Hello, welcome to this webinar from KuppingerCole. My name is Paul Fisher. I'm a lead analyst with the company. Today I'm going to be talking about the PAMocracy, which is all about the privileged access management market and my views and predictions on where it's going and how this new PAMocracy is going to affect the way that you see PAM and the way that vendors will change their products.
So, before we start, just a couple of housekeeping messages. You are muted centrally, so you don't need to worry about doing that. No need to mute or unmute yourself. We do have a couple of polls running during the webinar and we'll discuss the results during the Q&A at the end. Also at the Q&A session, there will obviously be questions and answers, so hopefully if you have any questions, you can send them to me in the panel that you'll see on the right of your screen and I hopefully might be able to provide some answers to you.
You should have got a message that this is being recorded and the recording and the presentation deck will be made available to download in the coming days. So, if any of your colleagues wanted to view this today but have missed it, don't worry, they can look at the repeat.
So, my agenda, it's just me today speaking, just me, and first of all, I'll explain what I mean by the PAMocracy and then go into a bit more detail about how this new paradigm will affect the PAM market itself. And then finally, as I said, we'll have a Q&A wrap-up and look at the polls as well.
So, talking of polls, poll number one, if you can all start thinking about answering this now, poll number one is what is the hardest part of selecting a new PAM solution? And your answers are, your options are, literally the sheer number of products and vendors that exist for Privileged Access Management, trying to make sense of vendor websites and their marketing, a fear of failure, a fear that you may make the wrong choice, a fear that you may invest lots of money into something that doesn't work, and also having to work within a fixed budget.
You may have been given a budget by senior management, which doesn't necessarily meet what you think the company needs. So, the sheer number of products, trying to make sense of vendor websites, the fear that you'll make the wrong choice, or having to work within a fixed budget.
So, I'll just let you have a little time there for replying. So, I can leave that on a little bit longer for you, if you like. Just a few people still thinking about it there, I think.
Okay, well, let's get in now to what we might call the meat of this presentation, and the poll is still running in the background. So, I'll let you still vote on that while I'm talking. The PAMocracy, what on earth am I talking about?
Well, last year, I did a presentation at the European Identity Conference, where I tried to illustrate how networks continuously expand, and how they're sort of never-ending. I used a lot of illustrations and diagrams of different types of networks as analogies. But this year, I'm thinking, you know what, what actually works for me is this phrase, everything works with everything else.
Basically, this phrase applies to everything in modern computing, and applies to organizations. So, everything works with everything else. Every user works with applications, with card, with other computers, other people. And basically, that's what it is. Everything works with everything else. And then you can rationalize this to focus it a little bit more on what we're talking about. And we talk about identities, but actually, if you think about it, what's happening in computing is we have things. And those things can be obviously humans.
But increasingly, there are non-human things that are also connecting to everything else. And they increasingly want to connect to stuff that may be considered to be privileged.
So, in our modern world, even right down to the simplest Active Directory, a thing or a user will be given an identity, which is then given a credential, and it gives the thing access to stuff. So, you can narrow down everything works with everything else, right down to things and stuff.
Actually, it's great. I mean, that is, I've now reduced the whole of the world of computing to two words, things and stuff, because that's basically what we're doing.
So, she's very happy about that. But unfortunately, it does mean that things are actually a lot more complicated than that. Everything gets an identity that gets a credential that gives everything access to everything, you see.
So, now suddenly, we have a different picture. We have identities flying around everywhere, belonging to things that have been given credentials and having access to the stuff that they want to access. And that means that we have a very complicated picture. We have now millions of things, and the millions of things are mostly created by the non-human users that we now see everywhere. And some of these things are going to be privileged, which is why we need a PAMocracy.
Because we don't, we can no longer rely on the older method of doing privileged access management, where we talked about privileged accounts, where users were given fixed privileged accounts, standing privileges to access stuff. Now, we need to identify a lot bigger field of stuff that is privileged, and things that are going to be privileged to access it. And that's why we need what I've come up with, a PAMocracy. And a PAMocracy is kind of a layer of identities that exist in every organization. That are accessing stuff, which to varying degrees of seriousness, is considered privileged.
