Audio Cast:

Takeaway Points:

• PAM stands for privileged access management

• The focus as the name suggests is on privileged accounts - which refer to things like administrators, root accounts, service accounts and non-standard end users

• These accounts if used maliciously can cause significant disruption, degradation and destruction of key services, infrastructure and compute power

• PAM aims to wrap these accounts with a set of functions to help improve security

• PAM only impacts a subset of identities within the employee environment

• PAM functions include the ability to restrict access to privileged functions to specific users - essentially principle of least privilege - likely through an inventory of permissions and users and tying the two together “just in time” or through another concept called “zero standing privilege” - which means not tying privileged access to a user permanently

• Another main function is being able to monitor and audit uses of privileged access - so this could include recording a session of command line activity and being able to map that to a real identity

• When a user requests access to user a privileged account or function, it will likely be wrapped by strong multi-factor authentication and perhaps device checks

• Other features include credential rotation - so this could include the changing of passwords for certain accounts after a user has finished using it

• Requests for privileged access are typically mapped into well designed workflows - that handle who can request access, under what conditions and how those requests are approved and fulfilled

• Use cases:

  • Allowing a real identity to “checkout” an account or permissions that have administrative capabilities

  • Manage and monitor those requests with strong authentication, auditing, monitoring and approval