Privileged Access Management (PAM)
Definition
Privileged Access Management is the discipline of controlling, monitoring, and securing elevated access to critical systems and data. Privileged accounts (domain administrators, root accounts, cloud IAM administrators, database administrators, security tool administrators) hold the keys to the environment. A compromised standard user account exposes one person's data. A compromised privileged account exposes the entire organization.
PAM exists because privilege is the objective of every attack that seeks control rather than just access. Ransomware operators escalate to domain administrator before encrypting the network. Espionage actors escalate to cloud IAM administrator before exfiltrating data at scale. Insider threats abuse the elevated access they were granted for legitimate purposes. In every case, the path from initial compromise to catastrophic damage runs through privileged access. PAM makes that path operationally difficult.
The PAM market includes dedicated platforms (CyberArk, BeyondTrust, Delinea, Saviynt) and capabilities embedded in broader identity platforms (Microsoft Entra PIM, Okta Advanced Server Access, HashiCorp Vault). The technology is mature. The operational discipline of using it effectively (rotating every credential, enforcing just-in-time access, recording every session, governing every service account) remains the gap between organizations that have PAM and organizations that are protected by PAM.
How It Works
Core Capabilities
PAM platforms provide five interconnected capabilities:
Credential vaulting. Privileged passwords, SSH keys, API tokens, and other credential material are stored in an encrypted vault. Human administrators do not know the passwords to privileged accounts. When they need privileged access, they request it through the PAM platform, which retrieves the credential from the vault, establishes the session, and revokes the credential after use. The human never sees the password. The password is never written down, shared, or stored outside the vault.
Credential vaulting eliminates the most common privileged access failures: shared passwords stored in spreadsheets, sticky notes on monitors, credentials in shared documentation, and passwords that have not changed in years. If the credential is in the vault, it is encrypted, access-controlled, and auditable. If the credential is outside the vault, it is a risk.
Just-in-time (JIT) access. Elevated privileges are granted for a specific task duration and automatically revoked when the task completes. An administrator who needs domain admin access to modify Active Directory group policy receives the access for 60 minutes, with automatic revocation at expiration. No standing privileged accounts exist. Every privileged session has a defined start time, duration, and end time.
JIT eliminates standing privileges, the condition where privileged accounts are permanently active and accessible. Standing privileges are the attacker's preferred target because they are always available. If domain admin credentials exist in Active Directory 24/7, an attacker who steals them can use them at any time. If domain admin access is provisioned only for the 60-minute window when an administrator needs it, the attacker's window of opportunity shrinks from permanent to 60 minutes.
Session recording. Every privileged session (RDP, SSH, database console, cloud management portal) is recorded: keystrokes, screen capture, commands executed, and data accessed. Session recordings provide a complete audit trail of every action taken with elevated privileges.
Session recording serves dual purposes: forensic investigation (when something goes wrong, the recording shows exactly what happened) and deterrence (administrators who know their sessions are recorded are less likely to perform unauthorized actions). The recording also supports compliance evidence: SOC 2, ISO 27001, PCI DSS, and HIPAA all require accountability for privileged access, and session recordings provide that accountability.
Automated credential rotation. The PAM platform automatically rotates privileged credentials on a defined schedule (daily, weekly, or after every use). Automated rotation ensures that even if a credential is compromised, it is valid only for a limited period before the rotation renders it useless.
Rotation frequency should match risk tolerance. Service accounts connecting production systems to databases should rotate credentials daily or after every session. Emergency break-glass accounts should rotate after every use. Application API keys should rotate on a defined schedule with zero-downtime rotation (the new key is provisioned before the old key expires).
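The zero-downtime rotation pattern from the paragraph above, as an added example that is not code from the article or from any PAM product: a new key is provisioned first, the old key keeps verifying for a grace window, then it is dropped. The HMAC token format, the key ids and the one-hour grace period are constructed assumptions.

```python
# Added example of overlapping-validity ("zero-downtime") rotation for an application
# API key, as described above; not code from the article or any PAM product. The HMAC
# token format, the key ids and the grace period are constructed assumptions.
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

class RotatingKeyRing:
    """Current signing key plus any previous key still inside its grace window."""
    def __init__(self, grace=timedelta(hours=1)):
        self.grace = grace
        self.keys = {}        # key id -> secret bytes
        self.retire_at = {}   # key id -> instant after which the key is rejected
        self.counter = 0
        self.current = self._new_key()
    def _new_key(self):
        self.counter += 1
        kid = f"k{self.counter}"
        self.keys[kid] = secrets.token_bytes(32)
        return kid
    def rotate(self, now=None):
        """Provision the new key first; the old key keeps verifying until now + grace."""
        now = now or datetime.now()
        old = self.current
        self.current = self._new_key()
        self.retire_at[old] = now + self.grace
        return self.current
    def sign(self, payload):
        """Issue a token 'kid.payload.mac' bound to the current key (payload has no '.')."""
        mac = hmac.new(self.keys[self.current], payload.encode(), hashlib.sha256).hexdigest()
        return f"{self.current}.{payload}.{mac}"
    def verify(self, token, now=None):
        """Return the payload if signed by a key that is still valid at `now`, else None."""
        now = now or datetime.now()
        self._drop_retired(now)
        kid, payload, mac = token.split(".")
        key = self.keys.get(kid)
        if key is None:           # unknown, or retired after its grace window
            return None
        expect = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
        return payload if hmac.compare_digest(expect, mac) else None
    def _drop_retired(self, now):
        for kid, t in list(self.retire_at.items()):
            if now >= t:
                del self.keys[kid]
                del self.retire_at[kid]
```

Callers that re-sign with the current key id during the grace window never see a rejected token, which is the point of provisioning before expiry.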
Service account governance. Service accounts (non-human identities used for application-to-application communication, scheduled tasks, and automated processes) are the most neglected category of privileged access. A typical mid-market organization has hundreds of service accounts, many created years ago for integrations that may no longer exist, with passwords that have never been rotated and privileges that were granted at maximum scope because "it was easier during the project."
PAM extends governance to service accounts: discovering all service accounts, inventorying their privileges, identifying excessive or orphaned permissions, implementing credential rotation, and monitoring their usage for anomalous behavior. Service accounts that behave differently from their established baseline (connecting to systems they have never accessed, running at unusual times, transferring unusual data volumes) trigger alerts.
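The baseline-and-deviation alerting described above, as an added example that is not code from the article or from any PAM product: a per-account baseline of hosts reached, hours of day and largest transfer, then alerts for events that leave it. The log format, account names and the 3x volume threshold are constructed assumptions.

```python
# Added illustration of the baseline-and-deviation alerting described above;
# not code from the article or any PAM product. Both logs below are constructed,
# as are the account names and the 3x volume threshold.
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, service account, target host, bytes moved.
BASELINE_LOG = """\
2024-03-01T02:05:00 svc_backup db-prod-01 52428800
2024-03-02T02:04:00 svc_backup db-prod-01 53000000
2024-03-01T09:00:00 svc_etl wh-01 1048576
2024-03-02T09:10:00 svc_etl wh-02 1100000"""

NEW_EVENTS = """\
2024-03-04T02:05:00 svc_backup db-prod-01 52000000
2024-03-04T14:30:00 svc_backup fileshare-hr 900000000
2024-03-04T09:02:00 svc_etl wh-02 1050000"""

def parse(log):
    """Turn the whitespace-separated log into (datetime, account, host, bytes) tuples."""
    events = []
    for line in log.splitlines():
        ts, account, host, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), account, host, int(nbytes)))
    return events

def build_baseline(events):
    """Per account: hosts reached, hours of day seen, largest transfer observed."""
    base = defaultdict(lambda: {"hosts": set(), "hours": set(), "max_bytes": 0})
    for ts, account, host, nbytes in events:
        b = base[account]
        b["hosts"].add(host)
        b["hours"].add(ts.hour)
        b["max_bytes"] = max(b["max_bytes"], nbytes)
    return base

def detect(baseline, events, volume_factor=3):
    """Return (account, reason) alerts for events that leave the account's baseline."""
    alerts = []
    for ts, account, host, nbytes in events:
        b = baseline.get(account)
        if b is None:                      # never seen during baselining
            alerts.append((account, "unknown service account"))
            continue
        if host not in b["hosts"]:
            alerts.append((account, f"new target host {host}"))
        if ts.hour not in b["hours"]:
            alerts.append((account, f"unusual hour {ts.hour:02d}:00"))
        if nbytes > volume_factor * b["max_bytes"]:
            alerts.append((account, f"volume {nbytes} exceeds {volume_factor}x baseline"))
    return alerts
```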
PAM Architecture
Modern PAM deployments follow a gateway architecture:
The vault. The encrypted credential store. Deployed as a hardened appliance or cloud-hosted service with multi-layered access controls, encryption at rest, and replication for availability. The vault is the most critical infrastructure in the PAM deployment because it contains every privileged credential. Compromise of the vault compromises everything.
The session manager. The gateway through which all privileged sessions pass. Administrators connect to the session manager. The session manager retrieves the credential from the vault, establishes the connection to the target system, and records the session. The administrator never connects directly to the target system. All traffic flows through the session manager, ensuring that every privileged action is mediated, logged, and recordable.
The access request workflow. The system through which users request elevated access. Requests specify the target system, the required privilege level, the duration, and the business justification. Requests are approved (automatically for pre-authorized combinations, manually for exceptions), and the JIT session is provisioned. After the approved duration, access is automatically revoked.
Break-glass procedures. Emergency access mechanisms for when the PAM system itself is unavailable. Break-glass accounts are sealed credentials (stored in physical safes or encrypted emergency vaults) that bypass the normal PAM workflow. Their use is logged, and any break-glass event triggers a mandatory review to determine why the PAM system was unavailable and what actions were taken during the emergency access.
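The request workflow, JIT expiry, session recording and rotate-after-use from the capabilities and architecture sections above, modelled together as an added example that is not code from the article or from any PAM product. The pre-authorization table, the account and host names and the in-memory vault are constructed assumptions.

```python
# Added example modelling the request workflow, JIT expiry, session recording and
# rotate-after-use described above; not code from the article or any PAM product.
# The pre-authorization table, names and in-memory vault are constructed assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import secrets

# (requester role, target, privilege) -> maximum minutes approved automatically.
# Anything not listed, or longer than the cap, needs a named human approver.
PRE_AUTHORIZED = {("ad-admin", "dc01", "domain-admin"): 60}

@dataclass
class Session:
    requester: str
    target: str
    privilege: str
    expires_at: datetime
    justification: str
    commands: list = field(default_factory=list)  # the session recording
    revoked: bool = False

class Broker:
    def __init__(self):
        # The credential lives only here; the requester never receives it.
        self.vault = {"dc01": secrets.token_urlsafe(24)}
        self.audit = []   # every request decision, attributed to a person
    def request(self, role, requester, target, privilege, minutes, justification, approver=None, now=None):
        now = now or datetime.now()
        cap = PRE_AUTHORIZED.get((role, target, privilege))
        if cap is not None and minutes <= cap:
            decision = "auto"
        elif approver:
            decision = f"manual:{approver}"
        else:
            raise PermissionError("not pre-authorized and no approver named")
        self.audit.append((now, requester, target, privilege, decision, justification))
        return Session(requester, target, privilege, now + timedelta(minutes=minutes), justification)
    def run(self, session, command, now=None):
        """Execute (here: record) a command; refuse once the JIT window has closed."""
        now = now or datetime.now()
        if session.revoked or now >= session.expires_at:
            session.revoked = True
            raise PermissionError("JIT window closed; submit a new request")
        _credential = self.vault[session.target]   # the broker, not the admin, uses it
        session.commands.append((now, command))
        return True
    def close(self, session):
        session.revoked = True
        self.vault[session.target] = secrets.token_urlsafe(24)   # rotate after use
```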
Why It Matters
Privilege Escalation Is the Ransomware Kill Chain's Critical Phase
Every major ransomware incident involves privilege escalation to domain administrator or equivalent credentials. Without domain admin, the attacker can encrypt the single compromised endpoint. With domain admin, the attacker can encrypt every endpoint, server, and file share in the domain simultaneously, and delete the backups.
PAM is the control that prevents (or dramatically slows) this escalation. If there are no standing domain admin accounts to steal (because JIT provisions them only when needed), if credential material is not cached on endpoints (because the vault manages credentials centrally), and if every privileged session is monitored for anomalous behavior, the attacker's path from initial foothold to domain dominance is blocked at the most critical juncture.
The organizations that survive ransomware events without paying are overwhelmingly organizations with effective PAM (attackers could not escalate to domain admin), effective backup architecture (data was recoverable), or both. PAM and immutable backups are the two controls that, together, reduce ransomware from an existential threat to a manageable incident.
Insider Threat Accountability
Privileged users (system administrators, database administrators, security administrators) have the access to cause the greatest damage, whether through malicious intent or operational error. PAM provides accountability: every privileged action is attributed to a specific individual through the access request workflow and session recording. The question "who made this change?" always has an answer.
Without PAM, shared privileged accounts (the "admin" account that six people know the password for) eliminate accountability. When a destructive change is made using a shared account, the organization cannot determine who made the change. PAM eliminates shared accounts by design: every privileged session is associated with an individual identity.
Compliance Mandates
PAM is required or strongly implied by every major compliance framework:
- PCI DSS 4.0 Requirement 8: controls for all users with administrative access to cardholder data environments.
- ISO 27001 A.8.2 and A.8.3: privileged access rights and restriction of access to information.
- NIST 800-53 AC-6: least privilege.
- SOC 2 CC6.1: logical and physical access controls.
- HIPAA Security Rule: access control and audit controls for systems containing PHI.
- CMMC 2.0: access control practices at Level 2 and above.
Auditors increasingly ask not just "do you have PAM?" but "show me the vault inventory, the rotation schedule, the JIT access logs, and the session recordings." The evidence requirements are specific. The controls must be operational, not just purchased.
CDA Perspective
PAM sits squarely in the IAT (Identity Access and Trust) domain of the Planetary Defense Model. IAT is civilization: who is in the environment, what can they access, and how is trust established. PAM governs the most powerful identities in that civilization: the administrators, the service accounts, the emergency access mechanisms. These are the senatorial class of the digital environment. Their access is disproportionate to their numbers. Their compromise is disproportionate in impact.
CDA's Zero Possession Architecture (ZPA) methodology applies directly to PAM: "Trust nothing. Possess nothing. Verify everything." PAM embodies ZPA's principles: trust nothing (no standing privileges, every access request is verified), possess nothing (credentials are in the vault, not in human memory or endpoint cache), verify everything (every session is recorded, every action is auditable).
The Roman parallel: the Roman treasury was housed in the Temple of Saturn and guarded by the quaestors (treasury officials) who had defined, time-limited authority to access its contents. Withdrawals required documented authorization. Access was logged. The quaestor's authority expired at the end of their term. This is JIT access, credential vaulting, session recording, and time-limited authority, implemented in stone and parchment 2,000 years ago.
Three TOP missions connect directly to PAM:
- IAT-R02 (Privileged Access Audit): Audit all privileged accounts. Who has admin rights? Are they justified? Are there shared accounts? Are service accounts governed? 20 estimated hours. This is the mission that reveals the true state of privileged access, which is almost always worse than the organization assumes.
- IAT-B02 (Privileged Access Management): Deploy the PAM platform. Vault all privileged credentials. Implement JIT access. Enable session recording. Establish rotation schedules. Govern service accounts. 40 estimated hours. This is one of the two highest-hour IAT Build missions (alongside Zero Trust Architecture Design) because PAM touches every privileged identity in the environment.
- IAT-H02 (Service Account Governance): Specifically harden service account management. Discover all service accounts. Inventory privileges. Remove excessive permissions. Implement rotation. Monitor for anomalous behavior. 16 estimated hours.
The interaction with adjacent domains: TID detects privileged access abuse (anomalous admin activity, credential dumping attempts, impossible travel for admin accounts). SPH maintains the endpoint hardening that prevents credential material from being cached locally (LSA protection, Credential Guard). VSD benefits from PAM because administrative interfaces are no longer accessible with standing credentials. DPS is protected because access to sensitive data requires elevated privileges that PAM controls. RGA mandates PAM through compliance frameworks and uses session recordings as audit evidence.
Key Takeaways
- PAM controls elevated access to critical systems through credential vaulting, just-in-time access, session recording, automated credential rotation, and service account governance.
- Privilege escalation to domain admin is the critical phase of ransomware attacks. PAM blocks or slows this escalation by eliminating standing privileged accounts and vaulting credential material.
- Service accounts are the most neglected category of privileged access. Organizations typically have hundreds with excessive privileges, no rotation, and no monitoring.
- PAM is required or strongly implied by PCI DSS, ISO 27001, NIST 800-53, SOC 2, HIPAA, and CMMC. Auditors increasingly require operational evidence (vault inventory, rotation logs, session recordings), not just product deployment.
- CDA's ZPA methodology maps directly to PAM: trust nothing, possess nothing, verify everything.
Related Articles
- Identity Access and Trust (IAT): Civilization
- Zero Trust Architecture
- Multi-Factor Authentication (MFA)
- Ransomware
- Incident Response Lifecycle
- PDM Through History: How Rome Defended Its Information
Sources
- Gartner. "Magic Quadrant for Privileged Access Management." Gartner, 2024.
- MITRE Corporation. "ATT&CK Technique T1078 (Valid Accounts) and T1003 (OS Credential Dumping)." attack.mitre.org, updated continuously.
- National Institute of Standards and Technology (NIST). "Security and Privacy Controls for Information Systems and Organizations: SP 800-53 Rev. 5, AC-6 (Least Privilege)." U.S. Department of Commerce, 2020.
- PCI Security Standards Council. "PCI DSS v4.0: Requirement 8 (Identify Users and Authenticate Access)." PCI SSC, March 2022.
- Verizon. "2024 Data Breach Investigations Report." Verizon Enterprise, 2024. (Credential abuse as leading breach vector.)
Written by Evan Morgan