25/09/2017 Gartner Reprint

https://www.gartner.com/doc/reprints?id=1-4D2LXVE&ct=170909&st=sb&mkt_tok=eyJpIjoiT1dVNE1EY3lPR1E0TmpoaCIsInQiOiJNXC9qUGs5a… 1/38

LICENSED FOR DISTRIBUTION

Market Guide for Privileged Access Management

Published: 22 August 2017 ID: G00315141

Analyst(s): Felix Gaehtgens, Anmol Singh, Dale Gardner

Summary

While support for cloud infrastructure is rapidly maturing and more vendors are adding behavior analytics and privileged task automation, pricing and licensing remain variable. Security and risk management leaders should evaluate multiple vendors with an eye on future requirements as well as costs.

Overview

Key Findings

Requirements arising from increased adoption of cloud-based infrastructure and applications are fueling the growth of privileged access management (PAM) as a service, albeit from a low base.

Privileged task automation, user and entity behavioral analytics (UEBA), and support for IaaS and PaaS are increasingly important differentiators for PAM products and services.

PAM deployments without proper scoping, roadmap development and stakeholder support struggle to achieve the desired business value and risk reduction, due to a mixture of political and cultural issues.

Complex and highly variable pricing models across PAM vendors complicate product selection.

Recommendations

Security and risk management leaders responsible for delivering IAM capabilities should:

Avoid future sticker shock when extending deployments by planning ahead for evolving requirements over the next two to three years; and force vendors to provide pricing for expected features that you may need to buy.

Look for integrated high-availability features, built-in multifactor authentication (MFA) and value-priced bundled offerings if you are a small or midsize business.

Scrutinize vendors' offerings for MFA integration support, scalability and autodiscovery features if you are a large and global organization.

Deploy session recording as soon as possible, because this capability will add accountability and visibility for privileged activity. Include this capability as part of your selection process.

Evaluate vendors on how they can help secure nonhuman service and application accounts — these accounts are major sources of operational and security risk, and most organizations have a significant number of them.

Strategic Planning Assumptions


Through 2020, more than half of the security failures associated with IaaS and PaaS will be attributable to significant security gaps caused by failure to adopt PAM technology and processes.

By 2020, more than 40% of PAM vendors will integrate machine learning and other predictive analytics techniques to offer privileged access profiling and real-time anomaly detection, up from less than 10% today.

Market Definition

PAM tools help organizations provide secure privileged access to critical assets and meet compliance requirements by managing and monitoring privileged accounts and access. PAM tools offer features that enable security and risk leaders to:

Control access to privileged accounts, including shared and "firecall" (emergency access) accounts.

Monitor, record and audit privileged access, commands and actions.

Automatically randomize, manage and vault passwords and other credentials for administrative, service and application accounts.

Provide single sign-on (SSO) for privileged commands and actions in a secure manner, such that credentials are not revealed.

Delegate, control and filter privileged operations that an administrator can execute.

Eliminate hard-coded passwords by making them available on demand to applications.

Require high-trust authentication for privileged access by either providing or integrating with other multifactor solutions to ensure required levels of trust and accountability.

Two distinct tool categories have evolved as the predominant focus for security and risk management leaders considering investment in PAM tools:

Privileged account and session management (PASM): Privileged accounts are protected by vaulting their credentials. Access to those accounts is then brokered for human users, services and applications. Sessions are established with possible credential injection, and full session recording. Passwords and other credentials for privileged accounts are actively managed (i.e., changed at definable intervals or upon occurrence of specific events).

Privilege elevation and delegation management (PEDM): Specific privileges are granted on the managed system by host-based agents to logged-in users. This includes host-based command control (filtering), and also privilege elevation, the latter in the form of allowing particular commands to be run with a higher level of privileges.

Figure 1. Privileged Access Management


Source: Gartner (August 2017)

The tools span a wide range of systems and infrastructure — OSs, databases, middleware and applications, network devices, hypervisors, and cloud services (infrastructure as a service [IaaS], platform as a service [PaaS] and SaaS). Although the major focus is on managing privileged access, PAM tools are also used by some organizations to manage shared access to nonadministrative shared accounts, such as an organization's official social media accounts. Accounts used by nonhuman users, such as services or applications — whether of an administrative nature or not — are also in scope.

Market Direction

The PAM market is rapidly maturing. Managed and cloud-based PAM services are slowly increasing from being a tiny portion of the market share, with the overall PAM market still dominated by the sale of on-premises software and appliances. Gartner estimates the overall market size for PAM products in 2016 at $900 million, an increase of roughly 30% over 2015's total of $690 million, with a handful of large vendors capturing the bulk of revenue. Continued rapid growth is anticipated through the next two to three years, after which growth will begin to slow as a result of increased saturation. (For further detail, consult "Forecast Snapshot: Privileged Access Management, Worldwide, 2017.")

As in previous years, the PAM market continued to see extensive activity during 2016 and the first two quarters of 2017:

CyberArk acquired Conjur

Thycotic acquired Cyber Algorithms


MasterSAM has relocated its headquarters to Singapore, following acquisition by the Silverlake Group

The divestiture by Dell of its software assets created One Identity, a Quest Software business

CA Technologies acquired Mobile System 7

Vision Solutions acquired Enforcive Systems

Interest in PAM tools is driven by several factors:

The risk of breaches and insider threats

The need to prevent, isolate and limit malware attacks that leverage privileged accounts

An increase of operational efficiency for administrator and operator access

Regulation and failed audits, because auditors are paying closer attention to privileged accounts, and regulations are forcing organizations to record a trail of evidence for privileged access

The need to grant privileged access to third parties: contractors, vendors and service provider technicians

The need to address requirements for a comprehensive cybersecurity defense strategy, specifically for critical infrastructure

Gartner has continued to notice an increase in interest in PAM tools from small to midsize businesses, often unregulated, especially in North America. Additionally, we observe a continuation of the trend where global enterprises that bought PAM tools several years ago, mainly for compliance reasons in isolated environments, are now looking at extending their PAM deployments. Several security and risk management leaders are using this opportunity to re-examine the market to evaluate other vendors' offerings to replace and extend their current PAM toolset as an alternative to purchasing more of the incumbent vendor's solution.

In terms of geographical distribution, Gartner sees considerable interest from North America, followed by Europe and Asia/Pacific. In Europe, adoption of PAM tools is lagging behind North America, but picking up as many organizations are replacing homegrown tools with commercial solutions to streamline and tighten processes. In addition, we are continuing to notice an uptick of interest in PAM in Gulf Cooperation Council countries due to the introduction of several national regulatory frameworks targeting critical infrastructure industries. Some PAM vendors, such as Arcon, CyberArk and Wallix Group, are positioning their offerings to be used to manage privileged access for industrial control systems.

Adoption of PAM in Asia/Pacific and Japan remains quite varied due to the diverse levels of IT maturity and security spending in the region. PAM adoption is much higher in more mature countries (including Australia and New Zealand, Singapore, Hong Kong, Korea and Japan). However, certain industries in emerging Asia/Pacific economies such as China, India, Taiwan and Malaysia are leapfrogging more mature Asia/Pacific countries in adopting PAM. The presence of several managed PAM service providers in the region, primarily the large Indian IT service providers including Tata Consultancy Services (TCS), Wipro, Infosys, HCL Technologies and Tech Mahindra, helps drive the rapidly increasing adoption of PAM in the region.


Pricing and bundling remain highly variable within the market and underline the need to shop around. Some Gartner clients have indicated they have selected a vendor based on specific features that they ultimately end up not using, or buy additional modules that end up as "shelfware." Many vendors now bundle more capabilities together in their entry-level offerings; however, other vendors have split up their offerings into multiple editions, or offer newer capabilities as separate modules.

Vendors use multiple distinct pricing metrics (per named user, per system, per concurrent session); and adding to the confusion, some vendors use different pricing metrics for different modules of their products. In 2016, some vendors such as Thycotic introduced new licensing metrics for some of their offerings that focus on the number of vaulted privileged accounts. Organizations are advised to plan ahead for evolving requirements over the next three to five years: for example, the introduction of pervasive session management (a feature that Gartner recommends deploying early in the process), or application-to-application password management in subsequent years. Force vendors to provide pricing for expected future scenarios, and Gartner clients are encouraged to use inquiries to discuss these plans with an analyst.

Due to pricing pressure, some vendors have adopted a special pricing structure for small and midsize businesses that includes many features and capabilities, but which limits scope in terms of target systems or managed privileged accounts. While the price point for these limited solutions can be compelling, there is a high risk of small and midsize businesses quickly outgrowing these limited solutions, with the next available option being enterprise-level pricing that can introduce significant price jumps.

The market remains very competitive. Most vendors are working to extend current capabilities, add competitive features and introduce new delivery mechanisms:

Privileged task automation: For procedures and tasks that are executed commonly, or on a regular basis, vendors such as Osirium (see "Cool Vendors in Identity and Fraud Management, 2017") and Lieberman Software offer functionality for organizations to package up common tasks to be delegated to lesser-skilled personnel for execution. Apart from raising efficiency, this mechanism substantially shrinks the attack surface by not allowing direct privileged access. These vendors typically offer an extensive library, with common tasks that can be adapted.

DevOps: Some organizations are using PAM tools to enable their DevOps initiatives by automating the management and delivery of keys and credentials in agile deployment and infrastructure environments. In addition, some PAM vendors integrate out of the box with tools used for continuous integration/deployment pipelines, such as Ansible, Chef or Puppet.

Support for containers: As container frameworks such as Docker gain rapid adoption for continuous integration through development and production workload deployments, PAM vendors are increasingly required to manage the cryptographic keys, digital certificates and other credentials for the containers based on environmental dependencies. CyberArk, through its acquisition of Conjur, and Venafi offer such functionality. In addition, container management may require managing the kernel privilege escalations of containers on Linux and Windows OSs and hypervisors. PAM products that are traditionally developed to operate at kernel level have inherent advantages over other proxy-based architecture PAM products in offering the granularity of controls over process isolation and privilege escalations for containers.

IaaS/PaaS and virtualized environments: As organizations continue to adopt virtualization and cloud infrastructure, PAM vendors continue to build out features to discover and manage infrastructure:

Automated discovery and enrollment of IaaS instances

Fine-grained authorization of infrastructure management operations (that can create/modify/delete/start/stop individual instances)

Password vaulting and shared account password management for SaaS (overlapping with some vendors' cloud-delivered access management solutions)

Some vendors such as BeyondTrust, Lieberman Software, Zoho (ManageEngine) and Wallix Group offer their solution as a virtual image on the Amazon Web Services (AWS) marketplace, Azure marketplace or Google Cloud Launcher — usually with a bring-your-own-license approach.

Cloud-delivered PAM solutions: While there is still relatively low demand for PAM solutions offered as a service, several vendors such as Arcon, Centrify and Thycotic offer this as an additional option.

Privileged usage analytics: Vendors are employing predictive analytics on privileged account activity to detect and flag anomalies, with the goal of better identifying theft or misuse of privileged credentials. Approaches and technical sophistication vary, which requires buyers to evaluate the accuracy of such solutions and the time required before they begin to deliver value (following a learning period, if needed, to develop a baseline of expected behavior). Lieberman Software partnered with Securonix, a UEBA vendor, for its solution, while several other vendors either developed or acquired the needed analytics technology. Offerings are typically optional, extra-cost products.

Vulnerability management: Some vendors, such as BeyondTrust, are leveraging synergies between privileged command delegation and vulnerability management to detect and prevent unsafe operations on potentially compromised or vulnerable systems. Vulnerability assessments can also be correlated with privileged activity for risk scoring.

System and privileged account discovery: Identifying all systems and the corresponding privileged accounts is important, because every privileged account is a potential source of risk. However, this is a major challenge, as it is easy for privileged or default system accounts to be forgotten and left out. This is exacerbated by virtualization and hybrid environments that include cloud infrastructure. In such a dynamic environment, systems and accounts can easily fall through the cracks of privileged access management. Autodiscovery capabilities attempt to automate the discovery of currently unmanaged systems and accounts, and come at different levels:

Ad hoc discovery requires running a separate task to scan the network and associated information (such as in Active Directory [AD]) to run an as-is analysis of the current environment, and compare this to the last known state to find changes. Most vendors that offer autodiscovery fall into this category.


Concurrent discovery works on a continuous basis where changes in AD, as well as to hypervisors, are detected as they happen and can trigger automatic enrollment workflows within the PAM solution. Lieberman Software's Rapid Enterprise Defense (RED) Identity Management is the best-known example of this.

Secure Shell (SSH) key discovery and mapping. Several vendors provide the capability to discover and map SSH keys to accounts and/or users. This covers both human and nonhuman entities.

Privileged identity governance and administration: Several vendors with identity governance and administration (IGA) as well as PAM products, such as CA Technologies, Hitachi ID Systems, IBM, One Identity and Oracle, are leveraging synergies between them to track and manage account ownership and privileged entitlement life cycles. Other stand-alone PAM vendors have integrated their products with some IGA products from other vendors.

Market Analysis

Most PAM vendors provide tools that fall into one or both of the categories described in the Market Direction section:

Privileged account and session management

Privileged elevation and delegation management

The difference between the two approaches is that the first controls access to individual accounts with always-on privileges, whereas the second is more granular, controlling the invocation of a specific privilege in the form of executing a command with elevated privileges on a case-by-case basis. Both of these approaches complement each other, and many organizations will ultimately deploy technology to address both approaches. However, attempting to deploy both types of tools at the same time is rarely feasible — organizations should start with one type of tool first, before attempting to roll out the other (see the Market Recommendations section to help choose an approach for selecting the type of tool that fits the most urgent requirements).

Privileged Account and Session Management

Solutions that fall into this category will provide an encrypted and hardened vault for storing account passwords, keys, other credentials and other secret information. Passwords of administrative, shared and service accounts are managed by changing them at configurable intervals or upon occurrence of specific events (even, if desired, after every use) according to definable policies. Reconciliation features verify that passwords have not been changed through any other mechanism, and password history is available to support restores from earlier backups. Comprehensive reporting features provide detailed information on privileged accounts, users' access to privileged accounts, approvals and activity.

Access Control for Shared Accounts

PASM tools support privileged account sharing by controlling authorized administrators' access to accounts. Administrators will log on to the PASM tools (high-trust MFA should be required here) — usually through a web portal — and can then request access to a shared account on a particular system.


PASM tools often implement workflow features for administrative users to request access, and for authorized approvers to grant this access. In some cases, this can also be automated by including external data sources — for example, service desk tickets that contain change control authorizations, or incident reports that document outages or anomalies that need to be rectified. Most products integrate with some IT service management (ITSM) systems out of the box and/or provide APIs to validate administrative access requests by cross-checking them with information from ITSM systems. Buyers should look to leverage existing integrations to link privileged access with change management processes. PASM tools also support "break the glass" scenarios for emergency and disaster recovery purposes, including the support for firecall accounts.

As a general rule, users of privileged accounts should not be allowed to see or access the actual passwords for these accounts, because they could reuse them or pass them on, therefore eroding the usage control of the accounts. Instead, most of these tools will automatically initiate SSO to sessions without disclosing credentials. A session is initiated using a well-known protocol such as:

SSH

Remote Desktop Protocol (RDP)

Independent Computing Architecture (ICA)

Virtual Network Computing (VNC)

HTTPS

X11

Credential injection happens at this time (see the Privileged Session Management section).

This helps to comply with the imperative that passwords for shared accounts must not be shared, which can lead to uncontrolled access. When the only practical way forward is to disclose a password to the user, it can be placed into the clipboard or copy buffer, or even displayed, if this is followed by an automated password reset as soon as the current password's use has concluded. Access to shared accounts can be contingent on additional workflow approvals and/or high-trust MFA. An audit trail documents all privileged account use.

Some PASM tools also support the notion of preconfigured tasks, which allow an authorized user to execute a specific batch of commands using a shared account. In some specific and simple use cases, preconfigured tasks can provide an alternative to controlled privilege elevation and delegation (PEDM) tools (discussed in the Privilege Elevation and Delegation Management section). Large organizations with mature processes and significant multilevel service desks often spend considerable effort on operationalizing privileged and administrative tasks that leverage ITSM, orchestration and service management frameworks. Vendors such as Osirium and Lieberman Software now put this within reach of smaller or less mature organizations.

Privileged Session Management

While SSO to privileged sessions for administrators is a standard feature for today's PASM tools, some vendors offer additional privileged session management (PSM) capabilities, either built into the standard version of the product or as an additional licensable module:

Real-time monitoring (for dual control or "four eyes" principle/session shadowing)


Protocol-based command filtering for sessions to either restrict what an administrator can do, or to raise an alert on suspicious or dangerous activity

Session recording (for later analysis, perhaps for forensic purposes)

Application session separation: Launching interactive local applications (mostly Windows-based) in a remote, contained environment (such as a terminal server), rather than permitting administrators to run them on potentially compromised endpoints

A small number of vendors, such as Balabit, ObserveIT and NRI SecureTechnologies, specialize in delivery of these PSM features in a stand-alone tool, without offering broader PASM capabilities around credential management.

The majority of vendors use a gateway (or proxy) approach for session management and recording. With this approach, all traffic passes through one or more control points. Another approach is to initiate direct connections from the administrator's workstation to the target systems, and to inject credentials into the session on the workstation using a local control. Recording then happens on the administrator's workstation and is forwarded to a collector. While this can be beneficial in the case where a system is accessed at a remote location that has only very limited bandwidth, one major disadvantage is that the approach critically relies on trust and integrity in the administrator's workstation in order to rule out that a compromised workstation will ultimately compromise session control and recording. Achieving this level of assurance on third-party-owned workstations, compared to workstations operating internally, presents new challenges that IAM and security leaders need to account for.

With respect to session recording and transcription, features range from a simple searchable key or input/output (I/O) logging to "over the shoulder" video recording of graphical sessions. For the latter, most tools provide very efficient compression, but real differentiators are found in the session playback functionality: The most basic tools will support only a 1:1 playback of the entire session. Some other tools will take regular screen shots of a session every few seconds. More advanced playback features allow automatic skipping forward and backward, based on user activity. When protocols such as RDP are used, some tools can gather additional searchable metadata events, such as applications executed, windows opened, text typed. For SSH, many tools store input and output streams. More vendors are now supporting full optical character recognition (OCR), scanning entire graphical sessions with extensive protocol support.

In addition to session recording, some tools support session monitoring and alerting in real time. This allows live monitoring of privileged sessions by administrators or managers, who can intervene or even terminate the session if necessary. This feature is also known as the "four eyes principle" or "session shadowing." Some tools can also analyze privileged sessions in real time and generate alerts or notifications when a suspicious behavior is detected. These can be sent to a security information and event management (SIEM) system, or supervisors can be alerted.

Brokering Privileged Credentials to Applications

PASM tools also manage passwords and other credentials for nonhuman access, such as service or application accounts. Similar use cases are seen in vulnerability assessment activities, where credentials are required for thorough analysis of systems, and DevOps toolchains, which frequently contain a variety of sensitive credentials. These are accounts used by automated services or applications for accessing other applications, data or systems (see "Manage Service Accounts to Mitigate Security and Operational Risks").

Most PASM tools will have functionalities to manage service and application accounts by one or more of the following methods:

Rotating credentials and changing them in situ — that is, in the place where they are held by the system, application or service. Examples are Windows services that run under local or domain service accounts — whenever the password is changed, the services require that their service configuration is updated on each local system where the services run.

Automatic generation of credentials for continuous deployment/continuous integration and orchestration tools, as new instances are built, such as in elastic scalable environments.

Managing cryptographic access keys and other credentials used within containers, such as Docker.

Allowing an application to retrieve the password from the vault through a network-protocol-based API.

By use of application-to-application password management (AAPM) agents that are installed on local systems and allow applications to access credentials using host-based access control mechanisms, described in the next section.

Application-to-Application Password Management

AAPM tools are agents that allow applications or scripts to gain access to applicationcredentials through proprietary software development kits (SDKs) and command line interfaces(CLIs). These tools are available as additional modules to PASM solutions and, in some cases,are even available stand-alone, although sometimes these modules are already included in thelicense of the base product at no additional charge (such as in the case of BeyondTrust andHitachi ID Systems).

AAPM tools usually provide a caching function that is kept in sync with the main PASM vault. They implement local (host-based) access controls for applications that attempt to fetch credentials, such as:

Application fingerprinting or checksum verification of the application, its configuration and other dependent files to prevent tampering

Environment verification, such as the user ID or process under which the application is started, the directory from which it is started, and so on

One-time password mechanisms, where after every invocation the next sequence password is generated from a seed, stored, and verified upon the subsequent invocation

AAPM tools eliminate hard-coded and unencrypted credentials stored in the file system and, when no other mechanism exists to safeguard locally stored credentials, are the most secure way of delivering credentials to applications or scripts. The cost is that the application must be modified. The modification is usually simple; however, every modified application must be tested, which places a considerable burden on security and risk management leaders (see "Adopt a Strategy to Deal With Service and Software Account Passwords").
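The host-based checks listed above (fingerprint, environment, rolling sequence password) and the AAPM agent method from the service-account list, as an added illustration that is not the page's or any vendor's code: a hypothetical AapmAgent verifies a file fingerprint, the caller's user ID and working directory, and a seed-derived sequence password before releasing a cached vault secret, and rolls the sequence password so a captured one cannot be replayed. All application names, file paths, seeds and secrets are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Reader = Callable[[str], bytes]  # how the agent reads a file's bytes


@dataclass(frozen=True)
class AppPolicy:
    app_id: str
    files: Tuple[str, ...]      # binary, config and other dependent files
    expected_fingerprint: str   # hash of those files, recorded at enrollment
    expected_uid: int           # user ID the application must run as
    expected_cwd: str           # directory it must be started from
    credential_id: str          # the one vault credential it may fetch


def fingerprint(files: Tuple[str, ...], read: Reader) -> str:
    """Hash the path and content of every dependent file in a fixed order."""
    h = hashlib.sha256()
    for path in sorted(files):
        h.update(path.encode() + b"\x00" + read(path) + b"\x00")
    return h.hexdigest()


def next_otp(seed: bytes, current: str) -> str:
    """Derive the next sequence password from the seed and the current one."""
    return hmac.new(seed, current.encode(), hashlib.sha256).hexdigest()


class AapmAgent:
    """Hypothetical AAPM agent: local credential cache plus host-based checks."""

    def __init__(self, policies: List[AppPolicy], cache: Dict[str, str], read: Reader):
        self._policies = {p.app_id: p for p in policies}
        self._cache = dict(cache)  # local copy kept in sync with the PASM vault
        self._read = read
        self._otp: Dict[str, Tuple[bytes, str]] = {}  # app_id -> (seed, expected)
        self.audit: List[Tuple[str, str]] = []

    def enroll(self, app_id: str, seed: bytes) -> str:
        """Store the seed and hand the application its first sequence password."""
        first = next_otp(seed, "enroll")
        self._otp[app_id] = (seed, first)
        return first

    def fetch(self, app_id: str, uid: int, cwd: str,
              presented: str) -> Tuple[Optional[str], Optional[str]]:
        """Return (secret, next sequence password), or (None, None) on denial."""
        policy = self._policies.get(app_id)
        if policy is None:
            return self._deny(app_id, "unknown application")
        if fingerprint(policy.files, self._read) != policy.expected_fingerprint:
            return self._deny(app_id, "fingerprint mismatch (binary or config changed)")
        if uid != policy.expected_uid or cwd != policy.expected_cwd:
            return self._deny(app_id, "environment mismatch")
        seed, expected = self._otp.get(app_id, (b"", ""))
        if not expected or not hmac.compare_digest(expected, presented):
            return self._deny(app_id, "sequence password invalid or replayed")
        # All checks passed: roll the sequence password before releasing the
        # secret, so the password just presented can never be used again.
        rolled = next_otp(seed, expected)
        self._otp[app_id] = (seed, rolled)
        self.audit.append((app_id, "released " + policy.credential_id))
        return self._cache[policy.credential_id], rolled

    def _deny(self, app_id: str, reason: str) -> Tuple[None, None]:
        self.audit.append((app_id, "denied: " + reason))
        return None, None


# Constructed file contents standing in for reads from the local disk.
SAMPLE_FILES = {
    "/opt/billing/bin/billing": b"\x7fELF constructed binary bytes",
    "/opt/billing/etc/billing.conf": b"db_host=db.internal\n",
}


def demo() -> Dict[str, object]:
    files = dict(SAMPLE_FILES)

    def read(path: str) -> bytes:
        return files[path]

    paths = tuple(files)
    policy = AppPolicy("billing", paths, fingerprint(paths, read),
                       1001, "/opt/billing", "db/billing-ro")
    agent = AapmAgent([policy], {"db/billing-ro": "s3cr3t-from-vault"}, read)
    otp1 = agent.enroll("billing", b"constructed-seed")
    secret, otp2 = agent.fetch("billing", 1001, "/opt/billing", otp1)
    replay, _ = agent.fetch("billing", 1001, "/opt/billing", otp1)  # otp1 reused
    wrong_uid, _ = agent.fetch("billing", 0, "/opt/billing", otp2)
    files["/opt/billing/etc/billing.conf"] = b"db_host=changed.example\n"  # tampered
    tampered, _ = agent.fetch("billing", 1001, "/opt/billing", otp2)
    return {"first": secret, "replay": replay, "wrong_uid": wrong_uid,
            "tampered": tampered, "audit": agent.audit}
```

A denial does not roll the sequence password, so a legitimate caller that was refused for an environment mismatch can retry with the password it already holds.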

Privilege Elevation and Delegation Management

PEDM tools are local agents that allow specific commands to be run under elevated privileges, or that restrict or replace the commands that can be executed. The tools use policies to limit the scope of what administrators can do, or to prevent administrators from carrying out unsafe activities that could be a vector for malware or that could potentially do great damage. The difference from the PASM approach is that PEDM elevates individual commands rather than granting access to an unrestricted privileged session. PEDM tools also monitor and record privileged activity, centrally or on the systems themselves, either upon login or during execution of privileged commands.

On Windows systems, PEDM agents are kernel-based. Apart from tightly controlling who can run which privileged commands, these tools also provide an important layer of protection against Pass-the-Hash attacks. For this reason, Windows PEDM tools are not only deployed to establish controls for system administrators; many organizations have also deployed them pervasively on endpoints for purposes other than privileged access management. Examples of these other use cases are Windows least privilege enforcement and application control (see "Protecting Endpoints From Malware Using Application Whitelisting, Isolation and Privilege Management" and "How to Successfully Deploy Application Control").

On Unix and Linux systems, many PEDM vendors integrate at the shell level by shipping replacements of the shell and other common commands, such as text editors (to prevent shell escapes). Other vendors, such as CA Technologies, offer kernel-based PEDM tools for Unix and Linux as an additional option. Some vendors ship a replacement or extension of the popular Unix "sudo" command. Unix PEDM tools are often combined with, or include, Active Directory bridging tools that allow authorized users to log in to Unix and Linux systems using their Windows domain account.
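Policy-driven elevation of single commands with a central audit record, as an added illustration that is not the page's or any vendor's code: the hypothetical PedmAgent elevates only the exact command and argument shape a rule permits, refuses to hand out an interactive shell or editor (the unrestricted session PEDM is meant to avoid), and records every decision. Rules, users, groups and paths are constructed.

```python
import re
import shlex
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    group: str            # requesting user must belong to this group
    command: str          # absolute path of the single command being elevated
    args: str             # regex the whole argument string must match
    run_as: str = "root"  # account the command is elevated to


@dataclass(frozen=True)
class Decision:
    allowed: bool
    run_as: Optional[str]
    reason: str


# Programs that give the caller an interactive shell, or an editor from which
# one can be spawned. Constructed list; a real agent ships restricted
# replacements of these instead of elevating them.
INTERACTIVE = frozenset({"/bin/sh", "/bin/bash", "/usr/bin/vi", "/usr/bin/vim"})


class PedmAgent:
    """Hypothetical PEDM agent: elevates single commands by policy, logs all."""

    def __init__(self, rules: List[Rule], groups: Dict[str, FrozenSet[str]]):
        self._rules = rules
        self._groups = groups  # user -> groups, as the host would resolve them
        self.audit: List[Tuple[str, str, str]] = []  # (user, command line, outcome)

    def request(self, user: str, argv: List[str]) -> Decision:
        line = shlex.join(argv)
        if not argv or not argv[0].startswith("/"):
            return self._record(user, line, Decision(False, None, "command must be an absolute path"))
        if argv[0] in INTERACTIVE:
            return self._record(user, line, Decision(False, None, "interactive program: no unrestricted session"))
        arg_str = " ".join(argv[1:])
        for rule in self._rules:
            if rule.group not in self._groups.get(user, frozenset()) or rule.command != argv[0]:
                continue
            if re.fullmatch(rule.args, arg_str):
                return self._record(user, line, Decision(True, rule.run_as, f"rule {rule.group}:{rule.command}"))
        return self._record(user, line, Decision(False, None, "no matching rule"))

    def _record(self, user: str, line: str, decision: Decision) -> Decision:
        outcome = f"ALLOW as {decision.run_as}" if decision.allowed else f"DENY: {decision.reason}"
        self.audit.append((user, line, outcome))  # shipped centrally in a real deployment
        return decision


# Constructed policy: the webops group may restart or inspect nginx and read
# its logs, and nothing else.
RULES = [
    Rule("webops", "/usr/bin/systemctl", r"(restart|status) nginx"),
    Rule("webops", "/usr/bin/tail", r"-n [0-9]{1,4} /var/log/nginx/[a-z.]+\.log"),
]
GROUPS = {"alice": frozenset({"webops"}), "bob": frozenset({"dba"})}


def demo() -> Tuple[Dict[str, bool], List[Tuple[str, str, str]]]:
    agent = PedmAgent(RULES, GROUPS)
    results = {
        "restart_nginx": agent.request("alice", ["/usr/bin/systemctl", "restart", "nginx"]).allowed,
        "restart_sshd": agent.request("alice", ["/usr/bin/systemctl", "restart", "sshd"]).allowed,
        "tail_nginx_log": agent.request("alice", ["/usr/bin/tail", "-n", "200", "/var/log/nginx/error.log"]).allowed,
        "tail_other_log": agent.request("alice", ["/usr/bin/tail", "-n", "200", "/var/log/auth.log"]).allowed,
        "shell": agent.request("alice", ["/bin/bash"]).allowed,
        "relative_path": agent.request("alice", ["systemctl", "status", "nginx"]).allowed,
        "wrong_group": agent.request("bob", ["/usr/bin/systemctl", "status", "nginx"]).allowed,
    }
    return results, agent.audit
```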

Representative Vendors

The vendors listed in this Market Guide are not an exhaustive list. This section is intended to provide more understanding of the market and its offerings.

Tables 1 and 2 below present the representative vendors and their key capabilities for PASM and PEDM, respectively. Each mark indicates that the vendor in question has an offering within the particular capability. More marks for a particular vendor must not be interpreted to mean a better or more appropriate product. Depth of features and functionality differs widely within every capability. Some vendors that only address one or a few capabilities are very good at what they do. Keep in mind that some products from different vendors can work together to create a best-of-breed solution at a more attractive price.

Vendors With PASM Solutions

Table 1 denotes capabilities that are available in a vendor's solution, either as an integral part of the basic solution or as an optional licensable component:

A vendor may have multiple "editions" of a main product. In Table 1, features that exist in the basic (lowest-priced) edition are marked with the block symbol (█), whereas features that exist only in higher-priced editions are marked with the currency symbol (¤). The presence of the ¤ symbol must not be misinterpreted to mean that the product is more expensive.

A vendor may offer individual features or capabilities as separate products that need to be licensed separately; this is also marked with the currency symbol (¤).

Table 1.   Representative PASM Vendors and Their Key Capabilities

Columns: Vendor | Market Share | Key Features (Session Recording, Built-in HA, AAPM) | Form Factor | Product Name(s)
(In this copy the █ marks and the column positions of the ¤ marks did not survive extraction; the ¤ marks are listed per vendor in the order extracted, and "-" means none were extracted.)

Applecross Technologies (Australia) | Small | - | S | Privileged User Manager
Arcon (India) | Medium | - | H, S, Svc, V | Arcos Privileged Access Management
BeyondTrust (U.S.) | Large | - | C, H, S, V | PowerBroker Password Safe
Bomgar (U.S.) | Small | ¤ | H, S | Vault, Privileged Access
CA Technologies (U.S.) | Large | ¤ | H, V | CA Privileged Access Manager, CA Privileged Access App to App Manager
Centrify (U.S.) | Large | - | Svc, S | Centrify Privilege Service
CyberArk (Israel) | Large | ¤ ¤ ¤ | H, S | Enterprise Password Vault, Privileged Session Manager, Enterprise High Availability Module, Application Identity Manager, Conjur
Hitachi ID Systems (Canada) | Small | - | S, Svc, V | Privileged Access Manager
IBM (USA) | Medium | ¤ ¤ | V | IBM Security Privileged Identity Manager, IBM Security Privileged Identity Manager Privileged Session Recorder, IBM Security Privileged Identity Manager for Applications
Iraje Software (India) | Small | - | H, S, V | Privileged Identity Management
Kron (Turkey) | Small | - | S, H, V | Single Connect (Session Manager, Password Manager, TACACS Access Manager, 2FA Manager)
Lieberman Software (U.S.) | Medium | ¤ | C, S | Rapid Enterprise Defense Identity Management, Application Launch Server
ManageEngine (U.S.) | Medium | ¤ ¤ ¤ | C, S, V | Password Manager Pro (multiple editions)
MasterSAM (Singapore) | Small | ¤ | S | Star Gate, Analyst
Micro Focus (NetIQ) (U.K.) | Medium | - | S | Privileged Account Manager
MT4 Networks (Brazil) | Small | ¤ ¤ ¤ | H, V | Senhasegura
Novasys (Argentina) | Small | - | S | SATCS
One Identity (U.S.) | Large | ¤ | H | One Identity Safeguard
Onion ID (U.S.) | Small | - | Svc, V | Onion ID
Oracle (U.S.) | Medium | - | S | Oracle Privileged Account Manager
Osirium (U.K.) | Small | - | V | Privileged Access Management, Privileged Session Management
Thycotic (U.S.) | Large | ¤ ¤ | S, Svc | Secret Server (multiple editions)
Wallix Group (France) | Small | ¤ | C, H, V | Wallix Access Manager, Wallix Password Manager, Wallix Session Manager
Wheel Systems (Poland) | Small | ¤ ¤ ¤ | H, V | Fudo Privileged Session Manager, Fudo Secret Manager, Fudo Application to Application Password Manager

Feature Availability Legend: █ = Included in base product; ¤ = Available as an option or higher-priced edition; Blank = Not Available. Form Factor: C = Instance on AWS/Azure Marketplace or Google Cloud Launcher; S = Software; H = Hardware Appliance; V = Virtual Appliance; Svc = Cloud-Based Service. Feature via OEM/Reseller Partnership Legend: ¤ = Available as an option.

Source: Gartner (August 2017)

The "Product Name(s)" column lists all components that would need to be acquired to deliver the functionality indicated:

Every vendor listed must have a solution able to actively manage (i.e., change) credentials for privileged accounts on multiple systems, network devices and applications. Solutions must include a vault, and allow access to privileged accounts according to specific policies. Single sign-on features must exist that allow a privileged session to be automatically established using a protocol such as SSH, RDP or HTTPS without revealing credentials to the user. Vendors that do not deliver this functionality, or can only deliver this functionality in combination with other products, are not listed in Table 1.

Built-in HA: Integrated high-availability features that do not require an organization to deploy and operate an external highly available relational database management system (RDBMS; such as database clustering or database replication). Vendors that are not listed with this feature support high availability in combination with external components, such as database clustering.

AAPM: Agent-based application-to-application password management capability, as described in the Market Analysis section.

Compared to last year, the "command filtering" capability has been eliminated from the table. Last year's Market Guide for Privileged Access Management called out this capability to limit commands or operations using an agentless approach by filtering the underlying network protocol (SSH, HTTP, and so on). However, while some vendors still offer this capability, its reliability varies, and it has thus been eliminated from this year's research focus. Gartner has detected a shift in market trends toward using this feature as a detective, rather than a preventive, capability.

Gartner defines PAM market share segments by estimated vendor revenue for 2016:

Small: Less than $10 million

Medium: Between $10 million and $30 million

Large: Greater than $30 million

Vendors With PEDM Solutions


Table 2 denotes capabilities for agent-based controlled privileged elevation and delegation on multiple platforms. The "Product Name(s)" column lists all components that would need to be acquired to deliver the functionality indicated:

Unix/Linux, Windows, IBM i, IBM z/OS: Denotes support for the respective operating system.

Unix/Linux AD Bridging: The vendor offers an agent-based Active Directory bridge for multiple Unix and Linux systems. Vendors that provide Unix/Linux AD bridges without PEDM solutions are not listed in this table.

Table 2.   Representative PEDM Vendors and Their Key Capabilities

Columns: Vendor | Market Share | Key Features (Unix/Linux, Unix/Linux AD Bridging, Windows, IBM i, IBM z/OS) | Product Name(s)
(The █ marks in the Key Features columns did not survive extraction in this copy; only the columns that can be read are listed below.)

Applecross Technologies (Australia) | Small | Privileged User Manager
Arcon (India) | Medium | Arcos TS Plugin for Windows Servers
Avecto (U.K.) | Large | Defendpoint
BeyondTrust (U.S.) | Large | PowerBroker for Unix & Linux, PowerBroker Identity Services, PowerBroker for Windows
CA Technologies (U.S.) | Large | CA Privileged Access Manager Server Control, CA ACF, CA Top Secret
Centrify (U.S.) | Large | Centrify Server Suite
CyberArk (Israel) | Large | On-Demand Privileges Manager, Endpoint Privilege Manager
Fox Technologies (U.S.) | Medium | BoKS Server Control
HelpSystems (U.S.) | Small | Safestone Powerful User Passport, PowerTech Authority Broker, Safestone Multiple System Administrator
MasterSAM (Singapore) | Small | Secure @ Unix/Linux, Secure @ Windows
Micro Focus (NetIQ) (U.K.) | Medium | Privileged Account Manager, Host Access Management and Security Server
One Identity (U.S.) | Large | Privileged Access Suite for Unix, Privilege Manager for Windows
Raz-Lee Security (Israel) | Medium | iSecurity Software Suite
Thycotic (U.S.) | Large | Privilege Manager
Vision Solutions (U.S.) | Small | Enforcive Enterprise Security for IBM i, Enforcive Enterprise Security for CICS — z/OS

█ = Available; Blank = Not Available.

Source: Gartner (August 2017)

Other PAM Solutions

Several vendors offer solutions that do not entirely fall into the main categories of PASM or PEDM, yet those solutions have been used successfully by clients. The vendors described in Table 3 provide an alternative way to mitigate risks around privileged access, or provide a set of specific and deep capabilities to augment existing PAM deployments.

Table 3.   Vendors With Their Product Name(s) and Description

Balabit (Luxembourg): Balabit's Privileged Session Management module (formerly known as Shell Control Box), delivered as a physical or virtual appliance, is a stand-alone PSM solution that supports an extensive list of network protocols and can act as a gateway or transparent proxy. Balabit also offers Privileged Account Analytics (formerly known as Blindspotter), a user behavior analytics engine that can identify suspicious privileged activity.

Devolutions: Devolutions offers Devolutions Server, Password Vault Manager and Remote Desktop Manager. The combination of these products offers capabilities for vaulting administrative passwords, account sharing and session management.

HashiCorp (U.S.): Vault (delivered as software) stores, manages and grants access to credentials and other secrets through APIs. Vault is delivered in two editions (free open source, and a commercially supported Enterprise version with additional features).

Microsoft (U.S.): Azure Active Directory (AD) Privileged Identity Management provides temporary and time-limited membership in administrative roles for management across Microsoft Online Services. Similarly, Privileged Access Management is a solution based on Microsoft Identity Manager (MIM) and works by using MIM's access request user interface and workflow capabilities to broker temporary membership in privileged Active Directory security groups. Also, Local Administrator Password Solution (LAPS) is a tool to store local administrative account passwords in Active Directory, protected by access control lists (ACLs).

NRI SecureTechnologies (Japan): SecureCube Access Check (delivered as software) is a stand-alone PSM solution that integrates to extend PowerBroker Password Safe from BeyondTrust or iDoperation IM for Access Check by NTT Software (only available in Japan). Apart from extensive PSM capabilities, SecureCube Access Check can also monitor and log file transfers and database sessions to Oracle RDBMS systems.

ObserveIT (U.S.): ObserveIT (delivered as software) is a PSM solution that works as an agent for Windows and Unix/Linux (a gateway-based mode is also available, but less common). The solution provides detailed, fully searchable recording of all user activity, and user behavior analytics.

Red Hat (U.S.): Red Hat offers Identity Manager (IdM), a feature set in Red Hat Enterprise Linux, which provides Linux-based authentication, user and privilege management, and policy settings that govern authorization and access, with the ability to integrate with Active Directory via Kerberos. A free open-source version called FreeIPA is also available for general use.

SecureLink (U.S.): SecureLink is a cloud-based PSM service to control privileged access by third parties, such as vendors. The service is sold in two editions: SecureLink for Enterprises provides an environment in which an organization can control remote support access to multiple vendors. SecureLink for Vendors is the counterpart for service providers or vendors that provide remote service or maintenance to a variety of customers. Both modules can be used independently, but they can be linked to provide synergies in terms of integrated user management.

SSH Communications Security (Finland): CryptoAuditor (delivered as a virtual appliance) is a stand-alone PSM appliance with a built-in privileged account credential vault. Some organizations are also using the company's Universal SSH Key Manager (delivered as software or virtual appliance) for managing privileged access for humans and applications, based on a centralized management platform for SSH keys and access. PrivX On-Demand Access Manager is a new product to manage and deliver short-term temporary credentials for cloud use cases.

Venafi (U.S.): Venafi Platform (delivered as software and as a service) offers centralized SSH and TLS key and certificate management capabilities, used by some organizations to also manage privileged access for humans and machine identities. Venafi also includes features for DevOps automation through integration with containers like Docker and continuous integration tools like Puppet.

Source: Gartner (August 2017)

Market Recommendations

Organizations considering PAM tools should keep in mind that both types of tools (PASM and PEDM) are complementary, and some organizations eventually deploy both of them to address most risks associated with privileged access. However, we advise against attempting deployment of both types of tools at the same time, because of the significant cultural change and integration involved. To choose a starting point for a PAM tool, Gartner recommends the following methodology for security and risk management leaders:

In most cases, start by first deploying PASM tools to manage shared and service accounts. PASM technology has the advantage that it applies to different types of systems, including network appliances and even SaaS or applications, therefore allowing an organization to manage privileged access across platforms — although at a lower granularity. High-trust MFA must be enabled for access to the PASM tools, and session recording and monitoring should be activated.

Start with Windows-based PEDM tools if the following criteria are met: the organization is predominantly Windows-based, already has high-trust MFA in place for administrators, and administrators currently use discrete accounts with domain admin privileges (i.e., separate from their regular user accounts). These organizations should eliminate usage of accounts with domain admin privileges except for very specific and extreme situations, such as rebuilding, reconfiguring or patching Active Directory domain controllers. Instead, administrators should elevate privileges from their regular user accounts. Windows PEDM solutions may also be deployed first when non-PAM endpoint protection use cases, such as Windows least privilege control or application whitelisting, have an urgent priority.

Start with PEDM for Unix/Linux when individual named accounts already exist for users on Unix or Linux systems, and these users need to execute limited privileged operations on these systems. High-trust MFA must be enabled in this case as well — if the MFA requirement is not feasible, then PASM should be deployed first to require MFA for all Unix/Linux systems. Organizations that also want to extend Active Directory over Unix and Linux systems to allow certain users to log into Unix and Linux systems using their AD accounts should focus on PEDM for Unix/Linux with Active Directory bridging functionality.

Some vendors sell PASM tools as different modules (vaulting plus password management, PSM, and AAPM); others sell "minisuites" or combined PASM products. When deploying PASM tools, vaulting plus password management and PSM can easily be deployed at the same time, whereas deployment of AAPM requires additional focus that can cause distractions when attempted at the same time.

When selecting tools from vendors, security and risk management leaders must be aware that:

Small and midsize businesses should closely look at solutions that have built-in high-availability features as alternatives to solutions that either rely on OS clustering or require the use of an external RDBMS system to be configured for replication and high availability.

High-trust authentication, such as MFA, should always be used in conjunction with PAM tools. Most vendors provide native support for integration with Active Directory and Lightweight Directory Access Protocol (LDAP)-compliant directories, as well as authentication systems such as RADIUS. Some vendors ship embedded MFA solutions, which is attractive for small and midsize businesses that do not have an MFA solution in place. Organizations that already have a third-party user authentication solution in place should ensure that shortlisted PAM vendors provide the required integration support — either through RADIUS, LDAP or through a proprietary integration with specific vendors. For example, some vendors integrate with offerings from Duo Security and SecureAuth to support a wider range of authentication methods.


One-time password (OTP) and public-key hardware tokens have been the most prevalent authentication method for securing privileged access in most organizations, but are now increasingly being replaced by phone-as-a-token authentication methods, particularly OTP apps for smartphones and mobile push (OTP-less out of band [OOB] push) methods. See "Market Guide for User Authentication."

Use of contextual and adaptive authentication techniques can significantly increase the levels of trust and accountability of privileged access to critical systems. Shared account access to Windows systems should leverage local privileged accounts rather than domain admin accounts.

U.S. federal agencies that are required to use Personal Identity Verification (PIV) cards for authentication of privileged users as part of HSPD-12 and Cybersecurity Strategy and Implementation Plan (CSIP) directives should look out for vendors that offer native support for common access cards (CACs) and PIV cards. Several vendors offer broad support for PIV card authentication. Where Derived PIV Credentials are an option, agencies should consider PAM vendors that support integration with third-party vendors offering authentication via Derived PIV Credentials.

A2A credential brokering: Some operating systems (specifically Windows) offer a mechanism to safeguard service account credentials, and PASM tools can rotate and update those credentials in situ. Having applications retrieve credentials from the vault through a network-protocol-based API requires authentication to the vault, which requires the use of a hardware security module (HSM) or other secure credential storage mechanisms. When this is not practical, AAPM tools should be strongly considered.

Discovery of privileged accounts and their use continues to be a major challenge for security and risk management leaders, who must expect this to take considerable effort and realize that technology may not necessarily provide adequate results or value.

Shop around: Pricing and feature bundling is highly variable between vendors, and the problem is exacerbated by the fact that some vendors even apply different licensing mechanisms among their individual tools or modules. Plan for the next three years in terms of systems and functionality covered, and get a pricing commitment not only for the initial phase, but also for subsequent phases. Gartner clients should use inquiry privileges for pricing reviews.

Acronym Key and Glossary Terms

AAPM: Application-to-application password management
ACL: Access control list
CAC: Common access card
CLI: Command-line interface
CSIP: Cybersecurity Strategy and Implementation Plan (U.S.)
HSPD-12: Homeland Security Presidential Directive 12 (U.S.)
HSM: Hardware security module
IaaS: Infrastructure as a service
ICA: Independent Computing Architecture (protocol)
IGA: Identity governance and administration
ITSM: IT service management
LAPS: Local Administrator Password Solution
MFA: Multifactor authentication
NESA: National Electric Security Authority (UAE)
OCR: Optical character recognition
PaaS: Platform as a service
PAM: Privileged access management
PASM: Privileged account and session management
PEDM: Privilege elevation and delegation management
PIV: Personal identity verification
RDBMS: Relational database management system
RDP: Remote desktop protocol
SDK: Software development kit
SIEM: Security information and event management
SSH: Secure Shell (protocol)
SSO: Single sign-on
VNC: Virtual Network Computing (protocol)

Evidence

This research has been informed by vendor briefings over the past 12 months, inquiries with Gartner clients and secondary research.

The following vendors did not respond to requests for a review of the draft contents of this research:

Applecross Technologies

HashiCorp

HelpSystems

ObserveIT

SecureLink

1. Some organizations are using PAM tools to put controls around access to shared social networking accounts used for marketing purposes, although this may not be as effective as tools specifically tailored for this use case such as Adobe Social, Bitium, Falcon.io, Hootsuite, Spredfast and Shoutlet. In addition to multilevel review and approval workflows for content publication, these tools also support social analytics, engagement and CRM integration (see "Market Guide for Social Marketing Management"). Other options used for this purpose are personal password managers such as Dashlane and LastPass.

2. See "CyberArk Acquires Conjur, Revolutionizing DevOps Security to Drive Greater Business Agility," (https://www.cyberark.com/press/cyberark-acquires-conjur-revolutionizing-devops-security-drive-greater-business-agility/) CyberArk.

3. See "Thycotic Acquires Security Analytics Company to Identify Malicious Privileged Behavior Across Systems and Users," (http://www.prnewswire.com/news-releases/thycotic-acquires-security-analytics-company-to-identify-malicious-privileged-behavior-across-systems-and-users-300357604.html) PRNewswire.


4. See "Customer FAQ- Legal Entity," (https://www.oneidentity.com/docs/one-identity-customer-faq-legal-entity-non-gated-assets-127732.pdf) One Identity.

5. See "CA Technologies acquires Mobile System 7," (https://www.crunchbase.com/acquisition/15bfb23cb3d463e82746c52ad4bda699) Crunchbase.

6. See "Vision Solutions Completes Acquisition of Enforcive Systems," (https://globenewswire.com/news-release/2017/07/05/1038908/0/en/Vision-Solutions-Completes-Acquisition-of-Enforcive-Systems.html) GlobeNewswire.

7. A recent example of tightening regulation is the new SWIFT Customer Security Controls Framework, adopted after several high-profile breaches.

8. Such as Qatar's National ICS Security Standard and regulation from the UAE's National Electronic Security Authority (NESA).

9. This approach requires a license for the PAM tools to be acquired directly from the vendor (or one of its resellers) and then installed or configured in the virtual image.

10. Although PAM tools are typically simple to install, using them pervasively requires a change to an organization's processes and culture, and therefore requires buy-in from all parties that need privileged access. That can be a lengthy exercise for one tool alone. Yet a significant minority of proposals from PAM vendors reviewed by Gartner include both types of tools for simultaneous purchase. As a consequence, Gartner has learned from organizations that struggle to fully deploy all tools — leading to "shelfware," where only some tools are deployed, and other tools incur annual support and maintenance costs while "waiting in the wings."

11. This is recommended when passwords are revealed to an administrator. If the passwords are not changed (automatically) after use, the password is no longer controlled; it could be revealed to another party and thus undermine policy. On the other hand, when SSO is used to establish sessions for administrators, the password is not revealed. In this case, passwords do not need to be changed after every use. In fact, changing passwords that have not been revealed after every use can be counterproductive, as it increases the load on the PAM solutions and risks passwords getting out of sync, and Gartner hears from customers that this can be a problem for less scalable PAM solutions.
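As an added illustration of the rotate-after-reveal policy described in the note above (example code written for this page, not from the report or any vendor's product): a toy vault that rotates an account's password on check-in only when the password was actually revealed, compared with a rotate-after-every-use policy that also churns credentials that were only injected via SSO. The class, function and account names are hypothetical.

```python
from dataclasses import dataclass, field
from enum import Enum
import secrets

class AccessMode(Enum):
    REVEAL = "reveal"  # password disclosed to a human administrator
    SSO = "sso"        # PAM tool injects the credential; the admin never sees it

@dataclass
class ManagedAccount:
    name: str
    password: str = field(default_factory=lambda: secrets.token_urlsafe(24))
    revealed: bool = False  # current password has been disclosed to someone
    rotations: int = 0      # password changes the target system has absorbed

class Vault:
    def __init__(self, rotate_after_every_use=False):
        # False: rotate only credentials that were actually revealed (recommended)
        # True:  rotate after every session, revealed or not (the counterproductive case)
        self.rotate_after_every_use = rotate_after_every_use
        self.accounts = {}

    def add(self, name):
        self.accounts[name] = ManagedAccount(name)

    def checkout(self, name, mode):
        acct = self.accounts[name]
        if mode is AccessMode.REVEAL:
            acct.revealed = True
            return acct.password  # now outside the vault's control
        return None               # SSO: injected into the session, never returned

    def checkin(self, name):
        """Return True if the password was rotated on this check-in."""
        acct = self.accounts[name]
        if acct.revealed or self.rotate_after_every_use:
            acct.password = secrets.token_urlsafe(24)  # a real tool also pushes this to the target
            acct.rotations += 1
            acct.revealed = False
            return True
        return False

def simulate(rotate_after_every_use, sessions):
    # Run a sequence of sessions against one account; return the rotation count.
    vault = Vault(rotate_after_every_use)
    vault.add("svc-db-admin")  # constructed sample account name
    for mode in sessions:
        vault.checkout("svc-db-admin", mode)
        vault.checkin("svc-db-admin")
    return vault.accounts["svc-db-admin"].rotations
```

With ten SSO sessions and two reveals, the reveal-only policy performs 2 rotations while rotate-after-every-use performs 12, which is the extra load and out-of-sync exposure the note warns about.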

12. For example, administrators must avoid executing any commands that could serve as a vector for malware, such as running browsers or email clients within sessions with administrative privileges, or executing unknown code.

13. See "Microsoft Security Intelligence Report," (https://www.microsoft.com/en-us/security/intelligence-report) Microsoft.

14. See the NIST Cybersecurity White Paper "Best Practices for Privileged User PIV Authentication." (http://csrc.nist.gov/publications/papers/2016/best-practices-privileged-user-piv-authentication.pdf)

15. Some vendors differentiate themselves by offering features to scan for — and discover — accounts in a programmatic way. This can greatly reduce time and effort. But remember that this is an inexact science, and many privileged accounts will likely fall through the cracks of autodiscovery and will need to be discovered through other mechanisms (see "Manage Service Accounts to Mitigate Security and Operational Risks").
