Episode 130 - GluuFederation/identerati-office-hours GitHub Wiki

Title: PAM 101

Description

How does PAM work? When is it helpful? Who are the main vendors? Why is it not going away?

Mike Schwartz asserts that PAM is proof that we've previously failed at authorization--each PAM solution offers operational improvement over a bunch of one-offs. So while every PAM solution has a ton of actual business value--PAM systems by definition have no incentive to fix our failed authz architecture. In this episode, Rainer will re-introduce us to PAM, so perhaps with fresh eyes Mike can reassess his cynicism.

Homework

Takeaways

  • ⚡ Mike's futuristic vision of how security should work is nice, but it doesn't offer any solution for technical debt. Most companies are struggling with how to tame Active Directory and VPN login.

  • ⚡ A PAM architecture starts by inventorying "assets" -- the stuff you want to protect. An asset might be Active Directory or SAP. A classification is assigned to each asset class, for example "top secret".

  • ⚡ PAM enforces a workflow for people to obtain access to protected assets that results in an audit log that can be used for compliance.

  • ⚡ PAM systems are top down and people focused. They try to work without putting any requirements on application developers. Sometimes they are as simple as locking up the admin password, and making people check it out.
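The takeaways above describe the skeleton of a PAM system: an asset inventory with classifications, a request/approve/check-out workflow gated on that classification, and an audit log that falls out of the workflow. The model below is an added example written for these notes, not code from the episode, from Gluu, or from any PAM vendor. The asset names, the "approval required from CONFIDENTIAL upward" policy, the auto-approval of lower classifications, and the rotate-on-check-in behaviour are all assumptions chosen to illustrate the pattern.

```python
"""Toy PAM vault (added illustration): inventory, classification-gated
check-out workflow, append-only audit log, credential rotation on check-in."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional
import secrets
import time


class Classification(Enum):
    INTERNAL = 1
    CONFIDENTIAL = 2
    TOP_SECRET = 3


@dataclass
class Asset:
    name: str
    classification: Classification
    secret: str                      # the privileged credential the vault locks up


@dataclass
class CheckoutRequest:
    id: int
    requester: str
    asset: str
    justification: str
    state: str = "pending"           # pending -> approved -> checked_out -> checked_in, or denied
    approver: Optional[str] = None


class Vault:
    """Minimal PAM core. Assumption: anything classified CONFIDENTIAL or above
    needs a second person to approve; lower classifications are auto-approved."""

    def __init__(self, approval_from: Classification = Classification.CONFIDENTIAL):
        self.assets: Dict[str, Asset] = {}
        self.requests: Dict[int, CheckoutRequest] = {}
        self.audit: List[dict] = []  # append-only; the compliance trail
        self.approval_from = approval_from
        self._next_id = 1

    def _log(self, event: str, **fields) -> None:
        self.audit.append({"ts": time.time(), "event": event, **fields})

    def register_asset(self, name: str, classification: Classification, secret: str) -> None:
        self.assets[name] = Asset(name, classification, secret)
        self._log("asset_registered", asset=name, classification=classification.name)

    def request_access(self, requester: str, asset: str, justification: str) -> int:
        cls = self.assets[asset].classification      # KeyError: asset was never inventoried
        req = CheckoutRequest(self._next_id, requester, asset, justification)
        self._next_id += 1
        if cls.value < self.approval_from.value:      # policy decides, not the requester
            req.state, req.approver = "approved", "policy:auto"
        self.requests[req.id] = req
        self._log("access_requested", request=req.id, requester=requester,
                  asset=asset, justification=justification, state=req.state)
        return req.id

    def decide(self, request_id: int, approver: str, approve: bool) -> None:
        req = self.requests[request_id]
        if req.state != "pending":
            raise ValueError("request is not pending")
        if approver == req.requester:                 # separation of duties
            raise ValueError("requester cannot approve their own request")
        req.state, req.approver = ("approved" if approve else "denied"), approver
        self._log("access_decided", request=req.id, approver=approver, state=req.state)

    def checkout(self, request_id: int, requester: str) -> str:
        req = self.requests[request_id]
        if req.requester != requester or req.state != "approved":
            raise PermissionError("no approved request for this requester")
        req.state = "checked_out"
        self._log("credential_checked_out", request=req.id, requester=requester, asset=req.asset)
        return self.assets[req.asset].secret

    def checkin(self, request_id: int) -> None:
        req = self.requests[request_id]
        if req.state != "checked_out":
            raise ValueError("nothing is checked out under this request")
        # Rotate so the value handed out is dead once the session ends.
        self.assets[req.asset].secret = secrets.token_urlsafe(24)
        req.state = "checked_in"
        self._log("credential_checked_in", request=req.id, asset=req.asset, rotated=True)

    def audit_trail(self, requester: Optional[str] = None) -> List[dict]:
        return [e for e in self.audit if requester is None or e.get("requester") == requester]


def demo() -> Vault:
    """Constructed walk-through: a top-secret asset needs a human approver,
    an internal one is auto-approved. Returns the vault so the log can be inspected."""
    v = Vault()
    v.register_asset("ActiveDirectory", Classification.TOP_SECRET, "ad-break-glass-pw")   # constructed
    v.register_asset("SAP-dev", Classification.INTERNAL, "sap-dev-pw")                    # constructed
    rid = v.request_access("alice", "ActiveDirectory", "ticket INC-0001: unlock service account")
    v.decide(rid, "bob", approve=True)
    v.checkout(rid, "alice")
    v.checkin(rid)
    v.request_access("carol", "SAP-dev", "smoke test before release")
    return v


if __name__ == "__main__":
    for entry in demo().audit_trail():
        print(entry)
```

Two points the model makes concrete: the application being protected never sees any of this (the vault only hands out the credential it already holds, which is the "no requirements on developers" property from the last takeaway), and the audit log is a by-product of the state machine rather than something each application has to emit itself.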

Livestream Audio Archive

here