Hello, good afternoon, good evening and/or good morning, depending on where you're listening in from. Hello, welcome to my webinar, which is just me, and I'm talking about PAM, Privileged Access Management, if you didn't know. And the question is, do you need it?
Well, let's find out. We're also going to be talking about the KuppingerCole PAM Leadership Compass and some of the results from that.
So, for all of you who are interested in Privileged Access Management, which I hope is most of you, this should be worth your 30 minutes or so. So, let's just get into this stuff. Just relax, sit back, enjoy everything. You don't need to control anything, just listen. It says we're running polls. Don't worry, we're not actually running polls on this. It's just a standard slide. But there is a chance for you to ask me questions at the end. You can submit those questions at any time in the control panel.
And of course, this will be recorded and available on the KuppingerCole website in a couple of days, so that any of your colleagues or yourself can listen to it again. So, that's that.
Now then, Privileged Access Management. Okay, I probably don't need to tell you this, but the definition of Privileged Access Management is changing somewhat. But let's look at this. This is what I think is a nicely constructed definition.
So, it is basically a set of technologies and strategies which allows organizations to have control over access to things and give permission. And this is the important bit. Allow users, user identities, machine identities, workflows, and anything really that needs access to something else in a network.
Now, in the past, Privileged Access Management has basically been defined as something that monitored or controlled privileged accounts. So, certain people, and they generally were people in an organization, would have special access and permanent access to things that were considered high level or privileged, such as being able to administer things or do remote control access to people's PCs and things.
So, it was a fairly simple thing. But in recent years, and certainly in the six years or so that I've been looking at Privileged Access, the whole notion of what it is has changed somewhat. And one of the reasons for that is the reason why there's this picture on your screen from Game of Thrones, which is a series which, unlike the rest of the world, I didn't watch until this year.
And then, of course, I became obsessed by it. But in it, there is this character, Jaqen, who has many, many identities, and he can change his face. And that's kind of where businesses are now, in that it's much harder now to understand who an identity belongs to, or who or what that identity needs, and whether that identity is actually what it says it is. In the case of Game of Thrones, this guy could change his identity to carry out tasks, usually murderous tasks, in order to satisfy his clients.
Now, luckily, the general business organization doesn't yet need to murder people. But we do have this issue now with multiple identities, and multiple users, multiple machines, all trying to access the organization. So it means now, I would say, it's more about Privileged Access to stuff, rather than Privileged Users, Privileged Identities, and where the privilege lies. So I asked at the start, do we need Privileged Access Management? The answer is yes, but not necessarily one type of Privileged Access Management, which I'll come to later in this webinar.
But we need PAM probably more than we ever have, simply because the number of things that need protecting, the number of, let's say, cloud operations, clouds themselves, databases, applications, SaaS applications, individual resources, all of these things now have valuable things on them. And we have to start to think about how we protect those things. And using just regular Identity and Access Management or IGA will help, obviously, anything will help. But we need to start thinking about assigning access resources a privileged value.
So we need to start thinking about how we allocate access to these things. And this matrix here is from the MITRE ATT&CK matrix for Enterprise, which basically shows everything that is involved in the attack, protecting the attack surface, protecting the attack layer and protecting the organization. And you can see right in the middle, I've highlighted, these are just a few of some of the dangers, some of the risks that come with privileged resources.
You can see some of the techniques that criminals will try to use or hackers, attackers, whatever, maybe they're not even criminals, they could just be state actors, they could be people that just want to screw things up. But they will look at ways of doing these things like abuse elevation controls, manipulate access tokens, manipulate accounts, affect the boot or log on, they will look to create or modify system processes, and so on, and so on, and so on.
They will look to exploit privilege escalation, something which is quite easy to do with traditional PAM tools, less with some more advanced ones. There is more stuff. And what this doesn't actually say here is how much more complicated and how much more challenging it has become to stop these processes or abusive processes, the more that we start adding stuff to clouds, the more our networks expand, etc. So it's very much part of traditional attack areas.
But again, even this is a little bit dated because it's mostly talking about admin-type attacks, where most of the privilege stuff was done by administrators. They would get a request to, for example, give access to a user, and they would set up standing privileged accounts, something which has existed for a long time. And those things were open to abuse. And they still are, because many, many organizations still operate privilege in this way.
So now I'm going to think about how and when the privilege exists, how we need to start thinking in a new way about privilege. PAM used to actually stand for privileged account management, then it got changed to privileged access management, which is closer to where we are now. I think we're now just getting to a phase where we talk about privileged access control, or privileged task management, or just lump it all under privileged access control.
Because we need to move the focus of privilege away from the identities, away from those many-faced gods, as I call them, from Game of Thrones, and into the resource. So from identity to resource. The idea of this is that you do not have standing privileges. You do not have people or identities that always have access to passwords which allow them to gain entry to a sensitive resource. What we need to start thinking about is this: you don't begin with the privilege, okay, you don't begin by saying, okay, you as an identity, it's likely that you'll do these various functions and roles in the company.
Therefore, we shall give you privilege access straight away. And you will keep that privilege access for, well, pretty much forever as long as you work for the business.
Instead, what we need to be thinking about is this. And if you don't take away anything else from this webinar today, think about this. Think about this statement: at some point in time, every identity will need privileged access. At some point in time, every identity you control, every identity that's listed in your Active Directory, or in your IGA system, will need privileged access for something. Because the privilege bit is now the resource, and the privilege bit changes. As a company changes, new resources are built, new applications are built, new ways of doing things are created.
And at some point, different identities are going to need access to that. But that stuff is a risk if the wrong people get access. So then if the same person that was once given standing privileges is not given them for everything that he might need in the future, they will have to ask.
Now, the problem with that, of course, is speed. And the reason why we have standing privileges is because it works well with traditional PAM. So just to rewind slightly, it is likely that we will keep some standing privileges for some lower level privilege activity or privilege workflow. But that all comes down to how you manage the risk. And even in so-called zero trust networks, you still have to have a level of trust. You have to have some trust in your organization.
Otherwise, nothing gets done. The end game of zero trust is that nothing can work unless that node or that point of inflection or that point of access has been checked to be secure. And this is where I think that people get hung up on zero trust a bit because they think that's what they need to do.
Well, no. What you need to do is do a good old-fashioned risk assessment. And within that risk assessment, you assign a privilege value to resources. You assign what, if it is accessed, would need to be validated so that identity is either allowed to access it or not. And that is called zero standing privilege for that particular activity. It's also called just-in-time access.
Now, just-in-time, again, there are two types of just-in-time. There's one type of just-in-time where you kind of have semi-standing privilege.
So, the identity does have standing access to a particular resource, but it's not actually switched on until time of asking. So, it's kind of zero standing privilege, but just-in-time. Pure just-in-time is the future of privileged access, but we're not there yet because pure just-in-time means you have to work very quickly. The code behind privileged access then has to work out almost instantly whether an identity is allowed access or not, and to do it in real time.
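The three models just described (standing privilege, semi-standing privilege that exists but is switched on at time of asking, and pure just-in-time where nothing is pre-assigned and a policy decides per request) can be made concrete with a small broker. The following Python is an added illustration for this transcript, not code from the webinar, from KuppingerCole, or from any vendor's product. The resource names, the risk values, the one-hour TTL and the "approval above risk 3" rule are all constructed for the example, and the resource's own check is the `has_access` call at the moment of use, which is what makes an expired grant fail.

```python
"""Toy privileged-access broker: standing vs. semi-standing vs. pure JIT grants.
Constructed example; all resources, risk values and policy knobs are invented."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Grant:
    identity: str
    resource: str
    expires_at: Optional[datetime]  # None = standing privilege, never expires

    def is_active(self, now: datetime) -> bool:
        return self.expires_at is None or now < self.expires_at


@dataclass
class Broker:
    # Risk value per resource (1 = low, 5 = critical): the output of the risk
    # assessment the talk describes. Values here are constructed.
    risk: dict
    standing: list = field(default_factory=list)  # traditional PAM: always on
    eligible: dict = field(default_factory=dict)  # identity -> resources it may activate
    active: list = field(default_factory=list)    # time-boxed grants currently in force
    audit: list = field(default_factory=list)

    # Policy knobs (assumed for the example, not from the webinar): how long an
    # activation lasts, and the risk value at which a pure-JIT request needs approval.
    ttl = timedelta(hours=1)
    approval_threshold = 3

    def has_access(self, identity: str, resource: str, now: datetime) -> bool:
        """What the resource checks at the moment of use. Expired grants fail."""
        return any(g.identity == identity and g.resource == resource and g.is_active(now)
                   for g in self.standing + self.active)

    def request(self, identity, resource, justification, now, approved=False):
        """Evaluate a privilege request at time of asking. Returns a Grant or None."""
        if resource not in self.risk:
            self._log(now, identity, resource, "denied: resource has no risk value")
            return None
        if not justification.strip():
            self._log(now, identity, resource, "denied: no justification")
            return None
        if resource in self.eligible.get(identity, set()):
            # Semi-standing: the entitlement exists but is off until activated.
            return self._grant(identity, resource, now, "activated eligible entitlement")
        # Pure JIT: nothing pre-assigned; decide from the resource's risk value.
        if self.risk[resource] >= self.approval_threshold and not approved:
            self._log(now, identity, resource, "pending: approval required")
            return None
        return self._grant(identity, resource, now, "jit grant")

    def expire(self, now: datetime) -> None:
        """Housekeeping: drop grants whose window has closed."""
        self.active = [g for g in self.active if g.is_active(now)]

    def _grant(self, identity, resource, now, why):
        g = Grant(identity, resource, now + self.ttl)
        self.active.append(g)
        self._log(now, identity, resource, f"{why}, expires {g.expires_at.isoformat()}")
        return g

    def _log(self, now, identity, resource, msg):
        self.audit.append(f"{now.isoformat()} {identity} {resource} {msg}")


def demo():
    """Walk the three models on constructed data; returns (results, audit trail)."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    b = Broker(risk={"helpdesk-reset": 1, "prod-db": 4})
    b.standing.append(Grant("legacy-admin", "helpdesk-reset", None))  # traditional PAM
    b.eligible["alice"] = {"prod-db"}                                  # semi-standing
    out = {}
    out["standing_now"] = b.has_access("legacy-admin", "helpdesk-reset", t0)
    out["alice_before"] = b.has_access("alice", "prod-db", t0)
    b.request("alice", "prod-db", "INC-1234 restore from backup", t0)
    out["alice_after"] = b.has_access("alice", "prod-db", t0 + timedelta(minutes=30))
    out["alice_expired"] = b.has_access("alice", "prod-db", t0 + timedelta(hours=2))
    # bob has nothing pre-assigned: pure JIT, so the resource's risk decides.
    out["bob_unapproved"] = b.request("bob", "prod-db", "curiosity", t0) is not None
    out["bob_approved"] = b.request("bob", "prod-db", "INC-1235", t0, approved=True) is not None
    out["bob_lowrisk"] = b.request("bob", "helpdesk-reset", "ticket 77", t0) is not None
    b.expire(t0 + timedelta(hours=2))
    out["active_after_expiry"] = len(b.active)
    return out, b.audit


if __name__ == "__main__":
    results, audit = demo()
    print(results)
    print("\n".join(audit))
```

The point the talk makes about speed shows up in `request`: every decision in the pure-JIT branch has to be made at the moment of asking, with nothing pre-computed, which is why real products lean on fast policy evaluation for that path while the semi-standing path only has to flip an existing entitlement on.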
And this is where we are starting to see the leading vendors in privileged access approach it where they're starting to use AI so that they can make those risk assessments quickly, and then they can grant the access more quickly. But it still comes back to some of those basics that we need in any IT infrastructure, which is things like basic hygiene, which is all the stuff I've been talking about, which is data governance and risk assessment.
The advocates of zero trust recently have started to say that risk assessment is an old-fashioned and unnecessary science or activity, and if everything moves to zero trust, we wouldn't need to do risk management. Well, I think that's, for a start, the practice of risk management, or integrated risk management, has been around for many decades, and it suits IT as well as every other kind of business activity. And when people start saying, oh, we need a zero trust network, they don't tell you the level of application, hard work, and intensive monitoring a zero trust network needs.
They don't tell you the resources that you might need to throw at it. They don't tell you that, for some of the biggest corporations, zero trust is impossible, and for some of the smaller organizations, it's not worth it. But that's enough about zero trust for now. Just to put this into context, so this is how I see PAM in the future, where it fits in to data access for identity, so identity looking for access. So we have, right now, we have maybe seven different types of identities.
The admin, traditional developers, DevOps, end users, which is employees, effectively, machine identities, of which there are now many thousands of millions emerging, third parties, again, third-party access, or vendor access, customer access, is adding to the mix. Because at some point, these guys need what we might call privileged access. How are you going to apply zero trust to them? Because they're coming from another network entirely, and so on.
And then, of course, we have endpoints, and probably edge computing, and things like that. So the identity types are multiplying. At the moment, we have these seven.
And then, those identities are currently managed by a mixture of IAM, PAM, and the new guy on the block, Cloud Infrastructure Entitlement Management. And you probably should add IGA in there, as well. And they're looking for access to all these types of infrastructure.
And then, of course, on the right here, we have what kind of data people are looking for. And you could probably add AI data to that now, as well. This slide, actually, in its original form, predates the age of AI.
And then, as I said, there are elements to the organizational infrastructure. So I have put zero trust design in there, because people will be interested in creating at least some form of zero trust, zero standing privileges. Identity lifecycle management, governance, data governance, and then some form of DR. You could probably add identity threat detection and response as well, which is now not affecting the PAM market so much as affecting the identity security market. In my opinion, ITDR is perhaps a slight distraction from what we should be focusing on.
It is, in effect, a version of XDR, some kind of detection and response. But I'm not saying people shouldn't look at it, but I don't think that if you're looking to protect identities and protect access from those identities, or for those identities, then you should be looking at the PAM or CIEM or identity access management first. ITDR is a nice to have, I think. It's adding bits to it, so that, yeah, you can see, oh, there is a threat to the identity. But that's talking usually more at the edge.
But CyberArk and one or two other leaders in privilege access have started to integrate ITDR, so we'll see what happens. If you were a customer of one of those companies doing or adding ITDR as a function or a capability, then that's fine. You don't have to use it. But I wouldn't recommend people buy an ITDR before anything else. But there it is. Just to add it there, that's why I didn't put it on straight away, because I didn't want to focus too much on it.
Now, when you're thinking about implementing an identity security platform or a PAM, of which PAM is now a part, if you're looking to completely protect identities, then a combination of tools may be necessary. And you might call this an identity fabric, you might call it identity measuring, you might just call it a set of tools to protect identity.
But again, you need to think about what worries you most, what are the risks to your business? What is your most sensitive data? What is the stuff that if it was corrupted, or if it was accessed by the wrong people, might bring the business grinding to a halt? So you think about what worries you most, then you've got to think about why you're in business in the first place. What obligations do you have?
Like, you know, who are your customers? What are they depending on? How much of your organization, how much of your infrastructure is critical to keeping customers services going, etc, keeping customers happy, if that is deemed to be of high privilege value, you need to do something about it, because the customers, the last people that you want to be affected in any breach, unfortunately, often is the case. And then what is your business? And I said that already. But you know, think about what type of business you have.
You know, if you're involved in retail, if you're involved in, to put it simply, if you're involved in selling stuff, then you're likely to have access to a lot of payment data and a lot of personal information, you need to protect that. If your business is in health, obviously, that's also extremely critical data that you probably have access to and so on. So think about what your business is. And as I've been trying to say in that earlier bit, rather than think I need PAM or I need IGA or CIEM or something, and go looking for it, like you start with the answer.
Instead, think about your data governance. First, think about what you have.
Again, those three questions, what worries you most, what obligations, what your business all fall into data governance as well, and the policies that you have within your organization. How do people, how do identities get access? What kind of authorization tools do you currently use or authentication?
Is it, you know, everything based around Active Directory or Entra? Once you've started to think about that from the back, backwards, it actually, I'm only saying it's backwards, because it's backwards to what people tend to think of now.
Actually, this is the right way to do it. So it's actually forwards. But so think about the data first, think about the organization first. Think about how you run things, the policies, how people get access, what you already have in place, authorization tools, then think about how you can start to protect the identities, but protect that data so that the right identities get the right access at the right time, and only for the time they need it.
So that's kind of, I've got five minutes, that's basically where I see privileged access going, which I think is very, very wrapped up in other technologies as well. So much so that I think that, you know, I didn't talk too much about CIEM, that's really for another presentation. If you come to cyberevolution next week in Frankfurt, I'll be talking a bit more about CIEM as well, and the impact that's had.
But just to end really quite a little bit quickly, unfortunately, on the report that I published about a month ago, the PAM market is probably one of the most agile and most fluctuating in IT at the moment. And this is because of what's happening elsewhere, cloud adoption, digital transformation, are, you know, always the cliche things, but also what's happening is just generally the explosion of identities, the explosion of access, the explosion of artificial intelligence, and so on.
And so we, as usual, try to find the leaders, challengers, and followers in our report. And we look at smaller vendors, which are targeting more niche applications, and the bigger players like CyberArk, like BeyondTrust, like Delinea, who are morphing into wider, broader identity security platforms. So we reckon it's going to reach 4 billion by 2026.
You know, that figure is actually important to you as a buyer, only because it shows that people are investing in this market. Therefore, if you invest in PAM, you're likely to invest in a company that will be around for a while. And you'll be investing in technology, which should form the basis of a long term identity protection tool.
Actually, I think that the market probably will grow a bit more than that. But I think we'll increasingly see, as I said, privilege as part of an overall identity access, or enhanced identity access management portfolio.
So, okay, so yeah, call it Privileged Access Solution. Let's just move on from there. Just to quickly give you a look at some of the results of our latest Leadership Compass. We always publish a chart of the overall leaders. So in that we include everything that counts towards that overall leadership score, such as innovation, such as market presence, and product development. So you can see, just to maybe make sense of that for you, the three traditional leaders in Privileged Access, the ones that are now morphing, as I said, or shifting towards identity security platforms.
There's very little really between those. BeyondTrust, CyberArk, Delinea, they pretty much are like for like in terms of capability, in terms of features. They differ, perhaps, in how they are deployed, and to what extent they might have added new functionalities. But choose one of those, you'll choose something that's certainly going to work. You might not necessarily need all those features, though, which is why you probably should look a bit further across this chart.
This is a chart where people always tend to look at the right-hand side, but I think we should look more in the middle and look both ways, because any of those vendors in that compass will provide some form of Privileged Access that would be right for you. The way to find out is to do the process that I've just been talking about, find out what you need, and then map a vendor to you. So right in the middle there, we have some highly capable vendors.
And then to the left, we see people like ConductorOne, Whiteswan, who will offer specific types of Privileged Access, which might suit one particular part of your organization. One thing I didn't talk about was the democratization of Privileged Access, in the same way that departments are buying pieces of cloud. You might see departments buying Privileged Access for one use only. So take a look at the whole market. Don't just look at CyberArk, BeyondTrust, ARCON, Saviynt, WALLIX, et cetera, although you should, because they're very good.
But don't just think, oh, that's what I need, even though it's quite expensive. It's going to take quite a long time to deploy. So look across. Look throughout the report. I urge you to look at most of the reviews in it so that you get an idea of each individual vendor and what they can do for you and how they compare.
Again, we have here in this chart some very, very good vendors in the middle. We also still have some good ones in Bravura and Heimdal, which will offer something to you.
Yeah, that's the end of the presentation today. Does it make most sense to move on a per?
Yes, that is almost exactly right. If you can do that, that is where we come into pure just-in-time, so that you get access only when and as needed. But as I said, that is like the ultimate. And at the moment, to do that and do it well would take a fairly advanced application, which probably only some of the leaders might actually have capabilities for, and some of the smaller specialists. If that's what you want, though, I would urge you to interrogate the vendor and to see how and when they might be able to do that.
But the only when and as needed is kind of like the holy grail of PAM. That is just-in-time and zero standing privileges. But we're not there yet. That's why we still need to do that. We need to do the due diligence that I was talking about. You need to do the examination of your organization. You need to look at that infrastructure. You need to look at how you organize data, everything that's going on, and then decide what kind of privileged access you need to assign to different parts of the organization. Some parts can still use traditional PAM with passwords and a vault and rotation.
Others will need something much closer to just-in-time. So I think that is all. I'd like to thank you for your attention. I hope that gives you some idea of where the privileged access market is right now. The full report is available on the KuppingerCole website. If you join as a member, you will get free access, I believe, for a month to all our research, including privileged access.
Also, you can find identity and access management and everything else that we cover on the website. Also, if you become a full member, you get all sorts of other goodies. I urge you to check out the membership scheme that we've now launched, which you can have access to our research all the time. And in the meantime, then please enjoy the rest of your day or evening. Thank you again for listening, and goodbye for now.