I'm Paul Fisher and I'll be talking about the privilege access management market and some trends, et cetera are happening. I've started off broken the convention here of starting off with my name and et cetera. But this phrase, everything works with everything else, kind of underpins everything that I'm talking about in this following presentation. It kind of sums up the state of, it sums up the state of our organizations. It actually sums up the state of the world because we literally are connected to everything else and everything works with everything else or does it. So let's find out.
So that's what I'm talking about, the PAM market, first of all. Then a little bit more about some findings from our Leadership Compass 2023, and then I'll get into the democracy, which is a term that I've created for what's happening in market and in what the vendors are doing, et cetera.
So the PAM market, some figures, I know that sometimes people think, well, who, who cares about the figures for the market? It's purely for the vendors.
You know, how many dollars they're making. But actually, if there is growth in a market, it is of interest to buyers as well because simply because if other buyers are buying stuff, then there must be some reason for that. So therefore, the fact that the PAM market is growing is significant. It's not growing spectacularly, it's growing steadily and it'll become apparent as we go through this presentation.
The, the reason for that is that perhaps it's not a very mature market still. There's still a lot of untapped space and a lot of companies are actually not yet using privilege access management as we discovered in some of the previous sessions. So the revenue per region is probably even maybe of less interest.
But the what is of interest to us as analysts is how it breaks down. So as equal between USA or, sorry, North America and EMEA, but there is starting to be some growth in Asia Pacific. Asia Pacific.
There's traditionally been an area, a market that has kind of lagged behind in privilege access and there also have different approaches to privilege access. They tend to be more focused on, for example, things like access purely to databases and focus much more on financial services. So there are growing markets in Japan and places like Malaysia and the Philippines, Singapore, and then it comes to Latin America.
And yes, oh, sorry, this is this year, sorry, yeah, sorry we didn't put that on there. So sorry. 2022 last year. 4% for Latin America. Latin America, again, is a very emerging market.
Probably one company tends to dominate that at the moment, which is senhasegura. But apart from that, we don't see that that changing very significantly any time soon. What is more interesting to you as buyers is the change in how the vendors want your money. Traditionally, PAM, like many other pieces of software, has been done on a MA on a maintenance basis.
So you know, you buy it, then you have to keep paying years ahead for upgrades, et cetera. Both parties are now seeing a subscription model, which is kind of like what we do with 365 or with Adobe software that is seen as more convenient. And also the vendors are willing to take the risk of churn because they feel that it's actually worth it because they, you know, they probably hold onto more customers and it's easier to manage. So those trends are, are what we're seeing.
Now.
Let's get more into the so nitty gritty of what I'm talking about and how the PAM market is, is breaking down in what you know, what actually is happening on the ground. And this is a survey that we did from our own customers. So when we do webinars, when we do surveys, we ask people privileged access management customers what they use. And significantly we found that 16% use three or more different PAM solutions, 23% use two or more and 40% debt.
You could read that yourself, but this is something that we'd never, we kind of suspected was happening, but we didn't actually have proof until we did this survey. And this comes down, I think, to a fracturing of the market and privileged access management market in the people are starting to decentralize purchasing not just for PAM, but for other pieces of software.
And some of these, one or more, or three or more, PAM installations are being bought by departments and not necessarily through central IT or central purchasing and are not always authorized.
However, the, the management of the companies tend to find that they don't mind too much because if, for example, some kind of PAM is used in development area or software engineering and it's actually doing its job, so there is not, there is a reduction in attacks, et cetera, then they're okay with it. Now if we, this is a survey that was done by Cisco, which is actually a very, very good and I recommend, you know, if you want to find this on the web, it's worth reading.
But what I found the most interesting part was when they were asked to give a, weighting to the kind of technologies that they felt were the most important in for cybersecurity, they tended to be very traditional and they tended to say stick with identity and access management.
And even with things like Active Directory and other, the tools within that for protecting privilege, only 10% was given to the importance of privilege access management, which is kind of proof of what shows earlier that there is still a lot of growth in the market.
We don't really know why we, we, we talked about this on the, on the panel just now, but we don't really have any particular answers as to why it's so low. It could be a, an education piece or it could be that people just don't want it or they just don't know about it. But that 10% figure is, is well, well worth remembering.
So that brings us into some findings from the Leadership Compass, which then again kind of cements some of the trends that is happening in the PAM market. So these are some of the top line sort of headline things in the bag as it were.
