
Privileged Access Management

Zero Standing Privileges • JIT Access • Session Recording

Tags: Blue Team • Privileged Access • JIT Access • Interactive

What is Privileged Access Management?

Privileged Access Management (PAM) controls who can access critical systems, when they can access them, and what they can do. Unlike standard user accounts, privileged accounts (admin, root, service accounts) have elevated permissions that can modify systems, access sensitive data, or deploy code.

Core PAM Principles:

Zero Standing Privileges (ZSP)

No permanent admin access - request when needed

Just-In-Time (JIT) Access

Temporary elevation for specific time windows

Least Privilege

Minimum permissions needed for the task

Session Recording & Audit

Every privileged action is logged and reviewable

Why PAM Matters: Real Breaches

Many of the largest breaches in history resulted from compromised privileged credentials. Once attackers gain admin access, they can move laterally, exfiltrate data, and deploy ransomware.

SolarWinds Supply Chain Attack (2020)

  • Attackers compromised admin credentials for SolarWinds Orion build system
  • Injected malicious code into software updates sent to 18,000+ customers
  • PAM Gap: No session recording or anomaly detection on build server access

MGM Resorts Ransomware (2023)

  • Social engineering against IT helpdesk to reset admin credentials
  • Attackers used elevated privileges to deploy ransomware across 100+ ESXi servers
  • PAM Gap: Permanent admin credentials without MFA or approval workflow

CircleCI Token Breach (2023)

  • Malware on engineer's laptop stole GitHub session token with write access
  • Attackers used token to access production secrets and encryption keys
  • PAM Gap: Long-lived tokens without rotation or anomaly detection

Zero Standing Privileges (ZSP) Architecture

Traditional model: Users have permanent admin access "just in case" they need it.
ZSP model: No one has admin access by default. Request it when needed, for a limited time, with justification.

❌ Old Model (Standing Privileges)

  • User "alice@corp.com" is in "Domain Admins" group 24/7
  • If Alice's credentials are stolen, attacker has full access
  • No audit trail of why admin privileges were used
  • Harder to detect malicious activity vs. legitimate admin work

✓ ZSP Model (JIT Access)

  • Alice requests "Domain Admin" for "2 hours" with justification
  • Manager/Security approves (or AI auto-approves low-risk requests)
  • Alice gets temporary elevation, all actions are logged
  • After 2 hours, privileges auto-revoke

Just-In-Time (JIT) Access Workflow

1. User Requests Privilege Elevation

   Engineer needs to restart production database. Requests "DB Admin" role for "30 minutes" with justification: "Emergency restart for incident #1234"

2. Risk Assessment (Automated)

   PAM system checks: Is this user authorized for this role? Is the request time reasonable? Are there active incidents? Is the user's device compliant?

3. Approval (Human or AI)

   Low-risk requests: Auto-approved. High-risk (e.g., Domain Admin, 8+ hours): Requires manager + security team approval.

4. Privilege Grant + Session Recording

   User gets elevated role. All commands, file access, and API calls are logged, and the terminal session is video-recorded.

5. Auto-Revoke After Time Expires

   After 30 minutes, privileges are automatically removed. User must request again if more time is needed.
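
The ZSP model and the five-step JIT workflow above, as an added example (not code from the original page or from any PAM product): a request is scored on the checks step 2 lists, routed to auto-approval or to manager + security review, granted for a fixed window with an audit trail, and dropped once the window closes. The role names, entitlement table, risk weights and the 40-point auto-approve threshold are constructed assumptions.

```python
"""Added example (not from the original page): a minimal Just-In-Time (JIT)
access workflow that walks the five steps above: request, automated risk
assessment, approval routing, a time-boxed grant with an audit trail, and
auto-revoke. Role names, risk weights and thresholds are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed directory data: which roles each user is entitled to request.
ROLE_ENTITLEMENTS = {
    "alice@corp.com": {"DB Admin"},
    "bob@corp.com": {"DB Admin", "Domain Admin"},
}
HIGH_IMPACT_ROLES = {"Domain Admin"}      # always need human approval (constructed)
AUTO_APPROVE_MAX_RISK = 40                # constructed threshold
MAX_DURATION = timedelta(hours=4)         # "2-4 hours for most tasks" on the page


@dataclass
class AccessRequest:
    user: str
    role: str
    duration: timedelta
    justification: str
    device_compliant: bool      # endpoint posture check passed?
    active_incident: bool       # request cites an open incident?


@dataclass
class Grant:
    user: str
    role: str
    granted_at: datetime
    expires_at: datetime
    audit_log: list = field(default_factory=list)

    def active(self, now: datetime) -> bool:
        return now < self.expires_at

    def record(self, now: datetime, command: str) -> None:
        """Step 4: every privileged command goes into the session log."""
        self.audit_log.append((now.isoformat(), self.user, self.role, command))


def assess_risk(req: AccessRequest) -> int:
    """Step 2: 0-100 score from the checks the page lists.
    Weights are constructed; a real PAM product tunes them per role."""
    if req.role not in ROLE_ENTITLEMENTS.get(req.user, set()):
        return 100                      # not entitled at all: hard deny
    score = 10                          # baseline for any elevation
    if req.role in HIGH_IMPACT_ROLES:
        score += 40
    if req.duration > MAX_DURATION:
        score += 25
    elif req.duration > timedelta(hours=1):
        score += 10
    if not req.device_compliant:
        score += 30
    if not req.active_incident:
        score += 5                      # no incident context: a bit more scrutiny
    return min(score, 100)


def route_approval(req: AccessRequest, risk: int) -> str:
    """Step 3: 'auto', 'manager+security', or 'deny'."""
    if risk >= 100:
        return "deny"
    needs_humans = (req.role in HIGH_IMPACT_ROLES
                    or req.duration > MAX_DURATION
                    or risk > AUTO_APPROVE_MAX_RISK)
    return "manager+security" if needs_humans else "auto"


def grant(req: AccessRequest, now: datetime) -> Grant:
    """Step 4: issue a grant whose expiry drives step 5."""
    return Grant(req.user, req.role, now, now + req.duration)


def revoke_expired(grants: list, now: datetime) -> list:
    """Step 5: keep only live grants; expired ones are revoked."""
    return [g for g in grants if g.active(now)]


if __name__ == "__main__":
    now = datetime(2025, 1, 1, 18, 8, 46, tzinfo=timezone.utc)
    req = AccessRequest("alice@corp.com", "DB Admin", timedelta(minutes=30),
                        "Emergency restart for incident #1234", True, True)
    risk = assess_risk(req)
    print(f"risk={risk} approval={route_approval(req, risk)}")
    g = grant(req, now)
    g.record(now + timedelta(minutes=5), "systemctl restart postgresql")
    print("live after 29 min:", revoke_expired([g], now + timedelta(minutes=29)) == [g])
    print("live after 30 min:", revoke_expired([g], now + timedelta(minutes=30)))
```

With these weights, the 30-minute "DB Admin" request from the walkthrough auto-approves, while an 8-hour "Domain Admin" request is routed to manager + security review, and a request for a role the user is not entitled to at all is denied before anyone is asked to approve it.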

PAM Tools & Technologies

Enterprise PAM Solutions

  • CyberArk: Vault for secrets, session recording
  • BeyondTrust: Privileged Remote Access, password rotation
  • Delinea (Thycotic): Secret Server, privilege elevation
  • HashiCorp Vault: Dynamic secrets, cloud-native

Cloud-Native PAM

  • AWS IAM Identity Center: JIT access to AWS accounts
  • Azure PIM: Privileged Identity Management for Entra ID
  • GCP IAM: Time-bound role assignments
  • Okta PAM: Identity-driven privilege elevation

Session Recording Tools

  • Teleport: Infrastructure access platform with session replay
  • Boundary (HashiCorp): Zero-trust access with audit logs
  • StrongDM: Universal gateway for DB/server access

Password Vaulting

  • Keeper Enterprise: Secrets management + PAM
  • 1Password Business: Shared secrets with access logs
  • AWS Secrets Manager: Auto-rotation of DB credentials

Detection & Anomaly Monitoring

Even with PAM, attackers may try to abuse privileged access. Behavioral analytics detect suspicious patterns:

Unusual Access Patterns

User requests "Domain Admin" at 3 AM (never done before) → Flag for review

Privilege Escalation Attempts

User with "DB Read" access tries to execute DROP TABLE → Block + alert

Rapid-Fire Access Requests

10 different users request same role in 5 minutes → Potential coordinated attack

Data Exfiltration During Privileged Session

Admin session downloads 10GB of customer data → Suspicious, trigger DLP alert

Credential Reuse from Breached Accounts

PAM login from IP address in threat intel feed → Auto-deny + force password reset

PAM Implementation Best Practices

Do This:

  • Inventory all privileged accounts (service, emergency, shared)
  • Rotate credentials automatically (every 24-48 hours)
  • Enforce MFA for all privileged access
  • Record all sessions for forensic review
  • Set max access duration (2-4 hours for most tasks)

Avoid This:

  • Permanent admin credentials for convenience
  • Shared admin passwords across teams
  • No justification required for access requests
  • Unlimited access duration (e.g., 24+ hours)
  • No session recording or audit logs
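
The "Do This" and "Avoid This" lists above turned into an inventory audit, as an added example (not code from the original page or from any PAM product): it walks a constructed export of privileged role assignments and reports standing privileges, shared accounts, grants over the 4-hour ceiling, credentials not rotated within 48 hours, and privileged access without MFA. The record layout, account names and timestamps are constructed assumptions.

```python
"""Added example (not from the original page): audit a constructed export of
privileged role assignments against the practices listed above. It flags
standing (non-expiring) assignments, accounts shared by several people,
grants longer than the 4-hour ceiling, credentials not rotated within 48
hours, and privileged access without MFA. Field names and data are constructed."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 1, 1, 18, 0, tzinfo=timezone.utc)   # fixed clock for the example
MAX_GRANT = timedelta(hours=4)             # "2-4 hours for most tasks"
MAX_CREDENTIAL_AGE = timedelta(hours=48)   # "every 24-48 hours"

# Constructed export: one record per privileged assignment.
ASSIGNMENTS = [
    {"account": "alice@corp.com", "people": ["alice"], "role": "DB Admin",
     "granted_at": NOW - timedelta(minutes=5), "expires_at": NOW + timedelta(minutes=25),
     "mfa": True, "last_rotated": NOW - timedelta(hours=2)},
    {"account": "bob@corp.com", "people": ["bob"], "role": "Domain Admin",
     "granted_at": NOW, "expires_at": NOW + timedelta(minutes=480),
     "mfa": True, "last_rotated": NOW - timedelta(hours=1)},
    {"account": "svc-backup", "people": ["ops-team"], "role": "Backup Operator",
     "granted_at": NOW - timedelta(days=400), "expires_at": None,
     "mfa": False, "last_rotated": NOW - timedelta(days=30)},
    {"account": "breakglass-admin", "people": ["alice", "bob", "carol"], "role": "Domain Admin",
     "granted_at": NOW - timedelta(days=90), "expires_at": None,
     "mfa": True, "last_rotated": NOW - timedelta(days=10)},
]


def audit_assignment(a: dict, now: datetime = NOW) -> list:
    """Return the names of the practices this assignment violates."""
    findings = []
    if a["expires_at"] is None:
        findings.append("standing_privilege")          # ZSP: no permanent admin access
    elif a["expires_at"] - a["granted_at"] > MAX_GRANT:
        findings.append("duration_exceeds_4h")
    if len(a["people"]) > 1:
        findings.append("shared_account")              # no shared admin credentials
    if not a["mfa"]:
        findings.append("mfa_not_enforced")
    if now - a["last_rotated"] > MAX_CREDENTIAL_AGE:
        findings.append("credential_rotation_overdue")
    return findings


def audit_inventory(assignments, now: datetime = NOW) -> dict:
    """Map account -> findings, omitting accounts that pass every check."""
    report = {}
    for a in assignments:
        findings = audit_assignment(a, now)
        if findings:
            report[a["account"]] = findings
    return report


if __name__ == "__main__":
    for account, findings in audit_inventory(ASSIGNMENTS).items():
        print(f"{account}: {', '.join(findings)}")
```

Run against the constructed export, the 30-minute JIT grant passes cleanly, the 480-minute grant is flagged only for duration, and the two non-expiring accounts collect the standing-privilege, sharing and rotation findings that the "Avoid This" list describes.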

Demo Dashboard (sample data)

Pending Requests: 2 • Active Sessions: 1 • Approved Today: 0 • High-Risk Alerts: 1

Pending Access Requests

alice@corp.com (requested 6:08:46 PM, Risk: 25/100)

  • Requested Role: Database Admin
  • Duration: 30 minutes
  • Auto-Revoke At: 6:38:46 PM
  • Justification: Emergency restart for incident #1234

bob@corp.com (requested 6:08:46 PM, Risk: 85/100)

  • Requested Role: Domain Admin
  • Duration: 480 minutes
  • Auto-Revoke At: 2:08:46 AM
  • Justification: Need to create new AD user accounts


Copyright © 2025 JMFG. All rights reserved.