
Welcome to the Secure Access Maturity Model

It’s no longer enough to only manage privileged credentials. We live in a time where every credential carries risk. It’s time to find your true north. 


What is the Secure Access Maturity Model?

The Secure Access Maturity Model (SAMM) is a step-by-step progression for becoming more mature with your infrastructure access. Each stage contains critical pieces of access security that build on each other to ultimately enable Dynamic Access Management (DAM) with the ability to easily manage access to your entire stack in a safe, auditable, and secure way.


Level 1

Identity-Based Access

Identity-based access management has been adopted by the organization.

Level 2

Privileged Access

Additional security measures are added for privileged accounts, often via a PAM solution.

Level 3

Just-in-Time Access

Additional security expands beyond privileged accounts. JIT Access implemented for highly sensitive creds.

Level 4

Dynamic Access

Zero Standing Privileges approach embraced. JIT implemented across technical staff and stack. Audit and compliance requirements supported.
Level of Maturity Identity-Based Access Privileged Access Just-in-Time Access Dynamic Access
Shared Accounts Eliminated Eliminated
Always-On Access Mostly Eliminated Eliminated
MFA In Use
SSO Adopted
IdP Adopted
Privileged Accounts Protected
Time-Bound Access
Full-Stack Secured
Granular Auditing
Access Insights and Analytics
Identity Secured Across Entire Lifecycle
Level 1

Identity-Based Access

Welcome to Basecamp! 

Identity-Based Access is the first step in the journey toward Zero Trust and Dynamic Access Management.  How do you know if you’ve achieved Identity-Based Access?

Access is defined at the user level, and provisioned based on the needs of the individual.

You Are Here

  • You base access on identities, not networks. 
  • You provision access to systems based on the needs of the individual or employee level.
  • You have an identity provider (IdP), SSO provider, and perhaps even MFA in place.

You Need to Be Here

  • You need access that is ephemeral and only exists in the moments when needed. 
  • You need to extend secure access to all technical users. 
  • You need to extend secure access across your entire stack.

Shifting to a more dynamic access approach means your sensitive resources are better protected at scale.

Choose Your Own Adventure: Skip-a-PAM

If your organization has achieved Level 1, but has not yet implemented a PAM solution, it’s possible to jump directly to Level 3 or 4. 

Here's how

Skipping Level 2: It’s possible to avoid a privileged access approach entirely by making the upfront decision that all technical access is potentially privileged. 

That means accounting for ALL employees and their access by default. Save time and spare your team from headaches! Skip to Just-in-Time Access!

Level 2

Privileged Access

Privileged Access controls and monitors the activity of only privileged users.

You have implemented Privileged Access Management (PAM) which provides additional security for elevated credentials. It’s a start.

You Are Here

  • You have additional security controls for privileged users.
  • You may use functions like session recording, password rotation, and MFA.
  • You may be able to audit user actions using recordings. 
  • You still have resources where shared credentials are used.

You Need To Be Here

  • You need access that is ephemeral and only exists in the moments when needed. 
  • You need to extend privilege-like security to ALL technical users. 
  • You need to extend secure access across your entire stack.

Why Privileged Access is not enough

Traditional PAM lacks critical functionalities for the modern environment. Many PAMs do not support all cloud resources, Kubernetes clusters, containers, and even certain databases. PAM's myopic focus on privileged users, and the gaps in the technologies they support, creates unnecessary risk in today’s environment.

Level 3

Just-in-Time (JIT) Access

JIT Access reduces the risk of unauthorized access by ensuring that users only have access to the resources they need to do their jobs–and for the minimum necessary time.

You Are Here

  • You provide Just-in-Time Access to technical users. 
  • You may have session tracking for privileged accounts.  
  • You eliminated most, but not all, standing access.
  • You adopted an IdP, MFA practices, and (possibly) legacy PAM.

You Need To Be Here

  • Your inventory is limited to critical systems within the infrastructure.
  • Your audit and compliance requirements are fully supported.
  • You fully eliminated always-on accounts.

Don’t stop now. You’re so close to the top! 

The ascent from JIT Access to Dynamic Access Management is critical. 

  • All users are considered privileged
  • End users receive credential-less and JIT Access
  • All users have auditable session tracking
Level 4

Dynamic Access

Congratulations! You have arrived. 

Dynamic Access Management extends secure authentication, authorization, and auditing capabilities to all technical users. DAM provides JIT access to all users who need access to databases, clouds, servers, clusters, and other resources.

Living the DAM Dream

  • You consider all users privileged.
  • Your credentials are never shared or even seen by end users.
  • You have session tracking and review available for all sessions. 
  • You provision and deprovision access through Just-in-Time (JIT) and Zero Standing Privileges (ZSP) principles. 
  • You have processes to track, monitor, and update roles and resources consistently.
  • Your new users and systems are easy to manage. 
  • You deprovision access to resources in an automated way. 
  • Your access is tied to corporate identity through IdP integration. 
  • You adopted MFA as standard practice.

StrongDM helps you get there

Want to reach the DAM peak? Take step 1.


Backed by a world-class customer experience

“Security is a necessary part of day-to-day life. In terms of how we go forward, StrongDM will continue to be part of that story. It has all the mechanisms in place for database access control that we require, and I haven’t found a competitor yet that does the same thing.”

Wes Tanner

VP Engineering, ZEFR

“We chose StrongDM because the solution is the one solution to rule them all. You simply integrate all your data sources into StrongDM; you integrate all your servers into StrongDM; you integrate all your Kubernetes clusters into StrongDM. You give your developers one simple tool they need to connect using SSO, and they have access to what they own.”

Jean-Philippe Lachance

Team Lead - R&D Security Defence, Coveo

“Clearcover remains committed to the industry’s best security practices. StrongDM provides us with better insights to bolster our security posture.”

Nicholas Hobart

Senior Engineer, SRE Team, Clearcover

“I would urge all other CISOs to adopt strongDM as their database proxy platform. It's been amazing for all of our users. When we first got strongDM, we implemented within, I think, a day. And within a week we saw more and more users requesting access to it, once they saw how easy it was to access databases.”

Ali Khan

CISO, Better

“With StrongDM, people don't have to maintain usernames and passwords for databases. With servers, they don't have to have keys. For websites, they don't have to have passwords. And so when you start eliminating the need for passwords and you start looking at things like Zero Trust, I believe that the attack surface is completely reduced.”

David Krutsko

Staff Infrastructure Engineer, StackAdapt
