ISO27009 A.9 Access Management

Access Management is all about the who, what, when & how long.

  • who has access to a resource
  • who approved the resource access
  • what IP/PORT combinations are exposed to an end user's device
  • what tools does that user need to install on their device to access the resource
  • when will the user access start
  • how long will the user have the access

Mamori allows security administrators govern the who, what, when and how long.

  • It simplifies the required client software
  • Segment user resource access into two groups: those that don't have direct IP access to resources and those that do. Web console and proxies are used for the former and the ZTNA solution is used for the latter.
  • Provides an policy workflow to automate ISO 27001 A.9 access provisioning processes

Access Types

Mamori provides 3 types of access:

  • Web console access - provisions access to all resources via HTTPS.
  • Proxy access - provisions access via proxies to end user native client tools.
  • ZNTA direct IP access - provision direct IP access via ZTNA.

Resource TypeAccess Options
SSH, SFTP & RDPWeb Console & Direct Access
Internal HTTP/SWeb Console (requires Web Proxy) & Direct Access
DatabaseWeb Console, Proxy & Direct Access

Quick Start

Web console access is the simplest and easiest to setup. If you are trying Mamori for the 1st time we recommend you use this first. Then if you want to use native database tools you can connect via the proxy using the configuration you setup for the web console access.

Best Practice

Only administrators that scan, stand up and tear down infrastructure have direct IP access to resources, and that access is provided via an on-demand endorsed policy.

Web Console Access

The Mamori web console allows you to provision SSH, RDP, HTTP/S, Secret and Database access to users via a modern web browser.


Easy end user setup
No need to install native SSH, RDP or Database client tools
No need for a jump box
No direct access to IP resources
Protects SSH, RDP, HTTP, HTTPS and database ports
Session recording for all protocols
Multi-factor on resource access

Direct IP Access

The Mamori WireGuard module allows provisioning of direct access to any IP/Port combination. This solution can be used to micro-segment internal nerworks and also provide remote access to the same resources. Basic configuration is to register device for an identifity and then install the WireGuard client with the provided key settings on that device.


Device registry
Users can use native tools
Multi-factor on resource access
Session recording on TCP protocol
Intrusion detection (Unauthorised scanning of network)

Requires the WireGuard client to be installed on end user clients.

Database Proxy Access

The Mamori database proxies allow the provisioning of native tool database access without the need to provide direct IP access to the database or provide a database credential. Users will use their single multi-factored directory login to access all databases.


(SSO) Single user directory login for all databases
Multi-factor on database login
Users can use native database tools
Session recording
Apply statement, permission & masking policies

No agents or special software required on either end user clients or database servers.

Remote Systems

If your resources or servers on are on another network or can only be accessed via SSH tunnels, then before you add them you will need to either create the network entry with the Mamori service or add them as wireguard peers.

The three types of network you can add using the Mamori network gateway service are:

User Guides

End User PDF Guides

End User Guide Templates

Templates that you can modify

Edit this page on GitHub Updated at Wed, Mar 13, 2024