Analyst Chat #156: CIEM Is Entering the Privileged Access Management Market

Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth, I'm the director of the Practice Identity and Access Management here at KuppingerCole Analysts. My guest today and it's been a while, is again Paul Fisher. He is a Lead Analyst acting out of London for KuppingerCole Analysts. Hi, Paul, good to see you.

Matthias. Good to see you too. Been a while.

It's been a while. But nevertheless, we have a great topic because we are here today because we want to have a quick look at your update of the Leadership Compass Privileged Access Management that you just completed with quite a substantial set of vendors and hopefully with some interesting new results. So what can you tell us about this new Leadership Compass Privileged Access Management?

Yeah, the first thing to say is that we took a slightly different approach this year in as much that we redid the questionnaire and we recalibrated the results a little bit. So one thing that people will notice, and the vendors certainly noticed, is that some ratings have gone down across the board from 2021. This is because we felt that we had to reflect the changes in the market. The entrance of a CIEM type of applications of software, and also I think it was just time to to shake things up a little. I think that the point of a Leadership Compass is that it gives a snapshot of where the market is at the time it is published and obviously things change, vendors change, vendors merch vendors don't necessarily remain as leaders or remain as, you know, innovation leaders year after year.
And that is why Leadership Compasses are exciting and why the market is exciting because it develops all the time. So as I said, there are still about I think I got it right, 23 or so vendors and that is despite the merger of Thycotic and Centrify into what is now called Delinea but we have added some more... One of the trends is that we're seeing a kind of split in the market almost between what you might call the mature large vendors who still offer multi module, multi-platform, end-to-end Privileged Access Management and then at the lower end of the market or perhaps maybe the entry level, we're seeing vendors that are deciding to specialize in one area of privilege access. So they might decide to specialize in DevOps or they might specialize in database access or even, you know, do some other area which they decided they are specialist in and that is affecting the market. And I think we are also seeing an emergence of smaller PAM applications that are more suited for the small to medium sized businesses rather than enterprise.
As you know, the enterprise level PAM is a big commitment to big learning curve. It can take many months sometimes to fully establish Privileged Access Management. And I think some businesses are now looking for more instant results. So we're seeing almost like an immature and a mature market all at the same time and I’m not really sure how this would develop in the future. I think CIEM is definitely taking a hold at the lower end at the cloud native, the lean PAM application, and we are also seeing greater demand for just in time access, for certificate based access. We are starting to see not the end to passwords and vaults, but certainly the emergence of certificate based just in time, ephemeral, whatever you want to call it, access starting to have an impact. And as businesses realize that keeping passwords, storing passwords, rotating passwords adds to sometimes some blockages in Privileged Access Management. So that is, as I said, a market divide is emerging between centralized, multi capability PAM platforms and the smaller PAM vendors and the CIEM vendors, which are sort of coming in that part of this PAM market.


You've mentioned that now CIEM, Cloud Infrastructure Entitlement Management, how does that play together with PAM? Is this just PAM for the cloud or is this more?