And that privileged stuff can indeed be the traditional admin access to other people's machines or to databases or servers that need maintenance. But increasingly, we find it hard to define what is privileged, because it's stuff that is more intangible. It could be little bits of code, or it could be one particular part of a database, or it might be, for example, a customer list. A customer database that has addresses, phone numbers, emails on there is like gold dust. And that access to that should be privileged.
So, we need systems that can take into account all of that. But they also need to work a lot quicker than they have in the past. And this is really the landscape now of everything connecting to everything else. We have all of these things, which are getting identities. And all of these things here, could at some point, have what you might call in the old term, privileged access.
So, we have our devices, we have straightforward computers, laptops, mobiles, PCs, iPads, etc. But we also have robots, we have sensors, we have meters, we have all aspects of the IoT, the Internet of Things, which are connecting into our networks as well. And they're connecting in from other networks, and so on. And they're connecting in from all over the place from suppliers. We still have good old, reliable IT admins who are still mostly human.
Although, of course, the admins are also using software to perform some of the tasks automatically. And of course, that means they have service accounts. And those service accounts have identities. But the service accounts and shared accounts are two things that generally speaking, and in the most traditional way, have privileged access because they are actually fundamentally changing stuff that's happening on networks or on PCs or endpoints and stuff. And then this is the bit where it gets really hard now to contain. We have software everywhere.
Microservices, applications, APIs, little bits of code, scripts, workloads. The list will probably continue, will increase. But the number of bits of software that are now looking to connect to things, and those things are considered privileged, is multiplying every day. And this is the core, really, of the PAMocracy, because the traditional human users have been joined by these software users, or workload users, applications. They have different names, but essentially, it's all about software doing stuff.
And then we have automation, which is happening, which is obviously related to the software. But we have bots now, we have RPA, analytics machines, machine learning, and search. And of course, machine learning and AI is increasingly in the news recently because of ChatGPT. And some people are worried about this, other people think it's the best thing ever. But the point is that things like ChatGPT, and a spinoff from them, will also be trawling networks, they'll also be reading things and learning stuff.
And at some point, they are probably going to start treading into areas, which perhaps organizations don't wish them to go. So we need to control machine learning. That isn't part of our planned machine learning, but machine learning, such as spiders, bots that trawl the internet and trawl networks. So all those things are having an effect and creating this PAMocracy. And then to go into a little bit more detail, if we take some of those identities, and we have really, just go back to that, we have now really defined the identities into six areas.
And all of those identities are using existing tools to get access to various parts of your network. And of course, identity and access management is traditionally used for that.
CIEM, Cloud Infrastructure Entitlement Management, is something which is fairly new, which is kind of a version of privileged access management that tends to work best by allowing and measuring and monitoring entitlement in the cloud. And then to get back to what this presentation is really about, privileged access management, it's, as we said, traditionally been the way that we have looked at managing identities into privileged areas. The cloud is pretty much what business infrastructure is now.
So core business infrastructure is platform as a service, software as a service, infrastructure as a service, and even private clouds. And all of that is creating the breeding ground for identities that want access to everything else within all four of those types of cloud, as well as the on-premises existing infrastructure that we have. And then the resources on the right, basically things, file servers, workloads, etc. That's what all the identities want to get to, to do whatever they want.
So at the bottom there, we can see some traditional cybersecurity platforms that are there to back this up. So integrated risk management, for example, and data governance are tools which will help you manage privileged access management and identity access management to make sure that they are compliant, etc. And then we have EDR, XDR to help protect the identity platforms themselves.
So that, again, is a fairly simplified picture of how identity and management work today across the cloud. And obviously, the cloud still is growing, but there's no doubt that when we talk about the cloud, it has become a bit of a cliche, but it's true. The cloud is dominant, but will become dominant. And most new businesses, most traditional businesses are putting either all their organization in the cloud or some of it. So we can't ignore the cloud. So to get to how I see things changing, and this is not just about the product or the product sector now.
