One of the most debated subjects on the market is Digital Transformation, now boosted by the Covid-19 pandemic. We heard about the adoption of technologies to transform business processes not only during “lives”, but also in articles, conferences, and even family gatherings. In addition to the migration to distributed models, the home office, and new working tools, the digital transformation has also resulted in the modernization of communication channels with customers.

The strategic plans of organizations and projects considered to be of low priority had to be revised; medium and long-term goals had to be accelerated to take place in a few weeks; also, strategies never thought of have been implemented in the short term. Organizations and their leaders realized that if they did not implement the required changes, business continuity would be affected. So much so that, according to the Gartner CEO and Senior Business Executive Survey, 82% of CEOs have some initiative related to digital transformation, in comparison with 62% in 2018.

In these times of high competitiveness, one of the greatest advantages offered by organizations is the relationship approach with customers. More and more people in companies consider their responses during the entire consumption process, from identifying the purchase need to after-sales.

Gartner itself brings what they call the Total Experience as one of the 10 strategic technology trends for 2021. Total Experience combines multi-experience, Customer Experience (CX), Employee Experience, and User Experience (UX) to transform business results. The goal, according to Gartner, is to improve the overall experience, in which all these areas intercede, from technology for employees to consumers and users.

Taking into account that employees are giving more value to the user experience with the products and solutions available on the market, Gartner launched Peer Insights, so that users could share their impressions and opinions about IT suppliers.

Gartner Peer Insights is a free evaluation and review platform for Technology solutions and services, covering more than 300 markets, aligned with the categories from the Magic Quadrant and Market Guide reports, including 3,000 suppliers. Each review submitted by users is verified by the Gartner team to ensure that their perceptions and views at each of the different stages of the purchase process are completely authentic. And to ensure that reviews are impartial, Gartner does not allow vendors to offer any financial incentives to users who evaluate their products or services. However, Gartner itself offers gift cards and does not prohibit vendors from doing so either. It is important to note that the value of gift cards should not exceed USD 25.

Each of the reviews submitted by users is verified in a process composed of several steps, including the definition of the user and organization profile, in addition to their role and responsibilities. This verification, which usually takes a few days, is done based on the inspection of the verified corporate email and LinkedIn profile. Additionally, the user cannot be an employee, consultant, reseller, or competitor of the vendor and product to be evaluated.

After submission, user reviews are assessed to determine whether they meet Gartner Peer Insights requirements related to context, quality, and relevance.

Some characteristics expected by Gartner are:

• Comments consistent with the respective scores.
• Variance of scores in the review, considering it unlikely that a user will have the same score for all aspects of a product or service.
• Scores are logically consistent, taking into account general and specific scores.
• Demonstration of experience in relation to the product or service being reviewed.

The reviews must also be authored by the user, with generic comments, and must not contain data that allow the user to be identified. Comparisons with competitors and financial data are not allowed either.

It is important to emphasize that, after the review is published, personal data of users, such as the name of the user or organization, are not displayed, only the industry in which the company operates and its respective size, geographic region, and revenue data.

Gartner recognizes the importance of user insights, so much so that it included them in the methodologies for evaluating the Magic Quadrant processes in order to assist customers in their effective decisions in a specific market. For vendors, Gartner Peer Insights allows them to use feedback from their consumers to reinforce their strengths, display quotes from customers, and highlight their position in the market.

For this, Gartner offers resources through the Technology Provider Tools portal that can be used to encourage customers to send their reviews, including best practices, customer communication templates, and tools. These resources allow providers to generate their links for requesting reviews and obtain indicators for measuring the success in using the tool, for example.

By using a platform like Gartner Peer Insights and its resources, it is possible to offer the user a free environment to evaluate their impressions and, thus, help others to choose IT products and services. As for vendors and providers, the platform allows them to check the general satisfaction towards what they offer to the market, in addition to being able to offer upselling, acquisition of other products and services of the company, and even refer them to others. The practical result of this is, in addition to more satisfied customers, a better perception of these products and services on the market, which leads to an increase in revenues and customers. In short: this is one of the secrets to the success of any organization.

Privileged Access Management (PAM) is formed by a set of cybersecurity strategies and technologies to exercise control over privileged access and permissions for users, accounts, processes, and systems in a technological environment.

A PAM is an ideal solution for preventing and mitigating damage resulting from external attacks, as well as from the neglect of internal employees and other insider threats against privileged credentials, specifically.

