IGA, IAM and PAM: what is the difference?

Since the emergence of computer systems, one of the biggest challenges faced by IT teams has been verifying the identity of users in order to authenticate them and authorize their access to those systems. This verification can be performed, for example, through the username and password paradigm.

It is not by chance that the exploitation of weaknesses in user identity and credentials is one of the attack vectors most used by malicious actors to carry out cyber attacks.

According to the Verizon Data Breach Investigations Report 2021,

61% of data breaches involved credential data.

The costs associated with this type of attack are also higher. According to IBM's Cost of a Data Breach Report 2021, while the average cost of the data breaches surveyed was USD 4.24 million, when a breach starts with compromised credentials this cost rises to USD 4.37 million. As a result, mitigating the risks associated with user identity is increasingly tied to ensuring business continuity.

In this context, several disciplines have been developed to implement identity programs and manage access for people, identities and privileged credentials in organizations of all sizes and verticals.

Identity and Access Management (IAM), Identity Governance and Administration (IGA) and Privileged Access Management (PAM) are among these disciplines, and are directly associated with the protection of identities and of the accesses they perform in the infrastructure.

We will now look at each of these concepts to understand their differences and particularities. You can also learn more about these concepts in the Cyber Notes Cast podcast.

Identity and Access Management, or IAM, is the area of IT management that ensures the correct users, according to their roles within the organization, can access the tools they need to perform their activities.

IAM systems include the policies, procedures and technologies that help organizations reduce the risks associated with identities accessing the environment. It is worth remembering that these identities can belong to people or to machines, including software and devices such as those related to the Internet of Things (IoT).

Gartner, for example, defines IAM as the discipline that enables the right users to access the right resources at the right times and for the right reasons. Simply put, IAM solutions ensure that a user, piece of software or device is who it claims to be by authenticating the associated credentials, offering a more secure and flexible approach than traditional username and password schemes alone.

Furthermore, this type of solution grants only the level of permissions appropriate to the activities to be performed, in line with the principle of least privilege.

IAM solutions increase both the level of security and the productivity of users, in addition to supporting compliance with regulations and data protection laws such as GDPR and CCPA. Organizations that implement IAM programs are therefore able to mitigate security risks.

The second concept is Identity Governance and Administration, or IGA. IGA solutions enable organizations to mitigate access risks associated with identity more effectively.

In addition, this type of tool automates the creation, management and certification of user accounts, roles and access permissions. In this way, it is possible to streamline user provisioning, password and policy management, access governance and access reviews across the infrastructure.

According to Gartner, IGA differs from IAM in that it

allows organizations to not only define and enforce IAM policies, but also connect IAM functions to meet audit and compliance requirements.

In short, Identity Governance and Administration tools are intended to ensure that IAM policies are connected to each other, properly enforced, and auditable.

The third discipline is Privileged Access Management, or PAM. PAM covers the mechanisms for protecting identities with privileged or administrative access.

These accesses differ from standard accesses in that they allow the holder to perform maintenance activities, change settings, or obtain superuser access. Privileged access can be tied to several kinds of credentials, including user accounts and service accounts, as well as SSH keys, digital certificates and DevOps secrets.

Complementing these concepts with Gartner's definition, PAM refers to "technologies developed to protect accounts, credentials and operations that offer a high (privileged) level of access."

Gartner considers it

virtually impossible to mitigate privileged access risks without specialized PAM solutions.

In this way, PAM tools, according to Gartner, "help organizations provide secure privileged access to critical assets", in addition to meeting compliance requirements through the management and monitoring of privileged accounts and access. See the webinar specially prepared to present PAM best practices according to Gartner.

Key capabilities associated with PAM include discovery of privileged accounts spread across devices, applications and infrastructure environments; credential management; management, monitoring and recording of remote sessions; and delegation and elevation of privileged commands.

The PAMaturity tool allows cybersecurity managers to check their PAM maturity level and then build a roadmap for deploying these capabilities.

Within the Privileged Access Management discipline, Gartner also establishes three classifications for the different mechanisms these tools provide. These classifications are:

Privileged Access and Session Management, or PASM: allows privileged sessions to be established, optionally with credential injection (the user never sees the password) and remote session recording. PASM solutions also manage the credentials of privileged users and service accounts;

Privilege Elevation and Delegation Management, or PEDM: PEDM solutions provide command control and privilege elevation on Windows and Linux hosts, allowing specific privileged commands to be executed by standard users without handing them a full administrative account;

Secrets Management: secrets management tools allow the storage, management and retrieval of software and machine secrets through APIs and Software Development Kits (SDKs). These secrets can be, for example, passwords, OAuth tokens and SSH keys. Learn more in the webinar about secrets management and how development teams can build security into the software development process.
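To make the PEDM classification concrete, the following is an added example written for this article; it is not Gartner's or any product's code. It shows the core of a command-control decision: a standard user asks to run a command elevated, the broker resolves the program against a trusted path map (never the caller's PATH), matches the exact argument vector against an allowlist for the user's group, and writes an audit record. The policy, group membership, trusted paths and audit log are all constructed for the example. Because the command is split into an argument vector and never handed to a shell, a request such as `systemctl restart nginx; cat /etc/shadow` is simply a command with too many arguments, and path arguments are normalised before matching so `..` segments cannot escape the allowed directory.

```python
"""Minimal PEDM-style command control: decide whether (user, command) may run
elevated under an allowlist policy, and record the decision for audit."""
import fnmatch
import posixpath
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One allowlist entry: members of `group` may run `program` elevated, but
    only with an argument vector matching `arg_patterns` one-to-one (fnmatch)."""
    group: str
    program: str
    arg_patterns: tuple


# Constructed policy for this example (not a real product's policy format).
POLICY = (
    Rule("webops", "/usr/bin/systemctl", ("restart", "nginx")),
    Rule("webops", "/usr/bin/systemctl", ("status", "nginx")),
    Rule("dba", "/usr/bin/tail", ("-n", "[0-9]*", "/var/log/postgresql/*.log")),
)

# Constructed group membership; a real deployment reads this from the directory/IAM.
GROUPS = {"alice": {"webops"}, "bob": {"dba"}, "mallory": set()}

# Constructed map of bare command names to trusted absolute paths. The requester's
# own PATH is never consulted, so a planted ./systemctl cannot be elevated.
TRUSTED_PATHS = {"systemctl": "/usr/bin/systemctl", "tail": "/usr/bin/tail"}

AUDIT_LOG = []  # constructed in-memory audit trail; a real PEDM ships this to a SIEM


def resolve_program(name):
    """Return the trusted absolute path for the requested program, or None."""
    if name.startswith("/"):
        return name if name in TRUSTED_PATHS.values() else None
    return TRUSTED_PATHS.get(name)


def normalise_arg(arg):
    """Collapse '..' and '.' in path-like arguments so the pattern check sees the
    real target: '/var/log/postgresql/../../../etc/shadow.log' -> '/etc/shadow.log'."""
    return posixpath.normpath(arg) if "/" in arg else arg


def rule_matches(rule, program, args):
    """Exact arity plus per-argument glob match; extra or missing args never match."""
    if rule.program != program or len(rule.arg_patterns) != len(args):
        return False
    return all(fnmatch.fnmatchcase(a, p) for a, p in zip(args, rule.arg_patterns))


def evaluate(user, command_line, policy=POLICY, groups=GROUPS):
    """Decide whether `user` may run `command_line` elevated.

    Returns a decision record {"allowed", "argv", "reason", ...} and appends it to
    AUDIT_LOG. On allow, `argv` is the exact vector the broker would execute
    (trusted program path plus normalised arguments), never a shell string."""
    argv = shlex.split(command_line)
    decision = {"user": user, "requested": command_line,
                "allowed": False, "argv": None, "reason": ""}
    if not argv:
        decision["reason"] = "empty command"
    else:
        program = resolve_program(argv[0])
        args = [normalise_arg(a) for a in argv[1:]]
        if program is None:
            decision["reason"] = f"program not in trusted path map: {argv[0]}"
        else:
            for rule in policy:
                if rule.group in groups.get(user, set()) and rule_matches(rule, program, args):
                    decision["allowed"] = True
                    decision["argv"] = [program, *args]
                    decision["reason"] = f"matched allowlist rule for group {rule.group}"
                    break
            else:
                decision["reason"] = "no allowlist rule matches user, program and arguments"
    AUDIT_LOG.append(decision)
    return decision


if __name__ == "__main__":
    requests = [
        ("alice", "systemctl restart nginx"),
        ("alice", "systemctl restart nginx; cat /etc/shadow"),
        ("alice", "/usr/local/bin/systemctl restart nginx"),
        ("bob", "tail -n 100 /var/log/postgresql/postgresql-15-main.log"),
        ("bob", "tail -n 100 /var/log/postgresql/../../../etc/shadow.log"),
        ("bob", "systemctl restart nginx"),
        ("mallory", "systemctl status nginx"),
    ]
    for user, cmd in requests:
        d = evaluate(user, cmd)
        print(f"{'ALLOW' if d['allowed'] else 'DENY ':5} {user:8} {cmd!r}: {d['reason']}")
```

The design point is that elevation is granted per command and per argument vector, not per account: alice never receives root, only the right to have the broker run exactly `/usr/bin/systemctl restart nginx` on her behalf, and every decision, allowed or denied, lands in the audit trail.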

With the increase in cyber attacks carried out through privileged accounts and access, it is increasingly necessary for security leaders to understand the importance of implementing adequate policies to protect identity and access.

Investing in dedicated IAM, IGA and PAM tools helps organizations of all sizes and verticals improve their identity management posture. In this way, they can mitigate security risks, support compliance with security regulations and policies, and increase operational efficiency.

More articles by Marcus Scharra, MSc