Privileged Access in Action: Technical Controls for Real-World Environments
Table of Contents
Introduction
This article provides a technical walk-through demo to implement Privileged User Access (PUA) with BIG-IP APM.
In modern IT environments, privileged user access refers to elevated permissions granted to administrators, engineers, and service accounts that manage critical infrastructure, applications, and data. These accounts can bypass standard security controls, modify configurations, provision resources, and access sensitive systems. This makes them a high-value target for attackers.
From domain admins in Active Directory to root accounts on Linux servers and cloud (Identity Access Management) IAM roles, the scope of privileged access spans on-prem, hybrid, and cloud-native stacks. As environments scale and become more dynamic, especially with DevOps and automation, controlling and auditing privileged access is no longer optional. It’s a foundational requirement for operational integrity, threat detection, and zero trust security.
Listing some of the common use cases for PUA,
| Use Case | Description | Risk if Unsecured | PUA Control Measures |
| 1. Hybrid Infrastructure Management | Admins manage Linux/Windows servers across on-prem and cloud (AWS, Azure, GCP) using root or admin access. | Lateral movement, persistence, full system compromise. | Just-in-time access, session recording, MFA, IP restrictions. |
| 2. Database Administration | DBAs access production databases for tuning, backups, or incident response. | Data exfiltration, insider threats, compliance violations (e.g., GDPR, PCI-DSS). | Role-based access, query auditing, access approval workflows, credential vaulting. |
| 3. CI/CD Pipeline Secrets Access | DevOps pipelines use privileged credentials to deploy apps, access build environments, and manage cloud resources. | Secrets leakage, automated misuse, supply chain attacks. | Secrets management tools (e.g., HashiCorp Vault), scoped tokens, access expiration, auditing. |
| 4. Cloud IAM Role Escalation | Cloud engineers assume elevated IAM roles (e.g., AWS Admin, Azure Owner) to provision infrastructure and configure services. | Privilege escalation, unauthorized changes, excessive entitlements. | Attribute-based access control (ABAC), IAM role scoping, just-in-time elevation, CloudTrail monitoring. |
| 5. Third-Party Vendor Access | External support teams or vendors are given privileged access to troubleshoot or maintain systems temporarily. | External compromise, unmanaged persistence, lack of accountability. | Time-limited access, gateway proxies (e.g., bastion hosts), approval-based workflows, full session logging. |
BIG-IP APM & PUA
BIG-IP APM provides Privileged User Access so that you can add CAC authentication (Common Access Card), Personal Identity Verification (PIV), or other strong authentication method to network infrastructure for enhanced security.
This solution integrates directly into DoD PKI systems and works cooperatively with existing RADIUS, TACACS, Active Directory, and a variety of third-party authentication databases.
Deployment of Privileged User Access requires a license and involves the configuration of these components:
- Ephemeral Authentication
- ServerWebSSH
- ProxyAuthentication Server (for RADIUS and/or LDAP or LDAPS)
What is Ephemeral Authentication?
The Privileged User Access license lets you create an Ephemeral Authentication server that generates and manages temporary or ephemeral passwords.
BIG-IP APM acts as the Ephemeral Authentication server. It ensures a secure end-to-end encrypted connection while eliminating the possibility of credential reuse. The Ephemeral Authentication server includes the access profile/policy that authenticates the end user and contains the webtop resources for ephemeral authentication (so the server also acts as a webtop proxy).
Going through the traffic flow steps below,
- User logs into the APM virtual server using a Smartcard or other credential. (The APM virtual server is the one that acts as the Ephemeral Authentication server on which the APM access profile/policy is configured.)
- The APM access policy checks provided credentials and retrieves AD/LDAP group membership information and returns a webtop showing backend resources.
- When the user clicks on a resource, APM generates an ephemeral password, and saves the username and password.
- Using SSO, APM signs the user on to the WebSSH virtual server with their ephemeral authentication credentials. At this point, portal access can be used instead.
- WebSSH makes an SSH connection (or HTTPS) to the router/server still using the ephemeral authentication credentials.
- The router sends an authentication request to the RADIUS or LDAP virtual server.
- The RADIUS or LDAP virtual server verifies the ephemeral password.
- The RADIUS or LDAP virtual server returns a Successful or Failure response.
- The SSH (or HTTPS) session is established or denied.
For technical implementation, please review our demo here and go through our technical documentation
Securing Privileged User Access Concepts
Related Content
- Privileged User Access
- BIG-IP Access Policy Manager: Privileged User Access
- BIG-IP APM and PUA licenses
Employee