Hello, I'm Paul Fisher, I’m a Lead Analyst with KuppingerCole. Those of you who follow me may know that I tend to write quite a lot about privileged access management and look at the market and stuff. Well, it's great today that I'm joined by Chris Owen, who is Director of Product Management at Saviynt, one of the best known names in privileged access management. So we're going to talk a little bit about what customers are looking for, what the state of the market is and what technologies there are, so welcome, Chris.
Fantastic, thank you very much, Paul. Great to have the opportunity to talk to you.
Fantastic, so let's go right in there and maybe ask what your customers are talking about. Are they asking about topical stuff? Are they asking you about the right stuff, perhaps? What are they... What's their - to use the old cliche - what are their pain points?
Yeah, that's a really good question. I think a lot of people come with aspirational goals. It may be that they hear buzzwords in the industry, it may be that they hear the latest trends and we certainly get heads up on this. So people will talk about just in time access, the zero standing privilege model, even identity threat detection response. So we get a lot of these words thrown at us from a requirement perspective. And I guess customers believe, you know, from an aspirational point of view, that's where they want it to be. I think the reality is very different if you look at the maturity that most kind of organizations are at the moment, the majority of customers we speak to are still struggling to do the basics. So I think whilst we have all these great things, it's a hard slog to actually get to that point in time for them. And we almost need to reset people's expectations a lot of the time and conversations that we have. I'm sure you probably find similar yourself, people coming to you asking what's the latest and greatest we can do in identity? But you have to start with the basics.
Well, you're right. Actually, when I do conferences and things, I do feel sometimes I'm up there talking about sort of the blue sky or what's happening tomorrow. But actually, yeah, you do find that a lot of customers and a lot of the people that attend are not CISOs, they're not so senior people, but they are people that are being entrusted with setting up some kind of PAM system. And they may even be administrators and they find it like, and I totally agree that just setting up a basic PAM system or solution is basically what they want and they don't necessarily need session management straight away. They don't necessarily need all the bells and whistles and analytics that comes with some PAM packages. I think that whilst we do talk about sort of what's cool, I tend to think that we should talk about things like just in time and zero standing privilege because they are ultimately goals that we should be trying to achieve. And actually those two things can be combined with a more simple approach to PAM anyway. What do you think?
Yeah. Absolutely. I think if you look at the main objective that organizations have when they implement a PAM solution, you know, there'll be different drivers. It may be compliance, maybe security, best practice, cyber insurance, but ultimately people want to reduce risk that's the number one thing that organizations want to do. If we look back over the last 20 years of kind of the privileged access market and look at what we've done, I think as a market, our approach was right at the time, but is perhaps wrong now because when you look at it, what we tend to do is centralize privilege. So we go out there, we discover everything. We put it in a storage area, we call it a vault, we control access to it. Then we create a bunch of policies that define what somebody can do on an endpoint. The reality is that's not risk reduction, that's mitigating certain risks, and it's centralizing it. So the whole move to zero standing privilege is, let's de-risk everything. Let's move to this model of just in time. I think now in the market, what we're starting to see is more converged identity solutions that combine elements of IAM, elements of PAM. And really what that enables is for you to go down the provisioning route. That then facilitates just in time and zero standing privilege. So we're seeing this whole market shift at the moment to this type of model.
Yeah, and we are seeing new types of vendors or technologies coming, like the cloud infrastructure entitlement management. And we are seeing also traditional identity providers looking at how they can provide some kind of PAM on the back of their traditional identity technology, which both of those things are actually, I think, quite a good thing. But what I've mentioned, too, that CIAM and zero st..., well, actually zero standing privilege isn't a technology, it's a goal. But what else are you hearing from your kind of research? What else do you think? You mentioned that, you know, some of the things we're doing have been wrong. So what would you see as the sort of a modern, yet affordable, easy to deploy, easy to manage PAM in the near future?
I mean, I'm a big believer in speaking the truth, so I'm probably going to say a lot of those things in itself are aspirational. As much as I want to claim, you know, we can solve all the problems in the world. I think what we're seeing is a market evolve, what we're seeing is vendors look to consolidate technological capabilities. So you'll see IGA vendors moving more into the privilege space, privilege vendors moving into the IAM world, and we'll see a lot more mergers and acquisitions take place over the next kind of two years in this area. You mentioned the CIEM, cloud infrastructure entitlement management space that is very much straddling IGA and PAM at the moment, you know there's vendors on both sides trying to do this and there's then the dedicated vendors that just focus on cloud infrastructure entitlements management. I think we've got to look at this from a value perspective. Entitlements management is really the new battleground for PAM, simply because of cloud and how the permission structure works there. So what we're also likely to see is the world of Cloud Security Posture Management and IDTR [Identity Threat Detection and Response] come together as well, all under this single converged platform that really looks to provide identity based security controls. And it shouldn't matter whether it's HR integration, ERP integration or privilege. You know, it's all one and the same thing, because ultimately our data is everywhere now. I would say the one anomaly in the market is DevOps and secrets management. That is, I like to call it the elephant in the room, because the reality is, these identity platforms don't lend themselves to being in line in the developer path. It just adds too much friction. I think what we will get to is a point in time where at the moment PAM vendors have a vault. Customers leverage that vault. I think we'll get to a point in time where customers actually have many vaults and ultimately a vault is just a storage area. So I think we'll have this one to many relationship and that many will be based on the use cases within the customer environment.
