What is PAM vs PIM? Privileged Identity Management Explained

If access management jargon leaves you perplexed, you’re not alone

We know this because we are so often asked to explain the difference between PIM, PAM and IAM—privileged identity management, privileged access management and identity and access management. People also ask if privileged access management and privileged account management both PAM—are the same thing. Or are they just similar?

So, we created a glossary of these cybersecurity acronyms, and more, and below we clarify how the meaning of these phrases differ and factor into an organization’s cybersecurity setup.

So, what is PAM vs PIM vs IAM? And what makes these acronyms so confusing?

PAM, PIM, IAM and other access management acronyms are related to the same thing: Solutions to secure your sensitive assets. These terms are about safeguarding data and systems by managing who has access and what they’re allowed to see and do. You’ll notice that several definitions overlap a little, so people are inclined to use them as if they were fully interchangeable—and this creates confusion.

“Privilege” is the authority to make changes to a network or computer. Both people and accounts can have privileges, and both can have different levels of privilege.

For example, a senior IT administrator or “super user” may be able to configure servers, firewalls, and cloud storage, and has a high level of privilege. A sales rep, however, should be able to use some systems—by logging into laptops and accessing sales data, for instance—but they shouldn’t be able to change network settings, permissions, or download software unless it’s on an approved list.

Picture all the people who have different levels of access on the network of a single organization: the Unix administrator can access Unix systems; the Windows admins manage Windows systems; Help Desk staff can configure printers, etc. Add to that all the accounts required to log into those systems and you can quickly imagine the thousands upon thousands of privileges within an organization.

What is the meaning of “Privileged Access?”

Briefly, it’s definitive, authorized access of a user, process, or computer to a protected resource.

Privileged Access Management, therefore, encompasses a broader realm than Privileged Account Management, focused on the special requirements for managing those powerful accounts within the IT infrastructure of an organization. It also consists of the cybersecurity strategies and technologies for exerting control over the elevated access and permissions for users, accounts, processes, and systems across an IT environment.

Also incorporated under Privileged Access Management is how the account is being protected. For example, access workflows, two-factor/multi-factor authentication, session recording, and launching are critical elements of a comprehensive Privileged Access Management strategy.

What is Privilege Management vs. Privileged Access Management vs. Privileged Account Management

You’ll often hear the words “privilege” and “privileged” used in context with “management.” Privilege Management refers to the process of managing who or what has privileges on the network.

This is different from privileged account management, which refers to the task of managing the actual accounts that have already been given privileges.

We always say privileged accounts are the keys to the kingdom. They provide access to a company’s most critical information.

A privileged account can be human or non-human. These accounts exist to allow IT professionals to manage applications, software and server hardware. They also provide administrative or specialized levels of access based on higher levels of permissions that are shared. The typical user of a privileged account is a system administrator responsible for managing an environment or an IT administrator of specific software or hardware.

The domain of Privilege Management is generally accepted as a sub-set of Identity and Access Management (IAM). However, identity and privilege are inextricably linked. As Privilege Management and Privileged Identity Management solutions become more sophisticated, the lines continue to blur. In many organizations, the same team security or IT operations group is responsible for both Privilege Management and Privileged Identity Management tools, policies, and monitoring.

Privileged Identity Management assumes that every user is a privileged user. Identity refers to users. You, your boss, the IT admin, and the HR person are only a handful of examples of people who may be entitled for accessing, creating, updating, or deleting privileged content.

A core objective of IAM is to have one digital identity per individual, even if that individual accesses many types of accounts. Once that digital identity has been established, it must be maintained, modified, and monitored.

Privilege Management, as a part of IAM, manages entitlements, not only for users but also for privileged accounts such as administrative or service accounts. PAM tools, unlike IAM tools or password managers, protect and manage all privileged accounts. Mature PAM solutions go even further than simple password generation and access control to individual systems. They also provide a unified, robust, and—importantly—transparent platform integrated into an organization’s overall Identity and Access Management (IAM) strategy.

