In today’s digital landscape, admin accounts, service accounts, and break glass accounts have become synonymous with privileged access and elevated privileges in the IT environment. However, these accounts also pose a significant security risk with over 90% of successful cyberattacks targeting privileged accounts as their primary objective. With privileged access often being a prerequisite for installing malware, it’s no wonder that almost every attack vector involves the misuse of these special accounts. As a result, the need for robust IT compliance and stringent regulations surrounding the hardening of privileged accounts becomes increasingly evident.
In this article, we will delve into the compliance aspects of privileged access management (PAM), with a specific focus on the IT compliance framework, ISO 27001. Together, we will explore the critical importance of implementing PAM as a proactive measure to protect your organization from devastating security breaches and safeguard your valuable digital assets.
The importance of privileged access management
Privileged access refers to accounts with additional capabilities or rights beyond those of standard users. In the Windows Active Directory (AD) environment, users belonging to “Enterprise Admins,” “Administrator,” or “Domain Admins” security groups possess the highest privileges. They can add or remove users, install unwanted applications, and even modify or delete critical information. Similarly, the “root” account in the Unix/Linux environment has unlimited access to all system resources, allowing it to modify files, delete programs, or install malicious code. In the cloud, AWS’s TEAM (temporary elevated access management) solution in the IAM Identity center can (as the name alludes to) temporarily elevate a human user’s access to admin, also known as granting “Just-in-Time Access”. These privileged accounts are often referred to as the “keys to the kingdom.” However, if these keys fall into the wrong hands, the consequences can be catastrophic.
In 2013, one of the USA’s largest retail giants, Target, fell victim to a massive data breach that had far-reaching consequences. Hackers successfully infiltrated Target’s network through a sophisticated spear phishing campaign, tricking an unsuspecting employee into clicking on a malicious link in an email. This initial breach provided the attackers with a foothold within Target’s system. Once inside, they exploited privileged access credentials obtained from a third-party vendor, allowing them to navigate through the network undetected.With these elevated privileges, the attackers were able to move laterally, gaining access to sensitive customer information stored in Target’s systems. In total, approximately 40 million credit and debit card records were compromised, exposing customers to potential financial fraud and identity theft. The aftermath of this breach resulted in substantial financial losses for Target, including an $18.5 million settlement to address the repercussions of the incident.
Similarly, in 2016, multinational investment bank, Morgan Stanley, faced a significant security incident involving privileged access misuse. This breach was an insider threat scenario, where a former employee exploited their privileged access rights to exfiltrate sensitive data from approximately 730,000 customer accounts. The former employee, leveraging their authorized access, downloaded and transferred this data to an external server without detection. By having privileged access, the insider was able to bypass security measures and evade suspicion while carrying out their malicious activities. This breach not only compromised the personal and financial information of Morgan Stanley’s customers, but also raised concerns about the potential misuse of privileged access within the organization. The incident highlighted the critical need for comprehensive privileged access management practices to prevent unauthorized data exfiltration and mitigate insider threats.
These examples underscore the real-world consequences of privileged access misuse. They demonstrate how attackers can exploit vulnerabilities, such as spear phishing and insider threats, to gain access to privileged accounts and navigate through systems, leading to severe data breaches and financial losses. Subsequently, the need to identify all accounts with this level of privilege becomes paramount. It is crucial to store these credentials centrally and securely, clearly define each account’s associated function (e.g., which service, application, or system uses the account), and accurately identify the individuals who have access to these accounts. This comprehensive approach to managing privileged access, known as privilege access management (PAM), becomes fundamental in protecting these accounts against unauthorized access and deliberate or accidental misuse. By implementing robust PAM solutions, organizations can effectively safeguard their privileged accounts, minimize the risk of security incidents, and maintain better control over their information assets.
What does ISO27001:2013 say?
The ISO 27001 standard is a widely accepted information security standard that comprehensively covers various aspects of information security. Developed by the International Organization for Standardization (ISO), it is governed by a range of Information Security Management Systems (ISMS). ISMS represents an amalgamation of people, policies and controls, designed to effectively manage data and information within organizations. Key components of ISMS include asset management, HR practices, and leadership strategies, all of which contribute to the overall security posture of an organization.
