What Is the Difference Between PAM, PIM and PUM?

When it comes to managing restricted access within an organization’s IT and digital assets, systems administrators have many factors to consider when granting privileges. IT decision-makers need to prioritize cybersecurity while also providing a way for users to streamline their work when they need certain permissions. 

When establishing a protocol for how to control restricted access within an organization, administrators have a few different options in approaching access management. Privileged access management (PAM), privileged identity management (PIM), and privilege user management (PUM) are three access control and privilege management solutions that you can use to establish a comprehensive account and user security strategy.

Use this guide to compare how PAM, PIM, and PUM work and the best ways to apply each approach to your organization’s security strategy. 

Why Is Restricted Access Essential?

Restricting access to critical data is an essential best practice that protects your business against the costs of lost, damaged or compromised information. Critical data needs to be restricted so only certain types of authorized users can gain access to it under a predetermined set of conditions or protocols. That way, businesses can rest assured no one except the privileged users handles specific types of data, reducing the risk of malicious actors or other threats controlling the data instead.

Restricting access to data limits the type of employees or third-party providers that can use or alter that data. Businesses can decide based on a number of different factors what determines whether someone has a sufficient level of authority or expertise to access the data. The ability to define which types of users get access to certain types of data is what lets companies protect themselves from cyberattacks and other data loss concerns.

Below are some of the top reasons it's essential for your business to implement restricted access:

• Avoid accidental data exposure: Restricting user access to certain systems reduces the risk of users accidentally exposing critical data when they don’t follow proper protocols. 
• Prevent hackers from gaining access: Limiting user permissions minimizes the damage that hackers can do if they gain access to a restricted user’s credentials.
• Reduce access abuse and misuse: Indiscriminate granting of user access opens the company up to the potential for abuse and malicious behavior from the inside or cooperation with outside threats.

Companies that implement restricted access understand not every employee needs to be granted credentials to access every network, system or device. The risk of the credentials falling into the wrong hands increases with every new user that’s granted permission. Instead, you can choose a limited number of users to have access to certain assets at specific times to mitigate the risk of data loss, theft or damage.

What Is Privileged Access Management (PAM)?

Companies have different ways they can control and track which users have access to which sets of data or systems or who can update or change user access settings. One way is through privileged access management. PAM is a user-specific process whereby a user can request that access permissions to their existing account be increased. This occurs when a user needs access to an application or system to perform their job, but current permission levels are insufficient.

When comparing identity and access management (IAM) vs. PAM, IAM is the overall approach used to identify and authorize users throughout the entire organization. PAM is a further specific approach within the broader IAM strategy that focuses on privileged users.

PAM is what lets a user request the privileges needed for a specific system and be granted approval for their request so they can access it through their existing account. With PAM, administrators can grant a specific user privileged access to a single system for a set period of time. Usually, an administrator grants permission to the user for the length of time needed to complete the task that requires elevated permission, ranging from hours to days. 

Some of the benefits of deploying a PAM system are:

• Avoids granting a single user elevated permissions at all times, reducing data loss threats.
• Offers a simple mechanism for granting users specific access on an as-needed basis, keeping access to the absolute minimum.
• Streamlines business processes through privileged access on demand.
• Reduces the organization’s overall security risks by having a way to control the details of who gets access to what and when.

PAM is a straightforward system with predefined levels of access, starting with a basic user and increasing multiple permission levels to a full system administrator. In other words, users don’t need to go from basic access to full access as there are levels in between that will work. PAM lets users receive the exact or least amount of privilege necessary at the right time for a certain type of system.

What Is Privileged User Management (PUM)? 

Whereas PAM is a user-specific approach to restricting or granting privileged access to specific systems, privileged user management (PUM) is the approach that limits or grants permissions based on the account type being accessed rather than the user accessing it. PUM refers to a system’s built-in privilege accounts, such as a root or administrator account. 

In a PAM system, there is only one user per account. With PUM, there are usually a limited number of accounts or seats available, meaning multiple users need permission to the same account. To grant more users access to a single account, you'll likely share the account password with multiple different users. This is particularly the case with certain types of software with licensing restrictions. You may purchase one license, but multiple different users access it. 

Because passwords are shared among PUM users, a second-factor authentication isn't usually added since that would make it inefficient to verify access. Instead, a PUM administrator manages the number of privileged accounts and their associated passwords. Organizations can still control these accounts and change passwords at certain intervals or in response to security concerns. They can also audit when the accounts are being used and by how many users.

Some of the advantages of a PUM system are:

• Easy and flexible management: Having an overview of a limited number of accounts makes it easy and flexible to safely manage privileges to these non-traditional single-user accounts.
• Convenient and safe storage: PUM tools help administrators encrypt and keep track of account passwords, keys and credentials and can keep a password history so you can restore backups from earlier settings.
• Efficient investigations and audits: Since PUM grants account-level privileges and access is the same for everyone, auditors can look at activity associated with one account easier than the activity of one individual and the various access levels they’ve been granted.

