What is Privileged Access Management (PAM)?


PAM secures the accounts with the most powerful access in your environment. Learn what it is, why attackers target privileged accounts, and what boards should require.

What Makes an Account Privileged

Privileged accounts are those with permissions that exceed standard user access. Domain administrator accounts have the ability to control every system joined to the Active Directory domain — create and delete accounts, modify group policies, access any file on any system, and disable security software. Local administrator accounts have elevated permissions on individual machines. Service accounts run applications and automated processes, often with elevated system permissions. Database administrator accounts have unrestricted access to database contents. Cloud infrastructure administrator accounts can create, modify, or destroy cloud resources. API keys and service account credentials function as privileged accounts in cloud and SaaS environments.

The attack value of privileged accounts is proportional to their scope. A domain administrator account is the highest-value target in most on-premises environments because compromising it provides access to everything in the domain. Cloud root accounts are equivalent in cloud environments. Service accounts present a different but significant risk: they often have permissions that accumulated over time as applications requested access, they are rarely reviewed for least-privilege compliance, and they may have passwords that have not been changed in years because changing them risks breaking the applications that depend on them.

Why Attackers Prioritize Privileged Credentials

In virtually every significant enterprise breach, privileged credential compromise is either the initial vector or an early objective. The SolarWinds attackers, after establishing initial access through the backdoored update, immediately pivoted to stealing SAML signing certificates — privileged identity infrastructure that provided authenticated access across the victim's entire cloud environment. The Colonial Pipeline attackers used a compromised VPN credential (an inactive account without MFA) to establish access and then moved laterally using privileged account credentials found in the environment. The MGM attackers used a social-engineered MFA reset to obtain privileged access to the identity provider, then used that access to reset credentials for other accounts across the environment.

The pattern is consistent because the economics are consistent. Lateral movement through an environment without privileged access requires finding and exploiting multiple additional vulnerabilities — time-consuming, noisy, and likely to trigger detection. Lateral movement with a privileged credential requires only authentication — fast, quiet, and using the same tools legitimate administrators use.

Core PAM Controls

Credential vaulting stores privileged credentials in an encrypted, access-controlled repository — a PAM vault — rather than in spreadsheets, password managers, or the heads of individual administrators. Credentials are checked out when needed, access is logged, and credentials can be automatically rotated after use. The attacker who compromises a workstation does not find saved administrator passwords — they find a reference to the vault, which requires separate authentication to access.

Just-in-time (JIT) access provisioning grants privileged access only for the specific time window when it is needed, then automatically revokes it. An administrator who needs to perform a specific task requests access, receives a time-limited grant, performs the task, and the access expires. Standing privileged access — accounts that have administrator permissions at all times — is the attack surface that JIT access eliminates.

Session recording and monitoring capture what privileged users do during elevated access sessions. This serves two purposes: it creates an audit trail for compliance and incident investigation, and it enables behavioral anomaly detection — identifying when privileged account activity deviates from baseline patterns in ways that suggest compromise.

Privileged account discovery is the first step that many organizations skip. Before you can manage privileged accounts, you need to know what privileged accounts exist. Service account proliferation — where accounts created for specific applications accumulate over years without cleanup — means most organizations have significantly more privileged accounts than they know about. Discovery often reveals service accounts with administrator privileges that were provisioned for convenience and never reviewed.

PAM in the PE Context

For PE due diligence, PAM posture is a reliable indicator of overall security program maturity. Organizations with mature PAM programs have done the foundational work: they know what privileged accounts exist, they have applied least-privilege principles, and they have controls that limit the blast radius of any individual credential compromise.

Organizations without PAM are common among mid-market companies, particularly those that grew through acquisition. Typical conditions include shared local administrator accounts with the same password across hundreds of machines; service accounts with domain administrator rights because that was easier than determining the minimum permissions needed; and former IT administrator accounts that still have active privileged access after the person left the organization. All of these conditions are routine PE due diligence findings, and all represent material post-close remediation requirements.
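As an added example (not code from the article or from Cloudskope), the audit below turns the discovery step from the Core PAM Controls section and the due diligence findings just listed into concrete checks over a constructed account inventory. The group names, record fields and sample accounts are assumptions standing in for an Active Directory and endpoint export.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}  # assumption: AD defaults
MAX_PASSWORD_AGE_DAYS = 365
AUDIT_DATE = date(2025, 1, 1)  # constructed "today" for the sample run

@dataclass
class Account:
    name: str
    kind: str                        # "user", "service" or "local_admin"
    groups: set = field(default_factory=set)
    password_last_set: Optional[date] = None
    owner_active: bool = True        # False once the human owner has left
    host: str = ""                   # set for local admin accounts
    password_hash: str = ""          # constructed placeholder, not a real hash

def audit_privileged_accounts(accounts, today):
    """Return (account, finding) pairs for the risky conditions described above."""
    findings = []
    local_admin_hosts = {}
    for a in accounts:
        domain_priv = bool(a.groups & PRIVILEGED_GROUPS)
        if a.kind == "service" and domain_priv:
            findings.append((a.name, "service account holds domain admin rights"))
        if domain_priv and a.password_last_set is not None \
                and (today - a.password_last_set).days > MAX_PASSWORD_AGE_DAYS:
            findings.append((a.name, "privileged password not rotated in over a year"))
        if domain_priv and not a.owner_active:
            findings.append((a.name, "standing privileged access for a departed owner"))
        if a.kind == "local_admin":
            local_admin_hosts.setdefault(a.password_hash, []).append(a.host)
    # One shared local admin password means one compromised host exposes all of them.
    for hosts in local_admin_hosts.values():
        if len(hosts) > 1:
            findings.append(("Administrator", "shared local admin password on " + ", ".join(sorted(hosts))))
    return findings

# Constructed inventory standing in for an AD and endpoint export.
SAMPLE_INVENTORY = [
    Account("svc_backup", "service", {"Domain Admins"}, date(2019, 3, 1)),
    Account("jdoe_adm", "user", {"Domain Admins"}, date(2024, 1, 10), owner_active=False),
    Account("asmith_adm", "user", {"Domain Admins"}, date(2024, 6, 1)),
    Account("Administrator", "local_admin", host="WS-01", password_hash="h1"),
    Account("Administrator", "local_admin", host="WS-02", password_hash="h1"),
    Account("Administrator", "local_admin", host="SRV-DB", password_hash="h2"),
]
for name, issue in audit_privileged_accounts(SAMPLE_INVENTORY, AUDIT_DATE):
    print(f"{name}: {issue}")
```

In practice the inventory would be populated from directory and endpoint exports, and the thresholds tuned to the organization's rotation policy.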

PAM and Ransomware Defense

Ransomware operators specifically prioritize privileged credential acquisition because it enables the most damaging deployment pattern. A ransomware operator with domain administrator access can deploy ransomware to every machine in the domain simultaneously, disable backup agents centrally, and destroy shadow copies across all systems in a single operation. The difference between a ransomware incident that encrypts one machine and one that encrypts an entire organization is almost always the attacker's privileged access level.

PAM controls that prevent ransomware operators from reaching domain administrator access limit ransomware to the blast radius of the initial access credential. This is the difference between a recoverable incident and an existential one.

Related Reading

SolarWinds: How Privileged Identity Infrastructure Becomes the Target

After the SolarWinds attackers established initial access through the backdoored Orion update, their immediate priority was not data exfiltration — it was privileged credential acquisition. Specifically, they targeted SAML token signing certificates, which provide the ability to create authenticated tokens for any user in the environment — the equivalent of a master key to every application and service in the victim's cloud environment. With forged SAML tokens, the attackers could authenticate as any user, to any application, without triggering MFA or authentication anomaly detection. This technique — the Golden SAML attack — required no subsequent credential compromise because it bypassed credential verification entirely. The lesson for PAM programs: protecting privileged accounts is not just about protecting account credentials. It requires protecting the identity infrastructure — certificate authorities, token signing infrastructure, federation services — that privileged accounts depend on.

80% of security breaches involve privileged credentials, according to Forrester Research. Admin accounts, service accounts, and shared credentials are the primary targets in virtually every significant enterprise breach — not because they are easy to steal but because compromising them provides the most access.

How Cloudskope Can Help

Cloudskope's Privileged Access Assessment identifies all privileged accounts in your environment — including the service accounts and shared credentials that most organizations do not know they have — evaluates current access controls, and delivers a remediation roadmap that addresses the highest-risk exposures. For PE due diligence, we provide a privileged access risk snapshot that identifies the credential-based attack surface before close.