CyberArk - PAM Glossary

There is a lot of lingo used around Privileged Access Management and CyberArk. This glossary is intended to define some of the most frequently used terms.

Privileged Account

A privileged account is a login credential for a server, firewall, or other administrative account. Privileged accounts are often referred to as admin accounts. Local Windows admin accounts and Domain Admin accounts are examples of admin accounts. Other examples are Unix root accounts, Cisco enable, etc. When we talk about privileged accounts, we’re talking about the actual username and password; these two things together make up the account. A privileged account is allowed to do more things (i.e., it has more privileges) than a normal account. Privileged accounts are doorways to an organization’s “kingdom”—the place where sensitive information is stored—and as such they need to be very secure. Examples of sensitive information include medical records, credit card details, social security numbers, government files, and more.

Privileged Access Management (PAM)

PAM consists of the cybersecurity strategies and technologies for exerting control over the elevated (“privileged”) access and permissions for users, accounts, processes, and systems across an IT environment. By dialing in the appropriate level of privileged access controls, PAM helps organizations condense their attack surface, and prevent, or at least mitigate, the damage arising from external attacks as well as from insider malfeasance or negligence.

Least Privilege

Least privilege means granting only the minimum permissions required by an end-user, application, service, task or system to perform the jobs they have been assigned. By preventing over-privileged access, it helps reduce the risk of exploitation should user credentials get compromised.

Just-in-Time Access

Just-in-Time access is a fundamental IT security practice where the privilege granted to access applications or systems is limited to predetermined periods of time, on an as-needed basis.

Account

A set of credentials, typically consisting of a username and password, that is stored in the PAM tool.

Secret

Any type of privileged information stored within the PAM tool, such as a passphrase or certificate key.

Vault

Another term for the PAM tool. "Vaulting" is the term often used to describe adding an account to CyberArk.

CyberArk Safes

Safes are the mechanism used to store accounts and secrets within CyberArk.

CyberArk Safe Manager

Safe Managers are distributed CyberArk admins that provision access to the Safes that have been set up for their team.