PAM vs. IAM Confusion Is Leading Organizations to Miss Out on Vital PAM Capabilities
Based on a recent survey conducted by Enterprise Management Associates (EMA), organizations are confused about what privileged access management (PAM) is and whether they are using it effectively within their organization.
The main insight from the EMA survey concerns the apparent confusion around how PAM and identity and access management (IAM) differ. This insight came from the fact that 99% of respondents claimed they use PAM, but only 49% stated they were using a dedicated PAM tool. This means that the remaining 50% are either managing privileged access without a dedicated tool or are confusing PAM with IAM. The latter point is supported by the fact that most respondents stated they use a directory service or native endpoint operating system tools to conduct PAM.
The confusion around PAM intensifies with survey respondents giving contradictory answers regarding the effectiveness of their PAM practices. Specifically, more than 80% of respondents said they were satisfied with their management of privileged access, yet only 40% of respondents said they trust their PAM tools to prevent the misuse of privileged accounts. Further, the average annual remediation cost for PAM policy violations was calculated to be approximately $23,400, based on survey results – an amount that seems too high for most organizations to be satisfied with.
Source: SoftwareReviews Identity and Access Management Data Quadrant, Accessed August 20, 2019.
To understand the difference between IAM and PAM, I am going to parrot a great analogy used by Osirium in a related article:
Imagine your organization is a small store. IAM serves as the front door to your store. The policies defined within the directory are used to determine who is allowed inside, based on the key they present to the door’s lock. Once inside, a person will have access to anything in the front room. All items in the front room are non-sensitive, non-critical business applications that the general user has access to. If the person in the store wished to access sensitive, critical information, they must go into the backroom. We can think of the backroom door as the PAM tool. In addition to a door, the PAM tool also provides a security camera that faces into the backroom. Not only can the PAM tool decide who can go into the backroom, it can also monitor all the activity being conducted back there. If suspicious activity is detected, the PAM tool can lock the door and prevent the sensitive information from leaving the shop.
So, while these two tools address a similar goal (i.e. controlling access), they serve very different purposes. From the analogy we can deduce that it is more important to implement PAM first. If an organization were to implement IAM first, it would have a store with an unprotected backroom. In the event of a breach, the organization could lose a large and unknown amount of information. If PAM is implemented first, but IAM is still nonexistent, a breach would have far lower impact due to the limited access available to the stolen credentials.
If the IAM and PAM tools are able to talk to each other, they can share information about who is allowed to access which systems. Additionally, this connection would allow system administrators and other privileged users to tie their privileged account credentials to their identity, thereby reducing the number of passwords they are required to remember. This, in turn, would improve password hygiene and create a more secure set of privileged accounts. So it turns out IAM and PAM are not the same thing; but they do share some overlap that allows the two applications to connect and provide defense-in-depth (of identities) benefits to an organization.
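The store analogy and the IAM/PAM integration described above can be modelled as two cooperating access layers. The following is an added example, not code from the original article, from Osirium, or from any vendor mentioned here; every user, key, asset, policy and vaulted secret in it is constructed sample data. IAM authenticates an identity and grants front-room (general) access; PAM brokers back-room (privileged) sessions against a separate policy keyed to that same identity, keeps the vaulted secret on the broker side, records every action like the security camera, and locks the session when it sees a suspicious command.

```python
"""Front room / back room: IAM as the front door, PAM as the back-room door plus camera.

All identities, keys, assets, policies and secrets below are constructed for the example.
"""
from dataclasses import dataclass, field
import secrets

# IAM layer: the directory of identities and their group memberships (constructed).
IAM_DIRECTORY = {
    "alice": {"key": "alice-key", "groups": {"staff", "dba"}},
    "bob": {"key": "bob-key", "groups": {"staff"}},
}
# Front room: non-sensitive apps every authenticated user may use.
FRONT_ROOM_APPS = {"email", "wiki"}

# PAM layer: back-room assets, which groups may check them out, and which commands are
# suspicious enough to lock the session (constructed policy).
BACKROOM_POLICY = {
    "prod-db": {"allowed_groups": {"dba"}, "blocked": {"DROP DATABASE", "GRANT ALL"}},
}
# Vaulted privileged secrets; the broker uses them, the user never receives them.
VAULT = {"prod-db": "constructed-vaulted-secret"}


@dataclass
class Identity:
    user: str
    groups: set


@dataclass
class Session:
    user: str
    asset: str
    token: str
    activity: list = field(default_factory=list)  # the security camera's recording
    locked: bool = False


class IAM:
    """The front door: authenticate the key presented and grant general access."""

    def authenticate(self, user, key):
        entry = IAM_DIRECTORY.get(user)
        if entry is None or not secrets.compare_digest(entry["key"], key):
            return None
        return Identity(user, set(entry["groups"]))

    def can_use(self, identity, app):
        return identity is not None and app in FRONT_ROOM_APPS


class PAM:
    """The back-room door and camera. It reuses IAM for authentication, so privileged
    entitlements are keyed to the user's identity rather than to a separate shared password."""

    def __init__(self, iam):
        self.iam = iam
        self._connections = {}  # session token -> vaulted secret, kept broker-side

    def checkout(self, user, key, asset):
        identity = self.iam.authenticate(user, key)
        policy = BACKROOM_POLICY.get(asset)
        if identity is None or policy is None:
            raise PermissionError(f"{user} cannot check out {asset}")
        if not identity.groups & policy["allowed_groups"]:
            raise PermissionError(f"{user} is not entitled to {asset}")
        session = Session(user, asset, secrets.token_hex(16))
        # The broker opens the connection with the vaulted secret; the user only gets a token.
        self._connections[session.token] = VAULT[asset]
        return session

    def run(self, session, command):
        """Run (here: record) a command under the session; returns True if it was allowed."""
        if session.locked:
            session.activity.append(("REJECTED-LOCKED", command))
            return False
        blocked = BACKROOM_POLICY[session.asset]["blocked"]
        if any(pattern in command.upper() for pattern in blocked):
            session.locked = True  # lock the door: nothing further leaves the back room
            self._connections.pop(session.token, None)
            session.activity.append(("LOCKED", command))
            return False
        session.activity.append(("RUN", command))
        return True


def demo():
    """Walk one privileged session through allow, lock, and post-lock rejection."""
    pam = PAM(IAM())
    session = pam.checkout("alice", "alice-key", "prod-db")
    for command in ("SELECT count(*) FROM orders", "drop database prod", "SELECT 1"):
        pam.run(session, command)
    return [event for event, _ in session.activity]


if __name__ == "__main__":
    print(demo())
```

The point of the split is visible in the two failure paths: a stolen front-door key for `bob` still opens nothing in the back room, and even an entitled `alice` loses her session the moment the camera sees a blocked command, with the vaulted secret never having left the broker.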
Want to Know More?
For organizations that experience time-sensitive incidents that must be resolved in the most optimal and efficient manner, Bomgar (Beyond Trust) and BMC Software may have the solution. The two vendors have teamed up to address a reduction in the time it takes to resolve problematic tickets and assist in lessening the impact of cyber threats to which all organizations are subjected.
Okta announces its new partnerships with endpoint security vendors VMware Carbon Black, CrowdStrike, and Tanium. Integrating endpoint protection management analysis with Okta Verify’s user identity risk indicators, Okta Identity Cloud consolidates the information and creates a risk profile of the individual login attempt.
Avatier, an IAM vendor, has developed an innovative solution for automating mundane IAM tasks: a chatbot called Apollo. Apollo is a great example of how ANI can enable simple task automation that ultimately frees up IT staff to tackle more pressing issues.
Recent data released from SoftwareReviews' Identity Access Management (IAM) Customer Experience Report reveals Symantec VIP is performing above the rest when it comes to providing good customer service.
HID officially announced its support of Seos-enabled IDs in Apple Wallet on August 13. This enables a more convenient and secure authentication process for iPhone users using HID technology.
Micro Focus’s new offering, AD Bridge, extends AD policies and account management to Linux machines, simplifying identity and access management (IAM) for organizations running both Windows and Linux.
Canada-based technology company Vivvo eyes government services as it launches its e-services platform, CitizenOne.
SAP SE announced on April 30, 2019, that business-to-business (B2B) functionality has come to its customer identity and access management (CIAM) solutions.
Microsoft is working to usher in the era of passwordless multi-factor authentication as passwordless API becomes an official W3C standard. Strong authentication using biometrics and FIDO2-compatible hardware is the better, and more secure, method of multi-factor authentication.