PIM vs. PAM vs. IAM 

What is Application-to-Application Password Management (AAPM)?
Privileged account passwords aren’t used only by people. They are also used by software applications that need to run scheduled tasks and services. Enterprise-class privileged account management solutions can give applications access to privileged accounts. This access is carefully controlled and logged. An audit trail is provided so you know exactly what application accessed a credential, and when.

IT teams have a headache on their hands when they need to change privileged account passwords for security reasons because they must then update all applications using those passwords so the application doesn’t break. This manual process is time consuming and error prone. Privileged account management software should be able to automatically update applications with the new password or use APIs to let the applications retrieve passwords dynamically.

What is a Chief Information Security Officer (CISO)?
A Chief Information Security Officer, CISO, is by definition the senior-level executive responsible for overall information security within the organization. The CISO is generally a member of the executive team, and is responsible for maintaining strategy and execution related to protecting information, infrastructure and technology. The CISO may work closely with the CTO (Chief Technology Officer) and CIO (Chief Information Officer). Part of a CISO’s responsibility is preventing and mitigating a breach of corporate infrastructure, with a heavy emphasis on prevent, protect, and defend. Teams that manage privileged accounts and associated solutions like vulnerability testing, incident response, least privilege management, and security compliance policies tend to report to a central CISO.

What is Endpoint Detection and Response (EDR)?
Originally known as Endpoint Threat Detection and Response (ETDR), Endpoint Detection and Response addresses the need for continuous monitoring and response to advanced threats, with a focus on detecting, investigating, and mitigating suspicious activities and issues on hosts and endpoints. EDR looks deep into your system and records and analyzes ALL activity.

What is Endpoint Privilege Management (EPM)?
Endpoint Privilege Management eliminates risks on the endpoint by using a combination of least privilege (users get ONLY the access they need) and application control (unauthorized applications are restricted or blocked). EPM ensures that end users run trusted applications with the lowest possible privilege, and determines whether an application can run, and how (under what privilege conditions) it can run. EPM enables organizations to block and contain attacks on desktops, laptops and servers thereby reducing the risk of information being stolen or encrypted, and held for ransom.

What is Endpoint Protection Platform (EPP)?
Also known as EPPs, an Endpoint Protection Platform is a set of software tools that combine endpoint device security functionality into one software product. EPP core functionality includes protecting the endpoint device from viruses, spyware, phishing and unauthorized access, but may also include a personal firewall, data protection features—such as disk and file encryption—data loss prevention, and device control. Advanced EPP solutions can integrate with vulnerability, patch and configuration management capabilities. An EPP is primarily designed for protecting endpoint devices in an enterprise IT environment.

What is Identity and Access Management (IAM)?
PAM, PIM and PSM all fall under the discipline known as IAM, or identity and access management. IAM as defined by Gartner is: The security discipline that enables the right individuals to access the right resources at the right times for the right reasons. With IAM you can create and manage identities for the human users in your organization and furthermore, the access they should have.

Some of your users, like your IT administrators, will receive privileged identities—identities that are given higher levels of access on the network—while your sales team and other employees will receive standard user identities that do not allow them to customize network settings, access servers, or use any sort of network privilege.

What is Least Privilege?
In a least privilege model, administrative accounts with elevated privileges are given only to people who really need them, when they need them. All others operate as general, everyday users with an appropriate set of privileges. A least privilege policy requires you to define the specific requirements for different users and systems. By limiting access and keeping most people on Standard User or Domain User accounts instead of Local Admin accounts, you protect your network from malware exploits.

What is Privileged Access Governance (PAG)?
Gartner defines privileged access governance as understanding and implementing appropriate privileged access management (PAM) access.

Privileged access governance goes beyond issuing credentials. It requires complete lifecycle management for all privileged users as well as service and application accounts. Most critically, it requires continually maintaining and updating privileged access and credentials.

Privileged access governance ensures that, after access has been granted, users and privileged accounts only retain least privilege access commensurate with their current needs. Some processes commonly associated with PAG are: automated account provisioning; automated deprovisioning when roles, systems and needs change; approval processes to ensure those people and systems requesting access should rightfully be granted it; a review and attestation/recertification process to ensure roles and permissions remain current.

