9 Privileged Access Management Best Practices

Privileged accounts are your biggest security risk, period. When attackers get admin credentials, they don't just break in - they own your entire environment. At Multiplier, we've built our privileged access management (PAM) approach from the trenches of IT service management. I'm sharing nine of our top PAM security measures below, and they'll work whether you're new to privileged access management or want to beef up your current implementation. But first, let's talk about privileged accounts.

What Actually Counts as Privileged Accounts These Days?

Privileged accounts are any accounts whose compromise would cause significant damage: they can reach sensitive resources and modify nearly everything in your company's IT systems.

Domain admins, database admins, cloud platform administrators, the obvious stuff. But aside from human users, you also have service accounts connecting applications, API keys with admin permissions sitting in old repositories, and integration accounts that basically have access to your critical systems and sensitive data.

Imagine these getting into the wrong hands. Absolute catastrophe.

PAM is simply the set of security controls you apply to those privileged accounts.

Step one to creating a secure environment is conducting an inventory of all privileged accounts.

1. Hunt Down All Accounts with Elevated Access

List every privileged account, especially those with access to your sensitive systems and critical resources. They include, but are not limited to:

  • Network device admin credentials
  • Identity provider admins
  • Service accounts
  • Emergency/break-glass accounts
  • Application administrator accounts
  • CI/CD pipeline accounts with deployment capabilities
  • Former contractor accounts still active in identity systems
  • API keys and service tokens with IT admin access
  • SSH keys with root access
  • Certificate and encryption key administrators
  • Backup system administrator accounts
  • Privileged accounts with access to your operating systems
  • Directory service admin accounts
  • Root accounts
  • Privileged remote access accounts

Don't just scan your Identity Provider and call it done. Dig into your JSM request history to find access that was granted but never revoked. You'll be shocked how many former vendors and employees still have elevated permissions months after their contracts ended.
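
As an added example (not code from the original post or from Multiplier), here is the reconciliation this step describes: an identity-provider export is checked against ticket history so that privileged accounts with an ended contract, no recent sign-in, or a temporary grant that expired without revocation get flagged. The record shapes, role names and sample accounts are constructed for illustration and do not reflect any real IdP or JSM API.

```python
"""Reconcile privileged accounts from an IdP export against access grants.
Sample data is constructed inline; field names are assumptions."""
from datetime import date

# Roles treated as privileged (assumed; extend for your environment)
PRIVILEGED_ROLES = {
    "Global Administrator", "Domain Admins", "AWS AdministratorAccess",
    "Okta Super Administrator", "root", "Deploy",
}
TODAY = date(2024, 6, 1)   # fixed so the example is deterministic
STALE_DAYS = 90            # privileged account unused this long is suspect

# Constructed IdP export: one record per identity (humans, service accounts, keys)
IDP_ACCOUNTS = [
    {"id": "alice", "type": "human", "roles": ["Global Administrator"],
     "last_login": date(2024, 5, 30), "end_date": None},
    {"id": "bob-contractor", "type": "human", "roles": ["AWS AdministratorAccess"],
     "last_login": date(2024, 1, 10), "end_date": date(2024, 2, 1)},
    {"id": "svc-backup", "type": "service", "roles": ["Domain Admins"],
     "last_login": date(2023, 11, 2), "end_date": None},
    {"id": "ci-deploy-key", "type": "api_key", "roles": ["Deploy"],
     "last_login": date(2024, 5, 31), "end_date": None},
    {"id": "carol", "type": "human", "roles": ["Okta Super Administrator"],
     "last_login": date(2024, 5, 29), "end_date": None},
    {"id": "dave", "type": "human", "roles": ["Reader"],
     "last_login": date(2024, 5, 29), "end_date": None},
]

# Constructed ticket history: approved grants, some of them temporary
JSM_GRANTS = [
    {"ticket": "IT-1001", "user": "carol", "role": "Okta Super Administrator",
     "expires": date(2024, 3, 15)},          # should have been revoked
    {"ticket": "IT-1042", "user": "alice", "role": "Global Administrator",
     "expires": None},                        # approved as permanent
]


def is_privileged(account):
    return any(r in PRIVILEGED_ROLES for r in account["roles"])


def find_findings(accounts=IDP_ACCOUNTS, grants=JSM_GRANTS, today=TODAY):
    """Return {account_id: [reasons]} for privileged accounts that need action."""
    findings = {}

    def flag(acct_id, reason):
        findings.setdefault(acct_id, []).append(reason)

    # Grants whose approved window has already closed
    expired_grants = {(g["user"], g["role"]): g["ticket"] for g in grants
                      if g["expires"] is not None and g["expires"] < today}

    for acct in accounts:
        if not is_privileged(acct):
            continue  # only privileged accounts are in scope here
        if acct["end_date"] is not None and acct["end_date"] < today:
            flag(acct["id"], "contract ended %s but account still active" % acct["end_date"])
        if (today - acct["last_login"]).days > STALE_DAYS:
            flag(acct["id"], "no login in %d+ days" % STALE_DAYS)
        for role in acct["roles"]:
            ticket = expired_grants.get((acct["id"], role))
            if ticket:
                flag(acct["id"], "%s granted via %s expired but never revoked" % (role, ticket))
    return findings


if __name__ == "__main__":
    for acct_id, reasons in sorted(find_findings().items()):
        print(acct_id)
        for r in reasons:
            print("  -", r)
```

The stale-login check deliberately covers service accounts and API keys as well as humans: a Domain Admin service account that has not authenticated in months is either dead weight or a backdoor, and either way it should not keep its privileges.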

2. No Shared Accounts - One Admin, One Account

Shared accounts are a classic weak point in your organization's security posture. They're attractive targets, and when one is abused there's no way to tell which of the people holding the password did it. That needs to stop today.

A cornerstone of PAM best practices is one named account per administrator: each person who performs privileged actions or accesses sensitive information across your tech stack does it from their own account, and no privileged credential is shared between people.

When you eliminate shared accounts, you prevent privilege creep and enforce accountability for secure access. When someone makes unauthorized changes to your Azure configuration at midnight, you need to know exactly who did it, not guess which of seven people might have used the shared credential.

3. Get Your Credentials Into a Vault

Admin credentials don't belong in spreadsheets, Slack messages, or sticky notes. When someone leaves the company, you shouldn't be scrambling to figure out what they had access to.

A password vault gives you central storage for all privileged credentials - from your Entra ID Global Admin password to the root SSH keys for your servers. It lets you control who can use those credentials, when, and for what systems.

It also helps you automatically rotate passwords. When your AWS admin checks out the password, uses it, and checks it back in, the system should immediately change that password so even they can't use it again without going through the vault.
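
The check-out, use, check-in, rotate cycle just described, as an added example that is not the original post's code or any vault product's API: a minimal in-memory model in which a credential can be held by only one user at a time, for a bounded period, and is replaced the moment it is checked back in. In a real vault the rotation step would also push the new secret to the target system (the IAM user, the SSH authorized_keys file); that part is omitted here and the rotation simply generates a fresh random value.

```python
"""Minimal check-out/check-in credential vault that rotates on check-in.
Illustrative model only; the store is a dict and no real system is updated."""
import secrets
from datetime import datetime, timedelta, timezone


class CredentialVault:
    def __init__(self, clock=None):
        self._secrets = {}      # name -> current secret value
        self._checkouts = {}    # name -> (holder, expires_at)
        self._audit = []        # (event, name, user) tuples
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def store(self, name, value):
        self._secrets[name] = value

    def check_out(self, name, user, ttl_minutes=30):
        """Hand the secret to one user for a bounded time; refuse if someone holds it."""
        if name not in self._secrets:
            raise KeyError(name)
        holder = self._checkouts.get(name)
        if holder and holder[1] > self._clock():
            raise PermissionError(f"{name} is checked out by {holder[0]}")
        self._checkouts[name] = (user, self._clock() + timedelta(minutes=ttl_minutes))
        self._audit.append(("check_out", name, user))
        return self._secrets[name]

    def check_in(self, name, user):
        """Return the credential and immediately rotate it so the old value is dead."""
        holder = self._checkouts.get(name)
        if not holder or holder[0] != user:
            raise PermissionError(f"{user} does not hold {name}")
        del self._checkouts[name]
        old = self._secrets[name]
        # Rotation: a real vault would push this new value to the target system.
        self._secrets[name] = secrets.token_urlsafe(32)
        self._audit.append(("check_in_rotate", name, user))
        return old != self._secrets[name]

    def current(self, name):
        return self._secrets[name]

    def audit_log(self):
        return list(self._audit)


if __name__ == "__main__":
    vault = CredentialVault()
    vault.store("aws-root", "old-password")          # constructed sample secret
    pw = vault.check_out("aws-root", "alice")        # alice gets the current value
    vault.check_in("aws-root", "alice")              # value rotated on return
    print("rotated:", vault.current("aws-root") != pw)
    print(vault.audit_log())
```

The time limit on a check-out matters as much as the rotation: a credential that is checked out and never returned would otherwise stay valid indefinitely, so an expired hold should be treated as abandoned, rotated, and investigated.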

4. Require MFA From All Privileged Users - No Exceptions

Multi-Factor Authentication requires users to provide two or more verification factors to gain access to a system, rather than just a password.

Common MFA implementations include:

  • Authenticator apps that generate time-based codes (Google Authenticator, Microsoft Authenticator)
  • Push notifications to a registered mobile device
  • Hardware security keys
  • SMS or email codes (though these are considered less secure)
  • Biometric verification (fingerprint, face recognition)

Configure Okta, Entra ID, and Google Workspace to require MFA for all administrator accounts. Set up MFA on your JSM instance for anyone who can approve access requests. For JumpCloud administrators, enforce the strongest authentication methods available.

Don't create backdoors while you're tightening password policies. If an account can manage privileges, it needs MFA. Period.

5. Implement Just-In-Time Access with Least Privilege

Permanent admin access is a security nightmare waiting to happen. Instead, combine two powerful approaches: just-in-time access and least privilege.

Just-in-time means access to your cloud infrastructure exists only when needed.

Someone troubleshooting a production issue gets access for 4 hours, not forever. When the time's up, permissions disappear automatically - no more forgotten access hanging around for months.

Sharing our complete guide to just in time access here if you'd like to learn more about the concept.

The principle of least privilege means they get exactly what they need, nothing more.

Your database admin doesn't need AWS console access. Your front-end developer doesn't need production database write permissions. Stop handing out god-mode access for routine tasks.

JSM doesn't have these capabilities built in, but you can still enforce it using tools like Multiplier.

After installing Multiplier in your Jira instance, you can set up your JSM workflows to handle this automatically. When someone submits a request for elevated permissions, they have to specify:

  • Which specific system they need access to
  • What exact permissions they need
  • How long they need it for
  • Why they need it (with a real business justification)

This should also be connected to your identity providers like Entra ID, JumpCloud, or Okta. When JSM approves temporary access, it should trigger role assignment in your identity system with automatic cleanup afterward.

The payoff is massive: smaller attack surface, better audit trails, and fewer standing privileges that attackers can exploit.

6. Closely Monitor Privileged Access and Log Everything

If you're not watching user activities and privileged sessions like a hawk, you're inviting data breaches. Hope isn't a cybersecurity strategy. Detailed session tracking for privileged account activity is.

When someone uses Entra ID admin privileges at 2am on a Saturday, you want to know about such access - especially if they're normally a 9-5 weekday employee.

Configure alerts for user activities with suspicious behavior like:

  • Off-hours admin activity (that Okta admin change at 3AM deserves investigation)
  • Unusual location-based access (admin logging in from another country)
  • Privilege escalation (regular user suddenly added to admin groups)
  • Mass changes (modifying permissions for dozens of users at once)
  • Unusual access patterns (HR admin accessing finance systems)

For anything touching production data or infrastructure, record the entire session. Don't settle for knowing someone logged into your database - see every query they ran. That "minor schema update" might actually be someone extracting customer data.

Pipe these logs into your security tools. When something suspicious happens, you need to trace it back to the specific ticket, the business justification, and the person who approved it.

This visibility does two things: it makes people think twice before abusing privileges (amazing how behavior improves when actions are logged), and it gives you the evidence you need when things go sideways.
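
As an added example, not part of the original post, here are the first four alert categories from the list above expressed as detection rules and run over a handful of constructed audit events. The event shape is a simplified, vendor-neutral one and every field name, threshold and sample actor is an assumption; the "unusual access pattern" category is left out because it needs a per-user baseline that a static rule cannot supply.

```python
"""Detection rules for privileged-activity alerts over constructed audit events."""
from collections import defaultdict
from datetime import datetime, timezone

ADMIN_GROUPS = {"Global Administrators", "Domain Admins", "Okta Super Admins"}
HOME_COUNTRY = "US"
BUSINESS_HOURS = range(8, 18)     # 08:00-17:59; weekends are always off-hours
MASS_CHANGE_THRESHOLD = 20        # permission edits by one actor within one hour

# Constructed sample events; timestamps are UTC and stand in for local time.
# 2024-06-01 is a Saturday, 2024-06-03 a Monday, 2024-06-04 a Tuesday.
EVENTS = [
    {"ts": "2024-06-01T03:12:00Z", "actor": "okta-admin@corp", "action": "policy.update",
     "target": "mfa-policy", "country": "US", "system": "okta"},
    {"ts": "2024-06-03T10:05:00Z", "actor": "alice@corp", "action": "group.add_member",
     "target": "Global Administrators", "member": "dave@corp", "country": "US", "system": "entra"},
    {"ts": "2024-06-03T11:00:00Z", "actor": "alice@corp", "action": "login",
     "target": "-", "country": "BR", "system": "entra"},
]
# A burst of 25 role assignments by one actor inside a single hour
EVENTS += [
    {"ts": "2024-06-04T14:%02d:00Z" % (i % 60), "actor": "svc-sync@corp", "action": "role.assign",
     "target": "user-%d@corp" % i, "country": "US", "system": "entra"}
    for i in range(25)
]
PERMISSION_EDITS = {"role.assign", "role.remove", "group.add_member"}


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def rule_off_hours(ev):
    t = parse(ev["ts"])
    return t.hour not in BUSINESS_HOURS or t.weekday() >= 5


def rule_foreign_login(ev):
    return ev["action"] == "login" and ev["country"] != HOME_COUNTRY


def rule_privilege_escalation(ev):
    return ev["action"] == "group.add_member" and ev["target"] in ADMIN_GROUPS


def detect(events):
    """Return (rule, actor, detail) alerts; mass changes are counted per actor and hour."""
    alerts = []
    per_actor_hour = defaultdict(int)
    for ev in events:
        if rule_off_hours(ev) and ev["action"] != "login":
            alerts.append(("off_hours_admin_change", ev["actor"], ev["action"]))
        if rule_foreign_login(ev):
            alerts.append(("foreign_login", ev["actor"], ev["country"]))
        if rule_privilege_escalation(ev):
            alerts.append(("privilege_escalation", ev["actor"],
                           ev["member"] + " -> " + ev["target"]))
        if ev["action"] in PERMISSION_EDITS:
            key = (ev["actor"], parse(ev["ts"]).strftime("%Y-%m-%dT%H"))
            per_actor_hour[key] += 1
    for (actor, hour), n in per_actor_hour.items():
        if n >= MASS_CHANGE_THRESHOLD:
            alerts.append(("mass_change", actor, "%d permission edits in hour %s" % (n, hour)))
    return alerts


if __name__ == "__main__":
    for rule, actor, detail in detect(EVENTS):
        print(rule, actor, detail)
```

Each alert carries the actor, which is what lets you walk back from the event to the JSM ticket and approver; a rule that only says "something changed at 3AM" without naming who did it is not actionable.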

7. Regularly Review Access Rights and Privileged Activity

People change roles. Projects end. Contractors leave. But their admin access often sticks around forever if you don't check those privileged accounts.

To clean this up, you need to conduct regular access reviews as part of your privileged access management implementation.

By the way, one of the most important privileged access management best practices is to ditch your spreadsheets. They're clunky and get outdated fast. Instead, connect your identity systems directly to your review process so you can pull real-time access data.

Make privileged access reviews dead simple

The more friction in your review process, the less effective it will be. Most systems make revoking access a multi-step process across different admin consoles. Fix this by:

  • Sending JSM tickets that spell out exactly what each person has access to
  • Using plain language like "Can reset all user passwords" instead of cryptic role names
  • Making revocation one-click - if it's complicated, it won't happen

Start with what matters

Not all access carries the same risk. A Global Admin in Entra ID can take over your entire environment, while a Billing Reader in Azure can only view cost reports. Prioritize accordingly:

  • Review critical admin access monthly (identity providers, cloud platforms)
  • Check everything else quarterly
  • Pay extra attention to contractor and vendor accounts

Use privileged access management automation tools

Manual processes inevitably fail when people get busy or change roles themselves. Build a sustainable process by automating user access reviews. Some easy wins with big impact:

  • Set up recurring review schedules
  • Send nagging reminders to managers who ignore reviews
  • Keep an audit trail of who reviewed which user accounts and when

Don't worry about getting everything perfect right away. Even basic reviews are far better than none. Just start with your most important systems and expand from there as you get more comfortable with the process.

As you mature, you can automate more of this process and make it more sophisticated.

8. Apply Role-Based Access Control Through App Catalogs

Role-based access is just assigning permissions based on job function instead of random one-off requests. It's essential for PAM because it prevents privilege sprawl and kills those vague "give me admin access" tickets.

And by "catalogs," I mean packaging permissions based on what a user needs to do. Some general examples:

  • "Network Admin" gets firewall access, switch configuration, but not server admin rights
  • "Database Admin" gets database management tools without OS-level access
  • "Security Analyst" gets log visibility across systems without change permissions

This works for any organization, regardless of your specific tools. Whether you're using Active Directory, Entra ID, JumpCloud, or Okta, the principle is the same - define the role, then assign the exact permissions needed.

Build these in your identity system first, then put them in your service catalog as one-click options. When someone needs privileged access, they request a specific role package instead of vague admin rights.

Role changes become easy too. When someone moves teams, remove the old role package and add the new one. No more permission accumulation where admins keep access from previous positions.

This approach cuts down admin overhead and slashes your attack surface at the same time. It works whether you have 50 employees or 50,000.
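
The request flow from the just-in-time section (system, permissions, duration, justification, then automatic cleanup) and the role packages from this section fit together in one small broker. The example below is added here and is not Multiplier's, JSM's, or any identity provider's code: a request must name a package from the catalog rather than raw permissions, the duration is capped, a justification is required, effective permissions are computed only from unexpired grants, and a sweep revokes whatever has run out. Catalog contents, the maximum TTL, and the ticket fields are assumptions.

```python
"""Just-in-time grant broker issuing time-boxed role packages from a catalog.
Illustrative only; an integration would call the IdP's role-assignment API
where this model updates a dict."""
from datetime import datetime, timedelta, timezone

# Role catalog: a package name maps to the exact permissions it carries (assumed)
ROLE_CATALOG = {
    "network-admin":    {"firewall:write", "switch:config"},
    "database-admin":   {"db:manage", "db:backup"},
    "security-analyst": {"logs:read", "siem:search"},
}
MAX_TTL = timedelta(hours=8)        # longest grant the workflow will approve
MIN_JUSTIFICATION_CHARS = 20        # crude guard against "need access pls"


class JitBroker:
    def __init__(self, clock=None):
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.active = {}   # (user, role) -> expiry
        self.audit = []    # (event, user, role, ticket)

    def request(self, user, role, hours, justification, ticket):
        """Validate the required fields, then issue a grant that expires on its own."""
        if role not in ROLE_CATALOG:
            raise ValueError(f"unknown role package {role!r}; request a catalog role, not raw permissions")
        ttl = timedelta(hours=hours)
        if ttl <= timedelta(0) or ttl > MAX_TTL:
            raise ValueError(f"duration must be positive and at most {MAX_TTL}")
        if len(justification.strip()) < MIN_JUSTIFICATION_CHARS:
            raise ValueError("a real business justification is required")
        expiry = self.clock() + ttl
        self.active[(user, role)] = expiry
        self.audit.append(("grant", user, role, ticket))
        return expiry

    def permissions(self, user):
        """Effective permissions right now: only unexpired packages count."""
        now = self.clock()
        perms = set()
        for (u, role), expiry in self.active.items():
            if u == user and expiry > now:
                perms |= ROLE_CATALOG[role]
        return perms

    def sweep(self):
        """Automatic cleanup: revoke every grant whose clock has run out."""
        now = self.clock()
        expired = [key for key, exp in self.active.items() if exp <= now]
        for user, role in expired:
            del self.active[(user, role)]
            self.audit.append(("revoke", user, role, None))
        return len(expired)


if __name__ == "__main__":
    broker = JitBroker()
    broker.request("alice", "database-admin", 4,
                   "Investigating replication lag on prod-db-2, see INC-77", "IT-2001")
    print(broker.permissions("alice"))   # the package's permissions, nothing more
    print(broker.sweep())                # 0 until the four hours are up
```

Because permissions() is derived from the catalog at read time rather than stored per user, there is nothing to accumulate: a person who moves teams loses the old package's permissions the moment that grant is removed or expires, which is the "no permission accumulation" property described above.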

9. Create Break-Glass Procedures

"But what about emergencies?"

That's always the excuse to keep standing admin rights. Without a clear break-glass process, you'll never kill those 24/7 admin accounts.

Apps like Multiplier solve this with automated emergency access management. A user requests emergency access through JSM, gets fast approval, and gains temporary admin rights that automatically disappear when the crisis is over.

Key elements of emergency access management

  • Predefined emergency scenarios with appropriate access levels
  • Accelerated approval workflows that can happen in seconds, not hours
  • Strict time limits with auto-revocation of privileged access
  • Full audit trails for compliance requirements
  • Immediate notifications to security teams

Create dedicated emergency accounts as well. These aren't normal admin accounts - they only exist for emergencies and stay inactive until needed. Set them up in your directory service, cloud platforms, and critical apps with full but heavily audited privileges. They exist for the case where your normal sign-in path is broken, so if you exclude them from the federated IdP, MFA device, or conditional-access policies that an outage could take down, compensate for it: protect them with a long, randomly generated password stored offline under dual control, and alert on every sign-in, because legitimate use should be rare and always tied to a ticket.

Don't forget to test your break-glass access management procedures, at least quarterly. Run drills where you simulate system failures and practice activating emergency access.

Start Securing Your Privileged Credentials

A good PAM program isn't about having strict access controls on paper. It's an ongoing process that balances operational efficiency with the privileged access management practices above.

On that note, the PAM implementations that actually stick are the ones that plug straight into your ITSM processes.

When privileged access requests flow through JSM alongside other IT services, you get better visibility, more consistent enforcement, and less user frustration across your entire organization.

Not sure where your privileged access management gaps are? Start a 14-day free trial of Multiplier's JSM integration and secure your first three critical privileged accounts.

Be sure to book a demo so our team can help you configure everything for your environment.

About the author

Amaresh Ray

Amaresh Ray is co-founder of Multiplier, an IT automation tool built for Jira Service Management trusted by organizations such as Indeed, Opengov and National Geographic.

Amaresh previously served on the Jira Service Management team at Atlassian, where he gained extensive expertise in IT service management and workflow automation.
