Privileged Access Management (PAM) Forum

Victoria Smith
User at Yogafun
Jul 26 2021


Can someone explain the difference between PAM and PAS?


ABHILASH THPAM, PIM and PAS and acronyms are related to the same thing: (PAM) solutions control and monitor access “privileged access” by these special users. In an enterprise environment, “privileged access” is a term used to designate special access or abilities above and beyond that of a standard user. Privileged access allows organizations to secure their infrastructure and applications, run the business efficiently and maintain the confidentiality of sensitive data and critical infrastructure. Privileged access can be associated with human users as well as non-human users such as applications and machine identities. Organizations implement privileged access management (PAM) to protect against the threats posed by credential theft and privilege misuse. PAM refers to a comprehensive cybersecurity strategy – comprising people, processes and technology – to control, monitor, secure and audit all human and non-human privileged identities and activities across an enterprise IT environment. PAM is grounded in the principle of least privilege, wherein users only receive the minimum levels of access required to perform their job functions. The principle of least privilege is widely considered to be a cybersecurity best practice and is a fundamental step in protecting privileged access to high-value data and assets. (PAS) Privileged Access Security is a full life-cycle solution for managing the most privileged accounts and SSH Keys in the enterprise. It enables organizations to secure, provision, manage, control and monitor all activities associated with all types of privileged identities, such as: -Administrator on a Windows server -Root on a UNIX server -Cisco Enable on a Cisco device -Embedded passwords found in applications and scripts (Privileged Threat Analytics ) is an important feature of PAS. Since privileged accounts are most often compromised as part of an attack, Privileged Threat Analytics (PTA) continuously monitors the use of privileged accounts that are managed in the PAS platform, as well as accounts that are not yet managed by PAM, and looks for indications of abuse or misuse of the platform. PTA also looks for attackers who compromise privileged accounts by running sophisticated attacks, such as Golden Ticket. This functionality enables the platform to provide proactive security To mitigate the risk of a serious breach, enterprises need to adopt a security solution that specifically addresses their privileged access exposure. Privileged Access Security Solution provides the comprehensive protection, monitoring, detection, alerting, and reporting required to stay one step ahead of the attackers and safeguard organizations' most critical assets.
Kishan KendreHi Victoria, Please find the difference between PAM and PAS (PIM) We have two different directory environments:  Active Directory (AD) and Azure Active Directory (AAD). One being on-premises (AD) and one in the Cloud (AAD).  PAM deals with elevated privileges on-premises with any system that uses Active Directory to control the access. PIM does the same sort of thing for access to roles in Azure AD. Easy to remember if you think that ‘pAm’ is Active Directory and ‘pIm’ is the Internet. PIM and PAM can be used to help address the following problems: Pass the hash attacks. Pass the ticket attacks. Spear phishing. Lateral movement attacks. Privilege escalation. So, PIM and PAM are related but live in two different realms. One provides access to AD resources and one to the Internet. Providing access to elevated privileges for the right users, when they need them. Both have their place, but they work independently to control privileged access to services. I hope this gives a basic idea. Kishan
reviewer1637214Hi Victoria, In short, PAM (Privileged Access Management) is but one of the technologies defined within PAS (Privileged Access Security).  While a PAM solution protects your administrative and other sensitive accounts used by both humans and processes, PAS is the superset wrapping endpoint management, provisioning, monitoring, automation, workflow, auditing/reporting and governance into the mix. -- Bruce
Luis Surmay
Copywriter at Gb Advisors
Jul 08 2021


I am researching Privilege Access Management solutions. I'd like to know if BeyondTrust is considered expensive in comparison to similar solutions? 

Any additional feedback?


Giovanni PeriniIt depends on a lot of things.  We are currently doing a comparison and it depends on our growth scenario which solution will be more expensive. (Compared to CyberArk). So I don't think that it is more expensive than similar solutions. 
reviewer1388394It is not much expensive as compared with other leading solutions, much easier to deploy and manage. All about what architecture you selected to use and then depends upon a number of other factors. 
Evgeny Belenky
IT Central Station
Jul 01 2021

Hi community, 

Let's discuss this relatively new term: Cybersecurity Mesh. What is Cybersecurity Mesh? And how is this term related to Zero Trust architecture?

