Gartner Reports Outline the Path to PAM Maturity

Over the past couple of years, it’s been very satisfying to see the increased coverage for Privileged Access Management (PAM) from the industry analyst community. This was evidenced in December 2018 when Gartner published its first Gartner Magic Quadrant for Privileged Access Management, a clear sign that market maturity had reached a point that it warranted its own MQ.

Since the beginning of 2019, Gartner has continued to build its PAM coverage out considerably, and with increasing emphasis beyond basic password vaulting. The core PAM team at Gartner has rolled out a series of research notes and reports that provide a comprehensive primer for Identity and Access Management (IAM) Leaders as well as Security & Risk Professionals to learn the basics of PAM, move on to best practices for PAM, and then drill down into specific tactics to enforce and support a least privilege approach.

Below, we have provided short synopses of three reports, available to you with complimentary access from Centrify.


Gartner has provided an excellent summary of what PAM is, and outlines the difference between Access Management, Identity Governance and Administration (IGA), and Privileged Access Management (PAM). This report highlights where PAM can help organizations provide secure access to critical assets for privileged users, and meet compliance requirements related to securing, managing, and monitoring privileged accounts.  

This Gartner report summarizes PAM tools for a range of use cases, how to use PAM to manage privileged services and machine accounts, as well as how to secure third-party external privileges and remote administrative access. It then looks at how digital transformation is creating new attack surfaces, such as DevOps and Cloud, and where PAM can help reduce risk.


Gartner IAM Leaders' Guide to PAM


As organizations look to capture the value to be gained from transformative technologies like the Cloud, DevSecOps, containers, and microservices, they are also adding massive complexity to their IT estate. This report from Gartner states that, “Identity and access management leaders often lack a comprehensive understanding of all PAM use cases across the enterprise, including new challenges for PAM coming from companies moving to the cloud.”

As IAM Leaders gain a greater understanding of PAM, they can move on to best practices that can get the organization on the path to PAM maturity. The report highlights key challenges and recommendations, and how to leverage your current InfoSec program as the foundation for PAM policies, processes, and procedures. Then it outlines Gartner’s Four Pillars of PAM, and the 5 W’s of Privileged Access (Who, When, What, Where, and Why).


Gartner Best Practices for PAM


As organizations continue along a PAM Maturity model, they will want to move beyond the “basics” of PAM and adopt a stronger posture based on a least privilege approach. Least privilege means granting only enough privileged access for only the amount of time needed to complete the task. These are often referred to as Just Enough, Just-in-Time (or JIT) PAM.

This report specifically focuses on JIT PAM, outlining the various key challenges that this approach can address, including ensuring that privileges are only granted when a valid reason exists. It does also look at how organizations can reduce the amount of privileged accounts that are “fully armed” and overprivileged, which can be address with Just Enough access. The goal, Gartner points out, is to have zero standing privileges (ZSP).


Gartner Remove Standing Privileges

Centrify’s PAM Maturity Model aligns well to these recommendations. First, don’t leave your organization in the “Danger Zone” where you are doing nothing to secure and manage privileged access in your organization. At the very least, try to get to the first phase where you discover all machines and vault away shared and admin passwords. Then move on to more of an Identity-Centric approach to PAM based on least privilege, focused on consolidating identities, establishing alternate admin accounts, enforcing MFA, and enforcing Just Enough, Just-in-Time access. Finally, an organization with a truly mature PAM posture will harden the environment with high assurance, centralizing service management accounts, using host-based auditing, vaulting secrets, and enforcing a higher NIST assurance lever for MFA.

Centrify PAM Maturity Model
©2020 Centrify Corporation. All Rights Reserved.

I hope you enjoy these three Gartner reports. If you are interested in trying any of our Identity-Centric PAM solutions, be sure to visit our Trial Center.


Gartner: IAM Leaders’ Guide to Privileged Access Management, Abhyuday Data, Felix Gaehtgens, Michael Kelley, 18 July 2019.

Gartner: Best Practices for Privileged Access Management Through the Four Pillars of PAM, Felix Gaehtgens, Michael Kelley, 28 January 2019.

Gartner: Remove Standing Privileges Through a Just-in-Time PAM Approach, Abhyuday Data, Felix Gaehtgens, Michael Kelley, 6 September 2019.

This post was first first published on Blog | Centrify website by AndySmith. You can view it by clicking here