CINXE.COM

<!DOCTYPE html><html><head><meta charSet="utf-8"/><title>Understanding privileged access management · Tailscale</title><meta name="robots" content="index,follow"/><meta name="description" content="Privileged access management (PAM) is the practice of restricting or allowing permissions for users to create a more streamlined workflow. (This is distinct from pluggable authentication modules, which is commonly used on Unix systems and also goes by the acronym PAM.) In this guide, you will learn how PAM can help safeguard your organization’s digital workspace and enhance productivity."/><meta property="og:title" content="Understanding privileged access management · Tailscale"/><meta property="og:description" content="Privileged access management (PAM) is the practice of restricting or allowing permissions for users to create a more streamlined workflow. (This is distinct from pluggable authentication modules, which is commonly used on Unix systems and also goes by the acronym PAM.) In this guide, you will learn how PAM can help safeguard your organization’s digital workspace and enhance productivity."/><meta property="og:url" content="https://tailscale.com/learn/privileged-access-management"/><meta property="og:image" content="https://cdn.sanity.io/images/w77i7m8x/production/8e0455b2d9b33c6151016afdf2ea81d7623c2f04-1200x628.png"/><link rel="canonical" href="https://tailscale.com/learn/privileged-access-management"/><link rel="alternate" type="application/rss+xml" href="https://tailscale.com/blog/index.xml"/><link rel="alternate" type="application/rss+xml" href="https://tailscale.com/changelog/index.xml"/><link rel="alternate" type="application/rss+xml" href="https://tailscale.com/security-bulletins/index.xml"/><meta name="viewport" content="initial-scale=1.0, width=device-width, maximum-scale=1"/><link rel="icon" href="/favicon.png" type="image/png"/><link rel="icon" href="/favicon.svg" type="image/svg+xml"/><meta name="msapplication-TileColor" content="#492847"/><meta name="theme-color" content="#ffffff"/><script data-cfasync="false" async="" src="https://client-registry.mutinycdn.com/personalize/client/2717960877f6aef7.js"></script><meta name="twitter:card" content="summary_large_image"/><meta name="twitter:title" content="Understanding privileged access management · Tailscale"/><meta name="twitter:image" content="https://cdn.sanity.io/images/w77i7m8x/production/8e0455b2d9b33c6151016afdf2ea81d7623c2f04-1200x628.png"/><meta name="twitter:description" content="Privileged access management (PAM) is the practice of restricting or allowing permissions for users to create a more streamlined workflow. (This is distinct from pluggable authentication modules, which is commonly used on Unix systems and also goes by the acronym PAM.) In this guide, you will learn how PAM can help safeguard your organization’s digital workspace and enhance productivity."/><meta name="twitter:site" content="@tailscale"/><meta name="next-head-count" content="23"/><link rel="preload" href="/_next/static/media/97a52bce187043ec-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"/><link rel="preload" href="/_next/static/media/a34f9d1faa5f3315-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"/><link rel="preload" href="/_next/static/css/d308b8beb775a4ba.css" as="style"/><link rel="stylesheet" href="/_next/static/css/d308b8beb775a4ba.css" data-n-g=""/><link rel="preload" href="/_next/static/css/42f9528a97cee609.css" as="style"/><link rel="stylesheet" href="/_next/static/css/42f9528a97cee609.css" data-n-p=""/><noscript data-n-css=""></noscript><script defer="" nomodule="" src="/_next/static/chunks/polyfills-78c92fac7aa8fdd8.js"></script><script src="/_next/static/chunks/webpack-9309a5f1832f1a93.js" defer=""></script><script src="/_next/static/chunks/framework-2f437cbb805415a5.js" defer=""></script><script src="/_next/static/chunks/main-c8768e115d97c193.js" defer=""></script><script src="/_next/static/chunks/pages/_app-24b4acf999dd861e.js" defer=""></script><script src="/_next/static/chunks/3671-9d17777c1c0bc44c.js" defer=""></script><script src="/_next/static/chunks/8795-81ec804e42b5fcac.js" defer=""></script><script src="/_next/static/chunks/1571-ed8df959bc448c2f.js" defer=""></script><script src="/_next/static/chunks/1056-a1006d72e8e23619.js" defer=""></script><script src="/_next/static/chunks/1566-9db767b2ef5c11e6.js" defer=""></script><script src="/_next/static/chunks/8100-98b2867a0c4566e6.js" defer=""></script><script src="/_next/static/chunks/7007-68710207f4721455.js" defer=""></script><script src="/_next/static/chunks/9981-94d346862ac847d9.js" defer=""></script><script src="/_next/static/chunks/6987-c7b0da924d346e0e.js" defer=""></script><script src="/_next/static/chunks/1354-bb96c24072e71811.js" defer=""></script><script src="/_next/static/chunks/5897-7416627ff430ede3.js" defer=""></script><script src="/_next/static/chunks/pages/%5B...slug%5D-12a383ecfb2d53de.js" defer=""></script><script src="/_next/static/vgIO3z4nAO4I2TaCHWOpQ/_buildManifest.js" defer=""></script><script src="/_next/static/vgIO3z4nAO4I2TaCHWOpQ/_ssgManifest.js" defer=""></script><style id="__jsx-1535044592">:root{--font-inter:'__Inter_81dec9', '__Inter_Fallback_81dec9';--font-mdio:'__MDIOFont_8d6c39', '__MDIOFont_Fallback_8d6c39'}</style></head><body><div id="__next"><div class="z-[20000] flex min-h-[40px] w-full items-center justify-center p-2 px-10 text-center bg-heading-black text-white"><a class="group flex flex-wrap justify-center gap-x-4 text-sm tracking-tight" href="https://tailscale.com/reinvent">Attending AWS re:Invent?<span class="font-bold underline group-hover:no-underline">Where to find us</span></a></div><header class="left-0 right-0 top-0 z-[100] h-[60px] transition-colors duration-300 lg:h-[66px] sticky bg-transparent"><div class="is-wide container flex items-center justify-between py-4 lg:py-3"><div class="flex gap-[35px]"><a class="w-[110px] transition-colors duration-200 text-heading-black" title="Homepage" href="/"><svg class="transition-colors duration-200 " width="100%" height="100%" viewBox="0 0 110 20" fill="none" xmlns="http://www.w3.org/2000/svg"><ellipse cx="2.44719" cy="10.1796" rx="2.44719" ry="2.44128" fill="#242424"></ellipse><ellipse cx="9.79094" cy="10.1796" rx="2.44719" ry="2.44128" fill="#242424"></ellipse><ellipse opacity="0.2" cx="2.44719" cy="17.5077" rx="2.44719" ry="2.44128" fill="#242424"></ellipse><ellipse opacity="0.2" cx="17.1269" cy="17.5077" rx="2.44719" ry="2.44128" fill="#242424"></ellipse><ellipse cx="9.79094" cy="17.5077" rx="2.44719" ry="2.44128" fill="#242424"></ellipse><ellipse cx="17.1269" cy="10.1796" rx="2.44719" ry="2.44128" fill="#242424"></ellipse><ellipse opacity="0.2" cx="2.44719" cy="2.85924" rx="2.44719" ry="2.44128" fill="#242424"></ellipse><ellipse opacity="0.2" cx="9.79094" cy="2.85924" rx="2.44719" ry="2.44128" fill="#242424"></ellipse><ellipse opacity="0.2" cx="17.1269" cy="2.85924" rx="2.44719" ry="2.44128" fill="#242424"></ellipse><path d="M34.3979 18.458C35.0907 18.458 35.6536 18.3933 36.3248 18.2637V15.7584C35.9134 15.9096 35.4588 15.9528 35.0258 15.9528C33.965 15.9528 33.5753 15.4344 33.5753 14.441V9.34402H36.3248V6.83875H33.5753V3.12403H30.5443V6.83875H28.5742V9.34402H30.5443V14.7217C30.5443 17.0974 31.8 18.458 34.3979 18.458Z" fill="#242424"></path><path d="M41.2747 18.458C42.8984 18.458 43.9809 17.9181 44.5222 17.0758C44.5655 17.443 44.6954 17.9397 44.8686 18.2421H47.5964C47.4449 17.7237 47.3366 16.903 47.3366 16.3631V10.4455C47.3366 8.005 45.583 6.62277 42.617 6.62277C40.3654 6.62277 38.6118 7.46507 37.6376 8.69611L39.3696 10.4023C40.149 9.5384 41.1448 9.08486 42.3572 9.08486C43.8294 9.08486 44.4789 9.58159 44.4789 10.3159C44.4789 10.9422 44.0459 11.3742 41.7077 11.3742C39.4562 11.3742 37.183 12.3028 37.183 14.8945C37.183 17.2918 38.9149 18.458 41.2747 18.458ZM41.8809 16.1687C40.7118 16.1687 40.1706 15.672 40.1706 14.7865C40.1706 14.009 40.8201 13.4907 41.9026 13.4907C43.6345 13.4907 44.1108 13.3827 44.4789 13.0155V13.9442C44.4789 15.1753 43.4397 16.1687 41.8809 16.1687Z" fill="#242424"></path><path d="M49.3069 5.39173H52.4677V2.5625H49.3069V5.39173ZM49.3718 18.2421H52.4028V6.83875H49.3718V18.2421Z" fill="#242424"></path><path d="M54.6109 18.2421H57.6418V2.90805H54.6109V18.2421Z" fill="#242424"></path><path d="M63.9416 18.458C67.2757 18.458 68.986 16.7087 68.986 14.8729C68.986 13.2099 68.1417 11.9789 65.3705 11.4821C63.4221 11.1366 62.2097 10.7046 62.2097 10.0351C62.2097 9.45201 62.9025 9.04166 64.0715 9.04166C65.1107 9.04166 65.9767 9.38722 66.6262 10.1431L68.553 8.52333C67.5788 7.31389 65.9767 6.62277 64.0715 6.62277C61.1489 6.62277 59.3303 8.17777 59.3303 10.0783C59.3303 12.1517 61.2354 13.0803 63.2922 13.4475C65.0025 13.7499 65.9551 14.0738 65.9551 14.8081C65.9551 15.4344 65.2839 15.9528 64.0066 15.9528C62.7509 15.9528 61.7767 15.3696 61.322 14.5058L58.7674 15.7152C59.3952 17.2702 61.5385 18.458 63.9416 18.458Z" fill="#242424"></path><path d="M75.7621 18.458C77.9271 18.458 79.4859 17.5942 80.6549 15.6504L78.2302 14.4194C77.7755 15.3265 77.0395 15.9528 75.7621 15.9528C73.8353 15.9528 72.7961 14.3978 72.7961 12.5188C72.7961 10.6399 73.9003 9.12805 75.7621 9.12805C76.9312 9.12805 77.7106 9.75437 78.1652 10.7046L80.6116 9.40882C79.7889 7.61625 78.1652 6.62277 75.7621 6.62277C71.8003 6.62277 69.7652 9.5168 69.7652 12.5188C69.7652 15.78 72.2333 18.458 75.7621 18.458Z" fill="#242424"></path><path d="M85.4829 18.458C87.1067 18.458 88.1891 17.9181 88.7304 17.0758C88.7737 17.443 88.9036 17.9397 89.0768 18.2421H91.8046C91.6531 17.7237 91.5448 16.903 91.5448 16.3631V10.4455C91.5448 8.005 89.7912 6.62277 86.8252 6.62277C84.5737 6.62277 82.8201 7.46507 81.8458 8.69611L83.5778 10.4023C84.3572 9.5384 85.353 9.08486 86.5654 9.08486C88.0376 9.08486 88.6871 9.58159 88.6871 10.3159C88.6871 10.9422 88.2541 11.3742 85.9159 11.3742C83.6644 11.3742 81.3912 12.3028 81.3912 14.8945C81.3912 17.2918 83.1231 18.458 85.4829 18.458ZM86.0891 16.1687C84.9201 16.1687 84.3788 15.672 84.3788 14.7865C84.3788 14.009 85.0283 13.4907 86.1108 13.4907C87.8427 13.4907 88.319 13.3827 88.6871 13.0155V13.9442C88.6871 15.1753 87.6479 16.1687 86.0891 16.1687Z" fill="#242424"></path><path d="M93.3263 18.2421H96.3573V2.90805H93.3263V18.2421Z" fill="#242424"></path><path d="M103.631 18.458C105.861 18.458 107.658 17.5726 108.654 15.996L106.359 14.5274C105.753 15.4776 104.952 15.996 103.631 15.996C102.138 15.996 101.055 15.1753 100.774 13.5771H109.39V12.5188C109.39 9.5168 107.55 6.62277 103.61 6.62277C99.8643 6.62277 97.8293 9.5384 97.8293 12.5404C97.8293 16.8167 101.055 18.458 103.631 18.458ZM100.882 11.2014C101.358 9.75437 102.354 9.08486 103.675 9.08486C105.168 9.08486 106.078 9.97034 106.381 11.2014H100.882Z" fill="#242424"></path></svg></a><nav class="relative hidden lg:flex lg:gap-6"><div class="fixed bottom-0 left-0 right-0 z-[90] h-screen w-full transition duration-200 pointer-events-none opacity-0 top-[120px] bg-transparent"></div><div role="button" aria-haspopup="true" tabindex="0" class="group relative text-[14px] font-medium leading-normal tracking-[-0.28px] transition-colors duration-300 text-heading-black/80 hover:text-heading-black/100" data-track="Link Clicked" data-track-properties="{"label": "Product"}"><span>Product</span><div class="absolute bottom-[-6px] left-[25%] right-0 z-[100] flex h-[3px] w-[50%] items-center justify-center rounded-[5px] opacity-0 group-hover:opacity-100 bg-heading-black/80"></div></div><div role="button" aria-haspopup="true" tabindex="0" class="group relative text-[14px] font-medium leading-normal tracking-[-0.28px] transition-colors duration-300 text-heading-black/80 hover:text-heading-black/100" data-track="Link Clicked" data-track-properties="{"label": "Solutions"}"><span>Solutions</span><div class="absolute bottom-[-6px] left-[25%] right-0 z-[100] flex h-[3px] w-[50%] items-center justify-center rounded-[5px] opacity-0 group-hover:opacity-100 bg-heading-black/80"></div></div><a class="group relative text-[14px] font-medium leading-normal tracking-[-0.28px] transition-colors duration-300 text-heading-black/80 hover:text-heading-black/100" data-track="Link Clicked" data-track-properties="{"label": "Enterprise"}" href="/enterprise"><span>Enterprise</span><div class="absolute bottom-[-6px] left-[25%] right-0 z-[100] flex h-[3px] w-[50%] items-center justify-center rounded-[5px] opacity-0 group-hover:opacity-100 bg-heading-black/80"></div></a><a class="group relative text-[14px] font-medium leading-normal tracking-[-0.28px] transition-colors duration-300 text-heading-black/80 hover:text-heading-black/100" data-track="Link Clicked" data-track-properties="{"label": "Customers"}" href="/customers"><span>Customers</span><div class="absolute bottom-[-6px] left-[25%] right-0 z-[100] flex h-[3px] w-[50%] items-center justify-center rounded-[5px] opacity-0 group-hover:opacity-100 bg-heading-black/80"></div></a><a class="group relative text-[14px] font-medium leading-normal tracking-[-0.28px] transition-colors duration-300 text-heading-black/80 hover:text-heading-black/100" data-track="Link Clicked" data-track-properties="{"label": "Docs"}" href="/kb/1017/install"><span>Docs</span><div class="absolute bottom-[-6px] left-[25%] right-0 z-[100] flex h-[3px] w-[50%] items-center justify-center rounded-[5px] opacity-0 group-hover:opacity-100 bg-heading-black/80"></div></a><a class="group relative text-[14px] font-medium leading-normal tracking-[-0.28px] transition-colors duration-300 text-heading-black/80 hover:text-heading-black/100" data-track="Link Clicked" data-track-properties="{"label": "Blog"}" href="/blog"><span>Blog</span><div class="absolute bottom-[-6px] left-[25%] right-0 z-[100] flex h-[3px] w-[50%] items-center justify-center rounded-[5px] opacity-0 group-hover:opacity-100 bg-heading-black/80"></div></a><a class="group relative text-[14px] font-medium leading-normal tracking-[-0.28px] transition-colors duration-300 text-heading-black/80 hover:text-heading-black/100" data-track="Link Clicked" data-track-properties="{"label": "Pricing"}" href="/pricing"><span>Pricing</span><div class="absolute bottom-[-6px] left-[25%] right-0 z-[100] flex h-[3px] w-[50%] items-center justify-center rounded-[5px] opacity-0 group-hover:opacity-100 bg-heading-black/80"></div></a></nav></div><div class="hidden lg:flex lg:items-center lg:gap-[25px]"><a class="t-14 font-medium opacity-80 transition-colors duration-300 text-heading-black/80 hover:text-black/100" data-track="Link Clicked" data-track-properties="{"label": "Download"}" href="/download">Download</a><a class="t-14 font-medium opacity-80 transition-colors duration-300 text-heading-black/80 hover:text-black/100" data-track="Link Clicked" data-track-properties="{"label": "Log in"}" href="https://login.tailscale.com/welcome">Log in</a><a data-track="Link Clicked" data-track-properties="{"label": "Get started"}" href="https://login.tailscale.com/start"><div class="inline-flex shrink-0 border transition-colors duration-200 w-full xs:w-auto items-center justify-center text-center relative focus:outline-none group transition-all overflow-hidden font-body font-medium rounded-lg group gap-[11px] py-2 