KuppingerCole Report
Leadership Compass
By Paul Fisher

Privileged Access Management for DevOps

Privileged Access Management (PAM) is an important area of access risk management and identity security in any organization. Privileged accounts have traditionally been given to administrators to access critical data and applications. But changing business practices, hybrid IT, cloud and other aspects of digital transformation have meant that users of privileged accounts have become more numerous and widespread. One area in sharp focus is DevOps support, which has become essential to many organizations looking to become more responsive and innovative. Application developers and other agile teams increasingly need privileged access to essential tools, and several PAM vendors are responding to this demand.
pf@kuppingercole.com

1 Introduction

This report is an overview of the market for Privileged Access Management (PAM) solutions and provides a compass to help buyers find the solution that ...

1.1 Market segment

Privileged Access Management (PAM) solutions are critical cybersecurity controls that address the security risks associated with the use of privileged ...

The impact of agile development and DevOps on PAM

The pressure on organizations to develop their IT infrastructures within an automated Continuous I ...

Transparent Security platforms including PAM must be embedded within the CI/CD lifecycle that DevOps teams work within. A security feedback mechanism ...

1.2 Delivery models

This Leadership Compass is focused on PAM products for DevOps that are offered on-premises, in the cloud or as-a-service (PAMaaS) by the vendor.

1.3 Required capabilities

At KuppingerCole we believe that the following capabilities are essential if PAM is to meet the demands of DevOps and other agile development environm ...

1.3.1 Toolchain support

Efficient DevOps teams will want to use the most effective set of tools for developing and delivering applications. Such tools can consist of code, a ...

1.3.2 Runtime support

Developers who wish to run apps in containers and elsewhere may not always have written all the code to fully execute. Therefore, they need access to ...

1.3.3 Finished application support

One of the guiding principles of DevOps is support for CI/CD and to provide fast updates to applications, particularly when bugs or vulnerabilities ma ...

1.3.4 Certificate support

While PAM has traditionally relied on an encrypted vault to store and manage passwords for authentication and access to privileged data and tools, the ...

1.3.5 Base PAM support

While authentication of privileged accounts is of paramount importance within the DevOps environments to ensure users get access to the tools they nee ...

1.3.6 High Availability (HA)

Having a method of accessing vaulted PAM accounts in an emergency is important for all PAM deployments but in the high stress, high strategic value De ...

1.3.7 Non-human user support

Integral to digital transformation is the communication between machines and applications, and to other applications, data centres and databases to ge ...

1.3.8 Shared account support

Best practice demands that organizations switch to single identity privileged accounts, but shared privileged accounts still exist in many organizatio ...

1.3.9 Just in Time (JIT)

Just-in-time (JIT) privileged access management can help drastically condense the privileged threat surface and reduce risk enterprise-wide by grantin ...

1.4 Other capabilities to support DevOps

PAM should accommodate the presence of a multitude of privileged users within an organization which includes temp workers, contractors, partner organi ...

1.4.1 Privileged Account Data Lifecycle Management (PADLM)

The usage of privileged accounts must be governed as well as secured. A discovery mechanism to identify shared accounts, software accounts, service ac ...

1.4.2 Controlled Privilege Elevation and Delegation Management (CPEDM)

This is another important function related to the fluid and fast changing needs of digital organizations. As the name suggests it allows users to gain ...

1.4.3 Endpoint Privilege Management (EPM)

EPM offers capabilities to manage threats associated with local administrative rights on laptops, tablets, smart phones, or other endpoints. EPM tools ...

1.4.4 Session Recording and Monitoring (SRM)

SRM enables more advanced auditing, monitoring and review of privileged activities during a privileged session, including key-stroke logging, video se ...

1.4.5 Privileged Single Sign-On (SSO)

Single Sign-On is a user authentication system that permits a user to apply one set of login credentials (i.e. username and password) to access multip ...

1.4.6 Privileged User Behaviour Analytics (PUBA)

PUBA uses data analytic techniques, some assisted by machine learning tools, to detect threats based on anomalous behaviour against established and qu ...

2 Leadership

Selecting a vendor of a product or service must not be based only on the comparison provided by a KuppingerCole Leadership Compass. The Leadership Com ...

The five vendors that comprise the Overall Leaders are well established brands: BeyondTrust, Centrify Corporation, CyberArk, SSH Communications Securi ...

