Professional Documents
Culture Documents
Summary
While support for cloud infrastructure is rapidly maturing and more vendors are adding behavior
analytics and privileged task automation, pricing and licensing remain variable. Security and risk
management leaders should evaluate multiple vendors with an eye on future requirements as
well as costs.
Overview
Key Findings
Requirements arising from increased adoption of cloud-based infrastructure and applications
are fueling the growth of privileged access management (PAM) as a service, albeit from a low
base.
Privileged task automation, user and entity behavioral analytics (UEBA), and support for IaaS
and PaaS are increasingly important differentiators for PAM products and services.
PAM deployments without proper scoping, roadmap development and stakeholder support
struggle to achieve the desired business value and risk reduction, due to a mixture of political
and cultural issues.
Complex and highly variable pricing models across PAM vendors complicate product
selection.
Recommendations
Security and risk management leaders responsible for delivering IAM capabilities should:
Avoid future sticker shock when extending deployments by planning ahead for evolving
requirements over the next two to three years; and force vendors to provide pricing for
expected features that you may need to buy.
Look for integrated high-availability features, built-in multifactor authentication (MFA) and
value-priced bundled offerings if you are a small to midsize businesses.
Scrutinize vendors' offerings for MFA integration support, scalability and autodiscovery
features if you are a large and global organization.
Deploy session recording as soon as possible, because this capability will add accountability
and visibility for privileged activity. Include this capability as part of your selection process.
Evaluate vendors on how they can help secure nonhuman service and application accounts —
these accounts are major sources of operational and security risk, and most organizations
have a significant number of them.
Strategic Planning Assumptions
https://www.gartner.com/doc/reprints?id=1-4D2LXVE&ct=170909&st=sb&mkt_tok=eyJpIjoiT1dVNE1EY3lPR1E0TmpoaCIsInQiOiJNXC9qUGs5a… 1/38
25/09/2017 Gartner Reprint
Market Definition
PAM tools help organizations provide secure privileged access to critical assets and meet
compliance requirements by managing and monitoring privileged accounts and access. PAM
tools offer features that enable security and risk leaders to:
Control access to privileged accounts, including shared and "firecall" (emergency access)
accounts.
Provide single sign-on (SSO) for privileged commands and actions in a secure manner, such
that credentials are not revealed.
Delegate, control and filter privileged operations that an administrator can execute.
Eliminate hard-coded passwords by making them available on demand to applications.
Require high-trust authentication for privileged access by either providing or integrating with
other multifactor solutions to ensure required levels of trust and accountability.
Two distinct tool categories have evolved as the predominant focus for security and risk
management leaders considering investment in PAM tools:
Privileged account and session management (PASM): Privileged accounts are protected by
vaulting their credentials. Access to those accounts is then brokered for human users, services
and applications. Sessions are established with possible credential injection, and full session
recording. Passwords and other credentials for privileged accounts are actively managed (i.e.,
changed at definable intervals or upon occurrence of specific events).
Privilege elevation and delegation management (PEDM): Specific privileges are granted on the
managed system by host-based agents to logged in users. This includes host-based command
control (filtering), and also privilege elevation, the latter in the form of allowing particular
commands to be run with a higher level of privileges.
Figure 1. Privileged Access Management
https://www.gartner.com/doc/reprints?id=1-4D2LXVE&ct=170909&st=sb&mkt_tok=eyJpIjoiT1dVNE1EY3lPR1E0TmpoaCIsInQiOiJNXC9qUGs5a… 2/38
25/09/2017 Gartner Reprint
The tools span a wide range of systems and infrastructure — OSs, databases, middleware and
applications, network devices, hypervisors, and cloud services (infrastructure as a service [IaaS],
platform as a service [PaaS] and SaaS). Although the major focus is on managing privileged
access, PAM tools are also used by some organizations to manage shared access to
nonadministrative shared accounts, such as an organization's official social media accounts. 1
Accounts used by nonhuman users, such as services or applications — whether of an
administrative nature or not — are also in scope.
Market Direction
The PAM market is rapidly maturing. Managed and cloud-based PAM services are slowly
increasing from being a tiny portion of the market share, with the overall PAM market still
dominated by the sale of on-premises software and appliances. Gartner estimates the overall
market size for PAM products in 2016 at $900 million, an increase of roughly 30% over 2015's
total of $690 million, with a handful of large vendors capturing the bulk of revenue. Continued
rapid growth is anticipated through the next two to three years, after which growth will begin to
slow as a result of increased saturation. (For further detail, consult "Forecast Snapshot:
Privileged Access Management, Worldwide, 2017." )
As in previous years, the PAM market continued to see extensive activity during 2016 and the
first two quarters of 2017:
CyberArk acquired Conjur 2
Thycotic acquired Cyber Algorithms 3
https://www.gartner.com/doc/reprints?id=1-4D2LXVE&ct=170909&st=sb&mkt_tok=eyJpIjoiT1dVNE1EY3lPR1E0TmpoaCIsInQiOiJNXC9qUGs5a… 3/38
25/09/2017 Gartner Reprint
MasterSAM has relocated its headquarters to Singapore, following acquisition by the Silverlake
Group
The divestiture by Dell of its software assets created One Identity, a Quest Software business 4
CA Technologies acquired Mobile System 7 5
Vision Solutions acquired Enforcive Systems 6
In terms of geographical distribution, Gartner sees considerable interest from North America,
followed by Europe and Asia/Pacific. In Europe, adoption of PAM tools is lagging behind North
America, but picking up as many organizations are replacing homegrown tools with commercial
solutions to streamline and tighten processes. In addition, we are continuing to notice an uptick
of interest in PAM in Gulf Cooperation Council countries due to the introduction of several
national regulatory frameworks 8 targeting critical infrastructure industries. Some PAM vendors,
such as Arcon, CyberArk and Wallix Group are positioning their offerings to be used to manage
privileged access for industrial control systems.
