Solution Guide
How strongDM Helps with
ISO 27001 Compliance
ISO/IEC 27001 is an international standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It specifies the requirements for an information security management system that keeps an organization's information assets, and those of its customers, secure.
Below are the Annex A controls (ISO/IEC 27001:2013 numbering) where strongDM features can support your ISO 27001 certification effort.
Each entry below lists the Annex A requirement, the control text, and the strongDM feature that supports it.
A.6 Organization of information security

A.6.1 Internal organization
Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.
A.6.1.2 Segregation of duties
Control: Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.
strongDM feature: Segregation of duties can be enforced through granular role-based, attribute-based, or just-in-time access control policies, all of which are least privilege by default and do not allow for escalation of privileges.
A.6.2 Mobile devices and teleworking
Objective: To ensure the security of teleworking and use of mobile devices.

A.6.2.2 Teleworking
Control: A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites.
strongDM feature: With strongDM, users are authenticated and authorized before they can access critical infrastructure. Credentials and keys are stored within strongDM or a secret store and are unavailable to the end user.
A.8 Asset management

A.8.1 Responsibility for assets
Objective: To identify organizational assets and define appropriate protection responsibilities.

A.8.1.3 Acceptable use of assets
Control: Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented.
strongDM feature: The strongDM Admin UI maintains a list of all users and the resources they have access to. Admins can define and enforce the appropriate access policies based on a user's role or a resource's attributes; access can be permanent or temporary. Comprehensive auditing of permissions is available for all access types.
To learn more about strongDM or to sign up for a demo, visit www.strongdm.com
A.8.2 Information classification
Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.

A.8.2.3 Handling of assets
Control: Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization.
strongDM feature: strongDM enforces least privilege by default. Role-based access control, attribute-based access control, and temporary access controls enable the right level of access. Comprehensive auditing of permissions shows which users have access to which resources.
A.9 Access control

A.9.1 Business requirements of access control
Objective: To limit access to information and information processing facilities.

A.9.1.1 Access control policy
Control: An access control policy shall be established, documented and reviewed based on business and information security requirements.
strongDM feature: strongDM uses a combination of user identities, network segmentation (making only gateways public), and roles/groups to generate and enforce access control rules.

A.9.1.2 Access to networks and network services
Control: Users shall only be provided with access to the network and network services that they have been specifically authorized to use.
strongDM feature: In the strongDM architecture, resources do not connect with each other. Users can only connect to what they are given access to and are unable to elevate their privileges to move laterally through an organization's infrastructure.
A.9.2 User access management
Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.

A.9.2.1 User registration and de-registration
Control: A formal user registration and de-registration process shall be implemented to enable assignment of access rights.
strongDM feature: strongDM can federate with your identity provider, or you can use strongDM's native authentication, which allows administrators to set minimum password requirements. Every user in strongDM is unique with an individual ID, and any shared accounts (e.g., service accounts, API keys, admin tokens) can have expirations or be automatically expired when the user that created them has been suspended or deleted.

A.9.2.2 User access provisioning
Control: A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.
strongDM feature: Grant and revoke permanent or just-in-time access to resources through the strongDM Admin UI, CLI, SDKs, or through your identity provider.

A.9.2.3 Management of privileged access rights
Control: The allocation and use of privileged access rights shall be restricted and controlled.
strongDM feature: strongDM supports Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC) policies. Additionally, strongDM enables you to grant temporary or just-in-time access with least privilege by default.
A.9.2.4 Management of secret authentication information of users
Control: The allocation of secret authentication information shall be controlled through a formal management process.
strongDM feature: strongDM stores credentials in a hardened AWS vault. We also support customer-owned-and-maintained secret stores that can be configured for access.

A.9.2.5 Review of user access rights
Control: Asset owners shall review users' access rights at regular intervals.
strongDM feature: strongDM provides comprehensive audit logs for all access to configured data sources.

A.9.2.6 Removal or adjustment of access rights
Control: The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.
strongDM feature: Revoke permanent or just-in-time access to resources through the strongDM Admin UI, CLI, SDKs, or through your identity provider.
A.9.3 User responsibilities
Objective: To make users accountable for safeguarding their authentication information.

A.9.3.1 Use of secret authentication information
Control: Users shall be required to follow the organization's practices in the use of secret authentication information.
strongDM feature: Credentials are never provided to the end user. The gateway authenticates to the final resource in the last hop using stored credentials, which are kept securely within strongDM or in an existing secret store (HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager).
A.9.4 System and application access control
Objective: To prevent unauthorized access to systems and applications.

A.9.4.1 Information access restriction
Control: Access to information and application system functions shall be restricted in accordance with the access control policy.
strongDM feature: The strongDM Admin UI maintains a list of all users and the resources they have access to. Admins can define and enforce the appropriate access policies based on a user's role or a resource's attributes, with comprehensive permissions auditing available.

A.9.4.2 Secure log-on procedures
Control: Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure.
strongDM feature: strongDM allows you to authenticate and/or provision users and groups through your identity provider. You can also authenticate through strongDM with MFA.

A.9.4.3 Password management system
Control: Password management systems shall be interactive and shall ensure quality passwords.
strongDM feature: strongDM centralizes the storage of passwords, either within strongDM or in a customer-managed secret store. Passwords are never disclosed to end users, and end users never need them in order to be granted access to systems.
A.9.4.4 Use of privileged utility programs
Control: The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.
strongDM feature: strongDM enables customers to grant automated access to systems via service accounts and benefit from the same robust access and audit controls they use for regular users. Permission levels in strongDM restrict the types of access that tokens and service accounts can have, in order to prevent privilege escalation from these systems.
A.10 Cryptography

A.10.1 Cryptographic controls
Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.

A.10.1.1 Policy on the use of cryptographic controls
Control: A policy on the use of cryptographic controls for protection of information shall be developed and implemented.
strongDM feature: Because strongDM uses strong cryptographic controls for the encryption and storage of authentication secrets, we can help support a customer's policy on cryptographic controls. strongDM also supports the storage of credentials and keys in secret stores, which reduces the need to transmit any secrets outside of an organization's systems or network.

A.10.1.2 Key management
Control: A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle.
strongDM feature: All secrets and credentials are encrypted with keys stored in a hardened vault. The end user does not have, and does not need, access to the cryptographic keys in order to access resources.
A.11 Physical and environmental security

A.11.2 Equipment
Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization's operations.

A.11.2.6 Security of equipment and assets off-premises
Control: Security shall be applied to off-site assets taking into account the different risks of working outside the organization's premises.
strongDM feature: Access to critical infrastructure occurs only through strongDM, which authenticates users through your identity provider or through strongDM with MFA.
A.12 Operations security

A.12.1 Operational procedures and responsibilities
Objective: To ensure correct and secure operations of information processing facilities.

A.12.1.1 Documented operating procedures
Control: Operating procedures shall be documented and made available to all users who need them.
strongDM feature: strongDM can be a part of a standard documented operating procedure for accessing infrastructure.
A.12.1.2 Change management
Control: Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled.
strongDM feature: Grant temporary access, with least privilege by default, for managing access to critical infrastructure. Integrate testing, approving, and implementing changes for emergency situations (e.g., grant temporary access from within applications like Slack and Microsoft Teams).

A.12.1.4 Separation of development, testing and operational environments
Control: Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment.
strongDM feature: In the strongDM architecture, resources do not connect with each other. Users can only connect to what they are given access to and are unable to elevate their privileges to move laterally through an organization's infrastructure.
A.12.4 Logging and monitoring
Objective: To record events and generate evidence.

A.12.4.1 Event logging
Control: Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.
strongDM feature: strongDM provides comprehensive audit logs for all access to configured data sources, which can assist in evaluations and investigations of security incidents.

A.12.4.2 Protection of log information
Control: Logging facilities and log information shall be protected against tampering and unauthorized access.
strongDM feature: strongDM tunnels all connections between local clients and strongDM's proxy server through a single TLS 1.2-secured TCP connection and enhances traditional TLS handshakes with its own secrets between each node. There are three levels of encryption that can be enabled: default encryption, public key and local logging, and non-shared key encryption.

A.12.4.3 Administrator and operator logs
Control: System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.
strongDM feature: strongDM provides session recordings and audit logs for all access to configured data sources, which are critical for identifying root cause in security incidents.

A.12.7 Information systems audit considerations
Objective: To minimize the impact of audit activities on operational systems.

A.12.7.1 Information systems audit controls
Control: Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimize disruptions to business processes.
strongDM feature: strongDM can support comprehensive auditing of systems and access in a way that does not affect the target systems at all, since all activity and audit logs are processed on the strongDM platform and not on individual systems.
A.13 Communications security

A.13.1 Network security management
Objective: To ensure the protection of information in networks and its supporting information processing facilities.
A.13.1.1 Network controls
Control: Networks must be managed and controlled in order to protect information within systems and applications.
strongDM feature: strongDM uses network segmentation, and makes only gateways public, to generate and enforce access control rules.

A.13.1.2 Security of network services
Control: Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced.
strongDM feature: In the strongDM architecture, resources do not connect with each other. Users can only connect to what they are given access to and are unable to elevate their privileges to move laterally through an organization's infrastructure.

A.13.1.3 Segregation in networks
Control: Groups of information services, users and information systems should be segregated on networks.
strongDM feature: By reducing the need for resources to connect to each other, strongDM can help customers implement network segmentation. Resource tagging can help customers implement environment segmentation and RBAC.
A.14 System acquisition, development and maintenance

A.14.1 Security requirements of information systems
Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.

A.14.1.2 Securing application services on public networks
Control: The information involved in application services passing over public networks needs to be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.
strongDM feature: The use of encrypted connections at all layers of the strongDM platform ensures that any communications between users and resources are encrypted over public networks.

A.14.2 Security in development and support processes
Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.

A.14.2.1 Secure development policy
Control: Rules for the development of software and systems shall be established and applied to developments within the organization.
strongDM feature: User access privileges are derived from their assigned roles, with the exception of temporary access and users with no role assigned. The strongDM AccessBot can also be used to grant temporary access from within applications like Slack and Microsoft Teams.

A.14.2.6 Secure development environment
Control: Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.
strongDM feature: User access privileges are derived from their assigned roles or attributes, with a comprehensive audit trail that records the who, what, where, and when of every interaction with backend infrastructure.

A.14.2.7 Outsourced development
Control: The organization shall supervise and monitor the activity of outsourced system development.
strongDM feature: strongDM manages and audits all access to backend infrastructure, whether by employees, contractors, or other third parties.
A.16 Information security incident management

A.16.1 Management of information security incidents and improvements
Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

A.16.1.4 Assessment of and decision on information security events
Control: Information security events must be assessed and it shall be decided if they should be classified as information security incidents.
strongDM feature: By providing detailed audit logs, strongDM can support a customer's assessment of an information security event.

A.16.1.7 Collection of evidence
Control: The organization shall define and apply controls for the identification, collection, acquisition and preservation of information, which can serve as evidence.
strongDM feature: strongDM provides comprehensive audit logs for all access to configured data sources, which can assist in evaluations and investigations of security incidents.
A.17 Information security aspects of business continuity management

A.17.2 Redundancies
Objective: To ensure availability of information processing facilities.

A.17.2.1 Availability of information processing facilities
Control: Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.
strongDM feature: strongDM is architected and deployed as a highly available service in which redundancy is built in and uptime and disaster recovery times are predictable.
A.18 Compliance

A.18.1 Compliance with legal and contractual requirements
Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.

A.18.1.4 Privacy and protection of personally identifiable information
Control: Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable.
strongDM feature: The strongDM implementation fully leverages Authenticated Encryption with Associated Data (AEAD) via the KMS Encryption Context. All credential decryption events are written to a tamper-hardened audit log that is owned by a separate AWS account. Your gateway is the only component that can decrypt credentials on an end user's behalf.
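An added illustration of the AEAD-with-encryption-context point above. This is example code, not strongDM's implementation: it uses a local AES-256-GCM stand-in for KMS, canonicalizes a non-secret context map (sorted keys, length-prefixed entries) and passes it as associated data, so a credential sealed for one resource cannot be opened under a context naming another. The key, the context keys ("resource", "owner") and the sample password are constructed assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"sort"
	"strings"
)

// EncryptionContext mirrors the shape of a KMS encryption context: non-secret
// key/value pairs that the ciphertext is cryptographically bound to.
// Assumption: a local stand-in for the KMS feature the page mentions.
type EncryptionContext map[string]string

// canonical renders the context deterministically (sorted keys, length-prefixed
// entries) so the same map always yields byte-identical associated data.
func (c EncryptionContext) canonical() []byte {
	keys := make([]string, 0, len(c))
	for k := range c {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	for _, k := range keys {
		fmt.Fprintf(&b, "%d:%s=%d:%s;", len(k), k, len(c[k]), c[k])
	}
	return []byte(b.String())
}

// SealCredential encrypts a credential with AES-256-GCM, passing the canonical
// context as associated data. Output layout is nonce || ciphertext || tag.
func SealCredential(key, credential []byte, ctx EncryptionContext) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, credential, ctx.canonical()), nil
}

// OpenCredential succeeds only if key, ciphertext, tag and context all match;
// a context mismatch fails authentication exactly like a tampered ciphertext.
func OpenCredential(key, blob []byte, ctx EncryptionContext) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, ctx.canonical())
}

// Demo shows the binding: the same blob opens under the original context and
// is rejected under a context naming a different resource.
// Returns (opened under matching context, rejected under wrong context).
func Demo() (bool, bool) {
	key := make([]byte, 32) // assumption: a freshly generated 256-bit data key
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return false, false
	}
	ctx := EncryptionContext{"resource": "prod-postgres-01", "owner": "platform"}
	secret := []byte("constructed-sample-password") // constructed, not a real credential
	blob, err := SealCredential(key, secret, ctx)
	if err != nil {
		return false, false
	}
	got, err := OpenCredential(key, blob, ctx)
	opened := err == nil && string(got) == string(secret)
	_, err = OpenCredential(key, blob, EncryptionContext{"resource": "staging-postgres-01", "owner": "platform"})
	return opened, err != nil
}

func main() {
	opened, rejected := Demo()
	fmt.Printf("opened with matching context: %v; wrong context rejected: %v\n", opened, rejected)
}
```

The practitioner check this enables: any code path that decrypts a credential must supply the full context the gateway sealed it with, so a ciphertext copied to a different resource, account or environment is useless to whoever copies it. With real AWS KMS the same property holds: Decrypt must be called with the identical EncryptionContext map, and a mismatch is rejected as an invalid ciphertext.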
A.18.2 Information security reviews
Objective: To ensure information security is implemented and operated in accordance with the organizational policies and procedures.

A.18.2.3 Technical compliance review
Control: Information systems shall be regularly reviewed for compliance with the organization's information security policies and standards.
strongDM feature: By logging all of the queries that are run on target systems and optionally exporting strongDM logs to a SIEM, customers can detect potential areas of noncompliance.