Although PAM encompasses many strategies, the main goal of the solution is to apply the concept of least privilege, which concerns the restriction of access rights and permissions for users, accounts, applications, systems, devices, and computing processes to the absolute minimum access required for them to perform their daily activities.

For this reason, PAM is considered by many experts and technologists to be one of the most important cybersecurity solutions for reducing cyber risks and obtaining a relevant security return on investment (ROI).

In today’s article, we explore the main features of a PAM solution and clarify some of the goals of this technology. Keep reading it and find out more about the PAM features.

PAM x IAM

PAM is generally related within a broader scope of Identity and Access Management (IAM).

However, IAM controls provide identity authentication to ensure that a legitimate user has the correct access. Meanwhile, PAM offers visibility, management, and auditing in a detailed way about privileged identities and activities.

Together, PAM and IAM provide refined control, visibility, and auditing capabilities over all existing credentials and privileges in a systemic environment.

Here, we also talk about the main features of a PAM solution and its benefits. If you want to learn more about IAM and how this solution complements PAM, read our article entitled “xxxxx”.

Features of a PAM solution

Privileged access or privileged account is a term used to designate access or special skills above and beyond that of a default user. Privileged access allows organizations to protect their infrastructure and applications, manage businesses efficiently, and maintain the confidentiality of sensitive data and critical infrastructure.

Privileged access can be associated with human users, as well as non-human users, such as applications and machine identities.

Thus, PAM is a solution for managing these privileged accesses. Its main goal is protecting and controlling the use of impersonal and high-privilege credentials, providing secure storage, segregation of access, and full use traceability.

To perform this management of credentials, the PAM solution uses the configuration of Access Groups to define the administrator users who will be allowed to use the password for physical access, and the group of users who can use the remote access offered by the solution to access a target device or system.

All cases may respect approval workflows and validation of explanations provided by the requesting user.

In addition to these basic functions, we present below other possibilities for PAM solutions.

• Emergency Accounts: Provide users with administrator access to secure systems in case of an emergency. Access to these accounts requires the approval of the system manager for security reasons. This is usually a manual process that requires security measures.
• Local administrative account management: shared accounts that provide administrator access to the localhost or a session only. These local accounts are routinely used by IT staff for maintenance on workstations and servers, network devices, and other internal systems.
• Application Account Management: These accounts are used by applications to access databases, perform tasks, run scripts, or provide access to other applications. These privileged accounts often have access to sensitive confidential information within applications and databases.
• Active Directory Integration: A challenge to protect, to say the least, passwords can be even more challenging if changes need to be made, as they require synchronization between various systems and applications.
• Service Account Management: Local or domain accounts used by an application or service to interact with the operating system. In some cases, these service accounts have administrative privileges on domains, depending on the requirements of the application for which they are used.
• Domain Administrative Account Management: super administrators who have privileged access to all workstations and servers within the organization’s domain and provide the widest access over the network. Because they have access to administrative accounts, they are a constant target for hackers.
• Privileged User Account Management: These are users who receive administrative privileges for the systems. Privileged user accounts are one of the most common forms of account access granted in a corporate domain, allowing users to have administrator rights, for example, on their local desktops or on the systems they manage. These accounts often have unique and complex passwords, but most of the time, they are only protected by the passwords.

The more privileges and access a user, account, or process accumulates, the greater the potential for abuse, exploitation, or error. The implementation of privilege management not only minimizes the potential for a security breach to occur, but also helps to limit the scope of one if it occurs.

Benefits of a PAM solution

A counterpoint between PAM and other types of security technologies is that PAM covers various links in the cyberattack chain, protecting against external attacks and insider threats.

PAM provides several key benefits, including:

• Reduced Infection and Malware Spread: Many varieties of malware need elevated privileges for installation or execution. Removing excessive privileges, such as applying company-wide least privilege principles, can prevent malware from establishing itself or reducing its spread if it occurs.
• Operational Performance: restricting privileges to the minimum range of processes to perform an authorized activity reduces the chance of incompatibility problems between applications or systems, in addition to helping reduce the risk of downtime.
• Compliance: By restricting the privileged activities that can be performed, PAM helps to create a less complex and therefore more friendly environment for audits.

Also, many compliance regulations (including HIPAA, PCI DSS, FDDC, Government Connect, FISMA, and SOX) and data protection laws (such as GDPR, LGPD, and CCPA) require organizations to apply least privilege access policies to ensure adequate data management and system security.

