In late 2019, attackers silently infiltrated SolarWinds' software build system, planting a backdoor into routine updates that went undetected for months. By 2020, the attack had escalated dramatically, with compromised updates reaching over 18,000 organisations worldwide, including UK government suppliers and US federal agencies (GAO, 2021). They did not hack the front door. They walked through it using stolen privileged credentials.
This is not just a problem for large corporations. The UK's National Cyber Security Centre (NCSC) consistently identifies privileged access abuse as one of the top attack vectors targeting British businesses, public sector organisations and critical national infrastructure (NCSC, 2023).
We are a group of cybersecurity students based in the United Kingdom (UK), and in this article we break down Privileged Access Management (PAM) in plain English: what it is, how it works, and why understanding it could be the most important thing you learn this year.
So, what exactly is PAM?
PAM makes sure that the most "powerful" accounts can only be used by the right people, at the right time, and only for the specific tasks they are allowed to perform.
It does this by controlling access, monitoring activity and shutting down anything that looks risky or unexpected.
A good way to think of it might be as follows:
PAM acts like a bouncer for the most dangerous accounts: domain admins, database admins, root and cloud super-users.
It enforces least privilege in practice (meaning users only get the minimum access they need to do their job, nothing more).
It records and audits privileged actions, so if something goes wrong, you know who did what, and when.
A practical example of this is WengHR, a real-world HR management platform built for small and medium-sized businesses (SMEs). It handles sensitive data such as employee PII, attendance records, leave history, payroll metadata, and billing information, and it uses role-based access across ADMIN, HR_MANAGER, OBSERVER, and EMPLOYEE accounts. Without Privileged Access Management (PAM), a compromised ADMIN account could export workforce records, manipulate approvals, alter structures, or even delete tenant data in a single action, leading to privacy breaches, legal exposure, financial loss, and operational disruption. With PAM in place, every privileged action is monitored and logged, giving clear visibility into who did what and when, so security teams can investigate quickly and contain threats before they escalate.
PAM is important because it protects the most powerful accounts in any system. If an attacker compromises a normal user account, the damage they can do is limited; but if they get hold of an admin account, they can take over everything. PAM prevents that escalation.
Simply put, PAM is the gatekeeper for the keys to the kingdom.
PAM vs IAM: What's the difference?
Identity and Access Management (IAM) and Privileged Access Management (PAM) sound similar but serve different purposes.
IAM (Identity and Access Management) governs who a user is and what general resources they can access. It applies to every employee, contractor, or system identity. It validates identity using credentials and enforces access policies across apps, files, and systems.
PAM (Privileged Access Management) is a subset of IAM that focuses on accounts with elevated permissions: admins, IT staff, executives and service accounts. These accounts can make system-level changes or access sensitive data, so PAM adds stricter controls and monitoring.
A Simple Analogy: Think of a Large Office Building
IAM is the reception desk and ID badge system: it verifies who you are, issues you a badge, and determines which floors and rooms you can access.
PAM is the secure vault room with biometric scanners, CCTV and a time-locked door: it protects the most critical assets with additional layers of security beyond a standard badge.
Consider a Nigerian fintech company using a core banking platform. IAM verifies that a user is a valid Finance Manager and grants them access to the system. PAM then determines whether that Finance Manager can approve bulk transactions above a certain threshold, export customer account data, or modify interest rates. Every privileged action is logged, timestamped and auditable. This matters particularly in the Nigerian context, where the Central Bank of Nigeria (CBN) and the Nigeria Data Protection Act place strict obligations on financial institutions to control and monitor access to sensitive customer data (NDPA, 2023).
*How the Three Pillars Work Together*
None of these pillars work in isolation. In November 2019, attackers compromised the Rouen University Hospital (CHU de Rouen) in France. They gained access to a Domain Controller and manually spread ransomware across the network using privilege escalation through Active Directory (AD). Within hours, approximately 6,000 computers across five hospital sites were paralysed. Medical staff were forced to revert to pen, paper and telephone for prescriptions, admissions and patient records (ANSSI, 2020).
The attack succeeded because no single pillar of PAM was functioning effectively: there was no Process to review privileged access, no Technology enforcing least privilege on the Domain Controller, and no People-led oversight to detect the escalation before it was too late.
Remove any one pillar and the system breaks. Technology without Process means no one reviews access. Process without Technology means no enforcement. Technology and Process without People means no one understands why it matters.
*Why Does Privileged Access Management (PAM) Matter?*
In May 2021, attackers gained access to Colonial Pipeline's systems in the United States through a single legacy VPN account belonging to a former employee. The account was inactive, had never been deprovisioned, and had no Multi-Factor Authentication (MFA) enabled. The breach forced the company to shut down operations, cutting off 45% of the fuel supply to the US East Coast for six days, triggering state-wide emergencies and widespread panic buying. Colonial Pipeline paid a ransom of 4.4 million US dollars in Bitcoin, approximately 2.3 million of which was later recovered by the FBI (CISA, 2023; Turton and Mehrotra, 2021).
The attack was not just a technology failure. It was a failure of all three PAM pillars simultaneously. Process failed because the account was never deprovisioned when the employee left. Technology failed because MFA was not enforced on external access points. People failed because the panic-driven response led to shutting down the physical pipeline out of fear the IT breach would spread to operational systems.
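The Process and Technology failures described above can be checked for routinely. The following is an added example, not part of the original article: it audits an account inventory for enabled accounts whose owner has left, remote access without MFA, and long inactivity. The inventory rows, field names and 90-day threshold are constructed assumptions.

```python
from datetime import date

# Constructed sample inventory (not real data): one row per account.
ACCOUNTS = [
    {"name": "vpn-jdoe", "enabled": True, "owner_active": False,
     "mfa": False, "remote_access": True, "last_login": date(2020, 11, 3)},
    {"name": "adm-asmith", "enabled": True, "owner_active": True,
     "mfa": True, "remote_access": True, "last_login": date(2021, 4, 28)},
    {"name": "svc-backup", "enabled": True, "owner_active": True,
     "mfa": False, "remote_access": False, "last_login": date(2021, 4, 30)},
    {"name": "vpn-old", "enabled": False, "owner_active": False,
     "mfa": False, "remote_access": True, "last_login": date(2019, 1, 9)},
]

STALE_AFTER_DAYS = 90  # assumed policy threshold


def audit_account(acct, today):
    """Return the list of findings for one account (empty list = clean)."""
    if not acct["enabled"]:
        return []  # a disabled account has already been deprovisioned
    findings = []
    if not acct["owner_active"]:
        findings.append("ORPHANED: owner has left, account never deprovisioned")
    if acct["remote_access"] and not acct["mfa"]:
        findings.append("NO_MFA: remote access without multi-factor authentication")
    if (today - acct["last_login"]).days > STALE_AFTER_DAYS:
        findings.append("STALE: no login in over %d days" % STALE_AFTER_DAYS)
    return findings


def audit(accounts, today):
    """Map account name -> findings, keeping only accounts with findings."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, today)
        if findings:
            report[acct["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(ACCOUNTS, date(2021, 5, 1)).items():
        for finding in findings:
            print(name, "->", finding)
```

Run on a schedule against the real identity store, a report like this turns the deprovisioning and MFA reviews into something that is enforced rather than remembered.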
PAM allows organisations to grant elevated permissions strictly on a need-to-use basis. Nobody holds permanent admin rights they do not actively need. The diagram below illustrates exactly how this works in practice.
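The need-to-use model can also be shown in code. The following is an added example, not part of the original article and not WengHR's code: an ADMIN receives a short, approved grant for one action, the grant expires on its own, and every decision lands in an audit log. The action names, user names, second-person approval rule and 15-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Hypothetical action names; "ADMIN" is the role named in the article.
PRIVILEGED_ACTIONS = {"export_workforce", "delete_tenant"}


class JitPam:
    """Time-boxed elevation: no standing admin rights, every decision logged."""

    def __init__(self):
        self.grants = {}     # (user, action) -> expiry time
        self.audit_log = []  # (timestamp, user, action, outcome)

    def _log(self, now, user, action, outcome):
        self.audit_log.append((now.isoformat(), user, action, outcome))

    def request(self, user, role, action, approver, now, minutes=15):
        """Grant one action for a short window, only with someone else's approval."""
        ok = (role == "ADMIN" and action in PRIVILEGED_ACTIONS
              and approver is not None and approver != user)
        if ok:
            self.grants[(user, action)] = now + timedelta(minutes=minutes)
        self._log(now, user, action, "GRANTED" if ok else "REQUEST_DENIED")
        return ok

    def perform(self, user, action, now):
        """Allow the action only while an unexpired grant exists."""
        expiry = self.grants.get((user, action))
        allowed = expiry is not None and now < expiry
        if expiry is not None and not allowed:
            del self.grants[(user, action)]  # expired grants are removed
        self._log(now, user, action, "ALLOWED" if allowed else "BLOCKED")
        return allowed


def demo():
    """Walk one constructed session; return the decisions and the audit log."""
    pam, t0 = JitPam(), datetime(2026, 4, 14, 9, 0)
    results = [
        pam.perform("ada", "export_workforce", t0),                  # no grant yet
        pam.request("ada", "ADMIN", "export_workforce", "ada", t0),  # self-approval
        pam.request("ada", "ADMIN", "export_workforce", "ben", t0),  # approved
        pam.perform("ada", "export_workforce", t0 + timedelta(minutes=5)),
        pam.perform("ada", "export_workforce", t0 + timedelta(minutes=20)),  # expired
    ]
    return results, pam.audit_log
```

Denied requests and blocked attempts are logged as well as successes, so the audit trail answers who did what and when even for actions that never went through.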
Privileged access abuse is not a distant threat reserved for large corporations or government agencies. As we have seen from SolarWinds to Colonial Pipeline to Rouen University Hospital, the consequences of unmanaged privileged accounts are real, costly and far-reaching. Whether you are a student just entering the field, a developer building platforms like WengHR, or a decision-maker in a Nigerian fintech or a British public sector organisation, understanding PAM is no longer optional. It is foundational. The question is not whether your organisation needs Privileged Access Management. The question is whether you will implement it before or after an attacker forces your hand.
References
ANSSI (2020) Ransomware attacks: all organisations concerned. Agence Nationale de la Sécurité des Systèmes d'Information. Available at: https://messervices.cyber.gouv.fr/documents-guides/anssi-guide-ransomware_attacks_all_concerned-v1.0.pdf (Accessed: 14 April 2026).
CISA (2023) 'The Attack on Colonial Pipeline: What We've Learned and What We've Done Over the Past Two Years', Cybersecurity and Infrastructure Security Agency. Available at: https://www.cisa.gov/news-events/news/attack-colonial-pipeline-what-weve-learned-what-weve-done-over-past-two-years (Accessed: 14 April 2026).
CyberArk (n.d.) What is PAM? Privileged Access Management Definition. Available at: https://www.cyberark.com/what-is/privileged-access-management/ (Accessed: 14 April 2026).
Fortinet (2023) What is Privileged Access Management (PAM)? Available at: https://www.fortinet.com/uk/resources/cyberglossary/privileged-access-management (Accessed: 14 April 2026).
GAO (2021) 'SolarWinds Cyberattack Demands Significant Federal and Private Sector Response', United States Government Accountability Office. Available at: https://www.gao.gov/blog/solarwinds-cyberattack-demands-significant-federal-and-private-sector-response-infographic (Accessed: 14 April 2026).
Microsoft (2025) What is Privileged Access Management (PAM)? Available at: https://www.microsoft.com/en-us/security/business/security-101/what-is-privileged-access-management-pam (Accessed: 14 April 2026).
NCSC (2023) Use Privileged Access Management. Available at: https://www.ncsc.gov.uk/collection/secure-system-administration/use-privileged-access-management (Accessed: 14 April 2026).
NDPA (2023) Nigeria Data Protection Act 2023. Available at: https://placng.org/i/wp-content/uploads/2023/06/Nigeria-Data-Protection-Act-2023.pdf (Accessed: 14 April 2026).
Shastri, V. (2024) What is Privileged Access Management (PAM)? CrowdStrike. Available at: https://www.crowdstrike.com/en-us/cybersecurity-101/identity-protection/privileged-access-management-pam/ (Accessed: 14 April 2026).
Turton, W. and Mehrotra, K. (2021) 'Hackers Breached Colonial Pipeline Using Compromised Password', Bloomberg. Available at: https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password (Accessed: 14 April 2026).
About the Authors
This article was researched and written collaboratively by The Packet Sniffers, a group of cybersecurity practitioners based in the United Kingdom committed to making security knowledge accessible to everyone.
Canis Breal Ouambo, Matt Wood, Tom Simpson and Jamie Barlow


