Wallix, One Identity Remain Visionaries as Securing Remote Work Takes Center Stage
CyberArk, Delinea and BeyondTrust have maintained their positions atop the privileged access management market due to their adaptability to client needs, according to Gartner.
See Also: The Backbone of Modern Security: Intelligent Privilege Controls™ for Every Identity
The leaders quadrant remains unchanged from 2023 due to consistent performance and a strong focus on execution from CyberArk, Delinea and BeyondTrust as well as slower progress by rivals, specifically when it comes to offering Software as a Service products, said Gartner Senior Director and Analyst Paul Mezzera (see: CyberArk, BeyondTrust, Delinea Dominate Gartner MQ for PAM).
"The leaders still remain the leaders because they're really in tune to where the puck is going and what is important from a capability perspective, as well as execution," Mezzera told Information Security Media Group. "Some vendors are still behind from that perspective, in offering the SaaS solutions, and then just behind in some of the features."
Remote privileged access management was historically part of the broader PAM use case, but is now a standalone item given the importance of securing third-party and remote access, said Gartner Senior Director and Analyst Paul Mezzera. Unlike traditional users who go through internal HR processes, remote users require capabilities like self-registration and identity verification to ensure secure access.
"The big change is us separating out the remote privilege access management into its own use case and capability that we rate independently from the others," Mezzera said. "Remote PAM is really supposed to help mitigate the risk of third-party privilege access management."
Secrets management has gained attention as organizations move to the cloud, which he said has created a need to secure sensitive information API keys and passwords embedded in code repositories and cloud infrastructure. PAM vendors have integrated secrets management into their tools to handle non-human credentials essential for cloud and DevOps workflows such as APIs and service accounts, Mezzera said.
"Secrets management really came more into light with a lot of the migration to the cloud," Mezzera said. "It's kind of the non-human or machine aspect of privileged access management. So you still have to treat them just like passwords in the sense that you want to make sure that you rotate them, secure them, and make sure that they're not exposed."
Cloud infrastructure entitlement management tools focus on analyzing and managing the permissions associated with cloud infrastructure, which he said helps organizations trim down excessive permissions and adopt a least-privileged approach to cloud security. Mezzera emphasized that CIEM aligns closely with PAM's goal of minimizing risk by analyzing excessive permissions and offering just-in-time access.
"CIEM tools are meant to do the analysis of what's really being used and how they can trim down those excessive privileges," Mezzera said. "So, it makes a lot of sense from a PAM perspective, because a lot of those entitlements are considered privileged access."
While AI and machine learning have been part of PAM solutions for behavioral analytics, Mezzera said there has not yet been significant adoption of generative AI for decision-making or natural language interfaces. Although Mezzera anticipates future potential for generative AI to assist with configuration and decision-making, he said current adoption remains minimal.
"I think it would be helpful at some point given that sometimes these tools can be complicated to configure and support," Mezzera said. "But I'm not seeing a whole lot there in terms of the generative AI specifically."
Mezzera believes the biggest changes over the next year will focus on making PAM solutions easier to deploy and configure, especially when it comes to onboarding privileged accounts in complex cloud environments. Improvements in CIEM, secrets management, and privileged account discovery and onboarding are expected to drive further innovation in the PAM space, according to Mezzera.
"Accounts are popping up all over the place, right?" Mezzera said. "And so how do we best discover and onboard those privileged accounts into our environment? I'm hoping to see some improvements there as well."
Gartner for the fourth consecutive year recognized Boston-area vendor CyberArk for having the most complete vision around privileged access management. Delinea took the silver, BeyondTrust took the bronze, and Wallix and One Identity took fourth and fifth place, respectively. In 2023, BeyondTrust took the silver, One Identity took the bronze, and Delinea and Wallix took fourth and fifth place.
From an execution ability standpoint, Arcon snatched the gold, Delinea took silver, CyberArk captured the bronze, and BeyondTrust and ManageEngine took fourth and fifth place, respectively. Last year, CyberArk and BeyondTrust tied for the gold. Arcon captured the bronze, and ManageEngine and Delinea took fourth and fifth place, respectively.
Outside of the leaders, here's how Gartner sees the privileged access management market:
CyberArk debuted innovations around secrets managements and automated threat response as well as expanded privileged access management to cover modern IT setups, said Senior Vice President Barak Feldman. The rise of cloud, DevOps and dynamic workloads requires a shift to systems where privileges are granted "just in time" and automatically revoked when no longer needed to cut the attack surface.
