Get to know the gatekeepers of privileged access.
There has been a lot of discussion around privileged identity management (PIM) and privileged access management (PAM), and how they are related. There is also some confusion over what they do and where they live within the Microsoft identity space.
By the end of this blog, you will have a better idea of what they do, where they do it, and why they’re a good idea.
Every IT system can be split into a set of privileges. There is always an administrator role (it could be called supervisor, admin or ‘big boss’), there may be a management role, and there is a user role.
If we look at a system that everyone uses (as an example, let’s say timesheets), then every user has to have an account – we all have to submit timesheets! But some users also have to manage the timesheet system: removing rogue records, setting up new project codes, creating new IDs, etc.
View 'Microsoft identity stack demos: Overcoming typical challenges when setting up new user' and learn about:
In the past, it has required some form of separation of duties for the same account so that mistakes are not made. This means that the people who are doing the administration need to have two accounts with two passwords. Quite often these become conflated and the admin account becomes the de-facto standard and is always in use.
With directory services and other back end services, this becomes more of an issue. If this was a secure location that we needed access to, we would put the keys in a box and make people sign them out when they needed them.
“When a user needs to elevate their privileges, they go to the PIM or PAM site and ask for permission to take the keys.”
What we really need is the same sort of control, with an audit log, for the IT systems. When an administrator needs to complete administration tasks then they ask for the keys, do the work, and then return them.
In effect, this is what PIM and PAM do. When a user needs to elevate their privileges, they go to the PIM or PAM site and ask for permission to take the keys. Once this is approved, they are granted the relevant privileges and can do the work. After a set period the keys are taken back from them and they become a normal user again.
Because the request is audited it is easy to see who had the keys and when. Mistakes become less likely as the user does not always have the higher-level access.
So, why do we have PIM and PAM? Simply put, we have two different directory environments – Active Directory (AD) and Azure Active Directory (AAD). One being on-premises (AD), and one in the Cloud (AAD). PAM deals with elevated privileges on-premises with any system that uses Active Directory to control the access. PIM does the same sort of thing for access to roles in Azure AD.
Easy to remember if you think that ‘pAm’ is Active Directory and ‘pIm’ is Internet.
PIM and PAM are related but live in two different realms. One provides the access to AD resources and one to the Internet. Cousins separated by an Internet pipe. Providing access to elevated privileges for the right users, when they need them. Both have their place, but work independently to control privileged access to services.
Next, watch the Microsoft identity stack demos to see how Microsoft’s key identity management technologies enable seamless user creation journeys.
Or download the identity trends e-Guide to learn what’s driving demand for modern IAM.
Simply request a free Vision Call. We can help you with solution ideas, technology education, best practice advice and more.Request Vision Call
Eight-time winner of the Microsoft Partner of the Year Award for Identity Management, Enterprise Mobility, and Security and Compliance.
You are seeing this because you are using a browser that is not supported. The ThirdSpace website is built using modern technology and standards. We recommend upgrading your browser with one of the following to properly view our website:Windows
Please note that this is not an exhaustive list of browsers. We also do not intend to recommend a particular manufacturer's browser over another's; only to suggest upgrading to a browser version that is compliant with current standards to give you the best and most secure browsing experience.