Privileged Access Management (PAM) Archives

SSH Session Logging and Authentication Logging Are Not the Same Control.

A security incident investigation is three days in. A privileged user accessed a production database server on a Tuesday afternoon. Something changed on that server that caused a downstream service failure two days later.

The authentication log shows the login event. Username, timestamp, source IP, session duration. 23 minutes. The session ended cleanly. Nothing else is in the record.

The investigation needs to know what SQL queries were run. Which tables were accessed. Whether any schema changes were made. Whether any data was exported. None of that is in the log. The record proves the user was there. It cannot prove what they did while they were there.

The scope of the incident cannot be determined. The remediation cannot be confirmed as complete. The finding goes into the report as inconclusive.

This is not an unusual outcome. It is the default outcome in environments where privileged session governance means authentication logging without SMART Audit Trails. And it is increasingly a compliance gap as well as an operational one.

What Authentication Logs Capture and What They Do Not

Authentication logs record the events at the boundary of a session: the login event with actor identity, timestamp, source IP, MFA method used, and authentication outcome. The session termination event with timestamp and duration. In some implementations, the target system and protocol.

What authentication logs do not capture: commands executed during an SSH session, SQL queries run during a database session, files accessed or modified, configuration changes made, RDP screen activity, Kubernetes kubectl commands. All of this happens inside the session, after the authentication event.

The distinction matters because authentication logs and SMART Audit Trails are used for different purposes. Authentication logs are useful for access certification, anomalous authentication pattern detection, and confirming that access occurred. They feed directly into the MFA failure and login metrics APIs discussed in previous blogs in this series.

SMART Audit Trails are useful for post-incident investigation, compliance evidence production, and insider threat detection. They answer a different question: not whether access occurred, but what happened during the access.

What ISO 27001:2022 and SOC 2 Actually Require

ISO 27001:2022 Annex A Control A.8.15

Control A.8.15 requires that event logs recording user activities, exceptions, faults, and information security events are produced, stored, protected, and analysed. The specific language is user activities. A login event is not a user activity. The commands the user ran during the session, the queries they executed, the files they accessed: those are user activities. A.8.15 requires the latter. An authentication log satisfies the access record requirement at the session boundary. It does not satisfy the activity record requirement for what occurred inside the session. SMART Audit Trails satisfy this second requirement.

The 2022 revision of the standard also strengthened the protection requirement for event logs. Control A.8.15 specifies that log facilities and log information shall be protected against tampering and unauthorised access. For SMART Audit Trail recordings, this means they must be stored in a location the privileged user who ran the session cannot access or modify, regardless of their privilege level on the target system.

SOC 2 Trust Services Criteria CC7.2

SOC 2 CC7.2 requires that the organisation monitors system components and the operation of those controls for anomalous behaviour. Monitoring for anomalous behaviour in a privileged session requires SMART Audit Trail recordings. A login timestamp does not tell you whether the session contained anomalous commands.

The evidence standard for CC7.2 in a SOC 2 audit increasingly includes demonstrating that session-level monitoring is in place for privileged access, not just that authentication events are logged.

PCI-DSS Requirement 10

PCI-DSS Requirement 10.2 requires implementing audit logs to reconstruct activities for all individual user access to cardholder data and all actions taken by any individual with root or administrative privileges. For database sessions on systems containing cardholder data, this explicitly requires query-level logging, not authentication-level logging.

How AkkuReka Implements SMART Audit Trail Recording

AkkuReka is the session proxy component within Akku PAM. All privileged sessions are routed through AkkuReka rather than connecting directly to the target system. This proxy position means AkkuReka operates at the protocol layer between the authenticated user and the target, which is where the SMART Audit Trail data is generated.

SSH Sessions

For SSH sessions, AkkuReka captures a complete keystroke log per command, timestamped at the protocol level. Every command typed, every output returned, every file path referenced. The recording is structured per command as a discrete event with its own timestamp, making it searchable by command string rather than requiring review of a continuous recording.

Database Sessions

For MySQL and PostgreSQL sessions, AkkuReka captures both a screen recording and a structured SQL query log as part of the SMART Audit Trail. Each query is stored as a discrete record with execution timestamp, query text, and result metadata.

For financial services organisations where PCI-DSS, RBI, and SEBI compliance requires evidence of database access at the query level, this is the specific evidence type those frameworks are asking for. The authentication log confirms who logged in. The SQL query log confirms what they did once connected.

RDP and Kubernetes Sessions

For RDP sessions, AkkuReka captures full screen recordings at a configurable frame rate. For Kubernetes cluster access via kubectl, AkkuReka captures both a session event recording and a command log for kubectl operations. Kubernetes access is one of the most commonly excluded infrastructure categories from PAM deployments. The kubectl command log closes the same governance gap for container orchestration that SSH keystroke logging closes for Linux servers.

The Outbound Worker Architecture

AkkuReka uses an outbound worker model. A lightweight worker process is deployed in the same network segment as the target systems. The worker initiates an outbound TLS 1.3 connection to the Akku cloud platform. No inbound ports are required on target systems or firewalls. No agent installation. No SSH configuration changes. Target systems require no modification.

For ITeS and BPO organisations where target systems include client-managed infrastructure that cannot be modified, and for manufacturing organisations with OT-adjacent infrastructure where agent installation is operationally constrained, the agentless outbound worker model means session recording coverage can extend to systems that would be excluded from an agent-based architecture.

Tamper Evidence and Storage

SMART Audit Trail recordings are stored encrypted using AES-256-GCM in Akku’s audit storage layer. The storage is append-only. Recordings cannot be modified or deleted after they are written. The privileged user who ran the session has no access to the recording layer regardless of their privilege level on the target system. Even a user with root access on a Linux server cannot modify their recording because it is written to Akku’s audit storage at the proxy layer, outside the scope of any privilege the user holds on the target.

What to Check in Your Current Privileged Access Environment

For each category of privileged session in your environment, answer this question: if a privileged user ran a command during a session last Tuesday that caused a problem, how many minutes would it take your security team to identify the specific command, the specific session, and confirm attribution to a specific individual?

If the answer requires accessing logs on the target system itself, and the user who ran the session had the ability to modify those logs, the evidence integrity is compromised before the investigation starts.

For Linux servers, check whether SSH sessions are being captured in SMART Audit Trails beyond the standard auth.log authentication events. For database servers, check whether query-level logging is enabled and whether those logs are stored in a tamper-evident location outside the database server itself.

See AkkuReka Session Proxy Architecture | Explore Akku PAM | Talk to the Akku Team

Questions Security and Compliance Teams Ask About Privileged Session Logging

Q: What is the technical difference between an authentication log and a SMART Audit Trail?

A: An authentication log records events at the session boundary: the login event with actor identity, timestamp, source IP, MFA method, and authentication outcome, and the session termination event with timestamp and duration. It records that access occurred. A SMART Audit Trail records what happened during the session: every command executed, every query run, every file accessed, every configuration change made. ISO 27001 A.8.15 requires both: the authentication record for access accountability and the activity record for user activity logging. Most privileged access environments have built the first and not the second.

Q: What is the storage format for AkkuReka SMART Audit Trail recordings?

A: SSH keystroke logs are stored as structured text with per-command timestamps, searchable by command string across all sessions in a time period. RDP recordings are stored as compressed video at the configured frame rate. Database session recordings include both a screen capture and a structured SQL query log where each query is a discrete record with execution timestamp, query text, and result metadata. All recordings are encrypted at rest with AES-256-GCM and accessible through the Akku admin console or API under RBAC-controlled access.

Q: Does AkkuReka require any agent installation or configuration changes on target systems?

A: No. AkkuReka uses an outbound worker model. The worker process is deployed on a separate host in the same network segment as the target systems. Target systems require no modification, no agent installation, and no configuration changes. The only requirement is that the AkkuReka worker has network access to target systems on their native protocol ports and outbound HTTPS on port 443 to the Akku cloud.

Q: How does AkkuReka protect SMART Audit Trail recordings from tampering by the privileged user?

A: AkkuReka records sessions at the proxy layer, outside the target system and outside the user’s access scope. A user with root access on a Linux server cannot modify their recording because it is not stored on the target. The storage is append-only and tamper-evident by design.

Q: How does SMART Audit Trail recording support compliance with PCI-DSS Requirement 10?

A: PCI-DSS Requirement 10.2 requires logging of all individual user access to cardholder data and all actions by individuals with root or administrative privileges. For database sessions in the cardholder data environment, this requires SQL query-level logging. AkkuReka’s structured SQL query log for MySQL and PostgreSQL sessions captures each query as a discrete record with execution timestamp and query text, directly satisfying the Requirement 10.2 evidence standard.

Q: What is the forensic search capability for SSH session recordings?

A: AkkuReka indexes SSH session recordings by command string and timestamp. An investigator querying for a specific command across all sessions in a defined time window receives the sessions where the command appeared, the exact timestamp, and a link to the playback position. An investigation that would require reviewing hours of recordings can be completed through a command string query in minutes.

MFA Verified the User. Nobody Verified the Device.

Your user authenticated this morning. They presented the right credentials. They completed the MFA challenge. Your access control system granted the session.

Here is what your authentication stack evaluated during that process: the identity of the person requesting access.

Here is what it did not evaluate: the security posture of the device they used to request it.

Whether the device was enrolled in any management system. Whether the OS had been patched in the last four months. Whether endpoint protection was running. Whether the device had been compromised. Whether it was a personal phone with no corporate security policy applied to it at all.

