Heimdal
article featured image

Contents:

Looking to find the right privileged access management (PAM) solution for your organization? Well, you’ve certainly come to the right place.

PAM tools play a key role in any modern cybersecurity strategy. Without them, you can’t hope to protect yourself against a complex and ever-changing landscape of internal and external threats. But knowing where to start and what tools to choose can be a minefield.

The Challenge of Choosing the Right Privileged Access Management Solution

When it comes to finding the best privileged access management tools, the biggest problem is knowing where to start. There is a bewildering array of different acronyms, terms, and product categories that you’ll need to get your head around before choosing the right solution.

The issue is providers generally offer multiple products and aren’t always consistent about how they package, market, and discuss the features they offer. This can make it uniquely difficult to compare like for like.

So, before we start, it’s helpful to discuss the different types of privileged access management features and terms you may come across:

  1. Privileged account and session management (PASM) – This is the standard suite of privileged access tools. Generally, it will include policies to implement secure access controls, manage sign-in, and govern privileged credentials. Single sign on, multi-factor authentication, and password management policies all fall into this category.
  2. Privilege elevation and delegation management (PEDM) – PEDM is a newer functionality that’s becoming increasingly common in the tools we list below. It allows organizations to analyze real-time behavioral patterns, detect anomalies, and offer ‘just-in-time’ access. This avoids any user or service accounts having standing privileges.
  3. Secrets management (SM) – These tools allow organizations to securely store and manage a whole range of privileged credentials – including passwords, keys, APIs, and tokens.
  4. Cloud infrastructure entitlements management (CIEM) – This helps analyze and manage security in cloud environments. Crucially, it lets organizations automatically scan and identify all privileged users and service accounts.

Generally, providers will offer the traditional PASM feature-set through a single main product, and additional PEDM, SM, or CIEM functionality will be added through add-ons, modules, or other solutions.

However, this isn’t always the case – and you may find yourself needing to purchase multiple tools just to get the standard PASM features. As always, users should thoroughly research their chosen provider before identifying the right solution for them.

In this blog, we focus mostly on PASM features, though others are referred to when relevant.

Top 11 Privileged Access Management Software Platforms

There are lots of PAM of options available, each with their own pros and cons. Generally, they will vary based on the breadth of features they offer, the ease of use, and the cost of the overall solution.

So which ones are right for you? Here are our picks for the top 11:

Heimdal®

heimdalpam1

Heimdal®’s Privilege Elevation and Delegation Management & Application Control solution provides unparalleled control and flexibility to IT professionals, system administrators, and security teams.

It is the world’s only bundled product that combines the functionalities of Access Management and Application Control. The line-up proactively secures your entire environment, ensuring compliance with the most common industry standards such as Cyber Essentials, NIST, HIPAA, PCI-DSS, and many more. Moreover, it helps in boosting the productivity of users and admins while being completely transparent.

Heimdal® Top Features

  • Total Privilege Management: Define and manage role-based access control and delegation policies with ease.
  • Threat-Responsive Rights Management: Combined with our Next-Gen Antivirus, it is the sole software on the market that auto-deescalates user rights upon threat detection.
  • Just-in-Time Secured Privilege Access: By adopting JIT access to grant temporarily enhanced privileged to users only when necessary, you can drastically limit the attack surface and mitigate the risk of prolonged exposure to privileged access.
  • Reporting and Compliance:Generate comprehensive reports, monitor privileged access/session activities, and easily prove adherence to local or global regulatory standards.

heimdalpam3

Heimdal® Pros

  • Heimdal®’s solution is infinitely customizable. You can set filters, create white and blacklists, engage passive mode as defined by admins, and more.
  • User-friendly interface.
  • Heimdal® incorporates and easy to enable Passive Mode for system indexing.
  • Easy to enable Auto-approval flow with defined rules and automatic de-escalation on threat.
  • Heimdal® lets you expand your suite with cross-functional modules, that you can control all in a single interface and dashboard.

heimdalpam2

For AD (Active Directory), Azure AD, or hybrid settings, Heimdal®’s Privileged Access Management enables PEDM-type non-privileged user account curation features.