Well, there's the thing, you could call it PAM for cloud. And it comes something which is sort of fundamental to the whole market is, what is PAM anyway? Sounds like a philosophical question, but it, you know, for two decades at least, we've seen PAM, privileged access, as something you give to people, usually people, like administrators which gives them special status within your organization so they can access certain things such as other people's desktops, software upgrades, databases, etc.. And I think what's happening is things are moving so fast that that traditional area, PAM, is still valid. You still need to give certain people in your organization a traditional privileged access to certain things. But if we think about cloud and what's happening in the cloud and the importance of cloud, so we have infrastructure is code, we have development teams using DevOps and coders, etc.. And what they do, or the very nature of what they do is sensitive and important to the business. By building code, you know, we talk about the software supply chain now and the security of that. So if we take one example of the sort of new PAM users for new PAM people are people that are creating code and creating applications within the organization. Now those people are not traditional privileged users, but what they're doing needs to be much more carefully monitored. And I think we're seeing the emergence of access, which is considered privileged but not called it. And I know that's a funny sort of way, but if you are allowing coders access to repositories like that, if you're allowing them to talk to other coders and you’re allowing them to build cloud, you're allowing them to build infrastructure for the organization, those people are a kind of privileged community because what they're doing is relevant and highly impacts the future of the business.
So that's where we've seen in the last two or three years the CIEM vendors and they don’t call themselves, they don't talk about privilege access, they just talk about infrastructure and cloud entitlement. And I think we had seen PAM for DevOps sort of emerge a little bit, but I think PAM for DevOps was based on traditional PAM quite often on, you know, the existing platforms, so things like defaults and passwords. And I think that's not quick enough for this new paradigm, this new area where businesses expect, you know, expect to agility, they expect a rapid rollout of services and products. They want to improve their infrastructures, reduce costs, improve productivity, use data better, then we have low-code, no-code. And as I say, the impact on the software supply chain. So all those things are relevant to the business and they want that to happen. So the people in IT management or the people managing the coding environments and of course the CISO need to think about how they do that and how they do it securely because as we all know, the business demands stuff and security has to somehow keep up with that and you could never, it's not a battle that you can win or nor should you expect to win because, everyone is working for the business. So if the strategy for the business is to increase productivity to rebuild the entire infrastructure, then you have to do it. And if that means you have to give people access to sensitive stuff, to sensitive parts of the infrastructure, then you need to work out ways of doing that. And I think that's where CIEM is now making a huge push and traditional PAM is being slightly shifted right, if I can use that term into more static areas of the business, but still fundamentally an important thing to have.


So if I understand you correctly, the market has changed in a way that you need to be a more educated reader to look at your Leadership Compass. So just looking at the right upper corner is not enough because you need to know what the functionality is that you really need and what the maturity of the vendors are and which are the problems that you want to solve. So you need more an educated reader. And this is also what you provide. I know in the first two chapters you describe the market segment, you describe what your key findings are and where it evolves. So this is really of importance just the upper right corner is just no longer enough.


No, and I'm glad that you picked that, because we have, you know, it's a big document, a big report, and we do try to explain the market. Obviously, we can't explain it in every facet. Otherwise the report would be too long. But yet, I think this is the best Leadership Compass on Privileged Access Management that I've done and I think it’s the first one that shows a real change happening in the market. Also, an important thing to mention is the emergence of Microsoft as a player in this market. And again, they've come in from the CIEM sort of side of things and they acquired CloudKnox last year, which was one of the sort of leaders in CIEM software, and that was an astute purchase. What Microsoft have done is integrated cloud very rapidly into Microsoft, sort of stable that Microsoft branded it, that Microsoft improved, already improved some of the UX of it. And I think what Microsoft have decided is that we already own the desktop, we own Active Directory, we own a huge percentage of the Identity and Access Management tools that millions of businesses use around the world. And I think by them entering this market, by them entering the market for secure cloud access, which can be monitored and which can be validated, etc., is going to impact the market, at least definitely from next year on. Up until now, we haven't really... well, we have, we've had companies like Broadcom that are parents of... that have a PAM product within their portfolio. But this is the first time, and Micro Focus again is a good example of that, but apart from that, we've had the leaders in there, so CyberArk, BeyondTrust, Delinea were PAM companies. This is the first time that we've got a software giant entering this market with all the cloud and with all the market leadership it already has. So I think they're committed to developing Entra, as they're calling it, into different solutions. So just to sum up this report, I think that the change in the market is one thing and then the entry of Microsoft is another, and that's going to make repercussions throughout next year and beyond.


That's fascinating. And the report is published. It is out there. So I highly recommend to the audience that you head over to kuppingercole.com and pick up the Leadership Compass for Privileged Access Management. Thank you very much, Paul, for sharing that insight and for sharing also that view of a changing market, a rapidly changing market. So it's not just more of the same. It's really a changing and interesting market and also market to cover in the upcoming years. Thanks again for your time, Paul.


Well, thank you Matthias, have a good day.


Thank you and bye bye.