Recently a customer asked us to compare Privileged Access Management (PAM) and Password Manager (PM) products, thinking they were the same thing. Single Sign-On (SSO) is also often confused with these other two types of products. Let’s look at each and their differences.

Privileged Access Management is great for monitoring and controlling the use of privileged accounts. It allows you to isolate the use of these accounts, gives you more control of your environment, and proactively warns managers of changes to critical accounts. Many PAM products also allow for robust auditing and monitoring. While it does those things well, what it doesn’t do is manage passwords for your whole organization. PAM is highly technical to deploy and manage and could be outside the budget of many organizations. However, if you want to control a high-risk attack vector and meet many compliance requirements, PAM is necessary.

Password Managers allow you to keep all your business's passwords in a vault. Many solutions allow you to roll out clients to all users, and they are simple for users to manage. Features may include being able to discern weak passwords and apply stricter standards to all passwords, as well as scanning the web to see if the password used with the user account appears in any known data breach databases. These do not provide much monitoring, and while PMs could be used for privileged accounts, PMs are not specifically designed for this use.

Single Sign-On uses Security Assertion Markup Language (SAML) to provide authentication that is synced between on-premises and cloud systems. We included it in this post because it provides some monitoring (including of privileged accounts), like PAM, and helps improve password complexity throughout the organization, like PM. However, it is not suitable for all environments and does not cover all cloud applications.

So, which one is right for you? That depends on what risk you are trying to mitigate. Some organizations can address their risk with just one solution; others need all three. The best approach is to determine what risks you have and how much tolerance the organization has for those risks.