CIS Critical Security Controls: The Role of PAM

The Center for Internet Security (CIS), the non-profit whose mission is to “enhance the cyber security readiness and response of public and private sector entities,” publishes “The CIS Critical Security Controls for Effective Cyber Defense.” This control framework is applicable to any enterprise, but it is particularly well-suited to data security challenges in the healthcare industry. Healthcare organizations like Butler Health, for example, use the CIS controls to defend against cybercrime.

Comprising 20 controls, the CIS Critical Security Controls touch on virtually every aspect of cybersecurity.

Although there are many aspects to CIS, many of them directly relate to or require Privileged Access Management (PAM). Of the 20, 1 control is specifically about PAM while the other 19 are influenced by or realistically require PAM.

Understanding PAM in the CIS Controls

PAM refers to a group of technologies and practices that monitor and manage privileged or administrative access to critical systems. A privileged user is a person who can modify system configurations, user accounts, access confidential data, and so forth. Privileged users in healthcare are the people who set up and delete user accounts on electronic medical records (EMR) systems and the like.

Given their level of access and control over systems that manage confidential patient information, a privileged account user in healthcare exposes the organization to potential risk. Either through attack, internal malfeasance or error, a privileged user can be a vector of a serious data breach.

CSC Control #5 deals directly with PAM issues, covering “Controlled Use of Administrative Privileges.” An effective PAM solution is essential for implementing CSC control #5 by enabling security managers to grant and withdraw administrative privileges to individuals for any system. PAM solutions also monitor back end access logins and alert administrators about privileged sessions that do not comply with access policies, e.g. why is a maintenance worker trying to log into the back end of the hospital pharmacy system?

Control sub-section 5.1, “Minimize administrative privileges and only use administrative accounts when they are required,” is a policy statement. The PAM solution will be able to define and enforce the policy rules following the principle of least privilege and providing an audit trail to demonstrate compliance. Sub-section 5.2, “Use automated tools to inventory all administrative accounts and validate that each person with administrative privileges on desktops, laptops, and servers is authorized by a senior executive,” effectively requires that an organization use a PAM solution to adopt the framework as it ensures complete visibility over all privileged users, accounts, and access rights in a centralized viewpoint. PAM solutions also offer Discovery apps to identify privileged accounts in a network.

The other sub-sections of the framework are realistically only possible with a PAM solution. One could manually handle controls like 5.3, “Change all default passwords for applications, operating systems, routers, firewalls, wireless access points, and other systems to have values consistent with administration-level accounts,” but it would be a very inefficient and error-prone process. Automatically rotating all passwords and further restricting access to critical resources through a workflow of approval is crucial to meet this control. Other sub-sections align with a PAM solution in the following ways:

5.4 “Configure systems to issue a log entry and alert when an account is added to or removed from a domain administrators’ group, or when a new local administrator account is added on a system.” PAM solutions secure, control, and record system access. They are built to ensure that only authorized accounts access a given system and enable PAM admins to control all access levels on the systems they manage.
5.5 “Configure systems to issue a log entry and alert on any unsuccessful login to an administrative account.” As with 5.4, a PAM solution can enforce this control’s requirements. Details and abnormal activities registered by session logs can also be enhanced by seamlessly integrating a SIEM into the PAM solution for greater control.
5.6 “Use multifactor authentication for all administrative access, including domain administrative access.” Some PAM solutions enforce MFA and/or integrate with MFA solutions completely to provide effective and holistic outsider-insider threat mitigations.
5.7 “Where multi-factor authentication is not supported, user accounts shall be required to use long passwords on the system (longer than 14 characters).” PAM solutions have the ability to manage passwords and enforce password policies, especially via the use of a password vault and password management features.
5.8 “Administrators should be required to access a system using a fully logged and non-administrative account. Then, once logged on to the machine without administrative privileges, the administrator should transition to administrative privileges using tools such as Sudo on Linux/UNIX, RunAs on Windows, and other similar facilities for other types of systems.” PAM solutions enforce least privilege connections policies, with the most advanced solutions offering su/sudo injections in SSH session.
5.9 “Administrators shall use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be isolated from the organization’s primary network and not be allowed Internet access. This machine shall not be used for reading e-mail, composing documents, or surfing the Internet.” PAM solutions offer a dedicated machine – which can be isolated from other applications, to control and provide a central view over all IT equipment.

