PAM vs. PIM vs. IAM
What do all those acronyms mean?
Looking to learn more about Privileged Access Management and Cyber Security?
If access management jargon leaves you perplexed, you’re not alone
We know this because we are so often asked to explain the difference between PIM, PAM and IAM—privileged identity management, privileged access management and identity and access management. People also ask if privileged access management and privileged account management—both PAM—are the same thing. Or are they just similar?
So, we created a glossary of these acronyms, and more, and below we clarify how the meaning of these phrases differ and factor into an organization’s cyber security setup.
So, what is PAM vs PIM vs IAM?
And what makes these acronyms so confusing?
PAM, PIM, IAM and other access management acronyms are related to the same thing: solutions to secure your sensitive assets. These terms are about safeguarding data and systems by managing who has access and what they’re allowed to see and do. You’ll notice that several definitions overlap a little, so people are inclined to use them as if they were fully interchangeable—and this creates confusion.
Many of these acronyms include the words “privilege” and “privileged.” What’s the difference?
Privilege:
“Privilege” is the authority to make changes to a network or computer. Both people and accounts can have privileges, and both can have different levels of privilege.
For example, a senior IT administrator or “super user” may be able to configure servers, firewalls, and cloud storage, and has a high level of privilege. A sales rep, however, should be able to use some systems—by logging into laptops and accessing sales data, for instance—but they shouldn’t be able to change network settings, permissions, or download software unless it’s on an approved list.
Picture all the people who have different levels of access on the network of a single organization: the Unix administrator can access Unix systems; the Windows admins manage Windows systems; Help Desk staff can configure printers, etc. Add to that all the accounts required to log into those systems and you can quickly imagine the thousands upon thousands of privileges within an organization.
What is the meaning of “privileged access?”
Briefly, it’s definitive, authorized access of a user, process, or computer to a protected resource.
Privileged Access Management, therefore, encompasses a broader realm than Privileged Account Management, focused on the special requirements for managing those powerful accounts within the IT infrastructure of an organization. It also consists of the cyber security strategies and technologies for exerting control over the elevated access and permissions for users, accounts, processes, and systems across an IT environment.
Also incorporated under Privileged Access Management is how the account is being protected. For example, access workflows, two-factor/multi-factor authentication, session recording, and launching are critical elements of a comprehensive Privileged Access Management strategy.
Privileged:
“Privileged” is an adjective that describes things with privilege (e.g. privileged account, privileged identity).
When someone says, “That account has privilege,” they mean it has a higher level of access and permissions than a standard account. One could also say, “That is a privileged account.”
In the example of the administrator role, although the admin has a certain level of privilege he or she still needs a privileged account in order to perform privileged tasks.
What is Privilege Management vs. Privileged Access Management vs. Privileged Account Management
You’ll often hear the words “privilege” and “privileged” used in context with “management.” Privilege Management refers to the process of managing who or what has privileges on the network.
This is different from privileged account management, which refers to the task of managing the actual accounts that have already been given privileges.
We always say privileged accounts are the keys to the kingdom. They provide access to a company’s most critical information.
A privileged account can be human or non-human. These accounts exist to allow IT professionals to manage applications, software and server hardware. They also provide administrative or specialized levels of access based on higher levels of permissions that are shared. The typical user of a privileged account is a system administrator responsible for managing an environment or an IT administrator of specific software or hardware.
Related Reading:
The Evolution from Password Managers to Privileged Access Management. Which is right for you?
Privileged Identity Management (PIM) and identity-centric security controls
Identity Management vs. Privilege Management
The domain of Privilege Management is generally accepted as a sub-set of Identity and Access Management (IAM). However, identity and privilege are inextricably linked. As Privilege Management and Privileged Identity Management solutions become more sophisticated, the lines continue to blur. In many organizations, the same team security or IT operations group is responsible for both Privilege Management and Privileged Identity Management tools, policies, and monitoring.
Privileged Identity Management assumes that every user is a privileged user. Identity refers to users. You, your boss, the IT admin, and the HR person are only a handful of examples of people who may be entitled for accessing, creating, updating, or deleting privileged content.
A core objective of IAM is to have one digital identity per individual, even if that individual accesses many types of accounts. Once that digital identity has been established, it must be maintained, modified, and monitored.
Privilege Management, as a part of IAM, manages entitlements, not only for users but also for privileged accounts such as administrative or service accounts. PAM tools, unlike IAM tools or password managers, protect and manage all privileged accounts. Mature PAM solutions go even further than simple password generation and access control to individual systems. They also provide a unified, robust, and—importantly—transparent platform integrated into an organization’s overall Identity and Access Management (IAM) strategy.
What other privileged access terminology should I be aware of?
