IAM and PAM dilemma!!!

Dinali Rosemin Dabarera
4 min read · Aug 26, 2020


IAM (Identity and Access Management) and PAM (Privileged Access Management) sound similar at first glance, but they are two different control surfaces for user access.

IAM is the front door: it controls the access of general users, from customers to employees, across multiple applications. PAM is the management or back door: it controls the privileged accounts that administer a system or grant elevated access within it, such as root (Linux, Unix), Administrator (Windows), database sysadmin accounts, infrastructure accounts (firewalls, routers, VMs), embedded accounts and service accounts.

How are PAM and IAM different?

Risk

In terms of risk, PAM (the back door) is the most exposed surface: 80% of breaches involve compromised privileged credentials. Privileged accounts are at far higher risk than general user accounts, because attackers want to take them over to gain key administrative functions and access to other applications.

PAM protects users with privileged access to sensitive data, whereas IAM deals with everyday business data.

Scope

The IAM domain has a much larger scope than PAM. IAM manages all general user identities across applications from on-premises to SaaS and covers the general business use cases. IAM also has a large ecosystem of protocols and authentication mechanisms for securing identities.

PAM, by contrast, manages access through the control, storage, segregation and tracking of all privileged credentials. Its scope is narrower: fewer standard protocols and a smaller area of control.

An organization therefore needs control over both PAM and IAM, but of the two, PAM comes first.

It’s always ‘PAM’ before ‘IAM’, to protect the ‘I’ in IAM.

PAM features that are not offered by IAM

  • Password vault: management and protection of critical credentials, combined with session monitoring.
  • Usage limit: restricting account usage to a specific time window or to the extent of a given approval.
  • Discovery: auto-discovery of privileged credentials that may exist on the system without the administrator’s knowledge.
  • Visibility: a view of what happens when access is requested, approved and performed.
  • Audit: recording evidence of accesses, whether performed correctly or not.

In short, there is some overlap between PAM and IAM. PAM focuses on privileged user access; IAM is concerned with authenticating and authorizing any user who needs access to a system. PAM is designed to be closed on purpose, while IAM is designed with openness in mind. PAM supports Lightweight Directory Access Protocol (LDAP) and SAML standards, but PAM does not use security assertions or third-party authorization standards; they are neither needed nor wanted in PAM.

Why do you need PAM and IAM together?

PAM and IAM are two of the most important components of a system. If your organization has all of the following requirements, you need a PAM + IAM solution integrated into your system.

  • Many servers, databases and privileged accounts to be maintained and audited: PAM
  • Keeping track of service-account passwords: PAM
  • Providing least privilege to users: PAM
  • Maintaining many users and applications: IAM
  • Single sign-on and federation for applications via OpenID Connect and other standard protocols: IAM
  • Advanced authentication mechanisms such as adaptive authentication, MFA and biometrics: IAM (some PAM)
  • General user life-cycle management: IAM

The usual best practice is to implement the PAM solution first, followed by a complementary IAM solution.

This is because the IAM solution provides the following for your PAM solution:

  • Strong authentication for the PAM password vault.
  • Centralized, secure privileged access to the most sensitive resources via single sign-on.
  • Less password management thanks to single sign-on.
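
The following Python sketch is an added example, not code from the original post or from any PAM product. It models the PAM features listed earlier (password vault, usage limit, discovery, visibility and audit) behind an identity that an IAM/SSO layer has already authenticated, which is the point just above about IAM supplying strong authentication for the vault. The account names, secrets, approval window and the `amr` (authentication methods) claim are all constructed for illustration.

```python
"""Added example (not from the original post): a minimal model of a PAM vault
that releases privileged credentials only to an IAM-authenticated identity
with MFA, inside a time-boxed approval, and audits every decision.
All account names, secrets, tokens and approvals below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class IamIdentity:
    """What the IAM/SSO layer asserts about the caller (constructed shape)."""
    subject: str
    amr: tuple          # authentication methods used, e.g. ("pwd", "mfa")


@dataclass
class Approval:
    """A usage-limit grant: who may use which account, and during what window."""
    subject: str
    account: str
    not_before: datetime
    not_after: datetime


@dataclass
class Vault:
    secrets: dict                       # account -> credential (constructed)
    approvals: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def _record(self, subject, account, decision, reason, now):
        """Visibility and audit: every request outcome is written down."""
        self.audit.append({"time": now.isoformat(), "subject": subject,
                           "account": account, "decision": decision,
                           "reason": reason})

    def checkout(self, who: IamIdentity, account: str, now: datetime):
        """Release a privileged credential only when IAM proved MFA and a
        valid time-boxed approval exists; otherwise deny and log why."""
        if "mfa" not in who.amr:
            self._record(who.subject, account, "deny", "mfa-required", now)
            return None
        if account not in self.secrets:
            self._record(who.subject, account, "deny", "unknown-account", now)
            return None
        approved = any(a.subject == who.subject and a.account == account
                       and a.not_before <= now <= a.not_after
                       for a in self.approvals)
        if not approved:
            self._record(who.subject, account, "deny", "no-valid-approval", now)
            return None
        self._record(who.subject, account, "allow", "approved-window", now)
        return self.secrets[account]

    def discover_unmanaged(self, accounts_on_host):
        """Discovery: privileged accounts seen on a host but not vaulted."""
        return sorted(set(accounts_on_host) - set(self.secrets))


def demo():
    """Exercise the vault with constructed identities and return the outcomes."""
    t0 = datetime(2020, 8, 26, 9, 0)
    vault = Vault(secrets={"root@db01": "s3cr3t-example",
                           "svc-backup": "backup-example"})
    vault.approvals.append(Approval("alice", "root@db01", t0, t0 + timedelta(hours=2)))
    alice_mfa = IamIdentity("alice", ("pwd", "mfa"))
    alice_pwd_only = IamIdentity("alice", ("pwd",))
    return {
        "in_window": vault.checkout(alice_mfa, "root@db01", t0 + timedelta(minutes=30)),
        "after_window": vault.checkout(alice_mfa, "root@db01", t0 + timedelta(hours=3)),
        "no_mfa": vault.checkout(alice_pwd_only, "root@db01", t0),
        "unapproved_account": vault.checkout(alice_mfa, "svc-backup", t0),
        "unmanaged": vault.discover_unmanaged(["root@db01", "svc-backup", "svc-legacy"]),
        "audit_decisions": [e["decision"] for e in vault.audit],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The design choice worth noting is that the vault never authenticates users itself; it trusts the `amr` claim from IAM and only adds the privileged-specific controls (approval window, unknown-account check, audit trail), which is exactly the division of labour the post argues for.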

Individuals tend to protect their own local account better than their privileged accounts. With an integrated IAM + PAM solution, the local user can be provisioned into the PAM solution with his or her own credentials.

In conclusion, if your organization manages many privileged accounts and passwords alongside CIAM and workforce IAM capabilities, it is better to back your system with a good PAM solution integrated with an IAM solution, because PAM and IAM cover two different scopes.

Reference:

https://www.osirium.com/blog/privileged-access-management-and-identity-access-management

Dinali Rosemin Dabarera

Integration Consultant (IAM) @ Yenlo Nederland B.V, specialized in WSO2 IAM, an Identity Evangelist, a blogger, a nature lover, a backpacker