githubfoam · May 23, 2025 11:09
diff --git a/PAM - privilleged access management cheat sheet b/PAM - privilleged access management cheat sheet
 #===================================================================================================================================
 What does a Holistic Approach in PAM involve?

    Comprehensive User Access Control

        Not only managing privileged users, but also regular employees, third-party contractors, and automated system accounts.

        Example: Instead of just securing admin accounts, PAM also tracks access for interns, vendors, and service accounts across all systems
        
 Integration with Other Systems

    Works seamlessly with identity management (IDM), single sign-on (SSO), SIEM systems, and multi-factor authentication (MFA).

    Example: A user logs in via SSO; PAM checks their identity via MFA, logs the access, and forwards it to the SIEM for correlation.

 Real-Time Monitoring and Auditing

    Provides session recording, keystroke logging, and real-time behavior analytics.

    Example: If a user tries to access a database they don’t usually touch, PAM flags it, alerts the SOC team, and may block access.

 Policy Enforcement Across the Organization

    Ensures consistent enforcement of security policies, no matter the platform (Windows, Linux, cloud).

    Example: A policy that forbids access to financial systems outside business hours is applied uniformly, whether the system is on-prem or in AWS.

 User Lifecycle Management

    Access is automatically adjusted as users change roles or leave the organization.

    Example: When an employee is promoted, their access rights change automatically based on their new job profile.

 PAM PAM's holistic approach means it doesn’t just control who logs in—it manages, monitors, and protects the entire lifecycle of access across people, processes, and technology. 
 This makes organizations more secure, efficient, and compliant.
 #===================================================================================================================================    
 Improves Compliance: Easier to meet standards like ISO 27001, NIST, or GDPR when your access control is centralized and auditable.
 Reduces Operational Complexity: Instead of managing multiple tools, admins can rely on a single platform for visibility and control.
 #===================================================================================================================================
 1. Approval Workflow
 📌 What It Does:

    Enforces access requests and approvals before privileged sessions can start.

    Users request access; a manager or administrator approves it based on role, time, purpose, or risk.

 ✅ Best Practices:

    Implement just-in-time (JIT) approvals for sensitive systems.

    Require users to specify purpose and duration in the request.

    Set auto-expiry for approvals to reduce access creep.

 #===================================================================================================================================
 2. Session Recording and OCR (Optical Character Recognition)
 📌 What It Does:

    Records full user sessions (e.g., SSH, RDP, database).

    OCR enables searching session content (e.g., commands typed, screen output).

 ✅ Best Practices:

    Enable recording for all privileged sessions.

    Use OCR for incident investigations or compliance audits.

    Store session logs in tamper-proof, access-controlled storage.
 #===================================================================================================================================
 3. Identity-Aware Proxy (IAP)
 📌 What It Does:

    Grants access to resources based on user identity and context, not IP alone.

    Access decisions are based on who the user is, not where they come from.

 ✅ Best Practices:

    Integrate with enterprise identity providers (AD, LDAP, SSO).

    Use role-based access controls (RBAC) to restrict visibility.

    Combine with MFA and context-aware policies (e.g., time of day, geolocation).
 #===================================================================================================================================

 4. Remote Application Access
 📌 What It Does:

    Users can access specific applications (e.g., database tools, admin consoles) without direct desktop or shell access.

    Limits access scope to exact tools or actions needed.

 ✅ Best Practices:

    Replace full desktop/RDP access with remote app access wherever possible.

    Limit app access by user role and approval workflow.

    Monitor and log all app interactions like other sessions.
 #===================================================================================================================================
 Multi-Factor Authentication (MFA)
 📌 What It Does:

    Adds a second factor (e.g., OTP, push notification) before access is granted.

 ✅ Best Practices:

    Enforce MFA for all privileged users.

    Use MFA chaining (e.g., password + TOTP + biometric).

    Regularly rotate and audit enrolled MFA devices.
 #===================================================================================================================================
 6. TOTP (Time-based One-Time Password)
 📌 What It Does:

    A form of MFA using time-synced codes (e.g., Google Authenticator, Authy).

 ✅ Best Practices:

    Require TOTP for approval and session start.

    Ensure TOTP is mandatory for password vault access.

    Periodically rotate TOTP secrets.
 #===================================================================================================================================
 SSH Public Key Authentication
 📌 What It Does:

    Allows access via SSH key pairs instead of passwords.

 ✅ Best Practices:

    Store private keys securely, or avoid user-held keys via proxy-based access.

    Enforce key expiration and revocation policies.

    Use PAM's proxy to authenticate via keys without exposing them to users
 #===================================================================================================================================    
 Live Session Monitoring
 📌 What It Does:

    Security teams can view sessions in real-time, terminate sessions, or send alerts.

 ✅ Best Practices:

    Monitor high-risk user sessions (e.g., production, root, finance systems).

    Set up automated alerts for suspicious behavior (e.g., keyword matching).

