Kron Privileged Access Management (PAM) for Achieving TSA Compliance

Kron Privileged Access Management (PAM) for Achieving TSA Compliance

May 09, 2024 / Kron

In the ever-evolving landscape of cybersecurity, safeguarding accounts with elevated permissions is paramount. This is where Privileged Access Management (PAM) strategies come into play, offering a comprehensive approach to fortify network security and prevent breaches. While the importance of PAM is universal, its significance is particularly heightened in the telecom industry. With its intricate web of interconnected infrastructures and diverse business ecosystem, telecom companies face unique cybersecurity challenges.

Amidst these challenges, compliance with regulations such as the UK’s Telecommunications Security Act (TSA) is crucial. However, the realm of TSA compliance can be overwhelming, encompassing various domains and requirements. To navigate this complex landscape, solutions like Kron PAM offer invaluable assistance.

In this blog post, we'll delve into the critical role of PAM in telecom cybersecurity and explore how Kron PAM solutions can streamline the journey towards TSA compliance. Join us as we uncover the key areas where Kron solutions provide essential support in bolstering telecom security and ensuring regulatory adherence.

Let's embark on this insightful exploration together.

Completed by 31 March 2024 (Tier 1 providers)

Completed by 31 March 2025 (Tier 2 providers)

Management Plane 1

Kron PAM Capabilities

M2.01

Privileged user access rights shall be regularly reviewed and updated as part of business-as-usual management. This shall include updating privileged user rights in line with any relevant changes to roles and responsibilities within the organisation.

 

8(4)

8(5)(a),(b),(e)

11(a)

 

Kron PAM’s zero-trust policy engine is your best security tool to create and enforce fine-grained and tailored access controls - Ensuring the right people have the right access at the right time.

M2.02

All privileged access shall be logged.

4(4)(b)

6(2)(a),(b)

6(3)(a),(b)

8(5)(a)

8(5)(d)(i),(ii)

 

Kron PAM’s Session Manager keeps the indisputable track records of any privileged user activities.

M2.03

Privileged access shall be via secure, encrypted and authenticated protocols whenever technically viable.

 

4(4)

8(4)

8(5)(e)

 

Kron PAM embraces a secure proxy-based approach ensuring the use of encrypted and authenticated protocol.

M2.05

Default passwords shall be changed upon initialisation of the device or service and before its use for the provision of the relevant network of service.

7(4)(b) 8(2)(d) 8(4) 8(5)(b),(c)

 

Kron PAM’s manages
and keeps all passwords in
an encrypted secure vault.

 

M2.06

The infrastructure used to support a provider’s network shall be the responsibility of the provider, or another entity that adheres to the regulations, measures and oversight as they apply to the provider (such as a third party supplier with whom the provider has a contractual relationship). Where the provider or other entity adhering to the regulations has responsibility, this responsibility shall include retaining oversight of the management of that infrastructure (including sight of management activities, personnel granted management access, and management processes).

3(3)(d) 3(3)(f)(i),(ii),(iii) 3(5) 6(3)(d) 7(4)(a) 8(1) 8(6)

 

RBAC rules and policies can be created and controlled access can be granted to 3rd party suppliers.

Completed by 31 March 2025

 

Management Plane 2

 

M6.01

Non-persistent credentials (e.g. username and password authentication) shall be stored in a centralised service with appropriate role-based access control which shall be updated in line with any relevant changes to roles and responsibilities within the organisation.

3(3)(a),(b),(d) 3(5) 6(2) 6(3)(b),(d) 8(1) 8(2)(f) 8(5)(a)

Kron PAM Password Vault keeps all passwords in a secure, centralized vault, in fully encrypted form and ensures privileged passwords are used only for legitimate business purposes.

 

M6.02

Privileged access shall be via accounts with unique user ID and authentication credentials for each user and these shall not be shared.

8(2)(b) 8(4) 8(5)(a),(b),(c)

Kron PAM Password Vault assigns strong and unique passwords to your target hosts for each use with full accountability.

M6.03

For accounts capable of making changes to security critical functions, the following measures shall be adopted relating to multi-factor authentication: (a) the second factor shall be locally generated, and not be transmitted; and (b) the multi-factor authentication mechanism shall be independent of the provider’s network and PAW. Soft tokens (e.g. authenticator apps) may be used.

8(4) 8(2)(b) 8(5)(a),(b),(e)

Kron PAM’s built-in MFA combines multiple authentication factors to complete the login process and to achieve a greater level of security.

