Part Four: In-Depth Look at PAM Controls for DFARS Requirements
As part of an ongoing series on using privileged account management solutions to meet DFARS requirements, CyberSheath’s security consultants have explored technical controls in great detail, providing readers with real-world applications that make a meaningful impact. This week CyberSheath continues to explore NIST control 800-171, “separate the duties of individuals to reduce the risk of malevolent activity without collusion”.
Privileged account management solutions are valuable tools to meet the following NIST 800-171 controls:
- NIST 800-171 3.1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
- NIST 800-171 3.1.2 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
- NIST 800-171 3.1.7 Prevent non-privileged users from executing privileged functions and audit the execution of such functions.
- NIST 800-171 3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
- NIST 800-171 3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts.
- NIST 800-171 3.1.6 Use non-privileged accounts or roles when accessing nonsecurity functions.
- NIST 800-171 3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
- NIST 800-171 3.5.4 Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts.
The fourth control, 3.1.4, is to “separate the duties of individuals to reduce the risk of malevolent activity without collusion”. In layman’s terms, organizations must segregate the duties and tasks that employees complete in order to minimize the chance that they could purposely plan and execute malicious activities.
Real-world examples of this scenario include ensuring an application development team does not have access to production code or compartmentalizing the information individuals on a team have access to, ensuring no one individual has access to everything. Separation of duties would prevent individuals from maliciously impacting production code or limit the fallout of an insider threat.
A privileged account management solution like CyberArk allows organizations to provision access to applications, operating systems, databases and many other devices through the use of the Enterprise Password Vault. Organizations can create a purpose built shared accounts for applications, systems, databases, etc., and grant access to those specific accounts based on the separation of duties. That way, when contractor one needs to access information, they use the shared account they have been provisioned access to, and contractor two uses a different account.
Before a contractor can even check out a credential, organizations have the ability to implement account access workflows. This workflow can require contractors to fill out a form that specifies a reason for access, how many times they will be accessing it, and the time frame they will access it. When the form is submitted, an authorized individual like a manager can approve the request, giving the contractor access to the password. This feature is called Dual Control, and by using this feature, organizations can ensure that managers or authorized individuals can grant access for specific duties or functions. Dual Control can be configured so that authorized individuals are only able to approve, but not access the account, ensuring separation of duties between roles. Dual Control can also be configured so that teammates can approve other teammate’s access ensuring that at least two people are aware of account access. This entire request and approval process leaves a full tamper-proof audit trail.
To further ensure that malicious activity is not taking place, organizations can implement a policy of “one-time-use” passwords, where after a given time period (say 24 hours for example) the password will be changed automatically. In combination with the CyberArk Privileged Threat Analytics (PTA) tool, organizations can detect suspicious credential activity usage, trigger an alert and automatically respond to the unauthorized access in real-time. For example, if contractor #1 normally uses an account between a certain time period or location, using that credential outside of the normal baseline would trigger an alert and response.
CyberSheath’s implementation engineers and security consultants have real-world experience assisting organizations to fulfill their DFARS and privileged account management needs. Download our security assessment datasheet to learn more about how CyberSheath can help your organization get ahead with privileged account management. Subscribe to our email updates to stay up to date with our DFARS series and other security posts.