Software companies are removing racially biased language from their products and other materials. New terms have replaced the application control terms: whitelisting, blacklisting, and greylisting.
- Whitelisting is now allow or allowlist
- Blacklisting is now deny or denylist
- Greylisting is now restrict or restrictlist
What are the top risks of having unknown or unmanaged privileged accounts?
A privileged account that is unknown is an account that has been forgotten and lost in the system. Virtually all organizations have some unknown accounts and some have thousands. Accounts become unknown for many reasons:
- An employee leaves and the account is simply abandoned.
- The account is utilized less and less until it becomes obsolete and forgotten.
- Default accounts for new devices are not utilized.
Every unknown account increases your vulnerability and presents an opportunity for an intrusion.
Here are a few things that could happen:
- An employee finds the account and uses it to perform unauthorized tasks.
- An ex-employee continues to access the account.
- A hacker finds the account and penetrates your organization, steals information, and wreaks untold havoc.
How does PAM software thwart hackers and other external threats?
Effective PAM solutions employ numerous features to lock down privileged access and thwart cyber attacks. They can discover privileged accounts across your organization and import them into a secure, encrypted repository—a password vault. Once all privileged credentials are inside, the solution can manage sessions, passwords, and access automatically. Combine all this with features like hiding passwords from certain users, auto-rotating valuable passwords, recording sessions, auditing, and multi-factor authentication and you have a robust defense against external threats.
How does Privileged Access Management software protect organizations from internal threats?
PAM solutions contain multiple features to safeguard against internal threats. Audit trails and email alerts keep administrators informed of what’s going on in the environment. Session monitoring and recording increases visibility of privileged account activity. There are also permissions as well as role-based access controls to give users the access they need to do their jobs. Last but not least, there should be a feature to sever the access users had the moment they leave the organization.
Is my small business ready for enterprise-level Privileged Account Management software?
PAM is critical regardless the size of your business. Every organization needs privileged account management. Fortunately, there are free or inexpensive solutions that make it easy and affordable:
If your company has fewer than 25 users and under 250 passwords, you can manage them securely and professionally for free >
If your company has over 25 users or 250 passwords, you can securely manage them on-premises or in the cloud >
Finally, is there a checklist of things I should know before I purchase Privileged Access Management software?
Choosing the right PAM software for your organization is a task to be taken seriously. Research can be hard to do because even once you have your final contenders on a shortlist you’re still not comparing apples with apples.
Here’s a checklist of some important items to consider. We recommend calling vendors and asking questions before purchasing PAM software. Also, request a free trial to be sure your IT team will use it. Once you have a checkmark next to every item, you’re looking at software you’ll be happy with.
| Item | Things to Consider | Check |
| Fully scalable | Will the software scale up to meet your needs as your organization grows? | |
| Complete solution | Does the price include everything you need to truly lock down your privileged accounts in the manner most suitable for your organization? You should not have to navigate numerous add-ons for every little feature or pay later for additional functionality. Everything you need in a solution should start from Day One. | |
| Easy to install Fast to deploy |
Your IT admins will thank you for this. | |
| Simple to manage | Good PAM software makes your IT admin’s job easier not more complex. | |
| Well accepted by users | A high adoption rate among users results in better security across your organization. | |
| Excellent time to value | The solution should be swift, effective, and assist you with the kind of protection promised without having to establish any extended timelines. | |
| Affordable | Prices vary—a lot. View our charts to see how popular vendors compare price-wise. | |
| Feature Rich | Are new features added regularly to keep the software up to standard? Ask to view the features list. | |
| Top notch support | Support must be guaranteed from trial to purchase. The best vendors offer phone, email, knowledge base and forum support. | |
| Innovation and frequent updates | Attack vectors keeping increasing in number and complexity. The solution should be able to keep up. | |
| Customer responsiveness | You should have a say in the direction the solution is developed. |
Related Reading:
How to find your best match among Privileged Access Management Vendors
Privileged Access Management (an overview of PAM from the basics to becoming an expert)
If you’re concerned that your organization does not have a super-secure privileged access management system in place, please encourage your IT admin to try the free version of our PAM software.
At every stage of your PAM journey, we’re here to help
Ready to get started with Privileged Account Management?
Get the basics in place with Wiley’s PAM for Dummies
Want to take Privileged Account Management to the next level?
Get advanced tips in the Expert’s Guide to PAM
Ever wondered how privileged access management fits into your organization’s overall security strategy?
Your security strategy must account for many aspects of security in both real and digital environments: cyber security, network security, operational security, personnel security and physical security. Many people and systems are involved in making corporate security successful:
Cyber
|
Personnel
|
Network
|
Operational
|
Physical
|
