Privileged Access Management
Privileged Access Management (PAM) is one of the most important areas of risk management and security in any organization. Privileged accounts have traditionally been given to administrators to access critical data and applications. But, changing business practices, hybrid IT, cloud and other aspects of digital transformation has meant that users of privileged accounts have become more numerous and widespread. To reduce the risk of privileged accounts being hijacked or fraudulently used, and to uphold stringent regulatory compliance within an organization, a strong PAM solution is essential.
This report is an overview of the market for Privilege Access Management (PAM) solutions and provides a compass to help buyers find the solution that best meets their needs. KuppingerCole examines the market segment, vendor functionality, relative market share, and innovative approaches to providing PAM solutions.
1.1 Market segment
Privileged Access Management (PAM) solutions are critical cybersecurity controls that address the security risks associated with the use of privileged access in organizations and companies. Traditionally, there have been primarily two types of privileged users.
Privileged IT users are those who need access to the IT infrastructure supporting the business. Such permissions are usually granted to IT admins who need access to system accounts, software accounts or operational accounts. These are often referred to as superusers.
There are now also privileged business users, those who need access to sensitive data and information assets such as HR records, payroll details, financial information or intellectual property, and social media accounts.
The picture has become more complicated with many more of these non-traditional users requiring and getting privileged access to IT and business data. Some will be employees working on special projects, others may be developers building applications or third-party contractual workers. With the onset of digital transformation, organizations have seen the number of privileged users multiply as new types of operations such as DevOps have needed access to privileged accounts.
In recent years, Privileged Access Management (PAM) has become one of the fastest growing areas of cyber security and risk management solutions. KuppingerCole estimates that the number of major vendors in the space is around 40 with a combined annual revenue of around $2.2bn, predicted to grow to $5.4bn by 2025 (see Figure 2).
That growth has largely been driven by changes in business computing practices and compliance demands from governments and trading bodies, as well as increased levels of cybercrime. Digital transformation, regulations such as GDPR, the shift to the cloud and, most recently, the growth of DevOps in organizations looking to accelerate their application development processes are all adding to the growth.
The reason for this mini boom is that all these trends have triggered an explosion in data and services designated as business critical or confidential and a concurrent rise in the number of users and applications that need to access them. IT administrators realised that without dedicated solutions to manage all these, the organizations would be at great risk of hacks and security breaches. Hackers and cyber criminals have long targeted unprotected privileged accounts as one of the easiest routes to get inside an organization.
In recent years, PAM solutions have become more sophisticated making them robust security management tools in themselves. While credential vaulting, password rotation, controlled elevation and delegation of privileges, session establishment and activity monitoring are now almost standard features, more advanced capabilities such as privileged user analytics, risk-based session monitoring, advanced threat protection, and the ability to embrace PAM scenarios in an enterprise governance program are becoming the new standard to protect against today’s threats. Many vendors are integrating these features into comprehensive PAM suites while a new generation of providers are targeting niche areas of Privileged Access Management.
With the attack surface expanding and the number of attacks increasing every year, an integrated and more comprehensive PAM solution is required – one that can automatically detect unusual behavior and initiate automated mitigations. A successful attack can be conducted in minutes; therefore, a PAM solution must be capable of thwarting this attack without human intervention. Although we see more comprehensive PAM suites and solutions being offered, vendors are taking different approaches to solve the underlying problem of restricting, monitoring, and analyzing privileged access and the use of shared accounts. Overall, it’s one of the more dynamic and interesting parts of security and access management.
1.2 Delivery models
This Leadership Compass is focused on PAM products that are offered in on-premises deployable form as an appliance or virtual appliance, in the cloud or as-a-service (PAMaaS) by the vendor.
1.3 Required capabilities
In this Leadership Compass, we focus on solutions that help organizations reduce the risks associated with privileged access, through individual or shared accounts across on-premises and cloud infrastructure.
A simple PAM solution will provide an organization with the basic defences needed to protect privileged accounts, but most organizations today will need more to meet their more complex security and compliance obligations. Digital transformation and infrastructure changes mean that organizations will benefit from many of the advanced features now bundled with leading PAM solutions.
At KuppingerCole, we classify the Privileged Access Management (PAM) market into the following key technology functions with PAM vendors providing varied level of support for multiple PAM functions (see Figure 2).
1.3.1 Privileged Account Data Lifecycle Management (PADLM)
The usage of privileged accounts must be governed as well as secured. The PADLM function serves as a tool to monitor the usage of privilege accounts over time to comply with compliance regulations as well as internal auditing processes. If a breach occurs and a compromised privilege account is found to be a cause, investigators will want to know how well the account was managed and audited throughout its lifecycle.
