
Identity as an Ecosystem: The Case for Vaultless PAMs

By Josh Neame, CTO, BlueFort Security 

Identity and security have become critical enablers for organisations today, both in terms of protection and in terms of revenue generation and collaboration. Active Directory, which has been around for over 25 years, is the bedrock of corporate identity for many organisations, but identity has changed.

We now have cloud platforms, SaaS, and VPNs, all essential elements of identity infrastructure in companies today. As a result, the identity and security landscape within organisations is ever more complex. 

Privileged access management is no longer limited to protecting a small group of high-level human accounts, such as domain or Windows administrators. It now extends to a much broader range of users, as well as non-human accounts like services, applications, and automation.

Privileged Access Management has been around for a long time. But the world has changed, and it must evolve.

Identity Under Attack

Organisations’ identity and security threat landscapes have expanded into a multi-dimensional challenge, evolving from an Active Directory-focused world to one filled with cloud platforms and apps, SaaS, VPNs, and everything in between. Unsurprisingly, attackers are now routinely focusing their efforts on this area, with identity-based attacks now the primary vector exploited.

Microsoft’s 85-page Digital Defense Report 2025 covers many cybersecurity issues including ransomware, nation-state attacks, AI, and more. For me one statistic that stood out more than most was the continued success of password attacks that allowed hackers to take over victim accounts. According to Microsoft, in the first half of 2025 alone, identity-based attacks surged by 32%.

Security analysts at SentinelOne have warned that cyber attackers have become so prolific at abusing legitimate enterprise accounts and identity systems to compromise networks, that it’s become a “mass-marketed impersonation crisis”.

To illustrate the point, the infamous 2022 Uber breach began with a hacker purchasing stolen credentials belonging to an Uber employee from a dark web marketplace, and ended with them gaining access to the company’s VPN and ultimately its PAM solution, giving them full admin access to many of the company’s most critical and sensitive services. In this case Uber got off very lightly indeed, as it appears the hacker was doing it for the thrill of the chase rather than for criminal gain. But everyone agrees it could have been so much worse.

Why Vaults Are No Longer Enough

PAM vaults really came into their own 25 years ago in the wake of the Enron accounting scandal. And still today traditional vault-based PAM remains critical for auditing and meeting compliance standards such as SOX (Sarbanes-Oxley), which was implemented in response to corporate scandals like that of Enron.

PAM solutions securely store privileged credentials in an encrypted vault, preventing direct access to passwords. Users authenticate to the vault rather than directly to target systems, adding a protective layer that enhances data encryption efforts. 

To be clear, I’m not advocating that vaults are bad or the wrong investment for companies. What I am hearing first hand from customers is that collectively we have taken something that wasn’t designed for today’s challenges in terms of scale and complexity, and as a result it’s been stretched into that use case. This brings some pain points including: 

  • A vault secures the credential, not the access. As the Uber breach demonstrated, the password or access can be stolen, giving unauthorised users the keys to your kingdom. With the credentials compromised, the vault is no longer protecting those valuable assets. Once inside, the attacker had access to admin tools, infrastructure, and sensitive data. In other incidents, attackers have exploited vault misconfigurations, API tokens, or integration weaknesses to escalate their access. 
  • It’s operationally complex. A good friend and very experienced CSO once said to me that the first rule of PAM Club is not to break anything. The practice of adding an account to the vault can be time-consuming, introduce friction into workflows, and potentially break things. And there’s the visibility piece too. Hand on heart, how many IT and security teams can be 100% sure they know everything about their infrastructure? Why go to the trouble of putting something in the vault if you don’t know what it’s doing? Many organisations take years to roll out PAM at scale, if at all.
  • PAM is not everywhere. Even though most organisations have a vault, it only protects a fraction of their privileged identities. Often, it’s the non-human accounts that are neglected. These are the most difficult to integrate with vaults, often requiring a system redesign, and are simply skipped due to potential cost and complexity. 
  • It creates a false sense of security. Security teams often assume that rotating credentials and limiting access to the vault is enough. But if the password is still being handed to the user (see my first point above) it can still be exfiltrated or abused. The security controls (like MFA, session recording, or approval workflows) are tied to the vault, not to the privileged access itself. Once the login is done, there is no additional enforcement point to apply security controls. 

The case for Vaultless PAMs

Ultimately PAM is about the ability to control risk. A vault-centric PAM worked well in the one-dimensional world of static infrastructure and on-premises computing, a world where we locked away credentials to feel secure. 

But we’re no longer in that world. Today’s IT environments are dynamic, distributed, and identity-driven. The PAM teams I speak to today are really thinking about resilience. They think about how they can control risk, control lateral movement, and stop attacks like ransomware. 

The nature of the job PAM needs to do has changed.

A modern PAM solution needs to continuously analyse behaviour, usage trends, and entitlements to identify and eliminate excessive privileges.

BlueFort’s technology partner, Silverfort, is leading the way in this space. Its platform leverages role-based and attribute-based controls, ensuring permissions are precisely tailored and minimised, even for service accounts and other machine accounts. When anomalies arise, they are swiftly detected and addressed in real time, with security controls enforced and risk mitigation measures promptly implemented. 

This new and modern approach to securing privileged access is not about where credentials are stored, it’s about how privilege is discovered, monitored, and controlled across your entire ecosystem. 
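As an added example (not BlueFort’s or Silverfort’s code), the following Python sketch shows the two ideas above in miniature: a per-access enforcement point that evaluates each privileged access against a learned baseline after authentication, treating service accounts (which cannot answer an MFA challenge) more strictly than human admins, and a report of entitlements that were granted but never exercised in the observation window. All accounts, hosts and events are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data: entitlements granted to each account, and a
# history of privileged access events as (account, source host, target, hour).
ENTITLEMENTS = {
    "svc-backup": {"fileserver01", "fileserver02"},
    "alice-adm": {"dc01", "fileserver01", "fileserver02"},
}
HISTORY = [
    ("svc-backup", "backup01", "fileserver01", 2),
    ("svc-backup", "backup01", "fileserver02", 2),
    ("alice-adm", "jumphost01", "dc01", 10),
    ("alice-adm", "jumphost01", "fileserver01", 14),
]
SERVICE_ACCOUNTS = {"svc-backup"}  # non-human: no MFA possible

def build_baseline(history):
    """Per account, the source hosts, targets and hours observed in the window."""
    base = defaultdict(lambda: {"sources": set(), "targets": set(), "hours": set()})
    for account, source, target, hour in history:
        base[account]["sources"].add(source)
        base[account]["targets"].add(target)
        base[account]["hours"].add(hour)
    return base

def decide(baseline, account, source, target, hour):
    """Enforcement point on the access itself, applied after the login succeeds."""
    if target not in ENTITLEMENTS.get(account, set()):
        return "block"  # no entitlement at all, regardless of credentials
    if account not in baseline:
        return "block" if account in SERVICE_ACCOUNTS else "step_up"
    b = baseline[account]
    deviates = (source not in b["sources"]
                or target not in b["targets"]
                or all(abs(hour - h) > 2 for h in b["hours"]))
    if account in SERVICE_ACCOUNTS:
        # A service account cannot complete MFA, so any deviation from its
        # learned pattern is blocked rather than challenged.
        return "block" if deviates else "allow"
    return "step_up" if deviates else "allow"  # human admin: require MFA/approval

def unused_entitlements(baseline):
    """Entitlements never exercised in the window: candidates for removal."""
    result = {}
    for account, granted in ENTITLEMENTS.items():
        used = baseline[account]["targets"] if account in baseline else set()
        unused = sorted(granted - used)
        if unused:
            result[account] = unused
    return result
```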

It’s a significant shift away from the outdated practice of vaulting users, which makes the deployment of security controls complex and lengthy, and fails to address modern security challenges. 

Tech Talk Tuesday – 28th April at 2 pm

Join me for my next Tech Talk Tuesday: “PAM Has A Reputational Problem” where I’ll explore this topic in more detail, discussing the challenges of PAM and exploring how vaultless PAM, identity-first security, and just-in-time access are transforming the way organisations secure privilege in a Zero Trust era.