For most MFA deployments, none of these questions is part of the authentication decision. And in environments with distributed workforces, BYOD, and high-turnover teams, that gap is not a minor implementation detail. It is a structural exposure that exists at scale, every day, across every session that passes through an authentication layer designed to verify identity, but not endpoint security posture.

Why MFA Is an Identity Assertion, Not a Device Health Assertion

This distinction is worth being precise about because it is frequently misunderstood at the architecture level.

When a user authenticates with an OTP-based second factor, whether TOTP through an authenticator app, SMS OTP, or a push notification, the verification confirms one thing: that the person authenticating has access to the enrolled second factor at that moment. It confirms possession of a device or account associated with the enrolled factor. It says nothing about the security state of the device making the authentication request.

Certificate-based device authentication is different. When a device certificate is presented during authentication, the certificate is issued to a specific enrolled device, and the authentication proves that the request originated from a device holding that certificate. This is closer to device verification, but it still does not confirm the current security posture of the device. A certificate-enrolled device can be compromised, out of compliance with OS patching, or running prohibited applications. The certificate is present. The device may not be safe.

Genuine device verification requires something different: a real-time check of the device’s compliance state against defined policy criteria at the point of every access request. Not a check that was performed during enrollment and cached. A current check at the moment of the session. This is the principle behind zero-trust access security applied specifically to the endpoint layer.

The Environments Where This Gap Is Most Consequential

The device verification gap matters everywhere, but it is most consequential in specific environments because of how work actually happens in them.

ITeS and BPO organisations handling client financial, healthcare, or legal data operate under contractual obligations that specify data handling requirements at the endpoint level. A client contract that requires corporate-managed devices for accessing client data is violated the moment a team member accesses that data from a personal, unmanaged phone, regardless of whether their authentication credentials are valid. The authentication layer does not enforce the contract. A device compliance check does.

The ITeS and BPO industry in India handles some of the most sensitive data in the world on behalf of international clients. The workforce is large, distributed, and high-turnover. Remote work is the default for many roles. The probability that a significant portion of daily access happens from unmanaged personal devices is not theoretical. It is the operational reality. This is precisely what making your BYOD policy more secure means in practice: not a stricter policy document, but a technical control that enforces the policy at the access layer.

Healthcare organisations accessing Electronic Health Records face DPDPA obligations around how patient data is accessed at the device layer. An unmanaged device with no remote wipe capability that accesses patient records creates a data protection exposure that MFA does not address. If that device is lost or stolen, the data accessed during its last session has no technical protection once the authentication session is closed. Remote Security and Data Wipe through Akku MDM allows IT to remove work profile data without affecting personal content, but only from devices that were enrolled and managed in the first place.

Financial services firms under RBI and SEBI oversight face specific endpoint security requirements in the frameworks governing their cybersecurity posture. Unmanaged devices accessing trading systems, customer account data, or financial records represent a documented compliance gap in an audit context.

What Device Compliance Verification Actually Requires at the Architecture Level

Closing the device verification gap requires the access decision to incorporate device state, not just identity state. At the architecture level, this means the session proxy or access control layer must be able to query the device management system for the current compliance status of the requesting device before granting access.

The check needs to evaluate specific, configurable criteria. Device enrollment status in the MDM system. OS version compliance against minimum requirements. Endpoint protection status. Screen lock policy compliance. Data transfer restrictions. These are not binary enrolled or not enrolled checks. They are policy-based compliance evaluations against criteria the organisation defines through Device and Access Policy Enforcement.

The access decision then reflects both identity verification and device compliance. An authenticated user on a non-compliant or unenrolled device is denied access, not because their identity is invalid, but because the device through which they are authenticating does not meet the policy requirements for the data they are trying to access.

How Akku MDM and AkkuReka Enforce This Together

Akku MDM provides the device management and compliance layer. Device enrollment, policy application, and compliance monitoring are managed centrally from a single console across Android and iOS devices. The platform enforces specific device policies, including passcode requirements, screen capture restrictions, camera and microphone governance, and USB and Bluetooth data transfer controls through Device and Access Policy Enforcement. Application governance is handled through App Governance and Whitelisting, ensuring users can only access approved applications on managed devices.

For BYOD environments, Work Profile Isolation separates corporate applications and data from personal applications on Android devices, with enforced boundaries that prevent cross-profile data movement. Corporate data remains under IT control even on personally owned devices. If a device is lost or compromised, Remote Security and Data Wipe allows IT to remove work profile data without affecting personal content.

The compliance verification connects directly into the AkkuReka session proxy and the broader Akku access control layer through the Security Hardening and Zero-Trust Posture framework. When a session is requested, AkkuReka evaluates identity through Akku IAM, device compliance through the MDM system, and contextual factors, including IP, location, and time of day, through Contextual Access Control. A device that fails the MDM compliance check is blocked before the session opens, regardless of whether MFA is passed.

The adaptive MFA layer adds behavioural anomaly detection on top of device compliance verification. The system evaluates the context of every access request against the user’s established patterns. When a request deviates from normal behaviour, such as a new device, an unexpected location, or an unusual time of day, the system escalates the authentication challenge even if the device is enrolled and compliant. Identity verification, device compliance, and contextual behaviour work together as a unified zero-trust verification chain rather than as independent checks.

The same policy engine governs both SaaS application access and privileged server access through Akku PAM. An employee authenticating to a business application and an administrator requesting a privileged server session both pass through the same device compliance check. The policy is consistent across the entire access surface. For teams that need to work from any location securely, the work from anywhere use case covers how device compliance enforcement integrates with the broader remote access security model.

For organisations building out a BYOD security posture, the BYOD security use case covers how device enrollment, work profile isolation, and policy enforcement work together in practice. For teams managing compliance obligations under GDPR, HIPAA, NIS2, or DORA alongside DPDPA, the compliance use case page covers how Akku’s controls map to each framework’s specific access and endpoint requirements.

The Questions Worth Asking About Your Current Setup

Look at the access requests that came through your authentication system in the last thirty days. For each one, answer honestly.

Do you know whether those requests originated from managed, enrolled devices or from personal devices with no corporate security policy applied?

If a device used to access corporate data in that period was lost or stolen today, what data accessed during its last session would be exposed, and what technical control would limit that exposure?

For your ITeS or healthcare teams accessing client or patient data from home: is there a technical mechanism verifying device compliance before access is granted, or is the BYOD policy a document that relies on user compliance?

If your organisation underwent a DPDPA or ISO 27001 audit next month and the auditor asked you to demonstrate that access to personal data is limited to compliant, managed devices, what evidence would you produce?

If any of those questions produced a gap rather than a clear answer, the device verification layer in your access architecture is carrying exposure that MFA alone is not designed to close.

See How Akku MDM Works | See How Akku Enforces Zero-Trust at Every Session | Talk to the Akku Team

Questions IT and Security Teams Ask About Device Verification and MFA

Q: Why does passing MFA not mean the device is secure?

A: MFA verifies identity. It confirms that the person authenticating has access to the enrolled second factor at that moment. It does not evaluate the security posture of the device making the authentication request. An OTP challenge confirms possession of an authenticator app or phone number. It says nothing about whether the device is enrolled in an MDM system, running a compliant OS version, protected by endpoint security software, or in a compromised state. Identity verification and device health verification are separate technical checks that require separate mechanisms.

Q: What is the difference between device enrollment status and device compliance status?

A: Enrollment status confirms that a device is registered in the MDM system and subject to management. Compliance status confirms that the device currently meets the specific policy criteria defined through Device and Access Policy Enforcement: OS version, passcode strength, endpoint protection active, and prohibited applications absent. A device can be enrolled but non-compliant if it has fallen out of policy since enrollment. Genuine device verification checks compliance state at the point of every access request, not just at enrollment.

Q: How does Work Profile Isolation protect corporate data on personally owned BYOD devices?

A: Work Profile Isolation on Android devices creates a separate, isolated container for corporate applications and data. Applications within the work profile cannot share data with personal applications. Copy and paste between profiles is restricted. Files from the work profile cannot be shared externally through personal applications. Corporate data remains under IT control within the work profile boundary. If the device is lost, IT can remotely wipe the work profile data through Remote Security and Data Wipe without affecting the user’s personal data.

Q: What happens technically when a non-compliant device attempts to access corporate resources through Akku?

A: When a session is requested, AkkuReka evaluates the compliance status of the requesting device through the MDM system as part of the zero-trust verification chain. If the device fails the compliance check, regardless of whether MFA passed, AkkuReka denies the session before it opens. The event is logged. No session is created. No data is accessible.

Q: What compliance frameworks specifically reference endpoint or device-level access controls?

A: ISO 27001 Annex A control A.6.2 covers mobile device policy and teleworking requirements, including device management. The RBI Cybersecurity Framework specifies endpoint security requirements for BFSI organisations. DPDPA requires data fiduciaries to implement appropriate technical measures to protect personal data, which regulators interpret as including endpoint controls for devices accessing personal data. HIPAA’s Physical Safeguard requirements at 45 CFR 164.310 include workstation use and device controls. Akku’s approach to meeting these requirements is covered on the compliance use case page.

Server Access Isn’t All-or-Nothing. The Organisations Treating It That Way Have a Problem.

When you give someone SSH access to a Linux server, what exactly have you given them?

Think about that carefully before answering. Because the instinct is to say “access to do the thing they were brought in to do.” But what the SSH session actually provides, absent any command-level restrictions, is an interactive shell with whatever privileges the account carries. That is not the same thing. Not even close.

