SAMA Cyber Security Framework: Improving Cyber Resilience

March 30, 2020

According to Gartner, cyber security is one of the top risks for businesses in the Middle East. Within that region, Saudi Arabia is one of the most highly-targeted countries for cyber-attacks based on its geopolitical stands, its widespread adoption of digital practices, its vast natural resource reserves, and accumulation of wealth.

Thus, it’s not surprising that a recently published KPMG CEO Outlook survey saw 20% of the CEOs in Saudi Arabia reach a consensus that cyber security risks are the biggest threats to their businesses today. In 2018, the same survey ranked cyber security risks at sixth position with only 4% of the surveyed CEOs believing it to be a top risk at the time.

SAMA CYBER SECURITY FRAMEWORK

To improve cyber resilience, a variety of Saudi Arabian government entities and oversight agencies created mandatory guidelines to strengthen their constituents’ security postures and provide prescriptive measures to defend against today’s cyber threats. For example, the Saudi Arabian Monetary Authority (SAMA) introduced the SAMA Cyber Security Framework, which encompasses best practices from a variety of other government frameworks and industry standards ranging from the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF), Payment Card Industry Data Security Standard (PCI DSS), and ISO 27001/27002 Information Security Management Standards to Basel II International Convergence of Capital Measurement and Capital Standards.  

SAMA avoided the typical pitfall of many other cyber security frameworks. Instead of asking banking, insurance, and financial services companies to voluntarily adopt the best practices, it mandated the implementation of the framework to assure the sector can manage and withstand cyber security threats.

Overall, the SAMA Cyber Security Framework is very comprehensive and prescriptive by nature, propagating key cyber security principles and objectives to be embedded and achieved by each regulated entity. These are broken down in terms of four main cyber security ‘domains’: Leadership and Governance, Risk Management and Compliance, Operations and Technology, as well as Third-Party considerations.

SAMA

 Figure 1: SAMA Cyber Security Framework Structure

Considering that 80% of today’s data breaches involve compromised privileged credentials, according to Forrester, it is refreshing to see that in section 3.3 (Cyber Security Operations and Technology) SAMA provides detailed directives on Identity and Access Management (IAM). Unfortunately, many other industry standards and cyber security frameworks fall short when it comes to establishing best practices to protect against credential-based attacks, which is today’s #1 attack vector.

SAMA ALIGNMENT TO PAM BEST PRACTICES

SAMA’s guidance for IAM measures aligns closely with Centrify’s Privileged Access Management (PAM) best practices:

  • Discover and Vault Shared Accounts

Identify all privileged accounts and resources and vault away those privileged credentials so that they are properly managed. Organizations can leverage the Centrify Privileged Access Service to establish the core privileged access controls across your growing attack surface.

  • Identity Consolidation

Vaulting alone is not enough. Following Zero Trust principles, it is important to establish an identity for users via HR-vetted enterprise directory identities like Active Directory, meaning these identities are automatically disabled when the person’s employment is terminated. Instead of logging into a server with a shared account, superusers would leverage their individual identity to authenticate to the system.

In this scenario, organizations are using temporary tokens rather than static passwords for the authentication process. By doing so, they’re not imposing any behavioral changes by forcing users to log into a vault, and then checking out a password, which often leads to admin users circumventing the approach by for example creating an SSH backdoor key. Password checkouts should only occur in break-glass scenarios – the rest of the time, users should leverage their individual credentials to establish accountability. The Centrify Authentication Service provides organizations with the needed capabilities to go beyond a password vault and reduce their attack surface by consolidating identities and eliminating local accounts as much as possible.

  • Enforce Just-Enough, Just-in-Time Privilege

Least privilege means granting just enough privilege, just-in-time, as well as limiting lateral movement. Just enough privilege to get the job done. Just-in-time privilege based on temporary access through a simple request process and limiting lateral movement by only granting access to the target resources needed to get the job done and no more. The Centrify Privilege Elevation Service empowers organizations to implement privilege elevation controls as well as workflow for just-in-time privilege access.

  • Audit Everything

With a documented record of all actions performed, audit logs not only can be used in forensic analysis to find exactly the issue but also to attribute actions taken to a specific user. Because these sessions are so critical it is also best practice to keep a video recording of the session that can be reviewed or used as evidence for your most critical assets or in highly regulated industries. The Centrify Audit and Monitoring Service allows customers to fulfill their compliance mandates through auditing and reporting as well as shut down any dangerous workarounds by putting host-based monitoring in place.

  • MFA Everywhere

Both SAMA and Centrify believe that one of the lowest-hanging fruits when it comes to deterring a threat actor is to implement multi-factor authentication (MFA) for all privileged users, everywhere. Centrify’s Identity-Centric PAM solutions allow organizations to establish this additional security layer not only at vault check out, but also for server login, privilege elevation, etc.

Ultimately, applying an Identity-Centric approach to their security strategy allows organizations to minimize the risk of cyber exposure and strengthens both compliance and security posture. To explore more what role Identity-Centric PAM can play when trying to meet stringent compliance mandates and fulfill your organization’s audit requirements, please feel free to join Centrify’s upcoming webinar “Improve Your Compliance Posture with Identity-Centric PAM.“