What is Privileged Account Management (PAM)?
Privileged account management is the process of using software to control who gets the “keys to the kingdom.” In other words: Who can unlock a door, enter, and affect what’s inside? Who can use a privileged account and access a sensitive server, adjust permissions, make backdoor accounts, or change or delete critical data?

This can be done within a privileged account management tool. When you add users to your privileged account management software you are provisioning their user accounts (making them available for use); and while setting up those accounts within the PAM tool you are deciding what they will be able to access. Most organizations do not give full access to everyone within their PAM tool.Instead, they are allowed to see only privileged accounts related to their tasks. Many organizations add users to their PAM tools manually, but more sophisticated ones use an API to connect their privileged account management software to their identity and access management software. This way, when a new IT admin employee comes onboard, they are automatically set up as a privileged user with the correct level of access within the PAM tool.

Privileged account management includes managing the passwords of a privileged account. You can read about privileged password management a little further on.

What is Privileged Access Management (again, PAM)?
Gartner defines privileged access management as managing privileged passwords and delegating privileged actions. It’s a broader category than privileged account management because it includes both privileged account management and privileged session management. It concerns who can access a privileged account and what they can do once logged in with that privileged account.

What is Privileged Account and Session Management (PASM)?
Privileged account and session management is the same as privileged access management. It specifically includes shared account and password management, privileged session management, and can include application-to-application password management.

What is Privilege Elevation and Delegation (PEDM)?
In Gartner’s most recent Privileged Access Management Market Guide they changed terminology from SUPM to Privilege Elevation and Delegation (PEDM). They mean the same thing.

What is Privileged Identity Management (PIM)?
Privileged identity management refers to how people are given access to privilege. In technical terms, it is how people are provisioned into user accounts to give them access to a higher level of network privilege.

What is Privileged Session Management (PSM)?
Privileged session management refers to managing what someone is allowed to do after they’ve logged in with a privileged account. There are several ways organizations use software to manage access on systems, or manage a server session.

Session Monitoring is a useful feature of privileged session management. It typically includes the ability to record videos of privileged sessions and log keystrokes of what’s typed. It even makes it possible for someone to review sessions live or shut the session down if the user is doing something harmful.

What is a Pass-the-Hash-Attack (PtH)?
Passwords should never be stored on a system “in the clear,” so the actual password text is encrypted before it’s stored. The encrypted version of the password is called the hash. An attacker who has compromised a system could steal a hashed version of a password and use the hashed version to access whatever that credential unlocks, without ever knowing the original password.

Pass-the-Hash is a popular attack because it can be executed in less than a minute on a compromised machine, and the stolen hash can be used in place of the original password to grant access to sensitive systems. It’s especially dangerous when a privileged password hash is obtained.

What is Privileged User Management (PUM)?
Whereas PAM is a user-specific process in which users can request elevated access with their existing account, PUM is account-specific and involves the management of a system’s existing accounts, such as administrator, root, or other administrative service accounts. PUM is also referred to as PAM and PIM, but as you’ll learn from other definitions in our cyber dictionary—there are subtle differences. PUM accounts are often shared, a second authentication factor is rarely added, and typically, authorized users access the PUM accounts by simply using passwords.

What does PWN mean?
PWN is hacker jargon meaning to conquer or dominate. In the context of online security, Pwned often means that your account or system has been breached, and your passwords—user passwords or privileged passwords—have been compromised. The word originated in online gaming forums as a misspelling of “owned.”

Extra credit: How do you pronounce PWN? There is no single accepted pronunciation, but most frequently, it’s pronounced “pawn” (like the chess piece) or “pown” (rhymes with “own”).

How do you avoid getting Pwned? Consider implementing a PAM cyber security tool in your company.

What is a Privileged Account?
A privileged account is a login credential to a server, firewall, or other administrative account. Often, privileged accounts are referred to as admin accounts. Your Local Windows Admin accounts and Domain Admin accounts are examples of admin accounts. Other examples are Unix root accounts, Cisco enable, etc.

When we talk about privileged accounts we’re talking about the actual username and password; these two things together make up the account. A privileged account is allowed to do more things (i.e. it has more privileges) than a normal account.

