In my 15 years at CyberArk, I never once referred to our solution as a legacy PAM. At the time, I didn’t think it was — but becoming a legacy solution isn’t something that happens overnight. It’s like watching a tree grow: you don’t notice it day by day, and then suddenly it’s towering above you.

The dictionary defines a "legacy solution" as: "...a system, product, or technology that is still in use but is based on outdated architecture, design, or approaches compared to modern alternatives. It often continues to serve its core purpose, but it typically comes with limitations that make it less efficient, flexible, or scalable in today’s environment."

That's a great and weirdly accurate generic description, but there are also PAM-specific features that I think need to be highlighted. Here are my suggestions on what constitutes a legacy PAM solution:

🔒 They are vault centric. Legacy PAM is anchored around the concept of a single vault, where you store the "Keys to the Kingdom." You may see support for other secret stores, but inevitably there will be a link back to "the vault."

🤷 User experience will seem like an afterthought. Legacy solutions are very seldom user friendly. Unnecessary friction such as multiple and frequent authentication steps, multiple user interfaces, latency, and anything that involves "checking out and then back in" a credential creates a sub-optimal user experience that leads to push back, animosity between teams and failed deployments.

🏗️ Heavy on services. Legacy PAM is a services money pit. The "deployed in weeks" promises from vendors don't mean "onboarded in weeks." I worked with the world's largest enterprises, and "Windows and *nix deployed in years" would be a better description. Services are great when they get you to your goals quickly and efficiently, but when you are trying to "fix the unfixable" they take on a different guise.

💰 Everything comes with a cost. A legacy solution will feel like a weight around your neck, with little hope of modernizing without significant licensing cost. You're paying maintenance or an annual subscription, but access to that new feature or "modern" solution is going to come at a significant cost in licensing, infrastructure and services.

They say the first step to recovery is recognizing you have a problem. If the points I've raised above seem familiar, then perhaps it's time to look for a modern solution? PAM doesn't need to be difficult.
Well said. Love the tree metaphor. The real litmus test for legacy PAM is whether the architecture assumes static credential storage as the core design pattern. Modern environments demand ephemeral secrets, API-driven brokering, and frictionless identity propagation across hybrid and multi-cloud. If the platform still relies on credential checkout, persistent vault dependencies, or multi-year onboarding timelines, it’s already a liability. What looks like “feature depth” today will become unmanageable entropy tomorrow.
Well said. Modern IAM solutions have clear advantages over legacy stacks.
I’m not challenging your point, but many companies see ‘legacy’ as ‘production.’ How do you help clients manage the change to modernize PAM?
Well said Mark. Times change.
Very well said Mark. With the acquisition by Palo Alto that tree is now fully grown. So great to see the many newer entrants to the Privilege Identity market. Companies now have a wide choice with less of a lock in.
Curious to hear how you handled those customer conversations with former customers that you sold CyberArk to. How'd you continue to maintain a level of trust & consultative approach given the initial sale, and you were now educating them on a new way of doing things?