An official training service of the State of the Kaharagians
CIS 220 Identity, Access, and Records Security
Lesson 6 of 10 · CIS 220

Privileged Access Management

Lesson Overview

Not all access is equal. The earlier lessons taught how access is granted by role and kept to the least needed, but a particular kind of access stands apart and demands its own discipline: privileged access, the powerful, administrative access that can create and destroy accounts, alter configuration, reach across a service's data, and hold the keys other systems trust. Privileged access is the access that can break things, not just use them, and because it is so powerful, a privileged account is the highest-value prize an attacker can win and the gravest insider risk a force carries. This lesson is about privileged access management: the special controls that surround the most powerful access, so that it is held by as few as possible, protected as strongly as possible, used as narrowly as possible, and watched as closely as possible. It deepens the least-privilege of Lesson 03 and the elevated-access conduct of CIS 210 into a specific discipline for the access that matters most.

The governing idea is that privileged access is treated as a special, dangerous thing, not as ordinary access with bigger numbers. Ordinary access is managed by the lifecycle and least-privilege already taught; privileged access needs more, because the consequence of its compromise or misuse is so much greater. A single compromised administrator account can hand an attacker the whole estate, and a single misused privileged action can do damage no ordinary account could, so the controls around privileged access are correspondingly stricter: fewer holders, separate accounts, the strongest protection, the narrowest and most time-limited grants, and the closest watching. The principles are the familiar ones (minimisation, least privilege, separation, accountability), applied at their strictest to the access where the stakes are highest. The member who handles privileged access with this special care protects the estate at its most vulnerable point; one who treats it casually, as just another login, leaves the keys to the kingdom poorly guarded.

This is the knowledge layer; the practice of holding and managing privileged access is done under those who administer the estate, with privileged access following appointment as the framework requires. It rests on recognised privileged-access practice and is wholly defensive, about protecting the Principality's systems, never about attacking. Read this to understand the discipline; the practice comes under appointment and guidance.

By the end you will be able to explain what privileged access is and why it is a special, dangerous category, minimise and separate privileged accounts, protect privileged credentials at the highest level, grant privileged access narrowly and only when needed, and watch privileged use closely, all within a small force's means.

Key Terms

  • Privileged access: powerful, administrative access that can create, alter, or destroy across a system, hold its keys, and break it, not merely use it.
  • Privileged account: an account holding privileged access, the highest-value target for an attacker and the gravest insider risk, requiring special control.
  • Administrator (admin) account: an account with administrative power over a system; the common form of a privileged account.
  • Separate (dedicated) admin account: a privileged account used only for privileged work, distinct from the holder's everyday account, so the powerful access is not exposed in daily use.
  • Just-in-time access: granting privileged access only when it is needed and for a limited time, rather than holding it standing and permanent.
  • Just-enough access: granting only the specific privileged access a task needs, not blanket administrative power, the least-privilege principle applied to privileged access.
  • Break-glass access: a controlled, audited emergency means of gaining privileged access when normal access fails, used rarely and accounted for.
  • Standing privilege: privileged access held permanently whether or not it is in use, which is riskier than time-limited access and is minimised.
  • Privileged session monitoring: the close logging and watching of what is done with privileged access, so misuse or compromise is seen.
  • Blast radius: the extent of damage a compromised account could do; privileged accounts have the largest, which is why their compromise is so grave.

Why privileged access is a special category

The reason privileged access needs its own discipline is the size of its blast radius, the extent of the damage a compromise could do. An ordinary account, compromised, lets an attacker do what that user could do, read some data, use some services, which is bad but bounded; a privileged account, compromised, can let an attacker do almost anything, create and destroy accounts, alter or exfiltrate data across a service, change configuration, disable defences, reach other systems through the keys it holds. The privileged account is, in effect, the keys to the estate, so its compromise is not one more breach but potentially the loss of the whole, which is why privileged access is the single most valuable thing an attacker tries to obtain and the most dangerous thing a force can hold carelessly.

This makes privileged accounts the prime target of attackers and the gravest insider risk. Attackers who get any foothold typically work to escalate toward privileged access, because that is what turns a small breach into a total one; so the privileged accounts are exactly where attackers are trying hardest to reach, and where the defence must be strongest. And because privileged access can do so much, it is also where the misuse of a trusted insider, deliberate or careless, does the most harm, which the elevated-access conduct lesson of CIS 210 addressed and which this lesson surrounds with controls. The combination, highest attacker priority and gravest insider risk, is why privileged access is managed as a special, dangerous category rather than as ordinary access scaled up.

The consequence is a discipline of proportionate extra control: because the stakes are so much higher, the controls are correspondingly stricter than for ordinary access. Everything the course has taught about access, minimise it, grant least privilege, protect credentials, hold accountability, applies to privileged access at its strictest setting, plus controls specific to privilege, separate accounts, time-limited grants, close monitoring, that ordinary access does not need. The rest of this lesson is those stricter and specific controls, which together guard the access where guarding matters most.

Minimise and separate privileged accounts

The first two disciplines reduce how much privileged access exists and where it is exposed. Minimise privileged access: privileged access is held by as few people as genuinely need it, in as few accounts as possible, because every privileged account is a high-value target and a risk, so the fewer there are, the smaller the attack surface and the easier they are to protect and watch. A force does not grant administrative power widely or by default; it grants it only to the few whose appointment genuinely requires it, and reviews even those, because privileged access is exactly the access where over-granting is most dangerous. The smallest possible number of privileged accounts, held only by those who must, is the foundation.

Separate privileged from everyday access: those who hold privileged access use a separate, dedicated admin account for privileged work, distinct from their ordinary everyday account, rather than carrying their administrative power around in the account they use for email and browsing. The reason is exposure: an everyday account is used constantly, on the web, in mail, across the daily risks the cyber-hygiene course described, and is therefore far more likely to be compromised; if that everyday account also held privileged access, its compromise would hand over the estate. By keeping privileged access in a separate account used only for privileged work, and the everyday account free of privilege, the powerful access is not exposed to the daily risks, and the compromise of the everyday account does not yield privilege. This separation, an admin's daily account being an ordinary account and their privileged work being done through a distinct admin account, is a basic and high-value privileged-access control.

To these is added the least-privilege within privilege: even privileged access is granted as just-enough access, the specific administrative rights a role needs, not blanket total power, so that a privileged account compromised yields only its particular privileges, not everything. An administrator of one service need not be an administrator of all; the privilege is scoped to what the appointment requires, exactly as ordinary access is, so that the blast radius even of a privileged compromise is bounded to that privilege's scope. Minimise the privileged accounts, separate them from everyday accounts, and scope each to just enough: these three shrink and contain privileged access before any other control.

   MINIMISE AND SEPARATE PRIVILEGED ACCESS

   MINIMISE        privileged access held by the FEWEST people, in the
                   FEWEST accounts, that genuinely need it (every privileged
                   account is a high-value target)
   SEPARATE        a dedicated ADMIN account for privileged work, distinct
                   from the everyday account
                   ......... the everyday account (mail, web) is far more
                             exposed; don't carry privilege in it
   JUST-ENOUGH     even privileged access is scoped to what the role needs,
                   not blanket total power (least privilege within privilege)
                   ......... bounds the blast radius even of a privileged compromise

   Privileged access follows appointment, like all access.

Protect, time-limit, and grant narrowly

Beyond minimising and separating, privileged access is protected, time-limited, and granted narrowly, applying the strongest versions of the course's protections to the access that needs them most. Protect privileged credentials at the highest level: privileged accounts get the strongest credential protection the force can provide, strong unique secrets, multi-factor authentication always (never optional for privileged access), and the careful secrets handling of Lesson 04 at its strictest, because the privileged credential is the most valuable to steal and so the most important to protect. A privileged account without strong authentication is an unlocked door to the estate; multi-factor authentication and strong secrets on every privileged account are non-negotiable.

Time-limit privileged access where possible through just-in-time access: rather than holding privileged access standing, permanent and active whether or not it is in use, the better practice is to grant it only when it is needed and for a limited time, so that the powerful access exists only during the work that requires it and is not a standing target the rest of the time. Standing privilege is a permanent high-value target; just-in-time privilege, granted for a task and then expiring, is a target only briefly, which greatly reduces the window in which a compromised privileged account is useful to an attacker. Where a force cannot fully implement just-in-time granting, the principle still guides: privileged access is activated and used deliberately for the work that needs it, not left standing and live by default.

And privileged access is granted narrowly and accounted for, with a controlled break-glass path for emergencies. Privileged access is given only to those whose appointment requires it, for the scope they need, following the lifecycle and review of Lessons 02 and 10 at their strictest, and removed promptly when the appointment ends, because an orphaned privileged account, a leaver's admin access never revoked, is among the most dangerous gaps a force can leave. For the rare case where normal privileged access fails and emergency access is genuinely needed, a controlled, audited break-glass mechanism provides it, used rarely, logged fully, and accounted for afterward, so that emergency access is possible without leaving standing emergency privilege lying about. Protected at the highest level, time-limited where possible, granted narrowly, and with controlled emergency access, privileged access is held as tightly as the small force can manage.
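
The grant rules of this section, sketched as an added example (not code from this course or from any product): a small broker that issues just-in-time, just-enough grants, denies anything outside the holder's appointment, and offers a logged break-glass path. The class names, scope strings such as "mail:admin", the 60- and 15-minute limits, and the account names are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class Grant:
    holder: str
    scope: str                  # just-enough: one named right, never "everything"
    expires: datetime
    break_glass: bool = False

@dataclass
class PrivilegeBroker:
    appointments: dict          # holder -> set of scopes the appointment covers
    emergency_holders: set = field(default_factory=set)  # who may break glass
    max_minutes: int = 60       # assumed ceiling on any normal grant
    break_glass_minutes: int = 15
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def _log(self, now, event, holder, scope, reason):
        self.audit.append({"time": now.isoformat(), "event": event,
                           "holder": holder, "scope": scope, "reason": reason})

    def _grant(self, now, event, holder, scope, minutes, reason):
        grant = Grant(holder, scope, now + timedelta(minutes=minutes),
                      break_glass=(event == "BREAK_GLASS"))
        self.grants.append(grant)
        self._log(now, event, holder, scope, reason)
        return grant

    def request(self, holder, scope, minutes, reason, now):
        """Normal path: only scopes the appointment covers, for a capped time."""
        if scope not in self.appointments.get(holder, set()):
            self._log(now, "DENY", holder, scope, reason)
            return None
        return self._grant(now, "GRANT", holder, scope,
                           min(minutes, self.max_minutes), reason)

    def break_glass(self, holder, scope, reason, now):
        """Emergency path: named holders only, shorter expiry, always logged."""
        if holder not in self.emergency_holders or not reason.strip():
            self._log(now, "DENY_BREAK_GLASS", holder, scope, reason)
            return None
        return self._grant(now, "BREAK_GLASS", holder, scope,
                           self.break_glass_minutes, reason)

    def is_allowed(self, holder, scope, now):
        """No standing privilege: access exists only inside an unexpired grant."""
        return any(g.holder == holder and g.scope == scope and now < g.expires
                   for g in self.grants)

    def end_appointment(self, holder, now):
        """Leaver: drop the appointment and every live grant in one step."""
        self.appointments.pop(holder, None)
        self.emergency_holders.discard(holder)
        self.grants = [g for g in self.grants if g.holder != holder]
        self._log(now, "REVOKE_ALL", holder, "*", "appointment ended")

    def break_glass_to_review(self):
        """Emergency uses that must be accounted for afterward."""
        return [e for e in self.audit if e["event"] == "BREAK_GLASS"]

if __name__ == "__main__":
    t0 = datetime(2026, 1, 5, 9, 0, tzinfo=timezone.utc)  # constructed clock
    broker = PrivilegeBroker({"adm-a": {"mail:admin"}}, {"duty-officer"})
    broker.request("adm-a", "mail:admin", 240, "reset a mailbox", t0)
    print(broker.is_allowed("adm-a", "mail:admin", t0 + timedelta(minutes=61)))
```

Denied requests are logged as well as granted ones, so an account repeatedly asking for scopes outside its appointment shows up in the same audit record.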

Watch it closely, and the small-force reality

The final discipline is to watch privileged access closely, through privileged session monitoring: because privileged actions are the most consequential, what is done with privileged access is logged and watched more closely than ordinary access, so that misuse or compromise is seen quickly. Every privileged action leaves a protected record (the audit trail of Lesson 10), privileged accounts are watched for anomalous use, and the close monitoring both deters misuse, since the privileged user knows their actions are recorded and reviewed, and detects it, since a compromised or misused privileged account shows in the monitoring. The access with the largest blast radius is the access most worth watching, so privileged use gets the closest scrutiny, which connects privileged-access management directly to the audit and accountability that close the course.

A realistic word on the small-force reality, because privileged-access management can sound like a large organisation's apparatus. A small force has very few administrators, sometimes the same one or two people who hold most of the privileged access, and it cannot always achieve the full separation, just-in-time tooling, and elaborate monitoring a large enterprise can. The lesson is honest about this, and the answer is the same as throughout the course: apply the principles as far as the force can, and protect the most important controls even when others cannot be fully achieved. Even a small force can minimise who holds privileged access, have its admins use separate admin accounts, put strong MFA on every privileged account, scope privilege to need, revoke privileged access promptly when appointments end, and log and review privileged actions. These are within any force's reach, cost little, and close most of the privileged-access risk; the more elaborate controls are refinements on top. And the conduct of those who hold privileged access, the discipline, restraint, and accountability that CIS 210's elevated-access lesson taught, remains the irreplaceable human core, because privileged access is, in the end, trust placed in a few people, and their conduct is what no control can replace. The small force manages privileged access by doing the achievable essentials rigorously and trusting its few privileged holders to conduct themselves as the trust demands.
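
The achievable essentials listed above can be checked against a plain account inventory, shown here as an added example that is not part of the original lesson. The inventory records, their field names, the "*" convention for blanket power, and the holder limit of two are constructed assumptions.

```python
# Constructed inventory for illustration; every name and field is an assumption.
ACCOUNTS = [
    {"account": "j.reyes", "owner": "j.reyes", "scopes": [],
     "mfa": True, "daily_use": True, "appointment_active": True},
    {"account": "adm-j.reyes", "owner": "j.reyes", "scopes": ["mail:admin"],
     "mfa": True, "daily_use": False, "appointment_active": True},
    # Privilege carried in the account used for mail and web.
    {"account": "m.santos", "owner": "m.santos", "scopes": ["directory:admin"],
     "mfa": True, "daily_use": True, "appointment_active": True},
    # A leaver's admin account: blanket power, no MFA, never revoked.
    {"account": "adm-old", "owner": "t.cruz", "scopes": ["*"],
     "mfa": False, "daily_use": False, "appointment_active": False},
]

def audit_privileged_accounts(accounts, max_holders=2):
    """Return sorted (account, finding) pairs for the lesson's essentials."""
    findings = []
    privileged = [a for a in accounts if a["scopes"]]
    for a in privileged:
        if not a["mfa"]:
            findings.append((a["account"], "NO_MFA"))
        if a["daily_use"]:
            findings.append((a["account"], "PRIVILEGE_IN_EVERYDAY_ACCOUNT"))
        if "*" in a["scopes"]:
            findings.append((a["account"], "BLANKET_SCOPE"))
        if not a["appointment_active"]:
            findings.append((a["account"], "ORPHANED"))
    # Minimise: count distinct people holding privilege, not accounts.
    holders = {a["owner"] for a in privileged}
    if len(holders) > max_holders:
        findings.append(("(estate)", "TOO_MANY_PRIVILEGED_HOLDERS"))
    return sorted(findings)

if __name__ == "__main__":
    for account, finding in audit_privileged_accounts(ACCOUNTS):
        print(f"{finding:32} {account}")
```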

In Practice: Guarding the Keys to the Estate

A member of the Royal Kaharagian Army responsible for the Principality's identity and access studies how privileged access is guarded, and sees that it is treated not as ordinary access scaled up but as a special, dangerous category, because its compromise could mean the loss of the whole estate. A careless approach would grant administrative power widely, let admins carry privilege in their everyday accounts, and watch it no more closely than ordinary access; the disciplined approach surrounds privileged access with stricter controls.

Privileged access is minimised: held by the few whose appointment genuinely requires it, in as few accounts as possible, because each privileged account is a prime target. Those few hold a separate, dedicated admin account for privileged work, distinct from the everyday account they use for mail and the web, so the powerful access is not exposed to daily risks and the compromise of an everyday account does not yield privilege. Even within privilege, each is scoped to just enough, the rights the role needs, not blanket total power, bounding the blast radius even of a privileged compromise. The privileged credentials get the strongest protection, MFA always, the strictest secrets handling, because they are the most valuable to steal. Where possible, privileged access is time-limited, granted just-in-time for the work and expiring, rather than standing live as a permanent target, and a controlled break-glass path covers genuine emergencies.

Privileged use is watched closely, every privileged action logged and reviewed, both to deter misuse and to detect a compromised account, which ties straight to the audit that closes the course. And the member sees the small-force reality handled honestly: the Principality's few administrators cannot field a large enterprise's apparatus, so they do the achievable essentials rigorously, minimise the privileged holders, use separate admin accounts, strong MFA on every one, scope to need, revoke promptly when appointments end, log and review, and trust the conduct of those few privileged holders, as CIS 210 taught, because privileged access is finally trust placed in a few people. The keys to the estate are guarded as the keys to the estate, which is exactly what privileged-access management is for, and what protects the Principality at its most vulnerable point.

Check Your Understanding

  1. Explain what privileged access is and why its blast radius makes it a special, dangerous category, the prime target for attackers and the gravest insider risk, rather than ordinary access scaled up.
  2. Describe the disciplines of minimising privileged accounts, separating them from everyday accounts (and why the everyday account is the wrong place for privilege), and scoping each to just-enough access.
  3. Explain how privileged access is protected (strongest credentials, MFA always), time-limited (just-in-time versus standing privilege), granted narrowly (following appointment, revoked promptly, with controlled break-glass), and watched closely (privileged session monitoring). How does a small force apply these within its means?

Reflection (write a short paragraph): This lesson argues that privileged access is "the keys to the estate," so its compromise is not one more breach but potentially the loss of the whole, which is why attackers prize it most and a force must guard it most strictly. Why is the simple discipline of an administrator using a separate admin account, kept out of their risky everyday browsing and mail, such a high-value protection for so little effort? Then consider the small-force reality, where one or two people hold most of the privileged access and cannot field elaborate tooling: which achievable essentials would you protect first, and why does the conduct of those few privileged holders remain the irreplaceable core?

Summary

  • Privileged access is the powerful, administrative access that can break a system, not just use it, and hold its keys. Because its blast radius is the largest, a privileged account is the prime target for attackers (who escalate toward it) and the gravest insider risk, so it is managed as a special, dangerous category with proportionately stricter controls, not as ordinary access scaled up.
  • Minimise privileged access (fewest people, fewest accounts that genuinely need it), separate it from everyday access (a dedicated admin account distinct from the risky everyday account), and scope each to just-enough access (least privilege within privilege), bounding the blast radius even of a privileged compromise.
  • Protect privileged credentials at the highest level (strong secrets, MFA always), time-limit access where possible (just-in-time rather than standing privilege, so it is a target only briefly), grant narrowly (following appointment, revoked promptly, an orphaned admin account being especially dangerous) with a controlled, audited break-glass path for emergencies, and watch it closely (privileged session monitoring deters and detects misuse).
  • The small-force reality: with few administrators and no enterprise tooling, apply the principles as far as possible and protect the achievable essentials rigorously, minimise holders, separate admin accounts, strong MFA on every privileged account, scope to need, revoke promptly, log and review. The conduct of the few privileged holders (CIS 210's elevated-access discipline) remains the irreplaceable human core.
  • This is the knowledge layer; holding and managing privileged access is done under appointment and guidance, privileged access following appointment as the framework requires. The lesson deepens the least-privilege of Lesson 03 and the elevated-access conduct of CIS 210, applies the credential protection of Lesson 04 at its strictest, and feeds the audit and accountability of Lesson 10. Everything here is defensive.

Crown Copyright © 2026 | Published by Authority of H.R.H. The Prince of Kaharagia

Lesson 6 · Knowledge Check

Question 1 of 3

Privileged access is treated as a special, dangerous category because: