PAM vs. PIM: Privilege by Any Name Any Name Is a Priority
Privileged accounts, credentials and secrets – and the access they provide – represent the largest security vulnerability enterprises face today. Nearly all of the most destructive cyber attacks this decade were executed by successfully exploiting privileged access. As such, managing and securing privilege is increasingly an organizational priority and a core component of an effective cyber security strategy. But, knowing where to start can be confusing. The market offers an alphabet soup of different terms and tools for addressing privileged access security. For example, consider Privileged Access Management, aka PAM, and its close associate, Privilege Identity Management, aka PIM.
To add to the confusion, even top industry analysts like Forrester and Gartner don’t agree on whether to use PAM or PIM. The Gartner Magic Quadrant refers to managing and securing privilege as PAM and the Forrester Wave refers to it as PIM.
However, at the end of the day, privilege by any name is a priority, which is why the Center for Internet Security (CIS) now lists “Controlling the Use of Administrative Privileges” as a basic CIS control. There is also common ground found within the category, with recommendations for best practices and vendor selection provided by trusted industry analysts such as Forrester, Gartner, IDC and KuppingerCole. Vendors who fall into PAM or PIM categories typically offer the following capabilities:
- Vault and rotate passwords and other credentials.
- Isolate, monitor, record and audit privileged sessions.
- Control privileged commands, actions and tasks, including privilege delegation and elevation.
- Leverage analytics to monitor for anomalous activities involving privileged access.
- Manage and broker credentials and secrets for applications from traditional commercial off-the-shelf applications to new cloud-native applications built using DevOps tools and methodologies.
As it relates to analytics, some analysts do not consider this to be a separate capability. They instead cover analytics as a feature that enhances vaulting, session isolation and controlling privileged sessions. The degree of emphasis placed on securing the credentials used by DevOps tools and cloud-native applications vs. traditional commercial off-the-shelf applications depends upon the analyst firm. Of course, what ultimately matters across these five areas of privileged access will depend on the priorities of your business and your security organization.
Interestingly, privileged access management for end-user endpoints (a.k.a. workstations) is not included on the list above since not all analysts consider this part of the PAM or PIM category. That being said, many vendors who fall into the PAM or PIM category, including CyberArk, offer solutions that limit privilege on end-user endpoints, especially since many attacks involving privileged access start there.
So, where does the CyberArk Privileged Access Security Solution come in, you might ask? CyberArk provides a critical layer of IT security to protect data, infrastructure and assets across the enterprise, in the cloud and throughout the DevOps pipeline. CyberArk has a strong track record for product innovation and a dedicated focus on customer success that includes offering multiple deployment options, including on-premises, cloud and as-a-service.
If you’re here to learn more about securing privileged access, here are some resources you might find of value:
- Privileged Access Security for Dummies eBook is a great resource if you need an overview of privileged access management or would like a refresher.
- Intro to Privileged Access Security training course is free training course that covers the basics of privileged access management and why it matters.
- Why CyberArk resource page covers how the CyberArk Privileged Access Security Solution compares to alternatives from other vendors.
It’s time to put semantics aside and focus on what’s truly important: securing privileged access across your enterprise to ensure you can reduce risk from external attackers or malicious insiders and launch new initiatives – such as investing in modern infrastructure and supporting digital transformation strategies – with confidence.