7 top privileged access management tools

Good management of privileged credentials can stop or slow an attacker's movement through your network. These PAM tools are among the best.

One of the main objectives of the bad guys is to escalate to privileged account access wherever possible. The more unfettered access they can gain to administrative, superuser and infrastructure accounts, the freer rein they have to tap into sensitive data stores, tamper with critical systems and gain carte blanche to do whatever they care to with a victim organization’s IT infrastructure, all without being detected.

As a result, organizations recognize that they need to take special care with the way that they manage and grant access to the most powerful privileged accounts in their environments. This is accomplished with privileged access management (PAM) tooling. PAM is used to manage privileged credentials, delegate access to them, track privileged sessions to monitor for abuse and report on usage patterns for both the risk team and auditors and generally control the elevation of commands.

Whereas years ago PAM was very much a niche specialty reserved for the largest enterprises, its features have since expanded well beyond simple admin account protection and reporting. PAM is now tasked with managing the ever-broadening number of accounts that hold privileged access to at least some part of the enterprise digital ecosystem. The growth in machine-to-machine accounts that enable automation, ephemeral cloud accounts that support DevOps and on-demand infrastructure provisioning, integration accounts and more have all made PAM both more complicated and more necessary for enterprises to implement.

The following list includes some of the biggest players in the market. The common thread among most of them is a three-pronged ability to vault, protect and rotate privileged credentials; the ability to enforce least privilege on accounts based on granular control filters that can include everything from geographic location to the time of day at which access is requested; and the ability to manage secrets that include not only passwords but also SSH keys, certificates, tokens and other credentials.
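To make the loop those three capabilities form concrete, here is an added illustration in Python; it is not code from this article or from any of the vendors below. It models a credential vault that grants a check-out only when the requester's role, source country and time of day satisfy the policy attached to the credential, records every attempt in an audit trail, and rotates the credential when it is checked back in so the value the user saw is no longer valid. The credential names, roles, countries and access windows are made up for the example.

```python
"""Toy PAM vault: least-privilege check-out, audit trail, rotate on check-in.

Added example, not a vendor product. Policies and credentials are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional
import secrets


@dataclass(frozen=True)
class Policy:
    """Least-privilege filter attached to one vaulted credential."""
    roles: frozenset        # requester must hold at least one of these
    countries: frozenset    # ISO country codes the request may originate from
    window_start: time      # local time-of-day window; may cross midnight
    window_end: time

    def in_window(self, t: time) -> bool:
        if self.window_start <= self.window_end:
            return self.window_start <= t < self.window_end
        # Window crosses midnight, e.g. 22:00-06:00 for an overnight change slot
        return t >= self.window_start or t < self.window_end


@dataclass
class Credential:
    kind: str               # "password" or "token"; decides what rotation generates
    value: str
    policy: Policy
    checked_out_by: Optional[str] = None
    rotations: int = 0


@dataclass(frozen=True)
class Decision:
    granted: bool
    reason: str
    value: Optional[str] = None   # only populated on a granted check-out


def rotate(kind: str) -> str:
    """Generate a fresh random credential of the given kind."""
    if kind == "password":
        return secrets.token_urlsafe(24)
    if kind == "token":
        return secrets.token_hex(32)
    raise ValueError(f"unsupported credential kind: {kind}")


class Vault:
    def __init__(self) -> None:
        self._store: Dict[str, Credential] = {}
        self.audit: List[dict] = []   # one entry per check-out/check-in attempt

    def add(self, name: str, cred: Credential) -> None:
        self._store[name] = cred

    def _log(self, **entry) -> None:
        self.audit.append(entry)

    def checkout(self, name: str, user: str, roles, country: str, now: datetime) -> Decision:
        cred = self._store[name]
        pol = cred.policy
        reason = None
        if cred.checked_out_by is not None:
            reason = f"already checked out by {cred.checked_out_by}"
        elif not (frozenset(roles) & pol.roles):
            reason = "role not permitted"
        elif country not in pol.countries:
            reason = f"country {country} not permitted"
        elif not pol.in_window(now.time()):
            reason = f"outside access window {pol.window_start}-{pol.window_end}"
        if reason:
            self._log(action="checkout", credential=name, user=user, at=now,
                      granted=False, reason=reason)
            return Decision(False, reason)
        cred.checked_out_by = user
        self._log(action="checkout", credential=name, user=user, at=now,
                  granted=True, reason="policy satisfied")
        return Decision(True, "policy satisfied", cred.value)

    def checkin(self, name: str, user: str, now: datetime) -> Decision:
        cred = self._store[name]
        if cred.checked_out_by != user:
            self._log(action="checkin", credential=name, user=user, at=now,
                      granted=False, reason="not checked out by this user")
            return Decision(False, "not checked out by this user")
        # Rotate on return: whatever the user copied out is now dead.
        cred.value = rotate(cred.kind)
        cred.rotations += 1
        cred.checked_out_by = None
        self._log(action="checkin", credential=name, user=user, at=now,
                  granted=True, reason="rotated")
        return Decision(True, "rotated")

    def rotations(self, name: str) -> int:
        return self._store[name].rotations


if __name__ == "__main__":
    v = Vault()
    day = Policy(frozenset({"dba"}), frozenset({"US", "DE"}), time(8, 0), time(18, 0))
    v.add("prod-db-admin", Credential("password", "initial-pw", day))   # constructed
    print(v.checkout("prod-db-admin", "alice", {"dba"}, "US", datetime(2022, 6, 1, 10, 0)))
    print(v.checkin("prod-db-admin", "alice", datetime(2022, 6, 1, 11, 0)))
    for e in v.audit:
        print(e)
```

Two design points matter in practice: the "already checked out" check comes first, so exclusive access to a shared admin account is enforced before any policy evaluation, and rotation happens on check-in rather than on a timer, so the audit trail ties each credential value to exactly one user and one session.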

Top PAM tools

BeyondTrust

A well-established PAM player, BeyondTrust offers multiple options for privileged account and session management (PASM) via its Password Safe and Privileged Remote Access products. The latter has gained particular traction among midsize and smaller enterprises and in the remote access use cases that have grown tremendously in recent years. It also offers secrets management via its DevOps Secrets Safe software, and enforces granular least privilege policies and other privilege elevation and delegation management (PEDM) functionality through its Endpoint Privilege Management product, which runs across Windows and Mac, as well as Unix and Linux via its Active Directory Bridge technology.

BeyondTrust has strong ties to the compliance and audit world, and one of its big differentiators is its reporting and visualization capabilities, according to Gartner analysts. Customers can layer in advanced analytics via the company’s BeyondInsight add-on analytics package. That package also provides thorough account discovery capabilities, analysts say.

It is also now a player in the cloud infrastructure entitlement management (CIEM) field—a natural offshoot of PAM—through its newer Cloud Privilege Broker technology, which manages entitlements across multi-cloud environments.

One place where the analysts do caution customers is the company’s weakness in integrations, both with external products and even among some of its own overlapping products.

CyberArk

CyberArk is another mainstay of most buyer shortlists when contemplating a PAM purchase. “CyberArk remains the biggest PAM brand, with a long history in this sector, a wide geographic reach and the largest share of the PAM market,” according to Gartner’s analysts. “Most Gartner clients researching PAM products include CyberArk on their list of vendors to evaluate.”

Its bread and butter is its CyberArk Privileged Access Manager product, which can be deployed on-premises or as a service through Privilege Cloud and which handles the main PASM functionality for customers. Alongside it sit CyberArk Endpoint Privilege Manager (EPM), which provides PEDM, and CyberArk Vendor Privileged Access Manager, which handles remote privileged account access for third parties.

In 2017 the company picked up Conjur to address the DevOps market, managing secrets for applications, services and devices and providing role-based access control in development and deployment environments. It has integrated those capabilities into its portfolio but also maintains Conjur as a separate brand.

This marked the firm’s general push in recent years to expand its footprint across the entire identity space. It has always been known for strong integration with adjacent identity vendors, but it is also expanding its own functionality, both in-house and through acquisitions. It was one of the first PAM vendors to enter the CIEM fray and provides mature CIEM functionality, including risk scoring of permissions exposure, via its Cloud Entitlements Manager, suited to large-scale and multi-cloud environments. Its 2020 purchase of Idaptive led to the rollout of workforce single sign-on (SSO) and endpoint multi-factor authentication (MFA), customer identity management features, passwordless options and self-service capabilities for account management.

Delinea

Delinea is the marriage of two established players in the PAM market, Thycotic and Centrify. The two companies were purchased and merged last year by private equity firm TPG Capital and rebranded in February under the new name. Separately, each product base has the distinction of being placed in the “up and to the right” leadership category of the PAM market by analysts from the likes of Gartner and KuppingerCole.

Thycotic was best known for the password vaulting and rotation capabilities of its Secret Server product, and for catering to smaller enterprises with more streamlined, out-of-the-box functionality. Centrify was best known for serving large enterprises with the Active Directory (AD) bridging functionality of its Cloud Suite SaaS platform, which brings access control and management of disparate on-premises and cloud system administrative accounts, including Linux and Unix environments, into the familiar AD environment.

The company is still in the in-between stage of product integration that comes from bringing together companies with overlapping feature sets. Many of the products, such as Secret Server and DevOps Secrets Vault from the Thycotic side and the Cloud Suite platform modules from the Centrify side, can still be purchased and supported separately. Delinea seems committed to unifying the offerings: last October the company rolled out an integration between the privileged account and session management capabilities of Secret Server and the other parts of the Cloud Suite platform, and executives promise more progress in the months to come.

HashiCorp

HashiCorp is a bit of a niche player in the PAM space, with an offering not broad enough to do end-to-end management of privileged access. However, it is making a name for itself in the DevOps space with the secrets vault capabilities of HashiCorp Vault, which are designed to be integrated into the application development and delivery tooling that DevOps teams live in.

“While several other PAM vendors are now offering similar capabilities to suit DevOps, HashiCorp offers a good start for organizations looking to onboard PAM within application development and deployment processes,” explained KuppingerCole analyst Paul Fisher in a recent KuppingerCole report on the PAM market.

ManageEngine

ManageEngine is another PAM-lite player with specialized functionality for companies seeking to ease into privileged account management. Its PAM360 platform is firmly focused on SSH key and SSL certificate management, and analysts note its ability to add custom roles in user management as a plus. The product provides some user behavior patterning to look for risky behavior, along with compliance-friendly reporting.

One of its selling points is its integrations, both with its own internal suite of products (ManageEngine is part of Zoho Corp) and externally. For workflow management of common tasks like onboarding and offboarding of accounts, it is tied closely to the robotic process automation from Automation Anywhere and to ITSM players like ServiceDesk Plus and ServiceNow.

“On a more fundamental PAM issue, PAM360 offers strong SIEM integration with Splunk, SumoLogic and Log360. DevOps is covered up to a point with integrations for Jenkins, Ansible, Chef and Puppet,” wrote Fisher.

Where Gartner deems it lacking is privilege elevation and delegation management. Gartner dropped ManageEngine from its latest PAM Magic Quadrant for not meeting the minimum requirements for PEDM, a capability for which Gartner excludes session monitoring as the sole route “because the point of control is less reliable.” PAM360 leans heavily on session management and session monitoring controls, and this put it out of the running by Gartner’s yardstick.

One Identity

A full-fledged and mature PAM vendor, One Identity brings together its privileged account functionality under its One Identity Safeguard product base, which is made up of three modules. Safeguard for Privileged Passwords handles role-based access and automates workflows for provisioning and authentication administration. Safeguard for Privileged Sessions handles the control, monitoring and recording of privileged sessions, including real-time alerting on suspicious activity and robust reporting for audit and compliance support. Safeguard for Privileged Analytics offers deep analytics into privileged account activities, and Gartner says this last module is where the company really shines.

“One Identity Safeguard for Privileged Analytics stands out from other solutions by using machine learning to analyze not just privileged access attempts, but also complete session activity, including commands,” Gartner analysts wrote. “Passive behavioral biometric analysis can detect unauthorized use through keystroke dynamics.”

One Identity is trying to broaden its general IAM appeal through M&A activity. Last year it picked up OneLogin, a lightweight IDaaS vendor for smaller organizations. Forrester analysts say the deal gives One Identity a foot in the door to the broader IDaaS market and a chance to differentiate itself from vendors in that space that lack native PAM and identity governance and administration (IGA) capabilities. It is still early days following the deal, so it remains to be seen how well the company can integrate OneLogin’s technology and cross-pollinate each side’s feature strengths.

WALLIX

Based in France, WALLIX is a rising player in the PAM market. The WALLIX Bastion product is made up of five modules: Session Manager, Password Manager, Access Manager, Privilege Elevation and Delegation Manager, and Application to Application Password Manager. It also works hand in hand with the endpoint privilege management capabilities of the company’s other main product, WALLIX BestSafe.

Deemed a Challenger in the Gartner Magic Quadrant, WALLIX Bastion is given high marks by that firm’s analysts for its session management and recording features, ease of deployment and competitive pricing. Where Gartner dings it is in credential rotation and account discovery features. Meanwhile, KuppingerCole had glowing remarks about its growing feature set.

“By building on its existing capabilities for password management and privileged session management (PSM) and adding enhanced EPM, AAPM and better DevOps support, WALLIX now has a highly competitive level of PAM capabilities that should be seriously considered by buyers in all organizations,” wrote Fisher.

Copyright © 2022 IDG Communications, Inc.