Privileged Account Management

12.03.2009 by Martin Kuppinger

Over the course of the last few months, PAM (Privileged Account Management), also called PIM (Privileged Identity Management) or PUM (Privileged User Management), has become increasingly popular. The main driving force behind this rise in popularity is the auditors, who look more and more frequently at the state of privileged accounts and, in many cases, detect and criticize shortcomings in that area.

Privileged accounts include administrative accounts (UNIX/Linux root accounts, Windows administrators), system accounts, service accounts, and technical users. It is important not to limit the scope of PAM to root account management; there are far more privileged accounts which have to be covered by PAM solutions. Privileged accounts are at high risk because they hold all, many, or at least some sensitive access rights. And privileged accounts typically aren’t personal user accounts but specific types of accounts which in some cases (root accounts, administrators and, to some degree, technical users) are actively used by several people.

In fact it is a combination of three factors which puts privileged accounts at risk: the broad range of access rights assigned to these accounts (up to full access), the lack of a clear responsibility for these accounts and thus of a reliable life cycle management, and the fact that at least some of these accounts are used by different people, so that the credentials tend to become common knowledge.

The vendors in the PAM space support different approaches to deal with these issues, including restricted access, automatically generated one-time passwords, and better support for lifecycle management. Given the technical differences between operating systems, the approaches have to differ as well. Over time, we will need (and, from an analyst perspective, we expect) more comprehensive tools which support several of these approaches.
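The check-out/check-in model with automatically generated one-time passwords described above, as an added illustration (not code from this post or from any vendor named here); the vault class, the account name and the 24-character secret length are assumptions of this example:

```python
import secrets
import string
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class PrivilegedAccount:
    name: str                              # e.g. "root@db01" (constructed sample)
    secret: str                            # current credential, known only to the vault
    checked_out_by: Optional[str] = None   # personal user currently holding it


@dataclass
class PamVault:
    """Hypothetical vault: one-time credential per check-out, rotated on check-in."""
    accounts: Dict[str, PrivilegedAccount] = field(default_factory=dict)
    audit: List[Tuple[str, str, Optional[str]]] = field(default_factory=list)

    @staticmethod
    def _new_secret(length: int = 24) -> str:
        alphabet = string.ascii_letters + string.digits
        return "".join(secrets.choice(alphabet) for _ in range(length))

    def enroll(self, name: str) -> None:
        # The vault sets the credential itself, so no person ever knows a seed value.
        self.accounts[name] = PrivilegedAccount(name, self._new_secret())
        self.audit.append(("enroll", name, None))

    def check_out(self, name: str, user: str) -> str:
        # Ties the shared account to one named person for the duration of the session.
        acct = self.accounts[name]
        if acct.checked_out_by is not None:
            raise PermissionError(f"{name} is already checked out by {acct.checked_out_by}")
        acct.checked_out_by = user
        self.audit.append(("check_out", name, user))
        return acct.secret

    def check_in(self, name: str, user: str) -> None:
        acct = self.accounts[name]
        if acct.checked_out_by != user:
            raise PermissionError(f"{name} is not checked out by {user}")
        # Rotate on return: the password the user saw is now worthless, so the
        # shared credential never becomes common knowledge.
        acct.secret = self._new_secret()
        acct.checked_out_by = None
        self.audit.append(("check_in", name, user))
```

The audit list is what an auditor would ask for: every use of the shared account is tied to a named person, and the credential seen during one session cannot be reused afterwards.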

However, the current state of the PAM market shows that there is still a long way to go. There are several strong solutions for Unix/Linux as well as for Windows environments, but tools which support both “operating system worlds” are still missing. The integration with existing lifecycle management solutions (e.g. identity provisioning) is, where it exists at all, typically weak. PAM is, despite the fact that some of the point solutions have been out for years, still sort of an emerging market. With increasing awareness and increasing sales, two things are very likely to happen:

  • Established vendors in the IAM space will start acquiring PAM specialists and integrating these tools with their existing offerings. Novell has been amongst the first with its Fortefi acquisition (more precisely: an asset deal) and has a clear vision for integrating the new Novell Privileged User Management with other Novell offerings and for expanding its functionality. Quest also has a tool in its portfolio.
  • The feature sets of existing products will be enhanced. This is the typical phase of “feature comparison checklists”, where vendors try to add features which customers find valuable in competing products. That will also include increasing support for both Unix/Linux and Windows environments.

Despite the fact that PAM is still sort of an emerging market with many smaller vendors, the risks associated with privileged accounts make it mandatory for many organizations either to invest in PAM or to expand their investments beyond some core systems (like the critical AIX or Solaris servers) to other platforms.

By the way: we’ll provide a lot more information and thoughts around PAM in an upcoming webinar (in German) as well as at our European Identity Conference in May.


  • http://360tek.blogspot.com Matt Flynn

    Any thoughts on whether vendor adoption of authentication standards will eventually eliminate the need for PAM as a separate category? In other words, current IAM solutions don't solve the PAM problem because they don't provision to routers or firewalls (as an example). But once the firewall vendors universally support authentication mechanisms that IAM solutions can leverage, will PAM continue to thrive?

    • http://intensedebate.com/people/MartinKuppinger MartinKuppinger

      Hi Matt,
      I don't think that we can limit PAM to routers, firewalls and other devices with frequently very weak security concepts. For sure, an advanced support for federation as well as for authorization standards (which are still immature) will help. But PAM also addresses the operating system level, databases and other types of systems. I personally expect that PAM will become more and more part of core IAM solutions (e.g. Provisioning) and will be integrated in these lifecycle management approaches. But specific features for PAM will be required as well in the future – and even when ancient concepts like "root" are replaced by better approaches perhaps sometime in the future. The question isn't whether we will need PAM features or not – we will, even while some threats (firewall admins,…) might disappear. The question is whether there will be a separate PAM market segment or an integration into other solutions. I think that there will be both – standalone, sometimes specialized (UNIX/Linux only,…) solutions and integrated approaches.
      Martin

  • Pingback: There are many facets of Privileged Account Management | Martin Kuppinger

  • Pingback: Missing: Privilidged Account Management for the Social Web. | Identity Woman

  • Craig Joyner

    Martin, thank you so much for your blogs on Privileged Account Management. I have been tasked with researching this more. Would you help me with some links and vendors? I've really struggled to find the right words to query on for this subject.

    We are looking for a system where we check out and check in privileged accounts that we then track during their activity. It has to be an Enterprise Application and Web-Based if at all possible. This is being used to show auditors we have controls in place for SOX application changes.

    I will be checking out Novell's Fortefi and Cyber-Ark but would like to know who all the vendors are in this space?

    Have you heard of ID-Synch by M-Tech? I'll be looking at them as well.

    What words would you suggest a person query on to find out more information on PAM?

    Thanks!


© 2014 Martin Kuppinger, KuppingerCole