Delinea’s Identity Security Platform: A Deep Dive Into Privileged Access Management
If you plan on creating an identity and access management program in your organization or simply want to mature your current cybersecurity program, getting a handle on privileged access is paramount. The Delinea Platform integrates privileged access management (PAM) with other critical security components like cloud infrastructure entitlement management (CIEM), identity governance and administration (IGA), and identity threat detection and response (ITDR) to provide a robust solution for identity and access governance. I met with the Delinea team over two analyst briefing sessions to explore their capabilities and how they address key security concerns.
Delinea Company Overview
In a recent discussion, Alan, one of my Delinea points of contact, shed light on Delinea’s trajectory and its platform’s evolution. He broke it down into four categories below:
- Delinea Platform: Alan emphasized the growth and modernization of the Delinea Platform. With a solid double-digit growth rate, Delinea demonstrates robust market performance and financial stability. This growth is a testament to Delinea’s ability to adapt and innovate in the fast-evolving cybersecurity landscape.
- Growth and Revenue: The platform’s impressive double-digit annual growth, alongside its significant revenue, highlights not just market acceptance but also Delinea’s strategic execution in expanding its footprint in the cybersecurity sector. Delinea’s nearly 10,000-strong customer base is not only renewing at record rates but expanding their Delinea footprint as well.
- Platform Modernization: The modernization of the Delinea platform is crucial. It’s designed to be agile, adapting seamlessly to various cloud platforms. This flexibility ensures that Delinea remains at the forefront of technology, providing solutions that are both current and future-proof.
- Strategic Focus: The adaptability of the platform, as discussed by Alan, underlines Delinea’s strategic intent to not only grow but also to ensure that its services meet the dynamic needs of its customers, thereby maintaining a competitive edge in a highly competitive market.
Handling Identity Context
Delinea excels in providing context around identities through its identity threat detection and response (ITDR) capabilities. By integrating ITDR, Delinea not only manages identities but also detects and responds to threats related to identity misuse. The acquisition of Fastpath has further enhanced Delinea’s ability to manage the lifecycle of user accounts and their access rights, ensuring that identities are not just managed but also monitored for unusual activities, as well as ensuring segregation of duties (SoD) for compliance purposes. This holistic approach to identity context allows for a more nuanced understanding of access patterns and potential security risks.
Source: Delinea, PAM Analyst Briefing Deck, 2024
Support for Segregation of Duties
Delinea implements SoD by deeply analyzing roles within an organization. It extends to identity repositories like traditional ERP systems to ensure that access rights are appropriately segmented across all organizational assets. This is achieved by defining strict authorization policies that align with specific roles, thereby preventing conflicts of interest and reducing the risk of insider threats. The platform’s focus on policy-driven access control ensures that users are granted only the permissions necessary for their roles, adhering to the principle of least privilege.
Source: Delinea, PAM Analyst Briefing Deck, 2024
Becoming the Authorization Source of Truth
One of the standout aspects of Delinea’s vision is its effort to deliver a source of truth for authorization policies across an organization. Through extensive asset and identity discovery, Delinea compiles a comprehensive database of users, assets, roles, activities, and policies. This centralized repository aids not only in policy enforcement but also in real-time analysis and decision-making regarding access control. By maintaining this centralized control, Delinea ensures that every access decision can be traced back to a policy, making it an authoritative source for authorization across the enterprise.
Source: Delinea, PAM Analyst Briefing Deck, 2024
Zero Trust Architecture Compliance
Delinea aligns well with NIST SP 800-207 by incorporating elements of zero trust architecture. Here’s how:
- Policy Enforcement Point (PEP): Agents installed on endpoints enforce Delinea’s policies directly where access occurs.
- Policy Decision Point (PDP): Centralized policy management using tools like Open Policy Agent (OPA) ensures decisions are made based on the latest policy data.
- Policy Information Point (PIP): The platform’s discovery and analysis capabilities provide the data needed for these decisions, ensuring policies are based on current and accurate information.
This integration facilitates a dynamic security model as called for in zero trust architecture, where trust is never assumed and verification is continuous.
Source: Delinea, PAM Analyst Briefing Deck, 2024
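The PEP/PDP/PIP split above, combined with the role-based segregation-of-duties check described under "Support for Segregation of Duties", can be shown in a few dozen lines. The block below is an added illustration, not Delinea code: Delinea's PDP is Open Policy Agent, but here the PDP is a plain Python function so the example runs stand-alone, and the roles, permissions, users and conflict pairs are constructed sample data.

```python
"""PEP / PDP / PIP split with a segregation-of-duties (SoD) check.

Added illustration, not Delinea code. Delinea's PDP is Open Policy Agent; here
the PDP is a plain Python function so the example runs stand-alone. The roles,
permissions, users and conflict pairs are constructed sample data.
"""
from dataclasses import dataclass

# --- PIP: identity context, as a discovery process would populate it ---------
ROLE_PERMISSIONS = {
    "ap-clerk":    {"vendor:create", "invoice:enter"},
    "ap-approver": {"invoice:approve", "payment:release"},
    "dba":         {"db:read", "db:admin"},
}
USER_ROLES = {
    "alice": {"ap-clerk"},
    "bob":   {"ap-approver"},
    "carol": {"ap-clerk", "ap-approver"},   # toxic combination (constructed)
    "dave":  {"dba"},
}
# Permission pairs that must never be held by one identity.
SOD_CONFLICTS = [
    ({"vendor:create", "invoice:approve"}, "create vendors and approve invoices"),
    ({"invoice:enter", "payment:release"}, "enter invoices and release payments"),
]


def effective_permissions(user: str) -> set[str]:
    """PIP lookup: union of the permissions of every role the user holds."""
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in USER_ROLES.get(user, set())))


def sod_violations(user: str) -> list[str]:
    """Every SoD conflict whose permission pair is fully contained in the user's grants."""
    perms = effective_permissions(user)
    return [desc for pair, desc in SOD_CONFLICTS if pair <= perms]


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def decide(user: str, action: str) -> Decision:
    """PDP: deny by default; allow only if a role grants the action and no SoD conflict exists.

    Strict stance: any conflict blocks the identity until its roles are re-certified.
    """
    if action not in effective_permissions(user):
        return Decision(False, f"{action!r} is not granted to any role of {user!r}")
    violations = sod_violations(user)
    if violations:
        return Decision(False, "SoD conflict: " + "; ".join(violations))
    return Decision(True, "granted by role assignment")


AUDIT: list[dict] = []


def enforce(user: str, action: str, resource: str, operation):
    """PEP: ask the PDP, record the decision, and run `operation` only on allow."""
    d = decide(user, action)
    AUDIT.append({"user": user, "action": action, "resource": resource,
                  "allow": d.allow, "reason": d.reason})
    if not d.allow:
        raise PermissionError(d.reason)
    return operation()


if __name__ == "__main__":
    print(enforce("alice", "invoice:enter", "INV-1001", lambda: "invoice entered"))
    for who, act in [("alice", "invoice:approve"), ("carol", "invoice:approve")]:
        try:
            enforce(who, act, "INV-1001", lambda: "approved")
        except PermissionError as exc:
            print(f"denied {who}: {exc}")
    for entry in AUDIT:
        print(entry)
```

The point of the split is that the PEP never reasons about policy itself: every call goes through `decide`, so a change to the role map or the conflict list takes effect everywhere at once, and the audit list records the reason for each decision, which is what a traceable authorization source of truth requires.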
Agent Usage and Deployment
Delinea employs agents for robust policy enforcement. These agents are engineered for high fault tolerance, capable of operating offline by caching policy data. The design ensures they can find the nearest operational domain controller, enhancing resilience against network issues. This approach not only secures but also ensures usability even in adverse conditions, which is crucial for large-scale deployments in varied IT environments. This approach also reduces friction in managing systems by enforcing PAM and least-privilege policies on direct machine access, and it enhances security by preventing lateral movement and PAM bypass.
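The offline behaviour described above (try the nearest policy source, cache the last good policy, keep enforcing from cache during a network outage) is easy to get wrong in one direction: an agent that falls back to "allow" when it cannot reach its policy source has turned resilience into a bypass. The block below is an added illustration, not Delinea's agent code; the endpoints, the policy format (user to set of allowed actions) and the staleness limit are constructed assumptions.

```python
"""Enforcement agent that caches policy and keeps working when the PDP is unreachable.

Added illustration, not Delinea's agent. It tries each policy source in order
(the "nearest operational domain controller"), caches the last good policy,
enforces from cache while offline, and fails closed once the cache is older than
MAX_STALENESS. Sources, policy format and the staleness limit are constructed.
"""
import time

MAX_STALENESS = 3600.0   # seconds a cached policy may be used offline (assumption)


class PolicySource:
    """Constructed stand-in for one central policy endpoint; `up` simulates reachability."""

    def __init__(self, name: str, policy: dict, up: bool = True):
        self.name, self.policy, self.up = name, policy, up

    def fetch(self) -> dict:
        if not self.up:
            raise ConnectionError(f"{self.name} unreachable")
        return {user: set(actions) for user, actions in self.policy.items()}


class Agent:
    def __init__(self, sources: list, clock=time.time):
        self.sources = sources          # ordered nearest-first
        self.clock = clock
        self.cache = None               # last good policy
        self.cached_at = None           # clock value when it was fetched
        self.events: list[str] = []

    def refresh(self) -> bool:
        """Pull policy from the first reachable source; keep the old cache on total failure."""
        for src in self.sources:
            try:
                self.cache, self.cached_at = src.fetch(), self.clock()
                self.events.append(f"policy refreshed from {src.name}")
                return True
            except ConnectionError:
                continue
        self.events.append("no policy source reachable; enforcing from cache")
        return False

    def authorize(self, user: str, action: str) -> tuple[bool, str]:
        """Decide from fresh policy if possible, otherwise from the cache; never fail open."""
        self.refresh()
        if self.cache is None:
            return False, "no policy available (never synced); failing closed"
        age = self.clock() - self.cached_at
        if age > MAX_STALENESS:
            return False, f"cached policy is {age:.0f}s old; failing closed"
        allowed = action in self.cache.get(user, set())
        return allowed, f"{'allow' if allowed else 'deny'} from policy aged {age:.0f}s"


if __name__ == "__main__":
    policy = {"ops-admin": {"sudo", "service:restart"}}   # constructed policy
    now = [1_000.0]                                        # fake clock
    dc1 = PolicySource("dc1", policy, up=False)            # nearest, but down
    dc2 = PolicySource("dc2", policy)
    agent = Agent([dc1, dc2], clock=lambda: now[0])
    print(agent.authorize("ops-admin", "sudo"))            # fresh from dc2
    dc2.up = False                                         # network partition
    now[0] += 600
    print(agent.authorize("ops-admin", "sudo"))            # served from cache
    now[0] += MAX_STALENESS
    print(agent.authorize("ops-admin", "sudo"))            # stale: fail closed
    print(agent.events)
```

The staleness cutoff is the knob operations teams have to set consciously: too short and a routine outage locks administrators out of their own hosts, too long and a revoked entitlement keeps working on any machine that lost connectivity before the revocation.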
Onboarding With Delinea
Starting with Delinea typically involves:
- Securing Vulnerable Accounts: By discovering and vaulting these accounts, Delinea helps manage access securely.
- Implementing a Checkout Process: This ensures that privileged access is logged, controlled, and auditable.
- Privileged Session Monitoring (PSM): This prevents direct connections from user devices to critical systems, enhancing security.
This methodical onboarding process allows organizations to build from basic security measures to advanced access control strategies.
Source: Delinea, PAM Analyst Briefing Deck, 2024
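The checkout step in the onboarding sequence above has three properties worth seeing in code: a secret leaves the vault only under a lease bound to a user and a ticket, two users cannot hold the same account at once, and the secret is rotated when the lease ends so the value a user saw stops working. The block below is an added illustration, not Delinea's vault; the accounts, users, TTLs and rotation scheme are constructed assumptions.

```python
"""Credential checkout with exclusive, time-boxed leases, a ticket requirement and an audit trail.

Added illustration, not Delinea's vault. The vault owns the secret of a discovered
account, hands it out only under a lease tied to a user and a ticket, refuses
concurrent holders, and rotates the secret on check-in or lease expiry.
Accounts, users, TTLs and the rotation scheme are constructed assumptions.
"""
import secrets
import time
from dataclasses import dataclass


@dataclass
class Lease:
    account: str
    user: str
    ticket: str
    expires_at: float


class Vault:
    def __init__(self, clock=time.time):
        self.clock = clock
        self._secrets: dict[str, str] = {}   # account -> current secret
        self._leases: dict[str, Lease] = {}  # account -> active lease
        self.audit: list[str] = []

    def _log(self, event: str, account: str, user: str, outcome: str) -> None:
        self.audit.append(f"t={self.clock():.0f} {event} account={account} user={user} {outcome}")

    def onboard(self, account: str) -> None:
        """Take over a discovered account by replacing its secret with a vault-generated one."""
        self._secrets[account] = secrets.token_urlsafe(24)
        self._log("onboard", account, "-", "secret rotated")

    def _release_if_expired(self, account: str) -> None:
        lease = self._leases.get(account)
        if lease and lease.expires_at <= self.clock():
            del self._leases[account]
            self._secrets[account] = secrets.token_urlsafe(24)
            self._log("expire", account, lease.user, "lease expired, secret rotated")

    def checkout(self, user: str, account: str, ticket: str, ttl: float = 900) -> str:
        """Return the secret under an exclusive lease; deny without a ticket or while another user holds it."""
        if account not in self._secrets:
            raise KeyError(f"{account} is not vaulted")
        if not ticket:
            self._log("checkout", account, user, "denied: no ticket")
            raise PermissionError("a change/ticket reference is required")
        self._release_if_expired(account)
        held = self._leases.get(account)
        if held and held.user != user:
            self._log("checkout", account, user, f"denied: held by {held.user}")
            raise PermissionError(f"{account} is checked out by {held.user}")
        self._leases[account] = Lease(account, user, ticket, self.clock() + ttl)
        self._log("checkout", account, user, f"ok ticket={ticket} ttl={ttl:.0f}s")
        return self._secrets[account]

    def checkin(self, user: str, account: str) -> None:
        """End the lease and rotate the secret so the value seen by the user stops working."""
        lease = self._leases.get(account)
        if lease is None or lease.user != user:
            self._log("checkin", account, user, "denied: no lease held")
            raise PermissionError(f"{user} does not hold {account}")
        del self._leases[account]
        self._secrets[account] = secrets.token_urlsafe(24)
        self._log("checkin", account, user, "ok, secret rotated")

    def holder(self, account: str):
        """Current lease holder, or None (expired leases are released on the way)."""
        self._release_if_expired(account)
        lease = self._leases.get(account)
        return lease.user if lease else None


if __name__ == "__main__":
    now = [0.0]                               # fake clock for the demo
    vault = Vault(clock=lambda: now[0])
    vault.onboard("svc-backup")
    vault.checkout("alice", "svc-backup", "CHG-1001", ttl=600)
    try:
        vault.checkout("bob", "svc-backup", "CHG-1002")
    except PermissionError as exc:
        print("bob denied:", exc)
    vault.checkin("alice", "svc-backup")
    vault.checkout("bob", "svc-backup", "CHG-1002", ttl=300)
    now[0] += 301                             # bob's lease lapses
    print("holder after expiry:", vault.holder("svc-backup"))
    print("\n".join(vault.audit))
```

Rotating on check-in is what makes the audit trail meaningful: without it, a password seen once during a checkout remains valid indefinitely and later use of it is invisible to the vault.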
Authorization Maturity Levels
Delinea’s approach to PAM maturity mirrors the levels of assurance seen in authentication frameworks such as NIST SP 800-63B:
- Phase 1: Discovery, vaulting and privileged remote access control.
- Phase 2: Right-sizing, MFA, least privilege, and JIT permissions for accountability.
- Phase 3: Advanced management of rights based on detailed activity analysis, aiming for minimal privilege escalation, as well as handling non-human identities like service accounts.
This phased approach not only enhances security but also aligns with progressive organizational security needs.
Source: Delinea, PAM Analyst Briefing Deck, 2024
The Delinea Platform Engine
The Delinea Platform Engine is a pivotal component for on-premises deployments. This engine simplifies and accelerates PAM deployments by consolidating all components necessary to manage on-premises systems. This single on-premises component is then managed via the SaaS console and facilitates workload provisioning, updates, and other administrative functions. It’s designed to be installed on VMs with support for Windows and Linux and ensures secure and verified updates. The engine handles tasks ranging from discovery and credential rotation to policy enforcement in AD and privileged remote access, extending cloud security features to local environments.
Our Take
While Delinea’s evolution from a singular focus on PAM to a broader identity security platform encompassing PAM, identity governance and administration, and cloud infrastructure entitlement management represents a significant advancement, it can also introduce complexities:
- AI Integration: The integration of AI for enhancing functionalities like session recording analysis, in-product assistance, and query creation is forward-thinking. However, the dependency on AI could become a concern if the algorithms do not evolve as quickly as cyber threats or if there’s a lack of transparency in how AI decisions are made, potentially impacting trust and usability.
- User Experience: Offering a browser plugin for non-IT workers to access the vault simplifies access for business users but might also introduce security risks if not managed correctly. Ensuring that this ease of access does not compromise security will be crucial.
- Vault Enhancements: While the improvements in vault capabilities, including current Fast IDentity Online v2 (FIDO2) support, are promising, the transition or integration with existing systems could be resource-intensive for organizations. Ensuring compatibility and seamless upgrade paths will be vital for widespread adoption.
- Optional Agent-Based Model: The optional use of agents provides additional robust policy enforcement and caching but adds another layer of management (agent updates, compatibility issues) that organizations need to handle. This could be a point of friction for those aiming for minimal infrastructure overhead.
In closing, the Delinea Platform for Identity Security stands out for its integrated approach to managing privileged access within a broader identity security context. Its alignment with zero trust principles, robust agent technology, and maturity in handling authorization make it a formidable tool in cybersecurity. However, organizations should be prepared for the integration effort required to fully leverage its capabilities. For those willing to invest in this setup, Delinea provides a powerful, scalable solution to modern identity and access management challenges.
Want to Know More?
Develop a Comprehensive IAM Improvement Strategy | Info-Tech Research Group
Assess and Govern Identity Security | Info-Tech Research Group
Best Privileged Access Management (PAM) Software 2024 | SoftwareReviews