Whether it’s the EU’s new NIS2 regulations, the NHS’s DSP guidelines, or Cyber Essentials, the emphasis on the importance of managing privileged access continues to grow.
And it’s even reflected in the demands of cyber insurers, who are placing increasing scrutiny on how businesses seeking to obtain a policy are handling privileged accounts.
Within the many best practice guidelines and regulatory rules that exist for cyber security, Privileged Access Management (PAM) is not always the exact term you’ll see.
Privilege has many different faces.
You might find references to administrator accounts or privileged accounts, access management or identity management among others. Or, as we’ll discuss, Privileged User Management (PUM).
But it essentially boils down to the same principles.
One of the most important guidelines for UK organisations to follow is the National Cyber Security Centre’s Cyber Assessment Framework (CAF). Within that, the key to success is good management of identity and privileged accounts.
The CAF talks slightly differently about this subject, referring to Privileged User Management.
You might think of PUM as being the business of controlling what systems and devices are available to the Privileged User, whereas PAM refers to the management of the actual accounts used on systems, applications and devices.
Read more about PUM, PAM and PIM here.
The framework includes a section on how to “closely manage privileged user access to networks and information systems supporting the essential function”.
To show that this has been achieved, the CAF lists the following indicators (quoted verbatim):
• Privileged user access to your essential function systems is carried out from dedicated separate accounts that are closely monitored and managed.
• The issuing of temporary, time-bound rights for privileged user access and / or external third-party support access is in place.
• Privileged user access rights are regularly reviewed and always updated as part of your joiners, movers and leavers process.
• All privileged user access to your networks and information systems requires strong authentication, such as multi-factor (MFA) or additional real-time security monitoring.
• All privileged user activity is routinely reviewed, validated and recorded for offline analysis and investigation.
You can read the CAF’s section on PUM in full here.
The CAF indicates organisations may be at risk if any of the following statements are true:
• The identities of individuals with privileged access to your essential function systems (infrastructure, platforms, software, configuration, etc) are not known or not managed.
• Privileged user access to your essential function systems is via weak authentication mechanisms (e.g. only simple passwords).
• The list of privileged users has not been reviewed recently (e.g. within the last 12 months).
• Privileged user access is granted on a system-wide basis rather than by role or function.
• Privileged user access to your essential function is via generic, shared or default name accounts.
• Where there are “always on” terminals which can perform privileged actions (such as in a control room), there are no additional controls (e.g. physical controls) to ensure access is appropriately restricted.
• There is no logical separation between roles that an individual may have and hence the actions they perform. (e.g. access to corporate email and privilege user actions).
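The two CAF lists above translate naturally into checks that can be run over a privileged account inventory. The script below is an added example, not Osirium's code or part of the CAF; the inventory records and their field names (owner, mfa, last_reviewed, expires, scope, third_party, daily_use) are assumptions constructed for illustration, and each finding is labelled with the CAF risk indicator it corresponds to.

```python
from datetime import date

# Constructed sample inventory (not real data): one record per privileged account.
# owner=None means the identity behind the account is not known; scope is either
# "system-wide" or a role; expires is None when rights are not time-bound.
PRIVILEGED_ACCOUNTS = [
    {"name": "j.smith-adm", "owner": "j.smith", "mfa": True, "third_party": False,
     "last_reviewed": date(2024, 3, 1), "expires": None, "scope": "role:dba",
     "daily_use": False},
    {"name": "admin", "owner": None, "mfa": False, "third_party": False,
     "last_reviewed": date(2022, 1, 1), "expires": None, "scope": "system-wide",
     "daily_use": False},
    {"name": "vendor-support", "owner": "acme-ltd", "mfa": True, "third_party": True,
     "last_reviewed": date(2024, 6, 1), "expires": None, "scope": "role:firewall",
     "daily_use": False},
    {"name": "a.jones", "owner": "a.jones", "mfa": True, "third_party": False,
     "last_reviewed": date(2024, 5, 1), "expires": None, "scope": "role:helpdesk",
     "daily_use": True},  # same account used for email and privileged actions
]

# Assumed list of generic / default names that indicate a shared account.
GENERIC_NAMES = {"admin", "administrator", "root", "sa", "service", "shared"}


def caf_pum_findings(accounts, today, review_max_days=365):
    """Return (account name, finding) pairs, one per CAF 'at risk' indicator hit."""
    findings = []
    for acct in accounts:
        name = acct["name"]
        if acct["owner"] is None:
            findings.append((name, "identity of privileged user not known or managed"))
        if not acct["mfa"]:
            findings.append((name, "weak authentication: no MFA"))
        if (today - acct["last_reviewed"]).days > review_max_days:
            findings.append((name, "privileged user not reviewed within 12 months"))
        if acct["scope"] == "system-wide":
            findings.append((name, "access granted system-wide rather than by role"))
        if name.lower() in GENERIC_NAMES:
            findings.append((name, "generic, shared or default account name"))
        if acct["daily_use"]:
            findings.append((name, "no separation between everyday and privileged roles"))
        # The CAF asks for temporary, time-bound rights for third-party support access.
        if acct["third_party"] and acct["expires"] is None:
            findings.append((name, "third-party support access is not time-bound"))
    return findings


if __name__ == "__main__":
    for account, finding in caf_pum_findings(PRIVILEGED_ACCOUNTS, date(2024, 7, 1)):
        print(f"{account}: {finding}")
```

In practice the inventory would be exported from the directory or PAM system rather than hard-coded, and the review-age threshold should match the organisation's own joiners, movers and leavers cadence.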
Osirium PAM helps organisations with CAF and other regulatory compliance. It implements both PUM and PAM to increase cyber security by reducing the attack surface of an organisation’s systems.
Want some more help in understanding the requirements and how Osirium can support your organisation?
Get in touch with our team here.