IAM vs ACM vs PAM vs ZTNA vs MFA
By now these acronyms are well known, because they are cited as mitigations for the cyber attacks that fill the daily news.
Together these tools build the foundation on which ZTNA architectures (a term we also explain in this article) can be implemented.
To keep this concise, we will not discuss the philosophy or architecture behind these elements; instead we give a glossary-style explanation of each term, so that the reader can immediately frame what is being talked about.
IDM: Identity Management
The system that manages identities and groups of identities (often defined as roles). It can be integrated with an Access Management system, or rely on one or more external ones.
An IDM is typically built on a repository, usually a Directory Server (loosely called "LDAP", although LDAP is strictly the access protocol, much as SQL is for a relational database), or alternatively a relational or object database. Whatever the store, it must be persistent and replicated, given the critical nature of the service; some designs go as far as distributed-ledger (blockchain-style) replication.
ACM: Access Management
By Access Management we mean the system, usually a daemon process, that exposes services (today normalised as APIs) which applications invoke securely to authenticate and authorise a user. It owns the session identifiers (tokens) it issues and manages their life cycle: from login to explicit logout, or until the session lapses for non-use (the lease time), measured from the user's last activity.
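The session life cycle just described, as an added example (not code from Oplon Secure Access or the original article): a minimal ACM core that authenticates against an inline identity store, issues a session token, authorises calls by role, and expires the session on logout or when its idle lease runs out. The users, roles, service names, salt and lease values are constructed assumptions.

```python
"""Minimal access-management (ACM) core: authenticate a user against the
identity store, issue a session token, authorise calls by role, and expire
the session on logout or when its lease runs out through non-use.

Added illustration only, not code from Oplon Secure Access. Users, roles,
service names and lease values are constructed sample data."""
import hashlib
import hmac
import secrets
import time

IDLE_LEASE_SECONDS = 900              # lease time: 15 minutes of non-use
ABSOLUTE_LIFETIME_SECONDS = 8 * 3600  # hard cap regardless of activity

_SALT = b"constructed-demo-salt"      # per-user random salts in real deployments


def _hash_password(password: str) -> bytes:
    # Slow salted hash: the store never holds clear-text passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Identity repository (this is the IDM's job; constructed here inline).
USERS = {
    "alice": {"pw": _hash_password("correct horse"), "roles": {"dba", "operator"}},
    "bob": {"pw": _hash_password("battery staple"), "roles": {"operator"}},
}
# Authorisation rules: which roles may call which service.
SERVICE_ROLES = {
    "backup-restore": {"dba"},
    "view-dashboard": {"dba", "operator"},
}


class AccessManager:
    def __init__(self, clock=time.time):
        self._clock = clock           # injectable so expiry can be tested
        self._sessions = {}           # sha256(token) -> session record

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user: str, password: str):
        """Return a session token on success, None otherwise."""
        rec = USERS.get(user)
        # Hash and compare even for unknown users so response time does not
        # reveal which usernames exist.
        expected = rec["pw"] if rec else _hash_password("")
        ok = hmac.compare_digest(expected, _hash_password(password))
        if rec is None or not ok:
            return None
        token = secrets.token_urlsafe(32)
        now = self._clock()
        # Only a digest of the token is stored: a leaked session table
        # cannot be replayed as live sessions.
        self._sessions[self._key(token)] = {
            "user": user, "created": now, "last_seen": now}
        return token

    def _live_session(self, token: str):
        """Return the session record if the lease is still valid, else None.
        Every successful check counts as activity and renews the lease."""
        key = self._key(token)
        sess = self._sessions.get(key)
        if sess is None:
            return None
        now = self._clock()
        if (now - sess["last_seen"] > IDLE_LEASE_SECONDS
                or now - sess["created"] > ABSOLUTE_LIFETIME_SECONDS):
            del self._sessions[key]   # lease expired: same effect as a logout
            return None
        sess["last_seen"] = now
        return sess

    def authorize(self, token: str, service: str) -> bool:
        """Default deny: unknown service, dead session or missing role -> False."""
        sess = self._live_session(token)
        if sess is None:
            return False
        return bool(USERS[sess["user"]]["roles"] & SERVICE_ROLES.get(service, set()))

    def logout(self, token: str) -> None:
        self._sessions.pop(self._key(token), None)

    def active_sessions(self) -> int:
        return len(self._sessions)
```

The clock is injected so the idle lease can be exercised without waiting; in production the same class would sit behind the API the applications call, and the token digest (never the token) is what gets persisted or replicated.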
IAM: Identity and Access Management
This acronym denotes the combination of IDM and ACM systems.
PAM: Privileged Access Management
Privileged Access Management covers the tools that record, in a form the operators themselves cannot alter, every activity carried out by privileged operators. The characteristics of a PAM are well delineated: it consumes services from the ACM and IAM layers, but is distinguished from them by a set of specific characteristics that define a PAM.
The most important are:
- Video recording of all operations performed by operators in graphical environments (Windows, X Window, VNC)
- Recording of everything typed by operators, in both graphical and character-based environments such as SSH sessions or the command line (passwords excluded)
- Tracking or blocking of all file transfer operations:
  - Download
  - Upload
  - Transfers within the internal infrastructure
- Ability to disable Copy & Paste:
  - Copy & Paste from outside to inside
  - Copy & Paste from inside to outside
- Ability to keep target-system passwords unknown to the user, through techniques such as:
  - Single Sign-On transparent to the user, who never learns the password but simply operates on the services according to assigned rights (in more sophisticated solutions, such as Oplon Secure Access)
  - temporary single-use passwords (first-generation PAM, which required an agent on every server)
- Cyclic (scheduled) password rotation
- Management of dormant users, disabled after a period of non-use
- Management of a user's activation date
- Management of a user's deactivation date
- Management of the time slots in which a user may operate
All of these functional points must be satisfied for a product to be labelled a PAM solution. The user data involved lives in the IAM registries (if that is what we want to call them; once upon a time directory servers were called Yellow Pages) and the credentials are handled by the ACM while in use, but that does not change the fact that IAM and ACM alone do not make a PAM.
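Two of the PAM characteristics listed above in code, as an added example (not code from Oplon Secure Access or any PAM product): an account-policy check enforcing activation and deactivation dates, permitted time slots and dormancy after non-use, and a hash-chained session log in which a typed-command record that an operator edits or deletes no longer verifies. The account, time windows, dormancy threshold and typed commands are constructed assumptions.

```python
"""Two PAM controls in code: (1) an account-policy check enforcing activation
and deactivation dates, permitted time slots and dormancy after non-use;
(2) a hash-chained session log, so that a keystroke record an operator
tries to edit or delete no longer verifies.

Added illustration only, not code from Oplon Secure Access or any PAM
product. The account, time windows and typed commands are constructed."""
from dataclasses import dataclass
from datetime import datetime, time as dtime, timedelta
from typing import List, Optional, Tuple
import hashlib
import json


@dataclass
class PrivilegedAccount:
    name: str
    active_from: datetime                      # activation date
    active_until: datetime                     # deactivation date
    windows: List[Tuple[int, dtime, dtime]]    # (weekday, start, end), Mon = 0
    last_login: Optional[datetime] = None
    dormant_after: timedelta = timedelta(days=90)

    def may_log_in(self, now: datetime) -> Tuple[bool, str]:
        """Return (allowed, reason) for a login attempt at time `now`."""
        if now < self.active_from:
            return False, "not yet activated"
        if now >= self.active_until:
            return False, "deactivated"
        if self.last_login is not None and now - self.last_login > self.dormant_after:
            return False, "dormant: disabled after non-use"
        for weekday, start, end in self.windows:
            if now.weekday() == weekday and start <= now.time() < end:
                return True, "ok"
        return False, "outside permitted time slot"


class SessionLog:
    """Append-only record of what an operator typed. Each entry embeds the
    hash of the previous one, so altering or removing any entry breaks the
    chain. In a real PAM the chain head is held and signed by the PAM
    server, out of the operator's reach; here it is kept in memory."""

    def __init__(self, operator: str):
        self._genesis = hashlib.sha256(f"session:{operator}".encode()).hexdigest()
        self._head = self._genesis
        self.entries: List[dict] = []

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, ts: datetime, typed: str, is_password: bool = False) -> None:
        # Passwords are never written to the trail.
        entry = {"ts": ts.isoformat(),
                 "input": "<redacted>" if is_password else typed,
                 "prev": self._head}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        self._head = entry["hash"]

    def verify(self) -> bool:
        """Recompute the chain from genesis; False if any entry was changed,
        dropped or reordered."""
        prev = self._genesis
        for entry in self.entries:
            if entry.get("prev") != prev or self._digest(entry) != entry.get("hash"):
                return False
            prev = entry["hash"]
        return prev == self._head


# Constructed sample: a DBA account valid through 2024, Mondays 09:00-18:00.
DEMO_ACCOUNT = PrivilegedAccount(
    name="dba1",
    active_from=datetime(2024, 1, 1),
    active_until=datetime(2025, 1, 1),
    windows=[(0, dtime(9, 0), dtime(18, 0))],
)


def login_decision(account: PrivilegedAccount, iso_now: str,
                   last_login: Optional[str] = None) -> Tuple[bool, str]:
    """Convenience wrapper taking ISO-8601 timestamps."""
    account.last_login = datetime.fromisoformat(last_login) if last_login else None
    return account.may_log_in(datetime.fromisoformat(iso_now))


def demo_session_log(tamper: bool = False) -> SessionLog:
    """Record three inputs (one of them a password); optionally rewrite history."""
    log = SessionLog("dba1")
    t = datetime(2024, 3, 4, 10, 0)
    log.record(t, "sudo -i")
    log.record(t, "hunter2", is_password=True)
    log.record(t, "systemctl restart postgresql")
    if tamper:
        log.entries[2]["input"] = "ls"    # operator rewrites what was typed
    return log
```

The chain only proves integrity relative to its head, so the head (or a signature over it) must be stored where the operator has no write access; that separation, not the hashing itself, is what makes a PAM trail trustworthy.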
ZTNA: Zero Trust Network Access
Zero Trust Network Access means that no user of a service is trusted by default. Each user must therefore, in sequence, be:
- Identified
- Associated with a group of users
- Authorised to access only specific networks or, in the most sophisticated solutions such as Oplon Secure Access, only specific services
A system must guarantee these three properties to be called ZTNA, and must additionally guarantee that, once a user has entered a network or service, lateral movement is impossible: for example, having entered a machine over SSH, the user cannot jump to another machine on the same network.
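The three-step decision and the lateral-movement rule above, as an added example (not code from Oplon Secure Access or the original article): a broker that identifies the caller, maps the identity to a group, admits only the specific (host, port) services published to that group, and refuses any connection that does not originate at the broker itself, which is what makes a host-to-host hop impossible even for an otherwise entitled service. The broker address, identities, groups, hosts and service catalogue are constructed assumptions.

```python
"""ZTNA broker decision in code: identify the caller, map the identity to
a group, and admit only the specific services published to that group.
Anything else is denied, including a hop from a host the user already
reached to another host on the same network (lateral movement): every
session must originate at the broker, never host-to-host.

Added illustration only, not code from Oplon Secure Access. Identities,
groups, hosts and the service catalogue are constructed sample data."""
from typing import Optional, Tuple

BROKER_ADDRESS = "10.0.0.1"    # the only legitimate source of a session

# Steps 1 and 2: identity -> group (the IDM's data, constructed here).
GROUPS = {"alice": "dba", "bob": "web-ops"}

# Step 3: group -> published services as (host, port). Grants name
# individual services, never whole subnets.
ENTITLEMENTS = {
    "dba": {("10.0.1.10", 22), ("10.0.1.11", 5432)},
    "web-ops": {("10.0.1.20", 22), ("10.0.1.20", 443)},
}


def authorize(identity: Optional[str], host: str, port: int,
              source: str = BROKER_ADDRESS) -> Tuple[bool, str]:
    """Decide one connection request. `identity` is None when authentication
    failed; `source` is the address the connection originates from."""
    if identity is None:
        return False, "unidentified"                      # step 1 failed
    group = GROUPS.get(identity)
    if group is None:
        return False, "identity not in any group"         # step 2 failed
    if source != BROKER_ADDRESS:
        # The user is already inside and is trying to reach a neighbour
        # directly; entitlement does not matter, the hop itself is refused.
        return False, "lateral movement: session did not originate at broker"
    if (host, port) not in ENTITLEMENTS.get(group, set()):
        return False, "service not published to group"    # step 3 failed
    return True, "ok"


def per_host_allowlist(host: str) -> dict:
    """What the broker would push to a target host's firewall: for each
    group entitled to something on `host`, the ports it may reach, always
    and only from the broker. A host with no published service gets nothing,
    so nothing on the network can reach it directly."""
    rules = {}
    for group, services in ENTITLEMENTS.items():
        ports = sorted(p for h, p in services if h == host)
        if ports:
            rules[group] = {"from": BROKER_ADDRESS, "ports": ports}
    return rules
```

Note that the lateral-movement check is evaluated before entitlements: the fact that "alice" may reach the database host from the broker says nothing about reaching it from the SSH host she has already entered, and that second path is what the target's own allowlist must also refuse.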
MFA: Multi-factor Authentication
Multi-factor authentication systems (of which two-factor authentication, 2FA, is the most common case) are used to identify a user with the highest possible confidence that the person requesting the service really is the person we expect.
Extensive documentation of MFA systems has already been published in a previous blog post.
Together, these elements provide a high level of security that allows the operations of modern datacenters to be managed and controlled at a granular level.
This guide is not exhaustive, but we hope it has brought some order to the terminology and to the reasons these technologies are needed to protect business activities, in particular the most critical or strategic ones, which have long depended on information technology and digital data and can no longer rely on a VPN with a second authentication factor bolted on.