Webinar Recording

Privileged Access Management: Cloud Delivery Without Compromise

Privileged Access Management (PAM) solutions are critical cybersecurity and risk management tools for just about every business to address the security risks associated with privileged users and privileged access, but not everyone can afford expensive on-prem deployments.

Welcome to the KuppingerCole webinar "Privileged Access Management: Cloud Delivery Without Compromise". This webinar is supported by One Identity. And the speakers today are Dan Conrad, who is the IAM strategist at One Identity, and me, Martin Kuppinger, I'm principal analyst at KuppingerCole Analysts. Before we start, a little bit of housekeeping and a little bit of information about upcoming events. We have a series of KCLive events coming up before we down, and we'll have in September our European Identity Conference. So some of the next KCLive events, which are usually health state virtual conferences for free, are one around managing digital workflows with ServiceNow and all the considerations about potentially picking ServiceNow as a central element in the IT infrastructure, then we'll have one around cloud strategy optimization, and last but not least the access management playbook, securing today's organizations.
So this is what we have in our planning for June, July. Have a look at it and don't miss the easy ones. Then for the housekeeping part, we are doing a recording. So this webinar is recorded and we will provide the slides as PDF after the webinar for download as well as the podcast recording. We do a Q&A session by the end of the webinar. The Q&A session is at the end of the webinar. We may occasionally pick through a lot of questions during the course of the webinar, but in most cases, we trust to answer the questions by the end. However, you can enter questions at any time. You're looking at the right side of your screen, there's the GoToWebinar control panel. And there's a questions area where you can enter your question so that we have the questions readily available when we start the Q&A session.
And last but not least, that is maybe new to some of the ones who have been participating in or listening to KuppingerCole webinars earlier, we will do one or two polls today. We will do two polls with quick questions and Joon do webinars, and we'll then discuss the results during the Q&A session. So live in watch YouTube to participate in these polls, to take the opportunity to provide your feedback. Because I think that gives some more insights into where are the petition peds today and all that stuff also adds to the Q&A session. So we will do the first poll in a minute. Having said this, let's get started, and we get started with the poll. So the first poll, which should polo in a second: how many PAM solutions do you have in place in your organization today? So cloud PAM, endpoint privilege management, shared account password management, how many different solutions, different tools do you have in place: one, zero or one or two or three or more? So please enter your answers. Now that's not the more Patricia paints them more interesting. It will be the more insight we will get. I'll leave it open for another 15 seconds or so before we jump into the content of today's webinar.
Okay. Five seconds to go. Okay. Was that close to poll you shouldn't yes, I back here and we have a look at the agenda. So the agenda is split into three parts as I've already announced. So the first part will be me talking about a future of PAM and then Dan Conrad from One Identity will talk about shifting PAM to the cloud, what to consider. And last but not least we have our Q&A session with that.
I'll start. And I will start with something which I observed in the market. I talk a lot with organizations in inquiry calls and advisories and on many other occasions, said, wait a minute, look at each, each customer on each person and choose an organization. I spoke last, I spoke to the last 24 months, felt some of the loss of the triangle with PAM solutions from traditional PAM and endpoint privilege management and PAM for DevOps and cloud integrated payment.
Whatever else is out there. And I think that is a challenge for the market because it makes it relatively complex to make a reasonable, well-informed, focused buying decision. And I think also when I look at what we did, to some extent and on what we thought of reflected in our research, it is that PAM became too complex. So when we look at this picture, then we have a vault, a password manager, an access manager around that, but you also have a session manager for session recording and auto capabilities that are recording management. We have permission things that on Prentiss, user behavior analytics, shared account password management, application to application privilege management and pod privilege management, just-in-time privilege management, and many other things. So we have the abbreviations explained below that picture, but what I want to really focus on is, there has been an evolution of PAM, which is good.
It led us to a very broad range of different types of offerings, different terminologies, different passwords into market. And I think it's time to get back to a little bit more clarity and simplicity, but it's not that they're single solutions. No, there is no single, so it's not a simple answer because there are different use cases. There are different requirements out there and so it's about understanding, what do you really need to succeed in this final of privileged access management, which is also evolving. And today's topic is also about this entire Siggy boiling to the cloud, which means there's also PAM from the cloud, PAM for the cloud, PAM delivered as a cloud solution, replacing traditional approaches. And so understanding what you really need to do is I think the key point for succeeding in PAM when, when not tried to, to bring a little bit more clarity into that.
