BSI Grundschutz (IT-Baseline Protection) and PAM

If you are an IT Security Expert or perhaps even just working at an international company in the EU, you have possibly heard of the BSI Grundschutz or the BSI standards in Germany. You may have wondered what it is, does your organization comply with it or does it affect your business? Let’s take a closer look at the relationship between the BSI Grundschutz and Privileged Access Management (PAM).

The Bundesamt für Sicherheit in der Informationtechnik’s (The German Federal Office for Information Security) IT-Grundschutz Kompendium (IT- Baseline Protection) contains recommendations on methods, processes, procedures, approaches, and measures related to information security. It is a collection of standards for IT Security Management for companies as well as public institutions. The catalog extensively includes technical, infrastructural, organizational, and personnel recommendations.

The main object of these standards is “To achieve adequate protection for all information in an organization. The IT-Grundschutz methodology is characterized by a holistic approach. By the appropriate combination of organizational, personnel, infrastructural, and technical security requirements a level of security is achieved that is appropriate and sufficient for the respective protection needs to protect information relevant to the institution” (IT- Grundschutz Kompendium Edition 2021).

From the Privileged Access Management perspective, there are several significant measurements under the second subject area (Organization and Personnel) of the IT-Baseline Protection we would like to address in today’s blog.

The regulation for the creation and deletion of users and user groups:

"ORP. 4. A1 Regulation for Creating and Deleting Users and User Groups [IT Operation Department]

• Rules MUST be created to define how user IDs and user groups are to be established and deleted.
• It MUST be possible to associate every user ID with a unique user.
• User IDs that are inactive for longer periods SHOULD be disabled.
• All users and user groups MUST ONLY be created and deleted via separate administrative roles.
• User IDs that are not required, such as guest accounts set up by default or default administrator IDs, MUST be appropriately disabled or deleted." (IT-Grundschutz-Kompendium 2021 Edition)

The regulation defines the procedure to be followed for user creation and deletion. This process is necessary to detect inactive user accounts that can be a threat in terms of data protection, and to disable and delete them as soon as possible.

"ORP. 4. A16 Policies for Data and System Access Control [IT Operational Department]

• A policy for data and system access control SHOULD be drawn up for IT systems, IT components, and data networks. Standard rights profiles that correspond to employees’ roles and tasks SHOULD be established in writing for every IT system and IT application." (IT-Grundschutz-Kompendium 2021 Edition)

This means all access and access controls of IT Systems, Components, and Data Network in public and private institutions should be planned, and a written document created.

The BSI also advises adopting the Principle of Least Privilege (PoLP), giving users the minimum levels of access/permissions needed to perform their functions in the organization.

The PoLP aims to accurately limit data access while providing a more efficient user experience and creating a flawless security process. The main purpose of the principle is to protect the data, so it is important to determine who can access it in accordance with the assigned privilege/permission level.

The role-based access control is the result of the application of the PoLP. Various profiles, e.g. standard user, shared account, privileged user, can be created and can be given different levels of authorization, so any internal and/or external access attempt would require special permission.

The ORP. 4. A7 regulation, as part of the second subject area of the Grundschutz (Organization and Personnel) deals with the access rights, regulating them once more on the base of the PoLP. This allocation of access rights measurement says:

"The data access rights that are to be granted to or withdrawn from certain people in certain roles MUST be defined. If data access resources like chip cards or tokens are used, their issue and withdrawal MUST be documented. Users SHOULD be trained in the proper use of chip cards or tokens. Authorized persons SHOULD be blocked temporarily if they are to be absent for a longer period of time."

That is to say employee access authorizations to IT systems, records, and applications must be as limited as possible. In the event of longer absences, such as holidays or sickness, privileged user accounts, such as IT managers, should be blocked. Measure ORP. 4. A7 affects three levels of authorizations:

1. Physical access authorizations to the corresponding offices
2. Ability to use an IT system or an application
3. The necessary authorization level for a specific function within the application

Last but not least, the ORP. 4. A2 regulation of the BSI-Grundschutz-Kompendium states that:

"User IDs and authorizations MUST ONLY be granted on the basis of actual need in connection with specific tasks (in line with the least-privilege and need-to-know principles). If there are personnel changes, the user IDs and authorizations that are no longer required MUST be removed. […]"

This is the most comprehensive recommendation of the BSI for the operational implementation of user management in companies and institutions. The aim is to improve the protection of your internal data and to create regulated processes that relieve your employees of administrative activities related to the assignment of authorizations.

This regulation additionally states:

“[…] If employees apply for authorizations that go beyond the standard, they MUST ONLY be assigned after additional justification and verification are provided. Access permissions to system directories and files SHOULD be restricted. All authorizations MUST be established via separate administrative roles.”

The generic roles required by the ORP. 4. A2 regulation:

• User -> IT user -> He may submit requests for authorizations
• Approver -> person or persons from the department who are allowed to approve requests for authorizations for data from the respective department -> Permits for oneself are explicitly excluded.
• Technical managers -> owners of certain information, applications, or specialist processes -> The IT operations personnel have the responsibility of setting the who permissions approval technical is.

It also explains how to set up an authorization according to the recommended procedure:

• Application: The application should be designed as a form (e.g. as a web form) and all necessary contents as mandatory information
• Approval procedure: Applications may only be approved if they are actually necessary (PoLP) and after a detailed review
• Documentation: All assignments, changes, and deletions of authorizations must be documented and stored securely.

Furthermore, the BSI authorization concept requires the removal of user IDs and authorizations that are no longer required (for example, when changing departments or when an employee leaves). After these accounts have been deleted, the documents related to them should be retained so that changes can be traced as cited in ORP. 4. A1.

The measures laid out in regulations ORP. 4. A10 and ORP. 4. A21 address the need for Multi-Factor Authentication (MFA) in the organization’s IT Systems.

ORP. 4. A10 Protection of user IDs with extensive authorizations [IT operations] (S):

“User IDs with broad privileges SHOULD be protected with multi-factor authentication ( e.g. cryptographic certificates, chip cards or tokens)." (IT-Grundschutz-Kompendium 2021 Edition)

ORP. 4. A21  Multi-Factor Authentication (IT Operation Department) (H):

"Secure multi-factor authentication (e.g. cryptographic certificates, chip cards, or tokens) SHOULD be used for authentication." (IT-Grundschutz-Kompendium 2021 Edition)

Krontech’s PAM solution, Single Connect, the niche player in the Gartner Magic Quadrant for Privileged Access Management, was designed and intended to consolidate all these IT security needs and complies with the IT Security regulations, in the most important domains - privileged user and privileged access, and group-based and PoLP -based mechanisms - with its MFA, Privileged Session Management, Password Vault, and Dynamic Data Masking modules.