Small and medium-sized enterprises (SMEs) might consider using Okta® and BeyondTrust for privileged access management (PAM). The companies had distinct product offerings in different categories until Okta introduced its Advanced Server Access control offering to integrate on-premises assets with its identity and access management (IAM) platform. That brought it into competition with BeyondTrust, which remains one of the recognized leaders in PAM.
PAM products are specialized solutions, and, you guessed it, specialization means higher costs. As such, SMEs should have well-defined use cases for PAM. Let’s see how Okta and BeyondTrust stack up against each other and what strategic approach each may take as they go head-to-head. Then, we’ll explore how JumpCloud could be considered as an alternative.
Understanding the Need for PAM
Let’s take a moment for a brief overview of the privileged access management category.
PAM is a subset of IAM that manages user access to critical server and network infrastructure resources. It’s evolved over time, but its origins are on premises. Many solutions, including BeyondTrust, were born out of the need to extend Microsoft® Active Directory® (AD), because AD’s access and entitlement controls didn’t provide the depth of control that many enterprises needed to delegate user access and establish least privilege security.
IT networks were traditionally Windows®-based and used on-premises or collocated data centers that housed an organization’s servers. These servers ran the organization’s applications and other critical services and required a higher level of security than AD alone. Software makers, including BeyondTrust, capitalized on the opportunity for better security and created PAM solutions to provide an elevated level of authentication and authorization that AD couldn’t.
The technology has since evolved to integrate with web single sign-on (SSO) and meet modern-day requirements such as Zero Trust security strategies. However, Okta is mostly focused on the broader IAM category with PAM capabilities, while BeyondTrust is primarily PAM with some IAM.
Similarities Between BeyondTrust and Okta
- Both provide IAM and PAM solutions
- Both offer multi-factor authentication (MFA), although BeyondTrust uses a time-based one-time password (TOTP) and works through supported authentication providers for more advanced options
- Both have integrations with servers, cloud providers, and other software applications
Differences Between BeyondTrust and Okta
BeyondTrust is more focused on PAM, while Okta is more focused on IAM.
Okta’s Advanced Server Access deploys an SSH key management-like approach focused on enabling secure access to servers, whether they’re hosted in AWS or elsewhere. It also offers Okta Privileged Access as an add-on service with basic PAM functionalities such as privileged session (SSH and RDP) monitoring and auditing. Okta is mainly focused on providing secure access to applications and web services through single sign-on. In that respect, Okta offers more integrations with third-party applications on the web than BeyondTrust. Its platform provides MFA, user provisioning, and lifecycle management. However, it has no unified endpoint management (UEM) to protect identities by establishing devices as a secure gateway.
BeyondTrust offers some IAM features, but its main focus is on PAM. Its solutions are more mature and have more granular control to secure privileged accounts, credentials, and remote access on premises and as a cloud privilege broker. BeyondTrust’s objective is to protect critical systems by reducing the risk of insider threats and enabling secure remote administration. It uses environmental scanning to inventory systems and focuses on securing the assets. BeyondTrust provides extensive integration capabilities through APIs, plugins, and connectors.
Bottom line: Okta isn’t a dedicated PAM solution and doesn’t establish a secure baseline for devices. BeyondTrust is a dedicated point solution for your server infrastructure and endpoints.
Pricing of BeyondTrust and Okta
Okta’s Advanced Server Access cost matches or exceeds its IAM subscriptions, and BeyondTrust is used by large enterprises with non-transparent, per-customer pricing.
Okta
- The list price for Advanced Server Access starts at $15/month per user. However, its IAM platform is a prerequisite for Advanced Server Access.
- Lifecycle management is necessary to manage entitlements and IT authorizations at an additional cost of $4/month per user.
- At the time of publication, Okta’s SSO plans range from $2/month per user for its standard offering for cloud and on-premises apps to $6/month per user for adaptive MFA. The former includes basic MFA and its ThreatInsight security layer; adaptive MFA adds contextual access management that takes risk, device state, location, and other factors into account.
- Fully functional MFA, i.e., push notifications, texts, and support for external hardware keys, is available for $3/month per user. More advanced MFA features are included in a premium subscription tier at $6/month per user.
- There may be additional a la carte costs for directory integration, API access management, automation workflows, and so on. Costs may total as much as $22/month per user with a minimum contract of $1,500.
- On-prem components such as Okta Gateway require dedicated server resources.
- Okta doesn’t provide UEM or MDM, which must be obtained separately for secure device state.
- Support plans range from basic with 24-hour SLAs to several premium packages that offer more immediate support and/or dedicated support managers and VIP onboarding. Pricing for these services isn’t transparent, and customers must work with Okta sales representatives.
BeyondTrust
BeyondTrust doesn’t publish its pricing; however, a recent G2 review stated that pricing is “higher than most” in the PAM category. Keep in mind that there are infrastructure components:
- Microsoft SQL Server and all target databases
- IIS web server technologies
- Network administration
- System administration
These components must all be configured, patched, and supported.
