Based on a recent survey conducted by Enterprise Management Associates (EMA), organizations are confused about what privileged access management (PAM) is and whether they are using it effectively within their organization.
The main insight from the EMA survey concerns the apparent confusion around how PAM and identity and access management (IAM) differ. This insight came from the fact that 99% of respondents claimed they use PAM, but only 49% stated they were using a dedicated PAM tool. This means that the remaining 50% are either managing privileged access without a dedicated tool or are confusing PAM with IAM. The latter point is supported by the fact that most respondents stated they use a directory service or native endpoint operating system tools to conduct PAM.
The confusion around PAM intensifies with survey respondents giving contradictory answers regarding the effectiveness of their PAM practices. Specifically, more than 80% of respondents said they were satisfied with their management of privileged access, yet only 40% of respondents said they trust their PAM tools to prevent the misuse of privileged accounts. Further, the average annual remediation cost for PAM policy violations was calculated to be approximately $23,400, based on survey results – an amount that seems too high for most organizations to be satisfied with.
Source: SoftwareReviews Identity and Access Management Data Quadrant, Accessed August 20, 2019.
To understand the difference between IAM and PAM, I am going to parrot a great analogy used by Osirium in a related article:
Imagine your organization is a small store. IAM serves as the front door to your store. The policies defined within the directory are used to determine who is allowed inside, based on the key they present to the door’s lock. Once inside, a person will have access to anything in the front room. All items in the front room are non-sensitive, non-critical business applications that the general user has access to. If the person in the store wished to access sensitive, critical information, they must go into the backroom. We can think of the backroom door as the PAM tool. In addition to a door, the PAM tool also provides a security camera that faces into the backroom. Not only can the PAM tool decide who can go into the backroom, it can also monitor all the activity being conducted back there. If suspicious activity is detected, the PAM tool can lock the door and prevent the sensitive information from leaving the shop.
So, while these two tools share a broad purpose (controlling access), they play very different roles. From the analogy we can deduce that it is more important to implement PAM first. If an organization were to implement IAM first, they would have a store with an unprotected backroom: in the event of a breach, the organization could lose a large and unknown amount of information. If PAM is implemented first, but IAM is still nonexistent, a breach would have far lower impact, because stolen credentials would only unlock the front room and not the backroom where the sensitive, critical information lives.
If the IAM and PAM tools are able to talk to each other, they can share information about who is allowed to access which systems. This connection also lets system administrators and other privileged users tie their privileged accounts to their directory identity: they authenticate to the PAM tool with that identity and check out privileged credentials from it, rather than remembering (and potentially reusing) a separate password for each privileged account. This, in turn, improves password hygiene and creates a more secure set of privileged accounts. So it turns out IAM and PAM are not the same thing; but they do share some overlap that allows the two tools to connect and provide some defense-in-depth (of identities) benefits to an organization.
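To make the front-door/backroom split concrete, here is an added toy model (not code from the original article, Osirium, or any real PAM product) of how an IAM-gated, PAM-brokered privileged session behaves. The directory, the vault, the user names and the list of "suspicious" command patterns are all constructed for the example. The directory decides whether an identity exists at all (the front door); the broker decides whether that identity's groups allow it into a privileged account (the backroom door), hands back an opaque session token instead of the vaulted password, records every command (the camera), and terminates the session when it sees something it does not like (locking the door):

```python
from dataclasses import dataclass, field
import secrets
import time

# Constructed directory, standing in for the IAM side (the front door):
# identities and the groups they belong to.
DIRECTORY = {
    "alice": {"groups": {"staff", "db-admins"}},
    "bob": {"groups": {"staff"}},
}

# Constructed vault, standing in for the PAM side (the backroom door):
# privileged accounts, their secrets, and which directory groups may use them.
VAULT = {
    "prod-db-root": {"secret": "constructed-root-password",
                     "allowed_groups": {"db-admins"}},
}

# Constructed command patterns the "security camera" treats as suspicious.
SUSPICIOUS = ("drop database", "rm -rf /", "mysqldump")


@dataclass
class Session:
    user: str
    account: str
    token: str          # opaque handle given to the user; the vault secret never is
    expires_at: float
    log: list = field(default_factory=list)
    terminated: bool = False


class PamBroker:
    """Brokers time-boxed privileged sessions without revealing the vaulted secret."""

    def __init__(self, directory, vault, ttl_seconds=900):
        self.directory = directory
        self.vault = vault
        self.ttl = ttl_seconds

    def checkout(self, user, account, now=None):
        now = time.time() if now is None else now
        identity = self.directory.get(user)
        if identity is None:
            # IAM gate: no key for the front door, so nothing further is evaluated.
            raise PermissionError(f"unknown identity {user!r}")
        entry = self.vault.get(account)
        if entry is None or not (identity["groups"] & entry["allowed_groups"]):
            # PAM gate: known identity, but no group that opens this backroom door.
            raise PermissionError(f"{user!r} may not check out {account!r}")
        return Session(user, account, secrets.token_hex(16), now + self.ttl)

    def inject_credential(self, session, now=None):
        """Only the broker itself reads the secret, when it opens the target connection."""
        now = time.time() if now is None else now
        if session.terminated or now > session.expires_at:
            raise PermissionError("session is not live")
        return self.vault[session.account]["secret"]

    def run(self, session, command, now=None):
        """Record a command; return False (and lock the door) if it is not allowed."""
        now = time.time() if now is None else now
        if session.terminated or now > session.expires_at:
            session.log.append((now, command, "rejected: session not live"))
            return False
        if any(pattern in command.lower() for pattern in SUSPICIOUS):
            session.log.append((now, command, "blocked: session terminated"))
            session.terminated = True
            return False
        session.log.append((now, command, "allowed"))
        return True


if __name__ == "__main__":
    broker = PamBroker(DIRECTORY, VAULT)
    s = broker.checkout("alice", "prod-db-root", now=1000.0)
    print(broker.run(s, "SELECT count(*) FROM orders", now=1001.0))  # True
    print(broker.run(s, "DROP DATABASE orders", now=1002.0))          # False, session terminated
    print(broker.run(s, "SELECT 1", now=1003.0))                      # False, door stays locked
    for entry in s.log:
        print(entry)
```

The point of the `inject_credential` split is the one the integration paragraph makes: the administrator proves who they are with their directory identity and receives a short-lived session, while the actual privileged password stays in the vault and is only ever used by the broker, so there is nothing extra for the administrator to remember or reuse.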