CyberArk, Delinea, One Identity Top Gartner MQ for PAM
CyberArk Keeps Leading the PAM Market, With Delinea and One Identity Close Behind Michael Novinson (MichaelNovinson) • July 29, 2022
CyberArk better be careful – that’s the gist of a new study of the privileged access management market. Long-reigning undisputed leader it may be, but it’s not impervious to competitors such as Delinea and One Identity, which are catching up thanks to a few acquired boosts last year to their capabilities.
See Also: OnDemand | Zero Tolerance: Controlling The Landscape Where You’ll Meet Your Adversaries
“CyberArk has been the 800-pound gorilla for a long time. They’ve been the king of the hill,” Gartner Magic Quadrant author Michael Kelley tells Information Security Media Group. “They still remain the leader, but I think lots of companies are doing a lot of investment and catching up a little bit on feature and functionality.” The consultancy released its latest Magic Quadrant for the PAM industry on July 19, evaluating the competitive standings of 11 companies.
Gartner once again recognized publicly traded Boston-area vendor CyberArk for having the most complete vision and strongest execution ability around privileged access management.
Reasons for the company to closely watch its back paradoxically start with the growing size of the market. Interest in PAM tools has perked up outside its traditional constituency of compliance and audit departments, Gartner finds. Cyber insurance providers are almost bullying corporate Americans into becoming PAM customers by threatening massive rate increases to any client without such tools, Kelley says.
“The cost of a breach is much larger if a privileged account has been compromised,” Kelley says. “I think cybersecurity insurers recognize that one way of limiting the impact of cybersecurity breaches – and especially their responsibility to pay for cybersecurity breaches – is to have good controls in place for privileged accounts.” Gartner estimated in 2018 that 70% of organizations would implement PAM by 2022, and that prediction has nearly come to pass.
CyberArk competition One Identity, which is splitting from Quest and is fresh from its October purchase of OneLogin, took silver for completeness of vision in the Gartner race. Mumbai-based Arcon took the silver in execution ability.
Silicon Valley-based Delinea was formed in February through the merging of TPG Capital-owned rivals Thycotic and Centrify and was bestowed bronze in both completeness of vision and execution ability. Atlanta-based BeyondTrust and Paris-based Wallix were also recognized as leaders by Gartner.
“Some people are surprised because Arcon and Wallix are more regional companies,” Kelley says. “But they’ve become very, very strong in their region. And they’ve become very strong from a technical perspective. So we felt that they belonged.”
Gartner’s take on the privileged access market has changed somewhat from last year, with Wallix progressing from a challenger to a leader thanks to increased innovation, more interesting things on the road map, and a better vision for approaching the market. And BeyondTrust – whose execution ability last year was head and shoulders above all leaders but CyberArk – now ranks fifth in the execution criteria.
Outside of the leaders, here’s how Gartner sees the privileged access management market:
- Visionary: Saviynt;
- Niche Players: Broadcom, ManageEngine, Hitachi ID and Netwrix;
- Missing the List: Fudo Security, HashiCorp, Imprivata, Krontech, Microsoft, Remediant, Sectona, Senhasegura and Teleport, which didn’t meet technical or revenue inclusion criteria.
“PAM is a fundamental, foundational security control that you just can’t do without nowadays,” Kelley says.
CyberArk Seeks to Improve On-Premises Experience
CyberArk has focused over the past year on extending its endpoint privilege manager product to include Linux in addition to Windows and Mac so that firms can more easily elevate users to admin privileges no matter which operating system they’re using, says Barak Feldman, senior vice president of PAM and identity security. The company wants to more effectively address use cases in the cloud, SaaS and DevOps world, he says (see: CyberArk Execs: 9 Bets on What’s Next in Identity Security).
With CyberArk’s on-premises PAM product, Feldman says the investments have focused primarily on user experience to improve time to value and the experience around deployment. CyberArk’s maturity in the PAM market has allowed it to expand into adjacent areas such as just-in-time access and cloud entitlements while competitors are still focused on maturing and adding core features to their PAM offering, he says.
“Our foundation is so strong that we have the ability now to expand into areas like just-in-time access and cloud entitlements,” Feldman tells ISMG. “Our competitors are still in the phase of getting that experience maturing. And so we’re very excited about the results.”
Gartner criticized CyberArk for poor ease of use and difficulty deploying the software-delivered version of the product. Feldman says CyberArk wants to make its on-premises product easier to manage and upgrade and ensure that the rich features it offers don’t introduce additional complexity. Roughly two-thirds of CyberArk PAM subscriptions today are SaaS-based with the remaining one-third still on-premises.
“We definitely are putting a lot of effort to make the customer experience a lot better,” Feldman says. “It’s a continuous thing.”
Delinea Puts Usability Front and Center
Bringing Thycotic and Centrify together has created a best of both worlds scenario thanks to Thycotic’s strength in vaulting, managing, collecting and rotating credentials and Centrify’s ability to define what users entering the system are allowed to access, says Delinea CEO Art Gilliland. Delinea will incorporate elevated risk scoring alongside privilege accounts when deciding which users get what level of access.
Gilliland says Delinea continues to focus on enhancing the usability of its workflows and interface given the skills shortage and level of attrition many of the company’s customers are experiencing. In addition, Delinea wants to consolidate its account management capabilities and apply the principles of least privilege to both traditional super users as well as devices and nonuser-based identities, Gilliland says.