So I recommend taking two perspectives for everyone. Also the analysts, the vendors, and the end users, and these perspectives are on one hand, what shall be managed, and the other is where shall it be managed? So the what is, for instance, a session management thing, and it's also the sort of the access. It is the authentication. It is this nowhere is so structured and Sasha management in a compassionate manner for business vacation, application applications. One thing I've done dusty and pawn versus server side and cloud systems, you management and other things. So those are relevant perspectives. And the thought of that for managing privileged access, we also have other elements, there's identity and access management there, which is about for instance, the account life cycle management. So who is the owner of a shared account, managing privileged users, stuff like that. There are specialized PKI infrastructures for connect things that also are about this administrative Xterra, cloud access security brokers, controlling access to cloud services.
We also need to understand how it's overlapping, what really helps us. So English issue, and don't you want the area's secrets, sessions, entitlements, life cycles, there are different things. And you need to look at where do your travelers to start? What is your biggest problem, which are problems? What are your, what can you solve? Well, what can you potentially maybe solve as a tool? You have a place like your ha solution and whether you need a specialized tool and where to manage it. So where are these sensitive accounts, this critical access sinks. We follow embarrass this bridge X happening. Isn't the server, the application endpoint. And he had defines what you need, where your gaps are. And, you know, we confirmed since creative, absolutely for metrics and say, okay, let's look what we can already do. What we have some sort of folks, simple, Pete Gavin alive, to understand where to put your focus on.
And then on the other side, also look at how to edit. And I think this is, I don't really need to change. So a side of, a lot of innovation, we also have this change that we see more and more delivery of services from the cloud, as we see for originally. And we're seeing more delivery from the cloud. And when we look at these different flavors, different challenges, different use cases. So to what underwear, then maybe three main capabilities areas. One is the secrets management part: passwords shadow cards, individual accounts machines, but at the end, total domain is relatively the same. It's about managing the lifecycle, rotating passwords, keeping secrets in a vault, whichever type of secret it is. So this is one problem domain, or once you should domain as well, then there's the social session management official looks more. It, what is happening at runtime?
So who is doing what, who's performing, which grows access is that it's another domain about logging, monitoring and recording, analyzing. Once again, related challenges also, for instance, challenges like, does it make sense to record tons, terabytes, petabytes of data if you don't have a process in place to analyze them, to do something with them. And then there was the endpoint part of it, just somewhat different. You could argue, okay, it's also about Didi access and what happens there. But at the end, there are some, despite a set of specific capabilities, such as black and white listing of applications. And so it kind of be kept separated. Also, we see some tendency to go off this endpoint privilege management converging with the proto EDR space, the endpoint protection detection response space. So if you look at all these different things, then most of them would fit quite well into different areas.
So service or sections management, session recording, session management and prudence, user behavior analytics are boasted that middle area, occasionally application password management, shared account password management, prudish single sign on our posts on the left-hand side, this first pillar, and then makes it a little simpler to understand how these things really fit together by then now additional things like the PAM for DevOps. So we hear a lot about privileged access management for DevOps, but be careful, it's more than just managing keys for your cloud or DevOps infrastructure for systems starting up and going down, for instances, for containers, because yes, that's part of, but it's also about your privileged access management to the DevOps tool chain. So who's allowed to do risk prohibition actions with the different tools you have in your DevOps tool chain to administrative star broached uses of teas, the entire administrative tools of your as a service environments and the MTA applications you build, which is the very traditional privileged access management.
So it is from my perspective, nothing else to deliver improved access management for one, all it infrastructure. So it must not be a separate discipline. It is something that converges and there's the lock sheet to deliver these capabilities from the cloud, because you're your DevOps who are most likely will be in the cloud, but it's not that you say, okay, there's a totally different domain in that. If you just say, okay, I look at these secrets, the keys for my containers, then you have solved only a very, very small part of the DevOps PAM problem. And what about the entitlements? A lot of restricting access. That's a specific teller for pros and cons, but the end, so does elevation perpetuation management stuff for instance, is part of it. And there are some specific things like who's allowed to do what on a certain type of shell, which are to execute, which commands and stuff like that.