Adoption of PAM in Asia/Pacific and Japan remains quite varied due to the diverse levels of IT
maturity and security spending in the region. PAM adoption is much higher in more mature
countries (including Australia and New Zealand, Singapore, Hong Kong, Korea and Japan).
However, certain industries in emerging Asia/Pacific economies such as China, India, Taiwan and
Malaysia are leapfrogging more mature Asia/Pacific countries in adopting PAM. The presence of
several managed PAM service providers in the region, primarily the large Indian IT service
providers including Tata Consultancy Services (TCS), Wipro, Infosys, HCL Technologies and Tech
Mahindra helps drive the rapidly increasing adoption of PAM in the region.
https://www.gartner.com/doc/reprints?id=1-4D2LXVE&ct=170909&st=sb&mkt_tok=eyJpIjoiT1dVNE1EY3lPR1E0TmpoaCIsInQiOiJNXC9qUGs5a… 4/38
25/09/2017 Gartner Reprint
Pricing and bundling remain highly variable within the market and underline the need to shop
around. Some Gartner clients have indicated they have selected a vendor based on specific
features that they ultimately end up not using, or buy additional modules that end up as
"shelfware." Many vendors now bundle more capabilities together in their entry-level offerings;
however, other vendors have split up their offerings into multiple editions, or offer newer
capabilities as separate modules.
Vendors use multiple distinct pricing metrics (per named user, per system, per concurrent
session); and adding to the confusion, some vendors use different pricing metrics for different
modules of their products. In 2016, some vendors such as Thycotic introduced new licensing
metrics for some of their offerings that focus on the number of vaulted privileged accounts.
Organizations are advised to plan ahead for evolving requirements over the next three to five
years: for example, the introduction of pervasive session management (a feature that Gartner
recommends deploying early in the process), or application-to-application password
management in subsequent years. Force vendors to provide pricing for expected future
scenarios, and Gartner clients are encouraged to use inquiries to discuss these plans with an
analyst.
Due to pricing pressure, some vendors have adopted a special pricing structure for small and
midsize businesses that includes many features and capabilities, but which limits scope in terms
of target systems or managed privileged accounts. While the price point for these limited
solutions can be compelling, there is a high risk of small and midsize businesses quickly
outgrowing these limited solutions, with the next available option being enterprise-level pricing
that can introduce significant price jumps.
The market remains very competitive. Most vendors are working to extend current capabilities,
add competitive features and introduce new delivery mechanisms:
Privileged task automation: For procedures and tasks that are executed commonly, or on a
regular basis, vendors such as Osirium (see "Cool Vendors in Identity and Fraud Management,
2017" ) and Lieberman Software offer functionality for organizations to package up common
tasks to be delegated to lesser-skilled personnel for execution. Apart from raising efficiency,
this mechanism substantially shrinks the attack surface by not allowing direct privileged
access. These vendors typically offer an extensive library, with common tasks that can be
adapted.
DevOps: Some organizations are using PAM tools to enable their DevOps initiatives by
automating the management and delivery of keys and credentials in agile deployment and
infrastructure environments. In addition, some PAM vendors integrate out of the box with tools
used for continuous integration/deployment pipelines, such as Ansible, Chef or Puppet.
Support for containers: As container frameworks such as Docker gain rapid adoption for
continuous integration through development and production workload deployments, PAM
vendors are increasingly required to manage the cryptographic keys, digital certificates and
other credentials for the containers based on environmental dependencies. CyberArk, through
its acquisition of Conjur, and Venafi offer such functionality. In addition, container
management may require managing the kernel privilege escalations of containers on Linux and
Windows OSs and hypervisors. PAM products that are traditionally developed to operate at
https://www.gartner.com/doc/reprints?id=1-4D2LXVE&ct=170909&st=sb&mkt_tok=eyJpIjoiT1dVNE1EY3lPR1E0TmpoaCIsInQiOiJNXC9qUGs5a… 5/38
25/09/2017 Gartner Reprint
kernel level have inherent advantages over other proxy-based architecture PAM products in
offering the granularity of controls over process isolation and privilege escalations for
containers.
IaaS/PaaS and virtualized environments: As organizations continue to adopt virtualization and
cloud infrastructure, PAM vendors continue to build out features to discover and manage
infrastructure:
Automated discovery and enrollment of IaaS instances
Some vendors such as BeyondTrust, Lieberman Software, Zoho (ManageEngine) and Wallix
Group offer their solution as a virtual image on the Amazon Web Services (AWS) marketplace,
Azure marketplace or Google Cloud Launcher — usually with a bring-your-own-license approach.
9
Cloud-delivered PAM solutions: While there is still relatively low demand for PAM solutions
offered as a service, several vendors such as Arcon, Centrify and Thycotic offer this as an
additional option.
Privileged usage analytics: Vendors are employing predictive analytics on privileged account
activity to detect and flag anomalies, with the goal of better identifying theft or misuse of
privileged credentials. Approaches, and technical sophistication, require buyers to evaluate the
accuracy of such solutions and the time required before they begin to deliver value (following a
learning period, if needed, to develop a baseline of expected behavior). Lieberman Software
partnered with Securonix, a UEBA vendor, for its solution, while several other vendors either
developed or acquired the needed analytics technology. Offerings are typically optional, extra-
cost products.
System and privileged account discovery: Identifying all systems and the corresponding
privileged accounts is important, because every privileged account is a potential source of risk.
