So welcome everyone. Good afternoon or good morning or good evening, as Christopher said, depending on where you are. Hope you didn't see that, maybe you did see that. I'm going to be talking about privileged access management in a changing world. And to do that, I've got an agenda. So first of all, I'll talk about some changes in the market.
Then technical innovation that we're seeing amongst the propositions that vendors are making, a little bit then about secrets management, which is a term or a theme that has become more prevalent in the last couple of years, and then managing endpoints and how those are now becoming an important part of privileged access management, particularly with the experience that we've all had of the last year or so of more people working from home. So that's the agenda for the afternoon, or for my session, not for the whole afternoon.
There's a lot more than that.
So changes in the market: let's make some sense of what the vendors have been up to. Now, as you know, at KuppingerCole we do an annual Leadership Compass on the privileged access management market. And because of that, we're very close to the vendors and we also get to see what's been happening out there in the market. So here are seven key things that I think are affecting the PAM solutions that you'll be buying or upgrading to in the next year or so. Now, mergers and acquisitions happen in every sector all the time and in most parts of it.
But we've seen a couple of big ones just recently in the PAM market. And one was possibly a little bit unexpected. That is the merger between Thycotic and, sorry, Thycotic and Centrify, which maybe caught some of us a little bit by surprise.
Now, I think one of the reasons that M&A is happening, or are happening, is that in that particular case, the two sides of the merger thought that each one had a particular strength, which if they brought together would make them a much more convincing player in the market. I think also the mergers and acquisitions happened because of the interest in PAM, which has increased from the outside.
And we've seen that M&As may well be really controlled, or not controlled, but sort of are prompted by the activity of private equity and venture capital, who see that there is money to be made in this market. And they read of the reasons why privileged access is becoming important in business security and cybersecurity. So that was the biggest acquisition, but we're seeing also bigger IT groups entering the market.
We've seen, for example, Broadcom, a company that is largely known for its chip manufacturing, but is now heavily invested in privileged access management.
And they are making a serious commitment to what was CA's product and in merging it into a proper software portfolio of the group. So I think that the IT groups, or what I call big IT groups like IBM, who also had a relationship with Thycotic and white labeling their solution, see that there is a potential for an upsell to their existing customers, if they can offer privileged access management or PAM into their offering.
More interestingly, we've seen identity and identity access, IAM players, but also identity providers starting to put their toes in the market. We've seen Okta starting to see that, perhaps, there is an overlap between identity and PAM.
I'm going to talk a bit more about the way I see it impacting on the way that we talk about PAM traditionally in one of the later sections, but whether identity providers, whether IAM providers can make a complete success of adding either PAM capabilities or acquiring PAM companies remains to be seen, because there are still differences between identity access management and privileged access management.
And that's the reason why we have this nearly $2 billion market. One thing though I've really noticed, actually, since I've been covering PAM for KuppingerCole, is, I've called them entry level startups here, but they're not exactly entry level or startups, but they are smaller players. And I think the big four or the bigger existing traditional players are starting to notice that these guys are coming up with some really good ideas, that they're actually innovating strollers.
And some of them have the advantage that they've taken PAM as a product and decided to make it totally cloud-native. And that's something else that we'll be talking about, but they're also seeing, as it says in the next slide, more opportunities in SMB and PAM as a service, and because these smaller players can kind of hone in on a specific part of the market and also develop their current technologies from scratch.
And they're much more likely to be offering stuff such as passwordless or plus engineering in their product.
And I think that it's, I, it already at the research that I've been doing for the 2021 Leadership Compass that just in a year, the strides that some of these PAM vendors last year were challenging and they've taken on board some of the stuff that we said about their products, and they've really gone and implemented what we said were perhaps challenges. And I think you'll notice when the 2021 Leadership Compass comes out that difference that these guys are making to the market. And that's great.
I think that is actually really excellent then, because there's nothing better than having a market that is completely dynamic and being shaken up by new players and smaller players that realize that not only have they got untapped markets, but PAM itself has still got a long way to go.
And we'll see that developing. Christopher mentioned DevOps in his opening speech. And I believe that we're seeing two schools of thought developing there: one is some vendors developing specific vaults or specific pieces of their platform that are designed for DevOps.
And we're seeing other vendors that are perhaps thinking that their existing platform has enough in it to cater for the DevOps demands. Now that may be the case. And I think that it's easier to market something as already having a DevOps capability, but you have to remember that DevOps is a peculiar beast and that it has specific demands that are kind of different from other parts of the infrastructure.
So at the moment, I think the jury's out on whether PAM vendors should develop specific tools with DevOps or whether they can make their existing platforms work as well, but we'll see, and that's going to be very much part of our research.
I don't need to tell you about remote and homeworking changes. We've all been through it. That's why we're doing this event virtually right now.
But when I asked vendors, you know, what impact did the last year, the last 12 months, have on their revenue, they will all tell you that it had a positive one. I'm not saying that there's anything.
I'm not trying to say that the pandemic is a positive thing, but the demand from the market was such that people wanted, or realized that they needed, some kind of tool to help them manage PAM with people now working remotely or at home and on endpoints, and not just the administrators, the PAM that traditionally would be using PAM, but increasingly those employees that also need access to privileged stuff.
Finally, there is another area where PAM is starting to have an overlap, I guess, and that is an area of data governance, where tools which are designed to help people make sense of where that data is, what they have in unstructured data, what PII stuff is available, or what is at risk. Some of those vendors are actually putting a little bit of privileged access management in there so that they can manage who is looking at what kind of data. And they have some tools to prevent certain people, other people not having that access. So that's an interesting area, which is quite new to me.
So there are some of the areas, and as I said, there's more choice than ever, but buying decisions could be harder because of the diversity of demands that we are seeing.
So let's move on to some of the technical innovation in the market and some of what I call discrete technologies that are emerging. And before we delve into those in detail, I just have this chart here, which I think, what I've called it, is the PAM challenge, which is driving the innovation in the market.
So is it, do we give people too much privilege or is there not enough management? You know, should we cut down on another level of privileged access, or should we just make the tools to manage that better? And I think that we probably need to do a few things if we're going to meet that challenge. The vendors are doing a great job of innovating, as I said, to improve management. So that addresses the second part of that question, but is it too much privilege?
Well, possibly we need to do more risk management of privilege, and I'll come to a bit more about that in the next section, but look at what people or machines or service accounts are actually accessing, and actually decide quite brutally whether some things are worth protecting and whether some other things are not. Separation of duties: we need to look more carefully at who needs access and who needs it rapidly. And that's where we get the DevOps Patriot coming in, because those guys work at a fast pace and they're under pressure to deliver.
We probably need to reduce the reliance on passwords, although not altogether, because some organizations like passwords. So we need to give people a choice if they want to use Paul's because they feel safer with passwords, and we need to give them the vaults and the technology that protects those passwords, even though the current thinking is that passwords are weak and they get shared, et cetera, but perhaps we could shift some of the access to just-in-time access or ephemeral or even password free.
And finally, PAM ops is something I talked about on previous KC lives, but perhaps we need to move privileged access closer to the source. So using automation, AI tools to speed access and reduce the security load. And of course, offering zero trust Shipley implemented for such high value accounts. But of course, zero trust is a way of doing things. It's not necessarily a technology that you can just add. So there's some of the ideas or, sorry, the challenges that we face, but as I said, the vendors are doing a great job of responding to that.
One thing that has really improved is the ease of use, the user experience and user interface.
Traditionally it was a tool for admins, used by admins. But now we're seeing, and vendors have said this to me, that they deliberately are making the dashboards, the way that they can assign accounts, et cetera, to be easy to use and to use those kind of tools that we as consumers have become used to in our other lives. So that when we, for example, do something on an iPhone, it's very easy. It's a question of just pressing buttons.
And that message has really got through, I think, to the designers, the engineers of privileged access management, and all of the vendors I've been looking at have made improvements to that. Some more so than others, but the trend is clear. They're even doing things that, you know, some, like wizard tools, have a bad reputation. They're seen as kind of all of that for, you know, just ordinary people that don't know what they're doing, but actually a wizard tool for setting up PAM and for setting up connectors makes perfect sense.
Why should it be hard to actually get the tool up and running and working with the other things in your organization that you want it to? Admins are users, users admins. So we're breaking down the technical boundaries because of the pressure of cybersecurity and the fact that IT itself has so much else going on. It makes sense to allow or give ordinary users a certain amount of admin rights, if it's combined with ease of use and security that we've already been talking about.
Something else that I alluded to earlier was how identity is starting to change the focus of privileged access management. I think we're just at the start of this, but at the moment, we tend to match users with a task, rather than looking at the task itself and the risk of what would happen if that task was performed by the wrong person. So we should look at the task and the risk, and then the identity of the person or the thing that is trying to access that.
Now, if the risk of that task being done by someone else is low, then you don't need to worry too much about the identity. However, the other side of that is if the identity appears trusted and you're allowing them to do something which is high risk, how do you know, as in the case of SolarWinds, that the identity hasn't been stolen? And that is where I think the identity management solutions and the identity providers are perhaps seeing an in here in privilege, because they can secure that identity.
So that the identity that is trying to do the task, which is risky, is the identity you think it is. So I think we need to start talking more about identities, tasks, and risks, as much as we talk about privileged access. More boringly, perhaps, but still important, we're seeing some vendors starting to ally GDPR compliance and policy management within the tool, which is a great thing because GDPR compliance, actually, it's not just GDPR, compliance is something that privileged access management fundamentally can assist with.
