Dynamic Access Management (DAM): Innovating PAM

Dynamic Access Management (DAM) is the concept that credentials and access should only exist in the moments they are needed, and that access must be secure and auditable.

This approach essentially eliminates the risk posed by always-on credentials, including specific attacks like credential stuffing (if no credentials exist, what do you stuff?).

These security outcomes are driven via continuous verification and validation of identity, right-to-access, and observability. Furthermore, once someone is authenticated, the tools and policies of DAM ensure that their authorizations stay up to date in real-time, driving change in behavior or access dynamically. 

DAM also provides intelligence around how, why, and when people are using infrastructure and delivers that back to the CISO and technology leaders to map against their business objectives. 

Dynamic access management is characterized by four key attributes:

How is DAM different from PAM and IAM?

Privileged Access Management (PAM) is a subset of Identity and Access Management (IAM) that focuses specifically on managing and controlling access to privileged accounts and sensitive systems. PAM solutions include features such as real-time monitoring, session recording, password rotation, and multi-factor authentication to ensure that only authorized users are able to access privileged accounts and that their actions are auditable.

IAM is a broader concept that deals with managing and controlling access to all types of resources, including privileged accounts. While IAM is mainly focused on the user's identity and access to resources, PAM is mainly focused on controlling and monitoring access to privileged accounts, including administrator, root, and service accounts.

Dynamic Access Management (DAM) sits in between IAM and PAM. Where PAM is focused solely on privileged accounts, DAM extends the secure authentication, authorization, and auditing capabilities to all technical users. It also focuses on the overall user experience, making it possible to improve productivity for both users and administrators, even as it reduces the risk of security breaches. 

Achieving dynamic access requires a fundamental rethinking of how access to infrastructure should be provisioned and managed. It also represents a modern and sophisticated approach to access management that is agile enough to keep up with your organization. That’s why it’s the highest level possible to attain on the Secure Access Maturity Model.

What is the Secure Access Maturity Model?

The Secure Access Maturity Model helps you identify the strengths and limitations of your current access management practices. The following table will help you understand where your access security protocols are strongest and where they still need to improve.

Challenges of Modern Access

Historically, access management has been all about tradeoffs. Tensions exist between security and productivity, with pushes for innovation and speed exposing the organization to greater risk. 

When businesses prioritize security, productivity takes a hit. Frustrated employees will create workarounds, share credentials, and introduce shadow IT–which may ultimately increase vulnerability and cause compliance drift. For example, when the inability to get access or security slows employees too much, they will often resort to unsafe practices in order to do their jobs.

For those who prioritize productivity, risk creeps up all over the network. High-trust environments are great for innovation and rapid growth–until someone with too much access makes a costly error or a former employee holds a grudge (and active credentials). So much for prioritizing productivity. Clean up efforts from events like these pull everyone away from revenue-generating tasks.

Luckily, these challenges can be addressed. The first step is to understand them. Do any of these pains sound familiar to you?

Complexity 

Managing access to technical infrastructure can be complex, especially in large and dynamic environments with multiple systems and platforms. This can make it difficult for organizations to fully understand and control access to resources.

Visibility

Maintaining an auditable trail of access to infrastructure resources can be challenging, especially in highly regulated industries such as finance, healthcare, and government. Without proper monitoring and reporting tools, it can be difficult to answer who did what, when, and where in your systems, leading to slow, difficult, and even failed compliance audits.

Integrations

Access solutions need to be fully integrated with other security platforms, such as Security Information and Event Management (SIEM) systems, log management tools, or even identity providers. 

Automation

Low-value manual provisioning tasks can be time-consuming and error-prone and can increase the risk of unauthorized access. This places an undue burden on administrators, causes technical staff to wait too long for access, and ultimately leaves organizations unable to build at a scalable pace.

Deployment

Access management solutions must extend beyond on-premises deployment to allow organizations to secure access to cloud-based resources and remote workers. Additionally, access tools require the ability to bridge legacy systems to modern access patterns, enabling businesses to protect their investments as they grow and adapt.

Privilege escalation

With the increase in remote access, there is a risk of privilege escalation, where an attacker can exploit vulnerabilities to gain access to privileged accounts and sensitive systems. The proliferation of credentials and always-on access increases this risk.

Traditional PAM tools weren’t designed to support technical teams at scale, or to meet the requirements of modern security teams, such as meeting compliance regulations. There are specific areas where they fall short: 

Difficult to set up and maintain

PAM solutions can be complex to deploy and manage, especially in large and dynamic environments. This can make it difficult for organizations that invest time and money into PAM to fully realize its benefits.

Require legacy PKI management

Legacy PAM solutions often require the management and administration of PKI systems that are no longer considered current or up-to-date. These older systems may not be well-documented, which can make it difficult for IT teams to understand how they work and how to properly maintain them.

Are limited in scope

PAM solutions are typically focused on managing and controlling access to privileged accounts and may not provide the same level of control and visibility for non-privileged accounts.

Inadequate reporting

PAM solutions may not provide robust reporting and analytics capabilities, making it difficult for organizations to understand how privileged access is being used and identify potential risks. Furthermore, it is not possible to understand how infrastructure is being used and adjust if underutilized. 