M6.04

All break-glass privileged user accounts must have unique, strong credentials per individual piece of network equipment.

3(1)(a),(b),(c) 8(2)(b) 8(5)(a),(b),(c) 9(2)(c)(vi)

Kron PAM's Password Vault supports parameterized password strategies that can be enforced for any target system in a vendor-agnostic fashion.

M6.05

Default and hardcoded accounts shall be disabled.

8(2)(d),(e) 8(4) 8(5)(b),(c)

Using Kron PAM’s Password Vault and Application to Application Password Management features you can eliminate any default or hardcoded accounts on the target systems.

Completed by 31 March 2025

 

Third-party supplier measures 2

 

M8.06

Providers shall remove or change default passwords and accounts for all devices in the network, and should disable unencrypted management protocols. Where unencrypted management protocols cannot be disabled, providers shall limit and mitigate the use of these protocols as far as possible.

3(3)(e) 4(5) 8(2)(d) 13(2)(d)

Kron PAM auto discovers and stores and rotates all privileged credentials used to access the IT and network infrastructure. It’s SSH to TELNET proxy can ensure the secure access for legacy network equipments.

Completed by 31 March 2024 (Tier 1 providers)

Completed by 31 March 2025 (Tier 2 providers)

Completed by 31 March 2027 (All provider Tiers)

 

Third party supplier measures 3

 

M10.29

Providers shall contractually require that third party administrators implement logically-independent privileged access workstations per provider.

4(4)(a) 7(1) 7(4)(a)(i),(ii) 7(4)(b)

 

Kron PAM’s multi-tenant MSP/MSSP features can provide isolated and secure access for 3rd parties accessing to the providers network.

M10.32

Providers shall both log and record all third party administrator access into its networks.

6(1), 6(2)(a),(b) 6(3)(a) 7(4)(a)(iii),(iv) 8(5)(d)(i),(ii) 9(1) 9(2)(c)(iv),(v)

 

Kron PAM’s Secure Remote Access module logs and records any privileged access and activity of the 3rd party administrators in the providers network.

M10.33

The provider shall contractually require the third party administrator to monitor and audit the activities of the third party administrator’s staff when accessing the provider’s network.

6(1) 6(2)(a),(b) 7(4)(a)(iii),(iv) 8(5)(d)(i),(ii) 9(1) 9(2)(c)(iv),(v)

 

Kron PAM’s multi-tenant MSP/MSSP features can provide isolated and secure access for 3rd parties accessing to the providers network and provide accountability of the 3rd party admintrators.

M10.34

The provider shall contractually require from the third party administrator all logs relating to the security of the third party administrator’s network to the extent that such logs relate to access into the provider’s network.

6(1) 6(2)(a),(b) 6(3)(a) 7(4)(a)(iii),(iv) 8(5)(d)(i),(ii) 9(1) 9(2)(c)(iv),(v)

 

Kron PAM provides all session log and privileged activites in video, text or syslog format.

Completed by 31 March 2027

 

Management plane 3

 

M11.02

Any persistent credentials and secrets (e.g., for break glass access) shall be protected and not available to anyone except for the responsible person(s) in an emergency.

3(3)(a),(b),(d) 3(5) 6(2) 6(3)(b),(d) 8(1) 8(2)(f) 8(5)(a)

Kron PAM Password Vault securely stores both static and dynamic accounts in an encrypted manner, accessible only to authorized users or user groups.

M11.03

Central storage for persistent credentials shall be protected by hardware means. For example, on a physical host the drive could be encrypted with the use of a TPM. Where a virtual machine (VM) is used to provide a central storage service, that VM and the data included in it shall also be encrypted, use secure boot and be configured to ensure that it can only be booted within an appropriate environment. This is to ensure that data cannot be removed from the operational environment and accessed.

3(3)(a),(b),(d) 3(5) 6(2) 6(3)(b),(d) 8(1) 8(2)(f) 8(5)(a)

Kron PAM is running on a hardened VM instance where all the vault and sensitive data are encrypted using a combination of a DEK Key, Encryption Key, and AES 256 Algorithms, including any system backups.

M11.04

Privileged users are only granted specific privileged accounts and associated permissions which are essential to their business role or function.

8(4) 8(5)(a),(e)

Utilizing Kron PAM zero trust policy engine, you can ensure the segregation of duties and least privilege for any users accessing any target system managed through the PAM platform.

