Privileged Access Management
Privileged Access Management (PAM) is an essential component in protecting organizations against cyber-attacks, ransomware, malware, phishing, and data leaks. No longer only for protecting admin accounts, privilege management now extends across the entire organization -from on-premises and cloud infrastructures to every user, no matter where they are working from, or what they are accessing.
This report is an overview of the market for Privilege Access Management (PAM) platforms and provides a compass to help buyers find the product that best meets their needs. KuppingerCole examines the market segment, vendor capabilities, relative market share, and innovative approaches to providing PAM solutions.
- In depth ratings and reviews of 26 leading PAM products, fully updated for 2021
- PAM vendors have responded well to the privilege remote access challenges of the pandemic period with EPM and RPA capability improvements.
- More vendors are now offering automation and improved UX design to reduce the PAM admin burden, and make access easier.
- Several previous Challengers are now taking their place among the Leaders after a year of significant capability additions and enhancements. The market remains highly competitive.
- A small but growing trend is for IDP and IAM vendors to put their toes in the PAM waters, and some existing PAM vendors openly talking about Privileged Identity and Identity Security as part of their pitch.
- More general trends include the increased availability of PAMaaS, and PAM platforms designed specifically for SMBs and cloud native deployment
- Ease of Use is no longer a "nice to have" but increasingly seen as essential to cope with the growing demands on PAM.
- More use of consumer like Wizard tools to ease set up and deployment, and PAM architecture provided out of the box
- The Product Leaders are Arcon, BeyondTrust, Centrify, CyberArk, Hitachi ID, One Identity, Senhasegura, SSH.COM, Broadcom (Symantec), Thycotic, WALLIX and Xton (acquired by Imprivata in July 2021).
- The Innovation Leaders are Arcon, BeyondTrust, Centrify, CyberArk, Hitachi ID, ManageEngine, Remediant, Saviynt, Senhasegura, SSH.COM, Stealthbits, Thycotic, WALLIX and Xton.
- The Market Leaders are BeyondTrust, Centrify, CyberArk, Hitachi ID, Micro Focus, One Identity, Saviynt, Senhasegura, Stealthbits, Broadcom (Symantec), Thycotic and WALLIX
1.2 Market Segment
Privileged Access Management (PAM) platforms are critical cybersecurity controls that address the security risks associated with privileged access in organizations and companies. It is reckoned that most successful cyber-attacks involve the misuse of privileged accounts. And misuse is enabled by poor management of privileged access using old or inadequate PAM software, policies, or in-house processes. A 2020 RSA Conference report[^1] states that potentially malicious privileged access from an unknown host accounted for 74% of all privileged access anomaly behaviour detections. The message is clear: hackers are actively targeting privileged accounts as the best way to get inside an organization.
While PAM platforms have been around for around 20 years, the demands of digital transformation and wholesale structural changes to IT architecture have intensified interest in Privileged Access Management software and applications – across all market sectors.
Vendors, both traditional and new have been responding to the demand and critical need for advanced PAM that can meet the challenges of the modern computing era. Among key negative activities that PAM must control are abuse of shared credentials, misuse of elevated privileges by unauthorized users, theft of privileged credentials by cyber-criminals and abuse of privileges on cloud infrastructure.
KuppingerCole research shows that the PAM market is responding and growing because of these challenges and is in a vigorous period of innovation. Part of this is flexibility in purchasing options with growth in subscription models and SaaS options, although licensing and maintenance deals still dominate the sector. We believe that as PAM moves from a static to a more dynamic operating model to deal with equally dynamic IT architecture; SaaS and flexible purchasing options will become more popular with customers not wanting to be tied into technology that is not evolving fast enough for their changing demands. For PAM futures, flexibility will be key in purchasing, delivery, deployment and usage.
Trends in the market
In the past 12 months we have seen some changes in the vendor landscape with mergers and acquisitions affecting some of the bigger independent players, while those PAM vendors that became part of global IT providers have seen a rebranding and refocus of their product lines, considering trends such as PAM for DevOps and EPM. When two players join forces in the same market there is always some uncertainty for new and existing customers as mergers take time to bed down. In previous times we have seen vendors struggle to manage product overlap, differing marketing strategies, and customer groups. Even those mergers seen as symbiotic rather than simply acquisitive can pose some teething troubles for both parties.
Another small but growing trend is for IDP and IAM vendors to put their toes in the PAM waters, and some existing PAM vendors now openly talking about Privileged Identity and Identity Security as part of their pitch. While Identity is increasingly taking a central role in IT security and access management, it is too early to detect a fundamental shift in this market. But vendors and analysts alike are looking at how Identity, Risk and Task controls may play a central role in governing and managing Privileged Access in the future – particularly in sprawling cloud infrastructures.
The term Zero Standing Privilege (ZSP) is also gaining traction. In short, the theory is that no person or entity should ever hold standing privileges and all PAM be based on a Just in Time or ephemeral footing. If it is fast enough - this could potentially be one future for PAM but there are likely to be many organizations that continue to rely on standing privileges, passwords, and vaults for operational and legacy reasons and would find it hard to transfer to ZSP (and by extension, they do not trust putting passwords and vaults in the cloud).