px-[17px] leading-[1.46] tracking-[-0.16px] transition-colors duration-300 bg-heading-black border-heading-black text-white hover:bg-black-4 hover:border-black-4 "><div>Get started</div></div></a></div><button type="button" aria-label="Open Menu" class="flex lg:hidden"><svg width="55" height="30" viewBox="0 0 55 30" fill="none" xmlns="http://www.w3.org/2000/svg"><rect class="fill-black-4" x="0.5" y="0.5" width="54" height="29" rx="5.5"></rect><line class="origin-center transition duration-300 rotate-0" x1="17" y1="11.5" x2="38" y2="11.5" stroke="white"></line><line class="origin-center transition duration-300 rotate-0" x1="17" y1="17.5" x2="38" y2="17.5" stroke="white"></line><rect x="0.5" y="0.5" width="54" height="29" rx="5.5" stroke="#242424"></rect></svg></button></div></header><div class="fixed inset-0 z-[90] h-full w-full overflow-auto bg-white px-5 pb-20 pt-24 transition-opacity duration-200 will-change-[opacity] lg:hidden pointer-events-none opacity-0"><div class="space-y-[22px]"><div class="relative overflow-hidden border-b border-stroke-grey pb-6 "><div class="t-20 flex w-full items-center justify-between font-medium "><span>Product</span><span class="flex h-[22px] w-[22px] items-center justify-center rounded-full text-black transition-transform duration-300 rotate-90 bg-black-4 text-white"><svg width="10" height="10" viewBox="0 0 10 10" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" clip-rule="evenodd" d="M5.83344 7.82482L8.83656 4.99835L5.83344 2.17188L5.24469 2.72658L7.24156 4.60599H1.16406V5.3907H7.24156L5.24469 7.27011L5.83344 7.82482Z" fill="currentColor"></path></svg></span></div><div class="flex flex-col transition duration-300 will-change-[height] h-0 opacity-0"><div class="left-[-110px] top-[57px] z-[100] flex flex-col justify-between gap-8 rounded-2xl bg-white py-[30px] will-change-transform lg:absolute lg:flex-row lg:gap-[50px] lg:border lg:px-[30px] xl:left-[-40px]" style="opacity:0"><div class="flex-1 lg:min-w-[266px]"><div class="t-14 relative z-[10] mb-2 text-[#706E6D] lg:mb-[15px] lg:ml-3">Meet Tailscale</div><ul><li class="group relative whitespace-nowrap"><a class="relative z-[10] inline-block w-full rounded-lg px-1 py-2 hover:bg-[#F9F7F6] lg:p-[12px]" data-track="Link Clicked" data-track-properties="{"label": "How it works"}" href="/blog/how-tailscale-works"><div class="flex items-center gap-2"><div class="t-16 relative z-[10] text-heading-black">How it works</div></div></a></li><li class="group relative whitespace-nowrap"><a class="relative z-[10] inline-block w-full rounded-lg px-1 py-2 hover:bg-[#F9F7F6] lg:p-[12px]" data-track="Link Clicked" data-track-properties="{"label": "Why Tailscale"}" href="/why-tailscale"><div class="flex items-center gap-2"><div class="t-16 relative z-[10] text-heading-black">Why Tailscale</div></div></a></li><li class="group relative whitespace-nowrap"><a class="relative z-[10] inline-block w-full rounded-lg px-1 py-2 hover:bg-[#F9F7F6] lg:p-[12px]" data-track="Link Clicked" data-track-properties="{"label": "WireGuard® for Enterprises"}" href="/wireguard-vpn"><div class="flex items-center gap-2"><div class="t-16 relative z-[10] text-heading-black">WireGuard® for Enterprises</div></div></a></li><li class="group relative whitespace-nowrap"><a class="relative z-[10] inline-block w-full rounded-lg px-1 py-2 hover:bg-[#F9F7F6] lg:p-[12px]" data-track="Link Clicked" data-track-properties="{"label": "Bring Tailscale to Work"}" href="/bring-tailscale-to-work"><div class="flex items-center gap-2"><div class="t-16 relative z-[10] text-heading-black">Bring Tailscale to Work</div></div></a></li></ul></div><div class="flex-1 lg:min-w-[266px]"><div class="t-14 relative z-[10] mb-2 text-[#706E6D] lg:mb-[15px] lg:ml-3">Explore</div><ul><li class="group relative whitespace-nowrap"><a class="relative z-[10] inline-block w-full rounded-lg px-1 py-2 hover:bg-[#F9F7F6] lg:p-[12px]" data-track="Link Clicked" data-track-properties="{"label": "Integrations"}" href="/integrations"><div class="flex items-center gap-2"><div class="t-16 relative z-[10] text-heading-black">Integrations</div></div></a></li><li class="group relative whitespace-nowrap"><a class="relative z-[10] inline-block w-full rounded-lg px-1 py-2 hover:bg-[#F9F7F6] lg:p-[12px]" data-track="Link Clicked" data-track-properties="{"label": "Features"}" href="/features"><div class="flex items-center gap-2"><div class="t-16 relative z-[10] text-heading-black">Features</div></div></a></li><li class="group relative whitespace-nowrap"><a class="relative z-[10] inline-block w-full rounded-lg px-1 py-2 hover:bg-[#F9F7F6] lg:p-[12px]" data-track="Link Clicked" data-track-properties="{"label": "Compare Tailscale"}" href="/compare"><div class="flex items-center gap-2"><div class="t-16 relative z-[10] text-heading-black">Compare Tailscale</div></div></a></li><li class="group relative whitespace-nowrap"><a class="relative z-[10] inline-block w-full rounded-lg px-1 py-2 hover:bg-[#F9F7F6] lg:p-[12px]" data-track="Link Clicked" data-track-properties="{"label": "Partnerships"}" href="/partnerships"><div class="flex items-center gap-2"><div class="t-16 relative z-[10] text-heading-black">Partnerships</div></div></a></li></ul></div></div></div></div><div class="relative overflow-hidden border-b border-stroke-grey pb-6 "><div class="t-20 flex w-full items-center justify-between font-medium "><span>Solutions</span><span class="flex h-[22px] w-[22px] items-center justify-center rounded-full text-black transition-transform duration-300 rotate-90 bg-black-4 text-white"><svg width="10" height="10" viewBox="0 0 10 10" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" clip-rule="evenodd" d="M5.83344 7.82482L8.83656 4.99835L5.83344 2.17188L5.24469 2.72658L7.24156 4.60599H1.16406V5.3907H7.24156L5.24469 7.27011L5.83344 7.82482Z" fill="currentColor"></path></svg></span></div><div class="flex flex-col transition duration-300 will-change-[height] h-0 opacity-0"><div class="left-[-110px] top-[57px] z-[100] flex flex-col justify-between gap-8 rounded-2xl bg-white py-[30px] will-change-transform lg:absolute lg:flex-row lg:gap-[50px] lg:border lg:px-[30px] xl:left-[-40px]" style="opacity:0"><div class="flex-1 lg:min-w-[266px]"><div class="t-14 relative z-[10] mb-2 text-[#706E6D] lg:mb-[15px] lg:ml-3">By use-case</div><ul><li class="group relative whitespace-nowrap"><a class="relative z-[10] inline-block w-full rounded-lg px-1 py-2 hover:bg-[#F9F7F6] lg:p-[12px]" data-track="Link Clicked" data-track-properties="{"label": "Remote Access"}" href="/use-cases/remote-access"><div class="flex items-center gap-2"><div class="t-16 relative z-[10] text-heading-black">Remote Access</div></div></a></li><li class="group relative whitespace-nowrap"><a class="relative z-[10] inline-block w-full rounded-lg px-1 py-2 hover:bg-[#F9F7F6] lg:p-[12px]" data-track="Link Clicked" data-track-properties="{"label": "Site-to-site Networking"}" href="/use-cases/site-to-site-networking"><div class="flex items-center gap-2"><div class="t-16 relative z-[10] text-heading-black">Site-to-site Networking</div></div></a></li><li class="group relative whitespace-nowrap"><a class="relative z-[10] inline-block w-full rounded-lg px-1 py-2 hover:bg-[#F9F7F6] lg:p-[12px]" data-track="Link Clicked" data-track-properties="{"label": "Multi-Cloud Networking"}" href="/use-cases/multi-cloud-networking"><div class="flex items-center gap-2"><div class="t-16 relative z-[10] text-heading-black">Multi-Cloud Networking</div></div></a></li><li class="group relative whitespace-nowrap"><a class="relative z-[10] inline-block w-full rounded-lg px-1 py-2 hover:bg-[#F9F7F6] lg:p-[12px]" data-track="Link Clicked" data-track-properties="{"label": "Kubernetes Networking"}" href="/use-cases/kubernetes"><div class="flex items-center gap-2"><div class="t-16 relative z-[10] text-heading-black">Kubernetes Networking</div></div></a></li><li class="group relative whitespace-nowrap"><a class="relative z-[10] inline-block w-full rounded-lg px-1 py-2 hover:bg-[#F9F7F6] lg:p-[12px]" data-track="Link Clicked" data-track-properties="{"label": "Edge & IoT Deployments"}" href="/use-cases/iot"><div class="flex items-center gap-2"><div class="t-16 relative z-[10] text-heading-black">Edge & IoT Deployments</div></div></a></li><li class="group relative whitespace-nowrap"><a class="relative z-[10] inline-block w-full rounded-lg px-1 py-2 hover:bg-[#F9F7F6] lg:p-[12px]" data-track="Link Clicked" data-track-properties="{"label": "Zero Trust Networking"}" href="/use-cases/zero-trust-networking"><div class="flex items-center gap-2"><div class="t-16 relative z-[10] text-heading-black">Zero Trust Networking</div></div></a></li><li class="group relative whitespace-nowrap"><a class="relative z-[10] inline-block w-full rounded-lg px-1 py-2 hover:bg-[#F9F7F6] lg:p-[12px]" data-track="Link Clicked" data-track-properties="{"label": "AI Workloads"}" href="/use-cases/ai"><div class="flex items-center gap-2"><div class="t-16 relative z-[10] text-heading-black">AI Workloads</div></div></a></li><li class="group relative whitespace-nowrap"><a class="relative z-[10] inline-block w-full rounded-lg px-1 py-2 hover:bg-[#F9F7F6] lg:p-[12px]" data-track="Link Clicked" data-track-properties="{"label": "Secure SaaS"}" href="/use-cases/secure-saas"><div class="flex items-center gap-2"><div class="t-16 relative z-[10] text-heading-black">Secure SaaS</div></div></a></li><li class="group relative whitespace-nowrap"><a class="relative z-[10] inline-block w-full rounded-lg px-1 py-2 hover:bg-[#F9F7F6] lg:p-[12px]" data-track="Link Clicked" data-track-properties="{"label": "Business VPN"}" href="/use-cases/business-vpn"><div class="flex items-center gap-2"><div class="t-16 relative z-[10] text-heading-black">Business VPN</div></div></a></li><li class="group relative whitespace-nowrap"><a class="relative z-[10] inline-block w-full rounded-lg px-1 py-2 hover:bg-[#F9F7F6] lg:p-[12px]" data-track="Link Clicked" data-track-properties="{"label": "Homelab"}" href="/use-cases/homelab"><div class="flex items-center gap-2"><div class="t-16 relative z-[10] text-heading-black">Homelab</div></div></a></li></ul></div><div class="flex-1 lg:min-w-[266px]"><div class="t-14 relative z-[10] mb-2 text-[#706E6D] lg:mb-[15px] lg:ml-3">By role</div><ul><li class="group relative whitespace-nowrap"><a class="relative z-[10] inline-block w-full rounded-lg px-1 py-2 hover:bg-[#F9F7F6] lg:p-[12px]" data-track="Link Clicked" data-track-properties="{"label": "DevOps"}" href="/solutions/devops"><div class="flex items-center gap-2"><div class="t-16 relative z-[10] text-heading-black">DevOps</div></div></a></li><li class="group relative whitespace-nowrap"><a class="relative z-[10] inline-block w-full rounded-lg px-1 py-2 hover:bg-[#F9F7F6] lg:p-[12px]" data-track="Link Clicked" data-track-properties="{"label": "IT"}" href="/solutions/it"><div class="flex items-center gap-2"><div class="t-16 relative z-[10] text-heading-black">IT</div></div></a></li><li class="group relative whitespace-nowrap"><a class="relative z-[10] inline-block w-full rounded-lg px-1 py-2 hover:bg-[#F9F7F6] lg:p-[12px]" data-track="Link Clicked" data-track-properties="{"label": "Security"}" href="/solutions/security"><div class="flex items-center gap-2"><div class="t-16 relative z-[10] text-heading-black">Security</div></div></a></li></ul></div></div></div></div><div class="relative overflow-hidden border-b border-stroke-grey pb-6 "><a class="t-20 flex w-full items-center justify-between font-medium " href="/enterprise"><span>Enterprise</span><span class="flex h-[22px] w-[22px] items-center justify-center rounded-full text-black transition-transform duration-300 -rotate-0 bg-grey-2"><svg width="10" height="10" viewBox="0 0 10 10" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" clip-rule="evenodd" d="M5.83344 7.82482L8.83656 4.99835L5.83344 2.17188L5.24469 2.72658L7.24156 4.60599H1.16406V5.3907H7.24156L5.24469 7.27011L5.83344 7.82482Z" fill="currentColor"></path></svg></span></a><div class="flex flex-col transition duration-300 will-change-[height] h-0 opacity-0"><div class="left-[-110px] top-[57px] z-[100] flex flex-col justify-between gap-8 rounded-2xl bg-white py-[30px] will-change-transform lg:absolute lg:flex-row lg:gap-[50px] lg:border lg:px-[30px] xl:left-[-40px]" style="opacity:0"><div class="flex-1 lg:min-w-[266px]"><ul></ul></div></div></div></div><div class="relative overflow-hidden border-b border-stroke-grey pb-6 "><a class="t-20 flex w-full items-center justify-between font-medium " href="/customers"><span>Customers</span><span class="flex h-[22px] w-[22px] items-center justify-center rounded-full text-black transition-transform duration-300 -rotate-0 bg-grey-2"><svg width="10" height="10" viewBox="0 0 10 10" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" clip-rule="evenodd" d="M5.83344 7.82482L8.83656 4.99835L5.83344 2.17188L5.24469 2.72658L7.24156 4.60599H1.16406V5.3907H7.24156L5.24469 7.27011L5.83344 7.82482Z" fill="currentColor"></path></svg></span></a><div class="flex flex-col transition duration-300 will-change-[height] h-0 opacity-0"><div class="left-[-110px] top-[57px] z-[100] flex flex-col justify-between gap-8 rounded-2xl bg-white py-[30px] will-change-transform lg:absolute lg:flex-row lg:gap-[50px] lg:border lg:px-[30px] xl:left-[-40px]" style="opacity:0"><div class="flex-1 lg:min-w-[266px]"><ul></ul></div></div></div></div><div class="relative overflow-hidden border-b border-stroke-grey pb-6 "><a class="t-20 flex w-full items-center justify-between font-medium " href="/kb/1017/install"><span>Docs</span><span class="flex h-[22px] w-[22px] items-center justify-center rounded-full text-black transition-transform duration-300 -rotate-0 bg-grey-2"><svg width="10" height="10" viewBox="0 0 10 10" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" clip-rule="evenodd" d="M5.83344 7.82482L8.83656 4.99835L5.83344 2.17188L5.24469 2.72658L7.24156 4.60599H1.16406V5.3907H7.24156L5.24469 7.27011L5.83344 7.82482Z" fill="currentColor"></path></svg></span></a><div class="flex flex-col transition duration-300 will-change-[height] h-0 opacity-0"><div class="left-[-110px] top-[57px] z-[100] flex flex-col justify-between gap-8 rounded-2xl bg-white py-[30px] will-change-transform lg:absolute lg:flex-row lg:gap-[50px] lg:border lg:px-[30px] xl:left-[-40px]" style="opacity:0"><div class="flex-1 lg:min-w-[266px]"><ul></ul></div></div></div></div><div class="relative overflow-hidden border-b border-stroke-grey pb-6 "><a class="t-20 flex w-full items-center justify-between font-medium " href="/blog"><span>Blog</span><span class="flex h-[22px] w-[22px] items-center justify-center rounded-full text-black transition-transform duration-300 -rotate-0 bg-grey-2"><svg width="10" height="10" viewBox="0 0 10 10" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" clip-rule="evenodd" d="M5.83344 7.82482L8.83656 4.99835L5.83344 2.17188L5.24469 2.72658L7.24156 4.60599H1.16406V5.3907H7.24156L5.24469 7.27011L5.83344 7.82482Z" fill="currentColor"></path></svg></span></a><div class="flex flex-col transition duration-300 will-change-[height] h-0 opacity-0"><div