The PAM solution under PEDM permits the maintenance of administrative rights for particular users and/or domain groups that are linked to particular endpoints or groups. Its Time-to-Live (TIL) function serves as a Just-in-Time (JIT) system.

Heimdal® Cons

As of now, Heimdal®’s solution is unable to send notifications in real time when user activity anomalies occur. The administrators must consider each request individually before determining whether or not to approve it.

Heimdal® Pricing

Heimdal®’s pricing for its solution depends on the size of the company and the number of managed endpoints. Take the tool for a spin, and then receive a personalized offer from our experts!

JumpCloud: Directory Platform

JumpCloud

JumpCloud describes itself as “a single seamless solution for IT, HR, and security, that your users will love.”

The company offers several tiers of PAM and IAM tools, running from individual features (known as ‘a la carte’) to the full package. The most popular option is the ‘Directory Platform’, which features a wide range of PAM features and protections.

JumpCloud Features:

  • Access control permissions;
  • Compliance management;
  • Password management;
  • Access management;
  • Credential management;
  • Single sign on;
  • Authentication;
  • Multi-factor authentication;
  • User management.

JumpCloud Pros:

  • Single sign on & IAM – Users report an effective and easy-to-use sign on experience.
  • User and device management – Another popular feature due to the simplicity of managing multiple users and devices.
  • Ease of use – The UI and overall navigation are intuitive and easy to use.

JumpCloud Cons:

  • Limited Mac MDM support – The mobile device management (MDM) in Mac environments isn’t as extensive as in other operating systems.
  • Lack of technical documentation – JumpCloud’s documentation isn’t as extensive as other providers.
  • Reporting/auditing – Some users have also expressed a desire for more extensive tracking, auditing, and reporting features to help achieve compliance requirements.

JumpCloud Pricing:

  • Individual features: From $2 /user/month (Billed annually)
  • Core Directory package: From $11 /user/month (Billed annually)
  • PlatformPlus: From $18 /user/month (Billed annually)

JumpCloud has a sliding pricing scale where users can choose individual features for between $2-$5 each a month. For example, the password manager alone would cost $3 per user/per month.

There is also a free version of the full platform that can support up to 10 users and devices and includes 10 days of premium in-app support.

CyberArk: Privileged Access Manager

CyberArk

CyberArk is the oldest player in the PAM scene, with over two decades on the market. In that time, they’ve brought several innovations to the market, including vault technology, secrets management, and CIEM functionality.

But with scale comes challenges. The pricing and ease of use of CyberArk products, for instance, are often cited as drawbacks. At the same time, some legacy features like privileged session management (PSM) now lag behind competitors.

The majority of CyberArk PAM features are available through their main product, Privileged Access Manager. Customers can also extend its features through separate services, such as:

  • Identity Governance and Administration
  • Secrets Management
  • Endpoint Privilege Security (For PEDM functionality)

This may also cause confusion for some customers looking for a simpler, all-in-one solution.

CyberArk Features:

  • Access control permissions;
  • Compliance management;
  • Password management;
  • Access management;
  • Credential management;
  • Single sign on;
  • Authentication;
  • Multi-factor authentication;
  • User management.

CyberArk Pros:

  • Market scale – CyberArk’s size and market share means it has a large partner ecosystem and a wide range of integrations with other relevant technologies.
  • Features – CyberArk offers a broad range of modern cybersecurity features, including just-in-time (or ‘just enough’) access, CIEM, secrets management, and more.

CyberArk Cons:

  • Product complexity – CyberArk products can be difficult to manage and upgrade. Users may also struggle to distinguish between their overlapping suite of features and solutions.
  • Privileged session management – Some features like PSM struggle to match the output of smaller, more dynamic competitors.
  • Pricing – CyberArk products are consistently placed at the top end of the PAM market.

