Skip to main content

Skillber v1.0 is here!

Learn more

PAM Architecture

Checking access...

PAM architecture defines how privileged access management components are deployed, integrated, and scaled across the enterprise. A well-designed PAM architecture balances security (least privilege, segmentation) with operational requirements (availability, performance, user experience).

This page covers the key architectural patterns, decisions, and integration points for enterprise PAM deployments.

PAM Deployment Models

Tier 1: Basic Credential Vaulting

The simplest PAM architecture — a central vault stores privileged credentials, and administrators check them out on demand.

Admin ──→ Vault (credential checkout) ──→ Target System

Best for: Small organisations (< 500 employees), basic compliance requirements. Limitations: No session monitoring, no JIT, no proxy.

Tier 2: Vault + Session Proxy

Adds a session proxy through which all privileged sessions are routed, recorded, and monitored.

Admin ──→ Vault (credential checkout) ──→ Session Proxy ──→ Target System
Recording
Monitoring

Best for: Mid-size organisations (500-5000 employees), SOX/PCI compliance. Limitations: No JIT, limited automation.

Tier 3: Full PAM Platform

Integrates vaulting, session management, JIT access, discovery, and governance into a unified platform.

Admin ──→ PAM Portal (request access) ──→ Approval Workflow ──→ JIT Elevation ──→ Session Proxy ──→ Target
│ │ │ │
Vault Approval AD group Recording
(credential storage) Engine membership Engine

Best for: Large enterprises (5000+ employees), regulated industries, hybrid cloud.

Tier 4: Zero Standing Privileges

No user has permanent privileged access. All privilege is ephemeral, JIT-approved, and automatically expires.

Admin ──→ JIT Request ──→ Approval ──→ Temporary Elevation ──→ Time-bound Session ──→ Auto-De-escalation
(no standing (workflow) (15 min-4 hours) (monitored) (privilege
privs) removed)

Best for: Mature security programs, Zero Trust architectures, high-risk environments.

PAM Tiering Model (Microsoft Enterprise Access Model)

Microsoft defines a tiering model for privileged access that is widely adopted:

TierSystemsAccess RequirementsPAM Controls
Tier 0Identity systems (AD, Azure AD, PKI, CA)Extreme — highest securityDedicated PAW, FIDO2 MFA, no internet, session recording all access
Tier 1Server infrastructure (hypervisors, file servers, databases)High — server administrationPAW recommended, MFA required, JIT access, session recording
Tier 2User workstations and devicesStandard administrationMFA required, least privilege, application allowlisting

Tiering rule: Administrators in Tier 0 can manage Tier 0, Tier 1, and Tier 2. Administrators in Tier 1 can only manage Tier 1 and Tier 2. Administrators in Tier 2 can only manage Tier 2.

    flowchart TD
    subgraph Tier0["Tier 0 — Identity Systems"]
        AD[Active Directory]
        AAD[Azure AD]
        CA[Certificate Authority]
    end
    subgraph Tier1["Tier 1 — Server Infrastructure"]
        HyperV[Hypervisors]
        SQL[Database Servers]
        FS[File Servers]
    end
    subgraph Tier2["Tier 2 — User Workstations"]
        WK[Workstations]
        APP[Line-of-Business Apps]
    end
    T0Admin[Admin] -->|Can manage| Tier0
    T0Admin -->|Can manage| Tier1
    T0Admin -->|Can manage| Tier2
    T1Admin[Admin] -->|Can manage| Tier1
    T1Admin -->|Can manage| Tier2
    T2Admin[Admin] -->|Can manage| Tier2
  

High Availability Architecture

Vault HA Deployment

┌─────────────────────┐
│ Load Balancer │
│ (VIP / DNS) │
└──────┬──────────────┘
┌───────────────┼───────────────┐
│ │ │
┌─────┴─────┐ ┌─────┴─────┐ ┌─────┴─────┐
│ Vault │ │ Vault │ │ Vault │
│ Node 1 │ │ Node 2 │ │ Node 3 │
│ (Primary) │ │ (Replica) │ │ (Replica) │
└─────┬─────┘ └─────┬─────┘ └─────┬─────┘
│ │ │
└───────────────┼───────────────┘
┌─────┴─────┐
│ Database │
│ (HA/DR) │
└───────────┘