A developer given SSH access to restart a service has, in the same session, the technical ability to read log files, navigate the file system, view running processes, install packages if the account permits it, modify configuration files, and run any command the system allows for that user. The restart-the-service use case is a one-liner. The SSH session is a general-purpose compute environment.

Most organisations know this is true and treat it as acceptable risk. This blog explains why that calculation is wrong, and what enforcing least privilege at the command level actually looks like technically.

Where the Principle of Least Privilege Stops Short in Most Environments

Least privilege is well understood as a principle and inconsistently applied as a control. At the application layer, role-based access control is reasonably mature in most organisations. Users have the permissions their role requires, and access is reviewed periodically. At the server layer, the model collapses.

The reason is architectural. SSH provides an authenticated shell. Once the shell opens, what the user can do is governed by the Unix permission model on the target system, not by any IAM policy. The IAM system verified the identity. It has no further influence over what happens inside the session.

This means privileged access management that stops at session authentication is not enforcing least privilege. It is enforcing authenticated access, which is a different and weaker control. If you want to understand the full scope of what PAM is supposed to cover, the PAM explained blog covers the complete framework, including where session-level controls fit within the broader privileged access architecture.

There are two common approaches organisations use to address this within the Unix permission model, and both have significant limitations in enterprise environments.

sudo policy files. Restricting commands through the sudoers file on each target server is technically viable but operationally brittle. Every change to the permitted command set requires an update to the sudoers file on every affected server. In environments with dozens or hundreds of servers, this creates a configuration management burden that leads to inconsistency. Servers end up with different policies because updates are applied inconsistently. Over time, the gap between what the policy says and what is actually enforced on each server grows.

The deeper problem is that sudoers management happens at the server layer, disconnected from the identity and access management system. When a user’s role changes or they leave the organisation, the sudoers entries do not automatically update. This is the same offboarding gap that automated provisioning and de-provisioning address at the application layer, but misses entirely at the server layer when PAM is not in place.

Restricted shells. Rbash and similar restricted shell environments limit certain operations within the shell itself. They are easy to escape in ways that are well documented, and they are not a serious control in environments where the user has any technical sophistication.

Neither approach gives you what you actually need: per-user, per-server command restrictions managed centrally, enforced at the session layer, and connected to your IAM system so that changes propagate automatically.

What Happens When the Restriction Model Breaks Down

The risk is not abstract. Consider a third-party vendor brought in to perform database maintenance on a production server. They need to connect to the database service, run specific diagnostic queries, and restart a process if needed. The IT team grants SSH access to the relevant server.

During the session, the vendor is working on the task they were given. But nothing technical prevents them from exploring the file system, reading application configuration files that may contain connection strings for other systems, viewing the contents of log files that include user activity or transaction data, or running commands outside the scope of their engagement.

Most vendors would not do this deliberately. But the risk is not primarily deliberate misuse. It is the combination of accidental exposure and the absence of any audit evidence that would surface it. If the session produces only a login and logout timestamp, there is no record of what was accessed or explored. The SMART Audit Trails capability in Akku PAM closes this specific gap, capturing every command executed during an SSH session with a precise timestamp. But audit trails tell you what happened after the fact. Granular Access Control prevents what should not happen in the first place.

When a compliance audit asks you to demonstrate that your third-party vendor had access scoped to their specific task, an SSH session with no command restrictions and no command-level audit log does not satisfy that requirement. Not under ISO 27001 Annex A.9, not under DPDPA’s data processor governance requirements, not under the RBI Cybersecurity Framework’s privileged access monitoring requirements. For manufacturing organisations managing contractor access to OT-adjacent systems, or financial services firms operating under SEBI’s CSCRF, this is a documented audit gap, not a theoretical concern.

What Command-Level Restriction Actually Requires at the Architecture Level

Effective command-level restriction needs to satisfy three technical requirements simultaneously.

The restriction must be enforced at the session layer, not the server layer. Configuration on the target server is operationally unsustainable at scale and disconnected from the IAM system. The session proxy is the correct enforcement point because it sees every command before execution and has access to the identity and policy context.

The restriction must be per user per server. The same user on different servers may require different permitted command sets. Different users on the same server may require different permitted commands. A flat policy that applies the same restrictions to everyone on a given server does not map to real operational requirements.

The restriction must be connected to the identity system so that policy changes, role changes, and offboarding propagate automatically without a separate remediation step at the server layer.

How Akku PAM Enforces This

Granular Access Control in Akku PAM allows administrators to define a permitted command list for each user on each SSH server, configured from the Akku Admin Console. Different users on the same server can have different permitted command sets. The same user on different servers can have different permissions.

Enforcement happens at the AkkuReka session layer. When the user executes a command inside the SSH session, it is checked against their permitted list in real time before execution on the target server. If the command is permitted, it executes normally. If it is not on the list, it is blocked at the point of execution, regardless of the user’s underlying system privileges on the server. This requires no agent on the target server and no changes to the server configuration.

Because enforcement happens at AkkuReka rather than the server layer, changes to permitted command lists propagate immediately across every server in scope. There is no sudoers file to update, no configuration management job to run, no inconsistency between servers.

SMART Audit Trails capture every command executed during the session, including every command that was attempted and blocked, with a precise timestamp. The combination of Granular Access Control and SMART Audit Trails provides two things neither delivers alone: technical enforcement of the intended access scope, and a complete logged record of how that scope was used. Both are exportable as compliance evidence for ISO 27001, RBI, DPDPA, SOC 2, and PCI-DSS requirements.

The just-in-time access layer adds another dimension on top of command-level restriction. Rather than granting standing SSH access that persists indefinitely, JIT access means elevated access is requested, approved through a configurable chain, granted for the duration of the task, and automatically revoked when the session ends. When you combine JIT access with Granular Access Control, the result is privileged access that is time-bounded, scope-bounded, and command-bounded simultaneously.

The security hardening and zero-trust posture layer applies across every session that AkkuReka governs: adaptive MFA, MDM device compliance enforcement, IP and location restrictions, and time-of-day policies. The same policy engine that governs access to your SaaS applications governs access to your servers. There is no separate security posture for infrastructure versus applications.

When an employee or contractor is offboarded from Akku IAM, their infrastructure access is revoked immediately through AkkuReka. The permitted command lists are irrelevant at that point because the session proxy will not open a session for a deprovisioned identity. There is no separate step at the server layer.

For organisations with third-party vendor access to production infrastructure, Granular Access Control enables a specific capability that is otherwise architecturally difficult to achieve: contractors and vendors can be given SSH access scoped precisely to the tasks they need to perform, with a technical boundary preventing them from exceeding that scope. This is directly relevant for ITeS and BPO organisations managing vendor access to client environments, and for manufacturing organisations where third-party maintenance contractors regularly need server access scoped to specific operational tasks.

Before You Move On

Pull the sudoers configuration from three production servers in your environment. For each server, answer these questions.

Does the current configuration accurately reflect the minimum commands each user requires for their current role, or does it reflect the configuration that was set up when the server was provisioned and has not been meaningfully reviewed since?

If a contractor completed their engagement six months ago and their account was disabled in Active Directory, do the sudoers entries on these servers still reference their account?

If a user exceeds their intended scope during an SSH session today, where in your current logging setup would that show up?

If the policy on these servers needed to change tomorrow, how many systems would you need to update manually, and how confident are you that the update would be applied consistently across all of them?

See How Akku PAM Granular Access Control Works | Talk to the Akku Team

Questions Infrastructure and Security Teams Ask About Command-Level Access Control

Q: Why is SSH access considered all-or-nothing even when role-based access control is in place at the application layer?

A: RBAC at the application layer controls what users can do within applications. SSH access operates at the operating system layer, below the application. Once an SSH session is open, the user has an interactive shell governed by Unix file permissions and sudo policies on the target server, not by any IAM policy. The IAM system verified the identity at the point of authentication and has no further influence inside the session. Least privilege at the application layer and least privilege at the server layer are two separate and independent controls.

Q: What are the limitations of using sudoers files to restrict commands?

A: The sudoers approach works in principle but fails operationally at scale. Every change to the permitted command set requires updating the sudoers file on every affected server individually. In environments with dozens or hundreds of servers, this creates configuration drift where the effective policy on each server diverges from the intended policy over time. Sudoers management is also disconnected from the IAM system, meaning that role changes and offboarding do not automatically propagate to server-level command restrictions. AkkuReka enforces command restrictions centrally at the session proxy layer, eliminating both the configuration drift problem and the IAM disconnection problem.

Q: How does command-level restriction differ from session recording?

A: Session recording captures what happened. Command-level restriction prevents what should not happen. Recording tells you after the fact that a user ran a command they were not supposed to run. Restriction blocks the command before it executes. SMART Audit Trails handle recording. Granular Access Control handles restrictions. Together, they provide enforcement plus forensic evidence.

Q: Does command-level restriction require installing an agent on target servers?

A: Akku PAM’s Granular Access Control does not require any agent on target servers and no changes to server configuration. Enforcement happens at the AkkuReka session proxy layer, which intercepts every command before it reaches the target server. The server receives only commands that passed the permitted list check.

Q: How are permitted command lists managed when contractors or third-party vendors need temporary access?

A: Permitted command lists are configured per user per server from the Akku Admin Console. For a contractor engagement, the administrator creates a list specific to that contractor on the specific servers they need to access. Just-in-time access can be layered on top, so the access is also time-bounded. When the engagement ends, and the contractor’s IAM identity is deprovisioned from Akku IAM, AkkuReka stops opening sessions for that identity immediately. No separate cleanup of server-level configurations is required.

