Vendor Access, Privileged Access & Compliance Culture
Trust, controls, and third parties
Real-world analogy
Giving a vendor admin access is like handing a contractor the master key to a bank vault. You do it only when necessary, only for the time it takes, with a camera rolling, and with two colleagues watching.
What is it?
Vendor access, privileged access, segregation of duties, maker-checker, PAM, and access-review discipline together form the ‘adult layer’ of IT operations in regulated industries. Ignoring it isn’t edgy; it’s career-limiting.
Real-world relevance
A vendor needs to patch a core banking module. Access is requested via PAM, approved by the app owner, time-limited to 2 hours, MFA-enforced, session recorded, change ticket linked. The vendor logs in, patches, verifies, and logs out. Recording is filed. Next quarter’s access review confirms nothing was missed.
Key points
- Privileged Access Management (PAM) — PAM tools (CyberArk, Delinea, BeyondTrust, Microsoft Entra PIM, formerly Azure AD PIM) vault credentials, grant time-limited just-in-time access, and record privileged sessions. Most regulated enterprises run one of these, and auditors expect to see the approval and session evidence it produces.
- Vendor access basics — Named individuals, time-bounded, scoped, monitored, and revoked. Never share generic ‘vendor’ accounts. Never extend access ‘indefinitely for convenience.’
- Break-glass accounts — A small set of high-privilege accounts used only when all other paths fail (for example, when the identity provider or MFA service is down and nobody else can sign in). Strong unique passwords, hardware MFA, offline storage, excluded from Conditional Access and other policies that could lock them out, and monitored for any use. Their value is in not being used.
- Maker-checker pattern — The person who requests/executes is not the person who approves/validates. Standard in banking and many regulated industries. Reduces both fraud and honest mistakes.
- Segregation of duties (SoD) — Separate roles and responsibilities so no single person controls an entire critical process. Developers don’t push to production alone; admins don’t approve their own changes; finance doesn’t approve their own payments.
- Session recording and replay — High-risk sessions (vendor, emergency, root) should be recorded. Playback supports audits and incident investigations. Juniors don’t watch every session — they know where recordings live.
- Access reviews (again) — Quarterly for normal, monthly for privileged. Managers sign off. Auto-generated reports + evidence retained. Access that isn’t used for 90 days is flagged and removed.
- Compliance culture — not bureaucracy — Good compliance is just good judgment written down. The goal isn’t paperwork — it’s predictable, trustable operations. Juniors who internalize this early become senior leaders faster.
Code example
// Vendor access request checklist
[ ] Named individual(s), NOT shared vendor accounts
[ ] Business justification + system(s) in scope
[ ] Time-bounded (start + end timestamp)
[ ] Approval from system owner (recorded, via system)
[ ] MFA required; session via PAM tool (recorded)
[ ] Change ticket linked
[ ] Monitoring + alerts for vendor sessions active
[ ] Post-session verification logged
[ ] Access automatically revoked at end time
[ ] Recording retained per policy (e.g., 12 months)
[ ] Covered by quarterly access review

// Break-glass account hygiene
[ ] 2 accounts, unique long passwords, hardware MFA
[ ] Credentials stored offline in a sealed envelope in a safe
[ ] Excluded from Conditional Access/MFA-enforcement policies that could lock them out (not from audit logging or alerting!)
[ ] Any login triggers immediate SOC alert + exec notification
[ ] Tested at least twice a year; rotated after use
Line-by-line walkthrough
- 1. Vendor access checklist
- 2. Named individuals
- 3. Business justification + scope
- 4. Time-bounded
- 5. Owner approval recorded
- 6. MFA + recorded PAM session
- 7. Change ticket linked
- 8. Monitoring/alerts for vendor sessions
- 9. Post-session verification
- 10. Auto-revoke at end time
- 11. Recording retention
- 12. Quarterly review coverage
- 13. Blank separator
- 14. Break-glass hygiene
- 15. Two accounts with unique creds
- 16. Offline storage
- 17. Excluded from disruptive policies but not from audit
- 18. Immediate alert on use
- 19. Tested and rotated
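The key points and the checklist above describe two recurring jobs: the periodic access review (named individual, maker-checker, time-bounded, PAM-brokered with MFA, change ticket, auto-revoked, unused for 90 days) and the monitoring of privileged logins (break-glass use, vendor logins outside an approved window). The script below is an added example that is not part of the original page: it runs those checks over a constructed export of grants and login events. The record layout, the account names, the ticket IDs, the review date and the two break-glass account names are assumptions for illustration; the 90-day rule and the "any break-glass login alerts the SOC" rule come from the page.

```python
"""Access-review and login-monitoring checks for vendor, privileged and break-glass accounts.

Added example, not code from the original page. The record layout, account names,
ticket IDs and the review date are assumed for illustration; the thresholds
(90-day unused rule, two break-glass accounts) follow the page's key points.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UNUSED_DAYS = 90                              # page rule: unused for 90 days -> flag and remove
BREAK_GLASS = {"bg-admin-01", "bg-admin-02"}  # assumed names of the two break-glass accounts


def utc(*parts: int) -> datetime:
    return datetime(*parts, tzinfo=timezone.utc)


@dataclass
class Grant:
    account: str                  # login used on the target system
    person: Optional[str]         # named individual; None = generic shared account
    requester: str
    approver: str
    start: datetime
    end: Optional[datetime]       # None = "indefinite"
    enabled: bool                 # still enabled in the IdP/PAM tool at review time
    via_pam: bool                 # brokered and session-recorded by the PAM tool
    mfa: bool
    change_ticket: Optional[str]
    last_used: Optional[datetime]


def review_grant(g: Grant, now: datetime) -> list:
    """Return the checklist items one grant fails (empty list = clean)."""
    findings = []
    if g.person is None:
        findings.append("shared account: no person-level attribution")
    if g.requester == g.approver:
        findings.append("self-approved: maker-checker violated")
    if g.end is None:
        findings.append("not time-bounded: indefinite access")
    elif g.enabled and now > g.end:
        findings.append("still enabled after end time: auto-revoke failed")
    if not (g.via_pam and g.mfa):
        findings.append("not PAM-brokered with MFA: session unrecorded")
    if g.change_ticket is None:
        findings.append("no change ticket linked")
    if g.enabled and now - (g.last_used or g.start) >= timedelta(days=UNUSED_DAYS):
        findings.append(f"unused for {UNUSED_DAYS}+ days: remove")
    return findings


def review_all(grants, now):
    """Access review: map each account to the findings it carries."""
    return {g.account: review_grant(g, now) for g in grants}


def check_logins(grants, events):
    """Monitoring: alert on any break-glass use and on logins outside an approved window."""
    windows = {}
    for g in grants:
        windows.setdefault(g.account, []).append(g)
    alerts = []
    for e in events:
        if e["result"] != "success":
            continue
        ts, acct = e["ts"], e["account"]
        if acct in BREAK_GLASS:
            alerts.append(f"{ts.isoformat()} BREAK-GLASS login by {acct}: page SOC and notify exec")
        elif not any(g.start <= ts and (g.end is None or ts <= g.end) for g in windows.get(acct, [])):
            alerts.append(f"{ts.isoformat()} {acct} logged in outside any approved window")
    return alerts


# Constructed sample data: one clean vendor grant, one legacy shared account,
# one grant whose end time passed without revocation, plus a few login events.
NOW = utc(2025, 4, 1, 12, 0)
SAMPLE_GRANTS = [
    Grant("vend-acme-jdoe", "J. Doe (Acme)", "jdoe@acme", "app.owner",
          utc(2025, 3, 28, 9, 0), utc(2025, 3, 28, 11, 0), False, True, True, "CHG-1042",
          utc(2025, 3, 28, 9, 5)),
    Grant("vendor-shared", None, "ops.lead", "ops.lead",
          utc(2024, 6, 1, 0, 0), None, True, False, False, None, utc(2024, 12, 1, 8, 0)),
    Grant("vend-acme-rlee", "R. Lee (Acme)", "rlee@acme", "app.owner",
          utc(2025, 3, 30, 14, 0), utc(2025, 3, 30, 16, 0), True, True, True, "CHG-1050",
          utc(2025, 3, 30, 14, 10)),
]
SAMPLE_EVENTS = [
    {"ts": utc(2025, 3, 28, 9, 5), "account": "vend-acme-jdoe", "result": "success"},
    {"ts": utc(2025, 3, 31, 2, 0), "account": "vend-acme-rlee", "result": "success"},
    {"ts": utc(2025, 3, 31, 3, 15), "account": "bg-admin-01", "result": "success"},
    {"ts": utc(2025, 3, 31, 3, 16), "account": "bg-admin-02", "result": "failure"},
]


def run_review():
    """Run both checks over the sample data and return (findings, alerts)."""
    return review_all(SAMPLE_GRANTS, NOW), check_logins(SAMPLE_GRANTS, SAMPLE_EVENTS)


if __name__ == "__main__":
    findings, alerts = run_review()
    for acct, items in findings.items():
        print(acct, "->", items or ["clean"])
    for a in alerts:
        print("ALERT", a)
```

Running it shows the shape of a useful review: the clean grant produces nothing, the legacy shared account trips six checklist items at once (shared, self-approved, indefinite, unbrokered, no ticket, unused for over 90 days), and the grant that was never revoked is caught both by the review (still enabled after its end time) and by monitoring (a login hours after the approved window closed). The break-glass check deliberately ignores failed logins and fires on any success, because a successful break-glass login is always an event someone must explain.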
Spot the bug
Policy: 'Share a single vendor admin account with a dozen vendor staff so support is easier.'
Hint: Which controls does this destroy?
Answer
(1) Accountability/audit — logs show one account did everything, no person-level attribution. (2) Credential rotation — revoking one person requires rotating and redistributing. (3) Session recording becomes useless for attribution. (4) Increased blast radius if credentials leak. Replace with: named accounts, PAM-brokered time-bounded access, MFA, session recording, revocation at end time.
Explain like I'm 5
You don’t give strangers the master key forever. You give a specific key, to one person, for a specific job, only for a specific time — with a camera rolling and a deadline.
Fun fact
Post-incident reports in regulated industries repeatedly trace breaches back to vendor access that was over-privileged, always-on, and poorly monitored. The single biggest cheap control is time-bounded, session-recorded, PAM-brokered vendor access, and it almost always pays for itself.
Hands-on challenge
Design a one-page vendor access workflow: request, approval, PAM session, monitoring, revoke, audit. Share it with a peer or mentor for critique.
More resources
- Microsoft Entra PIM (Privileged Identity Management) (Microsoft Learn)
- CyberArk Core PAM overview (CyberArk)
- NIST SP 800-53 access control family (NIST)