This is really how I envisage privileged access to start happening. Whether it works within what we call a PAM tool, or whether it works in a CIEM tool, or whether it works in an identity and access management tool, or a part of it, or even an identity provider's platform, I see that we now need to think about things in the other way that we traditionally have. So let's take this is a process or a step. So let's say we identify the thing. We identify that it is a script, perhaps, and it has an ID, let's say a number. So that way, we know what the thing is.
Or it may be a user, a human user, in this case, it's me. And we use a traditional identifier by my email address. But then we get into what that thing wants. So what is it requesting? Where is it? Where is it coming from? What's the role it's currently performing as in this moment? What is the activity that it wishes to do when it reaches the thing? Is it normal? If this user, or this thing, this script, is familiar, and it's done the same thing before, it's probably less of a risk than if it's the first time. So how often does it make this request? Or is it unusual?
Is it, for example, doing something that is way out of the boundaries of its role, the activity, what it normally does? So you need to ask yourself, can we verify it? Can we verify this thing and its identity? And to do that, we then pass the indicators against business and security policies and ask, is this a privileged access request? Is this what it's asking for, access to stuff that is privileged? Not this is a privileged identity, but does it want access to privileged stuff? And that's the difference. Does it want access to privileged stuff?
Does this identity want access to privileged stuff? And if it does, is it okay? So we then verify yes or no, the machine. And if it's verified yes, we give it a credential or a one-time password or some other kind of certificate that allows that identity to access the stuff. And it can be then a password from a vault, let's say, in which is what happens in a traditional PAM. But we're not saying these are privileged things. We're just treating everything as equal, hence the PAMocracy. So all these identities are treated equally.
And then the questions are asked, whether they should be allowed privileged access. And then we look at against the policy and then we verify. And all of that, obviously, is a long way of saying, of explaining something that should happen in a millisecond. And that hopefully is where we are getting to with new privileged access management tools. And I'll come on to that in a second. So my five points here are, we need to start thinking about privileged accounts as an unnecessary file or risk. Storing privileged accounts is a pain, but it's also a risk because that's what the attackers go for.
The business policies should decide what is safe and what is privileged. And within that, yes, we have the roles, but not just the role. So if the identity is an administrator, we don't just automatically think, oh, it's an administrator.
Fine, let it through. We say, okay, it's an administrator, but what's it asking for? And identities are attached to the things. Identities should never be privileged.
Sorry, the things should never be privileged. That's important. Sorry for that. The things should never be privileged and should never have a standing account. The identities are attached to the thing. And so we get to a point where access is privileged and given on a case by case basis and can be applied to anything. And that's how we start to manage the PAMocracy. All those things are now looking for access to privileged stuff. So there's a new order. Identify indicators, pass the policies, verify credential. Identify indicators, pass the policies, verify, issue a credential.
For the thing, it's request get verified, get your credential, get access if allowed. So I hope that's kind of explained what the PAMocracy is.
Now, I'm going to talk about the PAM market. But before we do that, we are going to open the second poll, which is this. Would you consider using a different PAM vendor, or sorry, different vendor solutions for different departments in your organization? And we have four answers. So we have, we deploy the same platform across the organization.
We might, as we scale up operations, we choose PAM suited to various departmental needs. We already decentralized purchasing and administration to departments, and that could mean not just PAM. So I'll leave that open for you. Voting is open now.
Hopefully, we're using a new system here. So hopefully you can all see that. Looks like it's people voting now.
So yeah, we deploy the same platform across the organization. We might as well scale.
We might, as we scale operations, we choose PAM suited to departmental needs. We already decentralized purchasing and administration to our departments. So just a little bit longer, I'll just go to the next poll. The next slide. So this is coming back down to earth now. This is the PAM market right now, and no one talking about PAMocracy in this.
