IGA + PAM, PAM + IGA and The Rest

A quick comment on the recent set of summer transactions that has seen some movements in the worlds of privileged access management and identity governance and administration.

July saw the intention for a multi-billion dollar integration of Palo Alto networks and long time PAM player CyberArk (see The Cyber Hut’s comment on that event here). That was seemingly a powerful revenue mashup transaction allowing Palo to add a substantial customer base in an orthogonal market to their already varied cyber security portfolio.

Prior to that acquisition, CyberArk as a standalone PAM machine announced in February they were to acquire Zilla Security. This essentially provided them with some next-gen cloud-centric IGA functions, with the press releasing stating:

“Zilla’s modern IGA SaaS platform was built from scratch to address today’s digital environments, characterized by an explosion of SaaS applications, decentralized management, and identity-based security threats. Leveraging AI-driven role management, Zilla automates the processes of identity compliance and provisioning, making governance easy, intuitive and all-inclusive for the modern enterprise. It offers the most complete set of integrations for both commonly used and custom applications and provides fast time to value. Zilla customers experienced in implementing legacy IGA found that Zilla can be deployed five times faster; complete access reviews with 80% less effort; and enable faster provisioning with 60% fewer service tickets.”

So suddenly a tuna that ate a squid, was eaten by a shark. What does that result in? Well arguably, Zilla would aim to be cross-sold into existing CyberArk PAM customers to expand revenue horizontally. A super-set of that would be Palo sales reps now cross-selling CyberArk et al into existing Palo customers. The net-net? Smaller startups may struggle against Palo or Cyber prospects if they were incumbent. The alternative narrative, is that startups in the PAM and IGA spot, may see more opportunities in greenfield, simply as Zilla and CyberArk may not pursue net-new logos. Time will tell.

In addition there have been a few other transactions on a slightly less grand scale that creates some interesting narratives. Last week Ping Identity announced they were entering the just-in-time PAM space with a neatly crafted press release. It stated that:

"As enterprises embrace multi-cloud strategies, the scale and complexity of cloud permissions are expanding faster than ever. Traditional, vault-based PAM solutions can't keep up with today's dynamic business needs," said Peter Barker, Chief Product Officer at Ping Identity. "With the addition of PAM capabilities, we're empowering organizations to adopt just-in-time (JIT) privileged access and solve a broader set of identity and security challenges – all within a unified platform."

These new capabilities will support JiT for the main cloud service providers, Kubernetes, databases and on-premises environments too. Authentication will include passwordless and the policy modular will be able to deliver fine-grained and contextual access. All the necessary buzzwords ticked.

The press release also mentioned AI (drink!) with an oblique reference to trust. It didn’t state how PAM capabilities would help here, simply that Ping was describing themselves as now “…now uniquely positioned to equip organizations with next-generation privileged access capabilities—protecting access to cloud infrastructure and securing the full spectrum of identities from a single, trusted platform."

The press release also slipped in quite quietly, that these new PAM capabilities were made available by a recent acquisition of Procyon:

“Ping Identity's privileged access capabilities will be made available through PingOne Privilege and are made possible by the recent acquisition of Procyon, a cloud-native startup founded in 2021 by Sukhesh Halemane, Suman Sharma, and Mahantesh Pattanshetti. The company was founded with a vision to enable simple, seamless, and secure privileged access to both cloud and on-prem infrastructure. Procyon was designed for modern DevOps workflows, offering a solution that's easy to deploy, use, and maintain. Its mission focused on increasing productivity for both security and development teams while providing high assurance protection for enterprises from identity breaches.”

So Ping in recent years has become a mashup with the integration of the former-ForgeRock stack into their kitbag - which also contained some early foundations for IGA capabilities, allowing Ping to deliver simple and complex solutions for B2E and B2C ecosystems.

One other data point to add in to this, is what Sailpoint, the long standing IGA juggernauts, have also released a press release recently - this time focused on application management and governance. This release goes on to describe a new capability set called “Accelerated Application Management”. The press release stated that:

“SailPoint Accelerated Application Management, a breakthrough solution that redefines how enterprises discover, govern, and secure applications at scale. While most organizations govern fewer than 50 applications, thousands more remain outside governance, creating serious risk. SailPoint’s new approach represents a strategic shift: combining intelligence with expert-led deployment to deliver rapid coverage and compliance at a fraction of the cost and complexity of competing solutions, delivering unmatched value while setting a new market standard.”

So the net-net is that most IGA projects often focus on a subset of applications. Why so? Well it is likely that only the most high-risk apps that are under the scrutiny of external auditors will be put through the paces of being connected to life cycle management systems, with access request and access review management processes nicely documented and digitised. The rest are left. Either disconnected entirely, or thrown to a faster and more agile cloud-centric players who often deliver IGA-lite functions, but aim for rapid on-boarding and broader coverage.

The acquisition aspect that is powering this new functionality was quietly added into the release with details stating:

“In connection with announcing this new offering, SailPoint has entered into an agreement to acquire key assets from Savvy. Savvy provides best-in-class SaaS application visibility and monitoring, while guiding users in real-time with a focus on identity risks and insider threats. Following a successful completion of the contemplated acquisition, which remains subject to customary closing conditions, SailPoint intends to integrate the acquired Savvy technology with SailPoint's offerings to deliver unparalleled application visibility and intelligence to customers.”

To add to the excitement, Sailpoint technically entered the PAM space with the acquisition of Osirium back in October 2023.

So we now have already a quite messy looking schematic above with a few overlapping segments closing down the main functions of IGA, PAM and the associated risk and life cycle management use cases.

Does this mean further or less competition? Time will tell, but it does create some interesting partnership and go-to-market questions.

Arrange Inquiry with The Cyber Hut