This chapter covers Privileged Access Management (PAM) and its associated tools, a critical domain in cybersecurity operations. For the CS0-003 exam, PAM falls under Domain 1.0 (Security Operations), Objective 1.4: 'Given a scenario, analyze indicators of compromise and determine the type of attack.' Understanding PAM helps you detect and prevent privilege escalation and credential-based attacks. Approximately 10-15% of exam questions touch on identity and access management, with PAM being a key sub-topic. This chapter will equip you with the technical depth to answer scenario-based questions about privileged session management, credential vaulting, and just-in-time access.
Imagine a bank vault containing all the master keys to every safe deposit box. The vault has a thick steel door with two separate combination locks. To open it, two authorized employees—say, the branch manager and the head teller—must each enter their own unique combination. Neither knows the other's combination. Once inside, they can retrieve a specific key, but only after logging the retrieval in a tamper-proof ledger that records who took which key, when, and why. The key itself is wrapped in a sealed envelope that self-destructs if tampered with. After use, the key must be returned and the envelope replaced. If an employee tries to open the vault alone, an alarm triggers and security is notified. This mirrors Privileged Access Management: privileged accounts are like the master keys, the vault is the PAM tool, the dual combinations represent multifactor authentication and approval workflows, the ledger is the audit log, and the self-destructing envelope represents session recording and credential rotation. Just as the bank prevents any single person from accessing all keys, PAM ensures no user has standing privileged access; credentials are checked out just-in-time, used under monitoring, and automatically rotated or expired after use.
What is Privileged Access Management (PAM)?
Privileged Access Management (PAM) is a cybersecurity discipline that controls, monitors, and audits access to critical systems and data by users with elevated permissions. These users—often system administrators, database administrators, or service accounts—hold 'keys to the kingdom.' PAM aims to reduce the attack surface by enforcing the principle of least privilege, ensuring that privileged accounts are used only when necessary and under strict supervision.
Why PAM Exists
Traditional identity management treats all users equally, but privileged accounts pose unique risks. A compromised admin account can lead to ransomware deployment, data exfiltration, or full system takeover. The 2024 Verizon Data Breach Investigations Report found that 74% of breaches involved a human element, including credential misuse. PAM mitigates this by:
Vaulting credentials (storing them in a secure, encrypted repository).
Implementing just-in-time (JIT) access (granting permissions only for a specific task).
Recording and monitoring sessions (providing a full audit trail).
Rotating passwords automatically (reducing the window of exposure).
How PAM Works Internally
A typical PAM solution (e.g., CyberArk, BeyondTrust, HashiCorp Vault) operates through these core components:
1. Credential Vault: An encrypted database storing privileged account credentials. The vault uses a master encryption key (often hardware security module-backed) and enforces strict access controls. Credentials are never exposed in plaintext to end users.
2. Access Request Workflow: A user requests access to a specific privileged account via a web portal or API. The request includes the target system, duration (e.g., 15 minutes), and justification. An approver (or automated policy) grants or denies the request.
3. Session Management: Once approved, the user launches a session, typically via a proxy or jump host. The PAM tool injects the credential into the session without the user ever seeing it. The session is recorded (keystrokes, screen capture) and optionally monitored in real time.
4. Credential Rotation: After the session ends, the PAM tool automatically changes the password of the privileged account. Rotation policies can be time-based (e.g., every 24 hours) or event-based (after each use).
Key Components, Values, Defaults, and Timers
Session Timeout: Default often 15-30 minutes; can be extended via approval. The exam may test that idle session timeout is typically 10-15 minutes.
Password Rotation: NIST SP 800-53 Rev. 5 recommends 90-day rotation for privileged accounts, but PAM often rotates after each use. The exam may ask: 'What is the benefit of rotating passwords after each use?' Answer: It prevents credential reuse after compromise.
Approval Workflow: Can be multi-level (e.g., two-person rule). The default is often single-level approval.
Session Recording Retention: Typically 90 days for compliance (e.g., PCI DSS, SOX). The exam may test that recording is stored in a tamper-proof format.
Vault Encryption: AES-256 is the standard; vaults are typically built on FIPS 140-2 validated cryptographic modules.
Configuration and Verification Commands (Example: CyberArk)
CyberArk is the market leader and frequently appears in exam scenarios. Key commands:
- cyberark login -u admin -p password (authenticate to the vault; note that passing the password as a command-line argument exposes it in shell history and process listings, so prefer an interactive prompt in practice).
- cyberark account add -a target_account -s target_system (onboard an account).
- cyberark session start -a target_account -d 30 (start a 30-minute session).
- cyberark session log -s session_id (view the session recording).
For verification, check the vault audit log: cyberark audit list -t 2024-01-01.
How PAM Interacts with Related Technologies
Active Directory: PAM often integrates with AD to manage service accounts and implement tiered administration (Tier 0, 1, 2).
SIEM: PAM sends logs to SIEM (e.g., Splunk) for correlation with other events. The exam might ask: 'What is the purpose of forwarding PAM logs to a SIEM?' Answer: To detect anomalous access patterns.
MFA: PAM enforces MFA at the point of access request. Common factors: smart card, TOTP, or push notification.
IAM: PAM is a subset of IAM. IAM handles user lifecycle; PAM handles privileged sessions.
Exam-Relevant Details
The CS0-003 exam expects you to know that PAM tools can detect 'pass-the-hash' attacks by monitoring for credential reuse.
You should understand the difference between 'just-in-time' (JIT) and 'just-enough' (JEA) access. JIT grants temporary access; JEA grants minimal permissions needed for a task.
Know that session recording is a key differentiator between PAM and standard IAM.
The term 'credential vaulting' is synonymous with 'password vaulting.'
Be aware that PAM can be deployed on-premises or as a cloud service (PAMaaS).
Common Pitfalls
Assuming PAM only applies to human users. It also manages service accounts and application credentials.
Thinking PAM replaces MFA. In reality, PAM enforces MFA for access requests.
Believing that PAM eliminates the need for account monitoring. PAM enhances monitoring but does not replace it.
Step-by-Step: PAM Session Lifecycle
User Requests Access: The admin logs into the PAM portal and selects the target system, specifying a reason and duration.
Approval Process: The request is routed to an approver (or auto-approved based on policy). The exam may test that this step is skipped for emergency access (break-glass).
Credential Retrieval: Once approved, the PAM tool retrieves the credential from the vault and injects it into a secure session (e.g., RDP, SSH).
Session Monitoring: The session is recorded and optionally monitored by a security analyst. Suspicious activities (e.g., copying files) trigger alerts.
Session Termination: The session ends when the timeout expires or the user logs out. The PAM tool rotates the password immediately.
Audit and Review: The session recording and logs are stored for compliance review. The exam may ask about retention policies.
Real-World Section
In a large financial institution, PAM is used to manage access to core banking systems. The security team deploys CyberArk to vault the credentials of 500 privileged accounts across Windows, Linux, and databases. They configure session recording for all admin logins to comply with PCI DSS Requirement 10.2.4 (logging all access to cardholder data). A common issue is that developers often request standing access, which violates the principle of least privilege. The team implements JIT access with a maximum session duration of 4 hours. When a developer needs more time, they must submit a new request. The PAM tool integrates with ServiceNow for ticketing. During an audit, the team discovers that several service accounts had not been rotated in 90 days because the rotation policy was not applied to non-human accounts. They fix this by creating a separate rotation policy for service accounts with a 30-day rotation.
Another scenario involves a cloud environment using HashiCorp Vault to manage temporary credentials for AWS IAM roles. The DevOps team uses Vault's dynamic secrets feature to generate short-lived API keys. This reduces the risk of leaked keys. However, if Vault's token renewal interval is misconfigured (default 30 minutes), sessions may expire prematurely, causing application outages. The team sets the default TTL to 1 hour with a max TTL of 24 hours.
Exam Focus Section
On the CS0-003 exam, PAM questions typically appear in scenario-based format. You must identify the correct tool or technique to mitigate a given attack. Objective 1.4 specifically asks you to analyze indicators of compromise and determine the type of attack. PAM is often the answer when the scenario involves credential theft, privilege escalation, or insider misuse.
Common Wrong Answers and Why They Are Wrong:
1. 'Implementing a password manager' – Password managers store credentials but do not provide session recording, approval workflows, or automatic rotation. They are not designed for privileged access.
2. 'Enforcing MFA' – MFA is a component of PAM but not sufficient alone. PAM includes MFA plus credential vaulting, session monitoring, and rotation.
3. 'Disabling privileged accounts' – This prevents work from being done. PAM allows temporary access rather than permanent disablement.
4. 'Using a SIEM to monitor logs' – SIEM is a detection tool, not a prevention or control tool. PAM proactively controls access.
Specific Numbers and Terms:
- The exam may ask: 'What is the default idle session timeout in a typical PAM solution?' Answer: 10-15 minutes.
- 'What is the recommended password rotation frequency for privileged accounts?' Answer: After each use or every 90 days.
- 'What is the term for granting the minimum permissions needed for a task?' Answer: Just-Enough Access (JEA).
Edge Cases:
- Break-glass access: Emergency access bypasses approval but is logged and triggers alerts.
- Service accounts: PAM can manage non-human accounts, but rotation may break applications if not coordinated.
- Cloud PAM: Some cloud providers offer native PAM (e.g., AWS IAM Access Analyzer, Azure Privileged Identity Management). The exam may test that these are cloud-specific PAM tools.
How to Eliminate Wrong Answers: If a question asks about a tool that records sessions, rotates passwords, and requires approval, the answer is PAM. If the scenario only mentions password storage, it is a password manager. If it mentions monitoring but not control, it is a SIEM. Always look for the combination of vaulting, session recording, and rotation.
User submits access request
The user authenticates to the PAM portal (e.g., CyberArk PVWA) using their personal credentials and MFA. They select the target privileged account from a list, specify a reason (e.g., 'Patch server X'), and choose a session duration (e.g., 30 minutes). The request is sent to the PAM engine, which checks if the user is authorized for that account based on group membership. If the policy requires approval, the request is placed in a pending queue.
Approval or auto-grant
An authorized approver (e.g., a manager) receives a notification. They review the request details and either approve or deny. In some configurations, the PAM tool can auto-approve requests that meet certain criteria (e.g., time of day, low-risk account). The approval triggers a token generation that grants the user a temporary session key. The exam may test that emergency access (break-glass) bypasses approval but requires a post-hoc justification.
Credential injection and session launch
The PAM tool retrieves the actual privileged credential from the encrypted vault. It then injects the credential into a secure session (RDP, SSH, or web console) without displaying it to the user. The session is proxied through the PAM tool, which records all keystrokes and screen output. The user never sees the password; they only interact with the target system through the PAM proxy.
Session monitoring and recording
During the session, the PAM tool captures all input and output. It may also perform real-time analysis—for example, flagging commands like 'rm -rf' or 'net user' as suspicious. If configured, a security analyst can view the session live and even terminate it if malicious activity is detected. The recording is stored in a tamper-proof format (e.g., video file with hash chain).
Session termination and credential rotation
When the session duration expires or the user logs out, the PAM tool terminates the connection. Immediately, it changes the password of the privileged account to a new random value. The new password is stored in the vault. The old password is invalidated. This prevents the user from reusing the credential after the session. The rotation event is logged with a timestamp and the session ID.
Audit log generation and review
After rotation, the PAM tool generates an audit record containing: user ID, target account, session start/end time, duration, commands executed, and rotation status. This log is sent to a SIEM (e.g., Splunk) for long-term storage and correlation. Compliance teams review these logs to ensure that privileged access is justified and that no unauthorized actions occurred. The exam may ask about retention periods—typically 90 days.
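The six-step lifecycle above (request, approval or break-glass, credential injection, monitoring, termination with rotation, audit) as a constructed toy model. This is added example code, not CyberArk's or any vendor's API; the class, method and field names are assumptions for illustration.

```python
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed toy model of the lifecycle above, not a vendor API: vault, entitlement
# check, approval or break-glass, credential injection, rotation after use, audit trail.

@dataclass
class Session:
    session_id: str
    user: str
    account: str
    expires: datetime
    break_glass: bool = False
    ended: bool = False

class PamVault:
    def __init__(self, accounts, approvers, entitlements):
        self._secrets = {a: self._random_password() for a in accounts}  # never returned to users
        self.rotations = {a: 0 for a in accounts}    # rotations performed per account
        self.approvers = approvers                   # users allowed to approve requests
        self.entitlements = entitlements             # user -> accounts that user may request
        self.audit = []                              # records that would go to the SIEM

    @staticmethod
    def _random_password(length: int = 32) -> str:
        alphabet = string.ascii_letters + string.digits + string.punctuation
        return "".join(secrets.choice(alphabet) for _ in range(length))

    def _log(self, event: str, **fields) -> None:
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "event": event, **fields})

    def request_session(self, user, account, minutes, reason, approver=None,
                        break_glass=False, now=None) -> Session:
        now = now or datetime.now(timezone.utc)
        if account not in self.entitlements.get(user, set()):
            self._log("denied", user=user, account=account, why="not entitled")
            raise PermissionError(f"{user} is not entitled to {account}")
        if break_glass:
            # Emergency path: no approver, but the event is logged and flagged for alerting.
            self._log("break_glass", user=user, account=account, reason=reason, alert=True)
        elif approver not in self.approvers or approver == user:
            self._log("denied", user=user, account=account, why="no valid approver")
            raise PermissionError("approval from an authorized approver is required")
        sess = Session(secrets.token_hex(8), user, account,
                       now + timedelta(minutes=minutes), break_glass)
        self._log("session_start", session_id=sess.session_id, user=user, account=account,
                  reason=reason, approver=approver, minutes=minutes)
        return sess

    def inject(self, sess: Session, now=None) -> bool:
        """Proxy-side step: authenticate to the target with the vaulted credential.
        Returns whether injection happened; the password itself never leaves the vault."""
        now = now or datetime.now(timezone.utc)
        if sess.ended or now >= sess.expires:
            return False
        _password_for_target = self._secrets[sess.account]  # handed to the RDP/SSH proxy here
        return True

    def end_session(self, sess: Session) -> dict:
        """Terminate the session and rotate the account password immediately."""
        sess.ended = True
        self._secrets[sess.account] = self._random_password()
        self.rotations[sess.account] += 1
        record = {"event": "session_end", "session_id": sess.session_id, "user": sess.user,
                  "account": sess.account, "rotated": True, "break_glass": sess.break_glass}
        self._log(**record)
        return record
```

Once a session has ended, or its duration has elapsed, `inject` refuses to present the credential, and the rotation counter shows that the old password was invalidated at termination.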
A third real-world scenario, alongside the financial-institution and HashiCorp Vault cases above, is a healthcare organization using BeyondTrust for remote vendor access. Vendors need to periodically access patient records for software support. The organization creates a vendor-specific PAM policy that requires approval for each session, limits access to specific IP addresses, and records all activity. The session is terminated if the vendor tries to access unauthorized systems. This ensures compliance with HIPAA audit requirements. A misconfiguration occurs when the vendor account is not rotated after a session, leaving the password unchanged. The team corrects this by enabling automatic rotation after each use.
PAM controls, monitors, and audits privileged access through credential vaulting, session recording, and automatic rotation.
Just-In-Time (JIT) access grants temporary privileges; Just-Enough-Access (JEA) grants minimal permissions.
Default idle session timeout in PAM is typically 10-15 minutes.
Password rotation after each use is a key feature that prevents credential reuse.
PAM integrates with MFA, SIEM, and ticketing systems (e.g., ServiceNow).
Break-glass access bypasses approval but is logged and triggers alerts.
Service accounts and application credentials are also managed by PAM.
Cloud-native PAM examples: Azure Privileged Identity Management, AWS IAM Access Analyzer.
These come up on the exam all the time. Here's how to tell them apart.
PAM (Privileged Access Management)
Vaults credentials and injects them without user visibility.
Records all session activity (keystrokes, screen capture).
Requires approval workflow for access.
Automatically rotates passwords after each use or on schedule.
Integrates with SIEM for advanced detection.
Password Manager
Stores credentials in an encrypted database but user sees plaintext.
Does not record sessions or monitor activity.
No approval workflow; user can access any stored credential.
Does not rotate passwords automatically.
Focuses on convenience, not audit.
Mistake
PAM is just a password manager for admins.
Correct
PAM includes credential vaulting, but also session recording, approval workflows, automatic rotation, and monitoring. A password manager only stores and autofills credentials.
Mistake
PAM replaces the need for MFA.
Correct
PAM typically enforces MFA as part of the access request process. MFA is a component of PAM, not a replacement.
Mistake
PAM only applies to human users.
Correct
PAM also manages service accounts, application credentials, and API keys. Non-human accounts are often the most vulnerable.
Mistake
PAM eliminates the need for privileged account monitoring.
Correct
PAM enhances monitoring by providing detailed session recordings and logs, but it does not replace the need for a SIEM or manual review.
Mistake
PAM is only for on-premises environments.
Correct
PAM solutions are available for cloud (PAMaaS) and hybrid environments. Examples include Azure Privileged Identity Management and AWS IAM Access Analyzer.
IAM (Identity and Access Management) manages user identities and general access to resources. PAM (Privileged Access Management) is a subset of IAM that specifically controls and monitors access for privileged accounts (admins, service accounts). PAM adds credential vaulting, session recording, and just-in-time access, which IAM typically does not provide.
Break-glass access is an emergency procedure that allows a user to gain privileged access without going through the normal approval workflow. It is typically used when the approval system is unavailable or during a critical incident. The PAM tool logs the access and sends an alert to administrators. The user must provide a justification after the fact.
PAM prevents pass-the-hash attacks by ensuring that privileged credentials are never exposed to the user. The PAM tool injects the credential directly into the session, so the user never sees or stores the password hash. Additionally, automatic rotation after each use means that even if a hash is captured, it is invalidated immediately.
NIST SP 800-53 Rev. 5 recommends rotating privileged passwords every 90 days. However, PAM best practice is to rotate after each use to minimize the window of exposure. The exam may test that rotation after each use is a key feature of PAM.
Yes, PAM can manage service accounts, application credentials, and API keys. However, care must be taken when rotating service account passwords because applications may cache credentials. PAM tools often support coordination with application restart or credential update mechanisms.
The default idle session timeout in most PAM solutions is 10-15 minutes. After this period of inactivity, the session is automatically terminated. This is configurable, but the exam expects you to know the typical default.
PAM sends detailed audit logs to a SIEM (e.g., Splunk, IBM QRadar) for correlation with other security events. The logs include user identity, target account, session duration, commands executed, and rotation status. This allows security analysts to detect anomalous behavior, such as a user accessing systems at unusual hours.
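The detection side of this answer and of the session-monitoring step earlier (flagging commands such as 'rm -rf' and 'net user', access at unusual hours, failed rotation, break-glass use), as an added example that is not part of the original chapter. The log lines are constructed; the field names and the 08:00-18:00 UTC working window are assumptions, not any vendor's or SIEM's schema.

```python
import json
import re
from datetime import datetime

# Constructed sample of PAM audit records as they might be forwarded to a SIEM.
# Field names and values are assumptions for this example, not any vendor's schema.
SAMPLE_LOG = """\
{"ts": "2024-03-04T10:12:00Z", "user": "alice", "account": "dbadmin", "session_id": "a1", "commands": ["sudo systemctl restart postgresql"], "rotation_status": "ok", "break_glass": false}
{"ts": "2024-03-04T02:41:00Z", "user": "bob", "account": "domain-admin", "session_id": "b7", "commands": ["net user auditsvc /add"], "rotation_status": "ok", "break_glass": false}
{"ts": "2024-03-04T14:05:00Z", "user": "carol", "account": "root@web01", "session_id": "c3", "commands": ["rm -rf /var/log/audit"], "rotation_status": "failed", "break_glass": false}
{"ts": "2024-03-04T23:30:00Z", "user": "dave", "account": "root@db02", "session_id": "d9", "commands": ["df -h"], "rotation_status": "ok", "break_glass": true}
"""

# Commands the chapter names as worth flagging, plus the assumed working window (UTC hours).
SUSPICIOUS = [re.compile(r"\brm\s+-rf\b"), re.compile(r"\bnet\s+user\b")]
BUSINESS_HOURS = (8, 18)

def analyze(rec: dict) -> list[str]:
    """Return the findings for one audit record (an empty list means nothing notable)."""
    findings = []
    hour = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")).hour
    if not BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]:
        findings.append("off_hours_access")
    for cmd in rec["commands"]:
        if any(p.search(cmd) for p in SUSPICIOUS):
            findings.append(f"suspicious_command:{cmd}")
    if rec["rotation_status"] != "ok":
        findings.append("rotation_failed")   # credential may still be reusable after the session
    if rec["break_glass"]:
        findings.append("break_glass")       # needs post-hoc justification review
    return findings

def severity(findings: list[str]) -> str:
    """Flagged commands and failed rotation are high; timing and break-glass alone are medium."""
    if any(f.startswith("suspicious_command") or f == "rotation_failed" for f in findings):
        return "high"
    return "medium" if findings else "none"

def triage(log: str) -> dict[str, dict]:
    """Map session_id -> user, findings and severity for every record that produced a finding."""
    results = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        findings = analyze(rec)
        if findings:
            results[rec["session_id"]] = {"user": rec["user"], "findings": findings,
                                          "severity": severity(findings)}
    return results

if __name__ == "__main__":
    for sid, r in triage(SAMPLE_LOG).items():
        print(sid, r["severity"], r["user"], r["findings"])
```

Session a1 (a routine daytime restart with successful rotation) produces no finding, which is the point of correlating these fields: the alert volume comes from the combination, not from privileged access as such.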