
technology focus

'PAM BEFORE IAM'?

PAM AND IAM ARE BOTH CRUCIAL AREAS OF PROTECTION - THOUGH PAM SHOULD LEAD THE WAY, ARGUES ONE ADVOCATE OF THE TECHNOLOGIES

Graham Hawkey, Osirium.

Identity and Access Management is a critical consideration in cybersecurity, says the National Institute of Standards and Technology, which is working on an IAM roadmap (see pages 20-21) - that is welcomed by Graham Hawkey, PAM specialist, Osirium.

"NIST says the purpose is to present 'a set of strategic objectives, priorities, and initiatives' and it's clear that this is a project looking at the long-term strategy and requirements," he says. "With that in mind, it is important that this roadmap should also seriously consider and factor in the role of Privileged Access Management (PAM) and the way it couples with and complements IAM, combining to create a powerful, complete solution for a modern IT environment. NIST says IAM is a 'key component to creating trusted, modern digital services' and 'a fundamental and critical cybersecurity capability'. Some would view IAM as being so critical that it is the central view of truth, delivering a 'single pane of glass' to control everything they can do within an organisation by knowing everything about a person's identity. Somewhat akin to George Orwell's dystopian view of the future."

But this is an illusion, he adds, and breaks down when it is realised you need to take into account what a privilege (or attribute that maps to a privilege) means. "Because these privileges are so contextual, the further you are from a device, the further you are from the truth of privilege-based risk," states Hawkey. "So, although IAM is one piece of the puzzle in building robust cyber resilience, it leaves a hole in the bigger picture, with a crucial component missing. What it boils down to is that IAM is essentially about proving who you are, but it doesn't provide any help in controlling what users can do once they've retrieved credentials and logged in. You also need to be able to control what you can do and how you do it. IAM tools authenticate the person, then PAM manages the system access for that user. It's a powerful combination."

Furthermore, he states, IAM and PAM users enter applications through different interfaces. "Whilst the audience of IAM enter through the 'shop door', PAM users are 'back office' based. Consequently, there is a difference in attack surface. While both areas of protection are crucial, it's not a chicken-and-egg situation. PAM should always come first. This is because PAM delivers a connection between privileged users and the role-based accounts that they need. These accounts exist on the raw systems before deployment and continue throughout the lifetime of a system, device or application. In fact, they are so important that they are the very accounts that are needed to set up a connection to an IAM system in the first place. In summary, it's 'PAM' before 'IAM', to protect the 'I' in IAM."
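The hand-off Hawkey describes (IAM authenticates the person; PAM then decides which role-based account that person may use, on which system, for how long, and keeps the record of what was done) is sketched below as an added, constructed Python model. It is not code from the article, from Osirium or from NIST, and every name in it (the directory entries, the `db01` target, the `oracle` and `root` role accounts, the group names, the vaulted secrets) is made up for illustration.

```python
"""Constructed illustration of the IAM -> PAM hand-off: IAM proves who a
person is; PAM decides which role-based account they may use, on which
system, for how long, and records what they did. Not Osirium/NIST code."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# ---- IAM side: authentication yields an identity and nothing more ----------
_SALT = b"constructed-salt"  # constructed; a real directory salts per user


def _pw_hash(password: str) -> str:
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


# Constructed directory: user -> (password hash, group memberships)
DIRECTORY = {
    "alice": (_pw_hash("correct horse"), {"dba-oncall"}),
    "bob": (_pw_hash("battery staple"), {"helpdesk"}),
}


@dataclass(frozen=True)
class Identity:
    user: str
    groups: frozenset


def iam_authenticate(user: str, password: str):
    """Return an Identity on success, None otherwise. Says nothing about privilege."""
    rec = DIRECTORY.get(user)
    if rec is None or not hmac.compare_digest(rec[0], _pw_hash(password)):
        return None
    return Identity(user, frozenset(rec[1]))


# ---- PAM side: role-based accounts that exist on the systems themselves ----
# (target, account) -> groups entitled to use it. Constructed.
ENTITLEMENTS = {
    ("db01", "oracle"): {"dba-oncall"},
    ("db01", "root"): {"platform-admins"},
}
# Vaulted credentials of those accounts; users never receive them. Constructed.
VAULT = {
    ("db01", "oracle"): "constructed-oracle-secret",
    ("db01", "root"): "constructed-root-secret",
}


def _target_execute(target: str, account: str, password: str, command: str) -> str:
    """Stand-in for the managed system: accepts only its own account password."""
    if VAULT.get((target, account)) != password:
        raise PermissionError("target rejected credential")
    return f"[{target}] {account}$ {command}"


@dataclass
class Session:
    user: str
    target: str
    account: str
    session_id: str
    expires_at: float  # epoch seconds


class PamBroker:
    """Maps an authenticated identity to a time-bound, audited privileged session."""

    def __init__(self, max_minutes: int = 30, now=time.time):
        self.max_seconds = max_minutes * 60
        self._now = now          # injectable clock so expiry can be exercised
        self._sessions = {}
        self.audit = []          # every decision lands here, granted or not

    def request_session(self, identity: Identity, target: str, account: str):
        allowed = ENTITLEMENTS.get((target, account), set())
        if not identity.groups & allowed:
            self.audit.append(("DENY", identity.user, target, account))
            return None
        sess = Session(identity.user, target, account,
                       secrets.token_hex(8), self._now() + self.max_seconds)
        self._sessions[sess.session_id] = sess
        self.audit.append(("GRANT", identity.user, target, account, sess.session_id))
        return sess

    def run(self, session_id: str, command: str):
        """Execute through the broker; the vaulted credential is injected, not disclosed."""
        sess = self._sessions.get(session_id)
        if sess is None or self._now() >= sess.expires_at:
            self.audit.append(("REFUSED", session_id, command))
            return None
        output = _target_execute(sess.target, sess.account,
                                 VAULT[(sess.target, sess.account)], command)
        self.audit.append(("EXEC", sess.user, sess.target, sess.account, command))
        return output
```

The two points the model is built to show are the ones the article makes: a valid identity from `iam_authenticate` still gets `root` on `db01` refused, because entitlement to a role-based account is decided at the PAM layer and not by the fact of being logged in; and the session the broker does grant is bounded in time and fully audited, with the account's vaulted password used only inside the broker.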


computing security July/August 2023 @CSMagAndAwards www.computingsecurity.co.uk
