The Devolutions State of IT Security in SMBs in 2022-23 survey revealed that only 12% of SMBs have a fully-deployed PAM solution in place, and 52% of SMBs have not implemented any PAM controls whatsoever.
To get a better understanding of this situation, last month we asked the Devolutions community: Are you using a PAM solution?
The Nays Have It
30% of respondents said they are using a PAM solution, and 70% said they are not. However, 25% of those who said “no” also mentioned that they are either planning on adding PAM in the near future, or they are in the process of adding PAM now.
In addition, 4% said that while they have implemented a PAM solution, they are not yet using the PAM functionality. Instead, they are only using it for password management at this time.
PAM Obstacles and Challenges
What is blocking PAM adoption? These were the obstacles noted (comments with a * were mentioned more than once):
- A "real" PAM would be a nice to have, but putting the resources into that and implementing it globally would be a challenge due to other more urgent projects.
- We don't use a PAM product, for multiple reasons, but the biggest are perceived implementation complexity and costs.*
- It's not on top of our priority list.*
- Our company is too small for PAM right now.
Here is what some respondents had to say about their current PAM solution:
- We have Delinea Secret Server but I'm not a fan really. I cringe at the annual maintenance. Support isn’t great, they really spend a lot of time creating a document explaining what they won't support as they would rather sell professional services. It takes a lot of work to manage and so many features are a paid add-on.
- We use IAM (CyberArk), it's terribly slow.
- We also use Secret Server, but honestly I find it very bad (user interface) and I don't use it personally.
- My company has a PAM tool, but we're moving to an IT Documentation provider that does passwords. Right now, we have people still using the PAM tool and others using the PWs in the new tool. It's a mess! We WERE using Thycotic Secret Server and I was happy with the tool. It has a browser plugin to make it easy to copy/paste the PWs out of the tool. The new tool also has a browser plugin, but it ends up taking over for my personal PW Manager application so the floating icon to fill in the forms isn't there for my personal tool. The only issue we had with Secret Server was the on-prem server would hang and need to be restarted occasionally.
- Our org is using a PAM solution that I (personally) don't love; our Digital Security team chose and runs the solution for the org so my experience with it is really as an end-user. I find this particular PAM solution to be burdensome for some operations, but generally speaking perfectly adequate.
To PAM or Not to PAM
Furthermore, it is critical to understand that password managers are basically business continuity tools. They are not robust security products, because they cannot do things like secure credential injection, account discovery, automatic password rotation, etc.
Our Sales Ops Manager Gabriel recently wrote a great article about this. Check it out, and share it with the decision-makers in your company who mistakenly believe that only using a password manager is enough.
The Winners Are
Now, let’s reveal the two randomly selected poll participants who will each win a $25 Amazon gift card. Congratulations to Darko Bazulj and Kjartan Konradsson! Please email me at firstname.lastname@example.org to claim your prize.
The April poll is right around the corner. Please stay tuned for another chance to participate and win!