Why the Simplicity of an Identity-Aware Proxy Wins Over Legacy Privileged Access Management

The Modern Cyber-Physical Crisis and the Regulatory Paradigm Shift

The industrial landscape is undergoing an unprecedented crisis of security and regulatory pressure. Historically, Operational Technology and SCADA systems operated in an environment of physical isolation, protected by the “air gap.” Today, the demands of industrial automation, remote diagnostics, and hyper-specialised supply chains have dismantled this isolation. Crucial infrastructure, including municipal water treatment facilities, electrical transmission grids, manufacturing plants, and oil and gas pipelines, must now be remotely accessible to a vast network of third-party engineers, maintenance technicians, and system integrators. This hyper-connectivity, whilst essential for operational efficiency, has exposed legacy industrial devices to the full spectrum of global cyber threats.

Traditional IT security tools, which rely on the concept of a “trusted network perimeter” secured by virtual private networks (VPNs) and firewalls, have proven wholly inadequate. When an organisation establishes a VPN tunnel for a remote vendor, it creates a direct path to the internal network. If the vendor’s device is compromised, attackers can easily move laterally across the subnet, scanning for vulnerable devices and launching attacks against critical assets. The risk is no longer merely digital; it is physical. A cyberattack on an exposed Programmable Logic Controller (PLC) or Human-Machine Interface (HMI) can result in physical destruction, environmental contamination, or even loss of life, as evidenced by recent real-world attacks targeting municipal water plants and grid utilities.

This physical risk has triggered a dramatic shift in regulatory oversight. Globally, critical infrastructure operators are facing a paradigm shift in compliance and personal liability. In Canada, the Canadian Centre for Cyber Security has issued the 36 Cyber Security Readiness Goals (CRGs), which demand rigorous, verifiable controls for authentication, authorisation, and access management. Concurrently, the Critical Cyber Systems Protection Act (CCSPA) imposes strict penalties for security failures. In North America, the North American Electric Reliability Corporation (NERC) enforces the NERC CIP standards, specifically CIP-003-9 and CIP-003-11, which mandate strict controls over vendor and external access to electronic security perimeters. In Europe, the NIS2 Directive establishes that essential entities must implement comprehensive supply chain security, zero-trust architectures, and robust cryptographic controls, with severe personal liability for corporate boards and executives who fail to exercise proper oversight.

Under these modern regulations, “best effort” security policies and manual administrative audits are no longer sufficient. Boards of directors and security officers must be able to provide verifiable, cryptographic evidence of individual accountability for every single remote access event. If a remote contractor modifies a PLC configuration, the compliance team must be able to prove exactly which physical human was using the account, why they were authorised, and what specific protocol-level commands they executed. This level of oversight requires a fundamental transition away from legacy, network-level connectivity models toward identity-governed, application-layer control. In this new regulatory and operational environment, organisations must choose between two competing paradigms: legacy Privileged Access Management (PAM) and modern, Layer 7 Identity-Aware Proxies.

The Burden of Credential Vaulting and Account Proliferation

The primary source of operational friction and security risk in traditional PAM systems is the reliance on credential vaulting. Because PAM is designed to manage high-privilege administrative accounts, it requires that every target resource have a corresponding account in the PAM vault. In a large enterprise or utility, this means maintaining thousands of credentials across hundreds of servers, databases, and network devices. The administrative overhead of configuring password rotation policies, managing vault synchronisation failures, and troubleshooting credential mismatch errors is a constant drain on IT resources.

This problem is severely compounded when dealing with external vendors, contractors, and third-party technicians. Under the traditional PAM model, to grant a vendor remote access to a system, administrators must first create a shadow user account in their own corporate directory (such as Active Directory) or provision a local account on each target machine. This leads to a massive “account proliferation” problem, where organisations are managing hundreds of stale, inactive vendor accounts. These shadow accounts represent a significant attack surface; they are frequently excluded from standard corporate multi-factor authentication policies, utilise weak or shared passwords, and are rarely de-provisioned in a timely manner when the contractor finishes their work. Furthermore, issuing Active Directory accounts to non-employees requires purchasing expensive client access licences (CALs), resulting in significant unnecessary software costs.

Agilicus AnyX completely eliminates the need for credential vaulting, password rotation, and shadow account creation by implementing Frictionless Identity Federation. Instead of creating new accounts for external vendors, Agilicus allows organisations to leverage federated single sign-on. When a third-party technician needs access, Agilicus federates their identity natively with their own corporate identity provider (such as Entra ID, Okta, or Google Workspace). The organisation does not provision any new user accounts, usernames, or passwords in their own Active Directory. Instead, they simply define an authorisation policy in Agilicus AnyX that maps the vendor’s external identity group to the specific internal resource they need to access.

When the vendor logs in, they are redirected to their own company’s identity provider, where they must authenticate using their existing credentials and multi-factor authentication. Once authenticated, their identity is securely verified by Agilicus AnyX via OpenID Connect (OIDC) or SAML, and they are granted clientless access strictly to the authorised resource. If the vendor is terminated by their parent company, their account is instantly deactivated in their home directory, automatically revoking their access across all Agilicus-protected systems. This eliminates the risk of stale accounts, removes the administrative burden of credential management, and provides perfect individual accountability without creating a single new credential or shadow account.

