Privileged Access Management (PAM)

A class of security solutions and processes for controlling, monitoring, and auditing privileged accounts (administrators, service accounts, root). PAM limits the misuse of superuser privileges, whether by external attackers who have stolen credentials or by insiders.

Privileged Access Management (PAM) refers to solutions and processes for managing privileged access, that is, accounts with elevated privileges: system administrators, domain administrators, root accounts, service accounts, and database administrators. These accounts are prime targets in cyberattacks because compromising a single one can be enough to take over an entire environment.

The Problem with Privileged Accounts

A domain admin account can:

  • Pull the password hashes of every domain account from a domain controller (DCSync attack), which is enough to forge tickets or crack passwords offline
  • Access every file share and file system in the domain
  • Impersonate any user
  • Create backdoors for persistent access (new accounts, Golden Tickets, GPO changes)
  • Deploy ransomware to every system at once

Common vulnerabilities in organizations:

  • Shared credentials: several admins use the same account and password, so actions cannot be attributed to a person
  • Standing privileges: admin accounts are active 24/7, even when nobody needs them
  • No logging: it is impossible to reconstruct what an admin did
  • Unrotated passwords: service-account passwords have not been changed in years, sometimes never since installation
  • Overprivileging: developers and operators hold more rights than their tasks require

Core PAM Functions

Credential Vault (Password Safe)

All privileged passwords are stored centrally, rotated automatically, and checked out only when needed. Nobody knows the permanent password; only the vault does.

  1. Admin authenticates to the PAM system with MFA
  2. Requests database access (with a justification, e.g. a ticket number)
  3. PAM checks the password out of the vault (one-time, time-limited)
  4. When the check-out window expires, the password is rotated automatically, so the value the admin saw stops working
  5. The session is recorded for audit purposes

Session Management

  • Video recording of RDP/SSH sessions (who did what?)
  • Keystroke logging
  • Live monitoring by SOC possible
  • Sessions can be terminated in an emergency

Just-in-Time (JIT) Privileges

Admin rights are not granted permanently, but only for the duration of actual use:

  • Normal: No admin rights (standard user account)
  • When needed: Admin requests elevated privileges (ticket number, justification)
  • Approved: Privileges active for 2 hours
  • Afterward: Automatic revocation of privileges
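The check-out flow (MFA, justification, time-limited lease, automatic rotation) and the JIT elevation flow above share the same mechanics: a grant with an expiry, and a revocation that actually invalidates what was handed out. The following is an added example written for this page, not code from the page or from any PAM product; the class and method names (PamBroker, checkout, request_elevation), the audit-record shape, and the 2-hour defaults are assumptions made for illustration. Time is passed in as `now` (epoch seconds) so the expiry logic can be exercised deterministically.

```python
"""Toy model of the PAM check-out and JIT flows described above.

Added example, not code from the page or any PAM product. The class and method
names (PamBroker, checkout, request_elevation, ...) and the 2-hour defaults are
assumptions for illustration. Time is passed in as `now` (epoch seconds) so the
expiry and rotation logic can be exercised deterministically.
"""
from dataclasses import dataclass
import secrets


@dataclass
class Lease:
    account: str        # privileged account whose secret was checked out
    requester: str      # admin who holds the lease
    secret: str         # the one-time credential handed out
    expires_at: float   # epoch seconds; the lease is dead after this
    ticket: str         # change/incident ticket given as justification


class PamBroker:
    """Holds every privileged secret; admins never learn a permanent value."""

    def __init__(self, accounts, lease_seconds=2 * 3600):
        self._secrets = {a: secrets.token_urlsafe(24) for a in accounts}
        self._leases = {}        # account -> active Lease (one at a time)
        self._elevated = {}      # user -> (role, expires_at) for JIT grants
        self.lease_seconds = lease_seconds
        self.audit = []          # append-only record, what you'd ship to the SIEM

    def _log(self, now, event, **fields):
        self.audit.append({"t": now, "event": event, **fields})

    def checkout(self, requester, account, mfa_ok, ticket, now):
        """Steps 1-3: MFA, justification, then a one-time, time-limited check-out."""
        if not mfa_ok:
            self._log(now, "checkout_denied", user=requester, reason="mfa")
            raise PermissionError("MFA required")
        if not ticket:
            self._log(now, "checkout_denied", user=requester, reason="no_ticket")
            raise PermissionError("justification (ticket) required")
        if account not in self._secrets:
            raise KeyError(account)
        self.expire(now)                      # close stale leases first
        if account in self._leases:
            raise PermissionError(f"{account} is already checked out")
        lease = Lease(account, requester, self._secrets[account],
                      now + self.lease_seconds, ticket)
        self._leases[account] = lease
        self._log(now, "checkout", user=requester, account=account, ticket=ticket)
        return lease

    def expire(self, now):
        """Step 4: when the window closes, rotate the secret so the value the
        admin saw stops working. Also revokes JIT grants whose time is up."""
        for account, lease in list(self._leases.items()):
            if now >= lease.expires_at:
                del self._leases[account]
                self._secrets[account] = secrets.token_urlsafe(24)
                self._log(now, "rotated", account=account, user=lease.requester)
        for user, (role, until) in list(self._elevated.items()):
            if now >= until:
                del self._elevated[user]
                self._log(now, "elevation_revoked", user=user, role=role)

    def is_valid(self, account, secret, now):
        """What the target system checks: a live lease AND the current secret."""
        self.expire(now)
        if account not in self._leases:
            return False
        return secrets.compare_digest(self._secrets[account].encode(), secret.encode())

    def request_elevation(self, user, role, ticket, approved, now, hours=2):
        """JIT: grant a role only with ticket + approval, for a fixed window."""
        if not (ticket and approved):
            self._log(now, "elevation_denied", user=user, role=role)
            return False
        self._elevated[user] = (role, now + hours * 3600)
        self._log(now, "elevated", user=user, role=role, ticket=ticket)
        return True

    def has_role(self, user, role, now):
        self.expire(now)
        return self._elevated.get(user, (None, 0))[0] == role


if __name__ == "__main__":
    b = PamBroker(["db_admin"], lease_seconds=3600)
    lease = b.checkout("alice", "db_admin", mfa_ok=True, ticket="CHG-1234", now=0)
    print(b.is_valid("db_admin", lease.secret, now=600))    # inside the window
    print(b.is_valid("db_admin", lease.secret, now=3601))   # expired: rotated
    for entry in b.audit:
        print(entry)
```

The point worth noticing is in `expire`: revocation is not just deleting a record, it rotates the secret, because a password the admin has already seen is otherwise still usable after the lease ends. A real PAM product does the same by pushing the new password to the target system.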

Privileged Elevation and Delegation Management (PEDM)

Granular authorization of specific commands instead of full root privileges:

# /etc/sudoers.d/backup_admin  (check syntax with: visudo -cf /etc/sudoers.d/backup_admin)
# Instead of:  backup_admin ALL=(ALL) ALL        <- full sudo privileges
# Better: backup_admin may run exactly these two commands, with exactly these arguments
backup_admin ALL=(root) /usr/bin/rsync --archive /data /backup, \
                        /usr/bin/systemctl start backup-service
# Every other sudo command is denied because no rule matches; sudo logs "command not allowed"

Market-leading PAM solutions

Solution | Vendor | Key feature
CyberArk | CyberArk | Enterprise market leader, on-prem + cloud
BeyondTrust | BeyondTrust | PEDM focus, strong on Windows endpoints
Delinea (Thycotic/Centrify) | Delinea | Mid-market, good SaaS option
HashiCorp Vault | HashiCorp | Developer-friendly, secrets management for applications and pipelines
Microsoft Entra PIM (formerly Azure AD PIM) | Microsoft | JIT role activation for Microsoft/Entra ID environments

Compliance Requirements

NIS2 Art. 21(2): access control policies and multi-factor authentication are among the mandated cybersecurity risk-management measures; privileged accounts are where these bite hardest.

PCI DSS v4.0 Req. 7: Restrict access to system components and cardholder data by business need to know, including privileged access.

ISO 27001 A.8.2: Privileged access rights – control and regular review.

BSI IT-Grundschutz ORP.4.A14: Protection of privileged accounts – regular reduction of privileges.

PAM vs. IAM vs. IDM

Term | Focus | Example
IAM (Identity & Access Management) | All users, all access | Employee onboarding, SSO, RBAC
PAM (Privileged Access Management) | Only privileged accounts | Admin passwords, session recording
IDM (Identity Management) | Lifecycle management | Provisioning/deprovisioning of accounts

PAM is a specialization of IAM for the high-risk privileged environment.

Quick Wins Without a Full PAM Solution

Can be implemented immediately without a budget for enterprise PAM:

  1. Windows LAPS (Local Administrator Password Solution): built into Windows, rotates local admin passwords and stores them in AD or Entra ID, so one compromised workstation password does not open every other machine
  2. Microsoft Entra PIM (formerly Azure AD PIM): JIT activation for M365/Entra roles (requires an Entra ID P2 or Governance license)
  3. Account separation: every admin gets two accounts, a regular user account for mail and browsing and a separate admin account used only for administrative tasks
  4. Team password manager (KeePass, Bitwarden Teams): a credential vault light, without automatic rotation or session recording
  5. Audit logging: forward all privileged activity (sudo, RDP/SSH logins, group membership changes) to the SIEM and alert on it
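Forwarding sudo logs to a SIEM is only a win if something evaluates them. The following is an added example, not code from the page or any vendor: it parses lines in sudo's default syslog format and flags denied commands, password-guessing, interactive root shells, and, for `backup_admin`, any successful command that is not in the PEDM allowlist from the sudoers rule above (which indicates the host's sudoers has drifted from central policy). The log lines, hostname, usernames, and the `deploy` account are constructed for the example.

```python
"""Detection over sudo audit lines: a PEDM/SIEM quick win.

Added example, not from the page or any vendor. SAMPLE_LOG is constructed to
match the default sudo syslog format; ALLOWLIST mirrors the backup_admin
sudoers rule used in the PEDM section. Hostname and user names are made up.
"""
import re

# Constructed sample: one permitted command, one denied command, one burst of
# password failures, and an interactive root shell from an account that should never get one.
SAMPLE_LOG = """\
Jan 12 10:03:11 srv01 sudo: backup_admin : TTY=pts/0 ; PWD=/home/backup_admin ; USER=root ; COMMAND=/usr/bin/rsync --archive /data /backup
Jan 12 10:04:02 srv01 sudo: backup_admin : command not allowed ; TTY=pts/0 ; PWD=/home/backup_admin ; USER=root ; COMMAND=/bin/bash
Jan 12 10:05:00 srv01 sudo: backup_admin : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/backup_admin ; USER=root ; COMMAND=/bin/bash
Jan 12 10:06:30 srv01 sudo: deploy : TTY=pts/1 ; PWD=/srv ; USER=root ; COMMAND=/bin/su -
"""

# Central PEDM policy: per-user allowlist with exact argument match, like sudoers does.
ALLOWLIST = {
    "backup_admin": {
        "/usr/bin/rsync --archive /data /backup",
        "/usr/bin/systemctl start backup-service",
    },
}
# Commands that give an interactive root shell, defeating any command-level restriction.
SHELLS = {"/bin/bash", "/bin/sh", "/bin/su", "/bin/su -", "/usr/bin/su"}

# Default sudo syslog line; the optional "status" segment carries "command not allowed",
# "N incorrect password attempts" and similar. Absent on a successful run.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo: +(?P<user>\S+) : "
    r"(?:(?P<status>[^;]*?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse(line):
    """Return the fields of one sudo log line, or None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text):
    """Return findings as (severity, user, reason, command) tuples, in log order."""
    findings = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        user, cmd, status = ev["user"], ev["cmd"].strip(), ev["status"] or ""
        if "incorrect password" in status:
            findings.append(("high", user, "repeated sudo password failures", cmd))
        elif status.startswith("command not allowed"):
            findings.append(("medium", user, "attempted command outside PEDM policy", cmd))
        elif cmd in SHELLS:
            findings.append(("high", user, "interactive root shell via sudo", cmd))
        elif user in ALLOWLIST and cmd not in ALLOWLIST[user]:
            # The host allowed it, but central policy does not: sudoers drift.
            findings.append(("high", user, "executed command not in allowlist (policy drift)", cmd))
    return findings


if __name__ == "__main__":
    for sev, user, reason, cmd in analyze(SAMPLE_LOG):
        print(f"[{sev:6}] {user:14} {reason}: {cmd}")
```

The first sample line produces no finding, which is the desired steady state: a permitted command run by the account that is allowed to run it. Everything else on the host is either a denial (useful on its own as a signal of someone probing their limits) or a success that should not have been possible under the policy.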