When used to manage privileged access on organizational systems and platforms that store or protect the integrity of sensitive data, senhasegura provides a centralized access point for critical systems. Its features allow strengthening the access control, limiting the user access only to what was previously authorized, respecting the principle of least privilege.

We, from senhasegura, a provider considered Challenger by Gartner in its Magic Quadrant for PAM 2020 report, are proud to announce that we have also received the Customer’s Choice seal by Gartner in the Voice of the Customer: Privileged Access Management report. This seal is a recognition for the providers best evaluated by verified users, and endorses our commitment to developing the best PAM solution on the market, with our customers as the driving force behind our work. To ensure a fair and reliable evaluation, Gartner uses a rigorous methodology to consider the aspects analyzed by users.

Gartner considers Privileged Access Management solutions, or simply PAM, as tools that help organizations provide privileged access to critical assets and achieve compliance requirements by managing and monitoring privileged accounts and access. The functionalities of a PAM tool range from the discovery of privileged accounts in systems, devices, and applications to the isolation, monitoring, recording, and auditing of sessions, commands, and privileged access actions.

Since its creation in October 2015, Gartner Peer Insights has received over 350,000 reviews in more than 350 industries. The Voice of the Customer report summarizes reviews from the evaluation platform to assist IT leaders in choosing the best tools according to their organizations’ needs. These reviews complement Gartner’s assessment methodology and have an important influence on the decision-making process, considering the users’ experiences in implementing and operating the solutions.

To be considered in the report, providers must have obtained 10 or more reviews during the eligible submission period, which is usually 1 year. According to the Voice of the Customer 2021 report, Gartner Peer Insights has published 924 reviews in the period ended in November 2020. It is worth remembering that reviews from customers with less than USD 50 million in revenues are excluded from the methodology adopted by Gartner. In the period evaluated, senhasegura has received 54 reviews with an average score of 4.8, the second-highest review in the PAM market. It is worth mentioning the Service and Support aspect, also with a 4.8 score. Besides, 96% of our customers recommend the senhasegura Security platform.

Some testimonials from senhasegura’s users on the Gartner Peer Insights platform include:

“Excellent PAM (tool) for DevOps and Secrets Management, Fast deployment, and great Support. – Portfolio and Program Management for a client with sales between USD 250M and 500M.

The solution is very flexible and scalable. It has integrated very well into our DEVOPS CICD environment composed mainly of Kubernetes, Docker, Jenkins, and Gitlab. The architecture adopted was a 3-node active-active cluster in our AWS account, as we had a large number of applications depending on it. Also, the integration with AWS Watch gave us real-time PAM on ephemeral servers. The secret discovery tool helped us to have visibility of secrets in the pipeline and allowed us to rotate them during the application deployment stage without having to refactor each application in the first place”

For another customer with a turnover of more than USD 1 billion, senhasegura “allows a PAM approach to IT and OT environments for industry 4.0”.

Finally, one more satisfied customer, from the telecommunications and billing area with earnings between USD 3 and 10 BI, considers that “senhasegura’s intuitive wizards and all-in-one architecture facilitate deployment, even in a complex telecommunications company scenario, including high availability (HA) and disaster recovery (DR). The tool is also adherent to local and cloud environments and integrates seamlessly with our infrastructure with various vendors and technologies, including legacy devices.”

Among the 14 providers considered in the Voice of the Customer report, those who obtain a higher score than the market average, evaluated by more than 50 customers during the eligible period, receive the Customer’s Choice seal. Also, customer reviews must be represented in different segments, sizes, and regions. For Gartner, this is a way to recognize both the most satisfied PAM customers and the solutions offered by providers.

Once again we reinforce our pride in being listed in the Gartner Voice of the Customer report and receiving the Customer’s Choice seal. To find out more about what our customers have to say about senhasegura, and if you also want to leave your testimonial, visit our page on Gartner Peer Insights.

Disclaimer

Gartner Peer Insights Customers’ Choice constitutes the subjective opinions of individual end-user reviews, ratings, and data applied to a documented methodology. They do not represent opinions, nor do they constitute an endorsement by Gartner or its affiliates.

Gartner does not endorse any vendor, product, or service depicted in their research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner’s research publications consist of the research organization’s opinions and should not be construed as statements of fact. Therefore, Gartner disclaims all warranties, express or implied, concerning this research, including any warranties of merchantability or fitness for a particular purpose.

Privileged credentials are spread across the infrastructure of organizations of all sizes and types. Through them, it is possible to take a series of administrative actions, such as significant changes in assets and critical systems as Domain Admin servers or ERP systems. No wonder one can also call them “keys to the kingdom”.

