PAM vs. PIM vs. PUM: Decoding Security Acronyms

JumpCloud blog, published 2022-04-19 (last modified 2023-01-11). https://jumpcloud.com/blog/pam-vs-pim-vs-pum

The rise of remote work and cloud adoption forever changed the way organizations manage and safeguard user identities. As distributed workplaces increase in popularity, so does the occurrence of data breaches and other cyberattacks. This is especially true for privileged accounts, the users who hold above-average permissions.

The best way to protect privileged identities from cybercriminals is by implementing a comprehensive privileged access management (PAM) strategy. But what PAM is and isn’t, especially with related terms like privileged identity management (PIM) and privileged user management (PUM) floating around, can be confusing.

In this article, we’ll decode the common security acronyms PAM, PIM, and PUM, explain their similarities and differences, and talk about how they all fit into a holistic security strategy.

What Is Privileged Access Management?

Let’s start with demystifying PAM, because it is the larger framework that PIM and PUM both belong to. If you’re familiar with identity and access management (IAM), PAM is the counterpart that focuses exclusively on privileged accounts. The concept of privileged access management revolves around how to protect accounts with uniquely powerful permissions.

Definition of PAM

The best way to define PAM is by breaking it into its two main components: privileged access and least privilege.

For access to be considered “privileged,” the account holder must have permissions above and beyond a “standard” user. These people, sometimes called superusers, may have some type of admin privileges, or access to sensitive information, like company financials or personnel files.

For a privileged account to operate based on least privilege, users must have access to the fewest apps and accounts possible, without restricting what they need to do their job. Combining least privilege and privileged access together means that only certain accounts are privileged with the more sensitive information and admin rights, but all accounts have the most limited access.

The framework for putting these two principles into practice is what PAM is all about: managing who has privileged accounts while ensuring all accounts have the least privileges possible.

PAM Use Cases

In action, privileged access management can have several applications. Let’s look at a few examples of PAM in a typical organization.

Privileged access isn’t limited to one pay grade or team. Any application or server that only a select group of employees can access has the potential to be considered “privileged,” and must therefore be managed carefully.

What Is Privileged Identity Management (PIM)?

Privileged identity management, or PIM, is a subsection of PAM. While the term used to be a general reference to managing the identities of privileged users, it was commercialized by Microsoft, and now relates specifically to Azure Active Directory (AD).

Definition of PIM

PIM can be a confusing acronym, because it has two definitions that are related, but certainly not the same. The more general definition of PIM is the management of which applications and data a privileged identity can access. Basically, in the PAM framework, it’s the part of the approach that focuses on identities.

While this definition is technically accurate, the term PIM has been adopted by Microsoft in recent years to refer to a specific subset of identity management. In the Microsoft context, PIM is the PAM strategy pertaining specifically to Azure Active Directory. Microsoft uses PAM and PIM to differentiate between their on-prem Active Directory, which manages privileged accounts with PAM, and their cloud platform, whose privileged management is called PIM. When using Azure, IT admins can log in to the Privileged Identity Quickstart menu to set PAM controls for remote systems. Both definitions of PIM are correct, but these days the Microsoft definition is more common.

PIM Use Cases

In action, privileged identity management can have several applications. Let’s look at a few examples of PIM in a typical organization.

While these use cases are specific to the Microsoft Active Directory space, this is the most common use of the PIM acronym, so it makes sense to focus our attention here. The use case for PIM’s broader, more generic definition would be very similar to the above PAM use cases.

What Is Privileged User Management (PUM)?

The final acronym to decode is privileged user management, or PUM. PAM and PUM are sometimes incorrectly used interchangeably. While they are both related to maintaining privileged account security, the type of account they each secure is distinct.

Definition of PUM

While PAM is the broader umbrella, and PIM is effectively PAM for Azure AD, PUM refers to managing privileged permissions at the level of the user, instead of by device, platform, or identity.

PUM relates specifically to the system’s built-in privileged accounts, like administrator or root accounts. While a typical PAM account has one user per account, the number of PUM accounts is often limited by the application or system that created them, so they are usually shared between multiple users within the organization. Because they are shared amongst users, they are typically accessed with a password that can be safeguarded using single sign-on (SSO) for added security.

PUM accounts can be thought of like books in a library. There are a finite number of copies of a book that can be checked out at any given time. You have to get “permission” from the librarian to remove the book, and it must be returned at a predetermined time. Similarly, IT admins can check PUM accounts out to a user, and establish an expiration date after which the user will no longer have access to the privileged resource. Because accessing these accounts requires direct oversight from IT, they are easy to track, and passwords can be changed as often as necessary to maintain security.

PUM Use Cases

Privileged user management may seem like the most foreign of the three concepts to understand, so here’s an analogy to help you with the difference between PUM and PAM.

In a PAM example, the security team may rescan your normal employee badge to allow it to access the server room for a specified period of time. Theoretically, they can make as many of these “temporary keys” as they need to. In a PUM example, on the other hand, instead of changing the clearance on your normal badge, security would check out a second badge to you specifically for the server room, which must be returned by a specified date. Since there are only a limited number of these privileged badges, if they are all in use, you may have to wait for your turn to check them out. Keeping the number of privileged badges low makes them easier for security to track and maintain.

Both PUM and PAM may have a functional place in your organization. While PAM allows for an unlimited number of privileged accounts for a limited amount of time, PUM limits the number of privileged users at any given time. There are pros and cons to both models, and one may naturally lend itself to your security needs more than the other.

JumpCloud: Modern Management of Privileged Accounts

Regardless of whether your company uses Windows, Mac, or Linux systems, or a combination of the three, the gold standard in a PAM/PUM framework will always be integration with a cloud-native platform. Remote and hybrid workplace models already call for these technologies, but they also streamline access management for IT teams. In the PAM market, this tech is called a Cloud Directory Platform.

A modern Cloud Directory Platform offers an efficient, combined approach to PAM and PIM by bringing directory services, privileged account management, directory extensions, web app SSO, and multi-factor authentication into one optimized solution.

These platforms offer centralized privileged identities instantly mapped to IT resources like devices, applications, and networks, regardless of platform, provider, location, or protocol. They also leverage multiple protocols such as LDAP, RADIUS, SAML, and SCIM so IT admins can seamlessly provision and deprovision, while users have secure, frictionless access to their resources.

If you’re interested in learning more about how to implement a PAM or PUM solution, drop us a note. We’d love to chat about how you can leverage JumpCloud’s Cloud Directory Platform, or try it yourself by signing up for a free account. Your first 10 users and 10 systems are free. If you have any questions, access our in-app chat 24×7 during the first 10 days and a customer success engineer will be there to help.