According to IBM’s Cost of a Data Breach Report 2024, the average cost of a single data breach reached an all-time high of $4.88 million last
Privileged Access Management (PAM) is a subset of Identity and Access Management (IAM) that specifically addresses controlling access for users who work with the most sensitive systems and data within an organization, such as IT, information security and DevOps personnel. Among other tasks, PAM enforces the principle of least privilege, which grants users the minimum level of systems and data access they need to do their jobs.
As cyber attacks rise in frequency, intensity and financial impact, more organizations are adding PAM solutions to their security technology stacks. However, evaluating and selecting the right one can be challenging with so many competing PAM products available.
Let’s examine the top six privileged access management features you actually need to secure your organization.
1. Cloud-based, zero-trust and zero-knowledge security
Even though today’s organizational data environments are heavily or even entirely cloud-based, many “modern” PAM products were originally developed for on-premises infrastructures, with cloud features shoehorned in later. PAM products that weren’t developed in the cloud don’t take full advantage of cloud features such as the ability to automatically scale cloud resources up and down as needed (auto scaling), zero-trust security and zero-knowledge encryption.
Products that are not zero knowledge are inherently less secure because the service provider has access to sensitive user data. Non-zero-knowledge providers store data in a readable format or have the ability to decrypt user data. If their systems are breached, attackers can potentially access this sensitive data. Conversely, zero-knowledge providers cannot read user data – even if a breach occurs – because the data is encrypted, and only the user holds the keys.
In addition to preventing breaches of sensitive user data from external threat actors or malicious insiders, zero-knowledge encryption keeps sensitive data out of the hands of government regulators. Data stored by the provider is subject to local laws and could be accessed or monitored without the user’s consent, and governments or regulatory bodies can request access to user data. A company that does not use zero-knowledge encryption may be legally compelled to provide user data in response to such a request. If an organization uses zero-knowledge encryption, they are unable to comply with such requests because they simply cannot decrypt user data.
Finally, zero knowledge builds trust between service providers and their customers. Organizations must trust their service provider to handle and protect their data responsibly.
In a zero-knowledge environment, this trust is easier to give because the service provider cannot access sensitive user information – no matter what.
KeeperPAM®: Zero-knowledge security built in the cloud, for the cloud
Unlike many of our competitors, KeeperPAM is not an on-prem product with cloud features tacked on later. KeeperPAM was built in the cloud, for the cloud, using Keeper’s zero-knowledge security architecture. This means that no one but the end user can view the passwords, files or other data stored in their Keeper Vault – not your local administrator, not even Keeper’s own employees. Keeper’s infrastructure brokers connections, and end-to-end encrypted, peer-to-peer connections are created from the user’s browser to the target infrastructure.
2. Granular access control and policy enforcement
Granular access control helps organizations create a secure, efficient and compliant environment by limiting access to exactly what users or systems need. It is usually paired with Role-Based Access Control (RBAC) and least-privilege access (also known as just enough privilege, or JEP), where permissions to access systems and data are based on an employee’s job function, with the end goal being to ensure that users can access only those resources they need to perform their jobs – and no more. Since granular access control, RBAC and least-privilege/JEP are cornerstones of modern zero-trust security environments, it is imperative that your PAM solution supports them.
Just-in-Time (JIT) access is another important feature to ensure secure privileged access. JIT grants users or systems temporary, time-limited access to resources only when they need them to perform specific tasks. This means that access is:
- Provisioned on-demand: Activated when requested or triggered by a specific event.
- Time-bound: Automatically revoked after a predefined period or once the task is complete.
- Context-aware: May incorporate conditions such as user role, location, device or security posture.
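The three JIT properties above (on-demand, time-bound, context-aware) map onto a small broker that issues grants with a TTL and evaluates each access against them. This is an added illustration, not Keeper code or any product's API; the resource names, the `device_managed`/`role` conditions and the injectable clock are assumptions made so the example runs offline.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class JitGrant:
    """A temporary, task-scoped privilege: who, what, until when, under which conditions."""
    user: str
    resource: str
    expires_at: datetime
    conditions: dict = field(default_factory=dict)   # context required at use time (assumed keys)
    revoked: bool = False


class JitBroker:
    """Issues short-lived grants and evaluates every access against them (no standing privilege)."""

    def __init__(self, clock=None):
        self._clock = clock or (lambda: datetime.now(timezone.utc))   # injectable for testing
        self._grants = {}
        self.audit = []                                # (event, user, resource, detail)

    def request(self, user, resource, ttl_minutes, conditions=None):
        # Provisioned on demand: the grant exists only from this request onward.
        grant = JitGrant(user, resource, self._clock() + timedelta(minutes=ttl_minutes),
                         dict(conditions or {}))
        self._grants[(user, resource)] = grant
        self.audit.append(("granted", user, resource, grant.expires_at.isoformat()))
        return grant

    def complete(self, user, resource):
        # Task finished: revoke early instead of waiting for the clock to run out.
        grant = self._grants.get((user, resource))
        if grant:
            grant.revoked = True
            self.audit.append(("revoked", user, resource, "task complete"))

    def authorize(self, user, resource, context):
        """Return (allowed, reason). `context` is the live request, e.g. {"device_managed": True}."""
        grant = self._grants.get((user, resource))
        if grant is None:
            reason = "no grant"
        elif grant.revoked:
            reason = "revoked"
        elif self._clock() >= grant.expires_at:
            reason = "expired"                          # time-bound
        else:
            unmet = [k for k, v in grant.conditions.items() if context.get(k) != v]
            reason = "ok" if not unmet else "condition not met: " + ", ".join(unmet)  # context-aware
        self.audit.append(("decision", user, resource, reason))
        return reason == "ok", reason
```

Every decision, including denials, lands in `audit`, which is the trail a reviewer or SIEM would consume.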
How KeeperPAM simplifies granular access control and policy enforcement
KeeperPAM can provide JIT access to any target infrastructure or system without exposing credentials. Once access expires, the credentials can be automatically rotated. By implementing JIT and least-privilege/JEP principles, KeeperPAM reduces standing privileges, mitigating security vulnerabilities and reducing the risk of excessive permissions.
3. Session management, monitoring and recording
In the context of privileged access management, session management, monitoring and recording are critical features that provide oversight, control and accountability over privileged user activities. These features ensure that actions performed by privileged accounts are carefully tracked, logged and reviewed to mitigate risks associated with their elevated access.
Session management involves controlling privileged user sessions, including initiating, maintaining and terminating access to sensitive systems. Make sure your PAM solution has the following capabilities:
- Session initiation: Facilitating secure, time-bound connections to target systems.
- Access control: Enforcing policies like time limits or specific device usage during sessions.
- Session termination: Automatically ending sessions based on inactivity or policy violations.
- Session monitoring: Real-time tracking of user activities during privileged sessions that allows IT and security personnel to view what actions are being performed, often through live dashboards or screen-sharing mechanisms.
- Session recording: Capturing and storing detailed logs and, often, video-like playback of privileged sessions. Recordings typically include keystrokes, commands executed, screens viewed and more.
Session management, monitoring and recording help prevent malicious activities by allowing security teams to intervene if suspicious or unauthorized actions are detected during a privileged session. They reduce insider threats by deterring privilege misuse and providing evidence for forensic investigations if incidents do occur. Session management, particularly session recording, is also key for compliance. Many industry standards and regulatory frameworks (e.g., HIPAA, PCI DSS and GDPR) require tracking, documenting and reporting on privileged user activities to protect sensitive data.
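The session controls listed above (initiation restricted by device, time limits, termination on inactivity, and a command recording kept for review) can be exercised end to end with a small session manager. This is an added example, not Keeper code or a description of any product's internals; the policy values, device names and sample commands are constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class SessionPolicy:
    max_duration: timedelta        # hard time limit for a privileged session
    idle_timeout: timedelta        # end the session after this much inactivity
    allowed_devices: frozenset     # only managed devices may open sessions

@dataclass
class Session:
    user: str
    target: str
    device: str
    started: datetime
    last_activity: datetime
    recording: list = field(default_factory=list)   # (timestamp, command): the session record
    ended_reason: str = ""

class SessionManager:
    def __init__(self, policy, clock):
        self.policy, self._clock, self.events = policy, clock, []   # clock injected for testing

    def start(self, user, target, device):
        """Session initiation: refuse devices outside policy, otherwise open and log."""
        if device not in self.policy.allowed_devices:
            self.events.append(("denied", user, target, f"device {device} not allowed"))
            return None
        now = self._clock()
        session = Session(user, target, device, now, now)
        self.events.append(("started", user, target, now.isoformat()))
        return session

    def record(self, session, command):
        """Session monitoring/recording: log the command, or terminate if a limit was crossed."""
        if session.ended_reason:
            return False
        now = self._clock()
        if now - session.started > self.policy.max_duration:
            return self.terminate(session, "max duration exceeded")
        if now - session.last_activity > self.policy.idle_timeout:
            return self.terminate(session, "idle timeout")
        session.last_activity = now
        session.recording.append((now.isoformat(), command))
        return True

    def terminate(self, session, reason):
        session.ended_reason = reason   # session termination: the recording is kept for review
        self.events.append(("terminated", session.user, session.target, reason))
        return False
```

A real gateway would also stream `recording` to the SIEM as it grows rather than only retaining it on the session object.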
Make sure you select a PAM solution that supports tunneling and Bring Your Own Tools (BYOT). Tunneling refers to the ability to securely route and manage communications or interactions with remote systems through an intermediary or proxy without requiring direct access to the target system. This is particularly important in PAM solutions because it enables secure, encrypted communication between the user’s device and the target system; routes all communications through a PAM gateway or proxy, which enforces RBAC and allows session management; and supports multiple protocols (e.g., SSH, RDP, HTTPS) to enable users to manage diverse environments securely.
BYOT is a feature in comprehensive PAM solutions that allows users to securely use their preferred tools and applications to interact with systems rather than relying solely on the tools provided by the PAM platform. For example, it lets system administrators use their favorite SSH client, like PuTTY or Terminal, to connect to a server through the PAM platform. This accommodates workflows that require specialized tools or user preferences while maintaining security and governance.
How KeeperPAM enhances session management, monitoring and recording
KeeperPAM’s Privileged Session Management (PSM) tools use secrets vaulting, JIT/JEP and recording and playback of remote sessions to ensure that critical credentials and infrastructure are protected. Through session recording and keystroke logging, user activity during connections and on protected websites can be recorded for review, compliance or security purposes. This ensures proper interactions and reduces insider threats and fraud.
User actions within the Keeper Vault are also recorded, and Keeper’s Advanced Reporting and Alerts Module (ARAM) tool allows organizations to set up alerts for suspicious activity, such as failed login attempts, administrative policy changes, record sharing and user lifecycle changes. ARAM can also generate reports specifically to address compliance frameworks such as FedRAMP, SOC 2, ISO 27001 and HIPAA.
Organizations can integrate Keeper with their existing Security Information and Event Management (SIEM) tool for more sophisticated analysis. Keeper integrates with any SIEM that supports syslog push and has out-of-the-box integrations for many, including but not limited to Splunk, Datadog, Azure and LogRhythm.
KeeperPAM gives developers a choice in how they access systems: they can use Keeper Connection Manager’s visual interface to reach resources, or they can create encrypted TCP tunnels and connect with their preferred tools, such as database clients or terminal emulators.
KeeperPAM also offers Remote Browser Isolation (RBI), which isolates a user’s web browsing activity from their local device by running it in an isolated virtual environment, such as a sandbox or virtual machine, on a remote server. The web content is rendered on the remote server, so malicious scripts, malware or exploits cannot reach the user’s device.
4. Support for passkeys
Passkeys are a modern, phishing-resistant authentication method designed to replace traditional passwords. They are a type of passwordless login system that uses public-key cryptography to enhance security and ease of use. Passkeys are being adopted by major tech companies, including Apple, Google and Microsoft, and are supported by the FIDO Alliance. As they become more widespread, they are expected to dramatically reduce password-related cyber attacks, make online experiences safer and more user-friendly, and transform digital identity verification by standardizing secure, easy-to-use methods.
By embracing passkeys, organizations can significantly enhance security while reducing the complexities associated with traditional password management – so be sure your PAM solution supports them.
KeeperPAM makes it easy to securely store and use passkeys
KeeperPAM is the simple and secure way for your organization to store passwords, passkeys and files for every employee on every device. When paired with SSO integration, KeeperPAM allows your users to enjoy a seamless, passwordless experience.
5. Password vaulting and management with automated rotation
Automated password rotation and vaulting are features of modern PAM solutions that enhance the security and management of privileged accounts by automating the handling of passwords and storing them securely.
Automated password rotation automatically changes privileged account passwords at specified intervals or after every use. The process is governed by predefined policies and does not require manual intervention. Automated password rotation reduces the risk of unauthorized access due to compromised or outdated credentials, ensures that no users retain persistent access to privileged accounts and meets regulatory requirements, such as PCI DSS and HIPAA, that mandate password rotation.
Password vaulting refers to securely storing privileged account credentials in an encrypted, centralized repository (the “vault”). Users or systems must authenticate with the PAM solution to retrieve passwords for accessing resources. Access to the vault is restricted based on policies like RBAC, and credentials can be retrieved for specific sessions and are hidden from the user. This eliminates scattered storage of sensitive credentials across systems or personal devices, integrates with access control policies to restrict who can retrieve or use specific passwords and logs every access to the vault, providing visibility into credential usage.
In general, cybersecurity best practices advise against password sharing. Ideally, all users should have unique logins for every system and application. However, in practice, this isn’t always realistic, so it’s important to ensure that your PAM solution lets your users share passwords securely. In addition to shared accounts, look for features such as temporary sharing (time-limited access), one-time shares and self-destructing shares.
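The vaulting and rotation behaviour described in this section (RBAC-restricted checkout, credentials used on the user's behalf but never shown to them, rotation after every use, and a log of every vault access) can be modelled in a few dozen lines. This is an added example and not Keeper code; the `TargetSystem` class is a stand-in for a managed host that only stores password hashes, and the account names and roles are constructed for the illustration.

```python
import hashlib, secrets, string
from dataclasses import dataclass

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"

def generate_password(length=24):
    return "".join(secrets.choice(ALPHABET) for _ in range(length))   # CSPRNG, not random

class TargetSystem:
    """Stand-in for a managed host: it stores only a hash of each account's password."""
    def __init__(self):
        self._hashes = {}
    def set_password(self, account, password):
        self._hashes[account] = hashlib.sha256(password.encode()).hexdigest()
    def login(self, account, password):
        return self._hashes.get(account) == hashlib.sha256(password.encode()).hexdigest()

@dataclass
class VaultEntry:
    account: str
    password: str
    allowed_roles: frozenset
    rotate_after_use: bool
    version: int = 1

class CredentialVault:
    """Centralised store: callers get a session opened for them, never the password itself."""
    def __init__(self, target):
        self._target, self._entries, self.access_log = target, {}, []
    def enroll(self, account, allowed_roles, rotate_after_use=True):
        entry = VaultEntry(account, generate_password(), frozenset(allowed_roles), rotate_after_use)
        self._entries[account] = entry
        self._target.set_password(account, entry.password)   # vault and target start in sync
    def rotate(self, account):
        entry = self._entries[account]
        entry.password, entry.version = generate_password(), entry.version + 1
        self._target.set_password(account, entry.password)   # push the new secret to the host
        self.access_log.append(("rotated", account, "system", entry.version))
    def open_session(self, account, user, role):
        """Authenticate to the target on the user's behalf; the secret never leaves the vault."""
        entry = self._entries.get(account)
        if entry is None or role not in entry.allowed_roles:   # RBAC check before any retrieval
            self.access_log.append(("denied", account, user, None))
            return False
        ok = self._target.login(account, entry.password)
        self.access_log.append(("checkout", account, user, entry.version))
        if ok and entry.rotate_after_use:
            self.rotate(account)          # the password just used is now invalid at the target
        return ok
```

The log records the credential version, not the secret, so it can be shipped to a SIEM without leaking anything.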
How KeeperPAM secures password vaulting and automates rotation
KeeperPAM enables users to securely share account access without exposing credentials. Shared access can be indefinite or time-limited, including one-time shares and shares that self-destruct after a specified period. Once access expires, the credentials can be automatically rotated. KeeperPAM gives IT and security teams complete control over which users can share credentials and files. By ensuring that only authorized users can initiate shares, organizations can prevent data loss and more easily adhere to compliance regulations.
KeeperPAM’s zero-knowledge security architecture ensures completely secure password vaulting. Keeper cannot access anything within user vaults, and no traffic is routed through Keeper’s network, ensuring total data privacy. No one, not even Keeper employees, can access or decrypt user vault data.
KeeperPAM’s automated password rotation allows administrators to discover, manage and rotate credentials for service or administrator accounts throughout their enterprise data environments. Keeper’s centralized vaulting and password rotation feature aligns with the zero-trust model by ensuring credentials are not persistently accessible and that all access is verified and monitored.
6. Protects your entire organization, not just IT
Some PAM products on the market today are designed solely to protect IT administrators, DevOps personnel and other privileged users. However, it is critically important to secure all users within your organization, not just those with privileged access. This means you would have to deploy both a PAM solution and a general IAM solution – then manage and maintain both products. This creates more work for your IT and security teams and makes it more difficult to ensure that internal policies and controls are applied consistently across your entire user base.
KeeperPAM was made to secure your entire user base
With KeeperPAM, all organizations need to do is deploy the Keeper Vault to all of their users for complete coverage. KeeperPAM provides role-based, least-privilege access control tailored to job functions. This allows organizations to streamline user access while maintaining robust security policies, reducing administrative tasks for IT teams and friction for end users.
KeeperPAM is easy for everyone in your organization to use. It doesn’t require users to have line-of-sight access to the infrastructure or the Keeper Gateway. Just deploy the Keeper web vault to your users, and everything is fully embedded, with no desktop installation or agents required.
Choose KeeperPAM as your organization’s PAM solution
KeeperPAM is the first-ever solution to bring critical PAM functionality into a cloud vault that provides secure access to your entire user base – not just your IT department. As a fully cloud-native platform, KeeperPAM consolidates vaulting, secrets management, connection management, zero-trust access and remote browser isolation in a unified interface.
Schedule a KeeperPAM demo to learn more about Keeper’s proactive approach to securing access and unifying management for all your critical resources.