
Comparison of Different PAM Products

What is a PAM Solution?

Privileged Access Management (PAM) is a subset of IAM that protects privileged accounts in an enterprise. It focuses on securing critical assets and meeting compliance while monitoring and tracking privileged accounts. It helps organisations prevent the misuse of elevated access by ensuring the correct level of authorization and keeping track of privileged users.

PAM solutions are tools used to secure, control and monitor an organization's sensitive resources and data by implementing access controls on the privileged accounts and resources. A number of vendors provide PAM solutions, each with their own set of features and USPs.

80% of IT security professionals consider Privileged Account Management security a high priority.

How do PAM solutions work?

PAM is a combination of technology, humans and processes. Most PAM solutions have their own encrypted vault which is used to store credentials and other equally privileged data such as private keys. Another major component of a PAM solution is its capability to discover the privileged accounts or resources in an environment. Discovery allows an organization to find and manage all privileged accounts and resources, reducing the risk surface in previously forgotten accounts. PAM solutions also provide remote password rotation capabilities along with audit reports and session monitoring which helps to meet compliance and regulations, ultimately hardening the security and improving the risk posture. 

Below are some of the industry-leading PAM solution providers:

BeyondTrust

BeyondTrust is privately held by Francisco Partners. It provides a smooth platform to prevent data breaches related to stolen credentials, misused privileges, and compromised remote access. This unifies privileged password and privileged session management, providing secure management, auditing, and monitoring for any privileged credential within an organization. BeyondTrust records the actions of a user while they access your password-protected managed systems. The actions are recorded in real time with the ability to bypass inactivity in the session. This allows you to view only the actions of the user.

CyberArk

CyberArk PAS is an end-to-end solution that protects, manages and audits user and application credentials, provides least privilege access and session isolation while recording, monitoring and responding to real-time privileged activity using intelligent threat analytics. The primary focus of CyberArk is on the financial services, energy, retail, healthcare and government markets. CyberArk Remote Access helps organisations secure external vendor access to critical systems without the need for VPNs, agents or passwords. The product has more large-scale virtual and distant implementations than any other competitor, and it has addressed multiple privileged account security concerns.

The PTA from CyberArk is a cutting-edge technology for privileged account security intelligence that identifies previously undetected dangerous privileged user behaviour to deliver detailed, instantly actionable risk analytics.

Saviynt

Saviynt is a disruptive cloud-built IAG (Identity and Access Governance) platform that helps modern enterprises scale cloud initiatives and solve the toughest security and compliance challenges in record time. The Saviynt CPAM (Cloud Privileged Access Management) solution comes with IGA capabilities baked in with PAM. It is an on-the-cloud, for-the-cloud PAM solution which can be integrated with most of the Cloud Service Providers.

Delinea

Delinea is a leading provider of cloud-ready privileged access management (PAM) solutions that empowers cybersecurity for the modern, hybrid enterprise. As one of the leading PAM solution providers it helps us to manage hybrid enterprises seamlessly. Delinea Secret Server offers almost all the PAM capabilities (Discovery, Remote Password Changing, Session recording & monitoring, reporting, event subscription etc.) and can be implemented as an on-prem or cloud hosted solution.

Comparison table of different PAM products

| Features | BeyondTrust | CyberArk | Saviynt | Delinea |
| --- | --- | --- | --- | --- |
| Discovery | It provides the capability to scan the environment to discover privileged accounts in a vast variety of environments, however it does not have the ability to scan cloud environments (apart from machines in those environments using special connectors). | A wide variety of scanners are available OOTB. Along with that it has a robust marketplace for custom built ones from a variety of vendors. It also partially provides the capability to scan the environment to discover privileged accounts in cloud environments. | Provides real time discovery of privileged accounts in standard applications. Has robust monitoring for cloud environments (features depend on cloud platform). | Delinea provides the capability to scan environments to discover privileged accounts across a wide range of environments. Customizations are possible to find accounts but cloud real time monitoring is not available. |
| Integration | Integration with IAM tools is possible via the SCIM connector. | CyberArk has the option to integrate with IAM tools using SCIM connectors. | Saviynt has a built in IGA tool along with its CPAM offering and they can be bundled together. | It allows integration with IAM tools with a SCIM configuration. |
| Upgrades/Patching | Automated patching and upgrades are built into the solution if required. Hardened appliances also apply Windows patches for the self hosted deployments. The cloud version is taken care of by the BeyondTrust team. | CyberArk's self hosted solutions require careful planning for upgrades. This is because of the number of components that need to be upgraded. CyberArk's latest offering, the Privilege Cloud, takes care of this as the infrastructure is maintained by CyberArk. | Automated patching and upgrades are default features in Saviynt CPAM as it is a fully cloud hosted system. | Delinea also provides automated patching and upgrades for their on-prem version. The upgrade process is done through an intuitive UI and is fairly automatic. The cloud version upgrades are taken care of by the Delinea team. |
| Customization | Customization options are limited to using SSH connectors. Not a wide variety of tools can be used for customization, thus limiting extensibility. | CyberArk has extensive customization capabilities for both session recording and password management. They also feature a large library of connectors built for various components which allow organizations speed in their implementation. They are not restricted to SSH and can even be configured to run AutoIt scripts for session recording. | CPAM is a newer tool and while it may support customization, extensive details are not available on how it is performed. Professionals should be well trained to understand the customization. | Custom remote connectors for password management can be configured. Session recording can also be done through custom launchers, however it is not as extensive as CyberArk. Delinea also doesn't have a centralised marketplace for such integrations. |
| Cost | BeyondTrust requires high cost whereas licence cost may be less in other competitors. Organisations often choose low SQL licensing costs when compared to other tools. | Highest total cost for licensing and deployment. | Cost involved is comparable to the other cloud PAM solutions and sometimes a little cheaper because of its newer entry in the market. | It is a costly tool when one factors the cost of SQL licensing in it. In addition, with many different isolated network subnets customers have to purchase additional licensing for some components, thus increasing cost. |

80% of security breaches involve privileged credentials.

How can SecurDI help you make use of these tools?

SecurDI has certified professionals who can help you in providing secure PAM solutions. We help strategize, roadmap, design, plan, implement and operate the various PAM solutions. We assist in ensuring your business needs are solved, and that your sensitive accounts are protected no matter which tool or vendor you go for.

Authored by,
Arsath Ahmed
