PAM Academy › Module 4 — Protecting Digital Assets

Module 4: Protecting Digital Assets

Credential vaulting, session management, and endpoint privilege control are the three pillars of operational PAM. This module covers how to vault credentials correctly, manage privileged sessions with full recording and real-time monitoring, and implement endpoint privilege management to eliminate local admin rights without breaking operations.

Self-study reference material
90–120 minutes
Security Engineers, PAM Architects, IT Operations
★★★★★ 4.9 · Security Engineers, PAM Architects, IT Operations
Credential VaultingSession ManagementEndpoint PrivilegePassword RotationMFA
Included
Part of the PAM Best Practice Academy curriculum
Start Module 4 → ← Back to Module 3
  • 5 in-depth content sections
  • Real-world case studies and industry statistics
  • Practical frameworks and templates
  • Compliance alignment guidance
  • 4-question knowledge check
Overview
Curriculum
Instructors
4
Module Number
5
Content Sections
90+
Minutes
4
Quiz Questions
Module 4 — Protecting Digital Assets
90–120 min
COMING SOON
What you will learn
Master credential vaulting and apply it to real-world PAM challenges
Master session management & recording and apply it to real-world PAM challenges
Master endpoint privilege management and apply it to real-world PAM challenges
Master multi-factor authentication for privileged access and apply it to real-world PAM challenges
Master secrets management for non-human identities and apply it to real-world PAM challenges
Module curriculum
1
Section 1: Credential Vaulting
Reading
2
Section 2: Session Management & Recording
Reading
3
Section 3: Endpoint Privilege Management
Reading
4
Section 4: Multi-Factor Authentication for Privileged Access
Reading
5
Section 5: Secrets Management for Non-Human Identities
Reading
6
Knowledge CheckTest your understanding
Quiz
Section: Credential Vaulting
The vault is not a password manager — it is a security control

A credential vault is a hardened, encrypted repository for privileged credentials. It is not a password manager. The vault enforces access controls, rotates passwords automatically, provides audit trails, and integrates with SIEM and ticketing systems. Every Tier 0 and Tier 1 account must be vaulted before any other PAM control is applied.

Industry data: Verizon DBIR 2024: 86% of breaches involving privileged accounts used credentials that were either shared, static (never rotated), or stored in plain text. Credential vaulting eliminates all three attack vectors simultaneously.
Automatic Password Rotation
Vault rotates passwords on a schedule (daily for Tier 0, weekly for Tier 1) and after every use. No human ever knows the current password — they request access through the vault.
Check-Out / Check-In
Users request access to a credential. The vault grants time-limited access. When the session ends, the vault rotates the password. The credential is never reused.
Dual Control
For critical credentials (domain admin, root), two authorised people must approve the check-out. Prevents single-person abuse. Satisfies SOX two-person integrity requirement.
Emergency Break-Glass
For genuine emergencies, a break-glass procedure allows immediate access with automatic alerting to the security team. All break-glass access is recorded and reviewed within 24 hours.
Section: Session Management & Recording
Every privileged session is a potential crime scene

Session management captures everything that happens during a privileged session — keystrokes, commands, screen activity, file transfers, and clipboard content. Session recordings are the primary forensic evidence in incident response. They answer the question: what did this person do, when, and on which system?

In the 2020 Twitter hack, attackers used a compromised privileged account to access the admin panel and hijack 130 high-profile accounts. The breach took 4 hours to contain. Without session recording, the full scope of the attack took 3 weeks to determine. With session recording, it would have taken 15 minutes.
Keystroke Logging
Every command typed during a privileged session is logged with timestamp, user identity, and target system
Enables forensic reconstruction of exactly what was done during any session
Screen Recording
Full video recording of screen activity during privileged sessions, searchable by keyword
Provides visual evidence for compliance audits and incident investigations
Command Filtering
Block specific high-risk commands (DROP DATABASE, rm -rf, format) in real time before they execute
Prevents accidental or malicious destruction of critical data
Real-Time Monitoring
Security team can monitor live privileged sessions and terminate suspicious activity instantly
Reduces breach dwell time from hours to minutes
Section: Endpoint Privilege Management
Local admin rights are the #1 lateral movement vector

Local administrator rights on endpoints are the primary mechanism for lateral movement in 70% of breaches. When an attacker compromises a standard user account, local admin rights allow them to install malware, extract credentials, and move laterally across the network. Endpoint Privilege Management (EPM) removes local admin rights from all endpoints while allowing specific applications to run with elevated privileges when needed.

Industry data: Microsoft Security Report 2024: Removing local admin rights from endpoints would prevent 94% of critical Windows vulnerabilities from being exploitable. Yet 68% of enterprise endpoints still have local admin rights enabled.
Application Elevation
Specific approved applications can run with elevated privileges without giving the user admin rights. IT approved the application — the user does not need to be an admin to run it.
Just-In-Time Admin
Users can request temporary local admin rights for a specific task (software installation, driver update). Access is time-limited and session-recorded. No standing admin rights.
Application Whitelisting
Only approved applications can run on endpoints. Unknown executables are blocked. Prevents malware execution even if the user's credentials are compromised.
Privilege Broker
When an application requires elevation, the privilege broker evaluates the request against policy and grants the minimum privilege required — not full admin rights.
Section: Multi-Factor Authentication for Privileged Access
Passwords alone are not enough

MFA is the single most effective control for preventing unauthorised privileged access. It reduces the risk of credential-based attacks by 99.9% (Microsoft, 2023). Every privileged account must require MFA — without exception. This includes service accounts where possible, break-glass accounts, and vendor accounts.

