The Evolution of PAM: Rethinking Access Management

Insights from the experts on the current challenges of privileged access management — and a future state where identity and privilege come together.

The world of Privileged Access Management (PAM) is evolving. The IT sector is shifting, clients are confronting new challenges, and multi-cloud and DevOps are introducing more risk. Meanwhile, zero standing privilege enabled by just-in-time PAM remains elusive for most organizations.

Chris Owen, Saviynt Director of Product Management, and Paul Fisher, Lead Analyst with KuppingerCole, got together recently to discuss the challenges organizations face, customer expectations, and the need to reset aspirational goals. They also explored a future state where identity and privilege merge with an improved user experience to help drive PAM adoption. 

Here’s a snapshot of their conversation.

Expectations vs Reality: Going Back to Basics 

Chris Owen: Companies come to us with aspirational goals. It may be that they hear the latest trends and industry buzzwords and are grappling with how to build requirements and implementation roadmaps to get to this PAM nirvana. 

People are talking about the just-in-time access and zero standing privilege model. And they are asking about identity threat detection and response (ITDR), which suggests that companies are eager to embrace the promises of a reduced cyber attack surface, better intelligence, and more proactive security coming from their identity stack. 

In reality, there is a large maturity gap between where organizations are and where they want to be. The majority of customers we speak to are still struggling to do the basics. So while we as an industry are thinking about next-level frameworks and feature innovations, we aren’t always keeping in mind what a hard slog it is for customers to get to that point. We might do better to reset people’s expectations in the conversations we’re having, which starts with mastering the basics. 

Paul Fisher: You’re right. When I speak at industry events, I do feel sometimes I’m up there talking blue sky concepts or what’s happening tomorrow. A lot of customers that attend are not necessarily the CISOs, but they are people that are being entrusted with setting up some kind of PAM system. Basic PAM tends to be all they want. They don’t necessarily need session management straight away. They don’t necessarily need all the bells and whistles and analytics that come with some PAM packages. 

While we do tend to talk about what’s new and cool, we should also talk about things like just-in-time and zero standing privilege because these are ultimately the goals that we should be trying to achieve. And those two things can be combined with a more simple approach to PAM anyway.

CO: If you think about companies’ main objective when they implement a PAM solution, there are different drivers. It may be compliance, maybe security, best practice, cyber insurance—but ultimately reducing risk is the number one thing that organizations want to do. If we look back over the last 20 years of the privileged access market, our approach was right at the time, but is perhaps wrong now because it tended to be about centralizing privilege. So we implement a PAM tool, discover everything, store it in a vault, and then control access to it. In reality, this mitigates certain risks, but it does not deliver widespread risk reduction.

Identity Convergence Makes Zero Standing Privilege & JIT Possible

So the move to zero standing privilege, enabled by a just-in-time approach is now being enabled by converged identity solutions that combine elements of IAM and elements of PAM. This allows you to attach elevated privileges to a trusted user identity. This simplifies just in time and zero standing privilege and we’re seeing this whole market shift to this type of model.

PF: We are also seeing new types of vendors or technologies coming, like cloud infrastructure entitlement management (CIEM). Traditional identity providers are looking at how they can provide some kind of PAM on the back of their traditional identity technology, and in my opinion these are good things. How do you see PAM being deployed in the near future?

CO: The market is evolving, with vendors looking to consolidate technological capabilities. IGA vendors are moving into the privilege space and privilege vendors are moving into the IAM world. We’ll see a lot more mergers and acquisitions take place over the next two years in this area. CIEM is straddling IGA and PAM at the moment. We are also likely to see Cloud Security Posture Management (CSPM) and ITDR come together all under a single converged platform that provides identity-based security controls. 

Solving the DevOps Challenge

CO: I would say the one anomaly in the market is DevOps and secrets management. I tend to call it the elephant in the room, because the reality is, none of these identity platforms lend themselves to being in the developer path. It adds too much friction. I think we will get to a point in time where customers actually have many vaults and ultimately a vault is just a storage area. So I think we’ll have this one-to-many relationship and that many will be based on the use cases within the customer environment.

PF: I agree and have posited this idea of not just one PAM, but lots of PAMs sitting in different parts of the organization. And you could call it a vault, or you can call it mini PAM, or secrets management. But there’s a very good statement here that I think came from your company: The market may have the approach wrong if we’re still 15 years into maturity and organizations still cannot get on top of privilege. 

In the four years I’ve been covering PAM for KuppingerCole, unlike most identity markets or cybersecurity markets, the number of vendors keeps expanding rather than getting smaller. When I did the first Leadership Compass, I think there were something like 20 vendors. The last one was 26 and likely they’ll be the same in the next one. So that suggests the market is still in a huge flux even after 15 years of development, and it seems to be all up for grabs.

CO: The industry needs to pivot but first we need to look at where customers get stuck, which is Discovery. You know, where is all this privilege? How do I onboard it? How do I know what privileges to revoke? We need to go back to the basics, onboarding, discovery, and using technology to help us move to the zero standing privilege model.

PF: We may eventually get to a situation where there’s no such thing as privileged access. All access will be assessed just in time and on a need basis. The identity would have attributes attached to it that say what activities it needs to perform. Then it becomes up to your organization’s policies to decide whether it’s privileged, meaning that the action becomes privilege rather than the identity. We might end up with not even calling it Privileged Access Management.

CO: Absolutely. It could be classified as access management, which is about protecting access to sensitive data. This is no longer about IT administrators and servers, because even that concept could go away in the next 5 to 10 years. We need to approach it from the perspective of business users accessing sensitive data and how they go about that. Let’s get rid of privilege and create this just in time model for every type of access we have.

PF: The other area is in dashboarding and management tools. We are moving much more to a kind of consumer-like interface or a wizard-driven interface. Innovations with regard to low-code, no-code, and add-ons suggest that there is a demand for organizations to have less senior people being made, so-called administrators. Not like the administrations of old, with all the power to take over people’s desktops, but more like mini-managers of perhaps one department.

CO: I think there is something to be admired about consumer driven tools in our lives. They have shown us that user experience is key. Employees are now used to these types of technologies and expect that same experience like search, upload and form-fill capabilities. PAM never focused on the user experience, it was always about solving a use case with technology. We at Saviynt are redesigning our entire user interface for PAM for that very reason. 

There are a few short-term steps that customers can take to advance privilege access management in their own organizations:

• Be honest about your needs. If you enable session recording, is anyone going to watch replays of all privileged sessions?
• The biggest barrier to success is user friction. Without good user experiences, PAM programs rarely get off the ground. 
• Think about identity as entitlements, policies, and roles. These are not necessarily “privilege” problems. Tying identity and privilege together is the best way to get risk reduction.

Saviynt’s Converged Approach to Cloud PAM

Saviynt Cloud PAM is built on our Enterprise Identity Cloud which converges IGA, granular application access, cloud security, and privileged access into the industry’s only enterprise-grade, SaaS-based identity solution. Our identity-driven PAM approach means that customers can manage all identities and entitlements more efficiently to improve enterprise-wide visibility and leverage identity intelligence to make better access decisions.