ISO27009 A.9 Access Management
Access Management is all about the who, what, when & how long.
- who has access to a resource
- who approved the resource access
- what IP/PORT combinations are exposed to an end user's device
- what tools does that user need to install on their device to access the resource
- when will the user access start
- how long will the user have the access
Mamori allows security administrators govern the who, what, when and how long.
- It simplifies the required client software
- Segment user resource access into two groups: those that don't have direct IP access to resources and those that do. Web console and proxies are used for the former and the ZTNA solution is used for the latter.
- Provides an policy workflow to automate ISO 27001 A.9 access provisioning processes
Mamori provides 3 types of access:
- Web console access - provisions access to all resources via HTTPS.
- Proxy access - provisions access via proxies to end user native client tools.
- ZNTA direct IP access - provision direct IP access via ZTNA.
|Resource Type||Access Options|
|SSH, SFTP & RDP||Web Console & Direct Access|
|Internal HTTP/S||Web Console (requires Web Proxy) & Direct Access|
|Database||Web Console, Proxy & Direct Access|
Web console access is the simplest and easiest to setup. If you are trying Mamori for the 1st time we recommend you use this first. Then if you want to use native database tools you can connect via the proxy using the configuration you setup for the web console access.
Only administrators that scan, stand up and tear down infrastructure have direct IP access to resources, and that access is provided via an on-demand endorsed policy.
Web Console Access
The Mamori web console allows you to provision SSH, RDP, HTTP/S, Secret and Database access to users via a modern web browser.
Direct IP Access
The Mamori WireGuard module allows provisioning of direct access to any IP/Port combination. This solution can be used to micro-segment internal nerworks and also provide remote access to the same resources. Basic configuration is to register device for an identifity and then install the WireGuard client with the provided key settings on that device.
Requires the WireGuard client to be installed on end user clients.
Database Proxy Access
The Mamori database proxies allow the provisioning of native tool database access without the need to provide direct IP access to the database or provide a database credential. Users will use their single multi-factored directory login to access all databases.
No agents or special software required on either end user clients or database servers.
If your resources or servers on are on another network or can only be accessed via SSH tunnels, then before you add them you will need to either create the network entry with the Mamori service or add them as wireguard peers.
The three types of network you can add using the Mamori network gateway service are:
- SSH Tunnel (Click here for details)
- Open VPN
End User PDF Guides
End User Guide Templates
Templates that you can modify