However, this is a major challenge, as it is easy for privileged or default system accounts to be
forgotten and left out. This is exacerbated by virtualization and hybrid environments that
include cloud infrastructure. In such a dynamic environment, systems and accounts can easily
fall through the cracks of privileged access management. Autodiscovery capabilities attempt
to automate the discovery of currently unmanaged systems and accounts, and come at
different levels:
Ad hoc discovery requires running a separate task to scan the network and associated
information (such as in Active Directory [AD]) to run an as-is analysis of the current
environment, and compare this to the last known state to find changes. Most vendors that
offer autodiscovery fall into this category.
https://www.gartner.com/doc/reprints?id=1-4D2LXVE&ct=170909&st=sb&mkt_tok=eyJpIjoiT1dVNE1EY3lPR1E0TmpoaCIsInQiOiJNXC9qUGs5a… 6/38
25/09/2017 Gartner Reprint
Secure Shell (SSH) key discovery and mapping. Several vendors provide the capability to
discover and map SSH keys to accounts and/or users. This covers both human and
nonhuman entities.
Privileged identity governance and administration: Several vendors with identity governance
and administration (IGA) as well as PAM products such as CA Technologies, Hitachi ID
Systems, IBM, One Identity, Oracle are leveraging synergies between them to track and manage
account ownership and privileged entitlement life cycles. Other stand-alone PAM vendors have
integrated their products with some IGA products from other vendors.
Market Analysis
Most PAM vendors provide tools that fall into one or both of the categories described in the
Market Direction section:
https://www.gartner.com/doc/reprints?id=1-4D2LXVE&ct=170909&st=sb&mkt_tok=eyJpIjoiT1dVNE1EY3lPR1E0TmpoaCIsInQiOiJNXC9qUGs5a… 7/38
25/09/2017 Gartner Reprint
PASM tools often implement workflow features for administrative users to request access, and
for authorized approvers to grant this access. In some cases, this can also be automated by
including external data sources — for example, service desk tickets that contain change control
authorizations, or incident reports that document outages or anomalies that need to be rectified.
Most products integrate with some IT service management (ITSM) systems out of the box
and/or provide APIs to validate administrative access requests by cross-checking them with
information from ITSM systems. Buyers should look to leverage existing integrations to link
privileged access with change management processes. PASM tools also support "break the
glass" scenarios for emergency and disaster recovery purposes, including the support for firecall
accounts.
As a general rule, users of privileged accounts should not be allowed to see or access the actual
passwords for these accounts, because they could reuse them or pass them on, therefore
eroding the usage control of the accounts. Instead, most of these tools will automatically initiate
SSO to sessions without disclosing credentials. A session is initiated using a well-known
protocol such as:
SSH
X11
Credential injection happens at this time (see the Privileged Session Management section).
This helps to comply with the imperative that passwords for shared accounts must not be
shared, which can lead to uncontrolled access. When the only practical way forward is to
disclose a password to the user, it can be placed into the clipboard or copy buffer, or even
displayed, if this is followed by an automated password reset as soon as the current password's
use has concluded. Access to shared accounts can be contingent on additional workflow
approvals and/or high-trust MFA. An audit trail documents all privileged account use.
Some PASM tools also support the notion of preconfigured tasks, which allow an authorized user
to execute a specific batch of commands using a shared account. In some specific and simple
use cases, preconfigured tasks can provide an alternative to controlled privilege elevation and
delegation (PEDM) tools (discussed in the Privilege Elevation and Delegation Management
section). Large organizations with mature processes and significant multilevel service desks
often spend considerable effort on operationalizing privileged and administrative tasks that
leverage ITSM, orchestration and service management frameworks. Vendors such as Osirium
and Lieberman Software now put this within reach of smaller or less mature organizations.
https://www.gartner.com/doc/reprints?id=1-4D2LXVE&ct=170909&st=sb&mkt_tok=eyJpIjoiT1dVNE1EY3lPR1E0TmpoaCIsInQiOiJNXC9qUGs5a… 8/38
25/09/2017 Gartner Reprint
Protocol-based command filtering for sessions to either restrict what an administrator can do,
or to raise an alert on suspicious or dangerous activity
A small number of vendors, such as Balabit, ObserveIT and NRI SecureTechnologies, specialize
in delivery of these PSM features in a stand-alone tool, without offering broader PASM
capabilities around credential management.
The majority of vendors use a gateway (or proxy) approach for session management and
recording. With this approach, all traffic passes through one or more control points. Another
approach is to initiate direct connections from the administrator's workstation to the target
systems, and to inject credentials into the session on the workstation using a local control.
Recording then happens on the administrator's workstation and is forwarded to a collector. While
this can be beneficial in the case where a system is accessed at a remote location that has only
very limited bandwidth, one major disadvantage is that the approach critically relies on trust and
integrity in the administrator's workstation in order to rule out that a compromised workstation
will ultimately compromise session control and recording. Achieving this level of assurance on
third-party-owned workstations, compared to workstations operating internally, presents new
challenges that IAM and security leaders need to account for.
With respect to session recording and transcription, features range from a simple searchable key
or input/output (I/O) logging to "over the shoulder" video recording of graphical sessions. For the
latter, most tools provide very efficient compression, but real differentiators are found in the
session playback functionality: The most basic tools will support only a 1:1 playback of the entire
session. Some other tools will take regular screen shots of a session every few seconds. More
advanced playback features allow automatic skipping forward and backward, based on user
activity. When protocols such as RDP are used, some tools can gather additional searchable
metadata events, such as applications executed, windows opened, text typed. For SSH, many
tools store input and output streams. More vendors are now supporting full optical character
recognition (OCR), scanning entire graphical sessions with extensive protocol support.
In addition to session recording, some tools support session monitoring and alerting in real time.
This allows live monitoring of privileged sessions by administrators or managers, who can
intervene or even terminate the session if necessary. This feature is also known as the "four eyes
principle" or "session shadowing." Some tools can also analyze privileged sessions in real time
and generate alerts or notifications when a suspicious behavior is detected. These can be sent to
a security information and event management (SIEM) system, or supervisors can be alerted.