The company is focused on managing secrets across Microsoft Azure, Amazon Web Services and Google Cloud, with the company's Secrets Hub product enabling centralized control and allowing developers to work seamlessly within their cloud environments. Feldman said CyberArk's focus on handling new types of human and non-human identities and managing secrets in cloud-native vaults sets it apart from rivals (see: CyberArk to Secure Machine Identities with $1.54B Venafi Buy).
"You get the privileged access on the fly, and it's removed when you're done," Feldman said. "So, we really are reducing the attack surface, but it's also exponentially enhancing the user experience. Because now I can just use data, I can log in natively to my target system. So, speed was key here, and not only Gartner acknowledges it. We've seen a lot of interest in actual consumption on the customer side."
Gartner criticized CyberArk for complex configuration and management, high prices, subpar customer support and response speeds, and limited centralized sudo management and file integrity monitoring for UNIX/Linux. Feldman acknowledged the validity of Gartner's critique, and said CyberArk is working to simplify its pricing model, enhance its SaaS offerings and improve customer support.
"We actually want to become more flexible, where we can negotiate and meet the customer where they are," Feldman told ISMG. "So, actually not have built-in discounts, but be able to negotiate. And we've been working very hard on a much more flexible model."
Delinea has expanded beyond privileged access management into cloud identity and threat detection through acquisitions that enable the company to audit and secure identities in the cloud and address identity governance and risk management, said President Rick Hanson. The Authomize buy fueled cloud identity discovery and threat detection, while Fastpath brought governance and provisioning tools.
Delinea has focused on building fully cloud-native products and require 90% fewer resources for setup and maintenance as compared with competitors, according to Hanson. CyberArk's deep relationships with large enterprises make it difficult to penetrate certain accounts, but Hanson said Delinea's modern, cloud-native solutions and strong go-to-market strategy position them to win over new customers (see: PAM Provider Delinea Buys Fastpath).
"PAM got entirely too complicated," Hanson told ISMG. "And so when we rewrote our platform, we went for ease of use, and basically we've been recognized to need 90% less resources to set up and run our solution within an organization. In that ease of use and in that time to value, we are leaps and bounds ahead of both of our competitors."
Gartner criticized Delinea for uneven pricing, a large number of executive changes, requiring PowerShell for certain customizations and requiring local agents for video session metadata recording. Hanson said Delinea experienced some executive turnover when first formed but said the new leadership team has stabilized. He agrees that video session recording requires local agents but defends its unique AI-driven capabilities.
"You have hundreds of thousands of video sessions that can be done in a single day, and we can look at certain threats and really bring those threats down to ones that we believe are actionable," Hanson said. "That was the agent architecture to do it, but it's something none of our competitors can do. So, it's a bit unfair that we're not compared to competitors because we did something that no one else is doing."
BeyondTrust has focused on transforming privileged access management from just managing privileged accounts to actively preventing and detecting abuse, said Chief Technology Officer Marc Maiffret. The company's identity security insights tool has showcased its real-world application by detecting external attacks such as the breach at Okta, and Maiffret said it helps mitigate broader risks.
The company's acquisition of Entitle brought unified identity management capabilities to BeyondTrust's platform, helping businesses manage access across on-premises, cloud and SaaS environments from a single point of control, Maiffret said. The company offers robust detection and prevention features and enhances both security and user experience through how it secures cloud infrastructure, he said (see: Identity Is the New Battleground in Cloud-Era Cyberattacks).
"If you're looking for a PAM solution that is not only in management but the active protection and prevention of privilege-based attacks, I think that's something that we're leading in," Maiffret told ISMG. "While there's a lot that's important from the management of privileges, how you actually enable secure access to resources is critically important."
Gartner criticized BeyondTrust for high pricing, rudimentary workload identity and secrets management capabilities, lack of discovery for shadow admin accounts and private Secure Shell keys, and an inability to provide information for troubleshooting beyond logging. Maiffret said BeyondTrust recently launched enhanced reporting features, and is working to improve in other areas as well.
"On the discovery side, I think there's more there that we actually do than was given credit for," Maiffret said. "One of the things we do uniquely there is not having a standalone secondary secrets vault that you have to actually purchase separate than what you might be doing from a PAM vaulting perspective, but actually having a unified PAM vault/secrets management in a single solution."