IPG Group | Winterthur – Bern – Berlin – Dresden – Vienna – Constance
T +41 52 245 04 74 | F +41 52 245 04 73 | [email protected] | www.ipg-group.com

TECHNICAL REPORT

Privileged Access Management (PAM) in the context of ISO 27001
To what extent can PAM cover the requirements of ISO/IEC 27001?

Author: Stefan Huber, Senior Technical Consultant, IPG Group
Posted: 02-Feb-2021


Table of contents

1 Introduction
2 Basic Principles
2.1 Identity & Access Management
2.1.1 Identity Management
2.1.2 Access Management
2.1.3 Identity and Access Governance
2.2 Privileged Access Management
2.3 ISO Standards for Information Security
3 Covering the Requirements of ISO 27001
3.1 Privileged Access Management (PAM) in the context of ISO 27001
3.2 Information Security Policies (A.5)
3.3 Organisation of Information Security (A.6)
3.4 Access Control (A.9)
3.5 Operations Security (A.12)
3.6 Supplier Relationships (A.15)
3.7 Information Security Incident Management (A.16)
3.8 Compliance (A.18)
4 Overview of the Degree of Coverage
5 Conclusion
6 Portrait
6.1 Stefan Huber
6.2 IPG Group
7 Sources Used

  • Chapter: Introduction 1

1 Introduction

The ISO/IEC 27001 security standard of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) is one of the most important standards in information security. It describes the requirements for an information security management system (ISMS) that ensures the organisation's security objectives are achieved. In Annex A, the standard lists a comprehensive catalogue of control objectives and controls; together with ISO/IEC 27002, it offers specific implementation guidance that an organisation can draw on to treat its security risks. ISO/IEC 27002 is guidance only and is not itself a certification standard; an organisation's ISMS is certified against ISO/IEC 27001. This certification is carried out by an accredited certification body in an external audit (Brenner et al., 2014, p. 149), in which compliance with the requirements of the standard is checked and the conformity of the ISMS with the standard is determined. The Annex A numbering used in this report (A.5, A.6, A.9, A.12, A.15, A.16, A.18) is that of ISO/IEC 27001:2013; the 2022 revision regroups the controls into four themes and renumbers them (privileged access rights, for example, become control 8.2), so the mapping in this report must be read against the 2013 control set.

Many companies strive for ISO certification in order to differentiate themselves from the competition, to reduce internal security weaknesses, or because there are legal or regulatory requirements to do so. Many of the controls required by ISO/IEC 27001 can be fulfilled directly or indirectly through a comprehensive, company-wide Identity and Access Management (IAM) system and through the management of privileged accounts and their access (PAM). However, the introduction of an IAM or PAM system is usually a major challenge, because each solution has to be adapted to the individual needs, requirements and general framework of the organisation, and an ISO/IEC 27001-compliant implementation additionally has to take external factors into account.

This technical report focuses on the area of PAM and shows which requirements of the ISO/IEC 27001 standard can be met by integrating a PAM system into the company.

2 Basic Principles

For the subsequent analyses, and so that they remain traceable, the terms must be clearly defined. For IAM and PAM in particular, the functional scope of the two areas has to be defined and their boundaries shown. This chapter defines that scope of functions, which then forms the basis of the further analyses.

2.1 Identity & Access Management

Gartner (IT Glossary, 2019) outlines Identity & Access Management (IAM) in general terms as follows:

"Identity and access management (IAM) is the security discipline that enables the right individuals to access the right resources at the right times for the right reasons".

In other words, as part of a company's information security system, IAM ensures the authentication of individuals through Access Management, and their authorisation to the various IT systems and resources through the management of identities and their access rights, all at the right time and for the right reason. Gartner's definition (IT Glossary, 2019) also addresses a company's compliance requirements, which IAM supports. Accordingly, Gartner (Gartner, Inc., 2019) distinguishes between Access Management (AM) on the one hand and Identity Governance & Administration (IGA) on the other. Gartner defines the functionalities of the two areas as shown in Fig. 1:

Fig. 1: Identity and Access Management according to Gartner
Source: based on Gaehtgens et al. (Gaehtgens, Kampman, & Iverson, Magic Quadrant for Identity Governance and Administration, 2018) and Kreizman (Kreizman, 2018)

Kuppinger and Singh (Identity Governance & Administration, 2018) also use the term Identity Governance and Administration (IGA) in their analysis reports, but see it as the combination of User Access Provisioning (UAP) and Access Governance (IAG). In contrast to Gartner, Hill and Kuppinger (Access Management and Federation, 2019) place a strong focus on federation when it comes to Access Management. Access Management should be viewed holistically across the company, in terms of the different needs and requirements of internal and external employees, business partners and customers. They all have different access needs, which Access Management and federation should meet. This covers internal, incoming and outgoing access, to on-premise applications as well as to private or public cloud services. Hill and Kuppinger (Access Management and Federation, p. 6) therefore divide the functionalities into three areas, as shown in Fig. 2:


Fig. 2: Identity and Access Management according to KuppingerCole
Source: based on Kuppinger and Singh (Kuppinger & Singh, Identity Governance & Administration, 2018) and Hill and Kuppinger (Hill & Kuppinger, 2019)

What the Gartner and KuppingerCole definitions have in common is that both consider Identity Management (IM) and Access Management (AM) separately, and either include governance in one of them or treat it as a separate area. The functionalities in this technical report are therefore divided into IM, AM and IAG. Fig. 3 gives an overview of this division; the functionalities are defined and made more concrete in chapters 2.1.1, 2.1.2 and 2.1.3.

Fig. 3: Overview of the functionalities of IAM with a classic identity life cycle approach
[Figure; recoverable labels: person and organisation data (source); target systems: On-Premise Application, Private Cloud Service, Public Cloud Service]


2.1.1 Identity Management

Identity Management always focuses on the digital identity, its relationship to the organisation, and its attributes throughout the entire life cycle. The life cycle consists of all processes from creation, activation and deactivation, and change through to archiving and deletion. There are different scenarios for how an identity enters identity management. Gaehtgens, Kampman and Iverson (Magic Quadrant for Identity Governance and Administration, 2018) see four patterns here, listed under the term Identity Life Cycle:

• Authoritative source: the classic life cycle, in which a trusted source such as an HR or supplier-management system is connected to the IAM. The source owns the life cycle and passes this data on to the IAM system (p. 19).

• Sponsorship and expiration: the life cycle of non-employees who cannot be covered by an authoritative source. An internal sponsor requests time-limited access for a contractual partner, and the access expires unless it is renewed (p. 19).

• Delegated administration: an authorised administrator at a business partner, supplier or customer, at which several people need access, manages the life cycle of those people's identities. The life cycle is controlled by regular recertification or time-limited access (p. 19).

• Self-registration: the scenario in which some kind of account is required for a personalised interaction with a company's website. Here it is usually not strictly necessary to remove the access when the relationship ends (p. 19).

Entitlement Management covers the maintenance and administration of the permissions catalogue for all target systems connected to the Identity Management system. An important aspect of this, according to Gaehtgens et al. (Magic Quadrant for Identity Governance and Administration, 2018, p. 1), is the separation and clear presentation of the different types of accounts, roles, group memberships and other permissions. According to Gaehtgens et al., linking identities with accounts and access rights is necessary in order to understand which identity has which access and who is responsible for which accounts (p. 1). The latter point is also commonly known as Owner Management. It covers the entire life cycle of responsibilities for permissions and other objects: their assignment, transfer and removal.

According to Kuppinger and Singh, Access Request Management offers users a web portal in which they can request access rights, IT or other resources for themselves or on behalf of others (Identity Governance & Administration, 2018, p. 11). Access Request Management benefits from a well-maintained Entitlement Management system that presents the technical permissions catalogue clearly by means of translations and descriptions. This comprehensibility is necessary so that users can find their way around the portal, and it is a basic prerequisite for ensuring that users only request the access they actually need. Finally, the access request is handed over to Workflow Management, which, according to Kuppinger and Singh, incorporates the decision-making processes and triggers further business processes (2018, p. 11). The decision-making processes can be defined on a risk basis and, depending on the criticality of the permissions, can consist of a single-stage or multi-stage approval process. For uncritical access requests it can also make sense to dispense with an approval process altogether. Escalations, reminders and other notifications can be added as further functionality.


Gaehtgens et al. (Magic Quadrant for Identity Governance and Administration, 2018) view Role Management as a tool for enforcing the various policies (p. 1). According to Kuppinger and Singh (Identity Governance & Administration, 2018), the grouping and bundling of access permissions mainly serves to improve general administrative efficiency (p. 11). The mere aggregation of access rights into business roles, based on organisational or task-related criteria, is not yet a governance measure and is therefore listed under Identity Management. In practice, however, there is no strict separation, and the boundary between role management, role mining and role governance is fluid.

According to Gaehtgens et al. (Magic Quadrant for Identity Governance and Administration, 2018, p. 1), Fulfilment is generally understood as the transfer of changes from Identity Management to the target system and back. Changes here means all processes of creating, changing and deleting accounts and permissions, as well as assigning or removing permissions. In many cases, a change made in the IAM system is provisioned immediately to the target systems, and the state of the target system is periodically synchronised back to the IAM system so that deviations, for example accounts or permissions created directly in the target system, become visible. The target systems can be on-premise applications or private or public cloud services.
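As an added example (not code from the report or from any product it cites), the following Python script puts the identity life-cycle patterns of chapter 2.1.1 and the Fulfilment step above together in one reconciliation loop: an authoritative HR feed and a list of sponsored externals with expiry dates define the desired account state, which is then diffed against a snapshot read back from a target system to produce provisioning actions. All identities, departments, group mappings and the target snapshot are constructed sample data; the `svc_` naming convention for service accounts is an assumption.

```python
"""Identity life cycle and fulfilment as one reconciliation loop.

Added example, not code from the IPG report or any product it cites.
All feeds, identities, group mappings and the target snapshot are
constructed sample data.
"""
from datetime import date

# Constructed authoritative source (pattern "authoritative source"): the HR
# system owns the life cycle and tells IAM who is active and who has left.
HR_FEED = [
    {"id": "u100", "name": "Alice", "dept": "ops",     "status": "active"},
    {"id": "u101", "name": "Bob",   "dept": "finance", "status": "active"},
    {"id": "u102", "name": "Carol", "dept": "ops",     "status": "left"},
]

# Constructed sponsored externals (pattern "sponsorship and expiration"):
# access lives only as long as the expiry date and the sponsor are valid.
SPONSORED = [
    {"id": "x200", "name": "Dan", "sponsor": "u100", "expires": date(2024, 6, 30)},
    {"id": "x201", "name": "Eve", "sponsor": "u101", "expires": date(2025, 1, 31)},
]

# Constructed role model: department -> groups in the target system.
DEPT_GROUPS = {"ops": {"linux_users"}, "finance": {"erp_users"}}

# Constructed snapshot of the target system, as read back during the
# periodic synchronisation (fulfilment in the reverse direction).
TARGET_SNAPSHOT = {
    "u100": {"linux_users", "erp_users"},   # one group too many
    "u102": {"linux_users"},                # leaver still enabled
    "x200": {"external_users"},             # sponsorship has expired
    "svc_backup": set(),                    # nobody in IAM owns this one
}

SERVICE_PREFIX = "svc_"  # assumption: naming convention for service accounts


def desired_state(today_iso):
    """Accounts that should exist on the target and the groups they should hold."""
    today = date.fromisoformat(today_iso)
    desired = {}
    for rec in HR_FEED:
        if rec["status"] == "active":
            desired[rec["id"]] = set(DEPT_GROUPS.get(rec["dept"], ()))
    for ext in SPONSORED:
        # An external is valid only while unexpired AND its sponsor is active.
        if ext["expires"] >= today and ext["sponsor"] in desired:
            desired[ext["id"]] = {"external_users"}
    return desired


def reconcile(desired, actual):
    """Diff desired against actual state into ordered provisioning actions."""
    actions = []
    for acct, groups in desired.items():
        if acct not in actual:
            actions.append(("create", acct, sorted(groups)))
            continue
        for g in sorted(groups - actual[acct]):
            actions.append(("grant", acct, g))
        for g in sorted(actual[acct] - groups):
            actions.append(("revoke", acct, g))
    for acct in actual:
        if acct in desired:
            continue
        # Unknown service accounts are escalated for an owner decision rather
        # than disabled blindly, since that could break production jobs.
        if acct.startswith(SERVICE_PREFIX):
            actions.append(("review_orphan", acct, None))
        else:
            actions.append(("disable", acct, None))
    return actions


def plan(today_iso):
    """Desired state for the given day reconciled against the target snapshot."""
    return reconcile(desired_state(today_iso), TARGET_SNAPSHOT)


if __name__ == "__main__":
    for action in plan("2024-09-01"):
        print(*action)
```

Run on 2024-09-01 the plan revokes Alice's surplus ERP group, creates Bob and the still-valid external Eve, disables the leaver Carol and the expired external Dan, and leaves the orphaned service account for a human decision; run on 2024-06-01, before Dan's sponsorship expires, nothing happens to his account.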

2.1.2 Access Management

In contrast to Identity Management, the term Access Management encompasses everything technical that has to do with the authentication and authorisation of the user, whereas Identity Management ensures that there is a correct and comprehensible reason for the access and that it is granted for the correct period. Since this process often begins with the user entering a password, Password Management is an important component. Kreizman (Magic Quadrant for Access Management, Worldwide, 2018) only uses the term Password Reset (p. 1), and Hill and Kuppinger (Access Management and Federation, 2019) do not mention this aspect of Access Management at all. However, this technical report considers more than resetting, which is why the general term Password Management is used in what follows. Based on the reports by Gartner (Magic Quadrant for Access Management, Worldwide) and KuppingerCole (Access Management and Federation), this includes, among other things, enforcing a password policy, a self-service portal for managing user-specific information such as security questions, and a password reset process driven by the user. Password Management also propagates password changes to the necessary target systems; this can also be done in conjunction with Identity Management.

Authentication Management provides the variety of authentication methods. Authentication takes place either as a simple query of user name and password or as a two- or multi-factor authentication process. If the authentication method is selected dynamically and in real time, based on the risk profile of the user and the environment, Hill and Kuppinger (Access Management and Federation, 2019) speak of adaptive authentication (p. 12).

Gartner (IT Glossary, 2019) describes the functionality of Single Sign-On (SSO) as a procedure in which a user logs on once and is then automatically authenticated when accessing other applications. The login can be completed with a password, a chip card or a biometric feature. There are also different types of SSO: either the users' passwords are stored centrally (Enterprise Single Sign-On, E-SSO), or certificate- or token-based approaches such as Web-SSO or federation are used. From a security standpoint the two differ markedly: E-SSO replays stored passwords and so makes the central password store a high-value target, whereas token-based SSO never exposes the user's password to the relying application. Hill and Kuppinger (Access Management and Federation, 2019), as well as Kreizman (Magic Quadrant for Access Management, Worldwide, 2018), regard the ability to integrate and enable incoming and outgoing federations as one of the most important points.

Session Management, which among other things enables SSO, can be used to configure and control the attributes and behaviour of established sessions (Kreizman, 2018).

2.1.3 Identity and Access Governance

As mentioned at the beginning, Gartner makes no explicit distinction between Identity Administration and Governance, whereas KuppingerCole summarises the latter as Access Governance & Intelligence. According to Kuppinger and Singh (Kuppinger & Singh, Access Governance & Intelligence, 2018), Access Governance is the IAM discipline that focuses on risk management and is intended to ensure that compliance is enforced in the company (p. 9). Access Risk Management is therefore an important part of doing justice to the risk-based approach. For this purpose, all IAM-relevant objects are classified and assigned a criticality level. The behaviour of requests, decision-making and other workflows can then be differentiated and controlled on this basis.

Attestation of access is used to carry out access reviews on demand or at regular intervals, in order to assess whether users only have the access rights necessary to carry out their work and whether these access rights still comply with the policies (Kuppinger & Singh, Access Governance & Intelligence, 2018, p. 11). The term recertification is also commonly used; it designates the whole process of repeated attestations.

Under Reporting and Analytics, Gaehtgens et al. (Magic Quadrant for Identity Governance and Administration, 2018) define the preparation and provision of reports that enable a deeper view of the IAM data (p. 2). The field of auditing is considered separately and, according to Gaehtgens et al. (Gaehtgens, Kampman, & Iverson, Magic Quadrant for Identity Governance and Administration, 2018, p. 2), comprises the tools for evaluating business rules and controls against the current state of the identities and their access rights in the IAM system. Kuppinger and Singh (Identity Governance & Administration, 2018, p. 11) attach more importance to the analysis of user data, which strengthens governance and is summarised under the term Identity Analytics. According to Kuppinger and Singh (Identity Governance & Administration, 2018), this type of analysis uses data analysis techniques to derive meaningful information from logging and monitoring data, with the aim of improving the overall efficiency of IGA processes. It offers recommendations for making roles more efficient, proposes risk-based measures after violations of access policies, provides automated test reports on access, and correlates events across the entire IAM system in order to derive further usable information (p. 11). According to Kuppinger and Singh (Identity Governance & Administration, 2018), Reporting and Dashboarding refers to the preparation and provision of legible and understandable information that supports the persons in charge in improving governance and decision-making. Dashboarding is an important aid when performing an audit: it provides a simple, business-friendly abstraction of metrics and data models in order to monitor the IGA processes effectively (p. 12). In this technical report, these functionalities are grouped under the term Reporting and Auditing.

The definition of rules for identifying combinations of roles and permissions that pose a security risk is covered by the term Segregation of Duties (SoD) (Kuppinger & Singh, Access Governance & Intelligence, 2018, p. 9). It also includes continuous monitoring for new risks and offers remedial measures.
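The following Python script is an added example, not code from the report or from any product it cites, and serves two passages at once: the risk-based, single- or multi-stage approval routing described under Access Request Management in chapter 2.1.1, and the SoD check described just above. An access request is evaluated before it enters the workflow: the entitlement's criticality selects the approval chain, and the request is blocked when it would complete a toxic combination with entitlements the requester already holds. The entitlement catalogue, criticality levels, approver roles and SoD rules are constructed sample data. SoD rules are written as sets of any size, which generalises the pairwise case usually shown.

```python
"""Access request evaluation: risk-based approval chain plus a
segregation-of-duties (SoD) check before the request enters the workflow.

Added example, not code from the IPG report or any product it cites. The
entitlement catalogue, criticality levels, approver roles and SoD rules are
constructed sample data.
"""

# Constructed catalogue: technical name -> (business description, criticality 1..3)
CATALOGUE = {
    "wiki_read":              ("Wiki: read access",                        1),
    "erp_ap_create_vendor":   ("ERP: create or change vendor master data", 2),
    "erp_ap_post_invoice":    ("ERP: post supplier invoices",              2),
    "erp_ap_release_payment": ("ERP: release outgoing payments",           3),
    "linux_prod_root":        ("Linux production: root via PAM vault",     3),
}

# Constructed SoD rules: an identity must never hold all members of a rule.
SOD_RULES = [
    frozenset({"erp_ap_create_vendor", "erp_ap_release_payment"}),
    frozenset({"erp_ap_create_vendor", "erp_ap_post_invoice", "erp_ap_release_payment"}),
]

# Constructed risk-based approval chains, keyed by criticality.
APPROVAL_CHAINS = {
    1: [],                                     # uncritical: no approval step
    2: ["line_manager"],                       # single-stage
    3: ["line_manager", "entitlement_owner"],  # multi-stage
}


def sod_violations(held, requested):
    """Rules that would be completely satisfied if `requested` were added to `held`."""
    after = set(held) | {requested}
    return [rule for rule in SOD_RULES if requested in rule and rule <= after]


def evaluate_request(held, requested):
    """Route an access request: auto-approve, pending approvals, or SoD block."""
    if requested not in CATALOGUE:
        raise KeyError(f"unknown entitlement {requested!r}")
    if requested in held:
        return {"decision": "already_held", "approvers": [], "conflicts": []}
    _, criticality = CATALOGUE[requested]
    chain = list(APPROVAL_CHAINS[criticality])
    violations = sod_violations(held, requested)
    if violations:
        conflicts = sorted({e for rule in violations for e in rule} - {requested})
        # A toxic combination is blocked by default; only a risk owner may grant
        # a documented exception, on top of the regular chain.
        return {"decision": "blocked_sod",
                "approvers": chain + ["risk_owner"],
                "conflicts": conflicts}
    if not chain:
        return {"decision": "auto_approved", "approvers": [], "conflicts": []}
    return {"decision": "pending", "approvers": chain, "conflicts": []}


if __name__ == "__main__":
    print(evaluate_request(set(), "wiki_read"))
    print(evaluate_request(set(), "linux_prod_root"))
    print(evaluate_request({"erp_ap_create_vendor"}, "erp_ap_release_payment"))
```

A requester who already creates vendors and asks for payment release is blocked with the conflicting entitlement named, the uncritical wiki access is approved without any step, and root on production goes through the two-stage chain.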

Governance also covers business roles, an important aspect of functionality. In contrast to Identity Management, which focuses on administrative efficiency and automation, Governance focuses on the entire role life cycle (Kuppinger & Singh, Access Governance & Intelligence, 2018, p. 12). According to Kuppinger and Singh (2018), roles go through a cycle that is structured as follows. Starting with the role definition, based on internal and external policies, the process moves on to role approval by business, process and role managers. After approval, role creation and role assignment follow, based on the separation of duties and other policy reviews. Restructuring or changed requirements within the company can result in a role change, which, after inspection and approval, must be implemented in a traceable manner. Finally, further analyses can reveal role inefficiencies and lead to optimisation. The traceable deletion and archiving of roles should also be mentioned (p. 12). This entire cycle, in which governance and compliance requirements are observed throughout, is referred to in this technical report as Role Mining and Governance.

2.2 Privileged Access Management

Privileged Access Management, as a special area of Identity and Access Management, deals with the identification, securing and management of privileged credentials and the resulting access to the entire IT infrastructure of a company (Singh, 2019, p. 6). This applies to all privileged access, whether with personal, impersonal or shared accounts, and regardless of whether the access is to an on-premise or a cloud infrastructure. Gaehtgens et al. (Magic Quadrant for Privileged Access Management, 2018) add that a company's compliance requirements can only be met if privileged access is handled securely (p. 1).

Unlike IAM, which generally looks at identities and their personal permissions, PAM focuses on managing shared and technical accounts as well as the personal accounts of users with elevated permissions, with the aim of restricting privileged access and preventing the spread of passwords (Kuppinger, Integrating Password and Privilege Management for Unix and Linux Systems, 2019, p. 5). In general, there are two broad approaches to PAM: privileged access with a personal admin account, and privileged access with an impersonal privileged account that is used by one or more people. In Fig. 4, Kuppinger (2019) illustrates the areas covered by PAM (p. 5). The green area is the one that matters most for PAM; it ranges from personal and shared accounts with elevated permissions to shared accounts with standard permissions:


Fig. 4: Areas in which Privileged Access Management operates
Source: based on Kuppinger (Kuppinger, Integrating Password and Privilege Management for Unix and Linux Systems, 2019, p. 5)

Gaehtgens et al. (Gaehtgens, Gardner, Taylor, Data, & Kelley, 2018, p. 4) see the main role of PAM for the organisation as being to:

"provide secure privileged access to critical assets and meet compliance requirements by managing and monitoring privileged accounts and access".

The main task of PAM is therefore the administration and monitoring of privileged accounts and their access to the critical IT infrastructure of a company. Gaehtgens et al. (Gaehtgens, Gardner, Taylor, Data, & Kelley, 2018) break the functional requirements down into general use cases and those that specifically target the access of users or of services and applications (p. 4). Singh (Privileged Access Management, 2019) does not make this distinction explicitly, but summarises all functionalities in a general overview (p. 9). In this technical report, Singh's overview in Fig. 5 provides the framework for the main functionalities of PAM and is used for the further analyses. The following remarks are partly supplemented by definitions from Gaehtgens et al. (Magic Quadrant for Privileged Access Management, 2018):

[Fig. 4 labels (figure above): axes personal / shared and standard / elevated; Standard User Account, Power User, Root, Functional Accounts; Privileged Account Management; Elevation Management]


Fig. 5: Blueprint of the architecture of PAM
Source: based on Singh (Singh, 2019, p. 9)
[Figure; components shown: Privileged Session Management (PSM); Session Recording and Monitoring (SRM); Authentication (Users & Services); Shared Account Password Management (SAPM); Application-to-Application Password Management (AAPM); Controlled Privilege Elevation and Delegation Management (CPEDM); Privileged User Behavior Analytics (PUBA); Privileged Access Governance (PAG); Endpoint Privilege Management (EPM); Privilege Account Discovery and Life Cycle Management (PADLM)]

According to Gaehtgens et al. (Magic Quadrant for Privileged Access Management, 2018, p. 25), PAM begins with identifying and understanding what the privileged accounts are and which resources they can access, because only what is known can be managed or controlled. Singh (Privileged Access Management, 2019) summarises this functionality under Privilege Account Discovery and Life Cycle Management (PADLM). PADLM identifies software and service accounts as well as shared and other privileged accounts. It also detects unencrypted, plain-text credentials stored anywhere in the IT infrastructure. Further tasks include managing the life cycle of these accounts, tracking their owners, detecting changes, and triggering actions or notifications based on them (p. 8).
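As an added example of the discovery step (not code from the report or from any PAM product), the following Python script does what a PADLM agent does on a single Linux host: it enumerates privileged accounts from the account database and the sudo policy (uid 0, membership of the administrative groups, sudo rules, with NOPASSWD and unrestricted "ALL" rules called out), flags privileged accounts that have no registered owner, and scans files for plain-text credentials. The same scanner serves the "identify hard-coded credentials" step of AAPM later in this chapter. The passwd, group and sudoers content, the owner registry and the scanned files are constructed sample data embedded in the script; the regular expressions are heuristics, not a complete secret-detection ruleset.

```python
"""Privileged account discovery (PADLM): enumerate who is privileged on a
Linux host from its account database and sudo policy, flag accounts with no
registered owner, and scan files for plain-text credentials.

Added example, not code from the IPG report or any product it cites. The
passwd/group/sudoers content, the owner registry and the scanned files are
constructed sample data; the regexes are heuristics only.
"""
import re

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second uid-0 account:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
deploy:x:1001:1001::/srv/deploy:/bin/sh
backup:x:1002:1002::/var/backup:/usr/sbin/nologin
"""

GROUP = """\
root:x:0:
wheel:x:10:alice
sudo:x:27:deploy
"""

SUDOERS = """\
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app
backup ALL=(root) NOPASSWD: /usr/local/bin/run-backup.sh
"""

# Constructed owner registry (the "who is responsible" part of PADLM).
OWNERS = {"root": "platform-team", "alice": "alice", "deploy": "ci-team"}

# Constructed files, as a discovery agent would read them from disk.
FILES = {
    "deploy.sh": "#!/bin/sh\nexport DB_PASSWORD='Sup3rSecret!'\n"
                 "mysql -u app -pSup3rSecret! appdb\n",
    "app.properties": "db.url=jdbc:postgresql://db/app\ndb.password = hunter2\n",
    "settings.py": "DATABASE_URL = 'postgres://app:hunter2@db/app'\nDEBUG = False\n",
    "README.md": "Set the password via the environment; never commit it.\n",
}

ADMIN_GROUPS = ("wheel", "sudo")


def privileged_accounts():
    """Map each privileged account to the reasons it counts as privileged."""
    groups = {}
    for line in GROUP.splitlines():
        name, _, _, members = line.split(":")
        groups[name] = set(filter(None, members.split(",")))

    reasons = {}
    for line in PASSWD.splitlines():
        name, _, uid, *_ = line.split(":")
        if uid == "0":  # any uid-0 account is root, whatever it is called
            reasons.setdefault(name, []).append("uid 0")

    for g in ADMIN_GROUPS:
        for member in sorted(groups.get(g, ())):
            reasons.setdefault(member, []).append(f"member of {g}")

    for line in SUDOERS.splitlines():
        who, spec = line.split(None, 1)
        targets = groups.get(who[1:], set()) if who.startswith("%") else {who}
        tag = "sudo ALL" if spec.endswith(" ALL") else "sudo (restricted)"
        if "NOPASSWD" in spec:
            tag += ", NOPASSWD"
        for account in sorted(targets):
            reasons.setdefault(account, []).append(tag)
    return reasons


def unowned(accounts):
    """Privileged accounts without a registered owner: orphan candidates."""
    return sorted(a for a in accounts if a not in OWNERS)


SECRET_PATTERNS = [
    ("assignment",   re.compile(r"(?i)(?:password|passwd|pwd|secret|token|api[_-]?key)\s*[:=]\s*['\"]?([^'\"\s]+)")),
    ("url-embedded", re.compile(r"://[^/\s:@]+:([^@\s]+)@")),
    ("cli-flag",     re.compile(r"\s-p(?!\s)(\S+)")),  # mysql -pSECRET style
]


def scan_for_plaintext_credentials(files):
    """Return (file, line number, pattern kind) for every plain-text credential hit."""
    findings = []
    for fname, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for kind, pattern in SECRET_PATTERNS:
                if pattern.search(line):
                    findings.append((fname, lineno, kind))
    return findings


if __name__ == "__main__":
    accounts = privileged_accounts()
    for name, why in accounts.items():
        print(f"{name:8} {'; '.join(why)}")
    print("no owner:", unowned(accounts))
    for finding in scan_for_plaintext_credentials(FILES):
        print("plain-text credential:", *finding)
```

The second uid-0 account and the backup account with a passwordless sudo rule both surface as privileged and unowned, which is exactly the kind of finding the life-cycle part of PADLM then has to assign an owner to or remove; the scanner reports the secrets in the shell script, the properties file and the connection URL but not the README sentence that merely mentions the word "password".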

The term Session Management is used as an umbrella term for various functionalities in PAM. Gaehtgens et al. (Magic Quadrant for Privileged Access Management, 2018, p. 19) mention that there are many different approaches here, ranging from a proxy server, a gateway or an agent to a jump server. Singh (Privileged Access Management, 2019, p. 8) sees Privileged Session Management (PSM) as including the recording and review of the activities of a privileged session on the target systems. PSM can also include authentication, authorisation and Single Sign-On to the target systems; the latter is also called Privileged Single Sign-On. This includes managing the assignment of a session to a user and ad-hoc or pre-approved authorisation (p. 10). Session Recording and Monitoring (SRM) is the extended function of PSM. It offers measures for checking, monitoring or reviewing privileged activities during access, ranging from logging keystrokes, recording video of the session and reading text from the screen by optical character recognition to other additional techniques (Singh, 2019, p. 8).

According to Singh (Privileged Access Management, 2019, p. 8), Shared Account Password Management (SAPM) manages the privileged credentials of shared system, service or application accounts. These passwords, keys or other privileged credentials are stored in an encrypted password vault that is maintained in accordance with policies. The basic prerequisite is that the stored passwords or credentials are set to a random value periodically, on a time- or event-driven basis (for example after every check-in), or are issued as one-time passwords. Unlike Gaehtgens et al. (Magic Quadrant for Privileged Access Management, 2018, p. 2), who summarise these functionalities generally under Privileged Account Management and do not explicitly mention the term Shared Account, Singh (Privileged Access Management, 2019) defines Password Management only for shared accounts. This suggests that Password Management for personal accounts is handled by the Access Management functionalities and lies outside PAM. As an extension of SAPM, there is the functionality for privileged access that is initiated by applications and involves no direct user interaction. According to Singh (Privileged Access Management, 2019), Application-to-Application Password Management (AAPM) manages the service accounts used for the direct communication of applications or systems with other applications or systems. For this purpose, all hard-coded credentials in application code, scripts and other configuration files are removed and instead made available at run time. Here, too, the identification of hard-coded credentials in scripts and other configurations is an important aspect (p. 8).

The functionality that Singh (Privileged Access Management, 2019) defines under the term Controlled Privilege Elevation and Delegation Management (CPEDM) enables a controlled elevation of a user's permissions to those of a privileged user, so that he or she can carry out the necessary administrative work (p. 8). As an additional measure, according to Gaehtgens et al. (Magic Quadrant for Privileged Access Management, 2018), the commands entered are monitored on the host and their execution is restricted (p. 2).
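As an added example of controlled elevation with command restriction (not code from the report, from sudo, or from any PAM product), the following Python script evaluates a sudoers-like policy per request and writes every decision to an audit log. It shows the two mistakes that defeat command restriction in practice: elevating a binary that offers a shell escape, and matching on a path that has not been normalised so that a wildcard rule can be walked out of with "..". The policy rules, user and group names, command paths and the shell-escape list are constructed assumptions for the demonstration.

```python
"""Controlled privilege elevation with command restriction: a sudoers-like
policy evaluated per request, with every decision written to an audit log.

Added example, not code from the IPG report, sudo, or any PAM product. The
policy, principals, command paths and the shell-escape list are constructed.
"""
import fnmatch
import os
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    principal: str                # "alice" for a user, "%ops" for a group
    run_as: str                   # target account the command runs as
    command: str                  # absolute path; fnmatch wildcards allowed
    args: Optional[tuple] = None  # None: any arguments; tuple: exactly these


# Constructed policy. Note the exact-argument rule for systemctl: elevating
# "systemctl" with any arguments would allow "systemctl stop sshd" as well.
POLICY = [
    Rule("%ops", "root", "/usr/bin/systemctl", ("restart", "app")),
    Rule("%ops", "root", "/usr/bin/journalctl"),
    Rule("alice", "postgres", "/usr/bin/psql"),
    Rule("%ops", "root", "/opt/app/bin/*"),
]

# Binaries that hand out an interactive shell when run elevated (vim's :!sh,
# less's !command). Elevating these defeats command restriction entirely.
SHELL_ESCAPES = {"/usr/bin/vim", "/usr/bin/less", "/usr/bin/more", "/bin/sh", "/bin/bash"}


def _principal_matches(principal, user, groups):
    if principal.startswith("%"):
        return principal[1:] in groups
    return principal == user


def evaluate(user, groups, run_as, argv, audit_log):
    """Return True if `user` may run `argv` as `run_as`; log the decision either way."""
    # Normalise before matching so "/opt/app/bin/../../../bin/sh" cannot slip
    # through the wildcard rule for /opt/app/bin/*.
    command = os.path.normpath(argv[0])
    args = tuple(argv[1:])
    decision, reason = "deny", "no matching rule"
    if not command.startswith("/"):
        reason = "command must be an absolute path (PATH hijacking)"
    elif command in SHELL_ESCAPES:
        reason = "binary offers a shell escape"
    else:
        for rule in POLICY:
            if not _principal_matches(rule.principal, user, groups):
                continue
            if rule.run_as != run_as:
                continue
            if not fnmatch.fnmatchcase(command, rule.command):
                continue
            if rule.args is not None and rule.args != args:
                continue
            decision, reason = "allow", f"rule {rule.principal} {rule.command}"
            break
    audit_log.append(
        f"user={user} run_as={run_as} cmd={' '.join(argv)} decision={decision} reason={reason}"
    )
    return decision == "allow"


if __name__ == "__main__":
    log = []
    requests = [
        ("bob", {"ops"}, "root", ["/usr/bin/systemctl", "restart", "app"]),
        ("bob", {"ops"}, "root", ["/usr/bin/systemctl", "stop", "sshd"]),
        ("bob", {"ops"}, "root", ["/usr/bin/vim", "/etc/sudoers"]),
        ("bob", {"ops"}, "root", ["/opt/app/bin/../../../bin/sh"]),
        ("bob", {"ops"}, "root", ["systemctl", "restart", "app"]),
        ("alice", set(), "postgres", ["/usr/bin/psql", "-c", "select 1"]),
        ("alice", set(), "root", ["/usr/bin/psql"]),
    ]
    for req in requests:
        evaluate(*req, log)
    print("\n".join(log))
```

The audit line records the command exactly as requested (not the normalised form), so a reviewer can later see the traversal attempt rather than only the path it resolved to.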

The management of endpoints is not mentioned directly by Gaehtgens et al. (Magic Quadrant for Privileged Access Management, 2018), but can partly be found under CPEDM. Singh (Privileged Access Management, 2019, p. 8) summarises these measures under his own term, Endpoint Privilege Management (EPM). By endpoints, Singh means desktop PCs, servers and other network devices. EPM minimises the IT security risks originating from these endpoints by monitoring and controlling local administrator privileges. Singh (p. 9) primarily sees three technical possibilities for this:

1. Application Control: controlling which applications are allowed to run on a device. Using an allowlist (whitelist) or blocklist (blacklist) approach, a list of permitted or forbidden applications is defined, and applications are executed or blocked accordingly (p. 9).

2. Sandboxing: unknown applications or programs are executed in isolation in a controlled environment and checked for possible malware (p. 9).

3. Privilege Management: with User Privilege Management, on the one hand, elevated local administration permissions are allocated in a controlled and monitored way. With Application Privilege Management, on the other hand, individual applications are assigned administrator permissions on the basis of approved exceptions, supported by policies, so that the application can run successfully without the user holding administrator rights (p. 9).

Finally, it should be possible for the data gathered from PSM and EPM to be used to analyse user behaviour and to support auditing and the control of monitoring compliance. Singh (Privileged Access Management, 2019, S. 8) sees Privileged User Behaviour Analytics (PUBA) as being the measures of using data analysis techniques in order to identify anomalies in relation to specified behaviour profiles of administrators or administrator groups or roles. Singh (Privileged Access Management, 2019, S. 8) defines the functionalities of Privileged Access Governance (PAG) for ensuring governance. PAG includes the provision of various reports and views and certain audit functions. An important aspect of this is tracing approval processes or completed attestations of privileged access.
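As an added example of the PUBA approach described above (not code from the report or from any PAM product), the following builds a behaviour profile per administrator role from constructed historical session records and reports the deviations found in new sessions; the record fields, the sample sessions and the thresholds are assumptions.

```python
"""Privileged User Behaviour Analytics over session records.

Added illustration of PUBA; not from the report or any PAM product.  Record
fields, the constructed sessions and the thresholds are assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass(frozen=True)
class Session:
    user: str
    role: str              # administrator group/role, e.g. "dba"
    host: str              # target system reached through the PAM session
    hour: int              # local hour of the session start (0-23)
    minutes: int           # session duration
    commands: tuple        # commands captured by Session Recording and Monitoring


@dataclass
class Profile:
    """Behaviour profile of one role, learned from historical sessions."""
    hours: Counter = field(default_factory=Counter)
    hosts: Counter = field(default_factory=Counter)
    commands: Counter = field(default_factory=Counter)
    durations: list = field(default_factory=list)


def build_profiles(history):
    profiles = defaultdict(Profile)
    for s in history:
        p = profiles[s.role]
        p.hours[s.hour] += 1
        p.hosts[s.host] += 1
        p.commands.update(s.commands)
        p.durations.append(s.minutes)
    return profiles


def score_session(s, p, min_support=2):
    """List the deviations of a session from its role profile (empty = normal)."""
    reasons = []
    if p.hours[s.hour] < min_support:
        reasons.append(f"unusual hour {s.hour:02d}:00")
    if p.hosts[s.host] < min_support:
        reasons.append(f"unusual host {s.host}")
    novel = sorted(c for c in set(s.commands) if p.commands[c] == 0)
    if novel:
        reasons.append("commands never seen for role: " + ", ".join(novel))
    if len(p.durations) >= 2:
        limit = mean(p.durations) + 3 * pstdev(p.durations)
        if s.minutes > limit:
            reasons.append(f"duration {s.minutes} min exceeds {limit:.0f} min")
    return reasons


def detect_anomalies(history, new_sessions):
    """Return [(session, reasons)] for every new session that deviates from its role."""
    profiles = build_profiles(history)
    alerts = []
    for s in new_sessions:
        if s.role not in profiles:
            alerts.append((s, [f"no baseline for role {s.role}"]))
            continue
        reasons = score_session(s, profiles[s.role])
        if reasons:
            alerts.append((s, reasons))
    return alerts


# Constructed history: two DBAs working office hours on two database hosts.
HISTORY = [
    Session("alice", "dba", "db01", 9, 35, ("sqlplus", "rman", "tail")),
    Session("alice", "dba", "db02", 10, 40, ("sqlplus", "tail")),
    Session("bob", "dba", "db01", 9, 30, ("sqlplus", "rman")),
    Session("bob", "dba", "db02", 14, 45, ("rman", "tail")),
    Session("alice", "dba", "db01", 14, 38, ("sqlplus",)),
    Session("bob", "dba", "db02", 10, 42, ("sqlplus", "rman", "tail")),
]
# Constructed new sessions: one normal, one deviating in every dimension,
# one from a role that has no baseline yet.
NEW_SESSIONS = [
    Session("alice", "dba", "db01", 10, 36, ("sqlplus", "tail")),
    Session("bob", "dba", "db07", 2, 180, ("sqlplus", "useradd", "scp")),
    Session("carol", "network", "sw01", 11, 20, ("show running-config",)),
]

if __name__ == "__main__":
    for s, reasons in detect_anomalies(HISTORY, NEW_SESSIONS):
        print(f"{s.user}@{s.host}: " + "; ".join(reasons))
```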

  • Chapter: Covering the Requirements of ISO 27001 11

2.3 ISO Standards for Information Security

The international standardisation organisations, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), have developed standards for information security and have summarised these in the ISO/IEC 2700x series. This ISMS family of standards is intended for organisations of all types and sizes in order to support the implementation and operation of an ISMS (Norm ISO/IEC 27000, 2016). Only the ISO/IEC 27001 standard will be of importance for this technical report. Outside of the Basic Principles chapter, only the short form, "ISO", is used for the standards, for reasons of better readability.

The ISO/IEC 27001 security standard is one of the most important standards in information security and describes the requirements for an information security management system (ISMS) that ensures that the company's security objectives are achieved. In Annex A, the standard outlines a comprehensive catalogue of action goals and measures which must be used in order to deal with information security risks (Norm ISO/IEC 27001, 2013 + Cor. 1:2014). These action goals and related measures are divided into 14 sections, as shown in Fig. 6:

Fig. 6: The 14 sections of ISO/IEC 27001: A.5 Information Security Policies; A.6 Organisation of Information Security; A.7 Human Resource Security; A.8 Asset Management; A.9 Access Control; A.10 Cryptography; A.11 Physical and Environmental Security; A.12 Operations Security; A.13 Communications Security; A.14 System Acquisition, Development and Maintenance; A.15 Supplier Relationships; A.16 Information Security Incident Management; A.17 Information Security Aspects of Business Continuity Management; A.18 Compliance

3 Covering the Requirements of ISO 27001

This chapter analyses the requirements of ISO 27001 and assesses the extent to which the action goals from Annex A can be covered by the functionalities of PAM.

In the practical guide for implementing an ISMS in accordance with ISO 27001, ISACA Germany Chapter e.V. (Implementierungsleitfaden ISO/IEC 27001:2013, 2016, S. 13) states: "One of the first tasks when implementing an ISMS is to define the specific scope of the management system and to carry out an analysis of requirements and the environment with a view to the organisation and its stakeholders" (S. 13). One of the relevant documents for outlining the scope and extent of the ISMS is the statement of applicability, SoA (ISACA Germany Chapter e.V., 2016, S. 13). As a result, all measures that support the action goals of ISO 27001 through the functionality of PAM can be applied in the SoA.

3.1 Privileged Access Management (PAM) in the context of ISO 27001

Providing a summary, Fig. 7 shows the sections of ISO 27001 which are directly (green) and indirectly (green and white hatched) supported by the functionalities of PAM.

Fig. 7: Action goals supported by PAM in the sections of ISO 27001

The following chapters do not go any further into the sections (white) of ISO 27001 where PAM cannot directly or indirectly support the action goals. However, section 8 of ISO 27001, Asset Management, does still require a special mention. Although the requirements it contains cannot be covered by the functionalities of PAM, the action goal of information classification is essential for PAM. Only once this goal is achieved, ensuring "... that information receives an appropriate level of protection in relation to its importance for the organisation" (Norm ISO/IEC 27001, S. 18), can normal and privileged objects within a company be distinguished. It is only possible to determine an area of application for PAM, as in Fig. 4, and to define necessary and efficient measures for this in order to protect access to information, if this information can be used to derive a protection requirement and significance for the organisation. Otherwise PAM cannot meet the requirement for risk-based and efficient implementation.

3.2 Information Security Policies (A.5)

Although PAM cannot support the process from the definition to the publication of information security policies, it can implement and monitor the rules required therein (Norm ISO/IEC 27001, 2013 + Cor. 1:2014, S. 16). On the one hand, policies can be mapped directly (●) in PAM, and compliance with them can be technically ensured; on the other hand, Privileged Access Governance offers the possibility of understanding the use of privileged access.


Session Recording and Monitoring also indirectly (○) helps ensure that the information security policies are checked based on the correct data, by ensuring the integrity of the recorded information. Session Recording and Monitoring also offers the necessary measures to monitor and control privileged activities during access. This can, for example, prevent information that is necessary for traceability from being changed or deleted intentionally or as a result of incorrect manipulation. The effectiveness of a policy is also assessed by detecting violations caused by the circumvention of such policies by means of privileged access.

Requirement | Applicable measures (● direct, ○ indirect)
A.5.1.2 Review of the Policies for Information Security | ● Privileged User Behaviour Analytics; ● Privileged Access Governance; ○ Session Recording and Monitoring

Tab. 1: Applicability of PAM to Section 5 of ISO 27001

3.3 Organisation of Information Security (A.6)

Privileged Account Discovery and Life Cycle Management supports the definition and assignment of responsibilities of privileged accounts and monitors them over their entire life cycle. As a prerequisite for this, Privilege Account Discovery and Life Cycle Management can identify privileged accounts and helps with the risk-based assessment of information worth protecting as well as with the subsequent definition of specific information security processes and measures for such access requests.

The creation and introduction of a policy on mobile devices [1] required by ISO 27001 (2013 + Cor. 1:2014, S. 17) forms the basis for how risks must be dealt with and what measures are necessary. PAM supports compliance with the policies by implementing security measures from Endpoint Privilege Management. For example, the software installation can be regulated or restricted with the help of the white or blacklist approach of Application Control, or by using controlled assignment of increased local administration permissions. Sandboxing also offers additional protection against malware by running unknown applications or programs in an isolated environment and checking for harmful content.

Requirement | Applicable measures (● direct, ○ indirect)
A.6.1.1 Information Security Roles and Responsibilities | ● Privilege Account Discovery and Life Cycle Management
A.6.2.1 Mobile Device Policy | ● Endpoint Privilege Management

Tab. 2: Applicability of PAM to Section 6 of ISO 27001

3.4 Access Control (A.9)

Privileged Session Management ensures that the assignment of access rights or the password to a privileged shared account only takes place after the approval process has been completed. On the other hand, it is equally ensured that access is revoked after the work is done, or the password is changed.

"The allocation and use of privileged access rights shall be restricted and controlled" (Norm ISO/IEC 27001, 2013 + Cor. 1:2014, S. 20). This is the ISO 27001 measure for the administration of privileged access rights. It contains the overarching goal of PAM and is therefore effectively supported by various functionalities. Privilege Account Discovery and Life Cycle Management helps identify privileged access rights and thus defines what should be restricted and controlled. Privileged Session Management can be used to implement the required approval processes, and Shared Account Password Management can be used to implement the event-related assignment of access rights for shared accounts. Restrictions and controls during the access activity are generally supported using Session Recording and Monitoring. Controlled Privilege Elevation and Delegation Management ensures that general administrator rights are not misused and thus that access is monitored and restricted.

[1] ISO 27001 (Norm ISO/IEC 27001, 2013 + Cor. 1:2014, S. 17) defines mobile devices as follows: "Mobile devices include all types of mobile end devices (smartphones, tablets, laptops, netbooks, etc.)"

Privilege Account Discovery and Life Cycle Management helps review user access rights, because the changes to privileged accounts are monitored accordingly and subject to notifications. In addition, Privileged Access Governance offers the possibility of checking the approval processes, attestations and the status of privileged accounts using various reports.

Privileged Session Management allows restricted access of privileged accounts to information and application system functions in accordance with the access control policy. This is required by ISO 27001 under the general action goal of preventing unauthorised access to systems and applications (Norm ISO/IEC 27001, 2013 + Cor. 1:2014, S. 20).

PAM has no influence on the login procedure of a system or an application, but, with Privileged User Behaviour Analytics, it helps to detect unauthorised login attempts or to identify anomalies by analysing a user's behaviour. Suspected abuse can thus be reported. All of this indirectly helps to secure the login procedure.

Both Shared Account Password Management and Application-to-Application Password Management are systems for administering passwords that provide the login data in an interactive manner and perform a password change before or after each use. By defining a password policy, the use of strong passwords is also enforced.
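As an added example of the approval-gated release and post-use rotation that the paragraphs above attribute to Privileged Session Management and Shared Account Password Management (not code from the report or from any PAM product), the following models a shared account vault with an enforced password policy; the account names, the in-memory store, the four-eyes rule and the policy values are assumptions.

```python
"""Shared Account Password Management: approval-gated checkout and rotation.

Added illustration; not from the report or any PAM product.  The in-memory
store, the four-eyes rule, account names and policy values are assumptions.
"""
import secrets
import string
from dataclasses import dataclass, field

ALPHABET = string.ascii_letters + string.digits + "!$%&*+-=?@_"


class CheckoutError(Exception):
    """A request violates the checkout rules."""


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 20
    min_classes: int = 4  # lower, upper, digit, symbol

    def complies(self, pw: str) -> bool:
        classes = (any(c.islower() for c in pw) + any(c.isupper() for c in pw)
                   + any(c.isdigit() for c in pw) + any(not c.isalnum() for c in pw))
        return len(pw) >= self.min_length and classes >= self.min_classes

    def generate(self) -> str:
        while True:  # rejection sampling keeps generated passwords compliant
            pw = "".join(secrets.choice(ALPHABET) for _ in range(self.min_length))
            if self.complies(pw):
                return pw


@dataclass
class SharedAccountVault:
    policy: PasswordPolicy = field(default_factory=PasswordPolicy)
    passwords: dict = field(default_factory=dict)  # account -> current password
    requests: dict = field(default_factory=dict)   # request id -> state
    audit: list = field(default_factory=list)      # (event, account, actor)

    def onboard(self, account):
        self.passwords[account] = self.policy.generate()
        self.audit.append(("onboard", account, None))

    def request(self, account, requester, reason):
        rid = secrets.token_hex(8)
        self.requests[rid] = {"account": account, "requester": requester,
                              "reason": reason, "approved_by": None, "released": False}
        self.audit.append(("request", account, requester))
        return rid

    def approve(self, rid, approver):
        r = self.requests[rid]
        if approver == r["requester"]:
            raise CheckoutError("four-eyes principle: requester cannot approve own request")
        r["approved_by"] = approver
        self.audit.append(("approve", r["account"], approver))

    def checkout(self, rid, requester):
        """Release the password once, to the requester, and only after approval."""
        r = self.requests[rid]
        if r["requester"] != requester or r["approved_by"] is None or r["released"]:
            raise CheckoutError("not approved, already released or wrong requester")
        r["released"] = True
        self.audit.append(("checkout", r["account"], requester))
        return self.passwords[r["account"]]

    def checkin(self, rid):
        """Close the request and rotate the password; True if it changed."""
        r = self.requests.pop(rid)
        old = self.passwords[r["account"]]
        self.passwords[r["account"]] = self.policy.generate()
        self.audit.append(("rotate", r["account"], r["requester"]))
        return self.passwords[r["account"]] != old


def run_checkout_cycle():
    """One shared account through request, approval, use and rotation."""
    vault = SharedAccountVault()
    vault.onboard("oracle@db01")
    rid = vault.request("oracle@db01", "alice", "apply patch")
    out = {}
    try:
        vault.checkout(rid, "alice")  # no approval yet
        out["unapproved_rejected"] = False
    except CheckoutError:
        out["unapproved_rejected"] = True
    try:
        vault.approve(rid, "alice")   # requester approving herself
        out["self_approval_rejected"] = False
    except CheckoutError:
        out["self_approval_rejected"] = True
    vault.approve(rid, "bob")
    pw = vault.checkout(rid, "alice")
    out["policy_ok"] = vault.policy.complies(pw)
    out["rotated"] = vault.checkin(rid)
    out["events"] = [event for event, _, _ in vault.audit]
    return out
```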

As a further requirement of access control for systems and applications, ISO 27001 (2013 + Cor. 1:2014, S. 20) requires a measure to restrict and monitor the use of utility programs that could be able to circumvent system and application protection measures. Controlled Privilege Elevation and Delegation Management can restrict the installation of such programs for users, and such installations can be checked during a prior approval process. The measures taken by Endpoint Privilege Management to protect against malware are not mentioned here, since when we talk of utility programs, we assume that these are instances of software without malicious code.

The ISO 27001 requirement (2013 + Cor. 1:2014, S. 20) to restrict access to the source code of programs is mainly to be controlled using Source Code Management (SCM). However, PAM can ensure that employees do not have unrestricted access to software source code libraries. In addition, Session Recording and Monitoring can be used to impose further restrictions, by recording and controlling commands during access.

Requirement | Applicable measures (● direct, ○ indirect)
A.9.2.2 User Access Provisioning | ● Privileged Session Management
A.9.2.3 Management of Privileged Access Rights | ● Privilege Account Discovery and Life Cycle Management; ● Privileged Session Management; ● Shared Account Password Management; ● Controlled Privilege Elevation and Delegation Management; ● Session Recording and Monitoring
A.9.2.5 Review of User Access Rights | ● Privilege Account Discovery and Life Cycle Management; ● Privileged Access Governance
A.9.4.1 Information Access Restriction | ● Privileged Session Management
A.9.4.2 Secure Log-On Procedures | ○ Privileged User Behaviour Analytics
A.9.4.3 Password Management System | ● Shared Account Password Management; ● Application-to-Application Password Management
A.9.4.4 Use of Privileged Utility Programs | ● Controlled Privilege Elevation and Delegation Management
A.9.4.5 Access Control to Program Source Code | ● Privileged Session Management; ● Session Recording and Monitoring

Tab. 3: Applicability of PAM to Section 9 of ISO 27001

3.5 Operations Security (A.12)

The requirements for change management in ISO 27001 (2013 + Cor. 1:2014, S. 23) mainly relate to the change management process, which has to be determined and controlled by the organisation of a company and is not directly related to PAM. The changes in the operating environment must always be done with privileged access, where PAM can offer various measures. In particular, recording privileged activities during the implementation of changes using Session Recording and Monitoring ensures traceability and logging.

Endpoint Privilege Management offers the appropriate detection and prevention measures for protection against malware, although the recovery process is not supported by a PAM functionality. As a possible detection measure, the Sandboxing approach is used, which detects malicious code using isolated execution. As a preventive measure, Application Control can be used to keep a positive list or a negative list of applications.

The logging and monitoring action goal in ISO 27001 (2013 + Cor. 1:2014, S. 23), which aims for events to be recorded and evidence generated, is implemented by Privileged Session Management and Session Recording and Monitoring. Using various techniques, event logs are created about the use of privileged access, and these are kept and made available for regular review. ISO 27001 (Norm ISO/IEC 27001, 2013 + Cor. 1:2014, S. 23) also requires that this recorded log information be adequately protected. To do this, it must be ensured that only authorised persons have access to the log information, and that it is not manipulated. Both can be achieved through the combination of ad-hoc or prior approval of the access and subsequent monitoring. The same applies to the administrator and operator logs, which are again specifically mentioned in ISO 27001 (Norm ISO/IEC 27001, 2013 + Cor. 1:2014, S. 24).
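One way to give recorded session data the tamper evidence that the log-protection requirement above calls for (and that section 3.2 relies on when it speaks of the integrity of the recorded information), as an added example that is not code from the report or from any PAM product: each recorded event is chained to its predecessor by a SHA-256 hash, and a head hash kept outside the recording also detects removal of the newest entries; the event fields and the sample session are constructed.

```python
"""Tamper-evident session recording: a SHA-256 hash chain over recorded events.

Added illustration; not from the report or any PAM product.  The event
fields and the sample session are constructed.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64  # predecessor hash of the first entry


def _digest(seq, prev, event):
    """Hash of position, predecessor and event; canonical JSON keeps it stable."""
    payload = json.dumps({"seq": seq, "prev": prev, "event": event},
                         sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def append_event(chain, event):
    seq = len(chain)
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"seq": seq, "prev": prev, "event": event, "hash": _digest(seq, prev, event)}
    chain.append(entry)
    return entry


def verify_chain(chain, anchored_head=None):
    """Return (ok, first_bad_seq).  anchored_head is the last hash kept in a
    separate store; without it, removing the newest entries goes unnoticed."""
    prev = GENESIS
    for seq, entry in enumerate(chain):
        if (entry["seq"] != seq or entry["prev"] != prev
                or _digest(seq, prev, entry["event"]) != entry["hash"]):
            return False, seq
        prev = entry["hash"]
    if anchored_head is not None and prev != anchored_head:
        return False, len(chain)
    return True, None


def build_sample_recording():
    """Constructed events of one privileged session as a recorder would emit them."""
    events = [
        {"ts": "2019-04-02T09:12:03Z", "user": "alice", "account": "root@web01", "type": "session_start"},
        {"ts": "2019-04-02T09:12:41Z", "user": "alice", "account": "root@web01", "type": "cmd", "cmd": "systemctl restart httpd"},
        {"ts": "2019-04-02T09:13:05Z", "user": "alice", "account": "root@web01", "type": "cmd", "cmd": "journalctl -u httpd -n 50"},
        {"ts": "2019-04-02T09:20:17Z", "user": "alice", "account": "root@web01", "type": "session_end"},
    ]
    chain = []
    for e in events:
        append_event(chain, e)
    return chain


def tamper_demo():
    """Verify the intact recording and three manipulated copies of it."""
    chain = build_sample_recording()
    anchor = chain[-1]["hash"]        # head hash stored outside the recording
    edited = copy.deepcopy(chain)
    edited[2]["event"]["cmd"] = "journalctl -u sshd"   # event content altered
    deleted = copy.deepcopy(chain)
    del deleted[1]                                     # middle entry removed
    truncated = chain[:-1]                             # newest entry removed
    return {
        "intact": verify_chain(chain, anchor),
        "edited": verify_chain(edited, anchor),
        "deleted": verify_chain(deleted, anchor),
        "truncated_no_anchor": verify_chain(truncated),
        "truncated_with_anchor": verify_chain(truncated, anchor),
    }
```

The last two results show why the head hash has to live in a separate store: the chain alone stays valid when its tail is cut off.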

Controlled Privilege Elevation and Delegation Management ensures that only administrators or other authorised persons are allowed to perform installation on systems in operation. Using various implementation approaches, Endpoint Privilege Management offers further restrictions on the installation of operating software, applications or programs by users on the endpoints.

For audit activities, Privileged Access Governance can provide various reports and audit functionalities in order to support the audits. Session Recording and Monitoring also indirectly ensures that all instances of access are monitored and logged during an audit, and that a reliable test path is also created.

Requirement | Applicable measures (● direct, ○ indirect)
A.12.1.2 Change Management | ● Session Recording and Monitoring
A.12.2.1 Controls against Malware | ● Endpoint Privilege Management
A.12.4.1 Event Logging | ● Privileged Session Management; ● Session Recording and Monitoring
A.12.4.2 Protection of Log Information | ● Privileged Session Management; ● Session Recording and Monitoring
A.12.4.3 Administrator and Operator Logs | ● Privileged Session Management; ● Session Recording and Monitoring
A.12.5.1 Installation of Software on Operational Systems | ● Controlled Privilege Elevation and Delegation Management
A.12.6.2 Restrictions on Software Installation | ● Endpoint Privilege Management
A.12.7.1 Information System Audit Controls | ● Privileged Access Governance; ○ Session Recording and Monitoring

Tab. 4: Applicability of PAM to Section 12 of ISO 27001

3.6 Supplier Relationships (A.15)

Protecting the assets of a company that are accessible to suppliers is an important requirement for PAM. In many cases, suppliers, as integrators or manufacturers of software and business applications, have the permissions with the highest privileges on the company's systems. It is therefore essential to define and agree information security policies with the supplier. PAM cannot directly support the definition and arrangement of required measures for ensuring information security and the capture of all information security requirements in one policy. However, parts of the measures are indirectly implemented by PAM. The integrity of the information is guaranteed, and the processing of the information is controlled and reproduced, above all by monitoring instances of access through Privileged Session Management and Session Recording and Monitoring.

ISO 27001 (2013 + Cor. 1:2014, S. 27) requires the subsequent definition and agreement of information security requirements with the supplier. Again, this is not part of PAM, but is the responsibility of the company's organisation.

Requirement | Applicable measures (● direct, ○ indirect)
A.15.1.1 Information Security Policy for Supplier Relationships | ○ Privileged Session Management; ○ Session Recording and Monitoring

Tab. 5: Applicability of PAM to Section 15 of ISO 27001

3.7 Information Security Incident Management (A.16)

By monitoring the activities of privileged accounts through Privileged Session Management and Session Recording and Monitoring, information security incidents are automatically detected or essential information is made available to a responsible person for further analysis and assessment. An important point here is the functionality that the action is either prevented automatically or immediate reporting to the appropriate authority is undertaken. This is the only way to ensure that information security events are dealt with effectively by means of immediate assessment and classification. Privileged User Behaviour Analytics can provide additional information for the detection and assessment of information security events through further analysis of user behaviour.

The learnings from information security incidents can lead to possible changes in the illustrated rules for Privileged Session Management and Session Recording and Monitoring, to further measures, or to an improvement in Privileged User Behaviour Analytics. This, in turn, would indirectly result in the achievement of the required reduction in the probability of future incidents occurring.

The procedures required by ISO 27001 (Norm ISO/IEC 27001, 2013 + Cor. 1:2014, S. 28) for the identification, collection, capture and storage of evidence during information security incidents are provided by Privileged Session Management and Session Recording and Monitoring.

Requirement | Applicable measures (● direct, ○ indirect)
A.16.1.1 Responsibilities and Procedures | ● Privileged User Behaviour Analytics; ● Privileged Session Management; ● Session Recording and Monitoring
A.16.1.4 Assessment of and Decision on Information Security Events | ● Privileged User Behaviour Analytics; ● Privileged Session Management; ● Session Recording and Monitoring
A.16.1.6 Learning from Information Security Incidents | ○ Privileged User Behaviour Analytics; ○ Privileged Session Management; ○ Session Recording and Monitoring
A.16.1.7 Collection of Evidence | ● Privileged Session Management; ● Session Recording and Monitoring

Tab. 6: Applicability of PAM to Section 16 of ISO 27001

3.8 Compliance (A.18)

A PAM system indirectly helps when documenting the various requirements the organisation has, by providing an overview of the architecture and other implemented measures of Privileged Access Control through Privileged Access Governance.

Privileged Session Management and Session Recording and Monitoring provide comprehensible information for the independent review of information security, including access records and logs, as well as activities of administrative and privileged users. Privileged Access Governance provides additional audit reports. Furthermore, all of this information is consulted when an independent audit is carried out, and compliance is ensured.

It is not realistic for executives to regularly check compliance with security policies, standards and other security requirements as required by ISO 27001 (2013 + Cor. 1:2014, S. 29) as part of PAM, as this is usually done by selected administrators or a specialist agency.

Requirement | Applicable measures (● direct, ○ indirect)
A.18.1.1 Identification of Applicable Legislation and Contractual Requirements | ○ Privileged Access Governance
A.18.2.1 Independent Review of Information Security | ● Privileged Access Governance; ● Privileged Session Management; ● Session Recording and Monitoring

Tab. 7: Applicability of PAM to Section 18 of ISO 27001

4 Overview of the Degree of Coverage

Fig. 8 illustrates the coverage of the requirements of ISO 27001 by PAM.

Fig. 8: Overview of the coverage of the requirements according to ISO 27001

More than half of the fourteen sections of ISO 27001 have direct points of contact with the PAM subject area. It is striking that in addition to section 9, Access Control – which includes many of the basic requirements of Privileged Access Management – PAM also fulfils a large part of the requirements in section 12. Operations security is therefore an essential aspect of the protective measures available from PAM. Six of the seven action goals are supported directly, making an important contribution to minimising risk in the area of operations security.

Similarly, in the section on Information Security Incident Management, more than half of all measures required by ISO 27001 are supported by PAM. Many of the requirements of section 16 can be supported, among other things, by the possibilities for monitoring and assessing activities in all connected systems.

Although there are some sections in the ISO 27001 standard that are not influenced by PAM measures, they can still have points of contact with the subject areas. For example, a violation of information security determined in PAM can serve as a trigger for the process of measure regulation in section 7. Furthermore, the use of Cryptography (A.10) is a fundamental requirement in the procedures and systems in order for the confidentiality, authenticity and integrity of information to be able to be protected. The same applies to compliance with security requirements in relation to the transmission of information in Communications Security (A.13), which is seen as a prerequisite for the interfaces of PAM. Again, System Acquisition, Development and Maintenance (A.14) must be taken into account, especially when implementing a PAM solution itself. In addition, the handling of test data, as a further action goal from section 14, has a significant influence on the relevance of a test or development environment in relation to the connection through PAM. Finally, the Information Security Aspects of Business Continuity Management (A.17) must also be considered in relation to a PAM system. As an essential part of information security, PAM thus comes into contact with practically all sections of Annex A of the ISO 27001 standard – be it as part of an implemented measure or by including measures from the ISO standard from other security areas.

5 Conclusion

Controlling privileged access is essential for ISO certification, and is much more than just a fig leaf. By introducing PAM, companies "protect" honest and loyal employees. A properly implemented PAM solution increases one's security level and protects against many possible attacks.

PAM projects appear simple at first glance, but they entail changes in administration processes. Many companies make the mistake of introducing PAM across the board for a lot of money, thereby reducing productivity in system administration. It does not have to be that way. The ISO 27001 goals can be achieved with a sense of proportion. Not all servers, databases, network components, etc., need to be monitored. Not all user accounts on these servers are equally at risk. Usually, a simple risk classification of assets, user accounts or even the administrators helps to keep the scope in check. With delimitations of this nature, introducing PAM provides a sense of achievement for everyone involved and ensures the long-term protection of data.

6 Portrait

6.1 Stefan Huber

Stefan Huber has been working as an IAM expert for the IPG Group since 2014 and, as a senior technical consultant, supports companies in advising, implementing, introducing, and training for, customised IAM solutions. As part of his master's thesis for his "Master of Advanced Studies in Information & Cyber Security", he examined how IAM and PAM can meet the IT security objectives under ISO/IEC 27001.

6.2 IPG Group

The IPG Group specialises in design, integration, operation and training relating to IAM solutions. The company, founded in Winterthur in 2001, now offers solutions for comprehensive protection of user data as well as data and physical access rights in its branches in Germany and Austria. Customers include companies from all industries, as well as public administration organisations. IPG is the preferred partner for major software manufacturers in Switzerland, Germany and Austria and employs around 90 people. www.ipg-group.com

7 Sources Used

Brenner, M., Gentschen Felde, N., Hommel, W., Metzger, S., Reiser, H., & Schaaf, T. (2014). Praxisbuch ISO/IEC 27001, Management der Informationssicherheit und Vorbereitung auf die Zertifizierung. Carl Hanser Verlag München.

Gaehtgens, F., Gardner, D., Taylor, J., Data, A., & Kelley, M. (2018). Magic Quadrant for Privileged Access Management. Gartner Research.

Gaehtgens, F., Kampman, K., & Iverson, B. (2018). Magic Quadrant for Identity Governance and Administration. Gartner Research.

Gartner, Inc. (17 May 2019). Gartner Research. Retrieved from https://www.gartner.com/en/research/methodologies

Gartner, Inc. (17 May 2019). IT Glossary. Retrieved from https://www.gartner.com/it-glossary/identity-and-access-management-iam

Hill, R., & Kuppinger, M. (2019). Access Management and Federation. KuppingerCole.

ISACA Germany Chapter e.V. (2016). Implementierungsleitfaden ISO/IEC 27001:2013.

Kreizman, G. (2018). Magic Quadrant for Access Management, Worldwide. Gartner Research.

Kuppinger, M. (2019). Integrating Password and Privilege Management for Unix and Linux Systems. KuppingerCole.

Kuppinger, M., & Singh, A. (2018). Access Governance & Intelligence. KuppingerCole.

Kuppinger, M., & Singh, A. (2018). Identity Governance & Administration. KuppingerCole.

Norm ISO/IEC 27000. (2016). Informationstechnik - Sicherheitsverfahren - Informationssicherheits-Managementsysteme - Überblick und Terminologie.

Norm ISO/IEC 27001. (2013 + Cor. 1:2014). Informationstechnik – IT-Sicherheitsverfahren – Informationssicherheits-Managementsysteme – Anforderungen. Retrieved April 2019.

Singh, A. (2019). Privileged Access Management. KuppingerCole.