CyberArk Pricing:

CyberArk does not publish its pricing details, and prospective customers are encouraged to book a demo to find out more.

That being said, reviews consistently place CyberArk among the most expensive products on the market. G2 gives it 3/4 stars for pricing, and user reviews suggest it is roughly 22% more expensive than the average PAM solution.

ManageEngine: PAM360

ManageEngine provides a suite of security and access management products, of which PAM360 is the most important.

This product features the standard suite of privileged access and session management (PASM) controls, together with privileged elevation and delegation management (PEDM), and secrets functionality.

ManageEngine Features:

  • Access control permissions;
  • Compliance management;
  • Password management;
  • Access management;
  • Credential management;
  • Single sign on;
  • Authentication;
  • Multi-factor authentication;
  • User management.

ManageEngine Pros:

  • Pricing – ManageEngine’s pricing is generally considered lower than market average.
  • Scale – The company’s customer base is distributed across multiple global regions, including EMEA, North America, and Asia Pacific.
  • Discovery – PAM360 has extensive discovery capabilities to identify privileged users and service accounts across systems, databases, infrastructure, networks, etc.

ManageEngine Cons:

  • Session management – Though some session management capabilities are available, the full functionality is only available through a resource-heavy HTML5 browser session emulation.
  • PEDM – Though PEDM is bundled into the main product (unlike competitors), its functionality is less extensive.
  • Wider functionality – Features such as secrets management, CIEM, and privileged credential management tend to lag behind the competition.

ManageEngine Pricing:

ManageEngine does not publish pricing details for PAM360 or other products. Instead, prospective customers are encouraged to get a quote or schedule a demo through the website to find out more.

Public reviews do not mention pricing information, though according to Gartner’s 2023 Magic Quadrant report, Manage Engine’s pricing is now “consistently less than market average.”

BeyondTrust: Total PASM

BeyondTrust is a PAM provider with global reach. Many of its customers are large global enterprises.

BeyondTrust offers two main products, known as Privileged Remote Access and Password Safe, which can be bundled together into the Total PASM package.

Privileged elevation and delegation management (PEDM) functionality is also available in a separate product called Privilege Management.

BeyondTrust Features:

  • Access control permissions;
  • Compliance management;
  • Password management;
  • Access management;
  • Credential management;
  • Single sign on;
  • Authentication;
  • Multi-factor authentication;
  • User management.

BeyondTrust Pros:

  • UNIX/Linux support – The UNIX/Linux support is often praised, with many considering this the go-to platform for these operating systems.
  • Discovery – Users often cite the ease of use of the discovery capabilities as a key draw here.  

BeyondTrust Cons:

  • Pricing – BeyondTrust products are generally priced at the top of the market.
  • Multiple tools – Customers may also find costs and complexity rise as there are several different PAM products on offer, each with different features and use cases.
  • Features – Tools such as single sign on, MFA, and PEDM aren’t available in the total PASM bundle. Customers may need to combine it with other BeyondTrust or third-party tools to achieve full coverage.

BeyondTrust Pricing:

BeyondTrust does not publish pricing details. Instead, prospective customers are encouraged to contact the sales team.

Public reviews do not mention pricing information, though according to Gartner’s 2023 Magic Quadrant report, Manage Engine’s pricing is “higher than market average.”

Okta: Privileged Access

One of the newer entrants on this list, Okta is specifically designed for cloud-native organizations. Its main PAM offering, Privileged Access, comes as part of a wider suite of ‘Workforce Identity Cloud’ products. This includes tools offering multi-factor authentication, single sign-on, lifecycle management, and more.

The features in this list are based on capabilities available across all these products – though customers should be wary of the potential rising costs of multiple bundled subscriptions.

