Understanding what PAM is, why it matters, and the core controls that protect your most sensitive access paths.
Learning Objective
By the end of this module, you'll understand what privileged access is, why it's the #1 attack target, and how PAM controls reduce risk.
What is Privileged Access?
Privileged access refers to accounts, credentials, or permissions that have elevated rights beyond those of a standard user: the ability to modify system configurations, access sensitive data, install software, or make changes that affect multiple users or systems.
74% of breaches involve privileged credential abuse
3× more costly: breaches involving privileged access
83% of organizations experienced an identity-related breach in 2023
Types of Privileged Accounts
Local Admin: Full control over a single endpoint
Domain Admin: Control over entire AD domain
Service Accounts: Run applications and processes
Root / Superuser: Unrestricted Unix/Linux access
Cloud IAM Roles: AWS, Azure, GCP super-roles
SSH Keys & Certs: Cryptographic privileged access
Core PAM Controls
Privileged Account Vaulting
Credentials for privileged accounts are stored in an encrypted, access-controlled vault, never in spreadsheets, scripts, or memory. Users check out credentials for a session and they are rotated automatically afterwards. This ensures no shared static passwords and a full audit trail of who accessed what, when.
Privileged Session Management (PSM)
All privileged sessions (RDP, SSH, database, web) are proxied through a session management layer. Sessions are recorded, monitored in real time, and can be terminated instantly. Keystroke logging and video recording provide forensic evidence and support compliance requirements (SOX, PCI-DSS, HIPAA).
Least Privilege & Just-In-Time Access
Least privilege ensures accounts only have the minimum permissions needed for a task. Just-In-Time (JIT) access takes this further: privilege is granted only for the duration of an approved task and automatically revoked. This dramatically shrinks the attack surface by eliminating standing privilege.
Credential Rotation & Management
PAM solutions automatically rotate passwords and API keys on a schedule or after each use. This prevents credential reuse attacks and limits the window of exposure if a credential is compromised. Modern PAM can also manage SSH keys, certificates, and cloud access tokens.
Module Complete
You've covered the core concepts of Privileged Access Management. Continue to Module 2 to explore the broader identity security landscape.
Module 02: Threat Landscape
Identity Security
Why identity has become the new perimeter, and how modern threats exploit the identity attack surface.
The Shift: Identity IS the Perimeter
Traditional network perimeters have dissolved. With cloud, remote work, and SaaS, the question is no longer "are you inside the network?" but "who are you, and what are you allowed to do?"
Human Identities
Employees, contractors, partners, and customers. Each has unique access needs that change over time. Joiners, movers, and leavers all represent risk if identity lifecycle isn't managed.
Examples: Employees, Contractors, Partners, Customers
Non-Human Identities (NHI)
Applications, services, bots, pipelines, and scripts that need access to resources. NHIs often outnumber humans 10:1 and are frequently invisible to security teams.
Examples: Service Accounts, API Keys, OAuth Tokens, Certificates
The Identity Kill Chain: How attackers exploit identities
1. Initial Access: Phishing, Credential Theft
2. Reconnaissance: AD Enumeration, BloodHound / Kerberoast
3. Privilege Escalation: Local Admin to Domain Admin
4. Lateral Movement: Pass-the-Hash, Golden Ticket
5. Exfiltration: Data Theft, Ransomware
PAM disrupts every stage
By vaulting credentials, enforcing least privilege, and requiring MFA for privileged access, PAM makes each step of the kill chain significantly harder or detectable.
The Identity Attack Surface
Attack Vector | Description | PAM Control
Credential Stuffing | Reusing leaked passwords across systems | Vault + auto-rotation
Kerberoasting | Extracting service account hashes from AD | Strong SPN passwords, CID discovery
Pass-the-Hash | Authenticating without knowing plaintext password | Session isolation, MFA enforcement
Privilege Escalation | Exploiting misconfigurations for higher access | Least privilege, JIT access
Shadow IT Accounts | Unmanaged accounts with excessive rights | Continuous Identity Discovery
PAM + Identity Security: A Unified Approach
Discover all identities, including those you don't know about
Assess and prioritize risk across the entire identity landscape
Protect privileged credentials with vaulting and session controls
Detect anomalous identity behavior in real time
Respond automatically to identity-based threats
Module Complete
You understand the modern identity threat landscape. Next: the specific challenge of identity discovery.
Module 03: Core Challenge
The Identity Discovery Challenge
You can't protect what you can't see. Understanding why discovering all identities is hard β and essential.
The Visibility Gap
Most organizations have 3 to 5× more identities than they think. Unknown accounts (stale, orphaned, or shadow) are among the most common breach entry points.
40% of all accounts are orphaned or stale
10:1 ratio of machine identities to human identities
197 days: average time to identify an identity-based breach
Why Identity Discovery Is Hard
Modern enterprise environments span on-premises Active Directory, cloud directories (Entra ID, Okta), dozens of SaaS applications, DevOps pipelines, IaaS environments, and legacy systems, each with its own identity store. Identities are created by IT, by developers, by automation, and even by shadow IT with no central oversight.
Where Identities Hide: The Discovery Surface
Active Directory: Local & domain accounts, SPNs, GPOs
Cloud Directories: Entra ID, Okta, AWS IAM, GCP
Databases: Shared DB accounts, local DBAs
SaaS Apps: Salesforce, GitHub, Slack admins
DevOps / CI-CD: Pipeline service accounts, tokens
Automation / RPA: Scripts, bots, service principals
Common Discovery Failures
Orphaned Accounts
Accounts belonging to employees who have left the organization but were never disabled or deleted. These are frequently targeted by attackers because they have no active owner who would notice anomalous activity. Manual offboarding processes almost always leave gaps.
Shadow Admin Accounts
Accounts that have effective admin privileges through indirect group memberships, ACL delegations, or GPO permissions, without being in any obvious "Admins" group. These are invisible to standard account audits and represent one of the most dangerous blind spots in Active Directory environments.
Service Account Sprawl
Service accounts are created as applications are deployed, but rarely cleaned up when apps are decommissioned. They often have static passwords, excessive permissions, and no owner. Many are also used interactively by humans, bypassing intended controls and creating significant audit risk.
Unmanaged SSH Keys & API Credentials
SSH keys, API tokens, OAuth credentials, and cloud service principals are frequently created by developers and never tracked centrally. They may grant powerful access, never expire, and live in source code, container images, or configuration files where they can be exfiltrated.
Why Periodic Discovery Isn't Enough
Point-in-time scans miss the dynamic nature of modern environments. Identities are created, modified, and escalated continuously, sometimes by attackers already inside the network. Only continuous, automated discovery can keep pace.
Module Complete
You now understand the identity discovery challenge in depth. Ready to learn how Delinea's CID solves it?
Module 04: Delinea Platform
Delinea Continuous Identity Discovery
How Delinea CID provides always-on visibility across the entire identity attack surface, and automatically connects discoveries to remediation.
Delinea Continuous Identity Discovery is a capability within the Delinea Platform that automatically and continuously discovers all identities (human and non-human, managed and unmanaged) across your entire environment, assesses their risk, and drives remediation through integrated PAM workflows.
DISCOVERY SOURCES: Active Directory, Cloud Directories, Endpoints, SaaS & Apps, Credentials
-> DELINEA CID ENGINE: Continuous Scan, Relationship Mapping, Risk Scoring, Change Detection
-> AUTOMATED OUTPUTS & REMEDIATION: Identity Inventory, Risk Alerts, Vault Enrollment, ITSM Workflows
Key CID Capabilities
Continuous, Agentless Discovery
Unlike periodic scans, CID continuously monitors identity stores and endpoints for new accounts, permission changes, and anomalies in real time. It operates agentlessly, scanning Active Directory, cloud directories, and endpoints without requiring software installation on each system. This means new accounts are discovered within minutes of creation, not during the next scheduled audit.
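The change-detection idea behind continuous discovery (and the orphaned-account failure from Module 03) can be shown with a small comparison of two inventory passes. This is an added illustration, not Delinea's code or any CID output; the two snapshots, the HR leaver feed, and the finding names are constructed for the example.

```python
# Constructed inventory snapshots (not real data): account -> attributes.
# "owner" is the person the account is tied to; "groups" are direct memberships.
PREVIOUS = {
    "alice":      {"owner": "alice", "groups": {"Helpdesk"},   "type": "human"},
    "bob":        {"owner": "bob",   "groups": {"Finance"},    "type": "human"},
    "svc-backup": {"owner": "bob",   "groups": {"Backup Ops"}, "type": "service"},
}
CURRENT = {
    "alice":      {"owner": "alice", "groups": {"Helpdesk", "Domain Admins"}, "type": "human"},
    "svc-backup": {"owner": "bob",   "groups": {"Backup Ops"},    "type": "service"},
    "svc-etl":    {"owner": None,    "groups": {"Domain Admins"}, "type": "service"},
}
LEAVERS = {"bob"}                 # constructed HR feed: employment ended
ADMIN_GROUPS = {"Domain Admins"}  # groups treated as privileged

def detect_changes(previous, current, leavers, admin_groups=ADMIN_GROUPS):
    """Compare two discovery passes and return findings as (account, kind, detail).
    These are the events a scheduled audit would only see weeks later."""
    findings = []
    for name, attrs in current.items():
        privileged = attrs["groups"] & admin_groups
        old = previous.get(name)
        if old is None:
            findings.append((name, "new_account", attrs["type"]))
            if privileged:
                findings.append((name, "new_privileged_account", sorted(privileged)))
        else:
            gained = (attrs["groups"] - old["groups"]) & admin_groups
            if gained:  # privilege escalation between passes
                findings.append((name, "privilege_gained", sorted(gained)))
        if attrs["owner"] is None:
            findings.append((name, "no_owner", attrs["type"]))
        elif attrs["owner"] in leavers:  # owner left but account still active
            findings.append((name, "orphaned", attrs["owner"]))
    for name in previous.keys() - current.keys():
        findings.append((name, "removed", previous[name]["type"]))
    return findings

def kinds_for(findings, account):
    """Sorted list of finding kinds raised for one account."""
    return sorted(kind for name, kind, _ in findings if name == account)

if __name__ == "__main__":
    for finding in detect_changes(PREVIOUS, CURRENT, LEAVERS):
        print(*finding)
```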
Relationship & Entitlement Mapping
CID doesn't just list accounts; it maps the full web of relationships: group memberships, ACL delegations, SPN assignments, trust relationships, and effective permissions. This surfaces shadow admins and privilege escalation paths that are invisible in raw account listings. You can see exactly how an account can become an admin, even through a chain of indirect memberships.
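To make the shadow-admin blind spot from Module 03 and the path mapping described here concrete, the following added example walks a small relationship graph and reports accounts that reach an admin group only through nesting or an ACL right. It is illustrative code written for this page, not Delinea's implementation; the directory edges, the account names, and the GenericAll right's meaning (holder can add itself to the group) are assumptions for the example.

```python
from collections import deque

# Constructed directory snapshot (not real data). Each edge reads
# "source reaches target via right":
#   MemberOf   - direct membership (group inside group = nesting)
#   GenericAll - ACL right that lets the holder add itself to the group
EDGES = [
    ("alice", "Helpdesk", "MemberOf"),
    ("Helpdesk", "Tier1-Ops", "MemberOf"),
    ("Tier1-Ops", "Domain Admins", "MemberOf"),     # nesting chain to the top
    ("svc-backup", "Domain Admins", "GenericAll"),  # delegation, no membership
    ("bob", "Finance", "MemberOf"),
    ("carol", "Domain Admins", "MemberOf"),         # direct, visible admin
]
ACCOUNTS = {"alice", "bob", "carol", "svc-backup"}
ADMIN_GROUPS = {"Domain Admins"}

def build_graph(edges):
    graph = {}
    for src, dst, right in edges:
        graph.setdefault(src, []).append((dst, right))
    return graph

def admin_path(principal, graph, admin_groups=ADMIN_GROUPS):
    """Breadth-first search for the shortest chain of hops that takes
    `principal` into an admin group. Returns [(node, right), ...] or None."""
    queue = deque([(principal, [])])
    seen = {principal}
    while queue:
        node, path = queue.popleft()
        if node in admin_groups:
            return path
        for nxt, right in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(nxt, right)]))
    return None

def find_shadow_admins(edges, accounts=ACCOUNTS, admin_groups=ADMIN_GROUPS):
    """Accounts that reach an admin group only via nesting or ACL rights.
    An audit listing direct members of the admin group would miss them."""
    graph = build_graph(edges)
    direct = {s for s, d, r in edges if d in admin_groups and r == "MemberOf"}
    shadow = {}
    for account in sorted(accounts - direct):
        path = admin_path(account, graph, admin_groups)
        if path:
            shadow[account] = path
    return shadow

if __name__ == "__main__":
    for account, path in find_shadow_admins(EDGES).items():
        print(account, "->", " -> ".join(f"{n} ({r})" for n, r in path))
```

Each reported path is the remediation target: break the nesting link or remove the delegated right, then re-run the walk to confirm the account no longer reaches the admin group.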
Automated Risk Scoring & Prioritization
Each discovered identity receives an automated risk score based on factors such as stale/inactive status, privilege level, whether credentials are in the vault, password age, exposure in cloud vs. on-prem, and anomalous behavior indicators. This allows security teams to prioritize remediation rather than drowning in undifferentiated alerts.
Automated Vault Enrollment & Remediation
When CID discovers an unmanaged privileged account, it can automatically trigger a workflow to enroll the account in the Delinea vault, reset its password, assign an owner, and begin managing its lifecycle without manual intervention. For accounts that can't be immediately vaulted, CID raises a ticket in ServiceNow, Jira, or other ITSM tools to track remediation.
Non-Human Identity (NHI) Coverage
CID specifically targets the explosion of non-human identities: service accounts, API keys, OAuth tokens, managed identities, service principals, and certificates. It tracks their usage, ownership, expiry, and privilege level, and flags those that are over-privileged, unused, or about to expire before they become a security gap or operational incident.
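The risk-scoring factors listed above (stale status, privilege level, vault status, password age) and the NHI expiry flag can be combined into a ranked remediation queue. The example below is added for this page and is not Delinea's scoring model: the inventory, the fixed reference date, the thresholds (90 idle days, 365-day password age, 30-day expiry window), and the weights are all assumptions chosen for illustration.

```python
from datetime import date

TODAY = date(2024, 6, 1)  # fixed reference date so the scoring is deterministic

# Constructed identity inventory (not real data), shaped like a discovery
# feed: ISO dates as strings, None meaning "never" or "not applicable".
INVENTORY = [
    {"name": "carol", "type": "human", "privileged": True, "vaulted": False,
     "last_logon": "2023-10-15", "password_set": "2022-01-10", "expires": None},
    {"name": "svc-etl", "type": "service", "privileged": True, "vaulted": True,
     "last_logon": "2024-05-30", "password_set": "2024-05-30", "expires": None},
    {"name": "api-deploy", "type": "api_key", "privileged": False, "vaulted": False,
     "last_logon": None, "password_set": "2023-06-01", "expires": "2024-06-20"},
    {"name": "dave", "type": "human", "privileged": False, "vaulted": False,
     "last_logon": "2024-05-28", "password_set": "2024-04-01", "expires": None},
]

def days_between(iso, today=TODAY):
    """Days from `today` to the ISO date (negative when the date is in the past)."""
    return None if iso is None else (date.fromisoformat(iso) - today).days

def risk_factors(identity, today=TODAY):
    """Factors from the text that apply to this identity, with assumed weights."""
    factors = {}
    idle = days_between(identity["last_logon"], today)
    if idle is None or -idle > 90:          # never used, or idle over 90 days
        factors["stale"] = 30
    if identity["privileged"]:
        factors["privileged"] = 25
        if not identity["vaulted"]:         # standing credential outside the vault
            factors["unvaulted_privileged"] = 30
    pw_age = days_between(identity["password_set"], today)
    if pw_age is not None and -pw_age > 365:
        factors["old_password"] = 15
    ttl = days_between(identity["expires"], today)
    if ttl is not None and 0 <= ttl <= 30:  # expiry within a month: outage risk
        factors["expiring_soon"] = 20
    return factors

def risk_score(identity, today=TODAY):
    return min(100, sum(risk_factors(identity, today).values()))

def prioritize(inventory, today=TODAY):
    """Highest-risk identities first, each with the reasons for its score."""
    ranked = [(risk_score(i, today), i["name"], sorted(risk_factors(i, today)))
              for i in inventory]
    return sorted(ranked, key=lambda r: r[0], reverse=True)
```

The named factors travel with the score so the reviewer sees why an identity ranks where it does, which is what keeps the queue actionable rather than a list of numbers.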
Eliminate unmanaged privileged accounts before an audit
Detect and remediate shadow admin paths in Active Directory
Gain full NHI inventory for SOC 2 / ISO 27001 compliance
Continuously enroll new service accounts as they are created
Track certificate expiry across all systems to prevent outages
Identify dormant admin accounts as breach indicators
Module Complete
Excellent! You've covered Delinea CID in depth. One last step β test your knowledge.
Module 05: Assessment
Knowledge Check
Answer the questions below to test your understanding. Select the best answer for each question.
Question 01 of 06
What does PAM stand for, and what is its primary purpose?
Password and Monitoring: to log all user activity across the network
✓ Privileged Access Management: to secure, control, and audit access to accounts with elevated permissions
Public Access Management: to manage access for external partners and customers
Patch and Monitoring: to automate software updates across endpoints
Question 02 of 06
What is "Just-In-Time" (JIT) access and why is it important?
Access that is granted automatically to all users based on their department
A technique to speed up authentication by caching credentials locally
✓ Access that is granted only for the duration of a specific approved task, then automatically revoked, eliminating standing privilege
A scheduling system that rotates which admins have access each hour
Question 03 of 06
A "shadow admin" in Active Directory is best described as:
An admin account that is used only at night to avoid detection
✓ An account that has effective admin privileges through indirect group memberships or ACL delegations, without being in an obvious admin group
A backup administrator account that is kept disabled until needed
An admin who works remotely and connects via VPN
Question 04 of 06
Why do most organizations have far more identities than they think?
Because Active Directory automatically duplicates accounts for redundancy
Because users create personal accounts for convenience
✓ Because identities exist across many different systems (AD, cloud, SaaS, DevOps), machine and non-human identities vastly outnumber humans, and orphaned accounts are rarely cleaned up
Because IT departments have to create test accounts for every system
Question 05 of 06
What is the key differentiator of Delinea's Continuous Identity Discovery (CID) compared to traditional periodic scans?
CID uses AI to predict which accounts will be compromised
✓ CID continuously monitors identity stores in real time, covering multi-source environments, NHIs, and automatically triggering vault enrollment and remediation workflows
CID only scans Active Directory but does it much faster than competitors
CID requires agents on every endpoint to provide continuous monitoring
Question 06 of 06
Which of the following is NOT typically a PAM control?
Privileged account vaulting and credential rotation
Privileged session recording and monitoring
Just-In-Time access provisioning
✓ Managing end-user password complexity policies for standard accounts