M11.05

Privileged access shall be temporary, time-bounded and based on a ticket associated with a specific purpose. Administrators shall not be able to grant themselves privileged access to the network.

8(4) 8(5)(a),(b),(e)

 

Utilizing Kron PAM zero-trust policy engine, you can ensure the required level of trust, implement the four-eyes principle, and enable just-in-time access with ITSM integration.

M11.07

Privileged access shall be automatically revoked once the ticket is closed.

8(4) 8(5)(a),(b),(e)

ITSM integration verifies the status of the valid ticket and revokes access accordingly.

M11.08

Privileged user accounts are generated from a least privilege role template and modified as required. The permissions associated with this account shall not be copied from existing users.

8(4) 8(5)(a),(b),(e)

Utilizing Kron PAM zero-trust policy engine, you can ensure the principle of least privilege and implement just-in-time privileged access with managerial approval workflows.

M11.11

Break-glass privileged user accounts should be present for emergency access outside of change windows, but alerts shall be raised when these are used, the circumstances investigated, and all activity logs audited post emergency.

3(1)(a),(b),(c) 3(3)(a),(b),(c) 3(5) 8(4) 8(5)(b),(d) 9(2)(c)(v)

Kron PAM Password Vault enforces role-based access for managed accounts, including break-glass privileged user accounts. The account lifecycle is logged, and any anomalies or events related to these accounts are sent as notifications to the relevant supervisors.

M11.12

Break-glass privileged user account credentials should be single-use and changed after use.

3(1)(a),(b),(c) 8(5)(a),(b),(c) 9(2)(c)(v)

Kron PAM Password Vault rotates credentials according to the defined strategy. This strategy allows for password changes after each use, with options to adjust password complexity.

M11.13

All privileged access activity undertaken during a management session shall be fully recorded.

4(4)(b) 6(2)(a),(b) 6(3)(a),(b) 8(5)(a) 8(5)(d)(i),(ii)

 

Kron PAM Session Manager logs and keeps a record of any privileged user activity across the IT and ICT environments. The logs consist of tabular data and video recordings of the sessions, along with command and event indexes.

M11.15

Privileged access to network equipment shall be via a centralised element manager or equivalent configuration deployment system. For example, privileged users shall not be provided with direct access to any management terminal, except where network connectivity is not available (e.g. break-glass situations).

3(3)(d) 3(5) 6(3)(d) 8(2)(f) 8(4) 8(5)(a),(e)

Kron PAM provides proxy-based privileged access with built-in Tacacs+ and Radius AAA capabilities. It allows direct access to network device for legitimate business purposes only.

M11.35

Each network equipment shall have strong, unique credentials for every account.

8(2)(b),(d) 8(4) 8(5)(b),(c)

 

Kron PAM can eliminate outdated passwords on network devices, manage each account, or even better, enable single sign-on access using Active Directory (AD) credentials.

Completed by 31 March 2027

 

Virtualisation 1

 

M13.05

Modification of databases and systems that define the operation of the network shall require sign off by two authorised persons.

3(1)(a),(b),(c) 3(3)(d),(e) 3(5) 4(1)(a),(b) 4(2)(a),(b) 4(4)(b) 8(2)(b),(c) 12(a),(b),(c)

 

Kron PAM provides advanced database access management, monitoring and on-the-fly data masking capabilities through its agentless SQL proxy feature. This feature allows you to implement multi-factor authentication (MFA) or approval workflows for any modifications made to critical database systems.

M13.20

Privileged access to the virtualisation fabric shall only be available over authenticated and encrypted channels.

3(3)(a) 3(3)(d) 3(5) 4(1) 4(2) 8(5)(e)

 

Kron PAM offers SSH, RDP, and HTTPS proxy features, providing secure, single sign-on access to virtualization CLI, desktop, and web consoles.

M13.23

The number of privileged accounts for the virtualisation fabric shall be constrained to the minimum necessary to meet the provider’s needs.

3(3)(d) 4(1)(b) 4(2)(b) 7(1) 8(1) 8(2)(a) 8(4)

By utilizing Kron PAM's single sign-on capabilities, you can minimize the number of role-based accounts without compromising the accountability of the end users accessing the virtualization environment.

M13.24

Virtualisation fabric administrator accounts shall not have any privileged rights to other services within the provider, or vice-versa.

