How much do privileged access management (PAM) solutions cost?

Privileged Access Management or PAM solutions are a relatively new breed of tools that allow you to manage credentials with advanced permissions. It’s vital to properly monitor and secure these accounts because they grant access to critical network systems and applications. If you are considering purchasing one of these tools, here are a few key elements to review as you assess costs and the PAM pricing structure. At the end of the day, it is important to make sure you understand what these fees are, if they are optional, and what they cover.

PAM pricing models

Most Privileged Access Management tools offer either a subscription or perpetual pricing model.

  • Cloud: The Software as a Service (SaaS) model is becoming prevalent where you basically pay for the use of the company's infrastructure running the software.  This makes access easier for multiple locations and can bring availability benefits, but it also has security concerns as you do not directly control the infrastructure. SaaS software is usually a flat monthly subscription fee.  Maintenance or support is typically built into the fee.
  • Subscription: This payment model allows an enterprise to rent the software for a monthly or quarterly cost. Often, the vendors offer a lower price for the first few installments then transition to a higher price for long term contracts.  If you choose this model, make sure you know if support and maintenance are included in the subscription.
  • Perpetual: In this pricing model, an enterprise will buy the software license with a one-time payment and receive the rights to use it in perpetuity. In another version of this license model, the provider accepts a one-time payment with a smaller annual cost - typically 20-25% of the list price for support and other services.  However, you will have to pay for upgrades to future versions if you want new features. These prices can be significant if the vendor changes their pricing model or scheme, for example when Microsoft switched from per-processor to per-core pricing for SQL.

Budgeting for PAM

The actual cost of a PAM tool may vary by use case. Meaning, the size of your organization, the number of endpoint users, or servers accessed impact the price. Each company has different approaches, so be sure to map out your PAM implementation and usage plan in advance to estimate the number of users that will need access and how it will scale up as you increase use. When considering a new solution, IT managers should understand how their choices will affect how accounting classifies the expense.  This can make a big difference to CFOs and the bottom-line. There are two major categories of software expenditure: a capital expense (CapEx) and an operating expense (OpEx).

  • Capital expense: This refers to a fixed asset. If you buy a PAM tool in this category such as with a perpetual license, you need to be confident it will be a resource used for at least 3 years as tax laws require the expense to be spread over at least that many, sometimes longer.
  • Operating expense: This refers to day-to-day business costs. If you have an ongoing subscription model, you can generally categorize the purchase as an operating expense, which means it can be written off in the same year you paid for the platform.  Additional maintenance and support services fees are generally categorized this way as well.

A robust PAM solution will dramatically reduce the attack surface of your network offering a significant return on investment. However, it’s important to first lay out your use case, vet a wide selection of PAM providers, and consider all the cost and process implications of implementation. NOTE: This article is not meant to be construed as tax advice, but rather a general discussion of options and their possible tax treatment.  Always consult your accountant for the proper reporting of the actual purchase.