1 Introduction
PAM platforms are critical access and security controls that address the risks associated with the use of privileged access in organizations and companies. It is recognized that most successful cyber-attacks involve the misuse of privileged accounts. This misuse is enabled by poor management of privileged access using old or inadequate PAM software (or even none!), out-of-date policies and rusty security processes. The recent rise in ransomware has given organizations another reason to consider PAM, as many of these attacks target privileged accounts as a gateway into wider enterprise networks.
The dangerous activities that PAM must control include abuse of shared credentials, misuse of elevated privileges by unauthorized users, theft of privileged credentials by cyber-criminals and abuse of privileges on third-party systems.
While PAM platforms have existed for around 20 years, the demands of digital transformation and wholesale structural changes to IT architecture have intensified interest in Privileged Access Management software and applications across all market sectors. While many assets remain on-premises or in private data centres, many organizations are also using the cloud for infrastructure, storage and SaaS applications. PAM must keep up with these developments.
KuppingerCole research shows that the PAM market is responding and growing because of these challenges, and is in a vigorous period of growth and innovation. Part of this is flexibility in purchasing options, with growth in subscription models and SaaS options, although licensing and maintenance deals still dominate the sector. KuppingerCole believes that as PAM moves to a dynamic operating model to deal with dynamic IT architectures, SaaS and flexible purchasing options will become more popular with customers who do not wish to be tied into technology that does not evolve fast enough for their changing demands.
A typical IT estate will include applications, on-premises architecture, data centres, microservices, orchestration platforms and multi-cloud infrastructures. Somehow, organizations need to manage PAM throughout this new digital landscape. KuppingerCole considers there will be demand among organizations of all sizes to outsource some or all of the deployment and operation of PAM to Managed Service Providers (MSPs). In addition, more PAM vendors will offer full PAMaaS run from the cloud on behalf of their clients - this will require new commitments of trust between client and provider, not least in protecting data privacy and honouring Service Level Agreements (SLAs).
Legacy PAM solutions scan IT environments at regular intervals, but increasingly these intervals can't keep pace with the rate at which, for example, cloud resources and microservices auto-scale, leaving them periodically at risk. Managing PAM security consistently and applying governance uniformly is now much more complicated.
All of this means that many businesses will be less inclined to manage PAM themselves and will be drawn to the ease of use, deployment and auto updates that PAMaaS offers. This trend will not be restricted to smaller businesses, or those without large in-house technical teams (although this is an obvious target market), but will also extend to larger corporations that possess hugely complex IT estates where PAM plays a critical role in protecting specific high-value operations.
While many public clouds come with some form of PAM application and security commitments in SLAs, these differ across proprietary Cloud Service Providers (CSPs), making it hard to maintain consistent security access management in multi-cloud, multi-provider environments. What is desirable is a dedicated PAM solution that handles all modes of identity across multiple clouds and hybrid IT infrastructures. The good news is that organizations have never had more choice in PAM tools and deployment options to match their IT environments, processes, and supply chains. In this Executive View we consider the PAMaaS option offered to the market by Saviynt.