Does Your PAM Solution Conform to CIS Critical Controls?

Is your organization safe from data breaches, data leaks, and other cyber security threats? You might not be as well protected as you think. Certainly, measures like two-factor authentication, single sign-on, and Active Directory Group Policy are important ways to reduce password breaches. But they can’t control how a person uses administrative privileges once they have access to the system. To do that, you need a privileged access management solution.

Privileged access management (PAM) uses the principle of least privilege to ensure that administrative access is granted only to those who genuinely need it. Once granted, access is limited to a specific task for a designated amount of time and then revoked.

The best way to ensure that your PAM solution will effectively monitor and manage access to your sensitive data is to verify that it conforms with CIS Critical Security Controls.

What Are CIS Critical Security Controls?

CIS Critical Security Controls are a set of recommended best practices designed to mitigate cyber threats in 18 different areas. Managed by the nonprofit Center for Internet Security, the controls are recognized around the world as the gold standard for cybersecurity. They cover all aspects of cybersecurity, from data protection and malware defense to network monitoring and much more.

CIS Control #5 deals directly with account management and controlled use of administrative privileges, the same issues PAM seeks to address. To adequately protect your privileged accounts against breaches and threats, it’s critical to ensure that your PAM solution conforms to CIS Control recommendations.

Let’s take a look at what those recommendations mean for PAM.

How Does PAM Help You Enforce CIS Controls?

A PAM solution’s functionality and design should reflect the standard set of best practices provided by CIS controls. Your PAM solution can help you create policy rules and enforce behavioral recommendations that support these practices, preventing unauthorized access and protecting your data.

CIS Control #5 includes six subsections that correspond to specific PAM functionalities:

Establish and Maintain an Inventory of Accounts

  • PAM solutions manage access by keeping an inventory of accounts and associated privileges. The solution removes local admin rights and follows predetermined policy rules to secure and monitor privileged access. The solution also automatically determines when to grant and revoke privileges for new users or terminated users. This ensures that users are unable to share administrative rights.

Use Unique Passwords

  • PAM secures your administrative accounts by creating a unique password each time privileged access is granted. Users don’t need to know the actual system password, because the solution grants them access based on their role and task. When the user task is completed, access is revoked. This practice prevents users from sharing passwords with each other to circumvent the security controls. It’s also important to teach and enforce password best practices and implement other security controls such as multi-factor authentication and single sign-on. Generally, these practices work with PAM to provide the highest level of protection.

Disable Dormant Accounts

  • Inactive accounts should be disabled immediately so they don’t present a security risk. A PAM solution makes this easy by automatically disabling accounts that haven’t been active for a specified number of days.

Restrict Administrator Privileges to Dedicated Administrator Accounts

  • Removing local administrative rights and unnecessary privileges is a central component of PAM. By eliminating standing privileges and granting access on a just-in-time, least-privilege basis, PAM solutions prevent unauthorized access that could introduce threats to your system. Above all, these measures exist to limit security breaches and the damage they may cause: grant only the privileges the job requires, and disable access as soon as the task is finished.

Establish and Maintain an Inventory of Service Accounts

  • Service accounts are privileged accounts used to run an application or interact with an operating system. They present security risks because they make it easy for hackers to elevate privileges and access sensitive data. These accounts present a critical use case for PAM solutions, and they should be included in the account inventory. With a PAM solution, you can monitor and record privileged access and activity for service accounts as well as standard user accounts.

Centralize Account Management

  • PAM makes it easy to centralize account management, because it brings all accounts under one management system. This is the most secure way to enforce password best practices, reduce attack surfaces, and limit risk.
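As an added illustration (not code from the page or from CyberFOX), the following Python model shows three of the Control 5 themes above in working form: an account inventory audit that flags untracked, dormant and standing-admin accounts, and a just-in-time grant that is scoped to a task and expires on its own. The Account fields, the sample accounts and the 45-day default are assumptions; the page leaves the dormancy threshold configurable, and 45 days is the figure used by CIS Controls v8 safeguard 5.3.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Account:  # hypothetical inventory record; field names are assumptions, not a product schema
    name: str
    kind: str              # "user", "admin" (dedicated admin account) or "service"
    standing_admin: bool   # holds permanent administrative rights
    last_active: datetime
    in_inventory: bool = True
DORMANT_DAYS = 45  # the page leaves the threshold configurable; 45 days is CIS v8's figure

def audit_accounts(accounts, now, dormant_days=DORMANT_DAYS):
    """Flag accounts that breach the inventory, dormancy and dedicated-admin rules."""
    findings = {"untracked": [], "dormant": [], "standing_admin": []}
    for acct in accounts:
        if not acct.in_inventory:  # user or service account missing from the inventory
            findings["untracked"].append(acct.name)
        if now - acct.last_active > timedelta(days=dormant_days):  # dormant account
            findings["dormant"].append(acct.name)
        if acct.kind == "user" and acct.standing_admin:  # admin rights on an everyday account
            findings["standing_admin"].append(acct.name)
    return findings

class JitGrants:  # just-in-time elevation scoped to a task and a time window; revokes itself
    def __init__(self):
        self._grants = {}
    def grant(self, user, task, now, minutes):
        self._grants[user] = (task, now + timedelta(minutes=minutes))
    def is_elevated(self, user, now):
        entry = self._grants.get(user)
        if entry is not None and now < entry[1]:
            return True
        self._grants.pop(user, None)  # window closed (or never opened): drop the grant
        return False

NOW = datetime(2024, 3, 1, 9, 0)  # constructed sample data, not from any real environment
SAMPLE = [
    Account("alice", "user", False, NOW - timedelta(days=2)),
    Account("bob", "user", True, NOW - timedelta(days=1)),
    Account("carol-adm", "admin", True, NOW - timedelta(days=10)),
    Account("old-contractor", "user", False, NOW - timedelta(days=90)),
    Account("svc-backup", "service", True, NOW - timedelta(hours=3), in_inventory=False),
]

def demo_jit():  # grant alice a 30-minute window and probe it at 29, 30 and 0 minutes
    jit = JitGrants()
    jit.grant("alice", "rotate-db-password", NOW, minutes=30)
    return tuple(jit.is_elevated("alice", NOW + timedelta(minutes=m)) for m in (29, 30, 0))
```

The third probe in `demo_jit` runs after the window has closed, so it reports no elevation even though the timestamp is within the original window; the grant has already been revoked.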

Keeping Your Privileged Accounts Safe

No one should have unfettered access to your privileged accounts. These accounts are prime targets for attackers because they offer the “keys to the kingdom.” When access is granted too liberally, hackers can move through your network and your clients’ networks unhindered, putting your sensitive information at risk.

AutoElevate by CyberFOX solves this problem by limiting both the scope and the duration of privileged access to minimize threats. We make i