IAM, PIM and PAM:

What is Privileged Account Management (PAM)?
Privileged account management is the process of using software to control who gets the “keys to the kingdom.” In other words: Who can unlock a door, enter, and affect what’s inside? Who can use a privileged account and access a sensitive server, adjust permissions, make backdoor accounts, or change or delete critical data?

This can be done within a privileged account management tool. When you add users to your privileged account management software you are provisioning their user accounts (making them available for use); and while setting up those accounts within the PAM tool you are deciding what they will be able to access. Most organizations do not give full access to everyone within their PAM tool.Instead, they are allowed to see only privileged accounts related to their tasks. Many organizations add users to their PAM tools manually, but more sophisticated ones use an API to connect their privileged account management software to their identity and access management software. This way, when a new IT admin employee comes onboard, they are automatically set up as a privileged user with the correct level of access within the PAM tool.

Privileged account management includes managing the passwords of a privileged account. You can read about privileged password management a little further on.

What is Privileged Access Management (again, PAM)?
Gartner defines privileged access management as managing privileged passwords and delegating privileged actions. It’s a broader category than privileged account management because it includes both privileged account management and privileged session management. It concerns who can access a privileged account and what they can do once logged in with that privileged account.

What is Privileged Account and Session Management (PASM)?
Privileged account and session management is the same as privileged access management. It specifically includes shared account and password management, privileged session management, and can include application-to-application password management.

What is Shared Account Password Management (SAPM)?
Shared account password management is the same as privileged account management, but it can be problematic. For simplicity, many IT teams sidestep best practice and create one privileged account per server, or even one username and password to use for multiple privileged accounts. These are shared accounts. The problem with sharing accounts is that you never know precisely who is using them at any given time. So if you have a server failure, you cannot tell who logged in before the system went down.

What is Application-to-Application Password Management (AAPM)?
Privileged account passwords aren’t used only by people. They are also used by software applications that need to run scheduled tasks and services. Enterprise-class privileged account management solutions can give applications access to privileged accounts. This access is carefully controlled and logged. An audit trail is provided so you know exactly what application accessed a credential, and when.

IT teams have a headache on their hands when they need to change privileged account passwords for security reasons because they must then update all applications using those passwords so the application doesn’t break. This manual process is time consuming and error prone. Privileged account management software should be able to automatically update applications with the new password or use APIs to let the applications retrieve passwords dynamically.

What is Superuser Privilege Management (SUPM)?
On Unix systems, superusers are users who gain privileged access for a limited period of time. Unix allows certain users to elevate their privilege to superuser status for a specific task, and when they’ve completed their task they revert to being a standard user. Superuser privilege management controls when users are allowed to elevate to superuser status, and what commands they can run in superuser mode.

Also sometimes listed under SUPM, is application and command whitelisting, blacklisting, and greylisting. This controls what Windows applications or Unix commands someone can run while logged into a server or device as an administrator or superuser. Whitelisting means you have a list of approved commands, and anything on that list can be used. If it’s not on the list, it won’t work. Blacklisting is the opposite. It’s where users can do anything they want, as long as it is not on the blacklist. Greylisting is more flexible. It often includes integrations into lists of known risks, or the ability to review and approve requested application elevation on the fly. Application whitelisting, blacklisting, and greylisting is also frequently referred to under the categories of Application Control or Privilege Elevation.

What is Privilege Elevation and Delegation (PEDM)?
In Gartner’s most recent Privileged Access Management Market Guide they changed terminology from SUPM to Privilege Elevation and Delegation (PEDM). They mean the same thing.

What is Privileged Session Management (PSM)?
Privileged session management refers to managing what someone is allowed to do after they’ve logged in with a privileged account. There are several ways organizations use software to manage access on systems, or manage a server session.

Session Monitoring is a useful feature of privileged session management. It typically includes the ability to record videos of privileged sessions and log keystrokes of what’s typed. It even makes it possible for someone to review sessions live or shut the session down if the user is doing something harmful.

What is Privileged Identity Management (PIM)?
Privileged identity management refers to how people are given access to privilege. In technical terms, it is how people are provisioned into user accounts to give them access to a higher level of network privilege.

What is a Privileged Account?
A privileged account is a login credential to a server, firewall, or other administrative account. Often, privileged accounts are referred to as admin accounts. Your Local Windows Admin accounts and Domain Admin accounts are examples of admin accounts. Other examples are Unix root accounts, Cisco enable, etc.

When we talk about privileged accounts we’re talking about the actual username and password; these two things together make up the account. A privileged account is allowed to do more things (i.e. it has more privileges) than a normal account.

Privileged accounts are doorways to an organization’s “kingdom”—the place where sensitive information is stored—and as such they need to be very secure. Examples of sensitive information include medical records, credit card details, social security numbers, government files, and more.

What is a Privileged Identity?
Within an organization “identities” are essentially digital versions of real people or in other words, an account used by a human. A privileged identity is when an identity has been granted access to sensitive systems, data, etc.

What is Privileged Password Management?
Privileged passwords are passwords used to access privileged accounts. Privileged password management is the same as privileged account management. Both refer to the practice of protecting privileged accounts, managing them, sharing them, and being accountable for them. Privileged account management software not only controls who can access the account itself, but also manages the account’s password according to customized policies, such as automatically generating strong passwords, changing passwords on a schedule, and even automatically changing privileged account passwords with a single click. This enables you to limit your organization’s vulnerability risk when an employee or contractor leaves.

What is Identity and Access Management (IAM)?
PAM, PIM and PSM all fall under the discipline known as IAM, or identity and access management. IAM as defined by Gartner is: The security discipline that enables the right individuals to access the right resources at the right times for the right reasons. With IAM you can create and manage identities for the human users in your organization and furthermore, the access they should have.

Some of your users, like your IT administrators, will receive privileged identities—identities that are given higher levels of access on the network—while your sales team and other employees will receive standard user identities that do not allow them to customize network settings, access servers, or use any sort of network privilege.