Your Server Credentials Are a Liability. Most IT Teams Already Know It.

When did you last rotate the root password on your most critical production server?

Not when it was scheduled. Not when the policy says it should have been. When it actually happened, with a documented record, and with every system that depended on that credential updated at the same time.

If that question made you pause, you are not alone. And the pause itself is the problem, because an attacker or an auditor is not going to wait for you to work out the answer.

Most infrastructure teams carry this risk quietly. Not because they are careless, but because the operational cost of rotating credentials manually across a production environment is high enough that it gets deferred, and deferred again, until the password that was set during initial provisioning is still running in production two years later.

This blog covers what that actually means at the infrastructure layer, where the failure modes are specific, where they hide, and what it takes to close them properly.

The Three Ways Static Credentials Fail, and None of Them Are Obvious Until Something Goes Wrong

SSH keys that outlive the people who hold them. Disabling an Active Directory account does not revoke SSH access on Linux servers. The two authentication systems operate independently. The server’s authorized_keys file holds public keys that are trusted for connection regardless of whether the corresponding identity is active in any directory service. Unless the public key is explicitly removed from authorized_keys on every target server, a former employee’s SSH key remains valid indefinitely after their AD account is disabled.

In environments with dozens or hundreds of servers, this removal step is almost never done consistently. The result is a standard offboarding process that appears complete, AD account disabled, email deactivated, VPN revoked, while SSH access to production infrastructure persists untouched. This is exactly the kind of gap that automated provisioning and de-provisioning is designed to eliminate, but only when the provisioning system is connected to the infrastructure access layer, not just the application layer.

Service account passwords embedded in configuration files. Database connection strings, API service accounts, and application configuration files frequently contain static credentials. Rotating them requires updating every instance simultaneously, testing that nothing breaks, and coordinating a deployment. The operational cost is high enough that most teams do it infrequently. The password that was set during the initial deployment is often the password running in production three years later, embedded in config files across multiple servers, known by everyone who has ever touched the deployment pipeline.

Jump server credential passthrough. In environments using a bastion host, the jump server frequently holds static credentials to target systems. The user authenticates to the jump server, and the jump server authenticates to the target using credentials stored in its own configuration. From the user’s perspective, access appears controlled. From a security perspective, the target credentials exist in plaintext in the jump server’s configuration, accessible to anyone who can extract them from memory during an active session or read them from the configuration store directly.

What a Credential Compromise Looks Like From the Inside, and Why It Is Hard to Detect

The incident does not start with an alert. It starts with an anomaly. A dataset that looks wrong. A configuration file that has been modified. A process running that was not there yesterday.

The investigation team pulls the access logs. They have authentication events: timestamps, source IPs, and session durations. What they do not have is command-level attribution within sessions. They can establish that a specific service account authenticated to a server during a specific window. They cannot establish what that account did once the session opened, because the logging was never configured at that depth.

This is the visibility gap that SMART Audit Trails address directly. Every SSH command executed during a privileged session is captured with a precise timestamp, automatically, tamper-proof, and searchable. But that audit trail only exists if the session ran through a governed proxy. Static credentials used through a jump server or direct SSH connection produce no such record.

The investigation then tries to attribute the service account to a specific individual. This is where static shared credentials produce their most damaging consequence. When a password has been held by multiple people over time, with no rotation log to establish which version was active at any given moment, the attribution chain collapses. The investigation cannot prove who was responsible. It cannot prove that an unauthorised party was involved either. It produces no conclusion.

For regulated organisations, this is not just an operational failure. The RBI Cybersecurity Framework requires privileged access monitoring and audit trails that support forensic investigation. DPDPA requires data fiduciaries to demonstrate accountability over access to personal data. ISO 27001 Annex A control A.9.4 requires that access to privileged utility programs is restricted and controlled. An inconclusive investigation is evidence that none of these controls were operating effectively.

What Actually Fixing This Requires at the Architecture Level

The answer is not a stricter password policy. A policy requiring 90-day rotation on a 200-server estate still depends on a person doing the work, updating every dependent system, and documenting the change. It fails the moment the person is unavailable, the process is skipped, or the dependency map is incomplete.

Closing this gap requires three things to be true simultaneously.

Credentials must be stored in a central encrypted vault with no local copies, no configuration file embeddings, and no human-readable form outside the vault itself. Every retrieval event must be logged.

Rotation must be automated and independent of human scheduling. The credential changes on a defined interval. The vault stores the new value. Every system that needs the credential retrieves it from the vault at runtime rather than holding a cached copy.

Credential injection must happen at the session layer, not the user layer. This is the architectural distinction most credential management tools miss. Giving a user a rotated password from a vault still gives the user a password. They can copy it, photograph it, or retain it after rotation. True credential security requires that the user never receives the credential at all. The zero-trust session proxy injects it directly into the connection at the protocol layer. The user connects. The credential exchange happens between the proxy and the target system. The user never sees it.

When these three layers work together, the credential never exists in human-accessible form at any point in the session lifecycle. This is the architecture behind enforcing zero-trust access security at the infrastructure level.

How AkkuArka and AkkuReka Implement This

AkkuArka is the credential vault and rotation engine at the core of Akku PAM. Every privileged credential across the infrastructure, server passwords, SSH keys, database credentials, service account passwords, is stored and encrypted centrally. There is no local credential storage, no per-server password management, and no credential distribution to endpoints.

Rotation is automated on a configurable schedule. When rotation runs, AkkuArka generates the new credential, updates the target system, stores the encrypted value in the vault, and invalidates the previous credential. No IT intervention required. No deployment coordination. No risk of a partially updated environment where some instances still hold the old credentials.

For database access, AkkuArka goes further than password rotation. Rather than rotating a shared service account password, it generates a unique throwaway user for every single database session. For PostgreSQL, MySQL, and MongoDB, a new role is created at the point of the access request, scoped with the minimum permissions required for that session. When the session closes, the role is dropped. There is no persistent shared database credential in any form. Every session is isolated by design. This is what just-in-time access looks like applied to credentials, not just sessions.

AkkuReka is the zero-trust session proxy that handles credential injection. When an administrator requests a session, AkkuReka verifies identity through Akku IAM, checks device compliance, evaluates contextual access policies including IP, location, and time of day, and checks approval status if a just-in-time workflow is configured. Only when all conditions are satisfied does AkkuReka open the session.

The credential injection happens at the protocol layer within AkkuReka. For SSH sessions, AkkuReka handles key injection transparently. The administrator opens a browser-based terminal through AkkuReka. The connection to the target server uses credentials retrieved from AkkuArka and injected into the SSH handshake. The administrator never sees the key. Every command executed in the session is captured with a precise timestamp through SMART Audit Trails, tamper-proof and searchable by user, command, server, or time window.

The offboarding gap closes automatically. When an employee is offboarded from Akku IAM, their access to all privileged systems is revoked at that moment. Because access is mediated through AkkuReka rather than direct SSH key authentication, removing the IAM identity terminates infrastructure access immediately. The authorized_keys file on target servers does not need individual updates. There is no window between HR offboarding and IT revocation where a departing employee retains live access.

This matters particularly for manufacturing organisations managing contractor access to OT-adjacent systems and financial services firms where RBI and SEBI audit obligations require documented credential lifecycle management. In both cases, the risk of a former employee or contractor retaining active server credentials is a compliance finding, not just a security concern.

If you want to understand how privileged access management fits into the broader infrastructure security framework, the PAM explainer on the Akku blog covers the full architecture in detail. For teams managing PAM across cloud and hybrid environments, specifically, the PAM in cloud and hybrid environments blog covers the deployment considerations that apply across mixed infrastructure estates.

The Four Questions Worth Asking Before You Move On

Pick your three most critical production servers and answer these honestly.

Can you produce a documented rotation record for every credential used to authenticate to these servers in the last ninety days?

For every authentication event in that period, can you show command-level attribution, not just which account connected, but what that account did inside the session?

If a former employee who left in the last twelve months attempted to authenticate using SSH keys they held before their departure, would the attempt succeed?

Are any service account passwords embedded in configuration files on these servers currently shared with other systems or individuals?

If any of those produced an uncertain answer, the gap between your current posture and what a forensic investigation or compliance audit requires is not theoretical. It is live, right now, in your infrastructure.

See How Akku PAM Works | Talk to the Akku Team

Questions Infrastructure and Security Teams Ask About Server Credential Management

Q: Why does disabling an Active Directory account not revoke SSH access to Linux servers?

A: SSH key-based authentication on Linux servers operates independently of Active Directory. The server’s authorized_keys file holds public keys trusted for authentication regardless of whether the corresponding identity is active in any directory service. Unless the public key is explicitly removed from authorized_keys on every target server, or unless SSH access is gated through a proxy like AkkuReka that enforces IAM state in real time, a disabled AD account does not affect SSH connectivity. This is the most common and least-discussed credential persistence gap in hybrid infrastructure environments.

Q: What is the technical difference between rotating a database password and using per-session throwaway users?

A: Password rotation changes a shared credential on a schedule. Every application, script, and service connecting to the database using that credential must be updated simultaneously, or the connection fails. Throwaway users solve the problem at a different layer. A unique database role is created for each session with permissions scoped to that task, then dropped when the session closes. For PostgreSQL, MySQL, and MongoDB, AkkuArka handles role creation and expiry automatically at the point of each session request.

