Comply with FISMA Controls Requiring Privileged Access Security
With the passage of the Federal Information Systems Management Act (FISMA) in 2002, federal IT security managers — and the vendors and consultants who work for them — have been tasked with addressing loose practices around identification, access control, privilege management, accountability and auditing in particular.
Federal IT security managers face increasingly complex challenges in securing and managing information systems that span Windows, UNIX and Linux platforms. While Active Directory serves as the single, central hub for managing Windows workstations and servers, many Linux and UNIX deployments have evolved in their own silos, each managed through separate identity stores and administrative processes. A growing number of Mac workstations are also entering the mix, introducing another layer of complexity. In addition, access to these diverse systems must be managed across a workforce that contains a mix of permanent and temporary employees, vendors and contractors.
The National Institute of Standards and Technology (NIST) has issued Special Publication 800-53 to provide guidance on complying with FISMA. While NIST SP 800-53 divides FISMA compliance into a wide range of issues, from physical security to training to IT auditing, four of its 17 sections are of specific interest to federal IT security managers.
At a high level, however, the most essential requirements are to:
- Establish accountability by uniquely identifying each individual and linking their access rights, permissions, and audited activity to a single user identity.
- Enforce a separation of duties between enterprise IT managers, who administer user identities and set policy, and departmental staff, who administer systems.
- Apply role-based access controls and permission management on a least-privilege basis, giving each user access only to the systems and functions needed to perform their jobs.
- Audit user activity, capturing sufficient detail to establish what events occurred, who performed them, and the outcome.
- In addition, the Office of Management and Budget continues to push federal IT departments toward commercial off-the-shelf (COTS) procurement in order to reduce costs, promote standardization, and eliminate standalone solutions.
Centrify Server Suite for FISMA simplifies and streamlines your IT infrastructure by centralizing identity and access management for Linux, UNIX and Mac systems and applications within Microsoft Active Directory. Centrify does this by leveraging your existing identity infrastructure, tools, processes and skillsets. Centrify facilitates rapid and secure compliance measures to address key FISMA requirements on Windows, UNIX and Linux systems. Centrify Identity Service ensures that users are individually identifiable and accountable for access to shared apps.
- Ensure accountability by consolidating accounts, access rights, permissions, and audited activity to a single, centrally managed user identity.
- Enforce separation of duties and "need to know" access control by using Centrify's unique Zone-based access controls to define logical sets of systems that can have their own authorized users, administrators, and security policies.
- Implement least-privilege security by centrally managing role-based permissions for privileged access on Windows, UNIX, and Linux.
- Add additional layers of security for classified information by isolating and protecting systems holding sensitive information, and encrypt data in motion as it moves across the network.
- Capture detailed audit logs and user session recordings across Windows, UNIX and Linux systems to verify that access controls are working as designed and to monitor for suspicious activity.