PIM, PUM and PAM explained

Andy Harris

Privileged Identity Management, Privileged User Management and Privileged Account Management
Here we describe how the PxM Platform implements Privileged Identity Management (PIM), Privileged User Management (PUM) and Privileged Access Management (PAM) to increase your cyber security by reducing the attack surface of your systems.
With the Platform, the passwords of privileged accounts are never sent to the SysAdmin’s workstations. Instead the SysAdmins connect to a session that the PxM Platform has set-up on a least privilege model. There are a whole range of terms used in this industry, and since the Platform is a framework for managing privileged user workflow it uses most of them!
Here’s a quick rundown of all these terms, what they do, and which bits of the PxM Platform performs them:
Privileged Identity Management (PIM)
This is the inbound part of the PxM Platform. It’s what happens when a SysAdmin logs in to the Desktop Client. The SysAdmin’s identity checks against an authentication service. A range of two factor authentication schemes is then used along with Active Directory. Built-in local authentication is also used here. In a large installation the PxM Platform will likely use the services of an Identity Manager. This Identity Manager might use Two Factor Authentication as well!
Privileged User Management (PUM)
This is the business of controlling what systems and devices are available to the Privileged User. The PxM Platform’s main PUM tool is a Profile. A Profile is a collection of users, tools and tasks along with a set of roles. Thus, a user in a Profile can use the defined tools and tasks at the role defined for each of the systems or devices defined in that Profile.
PUM is further defined within the Profile by:
Session Recording: Are sessions going through this Profile recorded?
Time Windows: Should sessions in this Profile limit to set parts of the day?
Living above Profiles there is the concept of Device Group Separation. This is where meta data describes to whom the device or system belongs. Generally, this would be by function or customer. DGS ensures that a privileged user cannot connect to system that belong to different designations. For example, a MSP could define that SysAdmins cannot connect to the systems or more than one customer at a time.
Our underlying technology allows us to extend this to concepts. For example: “Has the privileged user received an incident or change ticket for this session”.
Privileged Account Management (PAM)
This refers to the management of the actual accounts used on systems, applications and devices. The PxM Platform can discover the accounts defined on systems. I can tell that a specific account is to used as a Control Account and that others used for Roles. Often, the Platform will create accounts at a specific role for the use of a specific user based on their profile membership.
So, part of PAM is the discovery, creation, enabling, disabling and deletion of accounts on systems, applications and devices.