
Dynamic Access Management (DAM): Innovating PAM

It’s time to go beyond privilege access and secure all technical users
Last updated April 8, 2024 • 9 min read
Written by Maile McCarthy, Contributing Writer and Illustrator, StrongDM
Reviewed by Dominic Garcia, Technical Marketing Expert, StrongDM

Legacy Privileged Access Management (PAM) was built with one purpose in mind: provide additional security measures for the credentials with the most elevated permissions. PAM existed for a few highly technical administrators accessing highly privileged accounts inside the data center. And that makes sense–historically, these are the credentials with the biggest potential to wreak havoc on an organization in the event of a breach.

Today, the lines between highly-technical administrators and technical employees have blurred. The necessary access required for everything from data science to marketing has increased, and focusing solely on the most privileged accounts is no longer enough to manage or shrink your attack surface. Almost every employee is now a technical employee, and they depend on more access to more data, stored in more places, just to do their jobs.

But legacy PAM wasn’t built for ease of use, productivity, or to support access at a modern scale. It was built for a time when it was easy to manage the privileges of a select few. Modern technology needs a modern approach. It’s time for an access model that can keep pace with today’s ever-shifting technical environments. It’s time for Dynamic Access Management (DAM).

What is Dynamic Access Management (DAM)?

Dynamic Access Management (DAM) is the concept that credentials and access should only exist in the moments they are needed, and that access must be secure and auditable.

This approach essentially eliminates the risk posed by always-on credentials, including specific attacks like credential stuffing (if no credentials exist, what do you stuff?).

These security outcomes are driven via continuous verification and validation of identity, right-to-access, and observability. Furthermore, once someone is authenticated, the tools and policies of DAM ensure that their authorizations stay up to date in real time, driving changes in behavior or access dynamically.

DAM also provides intelligence around how, why, and when people are using infrastructure and delivers that back to the CISO and technology leaders to map against their business objectives. 

Dynamic access management is characterized by four key attributes:

[Figure: Dynamic access management four key attributes]

How is DAM different from PAM and IAM?

Privileged Access Management (PAM) is a subset of Identity and Access Management (IAM) that focuses specifically on managing and controlling access to privileged accounts and sensitive systems. PAM solutions include features such as real-time monitoring, session recording, password rotation, and multi-factor authentication to ensure that only authorized users are able to access privileged accounts and that their actions are auditable.

IAM is a broader concept that deals with managing and controlling access to all types of resources, including privileged accounts. While IAM is mainly focused on the user's identity and access to resources, PAM is mainly focused on controlling and monitoring access to privileged accounts, including administrator, root, and service accounts.

Dynamic Access Management (DAM) sits in between IAM and PAM. Where PAM is focused solely on privileged accounts, DAM extends the secure authentication, authorization, and auditing capabilities to all technical users. It also focuses on the overall user experience, making it possible to improve productivity for both users and administrators, even as it reduces the risk of security breaches. 

Achieving dynamic access requires a fundamental rethinking of how access to infrastructure should be provisioned and managed. It also represents a modern and sophisticated approach to access management that is agile enough to keep up with your organization. That’s why it’s the highest level possible to attain on the Secure Access Maturity Model.

What is the Secure Access Maturity Model?

The Secure Access Maturity Model helps you identify the strengths and limitations of your current access management practices. The following table will help you understand where your access security protocols are strongest and where they still need to improve.

[Figure: Secure Access Maturity Model table (dam-chart)]

Why Dynamic Access Management (DAM)?

Challenges of Modern Access

Historically, access management has been all about tradeoffs. Tensions exist between security and productivity, with pushes for innovation and speed exposing the organization to greater risk. 

When businesses prioritize security, productivity takes a hit. Frustrated employees will create workarounds, share credentials, and introduce shadow IT–which may ultimately increase vulnerability and cause compliance drift. For example, when the inability to get access or security slows employees too much, they will often resort to unsafe practices in order to do their jobs.

[Figure: How have you seen teams address a lack of access to critical systems?]

For those who prioritize productivity, risk creeps up all over the network. High-trust environments are great for innovation and rapid growth–until someone with too much access makes a costly error or a former employee holds a grudge (and active credentials). So much for prioritizing productivity. Cleanup efforts from events like these pull everyone away from revenue-generating tasks.

Luckily, these challenges can be addressed. The first step is to understand them. Do any of these pains sound familiar to you?

Complexity 

Managing access to technical infrastructure can be complex, especially in large and dynamic environments with multiple systems and platforms. This can make it difficult for organizations to fully understand and control access to resources.

Visibility

Maintaining an auditable trail of access to infrastructure resources can be challenging, especially in highly regulated industries such as finance, healthcare, and government. Without proper monitoring and reporting tools, it can be difficult to answer who did what, when, and where in your systems, leading to slow, difficult, and even failed compliance audits.

Integrations

Access solutions need to be fully integrated with other security platforms, such as Security Information and Event Management (SIEM) systems, log management tools, or even identity providers. 

Automation

Low-value manual provisioning tasks can be time-consuming and error-prone and can increase the risk of unauthorized access. This places an undue burden on administrators, causes technical staff to wait too long for access, and ultimately leaves organizations unable to build at a scalable pace.

Deployment

Access management solutions must extend beyond on-premises deployment to allow organizations to secure access to cloud-based resources and remote workers. Additionally, access tools require the ability to bridge legacy systems to modern access patterns, enabling businesses to protect their investments as they grow and adapt.

Privilege escalation

With the increase in remote access, there is a risk of privilege escalation, where an attacker can exploit vulnerabilities to gain access to privileged accounts and sensitive systems. The proliferation of credentials and always-on access increases this risk.

Where Legacy PAM Falls Short

Traditional PAM tools weren’t designed to support technical teams at scale, or to meet the requirements of modern security teams, such as meeting compliance regulations. There are specific areas where they fall short: 

Difficult to set up and maintain

PAM solutions can be complex to deploy and manage, especially in large and dynamic environments. This can make it difficult for organizations that invest time and money into PAM to fully realize its benefits.

Require legacy PKI management

Legacy PAM solutions often require the management and administration of PKI systems that are no longer considered current or up-to-date. These older systems may not be well-documented, which can make it difficult for IT teams to understand how they work and how to properly maintain them.

Are limited in scope

PAM solutions are typically focused on managing and controlling access to privileged accounts and may not provide the same level of control and visibility for non-privileged accounts.

Inadequate reporting

PAM solutions may not provide robust reporting and analytics capabilities, making it difficult for organizations to understand how privileged access is being used and identify potential risks. Furthermore, it is not possible to understand how infrastructure is being used and adjust if underutilized. 

Limited deployment

PAM solutions are often limited to on-premises deployment, which can make it difficult for organizations to secure privileged access for cloud-based resources, multi-cloud and hybrid environments, and remote workers. In addition, traditional PAM solutions often do not support databases and are not cloud-native–this makes it extremely difficult, if not impossible, to comprehensively support hybrid and multi-cloud environments.

Components of DAM

Dynamic Access Management (DAM) arose to fill these gaps. With DAM: 

  • All users are considered privileged.
  • Credentials are never shared or even seen by end users.
  • Session tracking and review are available for all sessions.
  • Access is provisioned and deprovisioned through Just-in-Time (JIT) and Zero Standing Privileges (ZSP) principles.
  • Processes exist to track, monitor, and update roles on a consistent basis.
  • Processes exist to track, monitor, and update resources on a consistent basis.
  • New users and systems are easy to manage.
  • Deprovisioning access to resources is automated.
  • Access is tied to corporate identity through IdP integration.
  • MFA is adopted as standard practice.

Let’s consider a few of these features in more detail.

Usability for everyone

Dynamic Access Management benefits employees across your organization, enabling teams to work together more efficiently. Security, admins, and end users all see benefits.

Security

With DAM, security teams build relationships instead of putting up roadblocks. Keys and credentials are never stored on end-user devices. Real-time revocation of access accelerates response to any suspicious activity. And server-side agentless architecture means that attackers have no agent to target. DAM actually improves productivity while enhancing your overall security posture.

Admin

DAM allows admins to see every action and revoke access in real time with confidence. No more worry about the risk of over-provisioning and workarounds: users never touch credentials, so there’s nothing to share. Access automation makes JIT and ZSP a reality without burdening admins with the busywork and cognitive load required to track and manage access manually.

End user

End users have access to exactly what they need, when they need it. No more wikis, how-to articles, emails, or hand-me-down wisdom. Plus, an effective DAM solution includes native support for every cloud and emerging technology, so users can work with the tools they already love. 

Just-in-time (JIT)

Just-in-time (JIT) access is a security feature that grants users access to specific resources, such as systems or applications, only when they need it and for a limited period. This approach helps reduce the risk of unauthorized access by ensuring that users only have access to the resources they need to do their jobs–and for the minimum necessary time.

When a user requests access to a resource, their request is reviewed and approved by an administrator or automated system, and access is granted for a specific period. Once the access period expires, the user's access is automatically revoked.

Dynamic Access Management provides JIT access to all users who need access to databases, clouds, servers, clusters, and other infrastructure resources. 

This can be especially useful when users need to perform a specific task or troubleshoot an issue but don't require ongoing access to the resource. Or where employees or contractors require project-limited access to resources. 

Zero standing privileges (ZSP)

Zero standing privileges (also called zero standing permissions) refers to a security principle that states that users should not have any permanent or long-term access to resources, but rather should only be granted access on an as-needed basis. This approach helps to reduce the risk of unauthorized access and privilege misuse by ensuring that users only have access to the resources they need to do their job and for the minimum amount of time necessary.

A note to admins: You don’t always have to be on. DAM drastically reduces cognitive load for administrators with automated JIT for all resources. Access is granted only when a user needs it and for a limited period of time. This ensures that users are not able to access resources unnecessarily and helps to prevent privilege misuse.
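The JIT and ZSP sections above describe one lifecycle: a request is reviewed, a grant is issued with a hard expiry, access is denied by default, and an admin can revoke at any moment, with every step auditable. The following is an added example written for this post, not StrongDM code; the broker, the `approve` policy and the timestamps are constructed stand-ins.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class Grant:
    user: str
    resource: str
    expires_at: float  # epoch seconds: every grant carries a hard deadline
    revoked: bool = False

class JitAccessBroker:
    """Hypothetical JIT/ZSP broker: default deny, no standing grants, audit trail."""
    def __init__(self, approver):
        self._approver = approver      # human or automated approval step
        self._grants = []
        self.audit = []                # who did what, where and when
    def _log(self, event, user, resource, now, **extra):
        ts = datetime.fromtimestamp(now, timezone.utc).isoformat()
        self.audit.append({"ts": ts, "event": event, "user": user, "resource": resource, **extra})
    def request(self, user, resource, ttl_seconds, now):
        """Review the request; on approval issue a grant that ends at now + ttl."""
        approved = bool(self._approver(user, resource))
        self._log("request", user, resource, now, approved=approved)
        if not approved:
            return None
        grant = Grant(user, resource, expires_at=now + ttl_seconds)
        self._grants.append(grant)
        self._log("grant", user, resource, now, expires_at=grant.expires_at)
        return grant
    def is_allowed(self, user, resource, now):
        """ZSP check: allowed only while an unexpired, unrevoked grant exists."""
        for g in self._grants:
            if g.user == user and g.resource == resource and not g.revoked:
                if now < g.expires_at:
                    return True
                g.revoked = True   # expiry enforced at check time, no cron needed
                self._log("expire", user, resource, now)
        return False
    def revoke(self, user, resource, now):
        """Real-time revocation (e.g. on suspicious activity); returns grants cut."""
        cut = [g for g in self._grants
               if g.user == user and g.resource == resource and not g.revoked]
        for g in cut:
            g.revoked = True
        self._log("revoke", user, resource, now, count=len(cut))
        return len(cut)

def approve(user, resource):
    """Constructed stand-in for an approval policy or reviewer decision."""
    return resource in {"alice": {"prod-db"}}.get(user, set())
```

Because `is_allowed` starts from an empty grant list, a user with no active grant is denied even before any expiry logic runs; that default-deny posture is what ZSP means in practice.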

Works with any tool in your stack

Most organizations don’t have a single way to manage access and identities across their on-prem and cloud environments. Instead, they have a zillion tools that each provide only part of a solution. Organizations have siloed secret stores, legacy PAM Vaults, VPNs, and hundreds of ways to access workloads depending on who, what, or where they are.

DAM works with your entire tech stack, with native integrations that enhance current investments and future-proof your business. DAM uses agentless architecture to monitor and manage unlimited resources, including servers, databases, containers, clouds, and mobile devices. 

Auditing & compliance

DAM includes intelligent comprehension and auditing, with total visibility into everything that was authorized and executed–for every member of your team.

Dynamic access management solutions reduce the time for audit responses, investigations, and resolution by enabling security and compliance teams to easily answer who did what, where, and when. 

Consolidated access audit logs span all of your infrastructure and integrate with SIEM and SOAR tools to deliver a clear picture of access risk.

Dynamic Access Management: It’s About DAM Time

These days, nearly all workers are technical. In order to be effective, an access management platform must integrate seamlessly with modern databases, servers, protocols, clouds, and any other infrastructure resources your team needs. And it should be easy to deploy, manage, and maintain.

Legacy PAM has become too risky–setting businesses up for:

  • Lost revenue due to security objections from prospects
  • Financial loss and decreased brand reputation due to breaches
  • Increased employee churn as top talent grows frustrated with access friction

Access management should be as dynamic as the infrastructure and teams it serves. PAM is ready for a reboot.

It’s about DAM time. Get your demo of StrongDM today.

About the Author

Maile McCarthy, Contributing Writer and Illustrator, has a passion for helping people bring their ideas to life through web and book illustration, writing, and animation. In recent years, her work has focused on researching the context and differentiation of technical products and relaying that understanding through appealing and vibrant language and images. She holds a B.A. in Philosophy from the University of California, Berkeley. To contact Maile, visit her on LinkedIn.
