Auto-sync: update nexus workspace

2026-04-29 15:44:38 +08:00
parent b2aadf771a
commit c961c6a394
114 changed files with 4784 additions and 1334 deletions
--- a/wiki/concepts/Privileged-Access-Management.md
+++ b/wiki/concepts/Privileged-Access-Management.md
@@ -0,0 +1,89 @@
+---
+title: "Privileged-Access-Management"
+type: concept
+tags:
+  - Security
+  - PAM
+  - Compliance
+  - Cloud
+  - DevOps
+---
+
+## Definition
+
+Privileged Access Management（PAM，特权访问管理）是一类安全解决方案，用于管理和监控具有 elevated permissions 的账号访问权限。特权账号包括系统管理员、数据库管理员、安全管理员等拥有超出普通用户权限的账号，以及应用程序服务账号、API 账号等非人工身份。
+
+## Core Objectives
+
+1. **凭据保护**：集中存储和管理特权账号密码、SSH 密钥、API Key 等敏感凭据
+2. **访问控制**：实施最小权限原则，确保用户仅获得完成任务所需的最小权限
+3. **会话监控**：记录和审计所有特权会话，支持事后追溯和合规审查
+4. **威胁检测**：实时检测异常特权行为，防止凭据滥用和横向移动攻击
+
+## PAM Architecture
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│                      PAM Solution                           │
+├─────────────────────────────────────────────────────────────┤
+│  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐       │
+│  │  Credential │  │   Session   │  │    Risk    │       │
+│  │   Vault     │  │   Manager   │  │   Engine   │       │
+│  └─────────────┘  └─────────────┘  └─────────────┘       │
+│                                                             │
+│  ┌─────────────────────────────────────────────┐           │
+│  │              Access Control Layer            │           │
+│  │  (RBAC, MFA, Policy-based Access)            │           │
+│  └─────────────────────────────────────────────┘           │
+└─────────────────────────────────────────────────────────────┘
+                          ↑
+        ┌─────────────────┼─────────────────┐
+        ↓                 ↓                 ↓
+   ┌─────────┐      ┌─────────┐      ┌─────────┐
+   │  Root   │      │   DB    │      │  API    │
+   │ Account │      │  Admin  │      │ Service │
+   └─────────┘      └─────────┘      └─────────┘
+```
+
+## Cloud-Native vs Traditional PAM
+
+| Aspect | Traditional PAM | Cloud-Native (AWS Secrets Manager) |
+|--------|-----------------|----------------------------------|
+| Deployment | On-prem / Hybrid | Fully managed SaaS |
+| Client Agent | Required | Not required |
+| Scalability | Manual scaling | Auto-scaling |
+| Cost Model | Perpetual license + maintenance | Pay-per-use |
+| Integration | Manual configuration | Native AWS integration |
+
+## Key Vendors
+
+- **CyberArk**：Enterprise PAM market leader, on-prem and cloud offerings
+- **AWS Secrets Manager**：Cloud-native secrets management
+- **HashiCorp Vault**：Cloud-agnostic secrets and privileged access
+- **BeyondTrust**：Endpoint privilege management
+- **Thycotic**：Privileged access management
+
+## Related Concepts
+
+- [[SecretsManagement]]：敏感信息管理的整体框架
+- [[SecretRotation]]：密钥轮换机制
+- [[IAM-Roles]]：基于角色的访问控制
+- [[Zero-Trust]]：零信任安全模型
+
+## Related Entities
+
+- [[CyberArk]]：Enterprise PAM vendor
+- [[AWS]]：Cloud-native secrets management provider
+- [[HashiCorp]]：Cloud-agnostic secrets management
+
+## Sources
+
+- [[ctp-topic-37-secrets-certificates-management]] — CyberArk Micro Focus PAM evaluation
+- [[ctp-topic-62-aws-secrets-manager]] — AWS-native PAM implementation
+
+## Aliases
+
+- PAM
+- Privileged Access Management
+- Privileged Identity Management
+- PIM