Privileged Access Management
Privileged access bounded. The patterns.
The PAM model in 2026
Privileged access is anything that can change production state. Database admin credentials, cloud root access, kubectl admin context, payment processor keys; the blast radius of a compromise here is total. Standing privilege is the enemy because an admin role that exists permanently is one stolen credential away from full compromise; the modern model is just-in-time elevation.
- Privileged = production-changing. DB admin, cloud root, kubectl admin, payment keys; total blast radius.
- Standing privilege is the enemy. Permanent admin role = one stolen credential from full compromise.
- JIT model. Ask for elevation, get time-bounded session, session expires; access is on-demand.
- Three core controls. Identity verification, time-bounded sessions, full audit; together define modern PAM.
Just-in-time elevation
Engineers request elevation through a portal or CLI specifying what (service, resource), why (ticket or incident link), and how long (typically 1-4 hours). Approval flow varies by sensitivity (peer for routine debugging, manager for DB root, two-person for payment systems). Granted elevation creates short-lived credentials via AWS IAM session tokens, GCP impersonation, or Vault dynamic secrets.
- Three-input request. What (service, resource), why (ticket), how long (1-4 hours).
- Tiered approval. Peer for routine, manager for DB root, two-person for payments with security review.
- Short-lived credentials. AWS STS, GCP impersonation, Vault dynamic secrets; expires automatically.
- Per-elevation expiry. When the session expires, access is gone; no manual cleanup needed.
Session recording and audit
Every privileged session is recorded. Terminal sessions via Teleport or AWS Session Manager; database sessions via query logs; recordings are reviewable but not always reviewed (sample 5% for routine quality control, review 100% for high-sensitivity sessions and incident investigations); the audit trail is immutable, append-only, signed, and retained 1-2 years for SOC2/PCI.
- Terminal recording. Teleport or AWS Session Manager; the session is captured.
- Database session logs. Query logs capture privileged DB activity.
- 5% sample plus 100% incident. Routine sampling, incident-time full review.
- Immutable audit trail. Append-only, signed, 1-2 years retention for SOC2/PCI.
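The just-in-time request flow and the signed audit trail above, as an added example that is not code from the original page or from any of the named products: it validates the three-input request (what, why, how long), picks the approval tier by sensitivity, mints a session that expires on its own, and appends HMAC-chained audit entries whose verification fails if any entry is altered. The sensitivity labels, the demo key and the use of unix seconds for time are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
# Approval tiers as described above; the sensitivity labels are assumed names.
TIERS = {"routine": ("peer", 1), "db-root": ("manager", 1), "payments": ("two-person", 2)}
MIN_HOURS, MAX_HOURS = 1, 4
AUDIT_KEY = b"constructed-demo-key"  # a real deployment would keep this in a KMS/HSM

@dataclass(frozen=True)
class ElevationRequest:
    who: str
    what: str         # service or resource
    why: str          # ticket or incident link
    hours: int        # requested session length
    sensitivity: str  # key into TIERS

def validate(req):
    if not req.why.strip():
        raise ValueError("why: ticket or incident link is required")
    if not MIN_HOURS <= req.hours <= MAX_HOURS:
        raise ValueError(f"how long: {MIN_HOURS}-{MAX_HOURS} hours only")
    if req.sensitivity not in TIERS:
        raise ValueError("unknown sensitivity tier")
    return TIERS[req.sensitivity]  # (approver_role, approvals_needed)

def grant(req, approvers, now):
    # Mints a time-bounded session (unix seconds); requester cannot self-approve.
    role, needed = validate(req)
    if len(set(approvers) - {req.who}) < needed:
        raise PermissionError(f"{needed} {role} approval(s) required")
    return {"who": req.who, "what": req.what, "why": req.why,
            "expires": now + req.hours * 3600}

def is_active(session, now):
    return now < session["expires"]  # expiry is automatic, no cleanup job
def append_audit(log, event):
    # Append-only, hash-chained, HMAC-signed; editing or dropping an entry breaks the chain.
    prev = log[-1]["sig"] if log else ""
    sig = hmac.new(AUDIT_KEY, f"{prev}|{event}".encode(), hashlib.sha256).hexdigest()
    log.append({"event": event, "prev": prev, "sig": sig})
    return log

def verify_audit(log):
    prev = ""
    for entry in log:
        want = hmac.new(AUDIT_KEY, f"{prev}|{entry['event']}".encode(), hashlib.sha256).hexdigest()
        if entry["prev"] != prev or not hmac.compare_digest(entry["sig"], want):
            return False
        prev = entry["sig"]
    return True
```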
Break-glass procedures
Real emergencies need fast access without standing privilege. Break-glass accounts solve this: rarely used, heavily controlled, fully audited. Usage triggers immediate notification to security team; every use is followed by a postmortem regardless of incident severity (the bar is high to reduce normalisation); annual drill invokes break-glass deliberately to verify the procedure works.
- Rarely-used, heavily controlled. The bar is high; the account exists for genuine emergencies only.
- Immediate security notification. Every use triggers alert to security team.
- Mandatory postmortem. Regardless of incident severity; reduces normalisation of break-glass.
- Annual drill. Invoke deliberately; verify procedure; catch broken integrations or stale credentials.
Operating PAM at scale
Operating PAM well needs the right tools and ongoing review. Teleport, BeyondTrust, CyberArk for enterprise; AWS SSO with permission sets for AWS-native; Vault dynamic secrets for credential generation; a quarterly review converts standing access to JIT one role at a time; track elevation request volume and approval times, since the healthy balance is a 5-15 minute median approval with documented rationale.
- Enterprise tools. Teleport, BeyondTrust, CyberArk; the recording-and-audit surface.
- Cloud-native. AWS SSO with permission sets; Vault for credential generation.
- Quarterly conversion review. Standing access converted to JIT one role at a time.
- Approval-time balance. 5-15 minute median; slow pushes workarounds, fast without scrutiny defeats the system.