Good afternoon, everyone. And welcome to this webinar. My name is Paul Fisher. I'm a senior analyst with KuppingerCole just to put the camera there so I can see what I'm doing.
So, yeah. Welcome to the webinar. This one is called understanding the privilege access management market. So we're going to be looking at what's available in the market and based an awful lot around the leadership compass that we did recently on privilege access management solutions. So before we get going, just as usual, we have a few adverts for some KC events coming up. We have a virtual event on October 27th, which I believe is next week as it is where we'll be looking at securing industry 4.0. That's an online only event and it's also for free.
So if you're interested in that, go to a website and secure your place now, and then we have our big event in November, the cybersecurity leadership summit, which is also online, but it's also live and in real life, as they say in Berlin, and that's on November the ninth to 11th.
And again, if you're interested in that, please register and book online.
Now, as for this webinar, those of you who have been here before, you all understand that you are muted centrally. So there's no need to worry about muting or unmuting yourself. We're going to run a couple of polls, one at the start and one at the end of the webinar, and we'll discuss the results during the Q and a. And it was obviously based around the topic.
And if the polls don't answer your questions, or if I don't answer all your questions during the presentation, and then we have the Q and a, where you can send questions to me through the go-to webinar control panel, which you should see on your screen. And finally, we obviously record this webinar and it will be available very shortly after this and the slide decks be available for download.
So if any of your colleagues who registered, but couldn't make it today, then not to worry, the recording will be available. So let's just kick off with the first poll poll.
Number one, asking, does your business currently have any form of Pam in operation, any form of privilege, access management in operation, and that could be literally any form, not necessarily a platform and the answers or the options we've given. You know, we're investigating the market for a solution.
Yes, but we do not use a dedicated platform. So you're using something else instead.
And yes, but we are looking to replace a legacy platform. So you may have a Pam platform in place, but you maybe feel it doesn't quite meet your requirements now and you're looking to upgrade or to replace. So that's the poll for the first one and the answers or the results we'll have at the end of this webinar. So as for the agenda first, I'll be talking about the Palm, the Pam market itself, and the evolution of choice that there is in it. And then a bit more about how you can choose the right Pam for your particular organization.
And finally, as I said, there's a Q and a at the end of the webinar. So let's look at the Pam market as it is today.
I've been covering, looking at privilege access management, at least for KuppingerCole for two years now, and also was a observer, I guess there's one way of saying it in previous lives, but we, we have seen an obvious growth in the market. And that means that last year we saw about an annual revenue of about 2.2 billion in 2020. We predict that to grow to about 5.4 billion in four years time.
And actually it wouldn't be beyond the realms of possibility that we would see bigger growth in that given what's happening in the market. And why is why is there growth?
Well, simply because there has been great changes in business computing and in compliance demands and from governments and trading bodies, et cetera. And of course the, the big one is increased levels of cybercrime quite often we forget to talk about cybercrime because we get focused on a technology, but particularly in the last year or so with the epidemic, sorry, the pandemic, we saw an enormous increase in the levels of cybercrime and ransomware in particular.
And as we'll see that privilege access management is actually one of the strongest ways of at least reducing the risk of cyber crime happening to your business and reducing the impact of things such as ransomware. So the, and related to that, of course, is the increase in compliance demands because industry and business and organizations must be responsible for the security of the data that they hold on behalf of the customers or partners or any of people within their supply chain.
And if they don't then governments and organizations, regulatory bodies, such as the European union will have the right find them. And I'm sure everyone is aware of this, but just in case you're not, it's definitely driving the increase in the Pam market. And then there are, of course, the fundamental shifts in what's happening in the organizations themselves in terms of technology.
So we've seen digital transformation to huge shift to the cloud, which is by no means finished and the growth of agile and dynamic operations and including things like DevOps, we're seeing a change in the type of architecture that organizations have.
So for example, we're moving from very static infrastructures and static architectures to dynamic and behind these dynamic resources are increasing number of users, increasing number of services, increasing number of applications and machines that need privilege access, which is no longer just for admins of old, when administrators needed elevated privileges so that they could do some kind of routine maintenance work on other people's machines.
Now, the privilege access universe, as good as this is a good way of putting it involves potentially anyone that has access to a network, anyone that has access to a system, or indeed anyone that works for a modern organization that uses cloud or uses agile environments or uses any, any, any application that they need to get their job done. And so we've seen encapsulate all that the, the Pam market has grown because of the changes in cybercrime, the changes in compliance and fundamentally the changes in the way that we do computing.
