Event Recording

Paul Fisher: Trends and Findings From the 2020 PAM Leadership Compass

The PAM market has never been so dynamic and competitive as it reacts to changes in demands from organizations grappling with the effects of digital transformation on security and compliance. The findings from this year’s KuppingerCole PAM Leadership Compass reflect this dynamism as the vendors innovate across the board and add much needed functionality. Join Paul Fisher, Senior Analyst at KuppingerCole, as he discusses the findings from the report and what they mean for PAM in your own organization.

So, yeah, thank you, Annie. And as I said, this is a presentation about the Leadership Compass that I did recently on PAM and some of the learnings that I found from it. So here's the agenda. So I'll be talking a little bit about the Leadership Compass itself and how we did it. Then the PAM market, some, an analysis of where the PAM market is, some facts and figures, and then finally, how PAM may develop in the future. So that's the agenda for today, and I hope you're enjoying your coffee if you are, according to that picture. So first of all, we'll, we'll have a look at how we did the research, the methodology, and the process that we used. And then as I said, the PAM market, the market is experiencing pretty rapid growth and solutions are moving from what might have been a siloed security function to what I call a key identity hub.
And some of our previous speakers have already alluded to the way that PAM is changing, which is great to see. And then finally, what the research tells us about the future of PAM and how PAM fits into business today, how PAM vendors are reacting to changing demand and reflecting that in new features and innovation. So there's an overview of what we're talking about. So this is how we did it. We created the biggest ever PAM Leadership Compass. And to do that, it does take quite a lot of time and preparation. So we had 24 vendors in all, and each one of those vendors then gave me a briefing, an overview of their product and feature set. And those briefings can last for between 30 minutes and an hour, depending on, well, depending, really, on how long it takes. That is followed up by a 350-point questionnaire.
All the vendors are given a questionnaire to fill out. And then that goes into much, much greater detail about the products and the platforms. We ask about the company. We ask about financial performance. We talk about future product plans. All that stuff is put down into a questionnaire. And then that is then put into an Excel. And each product and vendor is weighted by algorithms, which are embedded into our special Excel spreadsheet. From that we generate, well, the reviews. The actual written review of each product is a review written by me. And then each review has sort of strengths and weaknesses built in, but probably of more interest, particularly to the vendors themselves, is a sort of scientific bit where we have ratings, scatter charts and spider charts. And these are generated by the rating sheet, which is developed from the questionnaires that all the vendors provide back to us.
And obviously all 24 vendors did that. The draft report, which ran to, I think, something like 90 pages, is then peer reviewed within the organization. So other analysts will look at that. And then we send the, the draft reviews and the scoring to be fact checked by the vendors. And that obviously is a critical point because we want to ensure that we always provide a fair and independent assessment of all the products that we look at. And part of that is the fact checking process so that the vendors can say, well, actually that's not quite right, or this is no longer relevant, et cetera. That is then fact checked. Once the fact check is done, once the vendors are happy and we are happy, finally, the final reviews and the scoring are determined by KuppingerCole. And then several months later, the report is published. And as Annie said in the introduction, the report was published in May 2020, and we're already looking at starting quite soon, 2021.
So how do we measure the vendors? These are key parameters and features and capabilities that not only apply to the PAM Leadership Compass, but also to all our Leadership Compasses that we do. So we look at product leadership, innovation, and then market leadership. And within those, we score the products for security, functionality, how it is deployed, how easy it is to deploy, interoperability, usability, innovativeness, market position, financial strength, and then the wider ecosystem. And obviously when we looked at 24 vendors in, in the Leadership Compass, they're all of different sizes and they're at different stages of development. Bigger companies are gonna have a bigger ecosystem, et cetera, but we try to, that's part of the scoring process, is that we try and, not level the playing field, but give all the, the vendors an equal, equal judging. So that just because a vendor is small, it might not have a huge ecosystem.
It might perhaps lack the financial strength of some of the bigger vendors. However, one of the great things that I've noticed about the PAM market since I've been analyzing it is that small can also mean innovative, and small can also mean they come up with some cool ideas that we might see in other PAM products in the future. So they might actually have also very easy deployment or very easy work with other existing legacy systems. So it isn't just about financial strength. It isn't about being the biggest in the market. It's about, you know, feature sets and how those apply to the market. So I'll move on and show you just how some of the PAM vendors scored in the 2020 PAM Leadership Compass. And so you can see there that we have product leadership, innovation leadership, and market leadership. And I put these in alphabetical order just to be fair to everyone, but you can see there that not all the names are the same in each one. And also, and as I was saying just now about innovation leadership, we have more companies in that sector, which is great news, great news, because it means that the, the PAM market is innovating really well. So we have, you know, some smaller, smaller companies in there, and it's not just a big one. And that, that's really exciting.