Industry data: Microsoft 2023: MFA blocks 99.9% of automated credential attacks. Yet 61% of privileged accounts in enterprise environments do not have MFA enabled (Verizon DBIR 2024). This is the single most impactful control gap in PAM today.
Hardware Tokens (FIDO2)
Physical security keys (YubiKey, etc.) that cannot be phished or intercepted. Gold standard for Tier 0 accounts.
Recommended for: Domain admins, vault admins, root accounts, break-glass accounts
Authenticator Apps (TOTP)
Time-based one-time passwords via Microsoft Authenticator, Google Authenticator. Resistant to password spray attacks.
Recommended for: All Tier 1 accounts, standard privileged users
Push Notifications
Approval-based MFA via mobile app. Convenient but vulnerable to MFA fatigue attacks if not configured with number matching.
Recommended for: Tier 2 accounts, with number matching enabled
Certificate-Based Auth
Machine certificates for service accounts that cannot use interactive MFA. Certificates rotate automatically and are tied to specific systems.
Recommended for: Service accounts, automated processes, CI/CD pipelines
Section: Secrets Management for Non-Human Identities
Service accounts are the forgotten attack surface

Service accounts, API keys, certificates, and SSH keys are the most overlooked attack surface in PAM. They are often shared across multiple applications, never rotated, stored in plain text in configuration files, and have excessive permissions. Secrets management extends PAM controls to non-human identities.

The SolarWinds breach (2020) exploited a service account with excessive permissions and a static password that had not been rotated in 3 years. The account was used to move laterally across 18,000 organisations. A secrets management solution would have rotated the password automatically and detected the anomalous access within minutes.
Secrets Vault
All API keys, certificates, SSH keys, and service account passwords stored in a dedicated secrets vault. Automatic rotation. Access logged. No plain text storage in code or config files.
Dynamic Secrets
Instead of static credentials, applications receive short-lived credentials generated on-demand. Credentials expire after use. No credential reuse. No long-lived secrets.
CI/CD Pipeline Integration
Build pipelines retrieve secrets from the vault at runtime. No secrets in source code, environment variables, or build logs. Developers never see production credentials.
Certificate Lifecycle Management
Automated certificate issuance, renewal, and revocation. Alerts when certificates approach expiry. No more expired certificates causing outages or security gaps.
Knowledge Check
Q1: What is the primary purpose of automatic password rotation in a credential vault?
To make passwords harder to remember
To ensure no human ever knows the current password, eliminating credential sharing and static password risks ✓
To comply with password complexity policies
To reduce the number of passwords in use
Q2: Which control would MOST effectively prevent lateral movement after an endpoint is compromised?
Antivirus software
Removing local administrator rights via Endpoint Privilege Management ✓
Stronger passwords
Network segmentation alone
Q3: True or False: MFA is only required for human privileged accounts, not service accounts.
True
False — service accounts should use certificate-based authentication or secrets management as an equivalent control ✓
Q4: What is a 'break-glass' procedure?
A disaster recovery plan
An emergency access mechanism for critical credentials, with automatic alerting and mandatory post-access review ✓
A way to reset forgotten passwords
A physical security control
Requirements
Completion of Module 3 (recommended)
Basic understanding of IT administration or security concepts
Target audience: Security Engineers, PAM Architects, IT Operations
No vendor-specific tool knowledge required — this is methodology-first
Your instructors
NK
Nabeel Khaliq
IAM & Privileged Access Management SME · Founder, PAM Best Practice Ltd
Practitioner with deep hands-on experience implementing PAM across enterprise environments. Founder of PAM Best Practice Academy, a UK-registered education and community hub for PAM professionals. Arsenal and Middlesbrough fan.
AR
Adrian Russo
IAM & Privileged Access Management Architect
Senior PAM architect with extensive experience designing and deploying large-scale CyberArk and BeyondTrust implementations across enterprise environments globally. Keen cyclist.
ID
Iftikar Din
Manufacturing-focused Cyber Security Engineer
Cyber security engineer specialising in industrial and manufacturing environments. Brings real-world operational technology (OT) security perspective to PAM implementation. Middlesbrough fan who loves gardening.
Your progress
Module 4 — Protecting Digital Assets
Not started0%
Module breakdown
Section 1: Credential VaultingReading
Section 2: Session Management & RecordingReading
Section 3: Endpoint Privilege ManagementReading
Section 4: Multi-Factor Authentication for Privileged AccessReading
Section 5: Secrets Management for Non-Human IdentitiesReading
Knowledge Check5 questions
Up next
Module 5 — Automating PAM
Automate provisioning, rotation, and access workflows to eliminate manual PAM processes
PAM Community
Join our network of PAM practitioners, mentors and industry partners across the UK.