Privileged Access Management (PAM): What’s Progressing Besides Prices


PAM (privileged access management), the scene of a certain resistance to SaaS?

Gartner had highlighted the phenomenon last year in the Magic Quadrant dedicated to this market. It had, more precisely, indicated that several suppliers, after having abandoned perpetual licenses, had returned to them, as a result of “lost opportunities”.

The American firm says much the same this year. However, it emphasizes that this step backwards is not incompatible with the adoption of SaaS PAM. That adoption is growing all the more as providers focus on SMEs, given the maturity of the mid-cap and large-account segments.

Another trend that remains valid from one year to the next: cyber insurance as a lever for a “significant minority” of acquisitions. In 2023, Gartner did not accompany this statement with figures. This time, it does so: 15 to 25% of first PAM purchases are linked at least in part to insurer requirements.

More demanding technical specifications

Gartner still distinguishes four categories of PAM tools:

– PASM (Privileged Account and Session Management)
– PEDM (Privilege Elevation and Delegation Management)
– Secrets management
– CIEM (cloud infrastructure access management)

Two years ago, only the PASM component was mandatory to appear in the Magic Quadrant. In 2023, the functional requirements were raised as vendors’ offerings expanded: it became necessary to cover at least three of these categories… knowing that PASM and access management were each worth one category.

This year, the evaluation was carried out on two levels.
On the one hand, vendors had to meet all the criteria listed as “must-have”:

– Centralized management and enforcement of privileged access, controlling either access to accounts and credentials, or the execution of commands, or both
– Management and granting of privileged access to authorized users on a temporary basis
– Retention and management of credentials for privileged accounts

On the other hand, vendors had to meet at least 4 of the 5 criteria classed as “standard”:

– Discovery of privileged accounts
– Agent-based privilege escalation control on Windows, UNIX/Linux and macOS
– Management, supervision and recording of privileged sessions
– Audit capabilities
– Just-in-time privilege management

Secrets management for applications and services was optional, as were CIEM (cloud infrastructure access management), lifecycle management of privileged accounts and remote privileged access.

The PAM Magic Quadrant is increasingly selective

Beyond the technical specifications (assessed on April 17, 2024), it was necessary to have a minimum level of revenue ($25 million in 2023, maintenance included) or customer base (1,100 paying customers having acquired tools across the entire PAM core).

Several vendors that did not meet this criterion still received an “honorable mention.” Namely, Bravura Security (ex-Hitachi ID), Fortinet, Okta, Saviynt, senhasegura and StrongDM.

Other “honorable mentions” go to vendors that didn’t quite fit the bill on the technical side. HashiCorp is one of them, as is Keeper Security… and Microsoft. The latter doesn’t support all the required aspects. Entra ID P2 still includes privileged identity management focused on JIT sessions; Entra Permissions covers the CIEM part; Intune Endpoint Privilege Management, the PEDM part.

HashiCorp and Saviynt were in the Magic Quadrant last year. With no new entrants this year, only 9 providers remain. The three “leaders” are unchanged: BeyondTrust, CyberArk and Delinea. The French vendor WALLIX remains in the “visionaries” quadrant.

Positioning within the Magic Quadrant results from evaluations on two axes. One, called “vision”, is prospective. It focuses on strategies (sector, geographic, commercial, marketing, product, etc.). The other, “execution”, reflects the ability to effectively respond to demand (customer experience, pre-sales performance, quality of products/services, etc.).

The situation on the “vision” axis:

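| Rank | Supplier | Change in rank |
|------|----------|----------------|
| 1 | CyberArk | = |
| 2 | Delinea | +2 |
| 3 | BeyondTrust | -1 |
| 4 | WALLIX | +1 |
| 5 | One Identity | -2 |
| 6 | ManageEngine | +4 |
| 7 | ARCON | = |
| 8 | Netwrix | -2 |
| 9 | Broadcom (Symantec) | +2 |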

And on the “execution” axis:

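| Rank | Supplier | Change in rank |
|------|----------|----------------|
| 1 | ARCON | +2 |
| 2 | Delinea | +3 |
| 3 | CyberArk | -1 |
| 4 | BeyondTrust | -3 |
| 5 | ManageEngine | -1 |
| 6 | WALLIX | = |
| 7 | One Identity | +1 |
| 8 | Broadcom (Symantec) | -1 |
| 9 | Netwrix | +1 |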

High prices at BeyondTrust…

As part of its Total PASM bundle, BeyondTrust offers PASM, remote access management and secrets management. The latter two components are also sold independently, as SaaS, software or appliance (physical or virtual). The PEDM component is found in the Privilege Management products (SaaS and software; Windows, UNIX/Linux, Mac). The acquisition of Entitle, completed in early 2024, brought a SaaS CIEM component.

As last year, Mac and UNIX/Linux PEDM earns BeyondTrust a good mark. So does privileged account discovery with PASM, which Gartner also once again praises for its ease of use. Added to this are support expertise, the quality of privileged session management, improvements in deployment, the flexibility to schedule updates on the SaaS offering and the comprehensiveness of ITSM integrations.

BeyondTrust, on the other hand, lags in detecting shadow admins and Secure Shell keys. Gartner also regrets a “rudimentary” offering for managing secrets and machine identities, as well as on auditing and troubleshooting. In addition, prices are higher than average, especially for software PAM, an observation already made last year.

…like at CyberArk

For the PASM part, CyberArk has Privileged Access Manager (SaaS or software). For PEDM, it has Endpoint Privilege Manager (SaaS; Windows, UNIX/Linux and Mac) and On-Demand Privileges Manager (software for AIX and Solaris). Conjur (SaaS or software) and Secrets Hub (SaaS) cover secrets management and AAPM (application-to-application password management). There are also components for remote session management (SaaS Vendor Privileged Access Manager) and CIEM (SaaS Secure Cloud Access).

Once again, Gartner praises the maturity of CyberArk products, in particular PASM, Windows PEDM and the management of secrets and machine identities. Its global presence earns it another good mark, as does its innovation on JIT and native database access.

Many of the negative points raised last year still appear valid. Among them are the burden of major updates, prices “among the highest” on the market and room for improvement in technical support. The PEDM also calls for vigilance: it is limited in terms of file integrity monitoring (UNIX/Linux) and GPO support (UNIX/Linux, Mac).

Delinea’s PAM, not cheap for large companies

The Delinea Platform offering includes PASM, PEDM, CIEM and remote session management. There are standalone options: Secret Server for PASM (software or SaaS), Privilege Manager (SaaS or software; Windows and Mac) and Server Suite (UNIX/Linux) for PEDM, DevOps Secrets Vault for secrets management.

UNIX/Linux PEDM remains a strong point for Delinea, as does the ease of use of its solutions. Gartner adds comprehensive coverage of health metrics and notable growth in this market, in revenue as well as in customers.

Recording RDP session metadata requires agents on the target servers, which most competitors do not require. Several elements of Secret Server require customization via PowerShell (a remark already made in 2023). Support response time could also improve. As for prices, they are above the market average in the large enterprise segment.

WALLIX no longer has the price advantage

For PASM and AAPM, there is WALLIX Bastion (software) and WALLIX One PAM (SaaS). PEDM is part of WALLIX PAM. The WALLIX One Remote Access (SaaS) offer covers remote session management. CIEM is available through an additional IGA product.

Session management and file transfers remain a strong point. WALLIX also proves mature in identity administration. Its sector strategy also hits the mark with Gartner, backed by high-quality support for industrial IT. The ease of use of its solutions is another good mark for WALLIX, as is the effectiveness of its support.

In 2024, the business model has changed… and prices have increased. They are now above the market average, whereas Gartner presented them as “very competitive” last year. On the functional side, connectors for rotating service account passwords are still missing. Also, beware of the limited account discovery capabilities. And JIT PAM is still “relatively immature” (dependent on ITSM integrations).

Illustration © Ruslan Granmble – Shutterstock