ISO 27001:2022 A 8.2 Privileged access rights

Uncategorized 10 Minutes

Privileged access allows organizations to secure their infrastructure and applications, run business efficiently and maintain the confidentiality of sensitive data and critical infrastructure.Privilege can be defined as the authority a given account or process has within a computing system or network. Privilege provides the authorization to override, or bypass, certain security restraints, and may include permissions to perform such actions as shutting down systems, loading device drivers, configuring networks or systems, provisioning and configuring accounts and cloud instances, etc.Privileges serve an important operational purpose by enabling users, applications, and other system processes elevated rights to access certain resources and complete work-related tasks. Privileged access can be associated with human users as well as non-human users such as applications and machine identities. Privileges for various user accounts and processes are built into operating systems, file systems, applications, databases, hypervisors, cloud management platforms, etc. Privileges can be also assigned by certain types of privileged users, such as by a system or network administrator.Depending on the system, some privilege assignment, or delegation, to people may be based on attributes that are role-based, such as business unit, (e.g., marketing, HR, or IT) as well as a variety of other parameters (e.g., seniority, time of day, special circumstance, etc.).Malicious or incorrect use of elevated system administrator privileges is one of the major causes of ICT disruption across commercial networks all over the world. Privileged access rights allows organisations to control access to their infrastructure, applications, assets and maintain the integrity of all stored data and systems. Special access to data and systems requires strict controls on who gets it and how it’s used because of the additional power it gives the person who has it. System by system clarity on privileged access permissions (which can be modified within the program) could fall under this category, as well as allocation based on actual usage rather than a blanket policy. All privileges issued to users should be documented, and the competency of those users granted the permissions must be constantly evaluated to ensure that they are able to perform their assigned responsibilities. It’s also a good idea to keep separate identities for system administrators and regular users, especially if they’re doing various jobs on the same platform.

Control

The allocation and use of privileged access rights should be restricted and managed.

Purpose

To ensure only authorized users, software components and services are provided with privileged access rights.

ISO 27002 Implementation Guidance

The allocation of privileged access rights should be controlled through an authorization process in accordance with the relevant topic-specific policy on access control. The following should be considered:

  • identifying users who need privileged access rights for each system or process (e.g. operating systems, database management systems and applications);
  • allocating privileged access rights to users as needed and on an event-by-event basis in line with the topic-specific policy on access control (i.e. only to individuals with the necessary competence to carry out activities that require privileged access and based on the minimum requirement for their functional roles);
  • maintaining an authorization process (i.e. determining who can approve privileged access rights, or not granting privileged access rights until the authorization process is complete) and a record of all privileges allocated;
  • defining and implementing requirements for expiry of privileged access rights;
  • taking measures to ensure that users are aware of their privileged access rights and when they are in privileged access mode. Possible measures include using specific user identities, user interface settings or even specific equipment;
  • authentication requirements for privileged access rights can be higher than the requirements for normal access rights. Re-authentication or authentication step-up can be necessary before doing work with privileged access rights;
  • regularly, and after any organizational change, reviewing users working with privileged access rights in order to verify if their duties, roles, responsibilities and competence still qualify them for working with privileged access rights;
  • establishing specific rules in order to avoid the use of generic administration user IDs (such as “root”), depending on systems’ configuration capabilities. Managing and protecting authentication information of such identities ;
  • granting temporary privileged access just for the time window necessary to implement approved changes or activities (e.g. for maintenance activities or some critical changes), rather than permanently granting privileged access rights. This is often referred as break glass procedure, and often automated by privilege access management technologies;
  • logging all privileged access to systems for audit purposes;
  • not sharing or linking identities with privileged access rights to multiple persons, assigning each person a separate identity which allows assigning specific privileged access rights. Identities can be grouped (e.g. by defining an administrator group) in order to simplify the management of privileged access rights;
  • only using identities with privileged access rights for undertaking administrative tasks and not for day-to-day general tasks [i.e. checking email, accessing the web (users should have a separate normal network identity for these activities)].

Other information

Privileged access rights are access rights provided to an identity, a role or a process that allows the performance of activities that typical users or processes cannot perform. System administrator roles typically require privileged access rights. Inappropriate use of system administrator privileges (any feature or facility of an information system that enables the user to override system or application controls) is a major contributory factor to failures or breaches of systems. More information related to access management and the secure management of access to information and information and communications technologies resources can be found in ISO 29146.