    Enable live termination capability for emergency response.    
 #===================================================================================================================================
	#===================================================================================================================================
	What does a Holistic Approach in PAM involve?

	Comprehensive User Access Control

	Not only managing privileged users, but also regular employees, third-party contractors, and automated system accounts.

	Example: Instead of just securing admin accounts, PAM also tracks access for interns, vendors, and service accounts across all systems

	Integration with Other Systems

	Works seamlessly with identity management (IDM), single sign-on (SSO), SIEM systems, and multi-factor authentication (MFA).

	Example: A user logs in via SSO; PAM checks their identity via MFA, logs the access, and forwards it to the SIEM for correlation.

	Real-Time Monitoring and Auditing

	Provides session recording, keystroke logging, and real-time behavior analytics.

	Example: If a user tries to access a database they don’t usually touch, PAM flags it, alerts the SOC team, and may block access.

	Policy Enforcement Across the Organization

	Ensures consistent enforcement of security policies, no matter the platform (Windows, Linux, cloud).

	Example: A policy that forbids access to financial systems outside business hours is applied uniformly, whether the system is on-prem or in AWS.

	User Lifecycle Management

	Access is automatically adjusted as users change roles or leave the organization.

	Example: When an employee is promoted, their access rights change automatically based on their new job profile.

	PAM PAM's holistic approach means it doesn’t just control who logs in—it manages, monitors, and protects the entire lifecycle of access across people, processes, and technology.
	This makes organizations more secure, efficient, and compliant.
	#===================================================================================================================================
	Improves Compliance: Easier to meet standards like ISO 27001, NIST, or GDPR when your access control is centralized and auditable.
	Reduces Operational Complexity: Instead of managing multiple tools, admins can rely on a single platform for visibility and control.
	#===================================================================================================================================
	1. Approval Workflow
	📌 What It Does:

	Enforces access requests and approvals before privileged sessions can start.

	Users request access; a manager or administrator approves it based on role, time, purpose, or risk.

	✅ Best Practices:

	Implement just-in-time (JIT) approvals for sensitive systems.

	Require users to specify purpose and duration in the request.

	Set auto-expiry for approvals to reduce access creep.

	#===================================================================================================================================
	2. Session Recording and OCR (Optical Character Recognition)
	📌 What It Does:

	Records full user sessions (e.g., SSH, RDP, database).

	OCR enables searching session content (e.g., commands typed, screen output).

	✅ Best Practices:

	Enable recording for all privileged sessions.

	Use OCR for incident investigations or compliance audits.

	Store session logs in tamper-proof, access-controlled storage.
	#===================================================================================================================================
	3. Identity-Aware Proxy (IAP)
	📌 What It Does:

	Grants access to resources based on user identity and context, not IP alone.

	Access decisions are based on who the user is, not where they come from.

	✅ Best Practices:

	Integrate with enterprise identity providers (AD, LDAP, SSO).

	Use role-based access controls (RBAC) to restrict visibility.

	Combine with MFA and context-aware policies (e.g., time of day, geolocation).
	#===================================================================================================================================

	4. Remote Application Access
	📌 What It Does:

	Users can access specific applications (e.g., database tools, admin consoles) without direct desktop or shell access.

	Limits access scope to exact tools or actions needed.

	✅ Best Practices:

	Replace full desktop/RDP access with remote app access wherever possible.

	Limit app access by user role and approval workflow.

	Monitor and log all app interactions like other sessions.
	#===================================================================================================================================
	Multi-Factor Authentication (MFA)
	📌 What It Does:

	Adds a second factor (e.g., OTP, push notification) before access is granted.

	✅ Best Practices:

	Enforce MFA for all privileged users.

	Use MFA chaining (e.g., password + TOTP + biometric).

	Regularly rotate and audit enrolled MFA devices.
	#===================================================================================================================================
	6. TOTP (Time-based One-Time Password)
	📌 What It Does:

	A form of MFA using time-synced codes (e.g., Google Authenticator, Authy).

	✅ Best Practices:

	Require TOTP for approval and session start.

	Ensure TOTP is mandatory for password vault access.

	Periodically rotate TOTP secrets.
	#===================================================================================================================================
	SSH Public Key Authentication
	📌 What It Does:

	Allows access via SSH key pairs instead of passwords.

	✅ Best Practices:

	Store private keys securely, or avoid user-held keys via proxy-based access.

	Enforce key expiration and revocation policies.

	Use PAM's proxy to authenticate via keys without exposing them to users
	#===================================================================================================================================
	Live Session Monitoring
	📌 What It Does:

	Security teams can view sessions in real-time, terminate sessions, or send alerts.

	✅ Best Practices:

	Monitor high-risk user sessions (e.g., production, root, finance systems).

	Set up automated alerts for suspicious behavior (e.g., keyword matching).

	Enable live termination capability for emergency response.
	#===================================================================================================================================