So introducing the Pam leadership compass now for 2021, which we believe is unrivaled in the market. We, we actually review 26 vendors and their products. And we also have on top of that eight vendors to watch. So that's a total of 34 vendors, which we believe pretty much covers the privilege access market. And it covers those vendors which offer what you might call simple but effective Pam solutions to right up to the leaders, which offer fully featured platforms that have all the capabilities that an organization may need to access to, to manage privileged access.
We also look at, in that report, the latest trends in the technology and the market patterns, which I've just been talking about. And you can, if you all member of the, sorry, if you, if you are a member of KuppingerCole, if you subscribe, then you can download that report right now.
And the link that's on this deck will take you straight to it. So that's our report on leadership on Pam and compared to other reports in our market is by far the most in-depth and the most comprehensive. So please have a look at that.
When you'll thinking about projects as management, what are the highlights in the report? Well, it's a very heterogeneous and dynamic and competitive market. Unlike some others in the it market, the Pam market is still developing. We still see new entrants coming in. Although there are maybe a one, two or three or four vendors that are considered to be the big leaders and potentially dominate the market, but they be by no means dominate as some software providers are doing other sectors, which is a very healthy thing. We have new entrants coming to the market all the time.
And we also have a split in the market where we have vendors that have built their solution from the ground up from 0.0 to be totally cloud native.
And suddenly these vendors, which were seen as kind of smaller players suddenly have a, a bigger part to play, particularly in those organizations, which are cloud native themselves, such as, for example, fintechs, or perhaps some kind of online retail.
So they are looking not necessarily at what we might call, do traditional players, but they're also looking at the newer ones, which are, have perhaps more agile frameworks and perhaps are more cloud native. How having said that all, all the vendors have improved throughout.
I mean, speak in a year. Very few vendors had not added more capabilities. They hadn't improved such things as automation and the UX and the ease of use.
So that's, that's actually shows your market is highly competitive and highly dynamic so much as the, the it environments in which Pam must sit. So we also seeing some other interesting aspects in the market where identity and access management vendors, and also identity providers are also sort of putting their toe in the waters, maybe acquiring a Pam vendor or looking at adding Pam capability to their existing product. Because I think they realize that a privilege access is a vitally important part of the functionality that their products should offer.
So we're seeing not just a traditional pamphlet, but we're seeing those from outside of it as well.
We're seeing increasingly, which is good news for buyers. We're seeing Pam as a service being taken much more seriously now. So for those organizations that realize they need Pam of some sort, but don't necessarily have the expertise or perhaps the resources in house, they can now run Pam as a service. And then they benefit from automated upgrades, maintenance, et cetera, or anything that might be in the service level agreement.
We're also seeing some lb platforms, which you, you would say are specifically more suited to smaller businesses, not necessarily smaller businesses, which don't have impact. Like I said, we have smaller businesses that might be in cloud native industry, such as FinTech or insurance, or again, in online retail. We've also seen after many years of Pam being traditionally considered difficult to use, difficult to, to, to deploy. And much of that was true. We're now seeing the realization by vendors that they have to make Pam easier to use and also make it easier to set up.
So we are now seeing the appearance of wizard tools within a Pam application and even things like buttons, which resemble applications that you would find on a mobile phone, or even in things like windows 11, et cetera. So just to an automate as much as possible so that Pam can do its job. But those people that are now charged with administering Pam who not necessarily would be security or governance experts can still do a good job of making sure that it does what it's supposed to do for the organization.
So we, we, when we look at Pam, we look at a certain number of capabilities and how those will relate to business. It use cases and the number of business use cases we've put down. These are the, there are more, but we, we picked on governance, risk and compliance software development, or dev ops infrastructure or platform as a service cloud deployments, vendor risk management and remote working. We believe these are folly, sorry, six key areas or business use cases that many organizations now have to grapple with and build technology around them.
And we believe the Pam is in a very good position to assist with those. And that's because of the capabilities that are built in.
Now, whilst those six business use cases could be applicable to many, many businesses, regardless of size. It doesn't necessarily mean that they would need Pam, that can do every thing.
So the call, the core capabilities, our password management session management and endpoint privilege management, those three things within a Pam solution, we'll do quite a lot for you. You can see it ticks most of the boxes there apart from say, software development and infrastructure is service in session management.
But then we, if we look a bit further and take the same six business capabilities, we can see some more advanced capabilities, privileged data, life cycle management, application, application, password management, control, privilege, elevation, and delegation management, remote privilege access just in time access, single sign-on user behavior and privilege access governance, finally, account discovery. Those what we consider to be perhaps slightly more advanced capabilities, but there's still, there's still more. And Pam vendors are adding more as time goes on.
