Hello, welcome to this webinar from Open Coal. My name's Paul Fisher, I'm a lead Analyst with the company. Today we're gonna be talking about the P, which is all about the privilege access management market, and my views and predictions on where it's going and how this new democracy is going to affect the way that you see Pam and the way that vendors will change their products. So before we start, just a couple of housekeeping messages. You are muted centrally, so you don't need to worry about doing that. No need to mute or unmute yourself. We do have a couple of polls running during the webinar and we'll discuss the results during the q and a at the end. Also at the q and a session, there will obviously be questions and answers. So hopefully if you have any questions, you can send them to me in the panel that you'll see on the right of your screen and I hopefully might be able to provide some answers to you.
You should have got a message that this is being recorded and the recording and the presentation deck will be made available to download in the coming days. So if any of your colleagues wanted to view this today but have missed it, don't worry. They can look at the repeat. So my agenda, it's just me today speaking just me. And first of all, I'll explain what I mean by the P and then go into a bit more detail about how this new paradigm will affect the ham market itself. And then finally, as I said, we'll have a q and A wrap up and look at the polls as well. So talking to polls poll number one, if you can all start thinking about answering this. Now, poll number one is what is the hardest part of selecting a new PAM solution? And your answers are your, your options are literally the sheer number of products and vendors that exist for privilege access management, trying to make sense of vendor websites and their marketing, a fear of failure. A fear that you may make the wrong choice, fear that you may invest lots of money into something that doesn't, right? And also having to work within a fixed budget, you may have been given a budget by senior management, which doesn't necessarily meet what you think the company needs. So the shoe number of products trying to make sense of vendor websites, the fear that you'll make the wrong choice or having to work within a fixed budget. So I'll just let you have a little time there for replying.
I can leave that on a little bit longer for you if you like. Just a few people still thinking about it there, I think. Okay, well let's get in now to what we might call the meat of this presentation. And the poll is still running in the background, so I'll let you still vote on that while I'm talking the P, what on earth am I talking about? Well, last year I did a presentation at the European Identity Conference where I tried to illustrate how network continuously expand and how there's sort of never ending. And I use a lot of illustrations and diagrams of different types of networks as analogies. But this year I'm thinking, you know what, what actually works for me is this phrase, everything works with everything else. Basically, this phrase applies to everything in modern computing and applies to organizations. So everything works with everything else. Every user works with applications, with card, with other computers, other people. And basically that that's what it is. Everything works with everything else.
And then you can rationalize this to, to to, to focus it a little bit more on what we're talking about and we talk about identities. But actually if you think about it, what's happening in computing is we have things and those things can be obviously humans, but increasingly there are non-human things that are also connecting to everything else. And they increasingly want to connect this stuff that may be considered to be privileged. So in our modern world, even right down to the simplest active directory, a thing or a user will give be given an identity, which is then given a credential and it gives a thing access to stuff. So you can narrow down everything works with everything else right down to things and stuff. That is great. I mean that is, I've now reduced the whole of the world of computing to two words things and stuff because that's basically what we are doing. So she's very happy about that. But unfortunately it does mean that things are actually a lot more complicated than that. Everything gets an identity that gets a credential, that gives everything access to everything you see. So now suddenly we have a different picture. We have identities flying around everywhere belonging to things that have been given credentials and having access to the stuff that they want to access.
And that means that we have a very complicated picture. We have now millions of things and the millions of things are mostly created by the non-human users that we now see everywhere as some of these things are going to be privileged, which is why we need a bureaucracy because we don't, we can no longer rely on the older method of doing privileged access management where we talked about privileged accounts, where users were given fixed privileged accounts, standing privileges to access stuff. Now we need to identify a lot bigger field of stuff that is privileged and things that are going to be privileged to access it. And that's why we need, what I've come up with a pornography and a is kind of a layer of identities that exist in every organization that are accessing stuff, which to varying degrees of seriousness is considered privileged. And that privileged stuff can indeed be the traditional admin access to other people's machines or to databases or servers that need maintenance.
But increasingly we find it hard to define what is privileged because it's stuff that is more intangible. It could be little bits of code or it could be one particular part of a database or it might be, for example, a customer list, a customer database that has addresses, phone numbers, emails on there is like gold dust and that access to that should be privileged. So we need systems that can take into account all of that, but they also need to work a lot quicker than they have in the past. And this is really the landscape now of everything connecting to everything else. And we have all of these things which are getting identities and all of these things here could at some point have what you might call Neil term privileged access. So we have our devices, we have straightforward computers, laptops, mobiles, PCs, iPads, et cetera.
