Everything you need to know about IAM and PAM working together

Blog by WALLIX


The road to digitization, while necessary for organizations of all types, is not exactly a bed of roses. As companies undergo these changes, they are witnessing how the complexity of their IT infrastructures increases. In this context, employees, contractors, and third parties’ access rights expand, making the job of security departments, which are responsible for defining and enforcing identity-based policies, more difficult.

The question here is, how do the security teams track user identities? Well, thanks to an IAM system. This technology, although its name may not be familiar to you, is widespread. Let us give you an example: have you ever been placing an order on a website and when you were about to pay, you were asked to enter your username and password to proceed with the payment? That is exactly what an identity management system does.

You may now think that this system is very simple, but the truth is that it is a technology that can quickly become complicated. Large companies can have hundreds of IT assets with different access requirements managed by IAM systems. These technologies keep track of people with access privileges determined by role, so, for example, a user with an HR role may have access to systems related to their job, but not sales systems.

IAM technology also governs the access of a company’s users to applications, databases, storage resources, or partners… and it does so by following these steps:

  • Authenticate – Determine if the user is who he/she claims to be.
  • Authorize – Confirm that the user has permission to access a given resource.
  • Provide/Revoke access – Grant and revoke access rights as needed.
  • Track access rights – Audit usage rights.

PAM: the missing ingredient

However, to achieve comprehensive protection of your organization, it is not enough to keep track of users’ identities, but also of their access privileges. Privileged users are very important to companies, but they are also a major source of danger. These users can access the back end of systems and then make changes, set up accounts, and modify sensitive assets thanks to their elevated privileges.

And since these users are special, the technologies used to track and control their actions should be too, since their malpractices or mistakes can lead to major headaches, from data breaches to non-compliance with regulations.

This is where Privileged Access Management or PAM solutions, which control and monitor the access of these special users, come into play.

A combined IAM-PAM solution

In an ideal — but possible — world, IAM and PAM technologies would work together. In this way, privileged access requests would be handled according to established identity governance policies, meaning that all access requests and grants would be part of a single access control chain.

But, of course, the world is not that simple and, as you might expect, IAM and PAM systems are often separate. That’s why a joint or interoperable IAM-PAM solution that can centralize identity governance is the key to success.

And this is no joke. The worst IT security threats involve the manipulation of privileged identities, such as misappropriation. IAM solutions, while offering a way to govern identity, often lack the functionality to manage access to privileged accounts, while PAM solutions tend to be standalone entities that focus primarily on monitoring and/or logging the actions of privileged users. Therefore, a combined IAM-PAM solution can mitigate identity governance risks better than separate IAM or PAM solutions.