Aligning Security Solutions With Federal Requirements


Industry Perspective


Security for federal data must continuously improve to meet the challenges of a changing threat landscape and the requirements of evolving government regulations. Managing access and vulnerabilities are key components for both data security and regulatory compliance. As federal government agencies secure the large volumes of sensitive data that they maintain, they must continuously improve and adapt their security programs to keep up with the changing threat landscape and regulatory environment. Government IT systems must be secured from outside intruders as well as from insiders, both well-meaning and malicious. At the same time, they need to ensure that the right people have access to the data they need to do their jobs. Complicating the current climate, the federal regulatory landscape for cybersecurity is constantly evolving. Congress has updated the original FISMA — the Federal Information Security Management Act of 2002 — with the Federal Information Security Modernization Act of 2014. Each administration also publishes executive orders with new cybersecurity requirements, and the Department of Homeland Security (DHS) establishes specific requirements for regulatory compliance.

Many of the requirements for regulatory compliance are based on the 800 series of Special Publications created by the National Institute of Standards and Technology (NIST), covering every aspect of information security. These guidelines are regularly updated to reflect changes in legislation, technology and the evolving threats faced by agencies. Security solutions also change. This shifting environment makes it imperative that agencies and their vendors keep security tools aligned with both agency needs and regulatory requirements. To discuss how the public sector can do this, GovLoop partnered with BeyondTrust, a leader in privileged account management and vulnerability management solutions, for this industry perspective. In the following pages we’ll discuss how agencies must manage access controls and IT vulnerabilities while complying with all security regulations.

2 - ALIGNING SECURITY SOLUTIONS WITH FEDERAL REQUIREMENTS


Today’s Public-Sector Regulatory Landscape

The foundation of federal cybersecurity requirements for civilian executive branch agencies remains FISMA, which requires agencies to have risk-based information security programs that are regularly updated. DHS oversees compliance with the law and provides assistance to agencies when needed. A risk-based security program aligns security controls according to the level of risk to data and systems. Because it is not practical or possible to remove all risk, a certain amount remains. A characteristic of a mature cybersecurity environment is the mitigation of this remaining risk. Effective use of cybersecurity tools can help agencies with risk mitigation. FISMA does not prescribe the technology to be used for security; it lays out broad cybersecurity goals and requirements. Because the technology, missions and risks differ from agency to agency, the appropriate security solutions and controls will be different for each.

Agencies use NIST guidance in implementing the appropriate levels and types of security. At the core of this guidance is SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations.

Updating the Guidance

SP 800-53 is a catalog of security and privacy controls for federal information systems. It also lays out the process for selecting and implementing the appropriate controls to protect agency missions and information. It is now in its fourth revision, and NIST is preparing to release a fifth revision in the near future. According to NIST, some of the most significant changes agencies will find in the newest version include:

• Reducing federal focus. Although written for federal agencies, SP 800-53 also is widely used in the private sector. The more general language in the latest revision reflects this.
• Decoupling information from systems. The publication no longer refers to “information systems” as a single entity. Instead, the word “system” is used alone to make it more applicable to all system types.
• Moving controls to the main body of the document. Controls are moved from an appendix to Chapter 3 to emphasize their importance and make them easier to find.
• Integrating privacy throughout the document. Instead of keeping privacy as an afterthought in the appendix, the controls are integrated throughout this version.



Meeting Your Security and Regulatory Requirements

There are four essential steps to securing your IT environment and supporting compliance with FISMA and other security regulations:

1. Manage privileged credentials with greater discipline and enforce least privilege, eliminating administrator rights where they are not needed.
2. Isolate systems to reduce attack surfaces.
3. Improve the maturity of vulnerability management through automated patching where possible.
4. Aggregate threat intelligence from multiple sources to better prioritize risks across the environment and to identify patterns that could indicate malicious activity.

Implementing the appropriate controls cataloged in SP 800-53 is essential for mature and effective security. Ultimately, the goal of these guidelines and best practices is to mitigate risk. By putting these into practice, the guidelines also help agencies address CAP goals for FISMA compliance. Two of these controls are particularly important for securing information and preventing breaches.

The Essential Controls

Identity, Credential, and Access Management (ICAM). The purpose of ICAM is “to ensure that network users are using strong authentication to access federal IT resources and to limit users’ access to only those resources and data required to do their jobs,” said Shunta Sharod Sanders, Senior Federal Sales Engineer at BeyondTrust. This is the doctrine of “least privilege.” Agencies should use privileged account management (PAM) strategies and tools to control administrative credentials, which represent a greater threat if compromised. Agencies can mitigate the risks associated with breach and insider threats by:

• Securing and automating password management
• Controlling how credentials are accessed
• Taking advantage of auto-login, recording all administrator activity and receiving real-time alerts when privileged session activity begins

Information Security Continuous Monitoring Mitigation (ISCM). The purpose of ISCM is to combat information security threats by providing continuous awareness of information security status, vulnerabilities and threats to federal systems and information.



Characteristics of a Successful Solution

Bringing privileged account management and vulnerability management together into a unified platform gives IT and security teams a single, contextual view that allows them to address both user and asset risks. User and asset data are aggregated, correlated and analyzed to help quickly identify high-risk activities and vulnerabilities. This information can help IT security managers quickly identify and address possible malicious or unauthorized activity within their environments.

Unification gives agencies an extra step toward both FISMA compliance and a mature cybersecurity program, Sanders said. “Despite all the hard work that goes into preventative measures, there isn’t a silver bullet to meet all cyber needs, and you may still experience a breach at your agency,” he said. “Leveraging a unified approach can reduce vulnerability and instances of attack.”

A successful unified PAM and VMS solution has a number of characteristics. Agencies should look for a solution that requires little or no customization to begin working in the agency’s existing IT environment, and provides robust reporting for both technical and non-technical personnel. While IT professionals will need technical detail on the threats and risks they must address, executives can be kept abreast of security status and trends with higher-level information. These non-technical reports can provide the security metrics administrators need to demonstrate success and justify security investments.

The solution must first discover and provide detailed information on all IT assets, whether on premises or in the cloud, and be able to identify, prioritize and remediate vulnerabilities. Ideally it will support application white- and black-listing and enforce least privilege by defaulting users to standard rather than administrative privileges. Agencies should also set policies to elevate applications rather than users to administrator status, to avoid unnecessary use of privileged access.

Auditing capabilities, including the ability to capture keystrokes and session management activity, are necessary to document security status and regulatory compliance and, should the unthinkable happen, to support forensics. A flexible deployment model will allow the solution to be deployed in all environments, including physical, virtual and software-based. Security best practices, including use of two-factor authentication and civilian agencies’ Personal Identity Verification (PIV) card and the military’s Common Access Card (CAC), must be supported.
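The policy described above, in which users default to standard privilege, applications rather than users are elevated, launches are checked against an application white-list and black-list, and every decision is recorded for audit, can be expressed as a small policy evaluator. The following is an added example written for this page, not BeyondTrust or GovLoop code and not how any particular product implements the policy. The executable paths, the approved build contents (and therefore their hashes), the black-listed path and the in-memory audit log are all constructed assumptions; a real deployment would take approved hashes from a signed software inventory and write the audit records to a tamper-evident store.

```python
"""Added example (not BeyondTrust or GovLoop code): an application-elevation
policy that keeps users at standard privilege and elevates only allow-listed
executables whose hash matches the approved build, recording every decision."""
import hashlib
from datetime import datetime, timezone

# Constructed allow-list. The approved "build" bytes are made up so the example
# runs offline; in practice the hashes come from a signed software inventory.
APPROVED_BUILDS = {
    "/opt/agency/bin/patch-agent": b"patch-agent build 1.4 (constructed)",
    "/usr/local/bin/printer-setup": b"printer-setup build 3.0 (constructed)",
}
ELEVATION_ALLOWLIST = {path: hashlib.sha256(blob).hexdigest()
                       for path, blob in APPROVED_BUILDS.items()}

# Constructed black-list of applications that must never run, elevated or not.
DENYLIST = {"/usr/local/bin/legacy-remote-shell"}

AUDIT_LOG = []  # in-memory stand-in for the auditing backend


def sha256_of(blob: bytes) -> str:
    """Hash of the executable contents presented at launch time."""
    return hashlib.sha256(blob).hexdigest()


def decide(user, path, blob):
    """Evaluate one launch request. The user is always treated as a standard
    user; the only thing that can be elevated is an approved application, and
    only when its hash matches the approved build. Returns (decision, reason)
    and appends an audit record whatever the outcome."""
    digest = sha256_of(blob)
    if path in DENYLIST:
        decision, reason = "deny", "application is black-listed"
    elif path not in ELEVATION_ALLOWLIST:
        decision, reason = "run_as_standard", "not allow-listed for elevation; runs with standard rights"
    elif digest != ELEVATION_ALLOWLIST[path]:
        decision, reason = "deny", "hash does not match approved build"
    else:
        decision, reason = "elevate_application", "approved build; process elevated, user stays standard"
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "path": path,
        "sha256": digest,
        "decision": decision,
        "reason": reason,
    })
    return decision, reason


def audit_records_for(user):
    """All decisions recorded for one user, as an auditor or forensic reviewer
    would pull them after an incident."""
    return [r for r in AUDIT_LOG if r["user"] == user]


if __name__ == "__main__":
    print(decide("alice", "/opt/agency/bin/patch-agent", APPROVED_BUILDS["/opt/agency/bin/patch-agent"]))
    print(decide("alice", "/opt/agency/bin/patch-agent", b"modified copy"))
    print(decide("bob", "/home/bob/tool", b"unlisted tool"))
    print(decide("bob", "/usr/local/bin/legacy-remote-shell", b"anything"))
    for record in audit_records_for("alice"):
        print(record)
```

The point of hashing the presented binary rather than trusting the path alone is that an approved path can be overwritten; with the hash check, a modified copy at the allow-listed path is denied rather than elevated, while an unlisted tool simply runs with the user’s ordinary rights.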

The BeyondTrust Solution

BeyondTrust helps organizations identify and remediate vulnerabilities that can be targeted by outside attackers, and mitigate the risks of users misusing privileges. The PowerBroker PAM solution mitigates insider threats through granular password and access privilege management. BeyondTrust PowerBroker provides federal agencies with the complete spectrum of privileged access management solutions, from establishing and enforcing least privilege on endpoints and servers to securing enterprise credentials. The PowerBroker suite of privileged account management solutions unifies best-of-breed capabilities into a single, integrated platform that acts as a central policy manager and primary reporting interface.

PowerBroker solutions are unified by the BeyondInsight platform. BeyondInsight not only provides centralized management, reporting and analytics, but also facilitates interoperability between point solutions. The BeyondInsight console aggregates privileged account information and provides rich analytics and reporting to mitigate risk. It includes Retina, the vulnerability management solution, which delivers a holistic view of user and asset risks based on applications’ known vulnerabilities, their age, potential risk and impact on compliance. BeyondInsight provides comprehensive visibility and control over account privileges in complex agency environments. It reduces the risk and minimizes the impact of internal and external threats by giving IT and security teams powerful discovery and analytics capabilities. The console enables centralized alert and search functionality, aggregating privileged account information into a data warehouse. Rich analytics and reporting capabilities help to mitigate risk and document regulatory compliance.

Leveraging vulnerability data from BeyondTrust’s Retina and other integrated solutions provides an agency with a complete picture of system and asset security, for cloud environments and virtual assets as well as the network. This zero-gap coverage reduces risk by ensuring that no assets are left unprotected. With the assurance that all assets are secure, agencies are free to take advantage of a modular approach to IT systems.



Conclusion

Federal agencies operate in a constantly changing cybersecurity threat landscape and regulatory environment, and their security solutions must be aligned with changing needs. But within this changing environment, there are best practices that remain constant. Controlling and monitoring privileged access and continuous vulnerability management are necessary to mitigate the risks of data breaches posed both by insiders and outside attackers, as well as to meet regulatory requirements. Security and IT teams must walk a fine line between ensuring the security of the agency’s critical data and not impeding day-to-day responsibilities, by enabling the right access to data and systems for legitimate users. A legacy model of tools deployed and managed in silos is expensive, difficult to manage and leaves gaps in coverage. Adoption of the best practices needed for security, productivity and regulatory compliance requires a unified solution that integrates with the agency’s infrastructure. The BeyondTrust PowerBroker family of solutions delivers a complete spectrum of privileged access management to meet federal cybersecurity requirements. From establishing and enforcing least privilege on endpoints and servers to securing enterprise credentials, PowerBroker unifies best-of-breed capabilities into a single, integrated platform that becomes the agency’s central policy manager and primary reporting interface.

“Despite all the hard work that goes into preventative measures, there isn’t a silver bullet to meet all cyber needs, and you may still experience a breach at your agency. Leveraging a unified approach can reduce vulnerability and instances of attack.”

Shunta Sharod Sanders, Senior Federal Sales Engineer, BeyondTrust


About BeyondTrust

BeyondTrust® is a global security company that believes preventing data breaches requires the right visibility to enable control over internal and external risks. We give you the visibility to confidently reduce risks and the control to take proactive, informed action against data breach threats. Because threats can come from anywhere, we built a platform that unifies the most effective technologies for addressing both internal and external risk: privileged access management and vulnerability management. Our solutions grow with your needs, making sure you maintain control no matter where your organization goes. BeyondTrust's security solutions are trusted by more than 4,000 customers worldwide, including more than half of the Fortune 100. To learn more about BeyondTrust, please visit www.beyondtrust.com.

About GovLoop

GovLoop’s mission is to “connect government to improve government.” We aim to inspire public-sector professionals by serving as the knowledge network for government. GovLoop connects more than 250,000 members, fostering cross-government collaboration, solving common problems and advancing government careers. GovLoop is headquartered in Washington, D.C., with a team of dedicated professionals who share a commitment to connect and improve government. For more information about this report, please reach out to info@govloop.com.



1152 15th Street NW, Suite 800 Washington, DC 20005 Phone: (202) 407-7421 | Fax: (202) 407-7501 www.govloop.com @GovLoop