class="left-[-110px] top-[57px] z-[100] flex flex-col justify-between gap-8 rounded-2xl bg-white py-[30px] will-change-transform lg:absolute lg:flex-row lg:gap-[50px] lg:border lg:px-[30px] xl:left-[-40px]" style="opacity:0"><div class="flex-1 lg:min-w-[266px]"><ul></ul></div></div></div></div><div class="relative overflow-hidden border-b border-stroke-grey pb-6 "><a class="t-20 flex w-full items-center justify-between font-medium " href="/pricing"><span>Pricing</span><span class="flex h-[22px] w-[22px] items-center justify-center rounded-full text-black transition-transform duration-300 -rotate-0 bg-grey-2"><svg width="10" height="10" viewBox="0 0 10 10" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" clip-rule="evenodd" d="M5.83344 7.82482L8.83656 4.99835L5.83344 2.17188L5.24469 2.72658L7.24156 4.60599H1.16406V5.3907H7.24156L5.24469 7.27011L5.83344 7.82482Z" fill="currentColor"></path></svg></span></a><div class="flex flex-col transition duration-300 will-change-[height] h-0 opacity-0"><div class="left-[-110px] top-[57px] z-[100] flex flex-col justify-between gap-8 rounded-2xl bg-white py-[30px] will-change-transform lg:absolute lg:flex-row lg:gap-[50px] lg:border lg:px-[30px] xl:left-[-40px]" style="opacity:0"><div class="flex-1 lg:min-w-[266px]"><ul></ul></div></div></div></div><div class="relative overflow-hidden border-b border-stroke-grey pb-6 "><a class="t-20 flex w-full items-center justify-between font-medium " href="/download"><span>Download</span><span class="flex h-[22px] w-[22px] items-center justify-center rounded-full text-black transition-transform duration-300 -rotate-0 bg-grey-2"><svg width="10" height="10" viewBox="0 0 10 10" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" clip-rule="evenodd" d="M5.83344 7.82482L8.83656 4.99835L5.83344 2.17188L5.24469 2.72658L7.24156 4.60599H1.16406V5.3907H7.24156L5.24469 7.27011L5.83344 7.82482Z" fill="currentColor"></path></svg></span></a><div class="flex flex-col transition duration-300 will-change-[height] h-0 opacity-0"></div></div></div><a class="mt-[42px] block" data-track="Link Clicked" data-track-properties="{"label": "Get started"}" href="https://login.tailscale.com/start"><div class="inline-flex shrink-0 border transition-colors duration-200 w-full xs:w-auto items-center justify-center text-center relative focus:outline-none group transition-all overflow-hidden font-body font-medium rounded-lg group gap-[11px] py-2 px-[17px] leading-[1.46] tracking-[-0.16px] !w-full py-3 bg-heading-black border-heading-black text-white hover:bg-black-4 hover:border-black-4 "><div>Get started</div></div></a><a class="mt-[15px] block" data-track="Link Clicked" data-track-properties="{"label": "Login"}" href="https://login.tailscale.com/welcome"><div class="inline-flex shrink-0 border transition-colors duration-200 w-full xs:w-auto items-center justify-center text-center relative focus:outline-none group transition-all overflow-hidden font-body font-medium rounded-lg group gap-[11px] py-2 px-[17px] leading-[1.46] tracking-[-0.16px] !w-full py-3 bg-grey-3 border-grey-3 text-heading-black"><div>Login</div></div></a><div class="t-14 mx-auto mt-[55px] max-w-[264px] text-center text-black-4/60">WireGuard is a registered trademark of Jason A. Donenfeld.</div><div class="mt-[35px] flex flex-wrap justify-center gap-[14px]"><a class="t-16 !leading-[1.05] underline underline-offset-4" href="/terms">Terms of Service</a><a class="t-16 !leading-[1.05] underline underline-offset-4" href="/privacy-policy">Privacy Policy</a></div><div class="mt-[60px] flex items-center justify-center gap-[8px]"><span class="scale-[1.1] text-heading-black transition-colors duration-300 hover:text-red-1"><svg width="28" height="29" viewBox="0 0 28 29" fill="none" xmlns="http://www.w3.org/2000/svg"><rect y="0.988281" width="28" height="28" rx="14" fill="currentColor"></rect><path class=" transition-colors duration-300 group-hover:fill-heading-black" d="M8.03169 9L13.0509 15.0672L8 20H9.13675L13.5587 15.6812L17.1317 20H21L15.6985 13.5916L20.3997 9H19.263L15.1906 12.9775L11.9001 9H8.03169ZM9.70337 9.75698H11.4805L19.3281 19.2429H17.551L9.70337 9.75698Z" fill="white"></path></svg></span><span class="scale-[1.1] text-heading-black transition-colors duration-300 hover:text-red-1"><svg width="28" height="28" viewBox="0 0 28 28" fill="none" xmlns="http://www.w3.org/2000/svg"><rect x="0.21875" width="27.2195" height="27.2195" rx="13.6098" fill="currentColor"></rect><path class=" transition-colors duration-300 group-hover:fill-heading-black" d="M12.434 19.6598L12.4179 14.8081H10.3008V12.7289H12.4179V11.3427C12.4179 9.47188 13.5974 8.57031 15.2966 8.57031C16.1106 8.57031 16.8101 8.62983 17.014 8.65643V10.6115L15.8355 10.612C14.9114 10.612 14.7324 11.0433 14.7324 11.6762V12.7289H17.3577L16.652 14.8081H14.7324V19.6598H12.434Z" fill="#fff"></path></svg></span><span class="scale-[1.1] text-heading-black transition-colors duration-300 hover:text-red-1"><svg width="28" height="28" viewBox="0 0 28 28" fill="none" xmlns="http://www.w3.org/2000/svg"><rect x="0.439453" width="27.2195" height="27.2195" rx="13.6098" fill="currentColor"></rect><path class=" transition-colors duration-300 group-hover:fill-heading-black" d="M8.68685 18.6518H10.8825V11.5871H8.68685V18.6518Z" fill="white"></path><path class=" transition-colors duration-300 group-hover:fill-heading-black" d="M8.50195 9.34036C8.50195 10.0352 9.07976 10.6143 9.77312 10.6143C10.4896 10.6143 11.0443 10.0584 11.0443 9.34036C11.0443 8.64547 10.4665 8.06641 9.77312 8.06641C9.07976 8.06641 8.50195 8.64547 8.50195 9.34036Z" fill="white"></path><path class=" transition-colors duration-300 group-hover:fill-heading-black" d="M16.8917 18.6518H19.0873V14.7836C19.0873 12.8843 18.6713 11.425 16.4525 11.425C15.3894 11.425 14.6729 12.0041 14.3724 12.56H14.3493V11.5871H12.2461V18.6518H14.4418V15.1542C14.4418 14.2509 14.6267 13.3475 15.7592 13.3475C16.8686 13.3475 16.8917 14.413 16.8917 15.2237V18.6518Z" fill="white"></path></svg></span><span class="scale-[1.1] text-heading-black transition-colors duration-300 hover:text-red-1"><svg width="28" height="28" viewBox="0 0 28 28" fill="none" xmlns="http://www.w3.org/2000/svg"><rect x="0.658203" width="27.2195" height="27.2195" rx="13.6098" fill="currentColor"></rect><path class=" transition-colors duration-300 group-hover:fill-heading-black" d="M19.6754 11.46C19.5368 10.5863 19.121 9.98138 18.1506 9.84696C16.6258 9.57813 14.2693 9.57812 14.2693 9.57812C14.2693 9.57812 11.9128 9.57813 10.388 9.84696C9.4177 9.98138 8.93254 10.5863 8.86323 11.46C8.72461 12.3337 8.72461 13.6106 8.72461 13.6106C8.72461 13.6106 8.72461 14.8876 8.86323 15.7613C9.00185 16.635 9.4177 17.2399 10.388 17.3743C11.9128 17.6432 14.2693 17.6432 14.2693 17.6432C14.2693 17.6432 16.6258 17.6432 18.1506 17.3743C19.121 17.1727 19.5368 16.635 19.6754 15.7613C19.814 14.8876 19.814 13.6106 19.814 13.6106C19.814 13.6106 19.814 12.3337 19.6754 11.46ZM12.8831 15.6269V11.5944L16.3486 13.6106L12.8831 15.6269Z" fill="white"></path></svg></span></div><div class="t-14 mx-auto mt-10 max-w-[264px] text-center text-black-4/60"> © 2024 Tailscale Inc. All rights reserved. Tailscale is a registered trademark of Tailscale Inc.</div></div><main class="mt-[-60px] lg:mt-[-66px]"><section class="overflow-x-clip pt-20 md:pt-[110px]"><div class="is-wide container"><div class="flex items-center gap-[30px] "><a type="button" aria-label="Go back" class="t-18 flex items-center gap-[5px]" data-track="Link Clicked" data-track-properties="{"label": "Go Back"}" href="/"><svg width="12" height="12" viewBox="0 0 12 12" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M7.98047 2.21094L4.01953 6.17188L7.98047 10.1328" stroke="url(#paint0_radial_243_61489)" stroke-width="1.2" stroke-miterlimit="10" stroke-linecap="square"></path><defs><radialGradient id="paint0_radial_243_61489" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="translate(7.98047 7.22813) rotate(-165.069) scale(4.09935 7.79047)"><stop stop-color="#373636"></stop><stop offset="1" stop-color="#212121"></stop></radialGradient></defs></svg><span>Go back</span></a><div class="t-18 hidden items-center gap-3 md:flex"><div class="flex items-center gap-[5px] text-subheading-black"><a class="transition-colors duration-300 hover:text-heading-black" data-track="Link Clicked" data-track-properties="{"label": "Learn"}" href="/learn">Learn</a><div class="rotate-180"><svg width="12" height="12" viewBox="0 0 12 12" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M7.98047 2.21094L4.01953 6.17188L7.98047 10.1328" stroke="currentColor" stroke-width="1.2" stroke-miterlimit="10" stroke-linecap="square"></path></svg></div></div><div>Understanding privileged access management</div></div></div></div><div class="container"><div class="mt-8 w-full max-w-[950px] md:mt-[100px]"><h1 class="t-72 text-heading-black">Understanding privileged access management</h1><p class="t-20 mt-4 max-w-[780px] text-subheading-black">Privileged access management (PAM) is the practice of restricting or allowing permissions for users to create a more streamlined workflow. (This is distinct from pluggable authentication modules, which is commonly used on Unix systems and also goes by the acronym PAM.) In this guide, you will learn how PAM can help safeguard your organization’s digital workspace and enhance productivity.</p><div class="t-18 mt-5 flex gap-2 md:mt-[35px]"><span class="text-subheading-black">Written By</span><div class="flex flex-wrap gap-[26px] text-[#787676]"><div class="flex flex-wrap items-center gap-[10px]"><div class="items-center text-black">Eric Kahuha</div></div></div></div></div></div></section><section class="my-16 md:my-[120px]"><div class="container"><div class="flex flex-col-reverse justify-between gap-6 md:flex-row"><div class="basis-72"><div class="sticky top-20"><nav class="table-of-content t-18 mb-[95px] hidden space-y-4 md:block"><a href="#the-value-of-privileged-access-management" class="block text-start text-black" data-anchor-level="3">The value of privileged access management</a><a href="#what-are-privileges-and-permissions" class="block text-start text-subheading-black" data-anchor-level="3">What are privileges and permissions?</a><a href="#what-is-privileged-account-management" class="block text-start text-subheading-black" data-anchor-level="3">What is privileged account management?</a><a href="#what-is-privileged-session-management" class="block text-start text-subheading-black" data-anchor-level="3">What is privileged session management?</a><a href="#implementing-privileged-access-management" class="block text-start text-subheading-black" data-anchor-level="3">Implementing privileged access management</a><a href="#the-principle-of-least-privilege" class="block text-start text-subheading-black" data-anchor-level="3">The principle of least privilege</a><a href="#automating-privilege-management" class="block text-start text-subheading-black" data-anchor-level="3">Automating privilege management</a><a href="#final-thoughts" class="block text-start text-subheading-black" data-anchor-level="3">Final thoughts</a></nav></div></div><div class="w-full max-w-[950px] flex-1"><div class="mx-auto w-full max-w-[730px]"><div class=""><div class="content-prose blog prism prose "><p>In the modern business environment, organizations must manage secure access to resources and systems to maintain productivity, collaboration, and growth. At the same time, businesses have evolved to use an increasingly distributed workforce, relying on contractors and third-party vendors to handle part of their workload, which makes secure access ever more challenging. Fortunately, privileged access management, or PAM (not the authentication framework commonly used in UNIX systems also known as PAM), allows us to establish a more streamlined workflow to improve productivity.</p><p>PAM involves creating and managing privileged accounts within an IT environment. Privileged accounts have greater access or more permissions than those of a standard user. The use of privileged accounts aims to keep workers focused on their work, prevent others from tampering with that work, and minimize the likelihood of problems caused by misuse of privileges.</p><p>In this article, you’ll come to understand the importance of PAM and its components, including privileged account management and privileged session management. You’ll also learn answers to some of the most frequently asked questions about privileged access management.</p><p></p><div></div><h3 id="the-value-of-privileged-access-management"><span class="group">The value of privileged access management<a class="select-none opacity-0 !transition group-hover:opacity-100" href="#the-value-of-privileged-access-management" aria-hidden="true"> <svg class="inline" xmlns="http://www.w3.org/2000/svg" width="0.4em" height="0.4em" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></a></span></h3><p>As businesses grow, they accumulate more applications, services, and accounts. It’s important to have a solid plan for managing privileges and passwords before they become too complex for the IT department to handle manually.</p><p>Privileged access management is an essential part of maintaining a secure IT environment. It involves providing elevated privileges to individuals only when those privileges are explicitly required for the individual’s role or position. This reduces the possibility that a compromised account could be used by a malicious attacker or insider.</p><p>The most critical part of PAM is managing access privileges to encourage organization, accountability, and ease of navigation. For example, it’s common for employees to access systems that don’t directly pertain to their job function or department. To increase security for these systems, PAM grants employees access only to the resources they require to do their jobs, and nothing more. In addition to increasing security, this makes things easier for employees by reducing the likelihood of a security breach, streamlining access to needed resources, reducing the chances of human error, and making clear what resources they are — or aren’t — expected to use.</p><p>Reducing the risk associated with privileged account abuse also reduces the likelihood of data confidentiality, integrity, and availability issues arising.</p><p>To better understand PAM, we will take a detailed look at the major components of PAM and learn how we can best implement PAM processes. But first, we need to understand what permissions and privileges mean.</p><div></div><h3 id="what-are-privileges-and-permissions"><span class="group">What are privileges and permissions?<a class="select-none opacity-0 !transition group-hover:opacity-100" href="#what-are-privileges-and-permissions" aria-hidden="true"> <svg class="inline" xmlns="http://www.w3.org/2000/svg" width="0.4em" height="0.4em" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></a></span></h3><p>Privileged users have an increased ability to make changes to a system. Examples of privileges given to specific users include configuring systems or apps (including creating, adding, and removing user accounts); maintaining databases, workstations, and servers; and managing domain controllers. Privileged users can also load device drivers and configure cloud instances and accounts.