If you've got a picture of a bag, then you have to use it and justify it. So in the bag we have things like CIEM, cloud infrastructure, entitlement management, having a significant impact on the PAM market and is having an impact on new vendors. But it's also having an impact on the traditional guys like the BeyondTrusts, the Delineas, the ura who were here earlier, but we're seeing more new market entrants coming in. We're seeing potentially a market divide occurring. So we have kind of big PAM as you might want to call it. And then we have sort of more niche players coming in as well.
We also in the survey, tried to take account of, we, we changed the scoring system a little bit. We, we shook up things and we changed some of the things that we thought were important. So we now added in DevOps and data governance. I think that's right, isn't it? Yeah.
And, and data governance, because we felt that there was a, a push or a trend or a demand from some customers that PAM would give some level of data governance as well as protecting privilege. And we don't mean the full scale data governance, which means that you can then tick the box for all the standards and compliances, sorry, the the regulations, but more in a turn of literally governing the data governing what is being accessed and what is considered to be privileged data within your organization.
And that, as I said in the panel is, is actually coming is, is is being shown by the fact that a vendor which has traditionally had nothing to do with privilege access management, a data governance vendor, has started to add a small little piece of privilege access.
And so it meant that the traditional PAM providers were also thinking, oh, maybe we should start thinking a bit more about data governance. And so that's why we, we changed the scoring a little, just go back four years and this two, 2019 was the year that I joined KuppingerCole.
And it was also the year when I first looked at this market. And you can see there, this is how things panned out, the followers and challengers and the leaders that we had then. And you know, there's some names there that have since disappeared. There are some familiar names, but what's interesting is when we look at 2023, unlike other markets where you would expect to see some consolidation, usually what happens is the number of vendors goes down. What's actually happened is the number of vendors has increased in four years.
And we have now we have people like Heimdal Security, et cetera, joining the list.
We still have the big names in the leaders. One of those actually is an example of some consolidation, the merger of Thycotic and Centrify, which became Delinea. So that again suggests that there's a lot of churn, there's a lot of activity in the market.
It's, it's, you know, it's a market that's on the move and it's certainly not mature. And that would explain the 10% figure and it would explain, you know, the penetration or the lack of penetration in some regions in the world. So if we take those categories, followers, challengers and leaders, and I thought maybe we could give them slightly different name sort of classification.
And we found that if you look at the, the followers now we, we did have a bit of a discussion in COLA about whether followers is a good name or a worthy way of describing because it's not meant to be a negative, but we couldn't think of a better word.
So we, we left it as followers. But actually you can find within the followers much, you know, a high level to innovation, you can find vendors that have decided that a PAM product for a particular niche area is worth doing.
Increasingly they will focus more on the entitlement, which also brings in the data governance side of things and identity first. The challengers still tend to be more in the SMB space, but they also will focus on identity and passwordless. And then we get to the, the leaders which tend to be, like I said, you know, the BeyondTrust, ARCON, et cetera, the guys that provide the sort of end-to-end solution that not everybody wants, but it tends to be favored by big enterprises, by financial services.
Those people that like the passwords, they like the vault and they like the fact that it's kind of reliable and everything. So that's another way of looking at it. But then at the same time within the market, and this will probably come out in the 2024 Leadership Compass, we're seeing new vendors arriving from different areas. So we have, for example, Britive who will be classified as a CIEM vendor, but they're looking actively and want to be seen as a vendor that can provide control of privilege access.
So we're seeing also HashiCorp who kind of concentrate on the sort of development area and so on.
We are hearing that traditional IGA or identity management companies like Okta and SailPoint are also interested in the privilege access management market. And that means that they will bring all the expertise and experience they have with identity management and they're likely to go probably straight into the challenger section. Now the big one of course is Microsoft.
Microsoft has now entered the space at least for secrets management and cloud management and managing what they call workload identities. And they've bundled all this under a brand name called Entra. And that includes the acquisition that they made last year of a CIEM vendor. And it's rumored and we believe that Microsoft will add to that package some form of privilege access management that might find come as, as a form of an acquisition or might develop themselves. At the moment, a lot of what they're doing is really repackaging the tools that exist.
