Privileged Access Management for DevOps
Privileged Access Management (PAM) is an important area of access risk management and identity security in any organization. Privileged accounts have traditionally been given to administrators to access critical data and applications. But changing business practices, hybrid IT, cloud and other aspects of digital transformation have meant that users of privileged accounts have become more numerous and widespread. One area in sharp focus is DevOps, which has become essential to many organizations looking to become more responsive and innovative. Application developers and other agile teams increasingly need privileged access to essential tools, and several PAM vendors are responding to this demand.
This report is an overview of the market for Privileged Access Management (PAM) solutions and provides a compass to help buyers find the solution that best meets their needs. KuppingerCole examines the market segment, vendor functionality, relative market share, and innovative approaches to providing PAM for DevOps. This follow-up to the larger Leadership Compass PAM 2020 (published May 2020) concentrates on those vendors we believe are best addressing the challenge of managing PAM within DevOps environments. Many vendors have yet to consider DevOps and agile environments, or believe their existing solutions already cover them adequately, hence the smaller scope of this report.
KuppingerCole's view, however, is that the 10 vendors featured are currently doing the most for DevOps, by adding technologies and capabilities that address the operating environments and pressures that DevOps teams typically work under.
1.1 Market segment
Privileged Access Management (PAM) solutions are critical cybersecurity controls that address the security risks associated with the use of privileged access in organizations and companies. Traditionally, there have been two main types of privileged user.
Privileged IT users are those who need access to the IT infrastructure supporting the business. Such permissions are usually granted to IT admins who need access to system accounts, software accounts or operational accounts.
There are now also privileged business users, those who need access to sensitive data and information assets such as HR records, payroll details, financial information or intellectual property, and social media accounts.
The picture has become more complicated with many more of these non-traditional users requiring and getting privileged access to IT tools and business data. Some will be employees working on special projects, others may be developers building applications or third-party contractual workers. With the onset of digital transformation, organizations have seen the number of privileged users multiply as new types of operations such as DevOps have needed access to privileged accounts. Such are the critical demands of DevOps that several PAM vendors are now adding specific capabilities to address them.
In recent years, Privileged Access Management (PAM) has become one of the fastest growing areas of cyber security and risk management solutions. KuppingerCole estimates that there are around 40 major vendors in the space, with combined annual revenue of around $2.2bn, predicted to grow to $5.4bn by 2025 (see Figure 1).
That growth has largely been driven by changes in business computing practices and compliance demands from governments and trading bodies, as well as increased levels of cybercrime. Advanced Persistent Threats (APTs) and the ability of attackers to take over service accounts are threats PAM can help with. Protecting admin and service accounts makes it harder for state actors and corporate espionage agents to exfiltrate data. PAM controls create additional hurdles for would-be attackers and generate more indicators of compromise (IoCs), giving defenders the opportunity to detect an intrusion earlier.
Digital transformation, regulations such as GDPR, the shift to the cloud and, most recently, the growth of DevOps in organizations looking to accelerate their application development processes are all adding to the growth.
The reason for this mini boom is that these trends have triggered an explosion in data and services designated as business critical or confidential, and a concurrent rise in the number of users and applications that need to access them. IT administrators realised that without dedicated solutions to manage all of these, organizations would be at great risk of compromise and security breaches. Attackers and cyber criminals have long targeted unprotected privileged accounts as one of the easiest routes into an organization.
In recent years, PAM solutions have become more sophisticated, making them robust security management tools in themselves. While credential vaulting, password rotation, controlled elevation and delegation of privileges, session establishment and activity monitoring are now almost standard features, more advanced capabilities such as privileged user analytics, risk-based session monitoring, advanced threat protection, and the ability to embrace PAM scenarios in an enterprise governance program are becoming the new standard to protect against today’s threats. Many vendors are integrating these features into comprehensive PAM suites while a new generation of providers are targeting niche areas of Privileged Access Management. Overall, it is one of the more dynamic and interesting parts of security and access management.
1.1.1 The impact of agile development and DevOps on PAM
The pressure on organizations to develop their IT infrastructure within an automated Continuous Integration and Delivery (CI/CD) framework is increasing. The push comes from senior management, who want to see competitiveness improved through IT, and from IT team leaders looking for gains in software productivity and efficiency to meet those demands. Modern organizations run an unwieldy mixture of interconnected code and applications, including microservices, APIs, desktop apps and mobile apps, and keeping all of these current requires a constant stream of updates and patches, not to mention the rollout of brand-new software projects. It is not uncommon today for applications to be updated many times a day.
Today, the CI/CD trend affects third-party and customer-facing, software-driven products as much as internal IT projects; in a world seeking perfection, nothing is ever finished. At the heart of this process is the DevOps team culture, which emerged to break down the traditional engineering and operations silos that previously stalled software development and introduced errors. Co-operation between the teams and the breakdown of traditional IT roles helped establish the desired CI/CD framework as developers became used to agile turnaround and rapid software delivery times.
Security platforms, including PAM, must be embedded transparently within the CI/CD lifecycle that DevOps teams work in. A security feedback mechanism is also advisable, so that DevOps and other agile development teams can act quickly on vulnerabilities as they arise.
1.1.2 Why DevOps is now critical to managing privileged accounts in organizations
Those working in DevOps store, compile and test code, which involves privileged access to specific data sources, tools, applications and other resources that are classified as confidential and must be kept secure. Today this includes individual pieces of code, containers and APIs, as well as discrete data relating to company projects or individuals.
DevOps teams access and process privileged data and entities on a continuous basis. Without a platform to monitor, record and control this access, new exposures are introduced every day. For example, developers under delivery pressure will often take shortcuts that speed up their work but introduce security risk: storing credentials for privileged tools and data locally, sharing them with colleagues, or embedding them in the application or container image they are working on. Developers may share passwords and code, and admins may grant privileges to users on an ad hoc basis without later removing them, a process known as privilege creep.
The challenge is finding a PAM solution that can work at the speed and under the pressure that DevOps teams already operate at, while keeping all secrets secure. It must not get in the way, and it must be secure and accountable, whether through integrated tools or via third-party integrations. In this Leadership Compass we assess those PAM vendors that are addressing the needs of DevOps and agile environments. Some offer DevOps capabilities as an add-on to existing suites, while others offer specific authentication toolsets that work well for providing privileged access to DevOps teams and non-human users. Currently vendors offer either traditional vaults or certificates to authenticate users within the DevOps environment (see Figure 3).
1.2 Delivery models
This Leadership Compass is focused on PAM products for DevOps that are offered on-premises, in the cloud, or as a service (PAMaaS) by the vendor.
1.3 Required capabilities
At KuppingerCole we believe that the following capabilities are essential if PAM is to meet the demands of DevOps and other agile development environments.
1.3.1 Toolchain support
Efficient DevOps teams will want to use the most effective set of tools for developing and delivering applications. Such toolchains comprise code, artifacts, applications and other essential components, most of which are of strategic business value and should therefore be reachable only through privileged access. Any PAM for DevOps solution should be able to provide fast and secure access to toolchain components wherever they reside in the IT environment.
1.3.2 Runtime support
Developers who wish to run apps in containers and elsewhere may not always have written all the code needed to execute them fully. They therefore need access to runtime code and components to complete the job, and PAM must provide and protect the access needed to that runtime.
1.3.3 Finished application support
One of the guiding principles of DevOps is support for CI/CD and the fast delivery of application updates, particularly when bugs or vulnerabilities surface after code reaches production. The best people to fix code are those who developed it in the first place, but access to live code must obviously be strictly privileged. This can also work in conjunction with specialist application lifecycle management tools designed to help developers find and sort applications rapidly.
1.3.4 Certificate support
While PAM has traditionally relied on an encrypted vault to store and manage passwords for authentication and access to privileged data and tools, the more intense and ephemeral nature of the DevOps environment is pushing towards the issue of single-use public key certificates for authenticating privileged users (see Figure 3).
1.3.5 Base PAM support
Authentication of privileged accounts is of paramount importance within DevOps environments, to ensure users get access to the tools they need, but it should be backed up with the regular features of PAM such as session management and recording. It is therefore advisable either to add a PAM solution to DevOps that can integrate with legacy PAM platforms, or to buy a PAM platform that does both. (See Section 1.4 Other capabilities to support DevOps.)
1.3.6 High Availability (HA)
Having a method of accessing vaulted PAM accounts in an emergency is important for all PAM deployments, and more so in high-stress, high-value DevOps environments. Developers locked out of tools and runtime support means lost revenue and expensive downtime. Tooling should be in place to carry out break-glass procedures without compromising the integrity of the DevOps environment or the wider organization.
1.3.7 Non-human user support
Integral to digital transformation is communication between machines and applications, and between applications, data centres and databases, to obtain business-related information. This is a key part of the DevOps process as developers use automation tools to complete tasks. Some of these will require privileged access, but time constraints on processes mean that access needs to be seamless and transparent as well as secure.
1.3.8 Shared account support
Best practice demands that organizations switch to individually attributable privileged accounts, but shared privileged accounts still exist in many organizations and remain a security risk if not monitored. Shared accounts are a feature of DevOps, and until they can be safely eradicated it is important that PAM for DevOps can manage and record their usage securely.
1.3.9 Just in Time (JIT)
Just-in-time (JIT) privileged access management can drastically shrink the privileged attack surface and reduce risk enterprise-wide by granting secure, on-demand access to privileged accounts. Implementing JIT within PAM for DevOps ensures that identities hold elevated privileges only when necessary, granted as quickly as possible and for the least time necessary. This process can be entirely automated so that it is frictionless and invisible to the end user.
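The JIT model described here and the single-use certificate approach in section 1.3.4 come down to the same thing: a credential that is signed, scoped to one target and set of privileges, time-boxed, and consumed on use. The following added example (not code from this report or from any vendor it covers) models that with a small broker that issues HMAC-SHA256-signed, single-use grants and checks them at the point of use. The HMAC stands in for the certificate signature a PAM certificate authority would produce, and the class name, the principals, the targets and the privilege names are assumptions made for the example; the checks themselves (integrity before parsing, expiry, intended target, granted privilege, single use, emergency revocation) are the ones any JIT implementation needs.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pack_token(payload: bytes, sig: bytes) -> str:
    return b64e(payload) + "." + b64e(sig)


def unpack_token(token: str) -> tuple[bytes, bytes]:
    payload_b64, sig_b64 = token.split(".", 1)   # ValueError if no separator
    return b64d(payload_b64), b64d(sig_b64)


class JitBroker:
    """Issues short-lived, single-use privilege grants and checks them on use.

    HMAC-SHA256 over the grant body stands in for the signature a PAM
    certificate authority would produce (assumption for this example).
    """

    def __init__(self, key: bytes, clock=time.time, max_ttl: int = 900):
        if len(key) < 32:
            raise ValueError("use a key of at least 256 bits")
        self._key = key
        self._clock = clock            # injectable so expiry can be tested deterministically
        self._max_ttl = max_ttl        # hard ceiling on grant lifetime, in seconds
        self._consumed: set[str] = set()   # grant ids already used or revoked

    def sign(self, payload: bytes) -> bytes:
        return hmac.new(self._key, payload, hashlib.sha256).digest()

    def issue(self, principal: str, target: str, privileges: list[str], ttl: int) -> str:
        """Mint a grant for one principal, one target, a fixed privilege set and a bounded TTL."""
        if not 0 < ttl <= self._max_ttl:
            raise ValueError(f"ttl must be 1..{self._max_ttl} seconds")
        now = int(self._clock())
        body = {
            "sub": principal,
            "aud": target,
            "priv": sorted(set(privileges)),
            "iat": now,
            "exp": now + ttl,
            "jti": secrets.token_hex(8),   # unique id, consumed on first use
        }
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return pack_token(payload, self.sign(payload))

    def check(self, token: str, target: str, privilege: str) -> tuple[bool, str]:
        """Verify-then-parse: nothing inside the payload is trusted until the MAC matches."""
        try:
            payload, sig = unpack_token(token)
        except ValueError:                 # binascii.Error is a ValueError subclass
            return False, "malformed"
        if not hmac.compare_digest(sig, self.sign(payload)):
            return False, "bad_signature"
        body = json.loads(payload)
        if self._clock() >= body["exp"]:
            return False, "expired"
        if body["aud"] != target:
            return False, "wrong_target"
        if privilege not in body["priv"]:
            return False, "privilege_not_granted"
        if body["jti"] in self._consumed:
            return False, "already_used"
        self._consumed.add(body["jti"])    # one-time use: burn the id on success only
        return True, "ok"

    def revoke(self, token: str) -> None:
        """Emergency revocation: burn the grant id so the token can never succeed."""
        payload, _ = unpack_token(token)
        self._consumed.add(json.loads(payload)["jti"])


if __name__ == "__main__":
    broker = JitBroker(secrets.token_bytes(32), max_ttl=900)
    grant = broker.issue("alice", "prod-db-01", ["sudo"], ttl=300)
    print("first use :", broker.check(grant, "prod-db-01", "sudo"))   # (True, 'ok')
    print("second use:", broker.check(grant, "prod-db-01", "sudo"))   # (False, 'already_used')
```

The order of checks matters: the signature is verified before the JSON is parsed, so an attacker cannot steer the parser with a forged body, and the grant id is only consumed on a successful check, so a failed attempt against the wrong target does not invalidate a legitimate grant. In a real deployment the broker's key would live in the PAM platform or an HSM, and the consumed-id set would be shared across all enforcement points.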
1.4 Other capabilities to support DevOps
PAM should accommodate the presence of a multitude of privileged users within an organization which includes temp workers, contractors, partner organizations, developers, DevOps, IT security admins, web applications and, in some instances, customers.
1.4.1 Privileged Account Data Lifecycle Management (PADLM)
The usage of privileged accounts must be governed as well as secured. Some PAM solutions include a discovery mechanism to identify shared accounts, software accounts, service accounts and other unencrypted or clear-text credentials across the IT infrastructure. PADLM tools offer workflow capabilities to identify and track an account's business and technical ownership throughout its lifecycle, and can detect changes in its state to trigger notifications and the necessary remedial actions.
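As an added illustration of the discovery capability described here, and of the embedded-credential risk described in section 1.1.2 (example code, not taken from this report or from any vendor it covers), the following scanner runs a few detection rules over constructed sample files of the kind a DevOps team leaves behind (a Dockerfile, a compose file, an application settings module and a private key checked into a deploy directory), redacts what it finds, and attaches a rough ownership hint that a PADLM workflow could use to assign a business owner. The file contents, credential values, rule set and account classification heuristics are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample files with credentials embedded the way developers under
# pressure tend to do it. Every value below is made up for this example.
SAMPLE_FILES = {
    "Dockerfile": (
        "FROM python:3.11-slim\n"
        "ENV DB_USER=svc_orders\n"
        "ENV DB_PASSWORD=Ord3rs!Prod2020\n"
        "COPY . /app\n"
    ),
    "docker-compose.yml": (
        "services:\n"
        "  api:\n"
        "    environment:\n"
        "      - AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "      - AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "app/settings.py": (
        "DEBUG = False\n"
        "ADMIN_TOKEN = os.environ.get('ADMIN_TOKEN')\n"   # reference, not a literal
        "SMTP_PASSWORD = ''\n"                             # empty, not a finding
        'SHARED_ADMIN_PW = "Welcome123"  # shared ops account, TODO remove\n'
    ),
    "deploy/id_ed25519": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
}

# Detection rules: (kind, compiled regex). The generic rule captures the
# variable name (group 1) and the literal value (group 2).
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key", re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")),
    ("hardcoded_secret", re.compile(
        r"(?i)\b([A-Z0-9_]*(?:PASSWORD|PASSWD|SECRET|TOKEN|PW)[A-Z0-9_]*)"
        r"\s*[=:]\s*['\"]?([^\s'\"#]{6,})")),
]

# Values that point at a secret held elsewhere rather than embedding it.
INDIRECT_PREFIXES = ("os.environ", "os.getenv", "$", "{{", "<")


@dataclass
class Finding:
    path: str
    line: int
    kind: str
    name: str        # variable name when the rule captures one, else ""
    preview: str     # redacted; the report must never carry the secret itself
    owner_hint: str  # starting point for the PADLM ownership workflow


def redact(value: str) -> str:
    """Keep enough to locate the credential, never enough to use it."""
    return f"{value[:2]}...({len(value)} chars)"


def owner_hint(name: str, kind: str) -> str:
    """Heuristic account classification (assumed naming conventions)."""
    upper = name.upper()
    if "SHARED" in upper:
        return "shared account"
    if kind == "aws_access_key_id" or upper.startswith("AWS_"):
        return "cloud access key"
    if kind == "private_key":
        return "key material"
    if upper.startswith(("SVC", "SERVICE")):
        return "service account"
    return "application credential"


def scan_text(path: str, text: str) -> list[Finding]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, rx in RULES:
            for m in rx.finditer(line):
                name, value = "", m.group(0)
                if kind == "hardcoded_secret":
                    name, value = m.group(1), m.group(2)
                    if value.startswith(INDIRECT_PREFIXES):
                        continue   # env lookup or template placeholder, not a literal
                preview = "(PEM block)" if kind == "private_key" else redact(value)
                findings.append(Finding(path, lineno, kind, name, preview, owner_hint(name, kind)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line} {f.kind} {f.name or '-'} {f.preview} [{f.owner_hint}]")
    print(summarize(results))
```

Two details are worth keeping when adapting this: the scanner skips values that merely reference an environment variable or template placeholder, which is exactly what a vault or PAM integration leaves behind, so it does not flag the fixed code as still broken; and it never writes the recovered secret into its own output, because a findings report that contains clear-text credentials is itself another clear-text credential store.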
1.4.2 Controlled Privilege Elevation and Delegation Management (CPEDM)
This is another important function related to the fluid and fast-changing needs of digital organizations. As the name suggests, it allows users to gain elevated access rights, traditionally for administrative purposes, typically for short periods and with least-privilege rights. However, some vendors are adapting the traditional role of CPEDM to become more task-focused and adaptable to the more flexible workloads that modern organizations require, such as DevOps. This is known as Privileged Task Management (PTM), which enables least-privilege access to resources to get things done. Such tasks can be pre-assigned for distribution or may be a response to a specific request. The challenge for all PAM vendors is to integrate CPEDM and PTM securely and transparently. Inevitably, some will do it better than others.
1.4.3 Endpoint Privilege Management (EPM)
EPM offers capabilities to manage threats associated with local administrative rights on laptops, tablets, smartphones and other endpoints. EPM tools essentially offer controlled and monitored privileged access via endpoints, and can include capabilities such as application whitelisting (allowlisting) for endpoint protection.
1.4.4 Session Recording and Monitoring (SRM)
SRM enables more advanced auditing, monitoring and review of privileged activities during a privileged session, including keystroke logging, video session recording, screen scraping, OCR of recorded screens and other session monitoring techniques.
1.4.5 Privileged Single Sign-On (SSO)
Single Sign-On is a user authentication mechanism that permits a user to apply one set of login credentials (e.g. username and password) to access multiple applications. This is very useful for speeding up workflows, but allowing SSO access to privileged accounts carries risk if it is not subject to industry-standard controls. PAM vendors are therefore increasingly supporting integration with leading SSO vendors to address this challenge.
1.4.6 Privileged User Behaviour Analytics (PUBA)
PUBA uses data analytics techniques, some assisted by machine learning, to detect threats by comparing observed activity against established and quantified behavioural profiles of administrative groups and users.
Other advanced capabilities may also be available, such as privileged user analytics, risk-based session monitoring and advanced threat protection, all integrated into the comprehensive PAM suites now available. These include:
- Privileged IT task-based automation is a new feature that brings PAM to a more granular level by combining JIT access with specific tasks, often on a one-time basis. While integration with existing PAM solutions is currently limited, this is likely to change.
- Remote access for end users to privileged accounts is more relevant in digital environments. PAM solutions will increasingly support this to help secure access for third parties such as customers and vendors, as well as for remote workers.
- Privileged Access Governance (PAG) provides insight into the state of privileged access to support decision-making in the organization. PAG can include privileged access certifications and provision for customizable reporting and dashboards.