</p><p>Privileged users often have different levels of privilege, which means that not everyone has the same amount of access. Users of domain administrative accounts have the highest levels of access and are the keepers of the keys to the IT kingdom. They have absolute authority over domain controllers. The power to change the membership of an administrative account in the domain is in their hands.</p><p>Privileged accounts need to be powerful so their users have sufficient access to perform their tasks, but the privileges can be dangerous if abused. Misuse of permissions, whether accidentally, intentionally, or maliciously, can lead to downtime, loss of sensitive data, negative publicity, and compliance failures.</p><p>Properly approving, controlling, decommissioning, and monitoring privileged accounts throughout their lifecycle is a standard IT governance practice. It ensures that privileged accounts are not misused within an organization. In addition to the standard IT governance, organizations may choose to run criminal or background checks on privileged users to help ensure the safety and security of their data, systems, and processes.</p><div></div><h3 id="what-is-privileged-account-management"><span class="group">What is privileged account management?<a class="select-none opacity-0 !transition group-hover:opacity-100" href="#what-is-privileged-account-management" aria-hidden="true"> <svg class="inline" xmlns="http://www.w3.org/2000/svg" width="0.4em" height="0.4em" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></a></span></h3><p>Privileged account management protects the security system from deliberate or accidental misuse of privileged accounts. The process uses policy-based strategies and software to restrict access to sensitive data and systems. Privileged accounts have high levels of access to data, devices, and systems, and can perform tasks that users with standard accounts cannot, such as deleting data, upgrading operating systems, modifying application configurations, and installing or uninstalling software.</p><p>Managing privileged accounts involves securely storing privileged identities such as SSH keys and credentials. You can use a standardized encryption algorithm like <a target="" rel="noreferrer" href="https://cybernews.com/resources/what-is-aes-encryption/">AES-256</a> to secure privileged identities.</p><p>To protect privileged accounts from security breaches, you should audit privileged user logins, password sharing, password resets, and other identity-related operations. A PAM best security practice is to enforce policies requiring users to adopt complex passwords, utilize strong SSH key pairs, and auto-rotate passwords.</p><p>Managing privileged accounts is more important now than ever before, especially with the increase in remote working and the adoption of the internet of things (IoT) and cloud environments. Controlling access to privileged accounts requires more than just using a strong password. Organizations need to depend on more structured means of access management, such as multi-factor authentication.</p><div></div><h3 id="what-is-privileged-session-management"><span class="group">What is privileged session management?<a class="select-none opacity-0 !transition group-hover:opacity-100" href="#what-is-privileged-session-management" aria-hidden="true"> <svg class="inline" xmlns="http://www.w3.org/2000/svg" width="0.4em" height="0.4em" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></a></span></h3><p>Granting privileged users uncontrolled access to an organization’s critical systems creates a security loophole. A secure IT infrastructure involves more than controlling what permissions privileged users are granted — it also includes monitoring what these users do during their active privileged access sessions and terminating inappropriate activities.</p><p>Privileged session management (PSM) acts as an additional security layer to regulate privileged access to an organization’s critical systems by monitoring the sessions of privileged users. This includes recording sessions of privileged users and continually monitoring and auditing the activities of users, applications, systems, and third-party contractors.</p><p>By recording and monitoring the activities of every privileged user from the time they start to the time they end a session, you can proactively recognize a compromised account. With the ability to view active connections, you can notify or terminate unauthorized or suspicious connections in real time.</p><div></div><h3 id="implementing-privileged-access-management"><span class="group">Implementing privileged access management<a class="select-none opacity-0 !transition group-hover:opacity-100" href="#implementing-privileged-access-management" aria-hidden="true"> <svg class="inline" xmlns="http://www.w3.org/2000/svg" width="0.4em" height="0.4em" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></a></span></h3><p>How you implement the PAM program is one determining factor in its success in protecting the organization from malicious actors, both internal and external. You need to create a concrete plan that guides this implementation.</p><p>To begin, you need to identify what permissions you need to assign to the privileged accounts. For example, you may want privileged users to access sensitive company data, install or update security patches, create or modify user accounts, and configure or otherwise make changes to systems.</p><p>The next step is determining who needs access to what systems, as well as <em>how much</em> access is required and <em>when</em> it’s required. This access should be in line with the user’s role in the organization’s IT infrastructure, so you’ll need to determine which groups and users will be granted administrative privileges within each system or application.</p><p>Once you’ve given the accounts access to specific systems, you need to monitor and audit the activities of privileged users for accountability. Tracking and logging privileged sessions is one way to increase accountability. Keeping a detailed log of all privileged sessions will enable you to identify any system anomalies.</p><div></div><h3 id="the-principle-of-least-privilege"><span class="group">The principle of least privilege<a class="select-none opacity-0 !transition group-hover:opacity-100" href="#the-principle-of-least-privilege" aria-hidden="true"> <svg class="inline" xmlns="http://www.w3.org/2000/svg" width="0.4em" height="0.4em" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></a></span></h3><p>PAM is founded on the principle of least privilege (PoLP). Following PoLP, each privileged user, workload, network, or device has access to only the systems and the level of resources they need to execute assigned tasks. If workers are given only those privileges they need to complete a task, there will be fewer distractions and opportunities for external interference.</p><p>PoLP minimizes the attack surface in case of a malware attack. Since users have limited rights, even if the account is compromised, there’s a limit to the damage that can be done. For example, when most accounts don’t have installation rights, even a compromised account can’t become a vector for malware.</p><p>You can implement PoLP to allow users access to an application for a predetermined period of time. This is interlinked with the just-in-time (JIT) privileged access model. JIT access provisioning allows you to grant privileged users limited, on-demand access to IT resources and eliminates the risks of standing privileges. Remote workers, third parties, developers, and service accounts need JIT access.</p><p><a target="" rel="noreferrer" href="https://en.wikipedia.org/wiki/Role-based_access_control">Role-based access control</a> (RBAC), which assigns permissions to roles rather than individuals, can help implement PoLP. Assuming a case where each employee is only assigned a single role in an organization, a marketing analyst, for instance, would have access to marketing lists. But if that employee moves to the finance department as a financial analyst, they would lose access to marketing data. The analyst now requires access to financial reports to enable them to do their job.</p><div></div><h3 id="automating-privilege-management"><span class="group">Automating privilege management<a class="select-none opacity-0 !transition group-hover:opacity-100" href="#automating-privilege-management" aria-hidden="true"> <svg class="inline" xmlns="http://www.w3.org/2000/svg" width="0.4em" height="0.4em" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></a></span></h3><p>Privileged access management involves many potential steps. Managing PAM processes manually is an intensive, error-prone process of controlling privilege risk, so it’s important to automate as much of the process as possible. Once PAM processes are configured, software automation can take over privilege management.</p><p>You can rely on automated privileged access management solutions to eliminate manual management and monitoring of privileged accounts, and to streamline workflows by reducing administrative complexity. These tools can scale across millions of privileged users and accounts to improve IT infrastructure security.</p><p>Automation also allows you to audit the usage of privileged accounts in real time and detect suspicious activity. You’re also able to automate the lifecycle of privileges, from password generation to disposal and replacement, so you don’t have to worry about manually resetting passwords when administrators leave an organization or change roles. The privileged access lifecycle involves streamlining user provisioning and de-provisioning, managing access, and verifying the actions of privileged users.</p><div></div><h3 id="final-thoughts"><span class="group">Final thoughts<a class="select-none opacity-0 !transition group-hover:opacity-100" href="#final-thoughts" aria-hidden="true"> <svg class="inline" xmlns="http://www.w3.org/2000/svg" width="0.4em" height="0.4em" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></a></span></h3><p>PAM is an essential element of information security and an efficient means to provide secure access to an organization’s systems and resources. When it is properly implemented and integrated into other security aspects, this concept can make it easier to manage user access and reduce the number of security breaches. It also promotes accountability and better cohesion within an organization.</p><p>Tailscale allows you to create a secure network between servers, cloud instances, and computers to further improve IT infrastructure security. Tailscale’s zero configuration VPN ensures secure remote access to an organization’s applications and devices. Learn more about how you can <a target="" rel="noreferrer" href="https://tailscale.com/">build secure networks with Tailscale</a>.</p></div></div></div></div></div></div></section><section class="bg-grey-1 pb-6 pt-16 md:pb-0 md:pt-[160px]"><div class="container"><div class="flex w-full flex-col justify-between gap-6 gap-y-12 md:flex-row"><div class="max-w-[280px] flex-1 "><h2 class="t-48">FAQs</h2></div><div class="max-w-[950px] flex-1"><div class="mx-auto w-full max-w-[730px]"><div class="flex flex-col gap-3 col-span-3"><div class="rounded-2xl border border-grayNew-2 bg-white p-6"><h3 class="featured-body-new font-medium text-grayNew-7 [&_li]:text-grayNew-5 [&_p]:body-new" id="what-does-pam-do"><a href="#what-does-pam-do">What does PAM do?</a></h3><div class="!body-new prism blog"><div class="content-prose !ts-prose"><p>Privileged access management helps organizations protect sensitive data and systems by allowing only the right people to access exactly what they need, when they need it. It also allows security teams to control and monitor user access privileges and quickly respond to potential threats.</p></div></div></div><div class="rounded-2xl border border-grayNew-2 bg-white p-6"><h3 class="featured-body-new font-medium text-grayNew-7 [&_li]:text-grayNew-5 [&_p]:body-new" id="why-do-we-need-pam"><a href="#why-do-we-need-pam">Why do we need PAM?</a></h3><div class="!body-new prism blog"><div class="content-prose !ts-prose"><p>PAM reduces the risk of a security breach by protecting against accidental or malicious misuse of privileged access. Through PAM, privileged user activity is monitored and controlled.</p></div></div></div><div class="rounded-2xl border border-grayNew-2 bg-white p-6"><h3 class="featured-body-new font-medium text-grayNew-7 [&_li]:text-grayNew-5 [&_p]:body-new" id="how-does-pam-work"><a href="#how-does-pam-work">How does PAM work?</a></h3><div class="!body-new prism blog"><div class="content-prose !ts-prose"><p>PAM takes a multilayered approach to securing privileged accounts. It involves access provisioning, session management, and activity monitoring.</p></div></div></div><div class="rounded-2xl border border-grayNew-2 bg-white p-6"><h3 class="featured-body-new font-medium text-grayNew-7 [&_li]:text-grayNew-5 [&_p]:body-new" id="what-is-the-difference-between-pim-iam-and-pam"><a href="#what-is-the-difference-between-pim-iam-and-pam">What is the difference between PIM, IAM, and PAM?</a></h3><div class="!body-new prism blog"><div class="content-prose !ts-prose"><p>Privileged access management focuses on the security surrounding privileged users and accounts with elevated rights and permissions. It is a subset of identity access management (IAM). IAM deals with the security requirements around those who need to perform or request privileged tasks or activities on behalf of an organization.<br/><br/>Privileged identity management (PIM) is a subset of PAM that addresses the management of privileged accounts and protects the credentials used by these accounts.</p></div></div></div><div class="rounded-2xl border border-grayNew-2 bg-white p-6"><h3 class="featured-body-new font-medium text-grayNew-7 [&_li]:text-grayNew-5 [&_p]:body-new" id="what-is-a-pam-tool"><a href="#what-is-a-pam-tool">What is a PAM tool?</a></h3><div class="!body-new prism blog"><div class="content-prose !ts-prose"><p>A privileged access management tool is software that gives organizations the ability to consolidate, control, and monitor privileged accounts, user activity, access requests, sessions, and passwords.