Privileged accounts are doorways to an organization’s “kingdom”—the place where sensitive information is stored—and as such they need to be very secure. Examples of sensitive information include medical records, credit card details, social security numbers, government files, and more.

What is a Privileged Identity?
Within an organization “identities” are essentially digital versions of real people or in other words, an account used by a human. A privileged identity is when an identity has been granted access to sensitive systems, data, etc.

What is Privileged Password Management?
Privileged passwords are passwords used to access privileged accounts. Privileged password management is the same as privileged account management. Both refer to the practice of protecting privileged accounts, managing them, sharing them, and being accountable for them. Privileged account management software not only controls who can access the account itself, but also manages the account’s password according to customized policies, such as automatically generating strong passwords, changing passwords on a schedule, and even automatically changing privileged account passwords with a single click. This enables you to limit your organization’s vulnerability risk when an employee or contractor leaves.

What is Role Based Access Control (RBAC)?
Role Based Access Control, or RBAC, is a process for limiting system access to authorized users, based on the permissions granted to that user by their role. Each role is assigned a set of permissions, and anyone assigned that role will inherit those permissions. Role Based Access Control simplifies how access control and credentials are managed, since access can be granted or revoked to a group of users sharing a similar role, rather than having to adjust each individual’s rights. Using RBAC is a quick way to assign a new user permissions, while also ensuring that anyone assigned that role will have similar access. Users may also be assigned multiple roles, thereby inheriting all of the permissions associated with each role.

What is Service Account Governance (SAG)?
Corporate IT services need to communicate across application pools, databases, file systems and network services. In order to ensure secure access, service accounts require a service account password with an elevated level of network privilege. This makes service account passwords a high value target for bad actors.

Service Account Governance, or SAG, is the combination of software tools, policies and workflow processes which ensure service accounts remain secure and accounted for. This includes assigning ownership, controlling access to service account passwords, ensuring strong password strength across all accounts, and understanding which applications are dependent on each service account (so changing a service account privilege password does not result in a broken connection). SAG is a critical yet often overlooked part of the privileged account management process.

What is Security Assertion Markup Language (SAML)?
Security Assertion Markup Language, or SAML, is used to exchange authentication and authorization data between parties, such as between a service provider and an identity management system. SAML is an open standard developed to promote interoperability across systems, and is commonly used for Single Sign On (SSO) within web browsers and applications.

What is Shared Account Password Management (SAPM)?
Shared account password management is the same as privileged account management, but it can be problematic. For simplicity, many IT teams sidestep best practice and create one privileged account per server, or even one username and password to use for multiple privileged accounts. These are shared accounts. The problem with sharing accounts is that you never know precisely who is using them at any given time. So if you have a server failure, you cannot tell who logged in before the system went down.

What is Software Change and Configuration Management (SCCM)?
Gartner defines Software Change and Configuration Management as the implementation of a set of disciplines used to stabilize, track and control the versions and configurations of a set of software items using tools designed for this purpose. SCCM may include development change management, defect tracking, change automation, development release management, integrated test management, integrated build management and other related processes. SCCM tools are designed to support version and configuration management of software source code and supporting artifacts.

What is Security as a Service (SaaS / SecaaS)?
Infrastructure specialists are in short supply and in high demand. Many organizations, rather than field a team of security specialists to maintain an in-house network security infrastructure, are choosing to integrate hosted security solutions. This business model is known as security as a service, and is abbreviated as SaaS or SecaaS. An organization will work directly with a vendor who provides a full suite of managed cloud computing services, such as PAM or IAM platforms.

The advantage of this model is that small and mid-sized businesses can get access to dedicated security professionals who provide continually up-to-date security solutions. These businesses might not have the budget, know-how, or cachet to hire that level of cyber security talent directly.

Larger organizations can also benefit from SecaaS, since it frees up resources to focus on other mission-critical IT security issues. SecaaS providers are experts at deploying, maintaining, patching and upgrading software, infrastructure and platforms, and since it’s their core business, they are able to pass on their IT security expertise in an efficient and scalable way.