Factors to Consider When Choosing a Pricing Plan
- Consider what components are required and what’s necessary to support them
- Consider the cost of protecting databases
- Consider whether there are minimum pricing thresholds and other services required
- Consider the cost of implementing your PAM solution(s), i.e., auditing, databases, integrations, onboarding, provisioning new hires, and professional service fees.
- Consider whether a more holistic approach would benefit your organization by consolidating access control with device management.
Integration Between BeyondTrust and Okta
SMEs that are using Active Directory may end up using Okta for web application SSO and BeyondTrust for controlling access to servers. But there’s a caveat: using “best-of-breed” point solutions may benefit large organizations, but will be cost prohibitive for an SME. Organizations that require an asset-focused approach to credential management may consider using BeyondTrust with a different Identity Provider (IdP) for a more holistic approach to IAM.
Why JumpCloud Is a Better Solution Overall for IAM and PAM
Many IT organizations are interested in making the shift to a cloud identity management solution that effectively eliminates on-prem solutions such as Active Directory, and subsequently, combines a number of different categories together. Ideally, an all-inclusive identity management solution would combine IAM, privileged access management, and UEM.
Overview of JumpCloud’s Features and Benefits
JumpCloud is an open directory platform with centralized IAM and unified endpoint management, regardless of the underlying authentication method or device ecosystem. JumpCloud authenticates users whether they use biometrics, digital certificates, passwords, or SSH keys. The platform provides secure, frictionless access to resources. JumpCloud ensures that every resource has a “best way” to connect to it. Let’s explore its features in more detail.
Frictionless Access Control
- Servers use SSH keys, which are more secure than passwords
- Passwordless certificates secure RADIUS Wi-Fi access
- LDAP with integrated MFA secures access to network devices
- JumpCloud offers a large collection of pre-built connectors for SSO apps and doesn’t charge for Custom SAML Applications
- A provisioning API (coming soon) supports apps that don’t use existing protocols
- Cloud RADIUS with MFA secures access to network devices and Wi-Fi
- Web applications use SAML and OIDC for authentication
- SCIM provisioning can be used for authorization
- Integration with Active Directory is available
- JumpCloud Password Manager is available as an integrated add-on for additional security and convenience to create, store, and protect user credentials
IAM and PAM Features
- Conditional access rules for privileged access management; device conditions account for device posture, location, and more
- MFA with an integrated authenticator app that supports biometrics, TOTP, and push notifications
- JumpCloud is developing a device-bound credential that’s hardware protected and phishing resistant
Unified Endpoint Management
JumpCloud provides EMM/MDM and agent-based deployments for UEM. MDM enforces tamper-proof security policies and configurations to demonstrate and comply with organizational compliance requirements. Policies can be applied to endpoints and groups using templates. Agents offer additional telemetry through JumpCloud’s System Insights and pre-built reporting. JumpCloud supports Android, Apple devices from iOS to macOS, Linux, and Windows.
Other device management features include:
- Unlimited Remote Assist
- Root-level commands, including queued commands
- Optional cross-OS patch management for endpoints and web browsers
Lifecycle Management
Onboarding can be challenging with other platforms. JumpCloud solves that problem by integrating with popular HR systems and other IdPs including Okta, Google, and Microsoft. Memberships and entitlements are automated (or suggested) through dynamic groups.
Comparison with BeyondTrust and Okta
The open directory platform takes a combined approach to PAM and IAM by converging directory services, privileged account management, directory extensions, web app SSO, and MFA into one optimized SaaS-based solution.
Why JumpCloud Is a More Holistic Solution for IAM and PAM
JumpCloud focuses on treating identities as your perimeter to simplify how you implement and manage PAM. It combines IAM and PAM features with UEM, and includes mature lifecycle management and other essential IT management tools, such as patching, to ensure confidentiality, integrity, and assurance. These features are priced to be affordable for SMEs that may not otherwise have the resources to deploy holistic IAM.
Streamline IAM, PAM, and More with JumpCloud
Unifying cross-domain identity and device management with JumpCloud will enable you to reduce costs, improve operational efficiencies, strengthen cybersecurity, support workplace and identity transformation, and reduce the pressure on your IT admins and security teams. You can explore JumpCloud’s IAM and PAM solutions for free for the first 10 users and devices.
Watch the 5-minute overview above, and then get started combining PAM with MFA, SSO, and more, for all your resources without the need for on-premises components. Delegate user access to cloud-based and on-prem servers via LDAP and SSH keys, and then try extending this access to the rest of your resources, no matter the platform, protocol, provider, or location in question.
JumpCloud offers free chat support to get you started as well as a variety of Professional Services to help ease the load your employees face. Learn more about JumpCloud Professional Services or try JumpCloud free for 30 days.