The WALLIX PAM Solution

WALLIX offers a comprehensive PAM solution that can facilitate the implementation of CIS security controls in healthcare and other sectors. WALLIX has the features to enable a security team to define and enforce CSC #5 controls. It can also govern privileged aspects of other controls covering system inventory, configuration, monitoring, incident response, su/sudo injection, and so forth.

Once WALLIX Bastion is set up with access policies in accordance with the CIS controls, it knows the administrative privileges of every user seeking access. Privileged users must clear the Bastion before gaining access to any system that WALLIX covers.

The WALLIX vault centrally stores privileged user passwords. The privileged user only gets a single password – to WALLIX Bastion – which then determines which systems he or she is allowed to access. The user does not need (and therefore doesn’t) know any actual system passwords. As a result, he or she cannot circumvent WALLIX Bastion to access prohibited systems or avoid monitoring by the session manager. In addition, WALLIX Password Manager provides advanced password capabilities such as target password rotation or application-to-application password management (AAPM) to enhance the security of your critical systems.

The WALLIX Session Manager tracks and records privileged user sessions, creating the kind of audit log needed for CSC #6 or CSC #19. Privileged users are tracked in real-time.

Installation, use, and control of WALLIX is simple, simplifying rather than hindering CIS control implementation in a complex heterogeneous environment.

To learn more about WALLIX Bastion and how it can help with CIS security controls in healthcare or other sensitive environments, contact us or click below.

Related resources

December 15, 2023

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

Cookie	Duration	Description
__hstc	1 year 24 days	This cookie is set by Hubspot and is used for tracking visitors. It contains the domain, utk, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.
hubspotutk	1 year 24 days	This cookie is used by HubSpot to keep track of the visitors to the website. This cookie is passed to Hubspot on form submission and used when deduplicating contacts.
trackalyzer	1 year	This cookie is used by Leadlander. The cookie is used to analyse the website visitors and monitor traffic patterns.

Cookie	Duration	Description
__hssc	30 minutes	This cookie is set by HubSpot. The purpose of the cookie is to keep track of sessions. This is used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie. It contains the domain, viewCount (increments each pageView in a session), and session start timestamp.
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
messagesUtk	1 year 24 days	This cookie is set by hubspot. This cookie is used to recognize the user who have chatted using the messages tool. This cookies is stored if the user leaves before they are added as a contact. If the returning user visits again with this cookie on the browser, the chat history with the user will be loaded.

Cookie	Duration	Description
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.
__hssrc	session	This cookie is set by Hubspot. According to their documentation, whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser. If this cookie does not exist when HubSpot manages cookies, it is considered a new session.
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
JSESSIONID	session	Used by sites written in JSP. General purpose platform session cookies that are used to maintain users' state across page requests.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_gat_UA-12183334-1	1 minute	No description
AnalyticsSyncHistory	1 month	No description
CONSENT	16 years 9 months 23 days 12 hours 13 minutes	No description
UserMatchHistory	1 month	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.
wp-wpml_current_language	1 day	No description

CIS Critical Security Controls: The Role of PAM

Understanding PAM in the CIS Controls

The WALLIX PAM Solution

Related content

The railway sector and the cybersecurity challenges

Modernize Identity and Access Governance (IAG) for NIS2 Compliance: Time to go?

International tensions: manage the implementation of cybersecurity measures in emergency situations

Securing financial institutions with the help of PAM solutions

The five top tips to reassess your IT security risk

Related resources

Guide to Threat Vectors

Key Considerations for SaaS Adoption and Top 10 Reasons Why PAM as a Service is Good for Your Business

The Benefits of IAM and PAM

Zero Trust Cybersecurity

PRODUCTS

RESOURCES

SUPPORT

ABOUT

FOLLOW US

CIS Critical Security Controls: The Role of PAM

Understanding PAM in the CIS Controls

The WALLIX PAM Solution

Share this entry

Related content

Related resources

PRODUCTS

RESOURCES

SUPPORT

ABOUT

FOLLOW US