When examining the relationship between Privileged Access Management (PAM) and ISO 27001, it becomes necessary to explore the ISMS components that guide the use and implementation of privilege access management in organizations. Table 1 showcases these components, highlighting their relevance to PAM within the ISO 27001 framework. By understanding the interconnectedness of PAM and various ISMS aspects, organizations can establish a robust approach to managing privileged access and align their practices with the requirements of ISO 27001. This integration ensures a comprehensive and effective information security management strategy, safeguarding critical assets and mitigating the risks associated with privileged accounts.
|ISO 27001:2013 Section||Title||Description|
|A.9.2.3||Management of Privilege Access Rights||This section emphasizes the importance of restricting and controlling the allocation and use of privileged access rights. It highlights the need for organizations to implement measures to manage and monitor these privileges effectively.|
|A.9.2.4||Use of Privileged Utility Programs||This section emphasizes the need to restrict and tightly control the use of utility programs capable of overriding system and application controls. It highlights the risks associated with uncontrolled usage of such programs and the need for strict controls.|
|A.6||Internal Organization||While not a direct reference, this section highlights the importance of establishing clear roles and responsibilities within an organization, which includes managing and governing privileged access to ensure accountability and reduce security risks.|
|A.11||Physical and Environmental Security||Although not directly related, this section emphasizes the need to implement physical and environmental controls to protect systems and devices that may grant privileged access. Physical security measures contribute to overall PAM efforts.|
|A.15||System Acquisition, Development, and Maintenance||While not explicitly mentioned, this section underscores the significance of considering privileged access management during system acquisition, development, and maintenance processes. It emphasizes integrating PAM practices into the entire lifecycle of systems to ensure secure management of privileges.|
|A.12||Operations Security||Although not explicitly focused on PAM, this section emphasizes the need for organizations to establish operational procedures and controls that encompass privileged access management as an essential component of secure operations.|
|A.16||Information Security Incident Management||While not directly related, this section emphasizes the importance of having an effective incident management process that includes privileged access as a critical aspect to address security incidents and prevent further unauthorized access.|
|A.18||Compliance||This section highlights the need for organizations to comply with applicable laws, regulations, and contractual requirements. Compliance with PAM practices ensure the protection of privileged access, reducing the risk of unauthorized access and potential legal or regulatory consequences.|
PAM services and solutions
Implementing a robust PAM solution enables organizations to meet the aforementioned ISO 27001 controls effectively. Industry leading on-prem solutions include BeyondTrust, IBM or CyberArk. Cloud PAM solutions have multiple services to manage PAM. TEAM in AWS manages temporary elevated access of users. Similarly, “Just-in-Time (JIT) Access,” manages users who request temporary access to instances and resources for a defined period in GCP. Additional cloud services that involve other PAM capabilities include AWS Secrets Manager, which manages and secures sensitive information like API keys, database credentials, and other secrets. The OneLogin cloud service also ensures privileged session monitoring, privileged account management, and MFA to secure privileged access.
Beyond compliance, PAM solutions provide several essential benefits:
- Non-repudiation of privileged operations through comprehensive audit logging.
- Centralized storage and management of passwords, ensuring their security and eliminating vulnerabilities associated with weak or shared credentials.
- Regular privileged user access review, ensuring that access is granted and revoked appropriately, minimizing the risk of unauthorized use.
In conclusion, compliance around privileged access management (PAM) in frameworks like ISO 27001, is vital for organizations seeking to protect their sensitive data and critical systems. Through this exploration, we have highlighted the risks associated with privileged accounts, demonstrated the real-world consequences of their misuse, and emphasized the need for robust PAM solutions. By implementing effective PAM strategies, organizations can limit the potential for unauthorized access, minimize the impact of security incidents, and enhance their overall security posture.
It is imperative that organizations prioritize the implementation of PAM solutions as an integral part of their information security strategy. This includes taking proactive steps to identify all accounts with privileged access, securely storing credentials, monitoring and controlling their usage, and regularly reviewing access privileges.
Engage with ISO 27001 experts and leverage industry best practices to ensure a comprehensive and tailored approach to PAM implementation.