Event Recording

PAM versus CIEM: Clash of Identity Management Cultures or Saviour?



Paul Fisher, Lead Analyst at KuppingerCole, will discuss how the seemingly different capabilities of PAM platforms and CIEM platforms are in fact beginning to converge as multi-cloud architectures come to dominate. The advanced tools appearing in both platforms will benefit CISOs and IT managers struggling to manage privileged access to key assets in the cloud. Paul will explain how to secure ROI from PAM and CIEM, and how, in continually expanding IT universes, architecture matters less than ensuring widespread and disparate identities have access to global assets.

Okay, well, thanks again, Annie. So you can see that I'll be talking today, not so much actually about some of the market patterns, but more about some technical trends, mostly in privileged access management, but also its sort of new cousin, cloud infrastructure entitlement management, and how those two might seem to contradict each other, or even they could actually be a savior for identity access management and security in our organization. So that's what I'll be talking about. So the quick agenda for you: we will talk a little bit about the cloud, how that's affecting our infrastructures and organizations. Then I'll be bringing in zero trust, as I think this is an important area now, and it's had a bit of a revival, I suppose, is the best way of describing that, in the last 48 months.
And finally, actually 48 maybe is a bit strong, more like 36, and then finally some takeaways for you from the presentation. So let's look. So, cloudy days ahead. It is indeed a cloudy day here in London where I'm speaking from. So nothing unusual there. Before we get into technology: quite often, when we do these presentations around identity access management or some facet of cybersecurity, we do focus on the technology, which is fine, but sometimes it's good to take a step back and look at why we're doing this, in other words, what the business needs. And I think what I put up there, the six items, are a pretty good sum-up of where we are. Agility is obviously something that businesses have always needed, but increasingly so in the kind of markets and customer expectations we now have across the world, mostly brought about by, you know, advances in the internet and customer delivery, a huge amount of choice these days of what we can buy and who to choose and who to buy from. And because of that, any organization, whether it's manufacturing or in services, banking, et cetera, needs a rapid rollout of services and products. The product life cycles, product development life cycles, have been slashed very much in the last decade or so. You know, we talk about fast fashion, for example, where literally items of clothing are changed on a daily basis.
Not by me, I, to her also the businesses want improved infrastructures. They're investing in technology because they want their infrastructure to run better. And with that comes cost reduction and improved productivity, getting more in a shorter space of time, improving profitability. Many countries, including the United Kingdom, suffer from a productivity lag, and better use of technology is perhaps one way of meeting that lag. And finally, data opportunities. The side effect of digital transformation is the increase in the amount of data that is produced and stored. And businesses are increasingly aware that within that data is gold. There is data that can help them understand customers better, can help them improve their processes and workflows, but also improve security and identity and access management. So that's a little bit of what businesses want. So now what about users? And I'm here actually talking about business users. So in other words, everyone that works in an organization, not necessarily consumers.
So they increasingly want ease of access and ease of use. They've seen in their consumer devices how much easier it is to do stuff, how much easier it is to use an app, how much easier it is to get online and do virtually everything. And increasingly, as the generations grow up from, you know, millennials to Generation Z, and even beyond that, they expect the same kind of experience within the organizations they work for. And they just want to be able to get on with their job. And they also want the freedom to experiment and the freedom to change roles. But added to that, they also, as they do in the private world, the consumer world, expect good standards of privacy, very good standards of privacy and security. And this must be part of the experience that they have in their organizations as well. So added to that, we have automation and speed. Users increasingly expect trivial and menial tasks, such as form filling, et cetera, to be automated so that they don't have to spend time on those tasks and can spend more time thinking and doing what they're paid for.
And of course, the last two and a half years: it's now probably fairly safe to say that we're in a post-pandemic period, God willing, and that has fundamentally changed the way people work in terms of where they work. We haven't seen a mass return to the office, but we haven't also seen a mass stay at home either. So now we have this kind of hybrid model where people work sometimes in the office and sometimes remotely. And so users expect that, but they also expect that wherever they're working, whatever platform they're using, whatever kind of device, the experience is the same. So they get the privacy and the security and the ease of use that they would get perhaps in the static office as they would working on a laptop. So all of that is what businesses and users combined. So changing the focus slightly now and getting to what we are talking about this morning, and that is privileged access management and cloud infrastructure entitlement management. How do these fit into this new world that we've been talking about? First of all, we need to sort of look at the differences. So privileged access management has been around for, I don't know, 20-odd years. We would now consider it a mature technology. There are proven leaders within the field. You can look at our Leadership Compass to see who they are.
And there's probably about 20 to 23 active vendors in that market. Privileged access management, though, comes from a different world. It comes from a world without multi-cloud. It comes from a world where we don't have the advances that we have now. We didn't have the same kind of level of dynamic requests or dynamic demands for access to infrastructure. So whilst some privileged access management vendors have addressed that in certain things, so they have actually increased capabilities in things for DevOps, et cetera, it still kind of feels like it was built for a more static environment. So in the last two or three years, cloud infrastructure entitlement management has come along.
And this, right from the start, was built for the cloud. Most of the platforms are cloud native. And the emphasis there is on entitlement management rather than access management. But you'll see that those two terms are starting to merge. So is there really a difference between access management and entitlement management? Because when you give someone access, you are actually giving them entitlement to do something with that access. But the key difference is the speed of access and the way that CIEM manages entitlements and the way that it is specifically designed to manage cloud infrastructure and the resources that reside in the cloud. So there's a difference. To put it more crudely, PAM equals static and CIEM equals dynamic, but they can work together. And many organizations will have PAM installed of some sort, and they may now want to put CIEM on top. They can work independently. So you may use PAM for specific lines of business or specific departments within your organization.
