Regarding NIS2 compliance for data-at-rest protection (PR.DS-01), Broadcom Symantec Privileged Access Manager (PAM) implements a formalized secure software development lifecycle (SSDLC) and specific cryptographic controls that ensure the confidentiality and integrity of stored data.
1. Protection of Stored Data (Ex1)
Symantec PAM employs high-grade encryption and unique key management to protect the credential vault and sensitive resources:
- Key Hierarchy: A unique key-encryption key (KEK) is generated for each deployment using a NIST SP 800-90B compliant entropy source. This KEK encrypts the data-encryption key (DEK), which in turn protects the Credential Vault data. The DEK can optionally be rotated as an additional layer of security.
- Encryption Standards: Both the KEK and DEK are AES 256 symmetric keys.
- FIPS Compliance: When operating in FIPS mode, Symantec PAM uses the CMVP-validated wolfCrypt (Cert #4718) and BC-FJA (Cert #4943) modules for FIPS 140-3 cryptographic compliance.
- Hardware Security: Optionally, PAM can be configured to use a KEK from a network-deployed Entrust Hardware Security Module (HSM) for enhanced protection.
- Password Hashing: Local user passwords are not stored in plaintext but as salted SHA-512 hashes (20 rounds).
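The key hierarchy described above, as an added illustration rather than Symantec PAM's own code (whose on-disk formats are not published on this page): a vault that stores only the KEK-wrapped DEK and the per-record ciphertexts, with the optional DEK rotation the list mentions. AES-256-GCM, the `vault-dek` label and the use of the record name as associated data are choices of this example; the page states only that the KEK and DEK are AES 256 symmetric keys.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// randBytes draws from the OS CSPRNG; the SP 800-90B entropy source the page describes is assumed to feed it.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// mustGCM builds AES-GCM for a 32-byte key; the only failure mode is a bad key length.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal encrypts with AES-256-GCM and prepends the fresh random nonce.
func seal(key, plaintext, aad []byte) []byte {
	gcm := mustGCM(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; any change to nonce, ciphertext, tag or AAD is an error.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Vault is what reaches disk: the KEK-wrapped DEK and per-record ciphertexts; the KEK stays in the key store or HSM.
type Vault struct {
	WrappedDEK []byte
	Records    map[string][]byte
}

var dekAAD = []byte("vault-dek") // AAD tying the wrapped blob to its purpose (example choice)

func NewVault(kek []byte) *Vault {
	return &Vault{WrappedDEK: seal(kek, randBytes(32), dekAAD), Records: map[string][]byte{}}
}

// UnwrapDEK is the only step that needs the KEK; a wrong KEK fails here, not later.
func (v *Vault) UnwrapDEK(kek []byte) ([]byte, error) { return open(kek, v.WrappedDEK, dekAAD) }

// Put uses the record name as AAD, so a ciphertext moved to another slot fails in Get.
func (v *Vault) Put(dek []byte, name string, secret []byte) {
	v.Records[name] = seal(dek, secret, []byte(name))
}

func (v *Vault) Get(dek []byte, name string) ([]byte, error) {
	return open(dek, v.Records[name], []byte(name)) // missing record: nil ciphertext, rejected by open
}

// RotateDEK re-encrypts every record under a fresh DEK and re-wraps it; a KEK
// rotation would only re-wrap the DEK and touch no records.
func (v *Vault) RotateDEK(kek []byte) error {
	oldDEK, err := v.UnwrapDEK(kek)
	if err != nil {
		return err
	}
	newDEK := randBytes(32)
	fresh := make(map[string][]byte, len(v.Records))
	for name, ct := range v.Records {
		pt, err := open(oldDEK, ct, []byte(name))
		if err != nil {
			return err
		}
		fresh[name] = seal(newDEK, pt, []byte(name))
	}
	v.WrappedDEK, v.Records = seal(kek, newDEK, dekAAD), fresh
	return nil
}

func main() {
	kek := randBytes(32) // in a deployment this comes from the appliance key store or an HSM
	v := NewVault(kek)
	dek, _ := v.UnwrapDEK(kek)
	v.Put(dek, "db/admin", []byte("s3cret"))
	_ = v.RotateDEK(kek) // the old DEK no longer decrypts; the KEK unwraps the new one
	dek, _ = v.UnwrapDEK(kek)
	pt, err := v.Get(dek, "db/admin")
	fmt.Println(string(pt), err)
}
```

Two properties are worth checking against any design of this shape: a wrong KEK must fail at unwrap time rather than yield garbage that is silently used, and after a DEK rotation the old DEK must decrypt nothing. Because only the wrapped DEK depends on the KEK, moving the KEK into an HSM or rotating it is a single re-wrap, not a re-encryption of the vault, which is what makes an HSM-held KEK a cheap option to add later.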
2. Full Disk Encryption and Appliance Lockdown (Ex2)
Symantec PAM is delivered as a secure, locked-down virtual appliance to minimize the attack surface.
- Appliance Integrity: The platform consists of a web application server and an Oracle MySQL™ Enterprise Edition database. No other application software is permitted to operate in the appliance, and file integrity checks are maintained to ensure no malicious or unauthorized content is added.
- File System Access: Access to the appliance file system is strictly controlled and requires two-party coordination between the customer and Broadcom Support.
- Programmatic Access: For programmatic (A2A) access, a unique white-box-protected AES 256 key is generated for each client registered to the server; this key encrypts the data transmitted to the Request Client (A2A). Optionally, these keys can be rotated for added security. The Application (A2A) client resides on the requesting server where the requesting programs/scripts are installed, and integrity checks (hash and execution-path checks) are run against the calling applications and scripts.
3. Software Integrity and Signature Validation (Ex3)
To ensure the integrity of the platform and prevent unauthorized modifications:
- Integrity Verification: An integrity-check utility is present within the appliance to verify that no unauthorized changes have been made to the approved OS modules.
- Secure Development: All code changes undergo peer review and sign-off before being merged. Broadcom also runs static code analysis (Coverity), dynamic testing (AppScan™) and software composition analysis (BlackDuck) on every release.
- Programmatic Security: Security configuration options include integrity verification checks for programmatic (A2A) access authentication.
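The appliance integrity check (sections 2 and 3) and the A2A caller hash-and-execution-path check (section 2) rest on the same primitive: compare the current SHA-256 of a file with a recorded one. The following is an added example of both, written for this page; it is not the appliance's integrity utility or the A2A client, and the baseline format, the `Caller` registration record and the sample file tree are assumptions of the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// fileSHA256 returns the hex SHA-256 of a file's contents.
func fileSHA256(path string) (string, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:]), nil
}

// Baseline records the digest of every regular file under root, keyed by path relative
// to root (symlinks and directories are skipped). Take it at build time and keep it where the box cannot rewrite it.
func Baseline(root string) (map[string]string, error) {
	base := map[string]string{}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return err
		}
		sum, err := fileSHA256(p)
		if err != nil {
			return err
		}
		rel, err := filepath.Rel(root, p)
		base[rel] = sum
		return err
	})
	return base, err
}

// Report is the drift from the baseline; Added is the "unauthorized content" case, Missing a removed control.
type Report struct {
	Modified, Added, Missing []string
}

// Verify rehashes root and diffs the result against base.
func Verify(root string, base map[string]string) (Report, error) {
	now, err := Baseline(root)
	if err != nil {
		return Report{}, err
	}
	var r Report
	for p, sum := range base {
		if cur, ok := now[p]; !ok {
			r.Missing = append(r.Missing, p)
		} else if cur != sum {
			r.Modified = append(r.Modified, p)
		}
	}
	for p := range now {
		if _, ok := base[p]; !ok {
			r.Added = append(r.Added, p)
		}
	}
	return r, nil
}

// Caller is an assumed A2A-style registration: the requesting program is identified by
// the absolute path it must run from and the digest its file must have.
type Caller struct {
	Path, SHA256 string
}

// AuthorizeCaller is the gate a credential request passes: the presented path must equal
// the registered one and the file there must still hash to the registered digest.
func AuthorizeCaller(reg Caller, presentedPath string) (bool, error) {
	if filepath.Clean(presentedPath) != filepath.Clean(reg.Path) {
		return false, nil // a copy of the program elsewhere is not the registered caller
	}
	sum, err := fileSHA256(reg.Path)
	if err != nil {
		return false, err
	}
	return sum == reg.SHA256, nil // an edit in place changes the digest
}

func main() {
	root, _ := os.MkdirTemp("", "appliance") // constructed sample tree, not a real appliance
	defer os.RemoveAll(root)
	agent := filepath.Join(root, "agent.sh")
	os.WriteFile(agent, []byte("#!/bin/sh\necho v1\n"), 0o755)
	base, _ := Baseline(root)
	os.WriteFile(agent, []byte("#!/bin/sh\necho tampered\n"), 0o755)
	r, _ := Verify(root, base)
	ok, _ := AuthorizeCaller(Caller{Path: agent, SHA256: base["agent.sh"]}, agent)
	fmt.Printf("modified=%v added=%v missing=%v callerAuthorized=%v\n", r.Modified, r.Added, r.Missing, ok)
}
```

Two caveats apply to any check of this kind. It attests to the file on disk at the moment of hashing, not to the process that made the request, so there is a window between the check and execution that a local attacker with write access could use; the page's restriction of file-system access to two-party coordination is what narrows that window on the appliance side. And path comparison here is lexical: if the calling host permits symlinks into the registered location, resolve both sides with filepath.EvalSymlinks before comparing.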
Summary for Compliance Documentation
| NIS2 Requirement Component | Symantec PAM Technical Control |
|---|---|
| Confidentiality (Ex1) | AES 256-bit encryption for the Credential Vault; FIPS 140-3 validated modules (Certs #4718, #4943). |
| Integrity (Ex1 & Ex3) | Salted SHA-512 hashing; appliance OS integrity utility checks. |
| Key Management | NIST SP 800-90B compliant entropy; optional Entrust HSM integration. |
| Vulnerability Management | Continuous monitoring (NVD) and external third-party penetration testing. |