BG Beter Geregeld ICT
Access management · 2 min read · 13 October 2025

Privileged access management for SMBs

Global Admin, AWS root, Salesforce system admin — these are the accounts that cause the most damage when compromised. Here's what you can do without buying an expensive PAM tool.

Privileged Access Management (PAM) sounds like something for banks and governments. For SMBs, I'll put it plainly: which accounts, if compromised, could bring your entire business to its knees? In practice, that's 5 to 15 accounts — and they deserve special treatment.

Take stock of your privileged accounts

Work through this list:

  • M365 / Entra Global Administrator(s)
  • Google Workspace super admin
  • AWS root user
  • Accounting software admin (Exact, Moneybird, etc.)
  • Salesforce system admin
  • GitHub/GitLab org owner
  • Domain registrar (TransIP, Hover, Namecheap)
  • DNS provider (Cloudflare)
  • Password manager admin
  • Hosting control panel (Plesk, cPanel)
  • Bank account ("authorised to make payments")

Write these down and record, for each account: who holds the credentials, which vault they are stored in, who the backup person is, which MFA method protects the account, and when it was last used. That last field is what the quarterly review (below) runs on, so record it from the start. See also Setting up a SaaS inventory.

The three rules of privileged access

  1. Not for day-to-day work. The person who holds Global Admin sends email and joins meetings from a regular user account and switches to the privileged account only for admin tasks. We call these dedicated admin accounts. The admin account needs no mailbox of its own; if it has an inbox, phishing mail can reach it directly.
  2. MFA is mandatory, not optional. For regular users, MFA is strongly recommended; for privileged accounts it is non-negotiable. Ideally, use a phishing-resistant hardware key (FIDO2, e.g. a YubiKey) for this set of accounts. SMS and voice codes are not good enough here: they can be intercepted or phished.
  3. At least two people must be able to get at the root credentials. One person is a single point of failure (illness, departure, a lost phone). Three is too many: the more people who can use the account, the harder it is to say who did what. Two is the sweet spot.

Just-in-time access: the mature approach

In Entra ID you can configure PIM (Privileged Identity Management): the Global Admin role is assigned as eligible rather than active, so nobody holds it by default. When an admin task comes up, the holder activates the role for a limited session (8 hours by default; the maximum is configurable) and you can require a justification and approval from a colleague for every activation. The point is to eliminate standing privilege: outside an activated window, a stolen admin credential gives the attacker no admin rights, and every activation leaves an audit entry. Bear in mind that PIM requires a Microsoft Entra ID P2 (or Entra ID Governance) licence, and keep your emergency-access ("break-glass") account outside PIM so it still works when the approval flow does not. See the M365 governance guide for the setup.

Review and rotation

Every quarter: go through the privileged accounts list. Two questions per entry: "does this person still need this?" and "when was it last used?" For Global Admin the answer to the second question is in the Entra sign-in log or the PIM audit history, not in anyone's memory. Bear in mind: if a Global Admin hasn't logged in for 95 days, that's a risk. Either the role is no longer needed (remove it) or the account is dormant and nobody is watching it (disable it first, delete later). See access review.
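The inventory fields above, the three rules, and the quarterly review together amount to a small checklist that can be run mechanically over the register. The script below is an added example, not the article's own tooling: it holds a privileged-account register as plain Python objects (the entries, names, vault label and dates are constructed for illustration) and returns, per account, every rule it breaks: a shared day-to-day account, weak or missing MFA, fewer or more than two holders, no vault record, or no use in roughly a quarter (the 90-day threshold is an assumption). The review date is set to the article's publication date so the numbers are reproducible.

```python
"""Quarterly review of a privileged-account register.

Added example for this article, not the author's own tooling. The register
below is constructed for illustration; the rules encode the article's
three rules of privileged access plus the quarterly 'still used?' check.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

STALE_AFTER_DAYS = 90  # assumption: roughly one review cycle without use


@dataclass
class PrivilegedAccount:
    system: str                 # e.g. "M365 Global Administrator"
    login: str                  # the privileged identity itself
    holders: list[str]          # people who can use it
    vault: Optional[str]        # where the credential is stored, or None
    mfa: Optional[str]          # "hardware-key", "app", "sms" or None
    last_used: Optional[date]   # last sign-in or PIM activation, or None
    daily_driver: bool = False  # same account also used for mail/meetings


def review_account(acct: PrivilegedAccount, today: date) -> list[str]:
    """Return one finding per rule this account breaks (empty list = clean)."""
    findings: list[str] = []

    # Rule 1: privileged accounts are not for day-to-day work.
    if acct.daily_driver:
        findings.append("used for day-to-day work; move admin rights to a dedicated account")

    # Rule 2: MFA is mandatory; a phishing-resistant hardware key is the target.
    if acct.mfa is None:
        findings.append("no MFA")
    elif acct.mfa != "hardware-key":
        findings.append(f"MFA is '{acct.mfa}'; use a hardware key for this account")

    # Rule 3: exactly two people should be able to get at the credentials.
    n = len(acct.holders)
    if n < 2:
        findings.append("single holder; single point of failure")
    elif n > 2:
        findings.append(f"{n} holders; reduce to two")

    # Inventory: the credential must live in a recorded vault.
    if not acct.vault:
        findings.append("credential not recorded in a vault")

    # Quarterly review: when was it last used?
    if acct.last_used is None:
        findings.append("no last-used date recorded; check the sign-in log")
    elif (today - acct.last_used).days > STALE_AFTER_DAYS:
        findings.append(f"unused for {(today - acct.last_used).days} days; still needed?")

    return findings


def review_register(register: list[PrivilegedAccount], today: date) -> dict[str, list[str]]:
    """Map each login with at least one finding to its list of findings."""
    report: dict[str, list[str]] = {}
    for acct in register:
        findings = review_account(acct, today)
        if findings:
            report[acct.login] = findings
    return report


# Constructed sample register (fictional people, logins and vault label).
TODAY = date(2025, 10, 13)
REGISTER = [
    PrivilegedAccount("M365 Global Administrator", "admin-ga@example.com",
                      ["Anna", "Bram"], "shared admin vault", "hardware-key",
                      TODAY - timedelta(days=12)),
    PrivilegedAccount("AWS root user", "aws-root@example.com",
                      ["Anna"], "shared admin vault", "hardware-key",
                      TODAY - timedelta(days=140)),
    PrivilegedAccount("Domain registrar", "registrar@example.com",
                      ["Bram", "Cas", "Dirk"], None, "sms", None),
    PrivilegedAccount("GitHub org owner", "bram@example.com",
                      ["Bram", "Cas"], "shared admin vault", "app",
                      TODAY - timedelta(days=3), daily_driver=True),
]

if __name__ == "__main__":
    for login, findings in review_register(REGISTER, TODAY).items():
        print(login)
        for f in findings:
            print("  -", f)
```

The Global Admin entry passes every check and does not appear in the report; the AWS root entry is flagged for a single holder and 140 days without use, the registrar login for three holders, SMS-only MFA, no vault record and an unknown last-used date, and the GitHub owner because the same login is someone's everyday account and is protected only by an app code. Exporting your register to this shape (one object per line of the checklist above) turns the quarterly review into a two-minute job rather than a meeting.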

Of all the categories in your access management practice, this is the one with the fewest accounts but the most attention required. That's exactly how it should be.

Topics

#iam #pam #privileged-access #admin #security

Full guide: Access control for SMBs: the complete guide (2026)

This article is part of our comprehensive Access Management guide. Read the pillar for the complete picture.

Read the pillar →