PIM PUM PAM PAS and ECPLM

Published: 12 January 2016

Andy Harris, the future of criminal justice

By Tom Guyatt


With Osirium, the passwords of privileged accounts are never sent to the SysAdmin's workstations. Instead the SysAdmins are connected to a session that Osirium has set-up on their behalf based on a least privilege model. There are a whole range of terms used in this industry, and since Osirium is a framework for managing privileged user workflow it uses most of them!

PIM PUM PAM PAS Abbreviations

Here's a quick rundown of all these terms, what they do and which bits of Osirium does them:

PIM (Privileged Identity Management)

Osirium does this in a light way, in that you can locally define incoming privileged users. In a large installation Osirium will more likely use the services of an Identity Manager which in itself might use Two Factor Authentication.

PUM (Privileged User Management)

This is the business of controlling what systems and devices at what time can be accessed by the Privileged User. Osirium's main PUM tool is a Profile. A Profile is a collection of users, tools and tasks along with a set of roles. Therefore a user in a Profile can use the defined tools and tasks at the role defined for each of the systems or devices defined in that Profile.

Osirium's PUM is further defined within the Profile by:

  • Session Recording Are sessions going through this Profile to be recorded?
  • Time Windows Should sessions in this Profile be limited to set parts of the day?
Living above Profiles there is the concept of Device Group Separation where meta data describes to whom the device or system belongs. Typically this would be by function or customer. DGS ensures that a privileged user cannot be connected to system that belong to different designations. For example, a MSP could define that SysAdmins cannot connect to the systems or more than one customer at a time.

Our underlying technology allows us to extend this to concepts like "Has the privileged user been issued an incident or change ticket for this session".

PAM and PAS (Privileged Account Management, Privileged Account Security)

These are very closely related and refer to the management of the actual accounts used on systems, applications and devices. Osirium can discover the accounts defined on systems. I can be told that a specific account is to be used as a Control Account and that others can be used for Roles. In many cases Osirium will create accounts at a specific role for the use of a specific user based on their profile membership.

So part of PAM and PAS is the discovery, creation, enabling, disabling and deletion of accounts on systems, applications and devices. Password Management is a particular function described next.

ECPLM (Enterprise Class Password Life-Cycle Management)

For the accounts that Osirium manages, or has created itself the ECPLM function will create passwords that are truly random and as long as the system or device can accept. These passwords are regularly changed based on schedules, events or SysAdmin requests. There are various technologies that deal with provisioning, un-provisioning and backup and restore of those systems and devices.

PTA and PTD (Privileged Task Automation and Privileged Task Delegation)

Not in the title, but a very important part of Osirium. PTA/PTD allows users to issue predetermined, parameter driven tasks on systems and devices. This gives the users the effects of the privilege for their work, but does so without granting the privilege to the user.

Release Date: 
Tuesday, 12 January 2016
Article Type: 
Blog Post
Author: 
Tom Guyatt