</p></div></div></div></div></div></div></div></div></section></main><section class=" pb-[50px] pt-10 lg:pt-[175px] bg-grey-1"><div class="is-wide container flex flex-col gap-6 md-large:flex-row"><div class="flex flex-1 flex-col justify-between rounded-[14px] bg-[#420000] overflow-hidden"><div class="relative z-10 flex-1 overflow-hidden px-[48px] py-[80px]"><div class="absolute bottom-[0%] -right-[1.5px] h-full w-auto opacity-25 xs:opacity-100 md:opacity-100 md-large:opacity-25 xl:opacity-100"><div class="flex h-full w-auto justify-end"><svg width="100%" height="100%" viewBox="0 0 263 394" fill="none" xmlns="http://www.w3.org/2000/svg"><rect x="131.334" width="131.333" height="131.333" rx="65.6667" fill="#940821"/><rect x="131.334" y="131.333" width="131.333" height="262.667" rx="65.6667" fill="#ED6F66"/><rect y="394" width="131.333" height="131.333" rx="65.6667" transform="rotate(-90 0 394)" fill="#940821"/><path d="M131.334 0C58.7854 2.30606e-06 0.000657996 58.7848 0.000660303 131.333L131.334 131.333L131.334 0Z" fill="#ED6F66"/><rect y="262.667" width="131.333" height="131.333" transform="rotate(-90 0 262.667)" fill="#940821"/></svg></div></div><div class="text-left mx-0 relative z-10"><h2 class="t-h3 text-white mb-4 md:mb-8" style="max-width:292px;color:#ED6F66">Try Tailscale for <span class="text-white">free</span></h2><div class="w-full xs:w-auto flex justify-start"><div class="flex w-full !w-auto flex-col gap-y-4 xs:w-auto xs:flex-row xs:items-center xs:space-x-5 md:space-x-[30px]"><a target="" data-track="Link Clicked" data-track-properties="{"label": "Get started"}" href="https://login.tailscale.com/start"><div class="inline-flex shrink-0 border transition-colors duration-200 w-full xs:w-auto items-center justify-center text-center relative focus:outline-none group transition-all overflow-hidden font-body font-medium rounded-lg group gap-[11px] py-2 px-[17px] leading-[1.46] tracking-[-0.16px] bg-heading-white border-white text-heading-black hover:bg-grey-2 hover:border-grey-2"><div>Get started</div><div class="relative "><span class="block will-change-transform" style="opacity:1;transform:none"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 18" class="w-4"><use href="/sprite.svg#arrowRight"></use></svg></span><span class="absolute inset-0 block will-change-transform" style="opacity:0;transform:translateX(-15px) translateY(0px) translateZ(0)"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 18" class="w-4"><use href="/sprite.svg#arrowRight"></use></svg></span></div></div></a></div></div></div></div><div class="relative w-full rounded-b-[14px] px-[48px] py-[60px] bg-[#ED6F66]" style="color:#1F1E1E"><div class="t-h5 !font-normal">Schedule a demo</div><a class="mt-3 block" data-track="Link Clicked" data-track-properties="{"label": "/contact/sales"}" href="/contact/sales"><div class="inline-flex shrink-0 border transition-colors duration-200 w-full xs:w-auto items-center justify-center text-center relative focus:outline-none group transition-all overflow-hidden font-body font-medium rounded-lg group gap-[11px] py-2 px-[17px] leading-[1.46] tracking-[-0.16px] !w-auto bg-heading-black border-heading-black text-white hover:bg-black-4 hover:border-black-4 "><div>Contact sales</div></div></a></div></div><div class="flex flex-1 items-end justify-center overflow-hidden rounded-[14px] bg-[#420000] pt-[50px]"><div class="px-5" style="transform:translateY(100px) translateZ(0)"><img _type="asset" alt="cta phone" loading="lazy" width="362" height="567" decoding="async" data-nimg="1" class="md:block mx-auto" style="color:transparent;background-size:cover;background-position:50% 50%;background-repeat:no-repeat;background-image:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 362 567'%3E%3Cfilter id='b' color-interpolation-filters='sRGB'%3E%3CfeGaussianBlur stdDeviation='20'/%3E%3CfeColorMatrix values='1 0 0 0 0 0 1 0 0 0 0 0 1 0 0 0 0 0 100 -1' result='s'/%3E%3CfeFlood x='0' y='0' width='100%25' height='100%25'/%3E%3CfeComposite operator='out' in='s'/%3E%3CfeComposite in2='SourceGraphic'/%3E%3CfeGaussianBlur stdDeviation='20'/%3E%3C/filter%3E%3Cimage width='100%25' height='100%25' x='0' y='0' preserveAspectRatio='none' style='filter: url(%23b);' href='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8/wcAAwAB/ucNC4UAAAAASUVORK5CYII='/%3E%3C/svg%3E")" srcSet="https://cdn.sanity.io/images/w77i7m8x/production/b715b4ca5e2577da60f0d529a4a9bc2ad4cadf59-362x567.svg?w=384&q=75&fit=clip&auto=format 1x, https://cdn.sanity.io/images/w77i7m8x/production/b715b4ca5e2577da60f0d529a4a9bc2ad4cadf59-362x567.svg?w=750&q=75&fit=clip&auto=format 2x" src="https://cdn.sanity.io/images/w77i7m8x/production/b715b4ca5e2577da60f0d529a4a9bc2ad4cadf59-362x567.svg?w=750&q=75&fit=clip&auto=format"/></div></div></div><div class="container mt-[60px]"><div><div class="flex flex-wrap items-center justify-center gap-4 lg:justify-between"><div class="flex w-[calc(33%-16px)] flex-col items-center gap-2 sm:w-[calc(33%-16px)] md:w-auto"><img alt="mercury" loading="lazy" width="199" height="81" decoding="async" data-nimg="1" class="mx-auto undefined" style="color:transparent;background-size:cover;background-position:50% 50%;background-repeat:no-repeat;background-image:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 199 81'%3E%3Cfilter id='b' color-interpolation-filters='sRGB'%3E%3CfeGaussianBlur stdDeviation='20'/%3E%3CfeColorMatrix values='1 0 0 0 0 0 1 0 0 0 0 0 1 0 0 0 0 0 100 -1' result='s'/%3E%3CfeFlood x='0' y='0' width='100%25' height='100%25'/%3E%3CfeComposite operator='out' in='s'/%3E%3CfeComposite in2='SourceGraphic'/%3E%3CfeGaussianBlur stdDeviation='20'/%3E%3C/filter%3E%3Cimage width='100%25' height='100%25' x='0' y='0' preserveAspectRatio='none' style='filter: url(%23b);' href='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8/wcAAwAB/ucNC4UAAAAASUVORK5CYII='/%3E%3C/svg%3E")" srcSet="https://cdn.sanity.io/images/w77i7m8x/production/459a7a8492910eeb22f22bb8d4c0f864b0bae25f-199x81.svg?w=256&q=75&fit=clip&auto=format 1x, https://cdn.sanity.io/images/w77i7m8x/production/459a7a8492910eeb22f22bb8d4c0f864b0bae25f-199x81.svg?w=640&q=75&fit=clip&auto=format 2x" src="https://cdn.sanity.io/images/w77i7m8x/production/459a7a8492910eeb22f22bb8d4c0f864b0bae25f-199x81.svg?w=640&q=75&fit=clip&auto=format"/></div><div class="flex w-[calc(33%-16px)] flex-col items-center gap-2 sm:w-[calc(33%-16px)] md:w-auto"><img alt="instacrt" loading="lazy" width="199" height="81" decoding="async" data-nimg="1" class="mx-auto undefined" style="color:transparent;background-size:cover;background-position:50% 50%;background-repeat:no-repeat;background-image:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 199 81'%3E%3Cfilter id='b' color-interpolation-filters='sRGB'%3E%3CfeGaussianBlur stdDeviation='20'/%3E%3CfeColorMatrix values='1 0 0 0 0 0 1 0 0 0 0 0 1 0 0 0 0 0 100 -1' result='s'/%3E%3CfeFlood x='0' y='0' width='100%25' height='100%25'/%3E%3CfeComposite operator='out' in='s'/%3E%3CfeComposite in2='SourceGraphic'/%3E%3CfeGaussianBlur stdDeviation='20'/%3E%3C/filter%3E%3Cimage width='100%25' height='100%25' x='0' y='0' preserveAspectRatio='none' style='filter: url(%23b);' href='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8/wcAAwAB/ucNC4UAAAAASUVORK5CYII='/%3E%3C/svg%3E")" srcSet="https://cdn.sanity.io/images/w77i7m8x/production/7d127f4bb62a408b056328349f291857df6251b3-199x81.svg?w=256&q=75&fit=clip&auto=format 1x, https://cdn.sanity.io/images/w77i7m8x/production/7d127f4bb62a408b056328349f291857df6251b3-199x81.svg?w=640&q=75&fit=clip&auto=format 2x" src="https://cdn.sanity.io/images/w77i7m8x/production/7d127f4bb62a408b056328349f291857df6251b3-199x81.svg?w=640&q=75&fit=clip&auto=format"/></div><div class="flex w-[calc(33%-16px)] flex-col items-center gap-2 sm:w-[calc(33%-16px)] md:w-auto"><img alt="Retool" loading="lazy" width="199" height="82" decoding="async" data-nimg="1" class="mx-auto undefined" style="color:transparent;background-size:cover;background-position:50% 50%;background-repeat:no-repeat;background-image:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 199 82'%3E%3Cfilter id='b' color-interpolation-filters='sRGB'%3E%3CfeGaussianBlur stdDeviation='20'/%3E%3CfeColorMatrix values='1 0 0 0 0 0 1 0 0 0 0 0 1 0 0 0 0 0 100 -1' result='s'/%3E%3CfeFlood x='0' y='0' width='100%25' height='100%25'/%3E%3CfeComposite operator='out' in='s'/%3E%3CfeComposite in2='SourceGraphic'/%3E%3CfeGaussianBlur stdDeviation='20'/%3E%3C/filter%3E%3Cimage width='100%25' height='100%25' x='0' y='0' preserveAspectRatio='none' style='filter: url(%23b);' href='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8/wcAAwAB/ucNC4UAAAAASUVORK5CYII='/%3E%3C/svg%3E")" srcSet="https://cdn.sanity.io/images/w77i7m8x/production/e9579b00087d7896e9cb750f4eb39f2c11ed11b8-199x82.svg?w=256&q=75&fit=clip&auto=format 1x, https://cdn.sanity.io/images/w77i7m8x/production/e9579b00087d7896e9cb750f4eb39f2c11ed11b8-199x82.svg?w=640&q=75&fit=clip&auto=format 2x" src="https://cdn.sanity.io/images/w77i7m8x/production/e9579b00087d7896e9cb750f4eb39f2c11ed11b8-199x82.svg?w=640&q=75&fit=clip&auto=format"/></div><div class="flex w-[calc(33%-16px)] flex-col items-center gap-2 sm:w-[calc(33%-16px)] md:w-auto"><img alt="duolingo" loading="lazy" width="199" height="81" decoding="async" data-nimg="1" class="mx-auto undefined" style="color:transparent;background-size:cover;background-position:50% 50%;background-repeat:no-repeat;background-image:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 199 81'%3E%3Cfilter id='b' color-interpolation-filters='sRGB'%3E%3CfeGaussianBlur stdDeviation='20'/%3E%3CfeColorMatrix values='1 0 0 0 0 0 1 0 0 0 0 0 1 0 0 0 0 0 100 -1' result='s'/%3E%3CfeFlood x='0' y='0' width='100%25' height='100%25'/%3E%3CfeComposite operator='out' in='s'/%3E%3CfeComposite in2='SourceGraphic'/%3E%3CfeGaussianBlur stdDeviation='20'/%3E%3C/filter%3E%3Cimage width='100%25' height='100%25' x='0' y='0' preserveAspectRatio='none' style='filter: url(%23b);' href='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8/wcAAwAB/ucNC4UAAAAASUVORK5CYII='/%3E%3C/svg%3E")" srcSet="https://cdn.sanity.io/images/w77i7m8x/production/7958bf3d43a30e661ca74cf0510f250d9b99ecef-199x81.svg?w=256&q=75&fit=clip&auto=format 1x, https://cdn.sanity.io/images/w77i7m8x/production/7958bf3d43a30e661ca74cf0510f250d9b99ecef-199x81.svg?w=640&q=75&fit=clip&auto=format 2x" src="https://cdn.sanity.io/images/w77i7m8x/production/7958bf3d43a30e661ca74cf0510f250d9b99ecef-199x81.svg?w=640&q=75&fit=clip&auto=format"/></div><div class="flex w-[calc(33%-16px)] flex-col items-center gap-2 sm:w-[calc(33%-16px)] md:w-auto"><img alt="Hugging Face" loading="lazy" width="199" height="82" decoding="async" data-nimg="1" class="mx-auto undefined" style="color:transparent;background-size:cover;background-position:50% 50%;background-repeat:no-repeat;background-image:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 199 82'%3E%3Cfilter id='b' color-interpolation-filters='sRGB'%3E%3CfeGaussianBlur stdDeviation='20'/%3E%3CfeColorMatrix values='1 0 0 0 0 0 1 0 0 0 0 0 1 0 0 0 0 0 100 -1' result='s'/%3E%3CfeFlood x='0' y='0' width='100%25' height='100%25'/%3E%3CfeComposite operator='out' in='s'/%3E%3CfeComposite in2='SourceGraphic'/%3E%3CfeGaussianBlur stdDeviation='20'/%3E%3C/filter%3E%3Cimage width='100%25' height='100%25' x='0' y='0' preserveAspectRatio='none' style='filter: url(%23b);' href='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8/wcAAwAB/ucNC4UAAAAASUVORK5CYII='/%3E%3C/svg%3E")" srcSet="https://cdn.sanity.io/images/w77i7m8x/production/68e2e5024898bcd6f6d142e0306dc7564787e1d7-199x82.svg?w=256&q=75&fit=clip&auto=format 1x, https://cdn.sanity.io/images/w77i7m8x/production/68e2e5024898bcd6f6d142e0306dc7564787e1d7-199x82.svg?w=640&q=75&fit=clip&auto=format 2x" src="https://cdn.sanity.io/images/w77i7m8x/production/68e2e5024898bcd6f6d142e0306dc7564787e1d7-199x82.svg?w=640&q=75&fit=clip&auto=format"/></div></div></div></div></section><footer class=" pb-16 md:pb-28 md:pt-20 bg-grey-1"><div class="container grid gap-x-4 gap-y-8 pb-8 xxs:grid-cols-2 sm:grid-cols-3 sm:gap-5 md:pb-[110px] lg:grid-cols-6"><div><p class="t-16 !leading-[1.05] text-heading-black">Product</p><div class="mt-4 flex flex-col gap-3 lg:mt-8 lg:gap-4"><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/blog/how-tailscale-works">How it works</a><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/pricing">Pricing</a><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/integrations">Integrations</a><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/features">Features</a><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/compare">Compare Tailscale</a></div></div><div><p class="t-16 !leading-[1.05] text-heading-black">Use Cases</p><div class="mt-4 flex flex-col gap-3 lg:mt-8 lg:gap-4"><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/use-cases/business-vpn">Business VPN</a><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/use-cases/remote-access">Remote Access</a><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/use-cases/site-to-site-networking">Site-to-Site Networking</a><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/use-cases/homelab">Homelab</a><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/enterprise">Enterprise</a></div></div><div><p class="t-16 !leading-[1.05] text-heading-black">Resources</p><div class="mt-4 flex flex-col gap-3 lg:mt-8 lg:gap-4"><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/blog">Blog</a><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/events-webinars">Events & Webinars</a><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/partnerships">Partnerships</a></div></div><div><p class="t-16 !leading-[1.05] text-heading-black">Company</p><div class="mt-4 flex flex-col gap-3 lg:mt-8 lg:gap-4"><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/company">Company</a><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/careers">Careers</a><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/press">Press</a></div></div><div><p class="t-16 !leading-[1.05] text-heading-black">Help & Support</p><div class="mt-4 flex flex-col gap-3 lg:mt-8 lg:gap-4"><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/contact/support">Support</a><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/contact/sales">Sales</a><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/security">Security</a><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/legal">Legal</a><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/opensource">Open Source</a><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/changelog">Changelog</a></div></div><div><p class="t-16 !leading-[1.05] text-heading-black">Learn</p><div class="mt-4 flex flex-col gap-3 lg:mt-8 lg:gap-4"><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/learn/generate-ssh-keys">SSH keys</a><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/learn/ssh-into-docker-container">Docker SSH</a><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/learn/devsecops">DevSecOps</a><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/learn/multicloud">Multicloud</a><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/blog/how-nat-traversal-works">NAT Traversal</a><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/blog/2021-09-private-dns-with-magicdns">MagicDNS</a><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/learn/privileged-access-management">PAM</a><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/learn/principle-of-least-privilege">PoLP</a><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/learn">All articles</a></div></div></div><div class="container"><div class="grid grid-cols-1 gap-x-5 gap-y-8 border-t border-stroke-grey pt-8 xxs:grid-cols-2 md:grid-cols-12 md:pt-[70px] lg:gap-y-[60px]"><div