SecaaS providers don’t guess if there is a relationship between privilege access management and cyber security. They understand that when it comes to IAM vs. passwords, it’s all about implementing a robust cyber security solution.

Security as a Service providers offer a range of services, including: strategic security assessments and continuity planning, disaster recovery, access and credential management, infrastructure monitoring and intrusion detection, firewall management, PAM tools, data loss prevention consulting, compliance and overall reporting.

What is Security Information and Event Management?
Security Information and Event Management system, used to manage critical assets including software applications. These systems can be integrated into application control systems as part of privilege management, for example software applications in a SIEM system could be used to build a whitelist.

What is Secure Shell (SSH)?
Secure Shell protocol, or SSH, is a way to operate network services in a secure manner over an unsecured network. It’s also used to establish a secure connection between computers, and includes robust authentication and encryption to ensure secure end-to-end data transmission.

To establish a secure connection, system administrators will use generated keys consisting of a public/private key pair. The key pair should be rotated on a regular basis, to prevent the keys from being passed around and reused. Consider using a tool like SSH Key Management for Secret Server to manage SSH keys, from key generation, to rotation, control, and secure storage.

What is Self-Service Password Reset (SSPR)?
Self-Service Password Reset, or SSPR, is a process and feature set which allows a user to manage their passwords and credentials without the need of third-party intervention or a helpdesk. SSPR is often used to recover or reset lost passwords. An effective SSPR solution offers many benefits, ranging from time-savings for those who need to manage their passwords, to the cost-savings of fewer helpdesk calls, to a more secure overall process that requires fewer intermediaries or weak links.

What is Superuser Privilege Management (SUPM)?
On Unix systems, superusers are users who gain privileged access for a limited period of time. Unix allows certain users to elevate their privilege to superuser status for a specific task, and when they’ve completed their task they revert to being a standard user. Superuser privilege management controls when users are allowed to elevate to superuser status, and what commands they can run in superuser mode.

Also sometimes listed under SUPM, is application and command whitelisting, blacklisting, and greylisting. This controls what Windows applications or Unix commands someone can run while logged into a server or device as an administrator or superuser. Whitelisting means you have a list of approved commands, and anything on that list can be used. If it’s not on the list, it won’t work. Blacklisting is the opposite. It’s where users can do anything they want, as long as it is not on the blacklist. Greylisting is more flexible. It often includes integrations into lists of known risks, or the ability to review and approve requested application elevation on the fly. Application whitelisting, blacklisting, and greylisting is also frequently referred to under the categories of Application Control or Privilege Elevation.

What is User Account Control (UAC)?
User Account Control is a security feature of Microsoft Windows which helps prevent unauthorized changes (which may be initiated by applications, users, viruses or other forms of malware) to an operating system. UAC improves the security of Windows by limiting application software to standard user privileges until an administrator authorizes an increase or elevation.

What is User and Entity Behavioral Analytics (UEBA)?
User and Entity Behavior Analytics is the use of sophisticated algorithms to create a baseline for the activity of entities such as users, apps, devices, servers, etc. Once baseline behavior is established an organization can calculate its risk based on deviations from the baselines in order to identify security anomalies. UEBA recognizes that entities other than users are regularly profiled in order to more accurately pinpoint threats, in part by comparing the behavior of these other entities with user behavior. UEBA software correlates both user activity and other entities such as managed and unmanaged endpoints, applications, networks, and also external threats.

What is Vendor Privilege Access Management (VPAM)?
Vendors, such as third-party service providers, often need temporary access to sensitive systems. Vendor Privilege Access Management, or VPAM, is a tool which provides least privilege access for employees of a vendor, while also keeping track of what each of those individuals does with that access. When the vendor, or an individual employed by the vendor, no longer needs access, VPAM systems simplify the process of restricting or removing each user’s access.

VPAM is key to reducing third-party vendor risk associated with privilege management. Without it, some organizations will take the path of least resistance and grant broad access rights to a swath of systems so as not to constrain the vendor. The vendor may retain that access long after completing their work, or may share their credentials with other individuals working for the vendor. Loosely managing access for vendors increases the risk that a malicious actor can infiltrate the system. Vendor Privilege Access Management tools, along with other PAM tools, offer a structured, defined way to reduce this risk.