IAM and PAM dilemma !!!

IAM — Identity Access Management and PAM — Privileged Access Management, from the looks it sounds similar. But these are two different interfaces that control user access.

IAM is similar to the front door where you control access of general users from customers to employees on multiple applications. Whereas, PAM is the management/back door, where you control the access of the privileged accounts that allow administration of a System or provide higher levels of access within a system such as Root ( Linux, Unix), Administrator(Windows), DB sysadmins, Infrastructure accounts ( firewall, Routers, VMs), Embedded accounts, Service Accounts and etc.

How PAM and IAM is different?

Risk

When comparing the risk, PAM/back-door is the highest vulnerable surface where 80% of breaches involve compromised privileged credentials. Privilege accounts are at high risk compared to general user accounts. Because attackers want to take over privilege accounts in order to escalate key administrative functions and access to other applications.

PAM protects users with privileged access to sensitive data, whereas IAM deals with everyday business data.

Scope

IAM domain has a large scope when compared to PAM. IAM manages all general user identities along with different applications from On-prem to SaaS and maintains all the general business use cases. IAM also has a large eco-system of protocols and authentication mechanisms to secure identities.

Whereas, PAM manages access through the control, storage, segregation, and tracking of all privileged credentials, which is a limited scope. Limited standard protocols and limited area of control.

Therefore, for an organization, PAM and IAM are two important areas that they need to have control of. But out of them, PAM comes first.

It’s always ‘PAM’ before ‘IAM’, to protect the ‘I’ in IAM.

PAM features that are not offered by IAM

  • Password vault: management and protection of critical credentials through session monitoring.
  • Usage limit: Limiting account usage based on a specific time, or a certain approval extent.
  • Discovery: auto-discovery of privileged credentials that may be on the system without the administrator’s knowledge.
  • Visibility: view of what happens when an access is requested, approved, and performed.
  • Audit: recording of evidence from accesses performed correctly or not.

Simply there is some overlap between PAM and IAM. PAM is focused on privileged user access. IAM concerns authenticating and authorizing any user who needs access to a system. PAM as it is designed to be closed on purpose and IAM is designed with openness in mind. PAM supports Lightweight Directory Access Protocol (LDAP) and SAML standards. But PAM does not use security assertions or third party authorization standards. They are neither needed nor wanted in PAM.

Why you need PAM and IAM together ?

PAM and IAM are two most important components in a system. If your organization has all these requirements, then you need a PAM + IAM solution integrated to your system.

  • Lot of servers, databases and prevailed accounts to be maintained and audited — PAM
  • To keep remember passwords of service accounts — PAM
  • To provide least privilege to users — PAM
  • To maintain lot of users and applications — IAM
  • Single Sign On and federations for applications via OpenID connect and other standard protocols — IAM
  • Provide advance authentication mechanism like adaptive, MFA, bio metric — IAM (some PAM) .
  • General user life cycle management — IAM

The best practice in integration usually is PAM solution to be primarily implemented, followed by a complimentary IAM solution.

Because IAM solution will provide following for your PAM solution

  • Ensure strong authentication for PAM password vault.
  • Centralized secure privilege access to most sensitive resources via single sign on.
  • Reduce password management due to Single Sign On.

Individuals tend to protect their own local account compared to their privileged accounts. Hence through an IAM + PAM solution integration, the local user can be provisioned to the PAM solution with his or her own credentials.

In conclusion, it is clear that if you organization is managing lot of privileged accounts and passwords, along with other CIAM and Workforce IAM capabilities, better to back you system with a good PAM solution integrated to a IAM solution. Because PAM and IAM are two solutions that cover two different scopes.

reference:

https://www.osirium.com/blog/privileged-access-management-and-identity-access-management

--

--

--

Associate Lead Solutions Engineer @ WSO2, specialized in IAM, an Identity Evangelist, a blogger, a nature lover, a traveller

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Fix Windows 10 Error 809, L2TP/IPSec VPN

The Kickstarter event will be held on the MEXC exchange.

Bored Ape NFT company raises around $285 million of crypto in virtual land sale

2.3 Security

Known Open Source Vulnerabilities In Reusable Software Components: The Golden Goose For Hackers…

Free Custom Email Address

{UPDATE} Pen Run Hack Free Resources Generator

10 Web3 Terms For Beginners And What They Mean.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Dinali Rosemin Dabarera

Dinali Rosemin Dabarera

Associate Lead Solutions Engineer @ WSO2, specialized in IAM, an Identity Evangelist, a blogger, a nature lover, a traveller

More from Medium

SPLK-2003 Practice Test Questions — Splunk SOAR Certified Automation Developer

How to use AWS EFS Service with 2 instence....

AWS Sessions Manager as tunnel to SSH/WinSCP without port 22.

Run-Time Vulnerability Prevention using Red Hat Advanced Cluster Security for Kubernetes