Inevitably, if you work anywhere in the Federal space, you have had some involvement with the process of getting an IT system accredited for use. The names and processes have changed slightly over the years, and the governance depends on what agency you support. While NIST SP 800-37, “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach,” is now largely adopted across the board, we have used a variety of security controls and processes over the years -- NIST SP 800-53 (multiple revisions), DISA STIGs, DITSCAP/DIACAP/DIARMF, ICD 503 (DCID 6/3), etc. Throughout them all, the process is fairly consistent -- determine the confidentiality/integrity/availability (CIA) requirements of the system, identify which controls are applicable and test for their implementation, determine outstanding risk, gain an authority to operate (ATO), and then maintain the system operationally at the risk level that was accepted, through continuous monitoring.
The basic security concepts are always the same, and, depending on the system itself, the security controls are not always easily implemented or even possible. Vendor products sometimes operate as “appliances” and claim not to support certain features, or systems are described as custom or as having a “unique mission.” Some of the more difficult requirements to implement are highlighted below.
The concept of “least privilege” is simple -- avoid providing privileges in excess of what is required to accomplish expected/assigned tasks. Centrify eliminates the problem of assigning excessive administrative privileges simply to accomplish specific tasks. Through granular enforcement of a least-privilege access model, users can be assigned specific access rights that amount to the least possible privilege without negatively impacting functionality. Privileges are assigned to roles that map to Active Directory users and groups, effectively minimizing the operational overhead associated with administration while maximizing the ability to control access of individuals granularly.
While the use of shared accounts is generally accepted to be poor practice due to the lack of accountability, certain superuser accounts are inherent to operating systems. The “root” account, for example, is generally accepted as a necessary “break-glass” account that needs to remain on Unix/Linux systems and is used in certain operational activities like upgrades. The risks associated with these accounts, however, are endless; they are accepted only because the available controls are limited. With Centrify, organizations are able to provide specific, necessary and appropriate administrative access to users and then restrict the escalation of privileges to “root,” which enforces accountability. Organizations can also prevent users from knowing the password for shared accounts by allowing Centrify to manage the password with the necessary complexity and either automatically escalating privilege to root without the user ever learning the password, or sharing a one-time-use password (OTP) that Centrify changes upon expiration of the approved usage.
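The two ideas in the preceding paragraphs, task-scoped rights attached to roles that map to directory groups, and a shared-account password that is issued once per approval and rotated when the approved window ends, are shown below in a small model. This is an added example, not Centrify's code or API; every role name, group distinguished name, command pattern and user is constructed for illustration, and time is modelled as integer seconds so the checkout window can be tested deterministically.

```python
"""Least-privilege role evaluation and a one-time 'break-glass' checkout.

Added illustration (not Centrify's implementation). Rights are attached
to roles, roles are mapped to directory groups, and the shared account's
password is handed out at most once per approved checkout and rotated
once the approved window has passed. All names below are constructed.
"""
import fnmatch
import secrets
import string
from typing import Optional

# Constructed role catalogue: glob patterns of commands each role may run
# with elevated privilege. "unix-admin" is deliberately broad to show the
# contrast with task-scoped roles such as "web-admin".
ROLES = {
    "web-admin": ["/bin/systemctl restart nginx", "/usr/sbin/nginx -t"],
    "backup-operator": ["/usr/bin/rsync *"],
    "unix-admin": ["*"],
}

# Constructed mapping of directory groups (AD distinguished names) to roles.
GROUP_ROLES = {
    "CN=WebOps,OU=Groups,DC=example,DC=gov": ["web-admin"],
    "CN=Backups,OU=Groups,DC=example,DC=gov": ["backup-operator"],
    "CN=UnixAdmins,OU=Groups,DC=example,DC=gov": ["unix-admin"],
}


def roles_for(groups):
    """Roles a user holds through directory group membership."""
    roles = set()
    for group in groups:
        roles.update(GROUP_ROLES.get(group, []))
    return roles


def authorized(groups, command):
    """Return the role that permits `command`, or None if no held role does."""
    for role in sorted(roles_for(groups)):
        if any(fnmatch.fnmatchcase(command, p) for p in ROLES[role]):
            return role
    return None


_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def new_password(length=24):
    """Random password from a cryptographically secure source."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


class BreakGlassVault:
    """Manages a shared account's password: issued once per approved
    checkout, never shown again, rotated after the window expires.
    Times are integer seconds (constructed clock) for easy testing."""

    def __init__(self, account="root", window_seconds=1800):
        self.account = account
        self.window_seconds = window_seconds
        self._password = new_password()
        self._issued_to: Optional[str] = None
        self._expires: Optional[int] = None
        self.rotations = 0

    def checkout(self, user, approved, now):
        """Hand out the password once. Refuses without an approval and
        while another checkout is still active."""
        self.expire(now)  # rotate first if an earlier window already lapsed
        if not approved:
            raise PermissionError(f"{user}: checkout of {self.account} not approved")
        if self._issued_to is not None:
            raise PermissionError(f"{self.account} already checked out to {self._issued_to}")
        self._issued_to, self._expires = user, now + self.window_seconds
        return self._password  # an audit record of (user, now) belongs here

    def expire(self, now):
        """Rotate the password once the approved window has passed.
        Returns True if a rotation happened."""
        if self._issued_to is not None and now >= self._expires:
            self._password = new_password()
            self._issued_to = self._expires = None
            self.rotations += 1
            return True
        return False

    def is_current(self, candidate):
        """Constant-time check whether `candidate` is still the live password."""
        return secrets.compare_digest(candidate, self._password)


if __name__ == "__main__":
    webops = ["CN=WebOps,OU=Groups,DC=example,DC=gov"]
    print(authorized(webops, "/bin/systemctl restart nginx"))  # web-admin
    print(authorized(webops, "/bin/bash"))                      # None
    vault = BreakGlassVault()
    pw = vault.checkout("alice", approved=True, now=1000)
    vault.expire(1000 + 1801)
    print(vault.is_current(pw))                                 # False
```

The point of the contrast between `web-admin` and `unix-admin` is that the first grants exactly the commands the task needs while the second is the "just give them sudo ALL" pattern the post argues against; the vault shows why a shared password that is issued once and rotated on expiry leaves a single accountable user for every use of the break-glass account.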
In the post-Snowden era, auditing has gained even greater visibility and become a more stringent requirement for gaining an ATO in many environments. Centrify provides the capability to record all privileged user activity based on audit policies and delivers a comprehensive picture of intentions and impacts. The auditing follows the user across context changes, so it details commands executed after escalating privileges to root with clear, concise and obvious accountability to the user who initiated the privilege escalation. Furthermore, it allows for policy-based command and file-manipulation auditing that is centrally administered but host-enforced, thus limiting the ability to circumvent other external auditing mechanisms.
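What "accountability that survives privilege escalation" means in practice is easiest to see on log data. The script below is an added example, not Centrify's product or its log format: it runs over a few constructed syslog-style lines, sudo command records plus simplified auditd-style records in which `uid` is the effective user and `auid` is the login uid that auditd carries across su/sudo, and attributes every root-level action back to the human who started it, listing separately any root activity with no login uid (auditd records this as 4294967295) that nobody can be held to. The uid-to-account table stands in for what an identity bridge would supply and is constructed.

```python
"""Attribute root activity to the initiating user across privilege escalation.

Added example (not Centrify code). Input is constructed: sudo syslog
lines and simplified auditd-style records. In auditd records, uid is the
effective user and auid is the login uid, which survives su/sudo; the
value 4294967295 means no login uid was ever set for that session.
"""
import re
from collections import defaultdict

# Constructed sample log. The last audit line is root activity with no
# login uid; the last sudo line touches the audit log directory.
SAMPLE_LOG = """\
Jun  3 10:01:02 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su -
Jun  3 10:01:10 host1 audit: type=SYSCALL uid=0 auid=1001 tty=pts/0 comm="useradd" exe="/usr/sbin/useradd"
Jun  3 10:01:15 host1 audit: type=SYSCALL uid=0 auid=1001 tty=pts/0 comm="vi" exe="/usr/bin/vi"
Jun  3 10:05:20 host1 audit: type=SYSCALL uid=0 auid=4294967295 tty=pts/2 comm="passwd" exe="/usr/bin/passwd"
Jun  3 10:06:00 host1 sudo:      bob : TTY=pts/3 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/rm -rf /var/log/audit
"""

# Constructed uid-to-account mapping, as an identity bridge would provide.
UID_TO_USER = {1001: "alice", 1002: "bob"}
AUID_UNSET = 4294967295  # auditd's marker for "no login uid recorded"

SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)
AUDIT_RE = re.compile(
    r'audit: .*?uid=(?P<uid>\d+) auid=(?P<auid>\d+) .*?exe="(?P<exe>[^"]+)"'
)

# Paths whose manipulation by a privileged user should be reviewed because
# they govern the auditing itself (constructed list for the example).
SENSITIVE = ("/var/log/audit", "/etc/sudoers", "/etc/pam.d")


def attribute(log_text):
    """Return (attributed, unattributed).

    attributed:   {initiating user: [root-level actions]}
    unattributed: raw lines of root activity with no accountable login uid
    """
    attributed = defaultdict(list)
    unattributed = []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if m:
            attributed[m["user"]].append(f"sudo {m['target']}: {m['cmd']}")
            continue
        m = AUDIT_RE.search(line)
        if m and int(m["uid"]) == 0:
            auid = int(m["auid"])
            if auid == AUID_UNSET or auid not in UID_TO_USER:
                unattributed.append(line)
            else:
                attributed[UID_TO_USER[auid]].append(f"as root: {m['exe']}")
    return dict(attributed), unattributed


def flag_audit_tampering(attributed):
    """Privileged actions that touch audit or privilege configuration,
    keyed by the accountable user."""
    flagged = {}
    for user, actions in attributed.items():
        hits = [a for a in actions if any(p in a for p in SENSITIVE)]
        if hits:
            flagged[user] = hits
    return flagged


if __name__ == "__main__":
    attributed, unattributed = attribute(SAMPLE_LOG)
    for user, actions in attributed.items():
        print(user)
        for action in actions:
            print("   ", action)
    print("unattributed root activity:", len(unattributed))
    print("audit tampering:", flag_audit_tampering(attributed))
```

Two things the sample shows that a sudo log alone would not: the `useradd` and `vi` executions happen as uid 0 inside alice's `su -` session, yet the login uid still ties them to alice; and the `passwd` run on pts/2 has no login uid at all, which is exactly the gap a host-enforced, identity-aware audit trail is meant to close.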
In order to attain an ATO for a system to operate, agencies must implement the necessary security controls to reduce risk to an acceptable level. Using Centrify to help manage identities, user access and authorization, and to provide comprehensive auditing mitigates the system weaknesses that can reduce the chances of attaining an ATO. These capabilities are the ones that certifiers and authorizing officials may be most interested in using to meet information assurance compliance in the Federal space.
Learn more best practices for privileged identity management in the modern enterprise here.
This is written by the individual author in his/her personal capacity, and the opinions, views and/or thoughts expressed herein are solely the author’s own. They are not intended to and may not necessarily reflect the official policy or position, or the opinions or views of ThycoticCentrify or its affiliates, employees, or any other group or individual.