Magic Quadrant for Privileged Access Management

Privileged access management is one of the most critical security controls, particularly in today’s increasingly complex IT environment. Security and risk management leaders must use PAM tools in a long-term strategy for comprehensive risk mitigation.

Strategic Planning Assumptions

By 2022, more than half of enterprises using privileged access management (PAM) tools will emphasize just-in-time privileged access over long-term privileged access, up from less than 25% today.

By 2021, 40% of organizations (up from less than 10% in 2018) that use formal change management practices will have embedded and integrated PAM tools within them, significantly reducing the overall risk surface.

By 2021, over 50% of organizations using DevOps will adopt PAM-based secrets management products, rising rapidly from less than 10% today.

Market Definition/Description

PAM tools help organizations provide secure privileged access to critical assets and meet compliance requirements by managing and monitoring privileged accounts and access. PAM tools offer features that enable security and risk leaders to:

  • For all use cases:
      • Discover privileged accounts on systems, devices and applications for subsequent management.
      • Automatically randomize, manage and vault passwords and other credentials for administrative, service and application accounts.
      • Control access to privileged accounts, including shared and “firecall” (emergency access) accounts.
      • Isolate, monitor, record and audit privileged access sessions, commands and actions.
  • For human users:
      • Provide single sign-on (SSO) for privileged sessions, commands and actions securely to not reveal account credentials (passwords, cryptographic keys, etc.).
      • Delegate, control and filter privileged operations that an administrator can execute.
      • Ensure required levels of trust and accountability for privileged access by providing robust authentication capabilities or integrating with external authentication products or services.
  • For services and applications:
      • Eliminate hardcoded passwords by making them available on-demand to applications.

Two distinct tool categories have evolved as the predominant focus for security and risk management leaders considering investment in PAM tools:

  • Privileged account and session management (PASM). Privileged accounts are protected by vaulting their credentials. Access to those accounts is then brokered for human users, services and applications. Privileged session management (PSM) functions establish sessions with possible credential injection, and full session recording. Passwords and other credentials for privileged accounts are actively managed, such as being changed at definable intervals or upon occurrence of specific events. PASM solutions can also provide application-to-application password management (AAPM).
  • Privilege elevation and delegation management (PEDM). Specific privileges are granted on the managed system by host-based agents to logged in users. This includes host-based command control (filtering) and privilege elevation, the latter in the form of allowing particular commands to be run with a higher level of privileges.

Vendors covered in this Magic Quadrant must at least provide a fully functional PASM product and, optionally, PEDM tools as well.

In the write-ups for each vendor, we comment on the quality of individual product components, and use terms such as “well above average,” “above average,” “average,” “below average” and “well below average.” The average for a particular component refers to the average score for all vendors evaluated in this research for that component. Please refer to the entry for “Product or Service” in the Evaluation Criteria section for a full description of these components and what was evaluated.
Magic Quadrant

Figure 1. Magic Quadrant for Privileged Access Management
Source: Gartner (December 2018)

Vendor Strengths and Cautions

ARCON

ARCON offers a suite that spans both PASM and PEDM. Service account management is above average compared to competitors’ offerings (see the entry for “service account management” under “Product or Service” in the Evaluation Criteria section to see what was evaluated). It can manually configure dependencies, multithreaded credential checking and rotation with pre-/postactions. Discovery capabilities include system discovery and privileged user discovery on systems and several databases. A
