Privileged access vaulted (PAM)
Demonstrate that all privileged credentials are stored in a secure vault, accessed only through authenticated and logged workflows, rotated automatically, and never stored in clear text on endpoints or within scripts.
Description
What this control does
Privileged Access Management (PAM) vaulting ensures that credentials with elevated permissions, such as domain administrator accounts, root passwords, service accounts, API keys, and other machine secrets, are stored in a centralized, encrypted vault and accessed only through controlled workflows. The vault enforces checkout/check-in workflows, automatic password rotation (on a schedule and, where configured, after every checkout), session recording, and just-in-time access provisioning. By removing static, shared, or embedded credentials from endpoints, scripts, and human memory, PAM vaulting reduces credential theft, lateral movement, and unauthorized privilege escalation. Because it concentrates every privileged secret in one place, the vault itself becomes the highest-value target in the environment; its own administrator accounts, master keys, and backups need MFA, dual control, and monitoring at least as strict as the accounts it protects.
Control objective
What auditing this proves
Demonstrate that all privileged credentials are stored in a secure vault, accessed only through authenticated and logged workflows, rotated automatically, and never stored in clear text on endpoints or within scripts.
Associated risks
Risks this control addresses
- Credential theft via phishing, malware, or memory scraping leading to unauthorized administrative access
- Lateral movement by attackers using compromised privileged accounts to pivot across systems
- Insider threat exploitation of unmonitored shared administrator passwords
- Persistence mechanisms established through stolen service account credentials or API keys
- Compliance violations from unencrypted or poorly audited privileged credential usage
- Password reuse or weak credentials on critical infrastructure due to lack of enforced rotation
- Loss of forensic evidence when privileged sessions are not recorded or logged centrally
Testing procedure
How an auditor verifies this control
- Obtain the inventory of all privileged accounts including domain admins, local administrators, service accounts, database superuser accounts (for example, SQL Server sa), cloud IAM root users, SSH keys, API tokens, and emergency access credentials, and note which ones are not yet enrolled in the vault.
- Review the PAM solution configuration to confirm credential storage encryption standards, vault architecture, access control policies, and integration with directory services.
- Select a representative sample of privileged accounts from the inventory and verify each is enrolled in the vault with automated password rotation schedules defined.
- Attempt to locate privileged credentials stored outside the vault by scanning source and configuration management repositories (including commit history, not just the current tree), scripts and scheduled tasks, CI/CD pipeline variables, documentation and wikis, and endpoint credential stores; treat references that fetch the secret from the vault at run time as acceptable and literal values as findings.
- Test the checkout workflow by requesting privileged access to a sampled system and confirm multi-factor authentication, approval workflow (if configured), session initiation logging, and automatic session recording are enforced.
- Review session recordings and access logs for a sample period to verify all privileged activities are captured with timestamps, user identity, target system, and actions performed.
- Validate automatic password rotation by reviewing rotation logs for every inventoried account and confirming passwords changed within policy-defined intervals (and after each checkout where a change-on-release policy applies) without manual intervention; accounts with no rotation record at all are a finding, not a gap in the log.
- Examine emergency access or break-glass procedures to ensure they require vault access or dual authorization and generate auditable alerts when invoked.
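Two of the steps above (locating credentials stored outside the vault, and validating rotation against the policy interval) can be partly automated. The following is an added example written for this page, not a script from the original page or from any PAM vendor: it scans a constructed set of file contents for embedded secrets while exempting lines that reference the vault or an environment variable, and it checks a constructed rotation log against an inventory and a maximum age. The file contents, account names, log format (account, rotated_at, method) and the 30-day interval are all assumptions for illustration; the regex list is a small illustrative subset of what a dedicated scanner ships with.

```python
"""Added example (not from the original page): automating two audit checks
from the testing procedure, credential scanning and rotation validation.
All inputs below are constructed for illustration."""
import re
from datetime import datetime, timedelta, timezone

# Illustrative indicators of a credential embedded in a file. Real scanners
# (gitleaks, trufflehog) ship far larger rule sets and entropy checks.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd|secret|token)\s*[=:]\s*['\"]?([^\s'\"]{6,})"),
}

# Lines that pull the secret from the vault or the environment at run time
# are the desired pattern, so they are exempted (heuristic, assumed idioms).
ALLOWED_REFERENCE = re.compile(r"(?i)os\.environ|getenv|\$\{[A-Z0-9_]+\}|\bvault\.|vault kv get")

# Constructed sample files: {path: content}. Not real repository content.
SAMPLE_FILES = {
    "deploy/backup.ps1": "# Nightly SQL backup\n"
                         "$sqlPassword = 'Sup3rS3cret!'\n"
                         "Invoke-Sqlcmd -ServerInstance db01 -Username sa -Password $sqlPassword\n",
    "infra/app.env": "DB_HOST=db01.corp.example\n"
                     "DB_PASSWORD=${DB_PASSWORD}   # injected from the vault at deploy time\n"
                     "API_TOKEN=AKIAIOSFODNN7EXAMPLE\n",
    "scripts/rotate.py": "import os, hvac\n"
                         "vault = hvac.Client(url=os.environ[\"VAULT_ADDR\"], token=os.environ[\"VAULT_TOKEN\"])\n"
                         "db_password = vault.secrets.kv.v2.read_secret_version(path=\"db/sa\")[\"data\"][\"data\"][\"password\"]\n",
    "ops/jump_key": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n-----END OPENSSH PRIVATE KEY-----\n",
    "docs/runbook.md": "## Emergency access\n"
                       "Use the break-glass account; retrieve the password from the vault checkout.\n",
}


def scan_for_embedded_credentials(files):
    """Return [(path, line_no, pattern_name, stripped_line)] for every line
    that matches a secret pattern and is not a vault/environment reference."""
    findings = []
    for path, content in files.items():
        for line_no, line in enumerate(content.splitlines(), start=1):
            if ALLOWED_REFERENCE.search(line):
                continue
            for name, pattern in SECRET_PATTERNS.items():
                if pattern.search(line):
                    findings.append((path, line_no, name, line.strip()))
                    break  # one finding per line is enough for the auditor
    return findings


# Constructed inventory and rotation log (assumed export format).
INVENTORY = {"CORP\\Administrator", "db01/sa", "svc-backup", "aws-root"}
ROTATION_LOG = [
    {"account": "CORP\\Administrator", "rotated_at": "2024-05-01T02:00:00+00:00", "method": "automatic"},
    {"account": "db01/sa", "rotated_at": "2024-03-10T02:00:00+00:00", "method": "automatic"},
    {"account": "svc-backup", "rotated_at": "2024-05-02T09:15:00+00:00", "method": "manual"},
]
MAX_ROTATION_AGE = timedelta(days=30)   # assumed policy interval
AUDIT_TIME = datetime(2024, 5, 10, tzinfo=timezone.utc)


def check_rotation(inventory, rotation_log, max_age, now):
    """Return {account: status} for every inventoried account, where status is
    compliant | overdue | manual_rotation | not_rotated. Uses the most recent
    log entry per account; accounts absent from the log are flagged."""
    last_seen = {}
    for entry in rotation_log:
        ts = datetime.fromisoformat(entry["rotated_at"])
        prev = last_seen.get(entry["account"])
        if prev is None or ts > prev[0]:
            last_seen[entry["account"]] = (ts, entry["method"])
    report = {}
    for account in sorted(inventory):
        if account not in last_seen:
            report[account] = "not_rotated"
            continue
        ts, method = last_seen[account]
        if now - ts > max_age:
            report[account] = "overdue"
        elif method != "automatic":
            report[account] = "manual_rotation"
        else:
            report[account] = "compliant"
    return report


if __name__ == "__main__":
    for path, line_no, name, text in scan_for_embedded_credentials(SAMPLE_FILES):
        print(f"FINDING {path}:{line_no} [{name}] {text}")
    for account, status in check_rotation(INVENTORY, ROTATION_LOG, MAX_ROTATION_AGE, AUDIT_TIME).items():
        print(f"ROTATION {account}: {status}")
```

Both functions return their results rather than only printing them so the output can be attached as evidence or diffed against a previous audit. The exemption list is the part to tune for a real environment: too loose and a literal secret next to the word "vault" slips through, too strict and every vault lookup becomes a false positive.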