PAM Feature 03
Managing & Brokering Access for Human and Machine
Enabling controlled access for authorized users and machines
Privileged Access Management (PAM) is a cybersecurity strategy used to control, monitor, and secure access to critical systems, applications, and data. Users and machines with elevated permissions — “privileged accounts” — pose the highest risk if compromised, so their access must be carefully managed.
Privileged Access Scope
- Human users: System administrators, operators, help desk staff, security personnel.
- Machines / non-human entities: Applications, scripts, services, workloads, automated processes.
Managing Privileged Access for Users
- Credential Vaulting – Passwords, SSH keys, and secrets are stored in a secure vault and rotated automatically to reduce misuse.
- Session Management – Cross-platform session isolation prevents direct access to critical systems, ensuring administrators connect through controlled channels.
- Granular Access Policies – Role-based access ensures that each user only gets the minimum privileges required.
- Least Privilege Principle – Users are given only the minimum access required for their role.
- Just-in-Time (JIT) Access – Privileged access is granted only for a limited time when needed.
- Multi-Factor Authentication (MFA) – Ensures that even if credentials are stolen, unauthorized access is blocked.
- Audit & Monitoring – Every privileged session is recorded for compliance and forensic analysis.
Managing Privileged Access for Machines / Applications
- Machine-to-Machine Authentication – Brokers access for applications and workloads using API keys and certificates stored in the vault.
- Access Segmentation – Applications get only the permissions they need for their function.
- Automated Secret Rotation – Application credentials are rotated without downtime, reducing risk of credential theft.
- Workload Security – Privileged access is extended to cloud workloads and containers, ensuring secure machine communication.
- Integration with DevOps – Supports dynamic environments where applications need temporary elevated access.
- Monitoring & Alerting – Logs machine activity to detect abnormal behavior, like unexpected access attempts.
Brokering Privileged Access
- Human brokering: Admin requests access → PAM verifies identity and role → grants temporary session → logs all actions.
- Machine brokering: Application requests credentials → PAM provides time-limited credentials → revokes after use.
Unified Workflow
- 01 Request – Entity identifies itself and asks for access
- 02 Verify – Checks authorization and whether the request meets policy
- 03 Broker – Retrieves secret from vault, creates secure bridge to target
- 04 Audit – Session logged, password rotated, compliance report generated

End-to-end flow: session is logged, password rotated, and compliance report generated
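The two brokering flows and the four-step workflow above can be shown as one small just-in-time broker. The following is an added illustration written for this page; it is not code from any PAM product, and the directory entries, policy rules, vault secrets, targets and principal names are all constructed sample data. It shows a request being verified against identity, role, policy and MFA, a time-limited credential being issued without ever handing out the vault secret itself, a target-side validity check, and a revoke step that rotates the underlying secret and writes an audit entry.

```python
"""Minimal just-in-time privileged-access broker (illustrative, not a real PAM product)."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# --- Constructed sample data -------------------------------------------------
# Identity directory: who each principal is and which roles it holds.
DIRECTORY = {
    "alice":        {"kind": "human",   "roles": {"db-admin"}},
    "bob":          {"kind": "human",   "roles": {"helpdesk"}},
    "payments-svc": {"kind": "machine", "roles": {"payments-writer"}},
}

# Policy: which role may reach which target, lease lifetime in seconds, MFA requirement.
POLICY = {
    ("db-admin",        "prod-db"):      {"ttl": 900, "mfa": True},
    ("payments-writer", "payments-api"): {"ttl": 300, "mfa": False},
}

# Vault: the real secrets. They stay inside the broker; callers only receive leases.
VAULT = {
    "prod-db":      "initial-db-secret",
    "payments-api": "initial-api-key",
}

AUDIT_LOG: List[dict] = []


@dataclass
class AccessRequest:
    principal: str
    target: str
    role: str
    mfa_passed: bool = False


@dataclass
class Lease:
    principal: str
    target: str
    credential: str   # brokered, time-limited token (not the vault secret)
    expires_at: float
    active: bool = True


ACTIVE_LEASES: Dict[str, Lease] = {}  # credential -> Lease


def log(event: str, **detail) -> None:
    AUDIT_LOG.append({"ts": time.time(), "event": event, **detail})


# Step 02 (Verify): identity, role membership, policy match and MFA.
def verify(req: AccessRequest) -> Tuple[bool, str]:
    entry = DIRECTORY.get(req.principal)
    if entry is None:
        return False, "unknown principal"
    if req.role not in entry["roles"]:
        return False, "role not held"
    rule = POLICY.get((req.role, req.target))
    if rule is None:
        return False, "no policy for role/target"
    if rule["mfa"] and not req.mfa_passed:
        return False, "mfa required"
    return True, "ok"


# Step 03 (Broker): issue a time-limited credential; the vault secret is never returned.
def broker(req: AccessRequest, now: Optional[float] = None) -> Optional[Lease]:
    now = time.time() if now is None else now
    ok, reason = verify(req)
    log("request", principal=req.principal, target=req.target, granted=ok, reason=reason)
    if not ok:
        return None
    rule = POLICY[(req.role, req.target)]
    lease = Lease(req.principal, req.target, secrets.token_urlsafe(24), now + rule["ttl"])
    ACTIVE_LEASES[lease.credential] = lease
    return lease


# Target-side check: a brokered credential is valid only while its lease is active and unexpired.
def credential_valid(credential: str, now: Optional[float] = None) -> bool:
    now = time.time() if now is None else now
    lease = ACTIVE_LEASES.get(credential)
    return lease is not None and lease.active and now < lease.expires_at


# Step 04 (Audit): revoke the lease, rotate the underlying secret, record the event.
def revoke(lease: Lease) -> str:
    lease.active = False
    VAULT[lease.target] = secrets.token_urlsafe(24)
    log("revoke", principal=lease.principal, target=lease.target, rotated=True)
    return VAULT[lease.target]


if __name__ == "__main__":
    # Human flow: denied without MFA, granted with it, then revoked and rotated.
    print(broker(AccessRequest("alice", "prod-db", "db-admin")))             # None
    lease = broker(AccessRequest("alice", "prod-db", "db-admin", mfa_passed=True))
    print(credential_valid(lease.credential), revoke(lease) != "initial-db-secret")
    print(credential_valid(lease.credential), AUDIT_LOG[-1]["event"])
```

Two design points worth noting: the policy key is (role, target), so a held role that has no rule for the requested target is still denied, and `revoke` rotates the vault secret rather than merely marking the lease inactive, so a brokered session cannot be replayed against the target even if the lease token was captured.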