
The Secure Access Maturity Model (SAMM): Complete Guide

It’s time to level up your access management plan
Last updated March 31, 2023 9 min read
Written by Dominic Garcia, Senior Marketing Director, StrongDM
Reviewed by Justin McCarthy, Co-founder / CTO, StrongDM

It’s the year 2000. You’re relieved that Y2K turned out to be nothing. You know that access is secure and only limited to people that have physical access to your systems. Life is good.


How we access systems has changed dramatically since the ball dropped in 2000. Data centers have become relics of the pre-cloud era. Just about anyone can work from anywhere at any given time. You no longer need a key to get into your office and get on the network.

Why does this matter? It means how we manage access needs to change dramatically too.

61% of all breaches involve using credentials in order to gain access to sensitive systems. If someone told you, “3 out of 5 breaches happen because of credentials,” you’d probably think to yourself, “We should probably re-evaluate how we’re managing access.”

But when implementing additional layers of security requires your teams to take extra steps, it’s easier said than done.

That’s why we built the Secure Access Maturity Model. It provides an action-oriented approach to reducing the threat posed by all of those credentials, while keeping the end-user experience in mind, because all of the security layers in the world don’t matter if your end user doesn't embrace them.

The Secure Access Maturity Model

The Secure Access Maturity Model provides a logical progression for adopting and becoming more mature with your infrastructure access. Each stage contains critical pieces of access security that build on each other, to ultimately enable Dynamic Access Management (DAM) with the ability to easily manage access to your entire stack in a safe, auditable, and secure way.

The Secure Access Maturity Model is an additive approach to achieving Dynamic Access Management. That’s a fancy way of saying that each level builds on the prior level. There is, however, one exception—and that’s the possibility to skip Level 2.

Level of Maturity (each level carries forward the attributes of the level before it)

  • Level 1 (Identity-Based Access): Shared accounts; Always-on; MFA in use; SSO adopted; IdP adopted
  • Level 2 (Privileged Access): Multipurpose accounts under PAM; Personal-privilege accounts under PAM
  • Level 3 (Just-in-Time Access): One-off & project-period access; Limited-scope admin account JIT
  • Level 4 (Dynamic Access): Access extends into full tech stack; Audit and compliance requirements supported; Always-On / Shared accounts eliminated; JIT account creation/removal

The Secure Access Maturity Model considers access across three dimensions: credential lifecycle (time), credential reach, and level of access.

  • Credential Lifecycle
    The lifecycle of a specific set of credentials, from request to deprovisioning
  • Privilege Level
    The amount of access a credential has in a particular system
  • Credential Reach
    The set of identities that have access to a specific set of credentials 

Understanding the Secure Access Maturity Model

The following sections break down each level of the Secure Access Maturity Model into:

  • Attributes: The characteristics of access associated with that level.
  • Technologies: The common technology categories needed to support each level.
  • Access Lifecycle: The lifecycle of credentials typically seen at that level

By understanding these three dimensions, and where your organization fits within them, it’s possible to find where you exist on the Secure Access Maturity Model, as well as identify the steps needed to level up.

Level 1: Identity-Based Access

First and foremost, embracing Dynamic Access requires an identity-based approach to access management. This means that access to systems is defined at the individual or employee level, and access is provisioned based on the needs of that specific individual.

The criticality of this approach cannot be overstated. Without foundationally basing access on what each individual person in your organization needs, it becomes impossible to dynamically adjust access when turnover, role changes, or new technology adoption occurs.

Attributes of Level 1 Access

Always-On Access

Access tends to be “always on”—meaning credentials and accounts are primarily deprovisioned when an organizational change happens.

Shared and Team Accounts

Access to critical or complicated technologies may be shared across teams or groups of individuals.

This often means your organization is unable to identify who is using each technology, complicating audits and other compliance requirements.

MFA... Sort of

Multi-factor authentication is required for some uses, but may not be required across all access.

Level 1 is accompanied by a specific set of technologies that are typically required to enable each attribute. In this case, that includes an identity provider (IdP), a single sign-on provider (SSO), and a tool to enable multi-factor authentication.

The combination of these technologies results in an access experience that is aligned to an identity and makes it simple to access web-based or custom applications. It falls short, however, when it comes to protecting accounts with elevated permissions, and that simplicity does not yet extend to accessing backend infrastructure or cloud service providers (CSPs).

Technologies often used as part of Level 1

IdP

Your organization has embraced an identity-based approach to access, using an identity provider to manage individuals. This can include technologies like MS Active Directory.

SSO

You’re currently using single sign-on to manage access to applications. These technologies can include Okta and Google Single Sign-On.

MFA

Your organization has started to use multi-factor authentication for critical activities. This may include using tools like Google Authenticator or Duo.

Note: At Level 1, MFA adoption may not be pervasive across the organization yet.

Access Lifecycle: Always On

Organizations at Level 1 of the maturity model typically have an “always on” lifecycle for credentials. This is defined as credentials being created when someone joins an organization, or a new technology is adopted, and that credential exists in perpetuity until that individual leaves or the technology is retired.

Level 2: Privileged Access

Level 2 of the Secure Access Maturity Model is primarily focused on adding additional security measures for the most sensitive accounts. These typically include accounts with admin-level privileges and those with elevated privileges—basically any account that has direct access to sensitive data or settings.

Attributes of Level 2 Access

Personal-privileged accounts managed by PAM

PAM solution adds additional security layers to protect admin accounts tied to a specific identity.

Example: Marty.McFly@backtothefuture.com


Multi-purpose privileged accounts managed by PAM

PAM solution adds additional security layers to protect admin accounts that are generic or shared across teams.

Example: admin@backtothefuture.com

Privileged Access Management

The main characteristic of Level 2 is the adoption of security measures that ensure accounts with elevated privileges have extra protections. This practice encompasses an entire technology category: Privileged Access Management (PAM).

PAM solutions establish policies and practices that ensure the security of sensitive data through the close management of administrative accounts. The idea is to add additional security layers for those accounts that represent the most risk in the case of a breach. The biggest challenge, however, is that the scope is very narrow—it only helps to protect privileged accounts.

Technologies often used as part of Level 2

Privileged Access Management Tool

Your organization has a PAM tool that secures and manages privileged accounts. In some cases, this may include tools that help onboard/offboard users and support audits.



Access Lifecycle: Always On

Similar to Level 1 of the maturity model, Level 2 has an “always on” lifecycle for credentials. This is defined as credentials being created when someone joins an organization, or a new technology is adopted, and that credential exists in perpetuity until that individual leaves or the technology is retired.

Level 3: Just-in-Time Access

Level 3 of the Secure Access Maturity Model is where the temporal aspect of the access lifecycle begins to come into play. This is where organizations begin to adopt Just-in-Time Access, ultimately paving the way for Zero Standing Privileges.

Defining Just-in-Time Access & Zero Standing Privileges

Often, there is confusion between Just-in-Time Access and Zero Standing Privileges. The easiest way to delineate between them is keep in mind that Just-in-Time Access is a component of Zero Standing Privileges.

  • Just-in-Time Access: The ability to provision credentials the moment they’re needed, and deprovision those credentials once they are not needed!
  • Zero Standing Privileges: Access management methodology that requires that no credentials exist in perpetuity, and all access is provided in a Just-in-Time manner.

In other words, you must have implemented Just-in-Time Access in order to fully embrace Zero Standing Privileges. This evolution is one of the key pillars of Level 4, Dynamic Access.
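The three dimensions (credential lifecycle, privilege level, reach) and the Just-in-Time versus always-on distinction can be made concrete in a small model. This is an added example, not StrongDM’s code or any product API: the credential records, identities and the one-hour TTL are constructed, and `expires=None` is the assumed encoding of an always-on credential.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class Credential:
    # The model's three dimensions: privilege level (scope), reach (identities)
    # and lifecycle (created/expires); expires=None means "always on".
    name: str
    scope: str
    identities: frozenset
    created: datetime
    expires: Optional[datetime] = None

@dataclass
class AccessStore:
    creds: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # (when, who, action, credential)

    def add_always_on(self, name, scope, identities, now):
        self.creds[name] = Credential(name, scope, frozenset(identities), now)
        self.audit.append((now, "admin", "create", name))

    def grant_jit(self, identity, scope, now, ttl):
        # Just-in-Time: the credential is born with an expiry and reaches one identity.
        name = f"jit-{identity}-{scope}-{int(now.timestamp())}"
        self.creds[name] = Credential(name, scope, frozenset({identity}), now, now + ttl)
        self.audit.append((now, identity, "grant", name))
        return name

    def sweep(self, now):
        # Deprovision every JIT credential whose window has closed.
        expired = sorted(n for n, c in self.creds.items() if c.expires and c.expires <= now)
        for n in expired:
            del self.creds[n]
            self.audit.append((now, "system", "revoke", n))
        return expired

    def standing_privileges(self):
        # Zero Standing Privileges check: nothing may exist in perpetuity.
        return sorted(n for n, c in self.creds.items() if c.expires is None)

    def shared_accounts(self):
        # Reach of more than one identity marks a shared or multipurpose account.
        return sorted(n for n, c in self.creds.items() if len(c.identities) > 1)

def demo():
    # Constructed sample: one always-on shared admin account, one JIT admin grant.
    t0 = datetime(2023, 3, 31, 9, 0, tzinfo=timezone.utc)
    store = AccessStore()
    store.add_always_on("prod-db-admin", "admin", {"alice", "bob"}, t0)
    jit = store.grant_jit("carol", "admin", t0, timedelta(hours=1))
    findings = (store.standing_privileges(), store.shared_accounts())
    revoked = store.sweep(t0 + timedelta(hours=2))
    return findings, revoked, [a[1:] for a in store.audit]
```

The findings list the always-on shared account twice (it fails both the standing-privilege and the reach check), while the JIT grant is revoked by the sweep and leaves a grant/revoke pair in the audit trail.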

Attributes of Level 3 Access

Limited-Scope JIT: Admin Accounts

Just-in-Time provisioning is applied to a limited scope: admin accounts and the other credentials that pose the biggest risk in the case of a breach are provisioned when needed and deprovisioned afterwards, while lower-risk credentials remain always-on.


When it comes to Level 3, it is key to remember that Just-in-Time access also represents an expanded scope in the types of accounts supported. Where privileged access only supported critical accounts, Just-in-Time access begins to lay the foundation for dynamic access across your technical teams.

Technologies often used as part of Level 3

Modern PAM

Your organization has adopted tools that enable dynamic provisioning and deprovisioning of credentials, and also have the ability to log and audit the activities that have taken place in any particular session.

Access Lifecycle: Mixed

Level 3 has a combination of always-on access and just-in-time access. Fundamentally, it is a middle step on the path towards dynamic access, where you’re ensuring that the credentials that pose the biggest risk in the case of a breach are provisioned dynamically, and credentials with less risk continue to exist in perpetuity.

Level 4: Dynamic Access

Level 4 is the pinnacle of access management. It embraces Zero Standing Privileges, the concept that credentials and access should only exist in the moments they’re needed. In other words, your access becomes dynamic. As people join and leave your organization, or technology is implemented or retired, you have full visibility, control, and auditability of the access to your systems.

The benefits of this approach are momentous, as it essentially eliminates the risk posed by always-on credentials, including specific attacks like credential stuffing (if no credentials exist, what do you stuff?).

Attributes of Level 4 Access

Just-in-Time account creation and removal

Access to key systems only exists at the moment it’s needed, and is deprovisioned as soon as work is complete.

Always on and shared accounts fully eliminated

Credentials that live in perpetuity are eliminated, and the organization no longer uses multi-purpose accounts.

Audit and compliance requirements supported

Reporting and auditing are streamlined, making it easy to ask “who did what, when, and where?”

Access management extends to full tech stack

Access across technologies is simplified and streamlined, regardless of the heterogeneity of your tech stack.


Level 4 requires the capability to provision and deprovision access to infrastructure in real time, the ability to understand if a particular individual actually needs that access, and the ability to monitor everything that individual did while that access existed.

Technologies often used as part of Level 4

Dynamic Access Management

Simply put: Access that is as dynamic as your organization.

It is easy to provide, revoke, and manage access across your employee base and tech stack.

Your security breach surface has shrunk dramatically, as access to systems becomes ephemeral.

Access Lifecycle: Just-in-Time & Zero Standing Privileges

Level 4 requires that access is only provided using Just-in-Time policies, and always-on credentials are fully eliminated. That means credentials only exist on a temporary basis, are hidden from users, and activity on systems is tracked closely.

StrongDM: Helping You Achieve Level 4

There’s no trick or secret to achieving Level 4 and Dynamic Access. It just requires re-evaluating your current approach to infrastructure access, and then updating it to account for modern challenges, such as hybrid, multi-cloud, and remote work.

One of the biggest challenges you’ll face on this journey is the inability to streamline access across backend infrastructure and cloud service providers. That’s because every tool in your stack is focused on doing what it does best—for example, databases are focused on managing data, not necessarily ensuring that they have access workflows that provide simplicity to end users and organizations.

That’s where tools like StrongDM come in. They take the hard work you’ve done at Level 1—moving to an identity-based approach to access—and extend it to your infrastructure and cloud environments. They make accessing infrastructure as simple as using an SSO provider for any technical employee that needs access to your stack.


StrongDM provides a number of benefits for your organization, across teams:

  • DevOps: Teams can provision and deprovision access to specific instances, servers, or databases, in a matter of clicks.
  • Security & Compliance: Teams can gain full visibility into “who did what when” on each system, including video playback of what individual users have executed on specific systems. For compliance, full records are kept of “who was in each system and what were they doing” at any given point in time.
  • Admins: Access to critical infrastructure can be granted and revoked quickly and easily, greatly simplifying user onboarding and offboarding, provisioning for third parties, and the ability to provide access for a specified period of time. Users, roles, and access are easily managed via the Admin UI (CLI available as well).

These benefits are the result of addressing the access issues created from all of the different technologies, different roles, different levels of permissions, and evolving technologies in your stack. StrongDM removes the need to manually address each of these challenges, giving you a clear path to achieving Level 4 and Dynamic Access. To learn more, get your demo of StrongDM today.


About the Author

Dominic Garcia, Senior Marketing Director, has held marketing leadership roles for Silicon Valley technology companies specializing in database, data management, and data analytics solutions. As head of content marketing at Splunk, Dominic contributed to boosting the company’s market visibility and its growth from a $100M to a $1.3B company. He brings relentless creativity to the task of connecting people with technical products to improve their lives. Dominic holds a B.S. degree in Public Relations from the University of Texas at Austin. To contact Dominic, visit him on LinkedIn.