But these, beneath here, we see the leaders, the followers, and the challengers. Sorry, the followers, challengers, and leaders. The leaders are on the right. The challengers are in the middle, and the followers are at the far left. What this shows is that these four on the left, Ekran, Devolutions, Indeed, and Heimdal, whilst in the compass itself, they are listed as followers, you'll see that they also have particular characteristics, which still makes them worth looking at.
So they are innovative, they're niche, they think about entitlement as much as privileged access, and they also focus on identity. And then in the middle, we have the challengers and the leaders. And they together are much more traditional in their focus. But those in the middle here also are quite suitable for SMEs, for smaller enterprise, they also have a focus on identity. And some are starting to offer things like passwordless or certificate-based authentication. And then to the right, we have big providers, as it were, or classical providers.
Many of these still focused on traditional password and vaulting mechanisms. But they are usually popular with big enterprises.
And also, they tend to focus a lot more on analytics and governance, risk and compliance tools and session monitoring and analytics, etc, which makes them suitable for big corporates. But what they don't have, perhaps, so much of, although some will show it in certain areas, they don't quite so much have as much innovation. And they're not quite on the curve when it comes to things like cloud entitlement management. And perhaps they also are a little daunting for smaller enterprises.
That said, many large enterprises like the security of a platform that comes from a company that's been doing PAM for 20-odd years. And I like the fact that they understand that it uses passwords, etc, and a vault to do what it needs to do. But I also see, and I apologize that last slide did not have the headings on there, but outside of the leadership compass, we're starting to see potential vendors to threaten to disrupt the privileged access market, as we see it.
And some of those are coming from the CIEM area, like Britive, others from the authentication, HashiCorp, but also with a focus on the coding environments and DevOps, etc. Some are even just thinking of niches such as databases. And that's something that's actually more common in Asian markets than it is, perhaps, in the European and North American markets. And then others, such as Venafi, who focus on machines and SSH, etc. So we also might see some of those in the followers in future privileged access management leadership compasses.
We're also hearing the noises that companies from outside of the traditional PAM area, more in the identity management and access management, which is Okta, SailPoint. We're seeing that those are looking, perhaps, to enter this market, but not as in a traditional way. And then we have Microsoft, which has recently entered the CIEM market with Entra. But it also may enter and rival some of the big PAM players, if it decides to cater for large enterprise, which it easily could. But of course, it would focus more on the data.
So what we might see, then, is a little bit further on, that things swap around a little. So I just go back there. So you see, at the moment, the followers may include Britive as it is now, 2023, and the challengers. But because those challengers that I just highlighted, Okta, SailPoint, etc, may focus largely on identity, there is a chance that the previous challengers will develop their platforms and develop them in such a way that they can take advantage of the huge amount of things connecting to everything. And so they may become the new challengers.
And some of the existing challengers may disappear. But I feel that Microsoft, because it's like Microsoft, is still likely to disrupt the traditional leaders, simply because of its size, its power, and the fact that it can acquire technology, which it did for CIEM, to gain a place at the top table of Privileged Access Management. If they get it right, they should get considerable market share because of the fact that everyone uses, well, not everyone, but vast swathes of the world uses Microsoft products.
And then those disruptive forces, decentralized purchasing, Identity First, and CIEM, all happening at the same time. And within that, we get the PAMocracy. So the PAMocracy is now sitting at the heart of CIEM, Identity First, and decentralized purchasing, plus everything else that I've spoken about, about the forces, about how we need to reverse traditional method of authenticating stuff to privileged things. So that is, sorry, a rather abrupt end then to my overview of the PAM market and the PAMocracy as I see it developing. Let's just go back now to the polls.
And I don't know, I don't think I can show these on the screen, but I can tell you that the hardest part of selecting a new PAM solution was, in fact, trying to make sense of vendor websites or marketing, which I kind of suspected would be the case. 36% of you have said that that's the case. After that, there's 22% said a fear that you'll make the wrong choice, and then the sheer number of products and vendors that exist. And also having to work within a fixed budget, all of those got 21 or 22%. So interesting.
