What is Privileged Identity Management (PIM)? | One Identity (2024)

Privileged Identity Management (PIM) is the practice of securing and managing privileged accounts. Privileged accounts are accounts that have elevated access to sensitive data or critical systems. Examples of privileged accounts include system administrators, database administrators, service accounts, root users and super users.

An organization may implement PIM via a specialized, standalone tool or a set of tools and processes. PIM solutions provide a consolidated platform to create, govern and track privileged accounts. They reduce the risk of data breaches and ensure compliance with industry regulations and standards.

Privileged accounts require special protection because if they are compromised, an attacker can gain access to sensitive data and critical systems. Privileged accounts can also give rise to insider threats, where an employee (intentionally or unintentionally) misuses their elevated access. Properly managing privileged accounts is crucial for preventing such security incidents and maintaining the trust of customers and stakeholders.

What are the key features of Privileged Identity Management?

Privileged Identity Management is a crucial component of any comprehensive cybersecurity strategy. Its key features include, but are not limited to:

  • Discovery of all privileged accounts in an organization, regardless of which platform or application they are used in
  • Centralized provisioning and storage of privileged accounts in a specialized vault
  • Role-based, granular authorization policies for privileged accounts, allowing organizations to enforce the principle of least privilege
  • Enforcement of strong password policies (e.g., automatic, periodic rotation of passwords)
  • Temporary assignment of privileges to accounts, with revocation when they are no longer needed. This is particularly useful when an employee only needs access to a system to perform a single task
  • Tracking and monitoring all activity associated with privileged accounts, including who accessed them, when and what that person did while using them
  • Reporting and auditing of security-critical events (e.g., login and logout events, access requests, and changes to permissions and configurations)

How does Privileged Identity Management work?

Privileged Identity Management solutions aim to provide authorized personnel with time-bound access to sensitive resources, under appropriate circumstances. Here’s how a typical, real-life PIM solution works:

1. Provisioning

The first step involves creating privileged roles that come with specific sets of permissions. For example, one such role could be an Oracle_DB_Admin, which would grant elevated access rights to a pool of Oracle databases. Once the role has been defined, you can then identify a list of authorized identities that are permitted to assume this role (e.g., you may allow senior database administrators to assume the role).

2. User requests time-bound role activation

Once the first step is complete, a user can send a request to assume a privileged role to the PIM solution. This request includes the duration and justification for access. The request undergoes a pre-defined approval workflow that may involve automated processing or require manual approval from a delegated approver.

3. The request is approved or denied

If the user has the necessary rights to assume the privileged role, the PIM solution checks out the credentials and injects them into the user session. If the approval workflow fails, the request is denied and a security incident is logged in the audit records.

4. Privileges are revoked

The privileges are revoked and the session is terminated when the duration ends or the user logs out, whichever occurs first. If the user requires a session to continue beyond the initially approved duration, they can send a session extension request to the PIM.

5. Audit and monitoring

Most PIM tools offer session replay, monitoring and auditing features to track and ensure safe usage of privileged accounts. Admins can examine audit logs to identify any unusual activity and may use session replays to investigate further, if necessary.
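
A minimal model of the five steps above, added here as an illustration rather than taken from One Identity or any PIM product: a role with eligible identities, a time-bound request with justification, automated approval or denial, revocation at expiry, and an audit trail. The class and method names, the user names, the ticket reference and the 60-minute policy limit are assumptions; credential checkout and session injection are not modelled.

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    eligible: frozenset   # step 1: identities permitted to assume the role
    max_minutes: int      # assumed policy: longest activation per request

@dataclass
class Pim:
    roles: dict
    active: dict = field(default_factory=dict)  # (user, role) -> expiry (epoch s)
    audit: list = field(default_factory=list)   # step 5: append-only event log

    def request(self, now, user, role, minutes, justification):
        """Steps 2-3. An extension is a fresh request and passes the same checks."""
        r = self.roles.get(role)
        if r is None or user not in r.eligible:
            reason = "not eligible"
        elif not justification.strip():
            reason = "no justification"
        elif not 0 < minutes <= r.max_minutes:
            reason = "duration outside policy"
        else:
            self.active[(user, role)] = now + minutes * 60
            self.audit.append((now, "APPROVED", user, role, justification))
            return True
        self.audit.append((now, "DENIED", user, role, reason))
        return False

    def is_active(self, now, user, role):
        """Step 4: expiry is enforced on every access check."""
        expiry = self.active.get((user, role))
        if expiry is not None and now >= expiry:
            self.logout(now, user, role, "duration ended")
            return False
        return expiry is not None

    def logout(self, now, user, role, detail="logout"):
        if self.active.pop((user, role), None) is not None:
            self.audit.append((now, "REVOKED", user, role, detail))

def demo():
    # Constructed sample data: role name from the text, user names invented.
    pim = Pim({"Oracle_DB_Admin": Role(frozenset({"alice"}), 60)})
    pim.request(0, "mallory", "Oracle_DB_Admin", 30, "curious")      # denied
    pim.request(0, "alice", "Oracle_DB_Admin", 30, "patch CHG-1")    # approved
    in_window = pim.is_active(1799, "alice", "Oracle_DB_Admin")
    after = pim.is_active(1800, "alice", "Oracle_DB_Admin")          # revoked
    return in_window, after, [e[1] for e in pim.audit]
```

Denied requests are written to the same log as approvals and revocations, so a reviewer sees failed activation attempts alongside normal use.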

The difference between PIM, PAM and IAM

PIM, Privileged Access Management (PAM) and Identity & Access Management (IAM) are all related but have different focuses. IAM manages and secures user identities and access to resources, including privileged users. PIM manages and secures the identities of privileged accounts. PAM manages and secures the access of privileged accounts to sensitive resources. These solutions often work together to provide comprehensive security, with IAM providing the foundation, and PIM and PAM providing additional layers of security.

IAM

IAM is a broad term that refers to the policies, processes, and technologies used to manage digital identities and their access to resources. IAM encompasses various access management mechanisms, including PIM and PAM, as well as other identity management tools.

PIM

PIM focuses on managing and securing the identities of privileged accounts, including the creation, maintenance and revocation of accounts with elevated permissions. PIM tools typically provide support for discovering privileged accounts, managing their lifecycle and enforcing access controls to limit access to only authorized individuals or groups.

PAM

PAM can be considered a superset of PIM, as PAM solutions provide a broader range of functionalities for managing and securing privileged accounts.

While both PIM and PAM are concerned with managing and securing privileged accounts, PAM goes beyond PIM to offer additional features such as Just-in-Time privilege assignment, secure passwordless remote access and session recording capabilities. PAM solutions provide granular control over privileged access, allowing organizations to monitor and validate privileged access in real time and detect and respond to suspicious activity.

How do PIM and Active Directory work together?

Some PIM tools integrate with Active Directory (AD) to discover and manage privileged accounts stored in an AD server. This integration adds security layers to AD-based authentication, such as granular access control, monitoring and Just-in-Time privileged access.

By integrating with AD, PIM solutions can identify and manage privileged accounts in the AD environment, reducing the risk of privilege escalation attacks. PIM tools can also provide granular access controls for privileged accounts, limiting access to only authorized individuals or groups. Additionally, PIM tools can monitor and audit privileged account activity in real time, helping to detect and respond to suspicious activity.

Just-in-Time privileged access is another feature that some PIM solutions offer. This feature allows users to request temporary privileged access to perform specific tasks and automatically revokes the access once the task is completed. This approach ensures that privileged access is only granted for as long as it is needed, reducing the risk of misuse.

Conclusion

Privileged Identity Management enhances your security posture by enforcing tighter governance of privileged identities, keeping hackers out and preventing bad actors from causing damage to your organization.

Secure your privileged accounts with One Identity PAM solutions

One Identity Privileged Access Management (PAM) solutions offer seamless security for privileged access that scales and evolves with your business.

Article information

Author: Dean Jakubowski Ret