Zero Trust is an extension of this approach, but it should be remembered that for PAM to work efficiently, a level of trust must still be priced into operations. The future may well be a mixture of all approaches, based around Identity and Risk to ensure that trust can be maintained for many users and accounts. Finally micro-PAM features are starting to appear in Data Governance and IRM platforms and cloud providers continue to add forms of secrets management to their offerings – but these are a sideshow currently to the concerns of this Leadership Compass.
More general trends include the growing availability of PAMaaS, and PAM platforms designed specifically for SMBs and cloud native deployment. Ease of Use is no longer a "nice to have" but increasingly seen as essential to cope with the growing demands on PAM. We are seeing more use of consumer like Wizard tools to ease set up and deployment.
1.3 Delivery Models
This Leadership Compass is focused on PAM products that are offered in on-premises deployable form as an appliance or virtual appliance, in the cloud or as-a-service (PAMaaS) by the vendor.
1.4 Required Capabilities
In this Leadership Compass, we focus on solutions that help organizations reduce the risks associated with privileged access, through individual or shared accounts across on-premises and cloud infrastructures. A core PAM solution will provide an organization with the basic defences needed to protect privileged accounts, but the PAM market is adapting to provide different levels of service and capabilities to meet with newer capabilities being offered. Digital transformation and infrastructure changes mean that organizations would benefit from many of the advanced capabilities offered as part of PAM suites from leading vendors in the market.
1.4.1 Classical PAM capabilities
While the market continues to offer more capabilities to PAM platforms to meet the privileged access demands of large and more complex organizations, classical PAM capabilities are outlined below.
Although not ideal, many organizations will share passwords and keys to privileged accounts. To counter this, Password Management controls access to shared accounts and ideally provides alerts to unauthorised usage of accounts. It is a fundamental tool that usually includes a Vault to store encrypted keys, passwords, or other relevant secrets.
Session Management offers basic auditing and monitoring of privileged activities. Session Management tools can also offer authentication and Single Sign-On (SSO) to target systems.
Endpoint Privilege Management (EPM)
Managing privileged access to endpoints is important and is often combined with specific capabilities such as black or whitelisting of applications. In the new era of much increased working from home we are also seeing privileged access authenticated directly from endpoints.
1.4.2 Desired capabilities in addition to the classical components
As demands develop across the market, the choice for PAM has become wider but also more fragmented with the result that one solution may not fulfil all requirements. For some organizations, some modules will be more important than others depending on enterprise architecture. A good example of a new challenge for PAM vendors has been the rise on remote working which calls for privileged access from the endpoint. Elsewhere, right across organizations we have seen further penetration of DevOps, CI/CD, IaaS, and multi cloud environments which also call for extra capabilities in PAM, but again not all customers will desire or need all of them.
The more complex operating environments means that customers can take advantage of the wide choice of PAM capabilities now available to them across the vendor spectrum. There is not always a need for a specialized PAM for DevOps, but for a PAM solution that supports the hybrid reality of your business including DevOps and agile computing – but also any legacy architecture that is in place.
Step back and rethink your PAM needs before making decisions. It starts with the use cases: what do you need to protect and where? Which are the capabilities you need? And which can you really handle – do you have the capacity and need for full session monitoring and analytics for example?
The optional capabilities to consider are as follows:
Privileged Account Data Lifecycle Management (PADLM)
The usage of privileged accounts must be governed as well as secured. PADLM serves as a tool to monitor the usage of privilege accounts over time to comply with compliance regulations as well as internal auditing processes.
Application to Application Password Management (AAPM)
Part of digital transformation is the ongoing communication between machines and applications to other applications and database servers to get business-related information. Some will require privileged access but time constraints on processes means it needs to be seamless and transparent as well as secure.
Controlled Privilege Elevation and Delegation Management (CPEDM)
As the name suggests CPEDM allows users to gain elevation of access rights, traditionally for administrative purposes and for short periods typically, and with least privilege rights. However, some vendors are adapting the traditional role of CPEDM to become more task focused and adaptable to more flexible workloads that modern organizations require.
Remote Privileged Access (RPA)
Since the Covid 19 pandemic, the prevalence of working from home has soared and some PAM vendors have responded by adding capabilities allowing privileged access directly from endpoints such as laptops.
Just in Time (JIT)
Implementing JIT within PAM can ensure that identities have only the appropriate privileges, when necessary, as quickly as possible and for the least time necessary. This process can be entirely automated so that it is frictionless and invisible to the end user.
Single Sign-On (SSO)
Single sign-on is a user authentication system that permits a user to apply one set of login credentials (i.e., username and password) to access multiple applications. Therefore, PAM solutions are increasingly supporting integration with leading SSO vendors to add convenience to PAM.
Privileged User Behaviour Analytics (PUBA)
PUBA uses data analytic techniques, some assisted by machine learning tools, to detect threats based on anomalous behaviour against established and quantified baseline profiles of administrative groups and users. Any attempted deviation from least privilege would be red flagged.
Some vendors offer modules that scan networks and endpoints to discover privileged accounts in use to enable better security and compliance.