If you are an IT Security Expert or perhaps even just working at an international company in the EU, you have possibly heard of the BSI Grundschutz or the BSI standards in Germany. You may have wondered what it is, does your organization comply with it or does it affect your business? Let’s take a closer look at the relationship between the BSI Grundschutz and Privileged Access Management (PAM).
The Bundesamt für Sicherheit in der Informationtechnik’s (The German Federal Office for Information Security) IT-Grundschutz Kompendium (IT- Baseline Protection) contains recommendations on methods, processes, procedures, approaches, and measures related to information security. It is a collection of standards for IT Security Management for companies as well as public institutions. The catalog extensively includes technical, infrastructural, organizational, and personnel recommendations.
The main object of these standards is “To achieve adequate protection for all information in an organization. The IT-Grundschutz methodology is characterized by a holistic approach. By the appropriate combination of organizational, personnel, infrastructural, and technical security requirements a level of security is achieved that is appropriate and sufficient for the respective protection needs to protect information relevant to the institution” (IT- Grundschutz Kompendium Edition 2021).
From the Privileged Access Management perspective, there are several significant measurements under the second subject area (Organization and Personnel) of the IT-Baseline Protection we would like to address in today’s blog.
The regulation for the creation and deletion of users and user groups:
"ORP. 4. A1 Regulation for Creating and Deleting Users and User Groups [IT Operation Department]
The regulation defines the procedure to be followed for user creation and deletion. This process is necessary to detect inactive user accounts that can be a threat in terms of data protection, and to disable and delete them as soon as possible.
"ORP. 4. A16 Policies for Data and System Access Control [IT Operational Department]
This means all access and access controls of IT Systems, Components, and Data Network in public and private institutions should be planned, and a written document created.
The BSI also advises adopting the Principle of Least Privilege (PoLP), giving users the minimum levels of access/permissions needed to perform their functions in the organization.
The PoLP aims to accurately limit data access while providing a more efficient user experience and creating a flawless security process. The main purpose of the principle is to protect the data, so it is important to determine who can access it in accordance with the assigned privilege/permission level.
The role-based access control is the result of the application of the PoLP. Various profiles, e.g. standard user, shared account, privileged user, can be created and can be given different levels of authorization, so any internal and/or external access attempt would require special permission.
The ORP. 4. A7 regulation, as part of the second subject area of the Grundschutz (Organization and Personnel) deals with the access rights, regulating them once more on the base of the PoLP. This allocation of access rights measurement says:
"The data access rights that are to be granted to or withdrawn from certain people in certain roles MUST be defined. If data access resources like chip cards or tokens are used, their issue and withdrawal MUST be documented. Users SHOULD be trained in the proper use of chip cards or tokens. Authorized persons SHOULD be blocked temporarily if they are to be absent for a longer period of time."
That is to say employee access authorizations to IT systems, records, and applications must be as limited as possible. In the event of longer absences, such as holidays or sickness, privileged user accounts, such as IT managers, should be blocked. Measure ORP. 4. A7 affects three levels of authorizations:
Last but not least, the ORP. 4. A2 regulation of the BSI-Grundschutz-Kompendium states that:
"User IDs and authorizations MUST ONLY be granted on the basis of actual need in connection with specific tasks (in line with the least-privilege and need-to-know principles). If there are personnel changes, the user IDs and authorizations that are no longer required MUST be removed. […]"
This is the most comprehensive recommendation of the BSI for the operational implementation of user management in companies and institutions. The aim is to improve the protection of your internal data and to create regulated processes that relieve your employees of administrative activities related to the assignment of authorizations.
This regulation additionally states:
“[…] If employees apply for authorizations that go beyond the standard, they MUST ONLY be assigned after additional justification and verification are provided. Access permissions to system directories and files SHOULD be restricted. All authorizations MUST be established via separate administrative roles.”
The generic roles required by the ORP. 4. A2 regulation:
It also explains how to set up an authorization according to the recommended procedure:
Furthermore, the BSI authorization concept requires the removal of user IDs and authorizations that are no longer required (for example, when changing departments or when an employee leaves). After these accounts have been deleted, the documents related to them should be retained so that changes can be traced as cited in ORP. 4. A1.
The measures laid out in regulations ORP. 4. A10 and ORP. 4. A21 address the need for Multi-Factor Authentication (MFA) in the organization’s IT Systems.
ORP. 4. A10 Protection of user IDs with extensive authorizations [IT operations] (S):
“User IDs with broad privileges SHOULD be protected with multi-factor authentication ( e.g. cryptographic certificates, chip cards or tokens)." (IT-Grundschutz-Kompendium 2021 Edition)
ORP. 4. A21 Multi-Factor Authentication (IT Operation Department) (H):
"Secure multi-factor authentication (e.g. cryptographic certificates, chip cards, or tokens) SHOULD be used for authentication." (IT-Grundschutz-Kompendium 2021 Edition)
Krontech’s PAM solution, Single Connect, the niche player in the Gartner Magic Quadrant for Privileged Access Management, was designed and intended to consolidate all these IT security needs and complies with the IT Security regulations, in the most important domains - privileged user and privileged access, and group-based and PoLP -based mechanisms - with its MFA, Privileged Session Management, Password Vault, and Dynamic Data Masking modules.
Elevating Privileged Access Management with Kron PAM and Microsoft Entra ID Integration
May 23, 2024
Enhancing Security with Kron PAM's Multitenancy: A Game-Changer for Large Organizations
Jun 10, 2024