3(3)(d) 4(1)(b) 4(2)(b) 7(1) 8(1) 8(2)(a) 8(4)

Kron PAM provides controlled access to target systems without exposing credentials to end users. So you can tailor who gets access, to what, and when 

M13.25

Virtualisation fabric administrator accounts shall only be provided with the privileges and accesses required to carry out their role.

3(3)(d) 4(1)(b) 4(2)(b) 7(1) 8(1) 8(2)(a) 8(4)

 

Utilizing the Kron PAM zero-trust policy engine, you can ensure command and context-aware policies on the target systems. This enables the enforcement of additional security measures on the privileged accounts being used.

Completed by 31 March 2027

 

Network Oversight Functions

 

M15.06

Network oversight functions shall only be managed by a minimal set of trusted privileged users.

3(3)(a),(d),(e) 3(5) 4(1)(b) 4(2)(b) 4(4)(a) 8(2)(a),(f) 8(4) 8(5)(a),(b),(e) 8(6)

Kron PAM provides controlled access to target systems without exposing credentials to end users. So you can tailor who gets access, to what NOF tool, and when 

M15.07

The management functions (e.g. jump box) used to manage network oversight functions shall only be accessible from designated PAWs.

3(3)(a),(d),(e) 3(5) 4(1)(b) 4(2)(b) 4(4)(a) 8(2)(f) 8(3) 8(4) 8(5)(a),(e)

 

Kron PAM offers SSH, RDP, and HTTPS proxy features, providing secure single sign-on access to NOF with full accountability for activities.

M15.10

All management accesses to network oversight functions shall be pre-authorised by a limited set of people who have been assigned with an appropriate role.

3(3)(a),(d) 3(5) 4(1)(b) 4(2)(b) 6(2)(a),(b) 6(3)(a),(b) 8(2)(a),(c),(f) 8(4) 8(5)(b),(e) 8(6) 13(2)(a),(b)

 

By leveraging the Kron PAM zero-trust policy engine, you can ensure the required level of trust through MFA and managerial approval workflows to access any NOF.

Completed by 31 March 2027

 

Monitoring and Analysis 1

 

M16.14

Access events to network equipment shall be collected. Unauthorised access attempts shall be considered a security event.

4(4)(b),(c) 6(1) 6(2)(a),(b) 6(3)(a),(b),(d),(e) 7(4)(a)(iii) 8(5)(d) 9(2)(c)(i),(iv) 13(2)(a)

 

Kron PAM Session Manager keeps any access activity logs and forwards them to SIEM systems accordingly.

M16.17

Logs shall be linked back to specific network equipment or services.

6(1) 6(2)(a) 6(3)(a),(e) 6(4) 9(2)(c)(i),(iv)

 

Session logs comprise at least user information, account details, source device IP/port, and destination device IP/port, among other data points.

M16.21

Indications of potential anomalous activity, and potential malicious activity, shall be promptly assessed, investigated and addressed.

6(1) 6(2)(a),(b) 6(3)(d),(e) 9(2)(c)(i),(ii),(iv),(v)

 

Kron PAM's user behavior analytics engine assesses the user's session, tags, and alerts for any anomalies.

Completed by 31 March 2028

 

Management Plane 4

 

M17.01

Administrators should not need privileged access to network equipment to make administrative changes. Administrators should instead have privileged access to administrative systems (e.g. OSS) which make the necessary changes on the administrator’s behalf. Administrative systems should group administrative changes to automate administrative processes and minimise administrator input and risk. When an administrator uses a privileged access into a security critical function, which is not an administrative system, this shall create a security alert.

3(5) 6(2) 6(3)(c),(d) 8(1) 8(2)(g)

 

Kron has extensive expertise in Telecom Integration, having been established as a PAM vendor within the telecom environment. There are already integrations in place for NMS, EMS, and Asset Management for Telco deployments.

Ready to enhance your telecom cybersecurity posture and streamline TSA compliance? Don't navigate these challenges alone. Reach out to Kron's team of experts today for personalized guidance and solutions tailored to your organization's needs. Whether you're seeking to fortify your privileged access management strategies or ensure compliance with TSA regulations, our dedicated professionals are here to assist you every step of the way. Contact us now to start the conversation and embark on a journey towards strengthened security and regulatory adherence. Your telecom infrastructure deserves the best protection – let Kron be your trusted partner in achieving it.

Highlights

Other Blogs