Okta Features:

  • Access control permissions;
  • Compliance management;
  • Password management;
  • Access management;
  • Credential management;
  • Single sign on;
  • Authentication;
  • Multi-factor authentication;
  • User management.

Okta Pros:

  • Integration – Okta tools integrate well with each other and more traditional PAM software.
  • Cloud-native – The suite of Workforce Identity Cloud tools is designed to work seamlessly in cloud, hybrid, or multi-cloud environments.
  • Onboarding – Onboarding and offboarding of users are automated and therefore comparatively easy in Okta.

Okta Cons:

  • Auditing – Lack of auditing and compliance capabilities compared with other competitors is one key drawback.
  • Expensive and complex – Okta’s resource-based pricing model can be difficult to understand, and the number of separate products on offer can also increase costs and complexity.
  • No individual permissions – Unlike many PAM tools, you cannot govern and control access for individuals – only teams. This limits how granular the controls you implement can be.

Okta Pricing:

Okta’s Privileged Access product is available for $14 per resource unit/ per month, which roughly equates to the amount of compute power that the deployment will require.

Microsoft: Entra ID (Formerly Azure Active Directory)

Microsoft Entra ID

Microsoft Entra ID might seem like an unfamiliar name on this list. In fact, it’s actually just a new name for Microsoft’s Azure Active Directory. The new service was launched towards the end of 2023.

This is slightly different from other options on this list, as there’s a good chance you already have it – at least in some form. Any organization using Windows 11, Microsoft 365, or Azure services will effectively already have access to a basic Microsoft Entra ID package. That’s because it acts as an extension of the existing identity and access management functionality all Microsoft customers already use to log in and authenticate.

Microsoft Entra ID Features:

  • Access control permissions;
  • Compliance management*;
  • Password management;
  • Access management;
  • Credential management;
  • Single sign on;
  • Authentication;
  • Multi-factor authentication;
  • User management.

Microsoft Entra ID Pros:

  • Windows integrations – Microsoft Entra ID works well with other Microsoft technologies, making this an attractive choice for Windows-based organizations.
  • Basic package – Microsoft offers a free package to all users and paid tiers to extend the functionality. This makes it easier to get started with these tools.
  • Cloud security policies –Microsoft’s security tools work well for cloud and hybrid organizations. Users cite multi-factor authentication, conditional access policies, and password management as effective tools in this product.

Microsoft Entra ID Cons:

  • Confusing features – It’s not instantly clear which features are available in different tiers of this product. Users may also struggle to work out how the different tiers interact with the Microsoft 365 and E5 packages – and by extension what features they already have and which they still need.
  • User interface – Some users find the layout and UI of Entra ID less straightforward than third-party competitors.
  • Microsoft only – Entra ID is an extension of the basic technology that all Microsoft 365, Windows, or Azure customers use. Non-Microsoft users will likely therefore find it less useful, and potentially confusing.

Microsoft Entra ID Pricing:

Microsoft Entra ID’s pricing information is publicly available on their website. The service includes three basic tiers of pricing model:

Microsoft Entra ID Free: Free

This is effectively Microsoft’s default PAM suite, included as standard with cloud services like Microsoft Azure and Microsoft 365. It comes with basic authentication, single sign on, multi-factor authentication, and event logging capabilities.

Microsoft Entra ID P1: $6.00 /user/month

The next tier up is available as a standalone product or included with a subscription to either Microsoft 365 E3 or Microsoft 365 Business Premium. Generally, it features more sophisticated versions of features from the free tier.

Microsoft Entra ID P2: $9.00 /user/month

The premium tier includes advanced versions of most PAM features. Compared with P1, it includes more sophisticated end-user self-service and extra identity protection controls such as risk-based conditional access.

Customers of the Entra ID’s P1 and P2 tiers can also purchase a separate add-on:

*Microsoft Entra ID Governance: $7.00 /user/month

This is an advanced set of privileged access management capabilities to govern auditing and compliance. It adds extra features to Entra ID’s existing toolset, including an identity governance dashboard, lifecycle workflows, entitlement management with verified ID, and more.

