Paul Fisher
11 January 2023
LEADERSHIP COMPASS: 81111
Privileged Access Management
Contents
Contents .................................................................................................................................... 2
Figures ....................................................................................................................................... 4
Introduction/Executive Summary .............................................................................................. 5
Highlights ............................................................................................................................... 5
Market Segment .................................................................................................................... 6
Delivery Models ..................................................................................................................... 7
Required Capabilities ............................................................................................................ 7
Leadership ................................................................................................................................. 8
Overall Leadership ................................................................................................................ 9
Product Leadership ............................................................................................................. 10
Innovation Leadership ......................................................................................................... 11
Market Leadership ............................................................................................................... 13
Correlated View ....................................................................................................................... 14
The Market/Product Matrix .................................................................................................. 15
The Product/Innovation Matrix ............................................................................................ 16
The Innovation/Market Matrix .............................................................................................. 18
Products and Vendors at a Glance ......................................................................................... 19
Product/Vendor evaluation ...................................................................................................... 22
ARCON – Privileged Access Management Platform .......................................................... 23
BeyondTrust – PAM Portfolio .............................................................................................. 26
Bravura Security (formerly Hitachi ID) – Security Privilege ................................................ 29
Broadcom – Symantec PAM ............................................................................................... 32
CyberArk – Identity Security Platform ................................................................................. 34
Delinea – PAM Suite ........................................................................................................... 37
Figures
Figure 1: The overall leaders in PAM ....................................................................................... 9
Figure 2: The product leaders PAM ........................................................................................ 10
Figure 3: The innovation leaders in PAM................................................................................ 12
Figure 4: The Market Leaders in PAM .................................................................................... 13
Figure 5: The Market/Product Matrix for PAM ........................................................................ 15
Figure 6: The Product/Innovation Matrix for PAM .................................................................. 16
Figure 7: The Innovation/Market Matrix for PAM .................................................................... 18
Introduction/Executive Summary
This report is an overview of the market for Privileged Access Management (PAM) platforms
and provides a compass to help buyers find the product that best meets their needs.
KuppingerCole examines the market segment, vendor capabilities, relative market share,
and innovative approaches to providing PAM solutions. These platforms fall under the
KuppingerCole Privileged Access Management (PAM) classification and add improved
security and value to business.
Such products will include those that offer basic PAM capabilities such as password vaulting
and management, full-service platforms that offer most capabilities right through to some
CIEM capabilities and vendors that offer a mix of various capabilities for specific applications.
The Leadership Compass is designed to address the fullest picture of the PAM market by
assessing as many vendors as possible in the space, including those vendors to watch.
Highlights
Market Segment
Many successful cyber-attacks involve the misuse of privileged accounts, and misuse is
enabled by inadequate Privileged Access Management (PAM) software, policies, or
processes. Some of the malicious activities that must be detected and controlled are abuse
of shared privileged credentials, misuse of elevated privileges by unauthorized users, theft of
privileged credentials by cyber-criminals, and abuse of privileges on third-party systems
accessed via the cloud.
Privileged accounts have traditionally been given to a small set of administrators who needed
access to perform maintenance and upgrade tasks, mostly on networks on-premises or local
area networks (LAN). In some cases, senior employees may have also been given elevated
access rights for specific tasks. It’s fair to say that this is no longer the case. Privilege
management use cases now extend across entire organizations, with users and machines
requiring task-based access to data, services, and applications held on legacy systems and
multi-cloud-based infrastructures. All the while, admins still need to perform traditional
privileged tasks.
PAM has evolved into a stronger and wider risk management discipline as digitalization has
increased the attack surface to include cloud, multiple endpoints, home working, and no
secure perimeters. It brings significant benefits to almost every major digital business
initiative, including securing applications and data in the cloud, privileged user behaviour
analytics to detect anomalous privileged behaviour, and supporting endpoint threat protection.
More recently, several PAM vendors have started to accommodate capabilities that support
Cloud Infrastructure Entitlement Management (CIEM) for cloud-based resources, and critical
cloud-based workflows such as DevOps and CI/CD projects.
While there is overlap here, the demand for traditional PAM capabilities (vaulting, credential
management, analytics, admin access, Endpoint Privilege Management etc.) remains robust
and vendor efforts to improve on those capabilities continue to drive competition.
Support for the demands of digital organizations offered by the PAM tools is becoming a
competitive differentiator in the PAM market. An important part of the KuppingerCole PAM
Leadership Compass is to evaluate the extent to which PAM vendors support digital
business initiatives.
Both new and traditional vendors have responded well to demands for more advanced PAM
capabilities suitable for the modern computing era. Interest in Least Privilege and Zero Trust
informed architectures and policies has also grown as organizations look to secure multi-
cloud environments. Buyers are increasingly aware that a well-configured and up-to-date
PAM platform can be an integral part of any such architecture and that the traditional
architecture of PAM must be extended to support cloud environments and SaaS applications
and services.
Regular readers of the PAM Leadership Compass will see that there has been a realignment
of scatter chart positioning, with some vendors shifting left compared to previous reports. This
is because of an extended questionnaire and a more granular process designed to reflect new
capability demands and the changing market for privileged access solutions, particularly for
cloud.
Delivery Models
This Leadership Compass is focused on PAM products that are offered in on-premises
deployable form as an appliance or virtual appliance, in the cloud or as-a-service (PAMaaS)
by the vendor. Some vendors also offer an MSSP option for third-party service providers.
Required Capabilities
The KuppingerCole PAM Leadership Compass analyses and rates PAM platforms that cover
the following key capabilities:
Account management
Authentication
Extended PAM
Account management
• DevOps support
Authentication
The PAM Leadership Compass analyzes software platforms that manage privileged access
for:
• User identities
• Service identities
• Admin identities
• Machine identities
• API Identities
• Control privilege of identities of all kinds by enforcing Least Privilege across multi-
hybrid environments
• Provide Privileged Access Management to those identities that have access to
specific high-value and critical services, applications, and data in dynamic multi-
hybrid environments
• Provide Just in Time access to services, applications, and data in dynamic multi-
hybrid environments in line with security policies and business demands
• Manage entitlements of privileged identities with access to resources at the most
granular level, enabling compliance with access governance policies.
• Manage multiple entities and all modern identity types including machine and non-
machine
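The Just-in-Time and Least Privilege capabilities listed above come down to one mechanism: no identity holds a standing entitlement, and access is honoured only inside an approved, time-bounded window. The following is an added illustration of that workflow and is not code from the report or from any vendor it evaluates; the broker class, the four-hour policy ceiling, the identities and the timeline are all constructed.

```python
"""Just-in-Time privileged access with no standing entitlement (added example).

A bounded grant is requested with a justification, approved by a second person,
and honoured only inside its time window; once the window closes the same
identity is denied again without any explicit revocation step.  Hypothetical
broker, not any vendor's product; the policy ceiling and identities are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

MAX_WINDOW = timedelta(hours=4)  # assumed policy ceiling for a single grant


@dataclass
class Grant:
    request_id: str
    identity: str
    target: str
    role: str
    justification: str
    duration: timedelta
    approved_by: Optional[str] = None
    approved_at: Optional[datetime] = None
    revoked: bool = False

    @property
    def expires_at(self) -> Optional[datetime]:
        return None if self.approved_at is None else self.approved_at + self.duration

    def is_active(self, now: datetime) -> bool:
        return (self.approved_at is not None and not self.revoked
                and self.approved_at <= now < self.expires_at)


class JITBroker:
    """Holds grants and an append-only audit trail; authorization is evaluated
    against the clock on every call, so expiry needs no background job."""

    def __init__(self) -> None:
        self.grants: Dict[str, Grant] = {}
        self.audit: List[Tuple[datetime, str, str]] = []
        self._seq = 0

    def _log(self, now: datetime, event: str, detail: str) -> None:
        self.audit.append((now, event, detail))

    def request(self, identity: str, target: str, role: str, justification: str,
                duration: timedelta, now: datetime) -> Grant:
        if not justification.strip():
            raise ValueError("a justification is required")
        if duration > MAX_WINDOW:
            raise ValueError(f"requested window exceeds policy ceiling of {MAX_WINDOW}")
        self._seq += 1
        grant = Grant(f"REQ-{self._seq:04d}", identity, target, role, justification, duration)
        self.grants[grant.request_id] = grant
        self._log(now, "requested", f"{grant.request_id} {identity} as {role} on {target} for {duration}")
        return grant

    def approve(self, request_id: str, approver: str, now: datetime) -> Grant:
        grant = self.grants[request_id]
        if approver == grant.identity:
            raise PermissionError("self-approval is not allowed")
        grant.approved_by, grant.approved_at = approver, now
        self._log(now, "approved", f"{request_id} by {approver}, expires {grant.expires_at.isoformat()}")
        return grant

    def revoke(self, request_id: str, actor: str, now: datetime) -> None:
        self.grants[request_id].revoked = True
        self._log(now, "revoked", f"{request_id} by {actor}")

    def authorize(self, identity: str, target: str, role: str, now: datetime) -> Tuple[bool, str]:
        """Allow only if an approved, unrevoked grant covers this moment."""
        for grant in self.grants.values():
            if (grant.identity, grant.target, grant.role) == (identity, target, role) and grant.is_active(now):
                self._log(now, "used", grant.request_id)
                return True, grant.request_id
        self._log(now, "denied", f"{identity} as {role} on {target}: no active grant")
        return False, "no active grant"


def demo() -> List[bool]:
    """Walk one request through its life cycle; returns the three authorization outcomes."""
    broker = JITBroker()
    t0 = datetime(2023, 1, 11, 9, 0, tzinfo=timezone.utc)  # constructed timeline
    grant = broker.request("alice", "db-prod-01", "dba", "INC-1234: restore table", timedelta(hours=1), t0)
    before, _ = broker.authorize("alice", "db-prod-01", "dba", t0)                      # not yet approved
    broker.approve(grant.request_id, "bob", t0 + timedelta(minutes=5))
    during, _ = broker.authorize("alice", "db-prod-01", "dba", t0 + timedelta(minutes=30))
    after, _ = broker.authorize("alice", "db-prod-01", "dba", t0 + timedelta(hours=2))   # window closed
    return [before, during, after]


if __name__ == "__main__":
    print(demo())  # [False, True, False]
```

The audit list is what a reviewer would export to a SIEM: every decision, including denials, is recorded with the clock value it was evaluated against, which is what makes a later "who could do what, when" question answerable.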
Leadership
Selecting a vendor of a product or service must not be based only on the information
provided in a KuppingerCole Leadership Compass. The Leadership Compass provides a
comparison based on standardized criteria and can help identify vendors that should be
evaluated further. However, a thorough selection includes a subsequent detailed analysis
and a Proof of Concept or pilot phase, based on the specific criteria of the customer.
Overall Leadership
Based on our rating, we created the various Leadership ratings. The Overall Leadership
rating provides a combined view of the ratings for:
• Product
• Innovation
• Market
• ARCON
• BeyondTrust
• CyberArk
• Delinea
• EmpowerID
• One Identity
• Saviynt
• Senhasegura
• WALLIX
Product Leadership
Product Leadership is the first specific category examined below. This view is mainly based
on the analysis of service features and the overall capabilities of the various services.
• ARCON
• BeyondTrust
• CyberArk
• Delinea
• EmpowerID
• Senhasegura
• Saviynt
Innovation Leadership
Next, we examine innovation in the marketplace. Innovation is, from our perspective, a key
capability in all IT market segments. Customers require innovation to meet evolving and even
emerging business requirements. Innovation is not about delivering a constant flow of new
releases. Rather, innovative companies take a customer-oriented upgrade approach,
delivering customer-requested and other cutting-edge features, while maintaining
compatibility with previous versions.
• ARCON
• BeyondTrust
• CyberArk
• Delinea
• EmpowerID
• Fudo Security
• Kron
• One Identity
• Remediant
• Saviynt
• Senhasegura
• SSH
• WALLIX
Market Leadership
Lastly, we analyze Market Leadership. This is an amalgamation of the number of customers,
number of transactions evaluated, ratio between customers and managed identities/devices,
the geographic distribution of customers, the size of deployments and services, the size and
geographic distribution of the partner ecosystem, and financial health of the participating
companies. Market Leadership, from our point of view, requires global reach.
• ARCON
• BeyondTrust
• Bravura
• CyberArk
• Delinea
• Micro Focus
• One Identity
• Saviynt
• WALLIX
Correlated View
While the Leadership charts identify leading vendors in certain categories, many customers
are looking not only for a product leader, but for a vendor that is delivering a solution that is
both feature-rich and continuously improved, which would be indicated by a strong position in
both the Product Leadership ranking and the Innovation Leadership ranking. Therefore, we
provide the following analysis that correlates various Leadership categories and delivers an
additional level of information and insight.
The first of these correlated views contrasts Product Leadership and Market Leadership.
Vendors below the line have a weaker market position than expected according to their
product maturity. Vendors above the line are sort of “overperformers” when comparing
Market Leadership and Product Leadership.
All the vendors below the line are underperforming in terms of market share. However, we
believe that each has a chance for significant growth.
Vendors below the line are more innovative, vendors above the line are, compared to the
current Product Leadership positioning, less innovative.
Vendors above the line are performing well in the market as well as showing Innovation
Leadership; while vendors below the line show an ability to innovate though having less
market share, and thus the biggest potential for improving their market position.
Based on our evaluation, a comparative overview of the ratings of all the products covered in
this document is shown in Table 1.
Table 1:
BRAVURA (HITACHI ID): neutral, neutral, neutral, neutral, neutral
CYBERARK: strong positive, strong positive, strong positive, positive, strong positive
IMPRIVATA / SECURELINK: positive, neutral, strong positive, positive, neutral
In addition, we provide in Table 2 an overview which also contains four additional ratings for
the vendor, going beyond the product view provided in the previous section. While the rating
for Financial Strength applies to the vendor, the other ratings apply to the product.
Product/Vendor evaluation
This section contains a quick rating for every product/service we’ve included in this
KuppingerCole Leadership Compass document. For many of the products there are
additional KuppingerCole Product Reports and Executive Views available, providing more
detailed information.
Spider graphs
In addition to the ratings for our standard categories such as Product Leadership and
Innovation Leadership, we add a spider chart for every vendor we rate, looking at specific
capabilities for the market segment researched in the respective Leadership Compass. For
the Leadership Compass PAM, we look at the following eight categories:
• Just in Time
• Dashboard
• Analytics
• DevOps
• Data Governance
• Cloud Deployment
• Account Discovery
• High Availability
ARCON makes good use of a browser-based approach. During session management, for
example, controllers can open multiple privileged sessions as tabs, waiting for approval in
several at a time, saving time and resources.
Authentication is by SSH key rather than passwords and takes place on the initial login page
of the ARCON system. The auto-onboarding tool of ARCON PAM can be integrated with
Microsoft AD, AWS, Azure Active Directory and GCP for onboarding all privileged accounts
and services. The auto-onboarding solution, both the AD scanner and the Network Discovery
Utility, can run near-real-time syncing of data from AD. The modern interface mixes the best
of consumer tech design with neat touches such as "My Apps" for admins. The ARCON EPM
module can also control what users do at the endpoint and is now based on JIT processes.
A further component is "Data Intellect", which enables the classification of data using AI/ML,
itemization of the exposed data and categorization of the critical data, giving a complete
understanding of the "where" and "what" of data. It allows one to keep complete track of
where all the important data lies in the organization.
ARCON My Vault is offered as a standalone option for those who want a secrets vault for
different infrastructures. The solution is based on a microservices framework and is built for
the cloud (it can also be installed on-premises for PAM customers). The vault has advanced
features such as onboarding user groups, tagging businesses, workflow, and Just-in-Time
access to secrets, keys, certificates, files, etc. Further, users can deploy role-based access
for sharing, downloading, viewing, or transferring files and secrets, a unique and useful
capability. It also gives administrative users managing servers the ability to transfer files from
one machine to another without going through interactive access in PAM and without knowing
the passwords, under full RBAC controls.
ARCON has now developed a unique Offline Vault capability as an extension of the PAM
solution, designed to assist remote workers and those on the road. An Offline Sync button
ensures that all the devices the user has access to will sync with a highly secured local vault
on the end user machine (endpoint). Once the vault is synchronized, the user can carry their
laptop, connect to the console of the devices they have access to, and simply click to start a
session in the PAM app. Credentials are auto-injected and the session is monitored, without
the user having to see or know the passwords. Session logs are stored locally and synced
centrally when the endpoint comes back onto the network.
ARCON Digital PAM is a PAM solution for non-human identities, leveraging native
application attributes and role-based access controls to authenticate applications and
containers. It can manage and pass credentials securely to validated containers, DevOps
tools, automated systems and clusters when required.
ARCON has launched a new design for its administrative console, and all modules will be
migrated to this new design theme. The theme is carefully designed to meet WCAG
accessibility standards. ARCON says the entire administrative console of the product has
been process re-engineered. A full Management Portal for AWS is planned, increasing
ARCON's compatibility with cloud infrastructures and dynamic access.
Functionality positive
Interoperability positive
Usability positive
Strengths
Challenges
• ARCON still needs to improve its marketing of what is now a highly competitive and
leading PAM platform
• The next step is to fully integrate CIEM capabilities and further develop passwordless
access for all identities
• The platform would benefit from further DevOps-native integration
Leader in
This collection makes it one of the most comprehensive on the market, covering all the
recognized functionalities of a PAM suite and taking account of the global interest in securing
privileged access for home working. BeyondTrust PAM can be deployed in the cloud, as
hybrid, or on-premises. SaaS options with feature parity are available for every key product
in the portfolio. BeyondTrust continues to innovate and add capabilities. Password Safe has
a continued focus on ease of use with an updated UI/UX interface to support core operations
like onboarding new secrets and managed systems and can also help organizations bring
systems that are disconnected or intermittently connected to the network under
management. DevOps Secrets Safe has an updated UI/UX interface with expanded reporting
depth and new SaaS deployment options.
Also targeted at the cloud, new cloud security management capabilities were added with
the CIEM-focused BeyondTrust Cloud Privilege Broker (CPB) application, designed to
manage entitlements across multi-cloud environments. CPB sits on the BeyondInsight
platform, providing current customers with a familiar interface. An advantage for existing
BeyondTrust customers is full compatibility with the BeyondInsight platform, providing
integration across the full BeyondTrust PAM suite. For Endpoint Privilege Management,
there are now new, deeper integrations with ServiceNow for exception handling, VirusTotal
for analytical insight and SIEM tools, and continual evolution of the MFA and Azure AD
integrations, allowing the use of new MFA providers and more use cases of AAD. The
Advanced Parent Tracking feature protects against malware that evades detection through
Windows parent and child process hierarchies, an emerging approach for malware strains. A
new SailPoint IGA integration brings a welcome strengthening of the platform’s Identity
management capabilities.
Other innovations include the launch of a granular roles & permissions system in the SaaS
EPM management console, allowing customers to segment administration of their estate with
fine-grained controls. BeyondTrust provides third-party access with a self-registration
portal and simplified management tools for third-party vendors. BeyondTrust is offering
vendors greater autonomy over PAM while keeping entitlement and resources secure.
Finally, the new look Cloud Privilege Broker (CPB) has been redesigned for managing cloud
access risk and governance of entitlements in hybrid and multi cloud environments.
A future release will guide users to remove standing privileges and assign entitlements for a
specified window of time, to accomplish only specific tasks. While BeyondTrust in its current
incarnation remains an undoubted leader for PAM, big changes are promised for beyond
2022. A new platform will consolidate data streams from multiple BeyondTrust products and
apps and enrich data streams in real time in a centralized, high performance data store. The
new platform will use APIs for smoother and wider integrations, AI/ML algorithms to deliver
prescriptive analytics and descriptive analytics with actionable insights available. Exciting
times ahead.
Functionality positive
Deployment positive
Interoperability positive
Usability positive
Strengths
• BeyondTrust has built on existing strengths and added sensible and needed
capabilities in line with market needs
• Proven enterprise-class solution that is scalable and available on-premises or in the
cloud
• Host-based approach for CPEDM delivers strong and granular command control for
privilege elevation
• Ability to mix and match solutions across three main categories provides flexibility
• Strong endpoint and remote access functionality, good visibility, and control of third-
party remote access
Challenges
Leader in
Bravura Privilege relies on proven password and vault technology, which also addresses
some of the shortcomings of passwords with PAM. It automatically replaces shared and
static passwords assigned to privileged accounts with periodically new and random values
based on password policy controls set by the organization. It can also enforce multiple
scheduled or event-triggered password policies on fixed IT assets, laptops, and virtual
machines. This is backed up by sensible and robust data protection tools, including an active-
active architecture that can replicate data sets in real time across all geographies for HA and
disaster recovery purposes. Data at rest and in transit is encrypted using AES-256 encryption
keys unique to each customer. Bravura also offers multiple copies of the vault and the option
to store other files in those vaults.
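The rotation behaviour described above (shared static passwords replaced on a schedule or on an event with random, policy-compliant values) is a general PAM technique, so here is an added illustration of it; it is not Bravura's code or the report's, and the policy defaults, account names, event names and the stub connector are all constructed.

```python
"""Scheduled and event-triggered rotation of shared privileged passwords (added example).

Each managed account records when its value was last set.  A policy gives the
maximum age (scheduled rotation), the events that force an immediate change
(event-triggered rotation, e.g. a checked-out credential being checked back in),
and the complexity a new random value must satisfy.  Hypothetical code; the
connector that would set the password on the target system is a stub.
"""
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Tuple

SYMBOLS = "!#$%&*+-=?@^_"


@dataclass(frozen=True)
class PasswordPolicy:
    length: int = 24
    max_age: timedelta = timedelta(days=30)             # scheduled rotation interval (assumed)
    history_depth: int = 5                              # recent values that may not be reused
    rotate_on: FrozenSet[str] = frozenset({"checkin", "suspected_exposure"})  # constructed events

    def complies(self, pw: str) -> bool:
        return (len(pw) >= self.length and any(c.islower() for c in pw)
                and any(c.isupper() for c in pw) and any(c.isdigit() for c in pw)
                and any(c in SYMBOLS for c in pw))

    def generate(self) -> str:
        alphabet = string.ascii_letters + string.digits + SYMBOLS
        while True:                                     # rejection sampling keeps the draw uniform
            pw = "".join(secrets.choice(alphabet) for _ in range(self.length))
            if self.complies(pw):
                return pw


@dataclass
class ManagedAccount:
    name: str
    target: str
    policy: PasswordPolicy
    password: str                                       # held by the vault, never shown to users
    set_at: datetime
    history: List[str] = field(default_factory=list)    # previous values, newest last

    def due(self, now: datetime) -> bool:
        return now - self.set_at >= self.policy.max_age


class Rotator:
    def __init__(self) -> None:
        self.accounts: Dict[str, ManagedAccount] = {}
        self.log: List[Tuple[datetime, str, str]] = []

    def onboard(self, name: str, target: str, policy: PasswordPolicy, now: datetime) -> ManagedAccount:
        acct = ManagedAccount(name, target, policy, policy.generate(), now)
        self.accounts[name] = acct
        self.log.append((now, name, "onboarded; initial random value set"))
        return acct

    def _push_to_target(self, acct: ManagedAccount, new_pw: str) -> None:
        pass  # stand-in for the connector that sets the password on acct.target

    def rotate(self, name: str, now: datetime, reason: str) -> None:
        acct = self.accounts[name]
        recent = set(acct.history[-acct.policy.history_depth:]) | {acct.password}
        new_pw = acct.policy.generate()
        while new_pw in recent:                         # vanishingly rare, but the rule is enforced
            new_pw = acct.policy.generate()
        self._push_to_target(acct, new_pw)
        acct.history.append(acct.password)
        acct.password, acct.set_at = new_pw, now
        self.log.append((now, name, f"rotated: {reason}"))

    def run_scheduled(self, now: datetime) -> List[str]:
        """Rotate every account whose value is older than its policy allows; returns their names."""
        rotated = []
        for name, acct in list(self.accounts.items()):
            if acct.due(now):
                self.rotate(name, now, "max_age reached")
                rotated.append(name)
        return rotated

    def handle_event(self, name: str, event: str, now: datetime) -> bool:
        """Event-triggered rotation; returns whether the event caused a change."""
        if event in self.accounts[name].policy.rotate_on:
            self.rotate(name, now, f"event {event}")
            return True
        return False


def demo() -> Dict[str, object]:
    """Constructed timeline exercising both triggers; values are returned for checking."""
    rot = Rotator()
    t0 = datetime(2023, 1, 11, tzinfo=timezone.utc)
    acct = rot.onboard("svc_backup", "fileserver-01", PasswordPolicy(), t0)
    first = acct.password
    idle = rot.run_scheduled(t0 + timedelta(days=10))               # nothing is due yet
    aged = rot.run_scheduled(t0 + timedelta(days=31))               # past max_age
    second = acct.password
    by_event = rot.handle_event("svc_backup", "checkin", t0 + timedelta(days=31, hours=1))
    ignored = rot.handle_event("svc_backup", "session_viewed", t0 + timedelta(days=31, hours=2))
    return {"idle": idle, "aged": aged, "by_event": by_event, "ignored": ignored,
            "all_distinct": len({first, second, acct.password}) == 3,
            "policy_ok": all(PasswordPolicy().complies(p) for p in (first, second, acct.password)),
            "history_len": len(acct.history)}


if __name__ == "__main__":
    print(demo())
```

Two details matter more than the generator: the history check prevents a rotation from silently re-issuing a value that an earlier session may have exposed, and the event hook is where a credential check-in ties into rotation so that a password a human has seen never remains valid.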
Bravura Privilege retains its strong discovery capabilities to find all accounts, groups and
services and regular auto discovery based on policy is possible. In addition, system data can
be analyzed, and policies and credentials set for resources available to identities, and the
right policies to attach to each one. Automated discovery routines can be set by admins, also
based on policies, and designed to enable more efficient scaling and reporting.
In terms of more dynamic access, Bravura Privilege is in need of a little catching up on
DevOps and cloud entitlement management. JIT access is available but still takes quite a bit
of administrative work to limit privileged access for identities, and native Zero Standing
Privilege (ZSP) with passwordless access is still some way off. Bravura is hardly alone in
this, however, and the company is committed to developing the platform via Open Data
Protocol APIs to evolve the user experiences with Bravura Pass, Identity, and Privilege
components which we hope will see a shift to more dynamic, cloud native capabilities soon.
To that end, Bravura Safe is already built on top of AWS ECS serverless technology to
automatically scale as demand grows.
Bravura has continually offered robust and reliable PAM tools that lacked some cutting edge,
and there was a feeling that technical development and improved market presence were
being frustrated. A change of ownership, new investment and focus may now speed further
development.
Security neutral
Functionality neutral
Deployment neutral
Interoperability neutral
Usability neutral
Strengths
Challenges
• The acquisition by the Volaris Group may be just what this platform needs to really
grow and develop
• Improvements to marketing and messaging still needed to compete better
• OOB connectors for cloud applications are limited but growing
• Limited partner ecosystem impacts market outreach and growth
Leader in
The solution is designed well for hybrid environments with AWS and Azure support and
Broadcom claims its appliances can be stood up very quickly, with auto discovery of
privileged accounts getting basic PAM up and running in 2-3 days. The product is available
as a rack-mounted, hardened hardware appliance, an Open Virtual Appliance (OVA), an Amazon
Machine Image (AMI) or a Virtual Hard Disk (VHD) for Azure. Yet, there is still no SaaS
version and no sign of any new CIEM capability, which is another challenge.
Broadcom has introduced a lightweight desktop agent that allows users to connect to target
systems using a privileged account without having to log into the PAM user interface directly.
Users can use their own tools for connecting and PAM will manage the credentials behind
the scenes.
Other capabilities are open REST APIs (including SCIM), CLIs and several out-of-the-box
integrations with Identity and Access Management solutions, SIEM solutions, Service Desk
solutions etc. The PAM Server Control offers an agent-based architecture to intercept, control
and restrict commands at OS kernel level. It is notable for its fine-grained access control,
able to block Root access to a file or give one specific account access to a file or service.
Policies can be upgraded through the central console. The Threat Analytics engine delivers
advanced threat analytics leveraging machine learning techniques for automated detection of
risky privileged behavior.
The affinity with CA's former IAM products remains, and Symantec's customer history shows
that this PAM platform can scale to multiples of 100k of devices and users and is at home in
hybrid IT environments. A solid choice and one that may now flourish under the Symantec
Enterprise Security umbrella if further IAM integration plans come to fruition – as with other
vendors, marrying IAM and PAM is seen as the next step forward. We would like to see
much more for DevOps, and CIEM compatible tools introduced within the next 12 months.
Broadcom offers a tried and tested PAM one stop solution that offers 100% of the desired
capability options – if not yet a technology leader in all of them.
Security positive
Functionality neutral
Interoperability neutral
Usability positive
Strengths
• Supports a broad range of target IT systems and full support for AAPM
• Support for virtualized and Cloud environments and fine-grained command control
• Support for both host and proxy-based approaches to PAM
• Strong partner ecosystem, reputation of Symantec brand in cybersecurity still holds
good
Challenges
• Good support for DevOps is there but CIEM needs some love
• We would like to see much more in terms of cloud entitlement management
• Having committed to the brand and product, Symantec’s parent needs to invest
further to place its platform among the top Leaders
The full CyberArk PAM portfolio includes CyberArk Privileged Access Manager available as
self-hosted or as PAMaaS (CyberArk Privilege Cloud); its PAM for DevOps product, Conjur
Secrets Manager; CyberArk Remote Access for vendors, third parties (Vendor PAM) and
privileged employees from remote locations; and CyberArk Endpoint Privilege Manager
(EPM). CyberArk EPM removes local administrator rights from endpoints and offers
temporarily elevated privileges for specific tasks in real-time.
More boldly, perhaps, CyberArk has started to rebrand the business around its
enhanced product portfolio as an Identity Security vendor, encompassing IAM, PAM and
Cloud management. This messaging may take some ironing out but get it right and it will be
a canny move to stay ahead of growing interest in the PAM market from IAM vendors. It also
dovetails well with KuppingerCole's Identity Fabric model for organizations.
In Conjur, its DevOps product, segregation of data between different environments using the
same vault is now possible by syncing different secrets to different Conjur Enterprise
instances. There is also now native authentication support for Azure and Google Cloud
Platforms. Cloud Entitlements Manager, a new SaaS offering introduced in November 2020,
uses AI-powered detection and remediation of hidden, misconfigured, and unused
permissions across an organization's cloud environments. This move demonstrated
CyberArk’s ability to read the market ahead of many of its rivals, and one of the reasons it
topped the KuppingerCole DREAM Leadership Compass.
CyberArk also offers in depth analytics, session management, elevation management and
AAPM technologies across its suite of products. The products on offer here remain the
benchmark in integrating new capabilities with tried and tested technology while keeping up
with new challenges such as remote access, DevOps, cloud and identity management
integration.
CyberArk has increased its coverage of target systems for least privilege enforcement by
improving EPM support for macOS and introducing support for Windows on ARM and Linux.
Cloud Entitlements Manager also helps extend least privilege as organizations adopt new
cloud platforms and modern identity frameworks for policy targeting. Secrets Manager
introduced JWT-based authentication for OpenShift and Kubernetes workloads, together with
support for SNI certificates, so that workloads running on these platforms can authenticate
with the identity the platform already gives them rather than with a bootstrap credential,
eliminating the "secret zero" problem. CyberArk has introduced Dynamic Privileged Access
to address just-in-time access requirements by providing ephemeral access to cloud and
on-premises infrastructure.
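To make concrete what "eliminating secret zero" means, here is an added illustration of the pattern; it is not CyberArk's code and not Conjur's API. The workload presents the service-account JWT its platform already issued, and the secrets manager verifies the signature and claims, maps the namespace and service-account identity to a policy, and only then releases a secret. Everything in it is constructed: the HS256 key stands in for the cluster's token-signing key (real Kubernetes service-account tokens are RS256/ES256 and would be verified against the API server's JWKS), and the issuer, audience, policy table and secret values are invented for the example.

```python
"""Added example: JWT-based workload authentication to a secrets manager.

The workload never holds a bootstrap credential (the "secret zero"); it
presents the service-account token its platform projected into the pod,
and the secrets manager decides what it may read from the token's claims.
All keys, names and secret values below are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed HS256 key standing in for the cluster's token-signing key.
# Real Kubernetes service-account tokens are RS256/ES256 and are verified
# against the API server's JWKS; HS256 keeps this example self-contained.
ISSUER_KEY = b"constructed-demo-signing-key"
EXPECTED_ISSUER = "https://kubernetes.default.svc"   # assumed issuer
EXPECTED_AUDIENCE = "secrets-manager"                # assumed audience


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_sa_token(namespace: str, service_account: str, ttl: int = 600,
                   now: Optional[int] = None) -> str:
    """Stand-in for the API server projecting a short-lived SA token."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": EXPECTED_ISSUER,
        "aud": [EXPECTED_AUDIENCE],
        "sub": f"system:serviceaccount:{namespace}:{service_account}",
        "iat": now,
        "exp": now + ttl,
        "kubernetes.io": {"namespace": namespace,
                          "serviceaccount": {"name": service_account}},
    }
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(ISSUER_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, now: Optional[int] = None) -> dict:
    """Verify signature, issuer, audience and lifetime; return the identity."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, c_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "HS256":          # reject alg=none and confusion
        raise ValueError("unexpected alg")
    expected = hmac.new(ISSUER_KEY, f"{h_b64}.{c_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("bad issuer")
    aud = claims.get("aud", [])
    aud = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in aud:
        raise ValueError("bad audience")
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token not yet valid or expired")
    k8s = claims.get("kubernetes.io", {})
    return {"sub": claims["sub"],
            "namespace": k8s.get("namespace"),
            "serviceaccount": k8s.get("serviceaccount", {}).get("name")}


# Constructed policy: (namespace, service account) -> readable secret ids.
POLICY = {
    ("payments", "api"): {"db/payments/password"},
    ("batch", "etl"): {"db/warehouse/password"},
}
SECRETS = {                                        # constructed values
    "db/payments/password": "pg-pass-constructed",
    "db/warehouse/password": "wh-pass-constructed",
}


def fetch_secret(token: str, secret_id: str,
                 now: Optional[int] = None) -> str:
    """Authenticate by token, authorize by policy, then release the secret."""
    ident = verify_token(token, now)
    allowed = POLICY.get((ident["namespace"], ident["serviceaccount"]), set())
    if secret_id not in allowed:
        raise PermissionError(f"{ident['sub']} may not read {secret_id}")
    return SECRETS[secret_id]
```

The point to notice is what the client side does not have: no API key, no bootstrap password, only the token its platform rotates for it. The checks that matter on the server side are the ones attackers probe first: a pinned algorithm, a constant-time signature comparison, an audience bound to this secrets manager so a token minted for another service cannot be replayed here, and a lifetime check.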
CyberArk continues to innovate with new capabilities including Dynamic Privileged Access
and Cloud Entitlements Manager. Dynamic Privileged Access provides ephemeral privileged
access to reduce standing access and the risks associated with it. Cloud Entitlements
Manager, together with Dynamic Privileged Access, implements least privilege for human identities
Interoperability: positive
The full line-up of Delinea's products and services is now listed as follows: Delinea Secret
Server, Delinea Server Suite, Delinea Cloud Suite, Delinea Privilege Manager, Delinea
DevOps Secrets Vault, Delinea Account Lifecycle Manager, Delinea Privileged Behavior
Analytics and Delinea Connection Manager. All are available for on-premises or SaaS
deployment and management except for DevOps Secrets Vault (SaaS only). As part of the
continuing licensing deal with IBM, Delinea Secret Server, Privilege Manager, Server Suite,
DevOps Secrets Vault, Account Lifecycle Manager and Connection Manager are also
available packaged through IBM Security Services. Cloud-hosted offerings such as Secret
Server Cloud feature automated capacity management to scale available resources
according to demand.
For buyers this means that Delinea now has the strength of Centrify’s PEDM capability
combined with the recognized capacity of Thycotic’s Secret Server vaulting technology. But
what else does the new brand offer? It’s a mixed picture.
The Threat Analytics Service, which uses machine learning to identify anomalous behaviour
in real time, is now engineered to work with Secret Server. This activates policies for users
who are accessing the vault, initiating a privileged session, or checking out a password.
Delinea has plans to extend the existing Privileged Behavior Analytics to encompass server
PAM use cases and cloud entitlements, facilitating detection of anomalous activity on servers
and over-privilege in cloud infrastructures. We would have liked to see this available now
rather than on the roadmap, however.
Delinea provides multiple options for access to privileged sessions. Users can choose from
direct access within the application, support for third-party session management tools, an
endpoint session management client and web-based RDP and SSH session tools. Web
browser plugins for automatic credential filling on web UIs, and a mobile app providing
access to credentials and integration with mobile OS credential management, complete the
picture.
Delinea Privilege Manager is an agent-based EPM solution for Windows, Mac, and Linux
endpoints that supports extensive EPM capabilities including application control and privilege
elevation (available on-premises or as a SaaS-hosted solution in Azure).
The current iteration of Delinea is pretty much what a merger of two major PAM vendors
might deliver - a more complete set of traditional PAM capabilities. There is some effective
consolidation but overall, this is a package that has effectively suffered from a lack of key
development while the merger was going through. We can’t help but wonder where Thycotic
and Centrify might have been without the merger. It remains a powerful platform in 2022 but
much has been set aside for the future.
This includes improved security for access to Kubernetes pods, better CIEM and remote
access tools. But much will wait until a brand-new platform is developed to support all
existing modules from Delinea expected in 2023.
Security: positive
Functionality: neutral
Deployment: positive
Interoperability: positive
Usability: positive
Challenges
• The merger has rationalized technology choices but, we feel, has held back wider
innovation and development in emerging areas such as CIEM
• The merger has also led to a headcount decrease with some leadership changes
Security: neutral
Functionality: neutral
Deployment: neutral
Interoperability: weak
Usability: neutral
Strengths
• Good solid PAM solution for SMBs, from a vendor that understands that sector's needs
• Ease of use and ease of delivery are positives for SMBs
• Broad remote access capabilities
• Strong reporting capabilities for users and accounts
• Private vaults available for end users provide an extra layer of security
In the last year Ekran has added some more enterprise focused features with a new
dashboard that monitors multiple sessions, a HA mode, load balancer and multi-tenancy
support. None of this is revolutionary, but it does mean that buyers attracted to Ekran’s
approach to PAM can now scale more effectively as infrastructure expands. A new real-time
alert window and full integration with Microsoft Power BI also add more ballast to the
platform.
Other improvements include the Anonymizer (for GDPR compliance), support for SELinux,
password checkout, a tree view for secrets (equivalent to folders), updated dashboards and
an updated session player. The company is currently developing a SaaS platform, which will
be welcome to many SMB buyers.
For development and integration purposes there is some API support including application
credential brokerage, ticketing system integration, and provision of monitored information via
API; more API support would be welcome if Ekran System is to compete against the leaders
in integration.
Session monitoring and recording is well taken care of. Video recordings are indexed with
multilayer metadata including names of active applications, titles of active windows, websites
(URLs) visited, keystrokes typed, commands and scripts executed, and devices connected.
A single Ekran System Terminal Server Client can be installed on a jump server to monitor
all sessions that come through it. The trigger rules for alerts can be set and modified by the
customer.
There are some elements of Artificial Intelligence (AI) in play. The Ekran User and Entity
Behaviour Analytics (UEBA) engine can detect an attacker using stolen credentials through
self-learning techniques. The working hours of a genuine user are observed, and a formal
baseline is created against which anomalous or unusual behaviour can be compared. The
company has plans to develop this with new behavioural factors for baselining. We look
forward to more development in this exciting area.
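As an added illustration of the kind of baselining described above (a constructed example, not Ekran's engine or its data format): learn each user's usual login hours and source addresses from a training window of log lines, then score new logins against that profile. The log format, the minimum-count and threshold values, and the one-hour tolerance are assumptions chosen for the example.

```python
"""Added example: working-hours baseline and anomaly scoring for logins.

Constructed log lines and thresholds, not Ekran's engine or data format.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"user=(?P<user>\S+) event=login src=(?P<src>\S+)$")

# Constructed training window: alice works days, bob works nights.
# The final logout line is deliberately not a login and is skipped.
TRAINING_LOG = """\
2022-10-03T08:12:04Z user=alice event=login src=10.0.1.15
2022-10-03T09:05:41Z user=alice event=login src=10.0.1.15
2022-10-03T13:20:00Z user=alice event=login src=10.0.1.15
2022-10-03T17:31:09Z user=alice event=login src=10.0.1.15
2022-10-04T08:02:55Z user=alice event=login src=10.0.1.15
2022-10-04T09:44:12Z user=alice event=login src=10.0.1.15
2022-10-04T17:58:30Z user=alice event=login src=10.0.1.15
2022-10-04T18:20:01Z user=alice event=login src=10.0.1.15
2022-10-05T18:03:17Z user=alice event=login src=10.0.1.15
2022-10-03T22:10:00Z user=bob event=login src=10.0.2.40
2022-10-03T23:15:00Z user=bob event=login src=10.0.2.40
2022-10-04T01:05:00Z user=bob event=login src=10.0.2.40
2022-10-04T03:30:00Z user=bob event=login src=10.0.2.40
2022-10-04T22:08:00Z user=bob event=login src=10.0.2.40
2022-10-04T23:40:00Z user=bob event=login src=10.0.2.40
2022-10-05T01:12:00Z user=bob event=login src=10.0.2.40
2022-10-05T03:02:00Z user=bob event=login src=10.0.2.40
2022-10-05T03:02:05Z user=bob event=logout src=10.0.2.40
"""

# Constructed events to score against the learned baseline.
NEW_LOG = """\
2022-10-06T03:15:22Z user=alice event=login src=10.0.1.15
2022-10-06T03:00:10Z user=bob event=login src=10.0.2.40
2022-10-06T09:30:00Z user=alice event=login src=203.0.113.9
2022-10-07T02:10:45Z user=alice event=login src=203.0.113.9
2022-10-07T10:00:00Z user=carol event=login src=10.0.3.7
"""


def parse_log(text):
    """Return (timestamp, user, src) for each login line; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["user"], m["src"]))
    return events


def build_baseline(events, min_count=2, tolerance=1):
    """Per user: hours seen at least min_count times, widened by +/-tolerance
    so a login a few minutes past the usual hour is not flagged, plus the
    set of source addresses seen during training."""
    hour_counts = defaultdict(Counter)
    sources = defaultdict(set)
    for ts, user, src in events:
        hour_counts[user][ts.hour] += 1
        sources[user].add(src)
    baseline = {}
    for user, counts in hour_counts.items():
        core = {h for h, n in counts.items() if n >= min_count}
        usual = {(h + d) % 24 for h in core
                 for d in range(-tolerance, tolerance + 1)}
        baseline[user] = {"hours": usual, "sources": sources[user]}
    return baseline


def score_event(baseline, ts, user, src):
    """Return (score, reasons); 0 means consistent with the user's profile."""
    profile = baseline.get(user)
    if profile is None:
        return 3, ["no baseline for user"]
    score, reasons = 0, []
    if ts.hour not in profile["hours"]:
        score += 2
        reasons.append(f"login at {ts.hour:02d}:00 outside usual hours")
    if src not in profile["sources"]:
        score += 1
        reasons.append(f"new source {src}")
    return score, reasons


def detect(training_log, new_log, threshold=2):
    """Build the baseline from training_log and alert on new_log events."""
    baseline = build_baseline(parse_log(training_log))
    alerts = []
    for ts, user, src in parse_log(new_log):
        score, reasons = score_event(baseline, ts, user, src)
        if score >= threshold:
            alerts.append({"user": user, "ts": ts.isoformat(),
                           "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(TRAINING_LOG, NEW_LOG):
        print(alert)
```

Run stand-alone, it flags alice's 03:15 login, her 02:10 login from an unfamiliar address, and carol, who has no profile at all; bob's 03:00 login is within his night-shift baseline and alice's daytime login from a new address scores below the threshold. A product engine would use a longer training window, separate weekday and weekend profiles, and more factors than hour and source, but the mechanics of baseline, deviation and score are the same.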
Ekran has been busy adding much needed improvements to its platform and it now is a
much stronger player which adds capabilities to its existing strengths of good design,
simplicity, and ease of use.
Security: neutral
Functionality: weak
Deployment: neutral
Interoperability: neutral
Usability: weak
Challenges
• Lacks some of the key PAM capabilities such as task management and privilege
escalation
• Some, but still limited DevOps capabilities that need development
• Needs more investment and innovation to compete with the best
EmpowerID – Platform
Based in Ohio (US), EmpowerID offers several products within its broader IAM portfolio,
including EmpowerID Privileged Access Management (PAM). All applications within the
portfolio run as SaaS, and EmpowerID also offers fully managed services. The only
on-premises component is the Cloud Gateway, which runs on Windows 10/11 and creates
the credentials and keys.
Largely built on top of Microsoft technology, EmpowerID offers integration and performance
benefits for Microsoft-centric organizations, particularly for existing customers of its user
provisioning and identity governance products.
The product is completely workflow based. A set of 1000 ready-made workflows ship with the
product to get started, and more can be added through simple drag and drop creation in
Workflow Studio. It uses conventional vault technology, which hides passwords from users
via RDP, SSH or web browser SSO. MFA support is through YubiKey Universal 2nd Factor
Authentication, Duo Push, knowledge-based authentication (Q&A), and an OATH token
server for issuing one-time password tokens.
EmpowerID has further developed its investment in Workflow Studio for 2022, with support
for Microsoft Adaptive Cards now added, which simplifies UI development. Further integration
with Microsoft tools allows users to create their own bots, supported as microservices in
Azure. Bots can be configured to find users with too much privilege or leftover JIT access.
The overall UI has been further optimized for mobile devices. EmpowerID is the most
user-customizable of all PAM platforms and should be commended for bridging low-code
principles and knowledge levels in a way that will support non-expert development.
Full PAM is available for DevOps, and the Session Manager architecture is completely
broken out into microservices and fully containerized. There is a standards-based native
Identity Provider built into the platform that provides SSO to cloud applications directly from a
menu in the dashboard. Other IdPs are supported, and multi-factor authentication can be
configured in addition using Azure, Duo, OAuth and mobile-based MFA apps. EmpowerID's
expertise in identity management makes this a flexible access tool for DREAM.
EmpowerID has added an Eligibility Policy Engine which manages what users may see and
request, and which roles and resources in the enterprise they can gain access to. Eligibility
policies can be applied to users by query, role, group, or other criteria, to target who receives
which policies.
A new microservice called My Tasks provides a consumer grade UX for request and to do
item tracking. My Tasks was designed to work with EmpowerID's new Business Request
approval flow engine which supports multi-level approvals.
The dashboard at the heart of EmpowerID is comprehensive in scope and does more than
just open access to cloud services. Other key capabilities include ML-supported role mining
with automatic clean-up of roles, and display of the rights granted to roles and the security
impact these may have on the organization. Business functions can be mapped to Azure
groups, for example Purchase Order functions. Whole groups can be switched to JIT access
if the role is considered high-risk, or optimized for least privilege access. From an IAM
background, EmpowerID is developing new approaches to PAM.
Security: neutral
Functionality: neutral
Deployment: positive
Interoperability: positive
Usability: positive
Challenges
• Still some scope to improve endpoint access for the era of home working
• The focus on Microsoft technology will suit many, but not all
• Needs Microsoft tools experience to customize UX and capability
Fudo PAM has a modern, crisp interface and allows customization with drag and drop
resizable tiles available. The same customization can be used for data presentation, useful
for reporting and behaviour pattern management. Fudo PAM is an agentless, all-in-one
solution, deployable mostly as a virtual appliance supporting VMware, AWS, Microsoft Azure
and Google Cloud. Fudo PAM can be also offered as a SaaS and in the MSP model by
partners.
For end users, the User Access Gateway portal provides easy access to servers – the user
is presented with a list of servers in one place, and a privileged session state can be initiated
by pressing the "play" button - a thoughtful touch and one that adds greater efficiency to PAM
in digital environments.
Fudo Security uses AI to detect biometric anomalies such as unusual mouse or typing
movements within the CLI or dashboard components. The use of machine learning has been
enhanced further with new PUBA capabilities. Fudo's latest release enables existing systems
to build user and system usage profiles based on continuous analysis of behaviour patterns
and anomalies. Password Management offers password changes through pre-defined
scripts, and in-house plug-ins can be used to automate password management.
Fudo PAM supports SIEM integration including the ArcSight and Splunk platforms. Its
well-thought-out interface and AI tools that can detect unusual behaviour and suspicious
sessions will appeal to organizations of all sizes looking for improvements in security.
Analysis of mouse movements, command semantics and similar signals gives above-average
detection of someone taking over a logged-in laptop.
We would like to see more development in terms of capabilities and native support for cloud
and DevOps, such as support for tools like Jenkins, and also more for CPEDM. It does offer
good AAPM support for application accounts, with API support for a good range of
programming languages. AAPM connects with the User Access Gateway over TLS, with two
options: the application reads the password, or it connects using a one-time credential so
the real password is never shared with it.
Development items include a fully developed SaaS version operated by Fudo tailored
towards cloud and multi-cloud environments and cross platform support for Kubernetes,
containerized apps and cloud services platforms. Of perhaps greater significance will be full
JIT access from the Fudo mobile app.
Security: neutral
Functionality: neutral
Deployment: strong positive
Interoperability: neutral
Usability: neutral
Challenges
• Being built to support more capabilities, so now needs a bigger marketing push, we
believe
• More DevOps tool compatibility, such as Jenkins and Kubernetes, would be welcome
• Opportunity for further integration with IAM tools
Security: strong
Functionality: weak
Deployment: neutral
Interoperability: weak
Usability: neutral
Strengths
• Easy to use dashboard for admins making approval and blocking efficient at
endpoints.
• Auto approval mode and automatic removal of privileges on threat detection
• Works best as a dedicated, easy to set up PRA tool for known users
• Fully compatible with Heimdal’s other VM and Endpoint Protection products
• May appeal to smaller and mid-size organizations (or departments) looking for a
simple to manage tool to control privilege access for remote workers
Imprivata – PAM
Imprivata is a US-based identity management company that is widely known in the
healthcare sector. It boosted its expertise in PAM through the acquisition of Xton in 2021.
The Imprivata Privileged Access Management solution is agentless and supports RDP, SSH
and HTTP(S) proxies and an HTML5 client that can record sessions, keystrokes, and file
transfers. The solution benefits from weekly updates including feature requests and bug
fixes, part of the company's philosophy that security software should be updated often,
something hard to argue with if the updates are pushed to customers. Updates are deployed
via the GUI, and the latest improvements include a Zero Trust login, session recording for the
AWS command line and automation tools, access to isolated networks without firewall
changes and an improved Administrator Dashboard.
Imprivata PAM provides a web-based, password vault with accounts discovery, shared
account password management and privileged session management capabilities, including
password rotation, access request workflows and session and keystroke recording with
playback. Credentials never leave the vault, and the solution also supports Just-in Time (JIT)
provisioning.
While Imprivata does not provide full privilege elevation and delegation management
(CPEDM) capabilities, it offers support for elevated script automation for routine privilege
escalation tasks, enhancing administrator efficiency.
Imprivata PAM is a self-hosted solution that supports Windows and Linux server installations
(including Red Hat) on-premises or in the cloud. There are two versions: Enterprise
Password Vault, which provides basic PAM functionality, and Imprivata Access Manager for
Enterprise, which adds workflows, password rotation, discovery, remote access and full API
integration among other features. MFA and SSO are supported through integration with
Azure AD, Okta, OneSign, WatchGuard and Duo Security. For a relatively new platform,
Imprivata offers a wide PAM technology portfolio that aligns well with the market direction
and supports the emerging PAM requirements of organizations. Imprivata offers integrations
with well-known ITSM, SIEM and MFA providers, and is a scalable solution for on-premises,
hybrid, and cloud deployments.
Based on open software and standards, Imprivata PAM offers an unlimited-subscription
pricing model and thereby presents a viable alternative to many established PAM vendors,
particularly in the mid-market segment. An interesting alternative option, and one to watch,
but it needs more capabilities, which will undoubtedly come as Imprivata beds its PAM
platform in with its existing IAM portfolio, which in turn should benefit from the cloud-native
PAM tools on offer here.
Security: positive
Functionality: neutral
Interoperability: positive
Usability: neutral
Strengths
• Solid overall package that supports most of the advanced PAM functions needed for
larger organizations
• Sensible incremental improvements have boosted its ratings
• Wide number of options available for 2FA and MFA implementation
• Passwords and keys are never transmitted to the end user
• Can be offered as-a-service from third-party MSPs
• Agentless architecture speeds deployment and time to value for organizations
Despite current deployment limitations, the platform is well featured for basic PAM
capabilities, including vaulting, session recording, and shared account management. Also on
the plus side is a thoroughly modern interface and UX, which older rivals in the market could
learn from. There is Device Discovery, which searches AD/LDAP and imports a list of target
resources into PAM, and Account Discovery, with the ability to import privileged accounts
into Indeed PAM.
Capabilities that stand out are an SSO module that connects to any client application plus
2FA supported out of the box without any third-party applications needed. The base code of
Indeed Identity's PAM server is lean and designed for easy integration into legacy and new
architecture. The company also designed the platform to be configured on privileged and
security policies such as approved SSH commands and the policies and rules around
session recording.
A good basic package that ticks many of the boxes but has some notable omissions that
would be essential for many buyers. These include Cloud support, EPM, PUBA, Privilege
Elevation, and JIT. But there is support for AAPM assisting with some DevOps which is good
for those looking for that.
The solution does basic PAM well and is very well designed, but unless its omissions and
shortcomings are addressed soon it is difficult to see Indeed Identity becoming truly
competitive in the PAM space. There is a promised development focus on Just-In-Time
access, access control improvements and usable integration via API, which Indeed Identity
should take further.
Security: neutral
Functionality: weak
Deployment: positive
Interoperability: neutral
Usability: neutral
Strengths
• Possesses just enough of the PAM basic capability to make it viable thanks to SSO
and 2FA out of the box
• Bang up to date UX and dashboard design among the best
• Can be configured around existing security policies and for session recording
• Company has good knowledge of IAM technologies which will be useful for future
development
Challenges
• Currently lacks far too many capabilities, such as PUBA and JIT, to be a credible
enterprise or even larger SMB solution
• Would benefit from a SaaS version sooner rather than later
• Indeed Identity needs to decide on a product development strategy if it wants to meet
the demands of more buyers
Krontech Single Connect features a "bottom-up" strategy for secrets onboarding. This
translates as a visual hierarchical tree structure to manage secrets and more flexible policies
for password generation (length, numbers, letters, special characters, alphanumeric
characters). There is out of the box support for 60+ enterprise applications and systems.
The PUBA component has been enhanced with adaptive intelligence techniques, able to act
according to risk scores and imminent security threats related to privileged accounts/access.
Risk score calculations are made in 3 different dimensions: users, servers, sessions. Reports
of all threat activity are also available for download. The interface and web GUI remain
competitive along with the easy-to-use Desktop Client Application for Windows and MacOS,
which sits alongside the WEB based interface.
Automation can be applied to recurring privileged tasks such as network port updates, DNS
maintenance, router configuration and CMDB updates (with pre-check, validation, and
post-check mechanisms), and the product now supports integration with any ITSM system
before running a task.
The Data Access Manager supports video recording and can enforce policy at the query
level. The product can be accessed as a desktop client, web app or via a mobile app. While
also supporting PuTTY, it features token-based application-to-application password
management. All sessions are recorded as MP4 files, and there is good support for SIEM
integration.
There is support for CPEDM, PUBA and PADLM, which should be expected at this level of
PAM solution. Supported third-party applications include Duo and Okta, and management
of access to cloud applications is supported on AWS, Azure and Google. Unusually, Single
Connect has a built-in MFA manager called the Unified Access Manager which also includes
support for SSO. Single Connect's MFA Manager provides built-in multi-factor authentication
for Single Connect's Session Manager and Direct Access Manager modules. In addition, the
MFA manager integrates with VPN servers, allowing MFA at the point of enterprise network
access.
Single Connect’s Unified Access Manager provides built-in and pre-integrated TACACS+ and
RADIUS servers that provide AAA (Authentication, Authorization and Accounting) services
for network infrastructure and extends authentication, single-sign-on capabilities, and policy
configurations of Active Directory to network infrastructure.
With easy-to-use SAPM and PSM capabilities, Krontech Single Connect may appeal to small
and mid-size businesses (SMBs) with manual routine PAM tasks eliminated by useful
privileged task automation, thereby accelerating leaner privileged operations. This remains a
package worth further investigation and will benefit from improved DevOps capabilities,
AAPM capabilities, a hosted SaaS version and further improvements to the UX.
Security: positive
Functionality: neutral
Deployment: positive
Interoperability: neutral
Usability: neutral
Strengths
• Separate modules for distinct PAM functions, integrated under a common PAM
platform
• Has made constructive improvements to capabilities in the past year
• Good market and technology understanding
• Good UI design for enhanced UX
• Strong support for database administrative privileges
• Early and effective emphasis on privileged task automation
• Support for most commonplace IaaS platforms
ManageEngine – PAM360
Headquartered in Pleasanton, US, ManageEngine is a part of the India-based Zoho
Corporation, founded in 1996. PAM360 is the company's main modular offering to the PAM
market and offers key functionalities in an integrated fashion.
The platform promotes key management over more traditional password management, but
still supports traditional password rotation with a proprietary vault technology. Privileged
account discovery works across Windows, Linux, network devices and databases. Session
management masks passwords from users when launching RDP, VNC, SSH and SQL
sessions. All sessions can be recorded, and PAM360 comprises tools for PAG, PUBA, SSL
and SSH key management and workflow automation.
PAM360 benefits from machine learning capabilities in its PUBA functions, which assist with
user behaviour patterning to detect anomalies. The interface for PUBA shares the same
modern look as the rest of the solution and delivers a high-level view of risk scores, including
current high-risk servers, current high-risk users, and the total number of anomalies. It is a
highly useful resource for admins and offers drill-down into more granular data on users.
ManageEngine makes a play of its "smart" workflow automation, and there is credibility to this
with integration with Automation Anywhere and with ITSM ticketing systems such as
ServiceDesk Plus and ServiceNow. On a more fundamental PAM issue, PAM360 offers
strong SIEM integration with Splunk, Sumo Logic and Log360. DevOps is covered up to a
point with integrations for Jenkins, Ansible, Chef and Puppet.
The self-service privilege elevation feature comes with built-in least privilege capabilities,
where users have minimal or no access to certain applications. Based on the merits of their
requests, users are granted access to allow-listed applications for a specific period, and
access to those applications is revoked after the users have carried out their actions. This
includes managing and securing cloud infrastructure entitlements.
We would have liked to have seen more capability development rather than still waiting for
native DevOps, cloud and PAMaaS but this remains one of the best platforms outside the
Leadership space.
Security: neutral
Functionality: neutral
Deployment: positive
Interoperability: neutral
Usability: neutral
Strengths
• PUBA tools very good with machine learning now added to functionality
• Customization tools are welcome at this level
• Strong auto discovery capabilities and risk-based scoring system for activities
• Integrates well within broader security and IT software portfolio
• Reasonable pricing and easy licensing arrangement
• Strong integration with digital workflow management tools
Challenges
• Only available in an on-prem software delivery format. We look forward to the cloud
native version of PAM360 coming soon
• Lack of integration with IGA tools
• Lack of connector support for cloud applications and cloud-based delivery
In 2021 we said that Micro Focus looked to be getting back on track with its PAM play, and
there has been further incremental development of the platform. MFA is now an option for
privileged access elevation, SSO is available via IdP platforms, and the search tools have
been improved. The product is available on-premises, in the cloud or as SaaS.
The integration of NetIQ Privileged Account Manager with Micro Focus Interset, its
proprietary UEBA solution, means that risk scores can be generated based on user
behaviour anomalies, such as unusual applications accessed, time of day, geographical
location, device used and other metrics. NetIQ Privileged Account Manager then uses this
information in its decision-making process to decide whether to grant a privileged session
based on the user's risk score.
Elsewhere, new agentless capabilities for both Windows and Linux deployments should
speed time-to-value by requiring fewer NetIQ PAM components to be installed (and therefore
fewer to patch). The platform now provides real-time session streaming for improved
monitoring and control of privileged sessions. This allows a secondary user to audit a
privileged session in real time, make decisions based on detected risky behaviour and
terminate the session if desired. Improvements have also been made to user interfaces
across the platform, and a new, highly functional console allows quick toggling between
multiple privileged sessions.
Administrators can configure privileged access permissions in a simpler, easier, and more
meaningful way with Access Control, the latest policy engine.
The Access Control policy engine focuses on grouping resources based on similar access
requirements within an organization and then granting access to users based on criteria such
as privilege level, monitoring requirements, allowed access time, and so on. Access Control
gives you quick access to information about Privilege Governance (who has what access).
The highest-priority capabilities on the product roadmap are securing privileged access in the
cloud, which includes cloud consoles, SaaS applications, and static and dynamic cloud
workloads. Additional capabilities to be introduced include secure programmatic access to
cloud, microservices, and SaaS applications as part of its privilege escalation functionality.
NetIQ PAM will evolve in the cloud by supporting dynamic and ephemeral accounts and
enabling Security Token Services for least privilege access, as part of the planned expansion
to cloud and SaaS applications. Dynamic cloud resources will also be enrolled in NetIQ PAM
as ephemeral machines with zero standing privileged accounts.
With these improvements, and with solid PAM tools at its core (discovery, vault, session
management and recording, AAPM, EPM and SIEM integration), Micro Focus NetIQ offers
privileged session management across a variety of systems including enterprise business
applications such as SAP, databases, and popular SaaS applications.
Security: neutral
Functionality: neutral
Deployment: neutral
Interoperability: positive
Usability: neutral
Strengths
• Good for organizations that already adopt other NetIQ IAM products especially with
new family integrations
• Real-time session recording now standard
• Support for SAP and other major database platforms
• Reliable and trusted solution for its basic capabilities
• Retains a good interface with user friendliness to the fore
• Financially backed by a large enterprise software vendor
Challenges
• The product would now benefit from more comprehensive DevOps and other digital
capabilities as a next positive step
• The Micro Focus website remains confusing to buyers, as does the dual branding
• The platform is now being given technical and marketing attention, but a next level
focus is required
Senhasegura PAM has a good mix of traditional and advanced capabilities, and MT4
Tecnologia's ambition to break into wider markets has resulted in solid development. The
company has improved its use of biometrics (already used for MFA) with supporting
algorithms designed to identify human keystroke patterns and alert to activity by
unauthorized users on endpoints. Related to this is a module that collates user behaviour
data to determine a risk score for all privileged users.
The User Security Posture Rating is used to calculate the probability of malicious actions
given the history of the user's previous behaviour. With each new privileged event executed
by the user, the score is updated and dynamically influences password controls for the user.
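The scoring behaviour described above, written out as an added example for this report rather than Senhasegura's own algorithm: the event types, their weights, the 24-hour half-life and the control thresholds are constructed assumptions. The point it shows is that each privileged event updates the score, a quiet period lets it decay, and the current score (not a static policy) selects the password controls applied to the user.

```python
"""User posture risk score updated per privileged event, selecting password controls.

Added illustration for this report, not Senhasegura's algorithm: the event
weights, half-life and thresholds below are constructed assumptions.
"""
from typing import Dict, Iterable, List, Tuple

# Constructed weights: how much each event type raises the score.
EVENT_WEIGHTS: Dict[str, float] = {
    "session_ok": 0.0,
    "auth_failure": 5.0,
    "off_hours_session": 8.0,
    "new_target_host": 10.0,
    "blocked_command": 20.0,
    "keystroke_anomaly": 25.0,   # the keystroke-pattern alert described above
}
HALF_LIFE_HOURS = 24.0   # assumption: accumulated risk halves every 24 quiet hours
MAX_SCORE = 100.0


def decay(score: float, hours_elapsed: float) -> float:
    """Exponential decay so old behaviour stops dominating the score."""
    return score * 0.5 ** (hours_elapsed / HALF_LIFE_HOURS)


def update_score(score: float, event: str, hours_since_last: float) -> float:
    """Decay the previous score for the quiet interval, then add the event weight."""
    if event not in EVENT_WEIGHTS:
        raise ValueError(f"unknown event type: {event}")
    return min(MAX_SCORE, decay(score, hours_since_last) + EVENT_WEIGHTS[event])


def password_controls(score: float) -> Dict[str, bool]:
    """Map the current score onto password controls (thresholds are assumptions)."""
    return {
        "rotate_after_session": score >= 40.0,   # one-time credential for this user
        "step_up_mfa": score >= 60.0,            # re-authenticate before check-out
        "deny_checkout": score >= 80.0,          # route to manual approval instead
    }


def score_history(events: Iterable[Tuple[float, str]]) -> List[float]:
    """Replay (timestamp_hours, event_type) pairs in order; return the score after each."""
    score, last_t, history = 0.0, None, []
    for t, event in events:
        gap = 0.0 if last_t is None else t - last_t
        if gap < 0:
            raise ValueError("events must be in chronological order")
        score = update_score(score, event, gap)
        history.append(score)
        last_t = t
    return history


# Constructed sample: one user's privileged events over roughly 28 hours.
SAMPLE_EVENTS: List[Tuple[float, str]] = [
    (0.0, "session_ok"),
    (1.0, "auth_failure"),
    (1.5, "auth_failure"),
    (2.0, "off_hours_session"),
    (3.0, "blocked_command"),
    (27.0, "session_ok"),          # a quiet day: the score halves
    (28.0, "keystroke_anomaly"),
]

if __name__ == "__main__":
    for (t, event), s in zip(SAMPLE_EVENTS, score_history(SAMPLE_EVENTS)):
        print(f"t={t:5.1f}h {event:<18} score={s:6.2f} controls={password_controls(s)}")
```

Running the sample shows the score climbing past 37 after the blocked command, halving over the quiet day, and crossing the rotation threshold only when the keystroke anomaly arrives on top of the residual score; a single anomaly on a clean history would not have crossed it.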
Developers will appreciate the support in Task Manager Pro for Red Hat Ansible playbooks
to create new privileged tasks. With Ansible it is easier to create complex privileged routines
and the tool integrates vendor modules already in its repository.
An agentless architecture allows for easy installation and configuration while preserving
full control of privileged settings. A set of built-in infrastructure modules offers high availability,
load balancing and advanced monitoring capabilities. A new SaaS-based tool delivers
Remote Privileged Access (RPA) that is agentless and VPN-less, using the client cloud as
the connection point to the network. Authentication is performed via MFA biometric
validation in Senhasegura's Mobile App.
MT4 Tecnologia now has a more powerful PAM proposition, with enhanced usability and
forward thinking on the needs of developers and how PAM fits into Infrastructure as Code
(IaC) environments. In addition to all basic PAM modules for account and password
management, Senhasegura offers SSH key management, accounts discovery, AAPM, an
endpoint MFA module plus much needed PUBA capability.
More developer-focused tools are coming: automation of scripts, which makes integration with
pipeline workflows much simpler through wizards, and a secretless option for the
Senhasegura agent that will make it possible for applications to be authenticated without
requesting passwords or secrets.
Security positive
Functionality positive
Deployment positive
Interoperability neutral
Usability positive
Strengths
• Ease of deployment
• Easy to use, clean interface
• Can be customized by admins and end users
• Good efforts made to address previous challenges
• Keystroke analysis tool is unique and bodes well for future development
• Much improved analytics tools, including the company safety rating status
Challenges
Leader in
Netwrix – SbPAM
Netwrix was founded in 2006 and is headquartered in Irvine, California. Having acquired
Stealthbits in 2021 it has now fully rebranded its PAM platform as Netwrix SbPAM.
Netwrix has made some technical enhancements of note: secure OpenID Connect and
SAML 2.0 authentication, scheduled password rotation for all supported platforms and a
browser extension for Chrome and Edge for improved web session recording. There is also a
claimed 10-minute deployment option; as ever, such claims need verification in the real world,
but the simplicity of the SbPAM architecture suggests that rapid times could be achieved. We are
also promised SSH key management and credential-based policies for AAPM soon.
There are four basic functions in the product: access control, session recording, editing and
vaulting. This provides scheduled and on-demand credential rotation capability for AD,
Windows, Linux, Cisco and Azure AD. The design is to simplify PAM as much as possible
by providing a fully JIT, ephemeral approach to access and provisioning with as little as
possible installed in the customer environment. Privileged accounts don't exist until someone
is doing something; then they disappear. However, the product also supports the
management and rotation of dedicated admin and other accounts as well as ephemeral
accounts.
The key is BYOV, or Bring Your Own Vault. Customers have the option to integrate a third-
party vault via API from several leading PAM providers, although 99% of customers choose
Microsoft LAPS. The Stealthbits built-in vault protects service accounts used for privilege
escalation and can manage the passwords for existing privileged accounts used by
administrators.
On the dashboard there is no long list of accounts; instead, users select what they want to do
and the system then provides access and provisions the account. When the session is
finished the user is automatically logged out and all privileges are removed. It uses a mesh
architecture and provides scalability, supporting Windows, Linux and Docker, is built on .NET
Core, and can be run hybrid, on-premises, or in the cloud. Built-in task-based certifications are
supported.
The Netwrix PAM suite offers hundreds of out-of-the-box auditing reports to fit a wide variety
of common use cases. Both Netwrix PAM auditing products easily support custom scripting
and reporting to aid in the configuration of novel auditing tasks. Netwrix PAM can manage
privileged accounts, or use ephemeral accounts, when provisioning activity sessions on
endpoints. Activities are fully customizable, so that any custom sequence of actions can
occur during the pre-session, session, and post-session. Additionally, Netwrix PAM offers a
password vault functionality. It also has a single pane of glass threat dashboard that surfaces
a variety of threats across the environment in real-time and executes automated response
playbooks.
Roadmap items include as yet unspecified CIEM and ZTNA packages by the end of Q4 2022 and
tighter out-of-the-box integration with common DevOps tools such as Ansible, Puppet and
Chef. The next release of SbPAM will support custom roles for SbPAM console access, so
not only are SbPAM access policies and activities customizable, SbPAM console access will
be customizable too. This will allow for higher levels of fine-grained access for combinations of
resources and users.
Security positive
Functionality positive
Deployment positive
Interoperability positive
Usability neutral
Strengths
• Potentially the future of PAM in terms of ease of use and ephemeral control and now
with added capabilities
• Highly suitable for DevOps and high velocity environments
• Easy to use and administer, with potentially very rapid deployment times for some
organizations
• Ephemeral approach means a reduced attack surface for hackers
• Would work well with smaller, agile and less legacy-encumbered organizations
Challenges
• Larger enterprise organizations may need the backup of an existing PAM, but this is
less so as the product has developed
• Potential to add capabilities that add data governance to the mix
• Netwrix needs to do more to effectively market this approach to PAM
The platform itself consists of Safeguard for Privileged Passwords, Safeguard for Privileged
Sessions and Safeguard for Privileged Analytics. Safeguard for Privileged Passwords grants
role-based access with automated workflows designed to speed up provisioning and
authentication. Administrators can sign into the tool from a web browser with support for
mobile devices while the tool is protected by two-factor authentication.
Safeguard for Privileged Sessions can record all privileged sessions, and content is indexed
to simplify searching for events and reporting. Safeguard for Privileged Analytics tracks user
activity in real time and compares activity to session data collected from the wider IT
environment. New additions include a SaaS solution, Safeguard on Demand, and a Remote
Privileged Access tool, Safeguard
A new secrets broker, based on HashiCorp and supporting the complete HashiCorp API, has
been added to the package. This allows customers to manage secrets through the
Safeguard vault or push secrets out to other secrets stores in the cloud (HashiCorp, Azure
Key Vault, AWS Secrets Manager, etc.). This allows DevOps teams to use the secrets
service that works best for them - a good move.
In a more specialized and welcome move, the Safeguard DevOps Service tool has been
added which is a fully containerized service that brings a native level of connectivity from the
Safeguard Vault to DevOps tools and environments. There is also Starling Connect for
Passwords that allows customers to quickly subscribe to credential connectors for password
rotation and discovery of cloud targets.
One Identity has improved its JIT provisioning for Safeguard which now allows privileges to
be assigned at the exact time of credential check-out. Accounts in Active Directory that
require privileges to perform a function can be added to the appropriate group(s) when the
account is approved for check out, then removed.
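The JIT pattern described here for One Identity (membership added at check-out and removed afterwards) and earlier for Netwrix SbPAM (accounts and privileges that exist only while a session is running) can be shown as a small broker. This is an added example for this report, not code from either vendor: the group store is an in-memory stand-in for a directory such as Active Directory, the approver and TTL rules are assumptions, and the audit lines stand in for what would be forwarded to a SIEM.

```python
"""Time-boxed privilege grants with automatic revocation and an audit trail.

Added illustration for this report, not code from Netwrix, One Identity or any
vendor reviewed here. The group store is an in-memory stand-in (assumption) for
a directory such as Active Directory; in a deployment the add/remove calls
would go to the directory and the audit lines to a SIEM.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Grant:
    user: str
    group: str
    issued_at: float      # seconds since epoch
    ttl_seconds: float
    approver: str

    def expires_at(self) -> float:
        return self.issued_at + self.ttl_seconds


class JitBroker:
    """Group membership exists only while an approved, unexpired grant exists."""

    def __init__(self, max_ttl_seconds: float = 3600.0) -> None:
        self.max_ttl = max_ttl_seconds
        self.groups: Dict[str, Set[str]] = {}   # stand-in directory: group -> members
        self.grants: Dict[str, Grant] = {}      # "user:group" -> active grant
        self.audit: List[str] = []

    @staticmethod
    def _key(user: str, group: str) -> str:
        return f"{user}:{group}"

    def checkout(self, user: str, group: str, ttl_seconds: float,
                 approver: str, now: float) -> Grant:
        """Add the user to the group once approved; the grant carries its expiry."""
        if approver == user:
            raise PermissionError("self-approval is not allowed")
        if not 0 < ttl_seconds <= self.max_ttl:
            raise ValueError(f"ttl must be in (0, {self.max_ttl}] seconds")
        grant = Grant(user, group, now, ttl_seconds, approver)
        self.grants[self._key(user, group)] = grant
        self.groups.setdefault(group, set()).add(user)
        self.audit.append(f"{now:.0f} CHECKOUT user={user} group={group} "
                          f"ttl={ttl_seconds:.0f} approver={approver}")
        return grant

    def checkin(self, user: str, group: str, now: float,
                reason: str = "session-ended") -> None:
        """Remove the membership and close the grant (explicit check-in or expiry)."""
        self.grants.pop(self._key(user, group), None)
        self.groups.get(group, set()).discard(user)
        self.audit.append(f"{now:.0f} CHECKIN user={user} group={group} reason={reason}")

    def sweep(self, now: float) -> List[str]:
        """Revoke every grant whose TTL has elapsed; run this on a schedule."""
        expired = [g for g in self.grants.values() if now >= g.expires_at()]
        for g in expired:
            self.checkin(g.user, g.group, now, reason="ttl-expired")
        return [self._key(g.user, g.group) for g in expired]

    def is_member(self, user: str, group: str) -> bool:
        return user in self.groups.get(group, set())

    def standing_members(self) -> List[Tuple[str, str]]:
        """Memberships with no active grant: under zero standing privilege this is empty."""
        granted = {(g.user, g.group) for g in self.grants.values()}
        return sorted((u, grp) for grp, members in self.groups.items()
                      for u in members if (u, grp) not in granted)


if __name__ == "__main__":
    broker = JitBroker()
    broker.checkout("alice", "Server-Admins", 900, approver="bob", now=1000.0)
    print(broker.is_member("alice", "Server-Admins"))   # True while the grant is live
    print(broker.sweep(now=1900.0))                     # ['alice:Server-Admins']
    print(broker.is_member("alice", "Server-Admins"))   # False: membership removed
    print("\n".join(broker.audit))
```

The `standing_members` check is the useful control here: anything in a privileged group without a matching grant was added outside the JIT path and is exactly the standing privilege these products aim to eliminate, so it is worth reporting on every sweep.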
All of One Identity's solutions offer an easy-to-use dashboard interface to control specific
settings and task loads. The product can be implemented as a protocol proxy so that minimal
changes are required to the network - and monitoring, recording, and analysis of privileged
sessions is achievable without having to onboard any assets. Session activity can be
captured via keystroke, mouse movement and windows viewed. All sessions are recorded as
video and stored in a secure, searchable database.
One Identity also offers CPEDM and AD Bridge products as installable client packages.
Safeguard for UNIX/Linux is a comprehensive suite delivering Unix-AD bridging,
authentication, root delegation (SUDO enhancement) and centralized management of
policies across Unix-based systems.
Privilege Manager for Windows offers CPEDM capabilities for Windows-based platforms.
Finally, SIEM support is delivered with support for market leaders Splunk and Micro Focus
ArcSight, and MFA comes courtesy of One Identity Defender or via plug-ins for RSA,
YubiKey, Okta, Duo and RADIUS. Safeguard now supports Sudo 1.9, which brings new
security safeguards against user error and furthers JIT capability. With the addition of
OneLogin this is now a competitive PAM option for many organizations.
Functionality positive
Deployment positive
Interoperability positive
Usability positive
Strengths
• Much improved capability for DevOps environments with native Kubernetes support
• JIT capability now much improved which delivers better dynamics
• Easy to understand interface shared across all modules with support for both CLI and
GUI
• Good reputation for enabling smooth deployment, integration and scale for many
organizations
• Simple integration with One Identity IAM products will appeal to organizations already
invested in the ecosystem
Challenges
Leader in
Remediant – SecureONE
Remediant was founded in 2013 and is based in San Francisco. Its SecureONE product has
agent-less and vault-less technology at the core of the PAM platform that provides JIT
access for all privileged accounts, abolishes shared accounts altogether, and stores no
credentials at all.
SecureONE integrates with security platforms from Axonius (Cyber Asset Management),
Carbon Black (EDR), CrowdStrike (EDR) and SentinelOne (EDR), with broader SIEM support. In
terms of functionality, the EDR integration permits session recording, associating relevant
data with privileged access sessions. Basic IGA capability is also available, with deeper IGA
integration specific to SailPoint.
OAM (Offline Access Management) now provides break-glass and scheduled on-demand
rotation of local account credentials in case JIT access is not working due to the target
system being offline. Remediant has also expanded its API endpoint integration count by
22% to further assist customer driven integrations.
It also supports role-based access control as well as attribute-based access control; however, it
lacks dedicated support for some more traditional advanced PAM capabilities such as
AAPM. This is where pure JIT may fail for larger organizations that still need to vary privileged
access safely. An agentless approach to endpoint access lowers the risk of third-party breaches
and speeds deployment times, which already promise to be quite rapid due to the small
footprint of Remediant SecureONE. The company claims that 100,000+ endpoints can be
managed within 2 hours.
Remediant now offers two deployment options. The existing virtual appliance method
deploys 1-3 virtual appliances in the customer environment in a clustered configuration; this
deployment mechanism offers HA and DR with flexible RTOs and RPOs. For the SaaS
offering, the customer can deploy several sensors (small virtual machines) in various
environments. These sensors communicate directly with Remediant's SaaS console.
Sensors can be added, removed or replaced without impacting service availability. A great
step forward for SaaS-based PAM.
However, the platform still lacks dedicated support for some more traditional advanced PAM
capabilities such as AAPM but its cloud native posture and refusal to use passwords or
agents is becoming more relevant.
Security positive
Functionality neutral
Deployment positive
Interoperability neutral
Usability neutral
Strengths
• Agentless and vault-less operation makes sense and will appeal to some
organizations
• Simple to install with modern interface
• Basic solution that does a good job of access control and management
• Role-based access control
• Potentially the basis of a future leading PAM solution
Challenges
• Still needs stronger support for functions such as PADLM and SAM
• Still needs wider DevOps support
• May deter some organizations who still like a vault-based solution and a more
traditional approach to PAM functions
Leader in
The solution is designed to run on all major cloud platforms, including Google, AWS and
Azure. It is also fully compatible with Workday and Office 365 integrations, which is useful for
organizations standardizing on SaaS based operations.
Saviynt Cloud PAM can automatically discover and secure privileged access to all the
applications in the IT ecosystem, whether on-premises or in the cloud, and adopt a password-
less experience for privileged accounts to reduce credential leakage. Other capabilities include
role-based access (good), session recording, log ingestion and just-in-time access to any
application.
Saviynt's solution also comes with built-in Cloud Entitlements Manager (CIEM) features,
which is good. In addition, as part of its converged Enterprise Identity Cloud (EIC) platform,
Saviynt's cloud PAM comes with built-in IGA features. There is continuous discovery of cloud
workloads and entitlements and monitoring of services and workloads for security errors or
misconfigurations. A new Risk Exchange tool allows bi-directional data integration with third-
party solutions such as SIEM and vulnerability management solutions. There is also
Automated Backdoor Entry Protection, able to identify backdoor accounts and automatically
disable or delete them based on policies, and to alert and mitigate.
The web-based interface is designed to be user-centric, and in this the company has
succeeded in creating a very clean and simple interface. It is a bold move to create a PAM
solution that runs only as a service. While it gives the developers control over iterative
development, it also hands them greater responsibility for the integrity of privileged access
management for their clients. Overall, this represents a promising addition to the ranks of
PAM solutions, taking PAM as SaaS further and the company has exciting plans to add to
the BYO concept. Development is under way to support BYO widgets and more out of the
box dashboards in a future release. Saviynt is also looking at High Dynamic JIT for RPA –
tools to automate many repetitive tasks. Interesting times at Saviynt.
Functionality positive
Interoperability positive
Strengths
• Integration of functions designed in from the start, takes PAMaaS to a whole new
level and is ready for the IaC future
• Saviynt has clearly thought about how cloud apps affect PAM and worked to
accommodate that
• A good step towards reducing reliance on passwords
• Good control of redundant IDs and unused passwords
• Unique HR integration capabilities
Challenges
Leader in
Sectona offers JIT capability, with Zero Standing Privilege (ZSP) now supported. Privileged
Task Management (PTM) automates SSH and PowerShell commands to automate routine
tasks, while Privileged Account Lifecycle Management is fully accessible from the
Management Console.
Sectona offers an in-built Plugin Designer Kit (PDK) that allows customers to develop their
own connectors to facilitate PSM and SAPM for non-standard applications and does not
require extensive coding experience thereby avoiding development costs. Sectona also
offers an MSP edition of its software aimed at IT service providers wishing to offer managed
PAMaaS, which is quite rare in the market, at present.
A highlight of the platform is Session Risk Scoring for threat analysis, which gives an at-a-
glance view of performance against pre-existing security and data theft categories. Risk
alerts can be set for immediate notice of suspicious activities.
It is up to speed with features such as Adaptive Authentication, which will become more
common in PAM in the future, as well as Application to Application Password Management
(AAPM) using APIs and SDKs for many platforms. It is well positioned, then, to manage
DevOps and containerization demands in the future. Sectona has added enhancements to
Account Discovery, Cloud integrations and SCIM support, further strengthening a well-
engineered platform that should scale well; to that end Sectona is planning to release a
lightweight CIEM tool to complement PAM in 2023.
Security neutral
Functionality positive
Deployment positive
Interoperability neutral
Usability positive
Strengths
Challenges
SSH – PrivX
Based in Helsinki, Finland, SSH offers PrivX as its primary product for the PAM market. PrivX
offers an alternative to traditional account & password management methodologies. It
provides ephemeral (short-lived) certificate based Just-In-Time (JIT) access for SSH and
RDP protocol authentication.
This approach can reduce the overhead management that typically comes with password
vaulting solutions. PrivX does however come equipped with two vaults (user exposed &
PrivX admin only access) providing the best of both worlds. In addition to the already existing
key vault for admins, the new PrivX Secrets Vault allows for secrets to be stored and
retrieved by users from the UI or automated processes.
Newly added functionality for X.509 certificate support further expands the range of targets
accessible via certificate-based authentication, including Tectia SSH servers and devices
from vendors such as, but not limited to, Cisco.
It is an innovative approach but one that brings functional and security advantages – access
is faster, onboarding/offboarding of privileged users is quick and for most use cases there
are no passwords to expose. Furthermore, credentials or secrets are masked from users
when accessing targets using certificate-based authentication or vaulted passwords that are
injected into target sessions.
Users can view a list of resources based on role memberships and select targets
accordingly. User and group information is automatically synchronized through seamless
IGA/IDM integration capabilities. PrivX currently supports AD, Azure AD, LDAP/S and AWS
Cognito; in addition, directories from IAM systems using OIDC and SCIM claims are also
supported.
While the core product is deliberately lean, it integrates with third parties to add functionality
for SIEM, ticketing systems and HSM through APIs. In addition to the UI, native clients are
supported for SSH and RDP with little to no loss in functionality compared with the main UI. All
SSH, RDP, HTTPS and VNC sessions are audited, logged and can be recorded for
compliance, forensics or training purposes.
PrivX offers accountability of user activities even when shared target accounts are in use,
since PrivX associates a user ID to every session. PrivX integrates with SIEM, UEBA/BAD
systems. Other important areas of functionality covered include SAPM, AAPM, PADLM,
PUBA and CPEDM but endpoint privilege management is missing here.
However, PrivX reduces the need for traditional endpoint security by isolating the user's local
machine from the target. When connecting via its UI, target connections take place within a
containerized (HTML5) browser session, meaning zero exposure to user local machines.
This method of access also enables RPA (remote privilege access) without the need to
manage external user/3rd party workstations which is ever more prevalent with today's
distributed work practices.
PrivX has already secured the most important step in any CI/CD pipeline using ZT
ephemeral certificates: access to code repositories such as GitLab/GitHub. SSH plans to
extend integrations to CI/CD tooling, like Jenkins.
© 2023 KUPPINGERCOLE ANALYSTS AG 82
SSH PrivX can be deployed on standalone IaaC or on an on-premises virtual machine; there is
tooling for deploying PrivX as infrastructure as code and as a Kubernetes deployment.
The product remains an attractive alternative for many organizations seeking to reduce
password management and leverage cloud native capabilities.
Security positive
Functionality neutral
Deployment positive
Interoperability positive
Usability neutral
Strengths
• For a lean product, it still supports many core PAM capabilities and has been recently
enhanced
• Rapid access makes it ideal for DevOps and agile environments
• Reduces one level of vulnerability by eliminating static passwords and vaults
• Eliminates the risk of redundant credentials being stolen or misused
• Quick deployment
Challenges
• Lacking endpoint privilege management keeps the solution lean but may be missed
by some
• Agentless approach may deter some buyers
• Would really benefit from an SSH delivered SaaS based version
Leader in
Systancia – Cleanroom
Systancia is a software vendor, based in France, specializing in secure remote access and
workspace solutions. Systancia has several workplace and application virtualization
tools. As part of this it offers the Cleanroom platform, which it developed as a PAM offering to
the market. Systancia can now combine ZTNA and PAM within the same platform, as
extensions of each other. It is available on-premises or as a service in four product lines:
Systancia Cleanroom Session, Systancia Cleanroom Desk, Systancia Cleanroom Session
Service and Systancia Cleanroom Desk Service.
Systancia offers another new angle to privileged access management with a JIT approach
based around virtualization. But instead of just providing ephemeral credentials it provides a
totally virtualized environment for admins, separated from the real admin server and which
can be disposed of after use. A vault and session manager are contained within the
virtualized environment for sessions. The idea is that the core functional parts of PAM can be
separated from log files, applications and unused secrets which remain on admin servers
and only accessed for sessions as needed.
Since 2021, Systancia has made some solid capability and functional improvements to
Cleanroom. Cleanroom Desktop Session now supports FIDO2 USB keys. There is
also a much improved and fully graphical admin console with access to all logs, video logs,
analysis of workflows and full export of logs to SIEM, etc.
Systancia has opened the platform to customer development with an open-source API
enabling automation of a limited number of functions, which undoubtedly will lead to more
customization options suitable for more dynamic access applications. The company plans a
migration of Systancia Cleanroom components to a microservices based architecture along
with improved automation and orchestration for AWS deployments. Systancia has
progressed in the cloud deployment of Systancia Cleanroom, with architecture and
orchestration built for the AWS cloud infrastructure. We are also promised PEDM in the next
iteration.
This is now a less specialist secure workplace delivery tool that offers some privileged
capabilities, and one that has been developed enough in the last year to provide an option for
many more organizations. The integration with Systancia IAM and the new focus on cloud native
delivery, some DevOps capabilities and privileged access options have made this company's
offering much more interesting.
Security neutral
Functionality neutral
Deployment positive
Interoperability positive
Usability neutral
Strengths
Challenges
WALLIX – PAM4ALL
Based in France, WALLIX provides WALLIX PAM4ALL as its primary PAM product in the
market. At the core is password management, session management and access
management with built-in access request and approval capabilities.
WALLIX PAM4ALL consists of five major components that together form a solid foundation
for enterprise level PAM: Session Manager, Password Manager (Vault), Access Manager,
Privilege Elevation and Delegation Manager (PEDM) and Application to Application
Password Manager (AAPM). To complete the picture, WALLIX PAM4ALL also supports
WALLIX BestSafe to deliver an in-house compatible Endpoint Privilege Management (EPM)
solution. Multi Factor Authentication (MFA) is also available.
WALLIX has made improvements to password management: AAPM can provide virtual
filesystem monitoring and replace placeholders on the fly with passwords for applications
that rely on passwords being present in a configuration file; only authorized applications can
read this password automatically from the filesystem. WALLIX PAM4ALL now has real-time
and extendable reporting and dashboarding capabilities, provided based on service options
and on the profile orientation for auditors and functional administrators. A new Access
Manager provides access over native RDP clients. New plugins have been released to allow
Azure AD password rotation and new database systems to be managed.
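The placeholder-substitution approach to AAPM described above, as an added example for this report rather than WALLIX code: the `{{secret:NAME}}` syntax, the in-memory `SecretsStore` and its per-secret caller allow-list are assumptions standing in for a vault and its access policy. What it shows is that the file on disk only ever holds a reference, the real value is substituted at read time for an authorized caller, and every allowed or refused lookup leaves an audit record.

```python
"""Resolve password placeholders in a config file at read time, for authorized
callers only, so the secret never sits in the file on disk.

Added illustration for this report, not WALLIX code: the {{secret:NAME}}
placeholder syntax, the in-memory SecretsStore and its caller allow-list are
assumptions standing in for a vault and its access policy.
"""
import re
from pathlib import Path
from typing import Dict, List, Set

PLACEHOLDER = re.compile(r"\{\{secret:([A-Za-z0-9_./-]+)\}\}")


class SecretsStore:
    """Constructed stand-in for a vault: secrets plus a per-secret caller allow-list."""

    def __init__(self, secrets: Dict[str, str], acl: Dict[str, Set[str]]) -> None:
        self._secrets = dict(secrets)
        self._acl = {name: set(callers) for name, callers in acl.items()}
        self.access_log: List[str] = []   # every fetch, allowed or denied, is recorded

    def get(self, caller: str, name: str) -> str:
        if name not in self._secrets:
            self.access_log.append(f"DENY caller={caller} secret={name} reason=unknown")
            raise KeyError(name)
        if caller not in self._acl.get(name, set()):
            self.access_log.append(f"DENY caller={caller} secret={name} reason=not-authorized")
            raise PermissionError(f"{caller} may not read {name}")
        self.access_log.append(f"ALLOW caller={caller} secret={name}")
        return self._secrets[name]


def find_placeholders(template: str) -> List[str]:
    """List the secret names a template references, in order of appearance."""
    return PLACEHOLDER.findall(template)


def render_config(template: str, caller: str, store: SecretsStore) -> str:
    """Return the template with every placeholder replaced for this caller.

    The template itself is never modified, so the file on disk keeps the
    placeholders; a denied or unknown secret aborts the whole render.
    """
    return PLACEHOLDER.sub(lambda m: store.get(caller, m.group(1)), template)


def read_config(path: Path, caller: str, store: SecretsStore) -> str:
    """What an interposed read of the config file would return to `caller`."""
    return render_config(path.read_text(encoding="utf-8"), caller, store)


# Constructed sample template: the password is only ever a reference on disk.
SAMPLE_TEMPLATE = "host=db01\nuser=app\npassword={{secret:db/app-prod}}\n"

if __name__ == "__main__":
    import tempfile
    store = SecretsStore({"db/app-prod": "s3cr3t"}, {"db/app-prod": {"app-service"}})
    with tempfile.TemporaryDirectory() as d:
        cfg = Path(d) / "app.conf"
        cfg.write_text(SAMPLE_TEMPLATE, encoding="utf-8")
        print(read_config(cfg, "app-service", store))   # password resolved for the app
        try:
            read_config(cfg, "random-process", store)   # any other reader is refused
        except PermissionError as err:
            print("denied:", err)
    print("\n".join(store.access_log))
```

The design choice worth noting is that a refused lookup fails the whole render rather than leaving the placeholder in place: an application started with a literal `{{secret:...}}` string as its password would fail in a confusing way later, whereas an immediate error is visible in the access log and easy to act on.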
Sensibly, WALLIX has identified CIEM functionality as a strategic initiative to explore in
2023, expanding deeper into identity security posture management controls such as governance
of entitlements and identity analytics as well as PAM and IGA process integrations. A new
central console for PAM and EPM will facilitate the deployment, management, and elevation
of least privilege rules. The PAM4ALL management console for PAM and EPM will allow
central control of privileged permissions to timed minimums, pushing the JIT approach further
into the platform.
By building on its existing capabilities for password management and privileged session
management (PSM) and adding enhanced EPM, AAPM and better DevOps support, WALLIX
now has a highly competitive level of PAM capabilities that should be seriously considered by
buyers in all organizations. The new product branding suggests a better marketing approach
also, lending itself well to the new era of CIEM type capability adoption and much wider
interpretation of what is privileged access in all organizations. WALLIX is now well
established among the leaders and can only improve its capabilities; we wish them bonne
chance!
Security positive
Functionality neutral
Deployment positive
Interoperability neutral
Usability neutral
Strengths
• Well-engineered PAM solution that offers basic and advanced features to a high level
of functionality
• Proven in multiple operating environments including OT, industrial and SCADA
• High level of privilege session management and recording capabilities
• Single administrative console for web access gateway and bastion
• Strong support for multi-tenancy and HA options
• Non-intrusive and agentless architecture
Challenges
• Some admin-focused aspects of platform UX are still behind the curve on current
design practice
• WALLIX now needs to expand its presence beyond EMEA and into Enterprise with its
improved proposition
• DevOps support has solid base in AAPM and Bastion vault, but WALLIX should
develop this further for more native integration
Leader in
Vendors to Watch
Britive
Britive was founded in 2018 and is based in California. It develops access and entitlement
management solutions for IaaS platforms deployed in multi-cloud environments. It added
CIEM capabilities and security governance tools to the platform in 2021. Its raison d'être is
ephemeral JIT access for all types of identities to all resources (data, servers, CSP, SaaS
applications) in DREAM environments. In scenarios where ephemeral access is not feasible,
Britive has introduced a cloud vault for static secrets and keys, which can also be accessed
JIT. Because the Britive platform acts as an abstraction layer, machine and non-machine
identities never see or have standing access to the application, cloud, or server layer. Britive
leverages an API-first approach to grant users access to the target cloud platform or
application with the level of privileges authorized for the user.
Why worth watching: While this is undoubtedly a lean cloud-first entitlement platform, it
retains several classical PAM capabilities such as automated account discovery, rule-based
privileged escalation, and onboarding of privileged accounts, which will be useful to many
potential customers.
Deep Identity
Based in Singapore, Deep Identity is a regional provider of Identity Management software,
offering Deep PIM as its primary PAM product which is essentially built as software plug-ins
over Deep Identity Manager and comes with Privileged Access Server (PAS) acting as a
gateway to establish and manage access to the target systems. While Deep IM extends
account provisioning and access request approval workflows to privileged access, Deep PIM
lacks several basic PAM features that include privileged accounts discovery, shared account
password management (SAPM) and controlled privilege elevation and delegation
management (CPEDM).
Though the PIM gateway provides support for privileged RDP connections to Windows servers
and offers session logging and recording with text-based search and review capabilities, it
lacks support for the management of privileged accounts and activities in cloud applications and
platforms.
With some good local presence in Asia, particularly Southeast Asia (SEA), Deep PIM is a
good addition to existing Deep Identity Manager deployments to onboard additional
privileged session management features.
Why worth watching: It appeals to organizations with basic PSM needs along with the
requirements of regional delivery and integration support.
HashiCorp
San Francisco (US)-based HashiCorp provides application development and delivery
management software for data centers. Built on an open-source foundation, HashiCorp
offers a secure password vault that integrates with its application development and delivery
management modules to form a tightly integrated DevOps platform.
The vault is offered in three variants, for individuals, teams, and enterprises, depending on the
complexity of the development and deployment processes involved. While basic password
vaulting features such as encryption, secure storage, key rotation, a vault agent, access
control policies, and credential checkout workflows are included in all three variants,
MFA, governance, and the features necessary to support multi-data-center environments, such
as disaster recovery and replication, are only available in the team and enterprise
versions.
While not a complete PAM platform, HashiCorp offers password vaulting and secure
application-to-application password management capabilities to support enterprise DevOps
initiatives.
Why worth watching: While several other PAM vendors now offer similar capabilities
for DevOps, HashiCorp is a good starting point for organizations looking to bring PAM
into their application development and deployment processes.
Iraje
India-based Iraje offers Privileged Identity Management (PIM), a complete PAM solution
with a compelling feature set and the flexibility to customize it to business
requirements. Taking an agentless approach to PAM, Iraje supports a wide range of target
systems and is available as software and as virtual and hardware appliances.
Iraje offers a native database client, a schema extender, and a database monitoring module
alongside its PIM product, targeted at securing privileged database operations. Additional
modules are available for 2FA and SSO, but the product lacks endpoint privilege management
and advanced AAPM capabilities such as application or process fingerprinting.
Why worth watching: Iraje's PIM is targeted at SMBs in Asia and should appeal to
customers that require the flexibility to customize PAM for deeper auditing and monitoring
of database operations across a distributed IT environment.
Why worth watching: With the majority of its customers in Japan, SecureCube Access
Check is a good fit for East Asian organizations looking for regional integration support
and detailed privileged session auditing and monitoring capabilities.
ObserveIT
ObserveIT provides a comprehensive agent-based session management platform that is
deployable and scalable across a variety of IT systems. ObserveIT is one of the few
specialized vendors that originated in Session Recording and Monitoring (SRM) and
extended it to include other PSM features. It offers detailed user behaviour analysis and live
session response features.
In addition to monitoring and recording both CLI and GUI sessions in visual formats
that allow a detailed user activity log to be built from the recorded data, ObserveIT offers
advanced user behaviour analytics that detect and alert on anomalous user behaviour.
ObserveIT also offers live session response, which allows sessions to be interrupted at
runtime based on information fed from user behaviour analytics or from external products
such as SIEM (Security Information and Event Management) tools.
With visual endpoint recording, ObserveIT can capture sessions across a variety of systems,
supporting all major protocols, such as RDP (Remote Desktop Protocol) including the Citrix
variants, SSH, Telnet, and direct logins to application consoles.
Why worth watching: An agent-based approach allows for detailed logging and therefore
more meaningful and efficient activity search, in contrast to similar solutions that are
primarily proxy or gateway-based.
Venafi
US-based Venafi offers TrustAuthority, a machine identity protection platform that also provides
extensive SSH key management for securing privileged access gained through SSH keys
across organizations of all sizes and verticals. SSH keys are used for privileged operations in
Unix environments and pose a significant security risk, as most organizations have no
policy for the management and rotation of SSH keys. Venafi TrustAuthority offers
continuous discovery, inventory, and monitoring of SSH keys across the IT infrastructure and
enables automated key rotation.
Venafi TrustAuthority delivers centralized SSH key management and provides enterprise-wide
visibility into SSH key inventories and SSH trust relationships. Venafi also automates the
SSH key lifecycle from key provisioning to decommissioning, thereby
securing and controlling all SSH keys to minimize the risk of unauthorized access to critical
systems.
Why worth watching: Venafi appeals to organizations that have a critical security
requirement to gain visibility and control over unmanaged SSH keys and other credentials
used for privileged access.
Methodology
The KuppingerCole Leadership Compass is a tool that provides an overview of a particular IT
market segment and identifies the leaders within it. It is the compass
that assists you in identifying the vendors and products/services in that market which you
should consider for product decisions. It should be noted that it is inadequate to pick vendors
based only on the information provided within this report.
Customers must always define their specific requirements and analyze in greater detail what
they need. This report doesn’t provide any recommendations for picking a vendor for a
specific customer scenario. This can be done only based on a more thorough and
comprehensive analysis of customer requirements and a more detailed mapping of these
requirements to product features, i.e., a complete assessment.
Types of Leadership
We look at four types of leaders:
• Product Leaders: Product Leaders identify the leading-edge products in the market.
These products deliver most of the capabilities we expect from products in that
market segment. They are mature.
• Market Leaders: Market Leaders are vendors which have a large, global customer
base and a strong partner network to support their customers. A lack of global
presence or breadth of partners can prevent a vendor from becoming a Market
Leader.
• Innovation Leaders: Innovation Leaders are those vendors which are driving
innovation in the market segment. They provide several of the most innovative and
upcoming features we hope to see in the market segment.
• Overall Leaders: Overall Leaders are identified based on a combined rating, looking
at the strength of products, the market presence, and the innovation of vendors.
Overall Leaders might have slight weaknesses in some areas, but they become
Overall Leaders by being above average in all areas.
• Leaders: This identifies the Leaders as defined above. Leaders are products which
are exceptionally strong in certain areas.
• Challengers: This level identifies products which are not yet Leaders but have specific
strengths which might make them Leaders. Typically, these products are also mature
and might be leading-edge when looking at specific use cases and customer
requirements.
• Followers: This group contains vendors whose products lag in some areas, such as
having a limited feature set or only a regional presence. The best of these products
might have specific strengths, making them a good or even best choice for specific
use cases and customer requirements but are of limited value in other situations.
Our rating is based on a broad range of input and long experience in the market segment.
Input consists of experience from KuppingerCole advisory projects, feedback from customers
using the products, product documentation, a questionnaire sent out before creating the
KuppingerCole Leadership Compass, and other sources.
Product rating
KuppingerCole Analysts AG, as an analyst company, regularly evaluates products/services
and vendors. The results are, among other types of publications and services, published in
the KuppingerCole Leadership Compass Reports, KuppingerCole Executive Views,
KuppingerCole Product Reports, and KuppingerCole Vendor Reports. KuppingerCole uses a
standardized rating to provide a quick overview of our perception of the products or vendors.
Providing a quick overview of the KuppingerCole rating of products requires an approach
combining clarity, accuracy, and completeness of information at a glance. We rate
products/services on the following characteristics:
• Security
• Functionality
• Deployment
• Interoperability
• Usability
Security is a measure of the degree of security within the product / service. This is a key
requirement, and evidence of a well-defined approach to internal security, as well as
capabilities to enable its secure use by the customer, are key factors we look for. The rating
includes our assessment of security vulnerabilities and the way the vendor deals with them.
Functionality is a measure of three factors: what the vendor promises to deliver, the state of
the art, and what KuppingerCole expects vendors to deliver to meet customer requirements.
To score well there must be evidence that the product / service delivers on all of these.
Deployment is measured by how easy or difficult it is to deploy and operate the product or
service. This considers the degree to which the vendor has integrated the relevant individual
technologies or products. It also looks at what is needed to deploy, operate, manage, and
discontinue the product / service.
Interoperability refers to the ability of the product / service to work with other vendors’
products, standards, or technologies. It considers the extent to which the product / service
supports industry standards as well as widely deployed technologies. We also expect the
product to support programmatic access through a well-documented and secure set of APIs.
Usability is a measure of how easy the product / service is to use and to administer. We look
for user interfaces that are logical and intuitive as well as a high degree of consistency
across user interfaces across the different products / services from the vendor.
We focus on security, functionality, ease of delivery, interoperability, and usability for the
following key reason: KuppingerCole’s evaluation of products / services from a given vendor
considers the degree of product Security, Functionality, Ease of Delivery, Interoperability, and
Usability to be of the highest importance. This is because a lack of excellence in any of these
areas can result in weak, costly, and ineffective IT infrastructure.
Vendor rating
We also rate vendors on the following characteristics:
• Innovativeness
• Market position
• Financial strength
• Ecosystem
Market position measures the position the vendor has in the market or the relevant market
segments. This is an average rating over all markets in which a vendor is active. Therefore,
being weak in one segment doesn’t lead to a very low overall rating. This factor considers the
vendor’s presence in major markets.
Financial strength: even while KuppingerCole doesn’t consider size to be a value by itself,
financial strength is an important factor for customers when making decisions. In general,
publicly available financial information is an important factor therein. Companies which are
venture-financed are in general more likely to either fold or become an acquisition target,
which presents risks to customers considering implementing their products.
Ecosystem is a measure of the support network vendors have in terms of resellers, system
integrators, and knowledgeable consultants. It focuses mainly on the partner base of a
vendor and the approach the vendor takes to act as a “good citizen” in heterogeneous IT
environments.
Again, please note that in KuppingerCole Leadership Compass documents, most of these
ratings apply to the specific product and market segment covered in the analysis, not to the
overall rating of the vendor.
Strong positive: Outstanding support for the subject area, e.g., product functionality, or
outstanding position of the company for financial stability.
Positive: Strong support for a feature area or strong position of the company, but
with some minor gaps or shortcomings. Using Security as an example, this
can indicate some gaps in fine-grained access controls of administrative
entitlements. For market reach, it can indicate the global reach of a partner
network, but a rather small number of partners.
Critical: Major weaknesses in various areas. This rating most commonly applies to
company ratings for market position or financial strength, indicating that
vendors are very small and have a very low number of customers.
However, there might be vendors which don’t appear in a Leadership Compass document
due to various reasons:
• Limited market visibility: There might be vendors and products which are not on our
radar yet, despite our continuous market research and work with advisory customers.
This usually is a clear indicator of a lack of Market Leadership.
• Declined to participate: Vendors might decide to not participate in our evaluation and
refuse to become part of the Leadership Compass document. KuppingerCole tends to
include their products anyway if sufficient information for evaluation is available, thus
providing a comprehensive overview of leaders in the market segment.
• Lack of information supply: Products of vendors which don’t provide the information
we have requested for the Leadership Compass document will not appear in the
document unless we have access to sufficient information from other sources.
• Borderline classification: Some products might have only small overlap with the
market segment we are analyzing. In these cases, we might decide not to include the
product in that KuppingerCole Leadership Compass.
We provide a quick overview of vendors not covered and their offerings in a separate
chapter [cross-reference not resolved in the source document]. In that chapter, we also look at
some other interesting offerings around the market and in related market segments.
Related Research
Leadership Compass: Identity as a Service (IDaaS) IGA
Leadership Compass: Identity as a Service: Single Sign-On to the Cloud (IDaaS SSO) - 71141
Copyright
©2022 KuppingerCole Analysts AG, all rights reserved. Reproduction and distribution of this publication in any form is forbidden
without prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole’s
initial view. Through gathering more information and performing deep analysis, positions presented in this document will be
subject to refinements or even major changes. KuppingerCole disclaims all warranties as to the completeness, accuracy and/or
adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information
security and technology, KuppingerCole does not provide any legal services or advice and its publications shall not be used as
such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion
expressed may be subject to change without notice. All product and company names are trademarks or registered trademarks of their
respective holders. Use of them does not imply any affiliation with or endorsement by them.
KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-
making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services
allow you to feel comfortable and secure in taking decisions essential to your business.
KuppingerCole, founded in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in
providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM
(Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering
Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical
and strategic challenges and make better decisions for the success of their business. Maintaining a balance between immediate
implementation and long-term viability is at the heart of our philosophy.