Key concepts
This section introduces the foundational ideas behind privileged access management (PAM), the Trusted Platform Module (TPM) and the PingOne Privilege agent. These topics explain the challenges of securing cloud infrastructure and how PingOne Privilege addresses them with modern, identity-based solutions. Use this section to understand the principles and practices that guide secure access for both human and non-human identities.
Privileged access management (PAM)
PAM is a set of principles and practices to control, monitor, and secure access to critical resources by human and machine identities. PAM is essential for organizations to protect their critical assets and maintain data security.
In simpler terms, PAM ensures that privileged users receive right-sized permissions when they access critical resources. Critical resources are infrastructure, applications, or data that are essential to an organization’s operations and whose compromise or unavailability could cause significant harm.
Infrastructure access platform
Within the self-service portal, administrators can provision access for users by setting policies or approving requests submitted through the user console. PingOne Privilege identifies the connected device, user, access privileges, and tenant information. When a user requests access to a resource, the workflow engine generates an on-demand, short-term token, granting secure access to the cloud infrastructure for the required duration.
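The on-demand, short-term token described above can be modelled as a signed grant that names the user, the device, the resource, and an expiry, and that is rejected if any of those does not match the request. The following Python block is an added example written for this page, not PingOne Privilege code, and it does not reflect the product's real token format; the HMAC secret, the claim names, the 30-second clock-skew allowance, and the sample values are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed issuer secret for this example only. A real issuer keeps its
# signing key in hardware (HSM or TPM) and never embeds it in code.
ISSUER_SECRET = b"example-issuer-secret-not-for-real-use"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user, device_id, resource, ttl_seconds, now=None, secret=ISSUER_SECRET):
    """Mint a short-lived grant scoped to one user, one device and one resource.

    `now` is injectable so the behaviour can be tested without a real clock."""
    now = int(time.time()) if now is None else int(now)
    claims = {
        "sub": user,          # who was granted access
        "dev": device_id,     # which device the grant is bound to
        "res": resource,      # which resource it opens
        "iat": now,           # issued at
        "exp": now + int(ttl_seconds),  # access ends here, no renewal
    }
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(secret, body, hashlib.sha256).digest()
    return b64url_encode(body) + "." + b64url_encode(sig)


def verify_token(token, user, device_id, resource, now=None, secret=ISSUER_SECRET, skew=30):
    """Return (ok, reason). Every check must pass before access is granted.

    Signature is checked first so that nothing in an unauthenticated body
    influences the outcome; time and scope checks follow."""
    now = int(time.time()) if now is None else int(now)
    try:
        body_b64, sig_b64 = token.split(".")
        body = b64url_decode(body_b64)
        sig = b64url_decode(sig_b64)
    except (ValueError, TypeError, AttributeError):
        return False, "malformed"
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad_signature"
    claims = json.loads(body)
    if now > claims["exp"] + skew:
        return False, "expired"
    if claims["iat"] > now + skew:
        return False, "not_yet_valid"
    if claims["sub"] != user:
        return False, "wrong_user"
    if claims["dev"] != device_id:
        return False, "wrong_device"
    if claims["res"] != resource:
        return False, "wrong_resource"
    return True, "ok"


if __name__ == "__main__":
    # Constructed walkthrough: a 10-minute grant for one user/device/resource.
    t0 = 1_700_000_000
    tok = issue_token("alice", "dev-1", "ssh://prod-db", 600, now=t0)
    print("in window, right scope:", verify_token(tok, "alice", "dev-1", "ssh://prod-db", now=t0 + 60))
    print("after expiry:          ", verify_token(tok, "alice", "dev-1", "ssh://prod-db", now=t0 + 700))
    print("from another device:   ", verify_token(tok, "alice", "dev-2", "ssh://prod-db", now=t0 + 60))
    print("for another resource:  ", verify_token(tok, "alice", "dev-1", "ssh://other", now=t0 + 60))
```

The point of the model is that the grant carries its own scope and lifetime, so the relying party needs no session state: once `exp` passes, or if the same token is replayed from a different device or against a different resource, it is refused. Binding the grant to a device identity is what lets a platform such as the one described here keep the user-plus-device pairing in force for the whole session.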
Trusted Platform Module (TPM)
Modern Windows and macOS laptops support a built-in TPM chip. The TPM offers a secure, tamper-resistant location for storing private keys. Unlike credentials stored in a file, a private key created in the TPM never leaves it: the chip performs the cryptographic operations that need the key, and the key material itself can’t be read out. This hardware-backed storage is therefore stronger than file-based storage.
PingOne Privilege agent
The PingOne Privilege agent creates and stores a private key on the TPM chip of the user’s device; that key can never be extracted or copied. You install the agent as part of the setup process for PingOne Privilege. When the agent runs on your device, it uses the TPM-held key to establish a mutual TLS (mTLS) connection with PingOne Privilege. Through the agent, the platform always knows who the user is and which device the user is connecting from.
Agentless CLI
The agentless CLI is a shell utility that gives users secure access to resources without installing the PingOne Privilege agent. The agentless CLI supports SSH, cloud CLI, and Kubernetes access. When users sign in through the agentless CLI, they’re redirected to PingOne SSO to authenticate. After successful authentication, users can access resources according to their permissions.