In the Product Leader category, we see the same five Overall Leaders joined by one giant, Broadcom, and one much smaller but innovative company – Ha ...

This section is most interesting as Innovation is key to creating PAM that works well in DevOps environments. We have seven Leaders now: CyberArk, Bey ...

The results of this section are unsurprising. Centrify, BeyondTrust, CyberArk and Thycotic form a tightly knit group which accurately reflects their m ...

3 Correlated View

While the Leadership charts identify leading vendors in certain categories, many customers are looking not only for a product leader, but for a vendor ...

3.1 The Market/Product Matrix

The first of these correlated views contrasts Product Leadership and Market Leadership. This is where we see a more granular breakdown of the results ...

Vendors below the line have a weaker market position than expected according to their product maturity. Vendors above the line are “overperformers” ...

3.2 The Product/Innovation Matrix

This view shows how Product Leadership and Innovation Leadership are correlated. It is not surprising that there is a pretty good correlation between ...

Vendors below the line are more innovative, vendors above the line are, compared to the current Product Leadership positioning, less innovative.

In ...

3.3 The Innovation/Market Matrix

The third matrix shows how Innovation Leadership and Market Leadership are related. Some vendors might perform well in the market without being Innova ...

Vendors above the line are performing well in the market compared to their relatively weak position in the Innovation Leadership rating; while vendors ...

4 Products and vendors at a glance

This section provides an overview of the various products we have analyzed within this KuppingerCole Leadership Compass on PAM. This overview goes int ...

Ratings at a glance

Based on our evaluation, a comparative overview of the ratings of all the products covered in this document is shown in Table 1. ...

Table 1: Comparative overview of the ratings for the product capabilities

In addition, we provide in Table 2 an overview which also contains four ad ...

Table 2: Comparative overview of the ratings for vendors

5 Product/service evaluation

This section contains a quick rating for every product/service we’ve included in this KuppingerCole Leadership Compass document. For many of the pro ...

5.1 BeyondTrust

After acquiring Avecto, Lieberman software and BeyondTrust, Bomgar decided to merge the businesses and keep the BeyondTrust brand for the new entity. ...

5.2 Centrify

Based in the US, Centrify offers several PAM modules as part of an overall suite which includes privileged access, authentication, privileged elevatio ...

5.3 CyberArk

Headquartered in Israel and the US, CyberArk is one of the more mature providers of PAM solutions having been in the market since 1999. It has continu ...

5.4 EmpowerID

Based in Ohio (US), EmpowerID offers several products within its broader IAM portfolio, of which EmpowerID Privileged Access Management (PAM) is its r ...

5.5 HashiCorp

HashiCorp is a provider of multi-cloud infrastructure automation software for cloud and on-premises environments. Built on an open-source foundation, ...

5.6 SSH Communications Security

Based in Helsinki, Finland, SSH.COM offers PrivX as its primary product in the PAM market. PrivX is a relatively new offering in the market by SSH.COM ...

5.7 STEALTHbits Technologies

Founded in 2002, Stealthbits Technologies is a US-based company that offers several solutions designed to help organizations meet their GRC obligation ...

5.8 Symantec

A new name for PAM but one born of the acquisitions by US chip giant Broadcom of CA Technologies and, subsequently, Symantec. Having digested the form ...

5.9 Thycotic

Based in Washington D.C. (US), Thycotic offers the Secret Server platform as its primary PAM. Secret Server is known for its comprehensiveness, ease o ...

6 Vendors and Market Segments to watch

Aside from the vendors covered in detail in this Leadership Compass document, we also observe other vendors in the market that we find interesting. So ...

6.1 Remediant SecureONE

Based in San Francisco, Remediant is a single product PAM company founded in 2013. Its SecureONE product uses agent-less and vault-less technology at ...

6.2 Saviynt

Saviynt is a US-based company founded in 2010 that specializes in IGA and Identity solutions. It has recently entered the PAM market with a new cloud- ...

6.3 Venafi

US-based Venafi offers TrustAuthority, a machine identity protection platform that also offers extensive SSH key management for securing privileged ac ...

Methodology

Copyright

©2020 KuppingerCole Analysts AG. All rights reserved. Reproduction and distribution of this publication in any form is forbidden without prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole's initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaims all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole does not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded back in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and make better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

For further information, please contact clients@kuppingercole.com.