
Privileged Access Management

A comprehensive guide to protecting your most sensitive accounts, credentials, and secrets — and ensuring they survive any disaster.

What is PAM?
Controls and monitors access to critical systems for elevated-privilege accounts.

Why It Matters
80% of breaches involve compromised privileged credentials.

Resilience
Ensure secrets and access survive outages, ransomware, and disasters.

What is Privileged Access?

Privileged access refers to permissions that go beyond those of a standard user — the ability to install software, modify system configurations, access sensitive data, or manage other user accounts. These elevated rights exist across every layer of the enterprise: operating systems, databases, applications, network devices, and cloud platforms.

Privileged accounts include local administrator accounts, domain admin accounts, service accounts, application accounts, SSH keys, API tokens, and emergency/break-glass accounts.

The Privileged Account Problem
Most organizations have 3–4× more privileged accounts than employees. Many are undocumented, shared, or have never had their passwords changed. Each one is a potential entry point for attackers.

  • 80% of breaches involve privileged credentials
  • 3–4× privileged accounts per employee on average
  • $4.9M average cost of a data breach in 2024

Core PAM Capabilities

Credential Vaulting
Securely store and encrypt all privileged passwords, SSH keys, and secrets in a central, audited vault with access controls.

Automated Rotation
Automatically rotate credentials on a schedule or after each use to eliminate standing privileges and reduce exposure windows.

Session Monitoring
Record, monitor, and audit all privileged sessions in real time with keystroke logging and video replay capabilities.

Least Privilege
Grant users only the minimum permissions needed for their role, eliminating unnecessary standing access across the enterprise.

Identity-Centric Security

Identity is the new perimeter. Every machine, human, and application that accesses your infrastructure has an identity — and every identity is a potential attack vector.

In the modern enterprise, the traditional network perimeter has dissolved. Cloud workloads, remote work, third-party integrations, and microservices mean that identity is the only consistent control point across all environments.

The Identity Attack Chain
Phishing / Social Engineering → Credential Theft → Privilege Escalation → Lateral Movement → Data Exfiltration / Ransomware

PAM breaks this chain at the Privilege Escalation step — the critical inflection point of most attacks.

The Three Identity Pillars

🧑 Human Identities

Human identities include all employees, contractors, vendors, and third parties. Key risks include shared credentials, password reuse, excessive standing privileges, and accounts that persist after offboarding.

PAM Controls:
  • Just-in-time (JIT) provisioning — grant access only when needed
  • MFA enforcement on all privileged access
  • Centralized account lifecycle management
  • Automatic account disablement on termination

⚙️ Machine / Service Identities

Machines, applications, scripts, CI/CD pipelines, and microservices all require credentials to communicate. These "non-human identities" are often the most neglected: hardcoded passwords in scripts, API keys in code repositories, and service accounts with never-expiring credentials.

PAM Controls:
  • Secrets management to eliminate hardcoded credentials
  • Dynamic secrets with short TTLs (time-to-live)
  • Automated rotation of service account passwords
  • Certificate lifecycle management

☁️ Cloud & DevOps Identities

Cloud-native workloads use IAM roles, workload identities, service principals, and API tokens. DevOps pipelines require access to deployment secrets, database credentials, and cloud provider keys. Without governance, these proliferate rapidly.

PAM Controls:
  • Centralized secrets injection for CI/CD pipelines
  • Cloud entitlement management and right-sizing
  • Short-lived credentials via dynamic secrets engines
  • Integration with Kubernetes, AWS IAM, Azure AD

Zero Trust & PAM
Zero Trust architecture assumes no identity is inherently trusted. PAM operationalizes Zero Trust by enforcing continuous verification, least privilege access, and just-in-time provisioning for every privileged action — regardless of network location.

Identity Type | Risk Level | Key Control | Rotation
Domain Admin | CRITICAL | Vaulting + MFA + Session Recording | After every use
Service Accounts | CRITICAL | Automated rotation + Secrets mgmt | Every 24–90 days
SSH Keys | HIGH | Centralized key management | Annual + on demand
API Tokens | HIGH | Dynamic secrets / short TTL | Per-session / hourly
Standard Admin | MEDIUM | JIT + Least privilege | 90 days

PAM Architecture & Components

Understanding how enterprise PAM solutions are built — from vaults and proxies to policy engines and secrets managers.

Core Architecture Components

1. Secrets Vault (Credential Store)
The encrypted, hardened repository for all privileged credentials. The vault manages encryption keys, enforces access policies, logs every retrieval, and provides the single source of truth for all secret material. Modern vaults support HSM integration for hardware-backed encryption.

2. Access Request & Approval Workflow
Users or machines request access through a portal or API. Requests trigger policy evaluation — checking role, time-of-day, asset criticality, and risk score. Approvals can be automated (low-risk) or require human review (high-risk). Access is time-bounded and auto-revoked.

3. Session Proxy & Broker
Privileged sessions are brokered through a proxy so the end user never directly sees credentials. The proxy records keystrokes, video, commands, and file transfers. Live session termination, alerts, and anomaly detection operate at this layer.

4. Policy & Governance Engine
Centrally defines who can access what, when, from where, and under what conditions. Integrates with HR systems, ITSM tools (ServiceNow, Jira), and SIEM platforms. Provides the enforcement backbone for least privilege and Zero Trust policies.

5. Secrets Management API
Programmatic interface for applications, CI/CD pipelines, and automated processes to securely retrieve secrets at runtime — eliminating hardcoded credentials. Supports dynamic secrets with automatic expiry and renewal.

Delinea Secret Server

Delinea Secret Server is a leading enterprise PAM platform providing a unified vault, session management, secrets management API, and privileged behavior analytics. It supports on-premises, cloud, and hybrid deployments — with high availability and resilience capabilities including Delinea Resilient Secrets (covered in Module 05).

Deployment Topologies

On-Premises
Full control, air-gapped option, on-site HA clustering. Best for highly regulated environments. Requires internal infrastructure management.

Cloud-Hosted (SaaS)
Managed by vendor, automatic updates, global availability. Lower operational overhead. Delinea offers cloud-native deployment.

Hybrid
Vault on-premises with cloud management plane. Combines data sovereignty with managed operations. Suits most enterprises.

PAM & Disaster Recovery Risks

When disaster strikes — ransomware, hardware failure, or datacenter outage — your PAM system becomes the most critical single point of failure in your entire recovery process.

The PAM Paradox in Disaster Recovery
PAM protects your most critical credentials. But if your PAM system itself goes down during a disaster, your recovery team may be locked out of the very systems they need to restore — creating a catastrophic deadlock where you can't access the credentials to fix the systems that hold the credentials.

Critical DR Failure Scenarios

🦠 Ransomware Attack

Ransomware can encrypt PAM servers along with everything else. If your vault data is encrypted by attackers, all managed credentials become inaccessible. Modern ransomware specifically targets backup infrastructure and credential stores to maximize leverage.

DR Impact: Recovery teams cannot log into any PAM-managed system to begin restoration. Manual password resets for thousands of accounts may be required, taking days or weeks.

Mitigation: Air-gapped backups, immutable snapshots, offline emergency access accounts, and resilient distributed secrets.

💻 PAM Server Failure / Corruption

Hardware failure, OS corruption, failed updates, or database errors can render the PAM system unavailable. Without HA configuration, a single PAM node failure means no one can retrieve managed credentials.

DR Impact: All automated processes using PAM-managed credentials (scripts, scheduled tasks, application service accounts) fail simultaneously.

Mitigation: Active-active clustering, database mirroring, distributed cache nodes for local secret availability.

🌐 Network Segmentation / Outage

Network partitioning — whether from a DDoS attack, ISP failure, or DR failover to an isolated recovery site — can disconnect remote systems from a centralized PAM vault. Systems needing to rotate credentials or retrieve secrets cannot reach the vault.

DR Impact: Applications in isolated recovery sites fail to start because they cannot contact the central secrets vault to retrieve database passwords or API keys.

Mitigation: Local/distributed secret caching, Resilient Secrets nodes at each site, offline access modes.

🔑 Encryption Key Loss

If the master encryption keys protecting vault data are lost or corrupted (HSM failure, key escrow problems), all vaulted credentials become permanently inaccessible even if the data itself is intact.

DR Impact: Complete loss of all managed credentials. Requires a full password reset campaign across the entire infrastructure.

Mitigation: Key escrow with multiple trustees, hardware backup of key material, distributed key shares (Shamir's Secret Sharing).

Recovery Time vs. PAM Availability
  • PAM Fully Available (RTO: Hours): Automated credential retrieval, scripted recovery.
  • Degraded PAM (Resilient Cache) (RTO: Hours): Local cache serves credentials, limited new rotations.
  • PAM Unavailable (RTO: Days to Weeks): Manual resets, unknown credentials, audit gaps.

DR Planning Requirements for PAM

  • RTO/RPO Definition: Define Recovery Time Objective and Recovery Point Objective specifically for the PAM system — typically more stringent than general IT.
  • Emergency Break-Glass Accounts: Pre-provisioned, highly secured accounts accessible without PAM for absolute emergency recovery.
  • Immutable Backups: Vault backups stored in write-once storage, isolated from production network, tested regularly.
  • Distributed Architecture: No single points of failure; secrets must be retrievable even when primary vault is unavailable.
  • DR Runbooks: Documented, tested procedures for PAM recovery under each disaster scenario.

⬡ DELINEA PRODUCT DEEP DIVE

Resilient Secrets

Delinea's answer to the PAM-DR paradox: a distributed, fault-tolerant secrets caching architecture that ensures credential availability even when the central vault is unreachable.

Core Value Proposition
Delinea Resilient Secrets ensures that applications and automated processes can continue to retrieve and use credentials even if the primary Secret Server vault is completely offline — eliminating the single point of failure in PAM-dependent recovery workflows.

How Resilient Secrets Works

1. Secret Distribution & Caching
When Resilient Secrets is configured, designated secrets are proactively distributed from the central vault to encrypted local cache nodes. Each cache stores an encrypted copy of the secret, keyed so it can only be decrypted with authorization from the distributed node — not the central server alone.

2. Quorum-Based Authorization
Resilient Secrets uses a distributed authorization model. Multiple cache nodes (deployed at different sites or failure domains) hold key shares. A defined quorum of nodes must agree to authorize secret retrieval — preventing any single compromised node from exposing secrets, while allowing continued operation if minority nodes fail.

3. Offline / Degraded Mode Operation
When the central vault is unavailable (network partition, system failure, disaster), local cache nodes can serve secrets independently using their cached data. Applications and scripts receive secrets without contacting the primary vault. Audit logs are queued locally and synchronized upon vault restoration.

4. Automatic Sync & Reconciliation
Once the primary vault returns online, all distributed nodes re-synchronize. Any credential rotations that occurred during the outage period are reconciled. New secrets added during the outage are propagated to all configured cache nodes. The system returns to a consistent state automatically.

5. Rotation & Lifecycle During Outage
Resilient Secrets maintains a consistent credential lifecycle even during vault unavailability. Rotation schedules are honored where possible using the distributed nodes. Where central vault coordination is required, rotation is queued and executed immediately upon vault restoration, with no credential gaps.
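The quorum step above and the "distributed key shares (Shamir's Secret Sharing)" mitigation in Module 04 both rest on a threshold scheme. The following is an added example, not Delinea's code, of general k-of-n Shamir sharing over a prime field (the page only describes a 2-of-3 quorum); the field prime, the share layout and the helper names are this example's own assumptions.

```python
"""Added example (not Delinea's code): k-of-n Shamir secret sharing over a prime
field, the primitive behind distributed key shares and quorum authorization.
The field prime and the share layout are this example's own assumptions."""
import secrets

# Mersenne prime M521; comfortably larger than any 32-byte master key.
PRIME = 2**521 - 1

def _eval_poly(coeffs, x):
    """Evaluate the polynomial with these coefficients at x (mod PRIME), Horner form."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc

def split_secret(secret_int, k, n):
    """Split secret_int into n shares (x, y); any k of them reconstruct it."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    if not 0 <= secret_int < PRIME:
        raise ValueError("secret must be an integer in [0, PRIME)")
    # The constant term is the secret; the other k-1 coefficients are random,
    # so fewer than k points leave the constant term uniformly undetermined.
    coeffs = [secret_int] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]

def reconstruct_secret(shares):
    """Lagrange-interpolate the polynomial at x = 0 from the given shares."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share indices")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total

def split_key(key_bytes, k, n):
    """Convenience wrapper for a raw vault master key: bytes -> shares."""
    return split_secret(int.from_bytes(key_bytes, "big"), k, n)

def reconstruct_key(shares, key_len):
    """Inverse of split_key: shares -> bytes of the original length."""
    return reconstruct_secret(shares).to_bytes(key_len, "big")

if __name__ == "__main__":
    master_key = secrets.token_bytes(32)          # constructed sample key
    shares = split_key(master_key, k=2, n=3)      # e.g. cache-dc1, cache-dc2, cache-dr
    # Any two nodes (DC2 + DR with DC1 down) recover the key; one alone cannot.
    assert reconstruct_key([shares[1], shares[2]], 32) == master_key
```

Losing any single node (or its share) leaves the key recoverable, while a single compromised node holds nothing usable on its own.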
Resilient Secrets Architecture (diagram)
Delinea Secret Server (Primary Vault) distributes encrypted secrets to cache nodes at Site A / DC1, Site B / DC2, the DR Site, and the Cloud. Applications (App Servers, DB Connectors, CI/CD Pipelines, Scripts / Automation) request secrets locally from the nearest node.

Even if the primary vault is offline, applications continue to retrieve secrets from the nearest cache node — without interruption.

Configuration: Resilient Secrets Policy

```yaml
# Delinea Secret Server — Resilient Secrets Configuration (simplified)
resilient_secrets_policy:
  enabled: true
  cache_nodes:
    - name: "cache-dc1"
      site: "datacenter-primary"
      endpoint: "https://pam-cache-dc1.internal:443"
    - name: "cache-dc2"
      site: "datacenter-secondary"
      endpoint: "https://pam-cache-dc2.internal:443"
    - name: "cache-dr"
      site: "dr-site"
      endpoint: "https://pam-cache-dr.internal:443"
  quorum_required: 2          # of 3 nodes must authorize
  cache_ttl_hours: 72         # serve from cache for up to 72 hrs
  sync_interval_minutes: 15
  encryption: AES-256-GCM
  audit_queue_on_offline: true
  applicable_secrets:
    - folder: "Production/ServiceAccounts"
    - folder: "Production/DatabaseCredentials"
    - folder: "Production/AppTokens"
```
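The offline-mode, TTL and resync behaviour that the policy fields cache_ttl_hours and audit_queue_on_offline control, modelled as an added example (not Delinea's implementation). The in-memory vault dict, the CacheNode class and its methods are this example's own constructions; quorum authorization is not modelled here.

```python
"""Added example (not Delinea's implementation): a model of one Resilient Secrets
cache node's degraded-mode rules: serve from the local cache only while the vault
is unreachable, refuse entries older than cache_ttl_hours, queue audit events
offline, and flush them on resync. All names here are this example's own."""
from dataclasses import dataclass, field


class VaultUnavailable(Exception):
    """Raised when neither the vault nor a valid cached copy can serve a request."""


@dataclass
class CacheEntry:
    value: str
    fetched_at: float  # epoch seconds when this copy was distributed from the vault


@dataclass
class CacheNode:
    vault: dict                      # stands in for the primary vault's secret store
    ttl_hours: float = 72            # cache_ttl_hours from the policy
    online: bool = True              # flipped by the caller to simulate a partition
    cache: dict = field(default_factory=dict)
    audit_queue: list = field(default_factory=list)   # events recorded while offline
    audit_log: list = field(default_factory=list)     # events delivered to the vault

    def sync(self, now):
        """Proactive distribution plus reconciliation: refresh every cached secret
        from the vault and deliver any audit events queued during an outage."""
        if not self.online:
            raise VaultUnavailable("primary vault unreachable; cannot sync")
        for path, value in self.vault.items():
            self.cache[path] = CacheEntry(value, now)
        self.audit_log.extend(self.audit_queue)   # queued events keep their order
        self.audit_queue.clear()

    def get_secret(self, path, now):
        """Serve a secret: from the vault when online, else from an unexpired cache copy."""
        if self.online:
            value = self.vault[path]              # KeyError: the secret does not exist
            self.cache[path] = CacheEntry(value, now)
            self.audit_log.append((now, path, "vault"))
            return value
        entry = self.cache.get(path)
        if entry is None:
            raise VaultUnavailable(f"{path}: not cached and vault offline")
        if now - entry.fetched_at > self.ttl_hours * 3600:
            # Prolonged outage: the cached copy has aged past the policy TTL.
            raise VaultUnavailable(f"{path}: cached copy older than TTL")
        self.audit_queue.append((now, path, "cache"))
        return entry.value
```

A secret first requested after the partition begins is never served from this node, which is why the policy's applicable_secrets folders must be distributed ahead of time.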

DR Scenario Coverage

Disaster Scenario | Without Resilient Secrets | With Resilient Secrets
Primary vault server failure | ❌ All credential retrieval halted | ✅ Cache nodes serve secrets automatically
Network partition to vault | ❌ Applications can't retrieve secrets | ✅ Local site cache serves requests
Ransomware on vault server | ❌ Vault encrypted, recovery blocked | ⚠️ Cache nodes operational; vault rebuild required
DR failover to isolated site | ❌ DR site can't reach central vault | ✅ DR site cache node fully operational
Database corruption | ❌ Secret data lost until restore | ✅ Cache holds current secrets pending restore

Important Limitations
Resilient Secrets cache nodes serve existing cached credentials only. New credential creation, complex policy changes, and some rotation operations still require the primary vault to be available. Cache TTLs mean secrets will eventually expire if the outage is prolonged — plan cache TTLs based on realistic RTO targets.

Knowledge Check

Answer the questions below to complete your training. Select the best answer for each question.

1. What percentage of data breaches involve compromised privileged credentials?
A 40%
B 60%
C 80%
D 95%
✓ Correct! Around 80% of breaches involve compromised privileged credentials — making PAM one of the highest-ROI security investments.
✗ Not quite. The widely cited figure is approximately 80% of data breaches involve privileged credential compromise.
2. In a Zero Trust architecture, PAM enforces which key principle?
A Trust but verify for internal users
B Never trust, always verify — with just-in-time, least-privilege access
C VPN-based perimeter security
D Single sign-on for all applications
✓ Correct! Zero Trust's "never trust, always verify" is operationalized through PAM via JIT provisioning, continuous verification, and least privilege enforcement.
✗ Not quite. Zero Trust means "never trust, always verify" — PAM operationalizes this through just-in-time access and least privilege.
3. What is the "PAM Paradox" in disaster recovery?
A PAM systems are too expensive to deploy at DR sites
B PAM logs are unavailable during disasters
C If PAM goes down during a disaster, recovery teams are locked out of the systems they need to restore
D PAM requires network access that may not be available during DR
✓ Correct! The PAM paradox: PAM protects your credentials, but if PAM fails during a disaster, you can't access the credentials needed to restore PAM or anything else.
✗ Not quite. The PAM paradox is that PAM itself can become a deadlock point — without PAM, you can't access the credentials to restore PAM.
4. What authorization model does Delinea Resilient Secrets use to allow operation during vault outages while preventing single-node compromise?
A Master-slave replication
B Distributed quorum-based authorization across cache nodes
C Single active node with hot standby
D Round-robin load balancing
✓ Correct! Resilient Secrets uses a quorum model — a defined minimum number of cache nodes must agree to authorize a secret request, preventing single-node compromise while maintaining availability.
✗ Not quite. Resilient Secrets uses a distributed quorum model — multiple nodes must authorize access, balancing security and availability.
5. When the primary vault comes back online after an outage with Resilient Secrets deployed, what happens?
A All cache nodes must be manually restarted
B Audit logs from the outage period are permanently lost
C Nodes automatically resynchronize, queued audit logs are reconciled, and the system returns to consistent state
D All cached credentials are invalidated and must be re-issued
✓ Correct! Resilient Secrets handles vault restoration gracefully — automatic sync, audit log reconciliation, and rotation catch-up all happen without manual intervention.
✗ Not quite. When the vault returns, Resilient Secrets automatically synchronizes all nodes, reconciles queued audit logs, and catches up on any pending rotations.