WALLIX: Bastion

WALLIX is another long-standing player in the PAM market, having rolled out its original product in 2007.

Today, the standard suite of PASM functionality is covered by the main product: WALLIX Bastion. The company also offers PEDM tools through WALLIX BestSafe.

WALLIX Features:

  • Access control permissions;
  • Compliance management;
  • Password management;
  • Access management;
  • Credential management;
  • Single sign on;
  • Authentication;
  • Multi-factor authentication;
  • User management.

WALLIX Pros:

  • Wide PASM capabilities – WALLIX Bastion offers a wide array of PASM tools, including features for session monitoring and auditing.
  • Pricing – Though pricing is not publically released, it is generally considered to be competitive.
  • Ease of use – Users report an easily navigable product and intuitive UI.

WALLIX Cons:

  • Lack of password rotation – Password rotation policies are not available for most machine or service accounts.
  • Global reach – The customer base is generally confined to EMEA.
  • Lack of discovery – WALLIX Bastion does not offer cloud infrastructure entitlement management (CIEM) functionality. This makes it less effective for organizations looking to automatically scan and identify privileged users and other identities.

WALLIX Pricing:

Like many providers on this list, WALLIX does not release its pricing information publicly. Potential customers are encouraged to get in touch to find out more. The vendor does, however, specify a series of pricing options:

  • Perpetual license (+ 12-36 month maintenance subscription)
  • Yearly license (+ 12-36 month maintenance subscription)
  • On-demand (Monthly, + minimum 12-36 month maintenance subscription)

The software can also be purchased through cloud vendors such as AWS, Azure, and GCP.

Delinea: Secret Server

Delinea

Delinea features a diverse set of security controls, though customers may be put off by the number of tools available. The standard set of PASM features (to manage privileged users and sessions) are available via the Secret Server product.

PEDM, secrets management, and CIEM functionality can all be added via additional tools, such as Privileged Behavior Analytics, Privilege Manager, and the Account Lifecycle Manager.

Despite the breadth of functionality, some users may find the overlapping functionalities between these products confusing.

Delinea Features:

  • Access control permissions;
  • Compliance management;
  • Password management;
  • Access management;
  • Credential management;
  • Single sign on;
  • Authentication;
  • Multi-factor authentication;
  • User management.

Delinea Pros:

  • Good for UNIX/Linux – Delinea has a competent product offering. In particular, users cite the PEDM functionality across Unix/Linux devices as among the best in the market.
  • User experience – Customers generally note a smooth experience working with Delinea tools.

Delinea Cons:

  • Overlapping products – Some users may find the range of products confusing – and costs may quickly rise when multiple solutions get bundled together.
  • Functionality – Some common functionality is missing with Delinea, and users may find they need to install extra tools or configure PowerShell commands for features that are more easily available in other products. For instance, there’s currently no support for cloud infrastructure entitlement management (CIEM) and RDP session management requires additional tools to be installed.
  • Service accounts – The functionality for managing service and machine accounts is less sophisticated than some other vendors on this list – particularly those involving local systems.

Delinea Pricing:

Delinea does not provide public pricing information for its Secret Server product. However, reviews suggest that it is among the more expensive products in the market. G2 user reviews rate it as 4/4 for expense, roughly 26% more than the market average.

ARCON: PAM

Like many providers on this list, ARCON has several different security tools available, which may cause confusion, including PAM Enterprise, Endpoint Privilege Management, My Vault, and Global Remote Access. The features discussed below are based on the PAM Enterprise product.

ARCON Features:

  • Password vault;
  • Virtual grouping;
  • Single sign on;
  • Ephemeral access;
  • Session monitoring.

