On June 18, 2015, NIST released the final version of SP 800-171, which provides guidance for protecting the confidentiality of Controlled Unclassified Information (CUI) residing in nonfederal information systems. In August 2015, DFARS clause 252.204-7012 replaced its original reference to the NIST SP 800-53 r4 controls with NIST SP 800-171, a change we detailed earlier here. CyberSheath has integrated the NIST SP 800-171 requirements into our security assessment process, which already covers all NIST SP 800-53 controls, and added in-depth reporting on the DFARS-specific controls.
Of the 800-171 requirements, a handful deal specifically with privileged access. Privileged Account Management (PAM) is how an organization controls the credentials that carry administrative rights, so that those accounts stay protected. CyberArk, a PAM vendor and trusted CyberSheath partner, offers a suite of products designed to streamline privileged account provisioning while keeping the keys to the kingdom safe. The following are the top seven ways CyberArk's PAM solution can help an organization meet the SP 800-171 requirements:
7 Ways a PAM Solution Can Help You Achieve DFARS Compliance
NIST 800-171 Requirements for Access Control
NIST 800-171 3.1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
At its core, CyberArk was designed from the ground up as a comprehensive PAM solution. Its most basic function is to create generic (non-personal) privileged accounts on target systems, onboard those accounts into the CyberArk Vault, and then allow only specific users or groups to access them.
NIST 800-171 3.1.2 Limit information system access to the types of transactions and functions that authorized users are permitted to execute, and 3.1.7 Prevent non-privileged users from executing privileged functions and audit the execution of such functions.
In addition to identifying, securing, and monitoring privileged accounts, CyberArk offers a component called On-Demand Privileges Manager (OPM). With OPM, an organization can limit the commands that individual users are able to execute on Unix/Linux systems, and on Windows as well. For example, on Unix OPM replaces the sudo command with a PIMSU command: the user authenticates against their credentials in the Vault, OPM checks whether they are permitted to run the requested command, and if so grants immediate execute permission while starting a session recording and alerting a security officer about the transaction. This covers both halves of 3.1.7, the restriction of privileged functions and the audit of their execution.
NIST 800-171 3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
The basic CyberArk architecture helps address this control because access to system accounts is segregated by safes, and only designated users or groups are granted access to a given safe. In addition, CyberArk ships with an out-of-the-box account access workflow called Dual Control. Under a Dual Control policy, even a user who holds full permissions on an account must obtain confirmation from a colleague with similar access before using it. Because everyone in the group can see each request and its approval, the workflow diminishes the opportunity for collusion between rogue individuals: a single insider cannot act alone, and two who conspire leave a visible trail.
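To make the Dual Control flow concrete, here is an added example of the access-control logic in Python. It is written for this page and is not CyberArk's code: users are members of a safe, a member may request an account from that safe, a different member of the same safe must approve the request, the credential is released once to the requester, and every step is visible to all members of the safe. The safe names, user names and the placeholder secret are constructed sample data.

```python
"""Dual-control (four-eyes) checkout of a privileged account from a safe.

Rules enforced:
  * only members of a safe may request or approve its accounts
  * the requester may never approve their own request
  * the credential is released only to the requester, only after approval,
    and only once per request
  * every request, approval and checkout is recorded and readable by all
    members of the safe
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Status(Enum):
    PENDING = "pending"
    APPROVED = "approved"
    RELEASED = "released"


@dataclass
class AccessRequest:
    request_id: int
    requester: str
    safe: str
    account: str
    reason: str
    status: Status = Status.PENDING
    approver: Optional[str] = None


class DualControlVault:
    def __init__(self, safe_members: Dict[str, Set[str]],
                 secrets: Dict[Tuple[str, str], str]) -> None:
        self.safe_members = safe_members          # safe -> users allowed to use it
        self._secrets = secrets                   # (safe, account) -> credential
        self.requests: Dict[int, AccessRequest] = {}
        self._audit: List[Tuple[str, str]] = []   # (safe, message)
        self._next_id = 1

    def _require_member(self, user: str, safe: str) -> None:
        if user not in self.safe_members.get(safe, set()):
            raise PermissionError(f"{user} is not a member of safe {safe}")

    def request_access(self, user: str, safe: str, account: str, reason: str) -> int:
        self._require_member(user, safe)
        if (safe, account) not in self._secrets:
            raise KeyError(f"no account {account} in safe {safe}")
        req = AccessRequest(self._next_id, user, safe, account, reason)
        self.requests[req.request_id] = req
        self._next_id += 1
        self._audit.append((safe, f"REQUEST #{req.request_id} {user} -> {account}: {reason}"))
        return req.request_id

    def approve(self, approver: str, request_id: int) -> None:
        req = self.requests[request_id]
        if req.status is not Status.PENDING:
            raise ValueError(f"request #{request_id} is {req.status.value}, not pending")
        if approver == req.requester:
            raise PermissionError("requester cannot approve their own request")
        self._require_member(approver, req.safe)   # approver needs similar access
        req.status, req.approver = Status.APPROVED, approver
        self._audit.append((req.safe, f"APPROVE #{request_id} by {approver}"))

    def checkout(self, user: str, request_id: int) -> str:
        req = self.requests[request_id]
        if user != req.requester:
            raise PermissionError("only the requester may use an approved request")
        if req.status is not Status.APPROVED:
            raise PermissionError(f"request #{request_id} is {req.status.value}; approval required")
        req.status = Status.RELEASED                 # one-time use; re-request for another checkout
        self._audit.append((req.safe, f"CHECKOUT #{request_id} {req.account} by {user} "
                                      f"(approved by {req.approver})"))
        return self._secrets[(req.safe, req.account)]

    def audit_trail(self, viewer: str, safe: str) -> List[str]:
        """Any member of the safe can read its full request/approval history."""
        self._require_member(viewer, safe)
        return [msg for s, msg in self._audit if s == safe]


def demo() -> List[str]:
    """Constructed scenario: two Windows admins share a safe, a DBA does not."""
    vault = DualControlVault(
        safe_members={"Windows-Admins": {"alice", "bob"}, "DBA": {"carol"}},
        secrets={("Windows-Admins", "DC01\\Administrator"): "constructed-placeholder-secret"},
    )
    rid = vault.request_access("alice", "Windows-Admins", "DC01\\Administrator",
                               "CR-1234 patch install")
    for who in ("alice", "carol"):       # self-approval and outsider approval both refused
        try:
            vault.approve(who, rid)
        except PermissionError:
            pass
    vault.approve("bob", rid)            # a second member of the same safe confirms
    vault.checkout("alice", rid)         # credential released once to the requester
    return vault.audit_trail("bob", "Windows-Admins")


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The refused attempts (self-approval, approval by a non-member, checkout before approval or by someone other than the requester) are what the control buys: no single member of the safe can reach the credential without a second member knowing, and the trail that every member can read is what makes quiet collusion harder.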
NIST 800-171 3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts.
With CyberArk, least-privilege access can be enforced through safe permissions. Those permissions are also transparent and easy to audit, so an organization can confirm the control has not become lax. For example, a manager can be granted visibility into which users have accessed an account without being granted permission to use the account itself.
NIST 800-171 3.1.6 Use non-privileged accounts or roles when accessing nonsecurity functions.
CyberArk makes it easier to separate users' "daily" accounts from their privileged "secondary" accounts. In fact, the need for each administrator to hold a second, personal privileged account can be eliminated by using shared privileged accounts. Shared accounts were frowned upon under earlier access models because they destroyed attribution; when they are accessed only through CyberArk, however, full attribution is preserved, because every check-out of a shared account is tied to the individual CyberArk user who performed it. A user can safely use a non-privileged account for email and use that same account to log into CyberArk, where they check out privileged accounts as needed. In this model it is strongly recommended that the user's daily account be protected by two-factor authentication when logging into CyberArk.
NIST 800-171 Requirements for Identification and Authentication
NIST 800-171 3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
Out of the box, CyberArk supports RADIUS, RSA token, SAML, and PKI (certificate) authentication, any of which can be used to require a second factor at the CyberArk login. Enforcing multi-factor authentication there protects not just the CyberArk accounts but, in effect, all of the organization's privileged accounts: if every privileged account is vaulted in CyberArk and can only be retrieved through it, a user must complete multi-factor authentication to reach CyberArk, which extends multi-factor protection to every privileged account behind it. The benefit holds only as long as the vaulted accounts cannot also be used directly, outside CyberArk, with a static password.
NIST 800-171 3.5.4 Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts.
CyberArk's ability to automatically change passwords on individual accounts, based on policy, helps counter pass-the-hash and other credential-replay attacks. Each account on each server can have its own unique password that is changed regularly, so a password or hash captured on one host does not work on any other host and stops working on the original host at the next rotation. This keeps an attacker from moving through the organization by hopping between servers with compromised credentials. Strictly speaking, replay resistance in the sense of 3.5.4 comes from the authentication protocol itself (challenge-response, nonces, one-time authenticators); unique, frequently rotated credentials complement those mechanisms by limiting how long any captured credential remains usable.
With these seven tips, you can effectively manage privileged access within your organization while working toward DFARS compliance. Since the vast majority of APT actors use privileged accounts to traverse a network, protecting your privileged accounts is imperative. CyberSheath's engineers are well versed in fine-tuning the configuration of the Privileged Account Management suite to provide automated, monitored, and controlled elevated access. You can learn more about our approach by viewing our Privileged Access Management service area.