The Cybersecurity Frameworks and PAM

With digital transformation and increased competition, it is increasingly important for organizations to achieve progressive and better results using fewer resources. In this sense, business requirements have been changing over the past few years, based on a new panorama of new threats, regulations, as well as changes in the relationships between companies, clients, and partners. 

Given this background, there are a series of rules and frameworks involving things from technical aspects to business issues. Some examples include the development of corporate governance, assurance of the protection of clients’ payment data or improvement in the attitude and mitigation of cybersecurity risks within an organization. To ensure compliance with these rules and regulations, organizations can deploy security solutions, such as Privileged Access Management or PAM tools. But what are the main frameworks and rules related to cybersecurity, what is their importance and what are the main benefits brought by them?

Information security in focus

We live in a hyper-connected world, and cybersecurity risks are increasingly aligned with business continuity. This has led many organizations to consider the information security aspect not only as a cost, but also as an investment, and thus improve their cyber attitude, increasing the trust by clients, partners, and suppliers, and ensuring business continuity. One way of doing that is, for example, through the implementation of information security solutions, such as PAM tools. However, relying on technology alone can lead many organizations to a false sense of security. Therefore, in a context in which just one click is enough for a malicious agent to get access to an organization’s infrastructure, what can be done to gain greater control over information security?

Standards and frameworks for information security

Cybersecurity standards and frameworks have proven to be powerful tools for organizations. These guidelines have been developed with the aim of offering a systematic approach to protecting employees’, clients’, and partners’ data. Some of these frameworks may, in some cases, be designed for a specific industry, and are designed to reduce unknown vulnerabilities and configuration errors in the organizational environment. To summarize, these standards introduce models to allow organizations to understand their security approach and know how to improve it. And as they have been tested in different situations and industries, one can vouch for their confidence and effectiveness. These frameworks can be used with cybersecurity solutions, such as Security Information and Event Management (SIEM) or Privileged Access Management (PAM) tools.

Some of the leading cybersecurity risk management frameworks, regulations, and standards are the ISO 27000 standards, the NIST’s Cybersecurity Framework (and more recently, the Privacy Framework), the PCI DSS standard, and the Center for Internet Security’s (CIS) Critical Security Controls. Even though the controls of these frameworks address numerous aspects of Information Security, some of them are influenced by or effectively require the concepts associated with PAM.

PAM, standards and frameworks

Privileged Access Management refers to a set of technologies and practices that monitor and manage privileged access (also called administrative access) to critical systems. Through a privileged credential, a user can, for example, modify system settings, user accounts and access critical data. Thus, given their level of access and control over the systems that manage information or processes, a privileged user exposes the organization to potential business risks. Whether through an attack, privilege abuse, or human error, a privileged user can be an attack vector for a potential security incident.

Considering the CIS’ Critical Security Controls for Effective Cyber Defense, one of the controls introduced by the framework directly addresses aspects of PAM. Thus, the subcontrols addressed by control number 4 are associated with the controlled use of administrative privileges, considering the management of access through privileged accounts.

What is the ISO/IEC 27001 standard?

ISO/IEC 27001, in turn, is an Information Security Management standard published by ISO with IEC and is used by organizations around the world with the aim of establishing, implementing, maintaining, evaluating, and continuously improving an Information Security Management System (ISMS). From the 35 control goals provided for in the standard, approximately 80% of them are directly or indirectly linked to the Privileged Access Management processes. One of the ISMS requirements is the full tracking of credentials of own and third-party employees, as well as non-human users, such as credentials embedded in scripts and applications. If these users are able to make unauthorized changes to systems, access sensitive data, and eliminate trails of their privileged actions, the organization is exposed to serious risks.

The NIST’s Framework for Improving Critical Infrastructure Cybersecurity consists of a series of standards, guidelines, and best practices for managing cybersecurity-involved risks. According to NIST, “The framework’s low-cost, prioritized, and flexible approach helps promote the protection and resilience of critical infrastructure and other key sectors for the economy and national security.” Some of the aspects associated with Privileged Access Management, correlated to the controls contained in the NIST’s Cybersecurity Framework, are linked to the granting and revocation of privileged accesses, asset management, and the traceability of actions in the environment through audit trails.

What does the PCI standard?

The PCI standard consists of 12 requirements and six control objectives that address security management, policies, procedures, network architecture, and software development for payment card data protection. Privileged Access Management is a critical aspect of PCI DSS compliance. Some of the standard’s requirements are even possible to be met through a PAM solution; they are related to the use of default passwords or other security settings of software in an environment; and the identification and authentication of access to system components.

Why implement a PAM solution in your company?

Using any of these cybersecurity frameworks is not an easy task for any organization, regardless of its size, industry, or experience. In this context, a PAM solution can be considered an important tool for speeding up the implementation of cybersecurity infrastructure and allows functions related to identity and access control to be implemented. In addition, a PAM solution allows one to control privileged credentials, bringing compliance to the organization in terms of cybersecurity. Thus, those who discover its added value and are able to implement the associated controls can reduce cybersecurity risks, as well as ensure business continuity.