class="xxs:col-span-2 md:col-span-4"><a class="block w-[160px]" title="Homepage" data-track="Link Clicked" data-track-properties="{"label": "Footer logo"}" href="/"><svg class="transition-colors duration-200 " width="100%" height="100%" viewBox="0 0 110 20" fill="none" xmlns="http://www.w3.org/2000/svg"><ellipse cx="2.44719" cy="10.1796" rx="2.44719" ry="2.44128" fill="#242424"></ellipse><ellipse cx="9.79094" cy="10.1796" rx="2.44719" ry="2.44128" fill="#242424"></ellipse><ellipse opacity="0.2" cx="2.44719" cy="17.5077" rx="2.44719" ry="2.44128" fill="#242424"></ellipse><ellipse opacity="0.2" cx="17.1269" cy="17.5077" rx="2.44719" ry="2.44128" fill="#242424"></ellipse><ellipse cx="9.79094" cy="17.5077" rx="2.44719" ry="2.44128" fill="#242424"></ellipse><ellipse cx="17.1269" cy="10.1796" rx="2.44719" ry="2.44128" fill="#242424"></ellipse><ellipse opacity="0.2" cx="2.44719" cy="2.85924" rx="2.44719" ry="2.44128" fill="#242424"></ellipse><ellipse opacity="0.2" cx="9.79094" cy="2.85924" rx="2.44719" ry="2.44128" fill="#242424"></ellipse><ellipse opacity="0.2" cx="17.1269" cy="2.85924" rx="2.44719" ry="2.44128" fill="#242424"></ellipse><path d="M34.3979 18.458C35.0907 18.458 35.6536 18.3933 36.3248 18.2637V15.7584C35.9134 15.9096 35.4588 15.9528 35.0258 15.9528C33.965 15.9528 33.5753 15.4344 33.5753 14.441V9.34402H36.3248V6.83875H33.5753V3.12403H30.5443V6.83875H28.5742V9.34402H30.5443V14.7217C30.5443 17.0974 31.8 18.458 34.3979 18.458Z" fill="#242424"></path><path d="M41.2747 18.458C42.8984 18.458 43.9809 17.9181 44.5222 17.0758C44.5655 17.443 44.6954 17.9397 44.8686 18.2421H47.5964C47.4449 17.7237 47.3366 16.903 47.3366 16.3631V10.4455C47.3366 8.005 45.583 6.62277 42.617 6.62277C40.3654 6.62277 38.6118 7.46507 37.6376 8.69611L39.3696 10.4023C40.149 9.5384 41.1448 9.08486 42.3572 9.08486C43.8294 9.08486 44.4789 9.58159 44.4789 10.3159C44.4789 10.9422 44.0459 11.3742 41.7077 11.3742C39.4562 11.3742 37.183 12.3028 37.183 14.8945C37.183 17.2918 38.9149 18.458 41.2747 18.458ZM41.8809 16.1687C40.7118 16.1687 40.1706 15.672 40.1706 14.7865C40.1706 14.009 40.8201 13.4907 41.9026 13.4907C43.6345 13.4907 44.1108 13.3827 44.4789 13.0155V13.9442C44.4789 15.1753 43.4397 16.1687 41.8809 16.1687Z" fill="#242424"></path><path d="M49.3069 5.39173H52.4677V2.5625H49.3069V5.39173ZM49.3718 18.2421H52.4028V6.83875H49.3718V18.2421Z" fill="#242424"></path><path d="M54.6109 18.2421H57.6418V2.90805H54.6109V18.2421Z" fill="#242424"></path><path d="M63.9416 18.458C67.2757 18.458 68.986 16.7087 68.986 14.8729C68.986 13.2099 68.1417 11.9789 65.3705 11.4821C63.4221 11.1366 62.2097 10.7046 62.2097 10.0351C62.2097 9.45201 62.9025 9.04166 64.0715 9.04166C65.1107 9.04166 65.9767 9.38722 66.6262 10.1431L68.553 8.52333C67.5788 7.31389 65.9767 6.62277 64.0715 6.62277C61.1489 6.62277 59.3303 8.17777 59.3303 10.0783C59.3303 12.1517 61.2354 13.0803 63.2922 13.4475C65.0025 13.7499 65.9551 14.0738 65.9551 14.8081C65.9551 15.4344 65.2839 15.9528 64.0066 15.9528C62.7509 15.9528 61.7767 15.3696 61.322 14.5058L58.7674 15.7152C59.3952 17.2702 61.5385 18.458 63.9416 18.458Z" fill="#242424"></path><path d="M75.7621 18.458C77.9271 18.458 79.4859 17.5942 80.6549 15.6504L78.2302 14.4194C77.7755 15.3265 77.0395 15.9528 75.7621 15.9528C73.8353 15.9528 72.7961 14.3978 72.7961 12.5188C72.7961 10.6399 73.9003 9.12805 75.7621 9.12805C76.9312 9.12805 77.7106 9.75437 78.1652 10.7046L80.6116 9.40882C79.7889 7.61625 78.1652 6.62277 75.7621 6.62277C71.8003 6.62277 69.7652 9.5168 69.7652 12.5188C69.7652 15.78 72.2333 18.458 75.7621 18.458Z" fill="#242424"></path><path d="M85.4829 18.458C87.1067 18.458 88.1891 17.9181 88.7304 17.0758C88.7737 17.443 88.9036 17.9397 89.0768 18.2421H91.8046C91.6531 17.7237 91.5448 16.903 91.5448 16.3631V10.4455C91.5448 8.005 89.7912 6.62277 86.8252 6.62277C84.5737 6.62277 82.8201 7.46507 81.8458 8.69611L83.5778 10.4023C84.3572 9.5384 85.353 9.08486 86.5654 9.08486C88.0376 9.08486 88.6871 9.58159 88.6871 10.3159C88.6871 10.9422 88.2541 11.3742 85.9159 11.3742C83.6644 11.3742 81.3912 12.3028 81.3912 14.8945C81.3912 17.2918 83.1231 18.458 85.4829 18.458ZM86.0891 16.1687C84.9201 16.1687 84.3788 15.672 84.3788 14.7865C84.3788 14.009 85.0283 13.4907 86.1108 13.4907C87.8427 13.4907 88.319 13.3827 88.6871 13.0155V13.9442C88.6871 15.1753 87.6479 16.1687 86.0891 16.1687Z" fill="#242424"></path><path d="M93.3263 18.2421H96.3573V2.90805H93.3263V18.2421Z" fill="#242424"></path><path d="M103.631 18.458C105.861 18.458 107.658 17.5726 108.654 15.996L106.359 14.5274C105.753 15.4776 104.952 15.996 103.631 15.996C102.138 15.996 101.055 15.1753 100.774 13.5771H109.39V12.5188C109.39 9.5168 107.55 6.62277 103.61 6.62277C99.8643 6.62277 97.8293 9.5384 97.8293 12.5404C97.8293 16.8167 101.055 18.458 103.631 18.458ZM100.882 11.2014C101.358 9.75437 102.354 9.08486 103.675 9.08486C105.168 9.08486 106.078 9.97034 106.381 11.2014H100.882Z" fill="#242424"></path></svg></a></div><div class="flex flex-col gap-[14px] md:col-span-2"><a class="t-14 !leading-[1.05] underline transition-colors duration-300 text-heading-black/60 hover:text-black/100" href="/terms">Terms of Service</a><a class="t-14 !leading-[1.05] underline transition-colors duration-300 text-heading-black/60 hover:text-black/100" href="/privacy-policy">Privacy Policy</a></div><div class="md:col-span-3"><div class="t-14 max-w-[250px] !leading-[1.35] text-heading-black/60 ">WireGuard is a registered trademark of Jason A. Donenfeld.</div></div><div class="flex gap-[6px] xxs:col-span-2 md:col-span-3 md:flex md:justify-end"><a target="_blank" class="group transition-colors duration-300 text-heading-black" data-track="Link Clicked" data-track-properties="{"label": "Footer Twitter logo"}" href="https://twitter.com/tailscale"><svg width="28" height="29" viewBox="0 0 28 29" fill="none" xmlns="http://www.w3.org/2000/svg"><rect y="0.988281" width="28" height="28" rx="14" fill="currentColor"></rect><path class=" transition-colors duration-300 group-hover:fill-heading-black" d="M8.03169 9L13.0509 15.0672L8 20H9.13675L13.5587 15.6812L17.1317 20H21L15.6985 13.5916L20.3997 9H19.263L15.1906 12.9775L11.9001 9H8.03169ZM9.70337 9.75698H11.4805L19.3281 19.2429H17.551L9.70337 9.75698Z" fill="white"></path></svg></a><a target="_blank" class="group transition-colors duration-300 text-heading-black" data-track="Link Clicked" data-track-properties="{"label": "Footer Facebook logo"}" href="https://www.facebook.com/tailscale/"><svg width="28" height="28" viewBox="0 0 28 28" fill="none" xmlns="http://www.w3.org/2000/svg"><rect x="0.21875" width="27.2195" height="27.2195" rx="13.6098" fill="currentColor"></rect><path class=" transition-colors duration-300 group-hover:fill-heading-black" d="M12.434 19.6598L12.4179 14.8081H10.3008V12.7289H12.4179V11.3427C12.4179 9.47188 13.5974 8.57031 15.2966 8.57031C16.1106 8.57031 16.8101 8.62983 17.014 8.65643V10.6115L15.8355 10.612C14.9114 10.612 14.7324 11.0433 14.7324 11.6762V12.7289H17.3577L16.652 14.8081H14.7324V19.6598H12.434Z" fill="#fff"></path></svg></a><a target="_blank" class="group transition-colors duration-300 text-heading-black" data-track="Link Clicked" data-track-properties="{"label": "Footer LinkedIn logo"}" href="https://www.linkedin.com/company/tailscale"><svg width="28" height="28" viewBox="0 0 28 28" fill="none" xmlns="http://www.w3.org/2000/svg"><rect x="0.439453" width="27.2195" height="27.2195" rx="13.6098" fill="currentColor"></rect><path class=" transition-colors duration-300 group-hover:fill-heading-black" d="M8.68685 18.6518H10.8825V11.5871H8.68685V18.6518Z" fill="white"></path><path class=" transition-colors duration-300 group-hover:fill-heading-black" d="M8.50195 9.34036C8.50195 10.0352 9.07976 10.6143 9.77312 10.6143C10.4896 10.6143 11.0443 10.0584 11.0443 9.34036C11.0443 8.64547 10.4665 8.06641 9.77312 8.06641C9.07976 8.06641 8.50195 8.64547 8.50195 9.34036Z" fill="white"></path><path class=" transition-colors duration-300 group-hover:fill-heading-black" d="M16.8917 18.6518H19.0873V14.7836C19.0873 12.8843 18.6713 11.425 16.4525 11.425C15.3894 11.425 14.6729 12.0041 14.3724 12.56H14.3493V11.5871H12.2461V18.6518H14.4418V15.1542C14.4418 14.2509 14.6267 13.3475 15.7592 13.3475C16.8686 13.3475 16.8917 14.413 16.8917 15.2237V18.6518Z" fill="white"></path></svg></a><a target="_blank" rel="me" class="group transition-colors duration-300 text-heading-black" data-track="Link Clicked" data-track-properties="{"label": "Footer Mastodon logo"}" href="https://hachyderm.io/@tailscale"><svg width="28" height="29" viewBox="0 0 28 29" fill="none" xmlns="http://www.w3.org/2000/svg"><rect y="0.988281" width="28" height="28" rx="14" fill="currentColor"></rect><path class="transition-colors duration-300 group-hover:fill-heading-black" fill="white" d="M19.9516 10.8781C19.7667 9.48128 18.5693 8.38051 17.1498 8.16721C16.9104 8.13117 16.003 8 13.9011 8H13.8854C11.7829 8 11.3319 8.13117 11.0924 8.16721C9.71243 8.3746 8.45223 9.3637 8.14648 10.777C7.99942 11.4731 7.98373 12.2447 8.01105 12.9526C8.04999 13.9677 8.05755 14.981 8.14823 15.992C8.21091 16.6635 8.32027 17.3297 8.47548 17.9855C8.76612 19.1968 9.94262 20.2048 11.0953 20.616C12.3294 21.0449 13.6566 21.1161 14.9282 20.8216C15.0681 20.7886 15.2065 20.7502 15.3432 20.7064C15.6519 20.6066 16.014 20.4949 16.2803 20.2987C16.2839 20.296 16.2869 20.2924 16.289 20.2883C16.2911 20.2842 16.2923 20.2797 16.2925 20.2751V19.2955C16.2924 19.2911 16.2914 19.2869 16.2895 19.283C16.2876 19.2791 16.2849 19.2758 16.2815 19.2731C16.2782 19.2704 16.2743 19.2686 16.2702 19.2676C16.266 19.2667 16.2617 19.2667 16.2576 19.2677C15.4429 19.4655 14.608 19.5647 13.7703 19.5631C12.3288 19.5631 11.941 18.8677 11.83 18.5782C11.7408 18.3279 11.6841 18.0669 11.6614 17.8018C11.6612 17.7973 11.662 17.7929 11.6638 17.7888C11.6656 17.7847 11.6683 17.7811 11.6717 17.7783C11.6751 17.7755 11.6791 17.7735 11.6834 17.7726C11.6876 17.7716 11.6921 17.7717 11.6963 17.7728C12.4975 17.9693 13.3188 18.0685 14.1429 18.0682C14.3411 18.0682 14.5387 18.0682 14.737 18.0629C15.5659 18.0393 16.4395 17.9962 17.255 17.8343C17.2754 17.8301 17.2957 17.8266 17.3132 17.8213C18.5995 17.5701 19.8237 16.7819 19.9481 14.786C19.9527 14.7074 19.9644 13.963 19.9644 13.8814C19.965 13.6043 20.0521 11.9156 19.9516 10.8781ZM17.9718 15.8584H16.6191V12.4905C16.6191 11.7815 16.3285 11.4199 15.7373 11.4199C15.0875 11.4199 14.762 11.8477 14.762 12.6926V14.5361H13.4175V12.6926C13.4175 11.8477 13.0914 11.4199 12.4415 11.4199C11.8538 11.4199 11.5603 11.7815 11.5597 12.4905V15.8584H10.2083V12.3883C10.2083 11.6793 10.3863 11.116 10.7425 10.6985C11.1098 10.2819 11.5917 10.068 12.1898 10.068C12.8821 10.068 13.4053 10.3386 13.754 10.8793L14.0906 11.4536L14.4277 10.8793C14.7765 10.3386 15.2996 10.068 15.9908 10.068C16.5883 10.068 17.0702 10.2819 17.4387 10.6985C17.7949 11.1156 17.9729 11.6789 17.9729 12.3883L17.9718 15.8584Z"></path></svg></a><a target="_blank" class="group transition-colors duration-300 text-heading-black" data-track="Link Clicked" data-track-properties="{"label": "Footer Youtube logo"}" href="https://www.youtube.com/@Tailscale"><svg width="28" height="28" viewBox="0 0 28 28" fill="none" xmlns="http://www.w3.org/2000/svg"><rect x="0.658203" width="27.2195" height="27.2195" rx="13.6098" fill="currentColor"></rect><path class=" transition-colors duration-300 group-hover:fill-heading-black" d="M19.6754 11.46C19.5368 10.5863 19.121 9.98138 18.1506 9.84696C16.6258 9.57813 14.2693 9.57812 14.2693 9.57812C14.2693 9.57812 11.9128 9.57813 10.388 9.84696C9.4177 9.98138 8.93254 10.5863 8.86323 11.46C8.72461 12.3337 8.72461 13.6106 8.72461 13.6106C8.72461 13.6106 8.72461 14.8876 8.86323 15.7613C9.00185 16.635 9.4177 17.2399 10.388 17.3743C11.9128 17.6432 14.2693 17.6432 14.2693 17.6432C14.2693 17.6432 16.6258 17.6432 18.1506 17.3743C19.121 17.1727 19.5368 16.635 19.6754 15.7613C19.814 14.8876 19.814 13.6106 19.814 13.6106C19.814 13.6106 19.814 12.3337 19.6754 11.46ZM12.8831 15.6269V11.5944L16.3486 13.6106L12.8831 15.6269Z" fill="white"></path></svg></a></div><div class="t-14 flex flex-wrap tracking-[0.07px] xxs:col-span-2 md:col-span-12 text-heading-black/60 ">© 2024 Tailscale Inc. All rights reserved. Tailscale is a registered trademark of Tailscale Inc.</div></div></div></footer><script id="hs-script-loader" async="" defer="" src="//js.hs-scripts.com/40004831.js"></script></div><script id="__NEXT_DATA__" type="application/json">{"props":{"pageProps":{"global":{"socials":null,"newsBar":null,"legal":null,"redirects":[{"destination":"/wireguard-vpn","source":"/wireguard","_key":"8b0a3ebcf822"}],"seo":{"ogImage":{"_type":"image","asset":{"_ref":"image-8e0455b2d9b33c6151016afdf2ea81d7623c2f04-1200x628-png","_type":"reference"}}},"announcement":{"link":{"label":"Where to find us","url":"https://tailscale.com/reinvent"},"text":"Attending AWS re:Invent?"},"header":{"_type":"header","_id":"7797109d-2dc4-4a75-b5a3-b1019c33212f","menu":[{"submenu":{"product":{"rightCol":{"nav":{"heading":"Explore","links":[{"link":"/integrations","_key":"c653da519dfb","title":"Integrations"},{"link":"/features","_key":"a878da5fa54c","title":"Features"},{"link":"/compare","_key":"adda698ed879","title":"Compare Tailscale"},{"link":"/partnerships","_key":"b57369965809","title":"Partnerships"}]}},"leftCol":{"topNav":{"heading":"Meet Tailscale","links":[{"title":"How it works","icon":{"_type":"sanityImage","alt":"icon"},"link":"/blog/how-tailscale-works/","_key":"5495d201056a"},{"title":"Why Tailscale","icon":{"_type":"sanityImage","alt":"icon"},"link":"/why-tailscale","_key":"dc9cde7ff83cb94cfc98ff29bdcd0997"},{"icon":{"_type":"sanityImage","alt":"WireGuard®"},"link":"/wireguard-vpn","_key":"5d88e3ffcc6b","title":"WireGuard® for Enterprises"},{"icon":{"_type":"sanityImage","alt":"Bring Tailscale to Work"},"link":"/bring-tailscale-to-work","_key":"435de37ddd5f","title":"Bring Tailscale to Work"}]}}},"submenuType":"product"},"hasSubmenu":true,"_key":"95381f81d527","title":"Product"},{"submenu":{"product":{"rightCol":{"nav":{"heading":"By role","links":[{"link":"/solutions/devops","_key":"502a00f49baf","title":"DevOps"},{"link":"/solutions/it","_key":"0fe4c0d6fa83","title":"IT"},{"link":"/solutions/security","_key":"026f30b876a7","title":"Security"}]}},"leftCol":{"topNav":{"links":[{"link":"/use-cases/remote-access","_key":"193eaaa0cef8","title":"Remote Access"},{"_key":"05cadfcf3e65b04708a9d88060f68f9e","title":"Site-to-site Networking","link":"/use-cases/site-to-site-networking"},{"link":"/use-cases/multi-cloud-networking","_key":"fbd28dffeac0","title":"Multi-Cloud Networking"},{"link":"/use-cases/kubernetes","_key":"da202f1d966a","title":"Kubernetes Networking"},{"link":"/use-cases/iot","_key":"8c78e633c6b1","title":"Edge \u0026 IoT Deployments"},{"link":"/use-cases/zero-trust-networking","_key":"6a363d694952","title":"Zero Trust Networking"},{"link":"/use-cases/ai","_key":"9c49b97d6b06","title":"AI Workloads"},{"link":"/use-cases/secure-saas","_key":"2602b548bd52","title":"Secure SaaS"},{"title":"Business VPN","link":"/use-cases/business-vpn","_key":"6fc65e9fe1c6"},{"link":"/use-cases/homelab","_key":"d99d14013ab3","title":"Homelab"}],"heading":"By