If you can find them in a 600 page Active Directory manual on how to actually do a bit of identity access management and privilege management within Active Directory. But the way they've done is simplified that and you know, and quite correctly they put that into a sort of a dashboard wizard style thing. So that doesn't necessarily mean that Microsoft are gonna suddenly become the dominant force in PAM, but I'm pretty sure just because Microsoft is Microsoft, it's massive. So anything it does is like a tsunami effect.
So if it plunges into a market, it's going to affect it and it's gonna affect most likely the traditional players that we've been seeing. So let's do something else now. So we've got the, the vendors who are disrupting, let's add in the, the stuff that's happening in out there where everything is works with everything else.
And I've, I've picked, I've done three things here.
So I've got one, one is happening in the actual enterprise itself or the customer base, so that's decentralized purchasing. Then we have B, everything works with everything else, which is just the blob that we all live in, which, you know, means that everything's connected, everything is in the cloud, et cetera. And we can't do anything about that because it's just here. And then from a technical point of view, we are looking more and more from talking more about identities and less about privileged accounts.
And this is where we come to what I've called the cracy. If you put all those three together, a intersections, B intersections C, then you see we have this suddenly because everything is connected with everything else. Everything works for everything else. Then we have this new paradigm or population of identities, we are all getting some kind of privileged access, far removed from the traditional definition of privilege access, which is what, you know, admins having standing access to machines to do stuff that's kind of changing rapidly, really rapidly.
And that's why I call it a democracy because it's kind of like everybody can have some privilege access at some point. A bit like Andy Warhol said, everybody will be famous for 15 minutes.
Well, in the future everyone will have some privilege access probably for less than 15 minutes. But anyway, so the bureaucracy, I'm gonna talk a little bit more about what this is and how we can work with it and how we can rethink our approach to privileged access.
And again, it all comes back down to this phrase, everything works with everything else. So as I said, we can't do anything about that. That that's, that's, you know, you can't undo the internet, you can't undo the connected state of the world. Like people are now worried about, you know, ChatGPT and things like that. But once something like that is invented, it's very hard to uninvent it.
So we have to deal with it.
But Scott David, who was speaking here on the first day, talked about exponential growth of stuff and he said within an exponential growth, actually there are dangers, but there are also opportunities that we just, but often we overlook them, we don't see them. And I think that the, in this bureaucracy we can see the same thing happen. So I've reduced this down to a thing which is no longer, I'm not talking about individual people or anything, I'm talking about everything that is connected to everything else.
But we give those things an identity and they will give them a credential and then that gives the thing access to stuff. So that's my new ID basically definition of privilege access. So things get identities and that gives access to stuff. So there you go, she's happy about that. Things and stuff.
We can now get, give our things, access to stuff. But of course it isn't as simple as all that because when everything gets an identity that gets a credential, then that gives everything access to everything in theory.
So we've got our identity first bit and we've got our credentials, which are very important, but that means well hang on a minute because everything works and everything else, how, how can we control it so it's not quite so easy? So she's no longer happy. And then I'm not gonna go through all this, but this is kind of a, a breakdown of identities that you, you'll will know about. I mean everyone's been talking about this stuff throughout the conference, but it certainly isn't just admins anymore. It's kind of everything and stuff that we don't even probably know about just yet.
So all these things, literally the internet of things, but this is, this is not the internet of connected fridges, this is the real internet, this is, this is, you know, what we are right now here in in this room.
So all those things have a need perhaps at some point to have access to something which we might consider to be privileged. So what we're doing is no longer thinking about giving things or identities, standing privilege, we're just saying they might need some privileged access.
So we're talking about access and, and the emphasis for privilege should be on, on the stuff that should be the stuff that we measure as privileged, not the user or the other identity. So this is my proposal for a new way of looking at privileged access. I mean it's not that new really, but it, it's just kind of what we have been doing.
But what, instead of saying this is a privileged account and forgetting about it and you know, the last speaker was talking about how we rotate passwords and how that keeps this stuff control. And then machines have standing access, we have no idea what they're doing.
Let's, let's take that thing. So it's an identify what it is. So in this case it could be a, you know, a soft piece of software or it could be me, a human user, it doesn't really matter, but it just gives it a start. It literally identifies what the thing is and we start from there. But the important bit is now the indicators and what a lot of people have been saying, role-based access is finished, we now need to move to policy-based access, blah, blah blah.
Well it's true that relying just a role-based access is probably limited, but actually the role-based bit is still important because you know, that's an important part of what the identity does. So we ask the identity all these questions and depending on the level of granularity that you want, you could have hundreds of questions I guess. And then you ask, can we verify it?