One of the reasons, I think, that we are seeing market growth and why we're seeing that, that, that range of innovation and why we're seeing more vendors come into the market, excuse me, is, is because of the demand. We have estimated that currently there are around 40 vendors as a whole within, globally. And at the moment they have possibly a combined annual revenue of about 2.2 billion. We think, we predict this will grow to at least 5.4 billion in five years' time. And again, there's lots of reasons for that. And security is just one of them. And here's some other reasons. As I said, security is traditionally seen as the main driver for PAM applications. However, there's a lot more going on in the world. And as previous speakers have alluded to, we have digital transformation, we have governance, risk and compliance demands, which are getting harder to meet.
We have GDPR, obviously, in Europe. We have the California privacy act now in the United States. We have things like DevOps, remote working, robot devices, or machines that are also looking to get access to privileged accounts. We have the shift to the cloud, which is not as widespread as commonly thought. APIs. We have supply chains. COVID, we all know about that. COVID has driven not just the whole world towards rapid deployment of remote working, it has also meant that people are now trying to access privileged accounts from home as well. So COVID has been a huge driver, and I'm sure, PAM vendors have told me that in the last three or four months, demand for their products has, has significantly increased. Couple of other things: consumer ID, internet of things, and edge devices.
So PAM vendors are responding. Well, PAM for DevOps is now providing, sorry, PAM vendors are providing extra modules or standalone products. Any such solution, those should be designed to accommodate the unique challenges of DevOps, such as rapid project turnaround and just-in-time provisioning. Task-based automation is another new feature that we are seeing coming into PAM a lot more than we used to. And again, this is driven by the things I've just been talking about. Remote access, well, again, I've just mentioned that, but if it wasn't apparent before, it's certainly apparent now, and whatever happens after COVID, a lot of people are probably gonna continue working from home. And a lot of those people will be doing some maybe complicated things from home, not just accessing fundamental applications. And access governance is something that we are seeing come into PAM products as well, so that people can get insights into what is happening to privileged access and also include privileged access certifications and provisions for reporting, dashboarding, and governance is, is increasingly important in the PAM market.
So what of the future? What would the report tell us? And here's just a few things that I, I think is the future direction of PAM. We're seeing more advanced capabilities coming in, such as privileged user analytics, risk-based session monitoring, advanced protection are all there. And more and more vendors, we've seen, certainly in, in this year's Leadership Compass, are starting to include those features into their PAM suites. And as I also mentioned, there's a new generation of providers that are targeting more niche areas of privileged access management. They may even look at just, say, DevOps or access to APIs and things like that. So we're seeing, as the market develops, we are moving with, with, you know, wide suites, but we're also seeing more niche products springing up. At the same time, we need more, more integrated products as well, ones that can automatically detect unusual behavior and initiate automated mitigations.
That's, that's really important. Again, the, the attack surface expands and the number of attacks increases. So we need much more integrated and comprehensive PAM solutions. And as I said, another exciting thing is, is, is seeing how different vendors are taking different approaches to solve what is still the underlying problem: restricting, monitoring and analyzing privileged access and the use of shared accounts. And that's something that came out of the report as well, is that it's, we're not having, we haven't got a homogenous bunch of products. We're seeing everything, you know, people are taking different, different ways of approaching.
So running outta time a bit. So the four main key trends that I think we're talking about, or we can talk about a bit more during the day, is PAM for DevOps, PAM as a service, PAM for SMBs and hybrid PAM, or something that I talk about as PAM ops. PAM for DevOps is, is, is kind of like the big thing at the moment. And it's not just hype. People, companies are realizing the importance of DevOps to their organizations. They're understanding that if they're gonna remain competitive, and if they're gonna respond to rapidly changing demands in, in, in consumer choice, then they need to be able to develop applications far, far quicker than they do now. They need to be able to change their consumer-facing applications, their websites, almost not just once a day, but, you know, tons of times a day as things change. That's how fast it's going. PAM as a service is something that is also increasing. PAM for SMBs, which is kind of related to PAM as a service, but not necessarily. We are seeing that PAM vendors are looking at on-premises products as well, that are geared towards SMBs. And finally, something that I've been working on myself is a hybrid PAM or PAM ops, as I have termed it, especially for, for today's KCLive event.
And I'll finish with what I call a next-gen hybrid PAM stack, and to go through that just quite quickly in the 40 seconds that I've got left, we have all our digital identities up the top there, and that can be obviously people, but now increasingly it's machines, it's robots. It could be an edge device. It could be an, you know, a thinking car. At the moment, most of those will go through a traditional PAM layer to get to applications and data that they need. But I'm thinking that in the future, we may have something embedded within all of this called PAM ops, which would give a direct channel to people like DevOps that want to get as quickly as possible to microservices and containers. And I think with that, my time has finished.
