Demystifying Acronyms for PAM
Anirban Banerjee
PAM stands for Privileged Access Management (Access is often interchanged with Account). The area is also identified as PUM or PIM (User or Identity). Various acronyms have been published over the years by research firms like Gartner, and in this article we will explain what they all mean. I would strongly suggest reading Gartner’s Market Guide for Privileged Access Management for 2015 by Felix and Anmol. It’s a very well written, researched and clear guide on what to look for when you decide to bring on a PAM solution.
What is PAM
PAM is tasked with making sure that access and operational rights to any IT or system resource are tightly controlled. Traditionally, PAM has been used to make it hard for bad actors to gain access to your systems. PAM contains various facets: credential vaulting, auditing, checkouts and more. All of these are designed to reduce the risk exposure of having credentials lying around where they can fall into the wrong hands.
PAM is a set of tools, possibly rolled up under one control panel. These tools help IT and security teams not only manage and control the keys to the kingdom but also put in place processes that keep their lives sane. Consider the case where users want to install BitTorrent on their laptops and can do so without any input from IT or security groups. Taking away admin rights cuts off this possibility but in turn creates a lot of tickets for the IT teams. PAM can be used to reach a happy medium. Have your cake and eat it too.
Quoting from the Gartner Report, interest in PAM technology is driven by several factors:
– The risk of insider threats
– The existence of malware that specifically targets privileged accounts
– Operational efficiency for administrator access
– Regulation and failed audits, because auditors are paying closer attention to privileged accounts, and regulations are forcing organizations to create an irrefutable trail of evidence for privileged access
– Access to privileged accounts by third parties: vendors, contractors and service providers
Various categories for PAM
According to Gartner’s report there are various groups of products that a PAM solution needs to have. We will discuss these product groups and their acronyms, and talk about their implications and benefits. Several high-profile breaches and insider attacks have been known to exploit privileged accounts, and this has increased interest in tools to tighten controls on privileged activity, as well as interest in two-factor authentication for privileged access.
SAPM – Shared Account Password Management
SAPM helps you manage how account access is being shared. In most companies there will be SaaS and server accounts that are being used by multiple individuals. It is imperative to control this process and be able to audit access rights.
PSM – Privileged Session Management
PSM helps you maintain a single source of truth for credential storage for privileged accounts: one place that can manage passwords, tokens and whatever else. A vault is a prime example. The user should not have to worry about credentials; they should simply get access. The system should figure out the identity and the access rights as transparently as possible.
SUPM – Super User Privilege Management
SUPM is a critical part of the PAM landscape. You want to be able to audit, replay and monitor all privileged sessions to your resources. Case in point: if you are running Linux servers on AWS for production, you absolutely need to have session recording turned on for compliance purposes (SOX, SOC 2, HIPAA, Privacy Shield).
AAPM – Application to Application Password Management
This is a relatively new area in the PAM landscape. It has gained importance in the last couple of years as DevOps organizations have become ever more prominent and machine-to-machine communications now have to traverse public Internet infrastructure. This specific area deals with validating the identities and rights of machine-to-machine communication.
The new kid on the block – SaaS PAM
Applications and servers are moving to the cloud. This is a well-known trend that has gained serious momentum over the last few years. It means that fewer and fewer applications and servers are going to be housed in colos and data centers; they are moving into different, third-party vendor infrastructure. The move to SaaS is inevitable. The thing to watch out for is that when you do move to SaaS services you need a way to manage fine-grained privileges on SaaS apps. Here is a typical example: You migrate App X to the cloud. Your on-premises version had support for various user groups, like marketing level 1 and sales level 2, with different privileges. How are you making sure that the SaaS app understands and responds to your need for fine-grained control?
This type of capability can be used for many purposes: EU-US data privacy, HIPAA compliance, the principle of least privilege and much more. In fact, with the move to cloud and SaaS services, SaaS PAM is a must-have.
Keep in mind that the solution you pick must not just do authentication (logins) but must actually manage the user’s interaction with the application (authorization) in every way. Also note that you don’t necessarily need to proxy traffic in order to do this, so you need not incur the added latency.
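To make the authentication-versus-authorization distinction concrete, here is an added example (not code from the article or any vendor) that models the App X scenario above: a hypothetical SaaS PAM layer maps the on-premises groups to permitted actions, denies by default, and writes every decision to an audit trail. The group names, action names and `login_only_gate` contrast are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical policy for the article's "App X": group -> actions it may perform.
# Anything not listed here is denied (principle of least privilege).
POLICY = {
    "marketing-level-1": {"campaign:read"},
    "sales-level-2": {"deal:read", "deal:update"},
    "app-admin": {"campaign:read", "campaign:update",
                  "deal:read", "deal:update", "user:manage"},
}


@dataclass
class AuditEvent:
    """One authorization decision, kept as part of the irrefutable trail."""
    user: str
    groups: tuple
    action: str
    allowed: bool
    at: str


@dataclass
class SaaSPam:
    """Authorization layer: decides each action and records the decision."""
    audit_log: list = field(default_factory=list)

    def authorize(self, user: str, groups, action: str) -> bool:
        # Default deny; an action is allowed only if some group grants it.
        allowed = any(action in POLICY.get(g, set()) for g in groups)
        self.audit_log.append(AuditEvent(
            user, tuple(groups), action, allowed,
            datetime.now(timezone.utc).isoformat()))
        return allowed

    def denied_events(self):
        """Denied attempts are what auditors and responders look at first."""
        return [e for e in self.audit_log if not e.allowed]


def login_only_gate(authenticated: bool, action: str) -> bool:
    """The weaker model the article warns against: once logged in, anything goes."""
    return authenticated
```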
In this article we have discussed some of the acronyms that are popular in the Privileged Access Management (PAM) space. We hope this article has given you a basic idea of this field.