CyberArk, BeyondTrust, Delinea Dominate Gartner MQ for PAMOne Identity, Wallix, Arcon Exit Leaders Space as Privileged Access Market Matures
CyberArk, BeyondTrust and Delinea maintained their spots atop Gartner's privileged access Management Magic Quadrant, while One Identity, Wallix and Arcon fell from the leader ranks.
Over the past half-decade, privileged access management has gone from being required at large, regulated organizations to being a prerequisite for cyber insurance coverage. Carriers now want to assess the maturity of an organization's approach to managing privileges, said Gartner Vice President Felix Gaehtgens. This has led to a reduction in prices and the adoption of more flexible models.
"If you don't know where your privileged accounts are, you can't protect them," Gaehtgens told Information Security Media Group. "That seems like common sense, but many organizations say, 'Oh, we'll just scan around Active Directory and get to know where all of our privileged accounts are.' But it's not that simple."
Gaehtgens praised CyberArk, BeyondTrust and Delinea for their visibility in the market and for providing a broad offering with lots of capabilities as well as wide geographic and vertical reach. He said a variety of PAM providers have invested in extensible account discovery to spot privileged accounts on local systems as well as in databases, apps or devices, and many PAM vendors are providing these tools for free (see: CyberArk, Delinea, One Identity Top Gartner MQ for PAM).
Market Is Maturing But 'Not Close to Saturation Yet'
Gartner for the third consecutive year recognized publicly traded Boston-area vendor CyberArk for having the most complete vision around privileged access management. BeyondTrust took the silver, One Identity took the bronze and Delinea and Wallix took fourth and fifth place, respectively. In 2022, One Identity took the silver, Delinea took the bronze, and Wallix and BeyondTrust finished fourth and fifth, respectively.
"If you don't know where your privileged accounts are, you can't protect them."
– Felix Gaehtgens, vice president, Gartner
From an execution ability standpoint, CyberArk and BeyondTrust tied for the gold. Arcon captured the bronze, and ManageEngine and Delinea took fourth and fifth place, respectively. That's a major change from 2022, when CyberArk edged out Arcon for the gold, Delinea took the bronze, and One Identity and BeyondTrust tied for fourth place.
"The market is maturing," Gaehtgens said. "It's not close to saturation yet, but it's already in midstage maturity."
Looking ahead, Gaehtgens would like to see privileged access management vendors focus on "break glass" capabilities, or giving customers access to privileged accounts even if their systems are down. Customers should also examine how PAM providers address nonhuman and machine accounts since providers have invested heavily in that space and have maturing capabilities, according to Gaehtgens.
Gaehtgens also would like to see providers take advantage of artificial intelligence to provide lean, efficient privilege approvals that are fine-grained and provide an account with no more access than is absolutely necessary. He said the "just in time" approval capabilities differ dramatically among vendors. Netwrix excels, he said, while CyberArk has been building out the capability recently, and others are still playing catch-up.
Outside of the leaders, here's how Gartner sees the privileged access management market:
- Visionaries: Wallix, One Identity, Netwrix;
- Challengers: Arcon, ManageEngine;
- Niche Players: Broadcom, Saviynt, HashiCorp;
- Missing the List: Apono, Bravura Security, Fudo Security, Imprivata, Kron Technologies, Microsoft, Sectona, Senhasegura, StrongDM and Teleport, which didn't meet technical or revenue inclusion criteria.
How the Privileged Access Management Leaders Climbed Their Way to the Top
|Bomgar||BeyondTrust - Took BeyondTrust name||Not Disclosed||October 2018|
|Bomgar||Avecto||Not Disclosed||August 2018|
|Centrify - Renamed Delinea in February 2022||Thycotic||$1.4B||April 2021|
|Thycotic||Onion ID||Not Disclosed||June 2020|
|Thycotic||Arellia||Not Disclosed||February 2016|
CyberArk Extends Privilege Controls to All Identities
CyberArk has infused and deployed privilege controls across all personae using modern methodologies to protect new identities coming online in cloud and hybrid environments, said CEO Matt Cohen. Investments in life cycle management have allowed CyberArk to discover privileged identities in client environments and apply the right level of controls, making organizations more effective, he said.
