It is no secret that the cybersecurity landscape is one of constant change. Seemingly every day a new tool is released, or an older tool becomes obsolete.

While traditional on-premises privileged access management (PAM) solutions are not quite obsolete, they do have characteristics that do not necessarily lend themselves to today’s cybersecurity environment.

What is the difference between traditional PAM solutions and modern cloud-based PAM solutions?

Traditional PAM solutions are installed, managed and self-hosted on-premises, while modern PAM solutions are delivered via the cloud, commonly through a SaaS (Software-as-a-Service) delivery model. As an on-prem solution, traditional PAM comes with a unique set of challenges when compared to the cloud-hosted alternative, especially when considering that most organizations now have specific cyber insurance policy requirements.

What are the benefits and challenges associated with traditional, on-premises PAM solutions?

The benefits of self-hosting a PAM solution can include:

• Greater control: When self-hosting a PAM solution, you have greater control over the configuration, management, and security of the solution. This allows for greater customization of the solution to meet your specific needs and requirements.
• Improved security: Self-hosting a PAM solution can improve your security posture by allowing you to implement your own security policies and controls. It can also ensure that an organization’s sensitive data is stored securely on-premises rather than in the cloud. However, many organizations don’t have the proper controls in place and may actually find more improvements in a cloud hosted solution.
• Better performance: Self-hosted PAM solutions can provide better performance than cloud-based solutions as a result of more control over hardware and infrastructure. This is often of particular importance for organizations with large or complex environments.

The challenges of self-hosting a PAM solution can include:

• High upfront costs: Self-hosting a PAM solution can require significant upfront costs, due to hardware, software, and infrastructure requirements.
• Maintenance and support: Self-hosting a PAM solution requires ongoing maintenance and support. This includes installing updates and patches, troubleshooting issues, and ensuring that the infrastructure is functioning properly. This can be time-consuming and require specialized skills and knowledge.
• Security risks: With self-hosting, the organization is responsible for ensuring the security of the PAM solution, which can be challenging. If security protocols are not properly configured or maintained, it can lead to vulnerabilities and expose the organization to increased risk.
• Scalability limitations: Self-hosted solutions can have limitations in terms of scalability. If an organization is growing rapidly or needs to accommodate additional users, devices, or applications, additional infrastructure and hardware investments may be required.
• Time-consuming deployments: The deployment and configuration of a self-hosted PAM solution can be a lengthy process requiring a high level of technical expertise. This can easily cause delays in getting the solution up and running, which can impact productivity and time-to-value.

What are the benefits and challenges associated with a modern, cloud-based PAM solution delivered as a service?

The benefits of self-hosting a PAM-as-a-Service  can include:

• Ease of deployment: Deployment is typically quick and easy. There is minimal hardware to set up and infrastructure to configure, as everything is managed by the service provider.
• Scalability: PAM solutions delivered as a service can be more scalable than self-hosted solutions, as the service provider manages underlying infrastructure and ensures resources are allocated appropriately. This may be of particular importance for organizations with rapidly changing environments or those supporting a large user base.
• Ongoing maintenance: Ongoing maintenance and updates are typically handled by the service provider, helping reduce the burden on IT and ensuring that the solution is always up-to-date and secure.
• Predictable costs: When delivered as a service, PAM solutions typically function on a “Pay as you go” model with low total cost of ownership (TCO).
• Integration with cloud services: PAM solutions delivered as a service can often be easily integrated with other services in your cloud environment, including identity and access management (IAM) solutions.

The challenges of utilizing a cloud-based PAM-as-a-Service can include:

• Dependence on service provider: Similar to how organizations are dependent on their own IT to manage traditional PAM, organizations are dependent on the service provider for the availability and security of the PAM solution. This can introduce risks if the provider experiences service disruptions or a security breach of their own.
• Limited customization: PAM services delivered as a service may have limited customization options, proving a challenge for organizations requiring specific features or integrations.
• Data residency and compliance: PAM services delivered as a service may not be available in all regions, and there may be compliance concerns if data is stored outside of specific jurisdictions or regulatory frameworks. This could be of extra concern for organizations required to abide by regulations like the General Data Protection Regulation (GDPR).

