Analyst Chat #168: Trends and Predictions for 2023 - Next-Generation PAM

Welcome to the KuppingerCole Analyst Chat. I'm your host, my name is Matthias Reinwarth. I'm the director of the Practice Identity and Access Management here at KuppingerCole Analysts. We are continuing our sub-series of Trends and Predictions 2023 running up to EIC 2023 in May and in Berlin, and therefore we are looking at one trend, one prediction that is centering around the topic of privileged access management. And therefore I have invited Paul Fisher. He's a Lead Analyst with KuppingerCole, working with us from London. Hi, Paul, good to have you here.

Matthias, hello. Nice to be back. I feel I haven't seen you for a while.

It's been a while, actually. So that means we are both busy. - Yeah. - but we finally made it, so the topic is PAM, you are covering PAM from the research perspective. So what would be one of your key predictions when it comes to PAM in 2023 and beyond?

Okay. Well, let's start with a very boring one. It will continue to grow. So our figures suggest that from 22 to 23 there'll be 0.4 billion increase in revenue, and that seems to actually follow a fairly steady pattern each year. It seems to be about a 5% growth. So we're not seeing staggering growth in the market, but it's certainly solid. However, that's not really the most interesting thing about the PAM market, I would say. One of the things that leads me on to my sort of predictions and development for how PAM might be going. The surveys, as you noted, we now survey audience quite a lot on different things and it's interesting to see the number of PAM solutions or platforms or software in use in business is now, well, 60% use three or more PAM solutions, which is interesting. 23% use two, 40% use just one. And then there's that room for growth: none. The 19% that still haven't invested in any PAM, so that 19% is what all the vendors are after. But the fact that organizations are using more than one PAM, ties in nicely with my prediction of the impact of what I call, or starting to call decentralized purchasing whereby traditional PAM has been purchased by the central IT Department, or the CISO, or the department working for the CISO, and it tended to be across the enterprise installation and that's where you saw things like the big players, so CyberArk, BeyondTrust, Delinea, etc. And whilst that I think is continuing and particularly in big enterprises, well they still feel comfortable with a big platform that does everything that does, you know, all the password control does session management, does all the analytics, you know, all the traditional stuff. I think what we're seeing and from what our customers say, is that different types of privileged access management are now being purchased by perhaps smaller departments or even by very small teams that are working on a project and want some kind of privilege access management, which is better than just simple password managers to control access to whatever it is they're working on.
So that's two things. And I think that as well, the other thing that is happening is,... Sometimes, and you know this as well as I do, Matthias, sometimes we say, oh, cloud is happening and multi-cloud and, you know, all that kind of stuff and digitalization. And it gets to the point where we kind of think, well, we keep saying this stuff and it sounds cliché, but it is actually true. And more and more clouds are being used and more different types of cloud. So in terms of the impact on the PAM market, and this came out a little bit in the Leadership Compass that we published at the start of the year, is the emergence of certain disruptors, and so we traditionally in the Leadership Compass have followers, challengers and leaders, but you can actually break that down. I've noticed that if you look in the followers, then you'll find perhaps some good innovation. You'll find niche applications for privileged access management, and increasingly they were focusing on entitlement and the identity rather than a privileged account basis. Then the challengers tend to be smaller enterprise focused SMB, but also looking at identity and a shift away from passwordless. And that shift from passwordless also applies to the followers. And then right at the top, where we have CyberArk, ARCON, BeyondTrust, Delinea, etc. we have the classical password vault, enterprise, the full kit, which is probably in that 46% I mentioned, I think it was 46, but anyway. The number of people that have one PAM, they're going still for these big guys because they trusted, they've been around for years, they know PAM inside out. But why I think a trend is happening is that quite often people look at our Leadership Compass and they look at the followers and the challengers and they always look at the leaders and they think, well, all the best must be the leaders. I think to look at it the other way around, that those businesses in the followers bit should not be ignored. They don't have every capability under the sun. But what they're doing is catering for that market, which is emerging of companies that have one, two or even three different PAM solutions in operation. And the emergence of CIEM, cloud infrastructure entitlement management, not to be confused with SIEM, is probably one of the biggest disruptors on the PAM market, particularly at that lower end, where people are starting to think more about entitlement access, more about just-in-time access, and more about access to what's in the cloud and less so on privilege accounts. Which I think we are starting to see not the end of privilege account management, which is what PAM used to sort of stand for. But we're seeing the emergence of applications, tools and solutions that do cloud infrastructure entitlement management, but they are in fact a privileged access tool as well, because invariably you find now that the people in DevOps, for example, or the people in other departments and of course non-human identities, for example, a script or an application or a piece of software is actually doing stuff that would be pretty much defined as privilege.

So the question then would be when we look at these cloud entitlements that are managed by these solutions, is this a trend across the full spectrum of the products that you've mentioned? So are these functionalities also included in the upper right corner products that you've mentioned, or are there more specialized vendors that do this or is it both?

