Skip to content
Services
Support
Contact
Blog

    PAM Journey Assessment Mapping Tool

     

    Access Your PAM Maturity

    Privileged Access Management (PAM) is critical to protecting your organization from identity and privilege-based cyberattacks. This self-assessment will help you determine your level of cyber resilience by measuring your ability to address 38 PAM security objectives.

    For each of the 38 security objectives included in the assessment, please select the level of coverage you have achieved to date (low, medium, or high). If you have not addressed the security objective at all, or if it isn’t applicable to your needs, please answer NA.

    After you complete the self-assessment, you will immediately receive a personalized report. In addition, a PAM expert will reach out for a personalized review of your current state of maturity and help you determine next steps to accelerate your success path.

     

    What to know before you begin 

    For maximum accuracy and efficiency, you’ll want to have a detailed understanding of your current PAM capabilities before you begin the assessment, as you won’t be able to save your answers and return. Gather inputs for each of the 38 security objectives and review with your team. You can see the complete list of objectives and a sample of the assessment report below.

    Step 1 of 5
    All fields are required

    To what degree do you:
    Support dual authorization for privileged operations on critical or sensitive secrets and assets. For example, requring just-in-time privileged access approval or doublelock to provide an extra layer of security for accessing secrets.
    Access Control

     
    Support just-in-time access request for elevated permissions to run privileged commands and applications on workstations and servers.
    Access Control

     
    Control application launch with local controls enforcing privilege elevation policies on Windows and Mac workstations.
    Access Control

     
    Minimize local privileged accounts on Linux and UNIX to reduce the attack surface and align with the Printiple of Least Privilege and zero standing privileges.
    Access Control

     
    Prohibit privileged access by any client that is unknown, not secured, and untrusted.
    Access Control

     
    Vault and manage the lifecycle of services/applications from provisioning to deprovisioning to rationalize the number of accounts and reduce the attack surface.
    Account Lifecycle Management

     
    Enable automatic rotation of discovered service/application account passwords. Password complexity rules can be configured. Frequent rotation and password complexity contribute to password entropy and reducing the window of opportunity for password cracking.
    Account Lifecycle Management

     
    Automate the credential management for service/application accounts and their dependencies. Ensure that when rotating a service/application account password, you don't break any other service dependent on the same account.
    Account Lifecycle Management

     
    Replace plaintext, hard-coded credentials and sensitive configuration data from source code, configuration, and script files. Replace with programmatic calls to the vault to obtain secrets and credentials. This prevents adversaries from harvesting sensitive data on the disk.
    DevOps

     
    Ability to establish policies around secret checkout and session launching. Self-service request workflows built-in to the PAM platform or via integrations with third party workflows such as ServiceNow, allow the user to request additional access. This helps align with best practices such as zero standing privileges.
    Identity Governance

     

    Step 2 of 5
    All fields are required

    To what degree do you:
    Enable creation of basic elevation policies to run privileged applications on workstations (Windows, Mac) and servers (Windows, Linux) to support least privilege.
    Identity Governance

     
    Support granular policies for privilege elevation to have tighter control over access. Enforce just-enough privilege to avoid granting excessive privileges that are not required for the task at hand.
    Identity Governance

     
    Integrate with Identity Governance and Administration tools (such as SailPoint) for attestation reporting and risk-based approvals.
    Identity Governance

     
    Integrate the vault with a SIEM tool such as Splunk Cloud or Azure Sentinel for vault activity monitoring and alerting.
    Insights & Incident Response

     
    For routine administrative activity, don't use shared (anonymous) accounts. Admins use their individual account for all access, ensuring that logged events tie back to a unique user. This streamlines incident response and audit activities.
    Insights & Incident Response

     
    Record remote sessions initiated from the vault. Sessions can be replayed and meta data searched (e.g., typed commands) to facilitate incident investigations and audits.
    Insights & Incident Response

