Will IBM change the way we do PAM (or PIM or PUM)?

22.12.2009 by Martin Kuppinger

I’ve blogged several times about PAM (Privileged Account/Access Management) in the last few months, stating that I expect more integration of PAM with existing IAM applications (Here, here, here, and here). Now IBM is moving forward on this with their PIM offering. It’s interesting to observe what IBM is doing these days. There hadn’t been much news from IBM for a pretty long time. But this year IBM has increased its speed significantly. The release of TIM 5.1 with many significant improvements, their approaches around risk and compliance with tight integration to TIM as well as other IBM products, and some other news prove that IBM is back on track and should be rated amongst the leading vendors in the broader IAM space again – with some interesting visions and strategies, becoming a trendsetter in some areas.

Amongst them is their PIM approach. IBM isn’t new in that market. Their TAMOS (Tivoli Access Manager for Operating Systems) product has been out for many years. But right now, they are building a solution which is tightly integrated with TIM and TAM E-SSO (Tivoli Access Manager Enterprise Single Sign-On). Shared IDs can be provisioned by TIM, and TIM also manages pools of shared IDs. TAM E-SSO checks shared IDs out and in when accessing apps. Thus, IBM drives the tight integration of provisioning, E-SSO, and PAM, which definitely makes sense. However, the integration is currently within the IBM world of IAM apps, not beyond. Anyhow, this is an interesting approach and IBM is currently leading this trend.

The solution is currently deployed as an IBM Global Strategic Solution, i.e. by IBM Global Services to selected customers, as a first stage before general availability. But for existing IBM customers (TIM, TAM E-SSO) it is definitely worth talking with IBM about that.

An interesting question in this context is whether this will affect the overall PAM market. First of all, it confirms what I’ve described earlier in my blogs: There will be a convergence of PAM with provisioning and other IAM solutions. And with more vendors providing such integrations (some are providing some integration or are working on that), customers are likely to pick the “integrated PAM”. However, there is no doubt that at this point in time the PAM specialists in most cases have more feature-rich offerings, which might complement even these integrated PAM approaches or replace them in case specific features are required. Thus, there will be a “stand-alone” PAM market for the foreseeable time. On the other hand, I expect more acquisitions of PAM specialists to happen, given that the larger vendors might want to speed up the development of their integrated PAM offerings by acquiring a product and integrating it. Another point to mention: IBM’s approach shows that PAM is moving out of a niche towards a mainstream IAM market segment.

For now, it is time for me to wish you all a MERRY CHRISTMAS and a HAPPY NEW YEAR!

And don’t miss EIC 2010 and Cloud 2010 next year! Hope to see you there and to discuss some of my thoughts with you in person.

Is PAM (or PIM or PUM) moving into Provisioning?

11.08.2009 by Martin Kuppinger

These days I have been talking with Siemens on enhancements for their DirX Identity product, a provisioning tool (and, by the way, a pretty good one). Amongst the new features is some support for Privileged Account Management (PAM). That’s interesting. I’ve blogged some time ago about the possibility of provisioning vendors starting to acquire PAM vendors and adding these capabilities to their provisioning products.

Siemens didn’t acquire but implemented some technology of their own. They mainly focus on providing one-time passwords for the use of privileged accounts and resetting these passwords after use. This is combined with strong authentication, using smartcards. In fact it is sort of a mix between product (resetting passwords and all that stuff) and project (adding strong authentication using other products). But finally they became a pioneer in integrating PAM with provisioning.
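The two mechanisms described in these posts, checking a shared privileged ID out and back in (the TIM/TAM E-SSO approach) and issuing a one-time password that is reset after use (the Siemens approach), follow the same pattern. The toy vault below, an added illustration and not any vendor's code, models that pattern; the account names, the simulated target system and the audit record are constructed for the example.

```python
"""Toy model of a shared privileged-account vault with check-out/check-in
and one-time password rotation. Constructed illustration, not vendor code."""
import secrets
import string
from dataclasses import dataclass, field
from typing import Optional

ALPHABET = string.ascii_letters + string.digits


def generate_password(length: int = 24) -> str:
    """Random password from the OS CSPRNG; each check-out gets a fresh one."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class SharedAccount:
    name: str                       # e.g. "root@db01" (constructed sample name)
    checked_out_by: Optional[str] = None


@dataclass
class Vault:
    # target_passwords simulates the credential store of the managed system;
    # in a real deployment a connector would push the reset to the host itself.
    target_passwords: dict = field(default_factory=dict)
    accounts: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # who held which account, and when

    def enroll(self, name: str) -> None:
        """Take the shared account under management: rotate it immediately so
        any previously shared, 'common knowledge' password stops working."""
        self.accounts[name] = SharedAccount(name)
        self.target_passwords[name] = generate_password()

    def check_out(self, name: str, user: str, strongly_authenticated: bool) -> str:
        """Hand the current password to exactly one authenticated user."""
        if not strongly_authenticated:
            raise PermissionError("strong authentication required for %s" % name)
        acct = self.accounts[name]
        if acct.checked_out_by is not None:
            raise RuntimeError("%s already checked out by %s" % (name, acct.checked_out_by))
        acct.checked_out_by = user
        self.audit.append(("checkout", name, user))
        return self.target_passwords[name]

    def check_in(self, name: str, user: str) -> None:
        """Return the account: rotate the password on the target so the value
        the user saw is a one-time credential, then release the lock."""
        acct = self.accounts[name]
        if acct.checked_out_by != user:
            raise RuntimeError("%s is not held by %s" % (name, user))
        self.target_passwords[name] = generate_password()
        acct.checked_out_by = None
        self.audit.append(("checkin", name, user))
```

The audit list gives the per-person accountability the posts say shared accounts normally lack, and the rotation on check-in is what turns a shared password into a one-time one.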

There is no doubt that the leading PAM suites like the ones provided by Cyber-Ark or Lieberman Software provide a much broader feature set. However, integrating that with provisioning tools, identity lifecycles, and existing (self) service interfaces is a valid approach. I expect other vendors to follow, adding PAM support as well. However, the specialists will provide a more sophisticated solution at least for a pretty long period of time (unless they become acquired…).

But what Siemens has done proves my thesis on PAM moving into provisioning, servicing the specific requirements of customers. And it proves that PAM is moving from a niche topic towards a mainstream technology in the broader IAM market.

Regarding the term PAM (or PIM or PUM): I prefer Privileged Account Management because it is about accounts which are associated with a person and their digital identity. The user is sometimes associated with an account, sometimes more understood as a construct in between, e.g. a user ID with some accounts associated, and sometimes there is the situation that a person with one digital identity could have multiple user IDs. For what is managed, PAM seems to be the most appropriate term, from my point of view.

Why is IBM TIM 5.1 just a minor release?

24.06.2009 by Martin Kuppinger

IBM announced its Tivoli Identity Manager 5.1 yesterday. If you read the list of new features you might end up with the same question as me: Why is it only version 5.1, i.e. a minor (.1) release instead of TIM 6? Amongst the new features are fundamental things like Role Management, SoD support, attestation and, last but not least, support for some Privileged Account Management (or Privileged Identity Management, the term IBM is using). In other words: IBM has significantly expanded the feature set of its product, mainly adding a lot of IAM-GRC features to what TIM delivers. Given that they have some other interesting solutions in the GRC space, especially for analytics and dashboards, IBM definitely improves its positioning in that emerging market segment.

So the GRC stuff is one of the new areas in TIM 5.1. That’s nice, but we have seen that before. Many vendors have either added such features to their products or have released separate GRC platforms – with advantages and disadvantages in both approaches. IBM has in fact drawn level in that area.

Much more interesting is the addition of PIM capabilities to a provisioning solution. Even while not every aspect of PIM will be solved by what TIM 5.1 delivers, it fulfills my expectations of PIM becoming more and more part of provisioning tools – which is just logical, given that it is about managing accounts. IBM is the first vendor in the market to deliver an integration in that area. Novell might become a close follower given that they have recently acquired a PIM vendor.

With these additions, IBM would have good reasons to name the release of TIM version 6.0 instead of 5.1. But understanding the reasons for version numbers is definitely amongst the hardest things in IT.

However, IBM shows that they are acting intensively to improve their positioning in the IAM and GRC market space. Being one of the first big companies which entered that market, there hadn’t been much evolution for some time. But now IBM is definitely back and moving forward significantly, acting as a strong competitor for the other players in the market. And once they deliver on full GRC solutions, beyond IAM-GRC and access controls (and IBM is amongst the ones who might deliver on that given their strengths in areas like SIEM, ITSM, and others…), IBM might improve its positioning even further.

There are many facets of Privileged Account Management

26.03.2009 by Martin Kuppinger

The PAM/PIM/PUM (Privileged Account/Identity/User Management; I prefer PAM) market is one of the boom markets in IT. I’ve blogged about that recently (here and here). And I’ve talked with many vendors in that market segment about what they are currently delivering and about what they have in mind for the future. These briefings and the ongoing analysis on PAM prove my thesis that it is still a relatively immature market (not saying that all the products are immature – there are some really good tools out there…).

The PAM market currently is in the typical situation of all emerging markets:

  • There are mainly small vendors.
  • First large vendors are entering the market, mainly through acquisitions.
  • There is no “standard feature set” but many different approaches to solve the problems of PAM.

The latter part is particularly interesting to me. Besides the frequently limited support for different platforms and applications as well as for different types of privileged accounts, there are many different technical approaches and features. Some vendors focus on limiting administrative capabilities, others store passwords centrally, some support single sign-on features, and so on. Last week I had a briefing with Cyber-Ark, which recently announced their PIM Suite v5. Adam Bosnian of Cyber-Ark had a slide in his presentation which showed the evolution from their first solution towards the state of their new suite of PAM solutions. That included aspects like

  • Privileged Password Management
  • Privileged User Provisioning
  • Privileged SSO
  • Privileged Session Management
  • On-Demand Privileges

That list shows that there are many elements. When talking with Novell about their Fortefi deal (not really an acquisition, more sort of an asset deal), they also talked about different elements like managing (and limiting) the access as well as auditing privileged access.

Even while some vendors (like Cyber-Ark) are adding more and more features, there is, from my perspective, still no complete solution which fully addresses every part of the PAM problem. Thus it is important to first analyze the specific requirements before choosing a PAM platform. And: Any selection should keep in mind that privileged accounts are found in every operating system as well as in many applications (including the technical users).

I’m convinced that we’ll observe two things within the next 24 months:

  • The PAM tools will converge to a common standard feature set plus some additional capabilities – like it has happened, for example, in the area of Client Lifecycle Management some time ago.
  • There will be some acquisitions of smaller vendors, mainly by the established players in the IAM market. They will start integrating PAM into their suites.
  • There will be, on the other hand, new vendors which become visible – especially because there are several small vendors out there which have solved that problem for a small number of enterprise customers and specific platforms sometimes years ago. Some of them and probably some start-ups will enter the market.

Don’t forget to attend my webinar today on another hot topic, Cloud Computing.

And you definitely should attend the European Identity Conference.

Privileged Account Management

12.03.2009 by Martin Kuppinger

Over the course of the last few months, PAM (Privileged Account Management), also called PIM (Privileged Identity Management) or PUM (Privileged User Management), became increasingly popular. The main driving force behind this increase in popularity is the auditors, who more frequently look at the state of privileged accounts and, in many cases, detect and criticize shortcomings in that area.

Privileged accounts include administrative accounts (UNIX/Linux root accounts, Windows administrators), system accounts, service accounts, and technical users. It is important not to limit the scope of PAM to root account management. There are far more privileged accounts which have to be covered by PAM solutions. Privileged accounts are at high risk, because they have all or many or at least some sensitive access rights. And privileged accounts typically aren’t personal user accounts but specific types of accounts which in some cases (root accounts, administrators, and to some degree technical users) are actively used by several users.

In fact it is a combination of three factors which puts privileged accounts at risk: the broad range of access rights assigned to these accounts (up to full access), the lack of a clear responsibility for these accounts and thus of a reliable life cycle management, and the fact that at least some of these accounts are used by different people and thus the credentials tend to become common knowledge.

The vendors in the PAM space support different approaches to deal with these issues, including restricted access, automatically generated one-time passwords, and a better support for lifecycle management. Given the technical differences between operating systems, there have to be differences in the approaches. Over time, we will need (and we expect, from an analyst perspective) more comprehensive tools which support several of these approaches.

However, the current state of the PAM market shows that there is still a long way to go. There are several strong solutions for both Unix/Linux and Windows environments. But tools which support both “operating system worlds” are still missing. The integration with existing lifecycle management solutions (e.g. identity provisioning) is, if it exists at all, typically weak. PAM is, despite the fact that some of the point solutions have been out for years, still sort of an emerging market. With the increasing awareness and increasing sales, two things are very likely to happen:

  • Established vendors in the IAM space will start acquiring PAM specialists and integrating these tools with their existing offerings. Novell has been amongst the first with their Fortefi acquisition (correctly: the asset deal) and has a clear vision for integrating the new Novell Privileged User Management with other Novell offerings and for expanding the functionality. Quest also has a tool in its portfolio.
  • The feature sets of existing products will be enhanced. It is the typical phase of “feature comparison checklists” where vendors try to add some features which customers find valuable in competitive products. That will also include increasing support for both Unix/Linux and Windows environments.

Despite the fact that PAM is still sort of an emerging market with many smaller vendors, the risks associated with privileged accounts make it mandatory for many organizations to either invest in PAM or to expand their investments beyond some core systems (like the critical AIX or Solaris servers) to other platforms.

By the way: We’ll provide a lot more information and thoughts around PAM in an upcoming webinar (German Language) as well as at our European Identity Conference in May.

Novell enters PAM market – the first deal in the next wave of acquisitions in IAM?

20.02.2009 by Martin Kuppinger

Novell has announced that they have acquired the technology for privileged account management (PAM) from Fortefi Ltd. PAM addresses the need to better manage privileged accounts. It is a broad field, starting with root account management in Unix and Linux environments and reaching out to technical user accounts, system users and local as well as domain administrators in Windows environments, or database and other system administrators. There are many privileged accounts out there. And these accounts frequently aren’t well managed, despite the fact that they either have full access or at least a lot of access rights. Sometimes they are used by several persons, their passwords becoming (sort of) public. Frequently, no responsibility for these accounts is assigned to a user. A consistent lifecycle management is often missing.

Thus it is no surprise that auditors are analyzing the state of PAM more often than in former days. Missing PAM is a risk, opening the door for insider attacks – and sometimes making outsider attacks easier and more hazardous. Companies have to act on this.

Over the years, a pretty segmented PAM market has evolved. Some companies only address Unix/Linux root account management, others focus on Windows accounts. Most of these solutions are point solutions, even while the management of privileged accounts should be a part of the overall identity/account lifecycle management. Thus it is no surprise that Novell, as an established vendor in that market, has acquired a PAM vendor. We have predicted this before, for example in our “Trend Report IAM and GRC 2009-2019”. And we expect other established IAM vendors to enhance their portfolios as well. Thus, the Novell deal with Fortefi might be the first one in a wave of acquisitions.

There are two important things to note:

  1. Novell has taken a step into this market, but the solution, which focuses on Linux/Unix root accounts, doesn’t fully solve the requirements. There are many other privileged accounts out there which have to be managed. Novell will have to go beyond the Fortefi solution.
  2. When an IAM vendor acquires PAM technology, the logical next step is to integrate the technology with their Identity Lifecycle Management offerings, going beyond the standalone approaches which are most frequently found in the PAM market today.

Overall, the Novell acquisition will have a significant impact on the PAM market, which today is (as mentioned) segmented and where most (but not all) of the vendors are relatively small and pretty specialized.

© 2010 Martin Kuppinger, Kuppinger Cole + Partner