Well, yes, it's true that the traditional vendors are... well, I wouldn't say scrambling, but they're certainly reacting to this by adding in some CIEM capabilities. But the thing is, it's not necessarily people looking for CIEM, particularly for those kind of decentralized purchasing bits, not necessarily what they want. So unless CyberArk or the others decide to offer a CIEM standalone that is cloud native, I think the market is starting to look more at the companies that I mentioned in the followers because it probably will do one thing and do one thing well. And that's another trend that I'm seeing in privilege access, is that applications are coming out that do privileged access to one thing. So you might have a platform that does privilege access for databases, or privilege access for DevOps. We went through a process of doing a Leadership Compass for DevOps, and then we realized that actually the CIEM side of this was actually starting to make the DevOps bit, or PAM for DevOps as a category, a little redundant, a little too specialized. But that doesn't mean that there aren't tools out there that are emerging, that will do privileged access management purely for DevOps or purely for that kind of environment. So yeah, that would be the other kind of disruptive force. And I'll be talking more about this at the EIC conference in Berlin where this formed part of my presentation.
The emergence of Microsoft into this market, which has been sort of expected to rumored, but they've kind of dusted down parts of Azure Active Directory and the management tools and admin tools for those and repackaged them into a thing called Entra. And that was sparked off by the acquisition of CloudKnox, which was one of the best CIAM tools around and that's why Microsoft bought it. So they may well add in some kind of privilege access into this collection of tools called Entra, which are all available from a common dashboard. And if that happens, that will have an impact on the leaders, absolutely. Because they will be able to say that we can now do identity and access management for our cloud. We can do it for stuff running on other clouds, and we can do a form of privileged access management. Now, we don't know what that is yet because it's rumored to be coming out, but we haven't seen it. But if I was in the leader group, I would say that's something that should be looked at. And if I was a buyer and a big Microsoft user, I would say, watch out for what they come out with because, you know, it's not perfect, but what it does do is follow the trend of making this stuff a lot easier. So they've taken a lot of the, well, you know what Active Directory admin is like and they've taken some of that stuff, wizardized it, and put it into these nice software frames and made it a lot easier. So we'll see what happens there. So to summarize everything, I have come up with this phrase because what's happening in not just PAM, but in computing is, everything works with everything else. So if you take that as your basis now of what a typical organization looks like or its architecture, and then apply that to PAM, you'll see that what has developed is a kind of PAMocracy. So that is a play on the word democracy, and it basically means that because everything is connected and works with everything else, within that, all those connections, means that there is human and non-human identities and machines all scurrying around, connecting to stuff. And a lot of that will now be considered to be privilege. So you can then sum it up a bit further by saying, Well, what privilege access is is not about vaulting, it's not about passwords, it's not about admin tools, and fixed rights. It's about anything that gets an identity, that gets a credential, that gives the thing access to stuff. And that thing could be, like I say, you, it could be me, it could be a tiny bit of code, it could be a microservice, it could be almost anything. But because all this is working together, we need now for privileged access management to somehow and this is where the identity fabric as well comes in, we need to somehow manage all that. And that means eventually, I think that vaulting and password issuing will start to decline, and I think we'll move much more to the dream, as it were, of just-in-time access that is fixed time only and disappears. But that's a big challenge. I mean, these are trends, but I think that's probably why we're seeing organizations buying one or two or three PAM, because they already want some of that speed of access that they get with, say CIEM or some of the more specialist PAM vendors to give them the speed of access that they need. So they go. It's a lot happening in what is actually quite a small market. But the other thing is that when I did, I compared the [PAM] Leadership Compass 2019, the year before I did one and we actually had fewer vendors in that one than we do in 2023. So that's allowing for the fact that a number of vendors have been, either emerged or gobbled up by other companies. So we have more vendors, we have more vendors to watch. So it's definitely, the market is thriving.

So if I try to summarize it, so we see PAM in more areas. We see PAM for more target systems, including especially the cloud, including hybrid cloud, including virtualization platforms and everything around that. And we see more vendors, a more diverse market. And as you described, a broader approach towards PAM. So this is really interesting. So it's no longer this traditional, as you said, enterprise style of protecting your admins from doing something wrong. It's really the full interconnected, and I like the term PAMocracy, which is really, really nice in that context. We will continue that discussion at EIC. You've mentioned that. So you will be there. I will be there. So we will meet each other in Berlin. And it's just a few weeks until there. So this is really something that I'm looking forward to. But I don't want to close down this session with all these trends that we've learned for PAM for 2023, without mentioning that just in a few days, the second edition of KC Open Select will be published and that will be - tadaa - focusing on PAM. So it's also based on your research and the research of colleagues. So again, we have the way of shortlisting products tailored for the audience needs. So you can do that online. Go to kuppingercole.com, click on KC Open Select and choose the PAM edition, and then they can benefit from your research, right?

Yeah. And I believe that I'm doing a webinar on the 25th of April to promote that as well. So you'll be hearing even more about the PAMocracy. And so, by the time that we come to EIC, people will have that word drummed into their head until they're sick of it, you see. So, but yeah, Thursday at EIC is the day that we’re doing the PAM stream which I'm part of.

Thank you very much, Paul, for your insights. This is really an interesting market. It's changing. It's much more changing than we would have expected maybe three years ago. So not only consolidating, but really expanding, really getting broader in functionality and far from going away. Thank you, Paul, for your time.

Okay. I was going to say something else, but I'll leave that to the next session.

No, no, no. Please. The famous last words are always welcome.

Well, I was just going to... what you mention is..., it's funny because it's kind of a market that is mature, but it's still maturing. So it's growing. You could say again at the leader side, it's a mature market, but at the same time, there is new stuff coming along which is yet to mature. So that's very exciting.

Absolutely. And then get in touch with us, with you at EIC. To the audience, please join us in person or virtually at EIC. Head over to KC Open Select the PAM edition, and if you have any questions, any comments, leave them in the comments section below that YouTube video. And if you're listening to that on your favorite podcatcher, reach out to us via our email addresses or just via the website kuppingercole.com. We are all around there. Any comments, any context, any questions, any contradictions, please reach out to us. We love to join the discussion with you. For that, thank you very much, Paul, and looking forward to seeing you in Berlin, and maybe for another episode very soon.

Okay. Well, thank you, Matthias. Have a great day.

Absolutely. You as well. Bye bye.

Bye.