Share your professional expertise with other peers!

Cybersecurity Mesh vs Zero Trust


Ahmad ZuhdiThe cybersecurity mesh is a key component of a zero-trust network philosophy, whereby any device is by default not trusted to access the broader network.
Paresh Makwana
Director at a tech services company with 1-10 employees
May 21 2021

I am a director of a small tech services company.

How do you think AI and ML will help or work with Privileged Identity Management (PIM) and Privileged Access Management (PAM)?

Idan ShohamFirst, terminology - there really is no such thing as privileged identity management. PAM systems broker access to existing accounts and other entitlements - they do not normally create or manage the lifecycles of identities (login accounts, etc.) which is what identity management means. That's just a misnomer introduced and later abandoned by some vendors. As for the link between ML/AI and PAM - it is basically to identify unusual but authorized access and trigger either extra authorization or at least alerts. It's normal that John connects to root on the Linux server M-F in the morning, but it's really strange at 3AM on Saturday, so invite John's manager to approve the odd-looking request.
AslamImrozeTypically any new latest PAM comes with a great number of options for automation. Integration with JSON scripts is also possible. It depends on what is the use case you want to achieve. If an ML can trigger AI to send some request to PAM then based upon the input received and configured automation rules in PAM the action will be taken. BeyondTrust PAM can do this.
Evgeny Belenky
IT Central Station
Apr 30 2021


Please share your expertise and experience with the community on how to start implementing a Zero Trust model in an enterprise.

Thank you!

ABHILASH THWhat is zero trust? Assume zero trust when someone or something requests access to work assets. You must first verify their trustworthiness before granting access. Zero Trust is rapidly becoming the security model of choice for many organisations; however, security leaders often struggle with the major shifts in strategy and architecture required to holistically implement Zero Trust. As Zero Trust security itself is a strategy, so too is its deployment. The best approach to reaching a Zero Trust framework is to start with a single-use case, or a vulnerable user group, for validation of the model. Main Pillars of Zero Trust and where to start 1. Inventory of Devices ( HW and SW Asset ) 2. Identities ( Visibility and Management of Users ) – including internal and external workforce, services, customer access and IOT components 3. Privilege Account and Access Management, Least Privileges for std users 4. NAC, Visibility of Devices connected to your network- and enforcing device health and compliance 5. Apps and APIs – ensuring they have appropriate permissions and secure configurations 6. Endpoint Management Solution 7. Data – giving it the necessary attributes and encryption to safeguard it. 8. Networks – establishing controls to segment, monitor, analyse and encrypt end-to-end traffic
Simone Antonaci
User at 2Five1
Feb 19 2021

Kindly advise on the top 5 solutions within the industry to look at. 