The domain of Privilege Management is generally accepted as a sub-set of Identity and Access Management (IAM). However, identity and privilege are inextricably linkeSoftware companies are removing racially biased language from their products and other materials. New terms have replaced the application control terms: whitelisting, blacklisting, and greylisting. As Privilege Management and Privileged Identity Management solutions become more sophisticated, the lines continue to blur. In many organisations, the same team security or IT operations group is responsible for both Privilege Management and Privileged Identity Management tools, policies, and monitoring.

Whitelisting is now allow or allowlist
Blacklisting is now deny or denylist
Greylisting is now restrict or restrictlist

A privileged account that is unknown is an account that has been forgotten and lost in the system. Virtually all organizations have some unknown accounts and some have thousands. Accounts become unknown for many reasons:

An employee leaves and the account is simply abandoned.
The account is utilized less and less until it becomes obsolete and forgotten.
Default accounts for new devices are not utilized.

Every unknown account increases your vulnerability and presents an opportunity for an intrusion.
Here are a few things that could happen:

An employee finds the account and uses it to perform unauthorized tasks.
An ex-employee continues to access the account.
A hacker finds the account and penetrates your organization, steals information, and wreaks untold havoc.

Effective PAM solutions employ numerous features to lock down privileged access and thwart cyber attacks. They can discover privileged accounts across your organization and import them into a secure, encrypted repository—a password vault. Once all privileged credentials are inside, the solution can manage sessions, passwords, and access automatically. Combine all this with features like hiding passwords from certain users, auto-rotating valuable passwords, recording sessions, auditing, and multi-factor authentication and you have a robust defense against external threats.

PAM solutions contain multiple features to safeguard against internal threats. Audit trails and email alerts keep administrators informed of what’s going on in the environment. Session monitoring and recording increases visibility of privileged account activity. There are also permissions as well as role-based access controls to give users the access they need to do their jobs. Last but not least, there should be a feature to sever the access users had the moment they leave the organization.

PAM is critical regardless the size of your business. Every organization needs privileged account management. Fortunately, there are free or inexpensive solutions that make it easy and affordable:

If your company has fewer than 25 users and under 250 passwords, you can manage them securely and professionally for free >

If your company has over 25 users or 250 passwords, you can securely manage them on-premises or in the cloud >

Finally, is there a checklist of things I should know before I purchase Privileged Access Management software?

Choosing the right PAM software for your organization is a task to be taken seriously. Research can be hard to do because even once you have your final contenders on a shortlist you’re still not comparing apples with apples.

Here’s a checklist of some important items to consider. We recommend calling vendors and asking questions before purchasing PAM software. Also, request a free trial to be sure your IT team will use it. Once you have a checkmark next to every item, you’re looking at software you’ll be happy with.

Item	Things to Consider
Fully scalable	Will the software scale up to meet your needs as your organization grows?
Complete solution	Does the price include everything you need to truly lock down your privileged accounts in the manner most suitable for your organization? You should not have to navigate numerous add-ons for every little feature or pay later for additional functionality. Everything you need in a solution should start from Day One.
Easy to install Fast to deploy	Your IT admins will thank you for this.
Simple to manage	Good PAM software makes your IT admin’s job easier not more complex.
Well accepted by users	A high adoption rate among users results in better security across your organization.
Excellent time to value	The solution should be swift, effective, and assist you with the kind of protection promised without having to establish any extended timelines.
Affordable	Prices vary—a lot. View our charts to see how popular vendors compare price-wise.
Feature Rich	Are new features added regularly to keep the software up to standard? Ask to view the features list.
Top-notch support	Support must be guaranteed from trial to purchase. The best vendors offer phone, email, knowledge base and forum support.
Innovation and frequent updates	Attack vectors keep increasing in number and complexity. The solution should be able to keep up.
Customer responsiveness	You should have a say in the direction the solution is developed.

Related Reading:
How to find your best match among Privileged Access Management Vendors
Privileged Access Management (an overview of PAM from the basics to becoming an expert)

If you’re concerned that your organization does not have a super-secure privileged access management system in place, please encourage your IT admin to try the free version of our PAM software.