But again, we would say that these 10 and these three are the capabilities that you should look out for depending on your type of organization and the use cases that you wish to improve. You don't need all capabilities. That's a key thing to say and let let's just look at how we rated the products.
We rate them for innovation or innovative-ness market position, their ecosystem, and financial strength. And then we rated them for the security, the actual products for security functionality, interoperability, usability, and deployment.
And then we using the algorithms built into the system that we use for our reports. We get a range of scores from critical, strong, strong positives. And I'm pleased to say that no one gets a critical rating. We'd have to see the full report to, to find out the scores for each one, but let's just look at those in slightly more detail. So innovation does the product deliver the new features that customers need. Innovation is, is a slightly abused term in computing.
Everybody claims they're innovative, true innovation means something that hasn't, you know, that kind of changes the market, or it hasn't been done before. We tend to use it more in the sense that we don't expect every product to change the market, but we do expect products to improve.
We do expect the vendors to understand what their customers are looking for. So we look to see if they're delivering those new features. For example, do, does the vendor offer capabilities that can work for privileged access management within an agile environment, such as dev ops?
So we can get it in a, a, an idea of how well the vendor is responding to its own customers, how it's responding to changes in the market and whether it's considered to be at the forefront of innovation within the market, or perhaps not quite there and perhaps playing catch up. Then we look at the market position, which is really how many customers have deployed the product, which industries are targeted and which regions are the welder using it.
Now you shouldn't just be, we shouldn't judge a product only on its market position and how many customers it may have just because a solution has a lot of customers.
It doesn't necessarily mean it's the best, which is why when we put our algorithm, when we put all this through our algorithm, all of these criteria and ratings are balanced against each other. But you can say that, for example, if a, if a business has a lot of customers, then it must be doing something at least, right? And also if it's covering different industry sectors, then you know that it's a pretty flexible product.
And it's proven within those sectors. What about financial strength?
Again, a company doesn't necessarily have to have huge revenue to be good at what it's doing, but it does help. Obviously if the company has realistic figures and its financial strength is derived from the revenue against what it invests in R and D, what it plays out in operating in, in overheads, et cetera. And we don't judge a startup against a vendor that might be supported by a multinational software provider, because that doesn't make sense.
So we are fair to startups.
We're fair to middle-age startups, for example, and the smaller vendors, so that we take a realistic view of their revenue versus their costs and potentially the future that that product might have. And the product might be indeed a very good one might be very innovative. Therefore it's likely to attract customers that perhaps some of the larger ones don't. And then finally, the ecosystem is important. How many partners does the company have in terms of and support, et cetera, and how globally distributed is it?
Does the product only serve a local market, or does it serve a major markets such as north America or India or Asia Pacific? And also, what about the support that it offers? Does it support in languages other than English? And so together, we look at those things and then a look at the actual product itself or the service itself.
And we have more function, more fundamental scoring here where we can decide whether the solution actually meets security requirements, the functionality of the product interoperability, which is hugely important these days in our cloud and multi-cloud environments usability, I've mentioned that already usability is increasingly important in our time poor environments, where administrators and users, haven't got the time now to do things that they used to have. Therefore ease of use is hugely important and deployment. As I said earlier, Pam was traditionally quite hard to deploy.
Still is if truth be told, it can still take weeks and months to do a full deployment of a Pam platform. However, some of the other platforms are now claiming to have day, you know, day long and deployment times, particularly Pam, as a service, which is changing the way that we see deployment of Pam.
So again, all of these things are evaluated, they're all rated and that's what gives the overall scores, excuse me, that we get in our report.
So this is the overall leaders from the 2021 leadership compass. If you look to the right and then we can see what you might call are the traditional Pam providers. So is Centrify CyberArk beyond trust and Thycotic.
I, and then we have one X I touched you, but we also have, within that leadership, we have some smaller vendors and perhaps nontraditional ones, ssh.com, stuff. Sen has a urea salvia, one identity, et cetera. I'm not going to read out all of these, but the point of this is it is, as I said, a dynamic competitive and fast moving market that is a long way from maturity. And that the results that we see in this leadership compass and the previous ones is that the big and small vendors are playing for overall leadership.
And we also have this year, no followers, which means the level of innovation, the level of product technology and improvement as, as permeated, right food field right down, and then product leadership is a, another measure again, of basically the number of service features and the capabilities of those features in each product.
