The PAM Sandwich: Joining Privileged Access Management with Identity

Have you ever had a s’mores with a chocolate peanut butter cup instead of just chocolate?  And instead of the graham cracker you use two Ritz crackers?  It is life changing!  Seriously … after you have had one you will be astounded that you have lived your life to this point without pairing these ingredients.  That’s kind of how I felt recently when I started exploring the world of Privileged Access Management (PAM) more deeply.

If you are unfamiliar with PAM, the concept is pretty simple.  You can think of PAM software like a library, but instead of holding books, it holds onto privileged information (for example, credentials for administrative accounts).  You must have a card to check out books from a library, and similarly you must be authorized to check out privileged information from a PAM system.  Unlike a library where you can check out any book if you have a card, a PAM system only lets you check out privileged information that you are authorized to.  This allows for some great stuff – sharing accounts, tracking and auditing actions that are taken when an account checked out, connecting to sensitive systems without the end user ever seeing a password, and automatically rotating credentials so that anything that is leaked won’t be useful for long.

Traditionally, identity governance and administration software – like SailPoint’s IdentityIQTM – has had limited support for privileged (especially shared) accounts.  They can be tracked and managed in identity governance software, but the question of who owns a shared account and how you can request access without handing out the same password to multiple people has been vexing.  On the other hand, PAM software has excelled at providing security and operational control around privileged accounts, but has not provided the level of governance that is required for a truly secure system

Peanut butter cup … meet Ritz.

These worlds are being brought together in IdentityIQ.  IdentityIQ is adding support for reading and writing information on PAM systems, which is part of our new Privileged Account Management Module.  This module adds governance controls such as auditing, approvals, policy checking, and access reviews to privileged access. It also gives quick visibility into who has access to what, and allows making requests to add or remove privileged access.

Of course, the first question that comes to mind is “will my favorite PAM software integrate with IdentityIQ?”  That’s a great question! Once you have tasted it … you don’t want to keep the magic s’mores recipe a secret.  You want everyone to be able to enjoy!  That’s why SailPoint has spent the last half year working with the titans of the PAM industry to create a standard API that integrates identity governance with PAM.  This API is a simple extension to the System for Cross-Domain Identity Management (SCIM) specification.  It augments the SCIM specification by adding PAM-related concepts such as containers (the sections of the library), privileged data (the books), and access controls lists that govern who can access the containers and privileged data (the super-smart library card).  The best part – five of the top PAM vendors have already committed to supporting this API in their products, with others likely to follow.  That’s what you call an industry standard, folks!

If you can’t tell, I’m really excited about this!  So much so that I’ll be speaking about it at the Cloud Identity Summit on Thursday, delving into more of the gory details.  If you’re in Chicago this week, come by and see me.  We can chat about my favorite things as of late – identity governance, PAM, and s’mores.