How Privilege Management Improves Identity Governance

Mike Campbell, Senior Consultant, SecureITsource, Inc.

Identity and Access Management (IAM) covers a considerable portion of the information security domain, from providing employees and customers access to systems and applications, to managing the lifecycle of the accounts those users use to access them. IAM can create “identities” that encapsulate a user’s access to most of the organization’s assets. It is also reasonably good at providing a workflow for requesting access to most applications. And it can provide single sign-on capabilities that allow users to log into these accounts with a single password. But the scope of most IAM products is the application level. They do not consider access to servers, hardware consoles and network devices, and when they do, they do not secure those systems adequately.

That is why no single product tries to tackle both Identity and Access Management and Privileged Access Management (PAM). Privileged access refers to accounts that have elevated permissions on a system. The person with access to a privileged account typically has full access to the system and can perform actions that the organization may not want to allow. IAM may provision a user into the correct security group to be able to access a server, but it cannot control how the user accesses the server or what the user does while logged in.

This division between access to applications hosted on servers or in the cloud and access to the servers and cloud consoles themselves is why two products are needed to cover the full scope of identity governance in an organization. While an application’s administrators may also have server access, the two administrator groups overlap rather than coincide. You may have business users administering a line-of-business application and an engineer administering the server that the application runs on. Both scenarios involve privileged access, but to different things, with different consequences if the accounts were compromised.

PAM can indeed be used in both scenarios: securely storing account passwords, connecting to applications and servers to rotate passwords periodically, and providing isolated and monitored sessions to applications and systems. While PAM is typically oriented toward access to servers and network devices and IAM is focused on access to applications, the two join forces to create an auditable, secure channel for all identities, human or not, to do their jobs.

Many organizations use shared accounts to manage systems and service accounts to manage applications and the interactions between them. These accounts likely do not belong to any specific person (although every account should have an owner) and thus are not considered in identity governance. However, these accounts are some of the most important and can cause the most damage if they are compromised or used maliciously. Using both IAM and PAM tools in an overall identity governance program helps secure privileged and non-privileged accounts, human and non-human, by monitoring the identity that accesses them.

Covering both aspects provides a unified look into what is going on across the enterprise and who is doing it. IAM can provide access request workflows, lifecycle management, and governance of privileged accounts where typical PAM solutions cannot by themselves. PAM can provide security around the accounts that IAM tools can only provide access to. Most compliance standards that healthcare, financial and manufacturing organizations need to abide by include aspects of privilege management and access governance.

When used together, IAM and PAM tools provide more value than they do independently. For example, a user can use the same portal to request access to applications and servers. Segregation of duties and approvals can be tracked and audited. The lifecycle of privileged accounts, including provisioning and deprovisioning, can be triggered automatically by rules in the IAM system. Directory services can be enhanced by feeding identity information back and forth between the two systems. An advanced integration can go further, limiting the privileges an identity has on an account and providing analytics on how these accounts are used throughout the enterprise.
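The governance checks the last two paragraphs describe (ownerless shared and service accounts, deprovisioning driven by IAM lifecycle state, segregation of duties, and periodic password rotation) can be reduced to a reconciliation between an IAM identity feed and a PAM vault inventory. The script below is an added example and is not part of this post, nor code from CyberArk, SailPoint or any other product; the records, field names, status vocabulary and SoD policy are all constructed assumptions standing in for whatever a real export would carry.

```python
"""Reconcile an IAM identity feed against a PAM vault inventory.

Added illustration only: this is not SecureITsource's, CyberArk's or
SailPoint's code. Every record below is constructed sample data, and the
field names are assumptions about what such exports might carry.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Identity:
    identity_id: str
    status: str                # "active" or "terminated" (assumed vocabulary)
    roles: FrozenSet[str]      # entitlements granted through IAM


@dataclass(frozen=True)
class VaultAccount:
    account: str
    target: str
    owner: Optional[str]       # identity_id of the owner, None if nobody claims it
    last_rotated_days: int     # days since PAM last rotated the password


# Constructed IAM feed: an application admin, a server engineer, a leaver whose
# account is still in the vault, and one user who holds both admin roles.
IDENTITIES: List[Identity] = [
    Identity("jdoe", "active", frozenset({"app_admin"})),
    Identity("asmith", "active", frozenset({"server_admin"})),
    Identity("bjones", "terminated", frozenset({"server_admin"})),
    Identity("cwu", "active", frozenset({"app_admin", "server_admin"})),
]

# Constructed vault inventory: a line-of-business application admin account, a
# root account owned by the leaver, an ownerless service account, and a network
# device account whose listed owner does not exist in the IAM feed at all.
VAULT: List[VaultAccount] = [
    VaultAccount("lob-app-admin", "erp.example.internal", "jdoe", 30),
    VaultAccount("root", "erp-db-01.example.internal", "bjones", 120),
    VaultAccount("svc-etl", "etl-01.example.internal", None, 400),
    VaultAccount("admin", "switch-core-01.example.internal", "ghost", 10),
]

# Assumed segregation-of-duties policy: nobody administers both the application
# and the server it runs on.
SOD_CONFLICTS = [frozenset({"app_admin", "server_admin"})]


def find_unowned(vault: List[VaultAccount]) -> List[str]:
    """Shared/service accounts with no owner cannot be governed by anyone."""
    return sorted(a.account for a in vault if a.owner is None)


def find_orphaned(identities: List[Identity], vault: List[VaultAccount]) -> List[str]:
    """Accounts whose owner left or was never a known identity: deprovision candidates."""
    by_id = {i.identity_id: i for i in identities}
    orphaned = []
    for acct in vault:
        if acct.owner is None:
            continue  # reported separately by find_unowned
        owner = by_id.get(acct.owner)
        if owner is None or owner.status == "terminated":
            orphaned.append(acct.account)
    return sorted(orphaned)


def find_sod_conflicts(identities: List[Identity]) -> List[str]:
    """Identities holding a role combination the policy forbids."""
    return sorted(
        i.identity_id
        for i in identities
        if any(conflict <= i.roles for conflict in SOD_CONFLICTS)
    )


def find_stale_rotation(vault: List[VaultAccount], max_age_days: int = 90) -> List[str]:
    """Accounts PAM has not rotated within the policy window."""
    return sorted(a.account for a in vault if a.last_rotated_days > max_age_days)


def lifecycle_actions(identities: List[Identity], vault: List[VaultAccount]) -> List[Tuple[str, str]]:
    """Turn IAM lifecycle state into PAM actions: a terminated owner means the
    vaulted credential is rotated and the leaver's access to it is revoked."""
    terminated = {i.identity_id for i in identities if i.status == "terminated"}
    return [("rotate_and_revoke", a.account) for a in vault if a.owner in terminated]


def reconcile(identities: List[Identity], vault: List[VaultAccount]) -> Dict[str, List[str]]:
    """One report a governance reviewer can act on."""
    return {
        "unowned": find_unowned(vault),
        "orphaned": find_orphaned(identities, vault),
        "sod_conflicts": find_sod_conflicts(identities),
        "stale_rotation": find_stale_rotation(vault),
    }


if __name__ == "__main__":
    for finding, items in reconcile(IDENTITIES, VAULT).items():
        print(f"{finding}: {items}")
    print("lifecycle actions:", lifecycle_actions(IDENTITIES, VAULT))
```

On the sample data the report flags the ownerless `svc-etl` account, the `root` and `admin` accounts as orphaned (owner terminated and owner unknown to IAM, respectively), `cwu` as a segregation-of-duties conflict, and `root` and `svc-etl` as overdue for rotation; the lifecycle step turns the leaver event into a single rotate-and-revoke action on `root`. The same joins are what an IAM-to-PAM integration automates, with the IAM system supplying the identity feed and the PAM system supplying the inventory and executing the actions.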

Like our content? Meet some of SecureITSource’s experts at CyberArk Impact 2018, July 16-18th in Boston, where we will be showcasing an integration between CyberArk’s Privileged Access Security and SailPoint’s IdentityIQ solutions.