And again, we have a similar mix of legacy platforms or sorry, more traditional platform that maybe legacy for some companies with newer and smaller, more. So I would say cloud cloud-based providers.
So again, the, all of this information is in much more detail in the report itself. And then we have overall market leadership, which is, again, is something that I was talking about just now it takes virtually every kind of parameter, every criteria that we've been talking about. And then which gives us a picture of who's leading the market. And then we can see that CyberArk beyond trust. Centrify Thycotic are still doing that.
But again, we have newcomers in there, new players, smaller players that are mixing things up.
And then finally, we also, we rate each vendor for some more specific capabilities.
And we, we, we create a spider chart, which is also the scoring is, is from algorithms. But we, in for example, this is true of all our leadership campuses, but in this one, we've taken some specific capabilities such as EPM, high availability, dashboard tools, analytics, account discovery, machine access, just in time access and architecture and given the school for each one of those. And you can see CyberArk's there.
Now, the thing is, these are probably more capabilities that don't appear in the main 10 that I was talking about earlier, but they're becoming well. They once might have been considered sort of sub capabilities, but as Pam is being asked to do more and more and to operate in different environments, cloud multi-cloud hybrid, et cetera, things like endpoint privilege management, which was until quite recently a fairly specialist to, because of co-ed.
And because of working from home, et cetera, people are now needing privileged access from end points and from remote devices and from devices, which aren't necessarily seen as secure. So endpoint privilege management and remote provision management have become suddenly a much more relevant high availability, again, because of the speed of business.
It, the speed of computing and the speed in which management wants things done, privilege, access needs to be available at all times, and when people need it or not, when it's convenient. So high availability is incredibly important dashboard tools that works into ease of use and use ease of use and user experience.
And, and so on, analytics are there to help with compliance. So you know, how people are using privilege access. And so on just in time, again, is something that has become to the four, especially in applications Schutze has a DevOps.
And finally the actual architecture of the tool itself, the platform itself, how well designed is the architecture within the Pam platform.
Now some, some platforms are going to be older than others, and some are going to be perhaps less suited to some of the more advanced dynamic environments that we're now seeing. So exactly how the platforms are coded exactly how they're engineered is actually becoming very important. And it's not just the, the bigger companies with bigger resources to engineering, et cetera that are leading here. So we'll see that some of the smaller vendors are also understanding the importance of the architecture within their own platforms.
There has been a few changes in the market, which have had some impact on, on the vendors lineup. The news was psychotic and Centrify have merged psychotic. And Centrify where, as I said, leaders in the field, they're now going through a, a merger, which is, will have an impact because they are effectively merging two platforms together. And that's where the architecture comes into play. It'd be really interesting to see what comes out of this.
I'm looking forward to finding out more about this in a few weeks time, we've seen, like I said, other businesses in provato, which is actually a governments organization or vendor, particularly focusing on the health sector has bought Exxon technologies, which was one of the smaller vendors. So they're obviously thinking that their market and their specialist market has a need for Pam capability. And finally, one identity, one identity recently acquired one login.
So you see again, identity providers moving into this market as well.
And I'll leave you to read who the, the leaders are yourself when you look at this presentation. So that's the, the outline of the report. So I'm just checking the time here. I don't want to spend too much time, but getting back to basics then. So w when you're thinking about, you need to think about three tenants, really, that should be your guiding principles to what you, what you buy, literally what you buy. So you need to think about what you need, then look at what is available. So for example, look at the leadership compass and then what is possible.
So what you need might not be what is possible in your organizations. So those three work together, but you should always start with what you need. And by doing a, an audit of your organization to find out, you know, how many privilege accounts you might have, or you might need, what kind of privileged users you have, what fundamentally, what business you're in, what market sector do you store personally, identifiable, identifiably, identifiable information.
Do you have data that if it fell into the wrong hands, this could be catastrophic.
So what you need, what is available in the market and what is possible? So you need to identify your primary use cases, and then you understand the capabilities on offer from again, from what's in the market, and then what is available. And that really means once you've decided on your needs and the capabilities that you need, you can start thinking about a shortlist of vendors, and that can be a shortlist of vendors to do Pam in the very first time or bay vendors to replace Pam, or perhaps to put in place a Pam solution for one part of your organization.
So we have here selection of capabilities. Again, I said earlier on you don't need them all, and I'm not going to go through all these again.
