Privileged accounts — domain administrators, local administrators, service accounts with elevated rights, database administrators — are the primary target of virtually every advanced attacker operating in enterprise environments today. Not because privilege escalation is hard, but because once an attacker has privileged access, the entire organization is exposed. Every system, every database, every backup, every secret.
Privileged Access Management (PAM) is the discipline of controlling, monitoring, and auditing how privileged accounts are used. It is one of the highest-return security investments available to an enterprise — and one of the most commonly implemented poorly.
Why Privileged Accounts Are the Top Target
The attacker's economic model is straightforward: privileged accounts eliminate the need for additional exploitation. A threat actor who has compromised a domain administrator account does not need to find and exploit vulnerabilities in individual systems — they already have the keys to every lock. They can dump credential databases, disable security tooling, exfiltrate data at will, and deploy ransomware across the entire environment in hours.
The data supports this model: the Verizon DBIR consistently shows stolen credentials as a leading breach vector — 39% of breaches in 2026 (Verizon DBIR 2026). The specific targeting of privileged accounts is a deliberate attacker strategy, not incidental access.
What PAM Covers
Password Vaulting
The foundational capability of PAM is a credential vault that stores privileged account passwords and serves them to authorized users without those users knowing the actual password. This eliminates shared credentials, enforces credential uniqueness, enables automatic password rotation after each use, and provides an audit trail of every credential access.
Session Recording
PAM platforms record privileged sessions — RDP sessions, SSH connections, database queries — and store those recordings for forensic review. When a privileged account is used in an incident, you can play back exactly what was done, by whom, and when. Session recording also has a deterrence effect on insider threats.
Just-In-Time Access
Just-in-time (JIT) access is the practice of not granting standing privileged access at all. Instead, privileged access is requested, approved, granted for a defined time window (e.g., 4 hours), and automatically revoked at expiration. An attacker who compromises a user account that has no standing privileged access cannot move laterally using that account's privileges — they would need to compromise the PAM platform itself.
Tiered Administration Model
Microsoft's Active Directory tiered administration model, now evolved into the Enterprise Access Model, establishes three tiers of administrative access:
- Tier 0: Domain controllers, certificate authorities, privileged identity management infrastructure. Accounts at this tier should never log on to Tier 1 or Tier 2 assets.
- Tier 1: Member servers, applications, cloud services. Separate accounts from Tier 0.
- Tier 2: End-user workstations. Local admin accounts, help desk.
The model prevents credential exposure across tiers. If a Tier 2 workstation is compromised, the attacker cannot capture Tier 0 credentials that have never logged into that system.
PAM Vendor Landscape
The major enterprise PAM platforms are: CyberArk (market leader, comprehensive but complex and expensive), BeyondTrust (strong in Linux/Unix environments and endpoint privilege management), Delinea (formerly Thycotic and Centrify, mid-market friendly), and HashiCorp Vault (developer and DevOps focused, excellent for secrets management in CI/CD pipelines but not a full enterprise PAM replacement). Selection depends on your environment's complexity, existing identity infrastructure, and budget.
Implementation Phases
PAM implementation follows a natural progression: Discovery (enumerate all privileged accounts — automated discovery is essential because privileged accounts routinely outnumber employees, and most environments harbor unknown or unmanaged accounts — orphaned service accounts, shared admin logins, embedded application credentials — that manual inventories miss), Vault (onboard discovered accounts into the vault), Rotate (enable automatic password rotation), Record (enable session recording for all vaulted accounts), and Analyze (connect PAM telemetry to SIEM for behavioral analytics).
Handling Sysadmin Resistance
PAM implementation consistently encounters resistance from systems administrators who experience it as an obstacle to doing their jobs. The most effective approach is phased rollout starting with the highest-risk accounts (Domain Admins, service accounts for critical systems), combined with workflow optimization that makes the PAM access request process as frictionless as possible. Invest in automation of common approval workflows and demonstrate that the recorded sessions protect administrators from false accusations — not just constrain them.
Compliance Requirements
PAM directly satisfies controls in PCI DSS 4.0 (Requirements 7 and 8 on access control), HIPAA (access control and audit control requirements), and NYDFS 23 NYCRR 500 (access privilege requirements, Section 500.07). Demonstrating PAM capability to auditors is far stronger than policy statements alone. For NYC financial services firms, PAM is increasingly an examiner expectation rather than a recommendation. Contact Fortress to discuss PAM implementation scoping for your environment.