Management and Least Privilege to name a few. While we referred to this market as PxM in the past, we decided to rename it as ‘Privileged Access Management’ or ‘PAM’ to reflect on the ‘access management’ aspect that primarily focuses on managing privileged access of users and IT administrators through individual or shared accounts and other privilege delegation and elevation mechanisms.

At KuppingerCole, we classify the Privileged Access Management (PAM) market into the following key technology functions, with PAM vendors providing varying levels of support for multiple PAM functions:

Shared Account Password Management (SAPM): Shared Account Password Management offers technology to securely manage privileged credentials including system accounts, service accounts or application accounts that are generally shared in nature. At the core of SAPM products is an encrypted and hardened password vault for storing passwords, keys and other privileged credentials for a controlled, audited and policy-driven release and update. These products support periodic, scheduled or event-driven randomization of passwords and other credentials as the fundamental requirement.

Privileged Session Management (PSM): Privileged Session Management offers the technology to establish a privileged session to target systems including basic auditing and monitoring of privileged activities. PSM tools also offer authentication, authorization and Single Sign-On (SSO) to the target systems.

Application-to-Application Password Management (AAPM): AAPM is an extension of SAPM tools to manage accounts used by applications or systems to communicate with other applications or systems (such as databases). This includes service accounts used to execute certain functions or trigger processes with the privileges necessary for successful execution. AAPM tools eliminate hard-coded credentials in application code, scripts and other configuration files by offering a mechanism (generally APIs) to make credentials securely available when requested.
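
To make the AAPM mechanism concrete, here is an added Python example (not from the report or from any vendor product) that scans a configuration file for clear-text credentials and shows the replacement pattern: the file keeps only a vault reference and the application fetches the secret at request time through a vault API. The `${vault:path}` reference syntax, the `InMemoryVault` stand-in and the sample configs are all constructed for this example.

```python
import re
from dataclasses import dataclass

# Key names and URL form that commonly carry clear-text credentials in scripts
# and config files (constructed list, not exhaustive).
CREDENTIAL_PATTERNS = [
    ("assignment", re.compile(
        r"(?i)\b(password|passwd|pwd|secret|api_key|apikey|token)\b"
        r"\s*[=:]\s*['\"]?([^'\"\s]+)")),
    ("url", re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:]+:([^@\s]+)@", re.I)),
]
# Reference syntax assumed for this example: the file holds a vault path, not a secret.
VAULT_REF = re.compile(r"\$\{vault:([A-Za-z0-9_/.-]+)\}")

@dataclass
class Finding:
    line: int
    kind: str
    key: str
    masked: str  # only the first two characters survive, so reports do not leak secrets

def mask(value):
    return value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "**"

def find_hardcoded_credentials(text):
    """Discovery step: flag clear-text credentials, but not vault references."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        for kind, pat in CREDENTIAL_PATTERNS:
            for m in pat.finditer(line):
                key, value = (m.group(1), m.group(2)) if kind == "assignment" else ("url", m.group(1))
                if VAULT_REF.fullmatch(value):
                    continue  # already migrated: a reference, not a secret
                findings.append(Finding(n, kind, key, mask(value)))
    return findings

class InMemoryVault:
    """Stand-in for a PAM vault API (constructed). A real product would authenticate
    the calling application and apply release policy; here we only record an audit
    trail of every checkout."""
    def __init__(self, secrets):
        self._secrets = dict(secrets)
        self.audit = []
    def checkout(self, caller, path):
        self.audit.append((caller, path))
        return self._secrets[path]

def resolve_config(text, vault, caller):
    """Runtime step: fetch each referenced secret from the vault when requested."""
    return VAULT_REF.sub(lambda m: vault.checkout(caller, m.group(1)), text)

# Constructed sample configs: before and after migrating to vault references.
BEFORE = "db_url = postgres://app:Sup3rSecret@db.internal/app\napi_key = \"AKIA-EXAMPLE-KEY\"\n"
AFTER = "db_url = postgres://app:${vault:db/app}@db.internal/app\napi_key = \"${vault:api/billing}\"\n"
```

Running the scanner over `BEFORE` reports two findings with masked values, while `AFTER` is clean and every secret is released through the vault's audited checkout call.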

Session Recording and Monitoring (SRM): SRM is an extension of PSM tools to offer advanced auditing, monitoring and review of privileged activities during a privileged session, including but not limited to key-stroke logging, video session recording, screen scraping, OCR translation and other session monitoring techniques.

Controlled Privilege Elevation and Delegation Management (CPEDM): Technology that deals with controlled elevation and policy-based delegation of a user’s privileges to super-user privileges for administrative purposes.

Privileged User Behavior Analytics (PUBA): PUBA uses data analytic techniques to detect threats based on anomalous behavior against established behavioral profiles of administrative users as well as user groups and administrator roles.

Privileged Account Discovery and Lifecycle Management (PADLM): This deals with discovery mechanisms to identify shared accounts, software accounts, service accounts and other unencrypted/clear-text credentials across the IT infrastructure. PADLM tools offer workflow capabilities to identify and track an account's business and technical ownership throughout its lifecycle and can detect changes in its state to trigger notifications and the necessary remedial actions.

Endpoint Privilege Management (EPM): EPM offers capabilities to manage threats associated with local administrative rights on Windows, macOS or other endpoints. EPM tools essentially offer controlled and monitored escalation of a user’s privileges on endpoints and include capabilities such as application whitelisting for endpoint protection. Categorically, we define EPM solutions as primarily offering three distinct technologies:

  • Application Control: This allows organizations to control what applications can be allowed to run on an endpoint. This is usually achieved through application whitelisting in which only known good applications are placed on a pre-approved list and are allowed to run. Application control provides effective protection against shadow IT challenges for organizations.
  • Sandboxing: This technology isolates the execution of unknown applications or programs by restricting the resources they can access (e.g., files, registry keys). This technology, also known as application isolation, provides effective protection against cyberattacks by confining the execution of malicious programs and limiting their means to cause harm.
  • Privilege Management: This technology encompasses user and application privilege management. For user privilege management, it deals with controlled and monitored elevation to local admin privileges. Application privilege management deals with exception- or policy-based elevation of administrative rights for known and approved applications so that they execute successfully.

Privileged Access Governance (PAG): PAG provides insights into the state of privileged access that are necessary to support the decision-making process. PAG includes privileged access certifications and provisions for customizable reporting and dashboarding.

At KuppingerCole, we define PAM solutions as consisting of the tools and technologies shown in Figure 1.

Figure 9: Architecture Blueprint of PAM tools and technologies

We look at all types of products that support customers in solving the Privileged Access Management challenges fully or partially. This includes, e.g., Session Monitoring and Recording as well as Password Vaults or Privileged User Behavior Analytics.

We do not look at general-purpose tools such as Identity Provisioning tools or Real Time Security Intelligence with very limited support for the specific requirements of the Privileged Access Management challenges. However, integration with such solutions is on the list of features we consider relevant in our analysis.

Particularly, we are looking for features and functionalities in the following areas corresponding to privileged access:

  • Shared Account Password Management
  • Privileged Single Sign-On (SSO access to multiple privileged sessions)
  • Privileged Account Discovery and Lifecycle Management
  • Session Monitoring, Analysis, and Recording
  • Privileged User Behavior Analytics
  • Privilege Elevation Management (Restriction)
  • Application-to-Application Password Management
  • Endpoint Privilege Management
  • Reporting, Audit, and Compliance

We appreciate seeing integrated solutions with a tight integration of the various feature sets. Key features that we expect to see in the various PAM areas include:

  • Shared Account Password Management
    • Password vaulting
    • Central management of shared account privileges
    • Automated credential rotation or OTPs
    • Secured access to privileged credentials
  • Privileged Single Sign-On (SSO access to multiple privileged sessions)
    • Simple management of session assignments to users
    • Ad-hoc and upfront authorization of access with support of approval lifecycles
    • Simple yet secure UIs
  • Privileged Account Discovery and Lifecycle Management
    • Automated discovery of privileged accounts on servers, clients, and other systems in scope (e.g. network devices)
    • Integration into CMDBs
    • Simple (automated) grouping of accounts and systems
  • Session Monitoring, Analysis, and Recording
    • Session Monitoring
    • Session Recording
    • Session Analysis
    • All of the above for both command-line and GUI-based sessions
  • Privileged User Behavior Analytics
    • Anomaly detection in privileged user behavior
    • Adaptation of analysis to custom requirements
    • Support for privacy and compliance, e.g. four-eye-principle for reviewing anomalies
  • Privilege Elevation Management (Controlled Privilege Elevation)
    • Restricted (least privilege) access to managed systems
    • Command filtering
    • Command/Shell substitution
  • Application-to-Application Password Management
    • Identification of hard-coded credentials in scripts, configuration files, etc.
    • APIs for replacing hard-coded credentials
    • Application or service authentication calling password vault for credential checkout or injection
  • Endpoint Privilege Management
    • Application Control (whitelisting/blacklisting capabilities)
    • Application Sandboxing (Executing untrusted or less trusted applications in a controlled environment)
    • Privilege elevation of local users
  • Reporting, Audit, and Compliance
    • Flexible, customizable reporting interfaces
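
Command filtering and command/shell substitution, listed above under Privilege Elevation Management, as an added Python example (not from the report or from any product): each role gets an allow-list of argv prefixes, deny rules take precedence over any allow, and an interactive shell is swapped for a restricted one. The roles, policy entries and deny rules are constructed for illustration.

```python
import re
import shlex
from dataclasses import dataclass

@dataclass(frozen=True)
class Decision:
    action: str   # "allow", "substitute" or "deny"
    argv: tuple   # what would actually run; empty when denied
    reason: str

# Constructed policy: an argv prefix such as ("systemctl", "restart", "postgresql")
# permits exactly that unit and nothing else under systemctl.
ROLE_ALLOW = {
    "dba": [("psql",), ("pg_dump",), ("systemctl", "status", "postgresql"),
            ("systemctl", "restart", "postgresql"), ("bash",)],
    "backup-operator": [("tar",), ("rsync",)],
}
# Deny rules are checked first, so they win even for allow-listed binaries.
DENY_RULES = [
    (re.compile(r"[;&|`$(]"), "command chaining or substitution is not permitted"),
    (re.compile(r"^(sudo|su)\b"), "direct elevation to root is not permitted"),
    (re.compile(r"^rm\s+(-\w*r\w*\s+)+/(\s|$)"), "recursive delete of / is blocked"),
]
# Shell substitution: an allowed interactive shell becomes a restricted shell.
SUBSTITUTE = {"bash": "rbash", "sh": "rbash"}

def evaluate(role, command):
    """Decide whether one command line typed in a privileged session may run."""
    for pattern, reason in DENY_RULES:
        if pattern.search(command):
            return Decision("deny", (), reason)
    try:
        argv = tuple(shlex.split(command))
    except ValueError as exc:
        return Decision("deny", (), f"unparseable command: {exc}")
    if not argv:
        return Decision("deny", (), "empty command")
    prefixes = ROLE_ALLOW.get(role, [])
    if not any(argv[:len(p)] == p for p in prefixes):
        return Decision("deny", (), f"{argv[0]} is not on the allow-list for role {role}")
    if argv[0] in SUBSTITUTE:
        return Decision("substitute", (SUBSTITUTE[argv[0]],) + argv[1:], "restricted shell substituted")
    return Decision("allow", argv, "matches allow-list")
```

Every `Decision` is the record a PAM gateway would write to the session audit trail before forwarding or dropping the command.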

Providing tightly integrated offerings that cover all major features is one of the criteria we have high on our list, given that customers prefer such integrated approaches over a variety of disparate, non-integrated or only loosely coupled offerings.

A strong focus will be put on integration into existing security infrastructures to provide consolidated monitoring, analytics, governance or compliance across multiple types of information stores and applications. Most importantly, this includes integrations with SIEM/SOC solutions, existing identity and access management systems and information security governance technologies.

Additional architectural and operational aspects that are considered in our vendor evaluation process are:

  • Support for a broad range of target systems
  • Support for cloud services and platforms
  • Support for Multi-tenancy
  • Support for High Availability (HA) and automated failover configurations
  • Ease of integration with third-party security solutions including ITSM, SIEM etc.
  • Delivery formats: Hardware or virtual appliances, PAM-as-a-Service or managed hosted service
  • Deployment types: Agent-based or network proxy/gateway-based, remote passive monitoring
  • Scalability and performance impact
  • Ease of deployment and initial configuration, including the friction introduced into administrative workflows
  • Flexibility and user-friendliness of the management console and overall user interfaces