4.6.6 Privileged Access Management
JIT, vaulting, ephemeral credentials.
Privileged Access Management (PAM) encompasses the specialized strategies, tools, and policies used to secure, control, and monitor identities with elevated permissions.
Core PAM Mechanisms PAM differs from standard access control by focusing on high-risk accounts—such as root, administrator, or service accounts—that have the power to change system configurations or access sensitive data. - Privileged Account Vaulting: Storing administrative credentials in a secure, centralized digital vault. Users check out the credentials they need, ensuring they are never stored in plaintext on local machines. - Credential Rotation: Automatically changing passwords for service and administrative accounts at frequent intervals to mitigate the risk of stolen or leaked credentials. - Password Masking: Providing a user access to a system through the PAM tool without ever revealing the actual password to the human operator.
Just-in-Time (JIT) Access JIT access moves away from "always-on" (standing) privileges, which represent a constant attack surface. - Temporal Access: Granting elevated rights only for the specific timeframe required to complete a task (e.g., two hours for a maintenance window). - Request/Approval Workflow: Requiring a manual or automated approval process before a user is elevated into a privileged role. - Reduced Attack Surface: By ensuring accounts are standard users by default and privileged only when necessary, the impact of a compromised account is severely neutralized.
Ephemeral Credentials Ephemeral credentials are temporary, short-lived secrets created on-demand for a specific session or task. - Dynamic Secrets: Unlike static passwords, these are generated dynamically by the PAM system and expire automatically after a very short duration (minutes or hours). - Automated Revocation: Because the credential has a built-in expiration (TTL - Time to Live), there is no need for manual cleanup or revocation if the secret is intercepted. - Service-to-Service Security: Frequently used in cloud environments and automated CI/CD pipelines to allow applications to talk to databases without hardcoding "forever" secrets into the code.
Auditing and Governance Because privileged users have "the keys to the kingdom," their actions must be strictly logged. - Session Recording: Capturing video or keystroke logs of everything a privileged user does while using vaulted credentials. - Role-Based Training: Specialized security awareness training for privileged users, focusing on the higher stakes of their access level compared to standard users.
Quick recall - Vaulting: Centralized, secure storage for high-level "root" or "admin" passwords. - JIT (Just-in-Time): Providing access only when needed and revoking it immediately after. - Ephemeral: Short-lived, one-time-use credentials that expire automatically. - Standing Privileges: The "persistent" access that PAM seeks to eliminate. - Trigger words: Check-out/Check-in, credential rotation, automated expiration.