In enterprises, there are different ways you can manage access to your critical data. The two most common approaches are privileged access management (PAM) and privileged user management (PUM). But what is the difference between them?
In this article, we compare PUM vs PAM. In 2019, it’s still challenging to draw the line between these approaches. We also take a look at which of the two is best for ensuring your company’s cybersecurity.
The problem of uncontrolled privileges
The less control you have, the more money you risk.
Privileged access is access to data, systems, and computers unavailable to the general public. But why do we restrict access to certain systems and data in our networks?
This data is super important, and losing or damaging it will not only cost lots of money but affect the company’s reputation. Therefore, only people with the right level of authority and expertise are allowed to access, use, and alter such data.
Privileged credentials are the keys used to access different business-critical resources, including:
- Critical systems – With access to a legitimate privileged account, attackers can freely use restricted resources and block business-critical systems.
- Databases – The moment attackers get privileged access credentials, they get the opportunity to access, copy, modify, and even destroy information stored in your company’s databases.
- Applications – Various application-to-application processes also involve the use of privileged credentials. If an attacker gets hold of these credentials, critical business processes can be disturbed.
- Cloud environments – In cloud and containerized environments, special administrator keys and secrets are used for creating new instances, managing workloads, and interacting with databases. Once attackers get access to these credentials, they can tamper with both cloud resources and valuable information.
This is why privileged access credentials are often the main target of cybercriminals who want to access their victims’ most valuable and confidential information.
The main problem is that people make mistakes. For example, some people store passwords on sticky notes where anyone can see them.
Others click links they receive in strange emails without giving it a second thought.
The result is always the same: an attacker, be it a malicious insider or an intruder, gets access to business-critical information and can use it to their advantage.
According to “The Forrester Wave™: Privileged Identity Management, Q4 2018” report, at least 80% of data breaches are connected to the compromise of privileged credentials, such as tokens or passwords. Louis Columbus, writing for Forbes, also mentions a survey showing similar results: in 74% of organizations, data breaches are believed to be related to the abuse of privileged access credentials. Furthermore, privilege misuse is among the top three causes of cybersecurity incidents in healthcare, manufacturing, finance, insurance, and retail according to Verizon.
Controlling privileged access is one of the main requirements of regulations by NIST, the PCI DSS standards, the Sarbanes-Oxley Act, and HIPAA. This is why for enterprises, ensuring proper management of privileged users and privileged accounts is vital.
From the technical point of view, privileged access can be either granted temporarily or assigned permanently. In the first case, we’re usually talking about privilege elevation, when you issue a time-limited privilege to a specific user. In the second case, the access permission is usually assigned to a specific account. Basically, that’s the key difference we’ll be focusing on when talking about privileged access management vs privileged user management.
Now let’s dig deeper. In the next section, we talk about privileged access management and how it differs from privileged user management.
Privileged Access Management
In PAM, it’s all about elevating current privileges.
What is PAM? There are several ways we can look at privileged access management (PAM). Gartner refers to PAM as an umbrella term for all kinds of privilege management solutions.
In this article, we talk about PAM not as a solution but rather as a user-specific process.
Privileged access management is a process of managing one-time permissions that temporarily elevate privileges of regular users upon request. Gartner refers to this type of privilege control as privilege elevation and delegation management (PEDM).
Here's an easy way to think about it. In many organizations, there are facilities with different access restrictions:
- Basic facilities that any employee or even guest can enter freely
- Working facilities that all regular employees of the organization can enter
- Restricted areas that only people with special access levels can enter
Now, imagine that to access the third type of facility, you need to request special access permission – say, a badge that will let you pass through the security check. Once you’re done with your job, you must hand the badge back to the security officer: your permission has expired.
The trick is that this badge will have your name on it, so you’ll be the only person who can use it. Furthermore, you can only use this badge once for accessing a very specific facility. This is how PAM works.
PAM allows regular users to request access to protected data, applications, or systems from their current accounts. Similarly to the least privilege principle, the main idea of PAM is that there’s no such thing in your network as a regular user with permanent access to sensitive data.
You can take this approach even further by implementing a zero trust security model. This model has two important characteristics:
- There’s no general secured perimeter – Instead of securing the perimeter of the entire network, each critical application, endpoint, and database is protected individually. A user can only access a particular endpoint if they have the right level of access permission.
- There’s no separation between trusted and untrusted users – In zero trust, no one is trusted by default. A user can only get access to protected assets if they verify their identity, for instance with multi-factor authentication (MFA).
One of the benefits of PAM is the range of access granularity. You can specify:
- Who gets access
- What exactly those users get access to
- For how long access is granted
- What those users are allowed to do within the protected perimeter
With PAM, you can set a number of elevated access levels and specify what kinds of actions are permitted and restricted for each of them.
For instance, an employee with the basic user access level might see protected data but not be able to modify or delete it. To change the protected data, they’ll need a higher level of authority, such as that of an administrator. This makes PAM a powerful, granular, and complex solution for managing privileges.
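The badge analogy and the granularity list above describe a set of checks that a privilege elevation mechanism has to make on every use: the grant is bound to one named user and one specific resource, it expires, it is consumed once used, and the level it carries decides which actions are permitted. The following added example (written for this article, not code from the original page or from Ekran System) models those rules in a small just-in-time elevation broker. The names `ElevationBroker`, `Grant`, `LEVELS` and the "reader/editor/admin" policy are hypothetical, and the clock is injectable so expiry can be exercised offline.

```python
# Added example (not from the article or Ekran System): a minimal just-in-time
# privilege elevation broker modelling the PAM/PEDM rules described above.
# All names here (ElevationBroker, Grant, LEVELS, ...) are hypothetical.
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# Constructed policy: each elevated access level and the actions it permits.
LEVELS: Dict[str, Set[str]] = {
    "reader": {"read"},                     # may see protected data only
    "editor": {"read", "modify"},           # may also change it
    "admin": {"read", "modify", "delete"},  # full authority
}


@dataclass
class Grant:
    """A one-time elevation: bound to one user and one resource, time-limited."""
    token: str
    user: str
    resource: str
    level: str
    expires_at: float
    used: bool = False


class ElevationBroker:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock            # injectable so expiry can be tested
        self._grants: Dict[str, Grant] = {}
        self.audit: List[Tuple] = []   # who was granted, and who used, what

    def request_elevation(self, user: str, resource: str, level: str,
                          ttl_seconds: int, approved_by: str) -> str:
        """Issue the 'badge': a random, single-use token tied to this user and resource."""
        if level not in LEVELS:
            raise ValueError(f"unknown access level {level!r}")
        token = secrets.token_urlsafe(16)
        self._grants[token] = Grant(token, user, resource, level,
                                    self._clock() + ttl_seconds)
        self.audit.append(("grant", user, resource, level, approved_by))
        return token

    def use(self, token: str, user: str, resource: str, action: str) -> Tuple[bool, str]:
        """Check every binding before allowing the action; a successful use consumes the grant."""
        grant = self._grants.get(token)
        if grant is None:
            return False, "unknown token"
        if grant.used:
            return False, "token already used"
        if grant.user != user:
            return False, "token is bound to another user"
        if grant.resource != resource:
            return False, "token is bound to another resource"
        if self._clock() > grant.expires_at:
            return False, "token expired"
        if action not in LEVELS[grant.level]:
            return False, f"{action} not permitted at level {grant.level}"
        grant.used = True
        self.audit.append(("use", user, resource, action))
        return True, "ok"


if __name__ == "__main__":
    broker = ElevationBroker()
    tok = broker.request_elevation("alice", "payroll-db", "editor", 300, approved_by="bob")
    print(broker.use(tok, "alice", "payroll-db", "delete"))  # denied: editor cannot delete
    print(broker.use(tok, "alice", "payroll-db", "modify"))  # allowed, and the token is consumed
    print(broker.use(tok, "alice", "payroll-db", "read"))    # denied: already used
```

A denied action does not consume the grant here, so a user who asks for more than their level allows can still perform the action they were actually approved for; the audit list records both the approval and the eventual use, which is the trail an incident responder needs to tie an elevated action back to a named requester and approver.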
Let’s take a closer look at PUM.
Privileged User Management
In PUM, it’s all about sharing privileges with others.
Remember our example with restricted facilities? Now imagine that you still need to get a special badge. But this time, there are a limited number of these badges. And in contrast to the first badge, this one doesn’t have an expiration date. Furthermore, it doesn’t have your name written on it, so you can use it yourself or you can hand it over to one of your colleagues and ask them to do the job. This is how privileged user management, or PUM, works.
What is PUM exactly? As confusing as it may sound, privileged user management is all about accounts and not particular people.
Privileged user management is the process of managing privileged accounts with permanent access to critical assets. PUM is responsible for managing built-in admin accounts, such as root and system administrator accounts.
Another term for PUM that’s widely used is Privileged Identity Management (PIM), where privileged accounts are seen as digital identities and not particular people. This type of privilege control is also close to what Gartner calls privileged access and session management (PASM).
Privileged users have more privileges than regular users. They have full and permanent access to protected data, applications, and systems. And usually, a number of employees can log into the system as a privileged user under the same account. So PUM is account-specific.
Every organization has a number of user accounts that have permanent access to either all or part of their protected assets. Usually, these accounts are built into the system and can’t be removed.
We can split all privileged accounts into two large categories: accounts associated with individual users, and application accounts.
Here are some of the most commonly used types of privileged accounts:
- Local admins – Usually shared, non-personal accounts that provide administrative access to the local system and services. These accounts are typically used for setting up new workstations and maintaining the system.
- Domain admins – Accounts with unrestricted access across all servers and workstations on a Windows domain. These accounts have full control over all domain controllers and administrative accounts within the domain.
- Privileged users – User accounts with elevated privileges. They’re typically used for solving business-related tasks and working with critical data. Privileged user accounts can be either shared by several employees or assigned to a particular individual.
- Service accounts – Any type of privileged account (local or domain) that applications and services use for interacting with the operating system.
- Application accounts – Accounts used by applications to get access to system resources, databases, and other applications. Credentials for these accounts are often shared across the network.
- Emergency accounts – Special accounts that can be used for accessing protected systems or data in case of an emergency.
Shared privileged accounts increase the risk of data breaches. First, many organizations still keep credentials for such accounts in an unencrypted text file somewhere in the network. If an attacker gets this file, they’ll get all the valuable data the compromised account has access to.
Second, even though you can monitor privileged user activity, you can’t determine who did what under a shared account. This makes investigating cybersecurity incidents a serious challenge.
One possible solution to this problem is secondary authentication. With secondary authentication, once a user is logged in under a shared account they’re still required to log in to their regular account as well in order to pass additional identity verification. By doing so, you can associate a particular session started under a shared account with a specific user.
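The secondary authentication approach just described can be illustrated with a small session monitor. The code below is an added example (not from the article or Ekran System): a session opened under a shared built-in account stays unattributed, and under the policy chosen here cannot run commands, until the person behind it also authenticates with their own identity; after that, every recorded action carries both the shared account and the individual. `SessionMonitor`, `SHARED_ACCOUNTS` and the user directory are hypothetical, and the hashed secrets stand in for whatever MFA or identity provider a real deployment would call.

```python
# Added example (not from the article or Ekran System): how secondary
# authentication lets a session opened under a shared account be attributed
# to one individual. All names (SessionMonitor, SHARED_ACCOUNTS, ...) are
# hypothetical, and the user directory below is constructed sample data.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Built-in accounts whose credentials several people share.
SHARED_ACCOUNTS = {"root", "dbadmin"}


def _digest(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


# Stand-in for the identity provider: individual user -> hash of their
# secondary-auth secret (a real deployment would verify MFA/2FA instead).
USER_SECRET_HASHES: Dict[str, str] = {
    "alice": _digest("alice-demo-secret"),
    "bob": _digest("bob-demo-secret"),
}


@dataclass
class Session:
    session_id: str
    account: str                 # account the session was opened under
    actor: Optional[str] = None  # individual behind it, once known


class SessionMonitor:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}
        # (session_id, account, actor, command or event, verdict)
        self.events: List[Tuple[str, str, Optional[str], str, str]] = []

    def login(self, session_id: str, account: str) -> Session:
        s = Session(session_id, account)
        if account not in SHARED_ACCOUNTS:
            s.actor = account        # a personal account is already attributable
        self.sessions[session_id] = s
        return s

    def secondary_auth(self, session_id: str, username: str, secret: str) -> bool:
        """Second login under the user's own identity; binds the shared session to them."""
        s = self.sessions[session_id]
        expected = USER_SECRET_HASHES.get(username)
        ok = expected is not None and hmac.compare_digest(_digest(secret), expected)
        if ok:
            s.actor = username
        self.events.append((session_id, s.account, username, "secondary_auth",
                            "ok" if ok else "failed"))
        return ok

    def record(self, session_id: str, command: str) -> str:
        """Policy: a shared-account session may not act until it is attributed."""
        s = self.sessions[session_id]
        verdict = "allowed" if s.actor is not None else "blocked"
        self.events.append((session_id, s.account, s.actor, command, verdict))
        return verdict

    def attributed_commands(self) -> List[Tuple[str, str, str]]:
        """Answer 'who did what': (individual, account used, command)."""
        return [(actor, account, cmd)
                for (_, account, actor, cmd, verdict) in self.events
                if verdict == "allowed" and actor is not None]

    def unattributed_sessions(self) -> List[str]:
        """Shared-account sessions that never completed secondary auth."""
        return [sid for sid, s in self.sessions.items()
                if s.account in SHARED_ACCOUNTS and s.actor is None]


if __name__ == "__main__":
    # Constructed sample activity: two root sessions and one personal session.
    m = SessionMonitor()
    m.login("s1", "root")
    print(m.record("s1", "useradd contractor"))                  # blocked: not yet attributed
    print(m.secondary_auth("s1", "alice", "alice-demo-secret"))  # True
    print(m.record("s1", "systemctl restart nginx"))             # allowed, attributed to alice
    m.login("s2", "root")
    print(m.record("s2", "useradd contractor"))                  # blocked
    m.login("s3", "bob")
    print(m.record("s3", "ls /var/log"))                         # allowed, personal account
    print(m.attributed_commands())
    print(m.unattributed_sessions())                             # ['s2']
```

Whether an unattributed shared session is blocked outright or merely flagged for review is a policy decision; the point the example makes is that once the second login is recorded, the audit trail can name the person rather than only the account.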
PUM vs PAM
Should you use PUM or PAM to secure your valuable data?
Finally, let’s summarize the main differences between PAM and PUM.
| | PAM | PUM |
|---|---|---|
| Access | Temporary, upon request | Permanent |
| Number of accounts | Unlimited | Limited |
| Main benefit | Access granularity | Access consistency |
| Main drawback | Management complexity | Lack of visibility |
PAM allows you to configure user-level access permissions and specify who can do what according to specific roles or attributes.
PUM is more helpful when it comes to performing security audits, as you can conduct a report on the activity of a limited number of accounts instead of investigating the activity of multiple users with elevated privileges.
Generally, PAM and PUM complement rather than substitute each other. So instead of comparing PAM vs PUM, it’s better to combine these two approaches for managing privileged access in your organization.
Ekran System can help you make the most out of these two privilege management approaches. By deploying our platform, you can:
- Monitor privileged users with our NIST-recognized PAM solution
- Monitor and manage privileged sessions with our PASM functionality
- Verify user identities with our identity management system and 2FA tool
- Add visibility to the activity of shared accounts with our secondary authentication feature
- Integrate Ekran System with your SIEM and ticketing system for additional access control and granularity
Privileged access management and privileged user management are two complementary approaches to managing access to sensitive data, applications, and systems. When comparing PUM vs PAM, the most important thing to remember is that:
- PUM focuses on specific accounts that are usually built into the system or applications, are shared, and are limited in number;
- PAM focuses on regular users that request a temporary privilege elevation for solving a particular task.
Since these two approaches are complementary, it would be most beneficial to an organization’s cybersecurity to use them together. To ensure an even higher level of access flexibility and better protection of sensitive data, you can deploy these two approaches in combination with IAM solutions.