PAM vs. PIM: Privilege by Any Name Is a Priority
November 9, 2018 | Security and Risk | Katie Curtin-Mestre
Privileged accounts, credentials and secrets – and the access they provide – represent the largest security vulnerability enterprises face today. Nearly all of the most destructive cyber attacks this decade were executed by successfully exploiting privileged access. As such, managing and securing privilege is increasingly an organizational priority and a core component of an effective cyber security strategy. But knowing where to start can be confusing. The market offers an acronym soup of different terms and tools for addressing privileged access security. For example, consider Privileged Access Management, aka PAM, and its close associate, Privileged Identity Management, aka PIM.
To add to the confusion, even top industry analysts like Forrester and Gartner don’t agree on whether to use PAM or PIM. The Gartner Magic Quadrant refers to managing and securing privilege as PAM and the Forrester Wave refers to it as PIM.
However, at the end of the day, privilege by any name is a priority, which is why the Center for Internet Security (CIS) now lists “Controlling the Use of Administrative Privileges” as a basic CIS control. There is also common ground found within the category, with recommendations for best practices and vendor selection provided by trusted industry analysts such as Forrester, Gartner, IDC and KuppingerCole. Vendors who fall into PAM or PIM categories typically offer the following capabilities:
- Vault and rotate passwords and other credentials
- Isolate, monitor, record and audit privileged sessions
- Control privileged commands, actions and tasks, including privilege delegation and elevation
- Leverage analytics to monitor for anomalous activities involving privileged access
- Manage and broker credentials and secrets for applications from traditional commercial off-the-shelf applications to new cloud-native applications built using DevOps tools and methodologies
As it relates to analytics, some analysts do not consider this to be a separate capability. They instead cover analytics as a feature that enhances vaulting, session isolation and the control of privileged sessions. The degree of emphasis placed on securing the credentials used by DevOps tools and cloud-native applications vs. traditional commercial off-the-shelf applications depends upon the analyst firm. Of course, what ultimately matters across these five areas of privileged access will depend on the priorities of your business and your security organization.
Interestingly, managing privilege for end-user endpoints (aka workstations) is not included on the list above since not all analysts consider this part of the PAM or PIM category. That being said, many vendors who fall into the PAM or PIM category, including CyberArk, offer solutions that limit privilege on end-user endpoints, especially since many attacks involving privileged access start there.
So, where does the CyberArk Privileged Access Security Solution come in, you might ask? CyberArk provides a critical layer of IT security to protect data, infrastructure and assets across the enterprise, in the cloud and throughout the DevOps pipeline. CyberArk has a strong track record for product innovation and a dedicated focus on customer success that includes offering multiple deployment options: on-premises, cloud and as a service.
If you’re here to learn more about securing privileged access, here are some resources you might find of value:
- Privileged Access Security for Dummies eBook – This is a great resource if you need an overview of privileged access or would like a refresher.
- Intro to Privileged Access Security training course – This free training course covers the basics of privileged access security and why it matters.
- Why CyberArk resource page – This page covers how the CyberArk Privileged Access Security Solution compares to alternatives from other vendors.
It’s time to put semantics aside and focus on what’s truly important: securing privileged access across your enterprise to ensure you can reduce risk from external attackers or malicious insiders and launch new initiatives – such as investing in modern infrastructure and supporting digital transformation strategies – with confidence.