But I think the message there goes out to vendors that there's too much information perhaps on their websites and too little that actually helps users or buyers find the right solution. So the next question, the next poll was, would you consider using a different vendor, PAM vendor that is, for different departments in your organization? And at the moment, interesting, really interesting result. There's 36% say we deploy the same platform across the organization, but 37% choose PAM, which is suited to various department needs.
And again, I kind of think, suspected that is what happened. And that is all part of the PAMocracy, that increasingly, we shall see niche PAM, or PAM in the middle, or big PAM, or CIEM, stroke PAM being used, because of the actual application or the need in a particular department. And that's particularly true, I think, of things like the DevOps. 27% said they may, as we scale operations, no one actually has yet decentralized purchasing.
So that, I assume, means no one's officially decentralized. But I'm sure out there, what is happening is that unofficial decentralization is happening. And some departments may be buying bits of PAM, or even just password managers and things like that, help them cope with the PAMocracy. So now then, on your screen, you'll see an ad for KC OpenSelect. I just want to talk to you a little bit about this. This is a brand new tool that we have created on KuppingerCole.com. And it goes right to the heart of that question that I asked, what's difficult about choosing products?
And the fact that so many of you said that it is actually hard to decipher what on vendor websites and marketing, KC OpenSelect is exactly designed to help you on that journey to discover and compare cybersecurity solutions. It's a free to use tool. It's for everyone. And it's there as a tool to start your investigation, your journey in buying solutions, not just for privileged access management. Eventually, we will have it for every aspect of cybersecurity. But at the moment, we have privileged access management just come on stream.
But it's intended to encourage further discussion within your organization. And then discussion, hopefully, with potential vendors, or with KuppingerCole ourselves. So we can then, you can use the tool to get an idea of what's in the market, we have, it's interactive, you can change the parameters, you can decide what use cases you want to solve, what cybersecurity use cases you wish, for example, PAM to solve for you, or identity management or other use cases. And when you've got to, maybe you can define a shortlist of vendors and their products. But we say don't end it there.
As I said, it is the start of a journey. And then we would hope that perhaps you can engage with us one of our analysts or one of our advisors to go further, or you can use it as a starting point to open discussions with vendors. So that's KC OpenSelect. It's available KuppingerCole.com slash OpenSelect. It's right there now. So perhaps have a look if you are looking for a solution in PAM at the moment. So now I'm going to see if I can find the questions.
Okay, so one question I have here. Well, this is interesting. How does the adoption of PAM solutions vary across regions of the world? And what factors are driving this?
Well, I kind of mentioned at the start there or earlier that some parts of Asia use PAM more focused on things like databases. So that's one difference. I think the adoption of PAM also changes in markets such as Europe or North America, which are heavily regulated, which now have privacy rules, which are quite harsh, or strict, I should say. And that tends to change what kind of PAM solution they might think about, they might want one, which has more GRC in it. I don't think that there is much difference in the markets between what they actually wish to protect.
But I think that perhaps some markets might be more focused on different types of it. I think in the US, they're probably more focused now on identities in the cloud, on different types of identities, machine identities, and less on human identities.
Says here, what impact are emerging technologies such as artificial intelligence and machine learning having on the PAM market? Well, let's just park and do a ChatGPT and just talk about machine learning. I think that a number of vendors are now using aspects of machine learning in different ways, particularly to help them in analytics. If you have this many identities, and if the whole market changes towards a PAMocracy, then you're going to have to analyze, record, and manage the activity of millions of identities and find patterns in that. And that's very hard to do manually.
So I think a number of vendors are investing now into machine learning and AI technologies to help with that. So I think, really, that's it. I don't have anyone else to hand over to because this is a solo effort. I hope it's been useful to you all. If you are, any of you in Berlin in May, we still have tickets available for our conference where I'll be talking again about the PAMocracy. And many of my colleagues and many more from the vendor community will be talking as well. But for now, I think I shall say goodbye.
Have a good day, have a good evening, or good afternoon, depending on where you're listening. Thank you so much.