IPG Group | Winterthur – Bern – Berlin – Dresden – Vienna – Constance T +41 52 245 04 74 | F +41 52 245 04 73 | [email protected] | www.ipg-group.com 1
TECHNICAL REPORT
Privileged Access Management (PAM) in the
context of ISO 27001
To what extent can PAM cover the requirements of ISO/IEC 27001?
Author: Stefan Huber, Senior Technical Consultant, IPG Group
Table of contents
1 Introduction ... 1
2 Basic Principles ... 1
2.1 Identity & Access Management ... 1
2.1.1 Identity Management ... 4
2.1.2 Access Management ... 5
2.1.3 Identity and Access Governance ... 6
2.2 Privileged Access Management ... 7
2.3 ISO Standards for Information Security ... 11
3 Covering the Requirements of ISO 27001 ... 11
3.1 Privileged Access Management (PAM) in the context of ISO 27001 ... 12
3.2 Information Security Policies (A.5) ... 12
3.3 Organisation of Information Security (A.6) ... 13
3.4 Access Control (A.9) ... 13
3.5 Operations Security (A.12) ... 15
3.6 Supplier Relationships (A.15) ... 16
3.7 Information Security Incident Management (A.16) ... 16
3.8 Compliance (A.18) ... 17
4 Overview of the Degree of Coverage ... 18
5 Conclusion ... 19
6 Portrait ... 19
6.1 Stefan Huber ... 19
6.2 IPG Group ... 19
7 Sources Used ... 20
Chapter: Introduction 1
1 Introduction
The ISO/IEC 27001 security standard of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) is one of the most important standards in information security and describes the requirements for an information security management system (ISMS) that ensures the company's security objectives are achieved. In Annex A, the standard outlines a comprehensive catalogue of action goals and measures, and, together with ISO/IEC 27002, offers specific information on their implementation, which an organisation can draw from and use to deal with its security risks. Although the ISO/IEC 27002 standard only provides assistance with the fulfilment of the action goals, the organisation's ISMS can be certified to ISO/IEC 27001. This certification is carried out by an accredited certification body in an external audit (Brenner, et al., 2014, S. 149). As part of this certification audit, compliance with the requirements of the standard is checked and the conformity of the ISMS with the standard is determined.
Many companies strive for ISO certification in order to differentiate themselves from the competition, to reduce internal security vulnerabilities, or because there are legal or regulatory requirements to do so. Many of the controls prescribed by ISO/IEC 27001 can be fulfilled directly or indirectly through a comprehensive, company-wide Identity and Access Management system (IAM) and through the access management of privileged user accounts (PAM). However, introducing an IAM and PAM system is usually a major challenge, because each solution has to be adapted to the individual needs, requirements and general framework of the organisation. An ISO/IEC 27001-compliant implementation additionally requires external factors to be taken into account.
This technical report focuses on the area of PAM and shows which requirements of the ISO/IEC 27001
standard can be met by integrating a PAM system into the company.
2 Basic Principles
For the subsequent analyses, and for the benefit of their traceability, it is necessary for the terms to
be clearly defined. For the IAM and PAM topics, in particular, it is necessary to define the functional
scope of the two areas and to show the boundaries. A precise scope of functions is defined in the
Basic Principles section of this technical report, and this then forms the basis of further analyses.
2.1 Identity & Access Management
Gartner (IT Glossary, 2019) generally outlines Identity & Access Management (IAM) as follows:
"Identity and access management (IAM) is the security discipline that enables the right
individuals to access the right resources at the right times for the right reasons".
In other words, as part of a company's information security system, IAM ensures the authentication
of individuals through access management, and the authorisation to various IT systems and resources
through managing identities and their access rights. All at the right time and for the right reason.
Gartner's (IT Glossary, 2019) definition also addresses a company's compliance requirements, which are supported and guaranteed by IAM. As a result, Gartner (Gartner, Inc., 2019) refers, on the one hand, to Access Management (AM) and, on the other hand, to Identity Governance & Administration (IGA). Gartner defines the functionalities of the two areas as shown in Fig. 1:
Fig. 1: Identity and Access Management according to Gartner
Source: based on Gaehtgens et al. (Gaehtgens, Kampman, & Iverson, Magic Quadrant for Identity Governance and
Administration, 2018) and Kreizman (Kreizman, 2018)
Kuppinger and Singh (Identity Governance & Administration, 2018) also use the term Identity Governance and Administration (IGA) in their analysis reports, though they see it as a combination of User Access Provisioning (UAP) and Access Governance (IAG). In contrast to Gartner, Hill and Kuppinger (Access Management and Federation, 2019) place a strong focus on federation when it comes to Access Management. Access Management should be viewed holistically across the company, taking into account the various needs and requirements of internal and external employees, business partners and customers. They all have different access needs, which should be met by Access Management and federation. This covers internal, incoming and outgoing access, which can take place on internal, on-premise applications, or on private or public cloud services. Hill and Kuppinger (Access Management and Federation, S. 6) therefore divide the functionalities into three areas, as shown in Fig. 2:
Fig. 2: Identity and Access Management according to KuppingerCole
Source: based on Kuppinger and Singh (Kuppinger & Singh, Identity Governance & Administration, 2018) and Hill and Kuppinger (Hill & Kuppinger, 2019)
What is common to the Gartner and KuppingerCole definitions is that they both consider the Identity Management (IM) and Access Management (AM) parts separately, and either include governance in them or, again, view it as a separate area. The functionalities of these areas are therefore divided according to IM, AM and IAG. Fig. 3 provides an overview of how the functionalities in this technical report are divided; they are defined and made more concrete in chapters 2.1.1, 2.1.2 and 2.1.3.
Fig. 3: Overview of the functionalities of IAM with a classic identity life cycle approach
[Figure labels recovered from the page: Private Cloud Service; Person and Organisation Data; On-Premise Application; Public Cloud Service]
2.1.1 Identity Management
Identity Management always focuses on the digital identity, its relationship to the organisation, and its attributes throughout the entire life cycle. The life cycle consists of all processes, from creation, activation and deactivation, and change to archiving and deletion. There are different scenarios for how identities should enter identity management. Gaehtgens, Kampmann and Iverson (Magic Quadrant for Identity Governance and Administration, 2018) see four patterns here, which are listed under the term Identity Life Cycle:
• Authoritative source: the classic life cycle, in which a trusted source such as an HR or supplier management system is connected to the IAM; this source guarantees the life cycle and passes the data on to the IAM system (S. 19).
• Sponsorship and expiration: the identity cycle of non-employees who cannot be covered by an authoritative source. A client can request time-limited access for a contractual partner (S. 19).
• Delegated administration: an authorised business partner at a supplier or customer, where several people need access, guarantees the life cycle for its employees. The life cycle is enforced by regular re-certifications or time-limited access (S. 19).
• Self-registration: a possible scenario if some kind of account is required for a personalised interaction with a company's website. Here it is usually not absolutely necessary to remove the access when the relationship ends (S. 19).
Entitlement Management includes the maintenance and administration of the permissions catalogue for all target systems connected to the Identity Management system. An important aspect of this, according to Gaehtgens et al. (Magic Quadrant for Identity Governance and Administration, 2018, S. 1), is the division and clear presentation of the different types of accounts, roles, group memberships and other permissions. According to Gaehtgens et al., linking identities with accounts and access rights is necessary in order to understand which identity has which access and who is responsible for which accounts (S. 1). The latter point is also commonly known as Owner Management. It covers the entire life cycle of assigning, transferring and removing responsibility for permissions and other objects.
According to Kuppinger and Singh, Access Request Management offers users the option of using a web portal to request access rights, IT or other resources for themselves or on behalf of others (Identity Governance & Administration, 2018, S. 11). Access Request Management benefits here from a well-maintained Entitlement Management system that presents the technical permissions catalogue clearly by means of translations and descriptions. This comprehensibility is necessary so that users can find their way around the web portal, and it is a basic prerequisite for ensuring that users only request the access they actually need. Ultimately, Access Request Management hands over to Workflow Management. According to Kuppinger and Singh, this incorporates the decision-making processes and is the trigger for further business processes (2018, S. 11). The decision-making processes can be designed on a risk basis and, depending on the criticality of the permissions, can include a multi-stage or single-stage approval process. For uncritical access requests, it sometimes also makes sense to fulfil them without an approval process. In addition, escalations, reminders and other notifications can be offered as further functionality.
Gaehtgens et al. (Magic Quadrant for Identity Governance and Administration, 2018) view Role Management as a tool to enforce the various policies (S. 1). According to Kuppinger and Singh (Identity Governance & Administration, 2018), the grouping and bundling of access permissions are mainly used to improve general administrative efficiency (S. 11). The mere aggregation of access rights for business roles, based on organisational or task-related criteria, is not yet a governance measure and is therefore listed under the field of Identity Management. However, it is clear that, in reality, there is no strict separation, and the difference between role management, role mining and role governance is fluid.
According to Gaehtgens et al (2018), Fulfilment is generally viewed as the transfer of changes from
Identity Management to the target system and back (Magic Quadrant for Identity Governance and
Administration, 2018, S. 1). Changes are understood to mean all processes of creating, changing and
deleting accounts and permissions, as well as assigning or removing permissions. In many cases, a
change that happens in the IAM system is immediately provisioned to the target systems, and the
status of the target system is periodically synchronised back to the IAM system. The target systems,
here, can be on-premise applications, or private or public cloud services.
2.1.2 Access Management
In contrast to Identity Management, the term Access Management encompasses everything technical that has to do with the process of authenticating and authorising the user. Identity Management ensures that access is granted for a correct and understandable reason and for the correct period. Since this process often begins with the user entering a password, Password Management is an important component. Kreizman (Magic Quadrant for Access Management, Worldwide, 2018) only uses the term Password Reset (S. 1), and Hill and Kuppinger (Access Management and Federation, 2019) do not mention this aspect of Access Management at all. However, this technical report considers more than just resetting, which is why the general term Password Management is used in what follows. Based on the reports by Gartner (Magic Quadrant for Access Management, Worldwide) and KuppingerCole (Access Management and Federation), this includes, among other things, enforcing a password policy, a self-service portal for managing user-specific information such as security questions and the like, and a password reset process performed by the user. Password Management also enables password changes to be propagated to the necessary target systems. This can also be done in conjunction with Identity Management.
Authentication Management covers the different forms of authentication. Authentication takes place either as a simple query of user name and password, or as a two- or multi-factor authentication process. If the form of authentication is determined dynamically and in real time, based on the risk profile of the user and the environment, Hill and Kuppinger (Access Management and Federation, 2019) speak of adaptive authentication (S. 12).
Gartner (IT Glossary, 2019) describes the functionality of Single Sign-On (SSO) essentially as a procedure in which a user logs on once and is then automatically authenticated when accessing other applications. Here, the login can be completed with a password, a medium such as a chip card, or a biometric feature. There are also different types of SSO. Either the users' passwords are stored centrally using Enterprise Single Sign-On (E-SSO), or certificate- or token-based approaches, such as Web SSO or federation, are used. Hill and Kuppinger (Access Management and Federation, 2019), as well as Kreizman (Magic Quadrant for Access Management, Worldwide, 2018), define the functionality for integrating and enabling incoming and outgoing federations as one of the most important points.
Session Management, which enables SSO, among other things, can be used to configure and control
the attributes and the behaviour of the established sessions (Kreizman, 2018).
2.1.3 Identity and Access Governance
As mentioned at the beginning, Gartner makes no explicit distinction between Identity Administration and Governance; KuppingerCole, however, summarises the notion as Access Governance & Intelligence. According to Kuppinger and Singh (Kuppinger & Singh, Access Governance & Intelligence, 2018), Access Governance is the IAM discipline that focuses on risk management and is intended to ensure that compliance is enforced in the company (S. 9). Access Risk Management is thus certainly an important part of doing justice to the risk-based approach. For this purpose, all IAM-relevant objects are assigned a criticality level and classified. The behaviour of requests, decision-making and other workflows can then be differentiated and controlled on this basis.
Attestation of access can be used to carry out access checks as required or at regular intervals, in
order to assess whether the users only have the access rights necessary to carry out their work, and
whether these accesses still comply with the policies (Kuppinger & Singh, Access Governance &
Intelligence, 2018, S. 11). Recertification is also commonly spoken of. This is a designation for the
whole process of various repeated attestations.
Under Reporting and Analytics, Gaehtgens et al. (Magic Quadrant for Identity Governance and Administration, 2018) define the preparation and provision of reports that enable a deeper view of the data of the IAM (S. 2). The field of auditing is considered separately and, according to Gaehtgens et al. (Gaehtgens, Kampman, & Iverson, Magic Quadrant for Identity Governance and Administration, 2018, S. 2), outlines the tools for evaluating business rules and controls based on the current status of the identities and their access rights in the IAM system. Kuppinger and Singh (Identity Governance & Administration, 2018, S. 11) attach more importance in their definitions to the functionality of the analysis of user data. This enables an increase in Governance, and is summarised under the term Identity Analytics. This type of analysis, according to Kuppinger and Singh (Identity Governance & Administration, 2018), uses data analysis techniques to derive meaningful information from the logging and monitoring information, all with the aim of improving the overall efficiency of IGA processes. This functionality offers recommendations for increasing the efficiency of roles, shows risk-based measures after violations of access policies, provides automated test reports on the instances of access, and forms correlations of events in the entire IAM system in order to derive further usable information (S. 11). According to Kuppinger and Singh (Identity Governance & Administration, 2018), Reporting and Dashboarding refers to the preparation and provision of legible and understandable information that supports the persons in charge of improving governance and decision-making. Dashboarding is an important measure when performing an audit. A representation of this kind enables a simple and business-friendly abstraction of metrics and data models in order to effectively monitor the IGA processes (S. 12). In this technical report, these functionalities are defined under the term Reporting and Auditing.
Rules for identifying combinations of roles and permissions that pose a security risk are defined under the term Segregation of Duty (SoD) (Kuppinger & Singh, Access Governance & Intelligence, 2018, S. 9). SoD also includes continuous monitoring for new risks and offers remedial measures.
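The SoD check described above, as an added example that is not from the report: the role catalogue, permissions, rule names and identities are all constructed for illustration. It covers both the detective check over existing assignments and the preventive check on a new access request, which is how the continuous monitoring mentioned in the text is typically put into practice.

```python
"""Segregation of Duty (SoD) check over a constructed role catalogue (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed role catalogue: business role -> technical permissions it bundles.
ROLES: Dict[str, Set[str]] = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_approver": {"invoice.approve", "payment.release"},
    "hr_admin": {"employee.create", "salary.edit"},
    "payroll_run": {"payroll.execute"},
    "sysadmin_ro": {"server.read"},
}


@dataclass(frozen=True)
class SodRule:
    """Two permissions that a single identity must not hold at the same time."""
    name: str
    first: str
    second: str
    risk: str  # criticality level, used to decide how a finding is handled


# Constructed SoD rules (toxic combinations) as a governance team would define them.
RULES: List[SodRule] = [
    SodRule("create-vendor-and-pay", "vendor.create", "payment.release", "high"),
    SodRule("enter-and-approve-invoice", "invoice.enter", "invoice.approve", "high"),
    SodRule("edit-salary-and-run-payroll", "salary.edit", "payroll.execute", "medium"),
]

# Constructed current assignments: identity -> business roles.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"ap_clerk"},
    "bob": {"ap_clerk", "ap_approver"},
    "carol": {"hr_admin", "sysadmin_ro"},
}

Finding = Tuple[str, str, Set[str]]  # (rule name, risk, roles that cause the conflict)


def effective_permissions(role_names) -> Dict[str, Set[str]]:
    """Map each permission to the roles that grant it; unknown roles grant nothing."""
    perms: Dict[str, Set[str]] = {}
    for role in role_names:
        for perm in ROLES.get(role, set()):
            perms.setdefault(perm, set()).add(role)
    return perms


def find_violations(assigned_roles) -> List[Finding]:
    """Detective check: every SoD rule the given role set violates, in rule order."""
    perms = effective_permissions(assigned_roles)
    findings: List[Finding] = []
    for rule in RULES:
        if rule.first in perms and rule.second in perms:
            findings.append((rule.name, rule.risk, perms[rule.first] | perms[rule.second]))
    return findings


def check_request(current_roles, requested_role) -> List[str]:
    """Preventive check for an access request: rules the new role would newly violate."""
    before = {name for name, _, _ in find_violations(current_roles)}
    after = {name for name, _, _ in find_violations(set(current_roles) | {requested_role})}
    return sorted(after - before)


def detective_scan(assignments) -> Dict[str, List[Finding]]:
    """Run the detective check over all identities and keep only those with findings."""
    report: Dict[str, List[Finding]] = {}
    for identity, roles in assignments.items():
        findings = find_violations(roles)
        if findings:
            report[identity] = findings
    return report


if __name__ == "__main__":
    for identity, findings in detective_scan(ASSIGNMENTS).items():
        for name, risk, roles in findings:
            print(f"{identity}: {name} ({risk}) via {sorted(roles)}")
    print("new violations if carol gets payroll_run:",
          check_request(ASSIGNMENTS["carol"], "payroll_run"))
```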
Governance also includes the topic of business roles, which is an important aspect of functionality. In contrast to Identity Management, which focuses on administrative efficiency and automation, Governance focuses on the entire role life cycle (Kuppinger & Singh, Access Governance & Intelligence, 2018, S. 12). According to Kuppinger and Singh (2018), roles go through a cycle that is structured as follows. Starting with the role definition, based on internal and external policies, the process passes to role approval by business, process and role managers. After approval, role creation and role assignment follow, based on the separation of duties and other policy reviews. Restructuring or changes in requirements within the company can result in a role change, which must be implemented in a comprehensible manner after inspection and approval. Finally, further analyses can reveal role inefficiencies and thus lead to optimisation. In addition, the comprehensible deletion and archiving of roles should also be mentioned (S. 12). This entire cycle, throughout which governance and compliance requirements are observed, is referred to in this technical report as Role Mining and Governance.
2.2 Privileged Access Management
Privileged Access Management, as a special area of Identity and Access Management, deals with the identification, securing and management of privileged access data and the resulting access to the entire IT infrastructure of a company (Singh, 2019, S. 6). This applies to all privileged access, whether with personal, impersonal or shared accounts, and regardless of whether the access is made to an on-premise or cloud infrastructure. Gaehtgens et al. (Magic Quadrant for Privileged Access Management, 2018) add that the compliance requirements of a company can only be met through the secure handling of privileged access (S. 1).
Unlike IAM, which generally looks at identities and their personal permissions, PAM focuses on managing shared and technical accounts, as well as the personal accounts of users with elevated permissions, both with the aim of restricting privileged access and preventing the spread of passwords (Kuppinger, Integrating Password and Privilege Management for Unix and Linux Systems, 2019, S. 5). In general, there are two broad approaches to PAM: on the one hand, privileged access with a personal admin account and, on the other hand, with an impersonal privileged user that is used by one or more people. In Fig. 4, Kuppinger (2019) illustrates the areas covered by PAM (S. 5). The green area is especially important for PAM. It ranges from personal and shared accounts with elevated permissions to shared accounts with standard permissions:
Fig. 4: Areas in which Privileged Access Management operates
Source: based on Kuppinger (Kuppinger, Integrating Password and Privilege Management for Unix and Linux Systems, 2019,
S. 5)
Gaehtgens et al. (Gaehtgens, Gardner, Taylor, Data, & Kelley, 2018, S. 4) see the main role of PAM
for the organisation as to:
"provide secure privileged access to critical assets and meet compliance requirements
by managing and monitoring privileged accounts and access".
The main task of PAM is therefore the administration and monitoring of privileged accounts and their
access to the critical IT infrastructure in a company. Gaehtgens et al. (Gaehtgens, Gardner, Taylor,
Data, & Kelley, 2018) break down the requirements for functionality into general use cases and those
that specifically target accesses of users or services and applications (S. 4). Singh (Privileged Access
Management, 2019) does not make this distinction explicitly, but summarises all functionalities in a
general overview (S. 9). In this technical report, the overview provided in Fig. 5 by Singh provides the
framework for the main functionalities of PAM and is used for the further analyses. The following
remarks are partly supplemented by definitions by Gaehtgens et al. (Magic Quadrant for Privileged
Access Management, 2018):
[Fig. 4 labels recovered from the page: Functional Accounts, Power User, Root, Standard User Account; axes personal / shared and standard / elevated; Privileged Account Management; Elevation Management]
Fig. 5: Blueprint of the architecture of PAM
Source: based on Singh (Singh, 2019, S. 9)
According to Gaehtgens et al. (Magic Quadrant for Privileged Access Management, 2018, S. 25), PAM begins by identifying and understanding what the privileged accounts are and what resources they can access, because only what is known can be managed or controlled. Singh (Privileged Access Management, 2019) summarises this functionality under Privilege Account Discovery and Life Cycle Management (PADLM). PADLM identifies software and service accounts, as well as shared and other privileged accounts. It also detects unencrypted, plain-text login credentials stored across the entire IT infrastructure. Other tasks include managing the life cycle of these accounts, monitoring responsibilities, detecting changes, and taking actions or issuing notifications based on these (S. 8).
The term Session Management is used as an umbrella term for various functionalities in PAM. Gaehtgens et al. (Magic Quadrant for Privileged Access Management, 2018, S. 19) mention that there are many different approaches here, ranging from the use of a proxy server, a gateway or an agent to a jump server. Singh (Privileged Access Management, 2019, S. 8) sees Privileged Session Management (PSM) as including the recording and review of activities of a privileged session on the target systems. PSM can also include authentication, authorisation and Single Sign-On to the target systems. The latter is also called Privileged Single Sign-On. This includes the management of the assignment of a session to the user and an ad-hoc or pre-approved authorisation (S. 10). Session Recording and Monitoring (SRM) is the extended function of PSM. It offers measures for checking, monitoring or reviewing privileged activities during access. This ranges from logging keystrokes, recording video sessions, reading texts from the screen display, and optical character recognition to other additional techniques (Singh, 2019, S. 8).
[Fig. 5 components recovered from the page: Privileged Session Management (PSM); Session Recording and Monitoring (SRM); Authentication (Users & Services); Shared Account Password Management (SAPM); Application-to-Application Password Management (AAPM); Controlled Privilege Elevation and Delegation Management (CPEDM); Privileged User Behavior Analytics (PUBA); Privileged Access Governance (PAG); Endpoint Privilege Management (EPM); Privilege Account Discovery and Life Cycle Management (PADLM)]
According to Singh (Privileged Access Management, 2019, S. 8), Shared Account Password Management (SAPM) manages the privileged login credentials of system, service or application accounts that are shared. These passwords, keys or other privileged login credentials are stored in an encrypted password store that is maintained in accordance with policies. The basic prerequisite for this is that the stored passwords or login information are set to a random value periodically, on a time- or event-controlled basis, or are assigned as a one-time password. In contrast to Gaehtgens et al. (Magic Quadrant for Privileged Access Management, 2018, S. 2), who summarise these functionalities as generally falling under Privileged Account Management and do not explicitly mention the term Shared Account, Singh (Privileged Access Management, 2019) defines Password Management only for the shared accounts. This suggests that the Password Management of personal accounts is handled by the functionalities of Access Management and delineated from PAM. As an extension of SAPM, there is the functionality for privileged access that is initiated by applications and has no direct user interaction. According to Singh (Privileged Access Management, 2019), Application-to-Application Password Management (AAPM) manages the service accounts that are used for direct communication between applications or systems. For this purpose, all hard-coded login credentials in application code, scripts or other configuration files are removed and made available only at the time of execution. Here, too, identifying hard-coded login data in scripts and other configurations is an important aspect (S. 8).
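The detection of stored plain-text credentials that PADLM performs and the removal of hard-coded credentials that AAPM requires, shown together as an added example that is not the report's own: the sample files, the `${vault:...}` reference syntax and the `Vault` class are constructed stand-ins for a PAM product's credential store, not any vendor's API. The scanner reports where a credential sits without copying the secret itself into the report.

```python
"""Find plain-text credentials in scripts/config and resolve vault references at run time (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample files standing in for scripts and configuration found in an IT estate.
SAMPLE_FILES: Dict[str, str] = {
    "backup.sh": (
        "#!/bin/sh\n"
        "DB_USER=backup\n"
        "DB_PASSWORD='S3cret!2019'\n"  # hard-coded password -> finding
        "pg_dump -U $DB_USER prod > /tmp/prod.sql\n"
    ),
    "app.yaml": (
        "database:\n"
        "  url: postgres://svc_app:Pa55word@db01:5432/app\n"  # credential inside a URL -> finding
        "  password: ${vault:svc_app/db}\n"  # reference resolved at run time -> no finding
        "api_token: \"\"\n"  # empty value -> no finding
    ),
    "deploy.py": (
        "import os\n"
        "API_KEY = os.environ['API_KEY']\n"  # taken from the environment -> no finding
        "aws_secret_key = 'constructed-not-a-real-key'\n"  # hard-coded -> finding
    ),
    "old_key.pem": "-----BEGIN RSA PRIVATE KEY-----\n(constructed placeholder, no key material)\n",
}

KEY_NAMES = r"(?:pass(?:word|wd)?|pwd|secret(?:_key)?|token|api[_-]?key)"
# A name ending in a credential-like word, then = or :, then an optionally quoted literal value.
ASSIGNMENT = re.compile(rf"(?i)\b([\w.-]*{KEY_NAMES})\s*[:=]\s*['\"]?([^'\"\s#]+)")
URL_CRED = re.compile(r"\b[a-z][a-z0-9+.-]*://([^\s:/@]+):([^\s@]+)@")
PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
VAULT_REF = re.compile(r"^\$\{vault:([^}]+)\}$")  # hypothetical reference syntax

Finding = Tuple[str, int, str, str]  # (file, line, kind, account or key name; never the secret)


def is_reference(value: str) -> bool:
    """True when the value is looked up at run time rather than stored in the file."""
    return value.startswith(("$", "vault:", "os.environ", "os.getenv", "<"))


def scan_file(name: str, text: str) -> List[Finding]:
    """Report credentials stored in one file (PADLM-style discovery of plain-text logins)."""
    findings: List[Finding] = []
    for number, line in enumerate(text.splitlines(), 1):
        if PRIVATE_KEY.search(line):
            findings.append((name, number, "private-key", "-"))
            continue
        url = URL_CRED.search(line)
        if url:
            findings.append((name, number, "url-credential", url.group(1)))
        for match in ASSIGNMENT.finditer(line):
            if not is_reference(match.group(2)):
                findings.append((name, number, "hard-coded-value", match.group(1)))
    return findings


def scan_all(files: Dict[str, str]) -> List[Finding]:
    return [f for name, text in files.items() for f in scan_file(name, text)]


class Vault:
    """Stand-in for a PAM credential store with an AAPM interface (hypothetical, not a product API)."""

    def __init__(self, secrets: Dict[str, str]):
        self._secrets = dict(secrets)
        self.audit: List[Tuple[str, str]] = []  # which caller fetched which reference

    def fetch(self, ref: str, caller: str) -> str:
        self.audit.append((caller, ref))
        return self._secrets[ref]


def resolve(value: str, vault: Vault, caller: str) -> str:
    """Replace a ${vault:...} reference with the secret at execution time; other values pass through."""
    match = VAULT_REF.match(value)
    return vault.fetch(match.group(1), caller) if match else value


if __name__ == "__main__":
    for finding in scan_all(SAMPLE_FILES):
        print("%s:%d %s (%s)" % finding)
    store = Vault({"svc_app/db": "constructed-secret"})
    print("resolved at run time:", bool(resolve("${vault:svc_app/db}", store, "app.yaml")))
    print("audit trail:", store.audit)
```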
The functionality that Singh (Privileged Access Management, 2019) defines under the term Controlled Privilege Elevation and Delegation Management (CPEDM) enables a controlled elevation of a user's permissions to those of a privileged user, so that he or she can carry out the necessary administrative work (S. 8). As an additional measure, according to Gaehtgens et al. (Magic Quadrant for Privileged Access Management, 2018), the commands entered are monitored on the host and their execution is restricted (S. 2).
The management of endpoints is not directly mentioned by Gaehtgens et al. (Magic Quadrant for Privileged Access Management, 2018), but can partly be found under CPEDM. Singh (Privileged Access Management, 2019, S. 8) summarises these measures under his own term, Endpoint Privilege Management (EPM). Singh defines endpoints as desktop PCs, servers and other network devices. EPM minimises IT security risks from these endpoints by monitoring and controlling local administrator privileges. Singh (S. 9) primarily sees three technical possibilities for this:
1. Application Control: the control of the applications that are allowed to run on a device. Using a whitelist or blacklist approach, a list of permitted or forbidden applications is defined, and applications are executed or blocked accordingly (S. 9).
2. Sandboxing: unknown applications or programs are executed in isolation in a controlled environment and checked for possible malware (S. 9).
3. Privilege Management: with User Privilege Management, on the one hand, increased local administration permissions are allocated in a controlled manner and monitored. With Application Privilege Management, on the other hand, applications are assigned administrator permissions based on approved exceptions and supported by policies, so that the application can run successfully (S. 9).
Finally, it should be possible to use the data gathered from PSM and EPM to analyse user behaviour and to support auditing and the monitoring of compliance. Singh (Privileged Access Management, 2019, S. 8) sees Privileged User Behaviour Analytics (PUBA) as the use of data analysis techniques to identify anomalies in relation to specified behaviour profiles of administrators or administrator groups or roles. Singh (Privileged Access Management, 2019, S. 8) defines the functionalities of Privileged Access Governance (PAG) for ensuring governance. PAG includes the provision of various reports and views and certain audit functions. An important aspect of this is tracing approval processes or completed attestations of privileged access.
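The PUBA anomaly detection described above, as an added example that is not part of the report: the session records, administrators, groups and scoring weights are all constructed for illustration. It builds behaviour profiles per administrator and per administrator group from recorded sessions and falls back to the group profile when an administrator has too little history of their own.

```python
"""Privileged User Behaviour Analytics over constructed session records (added example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Session:
    """One recorded privileged session, as a PAM session recorder would log it."""
    admin: str
    group: str  # administrator group or role the account belongs to
    start: datetime
    target: str  # target system reached through the PAM session
    commands: Tuple[str, ...]  # commands captured by session recording


@dataclass
class Profile:
    """Behaviour profile: which hours, targets and commands were seen, and how often."""
    hours: Counter = field(default_factory=Counter)
    targets: Counter = field(default_factory=Counter)
    commands: Counter = field(default_factory=Counter)
    sessions: int = 0


# Constructed baseline of recorded sessions regarded as normal.
HISTORY: List[Session] = [
    Session("ann", "dba", datetime(2019, 5, 6, 9, 15), "db01", ("psql", "pg_dump")),
    Session("ann", "dba", datetime(2019, 5, 7, 10, 40), "db01", ("psql",)),
    Session("ann", "dba", datetime(2019, 5, 8, 14, 5), "db03", ("psql", "vacuumdb")),
    Session("bob", "dba", datetime(2019, 5, 6, 9, 50), "db02", ("psql",)),
    Session("bob", "dba", datetime(2019, 5, 7, 16, 20), "db02", ("pg_dump",)),
    Session("bob", "dba", datetime(2019, 5, 9, 11, 0), "db01", ("psql",)),
    Session("carl", "sysadmin", datetime(2019, 5, 6, 8, 30), "app01", ("systemctl", "journalctl")),
    Session("carl", "sysadmin", datetime(2019, 5, 7, 13, 0), "app02", ("systemctl",)),
    Session("carl", "sysadmin", datetime(2019, 5, 8, 17, 30), "app01", ("apt",)),
]

# Constructed new sessions to be scored against the baseline.
NEW_SESSIONS: List[Session] = [
    Session("ann", "dba", datetime(2019, 5, 13, 10, 5), "db01", ("psql",)),
    Session("ann", "dba", datetime(2019, 5, 14, 3, 12), "app01", ("scp", "rm")),
    Session("dave", "dba", datetime(2019, 5, 13, 9, 30), "db02", ("psql",)),
    Session("dave", "dba", datetime(2019, 5, 13, 9, 45), "hr-db", ("psql", "pg_dump")),
    Session("carl", "sysadmin", datetime(2019, 5, 13, 13, 30), "app02", ("systemctl", "useradd")),
]


def build_profiles(history: List[Session]) -> Tuple[Dict[str, Profile], Dict[str, Profile]]:
    """Build one profile per administrator and one per administrator group."""
    admins: Dict[str, Profile] = defaultdict(Profile)
    groups: Dict[str, Profile] = defaultdict(Profile)
    for s in history:
        for profile in (admins[s.admin], groups[s.group]):
            profile.hours[s.start.hour] += 1
            profile.targets[s.target] += 1
            profile.commands.update(s.commands)
            profile.sessions += 1
    return dict(admins), dict(groups)


def score(session: Session, admins, groups, min_sessions: int = 3) -> Tuple[int, List[str]]:
    """Score deviations from the admin's own profile, or from the group profile if that is thin."""
    profile, basis = admins.get(session.admin), session.admin
    if profile is None or profile.sessions < min_sessions:
        profile, basis = groups.get(session.group, Profile()), "group " + session.group
    points, reasons = 0, []
    if session.start.hour not in profile.hours:
        points += 2
        reasons.append(f"unusual hour {session.start.hour:02d}:00 for {basis}")
    if session.target not in profile.targets:
        points += 3
        reasons.append(f"first access to {session.target} for {basis}")
    new_commands = [c for c in session.commands if c not in profile.commands]
    if new_commands:
        points += 2 * len(new_commands)
        reasons.append("commands never seen for " + basis + ": " + ", ".join(new_commands))
    return points, reasons


def detect(sessions: List[Session], history: List[Session], threshold: int = 4):
    """Return (admin, points, reasons) for every session scoring at or above the threshold."""
    admins, groups = build_profiles(history)
    flagged = []
    for s in sessions:
        points, reasons = score(s, admins, groups)
        if points >= threshold:
            flagged.append((s.admin, points, reasons))
    return flagged


if __name__ == "__main__":
    for admin, points, reasons in detect(NEW_SESSIONS, HISTORY):
        print(f"{admin}: {points} points; " + "; ".join(reasons))
```

Flagged sessions are review input for the PAG audit functions mentioned next, not automatic evidence of misuse.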
2.3 ISO Standards for Information Security
The international standardisation organisations the International Organization for Standardization
(ISO) and the International Electrotechnical Commission (IEC) have developed standards for infor-
mation security and have summarised these in the ISO/IEC 2700x series. This ISMS family of standards
is intended for organisations of all types and sizes in order to support the implementation and oper-
ation of an ISMS (Norm ISO/IEC 27000, 2016). Only the ISO/IEC 27001 standard will be of importance
for this technical report. Outside of the Basic Principles chapter, only the short form, "ISO", is used
for the standards, for reasons of better readability.
The ISO/IEC 27001 security standard is one of the most important standards in information security and describes the requirements for an information security management system (ISMS) that ensures that the company's security objectives are achieved. In Annex A, the standard outlines a comprehensive catalogue of action goals and measures which must be used in order to deal with information security risks (Norm ISO/IEC 27001, 2013 + Cor. 1:2014). These action goals and related measures are divided into 14 sections, as shown in Fig. 6:
Fig. 6: The 14 sections of ISO/IEC 27001: A.5 Information Security Policies; A.6 Organisation of Information Security; A.7 Human Resource Security; A.8 Asset Management; A.9 Access Control; A.10 Cryptography; A.11 Physical and Environmental Security; A.12 Operations Security; A.13 Communications Security; A.14 System Acquisition, Development and Maintenance; A.15 Supplier Relationships; A.16 Information Security Incident Management; A.17 Information Security Aspects of Business Continuity Management; A.18 Compliance
3 Covering the Requirements of ISO 27001
This chapter analyses the requirements of ISO 27001 and assesses the extent to which the action
goals from Annex A can be covered by the functionalities of PAM.
In the practical guide for implementing an ISMS in accordance with ISO 27001, ISACA Germany Chapter e.V. (Implementierungsleitfaden ISO/IEC 27001:2013, 2016, S. 13) states: "One of the first tasks when implementing an ISMS is to define the specific scope of the management system and to carry out an analysis of requirements and the environment with a view to the organisation and its stakeholders". One of the relevant documents for outlining the scope and extent of the ISMS is the statement of applicability, SoA (ISACA Germany Chapter e.V., 2016, S. 13). As a result, all measures
that support the action goals of ISO 27001 through the functionality of PAM can be applied in the
SoA.
3.1 Privileged Access Management (PAM) in the context of ISO 27001
Providing a summary, Fig. 7 shows the sections of ISO 27001 which are directly (green) and indirectly
(green and white hatched) supported by the functionalities of PAM.
Fig. 7: Action goals supported by PAM in the sections of ISO 27001
The following chapters do not go any further into the sections (white) of ISO 27001 where PAM cannot directly or indirectly support the action goals. However, section 8 of ISO 27001, Asset Management, does still require a special mention. Although the requirements it contains cannot be covered by the functionalities of PAM, the action goal of information classification is essential for PAM. Only once this goal is achieved, ensuring "... that information receives an appropriate level of protection in relation to its importance for the organisation" (Norm ISO/IEC 27001, S. 18), can normal and privileged objects within a company be distinguished. It is only possible to determine an area of application for PAM, as in Fig. 4, and to define necessary and efficient measures for protecting access to information, if a protection requirement and significance for the organisation can be derived for this information. Otherwise PAM cannot meet the requirement for risk-based and efficient implementation.
3.2 Information Security Policies (A.5)
Although PAM cannot support the process from the definition to the publication of information security policies, it can implement and monitor the rules required therein (Norm ISO/IEC 27001, 2013 + Cor. 1:2014, S. 16). On the one hand, policies can be mapped directly (●) in PAM, and compliance with them can be technically ensured; on the other hand, Privileged Access Governance offers the possibility of understanding the use of privileged access.
Session Recording and Monitoring also indirectly (○) helps ensure that the information security policies are checked on the basis of the correct data, by ensuring the integrity of the recorded information. Session Recording and Monitoring also offers the necessary measures to monitor and control privileged activities during access. This can, for example, prevent information that is necessary for traceability from being changed or deleted, whether intentionally or as a result of incorrect manipulation. The effectiveness of a policy is also assessed by detecting violations caused by the circumvention of such policies by means of privileged access.
Requirement | Applicable | Measure
A.5.1.2 Review of the Policies for Information Security | ● | Privileged User Behaviour Analytics
 | ● | Privileged Access Governance
 | ○ | Session Recording and Monitoring
Tab. 1: Applicability of PAM to Section 5 of ISO 27001
3.3 Organisation of Information Security (A.6)
Privilege Account Discovery and Life Cycle Management supports the definition and assignment of responsibilities for privileged accounts and monitors them over their entire life cycle. As a prerequisite for this, Privilege Account Discovery and Life Cycle Management can identify privileged accounts and helps with the risk-based assessment of information worth protecting, as well as with the subsequent definition of specific information security processes and measures for such access requests.
The creation and introduction of a policy on mobile devices [1] required by ISO 27001 (2013 + Cor. 1:2014, S. 17) forms the basis for how risks must be dealt with and what measures are necessary. PAM supports compliance with such policies by implementing security measures from Endpoint Privilege Management. For example, software installation can be regulated or restricted with the help of the white or blacklist approach of Application Control, or by using controlled assignment of increased local administration permissions. Sandboxing also offers additional protection against malware by running unknown applications or programs in an isolated environment and checking them for harmful content.
Requirement | Applicable | Measure
A.6.1.1 Information Security Roles and Responsibilities | ● | Privilege Account Discovery and Life Cycle Management
A.6.2.1 Mobile Device Policy | ● | Endpoint Privilege Management
Tab. 2: Applicability of PAM to Section 6 of ISO 27001
3.4 Access Control (A.9)
Privileged Session Management ensures that the assignment of access rights, or of the password to a privileged shared account, only takes place after the approval process has been completed. Equally, it ensures that access is revoked, or the password is changed, after the work is done.
"The allocation and use of privileged access rights shall be restricted and controlled" (Norm ISO/IEC
27001, 2013 + Cor. 1:2014, S. 20). This is the ISO 27001 measure for the administration of privileged
1 ISO 27001 (Norm ISO/IEC 27001, 2013 + Cor. 1:2014, S. 17) defines mobile devices as follows: "Mobile devices include all types of mobile end devices (smartphones, tablets, laptops, netbooks, etc.)"
-
Chapter: Covering the Requirements of ISO 27001 14
access rights. It contains the overarching goal of PAM and is therefore effectively supported by vari-
ous functionalities. Privilege Account Discovery and Life Cycle Management helps identify privileged
access rights and thus defines what should be restricted and controlled. Privileged Session Manage-
ment can be used to implement the required approval processes, and Shared Account Password
Management can be used to implement the event-related assignment of access rights for shared
accounts. Restrictions and controls during the access activity are generally supported using Session
Recording and Monitoring. Controlled Privilege Elevation and Delegation Management ensures that
general administrator rights are not misused and thus that access is monitored and restricted.
Privilege Account Discovery and Life Cycle Management helps review user access rights, because changes to privileged accounts are monitored accordingly and subject to notifications. In addition, Privileged Access Governance offers the possibility of checking the approval processes, attestations and the status of privileged accounts using various reports.
Privileged Session Management allows restricted access of privileged accounts to information and
application system functions in accordance with the access control policy. This is required by ISO
27001 under the general action goal of preventing unauthorised access to systems and applications
(Norm ISO/IEC 27001, 2013 + Cor. 1:2014, S. 20).
PAM has no influence on the login procedure of a system or an application, but, with Privileged User Behaviour Analytics, it helps to detect unauthorised login attempts or to identify anomalies by analysing a user's behaviour. Suspected abuse can thus be reported. All of this indirectly helps to secure the login procedure.
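As an added illustration of the PUBA approach described in this paragraph and in section 2.2 (example code written for this edit, not code from the report or from any product it mentions), the following Python sketch learns a behaviour profile per administrator role from constructed session records and flags sessions that deviate in target system, start time or commands; all users, hosts and commands are made up.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Session:
    """One recorded privileged session (constructed record format)."""
    user: str
    role: str
    target: str
    hour: int                   # local hour (0-23) at which the session started
    commands: Tuple[str, ...]   # privileged commands seen by session recording


@dataclass
class RoleProfile:
    """Behaviour profile of an administrator role, learned from past sessions."""
    targets: set = field(default_factory=set)
    hours: Counter = field(default_factory=Counter)
    commands: set = field(default_factory=set)
    sessions: int = 0


def build_profiles(history: List[Session]) -> Dict[str, RoleProfile]:
    """Aggregate what each role normally touches, when, and with which commands."""
    profiles: Dict[str, RoleProfile] = defaultdict(RoleProfile)
    for s in history:
        p = profiles[s.role]
        p.targets.add(s.target)
        p.hours[s.hour] += 1
        p.commands.update(s.commands)
        p.sessions += 1
    return dict(profiles)


def score_session(session: Session, profiles: Dict[str, RoleProfile],
                  min_hour_share: float = 0.05) -> List[str]:
    """Return the anomalies of one session against its role profile (empty = normal)."""
    p = profiles.get(session.role)
    if p is None:
        return [f"no behaviour profile exists for role {session.role!r}"]
    findings: List[str] = []
    if session.target not in p.targets:
        findings.append(f"target {session.target!r} is outside the profile of role {session.role!r}")
    # A start hour that accounts for less than min_hour_share of the role's sessions is unusual.
    if p.hours[session.hour] / p.sessions < min_hour_share:
        findings.append(f"start hour {session.hour:02d}:00 is unusual for role {session.role!r}")
    for cmd in session.commands:
        if cmd not in p.commands:
            findings.append(f"command {cmd!r} has never been seen for role {session.role!r}")
    return findings


def review(sessions: List[Session], profiles: Dict[str, RoleProfile]) -> Dict[Tuple[str, str], List[str]]:
    """Findings per (user, target), the shape a PUBA report or alert feed would consume."""
    return {(s.user, s.target): score_session(s, profiles) for s in sessions}


# Constructed baseline: a working week of recorded sessions for two administrator roles.
HISTORY = (
    [Session("alice", "dba", "db01", h, ("psql", "pg_dump")) for h in range(9, 17)]
    + [Session("bob", "dba", "db02", h, ("psql",)) for h in range(10, 15)]
    + [Session("carol", "netadmin", "fw01", h, ("show running-config",)) for h in range(8, 18)]
)
PROFILES = build_profiles(HISTORY)

# A normal DBA session, and one that deviates in target, time and commands at once.
NORMAL = Session("alice", "dba", "db02", 11, ("psql",))
SUSPICIOUS = Session("bob", "dba", "fw01", 3, ("psql", "scp"))

if __name__ == "__main__":
    for key, findings in review([NORMAL, SUSPICIOUS], PROFILES).items():
        print(key, findings or "no anomaly")
```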
Both Shared Account Password Management and Application-to-Application Password Management are systems for administering passwords that provide the login data interactively and perform a password change before or after each use. By defining a password policy, the use of strong passwords is also enforced.
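The check-out sequence described in this paragraph and at the start of section 3.4, as an added example (written for this edit, not code from the report): a second person approves before the shared account's password is handed out, each approval is good for one check-out, and the password is rotated on check-in. The account name, the length policy, the four-eyes rule and the in-memory vault are assumptions.

```python
import secrets
import string
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


class AccessDenied(Exception):
    """Raised when a request, approval, check-out or check-in violates the policy."""


@dataclass
class SharedAccount:
    name: str
    password: str
    checked_out_by: Optional[str] = None   # user currently holding the credential


class PrivilegedAccountVault:
    """Assumed minimal vault: approval before hand-out, rotation after each use."""

    def __init__(self, password_length: int = 24):
        self.password_length = password_length           # assumed password policy
        self.accounts: Dict[str, SharedAccount] = {}
        self.pending: Set[Tuple[str, str]] = set()       # open requests (user, account)
        self.approvals: Dict[Tuple[str, str], str] = {}  # (user, account) -> approver
        self.audit: List[tuple] = []                     # feed for governance reports

    def _new_password(self) -> str:
        alphabet = string.ascii_letters + string.digits + string.punctuation
        return "".join(secrets.choice(alphabet) for _ in range(self.password_length))

    def register(self, account: str) -> None:
        self.accounts[account] = SharedAccount(account, self._new_password())
        self.audit.append(("register", account))

    def request(self, user: str, account: str, reason: str) -> None:
        if account not in self.accounts:
            raise AccessDenied(f"unknown shared account {account!r}")
        self.pending.add((user, account))
        self.audit.append(("request", user, account, reason))

    def approve(self, approver: str, user: str, account: str) -> None:
        if (user, account) not in self.pending:
            raise AccessDenied("no open request to approve")
        if approver == user:
            raise AccessDenied("four-eyes rule: requester may not approve own request")
        self.pending.discard((user, account))
        self.approvals[(user, account)] = approver
        self.audit.append(("approve", approver, user, account))

    def checkout(self, user: str, account: str) -> str:
        acct = self.accounts[account]
        if (user, account) not in self.approvals:
            raise AccessDenied("no valid approval for this user and account")
        if acct.checked_out_by is not None:
            raise AccessDenied(f"account already checked out by {acct.checked_out_by}")
        del self.approvals[(user, account)]   # an approval is good for one check-out only
        acct.checked_out_by = user
        self.audit.append(("checkout", user, account))
        return acct.password

    def checkin(self, user: str, account: str) -> None:
        acct = self.accounts[account]
        if acct.checked_out_by != user:
            raise AccessDenied("account is not checked out by this user")
        acct.password = self._new_password()   # rotate: the handed-out secret is now dead
        acct.checked_out_by = None
        self.audit.append(("checkin_rotate", user, account))


def demo() -> dict:
    """Walk one constructed change ticket through the vault and report what was enforced."""
    vault = PrivilegedAccountVault()
    vault.register("root@db01")
    vault.request("alice", "root@db01", "CHG-42: restart postgresql")
    outcomes: dict = {}
    try:
        vault.approve("alice", "alice", "root@db01")   # self-approval must fail
        outcomes["self_approval_blocked"] = False
    except AccessDenied:
        outcomes["self_approval_blocked"] = True
    vault.approve("bob", "alice", "root@db01")
    handed_out = vault.checkout("alice", "root@db01")
    vault.checkin("alice", "root@db01")
    outcomes["rotated"] = handed_out != vault.accounts["root@db01"].password
    try:
        vault.checkout("alice", "root@db01")           # the approval was consumed
        outcomes["reuse_blocked"] = False
    except AccessDenied:
        outcomes["reuse_blocked"] = True
    outcomes["audit"] = [entry[0] for entry in vault.audit]
    return outcomes
```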
As a further requirement of access control for systems and applications, ISO 27001 (2013 + Cor. 1:2014, S. 20) requires a measure to restrict and monitor the use of utility programs that could circumvent system and application protection measures. Controlled Privilege Elevation and Delegation Management can restrict the installation of such programs by users, and their use can be checked during a prior approval process. The measures taken by Endpoint Privilege Management to protect against malware are not mentioned here, since when we talk of utility programs, we assume that these are instances of software without malicious code.
The ISO 27001 requirement (2013 + Cor. 1:2014, S. 20) to restrict access to the source code of programs is mainly to be controlled using Source Code Management (SCM). However, PAM can ensure that employees do not have unrestricted access to software source code libraries. In addition, Session Recording and Monitoring can be used to impose further restrictions, by recording and controlling commands during access.
Requirement | Applicable | Measure
A.9.2.2 User Access Provisioning | ● | Privileged Session Management
A.9.2.3 Management of Privileged Access Rights | ● | Privilege Account Discovery and Life Cycle Management
 | ● | Privileged Session Management
 | ● | Shared Account Password Management
 | ● | Controlled Privilege Elevation and Delegation Management
 | ● | Session Recording and Monitoring
A.9.2.5 Review of User Access Rights | ● | Privilege Account Discovery and Life Cycle Management
 | ● | Privileged Access Governance
A.9.4.1 Information Access Restriction | ● | Privileged Session Management
A.9.4.2 Secure Log-On Procedures | ○ | Privileged User Behaviour Analytics
A.9.4.3 Password Management System | ● | Shared Account Password Management
 | ● | Application-to-Application Password Management
A.9.4.4 Use of Privileged Utility Programs | ● | Controlled Privilege Elevation and Delegation Management
A.9.4.5 Access Control to Program Source Code | ● | Privileged Session Management
 | ● | Session Recording and Monitoring
Tab. 3: Applicability of PAM to Section 9 of ISO 27001
3.5 Operations Security (A.12)
The requirements for change management in ISO 27001 (2013 + Cor. 1:2014, S. 23) mainly relate to the change management process, which has to be determined and controlled by the organisation of a company and is not directly related to PAM. However, changes in the operating environment must always be made with privileged access, where PAM can offer various measures. In particular, recording privileged activities during the implementation of changes using Session Recording and Monitoring ensures traceability and logging.
Endpoint Privilege Management offers the appropriate detection and prevention measures for protection against malware, although the recovery process is not supported by a PAM functionality. As a possible detection measure, the Sandboxing approach is used, which detects malicious code using isolated execution. As a preventive measure, Application Control can be used to keep a positive list or a negative list of applications.
The logging and monitoring action goal in ISO 27001 (2013 + Cor. 1:2014, S. 23), which aims for events to be recorded and evidence generated, is implemented by Privileged Session Management and Session Recording and Monitoring. Using various techniques, event logs are created about the use of privileged access, and these are kept and made available for regular review. ISO 27001 (Norm ISO/IEC 27001, 2013 + Cor. 1:2014, S. 23) also requires that this recorded log information be adequately protected. To do this, it must be ensured that only authorised persons have access to the log information, and that it is not manipulated. Both can be achieved through the combination of ad-hoc or prior approval of the access and subsequent monitoring. The same applies to the administrator and operator logs, which are again specifically mentioned in ISO 27001 (Norm ISO/IEC 27001, 2013 + Cor. 1:2014, S. 24).
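An added example of one way to make recorded log information tamper-evident, as this paragraph and section 3.2 require (illustration code for this edit, not the report's or any PAM product's implementation): each session event is chained to its predecessor by a SHA-256 hash, and a seal stored outside the recorder catches truncation at the tail, which the chain alone cannot detect. Event fields and sample values are constructed.

```python
import copy
import hashlib
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64   # chain anchor for the first record


def _record_hash(prev_hash: str, event: dict) -> str:
    # Canonical JSON so that the same event always hashes the same way.
    payload = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_event(chain: List[dict], event: dict) -> dict:
    """Append one session event; the record carries the hash of its predecessor."""
    prev = chain[-1]["hash"] if chain else GENESIS
    rec = {"event": event, "prev": prev, "hash": _record_hash(prev, event)}
    chain.append(rec)
    return rec


def seal(chain: List[dict]) -> Tuple[int, str]:
    """(length, last hash) to keep outside the recorder, e.g. in a governance report,
    so that dropping records from the end of the recording is detectable too."""
    return (len(chain), chain[-1]["hash"] if chain else GENESIS)


def verify_chain(chain: List[dict],
                 expected_seal: Optional[Tuple[int, str]] = None) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if intact, else (False, index of the first inconsistent record)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec.get("prev") != prev or rec.get("hash") != _record_hash(prev, rec.get("event")):
            return False, i
        prev = rec["hash"]
    if expected_seal is not None and expected_seal != (len(chain), prev):
        return False, len(chain)   # chain is internally consistent but shorter than sealed
    return True, None


def sample_recording() -> List[dict]:
    """Constructed session recording of one privileged change on a sample host."""
    chain: List[dict] = []
    events = [
        {"t": "2019-04-01T09:00:00Z", "session": "S-1001", "user": "alice", "target": "db01", "type": "start"},
        {"t": "2019-04-01T09:01:10Z", "session": "S-1001", "type": "command", "cmd": "sudo systemctl restart postgresql"},
        {"t": "2019-04-01T09:02:30Z", "session": "S-1001", "type": "command", "cmd": "sudo useradd reportsvc"},
        {"t": "2019-04-01T09:03:00Z", "session": "S-1001", "type": "end"},
    ]
    for e in events:
        append_event(chain, e)
    return chain


def tamper_checks() -> dict:
    """Apply the manipulations the report warns about to copies of the recording."""
    original = sample_recording()
    s = seal(original)
    edited = copy.deepcopy(original)
    edited[2]["event"]["cmd"] = "sudo systemctl status postgresql"   # rewrite a recorded command
    deleted = copy.deepcopy(original)
    del deleted[2]                                                   # drop a record from the middle
    truncated = copy.deepcopy(original)[:-1]                          # drop the last record
    return {
        "intact": verify_chain(original, s),
        "edited": verify_chain(edited, s),
        "deleted": verify_chain(deleted, s),
        "truncated_without_seal": verify_chain(truncated),
        "truncated_with_seal": verify_chain(truncated, s),
    }
```

Without the seal, a truncated recording still verifies; only the externally stored length and last hash expose it.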
Controlled Privilege Elevation and Delegation Management ensures that only administrators or other authorised persons are allowed to perform installations on systems in operation. Using various implementation approaches, Endpoint Privilege Management offers further restrictions on the installation of operating software, applications or programs by users on the endpoints.
For audit activities, Privileged Access Governance can provide various reports and audit functionalities in order to support the audits. Session Recording and Monitoring also indirectly ensures that all instances of access are monitored and logged during an audit, and that a reliable audit trail is also created.
Requirement | Applicable | Measure
A.12.1.2 Change Management | ● | Session Recording and Monitoring
A.12.2.1 Controls against Malware | ● | Endpoint Privilege Management
A.12.4.1 Event Logging | ● | Privileged Session Management
 | ● | Session Recording and Monitoring
A.12.4.2 Protection of Log Information | ● | Privileged Session Management
 | ● | Session Recording and Monitoring
A.12.4.3 Administrator and Operator Logs | ● | Privileged Session Management
 | ● | Session Recording and Monitoring
A.12.5.1 Installation of Software on Operational Systems | ● | Controlled Privilege Elevation and Delegation Management
A.12.6.2 Restrictions on Software Installation | ● | Endpoint Privilege Management
A.12.7.1 Information System Audit Controls | ● | Privileged Access Governance
 | ○ | Session Recording and Monitoring
Tab. 4: Applicability of PAM to Section 12 of ISO 27001
3.6 Supplier Relationships (A.15)
Protecting the assets of a company that are accessible to suppliers is an important requirement for PAM. In many cases, suppliers, as integrators or manufacturers of software and business applications, have the permissions with the highest privileges on the company's systems. It is therefore essential to define and agree information security policies with the supplier. PAM cannot directly support the definition and arrangement of required measures for ensuring information security and the capture of all information security requirements in one policy. However, parts of the measures are indirectly implemented by PAM. The integrity of the information is guaranteed, and the processing of the information is controlled and traceable, above all by monitoring instances of access through Privileged Session Management and Session Recording and Monitoring.
ISO 27001 (2013 + Cor. 1:2014, S. 27) requires the subsequent definition and agreement of information security requirements with the supplier. Again, this is not part of PAM, but is the responsibility of the company's organisation.
Requirement | Applicable | Measure
A.15.1.1 Information Security Policy for Supplier Relationships | ○ | Privileged Session Management
 | ○ | Session Recording and Monitoring
Tab. 5: Applicability of PAM to Section 15 of ISO 27001
3.7 Information Security Incident Management (A.16)
By monitoring the activities of privileged accounts through Privileged Session Management and Session Recording and Monitoring, information security incidents are automatically detected, or essential information is made available to a responsible person for further analysis and assessment. An important point here is the functionality that either prevents the action automatically or undertakes immediate reporting to the appropriate authority. This is the only way to ensure that information security events are dealt with effectively by means of immediate assessment and classification. Privileged User Behaviour Analytics can provide additional information for the detection and assessment of information security events through further analysis of user behaviour.
The learnings from information security incidents can lead to possible changes in the illustrated rules for Privileged Session Management and Session Recording and Monitoring, to further measures, or to an improvement in Privileged User Behaviour Analytics. This, in turn, would indirectly result in the achievement of the required reduction in the probability of future incidents occurring.
The procedures required by ISO 27001 (Norm ISO/IEC 27001, 2013 + Cor. 1:2014, S. 28) for the identification, collection, capture and storage of evidence during information security incidents are provided by Privileged Session Management and Session Recording and Monitoring.
Requirement | Applicable | Measure
A.16.1.1 Responsibilities and Procedures | ● | Privileged User Behaviour Analytics
 | ● | Privileged Session Management
 | ● | Session Recording and Monitoring
A.16.1.4 Assessment of and Decision on Information Security Events | ● | Privileged User Behaviour Analytics
 | ● | Privileged Session Management
 | ● | Session Recording and Monitoring
A.16.1.6 Learning from Information Security Incidents | ○ | Privileged User Behaviour Analytics
 | ○ | Privileged Session Management
 | ○ | Session Recording and Monitoring
A.16.1.7 Collection of Evidence | ● | Privileged Session Management
 | ● | Session Recording and Monitoring
Tab. 6: Applicability of PAM to Section 16 of ISO 27001
3.8 Compliance (A.18)
A PAM system indirectly helps when documenting the various requirements the organisation has, by providing an overview of the architecture and other implemented measures of Privileged Access Control through Privileged Access Governance.
Privileged Session Management and Session Recording and Monitoring provide comprehensible information for the independent review of information security, including access records and logs, as well as activities of administrative and privileged users. Privileged Access Governance provides additional audit reports. Furthermore, all of this information is consulted when an independent audit is carried out, and compliance is ensured.
It is not realistic for executives to regularly check compliance with security policies, standards and other security requirements as required by ISO 27001 (2013 + Cor. 1:2014, S. 29) as part of PAM, as this is usually done by selected administrators or a specialist agency.
Requirement | Applicable | Measure
A.18.1.1 Identification of Applicable Legislation and Contractual Requirements | ○ | Privileged Access Governance
A.18.2.1 Independent Review of Information Security | ● | Privileged Access Governance
 | ● | Privileged Session Management
 | ● | Session Recording and Monitoring
Tab. 7: Applicability of PAM to Section 18 of ISO 27001
4 Overview of the Degree of Coverage
Fig. 8 illustrates the coverage of the requirements of ISO 27001 by PAM.
Fig. 8: Overview of the coverage of the requirements according to ISO 27001
More than half of the fourteen sections of ISO 27001 have direct points of contact with the PAM subject area. It is striking that in addition to section 9, Access Control – which includes many of the basic requirements of Privileged Access Management – PAM also fulfils a large part of the requirements in section 12. Operations security is therefore an essential aspect of the protective measures available from PAM. Six of the seven action goals are supported directly, making an important contribution to minimising risk in the area of operations security.
Similarly, in the section on Information Security Incident Management, more than half of all
measures required by ISO 27001 are supported by PAM. Many of the requirements of section 16 can
be supported, among other things, by the possibilities for monitoring and assessing activities in all
connected systems.
Although there are some sections in the ISO 27001 standard that are not influenced by PAM measures, they can still have points of contact with the subject areas. For example, a violation of information security determined in PAM can serve as a trigger for the disciplinary process in section 7. Furthermore, the use of Cryptography (A.10) is a fundamental requirement in the procedures and systems in order for the confidentiality, authenticity and integrity of information to be protected. The same applies to compliance with security requirements in relation to the transmission of information in Communications Security (A.13), which is seen as a prerequisite for the interfaces of PAM. Again, System Acquisition, Development and Maintenance (A.14) must be taken into account, especially when implementing a PAM solution itself. In addition, the handling of test data, as a further action goal from section 14, has a significant influence on the relevance of a test or development environment in relation to the connection through PAM. Finally, the Information Security Aspects of Business Continuity Management (A.17) must also be considered in relation to a PAM system. As an essential part of information security, PAM thus comes into contact with practically all sections of Annex A of the ISO 27001 standard – be it as part of an implemented measure or by including measures from the ISO standard from other security areas.
5 Conclusion
Controlling privileged access is essential for ISO certification, and is much more than just a fig leaf.
By introducing PAM, companies "protect" honest and loyal employees. A properly implemented PAM
solution increases one's security level and protects against many possible attacks.
PAM projects appear simple at first glance, but they entail changes in administration processes.
Many companies make the mistake of introducing PAM across the board for a lot of money, thereby
reducing productivity in system administration. It does not have to be that way. The ISO 27001 goals
can be achieved with a sense of proportion. Not all servers, databases, network components, etc.,
need to be monitored. Not all user accounts on these servers are equally at risk. Usually, a simple risk
classification of assets, user accounts or even the administrators helps to keep the scope in check.
With delimitations of this nature, introducing PAM provides a sense of achievement for everyone
involved and ensures the long-term protection of data.
6 Portrait
6.1 Stefan Huber
Stefan Huber has been working as an IAM expert for the IPG Group since 2014 and, as a
senior technical consultant, supports companies in advising, implementing, introducing,
and training for, customised IAM solutions. As part of his master's thesis for his "Master
of Advanced Studies in Information & Cyber Security", he examined how IAM and PAM
can meet the IT security objectives under ISO/IEC 27001.
6.2 IPG Group
The IPG Group specialises in design, integration, operation and training relating to IAM solutions. The company, founded in Winterthur in 2001, now offers solutions for comprehensive protection of user data as well as data and physical access rights in its branches in Germany and Austria. Customers include companies from all industries, as well as public administration organisations. IPG is the preferred partner for major software manufacturers in Switzerland, Germany and Austria and employs around 90 people. www.ipg-group.com
7 Sources Used
Brenner, M., Gentschen Felde, N., Hommel, W., Metzger, S., Reiser, H., & Schaaf, T. (2014). Praxisbuch ISO/IEC 27001, Management der Informationssicherheit und Vorbereitung auf die Zertifizierung. Carl Hanser Verlag München.
Gaehtgens, F., Gardner, D., Taylor, J., Data, A., & Kelley, M. (2018). Magic Quadrant for Privileged Access Management. Gartner Research.
Gaehtgens, F., Kampman, K., & Iverson, B. (2018). Magic Quadrant for Identity Governance and Administration. Gartner Research.
Gartner, Inc. (17 May 2019). Gartner Research. Retrieved from https://www.gartner.com/en/research/methodologies
Gartner, Inc. (17 May 2019). IT Glossary. Retrieved from https://www.gartner.com/it-glossary/identity-and-access-management-iam
Hill, R., & Kuppinger, M. (2019). Access Management and Federation. KuppingerCole.
ISACA Germany Chapter e.V. (2016). Implementierungsleitfaden ISO/IEC 27001:2013.
Kreizman, G. (2018). Magic Quadrant for Access Management, Worldwide. Gartner Research.
Kuppinger, M. (2019). Integrating Password and Privilege Management for Unix and Linux Systems. KuppingerCole.
Kuppinger, M., & Singh, A. (2018). Access Governance & Intelligence. KuppingerCole.
Kuppinger, M., & Singh, A. (2018). Identity Governance & Administration. KuppingerCole.
Norm ISO/IEC 27000. (2016). Informationstechnik - Sicherheitsverfahren - Informationssicherheits-Managementsysteme - Überblick und Terminologie.
Norm ISO/IEC 27001. (2013 + Cor. 1:2014). Informationstechnik – IT-Sicherheitsverfahren – Informationssicherheits-Managementsysteme – Anforderungen. Retrieved 04 2019.
Singh, A. (2019). Privileged Access Management. KuppingerCole.