nexus/wiki/concepts/Privileged-Access-Management.md at b40abbcd473a7093d8261e212e3d6de97c1e516a

ishenwei/nexus

Fork 0

Files

weishen c961c6a394 Auto-sync: update nexus workspace

2026-04-29 15:44:42 +08:00

4.4 KiB

Raw Blame History

title, type, tags

title

type

Definition

Privileged Access Management（PAM，特权访问管理）是一类安全解决方案，用于管理和监控具有 elevated permissions 的账号访问权限。特权账号包括系统管理员、数据库管理员、安全管理员等拥有超出普通用户权限的账号，以及应用程序服务账号、API 账号等非人工身份。

Core Objectives

凭据保护：集中存储和管理特权账号密码、SSH 密钥、API Key 等敏感凭据
访问控制：实施最小权限原则，确保用户仅获得完成任务所需的最小权限
会话监控：记录和审计所有特权会话，支持事后追溯和合规审查
威胁检测：实时检测异常特权行为，防止凭据滥用和横向移动攻击

PAM Architecture

┌─────────────────────────────────────────────────────────────┐
│                      PAM Solution                           │
├─────────────────────────────────────────────────────────────┤
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐       │
│  │  Credential │  │   Session   │  │    Risk    │       │
│  │   Vault     │  │   Manager   │  │   Engine   │       │
│  └─────────────┘  └─────────────┘  └─────────────┘       │
│                                                             │
│  ┌─────────────────────────────────────────────┐           │
│  │              Access Control Layer            │           │
│  │  (RBAC, MFA, Policy-based Access)            │           │
│  └─────────────────────────────────────────────┘           │
└─────────────────────────────────────────────────────────────┘
                          ↑
        ┌─────────────────┼─────────────────┐
        ↓                 ↓                 ↓
   ┌─────────┐      ┌─────────┐      ┌─────────┐
   │  Root   │      │   DB    │      │  API    │
   │ Account │      │  Admin  │      │ Service │
   └─────────┘      └─────────┘      └─────────┘

Cloud-Native vs Traditional PAM

Aspect	Traditional PAM	Cloud-Native (AWS Secrets Manager)
Deployment	On-prem / Hybrid	Fully managed SaaS
Client Agent	Required	Not required
Scalability	Manual scaling	Auto-scaling
Cost Model	Perpetual license + maintenance	Pay-per-use
Integration	Manual configuration	Native AWS integration

Key Vendors

CyberArk：Enterprise PAM market leader, on-prem and cloud offerings
AWS Secrets Manager：Cloud-native secrets management
HashiCorp Vault：Cloud-agnostic secrets and privileged access
BeyondTrust：Endpoint privilege management
Thycotic：Privileged access management

SecretsManagement：敏感信息管理的整体框架
SecretRotation：密钥轮换机制
IAM-Roles：基于角色的访问控制
Zero-Trust：零信任安全模型

CyberArk：Enterprise PAM vendor
AWS：Cloud-native secrets management provider
HashiCorp：Cloud-agnostic secrets management

Sources

ctp-topic-37-secrets-certificates-management — CyberArk Micro Focus PAM evaluation
ctp-topic-62-aws-secrets-manager — AWS-native PAM implementation

Aliases

PAM
Privileged Access Management
Privileged Identity Management
PIM

4.4 KiB Raw Blame History Unescape Escape