
Evaluation Criteria for Privileged Access Management
Published: 30 July 2019 ID: G00384458

Analyst(s): Homan Farahmand

This document provides a comprehensive set of evaluation criteria for
assessing privileged access management offerings. Security and risk
management technical professionals focused on IAM can use this research
to formulate their requirements, create an RFP or assess existing PAM
deployments.

Table of Contents

Evaluation Criteria...................................................................................................................................2
Privileged Access Governance and Administration............................................................................5
Required.....................................................................................................................................5
Preferred.................................................................................................................................... 6
Optional......................................................................................................................................6
Privileged Account Discovery and Onboarding..................................................................................6
Required.....................................................................................................................................7
Preferred.................................................................................................................................... 7
Optional......................................................................................................................................8
Privileged Credentials Management.................................................................................................. 8
Required.....................................................................................................................................8
Preferred.................................................................................................................................. 12
Optional....................................................................................................................................13
Privileged Session Management..................................................................................................... 13
Required...................................................................................................................................13
Preferred.................................................................................................................................. 16
Optional....................................................................................................................................17
Privileged Access for Applications and Services............................................................................. 18
Required...................................................................................................................................18
Preferred.................................................................................................................................. 19

This research note is restricted to the personal use of [email protected].


Optional....................................................................................................................................20
Privileged Access Logging, Reporting and Audit.............................................................................20
Required...................................................................................................................................20
Preferred.................................................................................................................................. 21
Optional....................................................................................................................................23
Privileged Access Analytics and Response..................................................................................... 23
Preferred.................................................................................................................................. 23
Optional....................................................................................................................................25
Privileged Task Automation............................................................................................................. 26
Required...................................................................................................................................26
Preferred.................................................................................................................................. 27
Optional....................................................................................................................................27
Privilege Elevation and Delegation Management............................................................................. 27
Required...................................................................................................................................28
Preferred.................................................................................................................................. 31
Optional....................................................................................................................................32
Integration With Adjacent Systems................................................................................................. 32
Required...................................................................................................................................32
Preferred.................................................................................................................................. 34
Optional....................................................................................................................................34
Ease of Deployment and Availability................................................................................................35
Required...................................................................................................................................35
Preferred.................................................................................................................................. 37
Optional....................................................................................................................................38
Using the Criteria Toolkit....................................................................................................................... 38
Gartner Recommended Reading.......................................................................................................... 38

List of Figures

Figure 1. Evaluation Criteria for PAM: Scoring Spreadsheet (Sample)...................................................... 4

Evaluation Criteria
Privileged access management (PAM) is an essential, but complex, identity and access
management (IAM) discipline. It includes not only privileged credential management functionality but
also privileged session management (human/interactive), and privileged access for application and
services (nonhuman/programmable). It also includes privileged elevation and delegation
management for endpoints, governance, automation, audit and analytics capabilities.

This research presents comprehensive evaluation criteria to use when defining your requirements
and making PAM product selections and architecture decisions. Gartner developed this evaluation
framework to address current and future needs of its customers, categorizing PAM features as:

■ Required: Required features are essential features needed to develop, deploy and manage an
enterprise-grade PAM solution. Such solutions meet the minimum level of PAM features and
functions needed by typical Gartner clients. PAM products meeting fewer than all the required
criteria may still be employed for specific purposes in which there is some workaround for a
missing piece.
■ Preferred: Preferred features are supplementary features not necessary to satisfy the minimum
requirements of the typical large enterprise. However, they are frequently desired to address
specific needs, such as larger scales, better management and improved functionality. Gartner
considers these criteria to be “nice to have.” Such features often separate the best solutions
from good or average ones.
■ Optional: Optional features may be unique requirements of specific use cases or emerging
criteria that will become more important as time progresses.

Gartner considers the satisfaction of 100% of the required features as indicative of a mature PAM
solution that is ready for deployment in large-enterprise environments. Enterprises may choose to
deploy solutions that do not meet 100% of the required criteria, but they need to be aware of the
trade-offs associated with deploying a less complete solution.

This list of features is representative of typical requirements, but enterprises will want to add their
own requirements as well. Furthermore, they should not neglect the typical qualitative requirements
checklist they would use for any on-premises software or cloud-delivered solution, such as vendor
viability, performance testing, documentation quality, customer support capabilities, pricing and
contract terms.

To make it easy to customize the requirements, a companion Microsoft Excel spreadsheet is
available to download with this document. (See the Using the Criteria Toolkit section for more
information.) The spreadsheet is prepopulated with the listed evaluation criteria, making it easy for
Gartner clients to score a specific PAM vendor’s solution. Figure 1 shows what the scoring
spreadsheet looks like when populated with the ratings for a sample vendor. Gartner clients can
also modify the criteria spreadsheet by adding and deleting criteria.

Figure 1. Evaluation Criteria for PAM: Scoring Spreadsheet (Sample)

PAM solutions should be evaluated for the following capability criteria:

■ Privileged access governance and administration
■ Privileged account discovery and onboarding
■ Privileged credentials management
■ Privileged session management
■ Privileged access for applications and services
■ Privileged access logging, reporting and audit
■ Privileged access analytics and response
■ Privileged task automation
■ Privilege elevation and delegation management
■ Integration with adjacent systems
■ Ease of deployment and availability

Privileged Access Governance and Administration
This capability provides features and functions to formally manage privilege assignment, periodically
review and certify privileged access, and ensure segregation of duties based on a set of policies.

It is important to note that privileged access provisioning and deprovisioning is not a PAM solution
capability. Privileged access assignment is usually performed by identity governance and
administration (IGA) tools or through external directories. PAM systems may interact with IGA tools
to trigger automatic provisioning or deprovisioning of privileged access rights to users — based on
profile attributes, roles, group memberships, or approved access requests. PAM systems may also
interact with external directories to trigger tasks to assign and revoke privileges using a centralized
user and group structure. For example, smaller organizations may leverage user directories such as
Microsoft Active Directory (AD) for their user life cycle management. The PAM solution should have
the ability to integrate with AD so that the creation of users and group-based authorization for
access are granted and revoked entirely by the directory administration.

Required
■ Privileged access roles: The PAM solution must define key roles for privileged access
governance processes, such as requesters, approvers and reviewers:
■ Requester role: This role is defined with specific attributes to enable fine-grained
authorization for privileged access.
■ Approver role: This role is defined to respond to access requests by approving or denying
the requested access. A user can only be granted an approver role by explicit assignment
from an authorized administrator.
■ Reviewer (auditor) role: This role is defined with read-only rights for the purposes of
auditing. This role can review reports and session details, and export data for use in other
audit and reporting systems.
■ Privileged access policy: The PAM solution must define rules for granting permissions to
privileged access. In case of privileged accounts, these policies can be enforced for registered
users in an integrated directory (e.g., Active Directory) through role-based or attribute-based
access control mechanisms. The simplest form is by assigning a privileged role to a user or
adding a user to a privileged group. In the case of endpoints, these policies can be enforced to
elevate privilege to execute a command or application.
■ Privileged access request: The PAM solution must provide a business-friendly interface where
privileged users may request access to privileged accounts and credentials, as they start a
session, or persistently. This is to implement the approvals processes for privileged access. The
request can include granular information such as specific accounts and system, time and
duration of access, and reason for access.
■ Privileged access request approval: The PAM solution must gather any necessary approvals
for new privileged access requests. The approval process includes an authorized user who
controls whether to grant or deny access to a privileged account. The simplest form of approval
is via email. When an access policy defines that approval must be granted before access, an
email may be sent to a set of approvers. For example, these users can be the owners or
stewards of systems being accessed. A time-limited unique approval link is sent and must be
responded to before access is granted. In more advanced use cases, the approval process can
be automated via integration with workflow, IT service management (ITSM), or IGA systems.
■ Workflow: The PAM solution must automate the approval process for privileged accounts that
require permission from authorized users. PAM tools can use their own native rule-based and
task-driven workflow functions or integrate with other tools, such as ITSM or IGA, that have
similar functionality.
■ Privileged access review and certification: The PAM solution must gather information about
privileged access requested and actions by users. This information must be reviewed by
authorized individuals to ensure privileged users performed appropriate activities in target
systems. In rare cases where a user account may have long-term privileged access, it must be
certified that privileged access entitlements are still appropriate.
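The email approval flow in the Privileged access request approval criterion above turns on three properties of the approval link: it is unique, it is time-limited, and it is answered by the approver it was sent to. The following Python is an added illustration of how such a link can be built and checked; it is not Gartner's code nor any PAM vendor's implementation. The signing key, the in-memory registry of outstanding links, the `|`-separated token layout (request ids and approver names are assumed not to contain `|`) and the `pam.example.invalid` hostname are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode

# Signing key for approval tokens (generated here for the example; a real PAM
# server would keep it in its vault or an HSM-backed key store).
SIGNING_KEY = secrets.token_bytes(32)
SIG_LEN = hashlib.sha256().digest_size

# Outstanding single-use links: nonce -> approver the link was issued to (assumed in-memory store).
_issued = {}
# Decisions recorded for later review by the reviewer (auditor) role.
_decisions = []


def _pack(payload, sig):
    token = urlsafe_b64encode(payload + sig).decode()
    # Hostname is a placeholder; the console address is deployment specific.
    return f"https://pam.example.invalid/approve?token={token}"


def _unpack(url):
    raw = urlsafe_b64decode(url.split("token=", 1)[-1].encode())
    return raw[:-SIG_LEN], raw[-SIG_LEN:]


def issue_approval_link(request_id, approver, ttl_seconds=3600, now=None):
    """Return a URL carrying a token bound to one request, one approver and an expiry."""
    now = int(time.time()) if now is None else int(now)
    nonce = secrets.token_urlsafe(16)  # unique per link; this is what makes it single-use
    payload = f"{request_id}|{approver}|{now + ttl_seconds}|{nonce}".encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    _issued[nonce] = approver
    return _pack(payload, sig)


def redeem_approval_link(url, acting_user, decision, now=None):
    """Validate a link and record the approver's decision. Returns (ok, detail)."""
    now = int(time.time()) if now is None else int(now)
    try:
        payload, sig = _unpack(url)
        request_id, approver, expiry, nonce = payload.decode().split("|")
    except (ValueError, UnicodeDecodeError):
        return False, "malformed token"
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"  # tampered or forged link
    if now > int(expiry):
        return False, "link expired"
    if acting_user != approver:
        return False, "link not issued to this user"  # forwarded link
    if _issued.pop(nonce, None) is None:
        return False, "link already used or unknown"  # replayed link
    _decisions.append({"request": request_id, "approver": approver,
                       "decision": decision, "at": now})
    return True, decision
```

The checks run in the order signature, expiry, approver, single use, so a forged or stale link is rejected before it can consume the nonce, and the recorded decision is what the reviewer (auditor) role later inspects.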

Preferred
■ ITSM tools integration: The PAM solution should automate access request approvals through
integration with the enterprise ticketing systems (e.g., ServiceNow or BMC Remedy/Helix
ITSM). This integration validates a specific change management ticket that has been approved
(and in this case, privileged access approval is implicit). A user must provide a ticket number
before the system grants any access. The integration then verifies whether the ticket number is
accurate, in the correct state and assigned to the user requesting access. Alternatively, ITSM
systems could be used to create a new request for privileged access.
■ Identity governance and administration tools integration: The PAM solution should provide
connectors and/or APIs that allow external IGA tools to govern long-term privileged access
(which should be exceptional, not a rule), provision/deprovision privileged accounts and ensure
segregation of duties. IGA integration should enable central management and control of all
identities, including privileged identities and entitlements, to quickly detect and mitigate access
risks of privileged users, while ensuring compliance. Segregation of duties (SOD) controls check
existing and new privileged access requests for SOD policy violations.
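The ITSM tools integration criterion above describes the check a PAM solution performs before treating a change ticket as an implicit approval: the ticket number exists, the ticket is in the correct state, and it is assigned to the requester. The Python below is an added illustration of that check, not code from Gartner, ServiceNow or BMC; it goes slightly beyond the text by also confirming that the ticket names the requested system and that the request falls inside the approved change window. The ticket records, their field names and the sample timestamps are constructed for the example and do not reflect any real ITSM schema.

```python
from datetime import datetime, timezone

UTC = timezone.utc

# Constructed stand-in for an ITSM lookup. Field names are assumptions for this
# example, not the ServiceNow or Remedy/Helix schema.
_TICKETS = {
    "CHG0001234": {"state": "approved", "assigned_to": "alice", "ci": "db-prod-01",
                   "window_start": datetime(2019, 7, 30, 20, 0, tzinfo=UTC),
                   "window_end": datetime(2019, 7, 30, 23, 0, tzinfo=UTC)},
    "CHG0001235": {"state": "new", "assigned_to": "alice", "ci": "db-prod-01",
                   "window_start": datetime(2019, 7, 30, 20, 0, tzinfo=UTC),
                   "window_end": datetime(2019, 7, 30, 23, 0, tzinfo=UTC)},
    "CHG0001236": {"state": "approved", "assigned_to": "bob", "ci": "db-prod-01",
                   "window_start": datetime(2019, 7, 30, 20, 0, tzinfo=UTC),
                   "window_end": datetime(2019, 7, 30, 23, 0, tzinfo=UTC)},
}

# Constructed sample request times, one inside and one after the change window above.
IN_WINDOW = datetime(2019, 7, 30, 21, 0, tzinfo=UTC)
AFTER_WINDOW = datetime(2019, 7, 31, 1, 0, tzinfo=UTC)


def lookup_ticket(ticket_id):
    """In a real integration this is an authenticated API call to the ITSM system."""
    return _TICKETS.get(ticket_id)


def validate_change_ticket(ticket_id, requester, target_system, now):
    """Decide whether a ticket number justifies privileged access. Returns (ok, reason)."""
    ticket = lookup_ticket(ticket_id)
    if ticket is None:
        return False, "ticket not found"
    if ticket["state"] != "approved":
        return False, f"ticket state is '{ticket['state']}', not approved"
    if ticket["assigned_to"] != requester:
        return False, "ticket is not assigned to the requester"
    if ticket["ci"] != target_system:
        return False, "ticket does not cover the requested system"
    if not ticket["window_start"] <= now <= ticket["window_end"]:
        return False, "request is outside the approved change window"
    return True, "ticket verified; privileged access approval is implicit"
```

Each failure returns a distinct reason so the PAM audit log records why a ticket-backed request was refused rather than a bare denial.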

Optional
■ SCIM connectors: The PAM solution can leverage System for Cross-domain Identity Management
(SCIM) connectors to create users, manage group membership, remove users, and report on
general user and group information in target systems. SCIM is a broad integration standard that
could allow any governance tool to integrate with target systems.

Privileged Account Discovery and Onboarding
This capability provides features and functions to identify and onboard all privileged accounts and
related credentials in all platforms and environments, including scanning of the environment on an
ad hoc basis or continuously.

Required
■ Privileged accounts and credentials discovery use cases: The PAM solution must
automatically discover privileged accounts on managed systems/devices and endpoints,
including the following use cases:
■ On-demand: To run autodiscovery on demand
■ Scheduled: To schedule the discovery to run automatically on a scheduled basis
■ Batch/bulk: To import multiple privileged accounts in batch mode
■ Manual: To manually create privileged accounts within the user interface
■ Target systems enrollment and privileged account onboarding: The PAM solution must add
systems/endpoints and new or modified privileged accounts manually on an ad hoc basis, in
bulk, via IGA integration, or via API, command line interface (CLI), or as part of an orchestration
process. Windows account discoveries must be able to classify them as a local account or
domain account as well as either privileged or not privileged. In addition, the discovery must
find Windows Services and Windows Scheduled Tasks that use the detected privileged
accounts. UNIX account discoveries must be able to classify them as local account or Secure
Shell (SSH) key and find the key trusts.
■ Virtual machines discovery: The PAM solution must enumerate virtualization platforms
(including IaaS/PaaS) and automatically enroll virtual machines and services. For example, when a
VM is created or cloned, the solution should enroll and onboard all of its privileged accounts.
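The Target systems enrollment criterion above requires UNIX account discovery to classify accounts and to find SSH key trusts. The Python below is an added illustration of that part of discovery on one host; it is not Gartner's code nor a vendor's discovery engine. The passwd, group and authorized_keys contents are constructed, the key blobs are placeholder bytes rather than real SSH keys, and the assumption that membership in the sudo, wheel or root group confers privilege is a simplification (a real discovery would also read sudoers and access configuration).

```python
import base64
import hashlib

# Constructed inputs standing in for files collected from a managed host.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
deploy:x:1001:1001:Deploy svc:/srv/deploy:/bin/sh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
"""
GROUP = """\
root:x:0:
sudo:x:27:alice
wheel:x:10:
"""


def _blob(tag):
    # Placeholder key material (not a real key); only the fingerprinting logic matters here.
    return base64.b64encode(b"ssh-ed25519\x00" + tag.encode()).decode()


# Constructed authorized_keys lines per account; the same key appears under several accounts.
AUTHORIZED_KEYS = {
    "root": [f"ssh-ed25519 {_blob('laptop')} alice@laptop"],
    "alice": [f"ssh-ed25519 {_blob('laptop')} alice@laptop",
              f"ssh-ed25519 {_blob('ci')} ci-runner"],
    "deploy": [f"ssh-ed25519 {_blob('ci')} ci-runner"],
}

ADMIN_GROUPS = {"sudo", "wheel", "root"}  # assumption: membership confers privilege


def fingerprint(pubkey_line):
    """SHA256 fingerprint in OpenSSH's 'SHA256:<base64 without padding>' form."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_groups(group_text):
    members = {}
    for line in group_text.splitlines():
        name, _, _, users = line.split(":")
        members[name] = {u for u in users.split(",") if u}
    return members


def discover_accounts(passwd_text, group_text, authorized_keys):
    """Classify each local account and attach the fingerprints of keys it trusts."""
    groups = parse_groups(group_text)
    accounts = {}
    for line in passwd_text.splitlines():
        name, _, uid, _, _, _, shell = line.split(":")
        uid = int(uid)
        in_admin_group = any(name in groups.get(g, set()) for g in ADMIN_GROUPS)
        accounts[name] = {
            "uid": uid,
            "privileged": uid == 0 or in_admin_group,
            "interactive": not shell.endswith("nologin"),
            "ssh_keys": [fingerprint(k) for k in authorized_keys.get(name, [])],
        }
    return accounts


def key_trusts(accounts):
    """Map each key fingerprint to the set of accounts that trust it."""
    trusts = {}
    for name, info in accounts.items():
        for fp in info["ssh_keys"]:
            trusts.setdefault(fp, set()).add(name)
    return trusts


def privileged_keys(accounts):
    """Keys trusted by at least one privileged account: these are credentials to onboard."""
    return {fp for fp, users in key_trusts(accounts).items()
            if any(accounts[u]["privileged"] for u in users)}
```

Cross-referencing by fingerprint is what exposes the trust structure: a key accepted by both root and an ordinary account, or shared between a human and a service account, is a single credential whose rotation affects every account that trusts it.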

Preferred
■ Discovery mechanism: The PAM solution autodiscovery should find new systems and
endpoints within the enterprise using multiple mechanisms, such as:
■ AD scan: Connect to Microsoft AD and query for systems and devices to manage, and
automatically add them to the PAM system.
■ LDAP scan: Connect to an LDAP directory and query for systems and devices to manage,
and automatically add them to the PAM system.
■ Configuration management database (CMDB) query: Connect to an existing CMDB,
query for systems and devices to manage, and automatically add them to the PAM system.
■ IP scan: Perform a scan of IP ranges and identify systems and devices to manage and
automatically add them to the PAM system.
■ Simple Network Management Protocol (SNMP) scan: Use SNMP to identify systems and
devices to manage, and automatically add them to the PAM system.
■ SSH keys scan: Discover SSH keys, and where they are stored and leveraged in the
environment.

■ Access configuration: Discover and compare access security configuration, such as a
sudoers file, access.conf or sshd_config.
■ Account discovery: Discover and onboard new privileged accounts on managed systems
and endpoints. Account discovery must support systems such as AD, Lightweight Directory
Access Protocol (LDAP), UNIX/Linux, Windows proxy and Windows remote at minimum.
This function should evolve to cover broader systems, such as databases and applications.

Optional
■ IGA integration: The PAM solution should optionally provide connectors and/or APIs that allow
external IGA systems to automatically provision and deprovision privileged users.
■ Orphan privileged users discovery and offboarding: The PAM solution should leverage
integration with IGA tools to identify orphan users with privileged access and offboard them
from the system.

Privileged Credentials Management
This capability provides core features and functions to manage and protect system- and enterprise-defined
shared account credentials or secrets. These include generation, vaulting, retrieval and
rotation for interactive access to these credentials by individuals, and brokering access to these
credentials for application and service connectivity.

Required
■ Access to PAM server:
■ PAM server access channels: The PAM solution must be accessible through a web
console and API at minimum. Other means of access, such as client software, are optional.
■ PAM server authentication: The PAM solution must positively confirm the identity of
privileged users or entities (applications or services) before granting access to any privileged
credentials.
■ PAM server multifactor authentication: The PAM solution must have the ability to require
multifactor authentication for users of the solution.
■ PAM server single sign-on (SSO) and federated authentication: The PAM solution must
have the ability to leverage federated authentication for users of the solution to gain access
to the PAM server.
■ Access to managed credentials:
■ Managed credentials visibility: The PAM solution must restrict the view that solution users
have over the managed credentials to only the systems for which they have been given the
capability to request access.
■ Managed credentials grouping: The PAM solution must have the ability to automatically
categorize managed credentials into logical groups to allow assignment of permission and
role. For example, all Windows Server local administrator accounts must be grouped for
access by Windows Server administrators.
■ Role-based access: The PAM solution must have the ability to define what role a user has
in relation to groups of one or more privileged accounts and which access policies apply for
that role. This is necessary for controlling the segregation of duties.
■ Policy management: The PAM solution must have the ability to define policies that control
who may gain privileged access, how, when and where.
■ Credential vault:
■ Vault implementation: The PAM solution must store privileged credentials in an encrypted
vault (aka safe), protected by managed keys that are automatically generated, stored and
used, either in software or in a FIPS 140-2 validated cryptographic module, with strong
encryption such as AES-256. The vault must meet security and industry regulations.
■ Vault management: The PAM solution must centralize the administration, storage, release
and audit of privileged account credentials such as passwords, SSH session keys,
cryptographic secrets and other credentials.
■ Credential management:
■ Credential generation: The PAM solution must have the ability to specify the criteria by
which new credentials are generated. For example, in case of passwords, this should
include minimum length, maximum length, required number of uppercase letters, required
number of numeric characters and the required number of symbol characters. The ability to
specify subsets of each class of character type (uppercase, lowercase, number, symbol) is a
plus. The solution should have the ability for multiple rules to be defined to accommodate
different scenarios.
■ Credential retrieval for interactive (human) use cases: The PAM solution must have the
ability for users to check out credentials. Human users should be able to access
credentials. This could happen through the PAM solution revealing the credential in clear
text, or copying the clear text credential to the clipboard. However, revealing credentials
should be rare — the typical access scenario should be via privileged session management
(see the Privileged Session Management section).
■ Credential injection: The PAM solution must have the ability for users and applications/
services to inject credentials for privileged usage. The solution must inject credentials/
passwords into the session management connections to target systems, so the user does
not need to type or even know the credential/password. Credentials can also be injected
programmatically via API and CLI for nonhuman applications/services for application/
service scenarios.
■ Credential retrieval for noninteractive (nonhuman) use cases: The PAM solution must
have the ability for applications and services to retrieve credentials via API. This includes
application/service to application/service credential access for a variety of application/
service types in different architecture approaches from custom, commercial off-the-shelf,
and cloud-native applications and services that are built using DevSecOps tools and
methodologies.
■ Credential exclusive check-out: The PAM solution must provide the ability to enforce
exclusivity, so that only a single privileged user may check out and use a credential at a
time.
■ Credential update: The PAM solution must have the ability to update credentials/
passwords automatically on target systems according to organizational policy and store the
new credentials/passwords in a central encrypted location. Administrators should be able to
configure the policies to periodically change account credentials and passwords as needed
for security and compliance reasons. Key features are:
■ Manual credential update: The ability to manually trigger the generation of a new
credential for a selected account.
■ Bulk credential update: The ability to select one or more accounts and initiate a
credential change across all accounts at the same time.
■ Credential change after exposure: The ability to trigger a credential change each time
the credentials have been revealed (i.e., directly exposed in clear form to a user).
■ Credential synchronization: The ability to link accounts together so that the credential for
all linked accounts is the same when automatically managed.
■ Credential verification and reconciliation: The ability to periodically verify account
credentials and passwords. If the credential or password stored in the vault does not match
the one on the target system, the verification fails. If a verification task fails, the solution
should be able to automatically reconcile (reset) the account credential/password so that
there is no longer a mismatch and the correct password is known to the PAM solution.
■ Managed functional accounts: The PAM solution must have the ability to define and
manage functional accounts used by the solution to facilitate credential management
without relying on the accounts available for system access. This ensures that the account
used to manage credentials is maintained separately from those used for user access to
enforce segregation of duty, which is often overlooked.
■ Disconnected credential management: The ability to change credentials on disconnected
systems while keeping synchronization with the solution.
■ Key management: The PAM solution must be able to store, protect, manage and control
access to SSH keys at a centralized point using a robust policy management engine. This
includes proactive protection of private SSH keys and passphrases, SSH key rotation, and
monitoring of SSH session activities to detect threats.
■ Privileged access coverage supported:
■ Account types: The PAM solution must support the management of credentials of all types
according to platforms such as operating systems, databases, security appliances, network
devices, directories, applications and cloud services. This includes support for credential
protection and rotation for all these platforms, whether they are used by humans,
applications or services.
■ APIs: The PAM solution must support web-based APIs and modern languages used for
credential management. The solution SDK must provide a variety of APIs, such as
Java, .NET, COM, CLI and C/C++, to offer flexibility in managing credentials via API. For
example, external applications would be able to check out an account or (in rare cases)
implement a connector for credential rotation on a legacy system.
■ Target systems: The PAM solution must have the ability to manage accounts on any
system by using APIs and SDKs for Windows systems, leveraging interactive access
protocols such as SSH and Telnet, and web applications. This includes common directories,
operating systems, databases and network devices, at minimum.
■ Clusters and highly available applications: The PAM solution must have functions (such
as the support for account pools) to rotate service and application accounts on highly
available applications and clusters.
■ Service accounts support: The PAM solution must have the ability to manage a domain
account not used by a physical user but used by the operating system to run the software. The
solution will synchronize multiple copies of Windows accounts that have been changed and are
used in different resources, such as Windows Services, scheduled tasks, IIS Application Pools
passwords, COM+ applications, and IIS Directory Security (anonymous access) passwords.
Some of the key features include:
■ Management of Windows service accounts: The ability to update Windows service
credentials across target systems when a password change is done. This includes restarting
Windows services that are running, as well as stopping and restarting all dependent services
as part of the restart of the target service. If services are clustered, they must use the proper
cluster APIs to avoid destroying the target cluster.
■ Management of Windows scheduled tasks: The ability to update the managed
credentials associated with Windows scheduled tasks across target systems when a
password change is done.
■ Management of different types of applications: The ability to propagate new passwords
to different types of applications, such as COM+ or Distributed Component Object Model
(DCOM), using target service credential identity.
■ Management of Internet Information Services (IIS): The ability to propagate new
password to IIS anonymous, application pool and network credentials using target service
credential identity.
■ SCOM Run As accounts: The ability to propagate new passwords to SCOM Run As
credentials using target service credential identity.
■ Management of SQL Server accounts: The ability to propagate new passwords to
credentials in SQL Server (linked accounts) using target service credential identity.

■ Management of accounts in .NET config IIS data sources: The ability to propagate new
passwords to .NET configuration data sources in IIS, including when the configuration
section is encrypted, using target service credential identity.
■ Management of credentials in flat files: The ability to propagate new passwords to flat
files, such as scripts, config, text or binary files without any agents or SDK requirements,
using target service credential identity.
■ Management of SharePoint server: The ability to propagate new passwords to SharePoint
configuration targets using target service credential identity.
■ Management of login cache: The ability to propagate target service account credential
information to target server so services and processes using the account can continue to
log in even when domain resources are unavailable.
■ Management of autologon credentials: The ability to propagate new passwords to
Windows autologon configurations using target service credential identity.
■ Management of SQL Reporting Services: The ability to propagate new passwords to SQL
Server Reporting Services action account configurations using target service credential
identity.
■ Run arbitrary process to update arbitrary target application/system: The ability to run
an additional process such as a script, .exe, or API call to perform service account or
credential update to locations without a built-in connector.
■ Enable local cache option for secure service account credential: The ability to provide a
local cache with secure storage so passwords can be propagated and stored to a local
server location for retrieval even when password management solution is unavailable.
■ Disconnected system and privileged accounts: The ability to manage privileged credentials
for systems when disconnected from the network, such as Windows, Linux/UNIX, OSX and
other platforms. No information must be passed or stored between the primary PAM solution
and disconnected endpoints.
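
The service account criteria above require that a password change restarts every service running as the account and, first, stops and later restarts everything that depends on those services. The following Python is an added example of that planning step, not code from the Gartner note or from any PAM product. The service inventory is constructed for illustration; on a real host it would come from the Service Control Manager (each service's logon account and its DependOnService list), which this example does not query.

```python
"""Dependency-ordered restart plan for a Windows service account rotation.

Added example; this is not code from the Gartner note or from any PAM product.
The service inventory is constructed for illustration. On a real host it would
come from the Service Control Manager (Win32_Service StartName plus each
service's DependOnService list), which this example does not query.
"""
from collections import defaultdict

# Constructed inventory: service name -> (logon account, services it depends on)
SERVICES = {
    "Sql":       ("CORP\\svc_sql", []),
    "ReportSvc": ("CORP\\svc_sql", ["Sql"]),
    "Web":       ("NT AUTHORITY\\NetworkService", ["ReportSvc"]),
    "Sched":     ("CORP\\svc_sql", []),
    "Audit":     ("CORP\\svc_audit", ["Sql"]),
}


def credential_targets(services, account):
    """Services whose stored logon password must be replaced for `account`."""
    return sorted(n for n, (acct, _) in services.items() if acct.lower() == account.lower())


def restart_plan(services, account):
    """Return (stop_order, start_order) for a password change on `account`.

    Each service logging on as the account must be restarted to pick up the new
    password. Anything that depends on such a service, directly or through a
    chain, has to be stopped first and started again afterwards; otherwise the
    SCM refuses the stop, or the dependents fail when their dependency goes away.
    """
    dependents = defaultdict(list)
    for name, (_, deps) in services.items():
        for d in deps:
            dependents[d].append(name)

    affected = set(credential_targets(services, account))
    pending = list(affected)
    while pending:                       # transitive closure over dependents
        for child in dependents[pending.pop()]:
            if child not in affected:
                affected.add(child)
                pending.append(child)

    start, seen = [], set()

    def visit(name):                     # depth-first: dependencies before dependents
        if name in seen:
            return
        seen.add(name)
        for dep in services[name][1]:
            if dep in affected:
                visit(dep)
        start.append(name)

    for name in sorted(affected):        # sorted for a deterministic plan
        visit(name)
    return list(reversed(start)), start


if __name__ == "__main__":
    stop, start = restart_plan(SERVICES, "CORP\\svc_sql")
    print("set new password on:", credential_targets(SERVICES, "CORP\\svc_sql"))
    print("stop order :", stop)
    print("start order:", start)
```

Note that Web is pulled into the plan even though it runs as NetworkService: it depends on ReportSvc, so it must be stopped before ReportSvc restarts. A clustered service would need the cluster resource API instead of a plain stop/start, as the criteria state.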

Preferred
■ Pluggable architecture for not-yet-defined target systems: The PAM solution should have
the ability to be extended using a pluggable architecture for platforms that are not yet covered.
These would include new cloud services or on-premises devices and systems that are not
simply SSH- or Telnet-based. The solution should allow users to create their own custom
extensions to discover and manage these systems/devices and related privileged accounts.
■ Access to cloud providers’ secrets: The solution should be able to further integrate with cloud
providers to allow seamless secret management. For example, the solution can be further
integrated with Amazon CloudWatch and AWS Lambda to enable the automatic onboarding of
SSH keys as new instances are created to reduce risk. This includes deleting the SSH keys as
these instances are terminated. This integration is ideally suited for elastic cloud environments
where new instances are routinely spun up and down dynamically.

Optional
■ Managed account aliases: The PAM solution may have the ability to define aliases for
managed accounts across systems. This is useful for obfuscating the account names used in
API requests from the actual account names of the managed accounts.
■ Personal credentials management: The PAM solution may provide a secure personal
password store that is separate from other managed or shared credentials and can only be
managed by end users. Personal password access can be granted to third parties by the end
user.
■ Secure file storage: The PAM solution may provide a secure file store in which the admin or
users can upload and maintain copies of the data or documents within the vault. Typical uses
are old password lists, keys, certificates and licenses.

Privileged Session Management


This capability manages privileged sessions for human users, from initial authentication
through checking a privileged credential out and back in again. It provides the core features
and functions to isolate and monitor privileged sessions, and it can restrict users to
authorized operations on a target system. It includes session recording/replay, real-time
monitoring, protocol-based command filtering and session separation.

Required
■ People interactive privileged access:
■ On-premises: The PAM solution must have the ability for authorized users on a typical
organization’s internal network to log in with their domain account to manage and use
privileged credentials that they are authorized to access.
■ In the cloud: The PAM solution must have the ability for authorized users to manage and
use privileged credentials outside the organization’s standard network in an environment
that is hosted by a vendor that supports the infrastructure of many entities. This may require
installing a credential management server in the cloud environment to enable users to verify,
update and reconcile privileged accounts in the cloud.
■ Third-party remote: The PAM solution must have the ability for authorized third parties or
contractors to gain privileged access to authorized target systems to perform authorized
tasks.
■ Privileged access to target systems:
■ Automated login with privileged credentials: The PAM solution must provide automated
login to managed endpoints using privileged credentials without revealing the credentials to
users. This is implemented when users directly use a privileged credential to access a
system.
■ Automated transparent login with unprivileged credential: The PAM solution must
provide transparent unprivileged login to a system when security requirements do not
allow direct access to the system with privileged credentials. This is implemented by
defining unprivileged login accounts that are used to reach target systems before the
transition to the managed privileged account. The login account establishes the
connection; a mechanism such as "su" is then used to switch to the managed privileged
account.
■ Supported protocols: The PAM solution must support a variety of native protocols to connect
to systems and applications natively, including Remote Desktop Protocol (RDP), SSH, Telnet
(e.g., for industrial control systems) and native web access.
■ Managed sessions: The PAM solution must have the ability to present the user with a fully
authenticated session to a target system using a managed credential. Authentication should be
done (for example, from the solution proxy, or via tunneling or credential injection) to the target
system, meaning the credentials are never exposed to the user. The client accesses the
connection through native tools, reducing the overhead of learning new systems. Essential
protocols are RDP, SSH, Telnet, and Virtual Network Computing (VNC). This eliminates the need
for users to ever have direct access to credentials (except for rare scenarios, such as system
recovery).
■ Application session isolation: The PAM solution must have the ability to isolate users’
application sessions and their applications from target machines without divulging passwords
or secret keys. That requires the solution to present the user with a fully authenticated session
to a managed application using a managed credential. Authentication is done to the managed
application system, meaning the credentials are never exposed to the user. The client accesses
the connection through native tools such as RDP clients and SSH clients. This commonly uses
existing Microsoft Remote Desktop Services for Windows applications, published as
RemoteApps or servers hosting text-based applications on SSH-based connections. The
solution should provide mechanisms to support command line credential injection, user
interface credential injection (injecting credentials into a thick client or browser) and keystroke
automation (sending the necessary keystrokes to the application to inject credentials). Also,
users should be able to configure session management to start the connection by launching a
dedicated application or services on the target machine that cannot be minimized or escaped to
attempt to use other apps. Common examples are browser-based sessions, Active Directory
Users and Computers (ADUC), DNS, Kubernetes cert-manager, Task Manager, services, and
command line.
■ Session recording: The PAM solution must have the ability to record managed sessions
without needing an agent on either the target system or the client workstation. Recording
can be done over HTTPS (without the need to open the enterprise firewall to native protocols
such as SSH and RDP), or it may be done using standard RDP clients that let users connect
from their desktop to the target machine through the solution. The recording should
preferably happen on the proxy server, as is common practice, and not on the user's
machine or via an agent; recording at the proxy ensures that nothing can be hidden or
omitted from the recording. However, agent-based session recording/logging is much more
granular and complete.
■ Playback: The solution provides DVR-like playback controls for session replay, allowing
review of the entire session, ability to back up and replay portions of the session, or fast-
forwarding to specific points in the timeline to evaluate activities and violations.
■ Always-on: The solution supports always-on session recording for all or specific privileged
accounts.
■ Forwarding: The solution supports recording and forwarding session activity to SIEM tools
for further examination and automation.
■ Append: The solution supports appending metadata, such as event markers, to the session
recording data so that reviewers can easily detect and fast-forward to policy violations or
high-risk activities.
■ Storage: The solution provides mechanisms to externally save or back up session
recording data to address long-term storage compliance mandates.
■ Capacity: The solution supports recording all privileged user access and activities for the
entire enterprise.
■ Session monitoring: The PAM solution must have the ability to view live sessions and take
actions on a session, such as:
■ Locking/unlocking the session (prevent the user interacting with the target system)
■ Terminating the connection (close the user’s connection to the target system)
■ Terminating and canceling the connection (close the connection and cancel the request for
access preventing reconnection)

Viewing sessions to target systems and taking part in controlling them should be according to
predefined policies and configurations. This enables authorized users to supervise live sessions
and enables two users to perform a procedure concurrently. Access to this capability requires
explicit authorization.
■ Session auditing and review: The PAM solution must have the ability for recorded sessions to
be audited and reviewed for compliance and remediation purposes. It should be possible to add
comments and mark sessions as reviewed, with attribution to the user completing the activity.
Access to this capability requires explicit authorization.
■ Remote privileged access: The PAM solution must record and control secure remote
privileged access sessions, whether inside a company network or from a third-party or
contractor outside of the corporate network. The solution must offer zero-install secure access,
such as using an HTML5 gateway that tunnels the session between the end user and the
session management proxy machine using a secure WebSocket protocol. This approach, for
example, eliminates the requirements to open an RDP connection from the end user’s machine.
Instead, the end user requires only a web browser to establish a connection to a remote
machine through the session management solution. This can eliminate the need for allowing
RDP protocol to flow inbound from less secure networks toward more secure networks.
■ Session credential management: The PAM solution must use credentials stored in the vault/
safe for all session types. This allows credentials to be injected when accessing a system.
■ Multisession support: The PAM solution must have the ability to run multiple simultaneous
sessions. The user can easily navigate between multiple sessions, enhancing productivity.
■ Session management deployment models:
■ Browser: Session management should have the option to use HTML5 in the browser. This
gives auditors and security teams the ability to monitor, suspend or terminate privileged
sessions through HTML5 gateways, which eliminate the requirement to open an RDP
connection from the user endpoint.
■ Jump box: Session management should have the option to use a jump box for session
isolation, control and monitoring. Examples are:
■ Windows-based session management jump box: For recorded and isolated
connections to just about any system.
■ Specialized SSH jump box: For multiple active sessions that allow UNIX and Linux to
use their native clients without a change to their workflow.
■ Different session management jump box for the cloud: To provide organizations with
a native, unified approach to securing access to multiple cloud platforms, applications
and services that preserve the benefits of a privileged session manager, such as
isolation and monitoring.
■ Proxy: Session management should have the option to use a proxy for session isolation,
control and monitoring.

Preferred
■ Access console:
■ Web or native remote access console: The PAM solution should enable alternative
remote access through HTML5 or a thick client that removes the need to connect through
native access methods like an RDP client or PuTTY, which must be run locally.
■ Mobile remote access console: The PAM solution should enable native iOS and Android-
based consoles that allow for privileged session run from mobile devices. It should be noted
that this option is less common but may be useful for certain use cases.
■ Access console verification: The PAM solution should allow defining the networks from
which access consoles may be used, or require two-factor authentication to log into the
access console (applied as needed using a risk-based approach).
■ MFA (including smart cards) for sensitive sessions: The PAM solution should provide the
ability to reauthenticate users using methods other than password entry. Prompts should be
configurable to allow authentication options, including password, smart card, algorithm-based
response codes and designated user override. When a prompt requests credentials, it should
be presented on the secure endpoint interface for enhanced security.
■ Just-in-time (aka, ad hoc or on-demand) privileged access session: The PAM solution should
have the ability to grant temporary administrative access to a particular system for a predefined
time frame and/or set of tasks.
■ Access to Windows local admin accounts: The solution should be able to get access to
target machines for Windows local admin accounts for a predefined time frame, after which
the account access is automatically expired. Users can access the target machine using
their own Windows Domain credentials and any native tools during the access period. The
solution should have workflow/approval options that allow the user to request to be added
to the target system’s administrators group according to the just-in-time (JIT) policy
parameter after which the user is automatically removed.
■ Access to UNIX/Linux local superuser accounts: The solution should be able to set and
manage least-privilege policies for all users and systems, where users are required to have
access granted just-in-time to establish a session with privileges to run superuser
commands. To fulfill the just-in-time principle, admins can set policy that requires end users
to specify a time frame for which they need access as part of their request. After that, their
elevated level of privilege is revoked, and they must request again.
■ Access to cloud providers’ power users: The solution should be able to integrate with
cloud providers for just-in-time privileged access. For example, the solution should
integrate with AWS Security Token Service (STS) to automatically generate a role-based
and/or policy-based temporary session for the AWS Management Console or for API
access. Sessions can be recorded and set up to be valid only for a certain period of time. In
addition, all active sessions can be monitored by security teams in real time, and even
terminated in case of suspected misuse or potential attack.

Optional
■ Session sharing: The PAM solution may allow a user to share a session with a team member
with appropriate permissions to enable team collaboration.
■ Long-standing sessions between multiple users: The PAM solution may be able to run a
session in the background while allowing users to connect to it. This is particularly useful
for manufacturing environments that have a limited number of terminal-based sessions
(sometimes over serial protocols) that are used by multiple users.
■ Access invite: The PAM solution may allow inviting an internal or external user with
appropriate permissions into a shared session with one-time, limited access.
■ Session recording autostart: The solution may start session recording automatically when a
policy is violated or when unusual behavior is detected.
■ Session command filtering: The PAM solution may restrict unauthorized commands executed by
a privileged user on a network device or any SSH-based target system. Whitelisting or
blacklisting SSH commands in managed sessions gives an organization the ability to block
unauthorized SSH commands if attempted by a privileged user on a network device or any
SSH-based target system. Users connect transparently to a target system or device through
the session management solution and can then run only the commands allowed for them by the
organization's security policy as defined in the vault/safe. Unauthorized commands are
blocked and never sent to the target, which prevents malicious or unintentional commands
from being sent over SSH sessions. Because a proxy filter sees only what the user types,
not what a script, alias or wrapper on the target then executes, it complements rather than
replaces least-privilege controls on the target itself.
■ Session policy: The PAM solution may allow customizing session permissions to fit specific
scenarios, such as the specific endpoint being supported. Session permission policies give
flexibility in building the security model for each scenario, with granular levels of access
beyond roles or user permissions.
■ Session restrictions: The PAM solution may allow granular control over which applications
are available within a session. This limits access to specified applications on the remote
Windows or Linux system by either allowing or denying a list of executables. It may also
allow/deny desktop access, or disable the endpoint's mouse/keyboard input and conceal the
screen to avoid interference and ensure privacy while working.

Privileged Access for Applications and Services


This capability manages privileged access for nonhuman use cases such as machines, applications,
services, scripts, processes and DevSecOps pipelines. It includes transparently providing a
credential to nonhuman entities (e.g., via API) to authenticate to other systems directly or via
orchestration tools and managing authorizations and related functions.

Required
■ Application-to-application or application-to-database: The PAM solution must have the
ability to secure application-to-application (or database) access by enabling proactive controls
on privileged credentials embedded in applications, service accounts and scripts. These
controls include rotation of the accounts that applications use. The solution should provide
application admins and developers with easy-to-use software tools to retrieve credentials from
the vault (safe) or a secure cache using a single function call in a CLI or native API for COM,
Java, C/C++ and .NET on a variety of platforms. This enables organizations to eliminate
hard-coded credentials and automate credential rotation.
■ Identity management for nonhuman entities: The PAM solution must provide identity
management capability for registering and managing the life cycle of nonhuman entities, such
as machines, applications or services. The solution should provide user and group
management to enable authentication and authorization of nonhuman entities that
programmatically access other systems using managed credentials or secrets. This includes
providing:
■ Multiple authentication strategies: The PAM solution must have the ability to implement
credential-based and/or attribute-based authentication, including flexible and extensible
security automation workflows for a variety of system-to-system use cases. Examples are
secrets management, SSH, traffic authorization, container environments and custom
access control scenarios. The attribute authentication mechanism can be based on a central
identity data repository (CIDR), operating system user, application signature and container
attributes, as well as certificates.
■ Multiple authorization strategies: The PAM solution must have the ability to implement
role-based access control (RBAC) and attribute-based access control (ABAC)
methodologies by defining roles and policies to authorize nonhuman entities to access
other systems. This includes access control per environment, such as limiting development
build servers and test automation tools from accessing production secrets. It also includes
implementing full segregation between different applications and humans, ensuring entities
use only secrets they are entitled to access.
■ Secrets management: The PAM solution must provide creation, secure storage, retrieval,
update and retirement of secrets or credentials for application and service connectivity to other
applications and services in heterogeneous environments. This includes username/password,
RSA keys, SSH keys and text documents (e.g., JavaScript Object Notation [JSON] or YAML).
■ API support: The PAM solution must support all popular application APIs and SDKs, such as
REST, .NET, Go, Ruby, Java, Python, C/C++ and CLI. The solution must support multiple API
options to answer the different needs of the developer, in addition to the CLI option for
operators.
■ Applications and services API-less credential handling: The PAM solution must have
components to handle credentials used by applications or services running on application
servers for connecting to systems such as databases. The solution should have components for
providing and brokering credentials from secret/credential management services in a
heterogeneous environment. Examples of secret/credential sources are public-key infrastructure
(PKI) and key management services, as well as secret vaults from different PAM or secret
management vendors, cloud providers, Kubernetes secrets providers, and Keychain. The
application secrets/credentials should be fetched and injected by these components securely
and automatically, with minimum changes to application code.
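
The authorization criteria above call for RBAC and ABAC over nonhuman identities, with environment fencing (build servers kept away from production secrets) and segregation between applications. The Python below is an added example of such a policy decision, not code from the Gartner note or from any PAM product. The identities, roles, secret paths and attribute rules are all constructed for illustration.

```python
"""Role-based plus attribute-based authorization of nonhuman identities to secrets.

Added example; not code from the Gartner note or from any PAM product. The
identities, roles, secret paths and attribute rules are constructed to show the
environment fence and application segregation the criteria describe.
"""
from dataclasses import dataclass, field


@dataclass
class Identity:
    name: str
    kind: str                                   # "service", "ci-runner" or "human"
    env: str                                    # "dev", "test" or "prod"
    roles: set = field(default_factory=set)
    attrs: dict = field(default_factory=dict)   # e.g. {"app": "payments"}


@dataclass
class Secret:
    path: str
    env: str
    owner_app: str


# RBAC: role -> secret path prefixes the role may read.
ROLE_GRANTS = {
    "payments-reader": ("apps/payments/",),
    "billing-reader": ("apps/billing/",),
    "platform-admin": ("apps/",),
}


def rbac_permits(identity, secret):
    return any(secret.path.startswith(prefix)
               for role in identity.roles
               for prefix in ROLE_GRANTS.get(role, ()))


def abac_permits(identity, secret):
    """Attribute rules evaluated after the role check; the first failure denies."""
    if identity.kind == "human":
        return False, "human identities use credential checkout, not the machine API"
    if identity.env != secret.env:
        return False, f"{identity.env} identity cannot read {secret.env} secrets"
    if identity.kind == "ci-runner" and secret.env == "prod":
        return False, "build and test automation is fenced from production secrets"
    if identity.kind == "service" and "platform-admin" not in identity.roles \
            and identity.attrs.get("app") != secret.owner_app:
        return False, f"cross-application access to {secret.owner_app} material"
    return True, "permitted"


def authorize(identity, secret):
    """Combined decision: RBAC decides the scope, ABAC decides the context."""
    if not rbac_permits(identity, secret):
        return False, "no role grants this path"
    return abac_permits(identity, secret)


# Constructed fixtures.
PROD_DB = Secret("apps/payments/db-password", "prod", "payments")
DEV_DB = Secret("apps/payments/db-password", "dev", "payments")
PAYMENTS = Identity("payments-api", "service", "prod", {"payments-reader"}, {"app": "payments"})
BILLING = Identity("billing-api", "service", "prod", {"payments-reader"}, {"app": "billing"})
BUILD = Identity("jenkins-agent-7", "ci-runner", "prod", {"platform-admin"})
DEV_BUILD = Identity("jenkins-agent-7", "ci-runner", "dev", {"platform-admin"})
ALICE = Identity("alice", "human", "prod", {"platform-admin"})

if __name__ == "__main__":
    for who, what in [(PAYMENTS, PROD_DB), (BILLING, PROD_DB), (BUILD, PROD_DB),
                      (DEV_BUILD, DEV_DB), (ALICE, PROD_DB)]:
        print(f"{who.name:<16} {what.env}:{what.path:<28} {authorize(who, what)}")
```

The ordering matters: a role that is broad on paper (platform-admin on every `apps/` path) is still cut down by the attribute rules, so a CI runner holding it never reaches production material and a human holding it is pushed to the session manager instead of the machine API.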

Preferred
■ DevSecOps: The PAM solution should have the ability to enable automation pipelines by
managing embedded secrets that are used by machine identities (applications, microservices,
CI/CD tools, APIs, etc.) and users throughout the DevSecOps pipeline. This includes secrets
management for sensitive data, such as API keys, certificates, passwords, SSH keys and
tokens. Secrets are securely stored and managed in an encrypted and access-controlled
container and can be automatically rotated based on policy. The solution should ensure that
applications deployed in autoscaling environments, such as AWS, can dynamically and securely
access secrets.
■ Robotic process automation (RPA) digital worker/bots: The PAM solution should enable
digital workers or software robots to securely retrieve credentials needed to perform their
functions. It should also rotate those credentials used in RPA to ensure compliance with
corporate policies and industry guidelines. The solution can expand the application-to-
application technology to retrieve credentials used for RPAs.
■ Platform support:
■ On-premises application platform support: The PAM solution should support applications
and services running on various on-premises platforms such as UNIX/Linux, Windows, Mac
and mainframes.
■ Cloud platforms support: The PAM solution should support applications and services
running on cloud platforms such as AWS, Microsoft Azure and Google Cloud Platform
(GCP). The solution should support native authentication in these platforms, such as AWS
IAM roles, instead of passing keys.
■ Hybrid IT support: The PAM solution should support applications and services running on
hybrid IT, which includes multicloud environments and on-premises.
■ Container and orchestration platforms support: The PAM solution should support
applications and services running on containers and orchestration platforms. This includes
native integration with container and orchestration platforms such as Kubernetes, Red Hat
OpenShift, Pivotal Cloud Foundry and Cloud Foundry.
■ DevSecOps support: The PAM solution should support integration with popular continuous
integration/continuous delivery (CI/CD) tools such as Jenkins, Red Hat Ansible, Puppet and
Chef to enable automation pipelines to access managed secrets and credentials.

Optional
■ Support for emerging standards/frameworks: The PAM solution may optionally support
emerging standards such as the Secure Production Identity Framework for Everyone (SPIFFE)
and its SPIFFE Verifiable Identity Document (SVID) for use cases such as workload
identification and authentication in Kubernetes. SPIFFE is an emerging set of open-source
standards for securely identifying software systems in dynamic and heterogeneous
environments.

Privileged Access Logging, Reporting and Audit


This capability records every single event, including changes and operations, that occurs as
part of PAM operation. Each event carries user, time, date and location and is correlated with
other events in logical order, so that risk events can be monitored and traced to their root
cause and unauthorized access can be identified.

Required
■ Privileged activity logging: The PAM solution must log all activities that are carried out for all
covered systems. This includes comprehensive logs of all requests and responses by the
system, including a complete and detailed account of what happened on sensitive systems and
who performed what activity. Examples are all changes carried out by administrators in the
audit trail, including username, time stamp, activity performed, IP address and old/new values.
Also, the solution should enable configurable log management, including rotation. Other key
features include:
■ User attribution log data for nonrepudiation: The PAM solution must have the ability to
track privileged users’ activities and access to the original user identity to ensure
accountability requirements are addressed.
■ Tamper-proof log data for evidential requirements: The PAM solution must store all audit
data in an encrypted and tamper-proof safe to protect the integrity of logged data.
■ Log data forwarding: The PAM solution must have the ability to forward all logged and
audit data to SIEM, UEBA and IGA tools for further examination and automation.
■ Centralized privileged activity auditing and reporting: The PAM solution must provide a
centralized visual representation of all application and user-privileged activities in the
environment as logged or recorded by the solution for auditing and reporting. This includes a
rich set of preconfigured dashboards and reports for executed applications, elevated
applications, blocked applications and discovered applications. The latter may provide a
breakdown of the applications in the environment that require admin rights to run, and those
that only require standard user rights. Examples are all changes made in Active Directory,
Exchange, File Systems, SQL and storage environments in a centralized real-time web console
without the need for native audit logs. This centralized dashboard in distributed enterprise
environments simplifies administration and reduces the number of tools administrators must
manage. The system should provide scheduled execution and report delivery.
■ Privileged session reports: The PAM solution must provide details of each session. Session
reports include basic session information along with links to session details, chat transcripts,
video recordings, keystroke recordings and text I/O for SSH.
■ Privileged session forensic search: The PAM solution must enable search across all sessions
based on session events. Searchable events include chat messages, file transfer, registry editor,
session foreground window changed, and shell recordings. Successful matches in stored shell
recordings automatically take the user to that point in time in the recording.
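
The logging criteria above ask for three things at once: attribution to the original human identity, audit data that cannot be altered without detection, and a search across sessions that lands the reviewer at the right point in a recording. The Python below is an added example of how a hash-chained, keyed audit trail delivers them; it is not code from the Gartner note or from any product. The events are constructed, and `CHAIN_KEY` is a stand-in for a key that would live in an HSM or the vault's key hierarchy.

```python
"""Tamper-evident, attributable audit trail with forensic search.

Added example; not code from the Gartner note or from any product. Events are
constructed. CHAIN_KEY is a stand-in for a key that would live in an HSM or the
vault's key hierarchy; anyone holding it could re-seal a modified log, so the
verifier must use a copy the log writer cannot reach.
"""
import hashlib
import hmac
import json

CHAIN_KEY = b"demo-only-key-use-an-hsm-backed-key"   # assumption, see above
GENESIS = "0" * 64


def _seal(body):
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(CHAIN_KEY, canon, hashlib.sha256).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []
        self._prev = GENESIS

    def append(self, ts, user, session, event, **detail):
        """Append one event; `user` is the original human identity, not the shared account."""
        body = {"seq": len(self.entries), "ts": ts, "user": user, "session": session,
                "event": event, "detail": detail, "prev": self._prev}
        tag = _seal(body)
        self.entries.append({**body, "tag": tag})
        self._prev = tag
        return tag

    def verify(self):
        """Return (True, None) or (False, seq of the first entry that breaks the chain).

        Editing, deleting, inserting or reordering any entry changes the tag the next
        entry was sealed over, so the break surfaces at or right after it."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "tag"}
            if e["seq"] != i or e["prev"] != prev or \
                    not hmac.compare_digest(_seal(body), e["tag"]):
                return False, i
            prev = e["tag"]
        return True, None

    def search(self, **criteria):
        """Match events across all sessions on top-level or detail fields; returns
        (seq, session, ts) so a reviewer can jump to that point of the recording."""
        hits = []
        for e in self.entries:
            flat = {**e["detail"], **{k: v for k, v in e.items() if k != "detail"}}
            if all(flat.get(k) == v for k, v in criteria.items()):
                hits.append((e["seq"], e["session"], e["ts"]))
        return hits


def sample_log():
    """Constructed events: two people checking out the same shared root account."""
    log = AuditLog()
    log.append("2019-07-30T09:00:01Z", "alice", "S-1", "checkout", account="root@db01")
    log.append("2019-07-30T09:00:05Z", "alice", "S-1", "command", cmd="systemctl status postgresql")
    log.append("2019-07-30T09:02:10Z", "alice", "S-1", "file_transfer",
               path="/var/lib/pg/dump.sql", direction="download")
    log.append("2019-07-30T10:15:00Z", "bob", "S-2", "checkout", account="root@db01")
    log.append("2019-07-30T10:15:40Z", "bob", "S-2", "command", cmd="rm -rf /var/lib/pg/archive")
    log.append("2019-07-30T10:16:00Z", "bob", "S-2", "checkin", account="root@db01")
    return log


if __name__ == "__main__":
    log = sample_log()
    print("chain intact:", log.verify())
    print("who downloaded what:", log.search(event="file_transfer"))
    log.entries[4]["user"] = "alice"          # try to pin bob's rm on alice
    print("after tampering:", log.verify())
```

Because each entry is sealed together with the previous entry's tag, rewriting an entry, dropping one, or re-sealing one with the key still leaves the next link pointing at a tag that no longer exists, which is what the verifier reports.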

Preferred
■ Customizable system and application event data: For privileged elevation and delegation,
the PAM solution should capture event information to accommodate for multiple storage
scenarios. This information should be able to reside on the endpoint and/or in a common
location with a common format for troubleshooting and audit purposes. It should be also able to
transport back to a central administration point and logged transparently or anonymously to
accommodate for specific regions or compliance purposes.
■ Privileged activity monitoring: For privileged elevation and delegation, the PAM solution
should allow privileged operations to be monitored. The privileged monitoring reports should
include a list of the applications, tasks, scripts and privileges they require. It should also include
the actual privileged operations that were performed, such as access to the registry and file
system, and interactions with system services and kernel-level objects. This allows creation and
update of privileged access control policies that reflect use in the environment.
■ Predefined and custom reporting tools: The PAM solution should provide a predefined or
easy way to create different types of reports required by administrators and auditors. The
reports should be in tamper-proof storage and exportable to third-party reporting tools.
Examples of predefined reports are privileged accounts inventory, applications inventory, vaults
(active and nonactive) and their related information, users list (active and nonactive), privileged
accounts compliance status, entitlements and activity logs.
■ General reporting with predefined templates: The solution should provide, minimally, a set
of out-of-the-box general reports without any additional components, such as reporting on:
■ Assets privilege settings such as sudoers, sshd_config, access.conf
■ Event log setting and entries
■ Managed account inventory
■ Privileged groups inventory and group memberships, including nested groups
■ Managed account metadata such as roles, groups, credentials, age and usage
■ Managed account credential metadata, such as age and change activities
■ User privileges and entitlements, and segregation of duties violations
■ User activities, including credential and session requests and approval activities
■ Credential change policy and upcoming scheduled change
■ Credential reset status that credentials have been reset after being released
■ Delta managed account added and removed in a defined period
■ System and account/credentials coverage
■ Service account inventory and usage.
■ Regulatory compliance, including but not limited to COBIT, the Gramm-Leach-Bliley Act
(GLBA), the Health Insurance Portability and Accountability Act (HIPAA), HITRUST,
ISO-27002, ITIL, MASS 201, NERC-FERC, NIST 800, PCI and the Sarbanes-Oxley Act
(SOX).
■ Privileged account usages and correlation on how an account is used on a target system,
such as running applications, middleware, embedded in scripts and text files, or generally
used for standard infrastructure like Windows services.
■ On-demand and scheduled reports supporting multiple formats: The PAM solution should
have the ability to generate all reports by frequency, on-demand, or as scheduled tasks. The
solution should support typical formats, such as comma-separated values (CSV), Excel, PDF,
PowerPoint, MIME HTML, Word, TIFF and XML. Key features are:
■ Report delivery automation: The PAM solution should have the ability to automatically
deliver reports through email or to a shared folder based on a predefined schedule so that
the user doesn’t have to generate or retrieve the report manually.
■ Rich reporting content and customization: The PAM solution should support rich
reporting content, such as text, tables, graphics and charts. The solution should have the
capability to allow the creation of a customized report.

Optional
■ General Data Protection Regulation (GDPR) pseudonymization support: The PAM solution
should have the option for responding to “right to erasure” requests by searching for specific
criteria supplied by the requester. The results can be reviewed and subsequently anonymized
with an automatically generated term or a custom replacement.

Privileged Access Analytics and Response


This is an emerging capability that employs analytics (using machine learning) on privileged account
activities to detect and flag anomalies, including baselining, risk scoring and alerting. The objective
is to better identify leading and lagging indicators of privileged access anomalies and to trigger
automated countermeasures in response to alerts.

Preferred
■ Privileged access baselining: The PAM solution should have the ability to create mathematical
baselines or averages for regular users to determine their normal usage of privileged accounts.
Baselining is required for analyzing what privileged access is happening (privileged events) in the
environment. Based on how far events deviate above the normal baseline, the solution should
respond proactively to high-risk events to stop attacks.
■ Privileged session risk scoring: The PAM solution should have the ability to identify high-risk
privileged sessions by assigning a risk score based on the baselining of events. This is the
ability to detect irregularities or potentially malicious activities in real time to increase the
organization’s security by alerting on high-risk events and giving a proactive response.
■ Privileged account threat detection: The PAM solution should have the ability to identify
specific high-risk users and systems by correlating granular privileges, system vulnerabilities
and threat data from a variety of sources. This is the ability to detect a potential threat at
administration time by reviewing anomalous privileged user behavior against the baseline, taking
asset vulnerability and compliance policies into account, to detect the threat of a high-risk event.
■ Privilege threat alerting: The PAM solution should have the ability to notify security
administrators of high-risk events using appropriate notification mechanisms such as reports,
email, text messages, or external systems, such as security information and event management
(SIEM) or ITSM, when the risk exceeds a specified threshold.
■ Analytics dashboards: The PAM solution must provide dashboards that summarize the
analysis results to provide operational insights to security management.
■ Trend analysis reports to identify patterns: The PAM solution should have the ability to report
on user behaviors and peak usage, which is not always possible to see by looking at event logs
alone. For instance, trend analysis in privileged logins helps track the migration of all users to
least privilege over time. Analysis of the usage of on-demand requests can establish user trends
and can be used to refine the policy.
■ Privilege attack detection and response for high-risk scenarios, such as:
■ Suspected credential theft: This is when a credential is suspected to be used by someone
other than its proper owner, typically for disruption or theft. When credential theft is
suspected, the solution should detect it, notify the admins and automatically rotate the
credential/password.
■ Irregular access to machines at irregular times: This is when a user retrieves a privileged
account credential/password at an hour that is irregular for that particular user. The solution
should detect this and proactively respond by either ending the session or rotating the
credential/password. The responses should be configurable.
■ Direct logins to privileged accounts that bypass existing PAM servers: This is when a
connection to a machine or a cloud service is made with a privileged account that is not
stored in the secure and encrypted central location. The solution should detect if an
account that is not being managed is used in the bypass. The solution should respond by
onboarding such a privileged account into a vault/safe for credential/password management.
■ Abnormal behavior (deviation from keystroke cadence or passive biometric traits):
This is when a user retrieves privileged accounts from an irregular IP, or at irregular hours, or
when a high number of machines are logged into. The solution should detect this scenario
and respond by either ending a session or rotating the password. The responses should be
configurable.
■ Unusual commands executed: This is when commands that are considered either harmful
or unproductive are executed in a session. The solution should have the ability to detect
and stop the execution of harmful commands.
■ Unmanaged privileged accounts: The solution should detect when a connection to a
machine or a cloud service is made with a privileged account that is not stored in the secure
and encrypted central location. The solution should respond by onboarding this account for
management.
■ Excessive access to a target system: The solution should detect when a user retrieves
privileged accounts more frequently than normal for that user. The solution should
proactively respond by either ending a session or rotating the password. The responses
should be configurable.
■ Kerberos attacks: This is when attackers exploit vulnerabilities in the Kerberos protocol to
manipulate and generate Kerberos tickets. These Kerberos attacks enable attackers to
operate under the radar by impersonating authorized users. With the ability to anonymously
impersonate any user, including privileged users, attackers can traverse the network for
extended periods of time, likely without being detected by traditional security tools. As a
result, these attacks can be extremely damaging. The solution should have the ability to
conduct network behavior analytics to detect and stop in-progress Kerberos attacks,
including Kerberos golden ticket attacks.
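As an added illustration (not from this research note) of the baselining, risk scoring and configurable response items above, the following Python sketch builds a per-user baseline from constructed checkout log lines and scores new credential retrievals for the irregular-hour and excessive-access scenarios. The log format, user names, IP addresses, weights and response thresholds are all constructed for the example.

```python
"""Added example: per-user privileged-access baseline and risk scoring over constructed checkout logs."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Constructed log format: one line per credential checkout from the vault.
LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) account=(?P<account>\S+) src=(?P<src>\S+) action=checkout")


@dataclass(frozen=True)
class Retrieval:
    user: str
    account: str
    ts: datetime
    src_ip: str


@dataclass(frozen=True)
class Baseline:
    mean_per_day: float    # average checkouts per day in the history window
    stdev_per_day: float   # population standard deviation of the daily count
    hour_min: int          # earliest hour of day this user normally checks out
    hour_max: int          # latest hour of day this user normally checks out
    src_ips: frozenset     # source addresses seen in the history window


def parse_event(line: str) -> Retrieval:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognized log line: {line!r}")
    return Retrieval(m["user"], m["account"], datetime.fromisoformat(m["ts"]), m["src"])


def build_baselines(events):
    """Per-user baseline: daily-count statistics, working-hour window and known source IPs."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e.user].append(e)
    baselines = {}
    for user, evs in per_user.items():
        daily = list(Counter(e.ts.date() for e in evs).values())
        hours = [e.ts.hour for e in evs]
        baselines[user] = Baseline(mean(daily), pstdev(daily), min(hours), max(hours),
                                   frozenset(e.src_ip for e in evs))
    return baselines


# Constructed weights; a real deployment would tune these per session type.
WEIGHTS = {"irregular_hour": 40, "new_source_ip": 30, "excessive_access": 40, "no_baseline": 50}
# Configurable responses, checked from the highest threshold down.
RESPONSES = [(70, "terminate_session_and_rotate"), (40, "alert_admins"), (0, "allow")]


def score_event(baselines, event, count_today):
    """Score one checkout; count_today is this user's checkouts today, including this one."""
    reasons = []
    b = baselines.get(event.user)
    if b is None:
        reasons.append("no_baseline")           # unknown user: nothing to compare against
    else:
        if not b.hour_min <= event.ts.hour <= b.hour_max:
            reasons.append("irregular_hour")    # irregular time for this particular user
        if event.src_ip not in b.src_ips:
            reasons.append("new_source_ip")     # irregular origin for this user
        if count_today > b.mean_per_day + 2 * b.stdev_per_day:
            reasons.append("excessive_access")  # more retrievals than normal for this user
    return min(100, sum(WEIGHTS[r] for r in reasons)), reasons


def respond(score, responses=RESPONSES):
    for threshold, action in responses:
        if score >= threshold:
            return action
    return "allow"


def constructed_history():
    """Ten days of 'alice' checking out root@db01 two or three times a day, 09:00-16:00, from one address."""
    lines = []
    for day in range(1, 11):
        for hour in ((9, 14) if day % 2 else (9, 11, 16)):
            lines.append(f"2019-07-{day:02d}T{hour:02d}:05:00 user=alice account=root@db01 "
                         f"src=10.0.0.5 action=checkout")
    return lines


BASELINES = build_baselines(parse_event(line) for line in constructed_history())

if __name__ == "__main__":
    for line, count_today in [
        ("2019-07-15T10:00:00 user=alice account=root@db01 src=10.0.0.5 action=checkout", 2),
        ("2019-07-15T03:10:00 user=alice account=root@db01 src=203.0.113.9 action=checkout", 1),
        ("2019-07-15T10:30:00 user=alice account=root@db01 src=10.0.0.5 action=checkout", 4),
    ]:
        score, reasons = score_event(BASELINES, parse_event(line), count_today)
        print(f"{score:3d} {respond(score):28s} {reasons}")
```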

Optional
■ Machine learning: The PAM solution should leverage machine learning to build a behavior
model for every privileged user that can automatically adapt as the user’s job and access
changes over time. The machine learning capability can be part of a PAM solution internally or
provided by a UEBA solution externally via integration. In the case of external machine learning
capability, the solution should forward all privileged user access and activity data to the external
analytics engine.
■ Analytics to enhance endpoint policy management: The PAM solution should have the ability
to use the data captured on the endpoints for policy creation or enhancement. The solution
should provide dashboards and drill-down reports on application usage, such as
applications that could not be executed with elevated privilege or were blocked from on-
demand elevation. This centralized data should be accessible directly from the policy engine to
build the contents of application elevation or blocking rules from recorded metadata
without having to enter the information manually.
■ Privilege threat countermeasure: The PAM solution should have the ability to continuously
monitor the use of privileged accounts that are managed, as well as accounts that are not yet
managed, and to look for indications of abuse or misuse. The solution should act by executing
appropriate countermeasures to stop high-risk or security events. Examples are:
■ Terminate or suspend active suspicious sessions: The solution should analyze activity in
privileged sessions based on a set of activities and activity patterns associated with a
configurable risk score, per session type, that the security team configures. Sessions with
high-risk suspicious activities can be configured to automatically suspend or terminate. This
suspension or termination can also be done by authorized users who view a live session.
■ Lock out privileged users that show abnormal activity patterns: The solution should
distinguish in real time between normal and abnormal behavior, and raise an alert and lock
out the user of the privileged account that is being misused.
■ Onboard unmanaged accounts upon detection: The solution should have the ability to
configure remediation initiation and actions. An example would be the detection of an
account that is not centrally stored and managed, so it is automatically onboarded to the
PAM solution.
■ Trigger credential rotation on suspected compromised accounts or credentials: The
solution should automatically remediate a privileged account that is detected as
compromised. The automatic fix is to rotate the credential.
■ Reauthentication: The solution should halt the privileged user’s session, requiring the user
to reauthenticate when the risk exceeds a specified threshold.

Privileged Task Automation
This capability provides functions and features for automating multistep, repetitive tasks related to
privileged operations that are orchestrated and/or executed over a range of systems. This capability
uses extensible libraries of preconfigured privileged operations for common IT systems and devices.
It can orchestrate back and forth between different activities and ask for more information as
needed, while putting guardrails in place by checking input against policies and settings.

This is like robotic process automation for IT operations processes that require privileged access. For
example, the PAM solution should be able to spin up a container for each relevant IT operations
process and provide it with a one-time key and the data necessary to perform the required tasks,
such as the identities and devices involved. The script or code within the secure container can only
ask the PAM solution for the appropriate keys and credentials; the PAM solution verifies the
container's (one-time) key and data before releasing the actual identity's keys/credentials. The
key objective is to reduce the complexity and errors in privileged operations and achieve higher
efficiency.
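The one-time container key exchange described above, as an added example that is not part of this research note: a broker mints an HMAC-signed, expiring, single-use task token scoped to specific identities and devices, and releases a credential only against such a token. The `PamTaskBroker` class, the token layout, and the identity, device and vault contents are assumptions of this example.

```python
"""Added example: PAM broker that hands a task container a one-time key instead of a credential."""
import base64
import hashlib
import hmac
import json
import secrets
import time


class PamTaskBroker:
    """Issues single-use, expiring task tokens and releases a credential only against a valid, in-scope one."""

    def __init__(self, vault, signing_key, ttl_seconds=300, clock=time.time):
        self._vault = vault          # identity -> credential (constructed stand-in for the encrypted vault)
        self._key = signing_key      # HMAC key known only to the broker
        self._ttl = ttl_seconds
        self._clock = clock          # injectable for testing
        self._consumed = set()       # token ids already redeemed, so a token works exactly once
        self.audit = []              # every issue, release and denial, for the audit trail

    def issue_task_token(self, task_id, identities, devices):
        """Mint the one-time key for one IT operations process, scoped to the identities and devices it needs."""
        claims = {"jti": secrets.token_hex(16), "task": task_id, "identities": sorted(identities),
                  "devices": sorted(devices), "exp": int(self._clock()) + self._ttl}
        payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        sig = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        self.audit.append(("issued", task_id, claims["jti"]))
        return payload + "." + sig

    def _verify(self, token):
        payload, _, sig = token.partition(".")
        expected = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        if not sig or not hmac.compare_digest(expected, sig):
            raise PermissionError("token signature invalid")
        claims = json.loads(base64.urlsafe_b64decode(payload.encode()))
        if self._clock() > claims["exp"]:
            raise PermissionError("token expired")
        if claims["jti"] in self._consumed:
            raise PermissionError("token already used")
        return claims

    def fetch_credential(self, token, identity, device):
        """Called from inside the container; returns the identity's credential or raises PermissionError."""
        try:
            claims = self._verify(token)
            if identity not in claims["identities"] or device not in claims["devices"]:
                raise PermissionError("identity or device outside task scope")
        except PermissionError as err:
            self.audit.append(("denied", identity, device, str(err)))
            raise
        self._consumed.add(claims["jti"])  # burn the token before release so a replay cannot race it
        self.audit.append(("released", claims["task"], identity, device))
        return self._vault[identity]


def run_task_container(broker, token, identity, device, action):
    """Simulated task container: it holds only the one-time token and asks the broker for what the task needs."""
    credential = broker.fetch_credential(token, identity, device)
    # A real container would now open a session on `device` as `identity` and run `action`.
    return {"device": device, "identity": identity, "action": action, "ok": bool(credential)}


if __name__ == "__main__":
    broker = PamTaskBroker({"svc_deploy": "constructed-secret"}, secrets.token_bytes(32))
    token = broker.issue_task_token("restart-web", identities=["svc_deploy"], devices=["web01"])
    print(run_task_container(broker, token, "svc_deploy", "web01", "systemctl restart nginx"))
    try:
        run_task_container(broker, token, "svc_deploy", "web01", "replay")
    except PermissionError as err:
        print("replay rejected:", err)
```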

Required
■ Automate recurring tasks: The PAM solution must have the ability to automate any repeated
job or action that can be performed by a user to improve efficiency and reduce risk. The
solution should leverage session management to run tasks without exposing the credential or
providing full account access to the users. It should only launch the applications or clients
necessary to perform the task at hand with the least privilege. The automation should include
pre- and post-actions and allow users to automate maintenance and provisioning tasks. An
example is to start and stop services for both Windows and UNIX/Linux systems. The user
selects the automated start/stop task, which prompts the user to select the service to be
managed. The information can be prepopulated or added as a part of a drop-down list to further
limit the control the user has over this account and the server. Another example is to automate
deployments through remote SSH command execution on target systems in both on-premises
and cloud environments.
■ Automate privileged tasks: The PAM solution must have the ability to operationalize privileged
tasks by working to find opportunities to automate, script and integrate with other systems. The
idea is to automate all the steps in a task to remove the opportunities for manual errors.
Examples are:
■ Credential/password workflow automation: This task includes credential and password
request and grant/deny workflows via the system API.
■ Session activation automation: This task activates privileged sessions via the system API.
■ Session workflow automation: This task facilitates privileged session access via the
system API.
■ Asset onboarding and retirement automation: This task onboards or retires and
otherwise manages all assets supported by the solution via the system API.
■ Job management automation: This task includes every job type supported by the solution
(password management, key management, discovery and power on/off operations) for all
assets supported by the solution via the system API.
■ Elevation automation: This task includes all elevation functionality that is fully available via
the system API.
■ Auditing automation: This task includes all audit data management activities, such as job
logs, system status and user activity, that are fully available via the system API.

Preferred
■ Automate privileged tasks: The PAM solution should preferably extend the automation to a
broader number of tasks. Examples are:
■ Governance automation: This task includes all delegation facilities supported by the
solution via the system API.
■ External control automation: This task includes programs that can be completely
controlled by external processes for orchestration and threat response via the system API.
■ Event sink and triggers automation: This task sends eventing information to external
resources in a variety of generic and program-specific output formats, such as syslog,
REST/JSON, external program/process, email, COM calls or named pipes.
■ File management automation: This task includes file storage management, such as file
upload, access and delegation, via the system API.

Optional
■ Automate privileged tasks: The PAM solution can optionally automate more tasks, such as:
■ Deployment of infrastructure automation: This task includes deployment activities for
components of the solution, such as web applications and services, and remote
components via the system API.
■ Network operations automation: This task includes network operations that require
changes across different hardware vendor platforms, such as port updates, DNS record
creation and routing record configuration.
■ CMDB update automation: This task includes updating CMDB records, such as CMDB
accuracy and data integrity validation, ITSM change request creation and ITSM ticket
round-trip updates.

Privilege Elevation and Delegation Management


This capability provides functions and features for enforcing policies to allow authorized commands
or applications to run under elevated privileges. Administrators will log in using an unprivileged
account and elevate the privilege as needed. Any command that needs additional privilege would
have to pass through the solution, in effect preventing administrators from carrying out unsafe
activities. The requirements and level of support may vary by platform (i.e., Windows, UNIX/Linux
and Mac).

Required
■ Role-based access controls: The PAM solution must enforce segregation of duties within all
areas of the solution. That includes defining entitlements for access to the management console,
the policy engine and back-end reporting, to ensure segregation of duties regardless of the
deployment architecture selected. For example, if using Group Policy, access would be
controlled via Active Directory’s security model, the same model that governs standard Group
Policy Objects (GPOs), including delegated administration. In this model, administrator access
is controlled via the permissions that have been set on the AD GPOs.
■ Policy-based filtering: The PAM solution must have flexible and granular policy-based filtering
features based on a wide variety of fixed or contextual conditions. The solution should allow
policies to be created for individual users or groups, computers and IP address ranges. For
Windows environments, the filters can be defined persistently or ephemerally via Windows
Management Instrumentation (WMI).
■ Operating systems controls:
■ Individual commands elevation: The PAM solution must have the ability to implement a
least-privilege solution by using an on-demand elevation feature for endpoints running on
the respective operating system in scope. The solution must allow users to request privilege
elevation rather than using administrative accounts and privileged credentials. That requires the
solution to allow a regular nonadministrative user to run a command as a privileged user,
such as administrator or root, in order to do a job that normal users cannot perform.
■ Parent and child process control: The PAM solution must be able to control which
processes match a rule based on the parent or child process. The solution must have
granular control over the child process, allowing rights to be inherited or blocked for all child
processes or a restricted group of child processes based on launching context. Specifically:
■ Prevent shell escapes (UNIX/Linux): The PAM solution must have the ability to protect
against shell escapes in applications that present a threat by allowing subprocesses to
spawn with the same privileges as the parent application. The solution should be able
to prevent privilege elevation for subprocesses.
■ Prevent granular elevation of subprocesses (Windows): The PAM solution must have
the ability to protect against spawning subprocesses from file open dialogs that
present a threat by allowing the launch of an elevated instance of File Explorer or CMD.
The solution should be able to prevent privilege elevation for subprocesses.
■ Native OS prompt control: The PAM solution must provide the ability for full OS messaging
integration. This includes intercepting Windows User Account Control (UAC) prompts or
Mac Consent prompts to suppress or replace them with customized messages for
individual items, classes of items or globally. Additionally, it should be possible to allow
access after self-authorization, secondary user authorization or challenge-response
authorization. It should also be possible to vary the behavior based on network status so
that remote or completely disconnected users can access these tasks without a
complicated help desk interaction.
■ Registry keys, folders or files management: The PAM solution must be able to allow
delegated access to privileged files and registry keys. This minimizes the need for admin
privileges to be designated to entire resources. For example, it assigns the permissions to a
text editor in order to edit a specific privileged file or folder. This functionality should also
provide granular control of registry keys without elevation of the editor for the entire registry.
■ Privileged shells control: The PAM solution must provide granular control of privileged
shells and consoles, such as PowerShell, Command Prompt and Terminal, and enable a full
audit trail of execution.
■ Sudo replacement or integration: The PAM solution must provide sudo replacement or
integration for Mac and UNIX/Linux to allow for elevation of specific commands or scripts
while running as a standard user. This includes the ability to provide granular control of
sudo functionality without modification of the sudoers file on the endpoint.
■ System-level controls and logging: The PAM solution must control what the system does
versus what the user types, and log all system operations and scripts. The solution should
not simply block commands typed by the user, but also have the ability to block system-
level actions (including scripted actions) as well as log all system-level activity (including
that created by scripts).
■ Application controls for Windows endpoints:
■ Granular administrative right assignment to applications: The PAM solution must have
the ability to provide access tokens for granting administrative rights to applications. The
solution should provide predefined access tokens that would be applied to applications
upon evaluation of rules and policies that consider application privilege levels, integrity and
access control requirements. For example, the solution should accommodate the following
scenarios, at a minimum:
■ Pass through (passive): No change is made to the access token for the process.
■ Add admin rights: Assigns an access token with the standard properties of a Windows
Administrators group member access token.
■ Add custom admin right: Custom-made access tokens that define all Windows-
supported values for groups, privileges and integrity level, and process access rights to
be defined and applied to applications, such as the removal of debugging or shutdown
privileges in a token.
■ Comprehensive application matching rules: The PAM solution must provide extensive
matching criteria, including rule-based publisher signature, to account for the most complex
environments. Applications, tasks and scripts should be defined with embedded application
metadata using any combination of available criteria. Examples are filename, application ID,
requires elevation in User Account Control, command line, product description, Windows
store package name, file hash, product version, parent process, product name, file version,
child process, publisher (certificate), ActiveX version, Windows store publisher, ActiveX
codebase, product code (installers), internet zone identifier, COM class ID, upgrade code
(installers), source URL (web downloads), trusted ownership and application vulnerability
status. Each validation criterion should allow the use of wildcards and regular expressions to
specify multiple application binaries with one rule while maintaining the level of specificity. It
should also be able to control the rights assigned to individual child processes or based on
the parent process.
■ Application execution control: The PAM solution must provide application control, such as
whitelisting, blacklisting and graylisting. This includes the ability to allow or block the
execution of applications based on a list of allowed apps (whitelist) and/or list of prohibited
apps (blacklist). Applications can also be graylisted, which may allow them to run with some
restrictions, alerts or follow-up action. In addition to managing application privileges, the
solution should be able to block the installation or execution of unauthorized applications.
The solution should provide end-user messaging. A custom message may be displayed to
the end user, including the ability for the user to email a request to the IT department to
request access to the blocked application. Graylisting can allow an application to run with
some additional limitations or steps, such as confirmation, password, challenge-response
and designated user authorization.
■ One-time access to nonwhitelisted applications: The PAM solution must have a
mechanism for granting one-off or temporary access to applications for users who are
unable to receive a configuration update in a timely manner. The solution should provide a
challenge-and-response mechanism capable of granting one-time, 24-hour or permanent
(for a specific application) access to offline and online users who need instant access to an
application. For example, a user can manually request access by invoking a workflow if not
already matched in the policy.
■ Remote execution of administrative scripts or commands: The PAM solution must provide
elevation and delegation management to remote privileged operations. The solution should
enable the granular control, privilege management and auditing of remote PowerShell scripts
and cmdlets invoked on remote systems.
■ Block malware attacks (email-, document- and web-based): The PAM solution must have
the ability to identify the parent process of an application to support context-aware application
privilege control. This allows the protection of high-risk, trusted business applications that are
common exploit targets, such as document handlers, PowerShell and cscript.
■ Integrity protection: The PAM solution must be able to protect itself from privilege-based
attacks originating from elevated commands and must not allow for back-door methods of
elevation. That includes tamper-proof mechanisms that protect all components, including
policies and configuration settings, from tampering by processes elevated under standard user
accounts. The solution should also protect against modification of privileged groups on the
endpoint, ensuring at a minimum that users cannot modify administrators’ groups or backup
operators’ groups. Examples are:
■ Cryptographic signing of policy with both enforce and audit modes that provide blocking
of unauthorized policies or visibility of their use, respectively.
■ Validating the properties of the individual .msc console files (such as file and folder
name, file hash, command line or publisher) when elevating Microsoft Management Console
(MMC). This is to prevent the console from being launched with author abilities, which
would allow the console to be customized with other snap-ins.
■ Preventing back doors into the system by stripping the admin privileges from any of the
common file open/save dialogs of an elevated application that has full explorer capabilities.
■ Remediating privileged application vulnerabilities to prevent attacks such as code
injection, token hijack and shatter attacks. Sophisticated malware looks for elevated
processes and may use them as an attack vector when they are not protected properly.
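An added example (not from this research note) tying together the application matching rules and predefined access tokens from the Windows application controls above with the signed policy in enforce and audit modes listed under integrity protection: rules match on application metadata with globs or regular expressions, a first match assigns a pass-through, full admin or custom admin token, and the endpoint refuses or merely audits a policy whose signature fails. The rule field names, the `Contoso` publisher, file paths and hashes are constructed; the privilege names are real Windows token privileges, and HMAC stands in for whatever signature scheme a product would use.

```python
"""Added example: application matching rules, token assignment and a signed policy with enforce/audit modes."""
import base64
import fnmatch
import hashlib
import hmac
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Application:
    """Launch metadata the endpoint agent would collect; the field names are this example's choice."""
    filename: str
    publisher: str
    file_hash: str
    parent_process: str
    requires_elevation: bool


# Properties of a standard Windows Administrators member token (real privilege names, shortened list).
ADMIN_TOKEN = {
    "groups": ["BUILTIN\\Administrators"],
    "privileges": ["SeDebugPrivilege", "SeShutdownPrivilege", "SeBackupPrivilege", "SeRestorePrivilege"],
    "integrity_level": "High",
}

# Constructed policy. Rules are evaluated top-down; 'match' keys name Application fields and values are
# booleans, "re:" regular expressions, or case-insensitive globs (so one rule can cover many binaries).
POLICY = {
    "rules": [
        {"name": "never-elevate-children-of-document-handlers", "action": "passthrough",
         "match": {"parent_process": r"re:(winword|excel|outlook|iexplore|chrome)\.exe"}},
        {"name": "contoso-agent-custom-admin", "action": "custom_admin",
         "strip_privileges": ["SeDebugPrivilege", "SeShutdownPrivilege"],
         "match": {"filename": r"C:\Program Files\Contoso\*.exe", "publisher": "Contoso Ltd",
                   "requires_elevation": True}},
        {"name": "mmc-approved-console-only", "action": "add_admin",
         "match": {"filename": r"C:\Windows\System32\mmc.exe",
                   "file_hash": "constructed-hash-of-approved-mmc"}},
    ]
}


def _match_value(pattern, value):
    if isinstance(value, bool):
        return value == pattern
    if pattern.startswith("re:"):
        return re.fullmatch(pattern[3:], value, re.IGNORECASE) is not None
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def rule_matches(rule, app):
    return all(_match_value(p, getattr(app, attr)) for attr, p in rule["match"].items())


def token_for(rule):
    """passthrough: token unchanged; add_admin: full admin token; custom_admin: admin token minus listed privileges."""
    if rule["action"] == "passthrough":
        return None
    token = json.loads(json.dumps(ADMIN_TOKEN))  # deep copy so rules cannot mutate the template
    if rule["action"] == "custom_admin":
        token["privileges"] = [p for p in token["privileges"] if p not in rule.get("strip_privileges", [])]
    return token


def evaluate(policy, app):
    """First matching rule wins; with no match the process keeps its standard-user token."""
    for rule in policy["rules"]:
        if rule_matches(rule, app):
            return rule["name"], token_for(rule)
    return "no-match", None


def _canonical(policy):
    return json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()


def sign_policy(policy, key):
    """Management side: HMAC-SHA256 over canonical JSON (a product would more likely use a public-key signature)."""
    sig = hmac.new(key, _canonical(policy), hashlib.sha256).digest()
    return {"policy": policy, "signature": base64.b64encode(sig).decode()}


def load_policy(signed, key, mode, audit_log):
    """Endpoint side. enforce: refuse a tampered or unsigned policy; audit: load it but record the violation."""
    expected = hmac.new(key, _canonical(signed["policy"]), hashlib.sha256).digest()
    presented = base64.b64decode(signed.get("signature", ""))
    if not hmac.compare_digest(expected, presented):
        audit_log.append(f"policy signature invalid (mode={mode})")
        if mode == "enforce":
            raise PermissionError("refusing unsigned or tampered policy")
    return signed["policy"]
```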

Preferred
■ Multiplatform support: The PAM solution should cover all key endpoints in an environment.
This includes Windows operating systems, Mac operating systems, and UNIX and Linux
implementations.
■ MFA (including smart cards) for elevated processes: The PAM solution should provide the
ability to reauthenticate users using methods other than password entry. Messages should be
configurable to allow authentication options, including passwords, smart cards, algorithm-
based response codes and designated user override. When messages are requesting
credentials, they should be presented on the secure endpoint interface for enhanced security.
■ Active Directory bridge for UNIX/Linux: The PAM solution should have the ability to centralize
authentication and configuration management for UNIX, Linux and Mac environments. The PAM
solution should extend Active Directory’s Kerberos authentication, SSO and key Group Policy
capabilities to these platforms.
■ Elevation management: The PAM solution should have the ability to automate execution
approval or blocking based on factors like reputation, origin, installing user, group or process.
The solution should be able to identify trustworthy applications using broad trust attributes to
remove the need to update the solution for each application that shares a common trust
attribute. This includes whitelisting, using simple rules that trust the operating system and
business applications without having to add each individual application.
■ Full support for all OS applications, tasks, and scripts: The PAM solution should allow native
support for all applications, tasks and scripts on endpoints and servers within an organization.
Native support ensures secure application identification using multiple metadata without
elevating the rule engine using command line arguments. For Windows endpoints, this should
extend to executables, control panel applets, management console snap-ins, Windows installer
packages, Windows scripting host scripts, batch files, registry settings, PowerShell scripts,
remote PowerShell command execution, ActiveX controls, COM classes, Windows Store
applications, Windows services, applications downloaded from network locations based on
source URL, and scripts. Additionally, it should control DLL files that are allowed to run under
contextual circumstances, delivered or loaded by a trusted application such as Internet
Explorer, Microsoft Word or Excel.
■ Consistent user experience for disconnected users: The PAM solution should enforce
policies when the endpoint is offline. The solution should cache policies securely on the client to
ensure that the solution continues to function when the client is disconnected from the network.
A network connection should only be required for policy updates, since events should cache on
the endpoint pending the next successful connection to the back end. For permanently
disconnected users, the tool should facilitate a manual policy update for endpoints when
required, and support exception handling workflows, such as challenge and response, that do
not rely on a connection to function.

Optional
■ Elevate applications on demand: The PAM solution should have the option to allow end users
to selectively elevate an application, where the application does not normally require elevation
to function, or where the application has not been configured to automatically elevate. The
solution, in addition to elevating individual applications seamlessly, should provide users the
ability to elevate applications as needed by integrating with the shell to provide the user with an
on-demand elevation facility. This type of functionality is often deployed to advanced users,
such as developers or mobile workers, who require more flexibility.
■ Silent elevation of individual applications: The PAM solution should provide automatic
elevation of applications with no change to the user experience, based on policy for a user that
has logged on with standard (nonelevated) user rights. This is implemented without a prompt.
This policy may be used to target specific applications or to identify any application that triggers
User Account Control (UAC). These applications require granular, central audit and reporting to assist
with policy refinements over time. This is especially important during the initial deployment,
before wider enterprise deployment.

Integration With Adjacent Systems


This capability provides functions and features to integrate and interact with adjacent security and
service management capabilities.

Required
■ Multifactor authentication: The PAM solution must either provide built-in MFA requiring no
external or third-party MFA software/hardware, or integrate with MFA solutions by means of
multiple protocols. This includes external MFA vendors or MFA RADIUS when it is not desired to
use vendor-provided MFA solutions.
■ Single sign-on: The PAM solution must support all SSO protocols, such as Kerberos, SAML
and OAuth.
■ Enterprise directory: The PAM solution must integrate with LDAP and/or Active Directory to
access user and system metadata, such as entitlements for privileged access.

■ Active Directory Group Policy: The PAM solution must integrate with Active Directory Group
Policy to support privileged elevation and delegation capabilities. The solution must be
deployable through the existing Group Policy architecture using the solution's Group Policy
extension, without the need to extend the Active Directory schema. The solution should be
capable of using both the computer and user configuration sections of Group Policy, and should
optionally be configurable via the Group Policy Management Console, Advanced Group Policy
Management and GPEdit. That includes using the filtering capabilities of GPOs, such as user
groups, computer groups, organizational units and Windows Management Instrumentation
filters (for example, hardware type, application version and operating system). The solution
should fully respect Active Directory's group precedence order and support all modes of
operation.
■ General API access: The PAM solution must have comprehensive API access for custom
workflows and integration. The solution should provide a comprehensive API with the ability to
automate the implementation of approved policy modifications on the server and client side,
extract audit data and manage endpoints.
■ Flexible connector and integration framework: The PAM solution must have a robust and
flexible framework for integration with target systems and other security and service
management systems. This may include plug-in capability and related tools to make it easier to
connect other systems that are not supported out of the box.
■ IT service management: The PAM solution must have the ability to use the workflow features
of ITSM systems for administrative users to request access and for authorized approvers to
grant this access. Service desk tickets usually contain change control authorizations or incident
reports that document outages or anomalies that need to be rectified. The solution should
validate the ticket format (change or incident), the ticket state, the operation time window, the
approval status and the requesting username.
■ Security information and event management: The PAM solution must integrate with any
SIEM vendor over typical protocols. The solution must send audit logs through the syslog
protocol and create a complete audit trail of privileged account activities. It should provide a
flexible SIEM configuration to define multiple target SIEM servers (as needed), specify dynamic
format translators and filter the events that will be sent. The protocols (such as Transport Layer
Security [TLS], TCP and UDP) to send messages to a SIEM should be configurable for greater
support and security.
■ User and entity behavior analytics (UEBA): The PAM solution must have its own behavioral
analytics or integrate with a third-party behavioral analytics solution. The users of privileged
accounts should be continuously monitored with real-time analytics to detect and alert about
suspicious behavior and in-progress attacks, and to trigger automated remediation actions by
the PAM solution. The analytics integration should collect data from multiple sources across the
IT infrastructure and be part of the core suite of software.
■ Central logging services: The PAM solution must provide central, tamper-proof logging of all
privileged account activities for standard operational and compliance reporting. The solution
should have its own secure, tamper-proof logging and/or integrate with other solutions via the
syslog protocol.

■ Vulnerability management: The PAM solution must have the ability to provide credentials to a
vulnerability management system and manage those credentials. The solution should support
retrieving the necessary credentials (as needed) at scan time from a credential vault/safe. The
integration ensures that credentials are stored in a secure vault where their access is controlled,
audited and updated based on defined policies. This can be accomplished either by an
application agent or by a web services call. The integration also needs the option for a
certificate-based authenticated credential for Windows, UNIX/Linux and database systems.
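As an added illustration of the SIEM criterion above (example code written for this page, not from the Gartner note or any vendor), the forwarder below models several SIEM targets, a per-target format translator, an event filter and a configurable TLS/TCP/UDP transport; the hostnames, ports and audit events are constructed.

```python
"""Added example, not part of the Gartner note: a PAM-to-SIEM audit forwarder
with the knobs the criterion lists: several targets, a per-target format
translator, an event filter and a selectable TLS/TCP/UDP transport. Delivery
is recorded in memory so it runs offline; hosts, ports and events are made up."""
import json
import socket
import ssl
from dataclasses import dataclass, field
from typing import Callable

FACILITY_AUTHPRIV = 10                             # syslog facility
SEVERITY = {"info": 6, "warning": 4, "alert": 1}   # RFC 5424 severities


def to_rfc5424(event: dict) -> str:
    """RFC 5424 line with structured data, so the SIEM gets the fields without regex parsing."""
    pri = FACILITY_AUTHPRIV * 8 + SEVERITY[event["severity"]]
    sd = " ".join(f'{k}="{v}"' for k, v in sorted(event["fields"].items()))
    return (f'<{pri}>1 {event["time"]} {event["host"]} pam - {event["type"]} '
            f'[pam@32473 {sd}] {event["msg"]}')


def to_json(event: dict) -> str:
    """Alternative translator for a SIEM that ingests JSON lines."""
    return json.dumps(event, sort_keys=True)


@dataclass
class SiemTarget:
    name: str
    host: str
    port: int
    transport: str                      # "tls", "tcp" or "udp"
    translator: Callable[[dict], str]   # dynamic format translator
    accept: Callable[[dict], bool]      # event filter for this target
    delivered: list = field(default_factory=list)  # stands in for the wire

    def __post_init__(self) -> None:
        if self.transport not in ("tls", "tcp", "udp"):
            raise ValueError(f"unsupported transport {self.transport!r}")


def open_socket(target: SiemTarget) -> socket.socket:
    """Build the configured transport; TLS verifies the SIEM's certificate so
    the audit stream cannot be read or redirected in transit."""
    if target.transport == "udp":
        return socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock = socket.create_connection((target.host, target.port))
    if target.transport == "tls":
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=target.host)
    return sock


def forward(targets: list, events: list) -> dict:
    """Fan each event out to every target whose filter accepts it and return
    per-target counts; events no target accepts count as 'unrouted', so a bad
    filter cannot silently lose audit trail."""
    counts = {t.name: 0 for t in targets}
    counts["unrouted"] = 0
    for ev in events:
        hits = [t for t in targets if t.accept(ev)]
        for t in hits:
            t.delivered.append(t.translator(ev))   # real code: sock.sendall(...)
            counts[t.name] += 1
        counts["unrouted"] += not hits             # bool counts as 0 or 1
    return counts


SAMPLE_EVENTS = [   # constructed sample: a routine checkout, then an alert
    {"time": "2019-07-30T10:00:00Z", "host": "pam01", "type": "checkout", "severity": "info",
     "msg": "credential checked out", "fields": {"user": "alice", "account": "root", "target": "db01"}},
    {"time": "2019-07-30T10:05:00Z", "host": "pam01", "type": "session", "severity": "alert",
     "msg": "session terminated by policy", "fields": {"user": "bob", "account": "Administrator", "target": "dc01"}},
]
```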

Preferred
■ McAfee ePO: The PAM solution should fully integrate with the McAfee ePolicy Orchestrator
(McAfee ePO) platform to provide end-to-end management of a solution from within McAfee
ePO as a single pane of glass.
■ Identity governance and administration (IGA): The PAM solution should have a bidirectional
integration using REST API with IGA capabilities. This is to exchange policy, entitlement, risk,
account, access and activity data between the two systems. When integrated, the IGA
capabilities automatically provision or deprovision privileged user entitlements as life cycle
events occur. Bidirectional integration provides greater visibility into and control over privileged
accounts in their environment. This type of integration is possible in most PAM and IGA tools.
For example, the solution can have the ability to provide credentials to an IGA and manage
those credentials. Where organizations manage and govern privileged access in the cloud, the
PAM solution should have bidirectional integration with cloud IGA or IDaaS services. The
solution can preferably use SCIM 2.0 REST endpoints to provision users and groups to the
available security providers.

Optional
■ External encryption services: The PAM solution should have the ability to integrate with a
variety of encryption-related services, such as:
■ SSL/TLS certificate management: The solution can request and automatically renew
SSL/TLS certificates used by secure remote access appliances. This allows for easy
administration of SSL/TLS certificates.
■ Key management: The solution can choose to encrypt session data stored on appliances
using the key management interoperability protocol (KMIP). KMIP allows broad support for
the various key management solutions available.
■ Hardware security module (HSM): The solution can use any PKCS #11-compliant
HSM for key and encryption management.
■ SNMP monitoring: The critical server components of the solution must be monitorable by
external monitoring systems via SNMP.
■ Robotic process automation: The PAM solution should have the ability to provide credentials
to a software robot process and manage those credentials. These credentials are retrieved
whenever software robot entities require the login credentials for a specific account. For
example, when an RPA process requests a credential, instead of the username and password, it
is returned a placeholder. A credential library intercepts this placeholder and does a secondary
query to the PAM server to retrieve credential details. This credential retrieval should be
accomplished either by an agent or by an agentless web services call, depending on the
specific RPA tool integration requirements.
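The placeholder exchange just described, as an added example that is not from the Gartner note or any RPA or PAM vendor: the PAM server, credential library, robot identities, API keys and vault contents are all constructed for illustration.

```python
"""Added example, not part of the Gartner note: the RPA placeholder flow the
criterion describes, modelled in memory. The robot only ever holds an opaque
placeholder; a credential library resolves it against the PAM server with
the robot's own API key, and both steps are audited. Accounts, robot
identities and API keys are constructed samples."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class PamServer:
    vault: dict                     # account -> (username, password)
    robot_keys: dict                # robot id -> shared API key
    ttl_seconds: float = 30.0       # placeholder lifetime
    clock: Callable[[], float] = time.monotonic   # injectable for tests
    placeholders: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def _authenticated(self, robot: str, key: str) -> bool:
        expected = self.robot_keys.get(robot, "")
        return hmac.compare_digest(expected, key)   # constant-time compare

    def request_credential(self, robot: str, key: str, account: str) -> str:
        """Step 1: the RPA process asks for an account and, instead of the
        username/password, receives a placeholder bound to that robot."""
        if not self._authenticated(robot, key) or account not in self.vault:
            self.audit.append(("denied", robot, account))
            raise PermissionError("robot not authorised for account")
        token = secrets.token_urlsafe(24)
        self.placeholders[token] = (robot, account, self.clock() + self.ttl_seconds)
        self.audit.append(("placeholder_issued", robot, account))
        return "{PAM:" + token + "}"

    def resolve(self, robot: str, key: str, placeholder: str) -> tuple:
        """Step 2: the credential library exchanges the placeholder for the
        credential. It is single-use, short-lived and bound to the requesting
        robot, so a placeholder copied out of a robot log is of little use."""
        if not self._authenticated(robot, key):
            self.audit.append(("resolve_denied", robot, "bad key"))
            raise PermissionError("robot authentication failed")
        token = placeholder[5:-1] if placeholder.startswith("{PAM:") else ""
        entry = self.placeholders.pop(token, None)   # pop: single use
        if entry is None or entry[0] != robot or self.clock() > entry[2]:
            self.audit.append(("resolve_denied", robot, "invalid/expired/reused"))
            raise PermissionError("placeholder invalid, expired or already used")
        self.audit.append(("credential_released", robot, entry[1]))
        return self.vault[entry[1]]


class CredentialLibrary:
    """Sits between the robot and the target login: intercepts the placeholder
    in the robot's login parameters and swaps in the real credential."""

    def __init__(self, server: PamServer, robot: str, key: str):
        self.server, self.robot, self.key = server, robot, key

    def login_params(self, params: dict) -> dict:
        out = dict(params)
        placeholder = out.pop("credential", "")
        if not placeholder.startswith("{PAM:"):
            raise ValueError("robot supplied a literal credential instead of a placeholder")
        out["username"], out["password"] = self.server.resolve(self.robot, self.key, placeholder)
        return out
```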

Ease of Deployment and Availability


This capability provides functions and features to simplify the deployment of the PAM solution while
ensuring availability, recoverability, performance and scalability.

Required
■ Flexible deployment model: The PAM solution should offer deployment models that match a
variety of use cases. Examples are:
■ Physical appliance deployment: A hardened physical appliance to run the PAM software.
This alternative minimizes the administrative overhead to keep the solution operating in
production.
■ Virtual appliance deployment: A popular model is the capability to deploy a virtual
appliance within an existing VMware, Microsoft Hyper-V, Azure or AWS virtual infrastructure.
This alternative also minimizes the administrative overhead to keep the solution operating in
production.
■ Software-based deployment: The PAM software is installed on a system that the organization
provides and that already carries the organization's configured security policies.
■ Out-of-the-box installation scripts and templates: The PAM solution must have scripts and
templates to provide automated installation and deployment of PAM software on one or multiple
servers. If it is necessary, the installation scripts should check for prerequisites and install them.
■ Out-of-the-box configuration templates: The PAM solution must support out-of-the-box
configuration of common policies, operating system tasks and trusted applications. The
solution should come with out-of-the-box policy templates for all endpoint and server OSs.
These provide a comprehensive baseline configuration to enable organizations to fully and
quickly remove admin rights from end-user devices without compromising end-user
productivity, by providing a best-practice approach. This should use a UAC replacement (for
Windows) and on-demand strategy to facilitate rapid product adoption and rollout. For example:
■ Rules: To automatically approve trusted business applications, including those deployed via
SCCM or other trusted security sources, common third-party tools such as printer drivers,
and meeting software.
■ Exception handling process: To deal with unknown applications with a workflow suited to
multiple user types, such as a developer, field workers and task workers.
■ Granular service control: The PAM solution must have the ability to control the service action
(start/stop, pause/resume, configure) granularly. This is to prevent the need for elevating the
service console, which would allow the user to tamper with any other service.

■ Support for managing groups of applications: For speed of deployment and ease of
management, the PAM solution must support the logical grouping of applications, tasks and
scripts. Policy rules can then be created to apply privileges, block, warn or monitor these
groups.
■ Connectors: The PAM solution must have connectors to automate the launch and
authentication process of target application clients and open an active session. A connector is
software that is typically allowed to be installed in the PAM solution to either extend the
capability or transfer data. Session management has the most additional add-ons, considering
the different target systems that require access. The session management tool should have the
capability to customize application connectors and website connectors with encryption.
Additionally, the connectors should have the ability to support privileged task automation as
described earlier.
■ SDK and API: The PAM solution must provide a rich SDK that enables operations on account
objects by issuing commands. The application SDK provides a variety of APIs, including
Java, .NET, COM, CLI, C/C++ and web services. Web services should be able to be installed
and used immediately without any additional configuration. This solution should also include an
out-of-the-box web services SDK. A web services SDK is a RESTful API that can be invoked by
any RESTful client for various programming and scripting environments, including Java, C#,
Perl, PHP, Python and Ruby.
■ Minimal agent impact on the endpoint performance: The PAM solution must have the ability
to perform all functions with a typical CPU and memory usage that should be unnoticeable to
the end user. Policy updates should be processed in the background and not slow down the
client. The solution should not require or perform any type of initial inventory on the endpoint or
perform any ongoing scanning.
■ Hardening of the system for reliability and security: The PAM solution must have the ability
to consider security hardening requirements to lock down the system to only what is required as
far as software, firewall, services, ports, computer policies and users. This hardening process
should be part of the installation scripts for the PAM servers, such as credential/password
management, session management and the web console.
■ Disaster recovery: The PAM solution is a critical system of an organization’s cyberdefense
capabilities. Disaster recovery solutions must ensure service availability in case of total data
center failure or shutdown. For example, the proxy server and credential vault can be replicated
into a secondary data center or IaaS with failover capability.
■ High availability: The PAM solution must ensure that PAM controls remain available despite any
solution component failure, whether inherently in the tool or as an add-on in the solution design.
High-availability options should cover all aspects of the solution. This includes network load
balancing for web applications and services, clustering or data availability groups for data
stores, and multiple active/active nodes for all components of the solution.
■ Emergency break glass: The PAM solution must have a secure fail-safe method for retrieving
critical privileged credentials/passwords when emergency access to them is needed.
Emergency break glass access is often implemented with a ticketing system integration.
Accountability is maintained through logs and approvals during an emergency. In an emergency
workflow, users are required to specify a ticketing system and a ticket reference number that
will be validated against the ticketing system. Depending on the type of privileged access
security ticket that has been specified, users may or may not be required to create a dual
control request needing an approver. Another option is the just-in-time or ad hoc approach to
access privileged accounts. For example, users can see a button in the web interface for
requesting temporary access to the target machine with a privileged credential. This access is
granted for a set period, after which the access is automatically removed.
■ Scalability: The PAM solution must be able to scale for capacity expansion and to accommodate
broad geographic spread without loss of performance. The solution should have a proven track record
of small-, medium- and large-scale deployments to cover the evolving requirements of dynamic
organizations. Scalability starts with architecture that allows integration with existing proven
technologies, such as Active Directory group policy or McAfee ePO. It therefore does not
necessarily require any additional back-end server infrastructure, such as policy deployment
and management, when getting started with a deployment. Integration with these platforms
ensures it is scalable across any size of organization from the outset. Additionally, scalability
also refers to management overhead, which should stay consistent regardless of the size of the
deployment. It is not uncommon to need a hybrid architecture to accommodate niche scenarios
or business units. Using hybrid architecture should not require the use of multiple agents or
different policy engines, which will significantly increase management overhead.
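As an added example serving both the IT service management criterion under Integration With Adjacent Systems and the emergency break-glass criterion above (written for this page, not code from the Gartner note or a PAM product), the following applies the five ticket validations and then issues a time-boxed grant that needs an independent approver only when the policy for the ticket type demands dual control; the ticket store and the policy table are constructed.

```python
"""Added example, not part of the Gartner note: ticket-gated privileged access
covering the ITSM validations (ticket type, state, operation time, approval,
requesting user) and the break-glass workflow (validated ticket reference,
dual control by ticket type, time-boxed grant). Tickets and policy are
constructed; a real deployment queries the ITSM API instead."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Ticket:
    ref: str
    kind: str              # "change" or "incident"
    state: str
    requester: str         # user who raised the ticket
    approved: bool
    window_start: datetime
    window_end: datetime   # operation time window

# Constructed policy: an incident needs only a validated ticket; a change also needs dual control.
POLICY = {
    "change": {"states": {"scheduled", "in_progress"}, "dual_control": True},
    "incident": {"states": {"open", "in_progress"}, "dual_control": False},
}


def validate_ticket(ticket: Ticket, user: str, now: datetime) -> Optional[str]:
    """None when the ticket authorises `user` at `now`, else the reason for the audit log."""
    rule = POLICY.get(ticket.kind)
    if rule is None:
        return "unknown ticket type"
    if ticket.state not in rule["states"]:
        return f"ticket state {ticket.state!r} is not actionable"
    if not ticket.window_start <= now <= ticket.window_end:
        return "outside operation time window"
    if not ticket.approved:
        return "ticket not approved"
    if ticket.requester != user:
        return "ticket not raised by requesting user"
    return None


@dataclass(frozen=True)
class Grant:
    user: str
    account: str
    ticket: str
    approver: Optional[str]
    expires: datetime


def break_glass(tickets: dict, ref: str, user: str, account: str, now: datetime,
                approver: Optional[str] = None, minutes: int = 60) -> Grant:
    """Emergency access: every refusal raises, so a caller cannot fall through to a grant."""
    ticket = tickets.get(ref)
    if ticket is None:
        raise PermissionError("ticket reference not found in ITSM")
    reason = validate_ticket(ticket, user, now)
    if reason:
        raise PermissionError(reason)
    if POLICY[ticket.kind]["dual_control"] and approver in (None, user):
        raise PermissionError("dual control: an independent approver is required")
    return Grant(user, account, ref, approver, now + timedelta(minutes=minutes))


def active_grants(grants: list, now: datetime) -> list:
    """Automatic removal: an expired grant simply stops conferring access."""
    return [g for g in grants if now < g.expires]


NOW = datetime(2019, 7, 30, 10, 0, tzinfo=timezone.utc)   # constructed sample data
TICKETS = {
    "CHG0001": Ticket("CHG0001", "change", "scheduled", "alice", True, NOW - timedelta(hours=1), NOW + timedelta(hours=2)),
    "INC0002": Ticket("INC0002", "incident", "open", "bob", True, NOW - timedelta(hours=1), NOW + timedelta(hours=2)),
}
```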

Preferred
■ Agent-based: For privilege elevation and delegation capability, the PAM solution should have
the ability to use agents on the target systems for credential update (e.g., password changes).
This is useful for disconnected scenarios or workstations/laptops where the system may not be
powered on or connected when password changes are scheduled.
■ Agents MSI installers: The PAM solution should create downloadable MSI versions of the
agents so that the option for agent deployment can be managed through the organization
system management solution.
■ Silent installation options for agents: The PAM solution must have the ability to install
agents without user interaction or notification so that it minimizes disruption to end users.
■ Agentless deployment: The PAM solution should have the ability to manage credentials
without the need for agents on the target systems. This simplifies implementation and
eliminates the need for agent maintenance and patching over time.
■ Bulk deployment installers: The PAM solution should create mass deployable installer
packages for representative consoles and jump clients (e.g., Windows and Mac). Also, it should
create MSI packages for session recording viewers and support buttons (for Windows only).
■ Automatic installation of critical updates: The PAM solution should be kept up to date with
minimal disruption to production.

■ Target systems and privileged user onboarding: The PAM solution should have multiple
options for populating target systems and privileged users. This can be something as simple as
a CSV file import or as sophisticated as integrating with a CMDB or external directory.
■ Web-based GUI administration console for UNIX and Linux privilege management: The
PAM solution should have a Web-based administration interface to discover, deploy, upgrade
and manage systems, and configure policies. Not all UNIX/Linux administrators, auditors or
other users of a UNIX/Linux privilege management solution are comfortable using (or willing to
use) only a command line to perform their job functions. Therefore, the solution should
provide the same functionality through a flexible and fully functional web-based GUI.

Optional
■ SaaS deployment: The PAM solution should support the emerging SaaS-based solutions
model for organizations that are limited in staff, physical resources and expertise, or have
strategic cloud-first initiatives.

Using the Criteria Toolkit


The criteria spreadsheet is attached as the file “pam_eval_criteria.xlsx” and can be used to score
various PAM solutions against Gartner’s evaluation criteria. For assistance with using the tool, refer
to the How To tab within the spreadsheet.

Gartner Recommended Reading


Some documents may not be available as part of your current Gartner subscription.

“Architecting Privileged Access Management for Cyber Defense”

“Magic Quadrant for Privileged Access Management”

“Best Practices for Privileged Access Management Through the Four Pillars of PAM”

“Manage Service Accounts to Mitigate Security and Operational Risks”

Evidence
Gartner’s observations and recommendations are based on data from:

■ Ongoing discussions with large and midsize enterprises (including RFP and proposal review) in
public and private sectors such as government, financial services, insurance, manufacturing
and healthcare.
■ Vendor surveys, briefings, interviews and product demos from PAM vendors.

GARTNER HEADQUARTERS

Corporate Headquarters
56 Top Gallant Road
Stamford, CT 06902-7700
USA
+1 203 964 0096

Regional Headquarters
AUSTRALIA
BRAZIL
JAPAN
UNITED KINGDOM

For a complete list of worldwide locations,


visit http://www.gartner.com/technology/about.jsp

© 2019 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This
publication may not be reproduced or distributed in any form without Gartner's prior written permission. It consists of the opinions of
Gartner's research organization, which should not be construed as statements of fact. While the information contained in this publication
has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of
such information. Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment advice
and its research should not be construed or used as such. Your access and use of this publication are governed by Gartner Usage Policy.
Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research
organization without input or influence from any third party. For further information, see "Guiding Principles on Independence and
Objectivity."
