A Definition of Commonly Used Terms in Privileged Access Security
What is PAM and PEM and all the other 3 (or 4) letter acronyms?
If you spend any time on the Osirium website (or any PAM vendor's, for that matter), you'll soon start drowning in jargon and acronyms that are tricky at best and often just confusing. This is an updated version of the blog, adding a few more terms you might have come across. Let me know if there's anything else you think I should include.
I’ve had several requests for a PAM FAQ (see, can’t help but use TLAs 🙂 ) and I’ll get to that at some point, but I thought I might as well just start collecting some thoughts together and ask for contributions. It won’t be a final or comprehensive list, so I’ll come back and update this list over time.
Before I start: There will be plenty of people that won’t like my definitions, or will actively disagree with them. That’s OK. I’ll take it on the chin and try to learn. I may ignore comments, but mostly I hope I’ll be learning.
What is PAM?
PAM is the most common short form of Privileged Access Management. In brief, it means taking control of administrator and other valuable user or application credentials (usually usernames and passwords). Find out more at https://www.osirium.com/pam.
What is Privileged Access Management?
Most devices, services and applications have users with more permissions than normal. Typically, they may be able to create or delete other users, change permissions, access personally identifiable data and much more. These are powerful accounts and should only be used by staff with the right experience and training. If the credentials for these accounts are compromised, they are the dream reward for an attacker, as they can be used to move around the network and access valuable resources and data. A modern PAM solution like Osirium PAM includes a secure password vault, session recording, analytics, flexible integrations for credential injection and much more. Because security tools themselves need administrator access to keep systems safe, Privileged Access Management (PAM) has to be a critical part of any cybersecurity strategy.
What is POLP or Principle of Least Privilege?
"Principle of Least Privilege" is an important model to consider when making cybersecurity plans. The fundamental principle is that users should have only the amount of privilege they need (which may be none), on only the systems they need, and only for the time they need it. This is where PAM is a vital asset: when all privileged access to systems goes via PAM, you have a single point of control to ensure only the right people have access to the right systems. Osirium PAM also allows users to request access when they need it, so there is no need for dangerous "standing" or persistent access rights. Finally, with this centralised control, you can easily perform routine audits to ensure privileged access is removed when no longer needed.
What are Privileged Sessions?
A "privileged session" is a connection made by a user to a device, service or system using credentials that have elevated privileges, such as those used by an administrator. As these sessions are very powerful, they should only be available to users who have a need for them and the experience to use them safely (see "Principle of Least Privilege" above). The best Privileged Access Management systems include tools to monitor privileged sessions in real time, close sessions if risky behaviour is detected, and record sessions for later investigation or audit.
What is IAM?
IAM, or Identity Access Management, deals with establishing who a user is. It may include multi-factor authentication and password lifecycle management (e.g. rules for password rotation, complexity, creation and deletion). It is distinguished from PAM because it only deals with "who" the user is, not "what" they are able to do. An earlier blog is an excellent discussion of the topic.
What is PIM?
Privileged Identity Management (PIM) is a feature often provided in IAM tools. It goes some way towards improving management of powerful admin accounts and other privileged accounts, in that it can report that these accounts exist and how and when they are being used. However, that is not a replacement for Privileged Access Management, which provides more active protection of those privileged account credentials and management of privileged sessions.
What is Privileged User Management?
Privileged User Management (PUM) is pretty much the same as Privileged Identity Management (PIM), with the same limitations in how admin and privileged account credentials are used.
What is PPA?
PPA, also known as Privileged Process Automation, is a new breed of process automation used by IT infrastructure and operations teams to automate cross-system processes. The automation is wrapped in a great user experience so that complex operations that need privileged account credentials can be delegated to first-line help desk engineers or even to end-users.
What is Privileged Process Automation?
Privileged Process Automation, known as PPA, is a powerful tool for IT infrastructure and operations teams to automate complex repetitive tasks. Robotic Process Automation (RPA) has had some success in automating relatively simple but highly repetitive business processes. However, RPA tools aren't appropriate for the more complex tasks seen in IT teams, or where an element of human review, decision-making and confirmation is needed. When admins are overworked, the opportunity to automate and safely delegate repetitive tasks is better for end-users and lets admins get on with more interesting work. For more information, see https://www.osirium.com/ppa.
What is PEM?
PEM, also known as Privileged Endpoint Management, is Osirium’s solution for removing local administrator accounts from Windows computers without slowing down end-users while also reducing the load on IT help desks.
What is Privileged Endpoint Management?
Privileged Endpoint Management (PEM) allows approved applications to be run with elevated privileges, which would typically be done with the "Run as Administrator" option on an application's context menu. Importantly, the application's privileges are elevated without exposing valuable administrator credentials or having to call the IT help desk. Find out more at https://osirium.com/pem.
What is Privileged Access Security?
Privileged Access Security, or PAS, is Osirium’s solution that takes a holistic view of managing privileged accounts and automation. It includes PAM to protect shared devices and services, PPA for secure IT operations automation and PEM for managing privileged application execution on endpoints.
What is PASM, PEDM, SUPM, SAPM?
These acronyms, and others, are all variations on the capabilities of a modern PAM solution like Osirium PAM. They stand for a variety of features, including Privileged Access Session Management, Privileged Elevation and Delegation Management, Superuser Privileged Management and Shared Account Password Management.
What is IGA?
Identity Governance & Administration (IGA) is closely related to IAM but often includes more tools for controlling password lifecycles.
What is ECV & EPV?
These are short forms of Enterprise Credential Vault and Enterprise Password Vault. As the names suggest, they are essentially password stores, which can be useful but, just like IAM, aren't a solution for managing Privileged Accounts.
What is Zero Trust?
In the past, it was OK (at least to some degree) to manage security based on where a device or person happened to be. So it was OK to say "a user in the office can connect to a server and make changes". But with the modern proliferation of devices, users working remotely and the need to let external partners have access to internal systems, a better solution is needed. For many, the "Zero Trust" approach is a good start: assume no user has access to any system; they have to prove their identity, usually with a high degree of proof such as multi-factor authentication (MFA), and based on that the user is authorised to have access. PAM builds on this to ensure only the least level of privilege needed is granted, to provide further control over what those users do in those sessions (including session recording), and to maintain full audit trails.
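To make the "request access for the time you need it, then audit for standing rights" idea from the Principle of Least Privilege section and the identity-then-least-privilege flow described under Zero Trust concrete, here is an added Python sketch of a privileged-access broker. It is not Osirium's code: the AccessBroker and Grant names, the MFA-verified flag, and the users, targets and timestamps are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class Grant:
    user: str
    target: str
    role: str
    expires_at: "datetime | None"  # None means standing access, which the audit flags

@dataclass
class AccessBroker:  # single point of control: every privileged session is authorised here
    grants: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)
    def _log(self, now, event, **detail):
        self.audit_log.append({"at": now.isoformat(), "event": event, **detail})
    def request_access(self, user, target, role, minutes, now):
        """Just-in-time grant scoped to one target, one role and one time window."""
        grant = Grant(user, target, role, now + timedelta(minutes=minutes))
        self.grants.append(grant)
        self._log(now, "grant", user=user, target=target, role=role, minutes=minutes)
        return grant
    def authorize(self, user, target, role, mfa_verified, now):
        """Zero-trust check: strong identity proof first, then a live matching grant."""
        if not mfa_verified:
            self._log(now, "deny", user=user, target=target, reason="no MFA")
            return False
        for g in self.grants:
            live = g.expires_at is None or now < g.expires_at
            if (g.user, g.target, g.role) == (user, target, role) and live:
                self._log(now, "allow", user=user, target=target, role=role)
                return True
        self._log(now, "deny", user=user, target=target, reason="no active grant")
        return False
    def standing_access(self, now):
        """Audit helper: grants with no expiry, or expired grants never removed."""
        return [g for g in self.grants if g.expires_at is None or g.expires_at <= now]

def demo():
    """Constructed scenario with fixed timestamps so the outcome is deterministic."""
    broker, t0 = AccessBroker(), datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    broker.request_access("alice", "db01", "dba", 60, t0)
    broker.grants.append(Grant("bob", "fw01", "admin", None))  # legacy standing account
    return {
        "no_mfa": broker.authorize("alice", "db01", "dba", False, t0),
        "in_window": broker.authorize("alice", "db01", "dba", True, t0 + timedelta(minutes=30)),
        "expired": broker.authorize("alice", "db01", "dba", True, t0 + timedelta(minutes=61)),
        "standing": sorted(g.user for g in broker.standing_access(t0 + timedelta(minutes=61))),
        "events": [e["event"] for e in broker.audit_log],
    }
```

The `standing_access` report is what a routine audit would act on: Bob's grant has no expiry, and Alice's has lapsed but is still in the store.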