use-case"}}},"submenuType":"product"},"hasSubmenu":true,"_key":"a7062f1924df","title":"Solutions"},{"hasSubmenu":false,"_key":"fd055b16290df04c6012d0d33c2fad13","title":"Enterprise","submenu":{"submenuType":"product"},"link":"/enterprise"},{"submenu":{"submenuType":"product"},"link":"/customers","hasSubmenu":false,"_key":"b595975539c7407a7ed4510edd549223","title":"Customers"},{"title":"Docs","submenu":{"submenuType":"product"},"link":"/kb/1017/install/","hasSubmenu":false,"_key":"f06fabeb084c"},{"submenu":{"submenuType":"product"},"link":"/blog","hasSubmenu":false,"_key":"f2537b6fa068","title":"Blog"},{"hasSubmenu":false,"_key":"e1b7b44dc091","title":"Pricing","submenu":{"submenuType":"product"},"link":"/pricing"}],"title":"Production Header","button":{"buttonOptions":{"color":"black"},"_type":"button","link":{"title":"Get started","url":"https://login.tailscale.com/start"}},"_createdAt":"2023-10-06T12:21:23Z","_rev":"N06nnxz6bPVwWf6YI483uo","links":[{"_key":"157b4ad1150d","title":"Download","url":"/download"},{"_key":"f00209e74f6b","title":"Log in","url":"https://login.tailscale.com/welcome"}],"_updatedAt":"2024-11-19T18:13:18Z"},"footer":{"footerNav":[{"heading":"Product","links":[{"_key":"30386cf08177","title":"How it works","url":"/blog/how-tailscale-works/"},{"_key":"45dec9531713","title":"Pricing","url":"/pricing"},{"_key":"e6f4d8daff21","title":"Integrations","url":"/integrations"},{"_key":"d4f7875a767f","title":"Features","url":"/features"},{"url":"/compare","_key":"64846fcdaf3b","title":"Compare Tailscale"}],"_key":"05f3fa61c972"},{"_key":"7870d03d9802","heading":"Use Cases","links":[{"_key":"7b4858603fc7","title":"Business VPN","url":"/use-cases/business-vpn"},{"_key":"06fbf46e9354","title":"Remote Access","url":"/use-cases/remote-access"},{"url":"/use-cases/site-to-site-networking","_key":"ab3e69241df2","title":"Site-to-Site Networking"},{"_key":"b79f544a8266","title":"Homelab","url":"/use-cases/homelab"},{"_key":"8660f39ec574","title":"Enterprise","url":"/enterprise"}]},{"heading":"Resources","links":[{"_key":"b5ad8866742c","title":"Blog","url":"/blog"},{"_key":"21869f26f11b","title":"Events \u0026 Webinars","url":"/events-webinars"},{"_key":"c844ea072844","title":"Partnerships","url":"/partnerships"}],"_key":"2e262725243d"},{"heading":"Company","links":[{"_key":"8cc3fedb5b31","title":"Company","url":"/company"},{"_key":"e69d139c2c7c","title":"Careers","url":"/careers"},{"_key":"ad370d7ab2c1","title":"Press","url":"/press"}],"_key":"a1e16018d519"},{"heading":"Help \u0026 Support","links":[{"_key":"f7d6ef6a99c6","title":"Support","url":"/contact/support"},{"_key":"18077954da8f455140153a58c74e53ba","title":"Sales","url":"/contact/sales"},{"_key":"3b91a6bb3d6b","title":"Security","url":"/security"},{"_key":"9d3e837341e2","title":"Legal","url":"/legal"},{"url":"/opensource","_key":"a69304fe5b80","title":"Open Source"},{"_key":"a02943ca7fdd","title":"Changelog","url":"/changelog"}],"_key":"b25bd2c7203e"},{"heading":"Learn","links":[{"_key":"6c45141fcc65","title":"SSH keys","url":"/learn/generate-ssh-keys/"},{"_key":"86c070f995c4","title":"Docker SSH","url":"/learn/ssh-into-docker-container/"},{"url":"/learn/devsecops/","_key":"19c70bbf9478","title":"DevSecOps"},{"_key":"927093698579","title":"Multicloud","url":"/learn/multicloud/"},{"_key":"22e6d051e763","title":"NAT Traversal","url":"/blog/how-nat-traversal-works/"},{"_key":"4e51a8a4f0a7","title":"MagicDNS","url":"/blog/2021-09-private-dns-with-magicdns/"},{"_key":"f8f8893085b3","title":"PAM","url":"/learn/privileged-access-management/"},{"_key":"8775c2b1f419","title":"PoLP","url":"/learn/principle-of-least-privilege/"},{"title":"All articles","url":"/learn","_key":"e7fdb19bd312"}],"_key":"0bdaf34fbe61"}],"legalNav":[{"_key":"b3b1d8dfddea","title":"Terms of Service","url":"/terms"},{"_key":"3e22b7802445","title":"Privacy Policy","url":"/privacy-policy"}],"title":"Production Footer","copyrightContent":"Tailscale Inc. All rights reserved. Tailscale is a registered trademark of Tailscale Inc.","_type":"footer","legalContent":"WireGuard is a registered trademark of Jason A. Donenfeld.","_createdAt":"2023-10-06T14:44:29Z","_rev":"IlIq0JCGGmrvSiDdugDJgM","_id":"422b4abf-6e3f-4213-ab94-a03dd444be3d","_updatedAt":"2024-11-01T16:35:35Z","cta":{"logoGrid":[{"logo":{"_type":"sanityImage","alt":"mercury","asset":{"_ref":"image-459a7a8492910eeb22f22bb8d4c0f864b0bae25f-199x81-svg","_type":"reference"}},"_key":"a3a9b2012378"},{"logo":{"_type":"sanityImage","alt":"instacrt","asset":{"_ref":"image-7d127f4bb62a408b056328349f291857df6251b3-199x81-svg","_type":"reference"}},"_key":"993b75d39e13"},{"logo":{"_type":"sanityImage","alt":"Retool","asset":{"_ref":"image-e9579b00087d7896e9cb750f4eb39f2c11ed11b8-199x82-svg","_type":"reference"}},"_key":"8449f10eb5c7"},{"logo":{"_type":"sanityImage","alt":"duolingo","asset":{"_ref":"image-7958bf3d43a30e661ca74cf0510f250d9b99ecef-199x81-svg","_type":"reference"}},"_key":"3ab303288a39"},{"logo":{"_type":"sanityImage","alt":"Hugging Face","asset":{"_ref":"image-68e2e5024898bcd6f6d142e0306dc7564787e1d7-199x82-svg","_type":"reference"}},"_key":"5e630c781c8a"}],"secondaryCta":{"heading":"Schedule a demo","link":{"title":"Contact sales","url":"/contact/sales"}},"heading":"Try Tailscale for |free|","textCard":{"heading":"Try Tailscale for |free|","_type":"textCard","options":{"highlightColor":"blue-3","headingMarginBottom":"30","headingFontSize":"h3","headingFontColor":"white","sectionAlignment":"left","contentFontColor":"white","headingMaxWidth":292,"hasMobileTextAlignment":false},"links":[{"_key":"dc04d805f7e0","type":"button","textLink":{"_type":"textLink","textLinkOptions":{"arrowColor":"black","underlineColor":"black"}},"button":{"buttonOptions":{"color":"white"},"_type":"button","link":{"title":"Get started","url":"https://login.tailscale.com/start"}}}]},"asset":{"image":{"asset":{"_ref":"image-b715b4ca5e2577da60f0d529a4a9bc2ad4cadf59-362x567-svg","_type":"reference"},"_type":"sanityImage","alt":"cta phone"},"_type":"asset","type":"image"},"darkLogoGrid":[{"logo":{"asset":{"_ref":"image-a1fb7441ec6ea5254d0f14119dbe0abf5c822f9f-199x81-svg","_type":"reference"},"_type":"sanityImage","alt":"mercury"},"_key":"fb360d1bc6c4"},{"logo":{"_type":"sanityImage","alt":"instacart","asset":{"_ref":"image-62410277e3cd5df52c9b59e787ae52a5a2699580-199x81-svg","_type":"reference"}},"_key":"a24139987731"},{"_key":"0fa57e2eebee","logo":{"_type":"sanityImage","alt":"Retool","asset":{"_ref":"image-80654c9d97220caec3e35ba29d3e7439a03d482a-199x82-svg","_type":"reference"}}},{"logo":{"asset":{"_ref":"image-9b799915a326b1b78decc95e6ce251b87111f2bf-199x81-svg","_type":"reference"},"_type":"sanityImage","alt":"duolingo"},"_key":"b47251ca28bd"},{"logo":{"_type":"sanityImage","alt":"Hugging Face","asset":{"_ref":"image-b36780abd0594e34b52e74176a6b61811bbed602-199x82-svg","_type":"reference"}},"_key":"7bf06e2e5305"}],"ctaButton":{"link":{"title":"Get started","url":"/get-started"},"buttonOptions":{"color":"white"},"_type":"button"}}},"globalOptions":null},"preview":false,"hubspotForms":{},"learn":{"postMarkdown":null,"authors":[{"_rev":"5XfBzZ4MdvzIhiJbQxKdy5","_type":"teamMember","member":{"name":"Eric Kahuha"},"_id":"17586460-b509-4dbe-8549-bc3319331a04","title":"Eric Kahuha","_updatedAt":"2024-03-21T16:16:19Z","_createdAt":"2023-11-10T15:22:24Z"}],"content":null,"faqs":{"_type":"faqs","content":[{"question":"What does PAM do?","_type":"faq","_key":"0f2719033658","answer":[{"style":"normal","_key":"d0485c1263f8","markDefs":[],"children":[{"_type":"span","marks":[],"text":"Privileged access management helps organizations protect sensitive data and systems by allowing only the right people to access exactly what they need, when they need it. It also allows security teams to control and monitor user access privileges and quickly respond to potential threats.","_key":"469442f159950"}],"_type":"block"}]},{"answer":[{"children":[{"_type":"span","marks":[],"text":"PAM reduces the risk of a security breach by protecting against accidental or malicious misuse of privileged access. Through PAM, privileged user activity is monitored and controlled.","_key":"f64107a60b5b0"}],"_type":"block","style":"normal","_key":"0676e28189fa","markDefs":[]}],"question":"Why do we need PAM?","_type":"faq","_key":"ef91098f062f"},{"_key":"5c3690c109af","answer":[{"style":"normal","_key":"322b7790df87","markDefs":[],"children":[{"_key":"9b112b22e4c40","_type":"span","marks":[],"text":"PAM takes a multilayered approach to securing privileged accounts. It involves access provisioning, session management, and activity monitoring."}],"_type":"block"}],"question":"How does PAM work?","_type":"faq"},{"answer":[{"markDefs":[],"children":[{"_type":"span","marks":[],"text":"Privileged access management focuses on the security surrounding privileged users and accounts with elevated rights and permissions. It is a subset of identity access management (IAM). IAM deals with the security requirements around those who need to perform or request privileged tasks or activities on behalf of an organization.\n\nPrivileged identity management (PIM) is a subset of PAM that addresses the management of privileged accounts and protects the credentials used by these accounts.","_key":"a2319614608e0"}],"_type":"block","style":"normal","_key":"a7402983465e"}],"question":"What is the difference between PIM, IAM, and PAM?","_type":"faq","_key":"e0ddc98480b7"},{"answer":[{"markDefs":[],"children":[{"_type":"span","marks":[],"text":"A privileged access management tool is software that gives organizations the ability to consolidate, control, and monitor privileged accounts, user activity, access requests, sessions, and passwords.","_key":"d65ac7c78adf0"}],"_type":"block","style":"normal","_key":"c60ca2405c5a"}],"question":"What is a PAM tool?","_type":"faq","_key":"bc4c207c38b9"}]},"flexContent":[{"markDefs":[],"children":[{"_type":"span","marks":[],"text":"In the modern business environment, organizations must manage secure access to resources and systems to maintain productivity, collaboration, and growth. At the same time, businesses have evolved to use an increasingly distributed workforce, relying on contractors and third-party vendors to handle part of their workload, which makes secure access ever more challenging. Fortunately, privileged access management, or PAM (not the authentication framework commonly used in UNIX systems also known as PAM), allows us to establish a more streamlined workflow to improve productivity.","_key":"168dff8d2a1f0"}],"_type":"block","style":"normal","_key":"d235acb56158"},{"_type":"block","style":"normal","_key":"0107c8cd6abb","markDefs":[],"children":[{"marks":[],"text":"PAM involves creating and managing privileged accounts within an IT environment. Privileged accounts have greater access or more permissions than those of a standard user. The use of privileged accounts aims to keep workers focused on their work, prevent others from tampering with that work, and minimize the likelihood of problems caused by misuse of privileges.","_key":"70177040a6ad0","_type":"span"}]},{"_type":"block","style":"normal","_key":"1307ed7c4a8f","markDefs":[],"children":[{"_key":"63243b3e12800","_type":"span","marks":[],"text":"In this article, you’ll come to understand the importance of PAM and its components, including privileged account management and privileged session management. You’ll also learn answers to some of the most frequently asked questions about privileged access management."}]},{"_key":"c9ceab9390dd","markDefs":[],"children":[{"_type":"span","marks":[],"text":"","_key":"d3f8e49afb7f"}],"_type":"block","style":"normal"},{"anchor":"The value of privileged access management","_type":"anchorSection","_key":"7e4ed26013be"},{"markDefs":[],"children":[{"_type":"span","marks":[],"text":"The value of privileged access management","_key":"54437774497d0"}],"_type":"block","style":"h3","_key":"2793f31a6220"},{"children":[{"_key":"583a2a8e05d10","_type":"span","marks":[],"text":"As businesses grow, they accumulate more applications, services, and accounts. It’s important to have a solid plan for managing privileges and passwords before they become too complex for the IT department to handle manually."}],"_type":"block","style":"normal","_key":"e416b35bc9ef","markDefs":[]},{"markDefs":[],"children":[{"marks":[],"text":"Privileged access management is an essential part of maintaining a secure IT environment. It involves providing elevated privileges to individuals only when those privileges are explicitly required for the individual’s role or position. This reduces the possibility that a compromised account could be used by a malicious attacker or insider.","_key":"5533453263720","_type":"span"}],"_type":"block","style":"normal","_key":"6542fbb73f60"},{"_type":"block","style":"normal","_key":"809b8bb5f586","markDefs":[],"children":[{"_type":"span","marks":[],"text":"The most critical part of PAM is managing access privileges to encourage organization, accountability, and ease of navigation. For example, it’s common for employees to access systems that don’t directly pertain to their job function or department. To increase security for these systems, PAM grants employees access only to the resources they require to do their jobs, and nothing more. In addition to increasing security, this makes things easier for employees by reducing the likelihood of a security breach, streamlining access to needed resources, reducing the chances of human error, and making clear what resources they are — or aren’t — expected to use.","_key":"07f17cc28de70"}]},{"markDefs":[],"children":[{"_type":"span","marks":[],"text":"Reducing the risk associated with privileged account abuse also reduces the likelihood of data confidentiality, integrity, and availability issues arising.","_key":"0ec92b14e1650"}],"_type":"block","style":"normal","_key":"3cb368cccb59"},{"_key":"f90419cfa3cb","markDefs":[],"children":[{"_type":"span","marks":[],"text":"To better understand PAM, we will take a detailed look at the major components of PAM and learn how we can best implement PAM processes. But first, we need to understand what permissions and privileges mean.","_key":"e8101b66ed880"}],"_type":"block","style":"normal"},{"anchor":"What are privileges and permissions?","_type":"anchorSection","_key":"cb7d7ce8fd5a"},{"markDefs":[],"children":[{"_type":"span","marks":[],"text":"What are privileges and permissions?","_key":"c73e0d357ffe0"}],"_type":"block","style":"h3","_key":"a4ab9bad8acd"},{"markDefs":[],"children":[{"text":"Privileged users have an increased ability to make changes to a system. Examples of privileges given to specific users include configuring systems or apps (including creating, adding, and removing user accounts); maintaining databases, workstations, and servers; and managing domain controllers. Privileged users can also load device drivers and configure cloud instances and accounts.","_key":"7732a834cb160","_type":"span","marks":[]}],"_type":"block","style":"normal","_key":"525052c6dbd8"},{"children":[{"_type":"span","marks":[],"text":"Privileged users often have different levels of privilege, which means that not everyone has the same amount of access. Users of domain administrative accounts have the highest levels of access and are the keepers of the keys to the IT kingdom. They have absolute authority over domain controllers. The power to change the membership of an administrative account in the domain is in their hands.","_key":"69f617b95f820"}],"_type":"block","style":"normal","_key":"77c0a68cb053","markDefs":[]},{"markDefs":[],"children":[{"_type":"span","marks":[],"text":"Privileged accounts need to be powerful so their users have sufficient access to perform their tasks, but the privileges can be dangerous if abused. Misuse of permissions, whether accidentally, intentionally, or maliciously, can lead to downtime, loss of sensitive data, negative publicity, and compliance failures.","_key":"f60711e185760"}],"_type":"block","style":"normal","_key":"b31520724693"},{"_type":"block","style":"normal","_key":"c9b2da31b537","markDefs":[],"children":[{"_key":"46d438c4c2140","_type":"span","marks":[],"text":"Properly approving, controlling, decommissioning, and monitoring privileged accounts throughout their lifecycle is a standard IT governance practice. It ensures that privileged accounts are not misused within an organization. In addition to the standard IT governance, organizations may choose to run criminal or background checks on privileged users to help ensure the safety and security of their data, systems, and processes."