Q: How does credential injection work at the SSH protocol layer without the user seeing the key?

A: When a session is opened through AkkuReka, the session proxy handles the SSH handshake to the target server directly. AkkuReka retrieves the current credential from AkkuArka, uses it to authenticate to the target on behalf of the session, and presents the user with a proxied terminal connection. The credential is used in the protocol exchange between AkkuReka and the target server. It is never transmitted to the user’s endpoint and never appears in the user’s session context.

Q: How are service account passwords embedded in application configuration files handled?

A: AkkuArka addresses this by becoming the credential source at runtime rather than at deployment time. Instead of embedding a static password in a configuration file, applications retrieve the current credentials from AkkuArka at the point of connection. When AkkuArka rotates the credential, the application automatically retrieves the new value on its next connection attempt. There are no stale configuration files holding old credentials, and no coordinated deployment is required when rotation occurs.

Q: What compliance frameworks specifically require privileged credential management controls?

A: ISO 27001 Annex A control A.9.4 requires restriction and control of access to privileged utility programs, including credential management. The RBI Cybersecurity Framework requires privileged access management controls covering credential governance and audit trails for scheduled commercial banks. DPDPA requires data fiduciaries to implement appropriate technical measures to protect personal data. SOC 2 Trust Services Criteria CC6.1 through CC6.3 cover logical access controls, including privileged account management. PCI-DSS Requirement 8 specifies rotation intervals and shared credential prohibitions. Akku PAM is built to satisfy all of these. See the compliance coverage on the Akku PAM page for the full breakdown.

Is Your PAM Solution Built on a Remote Desktop Gateway?

If you are currently evaluating Privileged Access Management solutions, there is a question worth asking the vendors in your shortlist: what is this product actually built on?

Not every PAM solution on the market was built from the ground up as a PAM platform. Some are remote desktop gateways with PAM features bolted on. Some are built on top of open-source tools like Apache Guacamole, a browser-based access gateway that was never designed for privileged access management.

That distinction matters more than most buyers realise. Here is why.

What Apache Guacamole Actually Is

Apache Guacamole is a free, open-source, clientless remote desktop gateway maintained by the Apache Software Foundation. It allows users to access servers via SSH, RDP, VNC, and Telnet through a web browser, with no client software installed.

It is a well-built tool for what it was designed to do: give administrators browser-based access to infrastructure without a VPN. Many IT teams deploy it as a jump server or bastion host. At zero licensing cost, it is an attractive starting point.

But it is a starting point, not a destination for organisations with real security or compliance requirements.

The Problem With Calling It PAM

The term Privileged Access Management describes a specific set of security controls: dynamic credential management, session approval workflows, adaptive multi-factor authentication, compliance-ready audit trails, and least-privilege enforcement. These are the capabilities auditors look for when they assess your PAM posture for SOC 2, ISO 27001, PCI-DSS, RBI, or DPDPA.

Apache Guacamole provides none of these natively.

It records sessions. It logs who connected and when. It can integrate with LDAP for authentication. But credentials are stored statically in its connection configuration, meaning someone in your IT infrastructure knows the actual server password, or it exists in a file that could be accessed. There is no credential vault that generates dynamic, per-session credentials. There is no approval workflow that stands between a user’s request and the target server. There is no adaptive MFA that escalates when a login comes from an unfamiliar device.

This is not a criticism of Guacamole. It was not designed to be a PAM platform. The issue arises when a product built on Guacamole is sold as one.

What a Gateway-Based ‘PAM’ Cannot Do

Credential Security

In a genuine PAM platform, users never see or handle the target credentials. The platform generates a unique, short-lived credential for each session, injects it silently into the proxied connection, and destroys it when the session ends. There is nothing to leak because there is nothing the user ever knows.

In a Guacamole-based solution, credentials are pre-configured and stored statically. The system passes them through, but they exist in a form that can be accessed, extracted, or exposed. Password rotation is manual. A departing administrator who knew a server password still knows it after you delete their account from the gateway.

Session Governance

A PAM platform includes a session approval workflow: a user requests access, an administrator reviews and approves, and only then does the session open. This provides a human checkpoint for every privileged action on critical infrastructure.

Guacamole has no approval workflow. A user with connection access connects immediately. The audit trail tells you what happened, but nothing prevented it from happening.

Database Access

Guacamole does not support database sessions at all. For organisations where database administrators access PostgreSQL, MySQL, or other systems, a Guacamole-based solution provides zero visibility into what SQL queries were executed during a session, a direct gap in any audit that asks for database activity logs.

A purpose-built PAM platform proxies database sessions and captures every query, timestamped and structured, alongside the session recording.

Compliance Evidence

When an auditor asks for evidence of privileged access controls, they are looking for dynamic credential management, session approval records, searchable audit trails, and adaptive MFA. Guacamole can provide a session recording and a connection log. It cannot provide the rest.

For teams pursuing SOC 2, ISO 27001, PCI-DSS, or India’s RBI Cybersecurity Framework and DPDPA requirements, this gap requires additional tooling, tooling that typically costs more than a purpose-built PAM platform would have in the first place.

How to Tell What You Are Actually Buying

When evaluating a PAM solution, ask these questions directly:

Does the platform generate dynamic, per-session credentials, or does it store static credentials in connection configuration?
Do users ever see, know, or handle the actual target password, or is credential injection completely invisible to them?
Is there a session approval workflow where a human must explicitly authorise access before a session opens?
Does the platform proxy database sessions (MySQL, PostgreSQL) and capture SQL query logs, or only SSH and RDP?
Is MFA adaptive, does it escalate based on device, location, IP, or time, or is it binary on/off?
If you remove a user from the identity platform, is their access to all privileged systems revoked immediately, or does the gateway need to be updated separately?

If the answers reveal a gateway with credential pass-through and no approval workflow, you are looking at infrastructure access tooling, not a PAM platform.

What Akku PAM Is Built On

Akku PAM was designed from the ground up as a Privileged Access Management platform, not adapted from a remote desktop gateway. It is built around two purpose-built components.

AkkuArka is the credential vault. It generates a unique credential for each privileged session, server passwords, database users, SSH keys, at the moment access is requested. When the session ends, the credential expires. There are no static passwords in configuration files. There is nothing for a user to know or leak.

AkkuReka is the session proxy. Every privileged connection, SSH, RDP, database, Kubernetes, passes through AkkuReka. Before a session opens, AkkuReka verifies the identity, the device, the location, the IP, the time of day, and the approval status. The session is recorded end to end. Every SSH command, every SQL query, every RDP action is captured, timestamped, and stored in SMART Audit Trails, tamper-proof and fully searchable.

The result is a privileged access architecture where users connect to critical systems without ever knowing the password, every session requires explicit verification, and every action leaves a complete, searchable audit trail.

For organisations with compliance obligations, or for IT teams that simply want to know, with certainty, what is happening on their infrastructure, that is the difference between a remote desktop gateway and a PAM platform.

The Bottom Line

Apache Guacamole is a capable, free, open-source tool. If browser-based server access with basic session recording is all you need, and compliance, credential security, and audit trails are not requirements, it does its job.

But if a PAM solution is being positioned to you as meeting your compliance and security requirements, and it is built on or compared to a remote desktop gateway, the gap between what it promises and what it can actually prove in an audit is worth understanding before you sign.

Ask the six questions above. The answers will tell you what you are actually buying.

See How Akku PAM Works | Talk to the Akku Team

Questions We Hear Most From IT and Security Teams

Q: Is Apache Guacamole a PAM solution?

A: No. Guacamole is a remote desktop gateway. It provides browser-based access to servers but does not include a credential vault, dynamic credential generation, session approval workflows, or adaptive MFA. These define a Privileged Access Management platform.

Q: Can a Guacamole-based solution meet PAM compliance requirements?

A: Partially, and only with significant additional tooling. Guacamole provides session recording and a connection log, which satisfies some audit requirements. But dynamic credential management, session approval workflows, database session logging, and adaptive MFA require either purpose-built additions or a separate platform.

Q: What is the difference between a remote desktop gateway and a PAM platform?

A: A remote desktop gateway provides access to servers via browser or proxy. A PAM platform governs, records, and controls everything about that access: who approved it, what credentials were used, what actions were taken, and whether those credentials still exist after the session ended. The gateway gets you in. The PAM platform is accountable for what happens once you are.

Q: How does Akku PAM handle privileged session access?

A: Every privileged session passes through AkkuReka, which verifies identity, device, location, IP, and approval before opening the connection. AkkuArka generates a unique credential for the session, one the user never sees, and destroys it when the session ends. Every action is recorded and logged in SMART Audit Trails, searchable by user, command, system, or time window.

Q: Does Akku PAM require complex infrastructure like Guacamole?

A: No. Akku PAM deploys a lightweight worker near your target infrastructure. No Tomcat, no guacd, no database to manage. Most organisations are live within hours to a few days without specialist infrastructure expertise.

You Know Who Logged In. But Do You Know What They Did?

You probably think you know what your admins are doing on your servers. Here is what your logs are actually showing you.

A name. A timestamp. A session duration.

That’s it.

Forty-one minutes on a production server, and your audit trail tells you someone was there. It doesn’t tell you what they typed. What they changed. What they looked at. Whether they ran one command or fifty. Whether anything that happened in those forty-one minutes is the reason your environment looks the way it does today.

Sound familiar? It should, because this isn’t a rare edge case. It’s the default state for most IT environments, and most teams don’t realise it until something breaks and they go looking for answers that aren’t there.