Limited deployment

PAM solutions are often limited to on-premises deployment, which can make it difficult for organizations to secure privileged access for cloud-based resources, multi-cloud and hybrid environments, and remote workers. In addition, traditional PAM solutions often do not support databases and are not cloud-native–this makes it extremely difficult, if not impossible, to comprehensively support hybrid and multi-cloud environments.

Dynamic Access Management (DAM) arose to fill these gaps. With DAM: 

• All users are considered privileged. 
• Credentials are never shared or even seen by end users. 
• Session tracking and review are available for all sessions. 
• Access is provisioned and deprovisioned through Just-in-Time (JIT) and 
  Zero Standing Privileges (ZSP) principles. 
• Processes exist to track, monitor, and update roles on a consistent basis. 
• Processes exist to track, monitor, and update resources on a consistent basis. 
• New users and systems are easy to manage. 
• Deprovisioning access to resources is automated. 
• Access is tied to corporate identity through IdP integration. 
• MFA is adopted as standard practice.

Let’s consider a few of these features in more detail.

Usability for everyone

Dynamic Access Management benefits employees across your organization, enabling teams to work together more efficiently. Security, admins, and end users all see benefits.

Security

With DAM, security teams build relationships instead of putting up roadblocks. Keys and credentials are never stored on end-user devices. Real-time revocation of access accelerates response to any suspicious activity. And server-side agentless architecture means that attackers have no agent to target. DAM actually improves productivity while enhancing your overall security posture.

Admin

DAM allows admins to see every action and revoke access in real time with confidence. No more worry about the risk of over provisioning and workarounds: users never touch credentials, so there’s nothing to share. Access automation makes JIT and ZSP a reality without burdening admins with the busywork and cognitive load required to track and manage access manually.

End user

End users have access to exactly what they need, when they need it. No more wikis, how-to articles, emails, or hand-me-down wisdom. Plus, an effective DAM solution includes native support for every cloud and emerging technology, so users can work with the tools they already love. 

Just-in-time (JIT)

Just-in-time (JIT) access is a security feature that grants users access to specific resources, such as systems or applications, only when they need it and for a limited period. This approach helps reduce the risk of unauthorized access by ensuring that users only have access to the resources they need to do their jobs–and for the minimum necessary time.

When a user requests access to a resource, their request is reviewed and approved by an administrator or automated system, and access is granted for a specific period. Once the access period expires, the user's access is automatically revoked.

Dynamic Access Management provides JIT access to all users who need access to databases, clouds, servers, clusters, and other infrastructure resources. 

This can be especially useful when users need to perform a specific task or troubleshoot an issue but don't require ongoing access to the resource. Or where employees or contractors require project-limited access to resources. 

Zero standing privileges (ZSP)

Zero standing privileges (also called zero standing permissions) refers to a security principle that states that users should not have any permanent or long-term access to resources, but rather should only be granted access on an as-needed basis. This approach helps to reduce the risk of unauthorized access and privilege misuse by ensuring that users only have access to the resources they need to do their job and for the minimum amount of time necessary.

A note to admins: You don’t always have to be on. DAM drastically reduces cognitive load for administrators with automated JIT for all resources. Access is granted only when a user needs it and for a limited period of time. This ensures that users are not able to access resources unnecessarily and helps to prevent privilege misuse.

Works with any tool in your stack

Most organizations don’t have a single way to manage access and identities across their on-prem and cloud environments. Instead, they have a zillion tools that each provide only part of a solution. Organizations have siloed secret stores, legacy PAM Vaults, VPNs, and hundreds of ways to access workloads depending on who, what, or where they are.

DAM works with your entire tech stack, with native integrations that enhance current investments and future-proof your business. DAM uses agentless architecture to monitor and manage unlimited resources, including servers, databases, containers, clouds, and mobile devices. 

Auditing & compliance

DAM includes intelligent comprehension and auditing, with total visibility into everything that was authorized and executed–for every member of your team.

Dynamic access management solutions reduce the time for audit responses, investigations, and resolution by enabling security and compliance teams to easily answer who did what, where, and when. 

Consolidated access audit logs span all of your infrastructure and integrate with SIEM and SOAR tools to deliver a clear picture of access risk.

These days, nearly all workers are technical. In order to be effective, an access management platform must integrate seamlessly with modern databases, servers, protocols, clouds, and any other infrastructure resources your team needs. And it should be easy to deploy, manage, and maintain.

Legacy PAM has become too risky–setting businesses up for:

• Lost revenue due to security objections from prospects
• Financial loss and decreased brand reputation due to breaches
• Increased employee churn as top talent grows frustrated with access friction 

Access management should be as dynamic as the infrastructure and teams it serves. PAM is ready for a reboot.

It’s about DAM time. Get your demo of StrongDM today.

More Dynamic Access Management (DAM) Resources

• What is PAM Security? Privileged Access Management Explained
• The Definitive Guide to Identity and Access Management (IAM)
• What Are Zero Standing Privileges (ZSP)? (And How They Work)
• Just-In-Time Access (JIT): Meaning, Benefits, Types & More
• A Practical Approach to Just-in-Time (JIT) Access for Developers