Our Privileged Access Management (PAM in MIM) white paper discusses the new security feature that comes with MIM.
We explain how PAM works and its process.
Privileged Access Management, or PAM, is a completely new feature in Microsoft Identity Manager 2016, the successor to Forefront Identity Manager 2012 R2. PAM has powerful permissions which allow systems administrators, who are commonly targeted by hackers, to reduce the threat and impact of cyber attacks.
PAM addresses a problem which has often been neglected, that is, the detailed management of administrative, or privileged, permissions. In other words, PAM can keep safe those who have the keys to your kingdom. Many recent well-publicised hacking attacks have targeted system administrators, with hackers gaining access to administrative credentials, which they have then used to create further accounts with extensive permissions.
Organizations must take action to counter these attacks, by
- preventing theft of administrative credentials, as far as possible
- tightly controlling the process of creation and authorization of administrative credentials
- monitoring administrative groups to detect misuse, and
- responding swiftly and appropriately to evidence of misuse.
PAM’s functionality brings an administrative architecture which makes each of these steps achievable with appropriate implementation.
MIM typically runs in the corporate network, providing integration between HR systems and identity providers like Active Directory, synchronizing attributes, and mediating processes, for example, creating secondary accounts and managing group memberships. These activities are essential, and are not the targets of PAM. So it's worth noting that an implementation of MIM's PAM features would be completely separate from the implementation of MIM itself.
In this white paper, "Privileged access management – a primer" (a 9-page PDF), I describe PAM's features and concepts, its architecture and structures, and I discuss some design considerations for deploying PAM in the real world.