23 March 2023

Disruption In The PAM Market: Our Thoughts On The KuppingerCole PAM Leadership Compass

The Privileged Access Management (PAM) market has grown a lot in recent years. According to Statista, the global PAM market was worth $1.4 billion (£1.1 billion) in 2018, and it’s forecast to be worth around $2.9 billion (£2.4 billion) by 2024.

Verizon’s 2021 Data Breach Investigations Report showed that 61% of data leaks involved privileged credentials and information, so it’s no surprise that more and more businesses are choosing to address cyber security risks and integrate PAM technologies into their cyber defences. The PAM market’s continuing to evolve, though, and two years after their last report, KuppingerCole has given us a snapshot of today’s PAM market. Read on for our two cents on the latest changes.

Privileged Access Management Market Growth

As we’ve already mentioned, the PAM market is growing fast. It’s attracting new players, and there are now more PAM and PAM-capable vendors (there are 25 in total) than ever before. New companies are entering the market, but many have launched with highly focused PAM apps instead of suites, and are often cloud-native. The number of Privileged Access Management solutions is growing despite the consolidations that have been happening recently – one of the current leaders in the market, for example, is Delinea, which was formed through the merger of Thycotic and Centrify.

One of the biggest players still standing is our partner, CyberArk, which KuppingerCole named once again as an Overall Privileged Access Management Leader in their latest report. Not only has it never been acquired or merged, but it’s publicly traded rather than owned by private equity. KuppingerCole noted in their report that CyberArk has one of the widest support levels for platforms and deployments, and has been investing heavily in R&D lately, adding new features and capabilities including Dynamic Privileged Access.

Diversification

Despite the presence of bigger businesses like CyberArk and Delinea, which offer every kind of PAM solution, the market has seen a lot of innovation and diversification. The market is currently split between the end-to-end PAM offerings from the bigger players, and the newcomers, who are smaller and more specialised. These vendors focus on one specific area – like DevOps or database access, for example – and we’re seeing more and more of these coming into the market.

The growth of PAM is being fueled by more and more businesses turning to multi-factor authentication (MFA) to protect their privileged data from data breaches or attacks. MFA systems use a combination of passwords, PINs, security questions, one-time passcodes, and even biometrics to authenticate users, and Privileged Access Management can be used to add an extra layer of protection for the most privileged account users.

Every business is different, and they all have different cyber security needs. With more and more businesses moving to the cloud, there’s a greater need for PAM, but there’s no one-size-fits-all solution. The proliferation and diversity of new PAM solutions out there can help all businesses to protect their privileged credentials and their data.

New Privileged Access Requirements

Emerging technologies – as well as changing requirements in the identity and access landscape – are leading to new functionalities for PAM solutions. One that’s becoming particularly prevalent, for example, is Customer Identity Access Management (CIAM). A more specialised version of traditional Identity and Access Management (IAM) solutions, CIAM helps businesses to gather information on their customers. The main purpose of it is to help businesses manage customer identities, provide them with stronger cyber security, offer them an enhanced experience, and protect their users’ data at the same time. Both the bigger players and the more specialist providers have already begun introducing CIAM into their offerings. CIAM can be integrated with PAM solutions, giving privileged accounts the ability to access their customer data as and when they need it.

The Emergence of CIEM

Managing privileged accounts can be challenging, particularly in cloud environments, and Cloud Infrastructure Entitlements Management (CIEM) looks set to change that. The complexity of modern cloud infrastructure has meant that businesses that have moved (or are in the process of moving) to the cloud are looking to improve their cloud infrastructure. They’re looking to reduce costs, improve their productivity, and use data better – and CIEM can solve some of the problems that PAM can’t.

CIEM helps businesses to manage the rights, permissions, and privileges for user identities in a cloud environment, making it easier for them to avoid risks such as privileges being higher – or lower – than they should be. With CIEM, IT and cyber security teams can ensure their cyber defences keep up with infrastructure changes.

The Future of Privileged Access Management

Of course, this doesn’t mean that PAM is on the way out just yet. As Paul Fisher, the Senior Analyst and author of the KuppingerCole Leadership Compass, explained, “Traditional PAM is being slightly shifted right into more static areas of the business but is still fundamentally an important thing to have.” Some PAM vendors have even started offering capabilities that are similar to CIEM, to keep up with customer demand.

The changes in the global PAM market have meant things are improving for IT and cyber security teams. Customers have more and more choices now when it comes to PAM solutions, meaning that businesses of all sizes can find the right solution to fit their unique requirements – or simply opt for an all-in-one solution from one of the industry’s leaders.

Whatever solution you’re looking for, we can help. The experts at Infosec K2K can offer you specialist guidance, and help you find the product that’s the best fit for you.