But on the other hand, there are a lot of traditional standard ITA manage entitlements, which comps a lot to what system there are new things like the different lift ephemera, just-in-time access things we see in projects as management, I believe are just part of a bigger story or user behavior analytics, which says, okay, Q2 to rescue it, not entitled anymore to do that. Or so again, what I'm looking for are integrated solutions that combine capabilities, or that integrate your ITA solution with your PAM solution. Something down on Kuli will cover at least mentioned for, for what, what, what identity is doing, which have their offerings in both areas. So that's another part to look at when we think about verse PAM moving in. Last but not least, and this is the main theme of this webinar, the cloud words already on the cloud already.
A couple of times, we don't look at the cloud. Then I think we have to look at two aspects. The one is managing to access in the cloud. So for the as a service world, paid infrastructure service platform as a service, so versus hers and Jada is where does PAM run? And I think where to run your PAM, this is one question. The most important thing, from my perspective, is your PAM must support the hybrid reality of your business. It doesn't help you to have a PAM for the cloud and a PAM for the on-premise world, or even a couple of PAMs for the cloud, one for AWS, and one for Azure and one for Google and one for whatever else. It helps you to have something which helps you controlling your hybrid reality. And that is what you should look for.
And from my perspective, also from a deployment perspective, good PAM's flexible deployment. When we look at this pendulum swing you from, it was in cloud native to oh, edge computing might be a good idea, which is somewhere in between, then it becomes clear. Do we also need some flexibility in the deployment of PAM, because that allows you to adapt to your specific needs, that you might even need instances running here and running there for various reasons, being close to what you manage. For instance, when you look at your, for manufacturing, it might be a good idea to be closer to that. Then in the cloud, if you manage and wanting to apply it very quickly across a broad set of targets, a broad set of where, what I mentioned before, then it would be maybe a very good idea to do the work from the cloud.
From an analyst perspective, I have to say, PAM is ready to petite blood from cloud. So I'm down the intersect on a lot of stuff. There's a lot of nice would say really accruing maturity as was every SSR is approach it's as a service. So you don't need to install from scratch and doing things like that. So to come back, the comma, come to my conclusions, to come to a summary. My main recommendations are: so when we look at the PAM market, we need to be very conscious about what do we really want to solve? The most important recommendation at the end is don't go for a new solution for every single problem. It never helps. It doesn't help you to have a lot of identity management out there. And it doesn't help you to have too many projects management solutions out there. There might be specializations for endpoint, for sessions, for runtime, for shadow Kompass, but for measurement.
But those that want to put that folks put that cloud on that cloud and more and more and more try to consolidate, keep you always a Nile, constantly dating it. Sometimes it would meet potentially mean, okay, better making my creation to something which serves a broader part of your world that trust heading it, a missing element here, and Darren dare and resync your PAM needs before making your decisions. So understand your use cases, what is what you really want to do, which capabilities do you like? What helps you mitigating your risks limited number of two or five touches already and do it in a way that supports your IQ reality, but it's also ready to support changes in your IQ reality, more cloud, more edge computing, et cetera. This is what from my perspective is essential to do. And before we come to the end of my part and switch over to Dan, I'd like to bring up a second poll, which is a very simple question. Yes, no. And that question is, are you considering shifting, or have you already shifted your PAM to a cloud-based deployment model? At least partially. So if you have parts of it in the cloud, select yes. I leave you another 20 seconds or so to answer.
Okay. 10 more, five. Okay, perfect. Thank you. And was that being back here? And we'll pick that ourselves during the Q&A. I am back here to finally welcome Dan Conrad, who will become the moderator right now.
Thanks Martin. Appreciate it. Some great information there. I mean, great considerations. I mean, you always share the latest and the greatest of everything that you talk about, really pursues the, you know, the PAM market or whatever we're talking about specifically. Today's a little bit focused. So we're going to talk about shifting PAM to the cloud and some of the implications that go with that. I'm going to discuss a few of the lessons learned. I spend a lot of time in my role at One Identity. I'm speaking to customers about identity and access management, whether it's privileged account management and privileged access management, identity governance, you know, everything down to something as simple as password resets. How do I enable my users? But in this case, we're going to talk about the concept of PAM and how that fits with the cloud.
There's definitely some considerations. And I use some terminology here, like cyber security goals. Obviously, you know, we have a term that every organization is a snowflake. Of course, they all have different jobs, different missions, different requirements, different cyber security goals. Hopefully those have been clearly outlined. The word hygiene is a little bit different as well in regards to cybersecurity, because we're talking about not only how it's implemented, but sort of an acceptance level. How is cybersecurity accepted in the organization? Are the users embracing it? Are the administrators embracing cybersecurity and the concept of privileged access management as a whole? I can think back to many years ago, organizations that I've worked in, and the concept of privileged access management was not something we thought about greatly. But then when we started to realize that there were potential problems due to the growth of the organization, the explosion of administrators and the explosion of privilege before privileged access management existed, we started putting controls around that.
