Paul Fisher, Senior Analyst, KuppingerCole
KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Just my agenda for this morning. I'm gonna talk a little bit about a Pam philosophy or what I see as a Pam philosophy thinks to think about before you deliver on Pam and then how Pam that philosophy applies into the material world or the real world, and then finally some recommendations for you to take away. So the Pam philosophy, I've called this the way of Pam, the path to enlightenment. So there's some ideas here that I think we can take and, and this, these path, or these, these instructions could be applied to any it deployment, not just in Pam.
So the first thing you have to think about, and we were talking about it just now in the panel is the kind of environment that you have, the it environment.
And of course also the business environment that you operate in, and you need to find some kind of balance for any deployment so that you need to think about any compromises you might have, whether it's in terms of the infrastructure, you have the legacy infrastructure, whether you are purely cloud or whether you have multi-cloud hybrid cloud, all of those things are going to affect your decision on the kind of privilege access management you may decide on. Or even if you're thinking about building on an existing solution. So you need to choose wisely.
When, when you're thinking about Pam, it's not something a a as the panel just showed even a discussion on something like zero standing privilege has huge number of discussion points. So Pam is something that you need to carefully consider before Taking the plan, and you need to expect some kind, you know, discord from outside the organization, but also within, you're gonna maybe find resistance to investment from certain quarters. You're gonna find people that would question the need for Pam.
You might find people within parts of your organization that don't like the idea of being regulated or having privileged access sort of bestowed upon them. But when you're doing all that you need to think about tomorrow as well. So sewing the seeds for the future, you need to build the best Pam solution that you can and think about the unknown.
I mean, Donald Donald Rumsfeld's famous quote gets brought up on countless presentations, but it's true. You know, you have to think about the unknown, unknown unknowns and things that you don't know might happen, but anticipate them as best you can. So anticipate the future environment that this Pam solution may be required to operate in. We we've seen already what a pandemic can do to our operating environments, and we just don't know what might happen.
So think as much as you can about the future, what happens if your own organization becomes subject to an acquisition or a merger or something like that, which will have an impact on not just privilege access management, but, but also other areas of your organization. So that's the sort of the path to enlightenment as I call it, but then drilling down onto that. I have free tenants of Pam.
And again, these guiding principles can be used for not just for a Pam, but also any project. Really.
So, number one, you need to think about what you need. So what you actually need for your organization in terms of privilege access, do you, do you know how many privilege accounts you have, et cetera. And then when you thought about that, you need to start looking at what is available. So you start saying, well, I need this. And then I need these solutions that may be available. But then also you need to think about what is possible. And that comes back to the question of resistance. You might find within your organization, you might have only a restrictive budget.
So you can't just go out and splash the cast on the most expensive solution you can find. And then within that, when you start thinking about the, what you need, what is available and what is possible, you should achieve some kind of harmony in your thinking. You should start to, you know, gel in your mind as to what solution you need. So that's kind of like the philosophical side of it, which is easy to talk about before you even, you know, deploy anything. But you need to think now about how Pam works in the real world, in the material world, in the business world.
And we like to talk about, we like to talk about use cases and what Pam can do for your business, cuz in the end, any it deployment is only any good. If it actually achieves better efficiency or it achieves some kind of result or end result for the organization. So the two most obvious use cases for privilege access management are, are cyber security. And of course, governance, risk and compliance. Pam can do a lot to protect data and accounts from attack, particularly in the age of ransomware.
And it, it is already known that attackers hackers will go after unprotected privilege accounts. Cause they know it's an easy route in, into the organization. And I'm sure you know that, but I'm added to that. The levels of compliance legislation that you need to meet are increasing and becoming more severe, but they're not just becoming more severe. They're becoming more complicated because we did have a European wide GDPR as you know, which my country, the UK signed up to.
But now thanks to Brexit, they're thinking of changing that a bit so that they can then say, well, actually we quite like the idea of looking at people's data because that would give companies some kind of competitive advantage so they can, you know, deliver better products. So that means that if you're an organization working across Europe, you now have to meet the existing GDPR and probably some kind of mutant version that whatever the UK government is, is thinking up. And then of course in the United States, there are various forms of legislation in different states.
So it means that you, your risk managers and your compliance managers now have to think of, you know, a lot more about the, the legislation they have to meet. So they, they're kind of like the, the, the negatives or the, the negative use cases, which Pam obviously can help with. But then on the more infrastructure side and actually building again, this organ, this conference, we've talked endlessly about cloud multi-cloud hybrid cloud, et cetera, and how everybody is deploying cloud and actual.
