
The Cybersecurity Frameworks and PAM

by | Feb 20, 2020 | BLOG

With digital transformation and increased competition, it is increasingly important for organizations to achieve better results using fewer resources. Business requirements have been changing over the past few years in response to new threats and regulations, as well as changes in the relationships between companies, clients, and partners.

Given this background, there are a series of rules and frameworks covering everything from technical aspects to business issues. Some examples include the development of corporate governance, assurance of the protection of clients’ payment data, and improvement in the posture toward, and mitigation of, cybersecurity risks within an organization. To ensure compliance with these rules and regulations, organizations can deploy security solutions, such as Privileged Access Management (PAM) tools. But what are the main frameworks and rules related to cybersecurity, why are they important, and what are the main benefits they bring?

Information security in focus

We live in a hyper-connected world, and cybersecurity risks are increasingly tied to business continuity. This has led many organizations to treat information security not only as a cost but also as an investment, and thus to improve their cyber posture, increasing the trust of clients, partners, and suppliers, and ensuring business continuity. One way of doing that is, for example, through the implementation of information security solutions, such as PAM tools. However, relying on technology alone can lead many organizations to a false sense of security. Therefore, in a context in which just one click is enough for a malicious agent to get access to an organization’s infrastructure, what can be done to gain greater control over information security?

Standards and frameworks for information security

Cybersecurity standards and frameworks have proven to be powerful tools for organizations. These guidelines have been developed with the aim of offering a systematic approach to protecting employees’, clients’, and partners’ data. Some of these frameworks are designed for a specific industry, and all aim to reduce unknown vulnerabilities and configuration errors in the organizational environment. To summarize, these standards introduce models that allow organizations to understand their security approach and know how to improve it. And as they have been tested in different situations and industries, one can vouch for their reliability and effectiveness. These frameworks can be used with cybersecurity solutions, such as Security Information and Event Management (SIEM) or Privileged Access Management (PAM) tools.

Some of the leading cybersecurity risk management frameworks, regulations, and standards are the ISO 27000 standards, NIST’s Cybersecurity Framework (and, more recently, the Privacy Framework), the PCI DSS standard, and the Center for Internet Security’s (CIS) Critical Security Controls. Even though the controls of these frameworks address numerous aspects of information security, some of them are influenced by or effectively require the concepts associated with PAM.

PAM, standards and frameworks

Privileged Access Management refers to a set of technologies and practices that monitor and manage privileged access (also called administrative access) to critical systems. Through a privileged credential, a user can, for example, modify system settings and user accounts and access critical data. Thus, given their level of access and control over the systems that manage information or processes, a privileged user exposes the organization to potential business risks. Whether through an attack, privilege abuse, or human error, a privileged user can be an attack vector for a potential security incident.

In the CIS Critical Security Controls for Effective Cyber Defense, one of the controls directly addresses aspects of PAM: the subcontrols under control number 4 cover the controlled use of administrative privileges, including the management of access through privileged accounts.

What is the ISO/IEC 27001 standard?

ISO/IEC 27001, in turn, is an Information Security Management standard published by ISO with IEC and is used by organizations around the world with the aim of establishing, implementing, maintaining, evaluating, and continuously improving an Information Security Management System (ISMS). Of the 35 control objectives provided for in the standard, approximately 80% are directly or indirectly linked to Privileged Access Management processes. One of the ISMS requirements is the full tracking of the credentials of the organization’s own employees and third parties, as well as non-human users, such as credentials embedded in scripts and applications. If these users are able to make unauthorized changes to systems, access sensitive data, and eliminate the trails of their privileged actions, the organization is exposed to serious risks.

NIST’s Framework for Improving Critical Infrastructure Cybersecurity consists of a series of standards, guidelines, and best practices for managing cybersecurity-related risks. According to NIST, “The framework’s low-cost, prioritized, and flexible approach helps promote the protection and resilience of critical infrastructure and other key sectors for the economy and national security.” The aspects of Privileged Access Management that correlate to the controls in NIST’s Cybersecurity Framework include the granting and revocation of privileged access, asset management, and the traceability of actions in the environment through audit trails.

What is the PCI standard?

The PCI standard consists of 12 requirements and six control objectives that address security management, policies, procedures, network architecture, and software development for payment card data protection. Privileged Access Management is a critical aspect of PCI DSS compliance. Some of the standard’s requirements can even be met through a PAM solution: those related to the use of default passwords or other security settings of software in an environment, and those related to the identification and authentication of access to system components.

Why implement a PAM solution in your company?

Using any of these cybersecurity frameworks is not an easy task for any organization, regardless of its size, industry, or experience. In this context, a PAM solution can be considered an important tool for speeding up the implementation of cybersecurity infrastructure, and it allows functions related to identity and access control to be implemented. In addition, a PAM solution allows one to control privileged credentials, bringing the organization into compliance in terms of cybersecurity. Thus, those who discover its added value and are able to implement the associated controls can reduce cybersecurity risks, as well as ensure business continuity.
