Privileged access management
Privileged access management (PAM) comprises the processes and technologies used to secure, control and monitor privileged administrative accounts and elevated access rights to critical IT systems and data.
Privileged access management (PAM) refers to the combination of organisational and technical measures used to secure, control and ensure accountability for privileged accounts and elevated access rights. Privileged access covers administrator, root, service and emergency accounts as well as technical application accounts that can make far-reaching changes to systems, configurations, identities or data. Because a single compromised admin account can undermine the protection of an entire infrastructure, privileged access is regarded as a prime target for attackers and a central information security risk.
Effective PAM relies on several interlocking building blocks: inventorying and centrally managing all privileged accounts, storing credentials in a hardened password vault with automatic rotation, granting rights according to the least privilege and need-to-know principles, issuing time-limited just-in-time access instead of standing admin rights, and enforcing strong authentication, typically with multi-factor authentication. Privileged user sessions are isolated, recorded and monitored in real time through session management so that abusive activity can be detected and stopped.
In Germany and the EU, securing privileged access is not only state of the art but increasingly a legal requirement. The NIS2 Directive and its German transposition oblige in-scope entities to implement measures for access control, authentication and logging; the BSI IT-Grundschutz addresses privileged access in dedicated modules, and ISO/IEC 27001 requires control of privileged access rights in its Annex A. DORA likewise obliges financial entities to enforce strict identity and access controls. PAM is therefore a central component of a compliant information security management system (ISMS) and an effective lever for limiting insider and supply chain risks.
Legal Basis
Art. 21 NIS2 Directive (EU) 2022/2555; ISO/IEC 27001 Annex A (A.8.2 Privileged access rights); BSI IT-Grundschutz (module ORP.4); Art. 9 DORA (Regulation (EU) 2022/2554)
Practical Example
A mid-sized mechanical engineering firm falls within the scope of NIS2 and, during a risk assessment, discovers that several administrators work permanently with local admin rights and share common passwords for critical servers. The information security officer introduces a PAM system: all privileged credentials move into a vault with automatic rotation, standing admin rights are replaced by time-limited just-in-time approvals with four-eyes authorisation, and all admin sessions are recorded. In a subsequent audit the company can demonstrate without gaps who accessed which systems, when and with which rights, thereby meeting its evidence obligations towards the supervisory authority.
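The following is an added illustration, not code from the page or from any PAM product: a minimal just-in-time privilege broker that models the building blocks described above and the example firm's controls (no standing admin rights, time-limited grants, four-eyes approval, and an audit trail that answers who held which rights on which system and when). Names such as `JitBroker`, the user and system identifiers and the Unix-second timestamps are constructed for the example.

```python
# Added example (not from the page or any PAM product): a minimal just-in-time
# privilege broker modelling the controls described above: no standing admin
# rights, time-limited grants, four-eyes approval and an audit trail answering
# "who had which rights on which system, when". Timestamps are Unix seconds
# supplied by the caller so the behaviour is deterministic and testable.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Grant:
    user: str
    system: str
    role: str
    ttl: int                       # lifetime in seconds once activated
    approvers: Set[str] = field(default_factory=set)
    activated_at: Optional[int] = None

class JitBroker:
    def __init__(self, min_approvers: int = 2):    # 2 = four-eyes principle
        self.min_approvers = min_approvers
        self.grants: Dict[Tuple[str, str], Grant] = {}
        self.audit: List[Tuple[int, str, str, str, str]] = []  # when, event, user, system, role

    def _log(self, now: int, event: str, g: Grant) -> None:
        self.audit.append((now, event, g.user, g.system, g.role))

    def request(self, user: str, system: str, role: str, now: int, ttl: int = 3600) -> None:
        g = Grant(user, system, role, ttl)
        self.grants[(user, system)] = g
        self._log(now, "requested", g)

    def approve(self, user: str, system: str, approver: str, now: int) -> None:
        g = self.grants[(user, system)]
        if approver == user:               # requester can never be one of the approvers
            raise PermissionError("requester may not approve their own request")
        g.approvers.add(approver)          # a set: the same approver counts once
        self._log(now, "approved:" + approver, g)
        if g.activated_at is None and len(g.approvers) >= self.min_approvers:
            g.activated_at = now           # grant becomes usable only now
            self._log(now, "activated", g)

    def is_active(self, user: str, system: str, now: int) -> bool:
        # Access exists only inside the approved window and lapses by itself.
        g = self.grants.get((user, system))
        return g is not None and g.activated_at is not None and g.activated_at <= now < g.activated_at + g.ttl

    def who_had_access(self, system: str) -> List[Tuple[int, str, str]]:
        # Audit question from the example: (activated_at, user, role) per activated grant.
        return [(t, u, r) for t, e, u, s, r in self.audit if s == system and e == "activated"]
```

A real deployment would additionally bind the activated grant to an isolated, recorded session and rotate the vaulted credential when the window closes; the broker above only shows the approval and expiry logic.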