And ensuring the security of these “keys” and privileged access is not an easy task for those responsible for Information Security. And taking into account the latest news of data leaks, not just IT teams but all organizational leaders are aware of the risks associated with privileged credentials and how such risks are considered to be part of the business strategy.

It is also worth remembering that, driven by the shift to decentralized models, we saw a boom of cloud-based approaches. For this reason, according to Gartner, more than half of global companies that already use Cloud will adopt a 100% Cloud-based strategy by 2021. In addition, the increase in connected devices as a result of the expansion of IoT, Industry 4.0 (also called Industrial IoT), DevOps, and other digital transformation initiatives has also increased the number of connected devices and privileged credentials. Many of these credentials are not associated with people and are called service accounts. As they are not associated with a user, in most cases, these accounts are not properly managed and monitored by the security teams, which increases the risk of being exploited by malicious attackers.

And for those who think cyberattacks are limited to large organizations, 28% of these attacks were performed against small and medium-sized businesses, according to the Data Breach Investigation Report from 2020. Also, research by the National Cyber Security Alliance has found that 60% of these companies shut down within 6 months after a cyberattack.

Regarding cyberattacks, some of the biggest and most recent ones involved the lack of proper protection for privileged credentials. The attack on SolarWinds, for example, came to show us the need to ensure the security of these credentials. This is because, by obtaining improper access to the infrastructure through malware, malicious attackers were able to move laterally through the infrastructure via compromised privileged credentials.

Thus, the goal of Privileged Access Management is to assist organizations to protect, control, manage, and monitor privileged access to critical assets. Therefore, by centralizing the management of privileged credentials in one place, a PAM solution is able to ensure the maximum level of security, controlling access and monitoring suspicious activities.

Gartner considers Privileged Access Management so important that it chose this market as the number one security project for two years in a row in its publication Top 10 Security Projects. And to address the Privileged Access Management scenario, Gartner has released the Competitive Landscape: Privileged Access Management report, prepared by its researcher Swati Rakheja.

And with the increase in PAM adoption, mainly through SaaS deployments, privileged credential management solutions, which were previously limited only to global organizations, are now also reaching small and medium-sized companies. Also according to Gartner’s report, the PAM market will continue to experience great adoption, expecting a compound annual growth (CAGR) of 10.7% between 2020 and 2024, reaching the size of USD 2.9 billion in 2024.

Considering that PAM use cases are evolving along with the capabilities and functionality of the solutions, and in order to continue to serve this large and promising market, PAM providers must reassess their strategic positioning in the market by offering new features to meet the needs of organizations of all sizes.

Some of the basic functionalities of a PAM solution, according to Gartner, include everything from credential discovery, onboarding, and management through password vaulting and rotation to privileged access governance and recording and auditing capabilities, such as privileged activity logging and reporting.

While small and medium-sized companies are starting their PAM implementations with these basic functionalities, global organizations are including advanced PAM use cases, which cover, for example, Just-in-time, or JIT access. When using JIT approaches, the solution performs access provisioning based on time of use, reducing the attack surface and the risks of attacks that exploit privileged credentials.

Also, functionalities based on Artificial Intelligence and Machine Learning, Privileged Task Automation, or PTA, and privileged session auditing are also included in the list of advanced PAM functionalities.

Other emerging needs in the PAM market are access management in multi-cloud and DevOps environments, including CI/CD automation and secrets management.

It is important to note that this difference in the use of PAM features also extends to geographic regions: while emerging markets such as Asia-Pacific and Latin America are still implementing basic Privileged Access Management features, more mature markets such as the European and North American already consider and implement more advanced use cases.

Finally, Gartner’s report presents the competitive profile of the main provider within the PAM market, including senhasegura. In this profile, Gartner brings information such as the product or portfolio overview and how the provider competes in the market.

Regarding senhasegura, Gartner highlighted our PAM offer based on the privileged access life-cycle, considering the Before-During-After approach. This life-cycle includes aspects from the discovery of assets, credentials, and digital certificates to the visibility of actions performed in the environment, allowing the organization to cover all aspects associated with the protection of credentials and privileged access.

As a competitive advantage of senhasegura, Gartner mentions Keystroke Dynamic Identity, or KDI. Based entirely on Artificial Intelligence and Machine Learning, KDI allows the continuous verification of the user’s identity through behavioral biometrics. Gartner also shows that senhasegura has been highly praised by its users for its ease of use and quick installation, not to mention its intuitive and user-friendly interface.

