If there’s one thing regulated entities don’t want to hear from their regulator, it’s that they’re “rapidly running out of patience” with the sector’s slow progress on a mandate or directive.
Yet that’s exactly where Australia’s financial sector finds itself with respect to its progress on information security.
A July “cyber stocktake” run by the Australian Prudential Regulation Authority (APRA) exposed six “concerning gaps” in the cyber posture of entities, including the way sensitive information assets are treated, incident response plans not being tested, and limited reviews of security controls.
The stocktake sought to check entities’ compliance with CPS 234 Information Security, a prudential standard that came into force in July 2019 and that was introduced to make Australian financial services organisations more resilient against cybersecurity attacks.
APRA limited its July commentary to “general observations” – but only a month later, the regulator is being much less guarded in its criticisms. As APRA Executive Board Member Therese McCarthy Hockey told an industry forum in late August, APRA is “rapidly running out of patience” with the slow pace of uplift.
CPS 234 is a direct response to the ever-evolving cyber security landscape that financial services organisations face.
As the Prudential Standard document points out, a “key objective is to minimise the likelihood and impact of information security incidents on the confidentiality, integrity or availability of information assets, including information assets managed by related parties or third parties.”
To assist organisations in meeting the standard, APRA has published an associated guide, Prudential Practice Guide CPG 234 Information Security.
Many aspects of the guidance align to information security best practices, referencing zero trust, least privilege and defence-in-depth. Specifically, the guide calls for the implementation of a wide range of controls, covering various aspects of information security, including risk mitigation, protection and vulnerability detection.
The Role of PAM In Meeting CPS 234
Many of these areas can be addressed, in whole or in part, by Privileged Access Management (PAM).
PAM consists of the cybersecurity strategies and technologies for exerting control over the elevated (“privileged”) access and permissions for users, accounts, processes, and systems across an IT environment.
Privileges serve an important operational purpose: they grant users, applications and other system processes the elevated rights needed to reach certain resources and complete work-related tasks. The more privileges and access a user, account or process amasses, the greater the potential for abuse, exploitation or error. Implementing privilege management not only reduces the likelihood of a security breach, it also limits the scope of a breach when one does occur, because an attacker who lands on a standard-user account has far less to work with than one who lands on an administrator.
PAM is particularly helpful in meeting the common information security principles that APRA lays out in its CPS 234 guidance.
One thing the regulator wants to see is a defence-in-depth approach and capability: if the first layer of defences fails to identify a threat, another layer should still contain it. For example, an institution may use email filtering to stop messages carrying links to malware or malware-laced attachments. If that filter misses a message, a privilege management solution offers an effective second layer. Such solutions apply privilege enforcement and application control rules to browsers, mail clients, document readers and the processes they spawn, so that a malicious script or executable dropped by a phishing attachment is blocked from running, or runs only with standard-user rights, even after the user has clicked on it.
PAM is also useful for enforcing least privilege, another principle called for under CPS 234. Least privilege is the concept and practice of restricting the access rights of users, accounts and computing processes to only those resources absolutely required to perform legitimate functions. Removing local admin rights and controlling application execution, two core least-privilege practices, have historically been found to mitigate around three-quarters of Microsoft’s critical vulnerabilities (those whose impact is reduced when the affected user is not an administrator). Least privilege also narrows the pathways and ingress points available for exploitation, making it much harder for malware to spread laterally inside the institution.
Financial services institutions (FSIs) can also benefit from a centralised reporting and analytics platform that gives visibility into the privilege-related risks facing the organisation. This supports the timely detection of incidents that CPS 234 expects, by helping security teams and administrators analyse privileged password, user and account activity – ‘connecting the dots’ so the institution can act decisively and prioritise risk mitigation effectively.
In addition, integrating PAM with an existing security information and event management (SIEM) or extended detection and response (XDR) solution adds data points that help identify anomalous behaviour, such as unusual login attempts to privileged accounts, logons from sources never before seen for that account, or a successful privileged logon immediately following a run of failures.
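As an added illustration of the detection logic the previous two paragraphs describe (not code from the original article or from any SIEM or XDR product), the following example runs a few rules over a handful of constructed privileged-logon events: a burst of failures against a privileged account, a privileged logon outside business hours, a logon from a source address not in that account's baseline, and a success arriving shortly after failures. The log format, account names, addresses, baseline and thresholds are all hypothetical.

```python
"""Added example: rule-based detection of anomalous privileged logons over
constructed sample log lines. Not from the original article or any SIEM/XDR
product; format, accounts, addresses and thresholds are hypothetical."""
from collections import defaultdict
from datetime import datetime, timedelta

# Accounts the (hypothetical) PAM vault manages as privileged.
PRIVILEGED = {"svc-backup", "da-jsmith"}
# Source addresses previously observed for each privileged account.
BASELINE_SOURCES = {"da-jsmith": {"10.10.5.21"}, "svc-backup": {"10.10.9.8"}}
BUSINESS_HOURS = range(7, 19)                  # 07:00 to 18:59 local time
FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(minutes=5)

# Constructed sample log: "<ISO timestamp> <account> <source ip> <result>"
SAMPLE_LOG = """\
2024-03-04T08:12:10 da-jsmith 10.10.5.21 success
2024-03-04T08:40:02 svc-backup 10.10.9.8 success
2024-03-04T09:15:00 alice 10.10.7.3 failure
2024-03-04T23:05:44 da-jsmith 203.0.113.7 failure
2024-03-04T23:06:01 da-jsmith 203.0.113.7 failure
2024-03-04T23:06:19 da-jsmith 203.0.113.7 failure
2024-03-04T23:07:30 da-jsmith 203.0.113.7 success
"""


def parse(line: str) -> dict:
    ts, account, src, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "src": src, "result": result}


def detect(log_text: str) -> list:
    """Return (rule, account, source, timestamp) tuples for each alert."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    alerts = []
    recent_failures = defaultdict(list)   # account -> failure timestamps in window
    for e in events:
        acct = e["account"]
        if acct not in PRIVILEGED:
            continue   # ordinary users are handled by lower-severity rules elsewhere
        if e["result"] == "failure":
            window = recent_failures[acct]
            window.append(e["ts"])
            window[:] = [t for t in window if e["ts"] - t <= FAIL_WINDOW]
            if len(window) == FAIL_THRESHOLD:   # fire once, when the threshold is reached
                alerts.append(("failed-logon-burst", acct, e["src"], e["ts"]))
            continue
        # A successful privileged logon: check time, source and preceding failures.
        if e["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("off-hours-privileged-logon", acct, e["src"], e["ts"]))
        if e["src"] not in BASELINE_SOURCES.get(acct, set()):
            alerts.append(("new-source-privileged-logon", acct, e["src"], e["ts"]))
        failures = recent_failures[acct]
        if failures and e["ts"] - failures[-1] <= FAIL_WINDOW:
            alerts.append(("success-after-failures", acct, e["src"], e["ts"]))
    return alerts


if __name__ == "__main__":
    for rule, acct, src, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {rule:<28} {acct} from {src}")
```

In a real deployment the baseline would be learned from the PAM platform's session history rather than hard-coded, and the three alerts that stack on the final success event are exactly the kind of correlation that is only possible when the PAM telemetry and the logon telemetry land in the same SIEM.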
PAM also supports employees directly. While cyber awareness training is an important layer of information security protection, even the most diligent employees can be caught out when they are busy, stressed or tired. Tooling that enforces long, strong passwords, rotates them on an appropriate schedule and masks credentials from the employee’s view makes password hygiene easier to enforce, and keeps employees – and their access to sensitive information – protected.
Given the focus of the CPS 234 guidance, it’s clear that PAM can assist organisations to gain significant coverage across the information security items targeted for uplift. In many cases, PAM can provide specific controls, while in others, it can work hand-in-hand with other technology to provide the desired outcome.
Against the backdrop of a loss of regulator patience, urgent action is required. PAM may just be the circuit breaker that enables the uplift to get back on track.