Privileged Access Management (PAM) and Privileged Identity Management (PIM) are, for most purposes, two names for the same thing: a security discipline for controlling and monitoring the use of privileged accounts within an organization (admin accounts, power user accounts, and so on). Privileged accounts carry elevated permissions, and so can reach systems, data, and resources that are not available to everyday users. That makes them a prime target for attackers and a serious risk if misused, so they need special controls. PIM or PAM helps companies meet compliance requirements and prevent system and data breaches that stem from the improper use of privileged accounts.
One basic strategy for securing privileged identities is password vaulting: rotate the privileged account's password periodically, store the current password securely, and control who may retrieve it, when, and for what purpose.
A more comprehensive strategy is to add and remove privileges on users' accounts on an as-needed basis, following the principle of "least privilege". There was a time when an admin might stay logged in with their admin account more or less permanently, a standing privilege that presents an easy target for an attacker who compromises that session or workstation. In today's more security-aware world, the admin works from an account with ordinary permissions and requests the elevated permissions they need for a task only when they need them, and only for as long as they need them (just-in-time access). The request may require a justification, an approval, and/or additional authentication such as multi-factor authentication (MFA), and the elevation expires automatically at the end of the agreed window. This shrinks the window of opportunity for an attacker.
In addition to granting access to privileged accounts, most PIM or PAM solutions also implement auditing. The critical things to track are:
- Which users were given access to which account or privilege, when that access was granted, and when it ended.
- The details of any approvals related to the granting of access, including who requested it, why, and who approved it.
- The activities the user performed while elevated, including the systems accessed and the commands executed.
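As a concrete illustration of the just-in-time workflow and the three audit questions above, here is an added example (not code from the original page or from Microsoft) that self-activates an eligible Microsoft Entra ID role through PIM and then queries the activation history and directory audit log. It uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.Governance and Microsoft.Graph.Reports modules); the role name, justification text, two-hour duration, and seven-day audit window are assumed values chosen for illustration. Whether the activation needs approval and MFA is decided by the role's PIM policy on the server side, not by this script.

```powershell
# Added example, not from the original page: JIT activation of an Entra ID role
# via PIM, followed by the audit queries a reviewer needs. Role name, justification,
# duration and audit window are assumed values for illustration.
# Requires: Install-Module Microsoft.Graph (Identity.Governance and Reports modules).

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "AuditLog.Read.All", "User.Read"

# 1. Resolve the ordinary (non-admin) signed-in account and the role being requested.
$ctx     = Get-MgContext
$user    = Get-MgUser -UserId $ctx.Account
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Exchange Administrator'"

# 2. Self-activate the eligible assignment: justification, time-bound (PT2H is an
#    ISO 8601 duration of two hours), tenant-wide scope ("/"). If the PIM policy for
#    the role requires approval or MFA, Graph enforces it; an approval-gated request
#    is returned with status PendingApproval and is not active until approved.
$request = @{
    Action           = "selfActivate"
    PrincipalId      = $user.Id
    RoleDefinitionId = $roleDef.Id
    DirectoryScopeId = "/"
    Justification    = "Ticket INC-0000 (assumed): update mailbox transport rules"
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = "AfterDuration"; Duration = "PT2H" }
    }
}
$result = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $request
"Activation request {0}: status {1}" -f $result.Id, $result.Status

# 3. Audit question 1: who was given which privilege, and when? Every activation
#    request keeps the principal, role, scope, justification and schedule.
Get-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -Filter "principalId eq '$($user.Id)'" |
    Select-Object CreatedDateTime, Action, Status, RoleDefinitionId, Justification,
                  @{ n = 'Duration'; e = { $_.ScheduleInfo.Expiration.Duration } }

# 4. Audit questions 2 and 3: approvals and what happened afterwards. The directory
#    audit log records PIM events (loggedByService eq 'PIM'), including approvals,
#    and the initiator of each directory change made while the role was active.
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("o")
Get-MgAuditLogDirectoryAudit -Filter "loggedByService eq 'PIM' and activityDateTime ge $since" -All |
    Where-Object { $_.InitiatedBy.User.Id -eq $user.Id -or $_.TargetResources.Id -contains $user.Id } |
    Select-Object ActivityDateTime, ActivityDisplayName, Result,
                  @{ n = 'By'; e = { $_.InitiatedBy.User.UserPrincipalName } }
```

Commands executed on individual servers after activation are not in the Entra audit log; those come from the endpoint's own logging (for example PowerShell script-block logging or Windows Security event logs), which is the third bullet above and needs to be collected separately.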
Microsoft Identity Manager (MIM) offers PAM as a means of protecting your on-premises Active Directory. MIM PAM is not something you can just tick a box to activate: it relies on a separate, hardened bastion forest with a trust to your existing forest, and it is a process that needs careful planning and implementation. The Microsoft Entra ID implementation of PIM is cloud-oriented, rather more up to date, and much easier to implement.
More Information – MIM PAM
If you want to know more about MIM PAM, see our PAM white paper (note that it refers to Azure AD, which has since been renamed Microsoft Entra ID).
To discover even more, join our next PAM training course, delivered via Teams.
More Information – Microsoft Entra ID
To learn more about PIM within Microsoft Entra ID, read this article from Microsoft.
To discover more, join our next Entra ID training course, delivered via Teams.