So that seemed to be a little bit forward-thinking then. Now from a PAM perspective, forward thinking is a whole different story. How has your organization embraced privileged access management? Do they definitely see a need for it? And then when they see the need for it, how is it implemented? And to what extent is it a hundred percent across the board, or is it did the project start and then stop at a certain point because privileges didn't need to be managed in a certain way. I've seen organizations that came to us with a specific access management problem. And after, you know, deep discussions and a lot of inquiry, we learned that they had a PAM program that stopped short. Maybe the project lost steam, or maybe it wasn't part of the overall cybersecurity goal of the organization to implement PAM. So it stopped short and it left them with vulnerabilities that now they needed to remediate.
Another thing to consider is corporate policies. Whether you're an organization with millions of employees worldwide, or you're a startup with 10 employees, it's good to have clearly defined corporate policies around cybersecurity, as well as other initiatives. And it may sound a little bit ridiculous, but if those can be documented, even in the smaller organizations, it gives employees a clearer path to what the overall goals of the organization are. And then any of those ongoing programs, any new programs that are brought into the organization, or maybe the organization grows, maybe they merge with another organization or acquire, then that mindset can move forward around: well, now that you're part of this organization, we manage privilege this way. And here's why we do that. And I believe there's even a growing acceptance among employees, administrators around protecting identities, and that should follow through into a world of privilege.
It definitely, you know, the people that use the privileges definitely understand the value of protecting those privileges. And then all of those policies, if they have that mentality of security in the background, always a mindset towards the cybersecurity initiatives and all of the concepts such as zero trust. I hate to bring that term up, but the concept of zero trust is that moving forward in managing privilege in the organization. So a couple of things to consider talking about moving privileged access management to the cloud. You know, I've talked about the organization that maybe didn't implement PAM completely. How is it deployed now? Are you new to the PAM world? Is this a new PAM program or are you simply taking what you have and shifting it to the cloud, or is the cloud going to fulfill a requirement for privileged access management that you don't currently have in some sort of an existing PAM program?
Now, the, the concept of privileged access management has grown quite a bit since its inception. It's more than just vaulting and really more than session management. You can tie that into any level of privilege. You know, I've heard some, some speeches and some concepts around every user is privileged. Well, not exactly. We really want to focus on the accounts that aren't common to be used by the, every I call it the Joe dot user account or the Dan dot Conrad account. My individual account shouldn't have any privileges that really need to be managed the way I, I control privileged access management. So we want to figure out how this is deployed in the organization and how is it accepted? Do people use it willingly? Are there when new systems are deployed and rolled out, is there a point in the project plan that says, we need to determine how privilege is going to be used in this new system or application or network or device, or what have you, and basically get those vaulted.
It's the concept of controlling the keys to your car. Do we going to make sure that we control that key everywhere we go, it's going to be kept in a certain place. It's going to be used a certain way, but the same thing applies to privileged access management. And then if you're coming in with a, you know, if you're thinking about shifting PAM to the cloud, but PAM is not widely accepted or a hundred percent deployed, or part of the corporate security strategy, you may want to consider that your PAM project may not be as complete as you think it is. It'd be good to take a survey or do some research in your organization as a whole, and figure out the scope of the existing PAM that's in place and find any gaps that either need to be filled in with a new solution, you know, maybe from the cloud, or that you can take your existing solution and simply extend it and complete that.
And at that time, if it's, you know, shifting to a cloud is necessary, required, or optimal, that fits your organization's overall scheme plants, things like we have a cloud-first strategy. So any new systems need to be moved to the cloud. You can definitely roll that in and make the cloud part of that. What I'm specifically talking about is PAM running in the cloud. So that can be in, at One Identity, we offer PAM solutions as hardened appliance, virtual appliance, that sort of thing, but you can also think of shifting that to a cloud offering and then other vendors as well, and provide similar types of project plans or similar types of deployments. But what we call it in the industry is we call it a consumption model. So how are you going to consume PAM? There's a lot of options in the market.
