Privileged Access Management (PAM)
Privileged Access Management (PAM) is a practice that restricts and protects administrative rights for administrator, privileged, service, and root accounts. To do so, PAM uses ephemeral credentials, meaning that they are single-use only and normally have a time limit. With PAM, user accounts are given the equivalent of a temporary ticket with limited administrator rights appropriate for their job role, and an unchangeable password. Once the administrator has closed the PAM session, this ticket expires. PAM also keeps track of who uses these important accounts and what they do with them.
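The ticket lifecycle described above, as an added Python example (not code from the original text or from any PAM product). The `PamBroker` class, the role names, and the rights in `ROLE_RIGHTS` are hypothetical and constructed for illustration.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed role-to-rights mapping (assumption, not from the text).
ROLE_RIGHTS = {
    "dba": frozenset({"db.restart", "db.backup"}),
    "helpdesk": frozenset({"user.reset_password"}),
}

@dataclass(frozen=True)
class Ticket:
    user: str
    rights: frozenset
    expires_at: float

class PamBroker:
    """Hypothetical broker: issues per-session tickets and audits every decision."""

    def __init__(self, ttl_seconds=900, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be tested
        self.tickets = {}           # ticket id -> Ticket
        self.audit = []             # (time, user, event, detail)

    def _log(self, user, event, detail=""):
        self.audit.append((self.clock(), user, event, detail))

    def request(self, user, role):
        rights = ROLE_RIGHTS.get(role)
        if rights is None:
            self._log(user, "refused", role)
            raise PermissionError(f"no privileged role {role!r}")
        ticket_id = secrets.token_urlsafe(32)   # random; the user never picks or changes it
        self.tickets[ticket_id] = Ticket(user, rights, self.clock() + self.ttl)
        self._log(user, "issued", role)
        return ticket_id

    def authorize(self, ticket_id, action):
        ticket = self.tickets.get(ticket_id)
        user = ticket.user if ticket else "unknown"
        ok = bool(ticket) and self.clock() < ticket.expires_at and action in ticket.rights
        self._log(user, "allowed" if ok else "denied", action)
        return ok

    def close_session(self, ticket_id):
        ticket = self.tickets.pop(ticket_id, None)   # ticket is unusable from here on
        if ticket:
            self._log(ticket.user, "closed")
```

Denied attempts, including those made with an expired or already-closed ticket, land in the audit trail alongside the allowed ones, which is the record a reviewer works from.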
To understand how PAM is set up, consider Figure 19.8:
Figure 19.8: PAM
Note the ABC domain on the left side of the diagram. This domain contains regular user accounts that don’t have special privileges. On the right side, however, there’s something called a bastion forest. This is the secure area where the important...