
The Cybersecurity Frameworks and PAM

Feb 20, 2020 | BLOG

With digital transformation and increased competition, organizations increasingly need to achieve better results with fewer resources. Business requirements have accordingly changed over the past few years, driven by a landscape of new threats and regulations, as well as by changes in the relationships between companies, clients, and partners.

Against this background, a series of rules and frameworks has emerged, covering everything from technical aspects to business issues. Examples include the development of corporate governance, assurance of the protection of clients’ payment data, and improvement of an organization’s cybersecurity posture and risk mitigation. To ensure compliance with these rules and regulations, organizations can deploy security solutions such as Privileged Access Management (PAM) tools. But what are the main cybersecurity frameworks and rules, why do they matter, and what are the main benefits they bring?

Information security in focus


We live in a hyper-connected world, and cybersecurity risks are increasingly tied to business continuity. This has led many organizations to treat information security not only as a cost but also as an investment, improving their security posture, increasing the trust of clients, partners, and suppliers, and ensuring business continuity. One way of doing that is, for example, by implementing information security solutions such as PAM tools. However, relying on technology alone can give many organizations a false sense of security. So, in a context in which a single click is enough for a malicious agent to gain access to an organization’s infrastructure, what can be done to gain greater control over information security?

Standards and frameworks for information security


Cybersecurity standards and frameworks have proven to be powerful tools for organizations. These guidelines have been developed to offer a systematic approach to protecting employees’, clients’, and partners’ data. Some of these frameworks are designed for a specific industry, and they aim to reduce unknown vulnerabilities and configuration errors in the organizational environment. In short, these standards introduce models that allow organizations to understand their security approach and know how to improve it. And because they have been tested across different situations and industries, one can vouch for their reliability and effectiveness. These frameworks can be used together with cybersecurity solutions such as Security Information and Event Management (SIEM) or Privileged Access Management (PAM) tools.

Some of the leading cybersecurity risk management frameworks, regulations, and standards are the ISO 27000 standards, the NIST’s Cybersecurity Framework (and more recently, the Privacy Framework), the PCI DSS standard, and the Center for Internet Security’s (CIS) Critical Security Controls. Even though the controls of these frameworks address numerous aspects of Information Security, some of them are influenced by or effectively require the concepts associated with PAM.

PAM, standards and frameworks


Privileged Access Management refers to a set of technologies and practices that monitor and manage privileged access (also called administrative access) to critical systems. With a privileged credential, a user can, for example, modify system settings and user accounts, and access critical data. Thus, given their level of access and control over the systems that manage information or processes, a privileged user exposes the organization to potential business risks. Whether through an attack, privilege abuse, or human error, a privileged user can be the attack vector for a security incident.

In the CIS Critical Security Controls for Effective Cyber Defense, one of the controls directly addresses aspects of PAM: the sub-controls of control number 4 cover the controlled use of administrative privileges, including the management of access through privileged accounts.

What is the ISO/IEC 27001 standard?


ISO/IEC 27001, in turn, is an Information Security Management standard published jointly by ISO and IEC and used by organizations around the world to establish, implement, maintain, evaluate, and continuously improve an Information Security Management System (ISMS). Of the 35 control objectives provided for in the standard, approximately 80% are directly or indirectly linked to Privileged Access Management processes. One of the ISMS requirements is the full tracking of credentials of the organization’s own and third-party employees, as well as of non-human users, such as credentials embedded in scripts and applications. If these users are able to make unauthorized changes to systems, access sensitive data, and erase the trails of their privileged actions, the organization is exposed to serious risks.

NIST’s Framework for Improving Critical Infrastructure Cybersecurity consists of a series of standards, guidelines, and best practices for managing cybersecurity-related risks. According to NIST, “The framework’s low-cost, prioritized, and flexible approach helps promote the protection and resilience of critical infrastructure and other key sectors for the economy and national security.” Some of the aspects associated with Privileged Access Management, correlated to the controls contained in the NIST Cybersecurity Framework, are the granting and revocation of privileged access, asset management, and the traceability of actions in the environment through audit trails.
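To make the PAM capabilities described above concrete (time-bounded granting and revocation of privileged access against a managed asset inventory, with an audit trail of every action, which is also what CIS control 4 is about), here is a small Python model written for this article; it is not the code of any PAM product or framework, and the asset name, user names and secret are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
@dataclass
class PrivilegedAccessManager:
    vault: dict                                 # asset -> privileged credential (constructed)
    grants: list = field(default_factory=list)  # dicts: user, asset, expires_at, revoked
    audit: list = field(default_factory=list)   # (time, actor, action, asset, outcome)

    def _log(self, now, actor, action, asset, outcome):
        self.audit.append((now.isoformat(), actor, action, asset, outcome))

    def _active(self, user, asset, now):
        return [g for g in self.grants if g["user"] == user and g["asset"] == asset
                and not g["revoked"] and now < g["expires_at"]]

    def request(self, user, asset, now, ttl_minutes=30):
        # Time-bounded grant instead of standing admin rights; assets outside the inventory are refused.
        if asset not in self.vault:
            self._log(now, user, "request", asset, "denied: unknown asset")
            return False
        self.grants.append({"user": user, "asset": asset, "revoked": False,
                            "expires_at": now + timedelta(minutes=ttl_minutes)})
        self._log(now, user, "request", asset, "granted")
        return True

    def checkout(self, user, asset, now):
        # The credential is released only against an unrevoked, unexpired grant; every attempt is logged.
        if self._active(user, asset, now):
            self._log(now, user, "checkout", asset, "allowed")
            return self.vault[asset]
        self._log(now, user, "checkout", asset, "denied: no active grant")
        return None

    def revoke(self, admin, user, asset, now):
        hit = self._active(user, asset, now)
        for g in hit:
            g["revoked"] = True
        self._log(now, admin, "revoke", asset, f"revoked {len(hit)} grant(s) for {user}")
        return len(hit)

def demo():
    pam = PrivilegedAccessManager(vault={"db01": "dba:placeholder-secret"})  # constructed inventory
    t0 = datetime(2020, 2, 20, 9, 0, tzinfo=timezone.utc)
    pam.request("alice", "db01", t0, ttl_minutes=30)
    inside = pam.checkout("alice", "db01", t0 + timedelta(minutes=10))   # allowed
    expired = pam.checkout("alice", "db01", t0 + timedelta(minutes=31))  # denied
    pam.request("bob", "db01", t0)
    pam.revoke("admin", "bob", "db01", t0 + timedelta(minutes=1))
    revoked = pam.checkout("bob", "db01", t0 + timedelta(minutes=2))     # denied
    return inside, expired, revoked, pam.audit
```

The audit list returned by `demo()` is the trail an auditor would read: who requested, checked out or revoked which asset, when, and with what outcome.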

What does the PCI standard cover?


The PCI standard consists of 12 requirements and six control objectives that address security management, policies, procedures, network architecture, and software development for the protection of payment card data. Privileged Access Management is a critical aspect of PCI DSS compliance. Some of the standard’s requirements can even be met through a PAM solution: those related to the use of default passwords and other security settings of software in the environment, and those related to the identification and authentication of access to system components.

Why implement a PAM solution in your company?


Adopting any of these cybersecurity frameworks is not an easy task for any organization, regardless of its size, industry, or experience. In this context, a PAM solution can be an important tool for speeding up the implementation of a cybersecurity infrastructure, as it allows the functions related to identity and access control to be put in place. In addition, a PAM solution allows the organization to control its privileged credentials, bringing it into compliance in terms of cybersecurity. Thus, those who recognize its added value and are able to implement the associated controls can reduce cybersecurity risks and help ensure business continuity.