HA requirements:

  • Minimum 3 vault nodes for production
  • Active-passive or active-active configuration
  • Database cluster (SQL Server Always On, PostgreSQL Patroni)
  • Geographic redundancy for DR (active in primary region, passive in secondary)
  • Automatic failover with RTO < 5 minutes, RPO < 1 minute

Integration Patterns

IAM Integration

IntegrationPurposeMethod
Identity feedSynchronise user accounts and groups from IAM to PAMSCIM, LDAP sync, API
SSO to PAM portalUsers authenticate to the PAM system using their corporate identitySAML 2.0, OIDC
RBAC for PAMMap IAM roles to PAM access policiesRole mapping, group-based access
HR integrationAutomatically deprovision PAM access when employee terminatesHR system → IAM → PAM

SIEM Integration

Data TypeForwarding MethodUse Case
Vault access logsSyslog, Splunk HEC, CEFWho accessed which credential when
Session metadataSyslog, APISession start, end, duration, source/dest
Command logsSyslog, file forwarderWhat commands were executed during privileged sessions
Alert eventsSyslog, email, webhookPolicy violations, suspicious activity
Session recordingsAPI or file shareOn-demand retrieval of recorded sessions for investigation

ITSM Integration

IntegrationMethodBenefit
Ticket-based accessPAM validates change ticket before granting elevationEnsures all privileged access is authorised
Auto-approvalPAM approves elevation request when ticket status is “Approved”Reduces manual approval friction
Post-session updatePAM updates change ticket with session details after completionComplete audit trail from request to execution

Architecture Decision Framework

DecisionOn-PremisesCloud / SaaSHybrid
Vault locationData centreVendor cloudSplit
Session proxyOn-prem jump hostsCloud proxyBoth
Managed targetsOn-prem serversCloud resourcesAll
HA strategyActive-passiveMulti-AZMulti-region
ComplianceFull controlVendor complianceSplit responsibility
Operational overheadHighLowMedium
LatencyLow (local)Variable (internet)Variable
Best forAir-gapped, regulatedCloud-native, small teamsLarge enterprises

Tip

Most enterprises should adopt a cloud-first PAM architecture — deploy the PAM control plane (vault, session proxy) in the cloud, with on-premises agents/bridges for legacy systems that cannot connect to the cloud. This provides the best balance of operational efficiency and comprehensive coverage.

PAM Sizing Guidelines

MetricSmall (< 500 users)Medium (500-5000)Large (5000-50000)Enterprise (50000+)
Managed accounts100-500500-50005000-5000050000+
Concurrent sessions5-1010-5050-200200-1000
Vault nodes1 (no HA)2-33-55+
DatabaseEmbeddedDedicated serverClusteredGeo-distributed
Storage (recordings)500 GB1-5 TB5-50 TB50+ TB
Dedicated PAM teamPart-time (0.5 FTE)1-2 FTEs3-5 FTEs5+ FTEs

Key Takeaways

  • PAM architecture spans four maturity tiers: basic vaulting → vault + proxy → full platform → zero standing privileges
  • The Microsoft Enterprise Access Model tiers systems (Tier 0: identity, Tier 1: infrastructure, Tier 2: workstations) — administrators in a higher tier can manage lower tiers but not vice versa
  • High-availability architecture requires 3+ vault nodes, clustered database, and geographic redundancy with RTO < 5 minutes
  • PAM integrates with IAM (identity sync, SSO, RBAC), SIEM (log forwarding, alerts, recordings), and ITSM (ticket validation, auto-approval, session updates)
  • Architecture decisions (on-prem vs cloud vs hybrid) balance compliance, operational overhead, latency, and coverage — cloud-first is recommended for most enterprises
  • PAM sizing depends on managed accounts, concurrent sessions, and storage requirements — scale from embedded database (small) to geo-distributed cluster (enterprise)