PIM? PAM?….. Something different from IAM?

Santhusha Mallawatantri
Identity Beyond Borders
12 min read · Nov 24, 2022

Before we get into what PIM, PAM & IAM stand for, let's go through a few basics first. And yes, don't worry, I'll keep it as simple as possible so you can read and enjoy this.

Let's break it down into simple parts and follow the flow, starting from what we already know about authentication, so that the terms make sense as we progress further down the article.

We all know authentication is basically the process of determining that someone or something is in fact who or what they claim to be. The best analogy would be how you produce your passport as a form of identification to prove that you are the person booked on that specific flight.

But always remember, authentication & authorization are two different things. While one determines and verifies an identity, the other grants that identity permission to access resources. Proving who you are does not by itself decide what you may do. So remember, they are different.

So now that's out of the way, let's talk a little about what IAM, or Identity and Access Management, is.

Identity and Access Management, or IAM, is basically the discipline of managing identities and their access so that the right identity gets the right resource at the right time. So in another sense, we can say IAM covers both authentication (who you are) and authorization (what you may do), so it's the best of both worlds.

Just like how vanilla ice cream pairs with chocolate syrup, the best 🍨🍫😋

Since we covered the prerequisites that needed to be covered, we can finally move on to our real topic.

Before we get into what PIM and PAM are, we have to first understand that PIM and PAM are not concepts separate from IAM; rather, both are subsets of Identity and Access Management. Although they are subsets of IAM, there are scenarios that set them apart from one another, but we'll get to those as we go along this article.

Privileged Identity Management or PIM is a security solution that addresses the particular requirements of handling highly privileged access: the monitoring, management and protection of super-user accounts within the IT infrastructure of an enterprise. In a generic perspective, super-user accounts refer to accounts such as root, local or domain Administrator and Database Administrator (DBA) accounts, and a PIM programme usually also covers the high-value accounts of people like the CIO or CEO, who often hold elevated rights and access to confidential data.

A PIM product oversees the lifecycle of all user accounts with access to an IT infrastructure, with a particular focus on privileged accounts. It first discovers and documents all essential IT assets and the privileged accounts and roles that have access to them. It then makes sure that the restrictions on those accounts are enforced, such as password complexity and permitted times of use. It also logs, monitors and audits each privileged access request, raising an alert whenever one is deemed suspicious or inappropriate.

[Figure: Generic PIM Architecture]

But now you must be wondering what a super-user account really means….. is it something that gives you superpowers within that account? Well, not exactly, but from a different perspective it kind of is like an account juiced up with a superpower. A more sensible explanation would be:

A super-user account (root on Unix-like systems, Administrator or SYSTEM on Windows) means that the user has unrestricted access to the whole system: every application and file, plus the ability to modify or terminate any process and to change any configuration or any other account.

Now if you think about it that’s a lot of power right there, especially for someone working on a company machine or device 😉

In order to prevent abuse or misuse of these types of accounts, monitoring is essential. An unmonitored super-user account is exactly what malware or an intruder needs to compromise the system, or to steal or destroy important company data.

Therefore, it is important to carefully manage and keep an eye on these accounts, with PIM procedures and systems put in place to safeguard your company’s networks from abuse.

To make sure that these procedures are in place, PIM offers a number of capabilities:

  • Offers “Just-In-Time” access: users, applications or systems are given privileged access only for a short time and only when needed
  • Allows access for custom-defined periods of time
  • Enforces multi-factor authentication for privileged access
  • Provides a record of who held which access privilege and when
  • Generates reports

So if you look at it from a broader perspective, capabilities like JIT access and enforcing MFA are identity-and-access controls in their own right, which is what makes Privileged Identity Management a subset of IAM.

See the dots slowly starting to connect between what we were discussing before on PIM and PAM being subsets of IAM 😉

Privileged Identity Management or PIM brings a multitude of benefits, such as:

  • Facilitates accessibility
  • Enhances security
  • Keeps up with regulatory compliance
  • Lowers the cost of IT and auditing
  • Addresses risks associated with active accounts that are not used

Now that we know a little about what PIM is, in a more simplistic summary: PIM or Privileged Identity Management is the most effective method for managing super-user accounts across an organization. C-level executives and senior management may also have administrative privileges and access to confidential data. In order to prevent breaches, such privileges and access need careful monitoring and the appropriate restrictions in place. PIM ensures that each user is assigned a specific identity with specific rights, guaranteeing that they can only access data within the scope of their permissions and only perform the actions those permissions allow.

Bonus Content 😋

Implementation of PIM
----------------------
1. Create a policy that specifies how highly privileged accounts will be controlled, together with the rights and restrictions that apply to the users of these accounts.
2. Build a management model that designates who is accountable for ensuring that the policy is followed.
3. Identify and monitor all super-user accounts.
4. Establish procedures and deploy technologies for management, such as provisioning tools or specialized PIM solutions.

Now that we've covered what PIM is, let's explore what PAM or Privileged Access Management is. But to better understand PAM, we first need to grasp the concept of privileged access.

A simple definition of privileged access: it embodies those functions or types of access that exceed standard user access. With privileges, specific security restrictions can be bypassed, a system can be shut down, a system or network configuration can be changed, cloud accounts can be configured, and so on.

Accounts that have privileged access are known as privileged accounts. They fall into two main categories: privileged user accounts (used by people, such as an administrator) and privileged service accounts (used by applications, services or automation). Controlling these privileged rights within an organization is vital for protecting critical infrastructure and sensitive data.

Now that that's out of the way, we can finally move on to what PAM or Privileged Access Management is.

PAM is basically an infosec mechanism comprising the toolkits and technologies that enable a company to safeguard, limit and track access to its most sensitive data and resources.

Some of the subcategories of PAM are:

  • Shared access password management (vaulting and rotating the passwords of shared and service accounts)
  • Privileged access control
  • Vendor-privileged access management (VPAM)
  • Application access management (credentials used by applications rather than people)

PAM systems store the credentials of privileged accounts, such as admin accounts, in a vault. Instead of knowing the password, a system administrator checks the credential out of the PAM system, which authorizes the request and logs who took what and when. Whenever a credential is checked back in (or its time limit runs out), the password is reset, so the administrator has to go through the PAM system again the next time they need it, and any copy of the old password is worthless.

[Figure: Generic PAM Architecture]

PAM is grounded in the principle of least privilege (POLP), wherein users receive only the minimum level of access required to perform their job functions. The principle of least privilege is widely considered a cyber security best practice and a fundamental step in protecting privileged access to high-value data and assets.

The Principle of Least Privilege (POLP) states that a subject should be given only those privileges needed for it to complete its task. If a subject does not need an access right, the subject should not have that right. Further, the function of the subject (as opposed to its identity) should control the assignment of rights. If a specific action requires that a subject’s access rights be augmented, those extra rights should be relinquished immediately upon completion of the action.
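Here is the vault check-out / check-in cycle described above, together with the just-in-time, time-boxed access PIM offers and POLP's "relinquish the extra rights when the task is done", in working code. This is an added example and not part of the original article or any vendor's product: a toy vault that leases a privileged password for a bounded time, rotates it on check-in or when the lease expires, and writes every request, grant, denial and rotation to an audit log. The account names, the 15-minute default lease, the exclusive one-holder-at-a-time rule, the audit-line format and the `mfa_verified` flag are assumptions for illustration; a real PAM product exposes the same operations through its API.

```python
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Added example (not from the original article). Account names, the 15-minute
# default lease and the audit-line format are all assumptions for illustration.
ALPHABET = string.ascii_letters + string.digits + "!@#%^&*-_"


def generate_password(length: int = 32) -> str:
    """Cryptographically random secret, used every time an account is rotated."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class Lease:
    user: str
    expires_at: datetime


@dataclass
class PrivilegedAccount:
    name: str
    password: str
    lease: Optional[Lease] = None  # who currently holds the credential, if anyone


@dataclass
class Vault:
    """Holds privileged credentials; administrators never store the password themselves."""
    accounts: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)
    default_lease: timedelta = timedelta(minutes=15)

    def _audit(self, now, event, user, account, detail=""):
        self.audit_log.append(f"{now.isoformat()} {event} user={user} account={account} {detail}".rstrip())

    def add_account(self, name: str) -> None:
        self.accounts[name] = PrivilegedAccount(name, generate_password())

    def check_out(self, user: str, account: str, now: datetime, mfa_verified: bool) -> Optional[str]:
        """Hand out the current password for a bounded lease, or None if denied."""
        acct = self.accounts[account]
        self._audit(now, "REQUEST", user, account)
        if not mfa_verified:
            self._audit(now, "DENY", user, account, "reason=mfa_required")
            return None
        if acct.lease and acct.lease.expires_at <= now:
            self._expire(acct, now)  # a forgotten check-in is rotated before anyone else gets it
        if acct.lease is not None:
            self._audit(now, "DENY", user, account, f"reason=checked_out_by:{acct.lease.user}")
            return None
        acct.lease = Lease(user, now + self.default_lease)
        self._audit(now, "GRANT", user, account, f"expires={acct.lease.expires_at.isoformat()}")
        return acct.password

    def check_in(self, user: str, account: str, now: datetime) -> bool:
        """Release the lease; the password is reset so the copy the admin saw is now useless."""
        acct = self.accounts[account]
        if acct.lease is None or acct.lease.user != user:
            self._audit(now, "DENY", user, account, "reason=no_active_lease")
            return False
        self._rotate(acct, now, "checkin")
        acct.lease = None
        self._audit(now, "CHECKIN", user, account)
        return True

    def expire_stale_leases(self, now: datetime) -> list:
        """Sweep job: rotate every account whose lease ran out without a check-in."""
        expired = [a for a in self.accounts.values() if a.lease and a.lease.expires_at <= now]
        for acct in expired:
            self._expire(acct, now)
        return [a.name for a in expired]

    def _expire(self, acct: PrivilegedAccount, now: datetime) -> None:
        self._audit(now, "EXPIRE", acct.lease.user, acct.name)
        self._rotate(acct, now, "lease_expired")
        acct.lease = None

    def _rotate(self, acct: PrivilegedAccount, now: datetime, reason: str) -> None:
        acct.password = generate_password()
        self._audit(now, "ROTATE", "vault", acct.name, f"reason={reason}")


def demo() -> dict:
    """One clean check-out/check-in cycle, two denials, and one forgotten check-in."""
    t0 = datetime(2022, 11, 24, 9, 0, tzinfo=timezone.utc)
    vault = Vault()
    vault.add_account("dba-prod")
    first = vault.check_out("alice", "dba-prod", t0, mfa_verified=True)
    denied_no_mfa = vault.check_out("bob", "dba-prod", t0 + timedelta(minutes=1), mfa_verified=False)
    denied_in_use = vault.check_out("bob", "dba-prod", t0 + timedelta(minutes=2), mfa_verified=True)
    vault.check_in("alice", "dba-prod", t0 + timedelta(minutes=5))
    second = vault.check_out("bob", "dba-prod", t0 + timedelta(minutes=6), mfa_verified=True)
    expired = vault.expire_stale_leases(t0 + timedelta(minutes=30))  # bob never checked in
    return {"first": first, "second": second, "denied_no_mfa": denied_no_mfa,
            "denied_in_use": denied_in_use, "expired": expired,
            "current": vault.accounts["dba-prod"].password, "audit_log": vault.audit_log}
```

`demo()` walks through one cycle: alice checks the DBA credential out with MFA, bob is denied once for lacking MFA and once because the account is already leased, alice checks in (which rotates the password), bob checks out and forgets to check in, and the sweep rotates the secret anyway. The password alice saw never works again, which is the whole point of vaulting rather than sharing admin passwords.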

Let's talk a little about the principles of Privileged Access Management. There are three guiding principles to PAM:

  • Guiding Principle 1: Prevent Credential Theft

For assigning and tracking privileged account credentials, many organizations rely on inefficient manual methods. Passwords and keys can stay the same for months or even years after being handed out. Former employees, contractors and business partners frequently keep access to vital applications and systems after leaving the company, exposing it to data breaches and hostile attacks.

Disgruntled workers or external intruders can exploit dormant accounts or stale passwords to launch complex attacks. Preventing credential theft therefore has to be a top priority.
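The stale-credential and dormant-account problem Guiding Principle 1 describes is something you can check for mechanically. The following is an added example (not from the original article) that runs an audit over a constructed inventory of privileged accounts, flagging enabled accounts whose credential has not been rotated within a policy window, enabled accounts that have not been used recently (or ever), and enabled accounts whose owner has left the company. The CSV column names, the sample rows, the 90-day rotation and 60-day dormancy thresholds and the HR status values are all assumptions.

```python
import csv
import io
from datetime import date

# Constructed export in the shape of a privileged-account report, one row per
# account. Column names and the rows themselves are invented for this example.
SAMPLE_REPORT = """\
account,owner,owner_status,enabled,last_rotated,last_used
root-dc01,alice,active,true,2022-01-10,2022-11-20
dba-prod,bob,terminated,true,2022-06-01,2022-09-30
svc-backup,ops,active,true,2021-03-15,2022-11-23
break-glass,secops,active,true,2022-10-01,
app01-admin,carol,active,false,2020-05-05,2021-01-01
pki-admin,dave,active,true,2022-11-01,2022-11-22
"""

REPORT_DATE = date(2022, 11, 24)       # "today" for the constructed report
MAX_CREDENTIAL_AGE_DAYS = 90           # policy: rotate privileged secrets quarterly (assumed)
DORMANT_DAYS = 60                      # policy: unused for two months counts as dormant (assumed)


def _parse_date(value: str):
    """Empty cells mean 'never', which matters for last_used."""
    return date.fromisoformat(value) if value else None


def audit(report_csv: str, today: date,
          max_age: int = MAX_CREDENTIAL_AGE_DAYS, dormant: int = DORMANT_DAYS) -> dict:
    """Return {account: [issue, ...]} for every enabled privileged account that needs attention.

    Disabled accounts are skipped: a disabled account cannot be used, so it is not a
    live exposure, even if its metadata looks stale.
    """
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["enabled"].strip().lower() != "true":
            continue
        rotated = _parse_date(row["last_rotated"])
        used = _parse_date(row["last_used"])
        issues = []
        # Leaver still holding a live privileged account: the most urgent finding.
        if row["owner_status"] == "terminated":
            issues.append("owner_left_but_still_enabled")
        # Secret older than policy allows; report the age so the finding is actionable.
        age = (today - rotated).days
        if age > max_age:
            issues.append(f"credential_age_{age}d")
        # Never used, or not used within the dormancy window.
        if used is None or (today - used).days > dormant:
            issues.append("dormant")
        if issues:
            findings[row["account"]] = issues
    return findings


def run_audit() -> dict:
    return audit(SAMPLE_REPORT, REPORT_DATE)


if __name__ == "__main__":
    for account, issues in run_audit().items():
        print(f"{account}: {', '.join(issues)}")
```

In this sample the terminated owner of `dba-prod` is caught along with a 176-day-old password, the `svc-backup` service account has not been rotated in over a year and a half, and the never-used `break-glass` account is surfaced as dormant so someone confirms it is intentional. `app01-admin` produces nothing because it is disabled. Feeding the same logic a real export from your directory or PAM tool is the operational version of "make sure the prevention of credential theft is of utmost priority".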

  • Guiding Principle 2: Restrict and Stop Vertical & Lateral Movement

Once they have credentials, an adversary will frequently pivot from lower-value devices to higher-value targets that hold sensitive information or can be used to control the environment. There are two ways to do this:

  1. Moving laterally inside the same “risk tier” in the hopes of discovering better, more valuable credentials.
  2. Moving vertically from one risk tier to the next (for example, from workstations to servers) to get closer to the target.

So compromise is to be avoided by preventing both vertical and lateral movement. In practice that means a credential belonging to one tier should never be usable on hosts of another tier, and movement between hosts within the same tier should be watched.
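The two movement patterns above, checked over a constructed set of logon records, as an added example that is not part of the original article. Hosts and accounts are assigned to tiers (Tier 0 for the identity and control plane, Tier 1 for servers and applications, Tier 2 for user workstations, following the workstations-to-servers layering in the text). A credential appearing on a host of a different tier is a vertical finding: a higher-tier credential on a lower-tier host exposes that credential to whatever is on the host, while a lower-tier account on a higher-tier host looks like escalation. One account reaching several peer hosts in its own tier is the lateral pattern. The tier assignments, host and account names, log format and fan-out threshold are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Tier assignments (constructed). Tier 0 = identity/control plane,
# Tier 1 = servers and applications, Tier 2 = user workstations.
HOST_TIER = {"dc01": 0, "pki01": 0, "sql01": 1, "app01": 1,
             "ws-017": 2, "ws-042": 2, "ws-058": 2, "ws-099": 2}
ACCOUNT_TIER = {"t0-admin": 0, "t1-sqladmin": 1, "svc-backup": 1, "jdoe": 2}

LATERAL_FANOUT_THRESHOLD = 3  # distinct same-tier peers one account reaches (assumed)

# Constructed logon records: "<timestamp> <account> <source_host> <target_host> <logon_type>"
SAMPLE_EVENTS = """\
2022-11-24T09:01:02Z jdoe ws-017 ws-017 interactive
2022-11-24T09:15:10Z t0-admin ws-042 ws-042 interactive
2022-11-24T09:20:00Z jdoe ws-017 ws-042 network
2022-11-24T09:21:30Z jdoe ws-017 ws-099 network
2022-11-24T09:22:10Z jdoe ws-017 ws-058 network
2022-11-24T09:30:00Z jdoe ws-017 dc01 network
2022-11-24T09:40:00Z t1-sqladmin sql01 sql01 interactive
2022-11-24T09:45:00Z svc-backup app01 app01 service
"""


@dataclass(frozen=True)
class Logon:
    ts: str
    account: str
    src: str
    dst: str
    logon_type: str


def parse_events(text: str) -> list:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dst, logon_type = line.split()
        events.append(Logon(ts, account, src, dst, logon_type))
    return events


def tier_violations(events: list) -> list:
    """Vertical check: a credential used on a host outside its own tier.

    Returns (timestamp, account, target_host, finding) tuples.
    """
    findings = []
    for e in events:
        acct_tier = ACCOUNT_TIER.get(e.account)
        host_tier = HOST_TIER.get(e.dst)
        if acct_tier is None or host_tier is None:
            findings.append((e.ts, e.account, e.dst, "unknown_tier"))  # unmanaged asset or account
        elif acct_tier < host_tier:
            # e.g. a domain admin logging on to a workstation leaves the credential there
            findings.append((e.ts, e.account, e.dst, "credential_exposure"))
        elif acct_tier > host_tier:
            # e.g. a workstation user reaching a domain controller
            findings.append((e.ts, e.account, e.dst, "privilege_escalation"))
    return findings


def lateral_movement(events: list, threshold: int = LATERAL_FANOUT_THRESHOLD) -> dict:
    """Horizontal check: one account fanning out to many peer hosts in the same tier."""
    peers = defaultdict(set)
    for e in events:
        if e.src != e.dst and HOST_TIER.get(e.src) == HOST_TIER.get(e.dst):
            peers[e.account].add(e.dst)
    return {acct: sorted(hosts) for acct, hosts in peers.items() if len(hosts) >= threshold}


def analyse(text: str = SAMPLE_EVENTS) -> dict:
    events = parse_events(text)
    return {"vertical": tier_violations(events), "lateral": lateral_movement(events)}


if __name__ == "__main__":
    result = analyse()
    for finding in result["vertical"]:
        print("VERTICAL", *finding)
    for account, hosts in result["lateral"].items():
        print("LATERAL", account, "->", ", ".join(hosts))
```

On the sample, `t0-admin` logging on to `ws-042` is reported as credential exposure, `jdoe` reaching `dc01` as escalation, and `jdoe` touching three other workstations from `ws-017` as lateral movement. Normal local and same-tier service logons produce nothing, which is what you want from a rule you intend to alert on.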

  • Guiding Principle 3: Limit Privilege Escalation & Abuse

Privileged accounts are everywhere. Each host, application, database and platform comes with its own set of administrative credentials. Many businesses manage privileged credentials manually and have limited visibility and control over privileged session activity.

To make matters worse, many companies over-privilege end users and application processes, giving them full admin capabilities regardless of their actual needs. The proliferation of privileged accounts, combined with a lack of visibility and control, offers a large attack surface for hostile insiders and external attackers to take advantage of.

Therefore it is important to deter the escalation and abuse of privileges, and of the privileged accounts that carry them.

Well, I know it was a little overwhelming to take all that information in, but trust me, you'll get the whole gist of it in no time.

PAM or Privileged Access Management has a multitude of features to tie everything together, such as:

  • Multi-Factor Authentication (MFA) required for administrators
  • Management of authorizations and confidential user data
  • A password vault that securely stores privileged passwords
  • Session monitoring and recording once privileged access has been granted
  • Dynamic authorization capabilities, such as granting access only for a set amount of time
  • Automated provisioning and de-provisioning, to reduce insider threats
  • Audit logging that assists organizations in achieving compliance

And with these features, it is important that each and every organization implements PAM, as it brings about these specific benefits:

  • A reduced attack surface that protects against both internal and external threats
  • Reduced malware infection and propagation
  • Enhanced operational performance
  • Easier to achieve and prove compliance
  • Better rights monitoring & control
  • Removal of local admin rights
  • Facilitates productivity

So in a general perspective, implementing a PAM system helps organizations effectively monitor the entire network and provides insight into which users have access to what data.

A PAM system is one of the best ways for an organization to protect against external threats by preventing malicious parties from accessing sensitive corporate data through internal accounts.

Bonus Content 😋

Best Practices of PAM
----------------------
1. Eliminate irreversible network takeover attacks
2. Control and secure infrastructure accounts
3. Limit lateral movement
4. Protect credentials for third-party applications
5. Manage *NIX SSH keys
6. Defend DevOps secrets in the cloud and on premises
7. Secure SaaS admins and privileged business users
8. Invest in periodic Red Team exercises to test defenses
9. Establish and enforce a comprehensive privilege management policy
10. Segment systems and networks
11. Enforce password security best practices
12. Lock down infrastructure
13. Monitor and audit all privileged activity
14. Implement dynamic, context-based access
15. Secure privileged task automation (PTA) workflows
16. Implement privileged threat/user analytics
17. Enforce separation of privileges and separation of duties

Conclusion

Now that we've talked about what IAM, PIM and PAM are, we can finally get to the real question: are PIM and PAM different from IAM?

Let's have a look at this perspective between PIM and PAM first.

+--------------+------------------------+-----------------------------+
| Parameters   | PAM                    | PIM                         |
+--------------+------------------------+-----------------------------+
| Description  | A system for securing, | A system for managing,      |
|              | managing, monitoring   | controlling and monitoring  |
|              | and controlling        | access to resources in the  |
|              | privileges.            | company by accounts that    |
|              |                        | have super-user access.     |
+--------------+------------------------+-----------------------------+
| Technologies | LDAP & SAML            | LDAP                        |
+--------------+------------------------+-----------------------------+
| Applications | One Identity, Foxpass, | ManageEngine, Microsoft     |
|              | Hitachi ID, etc.       | Azure, Okta identity cloud, |
|              |                        | Auth0, etc.                 |
+--------------+------------------------+-----------------------------+

If you look at it more closely, you can see that PAM is a system for controlling and managing privileges (what a privileged account may do, and the sessions in which it does so), whereas PIM is specifically about controlling and managing which identities hold super-user access to resources.

But if we compare them with IAM, we can come to a conclusion as to whether PIM and PAM are something different, using the table below.

+--------------------------------+--------------------------+-----------------------------+
| PIM                            | PAM                      | IAM                         |
+--------------------------------+--------------------------+-----------------------------+
| Concentrates on the rights     | The layer that secures a | Applies to all users in the |
| assigned (typically set by     | certain access level and | organization who have an    |
| IT departments or System       | the data that can be     | identity, which will be     |
| Admins) to various identities. | accessed by a privilege. | monitored and handled.      |
+--------------------------------+--------------------------+-----------------------------+
| Also assists in the control of | Maintains privileged     | Keeps the overall network   |
| unchecked IAM areas.           | identities under         | safe.                       |
|                                | protection & ensures the |                             |
|                                | ones with admin rights   |                             |
|                                | do not engage in abuse   |                             |
|                                | of privileges.           |                             |
+--------------------------------+--------------------------+-----------------------------+

So as the network perimeter is blurring due to the increasing popularity of remote work, network security alone may not suffice. One of the risks for every company is unmanaged accounts, which means that all users must always be identifiable and continuously monitored for appropriate rights. A lack of access controls increases threats and can lead to the abuse of highly sensitive data. For instance, an ex-employee may still have access to your confidential data, an attacker may compromise an account and misuse it, or insider threats could exist in your company. This is where PIM, PAM and IAM come into play, protecting your organization against the various types of identity-related danger.

And that is how we can tell that, rather than being different from each other, PIM and PAM are subsets of IAM that work in unison to ensure that your confidential data and resources are safe.

So that right there sums up PIM, PAM and IAM and wraps up this article, everyone. I hope you learned something from it and take an interest in exploring the domain of IAM further.

As always, keep shining and stay tuned for lots more exciting stuff coming your way. Continue to work hard, stay curious and dare to try something new or learn something new every day. Look out for one another and keep rocking.

This is your friendly neighborhood UX/UI junkie signing off. See you next time. Peace ✌️

UX junkie by day, UI junkie by night | Here to help you discover your passion for tech ( mostly UX/UI related 😉 )