The allocation and use of privileged access rights has to be tightly controlled given the extra rights usually conveyed over information assets and the systems controlling them. For example the ability to delete work or fundamentally affect the integrity of the information. It should align with the formal authorization processes alongside the access control policy. That could include; system by system clarity on privileged access rights (which can be managed inside the application); allocation on a need-to-use basis not a blanket approach; A process and record of all privileges allocated should be maintained (alongside the information asset inventory or as part of the evidence and the competence of users granted the rights must be reviewed regularly to align with their duties. This is another good area to include in the internal audit to demonstrate control. One of the biggest contributory factors to failures or breaches of systems is inappropriate and blanket use of system administration privileges with human error leading to more damage or loss than if a ‘least access’ approach were taken. Other good practice relating to this area includes the separation of the systems administrator role from the day to day user role and having a user with two accounts if they perform different jobs on the same platform. Organisations should:

  • Identify a list of users who require any degree of privileged access – either for an individual system – such as a database – application, or underlying OS.
  • Maintain a policy that allocates privileged access rights to users on what is known as an “event by event basis” – users should be granted levels of access based on the bare minimum that is required for them to carry out their role.
  • Outlining a clear authorization process that deals with all requests for privileged access, including keeping a record of all access rights that have been implemented.
  • Ensure that access rights are subject to relevant expiry dates.
  • Take steps to ensure that users are explicitly aware of any period of time where they are operating with privileged access to a system.
  • Where relevant, users are asked to re-authenticate prior to using privileged access rights, in order to affect greater information/data security.
  • Carry out periodic audits of privileged access rights, especially following a period of organisational change. Users’ access rights should be reviewed based upon their “duties, roles, responsibilities and competence” (see Control 5.18).
  • Consider operating with what’s known as a “break glass” procedure – i.e. ensuring that privileged access rights are granted within tightly-controlled time windows that meet the minimum requirements for an operation to be carried out (critical changes, system administration etc).
  • Ensure that all privileged access activities are logged accordingly.
  • Prevent the use of generic system login information (especially standardized usernames and passwords)
  • Keep to a policy of assigning users with a separate identity, that allows for tighter control of privileged access rights. Such identities can then be grouped together, with the associated group being provided differing levels of access rights.
  • Ensure that privileged access rights are reserved for critical tasks only, that relate to the continued operation of a functioning ICT network – such as system administration and network maintenance.

Management of Privileged access right involves a combination of tools and technology used to secure, control and monitor access to an organization’s critical information and resources.It is one of the best ways for an organization to protect against external threats by preventing malicious parties from accessing sensitive corporate data through internal accounts. It helps organizations effectively monitor the entire network and provides insight into which users have access to what data. is critical because privileged accounts can pose major security risks to businesses. For example, a cyber criminal who compromises a standard user account will only have access to that specific user’s information. But a hacker who compromises a privileged user account will have far greater access and possibly the power to destroy systems. In addition to combating external attacks, It can help companies combat threats — either malicious or inadvertent — originating from employees and other internal people with access to corporate data. It is also key to achieve compliance with industry and government regulations. As a part of a complete security program, enterprises can record and log every activity related to their critical information technology (IT) infrastructures and sensitive corporate data, helping to simplify audit and compliance requirements.

Some of the top privilege-related risks and challenges include:

  1. Lack of visibility and awareness of of privileged users, accounts, assets, and credentials. Long-forgotten privileged accounts are commonly sprawled across organizations. These may number in the millions, and provide dangerous backdoors for attackers, including, former employees who have left the company but retain access.
  2. Over-provisioning of privileges. If privileged access controls are overly restrictive, they can disrupt user workflows, causing frustration and hindering productivity. Since end users rarely complain about possessing too many privileges, IT admins traditionally provision end users with broad sets of privileges. Additionally, an employee’s role is often fluid and can evolve such that they accumulate new responsibilities and corresponding privileges—while still retaining privileges that they no longer use or require. All this privilege excess adds up to a bloated attack surface. Routine computing for employees on personal PC users might entail internet browsing, watching streaming video, use of MS Office and other basic applications, including SaaS (e.g., Salesforce.com, GoogleDocs, Slack, etc.). In the case of Windows PCs, users often log in with administrative account privileges—far broader than what is needed. These excessive privileges massively increase the risk that malware or hackers may steal passwords or install malicious code that could be delivered via web surfing or email attachments. The malware or hacker could then leverage the entire set of privileges of the account, accessing data of the infected computer, and even launching an attack against other networked computers or servers.
  3. Shared accounts and passwords. IT teams commonly share root, Windows Administrator, and many other privileged credentials for convenience so workloads and duties can be seamlessly shared as needed. However, with multiple people sharing an account password, it may be impossible to tie actions performed with an account to a single individual. This creates security, audit, and compliance issues.
  4. Hard-coded / embedded credentials. Privileged credentials are needed to needed facilitate authentication for app-to-app (A2A) and application-to-database (A2D) communications and access. Applications, systems, network devices, and IoT devices may be shipped and o deployed with embedded, default credentials that are easily guessable and pose substantial risk. Additionally, employees will often hardcode secrets in plain text—such as within a script, code, or a file, so it is easily accessible when they need it.
  5. Manual and/or decentralized credential management. Privilege security controls are often immature. Privileged accounts and credentials may be managed differently across various organizational silos, leading to inconsistent enforcement of best practices. Human privilege management processes cannot possibly scale in most IT environments where thousands—or even millions—of privileged accounts, credentials, and assets can exist. With so many systems and accounts to manage, humans invariably take shortcuts, such as re-using credentials across multiple accounts and assets. One compromised account can therefore jeopardize the security of other accounts sharing the same credentials.
  6. Lack of visibility into application and service account privileges. Applications and service accounts often automatically execute privileged processes to perform actions, as well as to communicate with other applications, services, resources, etc. Applications and service accounts frequently possess excessive privileged access rights by default, and also suffer from other serious security deficiencies.
  7. Multiple identity management tools and processes. Modern IT environments typically run across multiple platforms (e.g., Windows, Mac, Unix, Linux) and environments (on-premises, Azure, AWS, Google Cloud)—each separately maintained and managed. This practice equates to inconsistent administration for IT, added complexity for end users, and increased cyber risk.

