Best Privileged Access Management Vendors & Solutions

Hi Simone,

Following are the products which you can look for your requirement. I recommend to select any solutions depend on the your organization need. Is it needed on premise or on cloud. Do you need SAAS service or have in house deployment. On these conditions cost will differ. My personal opinion is 

CyberArk, 

Thycotic, 

Wallix

Beyondtrust

Microsoft Azure AD Premium

Thanks,

Kishan

When It comes to PAM, I would say Thycotic, CyberArk, BeyondTrust are the ones I normally include in RFPs.  However, where your environment is exclusively Azure cloud-based, I say that Microsoft's Azure AD Premium provides a pretty good PIM solution. These are different solutions to achieve the same goal of managing privileged access. 

I would first state that you are asking an unqualified question. The PAM tool that matches your organizations requirements, use cases, volume, and many other considerations, will need to be considered in this equation. I like the previous answer by Kishan as I like those products and see them employed successfully. The converse is also true if not carefully scoped and evaluated.

PAM tools can be costly and contain confounding arrays of security features and terminology synchronization will be key in ensuring you are getting what you actually are asking for. On top of the software cost implications you will have the Architectural, Implementation, and Administration costs nipping at your heels. Consider also that this is not a "PAM Project", but a long term Program and buy-off must start from the very top of your organization.

I have witnessed, and participated, in projects that started out with your question, and many went off the rails, unless important considerations are taken into account:

1. Define your requirements with granularity, including integration with your existing infrastructure such as: Authentication / Authorization / MFA, syslog, analytics, Disaster Recovery and High Availability just to name a few.

2.Determine your overall goals relating to Least Privilege, Standing Privilege, Just in time Privilege, and No standing privilege. Do you require Session Recording and Keystroke Logging, as they are not always bundled  into the initial price and sometimes not together, and may be individual features in your initial quotations and can unpleasantly surprise you.

3. Provision a comprehensive test environment to confirm the viability of the product choices within your infrastructure.

4. Select a vendor or integration partner to back-fill the expertise gaps in your organization as these skill-sets are very expensive and marketable.

I apologize for not answering your question directly, but I would consider looking into the Gartner resources, KuppingerCole and so on.

In a short direct answer I favor CyberArk, BeyondTrust, Thycotic, Centrify, and StealthBits, and these are definitely not in any preferential order.

Hi Simone,

When we started the PAM journey we POC'ed three vendors based on the use cases and the roadmap for your requirements.  Since the world is shifting to cloud infrastructure, i would recommend looking at these vendors.  

One Identity (Safe Guard), CyberArk, and Beyondtrust.  We decided to go with One Identity because it was the right fit for our use cases and requirements.  We have been using safe guard for several years and it did not disappoint so far! Rock Solid tool.

I'd say that everything depends on your detailed requirements. I can tell that I know many customers who selected One Identity because it was ideal for their needs. Here is what they valued most:

1. Ease of deployment. After several months of piloting competitive solutions, One Identity pilot was started within 1 week (in basic scenarios that can be started within 2 days).

2. No need to deploy agents on servers. That is really important for critical infrastructure.

3. No need to change tools on the client's side. Admins really like it. They are not forced to use some inconvenient tools.

4. Scalability: I'd say that there is no company whose needs cannot be covered by this solution.

If you value the same things than have a look at One Identity.

I would advise choosing among Gartner MQ Leaders. You are a Bank so the solution should be robust. According to the latest Gartner PAM MQ the leader are CyberArk, Centrify, Beyond Trust, Thycotic. If you need 5 options, take a look at One Identity.

FUDO was excluded by Gartner from the latest PAM MQ.

PAM solutions worth considering are CyberArc, Centrify, Beyond Trust, Thycotic & Fudo.

BeyondTrust

CyberArk

Thycotic

Centrify

One identity

These are the big players. While they can all do PAM, things you should consider in making a choice include have a success criteria, what you want to achieve, cost, ease of implementation and management, scalability, etc. 

Go for the features you need and fits your requirement and not nice to have. 

What answer will you give for such question: 'what is the best car?'

Is it 'Ferrari, Bugatti, Aston Martin' or "BMW, Mercedes, Audi' or 'Jeep, Toyota, Mitsubishi'?

Give us more info and we will be able to give better advice.

I'd say that if session management is important for you than One Identity should definitely in the list.

And please don't make your choice based on marketing. Test in your infrastructure and you will definitely see the difference. 

I like the potential for catching an unusual activity like that with our recently implemented endpoint detection tool, Cynet360.  It seems so far to have about the highest level of transparency into the endpoint with a 24x7x365 backing of monitoring.  

It's understood that internal tool probably shared by Internal Employee as RCA. The tool was used to reset associated Mail Address of account thereby Password Reset of Choice. In MFA of Identity related features, it's more secured on keeping it with associated Mobile Secure Pin or SoftCrypto Code in Future to avoid compromise at this moment is the lesson learned. 

The use of two factor authentication by Twitter

This is one of the Identity theft issue, which means some one hack your password or account and do activity which he she is not suppose to do. basic reason of hack of your identity or password is Social engineering. second reason is system has week privilege access management. If you have less control on admin id or privilege id then enter firm has to suffer along with the customer of that firm. For me the take away of this event is to protect privilege ID and you good PAM PIM tool with two factor and UBA included.  

Span of control, Solid RBAC, Privileged Access Management (PAM) 

First, terminology - there really is no such thing as privileged identity management. PAM systems broker access to existing accounts and other entitlements - they do not normally create or manage the lifecycles of identities (login accounts, etc.) which is what identity management means. That's just a misnomer introduced and later abandoned by some vendors.

As for the link between ML/AI and PAM - it is basically to identify unusual but authorized access and trigger either extra authorization or at least alerts.
It's normal that John connects to root on the Linux server M-F in the morning, but it's really strange at 3AM on Saturday, so invite John's manager to approve the odd-looking request.

Typically any new latest PAM comes with a great number of options for automation. Integration with JSON scripts is also possible. It depends on what is the use case you want to achieve. If an ML can trigger AI to send some request to PAM then based upon the input received and configured automation rules in PAM the action will be taken. BeyondTrust PAM can do this.