Thursday, December 24, 2009

Privileged Account Management’s Star to Rise in 2010?

Martin Kuppinger over at Kuppinger Cole+Partner just blogged about this topic: "Will IBM change the way we do PAM (or PIM or PUM)?" His post is worth reading in its entirety, but I thought I’d comment on one particular portion of it:
An interesting question in this context is whether this will affect the overall PAM market. First of all, it confirms what I’ve described earlier in my blogs: There will be a convergence of PAM with provisioning and other IAM solutions. And with more vendors providing such integrations (some are providing some integration or are working on that), customers are likely to pick the “integrated PAM”. However, there is no doubt that at that point of time the PAM specialists in most cases have more feature-rich offerings, which might complement even these integrated PAM approaches or replace them in case that specific features are required. Thus, there will be a “stand-alone” PAM market for the foreseeable time. On the other hand I expect more acquisitions of PAM specialists to happen given that the larger vendors might want to speed up the development of their integrated PAM offerings by acquiring a product and integrating it. Another point to mention: IBM’s approach shows that PAM is moving out of a niche towards a mainstream IAM market segment.
I completely agree that we are going to see a greater tie-in between provisioning and privileged account management systems. After all, isn’t a privileged account a special type of account, and isn’t my provisioning application used for creating accounts? “QED,” as my old math professor would say. I think the traditional stack vendors (IBM, CA, Sun, Novell, etc.) are going to have to address privileged account management within their platforms sooner rather than later. Regulators and compliance professionals are starting to wake up to the fact that companies do not have a good handle on their privileged accounts: who has them, what they are doing with them, and who authorized them to have one. Just ask yourself who has an Active Directory domain administrator account in your organization, why they have one, who authorized them to have it, and what they do when they use it. That’s not an easy question for most organizations to answer today. The same goes for “root” on your Unix or Linux systems. In fact, on Unix and Linux the question is even more difficult to answer.
Privileged account management as a subset of identity management is new. Provisioning has been around a long time and is somewhat “old news”. In 2010 I think we will see a lot more market turbulence around privileged account management and I agree with Martin’s prediction to expect more acquisitions.
Hmmm, did Microsoft make a mistake in their purchase of Desktop Standard in 2006 by allowing the BeyondTrust bit to escape? In retrospect, they would have been better off keeping the PAM (BeyondTrust) portion – they need it like the other stack vendors!

1 comment:

Jeremy Moskowitz said...

Microsoft already owns a BeyondTrust-like solution gained in the acquisition of Winternals. 99% of the Winternals acquisition went out with MDOP. 1% did not. This product. The real question is, with the ownership of that technology AND the fact that they specifically passed up the BeyondTrust piece... WHY would Microsoft WILLINGLY decide NOT to get into that business? My feeling is that they need to maintain "plausible deniability" in security cases. In other words, there is no middle ground: there are Admin users and there are User users. The Winternals and BeyondTrust pieces allow you to dial up or down privilege rights. Microsoft clearly doesn't want to be in that business. So they aren't. (PS: No internal knowledge here... just a hunch.) -Jeremy Moskowitz, Group Policy MVP