But we also have robots, we have sensors, we have meters, we have all aspects of the iot, the internet of things which are connecting into our networks as well. And they're connecting in from other networks and so on. And they're connecting in from all over the place. From from suppliers. We still have good old reliable IT admins who are still mostly human, although of course the admins are also using software to perform some of the tasks automatically. And of course that means they have service accounts and those service accounts have identities. But the service accounts and shared accounts are two things that generally speaking and in the most traditional way have privileged access because they are actually fundamentally changing stuff that's happening on networks or on PCs or endpoints and stuff. And then this is the bit where it gets really hard now to contain, we have software everywhere, microservices applications, APIs, little bits of code scripts, workloads and the list will probably continue, will increase.
But the number of bits of software that are now looking to connect to things and those things are considered privileged is multiplying every day. And this is the core really of the P because the traditional human users have been joined by these software users or workload users, applications, they have different names, but essentially it's all about software doing stuff. And then we have automation which is happening, which is obviously related to the software, but we have bots now we have r p a, analytics machines, machine learning and search Cause machine learning and AI has is increasingly in the news recently because of chat G B T. And some people are worried about this, other people think it's the best thing ever. But the point is that things like chat, G P T and a spinoff from them will also be networks. They'll also be reading things and learning stuff and at some point they are probably gonna start trick treading into areas which perhaps organizations do not wish them to go.
So we need to control machine learning that isn't part of our planned machine learning, but machine learning such as spiders and bots that troll the internet and troll networks. So all those things are having an effect. And I'm creating this and it's going into a little bit more detail if we take some of those identities. And we have really just go back to that, we have now really defined the identities into six areas. And all of those identities are using existing tools to get access to various parts of your network. And of course identity and access management is traditionally used for that. C I E M cloud infrastructure entitlement management is something which is fairly new, which is kind of a a, a version of privilege access management, but tends to work best by allowing and measuring and monitoring entitlement in the cloud. And then to get back to what this presentation is really about, privilege access management, this as, as we said traditionally been the way that we have looked at managing identities into privileged areas.
The cloud is pretty much what business infrastructure is now. So core business infrastructure is platform as a service, software as a service, infrastructure and service and even private clouds. And all of that is creating the breeding ground for identities that want access to everything else within all four of those types of cloud as well as the on-premises existing infrastructure that we have. And then the resources on the right, basically things, file servers, workloads, et cetera. That's what all the identities want to get to, to do whatever they want. So, and then at the bottom there we can see some traditional cybersecurity platforms that there to back this up. So integrated risk management for example, and data governance are tools which will help you manage previous access management and identity access management to make sure that they are compliant, et cetera. And then we have E D R XDR to help protect the identity platforms themselves. So that again is a fairly simplified picture of how identity and management work today across the cloud. And you know, obviously the cloud still is growing, but there's no doubt that when we talk about the cloud, it has become a bit of a cliche. But it is true, you know, the cloud is dominant or will become dominant and most new businesses, most traditional businesses are putting either all their organization in the cloud or some of it. So we can't ignore the cloud.
So to get to how I see things changing, and this is not just about the product or the product sector. Now this is really how I I envisage privileged access to start happening. Whether it works within what we call a PAM tool or whether it works in a C I M tool or whether it works in a identity and access management tool or a part of it or even an identity provider's platform, I see that we now need to think about things in the other way that we traditionally have. So let's take, this is a process or a step. So let's say we identify the thing, we identify that it is a script perhaps and as an id, let's say a number so that way we know what the thing is. Or it may be a user, a human user, in this case it's me and we use a traditional identifier by my email address.
But then we get into what that thing wants. So what does it requesting? Where is it? Where is it coming from, what's the role it's currently performing as in this moment? What is the activity that it wishes to do when it reaches the thing? Is it normal if this user or this thing, this script is familiar and has done the same thing before, it's probably less of a risk than if it's the first time. So how often does it make this request or is it unusual? Is it for example doing something that is way out of the boundaries of its role, the activity, what it normally does? So you need to yourself, can we verify it? Can we verify this thing and its identity? And to do that, we then pass the indicators against business and security policies and ask, is this a privileged access request? Is this what it's asking for access to stuff that is privileged? Not this is a privileged identity, but does it want access to privileged stuff? And that's the difference. Does it want access to privileged stuff? Does this identity want access to privileged stuff? And if it does, is it okay?
So we then verify yes or no the machine. And if it's verified, yes we give it a credential or a one-time password or some other kind of certificate that allows that identity to access the stuff. And it can be then a password from a vault, let's say, in which is what happens in traditional pam. But we're not saying these are privileged things, we're just treating everything as equal, hence the bureaucracy. So all these identities are treated equally and then the questions are asked whether they should be allowed privilege access, and then we look at against the policy and then we verify it. And all of that obviously is a long way of saying of of explaining something that should happen in a millisecond. And that hopefully is where we are getting to with new privilege access management tools. And I'll come onto that in in a second.