The year 2021 has arrived, and organizations of all types and sizes are continuing their efforts to adapt their workforce to the new work reality imposed by the Covid-19 pandemic. People, who were previously working using corporate devices and infrastructure within its security perimeters, have been forced to quickly change their approach, now working from their homes and accessing the same resources as before lockdowns. And according to Cisco research published in the Future of Secure Remote Work report, even with the introduction of a vaccine against the coronavirus, IT decision-makers believe that a significant part of this workforce will continue to operate remotely, thereby accelerating the move to Cloud-based models and their projects linked to digital transformation.

Many companies, however, did not have the adequate infrastructure to support a huge number of people working from their homes, let alone to ensure that sensitive data was not exposed. The change introduced by the pandemic has created a strong demand for digital solutions, bringing an important mission for the Information Security teams: not only to protect the company, its employees, and customers but also to guarantee business continuity. A Promon survey of 2,000 remote workers provides some worrying data: almost two-thirds of them had not received any cybersecurity training in the past 12 months. Besides, 77% of them are not concerned with data security while working from their homes. It is worth remembering that data protection laws provide for heavy sanctions in case of data leaks. If the personal data of Brazilians are leaked, for example, a company is subject to fines that can reach 2% of revenues or 50 million reais.

In this context, the Covid-19 pandemic also brought new attack vectors to this entire remote workforce. With so many people using insecure devices and networks to perform their daily activities, malicious attackers saw an opportunity to exploit security gaps introduced by this form of work. Also according to the Cisco report, 61% of decision-makers have reported an increase of 25% or more in cyber threats since the pandemic began in March 2020. And for those who think cybersecurity is something that concerns only global organizations, this increase in threats is also reported by small (55%) and medium-sized (70%) companies. But what aspects should Information Security leaders consider in order to guarantee the security of data transmitted via unprotected devices and networks?

Virtual Private Network, or VPN – as a basic tool in the kit of those who want to guarantee data security, VPNs are old known to IT teams. In addition to the function of avoiding geographical restrictions, the use of these tools also improves privacy on the internet. Also, a VPN allows you to encrypt all internet traffic through devices;

Wi-Fi, or Wireless Connections – most Wi-Fi networks are secure in some way. However, when outside their workspaces, employees should be aware that using public wireless networks is one of the preferred targets for malicious agents to spy on internet traffic and collect sensitive data

Home Routers – many people do not change the passwords for their home routers when they are installed, which increases the risk of falling victim to a cyberattack. To prevent any malicious attacker from having access to the home network and thus gaining improper access to critical data, the first step includes changing the router’s password. Also, it is interesting to encourage employees and third parties to check and install device firmware updates.

Passwords – In these times, it is more important than ever that your passwords are properly protected. Unfortunately, many people use the same password for multiple-service access credentials, both personal and corporate. This means that if a malicious attacker has access to a compromised password, it will be much easier to gain access to other services, including corporate accounts. Therefore, it is recommended to use a PAM solution to manage these privileged credentials.

Multi-Factor Authentication – often, strong passwords are not enough to protect systems from unauthorized access. If a criminal has access to a credential compromised in a data leak, it is not difficult to compromise other user accounts. Thus, by using multi-factor authentication, such as confirmation via an OTP (One-Time Password) generated by an application or SMS, it is possible to add an extra layer of protection to user accounts;

Backups – all user files must be configured to be backed up, preferably in a cloud-based environment. If there is a cyberattack through malware, such as ransomware, and the data is not properly saved, it is not possible to recover it without paying a ransom, which can directly affect the victim’s activities and even the business continuity;

Phishing – in addition to investing in cybersecurity solutions, it is also necessary to train employees appropriately to learn how to deal with phishing attempts or other social engineering-based attacks by malicious attackers to gain improper access to systems. One way to address this problem is to alert employees how to detect suspicious emails from unknown senders, especially if it involves any user action, such as clicking a link or opening an attachment. Even messages received from trusted senders must be considered and verified before they are opened.

As remote work becomes more and more common, companies of all sizes need to implement infrastructure in addition to the appropriate policies to minimize their exposure to cybersecurity risks. The list we presented here is a good start to give an idea of what should be considered in order to create an adequate policy to ensure the protection of the remote workforce. In this way, it is possible to reduce the risks of cyberattacks and avoid heavy penalties from data protection laws, which can affect the trust of employees, partners, suppliers, and even business continuity.