Privileged Access Management (PAM)
Status: Final
Privileged Access Management (PAM) is the discipline of controlling, monitoring, and auditing access by privileged accounts — accounts with elevated permissions that, if compromised, cause the greatest damage. PAM reduces the identity attack surface but does not eliminate it: attackers routinely bypass, abuse, or directly target PAM systems.
What PAM Controls
| Function | Description |
|---|---|
| Credential vaulting | Store privileged credentials (local admin, service accounts, root passwords) encrypted; issue on-demand |
| Session management | Record and monitor privileged sessions (keystroke logging, screen recording, command auditing) |
| Just-in-time access | Grant privilege only when needed, for defined duration (minimize standing privilege) |
| Least privilege enforcement | Restrict what privileged users can do via command filtering or privilege elevation policies |
| Password rotation | Automatically rotate credentials after use or on schedule |
| Application identity (secrets management) | Manage non-human identities and API keys used by applications |
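The controls in the table above (vaulting, just-in-time leases, command filtering, rotation after use, and an audit trail) can be seen working together in a small in-memory broker. This is an added illustration written for this page, not code from CyberArk, BeyondTrust or any other vendor; the class and method names, the lease format and the use of a `now` parameter for deterministic clocks are all assumptions of the example.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Lease:
    lease_id: str
    user: str
    account: str
    expires_at: float


class JitVault:
    """Toy PAM broker: secrets live only in the vault, users get short leases."""

    def __init__(self, allowed_commands):
        # allowed_commands: account -> permitted command prefixes (least privilege)
        self._secrets = {}    # account -> current secret (encrypted at rest in a real vault)
        self._grants = set()  # (user, account) pairs allowed to request a lease
        self._leases = {}     # lease_id -> Lease
        self._allowed = allowed_commands
        self.audit = []       # event dicts, i.e. what a SIEM would ingest

    def _log(self, event, **fields):
        self.audit.append({"event": event, **fields})

    @staticmethod
    def _new_secret():
        return secrets.token_urlsafe(24)

    def onboard(self, account):
        self._secrets[account] = self._new_secret()
        self._log("onboard", account=account)

    def grant(self, user, account):
        self._grants.add((user, account))
        self._log("grant", user=user, account=account)

    def checkout(self, user, account, ttl_seconds, now=None):
        """Issue a time-bound lease; returns (lease_id, secret) or raises PermissionError."""
        now = time.time() if now is None else now
        if (user, account) not in self._grants or account not in self._secrets:
            self._log("checkout_denied", user=user, account=account)
            raise PermissionError(f"{user} may not check out {account}")
        lease = Lease(secrets.token_hex(8), user, account, now + ttl_seconds)
        self._leases[lease.lease_id] = lease
        self._log("checkout", user=user, account=account,
                  lease_id=lease.lease_id, ttl=ttl_seconds)
        return lease.lease_id, self._secrets[account]

    def _active(self, lease_id, now):
        lease = self._leases.get(lease_id)
        if lease is None or now >= lease.expires_at:
            return None
        return lease

    def run_command(self, lease_id, command, now=None):
        """Command filtering: only allow-listed prefixes run under an active lease."""
        now = time.time() if now is None else now
        lease = self._active(lease_id, now)
        if lease is None:
            self._log("command_rejected", lease_id=lease_id, reason="no active lease")
            return False
        if not command.startswith(tuple(self._allowed.get(lease.account, ()))):
            self._log("policy_violation", user=lease.user,
                      account=lease.account, command=command)
            return False
        self._log("command", user=lease.user, account=lease.account, command=command)
        return True

    def checkin(self, lease_id, now=None):
        """End the lease and rotate the credential so the disclosed secret is dead."""
        now = time.time() if now is None else now
        lease = self._leases.pop(lease_id, None)
        if lease is None:
            return False
        self._secrets[lease.account] = self._new_secret()
        self._log("rotate", account=lease.account, lease_id=lease_id)
        return True

    def is_current(self, account, secret):
        """Would this secret still authenticate? Used to show rotation took effect."""
        return secrets.compare_digest(self._secrets.get(account, ""), secret)


if __name__ == "__main__":
    vault = JitVault({"root@db01": ("journalctl", "systemctl status")})
    vault.onboard("root@db01")
    vault.grant("alice", "root@db01")
    lease_id, secret = vault.checkout("alice", "root@db01", ttl_seconds=600, now=1000.0)
    vault.run_command(lease_id, "journalctl -u postgresql", now=1100.0)
    vault.run_command(lease_id, "rm -rf /var/lib/postgresql", now=1100.0)  # blocked
    vault.checkin(lease_id, now=1200.0)
    print("old secret still valid:", vault.is_current("root@db01", secret))  # False
    for event in vault.audit:
        print(event)
```

Two points worth noting: the blocked command is logged as a `policy_violation` rather than silently dropped, which is exactly the detection signal the ITDR section below relies on, and rotation on check-in means a credential captured during the session has no value once the lease ends.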
PAM vs IGA vs PIM
| Tool | Scope | Primary Use |
|---|---|---|
| PAM (CyberArk, BeyondTrust) | Privileged account credential and session control | Protect, record, and audit privileged access |
| IGA (SailPoint, Saviynt) | Lifecycle and access governance | Certify who has access to what; automate provisioning |
| PIM (Entra ID PIM) | Cloud role activation and JIT | Just-in-time cloud role elevation |
All three are complementary. A full identity security program needs all three.
Major PAM Vendors
CyberArk
The market leader in PAM. Dominant in financial services, government, and large enterprises.
| Component | Function |
|---|---|
| Privilege Cloud / Vault | Core credential vault — stores and brokers privileged credentials |
| Central Policy Manager (CPM) | Rotates passwords according to policy |
| Privileged Session Manager (PSM) | Proxy-based session recording and monitoring |
| Endpoint Privilege Manager (EPM) | Least-privilege on Windows/macOS endpoints |
| Secrets Manager (Conjur) | API/application credential management — DevSecOps |
| Identity Security Platform | Unified platform combining PAM + Identity security |
CyberArk in ITDR context: CyberArk itself can be a target. The Vault is protected by a hardcoded "Master" password and a "DR" password — both are high-value targets in advanced attacks. CyberArk also releases security advisories when its own components have vulnerabilities.
BeyondTrust
Strong in Unix/Linux PAM, Unix privilege management, and remote access.
| Product | Function |
|---|---|
| Password Safe | Privileged credential vaulting |
| Privilege Management for Windows/Mac | Endpoint least privilege |
| Privilege Management for Unix & Linux | pbrun — Unix privilege elevation with policy |
| Remote Support | Secure remote access for IT/help desk |
| Privileged Remote Access | PAM-integrated remote access gateway |
Delinea (formerly Thycotic + Centrify)
Positioned as a more accessible (SaaS-first) alternative to CyberArk for the mid-market.
| Product | Function |
|---|---|
| Secret Server | Credential vaulting |
| Privilege Manager | Endpoint privilege management |
| Server Suite | Unix/Linux PAM, AD bridging |
| Cloud Suite | Cloud resource privilege management |
One Identity
SAP-adjacent; strong in combined IGA + PAM deployments.
| Product | Function |
|---|---|
| Safeguard for Privileged Passwords | Credential vault |
| Safeguard for Privileged Sessions | Session monitoring/recording |
| One Identity Manager | IGA platform |
Wallix
European PAM vendor, strong in EU regulated industries and OT/ICS environments.
PAM Attack Vectors
PAM systems are themselves high-value targets. Attackers who can compromise the PAM system gain access to all credentials stored within it.
| Attack | Target | Method |
|---|---|---|
| PAM admin account compromise | Full vault access | Phishing PAM admins, credential theft |
| Vault database exfiltration | Encrypted credential store | Ransomware, insider threat, DB exposure |
| PSM session hijacking | Live session intercept or replay | Compromise PSM server |
| CPM account abuse | Credential rotation service account has write access to every target | Compromise CPM credentials |
| API abuse | PAM REST API with stolen API key | Bulk credential retrieval |
| Memory scraping on PAM server | In-memory credentials during session brokering | Privileged endpoint compromise |
| DLL injection into vault agent | Intercept credentials before they reach the vault | Malware on PAM-connected servers |
PAM and ITDR
| Integration Point | ITDR Value |
|---|---|
| PAM session logs → SIEM | Rich context for privileged activity detection |
| PAM credential access logs | Alert on unusual credential checkouts (off-hours, new accounts, bulk) |
| PAM + UBA | Behavioral baseline for privileged users — detect deviation |
| PAM policy violations | Commands blocked by PAM policy = detection signal |
| Secrets Manager → workload identity | Non-human credential access anomalies |
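The "PAM credential access logs" row above (off-hours, new accounts, bulk checkouts) and the "API abuse / bulk credential retrieval" row in the attack-vector table describe the same detection problem from two sides. The following is an added example, not code from any PAM vendor or SIEM: it runs three rules over a constructed JSON-lines export of vault checkout events. The field names (`ts`, `user`, `account`, `via`), the business-hours window, the bulk threshold and the baseline user set are all assumptions to be replaced with the organisation's own values.

```python
import json
from collections import defaultdict, deque
from datetime import datetime

# Tuning knobs (assumptions; tune to the organisation's own baseline).
BUSINESS_HOURS = (8, 18)   # 08:00-18:00 UTC counts as on-hours
BULK_THRESHOLD = 5         # this many checkouts by one principal ...
BULK_WINDOW_S = 600        # ... within this many seconds is "bulk"

# Constructed credential-checkout export (JSON lines). The schema is an
# assumption for the example, not any vendor's audit format.
SAMPLE_LOG = """\
{"ts":"2024-05-06T09:12:00Z","user":"alice","account":"root@db01","via":"console"}
{"ts":"2024-05-06T09:40:00Z","user":"bob","account":"admin@web02","via":"console"}
{"ts":"2024-05-06T23:55:00Z","user":"alice","account":"root@db01","via":"console"}
{"ts":"2024-05-07T10:30:00Z","user":"mallory","account":"admin@web02","via":"console"}
{"ts":"2024-05-07T11:00:00Z","user":"svc-backup","account":"root@db01","via":"api"}
{"ts":"2024-05-07T11:01:00Z","user":"svc-backup","account":"root@db02","via":"api"}
{"ts":"2024-05-07T11:02:00Z","user":"svc-backup","account":"root@db03","via":"api"}
{"ts":"2024-05-07T11:03:00Z","user":"svc-backup","account":"root@db04","via":"api"}
{"ts":"2024-05-07T11:04:00Z","user":"svc-backup","account":"root@db05","via":"api"}
{"ts":"2024-05-07T11:05:00Z","user":"svc-backup","account":"root@db06","via":"api"}
{"ts":"2024-05-11T10:00:00Z","user":"bob","account":"admin@web02","via":"console"}
"""

# Principals seen checking out credentials during the baseline period (constructed).
BASELINE_USERS = {"alice", "bob", "svc-backup"}


def parse_events(text):
    """Parse JSON-lines checkout records into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        # Python < 3.11 does not accept a trailing "Z", so normalise it first.
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def detect(events, baseline_users):
    """Return (rule, user, timestamp, detail) tuples for suspicious checkouts."""
    alerts = []
    recent = defaultdict(deque)   # user -> timestamps of checkouts inside the bulk window
    lo, hi = BUSINESS_HOURS
    for e in sorted(events, key=lambda r: r["ts"]):
        ts, user = e["ts"], e["user"]
        # Rule 1: a principal with no history of privileged checkouts
        if user not in baseline_users:
            alerts.append(("new_principal", user, ts, e["account"]))
        # Rule 2: weekend or outside the business-hours window
        if ts.weekday() >= 5 or not (lo <= ts.hour < hi):
            alerts.append(("off_hours", user, ts, e["account"]))
        # Rule 3: sliding-window count per principal; fires once when the threshold is crossed
        window = recent[user]
        window.append(ts)
        while (ts - window[0]).total_seconds() > BULK_WINDOW_S:
            window.popleft()
        if len(window) == BULK_THRESHOLD:
            alerts.append(("bulk_checkout", user, ts,
                           f"{BULK_THRESHOLD} checkouts in {BULK_WINDOW_S}s via {e['via']}"))
    return alerts


def run_sample():
    return detect(parse_events(SAMPLE_LOG), BASELINE_USERS)


if __name__ == "__main__":
    for rule, user, ts, detail in run_sample():
        print(f"{ts.isoformat()} {rule:14} {user:11} {detail}")
```

On the sample this yields four alerts: alice's 23:55 checkout (off-hours), mallory's first-ever checkout (new principal), svc-backup's fifth API checkout within the window (bulk, the pattern an attacker with a stolen API key would produce), and bob's Saturday checkout. The bulk rule keys on the principal, so for API traffic the key or client identity should be the `user` field; a per-principal baseline rather than a global threshold is the natural next refinement.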
Cross-Links
| Topic | Link |
|---|---|
| IGA | iga-overview |
| MFA Technologies | mfa-technologies |
| AD Attacks | kerberoasting |
| Entra PIM | pim |