Part Three: In-Depth Look at PAM Controls for DFARS Requirements
CyberSheath’s security consultants and implementation engineers have previously written about utilizing privileged account management solutions to meet DFARS requirements, and this week we continue to explore DFARS control requirements in detail.
The latest post in the “In-Depth Look at PAM Controls for DFARS Requirements” series, CyberSheath reviews a third NIST 800-171 control that when utilizing a PAM solution like CyberArk, makes for very effective control. These NIST 800-171 controls include:
- NIST 800-171 3.1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
- NIST 800-171 3.1.2 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
- NIST 800-171 3.1.7 Prevent non-privileged users from executing privileged functions and audit the execution of such functions.
- NIST 800-171 3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
- NIST 800-171 3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts.
- NIST 800-171 3.1.6 Use non-privileged accounts or roles when accessing nonsecurity functions.
- NIST 800-171 3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
- NIST 800-171 3.5.4 Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts.
The third control, 3.1.7, is to “prevent non-privileged users from executing privileged functions and audit the execution of such functions”. In layman’s terms, do not give users who do not need privileged access the ability to execute privileged tasks, as well as the ability to audit privileged tasks.
In CyberSheath’s previous posts, we have discussed the concept of least privilege and using tools like CyberArk’s On-Demand Privileges Manager (OPM) and Viewfinity to technically enforce the least privilege while allowing elevated privileges when necessary. As a refresher, a “least privilege” access model means that end-users are given the bare-bone access required to do their everyday basic job functions. When users need to execute privileged tasks, they can either check-out an account from a Password Vault database, use the OPM or use Viewfinity on their workstation.
The CyberArk Privileged Account Management suite includes the Privileged Session Manager, a component used primarily as a jumpbox to transparently connect to target machines using secured privileged accounts. Since all of the traffic is redirected through the PSM jumpbox, it is also possible to record the sessions and monitor them live. Auditors and Investigators can search for users that retrieved a password (whether the action was to view or copy the password or connect to a system using the target account). The audit capabilities can be further bolstered by requiring users to provide reasons as to why they need access to the privileged account, and even requiring correlation to a Service Desk ticket number. Recordings of the sessions can be searched for titles of specific applications that may have been launched (such as gpedit or regedit) for Windows-type recordings, or any text for UNIX type recordings.
CyberSheath’s implementation engineers and security consultants are well versed in the practical application of NIST 800-171 controls, DFARS, and privileged account management. Download our security assessment datasheet to learn more about how CyberSheath can help improve your organization’s security posture and implement effective security controls. Subscribe to our email updates to stay up to date with our DFARS series and other security posts.