There are many facets of Privileged Account Management

26.03.2009 by Martin Kuppinger

The PAM/PIM/PUM (Privileged Account/Identity/User Management; I prefer PAM) market is one of the boom markets in IT. I’ve blogged about that recently (here and here). And I’ve talked with many vendors in that market segment about what they are currently delivering and about what they have in mind for the future. These briefings and the ongoing analysis on PAM prove my thesis that it is still a relatively immature market (not saying that all the products are immature – there are some really good tools out there…).

The PAM market currently is in the typical situation of all emerging markets:

  • There are mainly small vendors.
  • First large vendors are entering the market, mainly through acquisitions.
  • There is no “standard feature set” but many different approaches to solve the problems of PAM.

The latter point is particularly interesting to me. Besides the frequently limited support for different platforms and applications as well as for different types of privileged accounts, there are many different technical approaches and features. Some vendors focus on limiting administrative capabilities, others store passwords centrally, some support single sign-on features, and so on. Last week I had a briefing with Cyber-Ark, which recently announced their PIM Suite v5. Adam Bosnian of Cyber-Ark had a slide in his presentation which showed the evolution from their first solution towards the state of their new suite of PAM solutions. That included aspects like

  • Privileged Password Management
  • Privileged User Provisioning
  • Privileged SSO
  • Privileged Session Management
  • On-Demand Privileges

That list shows that there are many elements. When talking with Novell about their Fortefi deal (not really an acquisition, more sort of an asset deal), they also talked about different elements like managing (and limiting) the access as well as auditing privileged access.

Even though some vendors (like Cyber-Ark) are adding more and more features, there is, from my perspective, still no complete solution which fully addresses every part of the PAM problem. Thus it is important to first analyze the specific requirements before choosing a PAM platform. And: Any selection should keep in mind that privileged accounts are found in every operating system as well as in many applications (including the technical users).

I’m convinced that we’ll observe two things within the next 24 months:

  • The PAM tools will converge to a common standard feature set plus some additional capabilities – like it has happened, for example, in the area of Client Lifecycle Management some time ago.
  • There will be some acquisitions of smaller vendors, mainly by the established players in the IAM market. They will start integrating PAM into their suites.
  • There will be, on the other hand, new vendors which become visible – especially because there are several small vendors out there which have solved that problem for a small number of enterprise customers and specific platforms sometimes years ago. Some of them and probably some start-ups will enter the market.

Don’t forget to attend my webinar today on another hot topic, Cloud Computing.

And you definitely should attend the European Identity Conference.


Posted in Privileged Account Management

Cloud Computing – just a hype or change of paradigm?

23.03.2009 by Martin Kuppinger

In a webinar on Thursday I’ll talk about the hype and reality of Cloud Computing. It is interesting to observe that Cloud Computing made it beyond the IT magazines and into the business/economic publications. But the promises you find there (at least in German publications) are probably somewhat overhyped.

From my perspective, there are some things to note:

  • Cloud Computing is, in many areas, built on existing approaches – however, there are many new aspects in it
  • Cloud Computing will change the IT landscape of organizations fundamentally
  • Cloud Computing will provide new business opportunities – some of the promises from the “internet bubble” some 10 years ago will become reality
  • Cloud Computing will influence the economics of IT – for vendors, providers, integrators, and customers
  • Cloud Computing will take its time to become reality

In other words: Yes, Cloud Computing is something that goes well beyond a hype. It is a fundamental shift in IT which can be compared with the introduction of Personal Computers or the Internet becoming a mass market. But it will take some time. Some of the key elements of a successful Cloud Computing infrastructure are still relatively immature. The organizational readiness, application and management platforms, and cloud security, to name just a few, are far from being mature.

On the other hand there are some obvious advantages and promises that will drive adoption. Reliable, flexible services at a fixed price are attractive. For sure, some vendors and some solutions will disappear. Others will appear. But overall, Cloud Computing as a concept is a must for today’s organizations. It has to be evaluated as part of any IT strategy. But Cloud Computing isn’t a no-brainer. A strong strategy and a clear view on threats and opportunities are mandatory to make the (partial) move to the “cloud” successfully. But overall, the approach of Cloud Computing will lead to a situation where we understand IT as a set of services which we can “orchestrate” (at a higher level than only within applications) and exchange in a flexible way. And that service view will also heavily affect what we do in internal IT. We will have to clearly describe services, to add a price tag to them, and to understand which services under which considerations can be consumed from the cloud.

And: Don’t miss EIC 2009!


Posted in Cloud

Dynamic authorization management

18.03.2009 by Martin Kuppinger

Authorization management is becoming increasingly popular. But there are, in fact, two very different approaches:

  • Static authorization management, where changes are provisioned to the target systems.
  • Dynamic authorization management, where authorization decisions are externalized to authorization engines at runtime.

The latter requires changes to the applications, but it leads to the externalization of authentication and authorization (and hopefully auditing as well) from applications. Everything can be easily managed from outside of the applications.

Whilst static authorization management is provided by provisioning systems (at the more technical level) and by several GRC vendors (from a business control perspective), vendors of solutions for dynamic authorization management are still relatively rare and, besides this, in most cases relatively small. Besides Oracle with their Entitlements Server and, to some degree, CA with their Embedded Entitlements Manager, vendors include companies like Bitkoo or Engiweb, to name two which are particularly interesting. And, for sure, Microsoft’s approach for claims leads in that direction – but at least in the current approach, authorization decisions aren’t externalized yet.

From my perspective, externalizing these decisions from applications definitely makes sense. Policies can be managed centrally, changes are effective immediately, and application developers don’t have to think much about security. They just rely on external decisions. In fact, things are moved from coding not only to deployment, but to runtime.

There are three challenges:

  • The authorization engines have to be fast
  • They have to be integrable with other IAM/GRC tools for a consistent management
  • The applications have to be adapted to a specific solution

The first part is just an architecture and engineering task which has been solved by several vendors. The second requires, from my perspective, standards for the description and exchange of policies which are still widely missing. The third part could also be addressed by standards. That would give customers the choice between different authorization engines. As long as these standards are missing, customers should, with respect to the last bullet point, focus on implementations which require few changes in applications to minimize the risk of vendor lock-in. On the other hand, the advantages of such approaches are significant – and vendors like Bitkoo and Engiweb are successful because of that fact.

From my perspective, companies should start looking at these approaches today and really start externalizing security out of the code.
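To make the split between application and authorization engine concrete, here is an added example (constructed for this post, not code from any of the vendors named above). It models a small policy decision point with deny-overrides rule combining and an audit trail, plus the single call-out an application keeps: the `Request`, `Rule`, `PolicyEngine` and `make_enforcer` names and the invoice sample data are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Names below (Request, Rule, PolicyEngine, make_enforcer, ...) are constructed for this
# example; they are not the API of any product mentioned in the post.

@dataclass
class Request:
    subject: Dict[str, object]    # attributes of the caller: id, roles, ...
    action: str                   # e.g. "read", "approve"
    resource: Dict[str, object]   # attributes of the target: submitted_by, amount, ...

@dataclass
class Rule:
    name: str
    condition: Callable[[Request], bool]   # predicate over the request
    effect: str                            # "permit" or "deny"

@dataclass
class PolicyEngine:
    """Authorization engine: the only place where policy lives."""
    rules: List[Rule] = field(default_factory=list)
    audit: List[Tuple[str, str, str]] = field(default_factory=list)

    def decide(self, req: Request) -> str:
        # Deny-overrides combining: an explicit deny beats any permit, and with no
        # matching permit the default answer is deny.
        outcome, matched = "deny", "default-deny"
        for rule in self.rules:
            if not rule.condition(req):
                continue
            if rule.effect == "deny":
                outcome, matched = "deny", rule.name
                break
            outcome, matched = "permit", rule.name
        # Every decision is recorded, so auditing is externalized as well.
        self.audit.append((str(req.subject["id"]), req.action, f"{outcome}:{matched}"))
        return outcome

class Forbidden(Exception):
    pass

def make_enforcer(decide: Callable[[Request], str]) -> Callable[[dict, str, dict], None]:
    """Policy enforcement point: the only coupling between application and engine.

    The application depends on this three-argument call and nothing else, so a
    different engine can be substituted behind it (the lock-in concern above)."""
    def enforce(subject: dict, action: str, resource: dict) -> None:
        if decide(Request(subject, action, resource)) != "permit":
            raise Forbidden(f"{action} denied for {subject['id']}")
    return enforce

def build_engine() -> PolicyEngine:
    # Centrally maintained policies (constructed sample). Editing this list changes
    # what the application does at runtime; no application code changes.
    return PolicyEngine(rules=[
        Rule("segregation-of-duties",
             lambda r: r.action == "approve"
                       and r.subject["id"] == r.resource["submitted_by"],
             "deny"),
        Rule("managers-approve-up-to-10k",
             lambda r: r.action == "approve"
                       and "manager" in r.subject["roles"]
                       and r.resource["amount"] <= 10_000,
             "permit"),
        Rule("finance-approves-any-amount",
             lambda r: r.action == "approve" and "finance" in r.subject["roles"],
             "permit"),
        Rule("submitter-reads-own",
             lambda r: r.action == "read"
                       and r.subject["id"] == r.resource["submitted_by"],
             "permit"),
    ])

def approve_invoice(enforce, user: dict, invoice: dict) -> str:
    # Business code contains no authorization logic, only the call-out.
    enforce(user, "approve", invoice)
    return f"invoice {invoice['id']} approved by {user['id']}"

if __name__ == "__main__":
    engine = build_engine()
    enforce = make_enforcer(engine.decide)
    alice = {"id": "alice", "roles": ["manager"]}
    print(approve_invoice(enforce, alice,
                          {"id": "INV-1", "submitted_by": "bob", "amount": 5_000}))
    for entry in engine.audit:
        print(entry)
```

The point of `make_enforcer` is the third challenge above: the application is written against one narrow call, so swapping the engine means replacing the function passed in, not rewriting business code. The deny-overrides order in `decide` is a design choice; a segregation-of-duties deny wins even when a broader role-based rule would permit.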

By the way: We’ve given our European Identity Award in the category best innovation in 2008 to some of the vendors mentioned above. Attend European Identity Conference 2009 and learn, amongst many other things, who will be awarded as innovator this year.

The need for standards


Privileged Account Management

12.03.2009 by Martin Kuppinger

Over the course of the last few months, PAM (Privileged Account Management), also called PIM (Privileged Identity Management) or PUM (Privileged User Management), has become increasingly popular. The main driving force behind this increase in popularity are the auditors, who look more frequently at the state of privileged accounts and, in many cases, detect and criticize shortcomings in that area.

Privileged accounts include administrative accounts (UNIX/Linux root accounts, Windows administrators), system accounts, service accounts, and technical users. It is important not to limit the scope of PAM to root account management. There are far more privileged accounts which have to be covered by PAM solutions. Privileged accounts are at high risk, because they have all or many or at least some sensitive access rights. And privileged accounts typically aren’t personal user accounts but specific types of accounts which in some cases (root accounts, administrators, and to some degree technical users) are actively used by several users.

In fact it is a combination of three factors which puts privileged accounts at risk: the broad range of access rights assigned to these accounts (up to full access), the lack of a clear responsibility for these accounts and thus of a reliable life cycle management, and the fact that at least some of these accounts are used by different people and thus the credentials tend to become common knowledge.

The vendors in the PAM space support different approaches to deal with these issues, including restricted access, automatically generated one-time passwords, and a better support for lifecycle management. Given the technical differences between operating systems, there have to be differences in the approaches. Over time, we will need (and we expect, from an analyst perspective) more comprehensive tools which support several of these approaches.
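The three risk factors and the counter-measures just listed map onto a few mechanics of a credential vault, shown here as an added example (constructed for this post, not the code of any vendor mentioned): a shared account gets a personal owner and a validity date (lifecycle), a named person checks the password out and the check-out is logged (attribution), and the password is rotated on check-in or when a check-out lapses, so the disclosed value is effectively single-use. The `Vault` and `PrivilegedAccount` names and the sample account `root@db01` are assumptions of this example.

```python
import secrets
import string
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Vault, PrivilegedAccount and the sample account names are constructed for this
# example; they are not taken from any product mentioned in the post.

def generate_password(length: int = 24) -> str:
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

@dataclass
class PrivilegedAccount:
    name: str                   # the shared account, e.g. "root@db01"
    owner: str                  # personal user accountable for it (lifecycle responsibility)
    valid_until: int            # epoch seconds; not handed out after this date
    password: str = field(default_factory=generate_password)
    checked_out_by: Optional[str] = None
    checkout_until: int = 0

@dataclass
class Vault:
    checkout_ttl: int = 3600                      # seconds a check-out stays valid
    accounts: Dict[str, PrivilegedAccount] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def register(self, name: str, owner: str, valid_until: int) -> None:
        self.accounts[name] = PrivilegedAccount(name, owner, valid_until)

    def is_available(self, name: str, now: int) -> bool:
        acct = self.accounts[name]
        return now <= acct.valid_until and (
            acct.checked_out_by is None or now > acct.checkout_until)

    def checkout(self, name: str, user: str, now: int) -> str:
        """Hand the current password to a named person and record who has it."""
        acct = self.accounts[name]
        if now > acct.valid_until:
            raise PermissionError(f"{name} is past its review date; contact {acct.owner}")
        if not self.is_available(name, now) and acct.checked_out_by != user:
            raise PermissionError(f"{name} is checked out by {acct.checked_out_by}")
        acct.checked_out_by = user
        acct.checkout_until = now + self.checkout_ttl
        self.audit.append(f"{now} CHECKOUT {name} user={user}")
        return acct.password

    def checkin(self, name: str, user: str, now: int) -> None:
        """Return the account and rotate its password so the disclosed one is single-use."""
        acct = self.accounts[name]
        if acct.checked_out_by != user:
            raise PermissionError(f"{name} is not checked out by {user}")
        acct.password = generate_password()
        acct.checked_out_by = None
        acct.checkout_until = 0
        self.audit.append(f"{now} CHECKIN {name} user={user} rotated=yes")

    def expire_checkouts(self, now: int) -> List[str]:
        """Forcibly rotate accounts whose check-out lapsed without a check-in."""
        rotated = []
        for acct in self.accounts.values():
            if acct.checked_out_by and now > acct.checkout_until:
                self.audit.append(
                    f"{now} EXPIRE {acct.name} user={acct.checked_out_by} rotated=yes")
                acct.password = generate_password()
                acct.checked_out_by = None
                acct.checkout_until = 0
                rotated.append(acct.name)
        return rotated

    def users_of(self, name: str) -> List[str]:
        """Attribution: which personal users have held this shared account."""
        return [line.split("user=")[1].split()[0]
                for line in self.audit if f"CHECKOUT {name} " in line]
```

The `expire_checkouts` step is the part worth noticing: a password that was handed out and never returned is the normal way shared credentials become "common knowledge", so the vault rotates it on a timer rather than trusting the check-in to happen. Rotation here only changes the stored value; a real deployment also has to push the new password to the target system.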

However, the current state of the PAM market shows that there is still a long way to go. There are several strong solutions both for Unix/Linux and for Windows environments. But tools which support both “operating system worlds” are still missing. The integration with existing lifecycle management solutions (e.g. identity provisioning) is, where it exists at all, typically weak. PAM is, despite the fact that some of the point solutions have been out for years, still sort of an emerging market. With the increasing awareness and increasing sales two things are very likely to happen:

  • Established vendors in the IAM space will start acquiring PAM specialists and integrate these tools with their existing offerings. Novell has been amongst the first with their Fortefi acquisition (correctly: the asset deal) and has a clear vision for integrating the new Novell Privileged User Management with other Novell offerings and for expanding the functionality. Quest also has a tool in its portfolio.
  • The feature sets of existing products will be enhanced. It is the typical phase of “feature comparison checklists” where vendors try to add some features which customers find valuable in competitive products. That will also include increasing support for both Unix/Linux and Windows environments.

Despite the fact that PAM still is sort of an emerging market with many smaller vendors, the risks associated with privileged accounts make it mandatory for many organizations to either invest in PAM or to expand their investments beyond some core systems (like the critical AIX or Solaris servers) to other platforms.

By the way: We’ll provide a lot more information and thoughts around PAM in an upcoming webinar (German Language) as well as at our European Identity Conference in May.


The cloud becomes popular

06.03.2009 by Martin Kuppinger

At this year’s CeBIT trade show in Hannover, Germany, cloud computing is the hot topic. That is no surprise to me, given that cloud computing is the trend within IT. Cloud computing is still fundamentally changing IT. In fact, cloud computing isn’t really new. Services on the internet have been out there for many years. You just have to look at vendors like and others which have their roots in the pre-year-2000 internet bubble.

What really changes are three other aspects:

  • There is a more consistent view on cloud computing – and vendors are filling the gaps in the cloud offerings
  • There is an increasing maturity of many cloud services
  • Cloud computing is understood as a strategic issue instead of a point solution for specific issues (CRM, Web Hosting, Online backup,…)

Defining a cloud strategy is essential to companies of every size. Whilst SMBs might move their entire server IT into the cloud, larger organizations will gain more flexibility in many areas, especially in contrast to classical (frequently very expensive) outsourcing contracts.

The big issue with the cloud today is that there isn’t one cloud offering but a broad range of elements. Virtually any vendor uses the term “cloud” in its marketing. And most of them really do provide cloud services. But for a cloud strategy it is essential and inevitable to first define the “stack” of cloud services, from pure processing power up to specific applications for CRM or ERP or anything else. We have defined such a stack in a recent (German-language) report on the Cloud Computing Market. The main areas are

  1. Hardware: Cloud Services which provide “hardware”, e.g. computing power, storage,…
  2. OS: Virtualized environments provided within/via the cloud.
  3. Infrastructure: Identity Management, IT Service Management and all the other infrastructure services which can be provided as cloud services.
  4. Application infrastructures/services: As well complete application platforms in the cloud as web services provided via the Internet.
  5. Office, Communication, Collaboration: All the applications which are used as standard tools – from web conferencing to office applications which can be used via the web.
  6. Applications: Any type of ready application, including business applications like or SAP BusinessByDesign.

Another issue in the cloud will become what I call “cloud governance”. This is probably the biggest threat, both from an ITSM/BSM perspective and from an IAM/GRC perspective. And in that area many things still have to be solved. We will discuss trends in that area as well as identity services for the cloud at the European Identity Conference 2009, which will be held in Munich in May.

Popularity of a topic is one thing. Doing it right is another. And that is, for sure, the big threat we are all facing now – making the best out of the cloud.


Posted in Cloud

Getting Attestation Right

04.03.2009 by Martin Kuppinger

In a webinar this Thursday (March 5th) I’ll talk about my thoughts on attestation, with a focus on approaches that both provide quick wins and are valid from a long-term perspective. What I currently observe is that attestation is sold as a sort of panacea for all GRC issues. What is true is that attestation is important. But some approaches might only provide a positive feeling without much real impact. I frequently miss the support of multi-layered attestation which really covers all levels of IT security. I also frequently wonder about what happens after attestation. It is fine to do attestation – but

  1. the results should lead to actions
  2. these actions should be automated wherever appropriate
  3. attestation shouldn’t be a singular event but has to be part of a concept which ensures a continuous high level of proven entitlements

Attestation is a part of an overall GRC strategy and attestation has to be integrated into a risk management strategy.
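The three points above describe a loop rather than an event. As an added example (constructed for this post, not taken from any product), here is one way to run that loop over entitlements from several layers at once: reviewer decisions are turned into actions, revocations are applied automatically, an entitlement nobody confirms is not silently kept, and the campaign number recorded on confirmation drives what has to be reviewed next time. The `Entitlement`, `Action`, `run_campaign`, `apply_actions` and `due_for_review` names, the layer labels and the sample data are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed example: data model, action names and sample entitlements are
# assumptions made for this post, not taken from any product.

@dataclass
class Entitlement:
    user: str
    layer: str        # level it lives on: "os-group", "db-role", "app-role", ...
    value: str        # e.g. "wheel", "DBA", "FI_APPROVER"
    reviewer: str     # manager or owner accountable for confirming it
    last_attested: Optional[int] = None   # campaign in which it was last confirmed

@dataclass
class Action:
    kind: str         # "keep", "revoke" or "escalate"
    entitlement: Entitlement
    reason: str

Decision = Dict[Tuple[str, str, str], str]   # (user, layer, value) -> "confirm" | "reject"

def run_campaign(campaign: int, entitlements: List[Entitlement],
                 decisions: Decision, deadline_passed: bool) -> List[Action]:
    """One attestation round across all layers.

    While the campaign is open, entitlements without a decision are escalated to
    the reviewer; once the deadline has passed they are revoked, so silence never
    leaves an entitlement in place (point 1 above: results lead to actions)."""
    actions: List[Action] = []
    for e in entitlements:
        decision = decisions.get((e.user, e.layer, e.value))
        if decision == "confirm":
            e.last_attested = campaign
            actions.append(Action("keep", e, f"confirmed by {e.reviewer}"))
        elif decision == "reject":
            actions.append(Action("revoke", e, f"rejected by {e.reviewer}"))
        elif deadline_passed:
            actions.append(Action("revoke", e, f"no decision from {e.reviewer} by deadline"))
        else:
            actions.append(Action("escalate", e, f"awaiting {e.reviewer}"))
    return actions

def apply_actions(entitlements: List[Entitlement],
                  actions: List[Action]) -> List[Entitlement]:
    """Point 2: revocations are executed automatically, not only reported.

    Returns the entitlements that remain; in practice each revoke would be pushed to
    the owning system (OS, database, application) by the provisioning layer."""
    revoked = {id(a.entitlement) for a in actions if a.kind == "revoke"}
    return [e for e in entitlements if id(e) not in revoked]

def due_for_review(entitlements: List[Entitlement], next_campaign: int,
                   max_age: int = 2) -> List[Entitlement]:
    """Point 3: continuous model. Anything never confirmed, or confirmed more than
    max_age campaigns ago, goes into the next round."""
    return [e for e in entitlements
            if e.last_attested is None or next_campaign - e.last_attested >= max_age]

def summarize(actions: List[Action]) -> Dict[str, Dict[str, int]]:
    """Per-layer counts, which is what an auditor usually wants to see."""
    out: Dict[str, Dict[str, int]] = {}
    for a in actions:
        layer = out.setdefault(a.entitlement.layer, {})
        layer[a.kind] = layer.get(a.kind, 0) + 1
    return out
```

Treating "no decision" as a revoke after the deadline is the deliberate edge case: a campaign that only counts confirmations and leaves the rest untouched produces exactly the positive feeling without impact described above. Whether revocation or escalation to the reviewer's manager is the right default is a policy question; the code makes it an explicit branch rather than an accident.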

It is important to have a clear view on the limitations and the prospects of attestation – to invest in the right tools and to build the right concepts. Participate in the webinar or listen to the recording we will publish close to the webinar! And, by the way: Our European Identity Conference will also provide a lot of information on attestation and GRC in general – not only on IAM.


Posted in Attestation, GRC
© 2015 Martin Kuppinger, KuppingerCole