Free Trial
Products Products
MSP360 Backup Backup and Recovery
MSP360 Backup Backup and Recovery
Overview
back up DATA FROM
Windows VMware/Hyper-V MacOS Microsoft 365 Linux Google Workspace
BACK UP DATA TO
AWS Google Wasabi Azure B2 Local
MSP360 RMM IT Management MSP360 Connect included
MSP360 RMM IT Management
Overview
MONITOR AND MANAGE
Windows macOS Linux
Prevent cyber threats
Endpoint threat prevention and protection (powered by Deep Instinct)
MSP360 Connect Remote Access
MSP360 Connect Remote Access
Overview
Connect FROM
Windows Android MacOS iOS
Connect TO
Windows MacOS
Pricing
Pricing Pricing
MSPs Internal IT
Solutions Solutions
Business type
Industries
MSP IT Departments Small Busness
Healthcare Education
Business type
MSP IT Departments Small Busness
INDUSTRIES
Healthcare Education
use cases
ENDPOINT PROTECTION
Ransomware Protection Endpoint Threatbr
Prevention and Protection
powered by Deep Instinct
Remote Access
Web-Based Remote Access Remote Support Remote Access Remote Work Remote Collaboration
IT Management
Patch Management Monitoring and Alerting Remote Device Management SNMP Monitoring
Backup and Recovery
Server Backup Backup for Windows Backup to AWS Desktop Backup Backup for MacOS Backup to Wasabi File Backup Backup for Linux Backup to B2 Image-Based Backup Backup for VMware/Hyper-V Backup to Azure SQL Server Backup Backup for Google Workspace (GSuite) Backup to Google Cloud Synology NAS Backup Backup for Microsoft 365 (O365) Back Up Locally Recovery
Not sure if MSP360 is for you?
Request a Call
Resources Resources
MSP University Blog Whitepapers and Assets Videos Webinars Events Customer Stories Forum
Support Support
US-Based Support My Cases Open a Case Knowledge Base Online Help
Partners Partners
technology partners
AWS Wasabi Backblaze Google Cloud Microsoft Azure Deep Instinct
Partners
Resellers Distributors Become a Partner
ALLIANCE PARTNERS
Leet Cyber Security
Company Company
About Legal Information Events Careers Leadership Team Contact Us Trust Center
Blog Articles
Read MSP360’s latest news and expert articles about MSP business and technology
IAM vs PAM vs PIM

IAM vs PAM vs PIM: Guide to Access Management

IAM vs PAM vs PIM: Guide to Access Management

With the rise in the number of solutions and applications that organizations are using, corporate access management becomes a critical layer of protection and should be treated accordingly. However, access management is not a cloud-only concept. It directly affects most of the IT assets in the organization, starting with desktop log-ins and up to physical access to the server lockers. So, to provide maximum possible security in the organization, you should embed a centralized access management policy.
To help you with that task, there are three (two and a half, to be honest) big concepts to access management: IAM, PAM and PIM. Today, we will define their similarities and differences, and provide you with best practices for their implementation.

IAM vs PAM vs PIM: The Difference Explained

First, let's define these three concepts:

  • Identity and access management (IAM) – is a framework of policies, and security solutions tied to these policies, that overview and set rules to the access patterns of all users in the given organization for a defined set of resources.
  • Privileged access management (PAM) – is a framework of policies and security solutions that define access to a defined set of privileged resources.
  • Privileged identity management (PIM) – is a framework of policies and security solutions that define the access patterns of the privileged users to a defined set of resources.

So, to put it in a nutshell, IAM covers all access patterns for all users and all systems and resources, and PAM and PIM cover privileged access patterns. It might seem as if the last two are identical and, indeed, the formal difference between IAM, PAM and PIM can be ignored when you create your organizational access policies.

Further reading AWS Security In-Depth Part 2: Basics of IAM Policies

Implementing Identity and Access Management in the Organization

All these policies serve to authenticate and authorize users and grant them access to the appropriate resources, including hardware, applications and software, cloud resources, and data in storage -- in other words, all IT systems and subsystems in the organization. To develop IAM policies for the organization, you should define the rules for:

  New call-to-action
  • Authentification – a set of rules for verifying the identity of a user. For example, we can authenticate the identity of a user when they provide their credentials in order to enter a system.

Further reading Guide to Customer Verification for MSPs

  • Authorization – a set of rules that allow certain users to access certain resources. Authentication and authorization rules will allow you to form a granular set of policies. To define which resources and assets need which set of rules, you need to:
  • Gather a list of resources. First of all, you need to create an access map that will show you all the systems, resources, applications, software and hardware which need to be accessed and, thus, protected.
  • Create user groups and define permissions. Once you've gathered a list of resources, you should create a list of users with their authorization patterns. In other words, you should define who is allowed to access what.
    Define security rules. Lastly, you should define the exact security measures you will implement for different cases. These include the rules for setting and resetting users’ credentials, multi-factor authentication usage, and allowed access patterns for IT resources.

As a side note, we should mention that complex identity and access management is not always a good thing and will not always enhance your security. You should strike a balance between strict security measures and IT infrastructure usability for the end users. So, think about implementing single-sign-on systems, where possible. In many cases, this won't harm security but will reduce the number of password reset requests.

Whitepaper icon

New call-to-action
IT Security Assessment Checklist

Assess vulnerabilities and threats, network security, workspace and equipment security, documentation, and more. The pack includes:

  • a ready-to-print PDF file
  • an Excel file to help create a customizable assessment resource

Areas for Privileged Access and Identity Management

Any modern organization has a number of privileged users who have extended access to IT resources and systems. A basic example of a privileged user is a system administrator; that user can access and manage other users’ data, including their credentials, and set up authentication and authorization rules at the system level.
You should make a dedicated list of, and create rules for, privileged users and privileged resources. Here are some examples of such resources:

  • Credentials, including end users’ and other administrators’ log-ins, emails, passwords and other information that can be used to access IT resources.
  • Production resources, including direct and indirect access to any production databases and other resources that provide business continuity.
  • Sensitive data, such as any personal information relating to both staff members and company clients, and compliance data, which might be financial, legal or healthcare, to name a few examples -- in other words, any regulated data that might land you in court.

Risks of Shadow Privileged Access

Some system administrators or managed IT providers tend to solve end users' issues by granting these end users local or even domain administrator rights. That is both a well-known worst security practice and an example of shadow privileged access in the organization.
To ensure the security of your data and resources, create a list of all privileged users and a logging system to track their activity. Lastly, when you set the status of users, use the basic security rule of thumb -- the principle of minimal privilege. In other words, you should give the user access only to those resources they need.

Conclusion

It’s true that all these abbreviations might seem like they belong to the enterprise corporate space. But as soon as you dig deeper, it turns out that these are the basic rules for identity and access management that each organization should implement, if not from day one, then as soon as it starts to grow. This will ease the work of the IT department and reduce the possibility of a security breach.

WP icon
FREE WHITEPAPER
Mastering AWS IAM for Amazon S3
  • Introduction to Amazon S3 access tools
  • Writing IAM policies
  • Mastering Amazon S3 identities
New call-to-action