When I've been speaking to some people here, it's not, we, we, we probably shouldn't think about the idea that everybody's switching to the cloud. Still many organizations want to keep stuff on premises, et cetera, but also it's not just putting stuff in the cloud, like databases, et cetera. It's about creating those cloud infrastructures in the first place and creating infrastructures code and all that stuff. And to do that, you're likely to have give access to people to sensitive stuff, to code cetera. So Pam can help with cloud deployment, but also building clouds.
And then finally remote working again, the pandemic has opened up new avenues of working. We don't know yet whether people will permanently work at home or whether they'll go back in, in large numbers after the holiday break in, after August in UK, it 20% increase in the use of public transport in London suggested that there was a significant return to work or work to workplaces, but not a total return.
So I think like most people, we will end up with a kind of hybrid situation because people like the convenience, et cetera, but it does mean that the, the old idea that Pam for remote was only for admins that needed to do stuff on a remote laptop or whatever it now increasingly means that people need to do privilege stuff from a remote location. So Pam's gonna help with that. I've already talked about cybersecurity and then how many attacks likely to go through.
I'm not gonna go through that attack route, but it's a one way that attackers get in with privilege accounts, usually through some kind of fishing attack with a link or some kind of attachment, and that leads them in to take control of that account and then they can get into other parts of the organization. But the, the important step there is probably that attempted privilege access from an unknown house host account is 74% of privilege access anomalies. So there is no doubt that privilege access or privilege accounts are being targeted. And that's obviously likely to continue Back to GRC.
When we start looking at Pam platforms, Pam solutions, we can start drilling down into some capabilities and not all Pam solutions are gonna have all of these, but some of those, there are key to keeping you compliance. So password management, session management, and particularly user behavior analytics. So when the regulators come knocking and you perhaps have had a breach, they need to know that you've got evidence that you did as much as you can, or to protect, to prevent that breach and analytics that are built into privilege. Access management solutions are vital for that.
And so on and control privilege. Escalation, there are many more capabilities as you can, you'll find out by looking at our research, but there are some highlighted ones that would help you with GRC. Let's go back to, yes. Yes. If you have any questions, just raise your hand in the room or use the app. And if you're listening in online, use the app to ask questions. We can at any time questions, sorry. I should Paul. He loves this to get nasty, difficult questions. Yes. Especially from Martin. Yeah. So thanks for that back to cloud.
So I was already talking about the difference between, you know, putting stuff in the cloud and building clouds. And increasingly I was speaking to people from IBM just recently. And they said it was typical for their clients, IBM security services. They said it was quite typical these days for their clients to have 10 or 15 different clouds. And probably more than that. And some of these clouds, they don't even know about, we, I heard the term shadow databases, which I guess is an extension of shadow it.
So people are sticking stuff up on clouds that the company or the admins don't even know about. And Pam increasingly will allow access from remote OnPrem and mobile devices. And of course, OT, so machine getting access, but it's becoming more complicated in, in the cloud. So people are, are moving, you know, are putting stuff into public clouds, et cetera. But increasingly we're seeing the DevOps environment and their so-called agile environments where people are doing stuff in the cloud, like they're coding, they're orchestrating and testing.
And that really brings up what Martin was introducing on Monday. I think it was yeah. With dynamic resource access. And that really what you're seeing there on the right is, is probably typical of what I would call a dynamic cloud infrastructure, where things are happening all the time, very fast and changing all the time.
You know, people are changing applications like 15 times a day. DevOps will send stuff to production, like 30 things to production on a Friday, et cetera. So this is the kind of dynamic environment that we, we are now seeing more often that needs protected and what's going on in there is actually highly valuable to a business. And it's high value data that they're using. And all of that is of great interest to people that you don't want to access.
So Pam and we predict that in well, from now on, you'll see more elements of cloud infrastructure, entitlement management, but also parts of the dynamic access that Martin has identified. So that's something else to think about when you're looking at Pam, it's not just about static access. It's not just about standing privileges. We were talking about it's gonna be a lot faster and a lot more dynamic.