Yeah. I mean, there's an awful lot you said in that just then and I, I kind of have posited this idea of not just one PAM, but lots of PAMs sitting in different parts of the organization. So I agree with you there. And you could call it a vault, or you can call it mini PAM, you can call it secrets management of some sort. But there's a very good statement here that I think came from your company: The market may have the approach wrong if we're still 15 years into maturity and organizations still cannot get on top of privilege. And it's interesting, in the, at least the four years I've been covering PAM for Kuppinger, unlike most identity markets or cybersecurity markets, the number of vendors keeps expanding rather than getting smaller. And although there's M&A and things like that happening and yet when I did the first Leadership Compass, I think there was something like 20 vendors. The last one was 26 and likely there'll be the same in the next one. So that suggests the market is still in a huge flux even after 15 years of development, and it seems to be all up for grabs.
Absolutely. And I think that that leads to what you said about the statement at the start. I think as a market, we've solved the problems of old what we thought we had and we did what we thought was the right approach at the time. But I think now that approach is clearly wrong. But I think we as an industry need to pivot. We need to move away from this centralization of credentials that there's just no need for it. It's not solving the problem. But if we look at where customers get stuck, they're not moving past the basics of discovery. You know, where is all this privilege? How do I onboard it? How do I know what I can cut out? If people are stuck there, we can't do all these fancy use cases looking at, you know, what are my entitlements in the cloud, go and discover them, tell me the risk, onboard them, and look at technologies such as AI/ML to help us move forward. We need to go back to the basics, onboarding, discovery, cut out the weeds, and we can use technology to help us cut out the weeds and move to the zero standing privilege model.
Do you think we might even get to a situation where there's no such thing as privileged access? Because everything will be assessed just in time and on a need basis, sort of attribute based. So the identity would have attributes attached to it that say it needs to do this and that. And then you decide whether it's privileged or not because the action becomes privilege rather than the identity. So we might end up with not even calling it Privileged Access Management.
Absolutely. It could be classified as access management. And when you think about access to sensitive data, that's what we're protecting. This is no longer about IT Administrators and servers, because even that concept could go away in the next 5 to 10 years. So we definitely have to look at our approach. We definitely have to think about business users accessing sensitive data, how they go about that. But absolutely, let's get rid of privilege, that solves a major problem. Let's create this just in time model for every type of access we have.
Yeah. And another thing that I noticed, and it's not just in this area, but in dashboarding and management tools in general, that we are moving much more to a kind of consumer like interface or, you know, a wizard driven interface or even low-code, no-code, add-ons and things which suggests that there is a demand for organizations to have less senior people being made, so-called administrators, but they're not like the administrators of old, you know, with all the power to, you know, take over people's desktops and things. But more sort of micr... no, I was going to say micromanages, but that's not a good term. But sort of mini managers of perhaps, you know, one department.
Yeah, absolutely. I think there's something to be admired about consumer driven tools in our lives. You know, if you look at vendors that actually started with, you know, personal password management as an objective and came out with these really nice browser integrations where you could just go in, you've got a personal storage area for credentials. It will inject them into websites. There's a real nice, slick user experience with those type of tools. And what's happening at the moment, and that is now moving its way into the market. Because what we've realized is, user experience is key. Users are now used to these types of technologies in their life and expect that same experience, expect the search capabilities, the upload capabilities, the form fill capabilities. PAM has never focused on the user experience, I don't think, in reality we're focused on the use case and let's get somebody there, and it's always been about the technology side of things, never the experience. So we ourselves, we’re redesigning our entire UI for PAM just because of this reason. And we'll see consumer based tools moving into the privilege space that's happening already and they're doing a really good job of it. So it's a threat to the industry.
Absolutely. I totally agree with you. So finally, Chris, briefly, what are some sort of short term steps that customers can take even without, you know, where they are adding new software and stuff? What are the sort of minimum steps they can take to advance privilege access management in their own organizations?
I think, you know, if this is a greenfield environment, just going about implementing a PAM tool, do the basics and do them well. Even things like session recording, in reality, it's a blue sky vision for so many organizations, yet we see it as a must have requirement. Who is going to sit there watching video recordings of sessions? Nobody. Honestly, use your [...] tools to [...] gathering and look at it from that response because, I'm not going to say it's a gimmick, we have this within our platform, but it's a capability, I can tell you from experience, nobody uses. So do the basics. Think about friction. The biggest barrier to success is user friction. If they don't get on with the user experience, this program is never going to get off the ground. Identity consolidation is key. If you just take everything you've got, put it in a PAM tool, you're not solving a problem. You're actually just creating more problems for yourself down the line. And then finally, I think along the lines of identity, think about entitlements, think about policies, think about roles. This is now becoming an identity problem, not necessarily a privilege problem. So you need to tie these two things together, and that's the only way you get to see risk reduction.
Fantastic. Thank you. Well, thanks very much, Chris Owen from Saviynt. And thank you for watching. Bye.
Thank you.