Do we really need individual admin accounts per engineer/admin user? Surely Privileged Access Management (PAM) or similar is OK?
The requirements of Cyber Essentials (the Evendine question set) are set out by a working group that includes many different parties; however, the key input comes from Subject Matter Experts at the National Cyber Security Centre (NCSC), part of GCHQ, who determine the requirements of the standard that Certification Bodies are here to apply.
The key requirements are:
- Admin accounts are unique, one per admin (person), and are not shared, at all.
- Admin accounts should be protected by MFA (absolutely for all cloud services) and ideally on all systems.
- Admin accounts for your support provider should also be unique: they have access to your "Crown Jewels" (your network, systems and data) and therefore should be protected to the same level as your own admin users.
The first issue with PAM is that it does not deliver account separation, a minimum requirement of Cyber Essentials; therefore you are not compliant with the standard when using this method of admin access.
With PAM you are providing a user with access to many different functions, which they are perhaps not considering, for the whole time they are in elevated mode. That is the enhanced risk of using PAM and one of the reasons it is not supported. With account separation, and better still when used with elevation, you access an admin function just for that moment, not for a period of time. Even without elevation, the separate admin account accesses the function in a known manner, free of the day-to-day user's baggage, where that user may have been compromised.
If your support provider (MSP) has 20 engineers who all access your systems, then they should have 20 accounts on your system, one for each of those engineers; each of those accounts should be appropriately secured with a 12-character password and ideally MFA.
This is one issue that isn't open for any discussion, workaround or compromise: it's a requirement of the standard that you have a unique admin account per person/admin and that these are not shared with anyone. These accounts are not to be used for any day-to-day access and should be used only for admin functions where required, ideally using elevation and not interactive login. Just-In-Time Access / Privileged Access Management is not acceptable, as they do not deliver account separation.
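As an added illustration (not part of the original post or the Cyber Essentials scheme), a small audit over a constructed admin-logon export that flags the three things the post insists on: admin accounts shared between people, admin accounts without MFA, and admin accounts used for interactive day-to-day logon rather than elevation. The account names, logon sources and the interactive-logon threshold are all constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample: one record per admin logon, as an auditor might export
# from a SIEM. Fields: admin account, the person/workstation it came from,
# and whether it was a short elevation (sudo/UAC style) or an interactive logon.
SAMPLE_LOGONS = [
    ("adm-jsmith", "jsmith-laptop", "elevation"),
    ("adm-jsmith", "jsmith-laptop", "elevation"),
    ("adm-rjones", "rjones-laptop", "interactive"),
    ("adm-rjones", "rjones-laptop", "interactive"),
    ("adm-rjones", "rjones-laptop", "interactive"),
    ("msp-support", "msp-eng01", "interactive"),
    ("msp-support", "msp-eng02", "interactive"),
    ("msp-support", "msp-eng03", "elevation"),
]
# Constructed: admin accounts with MFA enforced at the identity provider.
SAMPLE_MFA_ENABLED = {"adm-jsmith", "msp-support"}


def audit_admin_accounts(logons, mfa_enabled, interactive_limit=3):
    """Return {account: [finding codes]} for accounts that break the rules.

    Finding codes:
      shared-account          used from more than one person/workstation
      no-mfa                  MFA not enforced on the admin account
      interactive-day-to-day  at least `interactive_limit` interactive logons
                              (constructed threshold; tune to the period audited)
    """
    sources = defaultdict(set)
    interactive = Counter()
    for account, source, logon_type in logons:
        sources[account].add(source)
        if logon_type == "interactive":
            interactive[account] += 1

    findings = {}
    for account in sorted(sources):
        codes = []
        if len(sources[account]) > 1:
            codes.append("shared-account")
        if account not in mfa_enabled:
            codes.append("no-mfa")
        if interactive[account] >= interactive_limit:
            codes.append("interactive-day-to-day")
        if codes:
            findings[account] = codes
    return findings


if __name__ == "__main__":
    for account, codes in audit_admin_accounts(SAMPLE_LOGONS, SAMPLE_MFA_ENABLED).items():
        print(f"{account}: {', '.join(codes)}")
```

On the sample data, `adm-jsmith` passes, `adm-rjones` is flagged for missing MFA and routine interactive logon, and `msp-support` is flagged as a shared account used by three engineers.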