ARCON Pros:

  • Features – Users and reviews suggest the functionality is generally above average when compared with other providers on this list.
  • Password capabilities – ARCON features a sophisticated set of password management capabilities, including a secure password vault, frequent password changes, as well as multi-factor authentication, and single sign on.
  • Auditing – The product also offers a detailed audit trail of privileged activities, complete with reports and analytics.

ARCON Cons:

  • Interface – A common complaint from ARCON customers relates to the user interface, which isn’t as straightforward as some competitors.
  • Customer base – ARCON’s customers are mostly based in Asia Pacific and EMEA, meaning it may be less attractive for US-based organizations.
  • Product stack – There are several products available and it may be confusing to understand which are needed – and costs will likely rise as separate solutions are bundled together.

ARCON Pricing:

ARCON does not publish pricing information. Gartner considers its pricing to be ‘competitive’.

One Identity: Safeguard

One Identity aims to provide a unified approach to cybersecurity across a whole range of different products and features. Their PAM and IAM management tools are designed to integrate seamlessly with active directory, identity governance, and other tools – to provide a 360-degree approach.

The standard suite of PASM features is available through the Safeguard product. This splits into three modules, each of which can be purchased individually:

  • Safeguard for privileged passwords;
  • Safeguard for privileged sessions;
  • Safeguard for privileged analytics.

There are also a number of additional products and tools that businesses can add to this core package. Examples include Active Roles which can provide just-in-time/just enough privileged access, and Identity, Governance, and Administration, which provides extended life cycle management and auditing capabilities.

One Identity Features:

  • Privileged session management & remote access;
  • Single sign on;
  • PAM lifecycle management;
  • Privilege elevation and delegation management;
  • Machine identity and secrets management.

One Identity Pros:

  • Ease of use – Safeguard is designed to be easy to use and users generally praise the product’s intuitive UI.
  • Customer support – One Identity assigns an account and customer success manager to each account, making their overall customer support a real draw.

One Identity Cons:

  • No CIEM functionality – One Identity does not offer CIEM tools, unlike other providers on this list. Instead, customers can access limited governance and auditing functionality through One Identity Governance & Administration – though this will generally be in addition to the main Safeguard product.
  • Overlapping products – Even with the full suite of Safeguard modules, customers may find they have to add other One Identity products to get the full functionality. Active Roles, for instance, is required for just-in-time privilege access and the One Identity IGA tool boosts the auditing and governance functionality.

One Identity Pricing:

One Identity does not publish pricing and no information is available to provide further details.

Getting the Right Tools for the Job

If you’ve made it this far, hopefully you understand a little more about the complex PAM landscape, and how you can distinguish between the confusing array of products and services available.

As is always the case in cybersecurity, there’s no one-size-fits-all approach. Instead, it’s important to take the time to properly understand your needs and the specific tools you already have. By doing that, you’ll be better placed to understand your requirements and which providers are best placed to fulfill them.

Privileged Access Management Solutions: FAQs

What is a privileged access management solution?

A privileged access management (PAM) solution is a cybersecurity tool designed to secure, manage, and monitor access to privileged accounts and sensitive data within an organization. It protects against unauthorized access, ensuring only authorized individuals have control over critical assets.

How to choose the right privileged access management solution

Selecting the ideal PAM solution involves assessing your organization’s specific needs, understanding what privileged credentials exist in your environment, evaluating the user interface for ease of use, and considering integration capabilities. Ensure the solution aligns with your security policies and compliance standards.

Best practices for choosing your PAM solution

Follow best practices by conducting a thorough risk assessment, involving key stakeholders in the decision-making process, seeking solutions that offer comprehensive auditing and reporting features, and ensuring the PAM solution aligns with your organization’s long-term cybersecurity strategy. Regularly update and adapt your PAM solution to address evolving security challenges.

Author Profile

Cristian Neagu

CONTENT EDITOR

linkedin icon

Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, proof being in his skill of communicating cybersecurity norms effectively, in an easy-to-understand manner.

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE