The rise of remote work and cloud adoption forever changed the way organizations manage and safeguard user identities. As distributed workplaces increase in popularity, so does the occurrence of data breaches and other cyberattacks. This is especially true for privileged accounts, those users who hold above-average permissions.
The best way to protect privileged identities from cybercriminals is by implementing a comprehensive privileged access management (PAM) strategy. But what PAM is and isn’t, especially with related terms like privileged identity management (PIM) and privileged user management (PUM) floating around, can be confusing.
In this article, we’ll decode the common security acronyms PAM, PIM, and PUM, explain their similarities and differences, and talk about how they all fit into a holistic security strategy.
What Is Privileged Access Management?
Let’s start with demystifying PAM, because it is the larger framework that PIM and PUM both belong to. If you’re familiar with identity and access management (IAM), PAM is the counterpart that focuses exclusively on privileged accounts. The concept of privileged access management revolves around how to protect accounts with uniquely powerful permissions.
Definition of PAM
The best way to define PAM is by breaking it into its two main components: privileged access and least privilege.
For access to be considered “privileged,” the account holder must have permissions above and beyond a “standard” user. These people, sometimes called superusers, may have some type of admin privileges, or access to sensitive information, like company financials or personnel files.
For a privileged account to operate based on least privilege, users must have access to the fewest apps and accounts possible, without restricting what they need to do their job. Combining least privilege with privileged access means that only certain accounts are privileged with the more sensitive information and admin rights, while every account, privileged or not, has the most limited access it can get by with.
The framework for putting these two principles into practice is what PAM is all about: managing who has privileged accounts while ensuring all accounts have the least privileges possible.
PAM Use Cases
In action, privileged access management can have several applications. Let’s look at a few examples of PAM in a typical organization.
- IT admins hold privileged accounts, since they can access the underlying tools that manage user passwords, remote overrides, and software updates. But operating in a PAM framework with least privilege, even these accounts can’t see irrelevant sensitive info, like company financials or employee files.
- A CFO’s account is privileged, since he or she will be able to access all company financial documents, spreadsheets, and servers. But in a PAM organization, even the CFO can’t access IT admin resources, or applications used by Marketing, for example.
- A contracted web designer hired externally on a project-by-project basis has a privileged account if they have access to the backend of the company website. But a PAM framework would ensure they can’t access any employee-only resources.
Privileged access isn’t limited to one pay grade or team. Any application or server that only a select group of employees can access has the potential to be considered “privileged,” and must therefore be managed carefully.
What Is Privileged Identity Management (PIM)?
Privileged identity management, or PIM, is a subsection of PAM. While the term used to be a general reference to managing the identities of privileged users, it was commercialized by Microsoft, and now relates specifically to Azure Active Directory (AD).
Definition of PIM
PIM can be a confusing acronym, because it has two definitions that are related, but certainly not the same. The more general definition of PIM is the management of which applications and data a privileged identity can access. Basically, in the PAM framework, it’s the part of the approach that focuses on identities.
While this definition is technically accurate, the term PIM has been adopted by Microsoft in recent years to refer to a specific subset of identity management. In the Microsoft context, PIM is the PAM strategy pertaining specifically to Azure Active Directory. Microsoft uses PAM and PIM to differentiate between its on-prem Active Directory, which manages privileged accounts with PAM, and its cloud platform, whose privileged management is called PIM. When using Azure, IT admins can log in to the Privileged Identity Quickstart menu to set PAM controls for remote systems. Both definitions of PIM are correct, but these days the Microsoft definition is more common.
PIM Use Cases
In action, privileged identity management can have several applications. Let’s look at a few examples of PIM in a typical organization.
- A Privileged Role Administrator or Global Administrator running Azure AD can set up PIM in the application. This version of PIM allows admins to enable or disable permissions for specific roles, accept or deny user access requests, and enforce multi-factor authentication (MFA).
- A Microsoft-based IT admin who has both an on-prem Active Directory and Azure AD can use PIM to set up a cloud security framework that mirrors the on-prem PAM framework.
While these use cases are specific to the Microsoft active directory space, this is the most common use of the PIM acronym, so it makes sense to focus our attention here. The use case for PIM’s broader, more generic definition would be very similar to the above PAM use cases.
What Is Privileged User Management (PUM)?
The final acronym to decode is privileged user management, or PUM. PAM and PUM are sometimes incorrectly used interchangeably. While they are both related to maintaining privileged account security, the type of account they each secure is distinct.
Definition of PUM
While PAM is the broader umbrella, and PIM is effectively PAM for Azure AD, PUM refers to managing privileged permissions at the level of the user, instead of by device, platform, or identity.
PUM relates specifically to the system’s built-in privileged accounts, like administrator or root accounts. While a typical PAM account has one user per account, the number of PUM accounts is often limited by the application or system that created them, so they are usually shared between multiple users within the organization. Because they are shared amongst users, they are typically accessed with a password that can be safeguarded using single sign-on (SSO) for added security.
PUM accounts can be thought of like books in a library. There are a finite number of copies of a book that can be checked out at any given time. You have to get “permission” from the librarian to remove the book, and it must be returned at a predetermined time. Similarly, IT admins can check PUM accounts out to a user, and establish an expiration date where the user will no longer have access to the privileged resource. Because accessing these accounts requires direct oversight from IT, they can easily be kept track of, and passwords can be changed as often as necessary to maintain security.
PUM Use Cases
Privileged user management may seem like the most foreign of the three concepts to understand, so here’s an analogy to help you with the difference between PUM and PAM.
- Say you start at a new company and you’re given an access badge to enter the building from the parking lot. But you’re an IT admin, so for a couple days while you’re upgrading hardware, you need privileged access to the on-prem server room.
In a PAM example, the security team may rescan your normal employee badge to allow it to access the server room for a specified period of time. Theoretically, they can make as many of these “temporary keys” as they need to. In a PUM example, on the other hand, instead of changing the clearance on your normal badge, security would check out a second badge to you specifically for the server room, that must be returned by a specified date. Since there are only a limited number of these privileged badges, if they are all in use, you may have to wait for your turn to check them out. Keeping the number of privileged badges low makes them easier for security to track and maintain.
Both PUM and PAM may have a functional place in your organization. While PAM allows for an unlimited amount of privileged accounts for a limited amount of time, PUM limits the number of privileged users at any given time. There are pros and cons to both models, and one may naturally lend itself to your security needs more than the other.
JumpCloud: Modern Management of Privileged Accounts
Regardless of whether your company uses Windows, Mac, or Linux systems, or a combination of the three, the gold standard in a PAM/PUM framework will always be integration with a cloud-native platform. Remote and hybrid workplace models already call for these technologies, but they also streamline access management for IT teams. In the PAM market, this tech is called a Cloud Directory Platform.
A modern Cloud Directory Platform offers an efficient, combined approach to PAM and PIM by bringing directory services, privileged account management, directory extensions, web app SSO, and multi-factor authentication into one optimized solution.
These platforms offer centralized privileged identities instantly mapped to IT resources like devices, applications, and networks, regardless of platform, provider, location, or protocol. They also leverage multiple protocols such as LDAP, RADIUS, SAML, and SCIM so IT admins can seamlessly provision and deprovision, while users have secure, frictionless access to their resources.
If you’re interested in learning more about how to implement a PAM or PUM solution, drop us a note. We’d love to chat about how you can leverage JumpCloud’s Cloud Directory Platform, or try it yourself by signing up for a free account. Your first 10 users and 10 systems are free. If you have any questions, access our in-app chat 24×7 during the first 10 days and a customer success engineer will be there to help.