Which Privilege Account Management (PAM) Security Solution is Best for You | THYCOTIC

WHICH PRIVILEGE ACCOUNT MANAGEMENT (PAM) SECURITY SOLUTION IS BEST FOR YOU: CLOUD, ON-PREMISE, OR HYBRID?

CLOUD-BASED SERVICES GROWING MORE POPULAR

Cloud-based services have become more and more attractive in recent years as organizations seek to reduce upfront costs, lower the burden on IT staff, and enable them to focus more on their core responsibilities of growing their businesses. The reasons organizations choose cloud-based services are as diverse as the organizations themselves. Just under one-third of those using cloud-based services do so to operate relatively minor applications. One in four utilize cloud services for security applications, and one in five for CRM/ERM systems. Another 27% indicate the use of hosted services in the cloud for network monitoring, backup and storage.

Until now, organizations wishing to use a cloud-based service for Privileged Account Management and Security have had little choice. Nearly all commercial solutions were on premise, typically requiring a server and staff to maintain them. Thycotic is the first Privilege Account Management solution provider to offer freedom of choice in how organizations want to deploy our award-winning Secret Server technology. With the introduction of Secret Server Cloud, customers can choose to deploy Secret Server software on premise, through our secure Secret Server Cloud offering, or as a hybrid combination of the two. This guide will help you assess which deployment option will work best for you and your organization.


RULES OF THUMB FOR ON-PREMISE, CLOUD OR HYBRID PAM SOLUTION DEPLOYMENT

There is really no right or wrong answer when choosing the right combination of PAM protection for your organization. You first need to assess your specific business needs and infrastructure to make a more informed decision. The table below outlines several considerations to weigh when choosing among a Cloud, On Premise and Hybrid PAM delivery model.

| Consideration | Cloud | On Premise | Hybrid |
|---|---|---|---|
| Location | Data center | On Premise | Data Center & On premise |
| Ownership | Lease | Own | Own & Lease |
| IT infrastructure | Included | Company | Company & included |
| Management | 3rd Party | Own | Self & Third Party |
| Scale | Usually built for peak | On demand | Peak & on demand |
| Technology updates | Automatic | Software releases | Automatic and software releases |
| IT staff | Low – No professional services | Low – no professional services | Low & no professional services |
| Time to value with Thycotic | Nearly immediate | Fast | Fast |
| Licensing | Subscription – includes maintenance | Perpetual & maintenance | Perpetual and subscription |
| Budget | Op-Ex | Cap-Ex | Op-Ex & Cap-Ex |

Beyond these “Rules of Thumb,” the following scenarios can also help you assess the optimum deployment solution for your organization.

CHOOSING A CLOUD-BASED PAM SOLUTION DEPLOYMENT:

PASSING SECURITY AUDITS AND DEMONSTRATING COMPLIANCE

Nearly every small to medium size business today faces compliance with a myriad of government and industry policies and regulations. Demonstrating PAM security is playing a larger role in these regulations. Thycotic Secret Server Cloud delivers a convenient, easy to track and report capability to demonstrate compliance with privileged account access across a diverse set of industry regulations including HIPAA, PCI, SOX, NIST and more. For example, Thycotic Secret Server Cloud manages the availability, rotation, and integrity of privileged accounts that allow access to electronic Protected Health Information. The same goes for PCI DSS requirements that revolve around access control, and specifically, privileged accounts, which exist on nearly every system, device and application. Secret Server Cloud helps address several PCI DSS requirements related to privileged access, including requirements 2, 7, 8 and 10.

MANAGING DISTRIBUTED EMPLOYEES ACROSS THE GLOBE

Many organizations of all sizes in today’s Internet-connected world are moving away from centralized office-based operations to managing employees distributed across the world. These organizations often rely on cloud services to deliver 100 percent of their services to business and retail customers. With this kind of distributed business model, organizations use many cloud services that create multiple privileged accounts spread across multiple clouds. This quickly becomes a major challenge when it comes to managing different policies for maintaining, changing, updating and sharing those privileged accounts. The Thycotic Secret Server Cloud option is ideal for those organizations that require access to multiple services hosted in the cloud. Secret Server Cloud enables companies to economically assure a robust solution that includes security and backup, global scalability, central privileged account management and compliance, automatic updates, and more, reducing overall costs without sacrificing flexibility or functionality.