As Martin mentioned, the vendors have made it intentionally confusing. Maybe that's not the right answer, but there are a lot of things to choose from. And a lot of considerations. If you're simply an on-prem Active Directory customer, how would you go about managing privileged access management in a strictly Active Directory environment? Or if you live in a purely DevOps environment, that's definitely different than what you would do for something that's a purely Active Directory with users and desktop applications sort of environment. But some of the, you know, couple of categories that we can talk about from consumption models. So we have your hardware, your appliance. We can say, you know, looking back that the hardware, the hardened appliance is probably one of the most secure PAM solutions. And, you know, not to question the security of the cloud, but when it's all, you know, if somebody steals your PAM solution and it was a hardware appliance, you pretty much know that it's gone.
Then you can step into that concept of taking that hardware appliance and virtualizing it. So years ago, many organizations went with a virtualization-first concept, obviously the precursor to a cloud concept, but the virtualization was required for data centers where we can't install new hardware. We can't consume more power. We can't use more air conditioning. And the great thing about an appliance or a virtual appliance is it doesn't use any of those other than running on a host, but it's managed just like a physical appliance. When you get into hardware and virtual appliances, you consider things like high availability. When you're running an on-prem PAM solution, you're putting all your critical keys in this one vault. You need to make sure that that vault is highly available. That may sound like an obvious thing, but it's really something to be considered. How are you going to provide high availability for physical and virtual appliances?
Software follows that same type of concept. There's many PAM solutions on the market that are available as software solutions. This may be specifically targeted at smaller implementations, but you need to consider the things like scalability on those software solutions. How are you going to make them highly available? And then since it is actually privileged access management, how are you going to secure that software? So there needs to be specific plans in place for all three of those, for the on-prem and the owned and maintained kind of environment. And when I say owned and maintained here, this is you can put your hands on it. This is something you own, something you pull down, you know, you actually own this and it's your responsibility to provide those things like the power and the air conditioning and the patching and the upgrades, and all of that, that goes with that. Taking that concept and shifting it to the cloud model brings about some very distinct differences.
Obviously, if you know, we're asking questions about this in a cloud, it's really a different kind of conversation. So you can look at something like shifting your PAM to the cloud and still own it. So you can still take that software appliance or the software, or the virtual appliance and shift it to that cloud and say, it's now running in AWS or Azure or GCP, whatever you have for that cloud offering. And simply run that virtual solution in that cloud. You're still responsible for all the same things that you were for the on-prem with the exception of things like power and air conditioning. So you have to install it. You have to maintain it. You need to provide the high availability, which is something you're not really considering. Now, granted the cloud does provide some level of high availability on those virtualized platforms, but it's still a different type of consideration than you would have from an HA from an on-prem solution.
And then you can go into the marketplaces and you can pull some of the same solutions into that marketplace and use them just like you would if they were on prem. Again, this is something that is running from the marketplace. So you don't really have to, you're not going to be able to control the things like the HA. The HA should be implied at that point. You've got the advantages of running it in the cloud where you don't have to use power, air conditioning or rack space, or even cycles on your virtualization platform, but it's going to run in the cloud for you. And then you're going to be charged appropriately based on whatever the licensing model is for that marketplace solution. The on-demand solution is, you know, I'm from One Identity. So I know the One Identity Safeguard On Demand solution provides you these advantages of the cloud without have to buying them without the, by the cloud.
So if you were a small startup and you have, you know, several employees and you decided that PAM is something that you really need to do, something like Safeguard On Demand can provide that for you, that runs in the One Identity cloud, and then provide you all of those advantages of having the PAM solution from a vaulting of the session management running in your data center, but it's actually running in the cloud. So it'll give you all of that capability. At that point, you still control the solution. You're still responsible for doing the things that you do with a PAM solution, like enrolling systems and managing credentials, and setting up the policies and processes that go along with PAM, processes like accounts on system A need to have their password cycled every 10 days and accounts on system B need to have their password cycled twice a day.
That sort of thing is still on you and your policies still apply to those systems, and it will do all the work for you, but it will run in the on-demand offering from a cloud. And then one thing we're seeing that some of our customers actually prefer is to basically outsource that. And we have vendors that provide that, and we call it complete PAM as a service, and that would run through a managed service provider. Now that's not something One Identity offers, but it's something that some of our partners will offer running One Identity solutions. And that may be an on-demand solution, or it may be a marketplace solution. It may be running a virtual appliance in their data center, but at that point, it doesn't matter to the customer. It doesn't have to matter to the customer where it runs.
