Understanding the Difference between PIM and PAM and Why You Need Both

Cloud computing has turned IT management on its head in multiple ways. Users have the power to procure and use cloud resources without the involvement of IT. In light of that, users have a greater need for privileged access to those resources, increasing the complexity of managing privileged accounts.

A privileged account allows the user to take administrator-level actions, such as changing system settings and permissions, adding users, and downloading software. Because of the power afforded to privileged accounts, they demand greater security than regular accounts. Many of the most notorious cyberattacks were executed through the successful exploitation of privileged accounts.

Any organization seeking to improve the security of its privileged accounts will quickly run into a couple of acronyms: PIM (privileged identity management) and PAM (privileged access management). The two terms are closely related and often used interchangeably, but there are distinct differences.

Start with Identity

Identity management is the process of defining and managing roles and access privileges and associating them with individual users or groups. PIM is a subset of identity management focused on privileged accounts. It is smaller in scope but involves much greater risk to the organization.

Privileged accounts include those used by systems and software as well as human administrators. Furthermore, administrative accounts exist on systems even if no particular individual is associated with them. With identity management, you start with a user and define that user’s credentials and access rights. With PIM, you start with a given set of privileges and determine who gets to use them and under what circumstances.

To do so, you need to define a policy that specifies how administrative accounts will be managed and what privileged users will be allowed to do. The next step is to take inventory of the privileged accounts throughout the environment, and implement processes and tools for managing those accounts according to the established policy.

Add Strict Access Controls

Once you’ve identified your privileged accounts and established policies and procedures governing them, you need to establish processes for securing those credentials and ensuring that they’re used appropriately. That’s where PAM comes into play. PAM places strict controls on privileged credentials and monitors activities that use those credentials.

Traditionally, organizations have done little to manage and control administrative accounts. Often, privileged credentials were given out to whoever needed that level of access and shared among multiple users. That makes a hacker’s job easy. And if privileged credentials were to fall into the wrong hands or be misused by a malicious insider, it would be virtually impossible to spot those activities.

According to Gartner, PAM requires some way of securing passwords and some form of privileged session management. Privileged credentials should be stored in a vault with the highest levels of security, rotated regularly and, ideally, never revealed. PAM solutions should also provide some means of monitoring active administrator sessions and allowing security teams to suspend or terminate those sessions if they spot suspicious activities.

Make It Granular

Privileged access is not an “all or nothing” proposition. Best-in-class PIM tools enable “just in time” access for users who need to perform a task or work on a project for a finite period of time. PIM tools should also identify and block dormant accounts and document all privileged access requests for auditing purposes.
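
The three PIM behaviors described above (time-boxed "just in time" access, blocking dormant accounts, and documenting every request for audit) as an added Python example; it is not code from this article or from any product. The `PrivilegeBroker` class, the 90-day dormancy threshold, and the account and role names are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

DORMANT_AFTER = timedelta(days=90)  # assumed policy threshold, not from the article

class PrivilegeBroker:
    """Hypothetical JIT broker: time-boxed grants, dormant blocking, audit trail."""

    def __init__(self, last_login):
        self.last_login = last_login  # account -> last login time
        self.grants = {}              # (account, role) -> expiry time
        self.audit = []               # every request and expiry, approved or not

    def _log(self, now, account, role, decision, reason):
        self.audit.append({"time": now.isoformat(), "account": account,
                           "role": role, "decision": decision, "reason": reason})

    def request(self, account, role, minutes, reason, now):
        # Dormant or unknown accounts never receive privileges, but the
        # attempt is still recorded so auditors can see it.
        seen = self.last_login.get(account)
        if seen is None or now - seen > DORMANT_AFTER:
            self._log(now, account, role, "denied", "dormant or unknown account")
            return False
        self.grants[(account, role)] = now + timedelta(minutes=minutes)
        self._log(now, account, role, "granted", reason)
        return True

    def is_allowed(self, account, role, now):
        # No standing privilege: access exists only inside the grant window.
        expiry = self.grants.get((account, role))
        if expiry is not None and now >= expiry:
            del self.grants[(account, role)]
            self._log(now, account, role, "expired", "grant window elapsed")
            expiry = None
        return expiry is not None

def demo():
    # Constructed sample data: one active admin, one long-idle service account.
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    broker = PrivilegeBroker({"alice": t0 - timedelta(days=2),
                              "svc-legacy": t0 - timedelta(days=200)})
    results = [
        broker.request("alice", "db-admin", 30, "schema migration", t0),
        broker.is_allowed("alice", "db-admin", t0 + timedelta(minutes=10)),
        broker.is_allowed("alice", "db-admin", t0 + timedelta(minutes=45)),
        broker.request("svc-legacy", "db-admin", 30, "unspecified", t0),
    ]
    return results, [e["decision"] for e in broker.audit]

if __name__ == "__main__":
    print(demo())
```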

DeSeMa offers a suite of consulting and professional services surrounding PIM and PAM. We help organizations develop a privileged account management strategy, define and implement privileged access policies, and implement tools that enhance privileged access security while increasing operational efficiency. Predefined policies and an established access structure reduce IT overhead and simplify compliance reporting.

PIM and PAM are two essential components of securing privileged credentials. DeSeMa can help you leverage these techniques to improve your security posture.