Complying with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53
An Assessment of Cyber-Ark's Solutions
September 2011

Table of Contents
EXECUTIVE SUMMARY
CYBER-ARK SOLUTION OVERVIEW
ADDRESSING NIST SP 800-53 RECOMMENDATIONS
CONCLUSION

The information provided in this document is the sole property of Cyber-Ark Software Ltd. No part of this document may be reproduced, stored or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission from Cyber-Ark Software Ltd. Copyright 2000-2011 by Cyber-Ark Software Ltd. All rights reserved.

EXECUTIVE SUMMARY

The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 provides the recommended security controls for federal information systems and organizations. Cyber-Ark offers three solution suites that help agencies implement the necessary controls within NIST SP 800-53 to achieve FISMA compliance:

- Privileged Identity Management (PIM) Suite: comprehensive lifecycle management for privileged, shared and application accounts across the datacenter.
- Privileged Session Management (PSM) Suite: isolates, controls and monitors privileged sessions on servers, databases or virtual environments, providing a pre-integrated solution with PIM.
- Sensitive Information Management (SIM) Suite: manages and protects sensitive information, whether it is shared within the organization or sent to external parties.

Cyber-Ark's solutions offer a preventative approach by introducing the necessary security controls to protect the organization's assets.

Privileged users are abundant in the enterprise environment. They can be categorized into the following four classes:

- Generic, shared or non-personal administrative accounts, which exist in virtually every network device, operating system, database or software application. These accounts hold "super user" privileges and are often shared anonymously among IT staff with no proper accountability. Examples: the Windows Administrator user, the UNIX root user and the Oracle SYS account.
- Personal privileged accounts: the powerful accounts used by business users and IT personnel. These accounts have a high level of privileges, and their use (or misuse) can significantly affect the organization's business. Examples: the CFO's user or a DBA account.
- Application accounts, which are used by applications to access databases and other applications. These accounts typically have broad access rights to the underlying business information in databases.
- Emergency accounts, used by the organization when elevated privileges are required to fix urgent problems, such as in cases of business continuity or disaster recovery. Access to these accounts frequently requires managerial approval. They are often called fire-call IDs, break-glass users, etc.

The main NIST SP 800-53 control families addressed by Cyber-Ark include:

Access Control

The "Access Control" family is the foundation for the management of users and accounts. It addresses issues of account creation and assignment (e.g. who should be given an account?), as well as when and how accounts and privileges should be used. It therefore contains many guidelines regarding the special care and attention that must be given to privileged accounts and their elevated access rights, as well as to access to sensitive information stored in the organization's information systems.

"Users requiring administrative privileges on information system accounts receive additional scrutiny by organizational officials responsible for approving such accounts and privileged access." Cyber-Ark's PIM suite provides an organization with a comprehensive solution for privileged account lifecycle management, from discovering and securing the accounts to enforcing policies and auditing their use. Complementing the PIM suite, PSM gives organizations better control over privileged sessions: who can initiate sessions and for how long, privileged single sign-on to sessions without divulging privileged credentials (e.g. to third parties that must access your network), and continuous monitoring of activity throughout the session.

Achieve NIST 800-53 compliance using pre-defined policies and workflows.

As to access to sensitive information, the Access Control family specifies Access Enforcement, Information Flow Enforcement and other controls that prescribe how information should be controlled, encrypted, accessed, shared and so on. Cyber-Ark's SIM suite provides a complete solution for storing and sharing sensitive information, whether inside the organization or with other entities.

Cyber-Ark addresses and even exceeds the baseline requirements for Account Management, Access Enforcement, Separation of Duties, Concurrent Session Control, Session Lock and others. Cyber-Ark's products emphasize the least privilege principle by providing granular access control and effectively restricting privileged access throughout the organization.

Audit and Accountability

The "Audit and Accountability" family ensures that the information required for auditing and, if necessary, reconstructing the chain of events is available on demand. Both for access to sensitive information and for privileged actions, accountability cannot be achieved if anonymous access is used. That is why control "Content of Audit Records" (AU-3) lists the required data for each audit log record and states that "the information system produces audit records that contain sufficient information to, at a minimum, establish (the) identity of any user/subject associated with the event". Cyber-Ark supports this requirement by extensively documenting every event in the system, be it access to stored information (in the case of the SIM Suite) or use of a privileged password (for the PIM Suite), attributing each activity to an individual for full accountability.

All Cyber-Ark logs are time-stamped, cryptographically protected and stored in a tamper-proof vault, referenced to a specific user in the system and retained for as long as the organization requires. Cyber-Ark products can also generate alerts on specific occurrences and connect to organizational SIEM products, such as ArcSight, by sending CEF-compliant syslog events.

Identification and Authentication

Control "IA-2 Identification and Authentication (Organizational Users)" is the main control in this family and is a prerequisite for effective access control and audit. The control asserts that "The information system uniquely identifies and authenticates organizational users". This is especially pertinent to privileged and shared accounts, which are shared among IT staff, diminishing accountability and exposing vulnerabilities through widespread password knowledge. Control "IA-5 Authenticator Management" is concerned with the management and use of authenticators, mainly passwords, in the organization. The control provides many requirements for password management, such as ensuring their strength, defining their lifetime, refreshing/changing them periodically, protecting them, and managing their revocation. These requirements apply to all types of accounts, as specified in AC-2: "individual, group, system, application, guest/anonymous, and temporary". Often, knowing where these accounts exist is itself a challenge. Cyber-Ark's auto-discovery capabilities identify where these accounts exist, whether on servers or in virtual environments, and continue to manage them throughout their lifecycle.

Cyber-Ark's PIM and PSM suites enable an organization to securely provide its users and applications with the exact privileges they need in order to complete their role.

Control Enhancement IA-5 (7) addresses the key problem of hard-coded, cleartext passwords in applications by requiring that "The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys". Cyber-Ark's Application Identity Manager, part of the PIM suite, uniquely addresses this area by eliminating hard-coded passwords and periodically replacing them with no system downtime, with enhanced secure authentication and a secure cache mechanism in the event of a network outage.

This document provides an overview of the solution suites offered by Cyber-Ark and demonstrates how these solutions address the recommendations of NIST SP 800-53.
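As an added illustration of what IA-5 (7) asks an assessor to look for, the following Python script (written for this page; it is not Cyber-Ark's AIM code or any part of its product) scans a set of constructed script and configuration files for static authenticators assigned in cleartext, while letting runtime lookups and template placeholders through. The file contents, the keyword list and the placeholder heuristics are this example's assumptions; a real sweep would walk a repository or host on disk and feed confirmed findings into the vault onboarding process.

```python
"""Flag unencrypted static authenticators embedded in scripts and config files.

Added example for the IA-5 (7) discussion; not Cyber-Ark code. File contents,
keyword list and placeholder heuristics are assumptions of this example.
"""
import math
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Constructed sample files standing in for a repository checkout.
SAMPLE_FILES: Dict[str, str] = {
    "backup.sh": (
        "#!/bin/sh\n"
        "export PGPASSWORD='Sup3rS3cret!'\n"
        "pg_dump -U app prod > /backup/prod.sql\n"
    ),
    "app.properties": (
        "db.url=jdbc:oracle:thin:@db1:1521/PROD\n"
        "db.user=SYS\n"
        "db.password=oracle123\n"
        "api.token=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\n"
    ),
    "deploy.py": (
        "import os\n"
        "DB_PASSWORD = os.environ['DB_PASSWORD']  # supplied at runtime, not embedded\n"
        "API_KEY = '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08'\n"
    ),
    "README.txt": "Example placeholder: password=<your-password>\n",
}

# Identifier fragments that usually name an authenticator. This is a heuristic:
# it will also hit names such as "bypass" or "tokenizer", so review findings.
KEY_RE = (r"(?P<key>[A-Za-z0-9_.-]*"
          r"(?:pass(?:word|wd)?|pwd|secret|token|api[_-]?key)"
          r"[A-Za-z0-9_.-]*)")
ASSIGN_RE = re.compile(
    KEY_RE + r"""\s*[:=]\s*(?:'(?P<sq>[^']*)'|"(?P<dq>[^"]*)"|(?P<bare>[^\s'"#]+))""",
    re.IGNORECASE,
)

# Values that are templates or runtime lookups rather than embedded secrets.
PLACEHOLDER_PREFIXES = ("<", "$", "{{", "%", "os.environ", "os.getenv", "getenv(", "ENV[")
PLACEHOLDER_WORDS = {"changeme", "xxx", "***", "none", "null", "todo", "password"}


class Finding(NamedTuple):
    path: str
    line: int
    key: str
    value: str
    entropy: float  # bits per character; low values suggest a human-chosen password


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_placeholder(value: str) -> bool:
    v = value.strip()
    return (not v
            or v.startswith(PLACEHOLDER_PREFIXES)
            or v.lower() in PLACEHOLDER_WORDS)


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one Finding per line that assigns a literal to an authenticator-like key."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith(("#", "//", ";")):   # comment-only lines
            continue
        m = ASSIGN_RE.search(line)
        if not m:
            continue
        value = m.group("sq") or m.group("dq") or m.group("bare") or ""
        if is_placeholder(value):
            continue
        findings.append(Finding(path, lineno, m.group("key"), value,
                                round(shannon_entropy(value), 2)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}  {f.key} = {f.value!r}  (entropy {f.entropy})")
```

Run against the constructed files it reports the shell export, the two properties entries and the Python API key, and ignores the environment lookup and the README placeholder. The entropy column is a triage aid only: a low score usually means a human-chosen password, a high score a generated key, and both are IA-5 (7) findings.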
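To make the AU-3 discussion above concrete, the following Python example (added here; not taken from Cyber-Ark's product or documentation) builds a CEF record for a constructed privileged-password-retrieval event carrying the items AU-3 requires (type of event, when, where, source, outcome and user identity), applies the CEF escaping rules a SIEM such as ArcSight expects, parses the record back, and checks that the AU-3 minimum content is present. The vendor/product/signature values and the mapping from AU-3 items to CEF extension keys (rt, suser, src, dhost, act, outcome) are this example's assumptions, not Cyber-Ark's actual event schema.

```python
"""Build, parse and sanity-check CEF audit events (AU-3 minimum content).

Added example for the Audit and Accountability discussion; not Cyber-Ark code.
Header values and the AU-3 -> CEF key mapping are assumptions of this example.
"""
import re
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# AU-3 asks each record to establish: type of event, when, where, source,
# outcome, and the identity of the user/subject. The CEF keys chosen here are
# standard extension keys, but the mapping itself is this example's choice.
AU3_REQUIRED: Dict[str, str] = {
    "type": "act", "when": "rt", "where": "dhost",
    "source": "src", "outcome": "outcome", "identity": "suser",
}


def _esc_header(v: str) -> str:
    # Header fields: backslash and pipe are escaped.
    return v.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(v: str) -> str:
    # Extension values: backslash, equals sign and line breaks are escaped.
    return (v.replace("\\", "\\\\").replace("=", "\\=")
             .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(vendor: str, product: str, version: str, sig_id: str,
           name: str, severity: int, ext: Dict[str, str]) -> str:
    """Render CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value ..."""
    header = "|".join(_esc_header(x) for x in (vendor, product, version, sig_id, name, str(severity)))
    body = " ".join(f"{k}={_esc_ext(v)}" for k, v in ext.items())
    return f"CEF:0|{header}|{body}"


_HEADER_FIELD = re.compile(r"((?:\\.|[^|\\])*)\|")
# An extension value runs until the next " key=" whose "=" is not escaped.
_EXT_PAIR = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s\w+=|$)", re.S)


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), s, flags=re.S)


def parse_cef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split a CEF line into (header dict, extension dict), undoing the escaping."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    pos, fields = 4, []
    for _ in range(7):  # version, vendor, product, device version, sig id, name, severity
        m = _HEADER_FIELD.match(line, pos)
        if not m:
            raise ValueError("truncated CEF header")
        fields.append(_unescape(m.group(1)))
        pos = m.end()
    names = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
    ext = {m.group(1): _unescape(m.group(2)) for m in _EXT_PAIR.finditer(line[pos:])}
    return dict(zip(names, fields)), ext


def au3_missing(ext: Dict[str, str]) -> List[str]:
    """AU-3 items the record does not establish (empty list means complete)."""
    return [item for item, key in AU3_REQUIRED.items() if not ext.get(key)]


def example_event() -> str:
    """Constructed privileged-password-retrieval event (illustrative values only)."""
    when = datetime(2011, 9, 14, 8, 30, tzinfo=timezone.utc)
    ext = {
        "rt": str(int(when.timestamp() * 1000)),   # receipt time, ms since epoch
        "suser": "jdoe",                            # the person who retrieved the password
        "src": "10.1.2.3",                          # where the request came from
        "dhost": "db1.example.gov",                 # system the privileged account belongs to
        "duser": "SYS",                             # the shared privileged account itself
        "act": "Retrieve password",                 # event type
        "outcome": "success",
        "msg": "Reason: ticket INC=12345 | emergency change",
    }
    return to_cef("ExampleCo", "PasswordVault", "1.0", "101", "Retrieve password", 5, ext)


if __name__ == "__main__":
    line = example_event()
    print(line)
    header, ext = parse_cef(line)
    print("AU-3 gaps:", au3_missing(ext) or "none")
```

The point of carrying both suser (the person) and duser (the shared account) is the accountability requirement quoted above: a record that names only SYS identifies the account that was used, not the individual who used it, and au3_missing would flag it. The escaping matters because a free-text reason field containing "=" or a line break would otherwise be split into bogus key/value pairs by the receiving SIEM.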

CYBER-ARK SOLUTION OVERVIEW

Cyber-Ark's Privileged Identity Management (PIM) Suite and Privileged Session Management (PSM) Suite are an integrated, full-lifecycle solution for centrally managing privileged and shared identities, privileged sessions, and embedded passwords found in applications and scripts.

Privileged accounts, as well as the audit information associated with using them, must be protected according to the highest security standards. The Cyber-Ark PIM Suite utilizes the patented Digital Vault, validated as highly secure by independent security evaluators (such as ICSA Labs). This core technology is the heart of the PIM suite and was designed to meet the highest security requirements for controlling the "keys to the kingdom". The Digital Vault provides numerous underlying security capabilities for authentication, encryption, tamper-proof audit and data protection.

The Cyber-Ark PIM Suite includes the following products:

- Enterprise Password Vault (EPV): Cyber-Ark's award-winning EPV enables organizations to enforce an enterprise policy that protects your most critical systems, managing the entire lifecycle of shared and privileged accounts across data centers.
- Application Identity Manager (AIM): Cyber-Ark's market-leading AIM fully addresses the challenges of hard-coded App2App credentials and encryption keys. The solution eliminates the need to store App2App credentials in applications, scripts or configuration files, and allows these highly sensitive credentials to be centrally stored, audited and managed within Cyber-Ark's patented Digital Vault.
- On-Demand Privileges Manager (OPM): the first unified solution for managing and monitoring superusers and privileged accounts under one roof. Usage of accounts such as root on UNIX is no longer anonymous and can now be controlled by pre-defined granular access control, where both the command itself and its output are recorded. OPM also dramatically improves productivity in Windows environments by enforcing a "least privilege" policy on desktops.

To complement Cyber-Ark's market-leading PIM Suite and proactively protect privileged sessions, especially remote or third-party access, Cyber-Ark's Privileged Session Management (PSM) Suite is a central control point that allows you to isolate, control and monitor all privileged sessions, whether on servers, databases or virtual machines. Together these two suites provide a holistic and preventative approach to managing the risks associated with privileged accounts and activities.

Sensitive Information Management (SIM) Suite

1. Sensitive Document Vault provides highly secure central storage with granular access control, segregation of duties and extensive monitoring capabilities for storing and sharing files within the organization.
2. Governed File Transfer (GFT) Suite enables encrypted transmission of sensitive files to third parties, supporting a variety of transfer types. All transfer methods, whether ad-hoc, manual or automated processes, are supported on the same secure Digital Vault platform for centralized management and control. This suite employs the patented, highly secure Digital Vault and secure transfer protocols (the patented Vault Protocol (1), SSL, SSH) that encrypt and protect files at rest and in transit.

Figure 3: A unique approach for transferring files securely

Cyber-Ark's unique and patented Digital Vault technology, which includes multiple security layers such as encryption, authentication, access control and strict auditing, is a core component of the underlying infrastructure for the PIM, PSM and SIM suites, delivering an enterprise-class solution for protecting and controlling access to sensitive information or privileged credentials.

(1) The patented "Vault Protocol" employs proven cryptographic algorithms and primitives.

ADDRESSING NIST SP 800-53 RECOMMENDATIONS

The table below describes how Cyber-Ark's solutions help implement the controls described in NIST SP 800-53. For each family, all the controls listed in the "Control Name" column are implemented by Cyber-Ark for the LOW, MODERATE and HIGH baselines, as detailed in NIST SP 800-53 Rev. 3.

CNTL NO.   CONTROL NAME

Access Control
AC-2       Account Management
AC-3       Access Enforcement
AC-4       Information Flow Enforcement
AC-5       Separation of Duties
AC-6       Least Privilege
AC-7       Unsuccessful Login Attempts
AC-8       System Use Notification
AC-10      Concurrent Session Control
AC-11      Session Lock
AC-16      Security Attributes
AC-17      Remote Access
AC-20      Use of External Information Systems

HOW DOES CYBER-ARK HELP?

Cyber-Ark's PIM and PSM suites give an organization the ability to automatically discover where privileged accounts exist on servers and in virtual environments, and to securely provide its users with only the privileged access they need in order to complete their role, based on pre-defined policies. Depending on the policy, passwords can be "one-time" passwords, changed after a user has accessed them, or rotated at any other automatic replacement frequency. Workflows such as dual approval of password usage, email notifications, and ticketing-system integration for ticket validation and reasoning are just some of the many workflows that can be implemented.

By extending to the PSM Suite, organizations have:
- Control over session initiation on servers, databases