Brokering Privileged Credentials to Applications
PASM tools also manage passwords and other credentials for nonhuman access, such as
service or application accounts. Similar use cases are seen in vulnerability assessment activities,
where credentials are required for thorough analysis of systems, and DevOps toolchains, which
frequently contain a variety of sensitive credentials. These are accounts used by automated
services or applications for accessing other applications, data or systems (see "Manage Service
Accounts to Mitigate Security and Operational Risks" ).
https://www.gartner.com/doc/reprints?id=1-4D2LXVE&ct=170909&st=sb&mkt_tok=eyJpIjoiT1dVNE1EY3lPR1E0TmpoaCIsInQiOiJNXC9qUGs5a… 9/38
25/09/2017 Gartner Reprint
Most PASM tools will have functionalities to manage service and application accounts by one or
more of the following methods:
Rotating credentials and changing them in situ — that is, in the place where they are held by the
system, application or service. Examples are Windows services that run under local or domain
service accounts — whenever the password is changed, the services require that their service
configuration is updated on each local system where the services run.
Managing cryptographic access keys and other credentials used within containers, such as
Docker.
Allowing an application to retrieve the password from the vault through a network-protocol-
based API.
Environment verification, such as the user ID or process under which the application is started,
from which directory it is started, and so on
One-time password mechanisms, where after every invocation the next sequence password is
generated from a seed, stored and verified upon subsequent invocation
AAPM tools allow elimination of hard-coded and unencrypted credentials stored in the file
system and present the most secure form of delivering credentials to applications or scripts,
when no other mechanisms exist to safeguard locally stored credentials, at the cost of modifying
the application. The modification is usually simple; however, testing must happen for every
application modified, which places a considerable burden on security and risk management
leaders (see "Adopt a Strategy to Deal With Service and Software Account Passwords" ).
activities that could be a vector for malware or that potentially could do great damage. 12 The
difference to the approach of PASM tools is that PEDM will elevate individual commands, but not
give access to an unrestricted privileged session. PEDM tools also monitor and record privileged
activity centrally or on the systems — either upon login, or during execution of privileged
commands.
On Windows systems, PEDM agents are kernel-based. Apart from being able to tightly control
who can run which privileged commands, these tools are also an important level of protection
from Pass-the-Hash attacks. 13 For this reason, Windows PEDM tools are not only deployed to
establish controls for system administrators, but many organizations have also deployed
Windows PEDM tools pervasively on endpoints for purposes other than privileged access
management. Examples of these other use cases are Windows least privilege enforcement and
application control (see "Protecting Endpoints From Malware Using Application Whitelisting,
Isolation and Privilege Management" and "How to Successfully Deploy Application Control" ).
On Unix and Linux systems, many PEDM vendors integrate at the shell level by shipping
replacements of shell and other common commands, such as text editors (to prevent shell
escapes). Other vendors, such as CA Technologies, offer kernel-based PEDM tools for Unix and
Linux as an additional option. Some vendors ship a replacement or extension to the popular Unix
"sudo" command. Unix PEDM tools are often combined with, or include, Active Directory bridging
tools that allow authorized users to log in to Unix and Linux systems using their Windows
domain account.
Representative Vendors
The vendors listed in this Market Guide do not imply an exhaustive list. This section is intended to
provide more understanding of the market and its offerings.
Tables 1 and 2 below present the representative vendors and their key capabilities for PASM and
PEDM, respectively. Each mark indicates that the vendor in question has an offering within the
particular capability. The existence of more marks for a particular vendor must not be interpreted
to mean a better or more appropriate product. Depth of features and functionality differ widely
within every capability. Some vendors that only address one or a few capabilities are very good at
what they do. Keep in mind that some products from different vendors can work together to
create a best-of-breed solution at a more attractive price.
A vendor may have multiple "editions" of a main product. In Table 1, features that exist in the
basic (lowest-priced) edition are marked with the block symbol ( █ ), whereas features only
existing in higher priced editions are marked with the currency symbol ( ¤ ). The existence of
the ¤ symbol must not be misinterpreted that the product is more expensive.
A vendor may offer individual feature or capabilities as separate products that need to be
licensed separately, this is also marked with the currency symbol ( ¤ ).
Table 1. Representative PASM Vendors and Their Key Capabilities
Vendor
https://www.gartner.com/doc/reprints?id=1-4D2LXVE&ct=170909&st=sb&mkt_tok=eyJpIjoiT1dVNE1EY3lPR1E0TmpoaCIsInQiOiJNXC9qUGs5… 11/38
25/09/2017 Gartner Reprint
Market
Share
Product Built-in HA
Names
AAPM
Form Factor
Market Small
Share
Key █
Features
Product
Names
Arcon (India)
Market Medium
Share
Key █
Features
Product █
Names
https://www.gartner.com/doc/reprints?id=1-4D2LXVE&ct=170909&st=sb&mkt_tok=eyJpIjoiT1dVNE1EY3lPR1E0TmpoaCIsInQiOiJNXC9qUGs5… 12/38
25/09/2017 Gartner Reprint
H, S, Svc, V
BeyondTrust (U.S.)
Market Large
Share
Key █
Features
Product █
Names
C, H, S, V
Bomgar (U.S.)
Market Small
Share
Key ¤
Features
Product
Names
H, S
CA Technologies (U.S.)
https://www.gartner.com/doc/reprints?id=1-4D2LXVE&ct=170909&st=sb&mkt_tok=eyJpIjoiT1dVNE1EY3lPR1E0TmpoaCIsInQiOiJNXC9qUGs5… 13/38
25/09/2017 Gartner Reprint
Market Large
Share
Key █
Features
Product █
Names
H, V
Centrify (U.S.)