1.3.2 Shared Account Password Management (SAPM)
Best practice demands that organizations switch to single identity privileged accounts, but shared privileged accounts still exist in many organizations and are a serious risk to security, especially if they are not monitored. The latest variants of PAM will have SAPM functionality built-in to oversee the management and auditing of shared accounts across the enterprise. An inability to account for number of usages of shared privileged accounts will almost certainly fail any relevant audit and could be a cause for prosecution under GDPR if it was proven that a shared account was responsible for the loss of credentials, that led to data being lost.
Organizations should discover and audit all privilege accounts – ensuring that only the right people or resources have access and bring them under the orbit of the SAPM so that access to shared accounts is monitored by the PAM solution and strictly controlled ideally with alerts set up for unauthorised usage of shared accounts. To put it into context a fully configured and set up PAM solution with SAPM will prevent instances of users accessing shared privileged accounts simply by knowing old passwords.
1.3.3 Application to Application Password Management (AAPM)
Part of digital transformation is the communication between machines and applications to other applications and database servers to get business-related information. Some will require privileged access but time constraints on processes means it needs to be seamless and transparent as well as secure. AAPM is therefore being added as part of the SAPM function to allow applications to access credentials, making PAM suitable for the digital age by treating people, machines and applications as equal entities to be secured, without slowing down communication or file access. The activity of applications can also be tracked in the same way as users in the Session Manager.
1.3.4 Controlled Privilege Elevation and Delegation Management (CPEDM)
This is another increasingly important function related to the fluid and fast changing needs of digital organizations. As the name suggests it allows users to gain elevation of access rights, traditionally for administrative purposes and for short periods typically, and with least privilege rights. However, some vendors are adapting the traditional role of CPEDM to become more task focused and adaptable to more flexible workloads that modern organizations require. This is known as Privileged Task Management (PTM), enabling least privilege access to resources to get things done. Such processes can be pre-assigned for distribution or may well be a response to a specific request. The challenge for all PAM vendors is to integrate CEPDM and PTM securely and transparently. Inevitably, some will do it better than others.
1.3.5 Endpoint Privilege Management (EPM)
EPM offers capabilities to manage threats associated with local administrative rights on laptops, tablets, smartphones or other endpoints. EPM tools essentially offer controlled and monitored privileged access via endpoints and include capabilities such as application whitelisting for endpoint protection.
1.3.6 Session Recording and Monitoring (SRM)
Session Recording and Monitoring offers basic auditing and monitoring of privileged activities. SRM tools can also offer authentication, authorization and Single Sign-On (SSO) to the target systems.
1.3.7 Just in Time (JIT)
Just-in-time (JIT) privileged access management can help drastically condense the privileged threat surface and reduce risk enterprise-wide by granting secure instant access to privileged accounts. Implementing JIT within PAM can ensure that identities only have the appropriate privileges when necessary, as quickly as possible and for the least time necessary. This process can be entirely automated so that it is frictionless and invisible to the end user
1.3.8 Privileged Single Sign-On (SSO)
Single sign-on is a user authentication system that permits a user to apply one set of login credentials (i.e. username and password) to access multiple applications. This is very useful for speeding up workflows but allowing single sign on to privileged accounts carries risk if not subject to PAM controls. Therefore, PAM solutions are increasingly supporting integration with leading SSO vendors to address this challenge.
1.3.9 Privileged User Behaviour Analytics (PUBA)
PUBA uses data analytic techniques, some assisted by machine learning tools, to detect threats based on anomalous behaviour against established and quantified baseline profiles of administrative groups and users. Any attempted deviation from least privilege would be red flagged.
1.4 Other advanced features
PAM should accommodate the presence of a multitude of privileged users within an organization which includes temp workers, contractors, partner organizations, developers, DevOps, IT security admins, web applications and in some instances, customers. The more advanced features available within PAM to manage the demands of the modern organization are discussed in more detail in the next chapter.
Other advanced capabilities may also be available such as privileged user analytics, risk-based session monitoring and advanced threat protection - all integrated into comprehensive PAM suites now available. These include:
- PAM for DevOps which some vendors are now providing as extra modules or standalone products. Any such solution should be designed to accommodate the unique challenges of DevOps such as rapid project turnaround and JIT provisioning.
- Privilege IT task-based automation is a new feature that brings PAM to more granular level by combining JIT access to specific tasks, often one time only. While integration with existing PAM solutions is currently limited, this is likely to change.
- Remote access for end users to privilege accounts is more relevant in digital environments. PAM solutions will increasingly support this in the future to help secure access for third parties such as customers and vendors, as well as remote workers.
- Privileged Access Governance deals with offering valuable insights related to the state of privileged access necessary to support decision making process. PAG includes privileged access certifications and provisions for customizable reporting and dashboarding.