Where We’ve Been – And Now Need to Go – to Secure the Modern Enterprise.
A few weeks ago, I published a blog on why modern enterprises must rethink PAM.
And I ruffled a few feathers.
But traditional privileged access management solutions just don’t secure cloud ecosystems (and the human and machine identities) that enterprises now deploy.
To the skeptics, I ask: how can PAM be “cloud-friendly” if it doesn’t embrace the principles of the platform it is supposed to protect?
PAM emerged in the 1980s (with sudo for Unix/Linux), although the first commercial vault wasn’t released until the early 2000s. At the time, randomizing passwords was the principal security feature. This helped prevent cyber criminals from moving laterally through networks.
Vendors originally created vaults to store passwords for infrastructure. The reason: every server is built with an administrator (or ‘root’) account – and often these accounts shared the same password when built. Password vaults randomize these passwords and allow support teams to access each one when needed.
Then we saw wider adoption of password management and new solutions around Active Directory bridging and least privilege, also for Unix/Linux. By 2007, Privilege Escalation and Delegation Management (PEDM) for Windows had emerged, albeit with a focus on endpoints like desktops and laptops. This technology offered better application control and removal of local admin rights.
Many began describing these solutions as ‘PAM,’ although vaulting remained central. Yet, true privileged access management didn’t exist as we experience it today. Frank Dickson, Research Vice President, Worldwide Security Products at IDC, described it this way: “Password managers are just that. They allow a user to save a potpourri of user accounts, IDs and associated passwords.”
Concerningly, enterprises carried these solutions forward – even as ecosystems modernized. See, vaults were designed for shared accounts, not personal, application, or web accounts. Personal accounts include a variety of entitlements that do not lend themselves to management within a vault. But perhaps most concerning is that vaults don’t solve the worst security issue: excess privileges.
Centralizing privileged accounts in a vault won’t reduce the number of privileged accounts or reduce the risk of these privileges. And it won’t guide an enterprise toward principles of least-privilege or just-in-time (JIT) access.
As attacks grew, the 2010s saw new defense measures and applications introduced. While robust, the solutions were piecemeal – and expanded enterprises’ architectural footprints. The result? A smorgasbord of tools including SIEM, IGA, SSO, MFA, and Vulnerability Management software to deploy and maintain.
Although more robust PAM solutions now exist, M&A dynamics further muddle things. Often, incumbent vendors try to fast-track innovation by buying up PAM tools. In this, customers miss out. Fragmented architectures blunt the full potential of PAM. Companies now suffer with different consoles, different reporting interfaces, and disparate agents in play. The technical debt alone debilitates even the most efficient IT/security teams.
Saviynt designed its platform with Zero Trust, zero-standing privilege, and JIT access in mind. Without an on-prem footprint, the platform adds versatility: secure privileged access and critical asset protection across the entire infrastructure.
As we trace the progress of PAM, we believe that the 2020s will be about consolidation and simplicity. To us, a true cloud-PAM solution is converged. This means integrated IGA and PAM capabilities.
For instance, the Saviynt platform works inside the cloud to attach rights and privileges to identities to streamline governance – no bolt-on software required. In contrast, traditional PAM focuses on infrastructure. Cloud-PAM leapfrogs this with built-in connectors, bringing JIT to applications and consoles, for example.
And rather than creating additional user accounts for privileged access that need monitoring, administrators can assign time-bound permissions to identities.
Sure, a solution may tell administrators who has access to what. But converged solutions expand this. Not only can they certify access, but they also manage the lifecycle of the user and the privilege. They should also be able to govern which machine a user uses and what access they have, even down to granular entitlements.
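To make the contrast in the last few paragraphs concrete, here is an added illustration in Python (not Saviynt code, and not from the original post): a vault of shared root accounts whose password rotation leaves the standing-privilege count unchanged, beside a ledger of time-bound JIT grants attached to named identities. The server names, identities and clock values are constructed for the demo.

```python
import secrets
from dataclasses import dataclass


class SharedAccountVault:
    """Vault model: one standing root account per server whose password is
    rotated. Rotation changes the secret, not the count of standing privileges."""

    def __init__(self, servers):
        self.passwords = {s: secrets.token_urlsafe(16) for s in servers}

    def rotate(self, server):
        old = self.passwords[server]
        self.passwords[server] = secrets.token_urlsafe(16)
        return old != self.passwords[server]

    def standing_privileges(self):
        # Every vaulted root account is usable around the clock.
        return len(self.passwords)


@dataclass(frozen=True)
class Grant:
    identity: str
    entitlement: str
    expires_at: int  # seconds on a constructed clock, not wall time


class JitGrantLedger:
    """JIT model: time-bound entitlements attached to named identities."""

    def __init__(self):
        self.grants = []

    def grant(self, identity, entitlement, now, ttl_seconds):
        self.grants.append(Grant(identity, entitlement, now + ttl_seconds))

    def effective(self, identity, now):
        # Only unexpired grants confer access; expiry needs no revocation step.
        return sorted(g.entitlement for g in self.grants
                      if g.identity == identity and now < g.expires_at)

    def who_has(self, entitlement, now):
        # The "who has access to what" audit view, evaluated at an instant.
        return sorted({g.identity for g in self.grants
                       if g.entitlement == entitlement and now < g.expires_at})

    def standing_privileges(self, now):
        # Live grants at this instant; drops back to zero as grants expire.
        return sum(1 for g in self.grants if now < g.expires_at)
```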
We’ve come a long way since the days when PAM was a fancy term for password vaulting. New PAM means so much more:
Clearly, times are changing. Fortunately, technology is too. Modern enterprises, it’s time to keep up.