The company brought its least privilege approach and automated policy management to the endpoint, using ML and AI to apply the right amount of policy enforcement at the local level based on global client learnings, Cohen said. To address nonhuman identities and secrets management, he said, CyberArk has adopted central policy management and invested in protecting organizations from vault sprawl (see: CyberArk CEO Touts New Browser That Secures Privileged Users).
"There is no traditional PAM user anymore," Cohen told ISMG. "Any identity can be privileged at any time, human and nonhuman. Our unique special sauce is to be able to bring the world's best privilege controls to any identity accessing any environment. And that brings us broader into this space of identity security, which for us is just a redefinition of the PAM space."
Gartner chided CyberArk for high cost, lackluster technical support, not delivering against plans on its road map for privileged session management, and difficulty managing and upgrading some software. Cohen said privileged session management will be improved by early 2024 and that it plans to make upgrades seamless for on-premises customers, deliver good value for the price it charges, and deal with complex use cases.
"We're always going to have a little bit of a 'ding' around us because we're solving more complex use cases, which takes more technical resources," Cohen said. "When you look at our customer base that's downmarket, I think you find a different level of ability to support them seamlessly through automated methods."
BeyondTrust Brings Privileged Access to Cloud Infrastructure
BeyondTrust has brought new technology to market around cloud infrastructure to provide remote users with access to cloud resources using their laptop through a granular, narrow tunnel, said CTO Marc Maiffret. Given the number of organizations using cloud-native resources housed in AWS or Azure, Maiffret said it's essential to provide secure access into the public cloud providers in a granular manner.
The company has pursued integrations with Ping and GitHub to highlight the identities at highest risk of compromise and provide a holistic, unified view of users and accounts across a client's entire environment, Maiffret said. BeyondTrust has focused on surfacing risk by illustrating unique risks to new and different systems as well as depicting where attackers are going and how threats are playing out, he said (see: BeyondTrust CEO on Merging Privileged, Infrastructure Access).
"We are the best in the industry in the depth that we go - not just in the classic areas of PAM and how you do vendor remote access security, but also the new technology that we've brought to market related to cloud infrastructure and making sure that users are equally able to securely access cloud resources," Maiffret told ISMG.
Gartner criticized BeyondTrust for high pricing, a cumbersome upgrade process, little improvement in core PAM capabilities in its road map, and disappointing workload identity and secrets management tools. Maiffret said BeyondTrust is the only vendor to offer workload identity and secrets management as a combined solution and wants its product to go above and beyond addressing traditional PAM use cases.
"What PAM was and has been for the last few years is going to look dramatically different over the next two years," Maiffret said. "Most companies are trying to figure out this new perimeter that is made up of identities themselves and how you secure it. That's going to look very different than what PAM was traditionally thought of."
Delinea Doubles Down on Encryption, Customer Experience
Delinea has brought a common look and feel across all the legacy Thycotic and Centrify products by tapping into microservices, which allow common components to be used across different products rather than having each product built by a separate team, said CTO David McNeely. For instance, he said, Delinea's post-quantum cryptography technology uses the company's centralized crypto service.
As customers put their secrets into Delinea's vaults, McNeely has focused on ensuring the encryption Delinea uses can't be broken, which has driven investments in the next generation of cryptography. In addition, McNeely said, Delinea has turned to artificial intelligence to identify malicious activity or a suspicious series of events as well as place guardrails around the privileged access granted to humans (see: Delinea Snags David Castignola as CRO to Push Beyond Banking).
"We have highly usable products," McNeely said. "Customers love the way it works. That gives us faster time to value in the organization. We also have a lower total cost of ownership given that our solution is much easier to set up and get operational. And we don't require customers to do anything weird or extra with respect to deploying the products or even with upgrades over the years."
Gartner criticized Delinea for meager R&D headcount, limited on-premises capabilities, requiring PowerShell customization for fairly common requirements, and subpar RDP session management and secret server capabilities. McNeely said Delinea takes a different approach to RDP session management but provides similar functionality and has focused on simplifying the integration process for secret server customers.
"Our competitors end up with a marketplace of a lot of these integrations," McNeely said. "They do get old over time, and you've got to spend time to keep them up to date. It's just a trade-off."