CIS Critical Security Controls: The Role of PAM

The Center for Internet Security (CIS), the non-profit whose mission is to “enhance the cyber security readiness and response of public and private sector entities,” publishes “The CIS Critical Security Controls for Effective Cyber Defense.” This control framework is applicable to any enterprise, but it is particularly well-suited to data security challenges in the healthcare industry. Healthcare organizations like Butler Health, for example, use the CIS controls to defend against cybercrime.

Comprising 20 controls, the CIS Critical Security Controls touch on virtually every aspect of cybersecurity.

Although the CIS controls cover many areas, a large share of them directly relate to or require Privileged Access Management (PAM). Of the 20 controls, one is specifically about PAM, while the other 19 are influenced by or realistically require PAM.

Understanding PAM in the CIS Controls

PAM refers to a group of technologies and practices that monitor and manage privileged or administrative access to critical systems. A privileged user is a person who can modify system configurations and user accounts, access confidential data, and so forth. Privileged users in healthcare are the people who set up and delete user accounts on electronic medical records (EMR) systems and the like.

Given the level of access and control they have over systems that manage confidential patient information, privileged account users in healthcare expose the organization to risk. Whether through external attack, internal malfeasance, or simple error, a privileged user can be the vector of a serious data breach.

CSC Control #5 deals directly with PAM issues, covering “Controlled Use of Administrative Privileges.” An effective PAM solution is essential for implementing CSC Control #5 because it enables security managers to grant and withdraw administrative privileges to individuals for any system. PAM solutions also monitor back-end logins and alert administrators about privileged sessions that do not comply with access policies, e.g. why is a maintenance worker trying to log into the back end of the hospital pharmacy system?

Control sub-section 5.1, “Minimize administrative privileges and only use administrative accounts when they are required,” is a policy statement. A PAM solution can define and enforce the corresponding policy rules according to the principle of least privilege, and provide an audit trail to demonstrate compliance. Sub-section 5.2, “Use automated tools to inventory all administrative accounts and validate that each person with administrative privileges on desktops, laptops, and servers is authorized by a senior executive,” effectively requires a PAM solution in order to adopt the framework, since it provides complete, centralized visibility over all privileged users, accounts, and access rights. PAM solutions also offer discovery features to identify privileged accounts across a network.

The other sub-sections of the framework are realistically only achievable with a PAM solution. One could manually handle controls like 5.3, “Change all default passwords for applications, operating systems, routers, firewalls, wireless access points, and other systems to have values consistent with administration-level accounts,” but it would be a very inefficient and error-prone process. Automatically rotating all passwords and further restricting access to critical resources through an approval workflow is crucial to meeting this control. Other sub-sections align with a PAM solution in the following ways:

  • 5.4 “Configure systems to issue a log entry and alert when an account is added to or removed from a domain administrators’ group, or when a new local administrator account is added on a system.” PAM solutions secure, control, and record system access. They are built to ensure that only authorized accounts access a given system, and they enable PAM administrators to control all access levels on the systems they manage.
  • 5.5 “Configure systems to issue a log entry and alert on any unsuccessful login to an administrative account.” As with 5.4, a PAM solution can enforce this control’s requirements. The details of abnormal activity captured in session logs can be further exploited by integrating the PAM solution with a SIEM for greater control.
  • 5.6 “Use multifactor authentication for all administrative access, including domain administrative access.” Some PAM solutions enforce MFA themselves and/or integrate fully with MFA solutions, mitigating both outsider and insider threats.
  • 5.7 “Where multi-factor authentication is not supported, user accounts shall be required to use long passwords on the system (longer than 14 characters).” PAM solutions can manage passwords and enforce password policies, particularly through a password vault and password management features.
  • 5.8 “Administrators should be required to access a system using a fully logged and non-administrative account. Then, once logged on to the machine without administrative privileges, the administrator should transition to administrative privileges using tools such as Sudo on Linux/UNIX, RunAs on Windows, and other similar facilities for other types of systems.” PAM solutions enforce least-privilege connection policies, with the most advanced solutions offering su/sudo injection within SSH sessions.
  • 5.9 “Administrators shall use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be isolated from the organization’s primary network and not be allowed Internet access. This machine shall not be used for reading e-mail, composing documents, or surfing the Internet.” PAM solutions provide a dedicated machine, which can be isolated from other applications, to control and give a central view over all IT equipment.
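To make the alerting requirements of 5.4, 5.5 and the password rule of 5.7 concrete, here is an added Python example (not part of the original post and not WALLIX code) that runs simple detection logic over a handful of constructed log records. The event IDs are borrowed from the Windows Security log (4728/4732 for a member added to a group, 4720 for an account created, 4625 for a failed logon); the record fields, host names, account names and the admin inventory are a simplified, constructed schema chosen for this example.

```python
"""Detection logic for CIS CSC 5.4 / 5.5 / 5.7 over constructed log records.

Added, stand-alone example (not WALLIX code). Event IDs follow the Windows
Security log (4728/4732 member added to group, 4720 account created, 4625
failed logon); the field names are a constructed, simplified schema.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Groups whose membership changes must raise an alert (CSC 5.4).
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Administrative accounts as known from the inventory CSC 5.2 requires
# (constructed), plus a naming-convention fallback for accounts the
# inventory has not yet caught up with.
ADMIN_INVENTORY = {"adm-pharmacy", "svc_backup"}
ADMIN_NAME_PATTERN = re.compile(r"^(adm[-_]|admin)", re.IGNORECASE)

MIN_PASSWORD_LENGTH = 15  # CSC 5.7: "longer than 14 characters" without MFA


@dataclass(frozen=True)
class Alert:
    control: str  # sub-control that fired, e.g. "5.4"
    host: str
    account: str
    reason: str


def is_admin_account(name: str) -> bool:
    """An account is privileged if inventoried or if it follows the admin naming convention."""
    return name in ADMIN_INVENTORY or bool(ADMIN_NAME_PATTERN.match(name))


def check_admin_group_change(event: dict) -> Optional[Alert]:
    """CSC 5.4: member added to an admin group, or a new local admin account created."""
    eid = event.get("event_id")
    if eid in (4728, 4732) and event.get("group") in ADMIN_GROUPS:
        return Alert("5.4", event["host"], event["member"],
                     f"{event['subject']} added {event['member']} to {event['group']}")
    if eid == 4720 and ADMIN_GROUPS & set(event.get("initial_groups", [])):
        return Alert("5.4", event["host"], event["target"],
                     f"{event['subject']} created local admin account {event['target']}")
    return None


def check_failed_admin_login(event: dict) -> Optional[Alert]:
    """CSC 5.5: any unsuccessful logon to an administrative account."""
    if event.get("event_id") == 4625 and is_admin_account(event.get("target", "")):
        return Alert("5.5", event["host"], event["target"],
                     f"failed logon to admin account from {event.get('source_ip', '?')}")
    return None


def evaluate_events(events: Iterable[dict]) -> List[Alert]:
    """Run every check over every record and collect the alerts in log order."""
    alerts: List[Alert] = []
    for ev in events:
        for check in (check_admin_group_change, check_failed_admin_login):
            alert = check(ev)
            if alert:
                alerts.append(alert)
    return alerts


def password_meets_policy(password: str, mfa_enforced: bool) -> bool:
    """CSC 5.7: where MFA is not enforced, the password must exceed 14 characters."""
    if mfa_enforced:
        return True
    return len(password) >= MIN_PASSWORD_LENGTH


# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {"event_id": 4728, "host": "dc01", "subject": "jsmith", "member": "svc_backup", "group": "Domain Admins"},
    {"event_id": 4732, "host": "ws042", "subject": "mjones", "member": "helpdesk7", "group": "Remote Desktop Users"},
    {"event_id": 4720, "host": "ws042", "subject": "mjones", "target": "localadmin2", "initial_groups": ["Administrators"]},
    {"event_id": 4625, "host": "pharm-srv", "target": "adm-pharmacy", "source_ip": "10.20.30.40"},
    {"event_id": 4625, "host": "pharm-srv", "target": "nurse.k", "source_ip": "10.20.30.41"},
    {"event_id": 4624, "host": "pharm-srv", "target": "adm-pharmacy", "source_ip": "10.20.30.40"},
]

if __name__ == "__main__":
    for a in evaluate_events(SAMPLE_EVENTS):
        print(f"[CSC {a.control}] {a.host}: {a.account} - {a.reason}")
```

Run as a script, the sample produces three alerts: two for 5.4 (the addition to Domain Admins and the new local administrator) and one for 5.5 (the failed logon to the pharmacy admin account); the failed logon by a non-privileged nurse account and the successful admin logon are correctly ignored. In a real deployment the inventory set would be fed from the PAM discovery feature and the alerts forwarded to the SIEM mentioned under 5.5.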

The WALLIX PAM Solution

WALLIX offers a comprehensive PAM solution that can facilitate the implementation of CIS security controls in healthcare and other sectors. WALLIX has the features to enable a security team to define and enforce CSC #5 controls. It can also govern privileged aspects of other controls covering system inventory, configuration, monitoring, incident response, su/sudo injection, and so forth.

Once WALLIX Bastion is set up with access policies in accordance with the CIS controls, it knows the administrative privileges of every user seeking access. Privileged users must clear the Bastion before gaining access to any system that WALLIX covers.

The WALLIX vault centrally stores privileged user passwords. The privileged user only gets a single password – to WALLIX Bastion – which then determines which systems he or she is allowed to access. The user does not need to know (and therefore does not know) any actual system passwords. As a result, he or she cannot circumvent WALLIX Bastion to access prohibited systems or avoid monitoring by the session manager. In addition, WALLIX Password Manager provides advanced password capabilities such as target password rotation and application-to-application password management (AAPM) to enhance the security of your critical systems.

The WALLIX Session Manager tracks and records privileged user sessions, creating the kind of audit log needed for CSC #6 or CSC #19. Privileged users are tracked in real-time.

Installation, use, and control of WALLIX are simple, so the solution simplifies rather than hinders CIS control implementation in a complex, heterogeneous environment.

To learn more about WALLIX Bastion and how it can help with CIS security controls in healthcare or other sensitive environments, contact us.