
Privileged Access Management (PAM) for Remote Access

Timo Wevelsiep | Updated: 30.06.2026

Editorial note: Versions, commands and prices may change. Please verify critical steps independently before production use. This guide does not replace individual consulting.

Privileged access management (PAM) concentrates privileged access to critical systems at one controlled point and extends classic access control with four building blocks: just-in-time access, credential vaulting with automatic rotation, approval and four-eyes workflows, and complete session recording. For remote maintenance by vendors, service providers and third-party firms, PAM is the key lever to remove permanent accounts and shared passwords and to demonstrably meet the requirements of NIS2 and the IEC 62443 standards series.

What PAM adds beyond RBAC and audit

Role-based access control and tamper-evident logging are the foundation of every secure remote-access setup. How to build roles, object-bound rights and tamper-evident audit trails is covered in our article on RBAC & audit for remote access. RBAC answers the question of who may reach which object.

PAM answers the next question: how a privileged session actually runs. It targets exactly where remote maintenance becomes risky in practice:

  • A machine vendor holds a permanent administrative account on your plant.
  • Several technicians share a common service password that is never rotated.
  • Nobody can prove afterwards which command was really issued on the controller.

PAM solves these three problems structurally: no standing rights, no handed-out secrets, no unobserved sessions.

Credential vaulting: rotate passwords and keys, never hand them to technicians

The most dangerous state in remote maintenance is a service password that lives in a spreadsheet, in emails or in the heads of several external technicians. With credential vaulting, passwords, SSH keys and API tokens instead live in a central, encrypted vault.

The decisive mechanism is credential injection: the PAM solution establishes the connection on behalf of the technician and inserts the secret itself, without ever displaying it. The technician works on the target machine but does not know the password. After the session, or on a schedule, the secret is rotated automatically, which makes a leaked password worthless.

An open-source, self-hosted secrets vault such as Vaultwarden is a solid building block here, keeping credentials encrypted and tenant-separated; details on our Vaultwarden page. Three properties matter: credentials never leave the vault in clear text toward a human, every account is a named account rather than a shared collective login, and every retrieval is logged.
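The flow described above, written out as an added Python example (not code from WZ-IT, Vaultwarden or any PAM product): the vault releases a secret only to the broker, which logs the retrieval under the technician's named account, opens the session on the technician's behalf and rotates the service password once the session closes. The target machine, vault, broker and all identities are constructed in-memory stand-ins, and a plain dict stands in for the encrypted store; the point modelled is who may read the secret, not how it is encrypted at rest.

```python
"""Credential vaulting with credential injection and post-session rotation.
Added example, not code from WZ-IT or Vaultwarden: vault, target machine and
broker are in-memory stand-ins; a plain dict stands in for the encrypted store.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


class TargetMachine:
    """Stand-in for a controller or HMI that authenticates a service account."""
    def __init__(self, account: str, password: str) -> None:
        self._account = account
        self._pw_hash = self._digest(password)

    @staticmethod
    def _digest(password: str) -> bytes:
        return hashlib.sha256(password.encode()).digest()

    def login(self, account: str, password: str) -> bool:
        return account == self._account and hmac.compare_digest(
            self._digest(password), self._pw_hash)

    def change_password(self, account: str, current: str, new: str) -> None:
        if not self.login(account, current):      # rotation must prove the current secret
            raise PermissionError("rotation rejected: current password invalid")
        self._pw_hash = self._digest(new)


@dataclass
class Vault:
    """Central secret store. Only the broker calls checkout(); humans never do."""
    store: dict = field(default_factory=dict)   # (target, account) -> clear-text secret
    audit: list = field(default_factory=list)   # every retrieval and rotation

    def put(self, target: str, account: str, secret: str) -> None:
        self.store[(target, account)] = secret

    def checkout(self, on_behalf_of: str, target: str, account: str) -> str:
        # The retrieval is attributed to the named human although the clear-text
        # secret is released to the broker, not to that human.
        self.audit.append({"event": "checkout", "user": on_behalf_of,
                           "target": target, "account": account})
        return self.store[(target, account)]

    def rotate(self, target: str, account: str, machine: TargetMachine) -> None:
        new_secret = secrets.token_urlsafe(24)
        machine.change_password(account, self.store[(target, account)], new_secret)
        self.store[(target, account)] = new_secret
        self.audit.append({"event": "rotate", "target": target, "account": account})


@dataclass
class Session:
    """What the technician gets back: a connected session, never the secret."""
    user: str
    target: str
    account: str
    connected: bool


class Broker:
    def __init__(self, vault: Vault, machines: dict) -> None:
        self.vault = vault
        self.machines = machines

    def open_session(self, user: str, target: str, account: str) -> Session:
        # Credential injection: the broker fetches the secret and presents it itself.
        secret = self.vault.checkout(user, target, account)
        connected = self.machines[target].login(account, secret)
        del secret                                # the secret does not outlive the handshake
        return Session(user, target, account, connected)

    def close_session(self, session: Session) -> None:
        # Post-session rotation: anything the technician may have seen is now worthless.
        self.vault.rotate(session.target, session.account, self.machines[session.target])


def demo() -> dict:
    """Runs one maintenance session and returns what an auditor would check."""
    initial_secret = "Initial-Service-Pw-2026"   # constructed sample value
    plc = TargetMachine("svc_maint", initial_secret)
    vault = Vault()
    vault.put("plc-line-3", "svc_maint", initial_secret)
    broker = Broker(vault, {"plc-line-3": plc})
    session = broker.open_session("tech.mueller@vendor.example", "plc-line-3", "svc_maint")
    broker.close_session(session)
    return {
        "connected": session.connected,
        "secret_in_session_object": initial_secret in repr(session),
        "old_secret_still_valid": plc.login("svc_maint", initial_secret),
        "audit_events": [e["event"] for e in vault.audit],
        "checkout_user": vault.audit[0]["user"],
    }
```

The check worth keeping from this model is the last part of demo(): after close_session() the password the technician could have observed no longer authenticates on the machine, while the audit entries still name the human behind the retrieval rather than a shared collective login.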

Just-in-time access, approval and the four-eyes principle

Standing privileges are the biggest entry point: if an account is taken over, access is immediately open. Just-in-time access (JIT) reverses the principle. A privileged role is activated only for a defined time window and a specific machine, and expires automatically afterwards.

Three workflows make privileged remote maintenance additionally controllable:

  • Time-limited access: the permission applies for a maintenance window, not indefinitely.
  • Approval: before a sensitive action, an authorised party releases the access. The request, its justification and the release land in the audit trail.
  • Four-eyes principle: for especially critical plants, an action is approved by a second person or accompanied live by one, who can terminate the session if needed.

This leaves no hidden permanent access for external firms, and every elevation of rights is time-boxed, justified and documented.
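One way to model the three workflows as a single request life cycle, as an added Python example that is not from the page or from Teleport or JumpServer: a request carries its justification and maximum window, approvals are counted (one for plain approval, two for the four-eyes principle, never the requester's own), the grant starts at the final approval and expires on its own, and a reviewer can terminate early. Every decision is deny-by-default. Timestamps are passed in explicitly so the run is reproducible; all names, roles, hosts and the ticket number are constructed sample values.

```python
"""Just-in-time access with approval, four-eyes review and automatic expiry.
Added example, not code from the page or from Teleport/JumpServer. All names,
roles, hosts and times are constructed sample values.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

MAX_WINDOW = timedelta(hours=4)   # no maintenance window may exceed this


@dataclass
class AccessRequest:
    requester: str
    role: str
    target: str
    justification: str
    window: timedelta
    approvals_needed: int                     # 1 = approval, 2 = four-eyes principle
    approvers: List[str] = field(default_factory=list)
    granted_at: Optional[datetime] = None     # set by the final approval
    terminated_by: Optional[str] = None

    @property
    def expires_at(self) -> Optional[datetime]:
        return None if self.granted_at is None else self.granted_at + self.window


class JitBroker:
    def __init__(self) -> None:
        self.audit: List[dict] = []           # request, approvals, grant and termination land here

    def _log(self, event: str, req: AccessRequest, **extra) -> None:
        self.audit.append({"event": event, "requester": req.requester,
                           "role": req.role, "target": req.target, **extra})

    def request(self, requester: str, role: str, target: str, justification: str,
                window: timedelta, approvals_needed: int = 1) -> AccessRequest:
        if not justification.strip():
            raise ValueError("a justification is mandatory; it lands in the audit trail")
        if window > MAX_WINDOW:
            raise ValueError(f"window exceeds the maximum of {MAX_WINDOW}")
        req = AccessRequest(requester, role, target, justification, window, approvals_needed)
        self._log("request", req, justification=justification, window=str(window))
        return req

    def approve(self, req: AccessRequest, approver: str, now: datetime) -> bool:
        """Records one approval; returns True once the request is fully approved."""
        if approver == req.requester:                 # nobody approves their own request
            self._log("approval_rejected", req, approver=approver, reason="self-approval")
            return False
        if approver not in req.approvers:             # one vote per person
            req.approvers.append(approver)
            self._log("approve", req, approver=approver)
        if req.granted_at is None and len(req.approvers) >= req.approvals_needed:
            req.granted_at = now                      # the window starts at the final approval
            self._log("grant", req, expires_at=req.expires_at.isoformat())
        return req.granted_at is not None

    def terminate(self, req: AccessRequest, by: str, now: datetime) -> None:
        """The accompanying reviewer cuts the session early."""
        req.terminated_by = by
        self._log("terminate", req, by=by, at=now.isoformat())

    def authorize(self, req: AccessRequest, now: datetime, role: str, target: str) -> str:
        """Deny-by-default decision for one privileged action at time `now`."""
        if (role, target) != (req.role, req.target):
            return "deny:out-of-scope"
        if req.granted_at is None:
            return "deny:pending-approval"
        if now >= req.expires_at:
            return "deny:expired"
        if req.terminated_by is not None:
            return "deny:terminated"
        return "allow"


def demo() -> dict:
    """Walks one four-eyes request through its life cycle and returns the decisions."""
    t0 = datetime(2026, 3, 10, 8, 0, tzinfo=timezone.utc)
    broker = JitBroker()
    req = broker.request("tech.schmidt@vendor.example", "plc-admin", "plc-line-3",
                         "Firmware update for ticket INC-0042", timedelta(hours=2),
                         approvals_needed=2)

    def check(minutes: int, target: str = "plc-line-3") -> str:
        return broker.authorize(req, t0 + timedelta(minutes=minutes), "plc-admin", target)

    decisions = [check(1)]                                                  # nothing approved yet
    broker.approve(req, "tech.schmidt@vendor.example", t0)                  # self-approval, rejected
    broker.approve(req, "ot-lead.weber@plant.example", t0 + timedelta(minutes=5))
    decisions.append(check(6))                                              # one of two approvals
    broker.approve(req, "plant-mgr.koch@plant.example", t0 + timedelta(minutes=10))
    decisions.append(check(60))                                             # inside the window
    decisions.append(check(60, target="plc-line-4"))                        # other machine, same role
    broker.terminate(req, "ot-lead.weber@plant.example", t0 + timedelta(minutes=90))
    decisions.append(check(91))                                             # cut by the reviewer
    decisions.append(check(130))                                            # 2 h window ended at +130 min
    return {"decisions": decisions, "audit_events": [e["event"] for e in broker.audit]}
```

The audit list that demo() returns is the record the text asks for: the request with its justification, the rejected self-approval, both approvals, the grant with its expiry and the termination, each attributable to a named person.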

Session recording: capturing privileged sessions

Session recording captures a privileged session in full: screen content, executed commands and keystrokes. For remote maintenance by external firms it is often the only solid proof of what was actually changed on a machine. Recordings are produced server-side and stored in a tamper-evident way, out of reach of the recorded users.

IEC 62443-3-3 explicitly lists session recording as a compensating control where strong authentication cannot be retrofitted directly on legacy systems. Combined with searchable command logs, a long recording becomes a precisely analysable audit record. Each session's metadata also belongs in the audit trail and, via Syslog or CEF, in a SIEM; how events are correlated and analysed centrally is shown on our Wazuh page. Continuous vulnerability management of the components in use complements this; see CVE monitoring.
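The tamper-evident storage, searchable command log and SIEM export described above, as an added Python example (not code from the page, Teleport, JumpServer or Wazuh): each session event is hash-chained to its predecessor, so an edit or deletion after the fact fails verification; recorded commands are searchable by regular expression; and each entry is emitted as an ArcSight CEF line carrying the chain hash so the SIEM holds an independent copy. The events, session id, user and host are constructed sample data, and the vendor and product strings in the CEF header are placeholders.

```python
"""Tamper-evident session records, searchable command log and CEF export.
Added example, not code from the page or from Teleport, JumpServer or Wazuh.
Events are constructed sample data; vendor/product strings are placeholders.
"""
import hashlib
import json
import re
from typing import List, Optional, Tuple

GENESIS = "0" * 64
SEVERITY = {"session.start": 3, "session.command": 2,
            "session.end": 3, "session.terminated": 7}   # CEF severity scale 0-10


def entry_hash(prev_hash: str, event: dict) -> str:
    """Canonical JSON so the hash does not depend on key order."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class SessionLedger:
    """Append-only store held by the recorder, out of reach of the recorded user."""
    def __init__(self) -> None:
        self.entries: List[Tuple[dict, str]] = []

    def append(self, event: dict) -> str:
        prev = self.entries[-1][1] if self.entries else GENESIS
        digest = entry_hash(prev, event)
        self.entries.append((event, digest))
        return digest

    def verify(self) -> Optional[int]:
        """Index of the first entry whose link is broken, or None if the chain is intact."""
        prev = GENESIS
        for i, (event, digest) in enumerate(self.entries):
            if entry_hash(prev, event) != digest:
                return i
            prev = digest
        return None

    def search_commands(self, pattern: str) -> List[Tuple[str, str]]:
        """(session id, command) for every recorded command matching the regex."""
        rx = re.compile(pattern)
        return [(e["session"], e["cmd"]) for e, _ in self.entries
                if e["type"] == "session.command" and rx.search(e["cmd"])]


def _esc_header(s: str) -> str:      # CEF header fields: escape backslash and pipe
    return s.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(s: str) -> str:         # CEF extension values: escape backslash, '=' and newlines
    return s.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def to_cef(event: dict, digest: str) -> str:
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension"""
    header = [_esc_header(x) for x in (
        "ExamplePAM", "Broker", "1.0", event["type"],
        event["type"].replace(".", " "), str(SEVERITY[event["type"]]))]
    ext = {"suser": event["user"], "dhost": event["target"],
           "cs2": event["session"], "cs2Label": "sessionId",
           "cs1": digest, "cs1Label": "entryHash"}       # the chain hash travels to the SIEM too
    if "cmd" in event:
        ext["msg"] = event["cmd"]
    return "CEF:0|" + "|".join(header) + "|" + " ".join(f"{k}={_esc_ext(v)}" for k, v in ext.items())


def _ev(kind: str, cmd: Optional[str] = None) -> dict:
    e = {"type": kind, "session": "s-7f3a",
         "user": "tech.mueller@vendor.example", "target": "plc-line-3"}
    if cmd is not None:
        e["cmd"] = cmd
    return e


# Constructed sample: one recorded maintenance session on a controller.
SAMPLE_EVENTS = [
    _ev("session.start"),
    _ev("session.command", "systemctl status plc-runtime"),
    _ev("session.command", "ls /var/log | tail -n 20"),
    _ev("session.command", "cp firmware-2.4.bin /opt/plc/"),
    _ev("session.end"),
]


def build_ledger(events: List[dict] = SAMPLE_EVENTS) -> SessionLedger:
    ledger = SessionLedger()
    for event in events:
        ledger.append(event)
    return ledger


def tamper_demo() -> Optional[int]:
    """Rewrites the firmware command after the fact; verify() names the entry."""
    ledger = build_ledger()
    event, digest = ledger.entries[3]
    ledger.entries[3] = (dict(event, cmd="ls"), digest)
    return ledger.verify()
```

Deleting an entry breaks the chain in the same way as editing one, because the successor's hash still covers the removed predecessor. Because the entry hash is exported in cs1, a reviewer can compare the recorder's verify() result against the hashes the SIEM stored at the time; the two disagreeing is the signal that the recording was altered after export.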

Open-source PAM: Teleport and JumpServer

Sovereign, self-hosted PAM can be built from open-source blocks. Two widely used projects:

  • Teleport (AGPL-3.0) provides unified RBAC/ABAC, just-in-time access requests and session recording for SSH, Kubernetes, databases, RDP and web apps; playback runs via the web UI or tsh play. Most RBAC features are included in the open-source variant; the approval UI with a waiting room is reserved for the Enterprise edition (Teleport documentation).
  • JumpServer (GPL-3.0) is a bastion and PAM platform with a credential vault, automatic password rotation and full session recording including command history and video playback, for SSH, RDP, VNC, databases and Kubernetes through a single audited gateway (JumpServer).

Both work as components of a platform. In OT remote maintenance, the key is to embed them cleanly into the site and network architecture rather than running them as an isolated island.

Why PAM is central for third-party and maintenance access

External access by vendors and service providers is under particular regulatory scrutiny because it extends the attack surface beyond your own organisation.

NIS2: Article 21 of the NIS2 Directive and Germany's Section 30 BSIG list access-control policies, multi-factor authentication and supply-chain security among the minimum measures. For supplier and maintenance access this means, in practice: named accounts instead of shared ones, just-in-time access with approval, vaulting and rotating shared credentials, and logged, traceable supplier sessions. Germany's NIS2 implementation law (NIS2UmsuCG) was published in the Federal Law Gazette on 5 December 2025 and has been in force since 6 December 2025. How to set up remote access compliantly overall is covered in our article on NIS2-compliant remote access.

IEC 62443: In IEC 62443-3-3, the foundational requirements FR1 (Identification and Authentication Control) and FR2 (Use Control) cover the core building blocks of PAM. SR 1.5 (authenticator management) addresses managing, storing and changing credentials, SR 2.1 covers enforced authorisation following least privilege, and the audit requirements SR 2.8 (auditable events), SR 2.11 (timestamps) and SR 2.12 (non-repudiation from Security Level 3) cover session recording and logging. The complementary IEC 62443-2-4 is aimed specifically at providers of automation solutions, that is, exactly the maintenance scenarios where PAM applies.

PAM building block              NIS2 (Section 30 BSIG)         IEC 62443                 Implementation in remote maintenance
Just-in-time access             Access control, supply chain   FR2 / SR 2.1              Time-boxed roles, no standing privilege
Credential vaulting & rotation  Access control, MFA            FR1 / SR 1.5              Vault, credential injection, automatic rotation
Approval / four-eyes            Risk management, supply chain  FR2 / SR 2.1              Approval workflow before sensitive access
Session recording               Incident handling              FR2 / SR 2.8, 2.11, 2.12  Complete, tamper-evident recording
Audit / SIEM export             Effectiveness of measures      FR6 / SR 6.1              Read-only logs, Syslog/CEF into the SIEM

This article is general information and not legal advice. You should have your specific obligations and implementation reviewed professionally.

How WZ-IT implements PAM in remote platforms

In our sovereign platforms, privileged access is not a bolt-on but built into the access path. Access runs through a broker that checks the permission server-side on a deny-by-default basis, injects credentials from the vault and uses short-lived session tokens instead of permanently distributed keys. No external technician carries a permanent secret to your plants.

Sensitive actions can be bound to an approval or the four-eyes principle, critical sessions are recorded, and all events flow into the tamper-evident audit trail and, on request, into the SIEM. The actual access is brokered in the browser, so neither a VPN client nor open inbound ports are required. We run this approach in production: at ABCO Water Systems in Australia for HMI and machine access across distributed sites, and at nextGYM in Germany for a deployed IoT device fleet.

Next steps

PAM is the layer that makes third-party remote maintenance secure, time-boxed and provable. If you would rather not build such a platform yourself, we take it on: from credential vaulting and just-in-time workflows through session recording to the audit and SIEM connection. Read more on our remote management platforms page. We assess the current state of your privileged access in a security audit. Want to discuss this in concrete terms? Book a free initial consultation.

You'd rather not run Remote Access yourself? WZ-IT handles setup, operations and maintenance – GDPR-compliant from Germany.

Frequently Asked Questions

Answers to the most important questions

PAM concentrates privileged access to critical systems at one controlled point. It extends RBAC and audit with just-in-time access, credential vaulting with automatic rotation, approval and four-eyes workflows, and complete session recording. For remote maintenance by vendors, service providers and third parties, PAM removes permanent admin accounts and shared passwords.

RBAC defines who holds which role and therefore which rights. PAM additionally controls how a privileged session actually runs: permissions are granted only for a limited time (just-in-time), credentials sit in a vault and are rotated instead of handed to technicians, sensitive access needs approval, and every session is recorded. PAM builds on RBAC and adds control over the session itself.

With credential vaulting, passwords, SSH keys and API tokens live in a central, encrypted vault. The technician never sees the actual secret. The PAM solution injects the credential in the background when the connection is established and rotates it automatically after use or on a schedule. A leaked or shared password can then no longer be reused for later access.

Session recording captures privileged sessions in full, including screen content, executed commands and keystrokes. For remote maintenance by external firms it is often the only way to prove afterwards exactly what was changed on a machine. IEC 62443 lists session recording as a compensating control where strong authentication cannot be applied directly on legacy systems.

Teleport (AGPL-3.0) provides RBAC/ABAC, just-in-time access requests and session recording for SSH, Kubernetes, databases, RDP and web; the approval UI with a waiting room is reserved for the Enterprise edition. JumpServer (GPL-3.0) is a bastion and PAM platform with a credential vault, automatic password rotation and full session recording for SSH, RDP, VNC, databases and Kubernetes. Both work as building blocks of a sovereign platform.

NIS2 does not name PAM explicitly, but Article 21 requires access-control policies, multi-factor authentication and supply-chain security. In practice, named accounts instead of shared ones, just-in-time access with approval, vaulting and rotating credentials, and logged supplier sessions are exactly how those duties are met for third-party and maintenance access. Germany's NIS2 implementation law has been in force since December 2025.

Access runs through a broker that checks the permission server-side, injects credentials from the vault and uses short-lived session tokens instead of permanent keys. Sensitive actions can require approval, critical sessions are recorded, and all events flow into the tamper-evident audit trail and via Syslog or CEF into a SIEM such as Wazuh.

Timo Wevelsiep & Robin Zins, Managing Directors of WZ-IT