But again, when you look at this presentation, just take a look at some of these applications, obligation, password management, for example, that's going to be something that's important to you. If you have lots of services, if you have dev ops going on, if you have applications that need to talk to other applications, et cetera. So have a look at that. There are more, and there's more detail again in the leadership compass, but you don't necessarily need every capability that is available in privileged access management. At least not. When you're perhaps doing that first, what you need scope.
This is really where we're at now. We're seeing more and more clouds. We're seeing clowns being used with different things. We're seeing clouds within clouds, and we're seeing the emergence of things like cloud entitlement management platform.
But us, we at KuppingerCole recognize that all of this is really building a dynamic resource environment. And crowds are part of that. Whether they're a DevOps clouds, whether they are public clouds, whether it's a database in the cloud, whether it's even a good old fashioned data center that is filed on premise, it's all part of this increasingly complex hybrid hybrid. It hybrid cloud infrastructure, which includes service accounts, non-human identities, data, and code.
And so Pam plus the, I am plus other applications are focusing or becoming part of why we have Chris and the dynamic resource entitlement and access management paradigm. And you're going to be hearing a lot more about that from us and how that fits into a modern cloud infrastructures.
And again, this isn't something that I'm going to read out to you, but it gives you an idea of where dream and Pam fit in.
And you can see that we are put in the, in the middle, so and access management, including Pam SEM and access government are going to be working pretty much together with policy management enforcement and automation do create this dynamic resource entitlement and access management paradigm, which fits in with, on premises with edge computing, with private clouds and with public clouds, and of course managed service providers. So we believe at the moment, this is probably a great way of illustrating what's happening out there in the world of it in the world of business.
It, and we see at the core of this will be some forms of Pam, some forms of CIM, some forms of data governance that will add access governance. I'm sorry, will help organizations manage this increasingly complex environment.
So that's the end of the main presentation. So I'm going to ask you now when I have a look at these results in a minute, has this changed your mind about Pam in any way or not so grand as to think that it, it has, but I'd be interested to see if, if, if you have changed your opinion anyway. So will you look to replace your legacy platform? Yes.
We want to adopt a cloud native solution. Yes. But we wish to know more about deploying a dream architecture.
No, we think we are happy with our Pam at the moment. So we'll have a look at the results of that poll in a minute, but I think we have any question Here.
Oh, okay. I think they're the answers to the poles. So while we're waiting for the rest of those polls, as I said, please answer, you can send any questions to me right now, In the meantime, while we're waiting for the results of that. Let me just give you a quick rundown of some, oh, you already had that.
So,
So I can see the poll result 53%. Well, at least on the second poll, 53% wish to know more about our dream architecture, which is good news. No one wants to replace their legacy platform. Sent one wish to adopt a cloud native solution, 37% happy with the time that they have at the moment. I'm just trying to find the results for the first Polis earlier start.
Yes, the, the first poll 23, this is very interesting. 23% said, no, we are investigating the market for a Pam platform, but 62% said they did not use a dedicated platform right now. And 15% who were looking to replace a legacy platform. So that's 62% is actually a very interesting to me anyway, which proves what we have suspected for some time. I think in the KuppingerCole is that parameter is still a long way to go in terms of penetration in terms of take-up.
So I'm very well, I'm not happy to see that, but I I'm interested.
I guess, if people are not using a dedicated platform, what, what are they doing? So it shows, eh, 62% of the people on this call are not using a dedicated Pam solution. That means there is a awful lot of room in the market to go and 15% looking to replace the legacy platform.
Well, that's, that's interesting too. I want the webinar, the vendors would be interested in that as well, because it means that legacy platforms, whenever they are perhaps not doing the job that they need to do, they're perhaps not up to the job of attending, addressing the very physical demands of multi-cloud and hybrid environments that we're now seeing everywhere. Okay. So we haven't got any other questions. There's still time for any separate questions to come in.
If not,
I will wrap up this webinar. And if you do have questions further to this presentation, I'm more than happy to take, take them as email. You have my address on the screen there, PF at KuppingerCole dot com. I'm very happy. I always love to talk to end users and buyers to find out what, what you are actually going through, what, what you actually want out there in the real world.
So please, please just forward any questions or experiences that you have, because as I said, the fact that 62% of you do not use a dedicated platform has got to be interesting. And I hope to continue with you on the journey to finding the right platform for you.
So we, we haven't gotten any more questions. So I think I will thank you all very much for your time. I hope it was worthwhile.
As I said, you can download the slides. Are they today from the website?
And, and again, please do drop me a line. So for now I wish you all a very good afternoon or good evening or good morning, depending on where you are in the world. So thank you.
