
The Cybersecurity Frameworks and PAM

Feb 20, 2020 | BLOG

With digital transformation and increased competition, it is increasingly important for organizations to achieve progressively better results using fewer resources. Business requirements have accordingly been changing over the past few years, driven by a new landscape of threats and regulations, as well as changes in the relationships between companies, clients, and partners.

Given this background, there is a series of rules and frameworks covering everything from technical aspects to business issues. Some examples include the development of corporate governance, assurance of the protection of clients’ payment data, or improvement of an organization’s cybersecurity posture and risk mitigation. To ensure compliance with these rules and regulations, organizations can deploy security solutions, such as Privileged Access Management (PAM) tools. But what are the main frameworks and rules related to cybersecurity, why are they important, and what are the main benefits they bring?

Information security in focus

We live in a hyper-connected world, and cybersecurity risks are increasingly tied to business continuity. This has led many organizations to consider information security not only as a cost but also as an investment, and thus to improve their cyber posture, increasing the trust of clients, partners, and suppliers, and ensuring business continuity. One way of doing that is, for example, through the implementation of information security solutions, such as PAM tools. However, relying on technology alone can lead many organizations to a false sense of security. Therefore, in a context in which just one click is enough for a malicious agent to gain access to an organization’s infrastructure, what can be done to gain greater control over information security?

Standards and frameworks for information security

Cybersecurity standards and frameworks have proven to be powerful tools for organizations. These guidelines have been developed with the aim of offering a systematic approach to protecting employees’, clients’, and partners’ data. Some of these frameworks are designed for a specific industry, and all of them aim to reduce unknown vulnerabilities and configuration errors in the organizational environment. In short, these standards introduce models that allow organizations to understand their security approach and know how to improve it. And as they have been tested in different situations and industries, one can vouch for their reliability and effectiveness. These frameworks can be used with cybersecurity solutions, such as Security Information and Event Management (SIEM) or Privileged Access Management (PAM) tools.

Some of the leading cybersecurity risk management frameworks, regulations, and standards are the ISO 27000 standards, the NIST’s Cybersecurity Framework (and more recently, the Privacy Framework), the PCI DSS standard, and the Center for Internet Security’s (CIS) Critical Security Controls. Even though the controls of these frameworks address numerous aspects of Information Security, some of them are influenced by or effectively require the concepts associated with PAM.

PAM, standards and frameworks

Privileged Access Management refers to a set of technologies and practices that monitor and manage privileged access (also called administrative access) to critical systems. Through a privileged credential, a user can, for example, modify system settings and user accounts, and access critical data. Thus, given their level of access and control over the systems that manage information or processes, a privileged user exposes the organization to potential business risks. Whether through an attack, privilege abuse, or human error, a privileged user can be an attack vector for a potential security incident.

Among the CIS Critical Security Controls for Effective Cyber Defense, one control directly addresses aspects of PAM: the subcontrols of control number 4 cover the controlled use of administrative privileges, including the management of access through privileged accounts.

What is the ISO/IEC 27001 standard?

ISO/IEC 27001, in turn, is an Information Security Management standard published by ISO with IEC and is used by organizations around the world with the aim of establishing, implementing, maintaining, evaluating, and continuously improving an Information Security Management System (ISMS). Of the 35 control objectives provided for in the standard, approximately 80% are directly or indirectly linked to Privileged Access Management processes. One of the ISMS requirements is the full tracking of the credentials of the organization’s own and third-party employees, as well as of non-human users, such as credentials embedded in scripts and applications. If these users are able to make unauthorized changes to systems, access sensitive data, and eliminate trails of their privileged actions, the organization is exposed to serious risks.

The NIST’s Framework for Improving Critical Infrastructure Cybersecurity consists of a series of standards, guidelines, and best practices for managing cybersecurity-related risks. According to NIST, “The framework’s low-cost, prioritized, and flexible approach helps promote the protection and resilience of critical infrastructure and other key sectors for the economy and national security.” The aspects of Privileged Access Management that correlate with the controls in the NIST’s Cybersecurity Framework include the granting and revocation of privileged access, asset management, and the traceability of actions in the environment through audit trails.

What is the PCI standard?

The PCI standard consists of 12 requirements and six control objectives that address security management, policies, procedures, network architecture, and software development for payment card data protection. Privileged Access Management is a critical aspect of PCI DSS compliance. Some of the standard’s requirements can even be met through a PAM solution: those related to the use of default passwords or other security settings of software in an environment, and to the identification and authentication of access to system components.

Why implement a PAM solution in your company?

Using any of these cybersecurity frameworks is not an easy task for any organization, regardless of its size, industry, or experience. In this context, a PAM solution can be considered an important tool for speeding up the implementation of cybersecurity infrastructure, and it allows functions related to identity and access control to be implemented. In addition, a PAM solution allows one to control privileged credentials, bringing compliance to the organization in terms of cybersecurity. Thus, those who discover its added value and are able to implement the associated controls can reduce cybersecurity risks, as well as ensure business continuity.
