The first time I started learning about IAM, I was studying AWS, so it was in the context of the cloud. But then I started learning about enterprise IAM, and at first I was very confused because they all seemed to overlap in functionality. So in this post, I aim to clear up the confusion that I had, and that (maybe) a lot of other people have too.

What is IAM? What is PAM?

IAM, as I’ve mentioned in a previous post, revolves around 4 A’s:

  • Admin (provisioning and deprovisioning accounts)
  • Authentication (making sure the user is who they say they are)
  • Authorization (giving proper access according to what they’re entitled to)
  • Audit (making sure the previous 3 A’s are done correctly)

PAM (Privileged Access Management) is actually a part of IAM, but with a narrower scope. While IAM does the 4 A’s in general, PAM does them specifically for privileged accounts.

Privileged accounts usually refers to credentials that have high clearance to do important things. A few examples are database credentials (because the account is usually used to access certain data or do administrative tasks) or server logins (SSH keys, usernames and passwords, etc.). And they are not only used by humans; they can also be used by machines, such as service accounts (accounts used by machines that require certain permissions).

To secure these things, a PAM system is placed in between the humans and the resources (DBs, servers, etc.) so that users don’t have to remember all the passwords, their sessions can be logged and monitored, access can go through proper approval flows, and all that good stuff.
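To make that “in between” concrete, here is an added example (mine, not from the original post and not any vendor’s product) of a minimal PAM-style credential broker. The class name, policy shape, target names and log format are all assumptions; what it shows is the flow the paragraph describes: the user never holds the real secret, a checkout is refused unless the user is entitled and (where required) approved, every decision is logged, and the secret is rotated when the session is checked back in.

```python
# Added illustrative example: a minimal PAM-style credential broker.
# Not a real product; names, policy shape and log format are assumptions.
import secrets
from datetime import datetime, timezone


class CredentialBroker:
    """Sits between users and targets (DBs, servers). Users never manage the
    real secret themselves, every request is policy-checked and logged, and
    the secret is rotated when the session is checked back in."""

    def __init__(self):
        self._secrets = {}        # target -> current secret (hidden from users)
        self._policy = {}         # target -> {"users": set, "approval": bool}
        self._approvals = set()   # (user, target) pairs an approver signed off
        self._sessions = {}       # session_id -> (user, target)
        self.audit = []           # every decision, granted or denied

    def _log(self, actor, action, target, outcome):
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "actor": actor, "action": action, "target": target, "outcome": outcome,
        })

    def add_target(self, target, entitled_users, approval_required):
        # The broker generates the secret; no human ever types or sees it up front.
        self._secrets[target] = secrets.token_urlsafe(24)
        self._policy[target] = {"users": set(entitled_users), "approval": approval_required}

    def approve(self, approver, user, target):
        # Single-use approval: consumed by the next successful checkout.
        self._approvals.add((user, target))
        self._log(approver, "approve", target, f"approved for {user}")

    def checkout(self, user, target):
        policy = self._policy.get(target)
        if policy is None or user not in policy["users"]:
            self._log(user, "checkout", target, "denied not-entitled")
            raise PermissionError(f"{user} is not entitled to {target}")
        if policy["approval"] and (user, target) not in self._approvals:
            self._log(user, "checkout", target, "denied approval-required")
            raise PermissionError(f"{user} needs approval for {target}")
        self._approvals.discard((user, target))
        session_id = secrets.token_hex(8)
        self._sessions[session_id] = (user, target)
        self._log(user, "checkout", target, f"granted session={session_id}")
        return session_id, self._secrets[target]

    def checkin(self, session_id):
        user, target = self._sessions.pop(session_id)
        # Rotate so the value the user saw stops working once the session ends.
        self._secrets[target] = secrets.token_urlsafe(24)
        self._log(user, "checkin", target, f"rotated session={session_id}")

    def secret_is_current(self, target, value):
        # What the target side would do to validate a presented secret.
        return secrets.compare_digest(self._secrets.get(target, ""), value)


def demo():
    """Walk through one approval flow; return the audit outcomes plus whether
    the checked-out secret was valid during, and after, the session."""
    broker = CredentialBroker()
    broker.add_target("prod-db", entitled_users=["alice"], approval_required=True)
    try:
        broker.checkout("alice", "prod-db")       # denied: no approval yet
    except PermissionError:
        pass
    broker.approve("manager", "alice", "prod-db")
    session_id, secret = broker.checkout("alice", "prod-db")
    was_valid = broker.secret_is_current("prod-db", secret)
    broker.checkin(session_id)
    still_valid = broker.secret_is_current("prod-db", secret)
    try:
        broker.checkout("bob", "prod-db")         # denied: not entitled
    except PermissionError:
        pass
    outcomes = [entry["outcome"].split()[0] for entry in broker.audit]
    return outcomes, was_valid, still_valid


if __name__ == "__main__":
    print(demo())
```

The audit list is the part to notice: denied attempts are written down just like granted ones, which is what makes the “who did what at 11:42 PM” question answerable later.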

The clear difference?

It’s the scope. IAM is the big picture comprising all 4 A’s, and in general it can be used by anyone, from customers to employees. PAM, on the other hand, is specialized for privileged accounts, so it’s used by DB admins, server admins, DevOps engineers, and anyone else who needs access to the IT infrastructure.

In addition, here’s a small mental note I use for the 4 A’s:

  • Admin usually covers user directories and identity lifecycle management.
    • Examples of user directory services: IBM Verify Directory, Microsoft Active Directory, Microsoft Azure Directory, JumpCloud Directory.
    • Examples of lifecycle management services: IBM Verify Governance, Microsoft Entra ID, CyberArk Identity Lifecycle Management.
  • Authentication usually covers MFA, SSO, federation and risk-based access; basically, verifying identities. Examples: IBM Verify Access, PingOne, Auth0 by Okta, ForgeRock Identity, Firebase Authentication, Amazon Cognito.
  • Authorization usually covers giving users access to what they’re entitled to. PAM plays a big part here, since it deals with privileged accounts. Examples include: IBM Verify Privilege, Delinea Secret Server, CyberArk PAM, BeyondTrust PAM, HashiCorp Vault, Azure Secrets Manager.
  • Audit is usually baked into all these products already: since each of them does a certain thing, like provisioning accounts or enabling access to certain resources, those actions are all logged and written down somewhere in their respective menus. It’s definitely useful to have. Let’s say someone used your PAM system and logged in in the middle of the night to do some shady stuff; the forensics team can track down who did it based on the logs, such as “user x did something at 11:42 PM”.
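The “who logged in at 11:42 PM” question is easier to answer if someone is actually looking at the audit trail. As an added example (mine, not from the post, and the log format and sample lines are constructed rather than taken from any real product), here is a small review script over PAM-style audit lines: it flags granted checkouts outside a business-hours window and users who keep getting denied on the same target. The window is in UTC for simplicity; a real deployment would convert to the team’s local timezone first.

```python
# Added illustrative example: reviewing PAM audit logs for off-hours privileged
# activity. The log format and sample lines are constructed, not a product's output.
import re
from datetime import datetime, time

# Constructed sample audit trail: "<ISO timestamp> key=value ..."
SAMPLE_LOG = """\
2024-03-04T09:15:02Z user=alice action=checkout target=prod-db outcome=granted
2024-03-04T09:47:33Z user=alice action=checkin target=prod-db outcome=rotated
2024-03-04T23:42:10Z user=x action=checkout target=prod-db outcome=granted
2024-03-05T00:03:55Z user=x action=checkout target=app-server-01 outcome=granted
2024-03-05T02:11:08Z user=bob action=checkout target=prod-db outcome=denied
2024-03-05T02:11:20Z user=bob action=checkout target=prod-db outcome=denied
2024-03-05T02:11:31Z user=bob action=checkout target=prod-db outcome=denied
2024-03-05T10:30:00Z user=carol action=checkout target=prod-db outcome=granted
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Turn one audit line into a dict with a timezone-aware timestamp,
    or None if the line does not fit the expected shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        event = dict(pair.split("=", 1) for pair in m.group("kv").split())
        event["ts"] = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    except ValueError:
        return None
    return event


def off_hours_checkouts(lines, start=time(8, 0), end=time(18, 0)):
    """Granted checkouts whose time of day falls outside [start, end)."""
    findings = []
    for line in lines:
        e = parse_line(line)
        if not e or e.get("action") != "checkout" or e.get("outcome") != "granted":
            continue
        if not (start <= e["ts"].time() < end):
            findings.append((e["user"], e["target"], e["ts"].strftime("%Y-%m-%d %H:%M")))
    return findings


def repeated_denials(lines, threshold=3):
    """(user, target) pairs denied at least `threshold` times."""
    counts = {}
    for line in lines:
        e = parse_line(line)
        if e and e.get("outcome") == "denied":
            key = (e["user"], e["target"])
            counts[key] = counts.get(key, 0) + 1
    return sorted(k for k, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for user, target, when in off_hours_checkouts(lines):
        print(f"off-hours checkout: {user} on {target} at {when} UTC")
    for user, target in repeated_denials(lines):
        print(f"repeated denials: {user} on {target}")
```

Run against the sample, it reports user x’s two night-time checkouts and bob’s three back-to-back denials on prod-db; both are the kind of thing the forensics team wants surfaced rather than buried in a menu.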

And that’s it. Thanks for reading.

Trying something a little bit different today. I know I’ve largely written in Indonesian in the past, but this time I’m feeling a little different, so I’ve just gone ahead and done it. This may be a bit of a breath of fresh air compared to my usual writing style.

If you think it would be better for me to just use Indonesian, just say so. I’ll make a fully Indonesian version again.

(Or maybe it’s better like this?)

Extra references if you’re interested in reading more:

https://www.ibm.com/id-id/think/topics/privileged-access-management
https://delinea.com/what-is/privileged-account
https://www.cyberark.com/what-is/privileged-access-management/
