Articles / Agentless PAM without Vaults

on 01 Oct 2018

As a budding physicist in my early twenties (never to bloom, by the way), I learned from my undergraduate professors that great scientists learn to generalize their observations. That is, if you are witnessing a series of cause-and-effect cases for an isolated set of experiments, then it is wise to begin postulating a broad, general conclusion. This is how scientific laws are created – and it has driven the present understanding of our universe.

As a budding computer scientist in my early thirties (still trying to bloom back then), I began to realize, in contrast, that computing experts generalized poorly. They build tools, and write software, and administer systems – and that is pretty much that. For example, can you name one law in the IT or computing industry developed using the scientific method? I’m sure you cannot. (And, by the way, – Moore’s Law is not a scientific law, it is a marketing anecdote.)

I had these Big Science thoughts in mind while meeting recently with the executive team from Remediant, a San Francisco-based cyber security start-up focused on privileged access management. Founded by former enterprise practitioners with experience protecting resources in large industries including pharmaceuticals, Remediant is doing something I’d not previously considered for PAM – that is, they are generalizing its use.

“Our SecureOne platform supports world-class PAM for enterprise teams without the challenge of agents and vaults,” explained Paul Lanzi, who serves as the COO for the company. “Because our solution is based on just-in-time control of administrative privileges, we realized that this would work for both the existing PAM community, as well as literally all forms of access to hybrid and public cloud. We are dropping the P from PAM for cloud.”

Lanzi mentioned that existing PAM tools require vaults and agents, which is fine for a limited set of privileged entities. (He also claimed that few companies have a limited set, but that’s a different point.) When Remediant approached the problem from the perspective of adjusting access privileges dynamically, using an enabling and disabling switch, they realized that the resulting scale advantages supported protection of all forms of access.

“We know that clients require PAM solutions for their existing privileged enterprise base and we can certainly support that,” explained Tim Keeler, who serves as the company’s CEO. “But let’s face it – with the introduction of modern device-to-cloud architectures across highly distributed networks, our Remediant solution can be used to protect all forms of enterprise access, especially to cloud, because it does not rely on a centralized vault.”

I asked whether this emphasis on generalizing access and focusing on cloud access would hurt their ability to support near-term PAM opportunities and the Remediant team was quick to respond: “We have not met a company yet that was not asking about transition to cloud for privileged access,” explained Lanzi. “Since we are a young company, we were basically born in the context of cloud, and we’ve been able to optimize our support accordingly.”

My observation is that existing PAM solutions for legacy enterprise have reached full acceptance as a primary control, which is good news for security companies offing this capability. But the growing focus on cloud services is welcome, and I like the idea that if you have scalable means to protect privileged access, then this should extend to protecting all types of device-to-cloud access. It helps PAM and IAM converge – in the cloud.

If you would like to future-proof your protection of both privileged and normal access to enterprise resources amidst modern transition to cloud, then perhaps you should give Remediant a call. Ask to hear about how they are working to drop the P from PAM (a generalization that would make any experimental physicist proud). And, as always, please share your experiences for all of us to learn.