We're seeing more support for Azure Active Directory across the board and continuous discovery, which is something a few vendors have been talking about, so that you have automated discovery of privileged users, privileged accounts. And we're seeing, as I said earlier, some of the vendors that now have native access to cloud and DevOps toolchains, because they've built their platform like that. Alternatives to passwords and vaults are increasing.
However, I'd just like to reiterate that some vendors, sorry, some customers are wedded to passwords for their own reasons, and they may be very good reasons, and they like the security of the vault. So it makes sense that vendors can offer that choice. Having said that, we can see increasingly a sort of cloud or on-premises hybrid. Some organizations simply don't like the idea of putting something like PAM into the cloud, where they feel it is a security risk. They like to have it bolted down on premises. That's fine.
And again, the vendors should be responding to that and do respond to that.
Secrets management is something I mentioned that is starting to emerge. Is this different from PAM? Or is it just another feature set? This is something that is really more of a discussion, you know, what is the secret in modern business?
So a secret is basically anything that I would define as having high value to the organization, or if it fell into the wrong hands, could do serious damage to that organization. Is it core to PAM or an add-on? I think it's kind of both really.
I think that what privileged management kind of does, it is in itself a keeper of secrets, as in it keeps passwords, which allows entities to access things, but increasingly the things that those people need access to are secret as well. So it can be passwords, other passwords, SSH keys, excuse me, credentials, or even pieces of data. It can be pieces of code, which is where DevOps comes in.
And this is if we have this multiplication of secrets in business, which even can impact things like social media, that, you know, people put things onto social media which they shouldn't, how do shared accounts, individual accounts, service accounts, and machines impact on this? Because this is probably one of the biggest challenges to privileged access management currently: how can it manage the increasing number of secrets that we find in modern businesses?
And as secrets are everywhere, not just the obvious things that we mentioned, but things like customer identities impacting on the organization, also third parties and vendors becoming part of those organizations, you can see that the level of what needs to be protected is increasing all the time. So I think we might see PAM becoming developed more into a kind of a secrets management side without fundamentally changing its core, but it's something that hopefully we can talk more about during the rest of today's event.
So finally managing endpoints, creating opportunity from adversity, and which, again, I don't mean to belittle the pandemic, but I think it has shown us, you know, that we can't operate in different ways and PAM is no different.
But traditionally we've talked about endpoint privilege management as a thing which allows admins to access endpoints to do the things that they do, you know, upgrade or patches, et cetera. What is becoming more prevalent is remote privilege management, which means increasingly people are looking to get privileged access from a remote machine, and that's not just admins, but the others. So, I mean, that picture that I've shown you might be, you know, a bit far-fetched perhaps, you know, suggesting that someone is accessing an endpoint or accessing PAM from their phone on the underground.
Yeah, they do need access from much more than just a Windows platform. So they need it via their phones and they need it via Android. And I think that the other side of that, where we give people RPM, means that we need to provide more platform support to them as well. So at the moment we kind of treat privileged access on endpoints as kind of separate, with specific capabilities, you know, such as black or white listing applications.
But I think we need to see it as part of the new way of working so that people, you know, even DevOps people, even the people working in, say, human resources, anyone that needs access to some kind of secrets, are able to do that on whatever machine that they have available to them, whether that is a home laptop or whether it's their phone. And we will also, I think, see the development of application to application privilege management, working like this as well.
And finally, just to round out this piece, we'll see, or we may see, more compatibility with traditional tools, such as incident response, endpoint detection and response, and data leak protection. And of course, AV tools, the long forgotten but stoic part of cybersecurity, you know, which are always the first line of defense against malware and phishing attacks, et cetera. So that's just a few short ways in which I think that the endpoint is going to impact on privileged access management.
And again, I think most of the vendors are quite aware of this.
So just some quick takeaways and recommendations from my opening keynote. There is, without doubt, a wider choice of lb platforms and technologies and Evan. And I say that because even with the shrinkage that you might expect through M&A and acquisitions, we've still got more vendors in our Leadership Compass this year than we did last year. So that is quite extraordinary, really.
I would say to you, if you are new to privileged access management, have come to realize that it's something that your organization needs or would use that choice to your advantage. You know, there are vendors now, and there are solutions that can play to all parts of the market.
And so, you know, have a shop around and even, you know, look at the kind of deals you can get and how the PAM might be priced. Think about PAM as a service, for example. The big vendors, to their credit, are aware that they've got agile nippy guys at their heels, nippy guys nipping at the heels. That's what I meant to say. And they're, they were innovating harder to stay at, which is great for the market.
Ease of use is something that should be high on your list of desired features because PAM is hugely complex.
And the more that you can simplify, particularly at the sharp end, which is deployment and actually using the thing, is fantastic. So, you know, look out for that. Understand and define what is a secret in your organization.
I mean, that's all part of what you should do anyway, as part of a risk assessment, et cetera, but all organizations are different, you know, and all organizations have different types of secrets in them. And some you want to protect, some you might think are not so secret after all.