And then that's where your policy bit comes in your policy engine or your policy as code I, I think there's some guys outside that are vending policy. I haven't really investigated that yet, but it sounds interesting.
And that's when you say, is this a privileged access request when you, then you finally get to this stage when you verify and this, this is the last step in the process and only then do you get the credential. And the credential is actually probably not even that important anymore because that simply is a ticket to allowing the thing to get to the stuff. So it could be a password if you like, or it could be a certificate. It doesn't really matter at this stage because the important bit is all happening here.
Now what I've described here has probably taken me, you know, a couple of minutes to obviously if this could be engineered it would take milliseconds. So that's the whole point that in our everything world we need a privileged access system that can work really fast, which is a long way from standing privileges and using passwords, et cetera.
There are obviously to finish, you know, as I said, this is a co a concept, it's an idea, but I think what's happening in the market and what some companies are doing is kind of alluding to that.
But we're still kind of the little red and yellow fishes there. We're sort of still, that's probably privileged access management as it is now. And we we're a long way from the blue.
As I said, it's, it's conceptual so it would need work, it would need way, you know, work to see if it could be engineered it, it would mean in some organizations which currently have privileged access management systems based on a traditional vaults and password, which works by the way, I, I'm not suggesting that everyone should rip all that stuff out because those guys, you know, they have built systems that are reliable but they, they know and we know that they're not fast enough or they're not fit enough to last forever.
But they do do a good job.
And I'm not saying that that stuff is no good. There will be costs involved. So you know, if you suddenly said we're gonna change everything to this, then you know, anything that you do in engineering architecture, it et cetera is gonna cost something. And then you'd have to think about whether there is any governance issues in play and you might find obviously in the organization resistance. So that is my overview of the market very quickly run through and hopefully generated some thought within you. So thank you very much.
I have, if you wanna any questions then I'm happy to take them if not Oh yes sir.
In your study where you said that organizations were using multiple PAM solutions. Yeah. Was it because certain PAMs didn't cover other areas and they were filling gaps with the other PAMs? Or was it really more just the decentralized
Buy? I think it was shouldn't stand next to the speaker. I think it was more kind of decentralized and perhaps you might call unauthorized. So you might have found like a department decided, I mean we didn't go right into, you know, what is the PAM that you're using.
It could be like, it could just been a password manager or something, you know, to so, but it was interesting that they weren't really feeling restricted or unable to to, to do that. So, but I think it was, yeah, definitely more of a case of decentralized purchasing or what we, you know, used to be called shadow IT situation. But I think that could become more legit I guess when, like I say, the business realizes that what they're doing in DevOps for example actually works. So that was pretty much what we felt. Was there an ah yes.
Yeah, my banker
Follower followers like working along with entitlements. Did you? But did you mean that they work with entitlements rather than with accounts?
Exactly, yeah.
So, and that's kind of probably behind what I'm saying as well. We should stop having thinking about accounts. So it is more about entitlements. I'm suggesting that perhaps we could move almost to a hundred percent just in time kind of as paradigm where no one has a standing account, not the, not even administrators or, although you could perhaps let them still have their, you know, standing because what they do is perhaps less crucial because you know, it, it's on a regular basis, blah, blah blah. But it's exactly right.
It it is about, yeah and also the governance bit, which I mentioned was about finding out which is what the CIEM guys do is actually who has entitlements, who has standing privileges and, and you know, doing a, a a, an audit of that. And then after that then you move to your just in time.
Cuz what, you know, the, the, the, the thing that I was describing here, that is basically a just in time process, which would happen like I said extremely quickly, but, but not that, you know, is just a a, a long-winded way of explaining it.
account and fly just
Sorry, what? Since Aura
Creates accounts or the fly just to grow,
Create
Totally put you in a
Group Yeah. Create account. But they're, they're, they're still creating an account, you know, I, I'm, yeah, yeah.
But yeah, so okay.
Just entire membership in the groups rather than,
Than with
Accounts.
Yeah, I mean there was, there was a guy earlier in this, I dunno if you saw it, but he was talking about shared and I wish i'd, he, he'd created some kind of legitimate shared account system and I didn't really get that. I'm not sure if that was the, I'd like to catch up with him and talk to him a bit more about that.
So, anyway. Okay, well I'll let you head off for, well I dunno what's happening now, but probably some drinks or something. But thank you.