It's just for them to know that they have privileged access management as a service, and it gives them capabilities to do many different things, or simply, you know, from many different levels of that provider. They can simply call the provider and open a ticket and have another system added, or they can manage their own system themselves. The things to consider in things like the infrastructure as a service, marketplace and on demand, or even the managed service provider is how is that tenant running in something like privileged access management. You may want to say that my privileges or my credentials should only be running in a tenant that's just for me. And that's something that One Identity offers. So that could be a single tenant offering where all of the credentials that are stored in this vault are your credentials, and they're not mixed in with others.
And then just separated out via logical partitions, per se. Stepping into what the One Identity offering is, you know, based on the previous slide, the one thing you're not going to see here is a software-only solution. One Identity does not offer privileged access management as a software-only solution. You know, we're the oldest vendor in the privileged access management space. Now I say that because we acquired the first company that was doing that, but our privileged access management solution is offered as a hardened physical appliance or a hardened virtual appliance. And I say hardened because it's all self-contained, there's no software to install and it's hardened from the outside. And it's hardened within as well, due to several levels of encryption and access controls within the privileged access management solution. But if you wanted to get that same capability, you can actually pull those from the AWS or Azure marketplace.
So if you're already an AWS or Azure customer, and you wanted to grow into PAM that way, you can simply grab an appliance from the virtual marketplace. And that will be a single-tenant appliance that you own. At that point, you can rely on things like the availability of the cloud provider. So if the cloud provider is going to provide you five nines of uptime, and you just want to live on a single appliance, that's fine. If you wanted to add high availability to that, you can add that to, you know, move it out to other data centers or what have you. You have a lot of control and a lot of capability from that perspective. And that's available from both our physical or our privileged password appliance and our privileged session appliance. It also includes analytics. One of our newer offerings is the on-demand, and it's an as-a-service offering.
So it's called Safeguard On Demand. And that runs out of the Azure cloud. So it's going to be running there and it's going to provide you all the capabilities to do privileged access management, both vaulting and sessions, from that cloud. That is a single-tenant offering. So it's going to provide you the same high security as you would get from a physical or virtual appliance. There's not going to be crossing of any streams or any credentials within there. And again, I mentioned that a lot of our customers prefer the managed service provider offering, where somebody just outsources that. A couple of the new things on the market: so we've got the Safeguard Remote Access, which is a client that runs out of our, it's not the on-demand offering, but it runs out of a cloud provider.
And it gives you access to your assets, whether they're on prem or in the cloud, through a secure channel. There's going to be some demos coming out in the near future. And that's going to be one of the things that changes the way administration is done remotely. Now, granted, this is the, you know, post-pandemic. And a lot of people are doing administration from home now. So this will help moving forward in the way that administration is actually done. But we're looking for that to change the way people do administration overall. And long-term, things are going to look a lot different from an administrator perspective. So, kind of rehashing the terminology of the innovations: the Safeguard On Demand is our latest offering. So it's dedicated. Each individual customer gets an individual Safeguard On Demand implementation for them to use. It is hosted in Azure.
And then we take care of everything like the upgrades and all the maintenance and that sort of thing. It's still your PAM solution to be able to deploy. So you can go into that solution and you can change the policies. You can add new systems, we call it assets, you can change password policies, and then it's still up to you to manage the users as well. So users will come in and check out their credentials or sessions and that sort of thing, all of the pieces that would look the same as if it was on prem. The big difference in the Safeguard On Demand offering, and I can say other cloud providers have privileged access management, is it's a 100% code match. So the same appliance, the same physical appliance. If you were to decide to go with a physical appliance, you get a set of code.
If you get the virtual appliances, it's the exact same set of code. The Safeguard On Demand offering running out of Azure is the same code that you would get with either one of those appliances. So feature for feature and function for function, everything is going to match up and it's going to work exactly the same way. And of course, when you do the on-demand offering, we take care of all the upgrades and all the maintenance that goes with that. We do rely on things like the cloud to provide the availability. And then the Safeguard Remote Access is that concept of VPN-less secure remote access. That's what we're really looking to provide, to get around that need that every administrator needs to carry a VPN with them. You know, we've seen some problems with VPNs in the past, but that idea that we can do this remotely for you and still do all of the things that a privileged access management broker would do for you.