Get in touch with us to find out more about how we can help you.

8 March 2023

The Future Of Zero Trust

In the cybersecurity field, zero trust has gained a lot of attention in recent years, and for good reason. Cyber attacks are changing all the time, and becoming ever more sophisticated – and more frequent.

The more traditional perimeter-based security measures are no longer enough to protect businesses and organisations from cyber threats. Zero trust, meanwhile, takes a different approach – and just like the cyber threats it’s designed to combat, it’s also evolving. We’ve taken a look at some of the ways that it’s set to develop over the next few years.

What Is Zero Trust?

Before looking at the future of zero trust security, we wanted to look to the past to understand why it matters. Put simply, it assumes that all devices, users, and applications are potentially dangerous, and requires users to continuously verify their identity before they can be authorised to use a network.

When it comes to implementing a Zero Trust approach to cyber security, there is one simple rule to follow: never trust, always verify.

This approach helps organisations to both reduce their risk exposure and improve their security posture. A zero trust model is built on three key principles. First, organisations should assume that at all times, there are malicious actors trying to get into their network and access their files. Second, organisations should verify users, devices, and networks instead of trusting them implicitly – any device could have been hacked. Finally, all users and devices should only be given the authorisation they need to access the networks and files they need, to minimise the impact of any potential breach.

The Rise Of Zero Trust

Trust in businesses’ networks has never been more important – the number of cyber attacks has been increasing year on year. A recent study by Check Point Research revealed that the number of cyber attacks around the world had increased by 38% compared to 2021. It’s because of this that more and more organisations are turning to zero trust. In fact, the global zero trust security market was worth around $27.4 billion (£22.6 billion) last year, and is expected to grow to $60.7 billion (£50 billion) by 2027. As well as the rise in cyber attacks, one of the main contributors to the rise in zero trust adoption has been government initiatives. In 2021, for example, President Biden signed an Executive Order mandating that US federal agencies should adopt zero trust architecture, while in the UK, the National Cyber Security Centre has also offered its own guidance.

How Will It Evolve?

This approach is already playing a critical role in cyber security, and in the coming years, that’s likely to continue. In the future, you can expect these kinds of frameworks to become even smarter, more secure, and more accessible. As Inderjeet Barara, a thought leader and notable speaker in the cybersecurity space, explains, “Zero Trust is not just a cybersecurity framework, it’s a mindset shift for enterprises. As cyber threats continue to evolve, Zero Trust will become the foundation for secure access management, enabling organisations to protect their data and networks from anywhere, at any time.”

We’ve rounded up some of the key trends we can expect to see, and how we expect this security strategy to develop.

Expansion Beyond The Network Perimeter

For as long as the concept of zero trust security has been around, it’s traditionally just been focused on securing the perimeter of the organisation’s network. However, in recent years, more and more organisations have been moving to cloud-based environments – and with the pandemic largely over, companies have embraced remote and hybrid working models. This has meant that the network perimeter is becoming less and less defined. Zero trust will need to evolve and expand to include new environments and devices, so that users can be verified and authenticated regardless of where they’re connecting to your network from.

AI and Machine Learning

In order to combat the growing volume and complexity of cyber threats, organisations will need to rely more on artificial intelligence (AI) and machine learning technology. Both of these will make cybersecurity far more efficient, by assessing and evaluating new users, and even responding to potential security incidents. AI tools could be used to automate the verification of users, reducing the risk of human error, and freeing up employees to deal with other tasks.

More Integration

Zero trust is not a standalone solution. To be as effective as possible, it needs to be used with other cybersecurity solutions, like identity and access management, endpoint security, and threat intelligence. With organisations looking to streamline their security operations, we can expect to see more interoperability between these different solutions, and greater integration – especially as more businesses move to embrace this infrastructure.

Better User Experience

One of the most common criticisms of zero trust security is that it can be frustrating for some users, especially when they need to constantly verify their identity and re-authenticate themselves, and provide more information to access resources. While all this is necessary to keep networks secure and protect sensitive data, it can cause some friction with users. In the future, we expect more zero trust solutions to have a greater focus on improving the users’ experience, while still keeping the network secure. This could be through more seamless authentication and authorisation processes, or giving users a way to verify themselves, perhaps through biometric data, like fingerprints or voice recognition.

Zero trust security is a rapidly evolving field, and it’s set to become increasingly important in the years ahead.

Organisations will need to take a more proactive approach to cybersecurity. Zero trust security can help to achieve that, and we can expect to see more innovation and evolution over the next few years. If you’re looking for support implementing your own zero trust solution, or you just want to find out more, then you’re in the right place!