Kishan KendreHi Simone, Following are the products which you can look for your requirement. I recommend to select any solutions depend on the your organization need. Is it needed on premise or on cloud. Do you need SAAS service or have in house deployment. On these conditions cost will differ. My personal opinion is  CyberArk,  Thycotic,  Wallix Beyondtrust Microsoft Azure AD Premium Thanks, Kishan
reviewer1308201Hi Simone, When we started the PAM journey we POC'ed three vendors based on the use cases and the roadmap for your requirements.  Since the world is shifting to cloud infrastructure, i would recommend looking at these vendors.   One Identity (Safe Guard), CyberArk, and Beyondtrust.  We decided to go with One Identity because it was the right fit for our use cases and requirements.  We have been using safe guard for several years and it did not disappoint so far! Rock Solid tool.
reviewer1324719I would first state that you are asking an unqualified question. The PAM tool that matches your organizations requirements, use cases, volume, and many other considerations, will need to be considered in this equation. I like the previous answer by Kishan as I like those products and see them employed successfully. The converse is also true if not carefully scoped and evaluated. PAM tools can be costly and contain confounding arrays of security features and terminology synchronization will be key in ensuring you are getting what you actually are asking for. On top of the software cost implications you will have the Architectural, Implementation, and Administration costs nipping at your heels. Consider also that this is not a "PAM Project", but a long term Program and buy-off must start from the very top of your organization. I have witnessed, and participated, in projects that started out with your question, and many went off the rails, unless important considerations are taken into account: 1. Define your requirements with granularity, including integration with your existing infrastructure such as: Authentication / Authorization / MFA, syslog, analytics, Disaster Recovery and High Availability just to name a few. 2.Determine your overall goals relating to Least Privilege, Standing Privilege, Just in time Privilege, and No standing privilege. Do you require Session Recording and Keystroke Logging, as they are not always bundled  into the initial price and sometimes not together, and may be individual features in your initial quotations and can unpleasantly surprise you. 3. Provision a comprehensive test environment to confirm the viability of the product choices within your infrastructure. 4. Select a vendor or integration partner to back-fill the expertise gaps in your organization as these skill-sets are very expensive and marketable. I apologize for not answering your question directly, but I would consider looking into the Gartner resources, KuppingerCole and so on. In a short direct answer I favor CyberArk, BeyondTrust, Thycotic, Centrify, and StealthBits, and these are definitely not in any preferential order.
Oluwatosin Soyoye
User at Union Bank PLC

My Bank is currently looking at PAM Solutions.

Kindly advise on the top 5 solutions within the industry that can be looked at. We would like to engage from the OEM point of view to have a POC carried out before we make any commercial engagement.

Aji JosephPAM solutions worth considering are CyberArc, Centrify, Beyond Trust, Thycotic & Fudo.
Alex LozikoffI would advise choosing among Gartner MQ Leaders. You are a Bank so the solution should be robust. According to the latest Gartner PAM MQ the leader are CyberArk, Centrify, Beyond Trust, Thycotic. If you need 5 options, take a look at One Identity. FUDO was excluded by Gartner from the latest PAM MQ.
Oleg ShaburovI'd say that everything depends on your detailed requirements. I can tell that I know many customers who selected One Identity because it was ideal for their needs. Here is what they valued most: 1. Ease of deployment. After several months of piloting competitive solutions, One Identity pilot was started within 1 week (in basic scenarios that can be started within 2 days). 2. No need to deploy agents on servers. That is really important for critical infrastructure. 3. No need to change tools on the client's side. Admins really like it. They are not forced to use some inconvenient tools. 4. Scalability: I'd say that there is no company whose needs cannot be covered by this solution. If you value the same things than have a look at One Identity.
Menachem D Pritzker
Director of Growth
IT Central Station

On July 15, 2020, several verified Twitter accounts with millions of followers were compromised in a cyberattack. Many of the hacked accounts we protected using two-factor authentication, which the hackers were somehow able to bypass.

Hacked accounts included Barack Obama, Joe Biden, Bill Gates, Jeff Bezos, Mike Bloomberg, Warren Buffett, Kim Kardashian, and Kanye West, Benjamin Netanyahu, and several high profile tech companies, including Apple and Uber.

The hackers posted variation of a message asking follower to transfer thousands of dollars in Bitcoin, with the promise that double the donated amount would be returned.

How could Twitter have been better prepared for this? How do you rate their response?

Ken ShauretteFor some good information from a leading expert check out the webinar today 7/17 on Brighttalk by Alex Holden..... We have a lot of questions about the Twitter breach but not so many answers. I can tell you that similar cryptocurrency fraud campaigns are on-going on different social media platforms and on a different scale. Tomorrow (Friday) at 11 am CT on BrightTalk We will discuss what we know about the breach and disturbing patterns that are emerging everywhere.
Ken ShauretteI like the potential for catching an unusual activity like that with our recently implemented endpoint detection tool, Cynet360.  It seems so far to have about the highest level of transparency into the endpoint with a 24x7x365 backing of monitoring.  
Russell WebsterSpan of control, Solid RBAC, Privileged Access Management (PAM)