Three Real Scenarios Worth Examining

Here are three scenarios. See if any of them have happened in your organisation.

Scenario one:

A contractor was brought in for a three-week infrastructure project. They were given SSH access to two production servers. The project ended, HR offboarded them, and their email was deactivated. Six months later, during a routine review, you find their SSH key is still live. You want to know how often they connected after the project ended and what they did. Your logs show connection events. That is all.

Scenario two:

Your senior DBA ran a maintenance job last Friday night. The session lasted two hours. Monday morning, a business team reports that a dataset looks wrong. Rows that should be there are not. You pull the logs. You can confirm the DBA was connected. You cannot see a single query they ran.

Scenario three:

A developer needed production access to restart a service. It was meant to take ten minutes. The session lasted forty-five. You approved the access, you can see the login and logout times, and you have no idea what else they did while they were in there.

None of these is hypothetical. These are the conversations happening in security post-mortems across mid-market organisations right now. And in each case, the team investigating the incident hits the same wall. They know who was there. They can’t tell you what happened.

The Root Cause Is Architectural, Not Operational

It’s not because your team isn’t doing their job. It’s because the tools most organisations use for infrastructure access were built for connectivity, not governance.

A VPN gets your admin to the network. A jump server creates a single pathway. Direct SSH authentication proves identity. None of these was designed to record what happens after the connection opens. They get the person in the room. They don’t watch what the person does inside it.

And honestly, for a standard user accessing a business application, that’s probably fine. The application itself logs activity. The scope of what they can do is bounded.

But privileged users are a different conversation entirely. A sysadmin on a production server can modify configurations, delete files, install scripts, change permissions, and exfiltrate data, all in a single session. A DBA with direct database access can run queries that touch millions of records. A DevOps engineer with Kubernetes access can make changes that won’t surface as problems for days.

The result? Privileged account security is the most under-governed area in most IT environments. You have more documented visibility into what a junior analyst does in your CRM than into what your most trusted infrastructure admins do on your most critical systems.

That’s not a comfortable thing to sit with.

Where the Absence of Session Visibility Becomes a Business Risk

Post-incident investigations: Something breaks. You need to know what changed and when. Without command-level logs, you are working backwards from symptoms. What should take an hour takes days. Sometimes you never find the answer. And ‘we can see someone was logged in, but we don’t know what they did’ is not an acceptable conclusion when you are explaining an incident to leadership or a regulator.

Compliance and audit requirements: Whether your obligations sit under ISO 27001, RBI’s Cybersecurity Framework, SEBI’s CSCRF, HIPAA, or India’s DPDPA, the requirement is consistent. You need to be able to demonstrate what privileged users did, not just that they authenticated. ‘We have login records’ gets you through the basic check. It does not satisfy a forensic audit. Auditors are getting better at knowing the difference.

Insider threat detection: This one’s uncomfortable but worth saying plainly. Your most dangerous insider threat isn’t someone trying to break in from outside. It’s someone who already has legitimate access and uses it in ways they shouldn’t. Detecting that requires knowing what normal behaviour looks like for each privileged user, and building that baseline is impossible if you’re not logging what they do in every session. Right now, if an admin is misusing their access, you might find out eventually. But you won’t find out from your logs.

What Session-Level Accountability Looks Like in Practice

Privileged session monitoring, done properly, operates at a level below authentication events. It captures what happens inside the session itself.

For SSH sessions, that means every command is logged individually with a precise timestamp, automatically, with no setup required on the target server. You can search it later by user, by command, by server, or by time. If something changed, you can find out exactly when and exactly what was run.

For RDP sessions, it means full session recording, a video-playback record of what happened on screen during the session. No more guessing. No more reconstructing from system logs that weren’t built for forensic investigation.

For database access, it means query logging. Every query, every session, every user. That Friday night maintenance job? You’d have a complete record of every statement that ran.

This is the difference between knowing someone was in the room for forty-one minutes and knowing what they did in every minute of it.

Akku PAM is built on this model, where no privileged session reaches your infrastructure unrecorded. But the more immediate question is whether your current setup can answer what we are about to ask.

A Practical Diagnostic for Your Current Environment

Pick any privileged session from the last thirty days in your environment. A sysadmin on a server, a DBA on a database, and a contractor who was given temporary access.

Now answer these:

What commands did they run?
What files did they access or change?
Can you produce a timestamped record of every action they took during that session?

If you’re hesitating on any of those, your audit trail ends at the login event. You know the door opened. You don’t know what happened inside.

That’s the gap. And now you know it’s there.

Complete session visibility across SSH, RDP, and database access. Every command. Every query. Every action. Recorded automatically, searchable instantly, ready for the moment you need it.

See How Akku PAM Works | Talk to the Akku Team

Still don’t have PAM in 2026? Here are 10 reasons you need it today!

In today’s high-stakes cybersecurity environment, privileged accounts control access to your most critical systems and sensitive data. Poor management or insufficient oversight of these accounts creates easy targets for cyberattackers, leading to costly breaches and compliance failures.

According to the 2025 Verizon Data Breach Investigations Report (DBIR), 22% of data breaches in 2025 involved stolen/compromised credentials – with 6% tied to misuse of privileged accounts with access to critical information. Thus, Privileged Access Management (PAM) becomes critical.

Here’s how PAM makes a difference:

Periodically changes privileged passwords, so stolen credentials expire fast
Provides Just-in-Time (JIT) access, eliminating standing privileges
Records every privileged session for complete tamper-proof evidence
Enforces zero-trust principles across hybrid cloud and on-premises environments

Here are 10 reasons you need a Privileged Access Management system.

1. To gain one-window visibility into accounts, credentials and privileges

Privileged accounts can pose serious security risks when they have too many permissions and too little oversight. Hackers can exploit these accounts to gain access to sensitive data. Additionally, the real number of privileged accounts can be quite different from what organizations believe! This lack of visibility can increase vulnerability.

2. To enforce strict access management & identity verification

By implementing strict access controls, you ensure that users have only the permissions they need to enhance security and promote accountability. By adding in adaptive multi-factor authentication (AMFA), you verify the identity of the users of those privileged accounts to prevent impersonation.

3. To automate the enforcement of least privilege principles

Role-based access control (RBAC) automatically assigns precise permissions based on user roles, ensuring that privileged users receive only what’s needed for their job functions. It also enforces least privilege access with segregation of duties (SoD) rules and automated remediation of violations for stronger compliance.

4. To monitor & record privileged sessions in real-time

Without real-time monitoring, attackers could operate freely during privileged sessions. Without recordings, investigations fail due to missing evidence or deleted logs. Akku delivers live session visibility with anomaly alerts, enabling instant termination of suspicious activity before data exfiltration or damage occurs. It captures full video playback, command-level activity, and tamper-evident audit logs for every privileged session.

5. To prevent the usage of stolen credentials

Stolen privileged credentials can pose a significant threat indefinitely, as they do not rotate automatically. Privileged credential vault addresses this issue by storing passwords, keys, and certificates with automated rotation after every use. This not only prevents credential exposure through direct injection but also maintains detailed audit trails for all interactions with privileged credentials. PAM automates management using strong passwords that are stored securely and changed regularly to minimize breaches.

6. To avoid the hassles of deploying a client-based system

Traditional PAM often necessitates the use of VPNs, endpoint agents, and client software, which can create deployment complexity across hybrid environments. Some PAMs, like Akku, use clientless privileged session management (PSM) to offer secure browser-based RDP/SSH access without agents or installations, ensuring that credentials never reach end users.

7. To apply just-in-time (JIT) privileged access

Users often require elevated access for specific tasks, but these permissions can remain active long after the tasks are completed, leading to security breaches and insider threats. Such always-on privileges provide attackers with permanent backdoors to exploit sensitive systems. PAM offers a solution by delivering temporary, time-bound access that is granted only when necessary. This access is automatically revoked once the tasks are completed, eliminating the need for manual intervention. Additionally, all activities during JIT sessions are monitored and recorded, allowing for the immediate termination of any suspicious behaviour.

8. To centralize server access

Sharing multiple server passwords and credentials across Windows and Linux environments violates zero-trust principles. Implementing single sign-on (SSO) for server access provides centralized authentication for RDP and SSH sessions, with enforced multi-factor authentication (MFA) and conditional access policies applied consistently.

9. To meet compliance requirements

Comprehensive audit logs, session recordings, and privileged account discovery deliver tamper-proof evidence essential for compliance with HIPAA, PCI-DSS, and SOX. By providing clear visibility into privileged activities across critical systems, these features automate the generation of complete, audit-ready records. This centralized approach streamlines compliance efforts and enhances security, eliminating the risks associated with relying on scattered manual processes.

10. To boost IT productivity

Manual credential management and VPN access create ongoing workflow challenges for IT teams, leading to wasted time on password resets and access requests. Akku simplifies the delegation of access through centralized management tools that include single sign-on (SSO) integration, automated credential rotation using secure vaulting, and clientless session management for smooth server access. This enables teams to work efficiently without compromising security.

Choose Akku’s PAM solution for Complete Protection

Akku’s PAM solution offers all the essential features you need: just-in-time (JIT) access, clientless privileged session management (PSM), credential vaulting, role-based access control (RBAC), and real-time monitoring – all integrated into one seamless platform. Deploy this solution across hybrid environments with zero trust enforcement at every step.

Talk to us today to find out how Akku’s privileged access management solutions can help your business.

