IT Security Fundamentals

To understand Privileged Access Management (PAM), it’s important to cover some key IT security concepts, including IAM vs. PAM, the CIA Triad, and the difference between Authentication and Authorization, among others. Stay with me, as a number of these terms will be helpful to you as you learn about IT Security and PAM.

Privilege

In this context, privilege is the ability to perform actions that standard accounts can’t: for example, installing software, remotely accessing the servers that run the company website, or changing system configuration on workstations or servers. Various types of accounts can hold privilege, including personal accounts, shared accounts, and service accounts.

IAM vs. PAM

  • IAM (Identity and Access Management) manages user identities and access across systems, focusing on regular users.
  • PAM (Privileged Access Management) specifically secures, manages, and monitors privileged accounts (e.g., administrators) that have elevated access to critical systems.

The CIA Triad

No, not that CIA. In IT Security this refers to Confidentiality, Integrity, and Availability, also known as the CIA triad. These are the core properties that IT security programs are built around.

  • Read — Confidentiality is where only authorized users are allowed to read or see data.
  • Write — Integrity is where only authorized users are allowed to update or write data.
  • Up — Availability is ensuring systems are up and running for use by the business.

PAM is crucial in protecting privileged access, supporting all three principles by limiting access to sensitive systems and data.

Authentication vs. Authorization

  • Authentication verifies a user’s identity (e.g., via username/password or MFA).
  • Authorization determines what actions an authenticated user can perform.

For example:

  • Authentication is where, say, Jamal has his login ID and password and is able to log into his laptop. He is then able to use that account to do his work on the laptop. In this case, Active Directory authenticates the correctly provided login and password.
  • Authorization is where Jamal’s account has access to the various items he needs to work. So he would be authorized for an email account, a domain user account (which allows him to log into the laptop in the first place), SharePoint access to share documents, etc. He is not authorized, however, to log directly into servers, install software, or grant other accounts access.

Least Privilege

  • Least Privilege ensures users and systems only have the minimum necessary permissions to perform their tasks. This reduces the attack surface and limits the damage in case of a breach. It’s a core concept in PAM and is key to reducing security risks.

Role-Based Access Control (RBAC)

  • RBAC is a method of restricting system access based on the roles of individual users within an organization. It helps ensure that employees have only the permissions necessary for their roles. This ties into both authorization and least privilege, particularly in PAM systems where you define who can access what based on their role.
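The Jamal walk-through above, the Least Privilege item, and RBAC together in one piece of code. This is an added example, not code from the course or from any PAM product: the directory, the accounts (jamal, priya), the roles, and the permission names are all constructed for illustration. Authentication answers "who are you?" against a salted password hash; authorization answers "what may you do?" by looking up the user's roles, and it denies by default, which is least privilege expressed in code.

```python
# Added example (not from the course): authentication and authorization as two
# separate steps, with role-based, deny-by-default authorization.
# All accounts, roles, and permission names below are constructed for illustration.
import hashlib
import hmac
import os

# --- Authentication: "who are you?" -----------------------------------------
# The directory stores only a salted PBKDF2 hash, never the password itself.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def create_user(directory: dict, username: str, password: str) -> None:
    salt = os.urandom(16)
    directory[username] = (salt, _hash_password(password, salt))

def authenticate(directory: dict, username: str, password: str) -> bool:
    """Return True only if the username exists and the password matches."""
    record = directory.get(username)
    if record is None:
        return False
    salt, stored = record
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(stored, _hash_password(password, salt))

# --- Authorization: "what may you do?" ---------------------------------------
# Permissions are attached to roles, and users are assigned roles (RBAC).
ROLE_PERMISSIONS = {
    "employee": {"email:use", "workstation:login", "sharepoint:write"},
    "server_admin": {"server:login", "software:install"},
    "iam_admin": {"access:grant"},
}
USER_ROLES = {"jamal": {"employee"}, "priya": {"employee", "server_admin"}}

def authorized(username: str, action: str) -> bool:
    """Deny by default: allow only if some role of the user grants the action."""
    for role in USER_ROLES.get(username, set()):
        if action in ROLE_PERMISSIONS.get(role, set()):
            return True
    return False

def attempt(directory: dict, username: str, password: str, action: str) -> str:
    """Run both checks in order and report the outcome."""
    if not authenticate(directory, username, password):
        return "authentication failed"
    if not authorized(username, action):
        return "authenticated but not authorized"
    return "allowed"

if __name__ == "__main__":
    directory = {}
    create_user(directory, "jamal", "correct horse battery staple")  # constructed password
    for action in ("email:use", "server:login", "access:grant"):
        print(action, "->", attempt(directory, "jamal", "correct horse battery staple", action))
```

Run as a script, it shows Jamal allowed to use email, and "authenticated but not authorized" for logging into a server or granting access: the password was right, but no role he holds carries those permissions. Giving Jamal the server_admin role is the only way to change that, which is exactly the kind of decision a PAM system records and reviews.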

Multi-Factor Authentication (MFA)

  • MFA requires users to provide two or more verification factors to gain access to a system. This adds an extra layer of security beyond just usernames and passwords, making it harder for attackers to gain unauthorized access, especially to privileged accounts.
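What "two or more verification factors" looks like when checked by a server, as an added example that is not part of the course. It verifies a password (something you know) and a time-based one-time code (something you have: an authenticator app) using the standard TOTP construction from RFC 6238 over HOTP from RFC 4226. The user record, the salt, and the password are constructed; the TOTP secret is the RFC 6238 test-vector secret so the codes can be checked against the published vectors.

```python
# Added example (not from the course): verifying a password plus a time-based
# one-time code (TOTP, RFC 6238) as a second factor. The user record, salt and
# password below are constructed for illustration.
import hashlib
import hmac
import struct
import time
from typing import Optional

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password: HOTP over the current 30-second window."""
    return hotp(secret, int(at) // step, digits)

def verify_totp(secret: bytes, code: str, at: float, window: int = 1) -> bool:
    """Accept the code for the current window and +/- `window` neighbours,
    tolerating small clock drift between the authenticator app and the server."""
    counter = int(at) // 30
    return any(hmac.compare_digest(hotp(secret, counter + d).encode(), code.encode())
               for d in range(-window, window + 1))

# Constructed user record: password hash (factor 1) and TOTP secret (factor 2).
SALT = b"constructed-salt"
USERS = {
    "jamal": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"s3cret-pass", SALT, 100_000),
        "totp_secret": b"12345678901234567890",   # RFC 6238 test-vector secret
    }
}

def login(username: str, password: str, code: str, at: Optional[float] = None) -> bool:
    """Both factors must pass; a correct password alone is not enough."""
    user = USERS.get(username)
    if user is None:
        return False
    at = time.time() if at is None else at
    pw_ok = hmac.compare_digest(
        user["pw_hash"],
        hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000))
    code_ok = verify_totp(user["totp_secret"], code, at)
    # Both checks are evaluated before combining so a failure in one does not
    # short-circuit the other.
    return pw_ok and code_ok
```

With the test-vector secret, `totp(secret, 59)` yields 287082 (the 8-digit vector in RFC 6238 is 94287082; the last six digits are the 6-digit code). The important design point for privileged accounts is in `login`: a stolen or guessed password is not sufficient on its own, because the second factor is a fresh code derived from a secret that never leaves the authenticator.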

Audit and Monitoring

  • Audit refers to tracking and recording user actions on systems, especially privileged activities. Monitoring these activities in real time can help detect and respond to suspicious behavior quickly, which is essential for protecting privileged accounts and systems.
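A small monitoring pass over an audit log, added here as an example and not taken from the course or any PAM product. The log format (timestamp followed by key=value fields), the sample lines, the approved-admin list, and the two rules are all constructed. The point it shows is the difference between auditing and monitoring: every line is recorded, but only privileged actions by unapproved accounts, or repeated failed privileged attempts, produce an alert.

```python
# Added example (not from the course): a small audit-log check that raises
# alerts on privileged activity. The log format, hosts, accounts and rules below
# are constructed for illustration; a real PAM tool ships its own log format.
from collections import defaultdict
from datetime import datetime

PRIVILEGED_ACTIONS = {"server:login", "software:install", "access:grant"}
APPROVED_ADMINS = {"priya"}          # accounts allowed to perform privileged actions
FAILURE_THRESHOLD = 3                # failed privileged attempts before alerting

# Constructed sample log lines (key=value format chosen for this example).
SAMPLE_LOG = """\
2024-05-01T09:02:11Z user=jamal action=email:use result=success host=laptop-17
2024-05-01T09:15:40Z user=priya action=server:login result=success host=web01
2024-05-01T09:16:02Z user=jamal action=server:login result=failure host=web01
2024-05-01T09:16:09Z user=jamal action=server:login result=failure host=web01
2024-05-01T09:16:15Z user=jamal action=server:login result=failure host=web01
2024-05-01T02:40:33Z user=svc_backup action=software:install result=success host=db02
"""

def parse_line(line: str) -> dict:
    """Turn one 'timestamp k=v k=v ...' line into a dict with a parsed time."""
    ts, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["time"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return event

def detect(log_text: str) -> list:
    """Return human-readable alerts for the privileged events in log_text."""
    alerts = []
    failures = defaultdict(int)      # per-account count of failed privileged attempts
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev["action"] not in PRIVILEGED_ACTIONS:
            continue                 # ordinary activity: audited, but not alerted on
        if ev["result"] == "success" and ev["user"] not in APPROVED_ADMINS:
            alerts.append(f"{ev['time']:%H:%M:%S} unapproved account {ev['user']} "
                          f"performed {ev['action']} on {ev['host']}")
        if ev["result"] == "failure":
            failures[ev["user"]] += 1
            if failures[ev["user"]] == FAILURE_THRESHOLD:
                alerts.append(f"{ev['time']:%H:%M:%S} {FAILURE_THRESHOLD} failed "
                              f"privileged attempts by {ev['user']} on {ev['host']}")
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample log, priya's server login is recorded but raises nothing, jamal's third failed server login raises one alert, and the service account installing software on db02 raises another because it is not on the approved list. Thresholds and the approved set are the policy knobs a security team would tune.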

Password Management

  • Proper management of passwords, especially for privileged accounts, is essential in any PAM strategy. This includes password rotation, vaulting (storing passwords securely), and ensuring passwords are strong and complex to avoid being easily compromised.
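The three activities named above (rotation, vaulting, and strength) in a minimal form, as an added example that is not the course's own material or any product's code. The rotation period, minimum length, account names, and sample passwords are constructed. The vault here keeps entries in memory to keep the example short; a real vault encrypts them at rest and controls who may check them out.

```python
# Added example (not from the course): rotation, vaulting and strength checks
# for privileged passwords in a minimal form. Policy numbers, account names
# and sample passwords are constructed for illustration.
import secrets
import string
from datetime import datetime, timedelta, timezone

ROTATION_PERIOD = timedelta(days=30)   # constructed policy: rotate every 30 days
MIN_LENGTH = 20                        # constructed policy: minimum length

def generate_password(length: int = 24) -> str:
    """Random password from a CSPRNG with at least one character of each class."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    chars = [secrets.choice(c) for c in classes]
    chars += [secrets.choice("".join(classes)) for _ in range(length - len(classes))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)

def is_strong(password: str) -> bool:
    """Length plus all four character classes, per the constructed policy."""
    return (len(password) >= MIN_LENGTH
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))

class Vault:
    """Holds privileged credentials and tracks when each was last rotated.
    Entries are kept in memory here only for brevity."""
    def __init__(self):
        self._entries = {}   # account -> (password, last_rotated)

    def store(self, account: str, password: str, now: datetime) -> None:
        if not is_strong(password):
            raise ValueError(f"password for {account} does not meet policy")
        self._entries[account] = (password, now)

    def rotate(self, account: str, now: datetime) -> str:
        new_password = generate_password()
        self.store(account, new_password, now)
        return new_password

    def due_for_rotation(self, now: datetime) -> list:
        return sorted(acct for acct, (_, rotated) in self._entries.items()
                      if now - rotated >= ROTATION_PERIOD)

def example_run() -> dict:
    """Constructed walk-through: one stale entry, one fresh entry, then rotate."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    vault = Vault()
    vault.store("db02-sa", "Zq8!mN2#vL9$wP4&kT7*xR", now - timedelta(days=45))
    vault.store("web01-root", "Hy5^tB3%nQ8(rM1)zF6@cW", now - timedelta(days=2))
    due_before = vault.due_for_rotation(now)
    new_password = vault.rotate("db02-sa", now)
    return {"due_before": due_before,
            "due_after": vault.due_for_rotation(now),
            "new_password": new_password}

if __name__ == "__main__":
    print(example_run())
```

`example_run` shows the cycle: the entry last rotated 45 days ago is reported as due, rotating it stores a freshly generated password that passes the strength check, and the due list is then empty. Refusing to store a weak password in `store` is what keeps "strong and complex" from being a guideline only.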