Deployment, Maintenance, and Firewall Topology

The operational and financial differences between a traditional PAM suite and an Identity-Aware Proxy become starkly apparent when analyzing their deployment topologies and infrastructure footprints. Installing a legacy PAM solution is a major, multi-month system-integration project. To support a solution like CyberArk or BeyondTrust, organisations must provision a substantial on-premise or cloud-hosted server footprint. This typically includes multiple Microsoft SQL Server databases for credential and session logging, Password Vault Web Access servers for the user portal, Privileged Session Manager servers to proxy RDP and SSH traffic, and HTML5 Gateway clusters to translate those protocols into the browser. Maintaining, backing up, patching, and securing this massive enterprise software stack is an ongoing operational burden that requires highly specialised, expensive administrative teams.

Furthermore, legacy PAM architectures require opening inbound ports on the corporate firewall. For users to connect clientlessly, the HTML5 Gateway and web portals must be exposed to the public internet, creating an immediate target for scanning, brute-forcing, and zero-day exploits. In OT SCADA networks, this is a significant non-compliance risk; NERC CIP and NIS2 strictly regulate or forbid opening inbound firewall ports to OT environments, forcing organisations to build complex, multi-tiered DMZ architectures to isolate the PAM components. This adds layers of firewall rules, routing tables, and network translation layers, rendering the entire network highly complex and fragile.

In addition, traditional systems struggle with complex networking topologies. In municipal and utility networks, it is common to have overlapping IP addresses across different physical facilities or substations. A PAM system trying to route sessions over a Layer 3 network tunnel faces significant routing conflicts when trying to address the same IP address (e.g., 192.168.1.10) in substation A and substation B. To solve this, network administrators must deploy complex NAT rules, double-NAT layers, or implement split-horizon DNS servers where internal DNS records do not match external records. This “split-horizon” configuration creates a highly complex maintenance landscape where resolving internal web hosts on SCADA networks requires local overrides, host file modifications, and custom routing configurations.

The Agilicus AnyX platform completely eliminates this infrastructure footprint and firewall exposure by utilising a cloud-brokered, software-defined perimeter model. AnyX is a fully managed, cloud-native platform; organisations do not need to deploy, maintain, or licence databases, web servers, or session gateways. The entire enterprise management console, user directory federation, and logging engines are hosted and maintained in the cloud by Agilicus. The only component installed on the organisation’s network is the Agilicus AnyX Connector, a lightweight, containerised software agent that can run on any standard Linux or Windows machine, virtual machine, or even directly on an industrial gateway router (such as those from Siemens or Cisco).

Most importantly, the AnyX Connector operates strictly via outbound-only connections.

It initiates a secure, encrypted connection to the Agilicus cloud broker over outbound port 443. It never requires opening any inbound firewall ports, and the protected PLCs, HMIs, and SCADA systems do not need public IP addresses. This means that the internal operational technology network remains completely dark and invisible to public search engines like Shodan. Outbound-only connectivity allows AnyX to deploy effortlessly in highly constrained network environments, including behind cellular backdoors, satellite links (such as Starlink), or carrier-grade NAT (CGNAT) without complex routing or DNS configurations. A complete zero-trust, identity-aware remote access deployment can be accomplished in minutes purely through software, delivering immense cost savings and superior security.

Total Cost of Ownership Analysis: Commercial and Operational Comparison

To fully appreciate why modern security leaders are shifting from legacy PAM to Agilicus AnyX, it is necessary to examine the commercial and financial realities of both architectures. Implementing a traditional PAM solution (such as CyberArk or BeyondTrust) is not just a software purchase; it represents a major, recurring capital and operational expense. The total cost of ownership (TCO) of legacy PAM is driven by several hidden factors:

1. Active Directory Client Access Licences (CALs): Because PAM forces organisations to provision AD accounts or domain accounts for external contractors, utilities must purchase a client access licence for every external vendor. For organisations with hundreds of third-party integrators, this represents a massive, recurring, and entirely unnecessary software cost.
2. Windows Server and Remote Desktop Service (RDS) CALs: To run engineering software (such as Rockwell Studio 5000) on Windows-based jump host VMs, organisations must purchase a Windows Server licence and an RDS CAL for every concurrent remote user. These licences are highly expensive and must be renewed annually.
3. Infrastructure Hosting Costs: Running a multi-server PAM stack (including SQL Server, PVWA, PSM, HTML5 Gateways, and Jump Hosts) requires substantial hardware resources. Whether hosted on-premise or in the public cloud, the CPU, memory, and storage costs of running these servers 24/7 represents a major, recurring operational expense.
4. Administrative Overhead (FTEs): Due to the sheer complexity of legacy PAM architectures, organisations typically require 2 to 3 full-time equivalents (FTEs) purely to manage the PAM software stack, troubleshoot credential rotation failures, configure jump host software, and provide/de-provision vendor accounts.

By implementing Agilicus AnyX, critical infrastructure operators can realise immediate, massive financial savings. Because AnyX relies on Federated Single Sign-On, there is no need to provision user accounts in the corporate Active Directory. This completely eliminates the need for AD CALs and removes the administrative burden of user provisioning. Furthermore, because AnyX allows engineers to run their native software natively on local machines, organisations completely eliminate Windows Server jump hosts and RDS CALs, saving thousands of dollars in software licensing. Finally, because AnyX is a fully managed, cloud-native SaaS platform, there is zero hosting infrastructure to manage, and the entire platform can be managed by a single IT generalist, drastically reducing administrative overhead and delivering a far superior return on investment (ROI).