So my five points here are we need to start thinking about privilege accounts as an unnecessary file or risk storing privilege accounts is a pain but it's also a risk because that's what the attackers go for. The business policies should decide what is privileged. And within that, yes we have the roles but not just the role. So if the identity is an administrator, we don't just automatically think, oh it's an administrator, fine let it through. We say okay, it's an administrator but what's it asking for? And identities are attached to the things the identities should never be privileged. Sorry, the things should never be privileged important, sorry for the error. The things should never be privileged and should never have a standing account. The identities are attached to the thing. And so we get to a point where access is privileged and given on a case by case basis and can be applied to anything. And that's how we start to manage the bureaucracy. All those things that are now looking for access to privilege stuff.
So there's the new order, identify indicators, pass the policies, verify credential, identify indicators, pass the policies, verify issue a credential for the thing, it's request, get verified, get your credential, get access if allowed. So I hope that's kind of explained what bureaucracy is. Now I'm gonna talk about the PAM market, but before we do that we are going to open the second poll, which is this. Would you consider using a different PAM vendor or sorry, a different vendor solutions for different departments in your organization. And we have four answers. So we have, we deploy the same platform across the organization. We might as we scale up operations, we choose Pam suited to various departmental needs. We already did centralized purchasing and administrations department and that could mean not just Pam. So I'll leave that open for you.
Voting is open now hopefully we're using a new system here. So hopefully you can all see that looks like it's people that voting now. So yeah, we deploy the same platform across the organization. We might as well scale, we might as we scale operations, we choose Pam suited to departmental needs. We already decentralized purchasing and administration to our departments. So just a little bit longer. And I'll just go to the next slide. So this is coming back down to earth now this is the pan market right now and no one talking about in in this. But these beneath here we see the leaders, followers and the challenges, sorry, the followers challenges leaders. The leaders are on the right, the challenges are in the middle and the followers at the far left. What this shows is that
These four on the left are cran devolution, indeed and heindel. Whilst in the compass itself they are listed as followers. You'll see that they also have particular characteristics which still makes them worth looking at. So they are, they are innovative, they're niche, they think about entitlement as much as privilege access and they also focus on identity. And then in the middle we have the challenges and the leaders and they together are much more traditional in their focus. But those in the middle here also are quite suitable for SMEs for smaller enterprise. They also have a focus and identity and some are starting to offer things like passwordless or certificate based author authentication. And then to the right we have our big PAM providers as it were or classical PAM providers.
Many of these still focused on traditional password and vaulting mechanisms, but they're huge, usually popular with big enterprises. And also they tend to focus a lot more on analytics and governance risk and compliance tools and session monitoring and analytics, et cetera, which makes them suitable for big corporate. But what they don't have perhaps so much of, although some will show it in certain areas, they don't quite so much have as much innovation and they not quite on the curve when it comes to things like cloud entitlement management. And perhaps they also are a little daunting for smaller enterprises. That said, many large enterprises like the security of a platform that comes from a company that's been doing PAM for 20 odd years and they're like the fat that they understand and it uses passwords et cetera and a vault to do what it needs to do.
But
I also see, and I apologize that last slide did not have the headings on these, but outside of the leadership compass, we're starting to see potential vendors who threaten to disrupt the privilege access market as we see it. And some of those are coming from the C I M area, like retire others from the authentication hashish core, but also with a focus on the coding environments and DevOps, et cetera. Some are even just thinking of niches such as databases and that's something that's actually more common in Asian markets than it is perhaps in the European and North American markets.
And then others such as the AFI who focus on machines and s SSH, et cetera. So we also might see some of those in the followers in future privileged access management leadership compasses. We're also hearing noises that companies from outside of the traditional PAM area, more in the identity management and access management, which is Okta and sale point. We're seeing that those are looking perhaps to enter this market but not as in a traditional way. And then we have Microsoft, which has recently entered the C I M market with enter, but it's also may enter and rival some of the big PAM players if it decides to cater for large enterprise, which it easily could, but of course it would focus more on.
So what we might see then is a little bit further on that things swap around a little. So I'll just go back there. So you see what at the moment the followers may include BRI dive as it is now 2023 and their challenges. But because those challenges that I just highlighted, Octa, SalePoint, et cetera, may focus largely on identity, there is a chance that the previous challenges will develop their platforms and develop them in such a way that they can take a, you know, advantage of the huge amount of things connecting to everything. And so they may become the new challenges and some of the existing challenges may disappear. But I feel that Microsoft, because it is, because it's like Microsoft is still likely to disrupt the traditional leaders simply because of its size, its power, and the fact that it can acquire technology, which it did for C I E M to gain a place at the top table of British Access Management.
