Access Management (AM), Identity Management, Identity and Access Management (IAM), and Privileged Access Management (PAM): while these terms use similar language and act to strengthen an organization’s security posture, they each have separate and distinct meanings.
Access Management (AM) ensures access is granted to valid users and denied to invalid users by identifying, tracking, and regulating users' access to a system or application. While Identity Management creates and manages the users, roles, groups, and policies, Access Management ensures those roles are assigned the proper access to resources based on those policies. AM is a governance process often used in conjunction with Identity Management to form a comprehensive IAM system, which manages both user identities and access privileges.
On the other hand, PAM is a subset of Access Management that provides additional protection for privileged accounts: accounts that operate at an administrative or system level. These are typically powerful accounts that give the user complete access to the system or application, so organizations make strong efforts to protect them. While AM refers to having the rights to certain resources or systems, PAM refers to having the rights to use privileged accounts.
Where Do You Fall on the Access Management Maturity Model?
At Level 1, the most rudimentary access management level, there are two prerequisites from other IAM tenets, one of which we’ve already covered in our maturity model series, ILM, and one yet to come, governance. While fairly advanced ILM capabilities are required for Level 1 of the Access Management Maturity Model, only basic governance functionality is needed.
At Level 1, Access Management is based on two primary models of access control: Attribute-Based Access Control (ABAC) and Role-Based Access Control (RBAC). Level 1 birthright access management is automated utilizing ABAC; however, any exceptions needed are handled on a manual or ad-hoc basis.
In order to be at Level 2 in the Access Management Maturity Model, an organization must have a mechanism in place to handle these exceptional access requests.
In addition, another characteristic of Level 2 is that Access Management is refined to associate users with entitlements, which typically go through a request or approval process. Using self-service capabilities, users request exceptions through the automated mechanism in place. Business owners then review requests for their given system or application and determine whether access is needed. Most likely, business owners will consider factors such as the sensitivity level of the resource and whether a license is associated with it before approving or denying a request.
In Level 3, Privileged Access Management (PAM) comes into the mix to protect privileged or high-risk accounts, such as shared system or service accounts. For example, this may include an organization's administrative user accounts and root user accounts for systems such as operating systems, directory services, databases, and individual applications that require a super user account.
In Level 4, the ultimate goal is to fully adopt the principle of least privilege everywhere: providing users only the access they need for the minimum time they need it, and then removing that access or privilege. This principle affords another critical benefit: every request, grant, revoke, or other access control action is auditable. In this way, organizations will always know who did what and when, so they are always ready for an audit.
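As an added illustration (not code from the original post or any vendor product), the following small Python model walks through the stages described above: attribute-driven birthright grants, an owner-approved exception path, and time-bound grants whose every request, grant, deny and revoke lands in an audit trail. The department attribute, the entitlement names, the business-owner mapping and the eight-hour exception lifetime are constructed assumptions.

```python
from datetime import datetime, timedelta

class AccessManager:
    """Toy model: ABAC birthright (Level 1), owner-approved exceptions (Level 2), time-bound grants plus audit (Level 4)."""
    def __init__(self, birthright_rules, owners):
        self.birthright_rules = birthright_rules  # dept attribute -> entitlements (ABAC)
        self.owners = owners                      # entitlement -> business owner
        self.grants = {}                          # user -> {entitlement: expiry datetime}
        self.audit = []                           # (action, actor, user, entitlement, when)

    def _log(self, action, actor, user, ent, when):
        self.audit.append((action, actor, user, ent, when))

    def onboard(self, user, attrs, now):
        # Level 1: birthright access derived from the 'dept' attribute, no human in the loop
        for ent in sorted(self.birthright_rules.get(attrs["dept"], ())):
            self.grants.setdefault(user, {})[ent] = now + timedelta(days=365)
            self._log("grant", "birthright", user, ent, now)

    def request_exception(self, user, ent, approver, now, ttl=timedelta(hours=8)):
        # Level 2: self-service request; only the entitlement's business owner may approve
        self._log("request", user, user, ent, now)
        if self.owners.get(ent) != approver:
            self._log("deny", approver, user, ent, now)
            return False
        self.grants.setdefault(user, {})[ent] = now + ttl  # Level 4: approved access still expires
        self._log("grant", approver, user, ent, now)
        return True

    def has_access(self, user, ent, now):
        # Expired grants are revoked on sight, and the revoke is audited like any other action
        expires_at = self.grants.get(user, {}).get(ent)
        if expires_at is not None and now >= expires_at:
            del self.grants[user][ent]
            self._log("revoke", "expiry", user, ent, now)
            return False
        return expires_at is not None

def run_scenario():
    # Constructed walk-through: one finance user asks for a privileged ERP role
    am = AccessManager({"finance": {"erp-reader"}}, {"erp-admin": "cfo"})
    t0 = datetime(2024, 1, 1, 9, 0)
    am.onboard("alice", {"dept": "finance"}, t0)
    self_approved = am.request_exception("alice", "erp-admin", "alice", t0)  # refused: not the owner
    owner_approved = am.request_exception("alice", "erp-admin", "cfo", t0)   # granted for 8 hours
    return {"birthright": am.has_access("alice", "erp-reader", t0),
            "self_approved": self_approved, "owner_approved": owner_approved,
            "during_ttl": am.has_access("alice", "erp-admin", t0 + timedelta(hours=7)),
            "after_ttl": am.has_access("alice", "erp-admin", t0 + timedelta(hours=9)),
            "actions": [entry[0] for entry in am.audit]}
```

The audit list answers the "who did what and when" question directly: every entry names the actor, the user affected, the entitlement and the time, including the automatic revoke when the exception expires.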