PAM vs. IAM Confusion Is Leading Organizations to Miss Out on Vital PAM Capabilities

According to a recent survey conducted by Enterprise Management Associates (EMA), organizations are confused about what privileged access management (PAM) is and whether they are using it effectively.

The main insight from the EMA survey concerns the apparent confusion around how PAM and identity and access management (IAM) differ. This insight came from the fact that 99% of respondents claimed they use PAM, but only 49% stated they were using a dedicated PAM tool. This means that the remaining 50% are either managing privileged access without a dedicated tool or are confusing PAM with IAM. The latter point is supported by the fact that most respondents stated they use a directory service or native endpoint operating system tools to conduct PAM.

The confusion around PAM intensifies with survey respondents giving contradictory answers regarding the effectiveness of their PAM practices. Specifically, more than 80% of respondents said they were satisfied with their management of privileged access, yet only 40% of respondents said they trust their PAM tools to prevent the misuse of privileged accounts. Further, the average annual remediation cost for PAM policy violations was calculated to be approximately $23,400, based on survey results – an amount that seems too high for most organizations to be satisfied with.


Source: SoftwareReviews Identity and Access Management Data Quadrant, accessed August 20, 2019.

Our Take

To understand the difference between IAM and PAM, I am going to parrot a great analogy used by Osirium in a related article:

Imagine your organization is a small store. IAM serves as the front door to your store. The policies defined within the directory are used to determine who is allowed inside, based on the key they present to the door’s lock. Once inside, a person will have access to anything in the front room. All items in the front room are non-sensitive, non-critical business applications that the general user has access to. If the person in the store wished to access sensitive, critical information, they must go into the backroom. We can think of the backroom door as the PAM tool. In addition to a door, the PAM tool also provides a security camera that faces into the backroom. Not only can the PAM tool decide who can go into the backroom, it can also monitor all the activity being conducted back there. If suspicious activity is detected, the PAM tool can lock the door and prevent the sensitive information from leaving the shop.

So, while these two tools have a similar goal (i.e., controlling access), they serve very different functions. From the analogy we can deduce that it is more important to implement PAM first. If an organization were to implement IAM first, it would have a store with an unprotected backroom. In the event of a breach, the organization could lose a large and unknown amount of information. If PAM is implemented first, but IAM is still nonexistent, a breach would have far lower impact due to the limited access available to the stolen credentials.

If the IAM and PAM tools are able to talk to each other, they can share information about who is allowed to access what systems. Additionally, this connection would allow system administrators and other privileged users to share their privileged account passwords with their identity, thereby reducing the number of passwords they are required to remember. This, in turn, would improve password hygiene and create a more secure set of privileged accounts. So it turns out IAM and PAM are not the same thing, but they do overlap in ways that allow the applications to connect and provide some defense-in-depth (of identities) benefits to an organization.


Want to Know More?

“Survey Reveals Challenges of Effective Privileged Access Management,” Forbes, 2019.
“Are Privileged Access Management (PAM) and Identity & Access Management (IAM) the Same?” Osirium, 2018.