2023/11/03 09:31:55

Main trends in the development of PAM class solutions. Gartner Magic Quadrant for Privileged Access Management Review


Privileged Access Management (PAM) is a major countermeasure against attacks through the supplier chain, which, according to NCCCI data, entered the TOP-4 penetration vectors in 2023. An expert description of PAM solutions, their functionality, forecasts and trends can be found in the Gartner Magic Quadrant for Privileged Access Management 2023 report, published in September 2023. The report gives all market participants, IT and information security alike, an understanding of where privileged access management solutions are heading. A summary of the 30-page report was prepared specifically for TAdviser by Web Control.

Gartner claims that PAM systems have become widespread information security tools, but companies that implement them run into difficulties as soon as they go beyond the basic functionality. How serious these difficulties are depends on the vendor: on how account discovery and machine identity management are supported, and on pricing and licensing conditions.

Among this year's new trends is support for the principles of zero trust and zero standing privilege by almost all vendors included in the quadrant. Last year's trend of supporting access control to cloud resources continues. For the past two years, cyber risk insurers have increasingly required companies to implement PAM with multifactor authentication.

Market Definition and Description

By Gartner's definition, privileged access management (PAM) systems are tools for managing and protecting accounts, credentials and commands that provide elevated technical access, i.e. access to administer or configure systems and applications. Such systems can be delivered as software, as a service or as an appliance. PAM tools control the privileged access of people (system administrators and others) and of machines (systems or applications). As last year, Gartner identifies four categories of PAM tools: Privileged Account and Session Management (PASM), Privilege Elevation and Delegation Management (PEDM), Secrets Management, and Cloud Infrastructure Entitlement Management (CIEM). The last category first appeared in last year's report.

Privileged access exceeds the level of access granted to ordinary business users. Business users can have access to confidential information: know-how, financial documents, personal data, but their activities and their rights are controlled and limited by various instruments. Privileged access allows an administrator to bypass existing access controls, change security configurations, or make changes that affect multiple users or systems. Privileged access allows you to create, modify, and delete elements of your IT infrastructure, as well as the company data contained in that infrastructure, so it can carry a huge risk. Thus, privileged access control is one of the most important security features for any company. Conventional user access controls cannot effectively manage privileged access, so special procedures and tools are required.

Gartner identifies two large groups of PAM tools: tools specializing in working with privileged accounts, and tools for controlling the execution of privileged commands.

Tools focused on working with privileged accounts help companies discover privileged accounts used by people and machines. These tools protect accounts by rotating and storing their credentials (for example, passwords and keys) and by brokering access to them. For interactive accounts used by people, PAM tools use session management mechanisms to add multifactor authentication, strong authentication and remote zero-trust access to legacy systems that lack them, which allows privileged accounts to be used without revealing their credentials.

For non-interactive accounts used by machines, PAM tools protect the handling of privileged credentials so that they are not exposed while not in use. This often requires cooperation with applications and code (and changes to them). Typical examples of machine accounts are service and automation accounts used in DevOps and modern cloud development.

The second category of PAM tools provides control over the execution of commands, allowing only certain actions, and can temporarily elevate user privileges to execute commands in a privileged context. All PAM tools provide visibility and control over the use of privileged accounts and commands by tracking and registering privileged access for auditing. This can include a detailed recording of sessions to understand not only who used the privileged account and when, but also to perform what actions.

The combination of technical controls provided by PAM tools makes it possible to implement just-in-time privilege management and thereby the principle of least privilege: users must have only the minimum level of privilege, and only for the time required to complete a specific task. This is one of the significant differences between PAM and other access control systems.

Traditionally, Gartner specifies in its reports the functionality expected of a solution; this keeps vendors from "drifting away from the market" and helps buyers navigate it.

Gartner calls the following mandatory features:

  • providing centralized management and enforcement of privileged access through control of access to privileged accounts and credentials, or control of the execution of privileged commands (or both);
  • managing and brokering privileged access for authorized users (e.g. system administrators, operators, support personnel) on a temporary basis.

All PAM tools traditionally include:

  • a credential vault and privileged account management;
  • managed privilege elevation using agents for commands executed on Windows, UNIX/Linux or macOS operating systems;
  • discovery of privileged accounts across systems, applications and cloud infrastructures;
  • management, monitoring, recording of and remote access to privileged sessions;
  • an audit capability to determine who used privileged access, when and where.

Compared to last year's report, privilege elevation management and audit capabilities were added to the traditional functionality.

Gartner notes that a number of PAM vendors currently provide additional functionality which, in our opinion, deserves attention when choosing a solution:

  • secrets management for applications and services;
  • privileged account lifecycle management and remote privileged access for vendors, service providers and other external users who require technical access;
  • just-in-time privilege management, which reduces the duration and the amount of privileges granted to the user to the minimum possible;
  • Cloud Infrastructure Entitlement Management (CIEM) and discovery.

Who entered the 2023 magic quadrant

[Figure 1: Magic Quadrant for Privileged Access Management]

To get into the Magic Quadrant, companies must meet certain criteria. The solution must support at least three of the following five features: credential vaulting; automatic launch of a remote access session over SSH, RDP or HTTPS without disclosing credentials to the user; secrets management; agent-based managed privilege elevation for Windows, UNIX/Linux or macOS; and privilege management in cloud infrastructure. In addition, the PAM product must implement a role-based access model, its functionality must be documented, and the solution must be sold in several regions, used in various industries, positioned as PAM and meet Gartner's sales and/or customer requirements. In the report, Gartner also names vendors who are not included in the quadrant but who deserve a closer look for various reasons. For example, in last year's report HashiCorp, this year a niche player, was among these vendors. This year, the analysts recommend paying attention to Apono, Fudo Security, StrongDM and Teleport, among others.

Apono offers a service that provides just-in-time management of privileged access to cloud resources for developers and administrators. The StrongDM cloud solution is likewise focused on establishing privileged access sessions based on the just-in-time approach. Teleport has moved away from classic PAM and provides identity-based access for SSH, Kubernetes, web applications and databases. Fudo Security offers AI-based behavioral analytics that analyze mouse movement, typed text and commands to detect threats.

Trends and forecasts

Insurer Requirements: New PAM Implementation Driver

The traditional drivers of PAM in foreign markets are access security and corporate and regulatory compliance. Over the last two years a new one has been added: cyber risk insurers are increasingly demanding that companies implement PAM with multifactor authentication for administrative access in order to reduce the risk of data leaks and malware.

Using PAM for Remote and Cloud Access

According to the NCCCI, 2023 in Russia is marked by numerous attacks through the supplier chain: "contractors and systems that are interfaced with the target infrastructure" are included in the TOP-4 of penetration vectors.

Companies often engage contractors to administer servers, databases and other systems. Traditionally, a VPN is used to provide remote access for external technicians, but this carries certain risks because it lacks strong authentication, accounting and management of privileged accounts. Gartner reports growing interest in PAM tools for managing remote privileged access. Many PAM vendors already offer remote access control, and its functionality, according to Gartner, is similar to zero-trust network access tools. Other vendors, according to the analysts, are currently working on expanding their functionality in this direction. These solutions go beyond simple SSH and RDP access, allowing tools on a remote workstation to operate inside the client's environment.

In addition, the market is growing in the number of tools focused on managing the remote privileged access of developers and engineers to the cloud infrastructure, in particular to support DevOps. Gartner includes HashiCorp, Apono, Teleport and StrongDM among such tools.

Endpoint PAM

Analysts expect a growing need for PAM on endpoints. We noticed that the quadrant leaders have already included endpoint privilege control in their solution portfolios. Sometimes this functionality is implemented by solutions from adjacent markets, EPP and UEM. They could potentially replace (or be an alternative to) buying PEDM from PAM vendors to manage privileges on endpoints.

Applying a risk-based or minimum-effective security model to PAM

PAM is a complex system, and not only because of the many disparate use cases and different types of privileges. PAM creates difficulties for users because it changes the way they access systems. The best way to mitigate this impact and balance cost, operational impact and security is to apply a risk-based approach to PAM.

For example, if a significant part of the intellectual property is stored on Linux servers while costs and effort are directed mainly at Windows servers, this indicates an imbalance in the approach to PAM. If regulated data such as personal or health information is most at risk, while the highest costs and effort go to technical support, that also suggests an unbalanced approach to PAM.

To apply a risk-based approach to PAM, it is first necessary to conduct an in-depth inventory of accounts across all PAM use cases, for all types of users (human and machine) and for all environments (on-premises, IaaS and SaaS). After identifying and classifying the PAM use cases, you need to rank them by access risk, from the highest to the lowest. Then you should build a PAM practice aimed at the use cases that pose the greatest risk to the business. It should be understood that a risk reduction of 80-90% is sometimes perfectly acceptable, especially if achieving the last 10-20% would require spending twice as much as has already been spent, with a result that does not justify those costs.
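The following is an added illustration of the procedure described in this section and of the Linux-versus-Windows imbalance example above; it is not code from the Gartner report or from the article. The use-case inventory, the 1-5 likelihood and impact scales, the spend shares and the 0.2 imbalance tolerance are all constructed assumptions.

```python
# Risk-based PAM prioritisation (added illustration; constructed sample data)
from dataclasses import dataclass

@dataclass(frozen=True)
class UseCase:
    name: str         # which privileged access, by whom (human or machine)
    platform: str     # "Linux", "Windows" or "cloud"
    likelihood: int   # 1 (rare) .. 5 (expected): chance the access is abused
    impact: int       # 1 (negligible) .. 5 (critical): damage if it is
    spend: float      # share (0..1) of current PAM effort spent on this case

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact

INVENTORY = [  # constructed inventory, not a real estate
    UseCase("Linux servers holding IP (admins)", "Linux", 4, 5, 0.05),
    UseCase("Windows file servers (helpdesk)", "Windows", 2, 2, 0.50),
    UseCase("IaaS owner roles (DevOps engineers)", "cloud", 4, 5, 0.10),
    UseCase("CI pipeline service accounts (machine)", "cloud", 3, 4, 0.05),
    UseCase("SaaS HR app holding personal data", "cloud", 3, 4, 0.05),
    UseCase("Monitoring agent accounts (machine)", "Windows", 2, 1, 0.25),
]

def rank_by_risk(cases):
    """Order use cases from highest to lowest risk (stable for ties)."""
    return sorted(cases, key=lambda c: c.risk, reverse=True)

def cases_covering(cases, target=0.8):
    """Smallest top-risk subset covering `target` of total risk; what is left
    out is the costly last 10-20 % the text warns about."""
    total = sum(c.risk for c in cases)
    chosen, covered = [], 0
    for c in rank_by_risk(cases):
        if covered / total >= target:
            break
        chosen.append(c)
        covered += c.risk
    return chosen, covered / total

def imbalance(cases, key, tolerance=0.2):
    """Groups whose spend share is off their risk share by > tolerance."""
    total = sum(c.risk for c in cases)
    flags = {}
    for group in sorted({key(c) for c in cases}):
        risk_share = sum(c.risk for c in cases if key(c) == group) / total
        spend_share = sum(c.spend for c in cases if key(c) == group)
        if abs(spend_share - risk_share) > tolerance:
            flags[group] = "over-funded" if spend_share > risk_share else "under-funded"
    return flags
```

With the constructed inventory, the four highest-risk use cases cover about 91% of total risk, and grouping by platform flags Windows as over-funded while Linux and cloud are under-funded.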

Password managers vs PAM

According to Gartner, password managers are not suitable for managing the credentials of privileged accounts because they lack the necessary functionality:

  • tracking privileged accounts across different systems, applications and devices;
  • managing service account credentials;
  • establishing privileged access sessions over SSH, RDP or HTTPS without revealing credentials to the user;
  • recording and viewing privileged access sessions, managing and suspending live sessions;
  • passing credentials to other software, which eliminates clear-text credentials in configuration files or scripts;
  • analytics and reporting on privileged accounts and their use (for example, detecting unauthorized use of privileged credentials or reporting unusual actions).

Reasons for the growth of the PAM market

According to Gartner, the PAM market grew 13.6% in 2023 compared to 2022. Growth is driven by high-profile breaches involving compromised privileged accounts and abuse of privilege, regulatory demands, the blurring of the security perimeter and migration to the cloud, as well as the overall increase in attacks. It is interesting to note that 10% to 20% of Gartner's customers are beginning to study and evaluate PAM because of the requirements of cyber risk insurers.

Interest in remote access management has also increased PAM sales: PAM is a recognized best practice for meeting regulatory requirements and reducing the security risks associated with remote access, so sales of remote access-oriented products have grown. This, in turn, has prompted vendors to pay close attention to developing remote access capabilities.

Gartner also noted the emergence of a new target audience, software developers and cloud service operators, brought about by the development of secrets management capabilities in PAM solutions.

PAM Market in Russia

With rare exceptions, the solutions of vendors mentioned in Gartner are not available in Russia. Nevertheless, domestic products follow global trends in the development of privileged access management and offer a worthy alternative to foreign products that have left the Russian market. Solutions of the companies I&T BASTION, WEB Control DC, Indid, RTK-Solar, NGR Softlab are fully capable of minimizing threats associated with privileged access. Moreover, a number of vendors are already offering support for just-in-time access and providing controlled remote access for suppliers, which not all Western manufacturers have. This allows domestic products to occupy a decent place in the PAM class.