Market Large
Share
Key █
Features
Product █
Names
Svc, S
CyberArk (Israel)
Market Large
Share
Key ¤
Features
Product ¤
Names
https://www.gartner.com/doc/reprints?id=1-4D2LXVE&ct=170909&st=sb&mkt_tok=eyJpIjoiT1dVNE1EY3lPR1E0TmpoaCIsInQiOiJNXC9qUGs5… 14/38
25/09/2017 Gartner Reprint
H, S
Market Small
Share
Key █
Features
Product █
Names
S, Svc, V
IBM (USA)
Market Medium
Share
Key ¤
Features
Product
Names
IBM Security Privileged Identity Manager, IBM Security Privileged Identity Manager
Privileged Session Recorder, IBM Security Privileged Identity Manager for
Applications
https://www.gartner.com/doc/reprints?id=1-4D2LXVE&ct=170909&st=sb&mkt_tok=eyJpIjoiT1dVNE1EY3lPR1E0TmpoaCIsInQiOiJNXC9qUGs5… 15/38
25/09/2017 Gartner Reprint
Market Small
Share
Key █
Features
Product █
Names
H, S, V
Kron (Turkey)
Market Small
Share
Key █
Features
Product
Names
S, H, V
Market Medium
Share
Key ¤
Features
https://www.gartner.com/doc/reprints?id=1-4D2LXVE&ct=170909&st=sb&mkt_tok=eyJpIjoiT1dVNE1EY3lPR1E0TmpoaCIsInQiOiJNXC9qUGs5… 16/38
25/09/2017 Gartner Reprint
Product
Names
C, S
ManageEngine (U.S.)
Market Medium
Share
Key ¤
Features
Product ¤
Names
C, S, V
MasterSAM (Singapore)
Market Small
Share
Key ¤
Features
Product █
Names
https://www.gartner.com/doc/reprints?id=1-4D2LXVE&ct=170909&st=sb&mkt_tok=eyJpIjoiT1dVNE1EY3lPR1E0TmpoaCIsInQiOiJNXC9qUGs5… 17/38
25/09/2017 Gartner Reprint
Market Medium
Share
Key █
Features
Product █
Names
Market Small
Share
Key ¤
Features
Product ¤
Names
H, V
Senhasegura
Novasys (Argentina)
Market Small
Share
Key █
Features
https://www.gartner.com/doc/reprints?id=1-4D2LXVE&ct=170909&st=sb&mkt_tok=eyJpIjoiT1dVNE1EY3lPR1E0TmpoaCIsInQiOiJNXC9qUGs5… 18/38
25/09/2017 Gartner Reprint
Product
Names
SATCS
Market Large
Share
Key ¤
Features
Product █
Names
Onion ID (U.S.)
Market Small
Share
Key █
Features
Product █
Names
Svc, V
Onion ID
https://www.gartner.com/doc/reprints?id=1-4D2LXVE&ct=170909&st=sb&mkt_tok=eyJpIjoiT1dVNE1EY3lPR1E0TmpoaCIsInQiOiJNXC9qUGs5… 19/38
25/09/2017 Gartner Reprint
Oracle (U.S.)
Market Medium
Share
Key █
Features
Product
Names
Osirium (U.K.)
Market Small
Share
Key █
Features
Product █
Names
Thycotic (U.S.)
Market Large
Share
Key ¤
Features
https://www.gartner.com/doc/reprints?id=1-4D2LXVE&ct=170909&st=sb&mkt_tok=eyJpIjoiT1dVNE1EY3lPR1E0TmpoaCIsInQiOiJNXC9qUGs5… 20/38
25/09/2017 Gartner Reprint
Product
Names
S, Svc
Wallix Group(France)
Market Small
Share
Key ¤
Features
Product █
Names
C, H, V
Market Small
Share
Key ¤
Features
Product ¤
Names
H, V
https://www.gartner.com/doc/reprints?id=1-4D2LXVE&ct=170909&st=sb&mkt_tok=eyJpIjoiT1dVNE1EY3lPR1E0TmpoaCIsInQiOiJNXC9qUGs5… 21/38
25/09/2017 Gartner Reprint
The "Product Name(s)" column lists all components that would need to be acquired to deliver the
functionality indicated:
Every vendor listed must have a solution able to actively manage (i.e., change) credentials for
privileged accounts on multiple systems, network devices and applications. Solutions must
include a vault, and allow access to privileged accounts according to specific policies. Single
sign-on features must exist that allow a privileged session to be automatically established
using a protocol such as SSH, RDP or HTTPS without revealing credentials to the user. Vendors
that do not deliver this functionality, or can only deliver this functionality in combination with
other products, are not listed in Table 1.
Built-in HA: Integrated high-availability features that do not require an organization to deploy
and operate an external highly available relational database management system (RDBMS;
such as database clustering or database replication). Vendors that are not listed with this
feature support high availability in combination with external components, such as database
clustering.
Compared to last year, the "command filtering" capability has been eliminated from the table.
Last year's Market Guide for Privileged Access Management called out this capability to limit
commands or operations using an agentless approach by filtering the underlying network
protocol (SSH, HTTP, and so on). However, while some vendors still offer this capability, its
reliability varies, and has thus been eliminated from this year's research focus. Gartner has
detected a shift in market trends to use this feature as a detective, rather than a preventive,
capability.
Gartner defines PAM market share segments by estimated vendor revenue for 2016:
https://www.gartner.com/doc/reprints?id=1-4D2LXVE&ct=170909&st=sb&mkt_tok=eyJpIjoiT1dVNE1EY3lPR1E0TmpoaCIsInQiOiJNXC9qUGs5… 22/38
25/09/2017 Gartner Reprint
Table 2 denotes capabilities for agent-based controlled privileged elevation and delegation on
multiple platforms. The "Product Name(s)" column lists all components that would need to be
acquired to deliver the functionality indicated:
Unix/Linux, Windows, IBM i, IBM z/OS: Denotes support for the respective operating system.
Unix/Linux AD Bridging: The vendor offers an agent-based Active Directory bridge for multiple
Unix and Linux systems. Vendors that provide Unix/Linux AD bridges without PEDM solutions
are not listed in this table.
