
The PAM Commandments

  • Writer: Eva Vetter
  • Jul 17
  • 2 min read

In a previous blog, I discussed the basics of IAM (Identity Access Management), which encompasses IGA (Identity Governance and Administration), AM (Access Management), PAM (Privileged Access Management), and ADMgmt (Active Directory Management).


Today, I'll focus on one of these core pillars: Privileged Access Management (PAM). As the name suggests, its purpose is to safeguard critical accounts from cyber threats, given the systems those accounts frequently access, such as code repositories. The challenge is that some of these users are Non-Human Identities (NHI), which cannot be easily tracked by a simple repository.


For a deeper understanding, I found an excellent reference blog by Jaryeong Kim at Keeper Security that explains how PAM functions: https://www.keepersecurity.com/blog/2025/05/19/how-does-privileged-access-management-work/



  1. Credential Vaulting - Utilizes a vault repository to encrypt credentials, including passwords, SSH keys, and API tokens. This is audited to prevent unauthorized access, ensuring the credential is never exposed in an unencrypted form to the user.

  2. Just-in-Time (JIT) Access - Grants authorized access for a limited time, which is immediately restricted once the task is completed.

  3. Session Management - Offers real-time analytics for monitoring and securing active privileged user accounts, enabling administrators to take necessary actions against bad actors.

  4. Access Control - Implements the Principle of Least Privilege (PoLP), granting only the minimum permissions users need to perform their jobs. Policies can be created based on attributes like role, department, or device type.

  5. Compliance Support - Provides audit trails for strict security frameworks like GDPR and HIPAA, offering more than just basic logs by including screen recordings and keystroke activity.

  6. Alerting and Reporting - Includes details such as requests, approvals, durations, and much more.

  7. Automation - "By automating the lifecycle management of privileged accounts, including user provisioning and deprovisioning, access request approvals, password rotation, and session management, PAM reduces manual intervention and minimizes the risk of human error."

  8. Integration - Seamlessly integrates with other systems, such as Identity platforms and ITSM tools like ServiceNow.
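To make items 2, 4 and 6 concrete, here is an added example (not from the original post or from the Keeper Security article) of a small just-in-time access broker that checks attribute-based policy, caps and expires grants, and records requests, approvals and durations. The `JitBroker` class, the `POLICY` table and the `prod-db-admin` resource are hypothetical names constructed for illustration.

```python
import time
from dataclasses import dataclass, field

# Constructed policy: attribute values allowed to request each privileged resource.
POLICY = {
    "prod-db-admin": {"role": {"dba"}, "department": {"platform"},
                      "device_type": {"managed-laptop"}},
}

@dataclass
class JitBroker:
    max_ttl: int = 3600                          # ceiling on any single grant, seconds
    grants: dict = field(default_factory=dict)   # (user, resource) -> expiry timestamp
    audit: list = field(default_factory=list)    # request/approval/duration trail

    def _log(self, event, user, resource, now, **extra):
        self.audit.append({"ts": now, "event": event, "user": user,
                           "resource": resource, **extra})

    def request(self, user, attrs, resource, ttl, now=None):
        """Return the expiry time of a new grant, or None if policy denies it."""
        now = time.time() if now is None else now
        rule = POLICY.get(resource)
        # Default deny: unknown resource, or any required attribute missing/mismatched.
        if rule is None or not all(attrs.get(k) in ok for k, ok in rule.items()):
            self._log("denied", user, resource, now)
            return None
        ttl = min(ttl, self.max_ttl)             # cap the requested duration
        self.grants[(user, resource)] = now + ttl
        self._log("approved", user, resource, now, duration=ttl)
        return now + ttl

    def is_active(self, user, resource, now=None):
        """Check a grant at use time; expired grants are removed and logged."""
        now = time.time() if now is None else now
        expiry = self.grants.get((user, resource))
        if expiry is None:
            return False
        if now >= expiry:
            del self.grants[(user, resource)]
            self._log("expired", user, resource, now)
            return False
        return True

    def release(self, user, resource, now=None):
        """Revoke early when the task completes, instead of waiting for expiry."""
        now = time.time() if now is None else now
        if self.grants.pop((user, resource), None) is None:
            return False
        self._log("released", user, resource, now)
        return True
```

The `now` parameter exists so the expiry logic can be exercised with fixed timestamps; in normal use it is left unset and the broker reads the system clock.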







 

© 2025 by Eva's Tangy Takes: A Portfolio Showcasing Product and Technology. Powered and secured by Wix 

 