Since PAM and PUM are solutions to different types of account use scenarios, they are considered complementary to each other rather than competing alternatives. PUM is useful for applications with restricted accounts, while PAM is a solution implemented at the individual level for ongoing tasks.

What Is Privileged Identity Management (PIM)?

Another approach to restricting and controlling access is privileged identity management (PIM), a term that’s often used interchangeably with PUM. In the PIM approach, privileged accounts are considered digital identities and not particular users or individuals, as is the case with PAM. In this sense, PIM and PUM are closely related since PUM deals with accounts, not users.

PIM lets systems administrators activate and deactivate roles based on timing and approvals. With more control over account activity, PIM lessens your organization's risk of users accessing sensitive resources when it's unnecessary, inappropriate or too frequent. 

Below are some of the top benefits of PIM:

• Two-factor authentication: Unlike PUM systems, which rarely use two-factor authentication, PIM systems do use two-factor authentication to identify digital identities.
• Easy user role activation: PIM lets admins elevate privileged access only with permission changes. It also lets them control changes to privileges with access start and end times. 
• Reduces privilege creep: PIM helps administrators oversee the lifespan of account activity. This lets them see how privileges have been requested so they can curb privilege creep as it arises.
• Excellent forensic insight: PIM lets admins collect information about why people request privileged access. With this information, they can perform ongoing access audits that confirm whether privileged access is still required.

With these benefits in mind, think of PIM as an approach that solves Privileged Identity Lifecycle Management issues. PIM addresses many concerns admins have about overseeing user account lifespans because PIM products let you track, manage and audit the entire history of account activity. 

PIM solutions locate and record all types of assets and resources associated with privileged accounts. With this information, you can then apply restrictions on those accounts and ensure they're followed. By logging and monitoring each privilege access request, PIM can also alert you to suspicious behavior that could indicate potential abuse or misuse. This is a significant benefit considering the rise of insider threats within organizations.

PAM vs. PIM vs. PUM: Which Is Best for Securing Critical Data? 

With so many different cloud and IT assets in the modern digital ecosystem, you need to know that the multiple passwords, keys and other credentials issued within your organization are managed safely. Having a centralized access control strategy makes credential management and authorization easier and safer.

Businesses needing to secure critical data must rely on privilege management systems that keep access credentials secure and controlled and offer conveniences, such as ease of management, efficient auditing and versatility. Since businesses often run multiple different types of applications and data systems, having a flexible privilege access management approach is necessary to protect sensitive data and provide tailored solutions.

Deploying a combination of PAM, PUM and PIM is ideal for most businesses. The approaches are complementary, offering scenario-specific solutions that help your business cover all situations where privileged access needs to be administered to certain individuals within the organization. While the solutions are complementary, it’s important to understand the strengths and weaknesses of each so you can best apply them to the given scenario.

Below is an overview of PIM vs. PAM vs. PUM comparing the three approaches in how they function and the benefits they deliver:

• Identities, users and accounts: PIM, PAM and PUM together offer a comprehensive solution for identity management, access management and controlling privileged users. Identity management through PIM lets you know which users come in and out, providing a way to understand how identities have been given authorization. PAM provides a way to oversee which users have access and when and can be based on roles or time. PUM lets you manage privileged user accounts, such as superuser, whose identity and access are managed by a Single Sign On across all devices or accounts configured together.
• Critical data protection: Privileged accounts and users are typically the main targets of malicious attacks since these are the accounts or user roles with the power to create new users or accounts or change their permission levels. All three approaches to identity and access management are crucial in thwarting malicious attacks. PAM thwarts attacks at the user level, while PUM and PIM thwart at the account level. The combination of the three approaches protects your critical data in an integrated way.
• Lateral and vertical movement prevention: Both lateral and vertical movement is a major risk to data protection within an organization. As more and more privileged users and accounts become accessible, it increases the risk of insider and outsider threats. Lateral movement occurs when a user with the same tier of permissions gains access to more and more types of assets but with the same level of access. Vertical movement happens when users or those with credentials to accounts can elevate their permission levels on a signal type of account or asset. Both types of movement can be solved by implementing an integrated PAM, PUM and PIM strategy, as together they address both lateral and vertical movement.

Implement PAM, PIM and PUM With Bravura Security

Deploying a highly integrated PAM, PUM and PIM strategy that achieves secure identity and access management is vital in today’s digital environment. Your organization needs IAM systems and solutions that help you cover all sources of potential threats that come with the multitude of users, accounts and identities active at any given time and throughout the role or identity lifecycle. 

It’s essential that organizations partner with a trusted IAM vendor that can deliver a robust solution that deploys access management and control with comprehensive PAM, PUM or PIM solutions. For industry-leading digital security solutions, choose Bravura Security.

Learn more about the Bravura Security integrated PAM platform that solves admin account management challenges, including granting temporary entitlements and ensuring a least-privilege approach. Discover also how the combination of IAM and PAM solutions delivers zero trust that improves security across your entire IT architecture.

Request a demo today to learn more about how Bravura Security offers a complete PAM, PIM and PUM strategy that keeps your organization’s critical data protected in a dynamic access management landscape.

This post originally appeared on the Bravura Security blog.