“Products that are intuitive and easy to use are just more effective because you’ll use them,” Gilliland tells ISMG. “We’ve invested a lot in upgrading the UI and making the interface a lot more usable.”
Gartner criticized Delinea for lacking native agentless recording in its session management offering and lagging behind in service account and credential management for Secret Server. Gilliland says the lack of certain features reflects the strategic choice Delinea has made to focus largely on core use cases without creating custom tooling that would make the product heavier and more complicated for everyone else.
“This allows us to focus very specifically on the core use cases without dragging us down the rabbit hole of individual company integrations, which some of our competitors spend a lot of resource on,” Gilliland says. “Part of our differentiation is that the technology is fast and easy to use.”
One Identity Sees PAM as Part of Bigger Picture
Although PAM accounts for more than half of One Identity’s deployments, customers benefit from the company’s presence in the identity governance, access management and Active Directory management and security markets following last year’s acquisition of OneLogin, says Larry Chinski, vice president of global IAM strategy and customer advocacy. This allows One Identity to have more than just a stand-alone PAM tool.
One Identity has differentiated its privileged access practice by putting the remediation of events in real time using behavioral biometrics front and center rather than the elevation of privileged accounts, Chinski says. Moving away from the fragmented, siloed PAM tools that exist in infrastructure-focused security postures and toward a more holistic platform featuring PAM will benefit customers, he says.
“Cybersecurity has changed in just the last couple of years,” Chinski tells ISMG. “It’s moved from an infrastructure-centric protection model to an identity-centric ‘verify and validate’ model. You’re not building your security posture around infrastructure components anymore. Instead, we’re building a security posture on top of the identity.”
Gartner criticized One Identity for offering only rudimentary stand-alone secret management capabilities and lacking the critical SOC 2 certification for its SaaS offering. One Identity already had plans to address the product and operational deficiencies highlighted by Gartner while preparing for use case feature consolidation by tying its platform back to identity management for privileged governance.
“The-next generation PAM is about being able to integrate with IAM for web single sign-on to the PAM portals and all the benefits we get by snapping into IGA for governance and Active Directory management for zero trust,” Chinski says.
BeyondTrust to Join On-Prem, Cloud on Single Console
BeyondTrust has been taking the functions used to manage privileged accounts on-premises and moving them into Amazon Web Services or Microsoft Azure to give customers a more unified understanding of their cloud environment, says CTO Marc Maiffret. The company will debut a platform late this year that will allow customers to manage on-premises, cloud and SaaS users from a single console, Maiffret says.
Maiffret wants BeyondTrust to get to the heart of the identity threat detection space through policies, compliance and controls that can lessen the impact of a breach and better understand the identities in an environment that are being compromised. BeyondTrust plans to work with third-party security operations and identity teams to improve the detection of identities that have been compromised.
“The biggest push across the entire suite of products has really been around how we extend them to cloud service provider and SaaS environments,” Maiffret tells ISMG. “It’s about taking the timeless aspects of security, like least privilege, and moving that into cloud environments.”
Gartner criticized BeyondTrust for low privileged session management scores and lacking support for native authentication mechanisms in its secrets management offering. Maiffret says the critique stems from Gartner not including BeyondTrust’s privileged remote access report as part of the evaluation, adding that BeyondTrust’s unified platform coming in late 2022 wasn’t reflected in Gartner’s evaluation.
“We’re not too worried because we’re more interested in what actually comes out at the end of the year and what we’re working on,” Maiffret says.
Wallix Expands From Europe to the US
Wallix entered the PAM market three years ago from a session management background to provide customers with a unified way to control access and privilege for any kind of user, says product and marketing director Edwige Brossard. The company recently made it easier to delegate and elevate privileged access so that companies can provision heightened access for a defined period of time.
Brossard says Wallix has implemented a remote SaaS service as part of its portfolio to make it easier for organizations to deploy and maintain their privileged access offering. Wallix has also invested heavily in certain vertical markets such as OT to give manufacturers and members of the supply chain cyber expertise and better usability without compromising on protection, according to Brossard.
“We do believe that having something more unified and dealing after that with privileges as a task you have to cover is really important,” Brossard tells ISMG.
Gartner criticized Wallix for lacking native features for privileged access governance and administration and offering only limited account discovery features. Brossard says Wallix needs to expand the breadth of its product offering and already had a lot of the shortcomings Gartner noted on its product road map. Wallix’s push into the United States this year will make the company more visible to global customers.
“Our plan is to keep pushing what we have in the U.S. and accelerate the customer base over there while at the same time developing much more of an MSP and midmarket business in Europe, Brossard says.
Arcon Continues to Play Feature Catch-Up
The Gartner Magic Quadrant report lauds Arcon for making big strides around secrets management, CIEM, and just-in-time functionality over the past year and pricing its privileged account and session management capabilities below most of its peers. Gartner praises Arcon for giving each customer a customer success manager and making its technical account managers available for large accounts.
Gartner criticized Arcon for having a limited number of prebuilt integrations for adjacent technologies and relying on agents and client tools for the best user experience. The company lags behind its peers in gaining new customers, with Arcon’s road map focusing largely on adding new features that already exist in competitor products. Arcon didn’t respond to an ISMG request for comment.
“A big thank you to our global partners and customers as well,” Arcon writes in a blog post. “Your unwavering support keeps Arcon motivated as it continues to challenge every boundary.”