
PAM Journey Assessment Mapping Tool


Assess Your PAM Maturity

Privileged Access Management (PAM) is critical to protecting your organization from identity and privilege-based cyberattacks. This self-assessment will help you determine your level of cyber resilience by measuring your ability to address 38 PAM security objectives.

For each of the 38 security objectives included in the assessment, please select the level of coverage you have achieved to date (low, medium, or high). If you have not addressed the security objective at all, or if it isn’t applicable to your needs, please answer NA.

After you complete the self-assessment, you will immediately receive a personalized report. In addition, a PAM expert will reach out for a personalized review of your current state of maturity and help you determine next steps to accelerate your success path.


What to know before you begin

For maximum accuracy and efficiency, you’ll want to have a detailed understanding of your current PAM capabilities before you begin the assessment, as you won’t be able to save your answers and return. Gather inputs for each of the 38 security objectives and review with your team. You can see the complete list of objectives and a sample of the assessment report below.

Step 1 of 5
All fields are required

To what degree do you:

Support dual authorization for privileged operations on critical or sensitive secrets and assets. For example, requiring just-in-time privileged access approval or DoubleLock to provide an extra layer of security for accessing secrets.
Access Control

Support just-in-time access requests for elevated permissions to run privileged commands and applications on workstations and servers.
Access Control

Control application launch with local controls enforcing privilege elevation policies on Windows and Mac workstations.
Access Control

Minimize local privileged accounts on Linux and UNIX to reduce the attack surface and align with the Principle of Least Privilege and zero standing privileges.
Access Control

Prohibit privileged access by any client that is unknown, not secured, or untrusted.
Access Control

Vault and manage the lifecycle of service/application accounts from provisioning to deprovisioning to rationalize the number of accounts and reduce the attack surface.
Account Lifecycle Management

Enable automatic rotation of discovered service/application account passwords. Password complexity rules can be configured. Frequent rotation and password complexity increase password entropy and reduce the window of opportunity for password cracking.
Account Lifecycle Management

Automate credential management for service/application accounts and their dependencies. Ensure that when rotating a service/application account password, you don't break any other service dependent on the same account.
Account Lifecycle Management

Replace plaintext, hard-coded credentials and sensitive configuration data in source code, configuration, and script files with programmatic calls to the vault to obtain secrets and credentials. This prevents adversaries from harvesting sensitive data from disk.
DevOps

Establish policies around secret checkout and session launching. Self-service request workflows, built into the PAM platform or provided via integrations with third-party workflow tools such as ServiceNow, allow the user to request additional access. This helps align with best practices such as zero standing privileges.
Identity Governance

Step 2 of 5

To what degree do you:

Enable creation of basic elevation policies to run privileged applications on workstations (Windows, Mac) and servers (Windows, Linux) to support least privilege.
Identity Governance

Support granular policies for privilege elevation for tighter control over access. Enforce just-enough privilege to avoid granting excessive privileges that are not required for the task at hand.
Identity Governance

Integrate with Identity Governance and Administration tools (such as SailPoint) for attestation reporting and risk-based approvals.
Identity Governance

Integrate the vault with a SIEM tool such as Splunk Cloud or Azure Sentinel for vault activity monitoring and alerting.
Insights & Incident Response

For routine administrative activity, don't use shared (anonymous) accounts. Admins use their individual accounts for all access, ensuring that logged events tie back to a unique user. This streamlines incident response and audit activities.
Insights & Incident Response

Record remote sessions initiated from the vault. Sessions can be replayed and their metadata searched (e.g., typed commands) to facilitate incident investigations and audits.
Insights & Incident Response

Enforce session, file, and process auditing for detailed event intelligence at the host operating system level. Integrate with solutions such as Splunk Cloud to forward events to a centralized SIEM.
Insights & Incident Response

Leverage audit data, machine learning, behavioral analytics, and automation to detect, track, and alert on anomalous activities.
Insights & Incident Response

Import from Excel, or automatically discover and classify, AD and Azure AD accounts and groups, local Windows and Linux privileged accounts, and local *NIX SSH keys, and vault them to ensure centralized management and control over their use.
Inventory & Classification

Run continuous discovery to detect the creation of new privileged accounts, whether sanctioned, shadow IT, or created by an adversary.
Inventory & Classification

Step 3 of 5

To what degree do you:

Discover and classify privileged admin groups, roles, and security configuration files to ensure visibility and simplify access (including MFA) based on their sensitivity and importance.
Inventory & Classification

Automatically discover service/application accounts across identity and cloud service providers for visibility.
Inventory & Classification

Upon discovering a new/unmanaged asset, automate the process of bringing it under centralized management, deploying PAM controls, enforcing baseline PAM policies, and vaulting local privileged accounts.
Inventory & Classification

Integrate with IT Service Management tools (such as ServiceNow) to drive access control request workflows tied to help desk tickets.
Just-In-Time Access Request

Enforce MFA policies for all employee logins to eliminate passwords and increase identity assurance.
MFA at Depth

For all admin users who log in to the vault, enforce MFA to ensure the user is the legitimate owner of the credential.
MFA at Depth

Enforce MFA when checking out a secret to ensure the user is the legitimate owner of the credential.
MFA at Depth

Enforce MFA when initiating a remote login session to a server to ensure the user is the legitimate owner of the credential.
MFA at Depth

Enforce MFA at workstations and servers for direct login and privileged command and application execution.
MFA at Depth

Enable automatic rotation of vaulted passwords. Password complexity rules can be configured. Frequent rotation and password complexity increase password entropy and reduce the window of opportunity for password cracking.
Password Management

Step 4 of 5

To what degree do you:

Vault the most privileged accounts within the environment: those that can create other accounts, move laterally to access multiple systems, and have full control within your trust fabric (AD and AAD). Enable access only in emergency situations.
Secrets Vaulting & Management

Focus on the most privileged groups within the environment: those whose membership grants permission to create other accounts, move laterally, and gain full control within your trust fabric (AD and AAD).
Secrets Vaulting & Management

Manage admin groups, roles, and security configuration files that might grant privileges across all assets.
Secrets Vaulting & Management

Enable use of a bastion/jump host to proxy connections to servers in private networks that don't expose public IP addresses. Target servers are configured to permit inbound sessions only from the trusted jump hosts.
Secure PAM

For remote sessions, obtain the necessary credentials from the vault without exposing them to the user.
Secure Remote Access

Leverage vaulted credentials to automatically launch login sessions to targets other than servers and websites. Extend credential and session security to any target that has a suitable API, such as PowerShell, PuTTY, SQL Server, and Notepad.
Secure Remote Access

Enable browser-based remote server sessions to Windows, Linux, and UNIX servers. Ideal for vendors and other remote users, this reduces the risks associated with VPN-based remote access, increases user productivity, and reduces helpdesk calls.
Secure Remote Access

Expand remote access beyond remote employees to third-party vendors and contractors. Enforce a stricter degree of security, leveraging VPN-less remote access, since you have less control over these users.
Secure Remote Access

Step 5 of 5

Enter your contact info below and submit to see your finished report.

Delinea needs the contact information you provide to us to contact you about our products and services. If you have subscribed, you may unsubscribe from these communications at any time. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, please review our Privacy Policy.