PowerBroker Privileged Account Management Solutions for the U.S. Federal Government


WHITE PAPER

PowerBroker Privileged Account Management Solutions for the U.S. Federal Government

Powerful compliance and risk management solutions for government agencies

www.beyondtrust.com | 1.800.234.9072 | sales@beyondtrust.com

Table of Contents

Your networks are under attack – from within and without
What does “privilege” have to do with it?
PowerBroker: Comprehensive privileged account management
The BeyondInsight IT Risk Management Platform
Compliance: How BeyondTrust mitigates risk across the board
  FISMA/NIST
    NIST SP 800-53: Security and Privacy Controls for Federal Information Systems & Organizations
    NIST SP 800-39: Managing Information Security Risk
    NIST SP 800-137: Continuous Monitoring
  SANS Top 20 Critical Security Controls
Certifications
You need assurance. BeyondTrust provides it.
Sample U.S. Federal customers that trust BeyondTrust
About BeyondTrust

© 2014 BeyondTrust. All Rights Reserved.

Warranty
This document is supplied on an "as is" basis with no warranty and no support. This document contains information which is protected by copyright. No part of this document may be photocopied, reproduced, or translated to another language without the prior written consent of BeyondTrust.

Limitations of Liability
In no event shall BeyondTrust be liable for errors contained herein or for any direct, indirect, special, incidental or consequential damages (including lost profit or lost data) whether based on warranty, contract, tort, or any other legal theory in connection with the furnishing, performance, or use of this material. The information contained in this document is subject to change without notice. No trademark, copyright, or patent licenses are expressly or implicitly granted (herein) with this white paper. For the latest updates to this document, please visit: http://www.beyondtrust.com

Disclaimer
All brand names and product names used in this document are trademarks, registered trademarks, or trade names of their respective holders. BeyondTrust is not associated with any other vendors or products mentioned in this document.

Your networks are under attack – from within and without

The compliance landscape for government agencies changes with almost every administration. There are always new requirements – and penalties – that agencies have to be able to anticipate, implement, and report on. At the same time, government information networks – like their counterparts in public and private enterprises – are constantly exposed to both internal and external threats. Each type of threat has its own characteristics.

- Internal threats may be malicious (designed to cause harm) or unintentional (the result of human error), exposing weaknesses in the agency’s defenses and policies. Regardless of intent, insiders can do significant damage quickly, because they are already inside perimeter-layer security.

- External threats are designed to exploit vulnerabilities in networks and endpoints; they often seek to gain a foothold from which the attacker can act as an insider. Once an attacker gains administrative access, it is easy to make configuration changes that enable the installation of malicious software and to alter security controls for unfettered access to sensitive information.

The collateral damage of such attacks is extensive, ranging from “simple” non-compliance consequences to national security threats. Intellectual property, defense information, personnel records, and other classified information can be stolen, sold, and used against the interests of the U.S. government, its citizens, and its allies. The key is to enforce strict limits on what a given network user is able to do in terms of accessing and using network resources, and to monitor usage so that improper activity is identified quickly.

The most effective approach to take with end users in the current environment is to restrict access privileges through both policy and technology – allowing the least possible privilege for every user.
This is the domain of BeyondTrust’s PowerBroker privileged account management (PAM) solutions.

What does “privilege” have to do with it?

The least-privilege approach has gained a lot of credibility recently thanks to one notorious name: Edward Snowden. In the aftermath of Snowden leaking classified information he had access privileges to, the NSA announced it would reduce system administrator privileges by 90%. Indeed, “Insider and privilege misuse” was identified by the 2014 Verizon Data Breach Investigations Report as one of the nine basic patterns of activity in the past decade that have resulted in confirmed data breaches.

The fact is that many government users have more access than they need to perform their current job functions. With a least-privilege approach, users receive permissions only to the systems, applications, and data they need based on their current role or profile in the agency. These privileges can be user-, system-, or role-based as well as time-based (e.g., access granted only on certain days or hours, or for a set duration). Administrators can increase or restrict access as needed – after all, user roles do change frequently and special projects often require elevated levels of access – but whenever possible, and as quickly as possible, privileges should return to their least level.

Still, it is important to understand that restricting privileges is only part of the solution. All user activity performed under approved privileges should be monitored and audited to ensure appropriate use, and to quickly identify, flag, and prevent misuse – whether malicious or unintentional. By monitoring privileged users with solutions such as BeyondTrust’s PowerBroker products, which enable proactive alerts and associated reporting, you can achieve “verifiable compliance” with stated access policies – and gain assurance that your access controls will stand up to an audit.

Survey Results: “Privileges Gone Wild”

In 2013, BeyondTrust surveyed 265 IT decision makers, comprising security managers and network and systems engineers across a number of sectors, including government, financial services, manufacturing, and others. Their responses are fairly shocking, and speak to the importance of privileged account management.

- 80% of respondents believe that it is at least somewhat likely that employees access sensitive or confidential data out of curiosity.
- 65% of organizations have controls to monitor privileged access, yet 54% say they have the ability to circumvent these controls.
- 43% of respondents allow sensitive data to be stored on employee workstations/laptops.
- 28% admitted to having retrieved information not relevant to their job, such as financial reports, salary information, and HR and personnel documents.
- 44% of employees have unnecessary access rights.
- 76% say the risk to their organization caused by the insecurity of privileged users will increase over the next few years.

PowerBroker: Comprehensive privileged account management

BeyondTrust’s PowerBroker suite of privileged account management (PAM) solutions provides comprehensive visibility and control over account privileges within complex agency environments. Integrated within the BeyondInsight IT Risk Management Platform, which provides centralized management and control, PowerBroker solutions reduce the risk and minimize the impact of internal and external threats by giving IT and security teams powerful discovery and analytics capabilities.

BeyondTrust currently offers 15 distinct PowerBroker products within four functional categories that represent essential risk management requirements:

Privilege Management – Enabling fine-grained control for assigning privileges to users throughout the organization.
- PowerBroker Servers Enterprise
- PowerBroker UNIX & Linux
- PowerBroker for Windows Desktops & Servers
- PowerBroker for Virtualization & Cloud
- PowerBroker for Databases

Active Directory Bridging – Ensuring single sign-on using the same Active Directory for all resources, while auditing all users who log in.
- PowerBroker Identity Services “AD Bridge”

Privileged Password Management – Establishing a “virtual safe” for shared passwords in the organization, ensuring secure storage and retrieval.
- PowerBroker Password Safe

Auditing & Protection – Offering reporting and analytics functionality for compliance and continuous improvement.
- PowerBroker Auditor for File System
- PowerBroker Recovery for AD
- PowerBroker Auditor for SQL
- PowerBroker Change Manager for AD
- PowerBroker Auditor for Exchange
- PowerBroker Privilege Explorer for AD
- PowerBroker Auditor for Active Directory (AD)
- PowerBroker Event Vault for Windows

For specific information on each of the PowerBroker applications, please visit www.beyondtrust.com.
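The role-based, time-bounded least-privilege model described under “What does ‘privilege’ have to do with it?” above, together with the audit trail that the following paragraph calls for, as an added example in Python. This is not BeyondTrust or PowerBroker code; the role names, user, privilege strings and timestamps are constructed for illustration. It goes slightly beyond the text in one respect: elevation is modelled as a grant that lapses by itself, so the return to least privilege does not depend on an administrator remembering to restrict access again.

```python
"""Least privilege with time-bounded elevation: an added example, not
BeyondTrust or PowerBroker code. Users hold a base role; anything beyond it is
a grant with an expiry and an optional weekday/hour window, so privileges fall
back to the base role by themselves. Every decision goes to an audit trail."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Optional, Set

# Hypothetical base roles; a real deployment would load these from a directory.
ROLE_PRIVILEGES: Dict[str, FrozenSet[str]] = {
    "analyst": frozenset({"read:reports"}),
    "dba": frozenset({"read:reports", "db:query"}),
}


@dataclass(frozen=True)
class Grant:
    user: str
    privilege: str
    valid_from: datetime
    valid_until: datetime
    weekdays: Optional[FrozenSet[int]] = None  # 0=Mon .. 6=Sun; None = any day
    hours: Optional[range] = None              # e.g. range(8, 18); None = any hour

    def active(self, at: datetime) -> bool:
        """Inside the validity period AND inside the weekday/hour window."""
        if not (self.valid_from <= at < self.valid_until):
            return False
        if self.weekdays is not None and at.weekday() not in self.weekdays:
            return False
        return self.hours is None or at.hour in self.hours


@dataclass
class AuditEvent:
    at: datetime
    user: str
    privilege: str
    allowed: bool
    reason: str


@dataclass
class PrivilegeBroker:
    roles: Dict[str, str]  # user -> base role
    grants: List[Grant] = field(default_factory=list)
    audit: List[AuditEvent] = field(default_factory=list)

    def effective_privileges(self, user: str, at: datetime) -> Set[str]:
        """Base role plus whatever grants are active at this instant."""
        base = ROLE_PRIVILEGES.get(self.roles.get(user, ""), frozenset())
        return set(base) | {g.privilege for g in self.grants
                            if g.user == user and g.active(at)}

    def grant(self, user: str, privilege: str, at: datetime, duration: timedelta,
              weekdays: Optional[FrozenSet[int]] = None,
              hours: Optional[range] = None) -> Grant:
        """Elevate for a fixed duration; nothing has to be revoked afterwards."""
        g = Grant(user, privilege, at, at + duration, weekdays, hours)
        self.grants.append(g)
        return g

    def check(self, user: str, privilege: str, at: datetime) -> bool:
        """Authorize one action and record the decision, allowed or not."""
        base = ROLE_PRIVILEGES.get(self.roles.get(user, ""), frozenset())
        if privilege in base:
            allowed, reason = True, "base role"
        elif privilege in self.effective_privileges(user, at):
            allowed, reason = True, "active time-bounded grant"
        else:
            allowed, reason = False, "no role privilege or active grant"
        self.audit.append(AuditEvent(at, user, privilege, allowed, reason))
        return allowed


def demo() -> Dict[str, object]:
    """Constructed scenario: an analyst gets business-hours-only elevations."""
    broker = PrivilegeBroker(roles={"alice": "analyst"})
    monday_9am = datetime(2014, 6, 2, 9, 0)  # constructed timestamp (a Monday)
    weekdays, hours = frozenset({0, 1, 2, 3, 4}), range(8, 18)
    broker.grant("alice", "db:query", monday_9am, timedelta(hours=4), weekdays, hours)
    broker.grant("alice", "backup:run", monday_9am, timedelta(hours=12), weekdays, hours)

    def later(n: int) -> datetime:
        return monday_9am + timedelta(hours=n)

    return {
        "base_read": broker.check("alice", "read:reports", monday_9am),
        "during_window": broker.check("alice", "db:query", later(1)),        # 10:00
        "after_expiry": broker.check("alice", "db:query", later(5)),         # 14:00; grant ended 13:00
        "backup_in_hours": broker.check("alice", "backup:run", later(7)),    # 16:00
        "backup_after_hours": broker.check("alice", "backup:run", later(10)),  # 19:00; valid but outside hours
        "never_granted": broker.check("alice", "user:create", monday_9am),
        "denied_count": sum(not e.allowed for e in broker.audit),
        "effective_next_day": sorted(broker.effective_privileges("alice", later(24))),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it with python3 and it prints each decision. The points to notice are that the two denials after the window (after_expiry and backup_after_hours) happen without any revoke step, that a privilege never granted is denied and still recorded, and that all three denials sit in the audit list where a proactive alerting rule would pick them up.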

The BeyondInsight IT Risk Management Platform

All PowerBroker PAM solutions are backed by BeyondTrust’s Retina family of vulnerability management (VM) solutions. Both the PAM and VM solutions share a common management console framework called BeyondInsight. In addition to serving as a central management, analytics, and reporting console for the PAM and VM product families, BeyondInsight offers additional capabilities such as discovery, profiling, role-based access, and smart groups for identifying, organizing, and reporting on assets and accounts.

Additionally, the BeyondInsight console enables centralized alerting, reporting, and search functionality: it aggregates all privileged account information into a data warehouse and then provides analytics and reporting capabilities for mitigating risk and documenting compliance. The BeyondInsight management console is scanner-agnostic, accepting data feeds from BeyondTrust Retina as well as third-party vulnerability scanners such as Nessus, Nexpose, and QualysGuard.

Compliance: How BeyondTrust mitigates risk across the board

PowerBroker and BeyondInsight provide capabilities that support a wide range of government information security requirements. Here we have broken down some of the most common and pressing federal mandates and regulations, showing the extent to which BeyondTrust’s PAM and Retina VM solutions can help agencies achieve and maintain compliance.

FISMA/NIST

This section requires some familiarity with the following:

- The Federal Information Security Management Act of 2002 (FISMA) requires federal agencies to implement information security programs to protect the information and information systems that support agency operations and assets.
- The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the U.S. Department of Commerce charged with advancing measurement standards.
- Federal Information Processing Standards (FIPS) are issued by NIST in accordance with FISMA; they are compulsory and binding for federal agencies.
- Special Publications (SPs) are developed and issued by NIST as recommendations and guidance documents.
- The NIST Risk Management Framework (NIST RMF) is the standard for integrating information security and risk management into government agency information systems. The NIST RMF encompasses a range of activities defined by several different NIST SPs.

BeyondTrust supports the requirements of three key SPs relating to the NIST RMF: SP 800-53, SP 800-39, and SP 800-137.

NIST SP 800-53: Security and Privacy Controls for Federal Information Systems & Organizations

BeyondTrust’s solutions address several individual controls under the following control families:

- Access Control – PowerBroker for UNIX & Linux, PowerBroker for Windows
- Audit & Accountability – PowerBroker for UNIX & Linux, PowerBroker for Windows, PowerBroker Auditor
- Security Assessment and Authorization – PowerBroker for Windows, Retina family of VM solutions
- Configuration Management – PowerBroker for Windows, Retina Configuration Management Module
- Identification and Authentication – PowerBroker Password Safe
- Risk Assessment – PowerBroker for Windows, Retina family of VM solutions
- System & Services Acquisition – PowerBroker for UNIX & Linux, PowerBroker for Windows, Retina CS
- System and Communications Protection – PowerBroker for UNIX & Linux, PowerBroker for Windows
- System and Information Integrity – PowerBroker Endpoint Protection Platform, Retina Patch Management Module, Retina Protection Agent

By addressing the above controls, our solutions also enable agencies to prepare for security control assessments per NIST SP 800-53A (“Guide for Assessing the Security Controls in Federal Information Systems and Organizations”).

NIST SP 800-39: Managing Information Security Risk

BeyondTrust’s PowerBroker and Retina solutions, in conjunction with the BeyondInsight Risk Management Platform, collectively address all of the tasks defined under the following components of the risk management process defined in SP 800-39:

- Risk Framing – Discovering and profiling assets and accounts; grouping and filtering according to risk, privacy, and compliance issues
- Risk Assessment – Threat and vulnerability identification, risk determination
- Risk Response – Identifying and evaluating alternative courses of action for responding to risks determined during the assessment phase
- Risk Monitoring – Monitoring information systems and privileged accounts on an ongoing basis to verify compliance, determine the effectiveness of response measures, and identify changes

NIST SP 800-137: Continuous Monitoring

BeyondTrust offers several solutions that support continuous monitoring as defined in SP 800-137, covering the following of the 11 security automation domains that SP 800-137 identifies as supporting continuous monitoring:

- Vulnerability Management
- Patch Management
- Malware Detection
- Asset Management
- Configuration Management

SANS Top 20 Critical Security Controls

The SANS Top 20 Controls are a set of recommendations coordinated by the SANS Institute, a private U.S. company that specializes in information security and cybersecurity training, and compiled by a consortium of U.S. and international agencies and experts from private industry. BeyondTrust solutions address several of the controls, as summarized in the applicability matrix below.

Products compared (matrix columns): Retina CS Enterprise Vulnerability Mgt.; Retina Network Security Scanner; PowerBroker for UNIX & Linux; PowerBroker for Windows; PowerBroker Identity Services; PowerBroker Auditor; PowerBroker Password Safe; PowerBroker Endpoint Protection; BTU Training / Services; BeyondSaaS; BeyondInsight Platform*.

Controls (matrix rows):
1: Inventory of Devices
2: Inventory of Software
3: Secure Configurations: Hardware & Software
4: Continuous Vuln. Assessment & Remediation
5: Malware Defenses
6: Application Software Security
7: Wireless Device Control
8: Data Recovery Capability
9: Security Skills Assessment and Training
10: Secure Configurations: Network Devices
11: Limitation/Control: Ports, Protocols, Services
12: Controlled Use of Administrative Privileges
13: Boundary Defense
14: Maintenance, Monitoring, & Analysis of Audit Logs
15: Controlled Access Based on Need to Know
16: Account Monitoring and Control
17: Data Loss Prevention
18: Incident Response and Management
19: Secure Network Engineering
20: Penetration Tests & Red Team Exercises

Legend: full mark – Broad applicability; ½ – Partial applicability; blank – Not applicable. Controls highlighted in green are those where BeyondTrust products offer broad coverage. [Applicability matrix: the per-product cells did not survive transcription and are not reproduced here.]

*The BeyondInsight column reflects the applicability of platform reporting and analytics capabilities to the specific controls. Talk to your account executive to determine the appropriate solution configuration for your needs.

National Industrial Security Program Operating Manual (NISPOM)

The National Industrial Security Program (NISP) was established to manage the needs of private industry to securely access classified information. The NISP Operating Manual (NISPOM) establishes the specific standard procedures and requirements for all government contractors with regard to their ability to access and use classified information.

Collectively, the PowerBroker for UNIX & Linux, PowerBroker for Windows, and PowerBroker Auditor solutions address the following Information System Security procedures defined in Chapter 8 of the NISPOM:

- 8-303: Identification and Authentication Management
- 8-311: Configuration Management
- 8-505: Systems with Group Authenticators
- 8-606: Access Controls
- 8-607: Identification and Authentication
- 8-609: Session Controls
- 8-614: Security Testing

Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP)

Targeted at agencies within the U.S. Department of Defense, DITSCAP details the standards and processes that agencies must adhere to in order for their information assurance and security solutions to be certified and accredited. These standards are based largely on NIST SP 800-53 (see the NIST SP 800-53 section above), so the same PowerBroker and Retina solutions that enable compliance with 800-53 will position agencies for DITSCAP certification as well. (Note that DITSCAP was superseded by DIACAP in 2007 and, in March 2014, by the DoD adoption of the NIST RMF under DoDI 8510.01, which draws its security controls from SP 800-53; the 800-53 mapping above is therefore the one that matters for current DoD authorizations.)

Key Capabilities of PowerBroker PAM Solutions

- Pass audits and comply with government mandates
- Dynamically discover, profile, and group assets and accounts
- Mitigate insider threats through granular password and privilege management
- Implement and enforce least-privilege access controls for agency end users
- Ensure accountability through session monitoring and recording, keystroke logging, and real-time auditing
- Fulfill reporting requirements via 260 reports included out of the box, plus a flexible ad hoc reporting capability
- Enable informed, actionable decisions from meaningful data gleaned from context-aware security intelligence, including asset, user, and account privilege information
- Consistently authenticate users across heterogeneous environments

Certifications

FIPS 140-2 is a U.S. government computer security standard used to accredit cryptographic modules.

- PowerBroker Password Safe ships with commercially supported, FIPS 140-2 validated cryptographic components for all encryption of the passwords that protect critical data.
- PowerBroker for UNIX & Linux integrates with SafeNet Luna hardware security modules (HSMs) for U.S. and Canadian government agencies requiring FIPS 140-2 Level 2/Level 3 validation.

You need assurance. BeyondTrust provides it.

In the current environment, considering both the unrelenting cybersecurity threats faced by organizations of all sizes everywhere, and the many global political uncertainties affecting American institutions in particular, U.S. government agencies have to be more vigilant and proactive than ever before. With over 4,000 worldwide customers, including more than 200 U.S. Federal departments and agencies, BeyondTrust delivers a comprehensive suite of PowerBroker PAM solutions that have been proven in a wide range of large and complex IT environments.

According to Gartner, BeyondTrust is one of only two vendors able to offer complete PAM capabilities today; as agencies are under pressure to limit the number of discrete vendors, BeyondTrust can handle the bulk of your security requirements and thereby help reduce your vendor portfolio. You get the protection you need and the peace of mind you desire.

To see PowerBroker solutions in action, contact BeyondTrust at 1.800.234.9072 or sales@beyondtrust.com to schedule a demo. For more information, please visit us at http://www.beyondtrust.com.

Sample U.S. Federal customers that trust BeyondTrust

Over 200 U.S. Federal departments and agencies trust BeyondTrust solutions for privileged account management and vulnerability management.

About BeyondTrust

BeyondTrust provides context-aware Privileged Account Management and Vulnerability Management software solutions that deliver the visibility necessary to reduce IT security risks and simplify compliance reporting.

We empower organizations to not only mitigate user-based risks arising from misuse of system or device privileges, but also identify and remediate asset vulnerabilities targeted by cyber attacks. As a result, our customers are able to address both internal and external threats, while making every device – physical, virtual, mobile and cloud – as secure as possible.

BeyondTrust solutions are unified under the BeyondInsight IT Risk Management Platform, which provides IT and security teams a single, contextual lens through which to view user and asset risk. This clear, consolidated risk profile enables proactive, joint decision-making while ensuring that daily operations are guided by common goals for risk reduction.

The company is privately held, and headquartered in Phoenix, Arizona. For more information, visit beyondtrust.com.
