What are the best Privileged Access Management (PAM) Solutions in 2020? The answer depends on who you ask and what your particular needs might be. It’s not like the Miss America Pageant, where one lucky winner takes home the crown. Rather, potential buyers of PAM technology have their choice of thought leaders and user review resources to consult.
A Brief Overview of PAM
Not all system users are equal. Organizations which practice secure computing principles typically apply the principle of least privilege. Regular users simply log onto the network and use their daily productivity applications while accessing the data they need to do their jobs. A privileged user, on the other hand, is someone who has permission to administer the systems themselves. This can mean many different things, but in general, a privileged user can set up, modify or delete software applications. He or she can configure—or reconfigure—servers, endpoints and databases. The privileged user can even delete data and erase any trace that he or she performed such a task. A PAM solution manages the assignment of access privileges, monitors privileged account sessions, and tracks actions taken by privileged users. PAM is usually viewed as a subset of the broader identity and access management (IAM) category. It also goes by other names: Privileged Account Management, Privileged Identity Management (PIM) and Privileged Access Security (PAS).
Why PAM Matters
PAM is an important part of IT security for two primary reasons. First, it’s absolutely critical to maintaining a strong security posture. Without some systematic management of privileged users, it’s nearly impossible to ensure that anything else will be secure. This is why the predominant security frameworks all insist on strong PAM controls. Secondly, PAM is hard to do. At least, it’s hard for organizations that lack a dedicated PAM solution. Using spreadsheets and manual processes to stay on top of provisioning of privileged account access, which happens more than you might think, is sub-optimal and prone to errors that result in risk exposure.
Gartner on Privileged Access Management Solutions
Gartner is an authoritative source on PAM. Their “Magic Quadrant” for the category, which was the first of its kind, appeared in 2018. They also published a report on Identity and Access Management (IAM) Leaders’ Guide to Privileged Access Management.
In the Magic Quadrant report, Gartner referred to PAM as “one of the most critical security controls, particularly in today’s increasingly complex IT environment.” Gartner listed several key criteria that would make a PAM solution worthy of serious consideration. This list includes the ability to discover privileged accounts. Indeed, not knowing who has access privileges is a serious vulnerability. A PAM solution should automatically find any user with administrative account access rights.
Gartner also treats privileged password management as a necessary requirement for a viable solution. What Gartner seems to be taking into account here is the tendency of admins to work around PAM solutions that are hard to use. If a PAM solution is cumbersome to install or operate, or administrators cannot keep up with the inevitable lifecycle of software and hardware upgrades, it will get circumvented or placed on the shelf, and access controls will be effectively nonexistent. Not only is the investment wasted, security is severely impaired: privileged sessions go unmonitored and data breaches may follow.
As a result, Gartner suggests that it should be impossible to circumvent the PAM solution. If the privileged user depends completely on the PAM solution for privileged access, he or she cannot work around it. With some solutions, the privileged user does not even know the actual privileged account password. Instead, he or she logs into the PAM solution and is routed to the administrative back end while the PAM solution logs the session activity in real time.
Gartner makes a distinction between PAM capabilities that affect human users versus those that deal with services and applications. A human-facing PAM solution might use single sign-on (SSO) as well as multi-factor authentication (MFA). One oriented towards system-based use should eliminate the practice of hard-coded passwords. This is a surprisingly common problem: admins often write backend passwords into scripts or other code, which may end up being stored in the public cloud. Such practices act as an invitation to be attacked and have sensitive system credentials harvested by attackers and malware tools. An effective PAM solution reduces the odds of such an event occurring.
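The following is an added example, not code from Hysolate or from Gartner's report, illustrating the hard-coded credential problem from two sides: a small scanner that flags literal credentials in a script, and the hardened form of the same script, where the credential is supplied at run time instead of living in the file. The two scripts are constructed samples; the host name, credential values and the `DB_PASSWORD` environment variable are assumptions for illustration, and the scanner's patterns are a deliberately simple heuristic rather than a complete secret-detection tool.

```python
"""Added example: detect hard-coded credentials in scripts (not Hysolate's code)."""
import re
from typing import List, Tuple

# Constructed sample of the anti-pattern: back-end secrets written into a script.
LEAKY_SCRIPT = '''
import psycopg2
DB_HOST = "db01.internal"
DB_PASSWORD = "Sup3rS3cret!"   # admin credential baked into the file
conn = psycopg2.connect(host=DB_HOST, user="postgres", password=DB_PASSWORD)
api_key = 'AKIAIOSFODNN7EXAMPLE'
DSN = "postgres://admin:hunter22@db01.internal/app"
'''

# Hardened form of the same script (also constructed): nothing secret is stored
# in the file. The credential is injected per session (here via an assumed
# DB_PASSWORD environment variable populated by a PAM broker) and can be
# rotated after use without touching the script.
HARDENED_SCRIPT = '''
import os
DB_HOST = "db01.internal"
# checked out from the PAM vault for this session; never written to disk here
DB_PASSWORD = os.environ["DB_PASSWORD"]
'''

SECRET_PATTERNS = [
    # A credential-looking name assigned a quoted literal of at least 4 chars,
    # e.g. DB_PASSWORD = "..." or api_key = '...'. Deliberately does not match
    # password=DB_PASSWORD, where the value is a reference rather than a literal.
    re.compile(r'(?i)(password|passwd|pwd|secret|token|api_?key)\w*\s*=\s*["\']([^"\']{4,})["\']'),
    # An AWS-style access key id.
    re.compile(r'\b(AKIA[0-9A-Z]{16})\b'),
    # A connection string with an embedded password: scheme://user:pass@host
    re.compile(r'[a-z][a-z0-9+.-]*://[^\s:/@]+:[^\s@/]+@'),
]


def find_hardcoded_secrets(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, matched_text) for each line that appears to embed
    a literal credential. Line numbers are 1-based over source.splitlines()."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for pattern in SECRET_PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append((lineno, match.group(0)))
                break  # one finding per line is enough to flag it
    return findings


def is_clean(source: str) -> bool:
    """True when the scanner finds no literal credentials in the script."""
    return not find_hardcoded_secrets(source)


if __name__ == "__main__":
    for lineno, text in find_hardcoded_secrets(LEAKY_SCRIPT):
        print(f"leaky script line {lineno}: {text}")
    print("hardened script clean:", is_clean(HARDENED_SCRIPT))
```

Running this flags three lines of the leaky script (the literal password, the access key and the connection string with an embedded password) and nothing in the hardened script, since there the only reference to a password is a lookup rather than a value. A check like this belongs in pre-commit hooks and CI so that a credential is caught before the script reaches a shared repository or cloud storage; it does not replace a PAM vault, which is what removes the need for the literal in the first place.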
Gartner’s Peer Insights site offers potential PAM buyers reviews and ratings from their industry peers. The site asks users to rate solutions on evaluation and contracting, integration and deployment experience, and service and support.
Peer reviews on PAM solutions
IT Central Station, which compiles peer reviews of enterprise technology products, devotes a section of its site to Privileged Access Management solutions. CyberArk PAS is the leader on IT Central Station, garnering the most reviews (48) and the highest ratings, a 9.0. Arcon Privileged Access Management is second, with 13 reviews and an 8.0 rating, followed by One Identity Safeguard, which has 11 reviews and an 8.3 rating.
Other review sites offer their own ratings winners for PAM solutions. G2 has Jumpcloud Directory-as-a-Service in its top slot, followed by Microsoft Azure Active Directory. CISO Platform ranks CyberArk as number one, with CA Technologies and Hitachi trailing in the second and third slots. Solutions Review lists BeyondTrust, Broadcom and Centrify at the top of their listings, but not in any particular order.
These differing rankings show that end users tend to have varying priorities for PAM. Use cases and IT environments are seldom the same from one IT organization to the next, so it makes sense that the top PAM choices are not consistent from site to site. Hardware-intensive IT departments will favor PAM solutions that make their lives easier, while those with data or application-centric environments will like PAM tools that support their needs, and so forth.
PAM and Hysolate
Hysolate offers an innovative solution that augments PAM tools to secure privileged access at the endpoint level. The Hysolate platform enables running multiple isolated operating systems on a single device with a unified and seamless user experience. It is intended as a replacement for the two-laptop air gap, often referred to as a Privileged Access Workstation (PAW), or for the Virtual Desktop solutions that many privileged users rely on in addition to PAM.
With Hysolate, a privileged user is provisioned a workstation that has two completely separate operating systems running on it. The primary virtual machine (VM) is for general corporate use. This allows users to continue their daily productivity activities such as checking email, web browsing and connecting to the non-privileged areas of the corporate network in a much more open manner. The other OS, which is running on a separate VM, is restricted to allow access only to the privileged zones of the corporate network. This machine does not allow web browsing, email or the opening of files in general. With this approach, the privileged user carries a privileged access workstation wherever he or she goes.
By restricting what the privileged VM is allowed to do, you significantly reduce its attack surface, potentially removing its exposure to the Internet altogether. Requiring privileged users to reach the PAM solution, and by extension the privileged resources whose credentials it brokers, only from this privileged VM therefore removes a significant amount of risk.
Are your current privileged access management efforts enough? Learn how Hysolate isolates PAM solutions for top grade endpoint security. Start your free trial here.