Every technology system manages its security by providing users with different levels of access. This role-based security model offers system administrators greater control and determines the actions each user can perform on the system. The principle of least privilege states that every user should only have the access they need to perform their duties and nothing more. Therefore, increasing the platform's security requires an organization to limit the number of users who have privileges to access administrative functions. Since actions such as accessing restricted information, adding or deleting users, and reconfiguring the application have security and operational ramifications, only trusted users should have the relevant access to perform these tasks.

We often refer to these privileged accounts as superusers or administrators. However, privileged accounts can also refer to non-human system users. For instance, some enterprise services require a system account to access confidential data or restricted networks. You may also have services that rely on shared secrets like encryption keys that grant regular users access. As all these privileged accounts have access to confidential data and secure environments, we need to implement additional security measures to protect them.

What is PAM?

Privileged Access Management (PAM) is an information security (infosec) mechanism that safeguards identities with special access or capabilities beyond regular users. Like all other infosec solutions, PAM works through a combination of people, processes, and technology.

We treat privileged accounts with extra care because of the risk they pose to the technology environment. For example, should the credentials of an administrator or service account fall into the wrong hands, it could lead to the compromise of the organization's systems and confidential data.

Data breaches occur when threat actors compromise privileged access accounts. As these accounts hold the keys that unlock every door in a technology environment, we need additional layers of protection. That extra security is a Privileged Access Management solution.

What does Privileged Access mean?

In a technology environment, privileged access refers to accounts with elevated capabilities beyond regular users. For example, in a Linux environment, the root user can add, amend, or delete users, install and uninstall software, and access restricted parts of the operating system that are off-limits to a standard user. Windows environments follow a similar security construct, but the root user in that instance is called an administrator.
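The following added example, which is not part of the original article, shows how a defender might inventory the privileged accounts on a Linux host, covering both the root user described above and the non-human service accounts mentioned earlier. The passwd and group contents are constructed sample data, and the admin group names (sudo, wheel) and the regular-user UID threshold of 1000 are assumptions based on common distribution defaults.

```python
# Constructed sample data in /etc/passwd and /etc/group format (not from a real host).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backupsvc:x:998:998:backup service:/var/lib/backup:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
"""
GROUP = """\
sudo:x:27:alice
wheel:x:10:
users:x:100:alice,bob
"""

ADMIN_GROUPS = {"sudo", "wheel"}   # assumption: common admin group names
UID_MIN = 1000                     # assumption: first UID given to regular users
NO_LOGIN = ("nologin", "false")    # shells that refuse interactive login

def admin_group_members(group_text):
    """Return {user: [admin groups]} parsed from group-file text."""
    members = {}
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] in ADMIN_GROUPS:
            for user in filter(None, fields[3].split(",")):
                members.setdefault(user, []).append(fields[0])
    return members

def privileged_accounts(passwd_text, group_text):
    """Return {account: [reasons]} for accounts matching any of three checks."""
    admins = admin_group_members(group_text)
    findings = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip blank or malformed lines
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        reasons = []
        if uid == 0:  # any UID 0 account has root's powers, whatever its name
            reasons.append("uid 0 (root-equivalent)")
        reasons += [f"member of {g}" for g in admins.get(name, [])]
        if 0 < uid < UID_MIN and not shell.endswith(NO_LOGIN):
            reasons.append("service account with login shell")
        if reasons:
            findings[name] = reasons
    return findings

if __name__ == "__main__":
    print(privileged_accounts(PASSWD, GROUP))
```

Accounts that surface here without a known owner, such as a second UID 0 entry, are the ones to review first.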

Let's illustrate the concept of privileged access with a real-world banking example. A typical bank has customers, tellers, and managers. Each 'user' has different levels of authority when it comes to accessing the bank's cash. Customers can only access the money in their bank accounts. Tellers have more privileges than regular customers as they have access to all the cash in their respective drawers. Managers have even greater access than tellers, as they can access the money stored in the bank's vault. Technology systems also use this tiered privilege access model. Your role within the system determines what you can or cannot do.

In our banking example, the tellers and managers would be the users with privileged access. As these roles have access to more of the bank's cash than customers, the bank needs to implement additional security measures before granting tellers and managers access. For instance, during their job interviews, they may need to pass a criminal record check. When they start working at the bank, their role will also determine their physical access. For example, tellers may be able to enter the secure area of the bank, but only managers will have the privileged access needed to enter the vault.