Part Two: In-Depth Look at PAM Controls for DFARS Requirements

Last week CyberSheath began a new series, “In-Depth Look at PAM Controls for DFARS Requirements”, dedicated to providing a detailed analysis on how privileged account management solutions play an important role for organizations in meeting DFARS requirements.

In the series’ first post we detailed control 3.1.1, one of the eight NIST 800-171 requirements that Privileged Account Management solutions offer well-fitting controls for; these NIST requirements include:

  1. NIST 800-171 3.1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
  2. NIST 800-171 3.1.2 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
  3. NIST 800-171 3.1.7 Prevent non-privileged users from executing privileged functions and audit the execution of such functions.
  4. NIST 800-171 3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
  5. NIST 800-171 3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts.
  6. NIST 800-171 3.1.6 Use non-privileged accounts or roles when accessing nonsecurity functions.
  7. NIST 800-171 3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
  8. NIST 800-171 3.5.4 Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts.

The second of these eight NIST 800-171 controls, 3.1.2, is to “limit information system access to the types of transactions and functions that authorized users are permitted to execute”. In layman’s terms, only give access to those that have permission or approval for specific task or purpose. The reason for this control is to ensure that users only access information systems for the specific tasks and functions they are supposed to execute and prevent them from completing transactions or functions they shouldn’t be doing.

Most Privileged Account Management solutions will offer a form of account vaulting that allows organizations to partition account access based on the need-to-know and least privileged access model. For example, with CyberArk, companies can organize safes by the various functional and transactional requirements of the accounts stored in them. An organization could create a safe called “North-America-Unix-Local” which would be used to store accounts for the Unix team based out of North America, and the company’s administrators in Europe wouldn’t be granted access.

 

While the basic privileged account vaulting model could potentially meet the NIST 800-171 3.1.3 requirement, CyberArk provides two additional solutions to ensure that Federal contracting companies can meet and exceed the NIST 800-171 3.1.3 requirement; the On-Demand Privileges Manager (OPM) for UNIX and Viewfinity for Windows. Both of these products enforce a least-privilege access methodology at the operating system level and allow escalation of privileges for approved actions.

On-Demand Privileges Manager (OPM):

OPM allows organizations to define a policy (a set of rules) that dictate what commands users can or can’t run when connected to a UNIX server. When an end-user connects to a UNIX server with OPM installed, they execute a privilege elevation tool called PIMSU (Privileged Identity Management Switch User, similar to SUDO). The elevation tool will validate that the user logged in as has permissions to perform the elevated task and store a recording of all the elevated commands they execute during the session. This set of rules can be configured to allow or deny various commands that are defined as “privileged”.

For example, there are two contractors that both need access to a UNIX device that contains Covered Defense Information, and both need elevated privileges to complete unique tasks, two different policies can be created for each user that allow or prevent them from executing certain commands. This ensures that the information system access is limited to the transactions and functions a user is permitted to execute.

Viewfinity for Windows:

The Viewfinity application for Windows works in a similar way to OPM for UNIX. Viewfinity allows organizations to remove users’ local admin privileges on endpoints and servers. Like in OPM, organizations can granularly define trusted actions for applications, scripts, and commands which are managed on role-based access. This means that those same two contractors that need access to a Windows device containing Covered Defense Information can both elevate their privileges to run applications when necessary, but also ensure that they are allowed to execute those functions (or deny them).

CyberSheath’s implementation engineers and security consultants are leaders in both DFARS and privileged account management. Download our security assessment datasheet to learn more about how CyberSheath can help enable your organization to meet DFARS requirements. Subscribe to our email updates to stay up to date with our DFARS series.