So with that, you're going to get all the capabilities of running through the PAM appliance and all of that check-in, check-out and credential management that it takes care of for you. And there's no client to install. It's very simple. And it's really designed to be a very quick and efficient way to give people remote access to do their administration. And then, you know, we've got the coming soon slide over here. So this is the to-be-announced; it's going to be Safeguard Shield, which is our privileged access browser-based brokerage. So that'll run through the privileged access or the privileged sessions appliance, and it'll give you a secure remote browser to do many different privileged accesses or access controls that are browser based. And it'll give you a lot of control over that. And a lot of security, because a lot of that browser's going to be running in a very controlled environment and it'll actually reach in and inject credentials where necessary and give you a complete recording of that session. So, based on that, I'm going to hand it back over to Martin.
Yeah. Thank you. Then we're switching to part three of the agenda, which is our Q&A session. And during Q&A, I will look at the poll results, and also have a look at the questions you already have, but again, the ask to the audience, please enter additional questions when you have to use this, think there could be a lot of questions around this topic of PAM. So feel free to enter them so that we can provide our insights and our answers to your questions. Let's start with a question to then switch to the first poll. So the question I'd like to look at is: if PAM is provided as a service that you push attached to us, but how do we make sure it's backed up and redundant? Because you're talking about a system managing our secrets or keys to the kingdom, and if they get lost, they're in trouble. So what do you do?
I mean, that's a question that typically comes from an organization that's fairly new to cloud, right? So when you embrace cloud concepts, the availability becomes implied. I guess that doesn't really clear it up, but like, I'm relying on somebody else to provide that for me. It's kind of like in the old days, the telephone system, we relied on dial tone access. How do I get dial tone access? So, you know, every time I pick up the phone, it's there. I don't wonder where that dial tone comes from. And that's the concept as it is as a service. So it can be provided in many ways by the cloud provider, through things like data replication and availability at many different levels, whether it's from the virtualization or from the presentation side of the cloud, but it's implied. And it's one of those things where they're not going to exactly tell you how they do it, but it's going to be there. Now, high availability can be things like this system is down to the system is up, but it can also be, I have so many systems accessing it at the same time, I might need more. So you might need to scale that out a little bit, but, you know, from a sessions management side, you can scale that out fairly easily from the cloud.
Okay. So let's maybe have a look at the first poll results, which are coming up here. They should be with little in the second purchase. The question was about how many PAM tools do we have in place? What we see here is so Rhonda Bhagwan cert say, a few, say that half, none, very few have three, but a couple really have more. So maybe Dan, to you, as a question from practice, are you surprised by these four thoughts?
Not so much. I mean, other than different things are being considered PAM now than they were before. So, you know, the zero is a little bit concerning, you know, the 11% people that have organization, I have zero PAM deployed, but the greater than is, that's not shocking at all, because there's many different things that can be a simple PAM solution, of maybe a password manager of some sort that's shared across the organization. That's a sort of PAM, or the endpoint management, you know, there's many different systems that are actually considered part of the PAM portfolio now.
Okay. Got it. Thank you for displaying the poll. Let's move to maybe the next question. I think one other interesting question: I talked about managing ever so to speak from the same environment, the same title for so, so being flexible in deployment, but being able to manage the hybrid reality of your business. So maybe could you kind of elaborate a little bit on how your solution also supports managing sort of cloud privileged access? So when it comes to the target, that's being whatever, a Windows server or a Unix or Linux server, but some site which doesn't run on your premises.
So that could be done, you know, a few different ways. There's different types of access, there's different types of interactions. So at One Identity, you know, obviously we have a suite of privileged access or of identity management solutions. So there's things that we can plug in to manage that access, such as identity governance. And we can definitely tie identity governance into privileged access management because it's coming from the same company and we create those integration points for that. Now we do have customers that only buy our PAM solution and just use our PAM solution. But we also have customers that use our identity governance solution that want to integrate PAM. So you can take something like that, identity governance, and you can run governance or attestation campaigns, as the governance terminology goes, against privileged access users. You can also do things like just-in-time provisioning because there's multiple solutions working together. And I can say, you know, at One Identity, of course we can make integrations with other vendors, even other PAM vendors. But of course, we're going to focus on our own solutions first because our APIs are well known to us and we integrate very well. So concepts like a temporary elevation of a credential are very doable across different systems when you plug in an IGA solution on the front end of that or on the backend.