How to Implement Privileged Access Management (PAM) in Cloud and Hybrid Environments

Privileged accounts are an under-recognized center of risk in modern IT. The move to cloud and hybrid environments multiplies the number of privileged accounts, and an overlooked admin credential on a single system can become a path to the entire estate. In this article, we examine privileged access management (PAM) and how to approach privileged access at scale, and outline a clear implementation program.

What is Privileged Access Management (PAM) in Cyber Security? Understanding Its Meaning and Full Form

To understand PAM, you first need to understand what a privileged user is. This is not your average employee who just needs access to their applications – a privileged user is one who has control over how the system itself works.

Privileged Users can include system administrators who manage servers and databases; developers who run automation pipelines; even senior executives who hold the authority to approve sensitive actions. These accounts can move levers that affect entire environments. If compromised, the potential for damage is significant.

Privileged Access Management is the discipline that makes sure privileged accounts are handled responsibly. PAM is about ensuring that:

Only authorized users can perform critical actions
Every privileged activity is logged and reviewable
Elevated credentials are issued only when needed and revoked after use

The technology that supports this can take on many forms. Policy engines that enforce least-privilege access by default. Session monitoring that records administrator activity. Even password vaults that rotate credentials automatically. But the goal is always the same: make privileged access secure without slowing the business down.

So again, what is PAM in cybersecurity? Simply put, it is the safety net that prevents unauthorized access and mitigates threats associated with privileged accounts with elevated access rights.

Why Privileged Access Management (PAM) is Critical for Cloud and Hybrid Environments

In a traditional on-premises data center, privileged access was far easier to manage. You had a few administrators and a clearly defined, limited set of systems. Tracking who did what was simpler.

The cloud has changed this completely. Privileged access now extends across platforms, APIs, and hundreds of machine identities. Temporary keys appear and expire constantly. Scripts and services talk to each other without human involvement. And too often, administrators still hold permanent rights that give attackers a wide attack surface.

PAM brings order to this chaos by:

Enforcing consistent policies and rules across on-premises servers and cloud platforms
Enabling least-privilege access for privileged users to limit the blast radius in case of a breach
Generating verifiable logs that help organizations prove compliance
Limiting standing privileges by introducing just-in-time access
Allowing security teams to revoke access in seconds in the event of an attack

PAM has moved from good-to-have to essential. Without it, the complexity of cloud and hybrid systems leaves organizations exposed. With it, privileged access can be controlled while still being trusted.

Step-by-Step Framework for Implementing Privileged Access Management (PAM)

1. Inventory and Classification

Start by mapping every account that has elevated rights. That includes human admins and embedded service accounts. It also includes automation credentials. Use discovery features in your PAM application to find hidden accounts. This inventory answers the question “Where are the privileges?”.

2. Define Roles and Apply Least Privilege

Convert the inventory into roles. Assign permissions to roles, not to individuals. Reduce broad admin access and prefer narrowly scoped rights. This is the clearest way to enforce least privilege access.

3. Adopt Secure Credential Management

Move privileged passwords and keys into a vault. Rotate credentials automatically. Prevent direct password sharing. These are basic functions in privileged access management that are central to any PAM solution.

4. Use Just-in-Time Access and Session Controls

Replace permanent root-level access with time-bound approvals. Record privileged sessions. Capture commands for forensic analysis. This is where PAM in cybersecurity becomes actionable rather than theoretical.

5. Centralize Policy and Automate Enforcement

One policy engine should handle password rotation. It should also manage approval workflows and exceptions. Automation reduces human error. It enforces consistency across multiple environments.

6. Monitor, Alert, and Improve

Feed privileged activity into centralized logging. Use behavior detection to flag anomalies. PAM applications increasingly include analytics that surface unusual patterns. This is essential in large cloud estates.

Applications of PAM in Cloud, Hybrid, and Multi-Cloud Scenarios

Privileged Access Management (PAM) solves real-world problems that arise as infrastructure grows. Here are some of the common applications of PAM.

1. Protect cloud management consoles

Administrators use consoles to change cloud resources. These consoles are high-value targets. A good PAM solution locks down console access, enforces approvals, and records activity for audits.

2. Secure API keys and service accounts

Cloud systems talk to each other through machine identities. Those identities often hold broad privileges. Privileged access management tools can be used to discover and rotate keys, and to store them in a vault so they are never left exposed.

3. Control third-party and vendor access

External contractors need temporary access sometimes. With a PAM solution, it is possible to grant access for a limited window, monitor sessions, and revoke rights when the requirement ends. This is a core PAM application that reduces the attack surface created by vendor accounts.

4. Make DevOps safer

CI/CD pipelines often require elevated permissions to deploy code. By integrating PAM into cybersecurity pipelines, credentials can be issued on demand and recorded. That keeps automation fast and traceable.

5. Manage multi-cloud complexity

When you run on more than one cloud, inconsistency becomes the enemy. A centralized PAM tool enforces the same policy across your cloud environments, whether you are using AWS, Azure, or Google Cloud, as well as on-prem systems. This creates a single source of truth for privileged access.

6. Session recording and forensics

When something goes wrong, logs are not enough. Recording privileged sessions gives you a timeline of actions and commands. That makes incident response faster and audits simpler.

Common Pitfalls to Avoid in PAM Implementation

Deploying a PAM solution is only the start. Here are some mistakes many organizations make, and how you can avoid them.

1. Treating PAM as a one-time project

Teams often install a vault and call it done. It is important to make PAM a part of your regular operations, with discovery, policy reviews, and audits.

2. Siloed policies

If cloud teams, security, and on-prem teams each have their own rules, you end up with gaps. Centralize policy and enforce consistent rules from a single policy engine.

3. Ignoring DevOps and CI/CD

Many PAM application rollouts focus on human users and miss automation tools. Integrate your PAM tool with your pipelines, secrets manager, and container orchestration to protect machine identities, too.

4. Excessive friction for engineers

If daily workflows slow down, people will bypass controls. Design your approvals processes and workflows to be quick. Where possible, automate approvals and use just-in-time access so engineers do not feel blocked.

5. Poor credential hygiene

Not rotating keys and passwords is a common failure. Implement automatic rotation and short-lived credentials to reduce the window an attacker has.

Future of PAM in Cloud and Hybrid Environments

When we think about the future of privileged access management, it is not about more rules. It is about systems that adapt and learn as people and risks change. Here is how we believe the shift will unfold:

Policy automation moves toward risk-driven orchestration

Access is no longer a static set of permissions but adjusts in real time. A user signing in from a trusted office device will experience a smoother flow. The same user connecting from an unusual location at night may face stricter checks. Context will guide the decision, not just the policy written on paper.

Artificial intelligence and machine learning take center stage

The system will not only flag behavior that looks unusual. It will also learn what normal activity feels like for each user. Over time, it can suggest corrective actions before a breach even takes place. This is not about catching mistakes after they happen. It is about preventing the wrong move before it grows dangerous.

Zero Trust becomes the anchor

Privileged access management will stand as one of the strongest enforcers of Zero Trust. No action will be taken at face value. Every step will require proof, and least privilege will not be a policy statement but a daily reality. Continuous verification will become second nature.

Deeper connection with DevOps

Developers often move fast, and speed brings risk. The future of PAM will meet them where they work. Privileged credentials in CI/CD pipelines will be protected. Access to containerized environments will be secured without slowing down the flow of innovation. Security will blend with development instead of standing in the way.

For a company in motion, the real question is not whether privileged access management is needed – it’s how quickly you can deploy PAM and move to continuous governance. With the right PAM tools, security becomes modern, compliance becomes natural, and transformation is accelerated. Talk to us today about how Akku can help you implement simple, powerful PAM solutions quickly at your organization.

PAM Explained: What Is Privileged Access Management and How Does It Work?

Privileged Access Management (PAM) is a cybersecurity discipline that controls, monitors, and audits access to accounts with elevated system privileges, including server administrators, database users, DevOps engineers, and any account that can make changes to critical infrastructure. PAM ensures that privileged access is granted only when needed, only to authorised users, and leaves a complete audit trail every time.

This guide covers what PAM is, how it works, what technologies it involves, and how Indian enterprises are using it to meet compliance requirements under RBI, SEBI, IRDAI, and DPDPA.

What Is Privileged Access Management (PAM)?

So, what is privileged access management in cybersecurity?

At its core, PAM is a cybersecurity solution designed to control and track access to privileged accounts. These include administrator logins, root accounts, domain controllers, service accounts, and any other credentials that allow broad or sensitive access.

The full form of PAM is Privileged Access Management, and its purpose is simple: to reduce the risk that comes from having too much power in too many hands. By managing these accounts through policies, workflows, and automation, PAM helps you apply the principle of least privilege, giving users access only to what they absolutely need, for as long as they need it.

Think of PAM as a lockbox for your organization’s most sensitive systems. But instead of just locking things down, it also watches who goes in, what they do, and makes sure keys are rotated and never misused.

Why Is PAM Important in Cybersecurity?

Privileged accounts are a favorite target for attackers. Once inside, they can move laterally across systems, create backdoors, and steal sensitive data, often without being noticed.

PAM is critical because it:

Reduces attack surface by limiting who can access critical systems and for how long
Protects against insider threats, whether intentional or accidental
Meets compliance requirements for RBI Cybersecurity Framework, SEBI CSCRF, IRDAI Information Security Guidelines, DPDPA, ISO 27001, PCI-DSS, SOC 2, and HIPAA
Provides the audit evidence auditors ask for: session recordings, approval records, credential logs, and access history
Supports a Zero Trust architecture by eliminating standing privileges and enforcing continuous verification

It also strengthens your organization’s Zero Trust strategy. In a Zero Trust model, every request must be verified, and standing access is eliminated. PAM fits perfectly into this by enabling just-in-time access, continuous monitoring, and real-time policy enforcement.