And this is actually a slide that Martin I've stolen this from Martin, but I'm not gonna go into this in great detail, but I put it into this deck simply because when you download it, you can read the detailed information about how we consider security is gonna change, not just for privilege access, but also for all of it. So that's dynamic resource entitlement and access management. And finally remote working. I just say again, remote working is in some shape or form is here to stay. And some of those remote workers are gonna be privileged workers or people with privilege access.
So we need to think about how Pam solution can give them the access they need. And those people may even be doing the kind of stuff that I've just been talking about, dynamic access. And just because they're working at home or in a remote office, they need to be protected, but they also need to get the access they need. So moving back now to the world as it is, once you've considered all that, and there's a huge amount to consider. I realize that you need to apply the tenants that I talked about at the start to the market and what's available.
So you need to identify your primary use cases and what, so that's what you need. You, you have identified what kind of operation you have, what kind of employees you have, what you do. Do you have supply chains that work closely with you? Do you allow access from customers? Do you allow access from, from those supply chain? So you need to think about what you need to protect that and what you need to protect the privilege within that, and then understand the capabilities on offer. And so how those capabilities meet your needs. So what is possible, and then you get more concrete.
So you look at the various vendors out there and create a short list of what is available. So here are just a selection of capabilities. I'm not gonna go into them in great detail, but these could be found in many pan products that we look at. And we look at virtually every privileged access management platform in the market. But some of the things to highlight there are for example, application to application, password management. So increasingly privilege access is not just about human users. It's about applications and machines getting access from each other.
And they get privilege access to certain things. A vault is something that virtually every Pam solution will have, particularly those more established ones, a vault is where you encrypt passwords, install them so that when people want access, the password is checked in and then checked out also single sign on privilege, user behavior analytics that I think we, I talked about already, but those are just some of the capabilities and there are more, and you can read a lot more about what's available. Our leadership compass for 2021 was published just last month.
I think we as an organization because we specialize in identity and access, we have an unrivaled coverage of privileged access market. So in the latest version, there's 26 vendors and their products are reviewed and rated, but we also have eight vendors to watch. So that's 34 vendors in total, and I think we've pretty much covered the market there. So you can download that report.
Now, if you are a subscriber, if, if not, you have a 30 day free access, so you can download that. And that gives you a lot more detail about some of the stuff that I've been talking about just now. And it gives a rating for all the vendors. So I said some stuff to think about over lunch, but actually I, I got the timing of this presentation wrong. So there isn't lunch after this, but you can still think about it over lunch. What you need to think about is there are now, as I said, a huge, huge number of, of Pam vendors and they don't all offer the same capabilities.
The great thing is that the Pam market is, is, is like, what it needs to address is, is dynamic. So we're seeing a heterogeneous market mix of the established sort of leaders, which will do sort of Pam and provide every capability. But then we're seeing more with smaller vendors and startups, which are sensing that there are gaps in the market for particular use cases and capabilities. And those are sort of the ones to watch. So you shouldn't think, oh, I need to buy a Pam solution that does every capability that I showed you on that slide.
And more, you need to think right back to what you need, as I said at the start and use the choice to your advantage. So it's very, as I said, it's very competitive. The vendors are looking to meet your needs and think of Pam again, think about this, our new dream paradigm and how Pam fits into that and how dream will actually is relevant to your organization.
Something else that's interesting in, in the market is the convergence, a little of identity and access management and Pam, I don't personally, I think that Pam will still remain a separate discipline, but identity and access management vendors are interested in, in this market, which shows for them, it's a lucrative market. And it also means that those existing pan vendors have got more competition, which means that they become more innovative, which means it's good for you. Ease of use is something that, that I didn't really mention much in the presentation, but actually is quite important.
A few years ago, Pam solutions or Pam platforms, would've been very admin focused. They would've had very sort of command line interfaces, which admins love. And they've realized that again, the market is shifting that the people that maybe are administering privilege access are not traditional admins. They may be more, excuse me, more regular employees that are given special, you know, responsibilities for free access, but they don't need, or they don't want command line interfaces. They need something that's easy to use.
And these people increasingly come from a, you know, a, a population that is, has become used to ease of use. They've become used to instant access. So it's good to see the, some of the larger vendors were dragging their feet a little on this, but some of the, the smaller ones, more innovative ones have driven the market. And so now we see even the biggest vendors making their products much easier to use an administer. And finally, remote privilege access is not for admins.
It is for, for everyone. So that's the end of my quick 1 0 1 I'm slightly early. So if there are any questions online or.