Identities and Access with PAM & IAM
PAM for Dummies: Part III
This third installment of our “PAM for Dummies” series addresses one of the most important security issues you’ve never heard of: the connection between privileged access management (PAM) and identity access management (IAM).
Identity is a fundamental element of security. You only want people to see the information they’re allowed to see, right?
It sounds pretty simple. And the reality is that it is a very simple topic, but one with rather complicated implications. Who is really who? That is, how do you know if a user is who they claim to be?
If Hollywood is any indicator, even knowing the identity of the person right in front of you isn’t always so easy. If it were, you would never have had great movies like Freaky Friday, Big, or Faceoff. You would never have Mark Twain’s The Prince and the Pauper.
Now, imagine that the Pauper tries to log onto your ERP system to download your customer list. He knows he’s not supposed to, so he pretends to be the Prince. Are you sure you will know the difference?
IAM: Staying on Top of Identities for Day-to-Day Access Controls
Security and compliance managers need to define and enforce access policies based on identity. Identity governance is about ensuring that Mr. X can use System A, but not System B. Ms. Y can use Systems A and B, and so forth. It gets harder as organizations evolve into more complex digital enterprises with even employees of partner firms and other contractors often having extensive access rights.
An IAM system keeps track of such user identities. You have undoubtedly used this kind of technology many times, even if you weren’t aware of it. If you’ve ever been asked for a username and password in order to log into a site, you’ve used a simple identity management system.
Things can get complicated pretty fast, though. Big organizations may have dozens or even hundreds of IT assets with different access requirements. IAM systems typically deal with this by tracking people by role, with access privileges determined by role. Thus, a salesperson with a “sales” role might be granted access to sales-related systems, but not others. A salesperson is restricted from signing into the HR system, and so forth.
IAM will govern basic user access to IT resources like applications, databases, storage resources and networks. IAM could also control access to partner resources. To defend these assets against risks, IAM systems do the following:
• Authenticate – Establish that the Prince is the Prince and the Pauper is the Pauper.
• Authorize – Confirm that Prince has permission to access a given resource.
• Provision/Deprovision access – Grant appropriate entitlements and removing these entitlements on a timely basis when necessary.
• Track access rights – Enable audit of usage rights.
PAM: Controlling Access for Privileged Users
While your organization keeps track of users’ identities, you also have to keep an eye on PAM. Privileged users can get at the “back end” of your systems, making changes and setting up accounts. Privileged users are highly important but potentially dangerous with elevated privileges to access and modify sensitive assets. Either by mistake or with malfeasance, they can cause a lot of headaches. Think data breaches and non-compliance. These users are special and need special systems in place to track and control their actions.
PAM solutions control and monitor access by these special users. They make sure that the Pauper can’t erase the Prince’s email account, help themselves to sensitive IP, or get up to any other hanky-panky without being stopped or caught.
A Joint IAM-PAM Solution
Ideally, IAM and PAM work together. That way, a request for privileged access can be managed in accordance with established identity governance policies. This means that all access requests and grants – regardless of whether they are for standard or privileged users – are part of a single access control chain.
It’s a lot simpler for everything from provisioning to audits to have PAM and IAM working together. When it comes to IT security simpler = better.
Of course, the world is a complicated place, and predictably Identity management and PAM systems are often totally separate. That’s why you need to think about a joint or interoperative IAM-PAM solution to centralize your identity governance. Find a PAM solution that works with your IAM vendor. Or vice versa.
Taking This Seriously
The most frightening IT security threats involve manipulation of identity and especially the misappropriation of privileged identities and credentials. IAM solutions offer a way to govern identity, but they generally lack deep functionality for managing privileged account access. Conversely, PAM solutions tend to be standalone entities that are focused primarily on controlling and/or recording the actions of privileged users. A joint IAM-PAM solution can mitigate identity governance risks better than either IAM or PAM on its own.
Learn more about protecting yourself from a data breach by getting in touch or by requesting a free trial of our award-winning solutions for Privileged Access Management and Identity Management