Comply with NIST 800-171 easily by employing PAM
Anirban Banerjee
NIST is an organization that helps craft policy for cyber-security and technology. It is well known and in early 2015 released a set of guidelines called 800-171. NIST 800-171 deals with how to handle “Controlled Unclassified Information (CUI)”, that is, unclassified information that resides in non-federal systems – for example, those of vendors who sell to the federal government. In this article we will talk about how Privileged Access Management (PAM) can help satisfy the criteria of NIST 800-171. It is important for security, compliance and audit teams to understand how they can comply with strict regulations by developing repeatable, reliable, simple processes. Our goal is to highlight where PAM can be of assistance, how, and what the benefits are.
Who is NIST
Borrowing from the NIST public website [www.nist.gov/about-nist] – The National Institute of Standards and Technology (NIST) was founded in 1901 and is now part of the U.S. Department of Commerce. NIST is one of the nation’s oldest physical science laboratories. Congress established the agency to remove a major challenge to U.S. industrial competitiveness at the time—a second-rate measurement infrastructure that lagged behind the capabilities of the United Kingdom, Germany, and other economic rivals.
From the smart electric power grid and electronic health records to atomic clocks, advanced nanomaterials, and computer chips, innumerable products and services rely in some way on technology, measurement, and standards provided by the National Institute of Standards and Technology.
Today, NIST measurements support the smallest of technologies to the largest and most complex of human-made creations—from nanoscale devices so tiny that tens of thousands can fit on the end of a single human hair up to earthquake-resistant skyscrapers and global communication networks.
What is NIST 800-171
A great resource for reading up has been provided by Educause – https://library.educause.edu/~/media/files/library/2016/4/nist800.pdf
The National Institute of Standards and Technology (NIST) published Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, in June 2015 (updated January 21, 2016). The purpose of this NIST publication is to provide guidance for federal agencies to ensure that certain types of federal information are protected when processed, stored, and used in non-federal information systems.
NIST 800-171 applies to Controlled Unclassified Information (also called CUI) shared by the federal government with a nonfederal entity. In the higher education context, the federal government often shares data with institutions for research purposes or in carrying out the work of federal agencies. In many of those instances, other federal laws or regulations might address how that information must be protected (e.g., FISMA). In some cases, however, there may not be a law that specifically addresses how the CUI data received from the federal government must be protected. In those instances, NIST 800-171 will apply when the federal government shares controlled unclassified information with vendors. As such, the controls specified in NIST 800-171 will need to be addressed by vendor IT systems that store CUI.
The controls specified in NIST 800-171 are based on NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. The controls were tailored from NIST 800-53 specifically to protect CUI in nonfederal IT systems from unauthorized disclosure. There are 14 families of security requirements outlined in NIST 800-171, comprising 109 individual controls. The families are:
- Access control: generally limits system access to authorized users
- Awareness and training: generally alerts employees to information security risks
- Audit and accountability: involves the creation, protection, retention, and review of system logs
- Configuration management: involves creation of baseline configurations and use of robust change management processes
- Identification and authentication: involves central authentication and multi-factor for local and network access to resources
- Incident response: involves developing operations to prepare for, detect, analyze, contain, recover from, and respond to incidents affecting information
- Maintenance: involves maintenance of systems
- Media protection: involves the sanitization and destruction of media containing CUI
- Personnel security: involves screening individuals before granting them access to information systems with CUI
- Physical protection: involves limiting physical access to systems to only authorized individuals
- Risk assessment: involves assessing the operational risk associated with processing, storage, and transmission of CUI
- Security assessment: involves assessing effectiveness of security controls and addressing deficiencies to limit vulnerabilities
- System and communications protection: involves use of secure design principles in system architecture and software development life cycle
- System and information security: involves monitoring for and alerting on system flaws and vulnerabilities
Like many information security compliance activities, a vendor’s response to the requirements of NIST 800-171 will require the involvement of multiple stakeholders. As federal contracts begin to specify the CUI shared by the federal government and require NIST 800-171 compliance, vendors will need to ensure that those persons using such data, and those systems processing such data, are aware of the data-protection requirements specified by NIST 800-171.
This process may take some time. While the Department of Defense has already started to require NIST 800-171 in its contracts, the requirements have not yet been adopted across the federal government in all of its non-defense-related contracts. In some cases, new controls will need to be implemented in campus information systems to protect CUI. In those instances, a vendor should be prepared to ask for additional time to comply with NIST 800-171 via the contractual negotiation process.
How can PAM help
1. NIST 800-171 3.1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices.
A PAM solution helps you comply with this requirement by creating accounts on target servers, controlling who can access what and when, and providing full auditing (including screen recording for forensics). All this can be achieved not only at the user level but also at a group or role level, providing even more flexibility.
2. NIST 800-171 3.1.2 Limit information system access to the types of transactions and functions that authorized users are permitted to execute & 3.1.7 Prevent non-privileged users from executing privileged functions and audit the execution of such functions.
A PAM solution always has a real-time privilege delegation engine built in. Users can decide at any time who gets access to a privileged account, for how long and from where – the possibilities are endless. Additionally, PAM systems can limit what someone can do once they have privileged access by using features like command introspection. This helps counter insider threats and protects your servers from being misused. Sudo management, real-time session recording, alert generation and automated blocking of connections when misuse of privileges is attempted are all important components that together layer a holistic security blanket over your assets.
3. NIST 800-171 3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
PAM solutions are built from the ground up to ensure that segregation of accounts and separation of duties are enforced in a safe, scalable manner. PAM systems have workflows built in to make sure no two users have access to the same set of credentials, and where two users do need access to a common account, the PAM system keeps track of who is doing what even though they are working in a shared environment.
4. NIST 800-171 3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts.
The core idea of a PAM solution is to layer least privilege across all your assets, and this can be done in an easy, low-friction manner. With a PAM solution it is possible to enforce the least-privilege access model using permissions tied to Active Directory groups. Additionally, PAM solutions help you audit who has how much access to what, who authorized that access, when, and much more.
5. NIST 800-171 3.1.6 Use non-privileged accounts or roles when accessing non-security functions.
PAM solutions help tackle this in two ways: by creating generic, non-privileged service accounts and then sharing access to those accounts among employees; and by letting users place Multi-Factor Authentication (MFA) checkpoints inside any app or server to verify the intent and permissions behind an action in real time. As an example, users can create generic accounts on servers for patching, share them with specific IT groups, and then specify that when a patching command is run on the server cluster, the owner of that cluster must use the fingerprint sensor on his or her phone to authorize the final change. Non-privileged account access can also be granted selectively based on duration, working hours, location, device and many other parameters.
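To make the delegation engine of item 2 and the step-up checkpoint of item 5 concrete, here is an added example that is not code from the original article or from any PAM product. It models a time-bounded grant (who, which account, which host, for how long, from where), command introspection against an allow-list, a step-up MFA requirement for selected commands, automatic blocking of a session that attempts a non-permitted command, and an audit record for every decision. All names, the grant, the addresses and the commands are constructed for illustration.

```python
"""Added illustration (not any vendor's product code): a minimal privilege-delegation
engine with time-bounded grants, source restrictions, command introspection,
step-up MFA checkpoints, automatic session blocking and an audit trail."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
import shlex


@dataclass
class Grant:
    user: str
    account: str                 # delegated privileged account, e.g. "root"
    host: str
    valid_from: datetime
    valid_until: datetime
    allowed_sources: list        # CIDR blocks a session may originate from
    allowed_commands: set        # executables the user may run under this grant
    step_up_commands: set = field(default_factory=set)  # need a fresh MFA approval


@dataclass
class Decision:
    allowed: bool
    reason: str


class DelegationEngine:
    def __init__(self, grants):
        self.grants = list(grants)
        self.audit = []              # every decision, allowed or denied
        self.blocked_sessions = set()

    def _find_grant(self, user, account, host):
        for g in self.grants:
            if (g.user, g.account, g.host) == (user, account, host):
                return g
        return None

    def authorize(self, session_id, user, account, host, source_ip, command,
                  now, mfa_verified=False):
        decision = self._evaluate(session_id, user, account, host, source_ip,
                                  command, now, mfa_verified)
        self.audit.append({"time": now.isoformat(), "session": session_id,
                           "user": user, "host": host, "command": command,
                           "allowed": decision.allowed, "reason": decision.reason})
        return decision

    def _evaluate(self, session_id, user, account, host, source_ip, command,
                  now, mfa_verified):
        if session_id in self.blocked_sessions:
            return Decision(False, "session blocked after earlier misuse")
        grant = self._find_grant(user, account, host)
        if grant is None:
            return Decision(False, "no grant for this user/account/host")
        if not grant.valid_from <= now < grant.valid_until:
            return Decision(False, "outside grant window")
        src = ip_address(source_ip)
        if not any(src in ip_network(cidr) for cidr in grant.allowed_sources):
            return Decision(False, "source address not permitted")
        try:
            argv = shlex.split(command)
        except ValueError:
            self.blocked_sessions.add(session_id)
            return Decision(False, "unparseable command; session blocked")
        exe = argv[0].rsplit("/", 1)[-1] if argv else ""
        if exe not in grant.allowed_commands:
            # Command introspection: anything outside the allow-list ends the session.
            self.blocked_sessions.add(session_id)
            return Decision(False, f"command '{exe}' not permitted; session blocked")
        if exe in grant.step_up_commands and not mfa_verified:
            return Decision(False, f"command '{exe}' requires step-up MFA approval")
        return Decision(True, "permitted")


def demo():
    """Constructed scenario: one grant for 'alice', seven requests over three sessions."""
    now = datetime(2016, 3, 1, 10, 0, tzinfo=timezone.utc)
    grant = Grant("alice", "root", "db01",
                  now - timedelta(hours=1), now + timedelta(hours=1),
                  ["10.0.0.0/24"], {"systemctl", "journalctl", "apt-get"},
                  step_up_commands={"apt-get"})
    engine = DelegationEngine([grant])

    def req(sid, src, cmd, when=now, mfa=False):
        return engine.authorize(sid, "alice", "root", "db01", src, cmd, when, mfa).allowed

    outcomes = [
        req("s1", "10.0.0.5", "systemctl restart postgresql"),            # permitted
        req("s1", "10.0.0.5", "apt-get upgrade"),                         # needs step-up MFA
        req("s1", "10.0.0.5", "apt-get upgrade", mfa=True),               # permitted
        req("s1", "10.0.0.5", "cat /etc/shadow"),                         # denied, session blocked
        req("s1", "10.0.0.5", "journalctl -u postgresql"),                # denied, session dead
        req("s2", "192.168.1.9", "systemctl status"),                     # denied, wrong source
        req("s3", "10.0.0.5", "systemctl status", now + timedelta(hours=2)),  # denied, expired
    ]
    return outcomes, engine.audit
```

Every call, permitted or not, lands in `engine.audit`, which is the raw material for the "who did what, when, and who authorized it" questions raised under items 1, 3 and 4; a real deployment would ship that list to a tamper-evident log store rather than keep it in memory.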
6. NIST 800-171 3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
Out of the box, PAM solutions support AD, Duo and various other Multi-Factor Authentication (MFA) techniques. One critical issue to keep in mind is how much user friction is introduced by implementing MFA. Users must choose solutions that let them layer MFA while actually making life easier for employees. As an example, think about using geofencing for non-critical assets. For critical assets, look for the ability to layer multiple, intuitive MFA techniques, such as combining fingerprints with shaking of the phone. This lets you put the right amount of MFA in front of a resource, depending on how critical it is.
7. NIST 800-171 3.5.4 Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
PAM solutions render replayed credentials useless. They take control of credentials, keys and tokens and make sure that after every access, or every few hours or days (depending on the settings), credentials, keys and more are rotated. Furthermore, generated passwords and keys can be significantly stronger than human-chosen ones. A PAM solution can thus make sure that even if an attacker has somehow recovered the credential information for a single session, they cannot simply reuse it for their own purposes.
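The two mechanisms behind item 7, rotating a managed secret after each checkout and using a challenge-response login that binds each proof to a fresh nonce, are shown below in an added example that is not code from the original article or from any PAM product. The `Vault`, `Target`, account name and user are constructed for illustration; a real vault would push the rotated value to the target over an authenticated channel rather than share a Python object with it.

```python
"""Added illustration (not any vendor's product code): a vault that rotates a
managed secret when a checkout ends, plus a nonce-based challenge-response login,
so that neither a captured password nor a captured response can be replayed."""
import hashlib
import hmac
import secrets


class Vault:
    """Owns the secret for each managed account; rotates it when a checkout ends."""
    def __init__(self, accounts):
        self._secrets = {a: secrets.token_urlsafe(32) for a in accounts}
        self.audit = []

    def current(self, account):
        # The managed target is provisioned with this value after every rotation.
        return self._secrets[account]

    def checkout(self, user, account):
        self.audit.append((user, account, "checkout"))
        return self._secrets[account]

    def checkin(self, user, account):
        # Rotation: whatever the user (or an eavesdropper) saw is now dead.
        self._secrets[account] = secrets.token_urlsafe(32)
        self.audit.append((user, account, "rotated"))


class Target:
    """A managed server whose local credential is kept in sync by the vault."""
    def __init__(self, vault, account):
        self.vault = vault
        self.account = account
        self.seen_nonces = set()

    def password_login(self, password):
        # Static credential check; only defeats replay once the vault has rotated.
        return hmac.compare_digest(password, self.vault.current(self.account))

    def challenge(self):
        return secrets.token_bytes(16)      # fresh nonce per login attempt

    def verify(self, nonce, response):
        if nonce in self.seen_nonces:
            return False                    # same nonce twice is a replay
        self.seen_nonces.add(nonce)
        expected = hmac.new(self.vault.current(self.account).encode(),
                            nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def respond(secret, nonce):
    """Client side of the challenge-response: prove knowledge of the current secret."""
    return hmac.new(secret.encode(), nonce, hashlib.sha256).digest()


def demo():
    """Constructed scenario: user 'bob' checks out the 'svc_backup' account twice."""
    vault = Vault(["svc_backup"])
    target = Target(vault, "svc_backup")

    # 1. Static credential: valid during the checkout, useless after rotation.
    pw = vault.checkout("bob", "svc_backup")
    live = target.password_login(pw)
    vault.checkin("bob", "svc_backup")
    replayed_password = target.password_login(pw)

    # 2. Challenge-response: a captured response is bound to one nonce.
    pw2 = vault.checkout("bob", "svc_backup")
    nonce = target.challenge()
    resp = respond(pw2, nonce)
    fresh = target.verify(nonce, resp)
    replay_same_nonce = target.verify(nonce, resp)
    replay_new_nonce = target.verify(target.challenge(), resp)
    vault.checkin("bob", "svc_backup")

    return {"live": live, "replayed_password": replayed_password,
            "fresh": fresh, "replay_same_nonce": replay_same_nonce,
            "replay_new_nonce": replay_new_nonce,
            "rotations": sum(1 for _, _, event in vault.audit if event == "rotated")}
```

Rotation alone leaves a window between checkout and check-in during which a captured static password still works; the nonce-bound exchange closes that window because the proof is only good for the one challenge it answers, which is the property 3.5.4 asks for.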
In this article we have discussed NIST 800-171 and offered a perspective on how a PAM solution can help you satisfy certain critical criteria of this regulation.
Also published on Medium.