Market
Share
Windows
IBM i
IBM z/OS
Market Small
Share
Key █
Features
Product
Name(s)
https://www.gartner.com/doc/reprints?id=1-4D2LXVE&ct=170909&st=sb&mkt_tok=eyJpIjoiT1dVNE1EY3lPR1E0TmpoaCIsInQiOiJNXC9qUGs5… 23/38
25/09/2017 Gartner Reprint
Arcon (India)
Market Medium
Share
Key
Features
Product
Name(s)
Avecto (U.K.)
Market Large
Share
Key
Features
Product
Name(s)
Defendpoint
https://www.gartner.com/doc/reprints?id=1-4D2LXVE&ct=170909&st=sb&mkt_tok=eyJpIjoiT1dVNE1EY3lPR1E0TmpoaCIsInQiOiJNXC9qUGs5… 24/38
25/09/2017 Gartner Reprint
BeyondTrust (U.S.)
Market Large
Share
Key █
Features
Product █
Name(s)
PowerBroker for Unix & Linux, PowerBroker Identity Services, PowerBroker for
Windows
CA Technologies (U.S.)
Market Large
Share
Key █
Features
Product █
Name(s)
Centrify (U.S.)
https://www.gartner.com/doc/reprints?id=1-4D2LXVE&ct=170909&st=sb&mkt_tok=eyJpIjoiT1dVNE1EY3lPR1E0TmpoaCIsInQiOiJNXC9qUGs5… 25/38
25/09/2017 Gartner Reprint
Market Large
Share
Key █
Features
Product █
Name(s)
CyberArk (Israel)
Market Large
Share
Key █
Features
Product █
Name(s)
Market Medium
Share
https://www.gartner.com/doc/reprints?id=1-4D2LXVE&ct=170909&st=sb&mkt_tok=eyJpIjoiT1dVNE1EY3lPR1E0TmpoaCIsInQiOiJNXC9qUGs5… 26/38
25/09/2017 Gartner Reprint
Key █
Features
Product █
Name(s)
HelpSystems (U.S.)
Market Small
Share
Key
Features
Product
Name(s)
MasterSAM (Singapore)
Market Small
Share
Key █
Features
https://www.gartner.com/doc/reprints?id=1-4D2LXVE&ct=170909&st=sb&mkt_tok=eyJpIjoiT1dVNE1EY3lPR1E0TmpoaCIsInQiOiJNXC9qUGs5… 27/38
25/09/2017 Gartner Reprint
Product
Name(s)
Market Medium
Share
Key █
Features
Product
Name(s)
Market Large
Share
Key █
Features
Product █
Name(s)
https://www.gartner.com/doc/reprints?id=1-4D2LXVE&ct=170909&st=sb&mkt_tok=eyJpIjoiT1dVNE1EY3lPR1E0TmpoaCIsInQiOiJNXC9qUGs5… 28/38
25/09/2017 Gartner Reprint
Market Medium
Share
Key
Features
Product
Name(s)
Thycotic (U.S.)
Market Large
Share
Key
Features
Product
Name(s)
https://www.gartner.com/doc/reprints?id=1-4D2LXVE&ct=170909&st=sb&mkt_tok=eyJpIjoiT1dVNE1EY3lPR1E0TmpoaCIsInQiOiJNXC9qUGs5… 29/38
25/09/2017 Gartner Reprint
Privilege Manager
Market Small
Share
Key
Features
Product
Name(s)
Enforcive Enterprise Security for IBM i, Enforcive Enterprise Security for CICS —
z/OS
Balabit (Luxembourg)
https://www.gartner.com/doc/reprints?id=1-4D2LXVE&ct=170909&st=sb&mkt_tok=eyJpIjoiT1dVNE1EY3lPR1E0TmpoaCIsInQiOiJNXC9qUGs5… 30/38
25/09/2017 Gartner Reprint
Devolutions
Product Devolutions offers Devolutions Server, Password Vault Manager and Remote
Name(s) Desktop Manager. The combination of these products offers capabilities for
and vaulting administrative passwords, account sharing and session management.
Description
HashiCorp (U.S.)
Product Vault (delivered as software) stores, manages and grants access to credentials
Name(s) and other secrets through APIs. Vault is delivered in two editions (free open
and source and commercially supported Enterprise version with additional features).
Description
Microsoft (U.S.)
Product Azure Active Directory (AD) Privileged Identity Management provides temporary
Name(s) and time-limited membership in administrative roles for management across
and Microsoft Online Services. Similarly, Privileged Access Management is a
Description solution based on Microsoft Identity Manager (MIM) and works by using MIM's
access request user interface and workflow capabilities to broker temporary
membership in privileged Active Directory security groups. Also, Local
Administrator Password Solution (LAPS) is a tool to store local administrative
account passwords in Active Directory, protected by access control lists (ACLs).
ObserveIT (U.S.)
Product ObserveIT (delivered as software) is a PSM solution that works as an agent for
Name(s) Windows and Unix/Linux (a gateway-based mode is also available, but less
and common). The solution provides detailed, fully searchable recording of all user
Description activity, and user behavior analytics.
https://www.gartner.com/doc/reprints?id=1-4D2LXVE&ct=170909&st=sb&mkt_tok=eyJpIjoiT1dVNE1EY3lPR1E0TmpoaCIsInQiOiJNXC9qUGs5… 31/38
25/09/2017 Gartner Reprint
Product Red Hat offers Identity Manager (IdM), a feature set in Red Hat Enterprise Linux,
Name(s) which provides Linux-based authentication, user and privilege management, and
and policy settings that govern authorization and access with the ability to integrate
Description with Active Directory via Kerberos. A free open-source version called FreeIPA is
also available for general use.
SecureLink (U.S.)
Venafi (U.S.)
