PAM Academy › Module 1 — Foundational Pillars of PAM

Module 1: Foundational Pillars of PAM

Master the core principles that underpin every successful PAM programme — from what privileged access really means, to the five account types attackers target most, the six threat vectors that cause real breaches, and the compliance frameworks your auditors already require.

Self-study reference material
90–120 minutes
Foundational to Practitioner
★★★★★ 4.9 (124 learners)
PAM Foundations Privileged Accounts Least Privilege GDPR · SOX · PCI DSS Threat Vectors NIST · ISO 27001 Three-Gap Framework
Free
Full module access — no sign-up required
Start Module 1 ▶ Watch Narrated Video
  • What PAM really is (and what it is not)
  • 5 privileged account types explained
  • 5 access control models with compliance tie-ins
  • 6 real-world threat vectors & case studies
  • GDPR, SOX, PCI DSS, NIST, ISO 27001 mapping
  • The Three-Gap Framework (PAM Best Practice IP)
  • 5-question knowledge check
  • Certificate on completion
Overview
Curriculum
Instructors
Reviews
6
Sections
5
Quiz Questions
~2hrs
Study time
1
Certificate
Module 1 — Narrated Presentation
Foundational Pillars of PAM
~2:00:00

Expert narration covering all six sections. Follow along with the curriculum below.

What you will learn
Understand what PAM is and why it’s the most critical cybersecurity discipline most organisations underestimate
Identify the 5 privileged account categories that form your PAM strategy — and where each one is most at risk
Apply the 5 access control models (PoLP, RBAC, SoD, Two-Person, JEA) to real-world scenarios
Recognise the 6 threat vectors that exploit privileged access — with real breach case studies
Map PAM to GDPR, SOX, PCI DSS, NIST and ISO 27001 requirements your auditors already care about
Diagnose your organisation’s PAM gaps using the Three-Gap Framework — PAM Best Practice’s own IP
Module curriculum
1
What PAM Really Is (Not What Vendors Say It Is)Definition · The Master Key Analogy · What PAM is NOT · Why it matters
Slides
2
The Five Types of Privileged AccountsHuman · Service · System · Shared/Generic · Third-Party/Vendor
Slides
3
Five Core PAM Access Control ModelsPoLP · RBAC · Segregation of Duties · Two-Person Control · Just-Enough Privilege
Slides
4
Six Threat Vectors That Exploit Privileged AccessMalicious insiders · Negligent insiders · Hacktivists · Organised crime · Nation-state · Config errors
Slides
5
Compliance Mapping — Why Your Auditor Cares About PAMGDPR · SOX · PCI DSS · NIST CSF · ISO 27001
Reading
6
The Three-Gap FrameworkKnowledge Gap · Process Gap · Technology Gap — PAM Best Practice IP
Slides
7
Module 1 Knowledge CheckTest your understanding of PAM fundamentals — 5 questions
Quiz
Section 1: What PAM Really Is
“Most PAM programmes fail because organisations buy technology before understanding their problem.”

Privileged Access Management is the practice of controlling, monitoring, and auditing access to privileged accounts — not just storing credentials. Think of it this way: if regular employees have a keycard to the lobby, privileged users have the master key to every room, every safe, and every server rack. PAM controls who gets that key, when they use it, and records everything they do.

PAM is not antivirus. It is not a firewall. It is not a password manager for personal use. It is the discipline that sits at the intersection of identity, access, and security governance.

