BSI Grundschutz (IT-Baseline Protection) and PAM

BSI Grundschutz (IT-Baseline Protection) and PAM

Jun 01, 2021 / Bihter Sarman

If you are an IT-Security Expert or perhaps even just working in any sort of international business in the EU, you have possibly heard of BSI Grundschutz or BSI standards in Germany. You may have wondered what it is, does your organization comply with it or does it affect your business? Let’s get a closer look at the relation between BSI Grundschutz and Privileged Access Management (PAM).

Bundesamt für Sicherheit in der Informationtechnik’s (The German Federal Office for Information Security) IT-Grundschutz Kompendium (IT- Baseline Protection) contains recommendations on methods, processes, procedures, approaches, and measures related to information security. It is a collection of standards for IT Security Management in companies as well as public institutions. The catalog extensively includes technical, infrastructural, organizational, and personnel recommendations.

The main object of these standards is “To achieve adequate protection for all information in an organization. The IT-Grundschutz methodology is characterized by a holistic approach. By the appropriate combination of organizational, personnel, infrastructural and technical security requirements a level of security is achieved that is appropriate and sufficient for the respective protection needs to protect information relevant to the institution” (IT- Grundschutz Kompendium Edition 2021).

From the Privileged Access Management perspective, there are several significant measurements under the second subject area (Organization and Personnel) of the IT-Baseline Protection we would like to address in today’s blog.

The regulation for the creation and deletion of users and user groups:

"ORP. 4. A1 Regulation for the creation and deletion of users and user groups [IT operations]

  • It MUST be regulated how user IDs and user groups are to be set up and deleted. Each
  • User ID MUST be clearly assigned to a user. User IDs that are longer
  • Time are inactive SHOULD be deactivated. All users and user groups MAY ONLY be set up and deleted using separate administrative roles. User IDs that are not required, such as standard
  • any guest accounts that have been set up, or standard administrator IDs, MUST be appropriately disabled or deleted." (IT-Grundschutz-Kompendium 2021 Edition)

The regulation signifies the procedure should be followed for user creation and deletion. The procedure is necessary to detect the inactive user accounts that can be a threat in terms of data protection, to disable and delete them as soon as possible.

"ORP. 4. A16 Guidelines for access and access control [IT operations]

  • A guideline SHOULD be drawn up for access and access control of IT systems, IT components and data networks. Standard rights profiles that correspond to the functions and tasks of the employees SHOULD be used. A written access regulation SHOULD exist for every IT system and every IT application." (IT-Grundschutz-Kompendium 2021 Edition)

This means all the accesses and access controls of IT Systems, Components, and Data Network in public and private institutions are subjected to be used, and also there should be a written access document.

BSI also advises adopting the Principle of Least Privilege (PoLP), giving a user the minimum levels of access/permissions needed to perform her functions in the organization.

It aims to accurately limit data access to provide a more efficient user experience and create a flawless security process. The main purpose of the principle is to protect the data it is important to determine who to access the data in accordance with its privilege.

The role-based access control is the appliance of PoLP. Various profiles e.g. standard user, shared account, privileged user can be created and can be given different levels of authorization, so any internal and/or external attempt of access would require an special permission.

The measure ORP. 4. A7 as the part of the second subject area of the Grundschutz (Organization and Personnel) deals with the access rights to regulate them again on the base of PoLP. The allocation of access rights measurement says:

"It MUST be determined which access rights are granted to which persons in the context of their function or are withdrawn from them. If chip cards or tokens are used as part of the access control, the issue or withdrawal MUST be documented. Users SHOULD be trained in the correct handling of chip cards or tokens. For longer absences, authorized persons SHOULD be temporarily blocked."

That is to say employee access authorizations to IT systems, records, and applications must be as limited as possible. In the event of longer absences, such as holidays or sickness, privileged user accounts, such as IT managers, should be blocked. Measure ORP. 4. A7 affects three levels of authorizations:

  1. Physical access authorizations to the corresponding rooms
  2. Possibility to use an IT system or an application
  3. The respective authorization level for a specific function within the application

Last but not least ORP. 4. A2 of the BSI-Grundschutz-Kompendium states that:

"User IDs and authorizations MAY ONLY be assigned on the basis of the actual need and the necessity to fulfill the task. In the event of personnel changes, the user IDs and authorizations that are no longer required MUST be removed"

It is the most comprehensive recommendation of the BSI for the operational implementation of user management in companies and authorities. The aim is to improve the protection of your internal company data and to create regulated processes that relieve your employees of administrative activities related to the assignment of authorizations.

If employees apply for authorizations that go beyond the standard, they MAY ONLY be granted after additional justification and examination. Access rights to system directories and files SHOULD be restricted restrictively. All permissions MUST be set up via separate administrative roles.

The generic roles required by Measure ORP. 4. A2:

  • User -> IT user -> He may submit requests for authorizations
  • Approver -> person or persons from the department who are allowed to approve requests for authorizations for data from the respective department -> Permits for oneself are explicitly excluded.
  • Technical managers -> owners of certain information, applications or specialist processes -> The IT operations has the responsibility to set the permissions approved technical.

It also explains how to set up an authorization according to the recommended procedure:

  • Application: The application should be designed as a form (e.g. as a web form) and all necessary contents as mandatory information
  • Approval procedure: Applications may only be approved if they are actually necessary (PoLP) and after a detailed review
  • Documentation: All assignments, changes and deletions of authorizations must be documented and stored securely.

Furthermore, the BSI authorization concept requires the removal of user IDs and authorizations that are no longer required (for example, when changing departments or when an employee leaves). After these procedures have been deleted, the documents related to them should be retained so that changes can be traced as cited in ORP. 4. A1.

The measurements ORP. 4. A10 and ORP. 4. A21 take care of the need of Multi-Factor Authentication (MFA) on IT-Systems of an organization.

"Protection of user IDs with extensive authorizations [IT operations] (S) User IDs with extensive authorizations SHOULD use multi-factor authentication, e. B. with cryptographic certificates, chip cards or tokens are protected." (IT-Grundschutz-Kompendium 2021 Edition)

"Multi-factor authentication [IT operations] It SHOULD be a secure multi-factor authentication, e.g. with cryptographic certificates, chip cards or tokens can be used for authentication." (IT-Grundschutz-Kompendium 2021 Edition)

Krontech’s PAM Suite Single Connect, the niche player in Gartner Magic Quadrant for Privileged Access Management designed and designated to consolidate for all these IT security needs and complies with the IT Security regulations’ one of the most important domains; privileged user and privileged access; group-based and PoLP -based mechanisms with its MFA, Privileged Session Management, Password Vault, Dynamic Data Masking modules.

Other Blogs