Product Venafi Platform (delivered as software and as a service) offers centralized SSH
Name(s) and TLS key and certificate management capabilities, used by some
and organizations to also manage privilege access for humans and machine
Description identities. Venafi also includes features for DevOps automation through
integration with containers like Docker and continuous integration tools like
Puppet.
Market Recommendations
Organizations considering PAM tools should keep in mind that both types of tools (PASM and
PEDM) are complementary, and some organizations eventually deploy both of them to address
most risks associated with privileged access. However, we advise against attempting
https://www.gartner.com/doc/reprints?id=1-4D2LXVE&ct=170909&st=sb&mkt_tok=eyJpIjoiT1dVNE1EY3lPR1E0TmpoaCIsInQiOiJNXC9qUGs5… 32/38
25/09/2017 Gartner Reprint
deployment of both types of tools at the same time, because of the significant cultural change
and integration involved. To choose a starting point for a PAM tool, Gartner recommends the
following methodology for security and risk management leaders:
In most cases, start by first deploying PASM tools to manage shared and service accounts.
PASM technology has the advantage that it applies to different types of systems, including
network appliances and even SaaS or applications, therefore allowing an organization to
manage privileged access across platforms — although at a lower granularity. High-trust MFA
must be enabled for access to the PASM tools, and session recording and monitoring should
be activated.
Start with Windows-based PEDM tools if the following criteria are met: they are predominantly
Windows-based, already have high-trust MFA in place for administrators and administrators
currently use discrete accounts with domain admin privileges (i.e., separate from their regular
user accounts). These organizations should eliminate usage of accounts with domain admin
privileges except for very specific and extreme situations, such as rebuilding, reconfiguring or
patching Active Directory domain controllers. Instead, administrators should elevate privileges
from their regular user accounts. Windows PEDM solutions may also be deployed first when
non-PAM endpoint protection use cases, such as Windows least privilege control or application
whitelisting, have an urgent priority.
Start with PEDM for Unix/Linux when individual named accounts already exist for users on
Unix or Linux systems, and these users need to execute limited privileged operations on these
systems. High-trust MFA must be enabled in this case as well — if the MFA requirement is not
feasible, then PASM should be deployed first to require MFA for all Unix/Linux systems.
Organizations that also want to extend Active Directory over Unix and Linux systems to allow
certain users to log into Unix and Linux systems using their AD accounts should focus on
PEDM for Unix/Linux with Active Directory bridging functionality.
Some vendors sell PASM tools as different modules (vaulting plus password management, PSM,
and AAPM); others sell "minisuites" or combined PASM products. When deploying PASM tools,
vaulting plus password management and PSM can easily be deployed at the same time, whereas
deployment of AAPM requires additional focus that can cause distractions when attempted at
the same time.
When selecting tools from vendors, security and risk management leaders must be aware that:
Small and midsize businesses should closely look at solutions that have built-in high-
availability features as alternatives to solutions that either rely on OS clustering or require the
use of an external RDBMS system to be configured for replication and high availability.
High-trust authentication, such as MFA , should always be used in conjunction with PAM tools.
Most vendors provide native support for integration with Active Directory and Lightweight
Directory Access Protocol (LDAP)-compliant directories, as well as authentication systems
such as RADIUS. Some vendors ship embedded MFA solutions, which is attractive for small
and midsize businesses that do not have an MFA solution in place. Organizations that already
have a third-party user authentication solution in place should ensure that shortlisted PAM
vendors provide the required integration support — either through RADIUS, LDAP or through a
proprietary integration with specific vendors. For example, some vendors integrate with
offerings from Duo Security and SecureAuth to support a wider range of authentication
methods.
https://www.gartner.com/doc/reprints?id=1-4D2LXVE&ct=170909&st=sb&mkt_tok=eyJpIjoiT1dVNE1EY3lPR1E0TmpoaCIsInQiOiJNXC9qUGs5… 33/38
25/09/2017 Gartner Reprint
One-time password (OTP) and public-key hardware tokens have been the most prevalent
authentication method for securing privileged access in most organizations, but are now
increasingly being replaced by phone-as-a-token authentication methods, particularly OTP
apps for smartphones and mobile push (OTP-less out of band [OOB] push) methods. See
"Market Guide for User Authentication."
Use of contextual and adaptive authentication techniques can significantly increase the
levels of trust and accountability of privileged access to the critical systems. Shared account
access to Windows systems should leverage local privileged accounts rather than domain
admin accounts.
U.S. federal agencies that are required to use Personal Identity Verification (PIV) cards for
authentication of privileged users as part of HSPD-12 and Cybersecurity Strategy and
Implementation Plan (CSIP) directives 14 should look out for vendors that offer native
support for common access cards (CACs) and PIV cards. Several vendors offer broad
support for PIV card authentication. Where Derived PIV Credentials are an option, agencies
should consider PAM vendors that support integration with third-party vendors offering
authentication via Derived PIV Credentials.
A2A credential brokering: Some operating systems (specifically Windows) offer a mechanism
to safeguard service account credentials, and PASM tools can rotate and update those
credentials in situ. Having applications retrieve credentials from the vault through a network-
protocol-based API requires authentication to the vault, which requires the use of a hardware
security module (HSM) or other secure credential storage mechanisms. When this is not
practical, AAPM tools should be strongly considered.
Discovery of privileged accounts and their use continues to be a major challenge for security
and risk management leaders who must expect this to take a considerable effort and realize
that technology may not necessarily provide adequate results or value. 15
Shop around: Pricing and feature bundling is highly variable between vendors, and the problem
is exacerbated by the fact that some vendors even apply different licensing mechanisms
among their individual tools or modules. Plan for the next three years in terms of systems and
functionality covered, and get a pricing commitment not only for the initial phase, but also for
subsequent phases. Gartner clients should use inquiry privileges for pricing reviews.