IBM 2024 Data Breach Report: 74% of insider breaches involve privileged accounts. The average cost of a data breach is $4.88 million. Breaches involving compromised credentials cost 55% more to identify and contain than other breach types. Average time to detect: 292 days.
Section 2: The Five Types of Privileged Accounts
“You cannot protect what you cannot see — and most organisations don’t see all their privileged accounts. The real number is typically 3–5× higher than expected.”
Account Type
Industry Problem
PAM Control Point
Human Accounts
Admins, DBAs, engineers
Shared accounts eliminate audit trails — multiple people using the same admin ID
Enforce individual, unique accounts for every privileged user
Service Accounts
Apps, databases, batch processes
Hardcoded passwords or never-expire settings create persistent exposure
Automated password rotation + approval workflows
System Accounts
Root, SYSTEM, domain controllers
Default installations leave default credentials unchanged
Initial access hardening + ongoing monitoring
Shared/Generic Accounts
Support teams, on-call rotations
Multiple users, zero individual accountability
JIT (Just-In-Time) provisioning + session recording
Third-Party/Vendor Accounts
SaaS vendors, MSPs, integrations
Least-documented, highest-risk access in most environments
Formal vendor access agreements + quarterly access reviews
Section 3: Five Core PAM Access Control Models
“The control model you choose determines whether your PAM programme succeeds or fails.”
1. Principle of Least Privilege (PoLP)
Give users the minimum access needed to do their job. Reduces blast radius of a breach from “full domain control” to “single app access.” Required by NIST, ISO 27001 and SOX.
2. Role-Based Access Control (RBAC)
Assign access to roles, not individuals. Makes onboarding and offboarding consistent and auditable. Required by PCI DSS and ISO 27001.
3. Segregation of Duties (SoD)
One person cannot approve and execute the same transaction. Example: payment approver ≠ payment processor. Required by SOX Section 404 and PCI DSS Requirement 7.
4. Two-Person Control (TPC)
High-risk actions (credential vault access, production changes) require two approvals. Prevents insider threats. Recommended by NIST for sensitive systems.
5. Just-Enough Privilege (JEA)
Grant access to a specific system, for a specific task, for a specific time window only — then it expires automatically. Dramatically reduces insider threat risk. Recommended by GDPR Article 32 and NIST.
Section 4: Six Threat Vectors That Exploit Privileged Access
“These threats are not hypothetical. They happened to real organisations — and privileged access was the entry point every time.”
1. Malicious Insiders
Tesla 2024: employee attempted data exfiltration using privileged access
Controls: Session recording, behaviour analytics, access reviews
2. Negligent Insiders
SingHealth 2018: misconfigured database exposed 1.5M patient records
Controls: Automated password rotation, configuration scanning
3. Hacktivists
Anonymous targeting critical infrastructure via exposed admin credentials
Controls: Network segmentation, privileged workstations
4. Organised Crime
Colonial Pipeline 2021: $11M ransom demand after credential compromise
Controls: MFA, vault encryption, alert monitoring
5. Nation-State Attacks (APTs)
SolarWinds 2020: supply-chain attack via compromised privileged build system
Controls: Zero Trust architecture, privileged access workstations
6. Configuration Errors
AWS S3 misconfiguration: millions of records exposed via unchecked admin access
Controls: Change detection, approval workflows, automated rollback
Verizon DBIR: 61% of all breaches involve credential access. Average time to contain a breach: 292 days. Every day without PAM controls is a day of undetected exposure.
Section 5: Compliance Mapping
“Audit readiness is not just a compliance checkbox — it’s a business advantage. Organisations ready for audits close deals faster, attract better partners, and command higher valuations.”
Framework
PAM Requirement
GDPR
Article 32
Access controls + audit logs + documented security policies. Purpose limitation: access only for stated job function.
SOX
Section 404
Segregation of duties + change approval workflows + audit trails for all financial system access.
PCI DSS
Req. 2 & 7
Change default vendor credentials. Limit access based on need-to-know. Unique user IDs, access reviews, password policies.
NIST CSF
Protect → AC
Enforce PoLP, manage privileged accounts, monitor user activity. Increasingly adopted as the de facto US and global standard.
ISO 27001
A.9.2 & A.12.4
Formal access provisioning, periodic access reviews, audit logs. User access management and logging & monitoring controls.
Section 6: The Three-Gap Framework
“Most PAM programmes fail because organisations buy technology before understanding their problem. We teach you the problem first.” — PAM Best Practice
Knowledge Gap
Most teams understand tools, not processes. They can configure CyberArk but cannot articulate why they’re doing it.
Solution: PAM Foundations curriculum teaches principles first
Process Gap
Organisations have ad-hoc processes, not documented workflows. Provisioning is inconsistent; deprovisioning is forgotten.
Solution: 38-guide practitioner library provides repeatable processes
Technology Gap
Teams buy tools before they know what to protect. The result: expensive tools, poor adoption, failed audits.
Solution: PAM Score assessment identifies gaps before tool selection
Requirements
No prior PAM experience required — this is your starting point
Basic familiarity with IT or cybersecurity concepts is helpful but not essential
An interest in cybersecurity, identity management or compliance
Target audience: CISOs, IT Directors, Security Teams (foundational to practitioner-level)
Your instructors
NK
Nabeel Khaliq
IAM & Privileged Access Management SME · Founder, PAM Best Practice Ltd
Practitioner with deep hands-on experience implementing PAM across enterprise environments. Founder of PAM Best Practice Academy, a UK-registered education and community hub for PAM professionals. Arsenal and Middlesbrough fan.
AR
Adrian Russo
IAM & Privileged Access Management Architect
Senior PAM architect with extensive experience designing and deploying large-scale CyberArk and BeyondTrust implementations across enterprise environments globally. Keen cyclist.
ID
Iftikar Din
Manufacturing-focused Cyber Security Engineer
Cyber security engineer specialising in industrial and manufacturing environments. Brings real-world operational technology (OT) security perspective to PAM implementation. Middlesbrough fan who loves gardening.
Your progress
Module 1 — Foundational Pillars of PAM
Not started0%
Module breakdown
What PAM Really IsSection 1
Five Account TypesSection 2
Access Control ModelsSection 3
Six Threat VectorsSection 4
Compliance MappingSection 5
Three-Gap FrameworkSection 6
Knowledge Check5 questions
Up next
Module 2 — Crafting a PAM Strategy
Define scope, master access control methodologies, and plan stakeholder engagement
Also in this course
M2Crafting a PAM Strategy
M3Discovery & Assessment
M4Protecting Digital Assets
M5Automating PAM
M6Vendor Selection
M7Cloud & DevOps PAM
M8Governance & Reporting
M9Incident Response
PAM Community
Join our network of PAM practitioners, mentors and industry partners across the UK.