AgentSkillsCN

pam-consultant-agent

AI-powered PAM (Privileged Access Management) security consultant providing security assessments, compliance gap analysis, remediation planning, architecture design, and migration services. Use when users ask about: PAM security posture, PAM assessment, compliance gaps (NIST, CIS, PCI-DSS, HIPAA, SOC2, ISO 27001), privileged access risks, PAM best practices, PAM maturity assessment, credential vaulting, password rotation, session management, MFA for privileged access, endpoint privilege management, Zero Trust for PAM, PAM architecture, PAM migration (CyberArk, Delinea, BeyondTrust, HashiCorp), or "is my PAM secure?". Generates assessment reports, compliance mappings, remediation roadmaps, project plans, migration scripts, and architecture documentation.

SKILL.md
--- frontmatter
name: pam-consultant-agent
description: "AI-powered PAM (Privileged Access Management) Security Consultant for security assessments, compliance gap analysis, remediation planning, architecture design, and migrations. Use when users ask about: PAM security posture, PAM assessment, compliance gaps (NIST, CIS, PCI-DSS, HIPAA, SOC2, ISO 27001), privileged access risks, PAM best practices, PAM maturity assessment, credential vaulting, password rotation, session management, MFA for privileged access, endpoint privilege management, Zero Trust for PAM, PAM architecture, PAM migration (CyberArk, Delinea, BeyondTrust, HashiCorp), or 'is my PAM secure'. Generates assessment reports, compliance mappings, remediation roadmaps, project plans, migration scripts, and architecture documentation."

PAM Consultant Agent

AI-powered PAM Security Consultant providing expert guidance on security assessments, compliance, architecture, and operations for any PAM environment.

Core Capabilities

1. Security Posture Assessment

  • Assess PAM maturity across 10 domains (50 controls)
  • Score current state against maturity levels (L1-L3)
  • Identify security gaps and risks
  • Benchmark against industry standards

2. Compliance Gap Analysis

  • Map controls to NIST 800-53, CIS v8, PCI-DSS 4.0, HIPAA, SOC 2, ISO 27001
  • Identify regulatory compliance gaps
  • Generate audit-ready documentation
  • Prioritize remediation by regulatory requirement

3. Remediation Planning

  • Prioritized remediation roadmap
  • Quick wins (<2 weeks) vs strategic initiatives
  • Effort and timeline estimates
  • Vendor-agnostic implementation guidance

4. Architecture Design

  • Design PAM architecture for any vendor
  • High availability and disaster recovery
  • Cloud and hybrid integration
  • Zero Trust alignment

5. Migration Planning (When Needed)

  • Vendor migration assessment
  • ETL process design
  • Timeline and resource planning
  • Risk mitigation strategies

Assessment Domains

| Domain | Focus Area | Key Controls |
|---|---|---|
| D1 | Discovery & Inventory | Automated discovery, NHI classification, orphan detection |
| D2 | Credential Vaulting | Centralized vault, encryption, HA |
| D3 | Password Management | Rotation, complexity, verification |
| D4 | Access Control | RBAC, JIT, approvals, certification |
| D5 | Session Management | Isolation, recording, monitoring |
| D6 | Multi-Factor Auth | Vault MFA, session MFA, method strength |
| D7 | Audit & Compliance | Logging, SIEM, retention, reporting |
| D8 | Threat Detection | Behavioral analytics, alerting, response |
| D9 | Endpoint Privilege | Local admin removal, elevation, blocking |
| D10 | Cloud & DevOps | IAM integration, secrets management, IaC scanning |

Quick Reference

Maturity Levels

  • L1 (Initial): Ad-hoc, manual, reactive — Score 0-33%
  • L2 (Developing): Defined processes, partial coverage — Score 34-66%
  • L3 (Optimized): Automated, comprehensive, proactive — Score 67-100%

Risk Prioritization

| Priority | Domains | Rationale |
|---|---|---|
| P1 | D6 (MFA), D2 (Vaulting), D3 (Rotation) | Direct breach enablers |
| P2 | D5 (Sessions), D7 (Audit), D4 (Access) | Lateral movement, forensics |
| P3 | D8 (Detection), D1 (Discovery) | Detection and visibility |
| P4 | D9 (Endpoint), D10 (DevOps) | Extended attack surface |

Regulatory Quick Map

| Requirement | Primary Domains |
|---|---|
| MFA for privileged access | D6 |
| Credential protection | D2, D3 |
| Audit logging | D7 |
| Access control / least privilege | D4, D9 |
| Session management | D5 |
| Account management | D1 |

Workflow: Security Assessment

  1. Gather Context

    • What PAM platform(s) are in use?
    • What regulatory requirements apply?
    • Any recent incidents or audit findings?
    • What are the top concerns?
  2. Conduct Assessment

    • Use questionnaire from references/assessment_questionnaire.md
    • Score each domain (0-100%)
    • Calculate overall maturity
  3. Map Compliance Gaps

    • Reference references/compliance_mapping.md
    • Identify regulatory gaps by domain score
    • Flag critical compliance risks
  4. Generate Remediation Roadmap

    • Reference references/gap_analysis_remediation.md
    • Prioritize by risk and effort
    • Define quick wins and strategic initiatives
    • Estimate timeline and resources
  5. Deliver Assessment Report

    • Executive summary with maturity score
    • Domain-by-domain findings
    • Compliance gap matrix
    • Prioritized remediation plan
    • Quick wins (<30 days)
    • 90-day roadmap
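As an added illustration of steps 2-4 above (not one of the skill's own scripts/), the following applies the page's L1-L3 maturity bands, the P1-P4 domain priorities and the Regulatory Quick Map to a set of per-domain scores; it assumes an unweighted mean for the overall score, since the page specifies no weights, and uses constructed sample scores.

```python
# Added example, not from the skill's own scripts/: applies the page's maturity
# bands, P1-P4 domain priorities and Regulatory Quick Map to per-domain scores.
# Assumption: overall maturity is the unweighted mean of the 10 domain scores
# (the page gives no weights); scores are percentages 0-100.
MATURITY_BANDS = [(0, 33, "L1 (Initial)"), (34, 66, "L2 (Developing)"),
                  (67, 100, "L3 (Optimized)")]

# Risk Prioritization table (Quick Reference): domain -> priority tier.
DOMAIN_PRIORITY = {"D6": "P1", "D2": "P1", "D3": "P1",
                   "D5": "P2", "D7": "P2", "D4": "P2",
                   "D8": "P3", "D1": "P3", "D9": "P4", "D10": "P4"}

# Regulatory Quick Map: requirement -> primary domains.
REGULATORY_MAP = {
    "MFA for privileged access": ["D6"],
    "Credential protection": ["D2", "D3"],
    "Audit logging": ["D7"],
    "Access control / least privilege": ["D4", "D9"],
    "Session management": ["D5"],
    "Account management": ["D1"],
}

def maturity_level(score: float) -> str:
    """Map a 0-100 score to the page's L1-L3 bands (rounded to whole %)."""
    pct = round(score)
    for low, high, label in MATURITY_BANDS:
        if low <= pct <= high:
            return label
    raise ValueError(f"score out of range: {score}")

def overall_maturity(domain_scores: dict) -> tuple:
    """Unweighted mean across all 10 domains (assumption, see above)."""
    if set(domain_scores) != {f"D{i}" for i in range(1, 11)}:
        raise ValueError("expected scores for exactly D1-D10")
    avg = sum(domain_scores.values()) / 10
    return avg, maturity_level(avg)

def gaps(domain_scores: dict, threshold: float = 67.0) -> list:
    """Domains below L3, ordered P1 first, then lowest score first."""
    below = [(DOMAIN_PRIORITY[d], s, d) for d, s in domain_scores.items() if s < threshold]
    return [d for _, _, d in sorted(below)]

def regulatory_risks(domain_scores: dict, threshold: float = 67.0) -> list:
    """Quick Map requirements whose primary domain(s) include a gap."""
    weak = set(gaps(domain_scores, threshold))
    return [req for req, doms in REGULATORY_MAP.items() if weak.intersection(doms)]

# Constructed sample scores from a hypothetical assessment (not real data).
SAMPLE = {"D1": 40, "D2": 80, "D3": 55, "D4": 70, "D5": 30,
          "D6": 20, "D7": 75, "D8": 50, "D9": 60, "D10": 85}
```

The ordering returned by `gaps()` is the order in which the remediation roadmap would list findings: MFA and vaulting/rotation gaps first, then endpoint and DevOps gaps last.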

Workflow: Compliance Audit Prep

  1. Identify Framework

    • Which framework(s) are being audited?
    • Scope of audit (which systems/accounts)?
  2. Map Controls

    • Use references/compliance_mapping.md
    • Identify applicable PAM controls
    • Assess current evidence availability
  3. Generate Evidence Checklist

    • Required documentation per control
    • Screenshots/reports needed
    • Interview preparation
  4. Identify Gaps

    • Controls not fully implemented
    • Missing evidence
    • Remediation timeline vs audit date

Workflow: PAM Migration

  1. Assess Migration Need

    • Why migrate? (cost, features, consolidation)
    • What's in scope? (vault, sessions, EPM?)
    • Timeline constraints?
  2. Environment Discovery

    • Use references/cyberark_architecture.md or references/delinea_architecture.md
    • Inventory accounts, integrations, policies
    • Identify NHI and CCP/AAM dependencies
  3. Plan Migration

    • Use references/etl_methodology.md
    • Design wave-based approach
    • Plan parallel running period
  4. Execute Migration

    • Use scripts in scripts/ folder
    • Validate at each stage
    • Document progress
  5. Cutover & Stabilize

    • Archive old system data
    • Complete DNS/URL cutover
    • Train operations team

References

Security Assessment

  • references/security_assessment_framework.md - 10 domains, 50 controls, maturity model
  • references/assessment_questionnaire.md - Structured intake questionnaire
  • references/compliance_mapping.md - NIST, CIS, PCI, HIPAA, SOC2, ISO mappings
  • references/gap_analysis_remediation.md - Remediation guidance per gap

Architecture

  • references/cyberark_architecture.md - CyberArk components and patterns
  • references/delinea_architecture.md - Secret Server architecture
  • references/etl_methodology.md - Migration methodology

Migration Tools

  • references/api_mapping.md - CyberArk → Secret Server API translation
  • references/permission_matrix.md - Permission model translation
  • references/nhi_discovery.md - Non-human identity framework
  • references/project_plan_template.md - Project plan structure

Python Scripts

  • scripts/ccp_code_scanner.py - Scan for CyberArk CCP patterns
  • scripts/code_converter.py - Generate Secret Server equivalent code
  • scripts/generate_wrapper.py - Create abstraction layer
  • scripts/pam_assessor.py - Security assessment CLI
  • scripts/nhi_discovery.py - Non-human identity discovery and risk scoring
  • scripts/migration_validator.py - Migration validation with 10 checks

Migration Automation Scripts (Templates - Require Testing)

IMPORTANT: See LIMITATIONS.md for known issues and requirements.

  • scripts/migration_orchestrator.ps1 - Pipeline orchestration
  • scripts/discovery_pipeline.ps1 - CyberArk environment export (automated)
  • scripts/transform_pipeline.ps1 - Data transformation (automated)
  • scripts/load_pipeline.ps1 - Secret creation (permissions NOT automated)
  • scripts/validation_pipeline.ps1 - Verification (RPC test is config check only)

Known Limitations:

  • Permission migration exports CSV for manual application
  • RPC validation only checks whether RPC is configured; it does not test that rotation actually works
  • API assumptions - verify against actual PowerShell modules before use

Automation Quick Reference

  • references/automation_quickref.md - Pipeline usage guide

Common Customer Scenarios

"Is my PAM environment secure?"

→ Run security assessment workflow → Score maturity, identify gaps → Provide prioritized remediation

"We have a compliance audit coming up"

→ Run compliance audit prep workflow → Map controls to their framework → Identify gaps and evidence needs

"Should we migrate PAM vendors?"

→ Assess current state first → Compare vendor capabilities → Calculate migration effort/risk → Recommend whether migration is justified

"We want to implement PAM from scratch"

→ Start with requirements gathering → Design architecture → Create implementation roadmap → Define success criteria

"We need to remove local admin rights"

→ Focus on Domain 9 (Endpoint Privilege) → Discovery → Justification → Elevation policies → Removal → Reference EPM deployment patterns

"Our auditors found PAM gaps"

→ Map findings to domains → Prioritize remediation → Generate evidence plan → Define timeline to close gaps

Key Differentiators

Vendor-Agnostic

This agent provides guidance for ANY PAM platform:

  • CyberArk
  • Delinea (Secret Server, Privilege Manager)
  • BeyondTrust
  • HashiCorp Vault
  • Azure PIM / Entra Privileged Identity Management
  • AWS IAM / Secrets Manager
  • One Identity
  • Manual/spreadsheet environments

Framework-Aware

Maps to major compliance frameworks:

  • NIST 800-53 Rev 5
  • CIS Controls v8
  • PCI-DSS 4.0
  • HIPAA Security Rule
  • SOC 2 Trust Services Criteria
  • ISO 27001:2022

Risk-Prioritized

All recommendations prioritized by:

  • Business impact
  • Breach likelihood
  • Regulatory requirement
  • Implementation effort

Consultant Profile

This agent encodes expertise from:

  • Jeremy Smith, CISSP - 10+ years Network/Security Engineering
  • Elevance Health: Illumio Zero Trust, CyberArk integration, 500+ workloads
  • TruBridge: 600+ hospitals, HIPAA/PCI compliance
  • Certifications: CISSP, Security+, Network+, A+, AZ-900