ACL
CAC
CLI
https://www.gartner.com/doc/reprints?id=1-4D2LXVE&ct=170909&st=sb&mkt_tok=eyJpIjoiT1dVNE1EY3lPR1E0TmpoaCIsInQiOiJNXC9qUGs5… 34/38
25/09/2017 Gartner Reprint
CSIP
HSPD-12
HSM
IaaS
ICA
IGA
ITSM
LAPS
MFA
NESA
https://www.gartner.com/doc/reprints?id=1-4D2LXVE&ct=170909&st=sb&mkt_tok=eyJpIjoiT1dVNE1EY3lPR1E0TmpoaCIsInQiOiJNXC9qUGs5… 35/38
25/09/2017 Gartner Reprint
OCR
PaaS
PAM
PASM
PEDM
PIV
RDBMS
RDP
SDK
SIEM
https://www.gartner.com/doc/reprints?id=1-4D2LXVE&ct=170909&st=sb&mkt_tok=eyJpIjoiT1dVNE1EY3lPR1E0TmpoaCIsInQiOiJNXC9qUGs5… 36/38
25/09/2017 Gartner Reprint
SSH
SSO
VNC
Evidence
This research has been informed by vendor briefings over the past 12 months, inquiries with
Gartner clients and secondary research.
The following vendors did not respond to requests for a review of the draft contents of this
research:
Applecross Technologies
HashiCorp
HelpSystems
ObserveIT
SecureLink
1
Some organizations are using PAM tools to put controls around access to shared social
networking accounts used for marketing purposes, although this may not be as effective as tools
specifically tailored for this use case such as Adobe Social, Bitium, Falcon.io, Hootsuite,
Spredfast and Shoutlet. In addition to multilevel review and approval workflows for content
publication, these tools also support social analytics, engagement and CRM integration (see
"Market Guide for Social Marketing Management" ). Other options used for this purpose are
personal password managers such as Dashlane and LastPass.
2
See "CyberArk Acquires Conjur, Revolutionizing DevOps Security to Drive Greater Business Agility,"
(https://www.cyberark.com/press/cyberark-acquires-conjur-revolutionizing-devops-security-drive-
greater-business-agility/) CyberArk.
3 See"Thycotic Acquires Security Analytics Company to Identify Malicious Privileged Behavior Across
Systems and Users," (http://www.prnewswire.com/news-releases/thycotic-acquires-security-analytics-
company-to-identify-malicious-privileged-behavior-across-systems-and-users-300357604.html) PR
Newswire.
4
https://www.gartner.com/doc/reprints?id=1-4D2LXVE&ct=170909&st=sb&mkt_tok=eyJpIjoiT1dVNE1EY3lPR1E0TmpoaCIsInQiOiJNXC9qUGs5… 37/38
25/09/2017 Gartner Reprint
4 See "Customer FAQ- Legal Entity," (https://www.oneidentity.com/docs/one-identity-customer-faq-
legal-entity-non-gated-assets-127732.pdf) One Identity.
5 See "CA Technologies acquires Mobile System 7,"
(https://www.crunchbase.com/acquisition/15bfb23cb3d463e82746c52ad4bda699) Crunchbase.
6 See "Vision Solutions Completes Acquisition of Enforcive Systems,"
(https://globenewswire.com/news-release/2017/07/05/1038908/0/en/Vision-Solutions-Completes-
Acquisition-of-Enforcive-Systems.html) GlobeNewswire.
7A recent example of tightening regulation is the new SWIFT Customer Security Controls
Framework, adopted after several high-profile breaches.
8 Such as Qatar's National ICS Security Standard and regulation from the UAE's National
Electronic Security Authority (NESA).
9
This approach requires a license for the PAM tools to be acquired directly from the vendor (or
one of its resellers) and then installed or configured in the virtual image.
10
Although PAM tools are typically simple to install, using them pervasively requires a change to
an organization's processes and culture, and therefore requires buy-in from all parties that need
privileged access. That can be a lengthy exercise for one tool alone. Yet a significant minority of
proposals from PAM vendors reviewed by Gartner include both types of tools for simultaneous
purchase. As a consequence, Gartner has learned from organizations that struggle to fully deploy
all tools — leading to "shelfware," where only some tools are deployed, and other tools incur
annual support and maintenance costs while "waiting in the wings."
11
This is recommended when passwords are revealed to an administrator. If the passwords are
not changed (automatically) after use, the password is no longer controlled; it could be revealed
to another party and thus undermine policy. On the other hand, when SSO is used to establish
sessions for administrators, the password is not revealed. In this case, passwords do not need to
be changed after every use. In fact, changing passwords that have not been revealed after every
use can be counterproductive, as it increases the load on the PAM solutions and risks passwords
getting out of sync, and Gartner hears from customers that this can be a problem for less
scalable PAM solutions.
12 For example, administrators must avoid executing any commands that could serve as a vector
for malware, such as running browsers or email clients within sessions with administrative
privileges, or executing unknown code.
13 See"Microsoft Security Intelligence Report," (https://www.microsoft.com/en-
us/security/intelligence-report) Microsoft.
14 See the NIST Cybersecurity White Paper "Best Practices for Privileged User PIV Authentication."
(http://csrc.nist.gov/publications/papers/2016/best-practices-privileged-user-piv-authentication.pdf)
15 Some vendors differentiate themselves by offering features to scan for — and discover —
accounts in a programmatic way. This can greatly reduce time and effort. But remember that this
is an inexact science, and many privileged accounts will likely fall through the cracks of
autodiscovery and will need to be discovered through other mechanisms (see "Manage Service
Accounts to Mitigate Security and Operational Risks" ).
https://www.gartner.com/doc/reprints?id=1-4D2LXVE&ct=170909&st=sb&mkt_tok=eyJpIjoiT1dVNE1EY3lPR1E0TmpoaCIsInQiOiJNXC9qUGs5… 38/38