If you spend any time on the Osirium website (or any PAM vendor’s, for that matter), you’ll soon start drowning in jargon and acronyms that are tricky at best, and many are just confusing.
I’ve had several requests for a PAM FAQ (see, can’t help but use TLAs 🙂 ) and I’ll get to that at some point, but I thought I might as well just start collecting some thoughts together and ask for contributions. It won’t be a final or comprehensive list, so I’ll come back and update this list over time.
Before I start: There will be plenty of people that won’t like my definitions, or will actively disagree with them. That’s OK. I’ll take it on the chin and try to learn. I may ignore comments, but mostly I hope I’ll be learning.
PAM is the most common short version of Privileged Access Management. In short, it means taking control of administrator and similarly valuable user or application credentials (usually usernames and passwords). Find out more at https://osirium.com/pam.
Most devices, services and applications have users with more permissions than normal. Typically, they may be able to create or delete other users, change permissions, access personally identifiable data and much more. These are powerful accounts and should only be used by staff with the right experience and training. If the credentials for these accounts are compromised, they are a dream reward for an attacker, as they can be used to move around the network and access valuable resources and data. A modern PAM solution like Osirium’s PxM Platform includes a secure password vault, session recording, analytics, flexible integrations for credential injection and much more. As security tools need administrator access to keep systems safe, Privileged Access Management (PAM) has to be a critical part of any cybersecurity strategy.
PPA, also known as Privileged Process Automation, is a new breed of process automation used by IT infrastructure and operations teams to automate cross-system processes. The automation is wrapped in a great user experience so that complex operations that need privileged account credentials can be delegated to first-line help desk engineers or even to end-users.
Privileged Process Automation, known as PPA, is a powerful tool for IT infrastructure and operations teams to automate complex repetitive tasks. Robotic Process Automation (RPA) has had some success in automating relatively simple but highly repetitive business processes. However, it isn’t appropriate for more complex tasks as seen in IT teams, or where an element of human review, decision-making and confirmation is needed. When all admins are overworked, the opportunity to automate and safely delegate repetitive tasks is better for end-users and lets admins get on with more interesting work. For more information, see https://osirium.com/ppa.
PEM, also known as Privileged Endpoint Management, is Osirium’s solution for removing local administrator accounts from Windows computers without slowing down end-users while also reducing the load on IT help desks.
Privileged Endpoint Management (PEM) allows approved applications to be run with elevated privileges, which would typically be done by using the “Run as Administrator” option on an application’s context menu. Importantly, the privileges of the application are elevated without exposing valuable administrator credentials or having to call the IT help desk. Find out more at https://osirium.com/pem.
Privileged Access Security, or PAS, is Osirium’s solution that takes a holistic view of managing privileged accounts and automation. It includes PAM to protect shared devices and services, PPA for secure IT operations automation and PEM for managing privileged application execution on endpoints.
These acronyms, and others, are all variations of the capabilities of a modern PAM solution like Osirium’s PxM Platform. They stand for a variety of features including Privileged Access Session Management, Privileged Elevation and Delegation Management, Superuser Privileged Management and Shared Account Password Management.
IAM, or Identity Access Management, deals with users identifying who they are. It may include multi-factor authentication and password lifecycle management (e.g. rules for password rotation, complexity, creation and deletion). It’s distinguished from PAM because it only deals with “who” the user is, not “what” they’re able to do. An earlier blog is an excellent discussion of the topic.
Identity Governance & Administration (IGA) is closely related to IAM but often includes more tools for controlling password lifecycles.
These are short forms of Enterprise Credential Vault and Enterprise Password Vault. As the names suggest, they are essentially password stores, which can be useful but, just like IAM, aren’t a solution for managing Privileged Accounts.