4.4 Identity & access management
📘CompTIA Security+ (SY0-701)
What Is Privileged Access Management (PAM)?
Privileged Access Management (PAM) is a set of security practices and tools that control, monitor, and protect privileged accounts — these are accounts that have higher levels of access than normal user accounts.
Privileged accounts can:
- Install software or change system configurations
- Access sensitive data or manage user permissions
- Control network devices, servers, or databases
Because privileged accounts have so much power, they are prime targets for attackers. If compromised, they can lead to data breaches, malware infections, and total system compromise.
PAM helps ensure that only authorized people can use privileged access, and only when it’s needed — reducing the risk of misuse or attack.
Key Concepts in PAM
There are three main methods to manage privileged access securely:
- Just-In-Time (JIT) Access
- Password Vaulting
- Ephemeral Credentials
Let’s explore each in detail.
1. Just-In-Time (JIT) Access
Definition:
Just-In-Time access means giving privileged access only when it’s needed and for a limited amount of time.
Instead of giving permanent administrative privileges, the system grants temporary elevated access that expires automatically once the task is done.
Purpose:
- Reduces the attack surface (fewer accounts with always-on admin rights)
- Prevents long-term misuse of privileged credentials
- Supports the principle of least privilege (users get only the access they truly need, and only when necessary)
How It Works in IT Environments:
- A user requests elevated access to perform an administrative task.
- The PAM system checks the request and approves it based on policies (like manager approval or automated rules).
- The system temporarily elevates the user’s privileges — for example, granting admin access to a server for 30 minutes.
- After the time expires, access is automatically revoked.
This approach ensures that no one retains privileged access indefinitely, minimizing the window for attackers.
Exam Tip:
Remember, Just-In-Time (JIT) = temporary, time-limited elevated access.
2. Password Vaulting
Definition:
Password vaulting is a PAM method where privileged passwords are stored, managed, and accessed through a secure, encrypted vault instead of being shared or manually entered by users.
Purpose:
- Protects privileged credentials from theft or misuse
- Ensures passwords are rotated automatically and stored securely
- Removes the need for users to know or remember sensitive passwords
How It Works in IT Environments:
- All privileged account passwords (for servers, routers, admin accounts, databases, etc.) are stored inside a password vault.
- When an administrator needs access, they log into the vault system, which provides the necessary credentials without revealing the actual password.
- The vault can:
- Automatically rotate (change) passwords after each use.
- Record sessions for auditing and compliance.
- Restrict access based on user roles and approval processes.
Benefits:
- Eliminates hard-coded or shared admin passwords
- Provides audit trails showing who accessed what and when
- Simplifies password management while improving security
Exam Tip:
If you see a question mentioning secure storage of privileged credentials or automatic password rotation, it’s referring to Password Vaulting.
3. Ephemeral Credentials
Definition:
Ephemeral credentials are temporary authentication credentials that exist only for a short time and are automatically destroyed after use.
They are similar to JIT access but focus on temporary, system-generated credentials (like tokens, certificates, or keys) instead of human-granted privileges.
Purpose:
- Prevents long-term credential exposure
- Ensures credentials can’t be reused or stolen
- Provides strong security for automated systems, scripts, and cloud resources
How It Works in IT Environments:
- When an application, system, or user needs to access a resource, the PAM system creates a temporary credential.
- This credential might be a temporary token, one-time password (OTP), or short-lived API key.
- The credential is valid only for a limited duration (for example, 10 minutes).
- Once the time expires, the credential becomes invalid and cannot be reused.
This is especially useful in cloud environments and DevOps, where automated processes need secure access without using permanent credentials.
Exam Tip:
Ephemeral credentials are short-lived and automatically expire, ensuring no persistent credentials are left exposed in systems.
Why Privileged Access Management Is Important
| Reason | Explanation |
|---|---|
| Reduces insider threats | Prevents users or administrators from misusing high-level privileges. |
| Protects against credential theft | Minimizes the risk of attackers stealing and reusing admin credentials. |
| Improves auditing and compliance | Tracks who accessed what, when, and for how long — useful for regulatory requirements. |
| Supports least privilege principle | Users and systems only get the access they truly need, reducing attack vectors. |
Summary Table
| Concept | Description | Duration | Key Feature |
|---|---|---|---|
| Just-In-Time (JIT) Access | Temporary privilege escalation granted only when needed | Time-limited | Automatically expires after task completion |
| Password Vaulting | Secure storage and management of privileged credentials | Long-term, but controlled | Centralized encrypted vault with rotation and auditing |
| Ephemeral Credentials | Automatically generated temporary credentials for short-term access | Very short-term | Auto-expire and cannot be reused |
Key Points for Security+ Exam
- PAM focuses on controlling, monitoring, and protecting privileged accounts.
- Just-In-Time access grants temporary admin rights.
- Password vaulting stores and manages privileged credentials securely.
- Ephemeral credentials are short-lived and self-expiring.
- All three methods support the principle of least privilege and reduce attack surfaces.
