CIS Controls – PAM x 20 Controls Focused on PAM
The Michaelis Dictionary defines risk as the likelihood of damage in a given project or thing due to an uncertain event. This definition applies to anything that may expose people and organizations to risk, including Information Security. In this specific context, cyber-security risk is the likelihood that such damage occurs as a result of the use of interconnected systems. With this in mind, those responsible for Information Security can be clear about the actions to be taken to mitigate these risks, that is, to prevent organizations from suffering such damage.
To assist in defining strategies for protection against cyberattacks, industry organizations have created sets of policies and procedures, documented both as theoretical knowledge and as practical implementation procedures. Some of these frameworks are designed for a specific industry; all aim to reduce unknown vulnerabilities and configuration errors in the organizational environment. In short, these standards introduce models that allow organizations to understand their security approach and know how to improve it. And since they have been tested in different situations and industries, their reliability and effectiveness can be vouched for.
The industry’s leading cyber-security risk management frameworks, regulations, and standards are the ISO 27000 series, the NIST Cybersecurity Framework, the PCI DSS standard, and the Center for Internet Security’s (CIS) Critical Security Controls.
CIS is a nonprofit organization that aims to leverage the power of a global IT community to secure public and private organizations against cyber threats. To that end, CIS has defined a set of critical security controls, based on industry best practices, that organizations should implement in their environment to ensure an effective cyber-security strategy. In version 7 of the CIS Controls, these are divided into three distinct sets: Basic, Foundational, and Organizational, totaling 20 controls that address essentially every aspect of cyber-security.
Even though the CIS controls address numerous aspects of Information Security, some of them relate directly to Privileged Access Management (PAM). Of the 20 controls proposed by CIS, one specifically addresses PAM, while the other 19 are influenced by, or effectively require, PAM concepts.
Privileged Access Management refers to a set of technologies and practices that monitor and manage privileged access (also called administrative access) to critical systems. With a privileged credential, a user can, for example, modify system settings and user accounts, and access critical data.
Thus, given their level of access and control over the systems that handle information or processes, privileged users expose the organization to potential business risk. Whether through an external attack, privilege abuse, or human error, a privileged account can be the vector of a security incident.
Control 4 (Controlled Use of Administrative Privileges) directly addresses PAM. To understand how a PAM solution can address this control, here are the CIS sub-controls (version 7) associated with controlled use of administrative privileges:
4.1. Maintain Inventory of Administrative Accounts.
4.2. Change Default Passwords.
4.3. Ensure the Use of Dedicated Administrative Accounts.
4.4. Use Unique Passwords.
4.5. Use Multi-Factor Authentication for All Administrative Access.
4.6. Use Dedicated Workstations for All Administrative Tasks.
4.7. Limit Access to Scripting Tools.
4.8. Log and Alert on Changes to Administrative Group Membership.
4.9. Log and Alert on Unsuccessful Administrative Account Login.
A PAM solution is therefore a key tool for implementing this control: it lets the Information Security team grant and revoke privileged access across a range of systems and devices, monitor those accesses, and alert administrators to non-compliant remote sessions. Examples of non-compliance are a user attempting access outside their authorized hours, or accessing the administrative interface of a device that is not within their purview. Note that not every sub-control is delivered by the PAM tool itself: 4.6 (dedicated administrative workstations) and 4.7 (limiting access to scripting tools) are endpoint hardening measures that a PAM deployment complements rather than replaces.
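The two non-compliance cases above (access outside authorized hours, access to a device outside the user's purview) are the kind of checks a PAM session monitor applies to every privileged session request. The following is an added example, not senhasegura's code, that evaluates a constructed session log against a hypothetical per-user policy; it also goes slightly beyond the paragraph by raising an alert after repeated failed administrative logins, as sub-control 4.9 requires. The policy table, threshold and log format are assumptions made for the example.

```python
"""Added example: flag privileged-session events that violate a per-user
access policy (allowed hours, allowed target devices) and alert on repeated
failed administrative logins. All data below is constructed for illustration;
this is not senhasegura's implementation."""
from collections import Counter
from datetime import datetime, time

# Hypothetical per-user policy: allowed time-of-day window and the devices
# each administrator is responsible for.
POLICY = {
    "alice": {"hours": (time(8, 0), time(18, 0)),
              "devices": {"core-sw-01", "core-sw-02"}},
    "bob":   {"hours": (time(0, 0), time(23, 59, 59)),
              "devices": {"db-prod-01"}},
}

# Constructed PAM session log: ISO timestamp, user, target device, outcome.
SAMPLE_LOG = """\
2024-05-06T09:15:00 alice core-sw-01 success
2024-05-06T23:40:00 alice core-sw-01 success
2024-05-06T10:02:00 alice db-prod-01 success
2024-05-06T11:00:00 bob db-prod-01 failure
2024-05-06T11:00:30 bob db-prod-01 failure
2024-05-06T11:01:00 bob db-prod-01 failure
2024-05-06T12:00:00 bob db-prod-01 success
2024-05-06T12:30:00 carol core-sw-01 success
"""

FAILED_LOGIN_THRESHOLD = 3  # assumed alerting threshold for sub-control 4.9


def parse_log(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, device, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "device": device, "outcome": outcome})
    return events


def check_event(event):
    """Return the list of policy violations for one session event."""
    policy = POLICY.get(event["user"])
    if policy is None:
        # An administrator with no policy entry is itself an alert:
        # never silently allow an unknown privileged identity.
        return ["no_policy"]
    violations = []
    start, end = policy["hours"]
    if not (start <= event["ts"].time() <= end):
        violations.append("outside_allowed_hours")
    if event["device"] not in policy["devices"]:
        violations.append("device_out_of_scope")
    return violations


def evaluate(text):
    """Run every event through the policy checks and the failed-login counter."""
    alerts = []
    failures = Counter()
    for ev in parse_log(text):
        for v in check_event(ev):
            alerts.append((ev["ts"].isoformat(), ev["user"], ev["device"], v))
        if ev["outcome"] == "failure":
            failures[ev["user"]] += 1
            if failures[ev["user"]] == FAILED_LOGIN_THRESHOLD:
                alerts.append((ev["ts"].isoformat(), ev["user"], ev["device"],
                               "repeated_failed_admin_login"))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOG):
        print(*alert)
```

On the constructed log this raises four alerts: alice's 23:40 session (outside her 08:00 to 18:00 window), alice's session to db-prod-01 (not her device), bob's third consecutive failed login, and carol's session, because she has no policy entry at all. In a real deployment the policy would come from the PAM solution's access rules and the alerts would go to the SIEM rather than stdout.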
Sub-control 4.1, Maintain Inventory of Administrative Accounts, for example, requires the organization to have full visibility of all administrative credentials and their privileges, using automated tools to inventory them. senhasegura, as a PAM solution, offers a Scan and Discovery feature that finds privileged credentials (such as domain and local privileged accounts) across a range of assets, including network devices, systems, and applications, as well as DevOps environments.
Another sub-control that senhasegura helps implement is 4.2, Change Default Passwords. CIS recommends that, before deploying any new asset in the environment, all of its default passwords be changed to values consistent with administrative-level accounts. senhasegura allows automatic rotation of device passwords and restricts access to them through quickly configurable, multilevel approval workflows.
Of course, the features of a PAM solution are not restricted to these two sub-controls; such a solution can also meet recommendations present in other controls and their sub-controls. senhasegura offers a PAM solution that supports the implementation of numerous controls in the CIS Critical Security Controls. In addition to enabling the full implementation of the privileged access management control, senhasegura also addresses aspects linked to system inventory, configuration, monitoring, incident response, and su/sudo injection. Implementing senhasegura helps mitigate attacks against systems through privileged credentials, and helps ensure the trust of employees, partners, and customers, and business continuity.
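To make sub-control 4.1 concrete, the block below is an added example (not senhasegura's Scan and Discovery code) of what an automated inventory of local administrative accounts on a Linux host has to look at: UID 0 entries in the passwd file, membership of administrative groups, and direct or group-based sudoers rules. The file contents are constructed strings standing in for /etc/passwd, /etc/group and /etc/sudoers, and the set of groups treated as administrative is an assumption for the example; a real scanner would read the live files, follow sudoers includes and aliases, and repeat this across every asset.

```python
"""Added example: inventory local administrative accounts on a Linux host from
constructed passwd, group and sudoers content. Not senhasegura's code."""

# Constructed /etc/passwd: note the second UID 0 account 'toor'.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:backdoor:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
"""

# Constructed /etc/group.
GROUP = """\
root:x:0:
sudo:x:27:alice,bob
wheel:x:10:
admin:x:110:carol
"""

# Constructed /etc/sudoers excerpt (no aliases, no #include directives).
SUDOERS = """\
# constructed sudoers excerpt
Defaults env_reset
root ALL=(ALL:ALL) ALL
carol ALL=(ALL) NOPASSWD: /usr/bin/systemctl
%admin ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
"""

# Assumed list of groups that confer administrative rights on this host.
ADMIN_GROUPS = {"root", "sudo", "wheel", "admin"}


def parse_passwd(text):
    """Map account name -> numeric UID from passwd-format text."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, uid, *_ = line.split(":")
            users[name] = int(uid)
    return users


def parse_group(text):
    """Map group name -> set of supplementary members from group-format text."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, _gid, members = line.split(":")
            groups[name] = {m for m in members.split(",") if m}
    return groups


def parse_sudoers(text):
    """Return (users, groups) that carry a rule in a simple sudoers excerpt."""
    users, groups = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        who = line.split()[0]
        (groups if who.startswith("%") else users).add(who.lstrip("%"))
    return users, groups


def inventory(passwd_text, group_text, sudoers_text):
    """Map each administrative account to the set of reasons it counts as one."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    sudo_users, sudo_groups = parse_sudoers(sudoers_text)
    admins = {}

    def tag(user, reason):
        admins.setdefault(user, set()).add(reason)

    for name, uid in users.items():
        if uid == 0:
            tag(name, "uid0")
        if name in sudo_users:
            tag(name, "sudoers:direct")
    for gname, members in groups.items():
        for member in members:
            if gname in ADMIN_GROUPS:
                tag(member, f"group:{gname}")
            if gname in sudo_groups:
                tag(member, f"sudoers:via_group:{gname}")
    return admins


def findings(admins):
    """Conditions a reviewer of the inventory would want flagged immediately."""
    out = []
    uid0 = sorted(u for u, reasons in admins.items() if "uid0" in reasons)
    if uid0 != ["root"]:
        out.append(f"multiple UID 0 accounts: {uid0}")
    return out


if __name__ == "__main__":
    admins = inventory(PASSWD, GROUP, SUDOERS)
    for user in sorted(admins):
        print(user, sorted(admins[user]))
    for f in findings(admins):
        print("FINDING:", f)
```

The inventory lists five accounts (root, toor, alice, bob, carol) with the reason each one is privileged, and the findings pass flags the extra UID 0 account, which is exactly the kind of credential that a manual inventory tends to miss and that an attacker tends to leave behind.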