Privileged Access Right Best Practices

  1. Establish and enforce a comprehensive privilege management policy: The policy should govern how privileged access and accounts are provisioned/de-provisioned; address the inventory and classification of privileged identities and accounts; and enforce best practices for security and management.
  2. Identify and bring under management all privileged accounts and credentials: Privileged account discovery should include all user and local accounts; application and service accounts database accounts; cloud and social media accounts; SSH keys; default and hard-coded passwords; and other privileged credentials – including those used by third parties/vendors. Discovery should also include platforms (e.g., Windows, Unix, Linux, Cloud, on-prem, etc.), directories, hardware devices, applications, services / daemons, firewalls, routers, etc.The privilege discovery process should illuminate where and how privileged passwords are being used, and help reveal security blind spots and malpractice.
  3. Enforce least privilege over end users, endpoints, accounts, applications, services, systems, etc.: A key piece of a successful least privilege implementation involves wholesale elimination of privileges everywhere they exist across your environment. Then, apply rules-based technology to elevate privileges as needed to perform specific actions, revoking privileges upon completion of the privileged activity. Ensuring true least privilege is not just about enforcing constraints on the breadth of access, but also on the duration of access. In IT security terms, this means implementing controls that provide just enough access (JEA) and just-in-time (JIT) access.

Published by Pretesh Biswas

Pretesh Biswas has wealth of qualifications and experience in providing results-oriented solutions for your system development, training or auditing needs. He has helped dozens of organizations in implementing effective management systems to a number of standards. He provide a unique blend of specialized knowledge, experience, tools and interactive skills to help you develop systems that not only get certified, but also contribute to the bottom line. He has taught literally hundreds of students over the past 5 years. He has experience in training at hundreds of organizations in several industry sectors. His training is unique in that which can be customized as to your management system and activities and deliver them at your facility. This greatly accelerates the learning curve and application of the knowledge acquired. He is now ex-Certification body lead auditor now working as consultancy auditor. He has performed hundreds of audits in several industry sectors. As consultancy auditor, he not just report findings, but provide value-added service in recommending appropriate solutions. Experience Consultancy: He has helped over 100 clients in a wide variety of industries achieve ISO 9001,14001,27001,20000, OHSAS 18001 and TS 16949 certification. Industries include automotive, metal stamping and screw machine, fabrication, machining, assembly, Forging electrostatic and chrome plating, heat-treating, coatings, glass, plastic and rubber products, electrical and electronic equipment, assemblies & components, batteries, computer hardware and software, printing, placement and Security help, warehousing and distribution, repair facilities, consumer credit counseling agencies, banks, call centers, etc. Training: He has delivered public and on-site quality management training to over 1000 students. Courses include ISO/TS -RAB approved Lead Auditor, Internal Auditing, Implementation, Documentation, as well as customized ISO/TS courses, PPAP, FMEA, APQP and Control Plans. Auditing: He has conducted over 100 third party registration and surveillance audits and dozens of gap, internal and pre-assessment audits to ISO/QS/TS Standards, in the manufacturing and service sectors. Other services: He has provided business planning, restructuring, asset management, systems and process streamlining services to a variety of manufacturing and service clients such as printing, plastics, automotive, transportation and custom brokerage, warehousing and distribution, electrical and electronics, trading, equipment leasing, etc. Education & professional certification: Pretesh Biswas has held IRCA certified Lead Auditor for ISO 9001,14001 and 27001. He holds a Bachelor of Engineering degree in Mechanical Engineering and is a MBA in Systems and Marketing. Prior to becoming a business consultant 6 years ago, he has worked in several portfolios such as Marketing, operations, production, Quality and customer care. He is also certified in Six Sigma Black belt .

Published

Leave a Reply