     
    Enforce session, file, and process auditing for detailed event intel at the host operating system level. Integrate with solutions such as Splunk Cloud to forward events to a centralized SIEM.
    Insights & Incident Response

     
    Leverage audit data, machine learning, behavioral analytics, and automation to detect, track, and alert on anomalous activities.
    Insights & Incident Response

     
    Import Excel, or automatically discover and classify AD and Azure AD accounts and groups, local Windows and Linux privileged accounts, and local *NIX SSH Keys and vault them to ensure you have centralized management and control over their use.
    Inventory & Classification

     
    Continuous discovery to detect creation of new privileged accounts whether sanctioned, shadow IT, or by an adversary.
    Inventory & Classification

     

    Step 3 of 5
    All fields are required

    To what degree do you:
    Discover and classify privileged admin groups, roles, and security configuration files to ensure visiblity and simplify access (including MFA) based on their sensitivity and importance.
    Inventory & Classification

     
    Automatically discover service/application accounts across Identity and Cloud Service Providers for visibility.
    Inventory & Classification

     
    Upon discovering a new/unmanaged asset, automate the process of bringing it under centralized management, deploying PAM controls, enforcing baseline PAM policies, and vaulting local privilege accounts.
    Inventory & Classification

     
    Integrate with IT Service Management tools (such as ServiceNow) to drive access control request workflows tied to help desk tickets.
    Just-In-Time Access Request

     
    Enforce MFA policies for all employee logins to eliminate passwords and increase identity assurance.
    MFA at Depth

     
    For all admin users who log in to the vault, enforce MFA to ensure the user is the legitimate owner of the credential.
    MFA at Depth

     
    Enforce MFA when checking out a secret to ensure the user is the legitimate owner of the credential.
    MFA at Depth

     
    Enforce MFA when initiating a remote login session to a server to ensure the user is the legitimate owner of the credential.
    MFA at Depth

     
    Enforce MFA at workstations and servers for direct login and privileged command and application execution.
    MFA at Depth

     
    Enable automatic rotation of vaulted passwords. Password complexity rules can be configured. Frequent rotation and password complexity contribute to password entropy and reducing the window of opportunity for password cracking.
    Password Management

     

    Step 4 of 5
    All fields are required

    To what degree do you:
    Vault the most privileged accounts within the environment, those that can create other accounts, move laterally to access multiple systems, and that have full control within your trust fabric (AD and AAD). Enable access only in emergency situations.
    Secrets Vaulting & Management

     
    Focus on the most privileged groups within the environment, those membership grant permission to create other accounts, move laterally grant full control within your trust fabric (AD and AAD).
    Secrets Vaulting & Management

     
    Manage admin groups, roles, and security configuration files that might grant privileges across all assets.
    Secrets Vaulting & Management

     
    Enable use of a bastion/jump host to proxy connections to servers in private networks that don't expose public IP addresses. Target servers are configured to only permit inbound sessions from the trusted jump hosts.
    Secure PAM

     
    For remote sessions, obtain necessary credentials from the vault without exposing to the user.
    Secure Remote Access

     
    Leverage vaulted credentials to automatically launch login sessions to targets other than servers and websites. Extend credential and session security to any target that has a suitable API such as PowerShell, PuTTY, SQL Server, and Notepad.
    Secure Remote Access

     
    Enable browser-based remote server sessions to Windows, Linux, and UNIX servers. Ideal for vendors and other remote users, this reduces the risks associated with VPN-based remote access, increases user productivity, and reduces helpdesk calls.
    Secure Remote Access

     
    Expand remote access beyond remote employees to 3rd-party vendors and contractors. Ensure a stricter degree of security leveraging VPN-less remote access since you have less control over these users.
    Secure Remote Access

     

    Step 5 of 5
    All fields are required

    Enter your contact info below and submit to see your finished report.

    Delinea needs the contact information you provide to us to contact you about our products and services. If you have subscribed, you may unsubscribe from these communications at any time. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, please review our Privacy Policy.
    1 2 3 4 5