3 notorious user experience shortfalls in a traditional on-premises PAM solution

PAM solutions that use a traditional on-prem approach have three shortfalls that negatively impact user experience and increase risk. These shortfalls can be overcome with cloud PAM solutions.

• Password vaulting. PAM solutions that rely on vaulting passwords, like the root/domain admin use case, lead to a glaring issue - the access is always there and is always an attack surface. Even if the account is no longer needed or not actively in use, it sits as a potential doorway to be leveraged by attackers.
• Proliferation of hardware requirements. Another area in which traditional PAM falls short is the proliferation of hardware requirements in the form of jump-boxes. This additional hardware requires administrative oversight and adds further complication, slowing down privileged users trying to do their jobs. When security solutions make work cumbersome, end-users find ways to circumvent them.
• Discovery processes across the network. Traditional PAM does not adequately meet the needs of discovery processes across the network. As new servers and products get added, they require intervention to be integrated with the PAM solution. This is especially so with workstations where their ownership inventory changes often. Updating PAM manually does not scale, so assets get missed without proper discovery.

What to consider when choosing between self-hosted PAM and PAM delivered as a service

When deciding whether to use a self-hosted PAM solution or a PAM solution delivered as a service, there are several factors to consider:

• Control: A self-hosted PAM solution provides more control over the deployment and management of the system, while a cloud-based PAM solution is managed by the vendor.
  • Ask yourself: “Do you need complete control over the PAM solution or are you comfortable delegating management to a third-party?”
• Security: A self-hosted PAM solution can provide an extra layer of security since all data and access controls are managed and stored within your own network, but also properly configured maintained security protocols. On the other hand, a cloud-based PAM solution may provide the benefit of constant monitoring and patching by the vendor.
  • Ask yourself: “What are the security requirements of your organization and which option provides the level of security you need?”
• Scalability: A cloud-based PAM solution can be easier to scale up or down as your organization grows or changes. With a self-hosted PAM solution, you may need to invest in additional infrastructure and hardware to accommodate changes in scale.
  • Ask yourself: “What is the growth potential of your organization and the level of scalability you require?
• Technical expertise: A self-hosted PAM solution requires technical expertise in areas such as server management, security, and networking. If you do not have the necessary skills in-house, you may need to hire additional staff or contract with outside experts. A cloud-based PAM solution may require less technical expertise, but you may still need some level of expertise to manage and customize the system.
  • Ask yourself: “How much time does your staff have to devote to maintaining the solution? What is their level of technical expertise?”
• Cost: A self-hosted PAM solution can be more cost-effective in the long run but may require a significant upfront investment in hardware and infrastructure. A cloud-based PAM solution may require ongoing subscription fees, but less upfront investment.
  • Ask yourself: “Do you prefer a larger upfront investment or a more predictable costs?”

Should your organization utilize a traditional on-premises or a cloud-hosted PAM solution?

Ultimately, when deciding between a self-hosted PAM solution and a PAM solution delivered as a service, the decision will come down to your organization's specific needs and requirements. There is no one-size-fits-all.

Self-hosted PAM solutions may be a better fit for larger, enterprise-level organizations that require extensive customizations, increased security, have complex compliance requirements, and have a large team of technically experienced staff to support the tool.

On the other hand, PAM solutions delivered as a service tend to better fit organizations that are more focused on scalability, predictable pricing, and lack a large staff for implementing and managing the solution.

As a solution-agnostic company, MajorKey offers advisory services built to help organizations of all sizes analyze their current situation and develop a PAM roadmap. If you’re interested in speaking to an identity security expert, feel free to contact us to set up a meeting.

‍