ishenwei/nexus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
111bc65b7b36796956b7061a1e7f0e859eedb9ba
nexus/wiki/concepts/Privileged-Access-Management.md

90 lines
4.4 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
---
title: "Privileged-Access-Management"
type: concept
tags:
- Security
- PAM
- Compliance
- Cloud
- DevOps
---
## Definition
Privileged Access ManagementPAM特权访问管理是一类安全解决方案用于管理和监控具有 elevated permissions 的账号访问权限。特权账号包括系统管理员、数据库管理员、安全管理员等拥有超出普通用户权限的账号以及应用程序服务账号、API 账号等非人工身份。
## Core Objectives
1. **凭据保护**集中存储和管理特权账号密码、SSH 密钥、API Key 等敏感凭据
2. **访问控制**:实施最小权限原则,确保用户仅获得完成任务所需的最小权限
3. **会话监控**:记录和审计所有特权会话,支持事后追溯和合规审查
4. **威胁检测**:实时检测异常特权行为,防止凭据滥用和横向移动攻击
## PAM Architecture
```
┌─────────────────────────────────────────────────────────────┐
│ PAM Solution │
├─────────────────────────────────────────────────────────────┤
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │
│ │ Credential │ │ Session │ │ Risk │ │
│ │ Vault │ │ Manager │ │ Engine │ │
│ └─────────────┘ └─────────────┘ └─────────────┘ │
│ │
│ ┌─────────────────────────────────────────────┐ │
│ │ Access Control Layer │ │
│ │ (RBAC, MFA, Policy-based Access) │ │
│ └─────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────┘
┌─────────────────┼─────────────────┐
↓ ↓ ↓
┌─────────┐ ┌─────────┐ ┌─────────┐
│ Root │ │ DB │ │ API │
│ Account │ │ Admin │ │ Service │
└─────────┘ └─────────┘ └─────────┘
```
## Cloud-Native vs Traditional PAM
| Aspect | Traditional PAM | Cloud-Native (AWS Secrets Manager) |
|--------|-----------------|----------------------------------|
| Deployment | On-prem / Hybrid | Fully managed SaaS |
| Client Agent | Required | Not required |
| Scalability | Manual scaling | Auto-scaling |
| Cost Model | Perpetual license + maintenance | Pay-per-use |
| Integration | Manual configuration | Native AWS integration |
## Key Vendors
- **CyberArk**Enterprise PAM market leader, on-prem and cloud offerings
- **AWS Secrets Manager**Cloud-native secrets management
- **HashiCorp Vault**Cloud-agnostic secrets and privileged access
- **BeyondTrust**Endpoint privilege management
- **Thycotic**Privileged access management
## Related Concepts
- [[SecretsManagement]]:敏感信息管理的整体框架
- [[SecretRotation]]:密钥轮换机制
- [[IAM-Roles]]:基于角色的访问控制
- [[Zero-Trust]]:零信任安全模型
## Related Entities
- [[CyberArk]]Enterprise PAM vendor
- [[AWS]]Cloud-native secrets management provider
- [[HashiCorp]]Cloud-agnostic secrets management
## Sources
- [[ctp-topic-37-secrets-certificates-management]] — CyberArk Micro Focus PAM evaluation
- [[ctp-topic-62-aws-secrets-manager]] — AWS-native PAM implementation
## Aliases
- PAM
- Privileged Access Management
- Privileged Identity Management
- PIM
Reference in New Issue View Git Blame Copy Permalink