ASSURING BUILT-IN HIGH AVAILABILITY AND DISASTER RECOVERY

For many organizations, it’s imperative to make sure applications such as a PAM security solution are always available and redundant in the case of system outages or downtime. Thycotic Secret Server Cloud provides high availability and disaster recovery as built-in capabilities through a secure cloud connection without requiring any additional cost, hardware or maintenance. As a cloud-based service, any organization can now ensure HA and DR with continuous updates and support, all through an Op-Ex model that significantly reduces upfront costs while enhancing PAM security.

NEED AUTOMATED PAM SECURITY BUT NO CAP-EX BUDGET

As more organizations recognize the risks of maintaining privileged account password management through manual methods (often in Excel spreadsheets), they are looking for a solution like Secret Server but do not have the Cap-Ex budget to purchase an on premise PAM version. Secret Server Cloud gives you the option to automate PAM security with no upfront capital expense and little risk, since you pay as you go with our Op-Ex delivery model. Plus, there’s no need to purchase or maintain an additional Windows server, nor worry about updates with Secret Server Cloud.


LIMITING THIRD-PARTY RISK AND LIABILITY

Organizations of any size that need to share privileged accounts with third parties or contractors, but do not want to create privileged accounts that allow access to their internal systems, should consider a cloud-based service. Secret Server Cloud, for example, allows organizations to share their privileged accounts with contractors or third parties without giving direct access to internal networks. This reduces a major security risk with minimal cost or commitment.

THE STARTUP COMPANY WITH LIMITED OR NO IT RESOURCES

In this first scenario, we consider a 50-person start-up company that needs to monitor and manage its internal systems but has limited resources. The company does not have its own IT team, and IT knowledge is minimal. This situation suggests the startup company should choose a managed service model such as Thycotic’s Secret Server Cloud. By relying on a cloud-based PAM service, the start-up benefits from lower capital costs (no IT personnel recruited, no new hardware/software required, no licensing issues) and, equally important, the company is not distracted from focusing on its core responsibilities – growing the business.

As time passes and the business grows, this start-up could easily increase its workforce tenfold to manage more in-house support calls, hire its own dedicated IT staff and bring IT systems management in-house. At this point, an on premise PAM deployment model such as Secret Server On Premise may be more appropriate, giving the company full control over system growth and reducing ongoing subscription license costs, especially over the long term.

CHOOSING AN ON PREMISE PAM SOLUTION DEPLOYMENT:

POLICY, PRIVACY, AND CONTROL

Some organizations may not be comfortable with managing privileged accounts in the cloud due to corporate policies or industry compliance requirements. For example, firms in the financial industry may not be able to allow internal systems access to the Internet. These situations can be managed with the On-Premise version of Thycotic Secret Server. The on-premise perpetual license option enables a company to comply with industry regulations, providing a central Enterprise PAM solution that is not internet accessible for air gapped environments.

Privacy issues may also be a factor in storing privileged accounts in the cloud. Cloud infrastructure located outside of the borders of a country in Europe, for example, may not be permitted by the laws restricting access to safeguard privacy of data. Where Cloud services restrict storing privileged accounts, the ideal deployment model would be Secret Server On-Premise.


Of course, all of the PAM security benefits cited for Secret Server Cloud are available to Secret Server On Premise customers, including automated management, automatic password changing, and audited password access activity monitoring and reporting. In addition, Secret Server On Premise Enterprise edition is available for organizations seeking a more full-featured PAM solution ideal for larger operations.

CHOOSING A HYBRID PAM SOLUTION DEPLOYMENT:

EXISTING SECRET SERVER CUSTOMER REQUIRING SEPARATION OF DATA

In this scenario, an existing Thycotic On Premise Secret Server customer is using Secret Server to manage highly regulated data within its network infrastructure. However, there are business units in remote field offices not subject to the same restrictive policies and regulations. To eliminate the risk of manual privileged credential management in those offices, an automated PAM security solution in the cloud such as Secret Server Cloud is both efficient and economical.

Consider a scenario where a 2000-person company has a central office data center with several remote sales offices. The company wants to assure PAM security for its remote sites without hiring IT personnel or spending on Windows servers for each office. In this case, a hybrid approach is likely the optimal solution. The company can run remote PAM management software in the Cloud and easily monitor and manage password security for its remote offices.

In a similar scenario, a company may classify privileged accounts by different ratings or risks: those privileged accounts for internal systems and those privileged accounts for cloud systems or services. The company may decide to keep the two classes of privileged accounts separate so that internal accounts do not leave the organization's perimeter and cloud-based privileged accounts are accessible from anywhere. The ideal solution for this would be a Hybrid approach where the internal systems are protected by Secret Server On Premise and the cloud services are protected by Secret Server Cloud.