If they get it right, they should get a considerable market share because of the fact that everyone uses, well not everyone but vast sways of the world uses Microsoft products and then on those disrupt forces, decentralized purchasing identity first and C I M all happening at the same time. And within that we get the P. So the P is now sitting at the heart of c i m identity first and decentralized purchasing plus everything else that I've spoken about, about the forces, about how we need to reverse the traditional method of authenticating stuff to privileged things.
So that is, sorry, a rather abrupt end then to my overview of the power market and the p as I see it developing. Let's just go back now to the polls and I don't know, I don't think I can show these on the screen, but I can tell you that the hardest part of selecting a new PAM solution was in fact trying to make sense of vendor website or marketing, which I kind of suspect it would be the case. 36% of you have said that that's the, the case after that there was 22% percented, a fear that you'll make the wrong choice and then the sheer number of products and vendors that exist and also having to work within a fixed budget. All of those got 21 or 22%. So interesting. But I think the message there goes out to vendors that there's too much information perhaps on their website and too little that actually that actually helps them or helps users or buyers find the right solution.
So the next question, the next poll was, would you consider using, would you consider using a different vendor, pan vendor that is for different departments in the organization and at the moment, interesting, really interesting result. This 36% say we deploy the same platform across the organization, but 37% choose pam, which is suited to various department needs. And again, I kind of think suspected that is what happening and that is all part of the, that increasingly we shall see niche Pam or Pam in the middle or big Pam or CM stroke Pam being used because of the actual application or the need in a particular department. And that's particularly true I think of things like the DevOps. 27% said they may as we scale operations, no one actually has yet decentralized purchasing. So that I assume means no one's officially decentralized, but I'm sure out there what is happening is that unofficial decentralized is happening and some departments may be buying bits of PAM or, or even just password managers and things like that help them cope with the democracy.
So now then on your screen you'll see a an ad for KC Open select. I just want to talk to you a little bit about this. This is a brand new tool that we have created on clipping a coal.com and it goes right to the heart of that question that I asked. What's difficult about choosing products and the fact that so many of you said that is actually hard to decipher. What, what on vendor websites and marketing case Open Select is exactly designed to help you on that journey to discover and compare cybersecurity solutions. It's a free to use tool, it's for everyone.
And is there as a tool to start your investigation, your journey into buying solutions, not just for privilege access management. Eventually we will have it for every aspect of cybersecurity, but at the moment we have ped access management just come on stream. But it's entitled to encourage further discussion within your organization and then discussion hopefully with potential with vendors or with Kuppinger Coal ourselves. So we can then you can use the tool to get an idea of what's in the market. We have it's interactive, you can change the parameters, you can decide what use cases you want to solve, what cybersecurity use cases you wish, for example, Pam, to solve for you or identity management or other use cases. And one you've got to maybe you, you, you can define a short list of vendors and their products but we say don't end it there. As I said, it is the start of a journey and then we would hope that perhaps you can engage with us, one of our analysts or one of our advisors to go further or you can use it as a starting point to open discussions with vendors. So that's KC Open select, it's available ko.com/open select. It's right there now. So perhaps have a look if you are looking for a solution in PAM at the moment. So now I'm gonna see if I can find the questions.
Okay, so one question I have here, well this is interesting. How does the adoption of PAM solutions vary across regions of the world and what factors drive this? Well, I, I, I kind of mentioned at the start there or earlier that some parts of Asia use PAM more focused on things like databases. So that's one difference. I think the, the adoption of PAM also is changes when in markets such as Europe or North America, which are heavily regulated, which now have privacy rules which are quite harsh or strict I should say. And that tends to change what kind of PAM solution they might think about. They might want one which has more GRC in it. I don't think that there is much difference in the markets between what they actually wish to protect, but I don't, I think that perhaps some markets might be more focused on different types of id. I think in the US they're probably more focused now on identities in the cloud, on different types of identities, machine identities and less on human identities.
Says here, what impact are emerging technologies such as artificial intelligence and machine learning having on the pan market? Well, let's just part anything to do with chat. G B T. Just talk about machine learning. I think that a number of vendors are now using aspects of machine learning to different ways, particularly to help them in analytics. If you have this many identities and if the whole market changes towards a democracy, then you are gonna have to analyze, record and manage and the activity of millions of identities and, and find patterns in that. And that's very hard to do manually. So I think a number of vendors are investing now into machine learning and AI technologies to help with that. So I think really that's, that's it. I don't have anyone else to hand over to, cause this is a solo effort. I hope it's been useful to you all. If you are any of you in Berlin in May, we still have still tickets available for our conference where I'll be talking again about the p and many of my colleagues and many more from the vendor community will be talking as well. But for now I think I shall say goodbye. Have a good day, have a good evening or good afternoon, depending on where you're listening. Thank you so much.
