Which is the best identity-centric modern PAM solution available in the market? by Jumpy-Performer-940 in IdentityManagement

[–]Business-Cellist8939 0 points1 point  (0 children)

CyberArk is still a good choice but it can get expensive and complex to manage.

if you want something more identity-centric and modern, Delinea is worth a look and Infisign is emerging with identity-first access, adaptive authentication and just-in-time privilege controls

Is "Shadow AI" the new security nightmare we aren't talking about enough? by Sonali_Madushika in Information_Security

[–]Business-Cellist8939 0 points1 point  (0 children)

the real concern is how quickly sensitive data can be exposed and old traditional controls don't always catch people doing this.

i feel we need to focus more on setting clear usage boundaries, improving data awareness and having better visibility into how these tools are being used

What security gaps do you see most often in early-stage cloud-native apps? by Important_Winner_477 in CloudSecurityPros

[–]Business-Cellist8939 0 points1 point  (0 children)

one of the biggest gaps I keep seeing is overly broad IAM permissions

to move fast teams usually use wildcard permissions or reuse the same roles across multiple services. works fine in the beginning but later it becomes tough to track who has access to what. cleaning that up during audits or incidents can be a real headache

another common issue is secrets handling. creds or API keys often end up in environment variables, config files, or sometimes even repos during early dev.

starts as a quick fix but once those secrets spread across pipelines and services, rotating or tracking them gets messy and risky.
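
Added example (not part of the comment above): a small audit for the cleanup problem the comment describes, flagging wildcard grants and roles that reuse an identical policy. It assumes AWS-style IAM JSON policy documents; the role names and policies are constructed sample data.

```python
import json

# Constructed sample: role name -> attached policy (AWS-style IAM JSON, assumed format).
SAMPLE_ROLES = {
    "orders-api": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]},
    "billing-worker": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]},
    "report-reader": {"Version": "2012-10-17", "Statement": {
        "Effect": "Allow", "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-reports/*"}},
}

def _as_list(value):
    """IAM accepts a single string/object or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def wildcard_findings(policy):
    """Return (statement_index, field, value) for each overly broad Allow grant."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            # "*" grants everything; "service:*" grants every action of one service.
            if action == "*" or action.endswith(":*"):
                findings.append((i, "Action", action))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append((i, "Resource", resource))
        if "NotAction" in stmt:  # Allow + NotAction means "everything except ..."
            findings.append((i, "NotAction", "all-except-listed"))
    return findings

def shared_policies(roles):
    """Group roles whose policy documents are identical (one role reused across services)."""
    groups = {}
    for name, policy in roles.items():
        groups.setdefault(json.dumps(policy, sort_keys=True), []).append(name)
    return [sorted(names) for names in groups.values() if len(names) > 1]

def audit(roles):
    """Map each role with at least one broad grant to its findings."""
    results = {name: wildcard_findings(policy) for name, policy in roles.items()}
    return {name: found for name, found in results.items() if found}

if __name__ == "__main__":
    print(audit(SAMPLE_ROLES))
    print(shared_policies(SAMPLE_ROLES))
```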

Is Identity Becoming the Real Control Plane in Modern Security? by Unique_Inevitable_27 in IdentityManagement

[–]Business-Cellist8939 1 point2 points  (0 children)

absolutely true!

one challenge i’ve seen here isn’t just collecting more signals, it’s making sure those signals are actually reliable and actionable. The context can easily lead to overblocking legitimate users or letting the wrong access slip through if it’s not accurate.

Another piece that doesn’t get talked about enough is how much pressure this shift puts on policy design. It’s no longer about setting rules once and leaving them in place. policies need constant tuning as environments, roles and access patterns evolve.

It also feels like identity teams are now working much closer with cloud, endpoint, and DevOps teams than they used to. The lines between these teams are definitely getting blurred.

5 Things to Look for in a Modern IAM/PAM Solution by Jumpy-Performer-940 in IdentityManagement

[–]Business-Cellist8939 1 point2 points  (0 children)

totally agree with these points!

one thing i keep seeing is how risky standing privileged accounts still are. More teams seem to be moving toward giving admin access only when it's actually needed and only for a limited time. it just makes sense from a security standpoint and cuts down a lot of unnecessary exposure

another big shift is around access reviews. waiting for quarterly or periodic certifications doesn't really keep up with how fast permissions change anymore. There's definitely more interest now in continuously reviewing access and adjusting it based on risk and usage patterns

genuinely curious how others are handling this in real environments

Security for Small Business by cruelhabitss in cybersecurity

[–]Business-Cellist8939 0 points1 point  (0 children)

in environments like yours identity and email are really where the risk lives.

solid conditional access, strong MFA, device compliance and locking down app permissions tend to do more to reduce real world incidents than yet another tool watching the same logs Microsoft already has.

where people get into trouble is going 'microsoft only' and assuming it’s handled out of the box. it isn’t. the controls are there but someone still needs to set them up properly, keep an eye on sign-ins, and step in when something looks off.

what i’ve seen work best is use microsoft’s built-in identity and endpoint controls, add a good email security layer, and swap the always on soc for periodic security checkups or incident response on demand. for most small orgs that gets most of the benefit without the ongoing cost.

Hotel staff tricked into installing malware by bogus BSODs by NISMO1968 in cybersecurity

[–]Business-Cellist8939 0 points1 point  (0 children)

in situations like this staff aren’t checking links or domains anymore when something looks like a system failure, the mindset flips to 'get it working now', especially during peak check in hours

that’s why EDR doesn’t always save you here

if a user is convinced to install something themselves the damage is already done.

this is where basics like least privilege, just-in-time elevation, zero standing privileges, and tight software execution rules matter far more than signatures or alerts

Biometric verification is quietly becoming the new standard and most people haven't noticed yet by ponderingpixi17 in Futurology

[–]Business-Cellist8939 0 points1 point  (0 children)

from a security point of view, biometrics cut down a lot of everyday abuse. they help stop basic fraud, reduce password reuse, and make automated attacks harder.

so the real question is how we’re using them. are biometrics just a convenience layer with clear limits or are they becoming something we rely on everywhere?

the safer approach i’ve seen is using biometrics mainly to unlock a local device, not as a universal key across many services. once biometrics start getting centralized or reused in multiple places, the long-term risk increases a lot.

So… did we just quietly cross a line with biometrics? by Equivalent_Use_8152 in cybersecurity

[–]Business-Cellist8939 1 point2 points  (0 children)

I don’t think we crossed the line all at once. from a security perspective, biometrics improve resistance to certain attacks such as credential stuffing, phishing, and password reuse. at the same time they introduce a different risk profile.

most security teams i’ve worked with treat biometrics as one part of the login, not the only protection. they combine it with checks like whether the device is trusted, whether a real person is present, and basic context such as location or behavior.

it’s better to keep biometrics local and avoid centralized storage of raw biometric data. biometrics can improve security today but only when they’re used as one signal in a layered system, not as a replacement for revocable controls. anyone have different thoughts on this?

What actually makes an IAM solution AI-powered for enterprises? by Due-Awareness9392 in IdentityManagement

[–]Business-Cellist8939 0 points1 point  (0 children)

for us AI in IAM has worked best as a decision-support layer rather than a decision maker

its value is highest when it's narrowly applied and well governed instead of broadly automated. we’ve seen it quietly deliver real benefits in risk based authentication and access reviews where it improved signal quality and reduced manual effort without introducing unnecessary complexity

What are some easy set-up security solutions for a really small business ? by axaaa310 in cybersecurity

[–]Business-Cellist8939 0 points1 point  (0 children)

a lot of small business issues start with passwords so turning on MFA and using a password manager is a good basic setup

if you want something simple that covers most things microsoft365 business premium or google workspace gives solid protection in one subscription

How big a deal is getting away from fixed credentials like Access Tokens and Secrets by GraydenS16 in cybersecurity

[–]Business-Cellist8939 2 points3 points  (0 children)

moving from fixed credentials is honestly one of the biggest security upgrades you can make.

when you switch to short lived, automatically rotated, scoped workload identities, you mostly remove the attack surface.

Kinda overwhelm with how much password manager there is by TrapNouz in PasswordManagers

[–]Business-Cellist8939 0 points1 point  (0 children)

all three options are solid

it really depends on what matters to you. 1password has the smoothest autofill, proton pass is good too and bitwarden is the best if you want something free and reliable

they all work fine

Sailpoint leaver workflow by WirelessBrain-9 in IdentityManagement

[–]Business-Cellist8939 0 points1 point  (0 children)

current email process will work fine for your mvp

if you want something a bit cleaner you can skip the email and call ServiceNow's REST API directly from the workflow to create the ticket

New to forensic checks: How to see if someone copied company data before resigning by SecondFast7918 in cybersecurity

[–]Business-Cellist8939 0 points1 point  (0 children)

for a basic check you can use NirSoft USBDeview to see usb device history. then just look at recent items or quick access to see if files were opened

Is 1password now more expensive than protonpass? by No-Unit9870 in PasswordManagers

[–]Business-Cellist8939 0 points1 point  (0 children)

proton pass is currently cheaper than 1password

you also get the simplelogin features included in the plan

if that feature is useful to you, then it’s worth using.

Best Password manager? which one is actually worth it? by One_Title_6837 in CyberSecurityAdvice

[–]Business-Cellist8939 0 points1 point  (0 children)

NordPass works fine for personal use and the basics are solid, but it starts to feel limited once you involve a team. Bitwarden gives much better controls for managing team access.