Complying with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53
An Assessment of Cyber-Ark's Solutions
September 2011
Table of Contents
EXECUTIVE SUMMARY
CYBER-ARK SOLUTION OVERVIEW
ADDRESSING NIST SP 800-53 RECOMMENDATIONS
CONCLUSION

The information provided in this document is the sole property of Cyber-Ark Software Ltd. No part of this document may be reproduced, stored or transmitted in any form or any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission from Cyber-Ark Software Ltd.
Copyright 2000-2011 by Cyber-Ark Software Ltd. All rights reserved.
EXECUTIVE SUMMARY

The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 provides the recommended security controls for federal information systems and organizations. Cyber-Ark offers three solution suites that help agencies implement the necessary controls within NIST SP 800-53 to achieve FISMA compliance:

- Privileged Identity Management (PIM) Suite – comprehensive lifecycle management for privileged, shared and application accounts across the datacenter.
- Privileged Session Management (PSM) Suite – isolates, controls and monitors privileged sessions on servers, databases or virtual environments, providing a pre-integrated solution with PIM.
- Sensitive Information Management (SIM) Suite – manages and protects sensitive information whether being shared within the organization or sent to external parties.

    "Cyber-Ark's solutions offer a preventative approach by introducing the necessary security controls to protect the organization's assets."

Privileged users are abundant in the enterprise environment. They can be categorized into the following four classes:

- Generic, shared or non-personal administrative accounts that exist in virtually every network device, operating system, database, or software application. These accounts hold "super user" privileges and are often anonymously shared among IT staff with no proper accountability. Some examples are: Windows Administrator user, UNIX root user and Oracle SYS account.
- Personal privileged accounts – the powerful accounts that are used by business users and IT personnel. These accounts have a high level of privileges and their use (or misuse) can significantly affect the organization's business. Some examples are: the CFO's user or a DBA account.
- Application accounts, which are used by applications to access databases and other applications. These accounts typically have broad access rights to underlying business information in databases.
- Emergency accounts – used by the organization when elevated privileges are required to fix urgent problems, such as in cases of business continuity or disaster recovery. Access to these accounts frequently requires managerial approval. These are often called: fire call ids, break glass users, etc.

The main NIST SP 800-53 Control Families addressed by Cyber-Ark include:

Access Control –
The "Access Control" family is the foundation for the management of users and accounts. It addresses issues of account creation and assignment (e.g. who should be given an account?), as well as when and how accounts and privileges should be used. It therefore contains many guidelines regarding the special care and attention that needs to be given to privileged accounts and their elevated access rights, as well as access to sensitive information stored in the organization's information systems.

"Users requiring administrative privileges on information system accounts receive additional scrutiny by organizational officials responsible for approving such accounts and privileged access". Cyber-Ark's PIM suite provides an organization with a comprehensive solution for privileged account lifecycle management, from discovering and securing the accounts to enforcing policies and auditing the use of them. Complementing the PIM suite, PSM gives organizations better control over privileged sessions: who can initiate sessions and for how long, privileged single sign-on to sessions without divulging privileged credentials (e.g. to third parties having to access your network), and continuous monitoring of activity throughout the session.

    "Achieve NIST 800-53 compliance using pre-defined policies and workflows"

As to access to sensitive information, the Access Control family specifies the Access Enforcement, Information Flow and other controls that prescribe how information should be controlled, encrypted, accessed, shared and so on. Cyber-Ark's SIM suite provides a complete solution for storing and sharing sensitive information, whether inside the organization or with other entities.

Cyber-Ark successfully addresses and even exceeds the baseline requirements for Account Management, Access Enforcement, Separation of Duties, Concurrent Session Control, Session Lock and others. Cyber-Ark's products emphasize the Least Privilege principle, by providing granular access control and effectively restricting privileged access throughout the organization.

Audit and Accountability –
The "Audit and Accountability" family ensures that the information required for auditing and, if necessary, rebuilding the chain of events is available on demand.

Both for access to sensitive information and for privileged actions, accountability cannot be achieved if anonymous access is used. That is why control AU-3, "Content of Audit Records", lists the required data for each audit log record, and states that "the information system produces audit records that contain sufficient information to, at a minimum, establish (the) identity of any user/subject associated with the event". Cyber-Ark supports this requirement by extensively documenting any event in the system, be it access to stored information (in the case of the SIM Suite) or use of a privileged password (for the PIM Suite), personalizing activity for full accountability.

All Cyber-Ark logs are properly time-stamped, cryptographically protected and stored in a tamper-proof vault, referenced to a specific user in the system and stored for as long a period as required by the organization. Cyber-Ark products can also generate alerts on specific occurrences and connect to organizational SIEM products, such as ArcSight, to send CEF-compliant syslog events.

Identification and Authentication –
Control "IA-2 Identification and Authentication (Organizational Users)" is the main control in this family and is needed for effective access control or audit. The control itself asserts that: "The information system uniquely identifies and authenticates organizational users". This is especially true for privileged and shared accounts, which are shared among the IT staff, diminishing accountability and exposing vulnerabilities due to password knowledge. Control "IA-5 Authenticator Management" is concerned with the management and use of authenticators, mainly passwords, in the organization. The control provides many requirements for password management, such as: ensuring their strength, defining their lifetime, refreshing/changing them periodically, protecting them, and managing their revocation. These requirements apply to all types of accounts, as specified in AC-2: "individual, group, system, application, guest/anonymous, and temporary". Often, knowing where these accounts exist can be a challenge. Cyber-Ark's auto-discovery capabilities identify where these accounts exist, whether on servers or virtual environments, and continue to manage them throughout their lifecycle.

    "Cyber-Ark's PIM and PSM suites enable an organization to securely provide its users and applications with the exact privileges they need in order to complete their role"

Control Enhancement (7) addresses the key problem of hard-coded, clear-text passwords in applications, by requiring that "The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys". Cyber-Ark's Application Identity Manager, part of the PIM suite, uniquely addresses this area by eliminating hard-coded passwords and periodically replacing them with no system downtime, with enhanced secure authentication and a secure cache mechanism in the event of a network outage.

This document provides an overview of the solution suites offered by Cyber-Ark and demonstrates how these solutions address the recommendations of NIST SP 800-53.
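The hard-coded-password problem that IA-5(7) and the Application Identity Manager description above address, and that the CA-3 row of the table below restates, is easier to see in code. The following Python is an added example written for this page; it is not Cyber-Ark code, and the CredentialProvider, AppCredentialClient and AppIdentity names, the account and host names and the sample passwords are all constructed for illustration. It shows the embedded-password anti-pattern next to a run-time fetch from a provider that authenticates the calling application by its own attributes (binary hash, OS user, host), rotates the password without touching the application, and lets the application keep only a short-lived in-memory copy to survive a provider outage.

```python
import time
from dataclasses import dataclass

# ---------------------------------------------------------------------------
# "Before": the pattern that IA-5(7) prohibits. The database password is a
# static, unencrypted authenticator embedded in the application, so it lives in
# source control, in backups and in every deployed copy, and it never changes.
# ---------------------------------------------------------------------------
DB_PASSWORD_BEFORE = "S3cret!2011"   # constructed sample value (the anti-pattern)


def connect_before():
    """Connection parameters an application built the old way would present."""
    return {"user": "app_svc", "password": DB_PASSWORD_BEFORE}


# ---------------------------------------------------------------------------
# "After": the application proves its own identity to a credential provider and
# fetches the current password at run time. The provider owns and rotates the
# password; the application keeps only a short-lived in-memory copy for use
# when the provider is unreachable. (The cache here is an in-process stand-in;
# a production cache would additionally be encrypted at rest.)
# ---------------------------------------------------------------------------
@dataclass(frozen=True)
class AppIdentity:
    """Attributes that authenticate the calling application (hypothetical model):
    hash of the calling binary, OS user and host, as the paper's list suggests."""
    app_id: str
    binary_sha256: str
    os_user: str
    host: str


class ProviderUnavailable(Exception):
    """The central provider cannot be reached (simulated network outage)."""


class CredentialProvider:
    """Hypothetical stand-in for a central vault, not a real product API."""

    def __init__(self):
        self._allowed = {}    # account -> AppIdentity permitted to read it
        self._passwords = {}  # account -> current password
        self.audit = []       # (timestamp, account, app_id, outcome)
        self.online = True

    def register(self, account, identity, password):
        self._allowed[account] = identity
        self._passwords[account] = password

    def rotate(self, account, new_password):
        """Periodic replacement: callers pick up the new value on their next fetch."""
        self._passwords[account] = new_password

    def fetch(self, account, identity):
        if not self.online:
            raise ProviderUnavailable(account)
        ok = self._allowed.get(account) == identity
        self.audit.append((time.time(), account, identity.app_id, "success" if ok else "denied"))
        if not ok:
            raise PermissionError(f"{identity.app_id} is not authorized for {account}")
        return self._passwords[account]


class AppCredentialClient:
    """Caller side: fetch on demand and keep a short-lived in-memory copy only."""

    def __init__(self, provider, identity, cache_ttl=300):
        self.provider, self.identity, self.cache_ttl = provider, identity, cache_ttl
        self._cache = {}  # account -> (password, expiry time in seconds)

    def get_password(self, account, now=None):
        now = time.time() if now is None else now
        try:
            password = self.provider.fetch(account, self.identity)
        except ProviderUnavailable:
            cached = self._cache.get(account)
            if cached and cached[1] > now:
                return cached[0]   # outage: serve the unexpired cached copy
            raise                  # expired cache: fail closed rather than guess
        self._cache[account] = (password, now + self.cache_ttl)
        return password


def demo():
    """Constructed walk-through: registration, rotation, an outage, a rogue caller."""
    provider = CredentialProvider()
    app = AppIdentity("billing-app", "sha256:constructed-hash-of-billing-app",
                      "svc_billing", "app01.example.internal")
    provider.register("db01/app_svc", app, "first-password")
    client = AppCredentialClient(provider, app, cache_ttl=300)
    results = {"initial": client.get_password("db01/app_svc", now=1000.0)}
    provider.rotate("db01/app_svc", "second-password")
    results["after_rotate"] = client.get_password("db01/app_svc", now=1010.0)
    provider.online = False
    results["during_outage"] = client.get_password("db01/app_svc", now=1100.0)
    try:
        client.get_password("db01/app_svc", now=2000.0)   # cache expired mid-outage
        results["expired_cache"] = "served"
    except ProviderUnavailable:
        results["expired_cache"] = "refused"
    provider.online = True
    rogue = AppIdentity("billing-app", "sha256:some-other-binary", "svc_billing",
                        "app01.example.internal")   # same app_id, different binary
    try:
        AppCredentialClient(provider, rogue).get_password("db01/app_svc")
        results["rogue"] = "allowed"
    except PermissionError:
        results["rogue"] = "denied"
    results["audit_outcomes"] = [entry[3] for entry in provider.audit]
    return results
```

The point of the "after" half is that nothing secret is written into the application or its configuration: the identity the application presents is made of things it already has (its own hash, user and host), the provider decides what that identity may read, every fetch is attributed in the provider's audit trail, and a rotation needs no redeployment.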
CYBER-ARK SOLUTION OVERVIEW

Cyber-Ark's Privileged Identity Management (PIM) Suite and Privileged Session Management (PSM) Suite are an integrated, full lifecycle solution for centrally managing privileged and shared identities, privileged sessions as well as embedded passwords found in applications and scripts.

Privileged accounts, as well as the audit information associated with using them, must be protected according to the highest security standards. The Cyber-Ark PIM Suite utilizes the patented Digital Vault, validated as highly secure by independent security evaluators (such as ICSA Labs). This core technology is the heart of the PIM suite and was designed to meet the highest security requirements for controlling the "keys to the kingdom." The Digital Vault provides numerous underlying security capabilities for authentication, encryption, tamper-proof audit and data protection.

The Cyber-Ark PIM Suite includes the following products:

- Enterprise Password Vault – Cyber-Ark's award winning Enterprise Password Vault (EPV) enables organizations to enforce an enterprise policy that protects your most critical systems, managing the entire lifecycle of shared and privileged accounts across data centers.
- Application Identity Manager – Cyber-Ark's market leading Application Identity Manager (AIM) fully addresses the challenges of hard-coded App2App credentials and encryption keys. The solution eliminates the need to store App2App credentials in applications, scripts or configuration files, and allows these highly-sensitive credentials to be centrally stored, audited and managed within Cyber-Ark's patented Digital Vault.
- On-Demand Privileges Manager – On-Demand Privileges Manager (OPM) is the first unified solution for managing and monitoring superusers and privileged accounts under one roof. Usage of accounts such as 'root' users on UNIX is no longer anonymous and can now be controlled by pre-defined granular access control, where both the command itself and the output are recorded. On-Demand Privileges Manager also dramatically improves productivity in Windows environments to enforce a 'least privilege' policy on desktops.

To complement Cyber-Ark's market-leading Privileged Identity Management Suite and proactively protect privileged sessions, especially remote or third party access, Cyber-Ark's Privileged Session Management (PSM) Suite is a central control point and allows you to isolate, control and monitor all privileged sessions whether on servers, databases or virtual machines. Together these two suites provide a holistic and preventative approach to managing risks associated with privileged accounts and activities.

Sensitive Information Management (SIM) Suite

1. Sensitive Document Vault provides a highly secure central storage with granular access control, segregation of duties and extensive monitoring capabilities when storing and sharing files within the organization.
2. Governed File Transfer (GFT) Suite enables encrypted transmission of sensitive files to third parties supporting a variety of transfer types. All transfer methods, ad-hoc, manual or automated processes are supported on the same secure Digital Vault platform for centralized management and control. This suite employs the patented highly-secure Digital Vault and secure transfer protocols (patented Vault Protocol¹ / SSL / SSH) that encrypt and protect files at rest and in transit.

[Figure 3: A unique approach for transferring files securely]

Cyber-Ark's unique and patented Digital Vault technology, which includes multiple security layers such as encryption, authentication, access control, and strict auditing, is a core component of the underlying infrastructure for the PIM, PSM and SIM suites, delivering an enterprise class solution for protecting and controlling access to sensitive information or privileged credentials.

¹ The patented "Vault Protocol" employs proven cryptographic algorithms and primitives.
ADDRESSING NIST SP 800-53 RECOMMENDATIONS

The table below describes how Cyber-Ark's solutions help implement the controls described in NIST SP 800-53. For each family, all the controls listed in the "Control Name" column are implemented by Cyber-Ark for LOW, MED and HIGH baselines, as detailed in NIST SP 800-53 Rev. 3.

CNTL NO. | CONTROL NAME | HOW DOES CYBER-ARK HELP?

Access Control
  AC-2 Account Management
  AC-3 Access Enforcement
  AC-4 Information Flow Enforcement
  AC-5 Separation of Duties
  AC-6 Least Privilege
  AC-7 Unsuccessful Login Attempts
  AC-8 System Use Notification
  AC-10 Concurrent Session Control
  AC-11 Session Lock
  AC-16 Security Attributes
  AC-17 Remote Access
  AC-20 Use of External Information Systems

  How does Cyber-Ark help?
  Cyber-Ark's PIM and PSM suites provide an organization with the ability to automatically discover where privileged accounts exist on servers and virtual environments and securely provide its users with only the necessary privileged access they need in order to complete their role, based on pre-defined policies. Based on the policy, passwords can be "one-time" passwords, changed after a user has accessed them, or replaced at any other automatic frequency. Workflows such as dual approval of password usage, email notifications and ticketing system integration for ticket validation and reasoning are just some of the many workflows that can be implemented.

  By extending to the PSM Suite, organizations have:
  - Control over session initiation on servers, databases or virtual infrastructure, including control regarding who can initiate sessions and for how long
  - Privileged single sign-on to sessions without divulging privileged credentials, e.g. to third parties having to access your network remotely
  - Dual control for session initiation
  - Continuous monitoring capabilities on servers, databases and virtual environments that allow for forensic analysis and quicker remediation time

  Separation of duties – The Vault infrastructure inherently provides separation of duties and allows users to be exposed only to information that is relevant to them (files, privileged credentials etc). The Vault is divided into safes which users can access based on their permissions without knowing of the existence of other safes. All Vault activity is logged and stored in tamper-proof format for audit.

  Sensitive Information Management Suite provides organizations with the following:
  - Users can create and share content through safes
  - Scan Engine can be used to scan files for viruses
  - Enforce Dual Control for accessing sensitive information
  - Use File Categories to attach security attributes to information
  - Automatically and securely transfer information between users and organizations

  (Access Control row, continued) AC-21 User-Based Collaboration and Information Sharing

Audit and Accountability
  AU-2 Auditable Events
  AU-3 Content of Audit Records
  AU-4 Audit Storage Capacity
  AU-5 Response to Audit Processing Failures
  AU-6 Audit Monitoring, Analysis, and Reporting
  AU-7 Audit Reduction and Report Generation
  AU-8 Time Stamps
  AU-9 Protection of Audit Information
  AU-10 Non-repudiation
  AU-11 Audit Record Retention
  AU-12 Audit Generation
  AU-14 Session Audit

  How does Cyber-Ark help?
  Cyber-Ark solution suites provide extensive audit records, including time stamps, addresses, user identifiers, event descriptions, success/fail indicators and more. Support is provided for the organization in identifying the important events and configuring the audit. Notable features include:
  - Support for any storage size
  - Support for any retention period as set by the organization
  - Support for Syslog and XSL schemas
  - Integration with SIEM and event log systems
  - Alert on failures through the Notification Engine
  - Audit records filtering by various parameters
  - All logs are properly time-stamped and synchronized to the Vault clock. NTP can be enabled if required.
  - All audit information is protected in the Digital Vault
  - All actions are personalized for full accountability
  - Built-in reports e.g. entitlements, activity log, provisioning/deprovisioning and more
  - Session recording for forensic analysis

Security Assessments and Authorization
  CA-3 Information System Connections

  How does Cyber-Ark help?
  Cyber-Ark's Application Identity Management solution uses the AIM Provider and SDK to remove all hard coded connection details to a remote data source such as a database and enables secure control over connections of various applications throughout the infrastructure. By eradicating the need to store application passwords embedded in applications, scripts or configuration files, these highly-sensitive passwords are now centrally stored, logged and managed within the Digital Vault.
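To make the Access Control row above concrete (one-time passwords rotated after use, dual approval of password usage, safes that stay invisible to users who hold no role in them, separation of duties between requester and approver, and an attributed record of every step), here is an added Python example written for this page. It is not Cyber-Ark code: the Vault, Safe and Request classes, the safe and account names and the user names are constructed, and the policy it enforces is a hypothetical model rather than any product's actual behaviour.

```python
import secrets
import string
from dataclasses import dataclass, field


class PolicyViolation(Exception):
    """Raised when a request, approval, check-out or check-in breaks safe policy."""


def new_password(length=24):
    alphabet = string.ascii_letters + string.digits + "!#%&*+-=?@"
    return "".join(secrets.choice(alphabet) for _ in range(length))


@dataclass
class Safe:
    name: str
    members: set                   # may see the safe and request its accounts
    approvers: set                 # may confirm requests made by *other* users
    accounts: dict = field(default_factory=dict)   # account -> current password
    required_approvals: int = 2    # dual control: two distinct confirmations


@dataclass
class Request:
    id: int
    safe: str
    account: str
    requester: str
    approvals: set = field(default_factory=set)
    state: str = "pending"         # pending -> approved -> checked_out -> closed


class Vault:
    def __init__(self):
        self.safes, self.requests, self.log = {}, {}, []

    def _record(self, user, action, target, outcome):
        # every step is attributed to the acting user (accountability)
        self.log.append({"user": user, "action": action, "target": target, "outcome": outcome})

    def add_safe(self, safe):
        self.safes[safe.name] = safe

    def visible_safes(self, user):
        """A user learns only of safes they hold a role in; other safes stay invisible."""
        return sorted(n for n, s in self.safes.items() if user in s.members | s.approvers)

    def request_access(self, user, safe_name, account):
        safe = self.safes.get(safe_name)
        # One error for "no such safe", "not a member" and "no such account", so a
        # non-member cannot probe for the existence of safes or accounts.
        if safe is None or user not in safe.members or account not in safe.accounts:
            self._record(user, "request", f"{safe_name}/{account}", "denied")
            raise PolicyViolation("no such account is visible to this user")
        req = Request(len(self.requests) + 1, safe_name, account, user)
        self.requests[req.id] = req
        self._record(user, "request", f"{safe_name}/{account}", "pending")
        return req.id

    def approve(self, approver, req_id):
        req = self.requests[req_id]
        safe = self.safes[req.safe]
        if approver not in safe.approvers or approver == req.requester or req.state != "pending":
            self._record(approver, "approve", f"request {req_id}", "denied")
            raise PolicyViolation("approver must be an authorized user other than the requester")
        req.approvals.add(approver)            # a set, so one approver cannot count twice
        if len(req.approvals) >= safe.required_approvals:
            req.state = "approved"
        self._record(approver, "approve", f"request {req_id}", req.state)
        return req.state

    def checkout(self, user, req_id):
        """Release the password once, to the requester of an approved request."""
        req = self.requests[req_id]
        if user != req.requester or req.state != "approved":
            self._record(user, "checkout", f"request {req_id}", "denied")
            raise PolicyViolation("request is not approved for this user")
        req.state = "checked_out"
        self._record(user, "checkout", f"{req.safe}/{req.account}", "success")
        return self.safes[req.safe].accounts[req.account]

    def checkin(self, user, req_id):
        """One-time use: rotate the account on check-in so the released value dies."""
        req = self.requests[req_id]
        if user != req.requester or req.state != "checked_out":
            raise PolicyViolation("nothing is checked out for this user")
        self.safes[req.safe].accounts[req.account] = new_password()
        req.state = "closed"
        self._record(user, "checkin", f"{req.safe}/{req.account}", "rotated")


def demo():
    """Constructed scenario: two safes, one dual-approved request, one outsider."""
    vault = Vault()
    # alice is also an approver, to show that even an approver cannot approve herself
    vault.add_safe(Safe("unix-prod", members={"alice"}, approvers={"alice", "bob", "carol"},
                        accounts={"root@srv01": "initial-root-pw"}))
    vault.add_safe(Safe("finance-docs", members={"dave"}, approvers={"erin"}))
    out = {"alice_sees": vault.visible_safes("alice")}
    req = vault.request_access("alice", "unix-prod", "root@srv01")
    try:
        vault.approve("alice", req)
        out["self_approval"] = "allowed"
    except PolicyViolation:
        out["self_approval"] = "denied"
    out["after_bob"] = vault.approve("bob", req)
    out["after_carol"] = vault.approve("carol", req)
    released = vault.checkout("alice", req)
    vault.checkin("alice", req)
    out["rotated"] = released != vault.safes["unix-prod"].accounts["root@srv01"]
    try:
        vault.request_access("dave", "unix-prod", "root@srv01")
        out["outsider"] = "allowed"
    except PolicyViolation:
        out["outsider"] = "denied"
    out["trail"] = [f"{e['user']}:{e['action']}:{e['outcome']}" for e in vault.log]
    return out
```

Two design choices carry the control objectives: a denied request produces the same error whether the safe, the membership or the account is missing (so the existence of other safes is not leaked, matching the "without knowing of the existence of other safes" property), and the password handed out at check-out is retired at check-in by rotating the account, which is what turns a shared credential into a one-time one.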
Configuration Management
  CM-2 Baseline Configuration
  CM-5 Access Restrictions for Change
  CM-7 Least Functionality

  How does Cyber-Ark help?
  Cyber-Ark supports baseline configuration and effectively enforces access restrictions for change as required by organizational policy. The PIM solution enables access restrictions for changes throughout the organization, by controlling the access to passwords. Notable features include:
  - Dual control - specify that access to highly sensitive passwords or policies requires confirmation by one or more authorized users
  - Access confirmation or denial via a web-browser or a Smartphone
  - Control what privileged and elevated commands a user can run based on the 'least privilege' principle
  - Accountability and auditability of all privileged activities

  Privileged Session Management Suite enables:
  - Monitoring and recording privileged sessions on servers, databases or virtual environments
  - Session approval workflows
  - DVR playback of recordings for review and analysis

Contingency Planning
  CP-9 Information System Backup
  CP-10 Information System Recovery and Reconstitution

  How does Cyber-Ark help?
  All Cyber-Ark products offer high availability, full disaster recovery capabilities and backup. For the Privileged Identity Management Suite this means that privileged credentials will always be accessible and available for the requesting systems, even in network outages. Password versioning and reconciliation capabilities further enhance the criticality of being able to access systems with privileged credentials, based on enterprise policy. For the Sensitive Information Management Suite this means that sensitive information is never lost, always protected and transmissions are always automatically resumed. The Vault can also be rebuilt based on guidelines.

Identification and Authentication
  IA-2 User Identification and Authentication
  IA-3 Device Identification and Authentication
  IA-4 Identifier Management
  IA-5 Authenticator Management
  IA-6 Authenticator Feedback
  IA-8 Identification and Authentication (Non-Organizational Users)

  How does Cyber-Ark help?
  With Cyber-Ark, every user is uniquely identified in the system and given the permissions and functions as assigned by the organization. A variety of authentication methods for end users is supported, including: PKI, RADIUS, LDAP, RSA SecurID, Windows authentication, Oracle SSO and a robust infrastructure for integrating with most Web SSO or OTP solutions. Device authentication is supported by IP authentication. The Application Identity Manager (AIM) solution, part of the PIM Suite, also uses unique secure authentication parameters e.g. path, hash/signature, OS user or machine address. Cyber-Ark's products are FIPS 140-2 ...

Incident Response
  IR-5 Incident Monitoring
  IR-6 Incident Reporting

  How does Cyber-Ark help?
  Cyber-Ark provides the necessary logs and notifications for effective Incident Monitoring and Reporting, sends alerts through the No
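The Audit and Accountability row and the Incident Response row both rest on the same building block: audit records that carry a time stamp, the acting user, the target and the outcome, that are protected against tampering, and that can be forwarded to a SIEM as CEF syslog and turned into alerts. The following Python is an added example written for this page, not Cyber-Ark code. It implements a keyed hash chain over audit records (covering the AU-3, AU-8, AU-9 and AU-10 properties the table lists), renders records as CEF:0 lines using the standard CEF extension keys rt, suser, src, act, outcome and cs1/cs1Label, and selects failure records for notification. The MAC key, the vendor and product strings, the users and the addresses are all constructed placeholders.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # stands in for the "previous MAC" of the very first record


class AuditLog:
    """Append-only log. Each record is MACed under a key held only by the log
    service and carries the MAC of its predecessor, so an edit, a record deleted
    from the middle, or a reordering is caught by verify()."""

    def __init__(self, key):
        self._key = key
        self.records = []

    def _mac(self, rec):
        body = json.dumps({k: v for k, v in rec.items() if k != "mac"}, sort_keys=True).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def append(self, user, event, target, outcome, src_ip, when=None):
        when = when or datetime.now(timezone.utc)
        rec = {
            "ts": when.isoformat(timespec="seconds"),   # AU-8: one clock for all records
            "user": user,                               # AU-3: identity of the subject
            "event": event, "target": target, "outcome": outcome, "src": src_ip,
            "prev": self.records[-1]["mac"] if self.records else GENESIS,
        }
        rec["mac"] = self._mac(rec)
        self.records.append(rec)
        return rec

    def verify(self):
        """Return -1 if the chain is intact, else the index of the first bad record."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec["prev"] != prev or not hmac.compare_digest(rec["mac"], self._mac(rec)):
                return i
            prev = rec["mac"]
        return -1


def _hdr(value):   # CEF header fields: escape backslash and pipe
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _ext(value):   # CEF extension values: escape backslash and equals sign
    return str(value).replace("\\", "\\\\").replace("=", "\\=")


def to_cef(rec, vendor="ExampleVendor", product="ExampleVault", version="1.0"):
    """Render one record as a CEF:0 syslog line (the format ArcSight consumes).
    Vendor/product names are placeholders; failures get a higher severity."""
    severity = 3 if rec["outcome"] == "success" else 7
    rt_ms = int(datetime.fromisoformat(rec["ts"]).timestamp() * 1000)   # rt = epoch ms
    header = "|".join(_hdr(f) for f in (vendor, product, version, rec["event"],
                                        rec["event"].replace("_", " "), severity))
    ext = (f"rt={rt_ms} suser={_ext(rec['user'])} src={_ext(rec['src'])} "
           f"act={_ext(rec['event'])} outcome={_ext(rec['outcome'])} "
           f"cs1Label=target cs1={_ext(rec['target'])}")
    return f"CEF:0|{header}|{ext}"


def failure_alerts(log):
    """Records that should go to the notification path (denied or failed actions)."""
    return [r for r in log.records if r["outcome"] != "success"]


def demo():
    """Constructed scenario: three events, CEF rendering, then an insider edits one."""
    log = AuditLog(key=b"constructed-demo-key-not-for-production")
    t0 = datetime(2011, 9, 1, 8, 0, tzinfo=timezone.utc)
    log.append("alice", "password_checkout", "unix-prod/root@srv01", "success", "10.1.2.3", t0)
    log.append("mallory", "safe_access", "finance-docs", "denied", "10.9.9.9", t0)
    log.append("alice", "session_start", "srv01", "success", "10.1.2.3", t0)
    intact = log.verify()
    cef_lines = [to_cef(r) for r in log.records]
    alerts = [r["user"] for r in failure_alerts(log)]
    log.records[1]["user"] = "alice"   # rewriting history after the fact
    return {"intact": intact, "tampered_at": log.verify(), "cef": cef_lines, "alerts": alerts}
```

The chain detects modification, insertion, deletion in the middle and reordering, but silent truncation of the tail is only detectable if the latest MAC is also anchored somewhere the writers cannot reach, for instance by forwarding each CEF line to the SIEM as it is produced; that is the role separate, protected audit storage and SIEM forwarding play in the table above.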