About Privileged Account Management

Privileged Account Management (PAM) refers to managing access to privileged or high-level accounts such as domain administrator, root, or superuser accounts, as well as to other critical or sensitive accounts and systems. These privileges are often associated with IT accounts, such as root access to a Unix system or the ability to add or delete mailboxes in a Microsoft Exchange deployment. They can also apply to sensitive accounts such as a company's social media accounts, or to sensitive assets such as a financial database, a list of credit card numbers, or security certificates.

By controlling access to privileged accounts, PAM solutions give organizations a way to protect themselves from accidental or deliberate misuse of privileged access. There are numerous PAM solution providers in the market, such as Thycotic, Lieberman, CyberArk, and BeyondTrust. The details of how access to privileged accounts is managed vary by solution provider, and PAM can mean different things to different companies. Typical capabilities include automatic rotation of credentials, time-boxing (time-limiting) user access, keeping passwords invisible to end users, and tracking and auditing privileged actions.

Think of a PAM solution as a library, but instead of books, the library holds privileged accounts. To check a book out of the library you need a library card; with PAM, you need some kind of credential or authorization to access what is in the library, or vault. ("Vault" is a common term for the logical container of assets protected by PAM.) Unlike a library card, which gives you access to every book in the library, a PAM credential might give you access only to a limited set of specific vaults, not to every vault that the PAM solution manages.
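As an added illustration of the mechanisms described above (not IdentityIQ code, and not any vendor's product code), the following Python model implements a small PAM broker: vaults granted per user, time-boxed check-out leases, automatic rotation of the credential on check-in, and an audit trail of every privileged action. All class and function names (PamBroker, Vault, Lease, check_out, use, check_in) and the sample vault and account names are hypothetical, and secrets are held in plaintext in memory purely for simplicity, which a real vault would never do.

```python
"""Minimal PAM broker model: scoped vault access, time-boxed leases,
credential rotation on check-in, and an audit trail.

Added illustration only; not IdentityIQ or any vendor's code. All names are
hypothetical, and secrets are kept in plaintext in memory for brevity.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Vault:
    name: str
    # account name -> current secret (a real vault encrypts these at rest)
    accounts: dict = field(default_factory=dict)


@dataclass
class Lease:
    user: str
    vault: str
    account: str
    expires_at: float  # compared against a caller-supplied clock


class PamBroker:
    def __init__(self):
        self.vaults: dict = {}   # vault name -> Vault
        self.grants: dict = {}   # user -> set of vault names ("library card" scope)
        self.leases: dict = {}   # lease id -> Lease
        self.audit: list = []    # append-only record of privileged actions

    def add_vault(self, name, accounts):
        self.vaults[name] = Vault(name, {a: secrets.token_urlsafe(24) for a in accounts})

    def grant(self, user, vault):
        self.grants.setdefault(user, set()).add(vault)

    def check_out(self, user, vault, account, now, ttl=900):
        """Issue a lease for one account if the user was granted that vault."""
        if vault not in self.grants.get(user, set()):
            self.audit.append(("DENY", user, vault, account, now))
            raise PermissionError(f"{user} has no access to vault {vault}")
        lease_id = secrets.token_hex(8)
        self.leases[lease_id] = Lease(user, vault, account, now + ttl)
        self.audit.append(("CHECKOUT", user, vault, account, now))
        return lease_id

    def use(self, lease_id, now):
        """Release the secret only while the lease is live. The user normally
        receives the lease (or a brokered session), not the password itself."""
        lease = self.leases.get(lease_id)
        if lease is None or now > lease.expires_at:
            self.audit.append(("EXPIRED", lease_id, now))
            raise PermissionError("lease missing or expired")
        self.audit.append(("USE", lease.user, lease.vault, lease.account, now))
        return self.vaults[lease.vault].accounts[lease.account]

    def check_in(self, lease_id, now):
        """End the lease and rotate the credential so the released value is dead."""
        lease = self.leases.pop(lease_id)
        vault = self.vaults[lease.vault]
        old = vault.accounts[lease.account]
        vault.accounts[lease.account] = secrets.token_urlsafe(24)
        self.audit.append(("CHECKIN_ROTATE", lease.user, lease.vault, lease.account, now))
        return old != vault.accounts[lease.account]


def demo():
    """Walk through scoping, rotation and time-boxing; returns the observed results."""
    pam = PamBroker()
    pam.add_vault("windows-admins", ["CORP\\Administrator"])  # constructed sample data
    pam.add_vault("unix-root", ["root@db01"])
    pam.grant("alice", "windows-admins")  # alice's "card" covers one vault only
    results, t = {}, 1000.0

    lease = pam.check_out("alice", "windows-admins", "CORP\\Administrator", now=t)
    first = pam.use(lease, now=t + 10)
    pam.check_in(lease, now=t + 20)

    try:  # scoping: a vault alice was never granted
        pam.check_out("alice", "unix-root", "root@db01", now=t + 30)
        results["scoped"] = False
    except PermissionError:
        results["scoped"] = True

    lease2 = pam.check_out("alice", "windows-admins", "CORP\\Administrator", now=t + 40, ttl=900)
    second = pam.use(lease2, now=t + 50)
    results["rotated"] = first != second  # password changed after check-in

    try:  # time-boxing: one second past the 900 s lease
        pam.use(lease2, now=t + 40 + 901)
        results["timeboxed"] = False
    except PermissionError:
        results["timeboxed"] = True

    results["audit_events"] = [e[0] for e in pam.audit]
    return results


if __name__ == "__main__":
    print(demo())
```

The three properties a practitioner should look for are all visible in the returned dictionary: the denied check-out for a vault outside the user's grant, the changed secret after check-in (so a password that leaked during the session is worthless afterwards), and the refusal once the lease clock runs out. The audit list records the denial and the expiry as well as the successful actions, which is what makes after-the-fact review of privileged use possible.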

PAM Terminology

Although specific terms for common PAM concepts vary from vendor to vendor, in general these are the terms you will encounter when working with PAM solutions:

  • Vault or safe: a logical container or folder that holds privileged accounts and their passwords, for example one container for all of your company's Windows administrator accounts and another for all of its Unix root accounts. In IdentityIQ, these are called containers.

  • Privileged Item: a piece of privileged data that is managed by the PAM solution, such as an account, credential, file, or key. The types and names of privileged data vary by PAM vendor.

Additional Resources

Privileged Access Management Best Practices

Privileged Access Management Use Cases