}]},{"anchor":"What is privileged account management?","_type":"anchorSection","_key":"e093e0d68852"},{"_type":"block","style":"h3","_key":"84d415d352e8","markDefs":[],"children":[{"_type":"span","marks":[],"text":"What is privileged account management?","_key":"03c50195a24e0"}]},{"style":"normal","_key":"d407cf514538","markDefs":[],"children":[{"marks":[],"text":"Privileged account management protects the security system from deliberate or accidental misuse of privileged accounts. The process uses policy-based strategies and software to restrict access to sensitive data and systems. Privileged accounts have high levels of access to data, devices, and systems, and can perform tasks that users with standard accounts cannot, such as deleting data, upgrading operating systems, modifying application configurations, and installing or uninstalling software.","_key":"08ce6a73f71e0","_type":"span"}],"_type":"block"},{"markDefs":[{"href":"https://cybernews.com/resources/what-is-aes-encryption/","_key":"c24e9521a55d","_type":"link"}],"children":[{"marks":[],"text":"Managing privileged accounts involves securely storing privileged identities such as SSH keys and credentials. You can use a standardized encryption algorithm like ","_key":"1fad41b1e9680","_type":"span"},{"_key":"1fad41b1e9681","_type":"span","marks":["c24e9521a55d"],"text":"AES-256"},{"text":" to secure privileged identities.","_key":"1fad41b1e9682","_type":"span","marks":[]}],"_type":"block","style":"normal","_key":"1aaa56576c9d"},{"children":[{"_type":"span","marks":[],"text":"To protect privileged accounts from security breaches, you should audit privileged user logins, password sharing, password resets, and other identity-related operations. A PAM best security practice is to enforce policies requiring users to adopt complex passwords, utilize strong SSH key pairs, and auto-rotate passwords.","_key":"20ffbb1687760"}],"_type":"block","style":"normal","_key":"caf658b08509","markDefs":[]},{"_key":"0a7c949f9113","markDefs":[],"children":[{"_key":"4ed175ce74560","_type":"span","marks":[],"text":"Managing privileged accounts is more important now than ever before, especially with the increase in remote working and the adoption of the internet of things (IoT) and cloud environments. Controlling access to privileged accounts requires more than just using a strong password. Organizations need to depend on more structured means of access management, such as multi-factor authentication."}],"_type":"block","style":"normal"},{"_key":"9744a23a83b8","anchor":"What is privileged session management?","_type":"anchorSection"},{"_type":"block","style":"h3","_key":"45f0a8de20ad","markDefs":[],"children":[{"_type":"span","marks":[],"text":"What is privileged session management?","_key":"bc49cf3e2ba30"}]},{"style":"normal","_key":"aaa26ae2520d","markDefs":[],"children":[{"_type":"span","marks":[],"text":"Granting privileged users uncontrolled access to an organization’s critical systems creates a security loophole. A secure IT infrastructure involves more than controlling what permissions privileged users are granted — it also includes monitoring what these users do during their active privileged access sessions and terminating inappropriate activities.","_key":"d4f8775814660"}],"_type":"block"},{"_type":"block","style":"normal","_key":"ff9b9ac3863f","markDefs":[],"children":[{"_key":"bb0af8782b9c0","_type":"span","marks":[],"text":"Privileged session management (PSM) acts as an additional security layer to regulate privileged access to an organization’s critical systems by monitoring the sessions of privileged users. This includes recording sessions of privileged users and continually monitoring and auditing the activities of users, applications, systems, and third-party contractors."}]},{"children":[{"_type":"span","marks":[],"text":"By recording and monitoring the activities of every privileged user from the time they start to the time they end a session, you can proactively recognize a compromised account. With the ability to view active connections, you can notify or terminate unauthorized or suspicious connections in real time.","_key":"34660cdae80c0"}],"_type":"block","style":"normal","_key":"5c13b65f5096","markDefs":[]},{"_key":"0a7505629bff","anchor":"Implementing privileged access management","_type":"anchorSection"},{"children":[{"_key":"d81247e3aa5c0","_type":"span","marks":[],"text":"Implementing privileged access management"}],"_type":"block","style":"h3","_key":"d6984768bb9b","markDefs":[]},{"markDefs":[],"children":[{"text":"How you implement the PAM program is one determining factor in its success in protecting the organization from malicious actors, both internal and external. You need to create a concrete plan that guides this implementation.","_key":"cf72bc260e6b0","_type":"span","marks":[]}],"_type":"block","style":"normal","_key":"2f082eb1e848"},{"children":[{"marks":[],"text":"To begin, you need to identify what permissions you need to assign to the privileged accounts. For example, you may want privileged users to access sensitive company data, install or update security patches, create or modify user accounts, and configure or otherwise make changes to systems.","_key":"63a32aee025b0","_type":"span"}],"_type":"block","style":"normal","_key":"e68122f6d430","markDefs":[]},{"_key":"540fbf669939","markDefs":[],"children":[{"_type":"span","marks":[],"text":"The next step is determining who needs access to what systems, as well as ","_key":"fe93a6a1e5550"},{"marks":["em"],"text":"how much","_key":"fe93a6a1e5551","_type":"span"},{"_type":"span","marks":[],"text":" access is required and ","_key":"fe93a6a1e5552"},{"_type":"span","marks":["em"],"text":"when","_key":"fe93a6a1e5553"},{"text":" it’s required. This access should be in line with the user’s role in the organization’s IT infrastructure, so you’ll need to determine which groups and users will be granted administrative privileges within each system or application.","_key":"fe93a6a1e5554","_type":"span","marks":[]}],"_type":"block","style":"normal"},{"_key":"ca19e63f828f","markDefs":[],"children":[{"text":"Once you’ve given the accounts access to specific systems, you need to monitor and audit the activities of privileged users for accountability. Tracking and logging privileged sessions is one way to increase accountability. Keeping a detailed log of all privileged sessions will enable you to identify any system anomalies.","_key":"510cc61cfd810","_type":"span","marks":[]}],"_type":"block","style":"normal"},{"anchor":"The principle of least privilege","_type":"anchorSection","_key":"074a938abaa2"},{"_key":"0c2f8d0e0a5b","markDefs":[],"children":[{"_type":"span","marks":[],"text":"The principle of least privilege","_key":"74679a1bb1e10"}],"_type":"block","style":"h3"},{"markDefs":[],"children":[{"_type":"span","marks":[],"text":"PAM is founded on the principle of least privilege (PoLP). Following PoLP, each privileged user, workload, network, or device has access to only the systems and the level of resources they need to execute assigned tasks. If workers are given only those privileges they need to complete a task, there will be fewer distractions and opportunities for external interference.","_key":"e175066e61270"}],"_type":"block","style":"normal","_key":"aa87e819cc7d"},{"_key":"d3fe33dc33c8","markDefs":[],"children":[{"_key":"31bfa2e65bed0","_type":"span","marks":[],"text":"PoLP minimizes the attack surface in case of a malware attack. Since users have limited rights, even if the account is compromised, there’s a limit to the damage that can be done. For example, when most accounts don’t have installation rights, even a compromised account can’t become a vector for malware."}],"_type":"block","style":"normal"},{"markDefs":[],"children":[{"marks":[],"text":"You can implement PoLP to allow users access to an application for a predetermined period of time. This is interlinked with the just-in-time (JIT) privileged access model. JIT access provisioning allows you to grant privileged users limited, on-demand access to IT resources and eliminates the risks of standing privileges. Remote workers, third parties, developers, and service accounts need JIT access.","_key":"d638405b4cb10","_type":"span"}],"_type":"block","style":"normal","_key":"0ea2ca4d1ca6"},{"_key":"67cf293e3ed8","markDefs":[{"_key":"2e760fe416b7","_type":"link","href":"https://en.wikipedia.org/wiki/Role-based_access_control"}],"children":[{"_key":"c6919d6afc650","_type":"span","marks":["2e760fe416b7"],"text":"Role-based access control"},{"_type":"span","marks":[],"text":" (RBAC), which assigns permissions to roles rather than individuals, can help implement PoLP. Assuming a case where each employee is only assigned a single role in an organization, a marketing analyst, for instance, would have access to marketing lists. But if that employee moves to the finance department as a financial analyst, they would lose access to marketing data. The analyst now requires access to financial reports to enable them to do their job.","_key":"c6919d6afc651"}],"_type":"block","style":"normal"},{"anchor":"Automating privilege management","_type":"anchorSection","_key":"ec7914fc4e16"},{"_key":"7447287081c3","markDefs":[],"children":[{"marks":[],"text":"Automating privilege management","_key":"43b5863a4bb90","_type":"span"}],"_type":"block","style":"h3"},{"style":"normal","_key":"7f11d7cb47fa","markDefs":[],"children":[{"text":"Privileged access management involves many potential steps. Managing PAM processes manually is an intensive, error-prone process of controlling privilege risk, so it’s important to automate as much of the process as possible. Once PAM processes are configured, software automation can take over privilege management.","_key":"c38d0be4460e0","_type":"span","marks":[]}],"_type":"block"},{"markDefs":[],"children":[{"_type":"span","marks":[],"text":"You can rely on automated privileged access management solutions to eliminate manual management and monitoring of privileged accounts, and to streamline workflows by reducing administrative complexity. These tools can scale across millions of privileged users and accounts to improve IT infrastructure security.","_key":"def82205b8a50"}],"_type":"block","style":"normal","_key":"0b291f318549"},{"_key":"7e3c06667ccb","markDefs":[],"children":[{"text":"Automation also allows you to audit the usage of privileged accounts in real time and detect suspicious activity. You’re also able to automate the lifecycle of privileges, from password generation to disposal and replacement, so you don’t have to worry about manually resetting passwords when administrators leave an organization or change roles. The privileged access lifecycle involves streamlining user provisioning and de-provisioning, managing access, and verifying the actions of privileged users.","_key":"8d5d2d0e0b8d0","_type":"span","marks":[]}],"_type":"block","style":"normal"},{"_key":"84ce7aa81e32","anchor":"Final thoughts","_type":"anchorSection"},{"_key":"7fd9ae17eb59","markDefs":[],"children":[{"_type":"span","marks":[],"text":"Final thoughts","_key":"a6e528d8ec8f0"}],"_type":"block","style":"h3"},{"_type":"block","style":"normal","_key":"628c6e3cc76d","markDefs":[],"children":[{"_type":"span","marks":[],"text":"PAM is an essential element of information security and an efficient means to provide secure access to an organization’s systems and resources. When it is properly implemented and integrated into other security aspects, this concept can make it easier to manage user access and reduce the number of security breaches. It also promotes accountability and better cohesion within an organization.","_key":"160a9f93a7ba0"}]},{"_type":"block","style":"normal","_key":"122862156aa7","markDefs":[{"_type":"link","href":"https://tailscale.com/","_key":"80f7a499ddab"}],"children":[{"marks":[],"text":"Tailscale allows you to create a secure network between servers, cloud instances, and computers to further improve IT infrastructure security. Tailscale’s zero configuration VPN ensures secure remote access to an organization’s applications and devices. Learn more about how you can ","_key":"f1b3377a2ac30","_type":"span"},{"text":"build secure networks with Tailscale","_key":"f1b3377a2ac31","_type":"span","marks":["80f7a499ddab"]},{"marks":[],"text":".","_key":"f1b3377a2ac32","_type":"span"}]}],"_id":"f5d911f8-7601-4c4b-9188-820218424a3a","title":"Understanding privileged access management","slug":{"_type":"slug","current":"privileged-access-management"},"seo":{"seoDescription":"Privileged access management (PAM) is the practice of restricting or allowing permissions for users to create a more streamlined workflow. (This is distinct from pluggable authentication modules, which is commonly used on Unix systems and also goes by the acronym PAM.) In this guide, you will learn how PAM can help safeguard your organization’s digital workspace and enhance productivity.","indexable":true,"seoTitle":"Understanding privileged access management · Tailscale"},"excerpt":"Privileged access management (PAM) is the practice of restricting or allowing permissions for users to create a more streamlined workflow. (This is distinct from pluggable authentication modules, which is commonly used on Unix systems and also goes by the acronym PAM.) In this guide, you will learn how PAM can help safeguard your organization’s digital workspace and enhance productivity."},"pageType":"learn"},"__N_SSG":true},"page":"/[...slug]","query":{"slug":["learn","privileged-access-management"]},"buildId":"vgIO3z4nAO4I2TaCHWOpQ","isFallback":false,"isExperimentalCompile":false,"gsp":true,"scriptLoader":[]}</script></body></html>