Privileged Access Management (PAM)

Privileged access management (PAM) controls and monitors accounts with elevated rights in IT systems. PAM protects the accounts that can cause the most damage if compromised and is one of the most effective security measures.



    What is privileged access management?

    Privileged accounts are accounts with elevated rights: domain administrators, root accounts, database administrators, cloud administrators and service accounts. These accounts can change configurations, access all data and control other accounts. This makes them the primary target for attackers.

    PAM is a set of technologies and processes that ensure privileged accounts are used only by authorised individuals, only for approved purposes, and that all usage is logged and monitored. It is an extension of identity management with a focus on the most critical accounts.

    In a zero trust architecture, PAM is essential. The principle of least privilege requires that no one has permanent admin rights and that all privileged actions are verified and logged.

    PAM components

    A PAM solution typically consists of:

    • Password vault: A central repository for privileged credentials. Passwords are rotated automatically and are never visible to the user in plain text.
    • Session management: Privileged sessions are initiated via the PAM platform, which records and logs all activity. This provides a full audit trail and enables real-time monitoring.
    • Just-in-time (JIT) access: Instead of permanent rights, privileged access is granted temporarily via an approval process. Rights are removed automatically after a defined period.
    • Privileged threat analytics: Behavioural analysis of privileged sessions to detect abnormal usage that may indicate compromise.

    PAM integrates with multi-factor authentication (MFA) for strong authentication of privileged users and with SIEM systems for centralised logging and alerting.

    Best practices

    Effective privileged access management follows these principles:

    Inventory of privileged accounts: Map all privileged accounts, including service accounts and shared accounts. You cannot protect what you do not know about.

    Least privilege: Grant only the rights necessary for the task. Avoid permanent admin rights. Use JIT access where possible.

    Separate accounts: IT administrators should have separate accounts for daily work and administration. The privileged account is used only when necessary.

    Automatic password rotation: Privileged passwords are rotated automatically after each use or at fixed intervals. This eliminates the risk of reused or forgotten credentials.

    Monitor and log everything: All privileged sessions are logged with a full audit trail. Combine with SIEM to detect misuse in real time.

    Do not forget service accounts. They often have elevated rights, passwords that are never rotated, and no associated person. PAM should cover them just as thoroughly as human accounts. Security awareness for IT administrators is important, as they are primary targets for social engineering.

    Regulations and standards

    ISO 27001 Annex A includes control A.8.2, which deals specifically with privileged access rights. An ISMS must define how privileged accounts are managed as part of its technical and organisational measures.

    NIS2 requires strong access control, and privileged accounts are the most critical element. DORA imposes specific requirements on the management of privileged accounts in financial institutions.

    CIS 18 Controls 5 and 6 address account management and access control with a particular focus on privileged accounts. Under GDPR, PAM is important for ensuring that access to personal data is restricted to authorised individuals.

    Frequently Asked Questions about Privileged Access Management (PAM)

    What is a privileged account?

    A privileged account is an account with elevated rights that grants access to critical systems, data or configurations. Examples include domain administrators, root accounts, database administrators, cloud administrators and service accounts with elevated rights.

    What is just-in-time (JIT) access?

    JIT access grants privileged rights only when they are needed and removes them automatically afterwards. Instead of permanent admin rights, the user requests access, which is approved and granted temporarily.
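    The JIT flow described above and in the "PAM components" list, as an added, constructed example (not code from this page or from any PAM product): a toy broker that enforces four-eyes approval, hands out a vaulted password only while a time-boxed grant is active, rotates the password once the grant expires, and writes a secret-free audit trail. Account, user and purpose names are placeholders.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Grant:
    grant_id: str
    account: str
    requester: str
    expires_at: datetime

class JitBroker:
    """Constructed toy JIT broker: four-eyes approval, time-boxed grants, rotation on expiry."""

    def __init__(self, accounts, ttl=timedelta(minutes=30)):
        self.ttl = ttl
        self.vault = {a: secrets.token_urlsafe(24) for a in accounts}  # account -> password
        self.grants = {}  # grant_id -> active Grant
        self.audit = []   # event dicts destined for the SIEM; a password never lands here

    def _log(self, event, **fields):
        self.audit.append({"event": event, **fields})

    def request(self, account, requester, approver, purpose, now):
        """Approve a time-boxed grant; requester and approver must be different people."""
        if requester == approver:
            self._log("denied", account=account, requester=requester, reason="self-approval")
            raise PermissionError("four-eyes rule: requester cannot approve own request")
        grant = Grant(secrets.token_hex(8), account, requester, now + self.ttl)
        self.grants[grant.grant_id] = grant
        self._log("granted", grant_id=grant.grant_id, account=account, requester=requester,
                  approver=approver, purpose=purpose, expires_at=grant.expires_at.isoformat())
        return grant

    def checkout(self, grant_id, now):
        """Hand out the vaulted password for an active grant; None if expired or unknown."""
        self.expire(now)
        grant = self.grants.get(grant_id)
        if grant is None:  # refused, but still recorded so misuse attempts are visible
            self._log("checkout_refused", grant_id=grant_id)
            return None
        self._log("checkout", grant_id=grant_id, account=grant.account, user=grant.requester)
        return self.vault[grant.account]

    def expire(self, now):
        """Revoke every grant past its expiry and rotate the credential it exposed."""
        for g in [g for g in self.grants.values() if g.expires_at <= now]:
            del self.grants[g.grant_id]
            self.vault[g.account] = secrets.token_urlsafe(24)
            self._log("revoked_rotated", grant_id=g.grant_id, account=g.account)
```

    A real deployment would persist the audit events to the SIEM and keep the vault in an HSM-backed store; the example only shows the control flow.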

    Why are privileged accounts a primary target for attackers?

    Privileged accounts provide broad access to systems and data. A compromised admin account can give the attacker control over the entire IT environment. Most advanced attacks involve escalation to privileged accounts.