Okay. Another question I have here: is cloud entitlement management, from your perspective, part of critical access management or of IGA? So we recently have seen this term of cloud identity entitlement management popping up. Honestly, I'm not a believer in that terminology because I don't think we need an identity management for the identities of cloud services at the title and the cloud service. We need something which serves our entire infrastructure. So I don't think we should add something just for a cloud; that doesn't make sense. But anyway, I think going back to you on, across from now, there's the, which is you have on-premise services, you have cloud service and product cloud service, you need to manage the accounts, their entitlements, privileges, all that stuff. So maybe from your One Identity perspective, you can elaborate a little on what is done in which part of your One Identity set of solutions.
Right. So that's an interesting perspective; that's really what it comes down to, as many things are fitting more into PAM than we've seen before. So if I need, you know, a privilege in Azure or a privilege in AWS, is that a permanent privilege or a temporary elevation of my own account? Is it something I check out and use? It all depends on how you want to do it. So at One Identity, I would take something like this, take an SAP privileged account, for instance. And I would take that account and I sort of like the concept of shared accounts. You know, it's not necessarily a shared account, but it's not a D. Conrad SAP admin account. It would be SAP admin one. And I wouldn't own that account personally, but what I would have is a right to use that account or check it out.
And the way that would work is I would connect to the PAM solution and make that request. And that can have as much workflow approval behind it as you need. And I can manage my ability to make that request from an IGA solution, if you choose to do that. So I can make that request to PAM. And then PAM will notify me that the request is hopefully approved, and at that point, different things can happen. And that's really up to you. I like to take the accounts that I'm going to use and have them unprivileged until time of use. At that point, the just-in-time service can reach into SAP or reach into identity management and make, you know, a flip of a bit or change an attribute that gives that account the right privileges that it needs to do what it needs to do when it needs to do it. At the end of my session, that process is reversed.
So that's critical, and the temporary elevation is more critical in some systems than it is in others. For Active Directory, for instance, temporary privileges are a great thing to use, but in something like SAP, it's not quite as important. So we want to figure out what works for those individual systems, and that can be cloud systems as well. If I needed to be an Azure global admin for the afternoon, I can make that request. I can go check out the Azure global admin account from my PAM solution. And then when I go to use that temporary account, it will be an Azure global admin. When I'm not using it, it will be checked back in and it will no longer be an Azure global admin.
Okay. Thank you. So again, what you're saying is really look at a use cases to bros assists you, you shouldn't have, and don't start with the sort of the technical perspective, but really look at it more from a, from a perspective and how correct do it well from a security and from a usability process. Let's have a look at the second poll now, which was about: are you considering shifting to the cloud? Are you already in the cloud or not? I think it's an interesting result because it shows that a modern house, so more than 60% of the win are for privileged access management on their path to the cloud. And I would dare to say, when I go back two years or so, that would have looked very different, with way fewer companies saying, okay, we can do PAM from the cloud to cloud. It's so critical, but it seems to have changed. So do you also observe sort of increasing adoption of utilizing the cloud as a delivery model for privileged access management, PAM, Dan?
I think there's an acceptance of the cloud to be seen there right now, not just from its capabilities, pure capabilities, but from things like reliability and security. There's a growing acceptance that the cloud can actually provide the level of security that I need for something like the keys to the kingdom, you know, the very important assets of privileged access management. So I think there's something to be said for the level of acceptance there. And they've built a very good business around that and have shown through many years of availability that they can do it.
Okay, great. Let's go back to the questions. Thank you for displaying the poll. The final question I'd like to pick in the interest of time, and we will follow up probably separately afterwards with questions that remained unanswered. One question I'd like to pick is: are there any differences in the features that are available in the on-premise and the cloud version of the PAM solutions? I understand it's pretty much the same code base.
Correct. Correct. It sounds like a great marketing feature or something like that. But in reality, when you write, you use the same code base, we don't have to maintain three or four different products. From a support perspective, you can call the same support number and it doesn't matter; you know, the same person that you talk to doesn't need to be a cloud expert because it is the same code base. So that's something, you know, we're proud of, but it actually came out to be a better way for us to actually deploy the cloud offering.
Okay. So it's feature comparable. Some hands on research: we have like our Leadership Compass, the next one on privileged access management and state matrix category will be updated drug soon from now. So there's current research that there's a lot of four circles on what entity products we stand. I thank everyone for attending this KuppingerCole webinar. Thank you very much, Dan, for all information provided and for One Identity supporting us in doing this webinar. So thank you very much. See you soon again.
