Dynamic Access Management (DAM) is the concept that credentials and access should only exist in the moments they are needed, and that access must be secure and auditable.
This approach essentially eliminates the risk posed by always-on credentials, including specific attacks like credential stuffing (if no credentials exist, what do you stuff?).
These security outcomes are achieved through continuous verification and validation of identity and right-to-access, combined with observability. Furthermore, once someone is authenticated, the tools and policies of DAM keep their authorizations up to date in real time, changing behavior or access dynamically as conditions change.
DAM also provides intelligence around how, why, and when people are using infrastructure and delivers that back to the CISO and technology leaders to map against their business objectives.
Dynamic access management is characterized by four key attributes:
| Attribute | Description |
|---|---|
| Just-in-Time Account Creation and Removal | Access to key systems only exists at the moment it’s needed, and is deprovisioned as soon as work is complete. |
| Always On and Shared Accounts Fully Eliminated | Credentials that live in perpetuity are eliminated, and the organization no longer uses multi-purpose accounts. |
| Audit and Compliance Requirements Supported | Reporting and auditing is streamlined, making it easy to ask “who did what, when, and where?” |
| Access Management Extends to Full Tech Stack | Access across technologies is simplified and streamlined, regardless of the heterogeneity of your tech stack. |
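The four attributes above can be seen in a minimal just-in-time access broker. This is an added illustration, not code from the original article or from any product: grants are created on demand with a short TTL, re-validated against current policy on every use (continuous verification), revoked when work completes or the TTL lapses, and every decision is written to an audit trail that answers "who did what, when, and where?". The policy callable, the injectable clock, and all user and system names are constructed assumptions.

```python
"""Minimal just-in-time access broker (added example, not the article's own code)."""
from dataclasses import dataclass, field
import secrets


@dataclass
class Grant:
    user: str
    system: str
    expires_at: float
    # The token is the only thing the user ever holds; no long-lived credential exists.
    token: str = field(default_factory=lambda: secrets.token_hex(16))


class JitAccessBroker:
    def __init__(self, policy, clock):
        self.policy = policy   # constructed: callable(user, system) -> bool, re-evaluated on every check
        self.clock = clock     # constructed: injectable time source so the example is deterministic
        self.grants = {}       # token -> Grant; nothing "always on" lives outside this map
        self.audit = []        # (timestamp, user, action, system, outcome): who, what, when, where

    def _log(self, user, action, system, outcome):
        self.audit.append((self.clock(), user, action, system, outcome))

    def request(self, user, system, ttl_seconds):
        """Create a short-lived grant only if policy allows it right now."""
        if not self.policy(user, system):
            self._log(user, "request", system, "denied")
            return None
        g = Grant(user, system, self.clock() + ttl_seconds)
        self.grants[g.token] = g
        self._log(user, "request", system, "granted")
        return g.token

    def check(self, token, system):
        """Continuous verification: both expiry and current policy are re-checked on each use."""
        g = self.grants.get(token)
        if g is None or g.system != system:
            self._log(g.user if g else "unknown-token", "access", system, "denied")
            return False
        expired = self.clock() >= g.expires_at
        if expired or not self.policy(g.user, g.system):
            # A stale or no-longer-authorized grant is removed immediately, not left standing.
            self.revoke(token, reason="expired" if expired else "policy-changed")
            return False
        self._log(g.user, "access", system, "allowed")
        return True

    def revoke(self, token, reason="work-complete"):
        """Deprovision as soon as work is complete (or on expiry / policy change)."""
        g = self.grants.pop(token, None)
        if g is not None:
            self._log(g.user, "revoke", g.system, reason)
```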
How is DAM different from PAM and IAM?
Privileged Access Management (PAM) is a subset of Identity and Access Management (IAM) that focuses specifically on managing and controlling access to privileged accounts and sensitive systems. PAM solutions include features such as real-time monitoring, session recording, password rotation, and multi-factor authentication to ensure that only authorized users are able to access privileged accounts and that their actions are auditable.
IAM is a broader concept that deals with managing and controlling access to all types of resources, including privileged accounts. While IAM is mainly focused on the user's identity and access to resources, PAM is mainly focused on controlling and monitoring access to privileged accounts, including administrator, root, and service accounts.
Dynamic Access Management (DAM) sits in between IAM and PAM. Where PAM is focused solely on privileged accounts, DAM extends the secure authentication, authorization, and auditing capabilities to all technical users. It also focuses on the overall user experience, making it possible to improve productivity for both users and administrators, even as it reduces the risk of security breaches.
Achieving dynamic access requires a fundamental rethinking of how access to infrastructure should be provisioned and managed. It also represents a modern and sophisticated approach to access management that is agile enough to keep up with your organization. That’s why it’s the highest level possible to attain on the Secure Access Maturity Model.
What is the Secure Access Maturity Model?
The Secure Access Maturity Model helps you identify the strengths and limitations of your current access management practices. The following table will help you understand where your access security protocols are strongest and where they still need to improve.
| | Identity-Based Access | Privileged Access | Just-in-Time | Dynamic Access |
|---|---|---|---|---|
| | Level 1 | Level 2 | Level 3 | Level 4 |
| Approach to Access | | | | |
| Privileged Access | Always on or shared | Privileged access protected | Privileged accounts provided "just-in-time" access to critical systems | All users considered privileged; access to critical systems provisioned and de-provisioned dynamically, as needed |
| Credentials | Shared and team credentials | Shared and team credentials | Shared and team credentials | Credential-less access provided; users/workstations never receive or know credentials |
| Sessions | Inability to track or monitor sessions | Some session tracking for privileged accounts | Some session tracking for privileged accounts | Session tracking and review available for all sessions |
| Processes & Workflows | | | | |
| Roles | Limited to non-existent tracking of roles or team members with access to systems | Tracking of accounts limited to those with admin or privileged rights | Tracking of accounts limited to those with admin or privileged rights | Processes exist to track, monitor, and update roles on a consistent basis |
| Inventory | Limited to non-existent inventory of systems in the stack | Inventory limited to critical systems within the infrastructure | Inventory limited to critical systems within the infrastructure | Processes exist to track, monitor, and update full inventory of the stack on a consistent basis |
| Task Automation | Limited to non-existent | Limited to non-existent | Some automation for provisioning/deprovisioning privileged accounts | Easily manage new users and systems; automated ability to deprovision access |
| Tools & Technology | | | | |
| – | IdP adopted | IdP adopted | IdP adopted | IdP adopted |