Key Components of PAM Technology

A solid PAM solution includes multiple layers of technology. Here’s what goes into modern privileged access management technology:

1. Credential Vaulting

In Akku PAM, this is handled by AkkuArka, which generates a unique credential for every session and expires it automatically when the session ends, so there is no static password for an attacker to steal or an administrator to accidentally expose.

2. Role-Based Access Control (RBAC)

RBAC ensures users only get access based on their role in the organization. This reduces the chance of privilege creep, where users accumulate access over time that they no longer need.

3. Just-in-Time Access (JIT)

Instead of having long-term admin access, users can request temporary privileges for specific tasks. Once the session ends, access is automatically revoked, reducing the window of risk.

4. Session Recording and Monitoring

Akku PAM’s session proxy, AkkuReka, captures full session recordings alongside keystroke logs and, for database sessions, a complete SQL query log, all stored in SMART Audit Trails and exportable for compliance audits.

5. Automatic Credential Rotation

PAM tools can rotate passwords automatically after each use, reducing the chances of password reuse, theft, or sharing.

6. Reporting and Audit Trails

Every privileged action is logged. That means better accountability, faster incident response, and easier audits.

Together, these components define what makes PAM technology effective and scalable.

How Does a PAM Solution Work?

To fully understand how a PAM solution works, let’s walk through a typical workflow from start to finish:

Step 1 – Credential Vaulting and Storage

Privileged passwords and keys are stored in a centralized, encrypted vault. Only the PAM system has access to them, and users never see or handle these credentials directly.

Step 2 – Access Request and Approval Workflow

A user submits a request for access through the PAM portal. The request might need approval from a manager, based on role, time of day, or risk level. Approvals can be manual or automated, depending on policy.

Step 3 – Just-in-Time (JIT) Privileged Access

Once approved, access is granted for a limited time. This reduces the risk of lingering privileges and ensures access is purpose-driven.

Step 4 – Session Monitoring and Recording

While the user is working, their session can be watched in real time or recorded silently in the background. This creates an exact trail of what happened during access.

Step 5 – Automatic Logout and Credential Rotation

After the session, the user is automatically logged out. The system rotates the password immediately, preventing reentry and enforcing credential hygiene.

Step 6 – Reporting and Audit Trails

All actions and access events are logged. These logs can be sent to a SIEM, reviewed during audits, or used for internal investigations.

Applications of PAM Across Industries

PAM in Finance

The financial industry deals with highly sensitive data, from transaction records to credit histories. PAM helps financial institutions:

Prevent fraud by limiting admin access
Meet regulatory standards like PCI-DSS and SOX
Maintain accountability with audit trails

PAM in Healthcare

Hospitals and healthcare systems handle enormous volumes of patient data and personal information. PAM helps protect:

Electronic Health Records (EHRs)
Access to lab and imaging systems
Medical IoT device configurations
Compliance with HIPAA and HITECH

PAM in Enterprise IT

For large IT organizations and service providers, PAM is vital to:

Protect cloud environments and DevOps pipelines
Secure internal systems and infrastructure
Control third-party vendor access
Monitor internal admin activity at scale

No matter the industry, applications of PAM are always centered around one idea: keeping sensitive access under control.

How Akku PAM Implements These Controls

Akku PAM is a full-stack Privileged Access Management platform built for Indian enterprises. It implements all of the capabilities described in this guide through two integrated components.

AkkuArka is the credential vault. It generates a unique credential for each privileged session (server passwords, database users, SSH keys) at the moment access is requested. The user authenticates to Akku and reaches the target system without ever seeing or knowing the actual password. When the session ends, the credential expires. There is no static password in a configuration file, no shared admin password on a Slack channel, nothing to leak.

AkkuReka is the session proxy. Every privileged connection (SSH, RDP, database, Kubernetes) passes through AkkuReka. Before a session opens, it verifies identity, device posture, location, IP reputation, and approval status. The session is recorded end-to-end. Every command, every SQL query, every action is captured in SMART Audit Trails: searchable, tamper-proof, and exportable for your IS auditor.

Together, AkkuArka and AkkuReka give your IT team the controls your auditors are looking for, deployed in days, without a professional services engagement.

Looking for a trusted way to roll out PAM privileged access management in your business? Talk to us at Akku, and let’s secure what matters most.

PAM Questions We Hear Most From IT and Security Teams

Q: What is Privileged Access Management (PAM)?
A: Privileged Access Management (PAM) is a cybersecurity discipline that controls, monitors, and audits access to accounts with elevated system privileges. These include server administrators, database users, DevOps engineers, and any account that can make significant changes to IT infrastructure. PAM ensures privileged access is granted only when needed, only to authorised users, and always leaves a complete audit trail.

Q: What is the difference between IAM and PAM?
A: IAM (Identity and Access Management) governs all user identities and their access to applications and systems across the organisation. PAM is a subset of IAM that focuses specifically on privileged accounts, the high-risk accounts with elevated access to critical infrastructure. IAM manages who can access a system. PAM controls what privileged users can do once they are in, and records everything they do.

Q: What does a PAM solution include?
A: A PAM solution typically includes a credential vault for storing and rotating privileged passwords, a session proxy for recording and monitoring privileged sessions, just-in-time access controls that grant temporary rather than standing access, approval workflows for sensitive sessions, and audit trail generation for compliance reporting.

Q: What PAM compliance standards apply to Indian enterprises?
A: Indian enterprises in regulated sectors are subject to several frameworks with PAM-related requirements. These include the RBI Cybersecurity Framework for banks, the SEBI Cybersecurity and Cyber Resilience Framework (CSCRF) for market participants, IRDAI Information Security Guidelines for insurance companies, and India’s Digital Personal Data Protection Act (DPDPA). ISO 27001, PCI-DSS, and SOC 2 also include privileged access requirements relevant to Indian IT and technology companies.

Q: How does just-in-time access work in PAM?
A: Just-in-time (JIT) access means privileged access is granted on demand for a specific, time-limited session rather than as permanent standing access. A user requests access, an authorised approver grants it, the session opens with a temporary credential, and when the session ends the access is revoked automatically. This eliminates the risk of standing admin accounts that can be exploited if compromised.

Q: How long does it take to deploy a PAM solution?
A: Deployment time varies by vendor and complexity. Legacy enterprise PAM platforms from global vendors can take months to deploy. Akku PAM is designed for self-serve deployment, and most organisations are operational within a week, without professional services or specialist infrastructure expertise.

Q: What is the difference between PAM and a remote desktop gateway like Apache Guacamole?
A: A remote desktop gateway provides browser-based access to servers. It does not include a credential vault, dynamic credential injection, session approval workflows, or compliance-ready audit trails. PAM is a security and compliance platform: it controls, governs, and audits privileged access rather than simply providing it.

How does a true PAM work?

A Privileged Access Management (PAM) solution helps to secure and control privileged access to critical software and assets. Credentials and specific levels of access to various applications are provided through the PAM.

Usually, organizations implement PAM only for authorization and de-authorization of access to the apps. For instance, let’s say a new employee needs access to Gmail, Jira, and your CRM. Typically, organizations only provide access when the employee joins, and revoke it when he or she leaves. This can be done by a simple Identity and Access Management (IAM) solution – however, a PAM can do much more. (Quick side note: Akku serves both PAM and IAM needs.)

Here are some of the key functions that a PAM solution generally serves.

1. Assigning specific rights and access privileges

On each SaaS platform, what rights does each employee have? For example, take the CRM. Can they add and delete workflows? Is an individual user to be a super-administrator? Do they need to be allowed only to create contacts, but disallowed from editing or deleting?

Access may also be changed for the employee as they grow within the organization. When the employee is promoted, they may get additional responsibilities. For instance, a sales executive may not be allowed to edit contacts, but once promoted as a sales manager, this permission may become necessary.

You need not go to the CRM to make these changes – you can do so directly from your PAM platform. An IAM and PAM tool (like Akku) will allow you to manage changes to access permissions such as these from a single dashboard, with a single click.

2. Deprovisioning access

The day an employee leaves an organization, the IT team usually uses their generic IAM to revoke access to all SaaS apps (Gmail and Freshdesk, for example).

However, by doing this, only the IAM gateway to the app is deactivated: the license on the application itself remains. That means that the subscription charges continue on, as well, unless you go to the SaaS platform and delete the license there.

A true PAM directly deletes the license on Gmail or Freshdesk as well. It also follows the same exit procedure as that of the app itself. For instance, Gmail allows you to back-up email data to an email account of your choice before deleting the account. A professional IAM and PAM tool like Akku does the same, following the same laid-down process of the application.

By directly deleting the license on the application platform itself, you can be sure that you won’t waste money on subscription charges due to human error. This kind of automation is essential for enterprise-level customers. As they have a huge number of licenses, it is impossible to manually track the licenses in use and those no longer required. As a result, enterprises may realize that such a costly error has occurred only after subscription fees have built up!

The PAM also prompts you when you’re not using a license, upon which you can delete the license through the PAM.

Akku is a customizable IAM and PAM solution with user-friendly features that can be configured based on your specific requirements. Our team is well equipped to help you implement PAM at your organization and get the most out of it. Let’s talk.