Safeguarding the sensitive data of your digital society is one of the prime requirements for any nation. Online services are becoming strategically important for both public and private sector organizations, helping them grow a digital economy. And Kingdom of Saudi Arabia is not immune to this growing change. They proactively explore and implement a strong, immune, system which can safeguard sensitive data, transactions and most importantly confidence in the entire Saudi Finance Sector. The financial sector in Saudi recognized the rate at which technology is changing, and the cyber threats always loom large in any given situation along with evolving risks. Saudi Arabia Monetary Authority (SAMA) came up with cyber security framework in May 2017 to enable financial institutions to effectively identify and mitigate the cyber risks. The main objective of this framework is to: To create a common approach for addressing cyber security within member organizations
To achieve appropriate maturity level of cyber security controls within member organizations
To ensure cyber security risk are properly managed throughout member organizations The requirements of this framework does not just encompass best practices suggested across various industry cyber security standards like PCI DSS , NIST, ISF, ISO, BASEL but also mandates adherence to some. The framework mandates and defines principles, and objectives for initiating, implementing, maintaining, monitoring and improving cyber security controls in member organizations. The SAMA Guidelines are very crisp and clear regarding cyber security principles and objectives. Those are broken down into four domains of cyber security: Leadership and Governance, Risk Management and Compliance, Operations and Technology and lastly Third-Party Security. [caption id="attachment_23026" align="aligncenter" width="503"] Figure 1: SAMA Cyber Security Framework Structure Source: Cyber Security Framework, Saudi Arabia Monetary Authority, Ver 1.0, May 2017[/caption] It is well known that regardless of the source of a cyber-attack, compromised credentials eventually lead to cathartic damages in any cyber-attack. Identifying the root cause for this spot on, SAMA suggests stringent measures around User Privileges, Identities & Access Management. They have laid down a comprehensive list of control consideration policies for member organizations around providing need-based and controlled access to critical IT systems, discovering & vaulting critical IT systems and privileged accounts, comprehensive monitoring and logging and multi-factor authentication enablement for all privileged users including internal staff and third-party vendors. Sectona PAM is Aligned with SAMA Best Practices
Sectona, with its modern and next generation Privileged and Remote Access Management (PAM) Suite helps organizations achieve compliance with confidence. Business Requirements for Access Control
The guidelines state that all the users’ access must be on need-to-have and need-to-know basis to avoid unauthorized access and (un)intended data leakage.
With Sectona’s Spectra Privileged Access Management, access can be controlled, defined and managed on a need-to-know and need-to-have basis. Depending on the users’ roles, responsibilities and need to access critical IT systems, access policies on a granular scale can be defined and password-less transparent access to IT systems such as RDP, SSH and others can be enabled. This ensures that only designated users access with their authorized named user IDs and passwords of these privileged accounts are not shared among multiple users.
Spectra PAM also empowers you to automate discovery across accounts & assets for easy on-boarding of accounts reducing significant manual efforts for IT operations team. Furthermore, provisioning of privileged accounts adds another security layer for on-boarding additional users who need privileged access. Spectra PAM Account and Asset discovery provides an automated way of discovering IT assets across your IT infrastructure. With schedulers and automated on-boarding rules, obtain relevant asset information and reduce time for securing privileged accounts. Start on-boarding VMware ESX/ESXi managed guest OS
Automatically retrieve and list OS linked to Active Directory
Run network-based discovery for assets across on-premise locations
Gain complete visibility into the privilege accounts & IT assets whether on-premises or in the public or private cloud User Access Management With Automation
The guidelines states managing users with changing role or job positions, any change in external staff or third parties should be approved by accountable party.Spectra Privileged Access Management Solution is tightly integrated with Active Directory and it can allow access to users present on AD. Various roles and user access policy creation is possible for the users. Spectra has maker-checker facility wherein any changes or modifications to user roles can be validated and approved by authorized personnel.
With Spectra’s Attribute based grouping policies, access provisioning to users can be automated while following attributes such as role, IT asset group, user band etc. This reduces manual dependence to map one-on-one access for each user to each IT asset and account. Centralization of Identity and Access Functions
The guidelines state that all the functions of identity and access management should be centralized.
Spectra PAM has a centralized web console that can be accessed from any platform & any HTML5 supported browser. Since Spectra works on micro-services architecture, all components are embedded into one web console which can be configured & controlled via central management console. This also helps at the time of upgrade of Spectra to control centrally with a single installer. Privileged and Remote Access Management with MFA
The guideline states that all the users taking privileged access should have restricted use, MFA should be used for all remote users, MFA should be used for all privileged users taking access on critical systems with risk assessment, all the accounts must go through a periodic review, there should be individual accountability.
Spectra Privilege and Remote Access Management Solution allows creating separate policies for remote users wherein, they have MFA enabled access. While defining user access policies, MFA can be enabled for all privileged users taking access. With Spectra’s cross-platform and browser-based access capabilities, all users especially remote user and third-party users can be enabled access to IT systems without VPN over browser ensuring restricted use over data movement and copy of data. Learn more about securing remote privileged access without VPN here.
Spectra PAM allows creation of user policies where multi-factor authentication-based access can be enabled for user profiles handling critical and sensitive data. Spectra PAM suite is built with robust MFA authentication capabilities with easy to implement MFA for multiple sets of users. Solution provides a range of authentication methods covering: Adaptive authentication for enforcing MFA based on risk scoring for user access that relies on parameters such as time-based access, device fingerprinting and access criteria based on Geographic location
Integration with leading Cloud Based MFA authentication providers such as Okta, One Login and Duo helping reduce time to implement and integrate Sectona Mobile which provides MFA based on Mobile based Soft Tokens (without internet connectivity), SMS Tokens, and Email Tokens. Out-of-the-box integration with hardware token providers such as RSA SecureID and Vasco Monitoring, review & accountability
The guideline states that monitoring and review of privileged and remote accounts must be done while ensuring accountability.Spectra PAM has a robust session recording and session logging module that captures comprehensive details around which user accessed what system at what time from where among other details. This helps associate individual accountability of privileged and remote user access.Furthermore, Spectra has an in-built Threat Analytics and Risk Assessment Engine, which calculates a risk score for each and every session based on user profiling and the activities carried out in each session. The use of non-personal privileged accounts
For this requirement, guidelines state that there should be limitations and complete monitoring of the privileged sessions, all the passwords must be confidential and all the passwords must be changed periodically and also at the end of each session.Spectra PAM enables administrators for live monitoring of the sessions and termination as well with complete audit. All the passwords are stored in robust Spectra Password Vault which does the complete management of passwords i.e. rotation, verification and reconciliation. Users can define the frequency for password change along with the desired complexities. Conclusion It would be safe to say that SAMA has laid down an extensive list for Identity and Access Management requirements taking into consideration complete security of the nation. The detailed framework document is available.Going one step further, we have also published a list of high priority use-cases that companies must take note of and protect when it comes to securing privileged accounts. Refer to this document here. Also, for those starting out with their privileged access security programs, start by targeting and identifying all privileged accounts. Leverage this list here to start your privileged access security program.