
Thycotic PAM Glossary

Learn about Privileged Account Management and Cyber Security

  • A

      Application to Application Password Management (AAPM)

      Privileged account passwords aren’t used only by people. They are also used by software applications that need to run scheduled tasks and services. Enterprise-class privileged account management solutions can give applications access to privileged accounts. This access is carefully controlled and logged. An audit trail is provided so you know exactly what application accessed a credential, and when. IT teams have a headache on their hands when they need to change privileged account passwords for security reasons because they must then update all applications using those passwords so the application doesn’t break. This manual process is time consuming and error prone. Privileged account management software should be able to automatically update applications with the new password or use APIs to let the applications retrieve passwords dynamically.

  • C

      Chief Information Security Officer (CISO)

      A Chief Information Security Officer, CISO, is by definition the senior-level executive responsible for overall information security within the organization. The CISO is generally a member of the executive team, and is responsible for maintaining strategy and execution related to protecting information, infrastructure and technology. The CISO may work closely with the CTO (Chief Technology Officer) and CIO (Chief Information Officer). Part of a CISO’s responsibility is preventing and mitigating a breach of corporate infrastructure, with a heavy emphasis on prevent, protect, and defend. Teams that manage privileged accounts and associated solutions like vulnerability testing, incident response, least privilege management, and security compliance policies tend to report to a central CISO.

      Cloud Computing Security

      The practice of safeguarding data assets and access for cloud-based applications, services, and more from cyber-attacks and insider abuse is referred to as cloud computing security, or cloud security. When organizations move to a cloud-first or hybrid cloud computing environment, their user credentials become prime targets for attackers. Cloud security helps these users gain secure access to the cloud while remaining productive.

  • D

      Defense-in-Depth (DiD)

      Defense-in-depth cyber security is the strategy of layering different controls to create a robust and redundant security system. When there are multiple layers of defense for endpoints, each layer offers a different type of security, which will protect the endpoint even if one or more of the controls fails. This approach minimizes the risk of a single point of failure and is often used to address a variety of possible vulnerabilities across the range of physical, technical, and administrative layers.

  • E

      Endpoint Detection and Response (EDR)

      Originally known as Endpoint Threat Detection and Response (ETDR), Endpoint Detection and Response addresses the need for continuous monitoring and response to advanced threats, with a focus on detecting, investigating, and mitigating suspicious activities and issues on hosts and endpoints. EDR looks deep into your system and records and analyzes ALL activity.

      Endpoint Privilege Management (EPM)

      Endpoint Privilege Management eliminates risks on the endpoint by using a combination of least privilege (users get ONLY the access they need) and application control (unauthorized applications are restricted or blocked). EPM ensures that end users run trusted applications with the lowest possible privilege, and determines whether an application can run, and how (under what privilege conditions) it can run. EPM enables organizations to block and contain attacks on desktops, laptops and servers thereby reducing the risk of information being stolen or encrypted, and held for ransom.

      Endpoint Protection Platform (EPP)

      An Endpoint Protection Platform (EPP) is a set of software tools that combine endpoint device security functionality into one software product. EPP core functionality includes protecting the endpoint device from viruses, spyware, phishing and unauthorized access, but may also include a personal firewall, data protection features such as disk and file encryption, data loss prevention, and device control. Advanced EPP solutions can integrate with vulnerability, patch and configuration management capabilities. An EPP is primarily designed for protecting endpoint devices in an enterprise IT environment.

  • I

      Identity and Access Management (IAM)

      Privileged Access Management (PAM), Privileged Identity Management (PIM), and Privileged Session Management (PSM) all fall under the discipline known as identity and access management (IAM). Analyst firm Gartner defines IAM as "the security discipline that enables the right individuals to access the right resources at the correct times for the right reasons." With IAM, you can create and manage identities for your organization's users and govern the access they should have.

      Identity as a Service (IDaaS)

      Identity as a Service is a SaaS-based offering that provides both identity authentication and access controls to secure access to both cloud and on-premise infrastructure and applications. The goal of an IDaaS is to ensure users are who they claim to be and to give them appropriate access to software applications, files, or other resources at the right times. IDaaS leverages authentication techniques such as single sign-on (SSO), multi-factor authentication (MFA), user directory bridges, and federated access to streamline the login experience and govern access to the appropriate resources.

      Identity Governance and Administration (IGA)

      Identity governance and administration is a process designed to help reduce risk and manage digital identities, both human and non-human, and entitlements across services, servers, and applications.

      Identity Lifecycle Management (ILM)

      Identity lifecycle management governs the entire span of an identity’s requirement to access critical business data, applications, and tools in order to effectively perform their tasks and accomplish business objectives.

  • J

      Just-in-Time (access)

      Just-in-time access is a fundamental security practice where the privilege granted to access applications or systems is limited to predetermined periods of time, on an as-needed basis.
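The time-bounded grant described in the entry above, as an added illustration (this is not Thycotic product code; the approval workflow and the vault a real PAM tool would call are omitted, and the user, host and privilege names are constructed):

```python
"""Just-in-time access: a privilege grant is bound to a time window and
re-checked on every use.  Added illustration, not Thycotic product code;
the approval workflow and the vault a PAM tool would call are left out."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class JitGrant:
    user: str
    target: str          # system or application the grant applies to
    privilege: str       # constructed labels such as "local-admin" or "sudo"
    granted_at: datetime
    expires_at: datetime
    reason: str


class JitBroker:
    """Issues time-boxed grants and decides at use time whether one is still valid."""

    def __init__(self, max_duration: timedelta = timedelta(hours=1)):
        self.max_duration = max_duration      # policy ceiling for any single grant
        self.grants: List[JitGrant] = []
        self.audit: List[str] = []            # who/what/when, for the review trail

    def request(self, user: str, target: str, privilege: str,
                duration: timedelta, reason: str,
                now: Optional[datetime] = None) -> JitGrant:
        now = now or datetime.now(timezone.utc)
        # The requester may ask for longer, but the policy ceiling wins.
        duration = min(duration, self.max_duration)
        grant = JitGrant(user, target, privilege, now, now + duration, reason)
        self.grants.append(grant)
        self.audit.append(f"{now.isoformat()} GRANT {user} {privilege}@{target} "
                          f"until {grant.expires_at.isoformat()} reason={reason!r}")
        return grant

    def is_allowed(self, user: str, target: str, privilege: str,
                   now: Optional[datetime] = None) -> bool:
        """Deny by default: only an unexpired, unrevoked grant for exactly
        this user/target/privilege permits the action."""
        now = now or datetime.now(timezone.utc)
        for g in self.grants:
            if (g.user, g.target, g.privilege) == (user, target, privilege) \
                    and g.granted_at <= now < g.expires_at:
                self.audit.append(f"{now.isoformat()} ALLOW {user} {privilege}@{target}")
                return True
        self.audit.append(f"{now.isoformat()} DENY {user} {privilege}@{target}")
        return False

    def revoke(self, user: str, target: str, privilege: str,
               now: Optional[datetime] = None) -> int:
        """End matching grants early (task finished, or an incident is under
        way).  Returns how many grants were cut short."""
        now = now or datetime.now(timezone.utc)
        cut = 0
        for g in self.grants:
            if (g.user, g.target, g.privilege) == (user, target, privilege) \
                    and g.expires_at > now:
                g.expires_at = now
                cut += 1
        self.audit.append(f"{now.isoformat()} REVOKE {user} {privilege}@{target} count={cut}")
        return cut


def demo() -> dict:
    """Walk through one grant lifecycle with a fixed clock (constructed data)."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    broker = JitBroker(max_duration=timedelta(hours=1))
    broker.request("alice", "db-prod-01", "local-admin", timedelta(minutes=30),
                   "change ticket CHG-0001 (constructed)", now=t0)
    ten_min = t0 + timedelta(minutes=10)
    return {
        "during_window": broker.is_allowed("alice", "db-prod-01", "local-admin", now=ten_min),
        "after_expiry": broker.is_allowed("alice", "db-prod-01", "local-admin",
                                          now=t0 + timedelta(minutes=31)),
        "other_host": broker.is_allowed("alice", "db-prod-02", "local-admin", now=ten_min),
        "other_user": broker.is_allowed("bob", "db-prod-01", "local-admin", now=ten_min),
    }


if __name__ == "__main__":
    print(demo())
```

The check runs on every use rather than once at grant time, so a grant that has lapsed or been revoked is refused even if the session that obtained it is still open; the audit list is what a reviewer would later reconcile against the change ticket.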

  • L

      Least Privilege

      Least privilege means granting only the minimum permissions required by an end-user, application, service, task or system to perform the jobs they have been assigned. By preventing over-privileged access, it helps prevent the risk of exploitation should user credentials get compromised.

  • M

      Multi-Factor Authentication (MFA)

      Multi-factor authentication is a characteristic of an authentication service that requires more than one authentication factor for successful authentication. It requires at least two (and possibly more) of the following factors: something you know (like a password), something you have (like a token), and something you are (like your fingerprint).

  • P

      Pass-the-Hash Attack (PtH)

      Passwords should never be stored on a system “in the clear,” so the actual password text is run through a one-way hash function before it’s stored. The stored result is called the hash. An attacker who has compromised a system could steal the hashed version of a password and present it directly to access whatever that credential unlocks, without ever knowing the original password.

      Privilege Elevation and Delegation (PEDM)

      In Gartner’s most recent Privileged Access Management Market Guide they changed terminology from SUPM to Privilege Elevation and Delegation Management (PEDM). They mean the same thing.

      Privileged Access Governance (PAG)

      Privileged access governance ensures that, after access has been granted, users and privileged accounts only retain least privilege access commensurate with their current needs. Some processes commonly associated with PAG are: automated account provisioning; automated deprovisioning when roles, systems and needs change; approval processes to ensure those people and systems requesting access should rightfully be granted it; a review and attestation/recertification process to ensure roles and permissions remain current.

      Privileged Access Management (PAM)

      Gartner defines privileged access management as managing privileged passwords and delegating privileged actions. It’s a broader category than privileged account management because it includes both privileged account management and privileged session management. It concerns who can access a privileged account and what they can do once logged in with that privileged account.

      Privileged Access Management as a Service (PAMaaS)

      In a PAMaaS model, your PAM software is deployed in the cloud. Instead of incurring the expense and resources of installing PAM on premise, you can rely on your PAM vendor to manage hosting and updates. In a fully outsourced PAMaaS model, a third-party vendor provides managed services to create, manage and monitor activity on your privileged accounts.

      Privileged Access Workstations (PAWs)

      A Privileged Access Workstation (PAW), also known as a Secure Access Workstation (SAW), is a dedicated operating system used for the sole purpose of securely accessing privileged accounts and resources. The goal is to insulate the workstation from Web-based attacks and other threats. PAWs require privileged users to operate with one operating system for day-to-day corporate tasks and another OS for privileged use.

      Privileged Account

      A privileged account is a login credential to a server, firewall, or other administrative account. Often, privileged accounts are referred to as admin accounts. Your Local Windows Admin accounts and Domain Admin accounts are examples of admin accounts. Other examples are Unix root accounts, Cisco enable, etc. When we talk about privileged accounts we’re talking about the actual username and password; these two things together make up the account. A privileged account is allowed to do more things (i.e. it has more privileges) than a normal account. Privileged accounts are doorways to an organization’s “kingdom”—the place where sensitive information is stored—and as such they need to be very secure. Examples of sensitive information include medical records, credit card details, social security numbers, government files, and more.

      Privileged Account and Session Management (PASM)

      Privileged account and session management is the same as privileged access management. It specifically includes shared account and password management, privileged session management, and can include application-to-application password management.

      Privileged Account Management (PAM)

      Privileged account management is the process of using software to control who gets the “keys to the kingdom.” In other words: Who can unlock a door, enter, and affect what’s inside? Who can use a privileged account and access a sensitive server, adjust permissions, make backdoor accounts, or change or delete critical data?

      Privileged Identity Management (PIM)

      Privileged identity management refers to how people are given access to privilege. In technical terms, it is how people are provisioned into user accounts to give them access to a higher level of network privilege.

      Privileged Session Management (PSM)

      Privileged session management refers to managing what someone is allowed to do after they’ve logged in with a privileged account. There are several ways organizations use software to manage access on systems, or manage a server session. Session monitoring is a useful feature of privileged session management. It typically includes the ability to record videos of privileged sessions and log keystrokes of what’s typed. It even makes it possible for someone to review sessions live or shut the session down if the user is doing something harmful.

      Privileged User Management (PUM)

      Whereas PAM is a user-specific process in which users can request elevated access with their existing account, PUM is account-specific and involves the management of a system’s existing accounts, such as administrator, root, or other administrative service accounts. PUM is also referred to as PAM and PIM, but as you’ll learn from other definitions in our cyber dictionary—there are subtle differences. PUM accounts are often shared, a second authentication factor is rarely added, and typically, authorized users access the PUM accounts by simply using passwords.

      PWN

      PWN is hacker jargon meaning to conquer or dominate. In the context of online security, Pwned often means that your account or system has been breached, and your passwords—user passwords or privileged passwords—have been compromised. The word originated in online gaming forums as a misspelling of “owned.”

  • R

      Remote Desktop Protocol (RDP)

      Remote Desktop Protocol is a protocol used for remote access to Windows machines. RDP transmits the screen output from the remote server to the client, and keyboard and mouse input from the client to the remote server.

      Robotic Process Automation (RPA)

      Robotic Process Automation is a type of Business Process Automation that helps organizations replace repetitive manual work with automation. RPA essentially creates a non-person account—a “bot”—that mimics the activities of a user. The bot accesses the user’s computer and interacts with various systems in the same manner a person would, using specific keystrokes to engage in two-way “conversations,” share and document information, launch programs, and run processes. Robots typically need privileged access to other computers, applications, files, a website, databases, etc. PAM best practices avoid the need to hard code credentials into scripts and give security teams visibility to accounts the robots access and privileged activities they perform.

      Role Based Access Control (RBAC)

      Role Based Access Control, or RBAC, is a process for limiting system access to authorized users, based on the permissions granted to that user by their role. Each role is assigned a set of permissions, and anyone assigned that role will inherit those permissions. Role Based Access Control simplifies how access control and credentials are managed since access can be granted or revoked to a group of users sharing a similar role, rather than having to adjust each individual’s rights. Using RBAC is a quick way to assign a new user permissions, while also ensuring that anyone assigned that role will have similar access. Users may also be assigned multiple roles, thereby inheriting all of the permissions associated with each role.
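The role-to-permission model described in the entry above, as an added illustration that is not Thycotic product code (role, permission and user names are constructed). It shows the three behaviours the entry names: a user's effective permissions are the union of all their roles, a revocation at the role level reaches every holder at once, and a user with no role gets nothing (deny by default, which is also the least privilege baseline):

```python
"""Role based access control: permissions attach to roles, users inherit the
union of their roles' permissions, and a change to a role reaches every
holder.  Added illustration, not Thycotic product code; names are constructed."""
from typing import Dict, FrozenSet, Iterable, Set


class Rbac:
    def __init__(self) -> None:
        self.role_perms: Dict[str, Set[str]] = {}   # role -> permissions
        self.user_roles: Dict[str, Set[str]] = {}   # user -> roles held

    def define_role(self, role: str, perms: Iterable[str]) -> None:
        self.role_perms[role] = set(perms)

    def assign(self, user: str, role: str) -> None:
        # Refuse unknown roles so a typo cannot silently create an empty or
        # unreviewed role.
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def unassign(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    def grant_to_role(self, role: str, perm: str) -> None:
        self.role_perms[role].add(perm)

    def revoke_from_role(self, role: str, perm: str) -> None:
        # Every user holding the role loses the permission at once.
        self.role_perms[role].discard(perm)

    def permissions(self, user: str) -> FrozenSet[str]:
        """Effective permissions: union over the user's roles.  A user with
        no role gets the empty set (deny by default)."""
        perms: Set[str] = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.role_perms.get(role, set())
        return frozenset(perms)

    def can(self, user: str, perm: str) -> bool:
        return perm in self.permissions(user)


def build_sample() -> Rbac:
    """Constructed roles and users for the walkthrough."""
    r = Rbac()
    r.define_role("dba", {"db:read", "db:backup", "db:alter-schema"})
    r.define_role("auditor", {"db:read", "logs:read"})
    r.define_role("helpdesk", {"user:reset-password"})
    r.assign("alice", "dba")
    r.assign("alice", "auditor")   # two roles: alice gets the union of both
    r.assign("bob", "dba")
    r.assign("carol", "helpdesk")
    return r


def demo() -> dict:
    r = build_sample()
    before = sorted(r.permissions("alice"))
    # One change at the role level; both dba holders (alice, bob) lose it.
    r.revoke_from_role("dba", "db:alter-schema")
    return {
        "alice_before": before,
        "alice_after": sorted(r.permissions("alice")),
        "bob_can_alter": r.can("bob", "db:alter-schema"),
        "carol_can_read_db": r.can("carol", "db:read"),
        "unknown_user": sorted(r.permissions("dave")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Because permissions are never attached to a user directly, an access review only has to examine the role definitions and the role membership lists, which is what makes revocation and onboarding a single operation rather than a per-user audit.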

  • S

      Secure Shell (SSH)

      Secure Shell protocol, or SSH, is a way to operate network services in a secure manner over an unsecured network. It’s also used to establish a secure connection between computers, and includes robust authentication and encryption to ensure secure end-to-end data transmission.

      Security as a Service (SaaS / SecaaS)

      Infrastructure specialists are in short supply and in high demand. Many organizations, rather than field a team of security specialists to maintain an in-house network security infrastructure, are choosing to integrate hosted security solutions. This business model is known as security as a service, and is abbreviated as SaaS or SecaaS. An organization will work directly with a vendor who provides a full suite of managed cloud computing services, such as PAM or IAM platforms.

      Security Assertion Markup Language (SAML)

      Security Assertion Markup Language, or SAML, is used to exchange authentication and authorization data between parties, such as between a service provider and an identity management system. SAML is an open standard developed to promote interoperability across systems, and is commonly used for Single Sign On (SSO) within web browsers and applications.

      Security Information and Event Management (SIEM)

      Security Information and Event Management systems are used to manage critical assets including software applications. These systems can be integrated into application control systems as part of privilege management, for example software applications in a SIEM system could be used to build a whitelist.

      Self-Service Password Reset (SSPR)

      Self-Service Password Reset, or SSPR, is a process and feature set which allows a user to manage their passwords and credentials without the need for third-party intervention or a helpdesk. SSPR is often used to recover or reset lost passwords. An effective SSPR solution offers many benefits, ranging from time-savings for those who need to manage their passwords, to the cost-savings of fewer helpdesk calls, to a more secure overall process that requires fewer intermediaries or weak links.

      Service Account Governance (SAG)

      Service Account Governance, or SAG, is the combination of software tools, policies and workflow processes that ensure service accounts remain secure and accounted for. This includes assigning ownership, controlling access to service account passwords, ensuring strong password strength across all accounts, and understanding which applications are dependent on each service account (so changing a service account privilege password does not result in a broken connection). SAG is a critical yet often overlooked part of the privileged account management process.

      Shared Account Password Management (SAPM)

      Shared account password management is the same as privileged account management, but it can be problematic. For simplicity, many IT teams sidestep best practice and create one privileged account per server, or even one username and password to use for multiple privileged accounts. These are shared accounts. The problem with sharing accounts is that you never know precisely who is using them at any given time. So if you have a server failure, you cannot tell who logged in before the system went down.

      Single Sign On (SSO)

      With single sign on, a central domain performs user authentication and then shares the authenticated session with other domains. This provides a seamless authentication experience for users of applications and services that share the authenticated session. SSO reduces burden because users authenticate once and then use SSO to access multiple applications. SSO can also improve security, because it reduces the risk of compromised user credentials for each separate application.

      Software Change and Configuration Management (SCCM)

      Gartner defines Software Change and Configuration Management as the implementation of a set of disciplines used to stabilize, track and control the versions and configurations of a set of software items using tools designed for this purpose. SCCM may include development change management, defect tracking, change automation, development release management, integrated test management, integrated build management and other related processes. SCCM tools are designed to support version and configuration management of software source code and supporting artifacts.

      SuperUser Privilege Management (SUPM)

      On Unix systems, superusers are users who gain privileged access for a limited period of time. Unix allows certain users to elevate their privilege to superuser status for a specific task, and when they’ve completed their task they revert to being a standard user. Superuser privilege management controls when users are allowed to elevate to superuser status, and what commands they can run in superuser mode.

  • U

      User Account Control (UAC)

      User Account Control is a security feature of Microsoft Windows which helps prevent unauthorized changes (which may be initiated by applications, users, viruses or other forms of malware) to an operating system. UAC improves the security of Windows by limiting application software to standard user privileges until an administrator authorizes an increase or elevation.

      User and Entity Behavioral Analytics (UEBA)

      User and Entity Behavior Analytics is the use of sophisticated algorithms to create a baseline for the activity of entities such as users, apps, devices, servers, etc. Once baseline behavior is established, an organization can calculate its risk based on deviations from the baselines in order to identify security anomalies. UEBA profiles entities other than users as well, in order to pinpoint threats more accurately, in part by comparing the behavior of these other entities with user behavior. UEBA software correlates user activity with that of other entities such as managed and unmanaged endpoints, applications and networks, and also with external threats.

  • V

      Vendor Privileged Access Management (VPAM)

      Vendors, such as third-party service providers, often need temporary access to sensitive systems. Vendor Privileged Access Management, or VPAM, is a tool which provides least privilege access for employees of a vendor, while also keeping track of what each of those individuals does with that access. When the vendor, or an individual employed by the vendor, no longer needs access, VPAM systems simplify the process of restricting or removing each user’s access.

  • W

      Web Access Management (WAM)

      Web access management is a form of access control governance specific to web resources and typically provides authentication, authorization, and audit and reporting services. A related control, the Cloud Access Security Broker (CASB), is used to monitor cloud-related activity and apply security, compliance, and governance rules to cloud-based resources.