But neither one, we would say, is now a solution or a savior on its own. And it's increasingly likely that organizations will need both, particularly if they are, as many organizations are, multi-cloud, multi-location, multi-device. So that's access management and CIEM. So here at KuppingerCole we've actually gone a little bit further with defining the market. And recently we published a report, a Leadership Compass, on what we've entitled dynamic resource entitlement and access management, or DREAM for short. And we've used that as a paradigm that encompasses both CIEM and PAM and, as you'll see from this chart, also elements of traditional identity access management and even identity governance. So let's just quickly go through this chart and explain how this works. So we have a core business infrastructure, so that can be whatever it is. It could be three people in an office, or it could be a global organization of 300,000.
It will comprise probably of many on-premises architectures, but it'll also now have cloud-based architecture, which, if you quickly go to the right, you'll see that I've also put in as something to access. But the two do work together, because one of the complications of the infrastructures we're having now is that you have cloud access to other clouds, and people work within private clouds to get access to other cloud services. So we've also identified what we call the six key identities. So we have, say, administrators, developers, end users, machines or non-human identities, third party and endpoints. And you could possibly add into that OT and edge devices, but to keep it simple, we've kept it to those six. But we're focused now on end users and machines, because right now we believe that end users and machine identities are the ones most likely to want to have dynamic access to resources, particularly machines or applications, which are part of dynamic workflows and tend to, you know, look for things like pieces of code, et cetera, in order to complete the workflow.
So those identities go through this process of access and entitlement, and depending on the type of identity, depending on the type of access or entitlement required, these can now be funneled either through PAM, through CIEM or through IAM. And that would then give access to, crucially, the cloud services, which are now dominating our organizations. So we have platform as a service, where people build a platform for applications; software as a service, and, you know, very few organizations now do not use some kind of software as a service, things like 365 or ServiceNow, et cetera; infrastructure as a service. And then again, as I mentioned at the start, the private clouds, which are very much part of the mix. And then we've also identified key resources that identities will look for. And of course, files servers, workloads, and containers, containers obviously very important to the developer community, but it also would be virtual machines, administration accounts, credentials, and of course databases.
So that's DREAM as we see it working. So DREAM is not a technology. It is a paradigm, and it's a way of defining how we manage dynamic access and entitlement. So moving on a little bit further, as I said, zero trust has now become, not fashionable, I don't think that's the right word, but it's become talked about quite intensely now in the last couple of years. And again, I think this is a result of the pandemic and a shift in the ways of working, but also the realization amongst organizations that the advantages of cloud and cloud infrastructure can't be had unless we improve the way that we manage them. So zero trust, and we have many, many documents and research pieces on zero trust and how it works. But the essence of it is you don't trust anything. You don't trust identities, you don't trust requests for access. You always verify before you authorize. But zero trust, if it's gonna work, requires a unified approach, a perspective that goes beyond the networks, et cetera. It needs to encompass the whole enterprise, the holistic enterprise, and the way that you manage identity.
So, as I said, zero trust with cloud and DREAM makes for a good way to start thinking how to manage identities in the new environment. So how do we get there? Well, we need what we are calling a unified architecture. So we have to think about everything as a whole, think big. So even if your organization is technically not big, you need to have a bigger view of how you're going to govern and manage that organization going forward. The key thing here is this second phrase: understand how everything relates to each other, to protect everything and everyone. And that really goes all the way from the zero trust right through to our DREAM architectures. And if we start thinking like that, we can start managing the access better. And of course we need governance and management in place, but those things will come. But we need to think of this as a fabric, a cybersecurity fabric. It's not literally a fabric that wraps around, but it is a set of services that, you know, are part of what I just described in the DREAM diagram, that will enable secure access and entitlement, but also detect and respond and recover and protect, the traditional areas of cybersecurity.
As part of the process, identity management. This is something that I like to say in nearly every presentation that I do right now. And I realize I'm running a little bit out of time. It has often been said that cybersecurity, and access management even, is everyone's responsibility. I like to think that it's not actually, and I think what we need to do is create these infrastructures so that the responsibility is then put onto our policies and is put onto the technologies and the automation, so that people can get on with what they want to do, safe in the knowledge that they are safe and they are secure, and that what they want to do is enabled rapidly. And this is particularly true because the CIO, the CISO offices are moving much more to an enterprise corporate level with long strategic goals, such as a digital transformation of an organization, and less so with managing security on the ground and managing identity and access on the ground. We need to verify, entitle and secure.
So just to wrap up quickly, and I'll be very happy, you know, you can email me after this if you want to talk more, but we need to accept new centers of control. We need to put IAM much closer to where it is needed. We need to empower new nodes of security. We need to embrace infrastructure as a service. We need to automate as much as we can so that we can give people that enablement to do what they want to do and to innovate themselves and to change their roles as they go. And finally, just to explore what's out there in privileged access management, DREAM and CIEM. And as I said, we have a privileged access management Leadership Compass, and we also have a DREAM Leadership Compass out now, which gives you a great background and starting point for this. So thank you very much.