Privileged Account Management For The Financial Services Sector - NIST

NIST SPECIAL PUBLICATION 1800-18B

Privileged Account Management for the Financial Services Sector

Volume B: Approach, Architecture, and Security Characteristics

Karen Waltermire
National Cybersecurity Center of Excellence
Information Technology Laboratory

Tom Conroy
Marisa Harriston
Chinedum Irrechukwu
Navaneeth Krishnan
James Memole-Doodson
Benjamin Nkrumah
Harry Perper
Susan Prince
Devin Wynne
The MITRE Corporation
McLean, VA

September 2018

DRAFT

This publication is available free of charge /privileged-account-management

DISCLAIMER

Certain commercial entities, equipment, products, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST or NCCoE, nor is it intended to imply that the entities, equipment, products, or materials are necessarily the best available for the purpose.

National Institute of Standards and Technology Special Publication 1800-18B, Natl. Inst. Stand. Technol. Spec. Publ. 1800-18B, 83 pages, September 2018, CODEN: NSPUE2

FEEDBACK

You can improve this guide by contributing feedback. As you review and adopt this solution for your own organization, we ask you and your colleagues to share your experience and advice with us.

Comments on this publication may be submitted to: financial nccoe@nist.gov.

Public comment period: September 28, 2018 through November 30, 2018

All comments are subject to release under the Freedom of Information Act (FOIA).

National Cybersecurity Center of Excellence
National Institute of Standards and Technology
100 Bureau Drive
Mailstop 2002
Gaithersburg, MD 20899
Email: nccoe@nist.gov

NIST SP 1800-18B: Privileged Account Management for the Financial Services Sector 1

NATIONAL CYBERSECURITY CENTER OF EXCELLENCE

The National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of Standards and Technology (NIST), is a collaborative hub where industry organizations, government agencies, and academic institutions work together to address businesses' most pressing cybersecurity issues. This public-private partnership enables the creation of practical cybersecurity solutions for specific industries, as well as for broad, cross-sector technology challenges. Through consortia under Cooperative Research and Development Agreements (CRADAs), including technology partners, from Fortune 50 market leaders to smaller companies specializing in information technology (IT) security, the NCCoE applies standards and best practices to develop modular, easily adaptable example cybersecurity solutions using commercially available technology. The NCCoE documents these example solutions in the NIST Special Publication 1800 series, which maps capabilities to the NIST Cybersecurity Framework and details the steps needed for another entity to recreate the example solution. The NCCoE was established in 2012 by NIST in partnership with the State of Maryland and Montgomery County, Md.

To learn more about the NCCoE, visit https://www.nccoe.nist.gov/. To learn more about NIST, visit https://www.nist.gov.

NIST CYBERSECURITY PRACTICE GUIDES

NIST Cybersecurity Practice Guides (Special Publication Series 1800) target specific cybersecurity challenges in the public and private sectors. They are practical, user-friendly guides that facilitate the adoption of standards-based approaches to cybersecurity. They show members of the information security community how to implement example solutions that help them align more easily with relevant standards and best practices, and provide users with the materials lists, configuration files, and other information they need to implement a similar approach.

The documents in this series describe example implementations of cybersecurity practices that businesses and other organizations may voluntarily adopt. These documents do not describe regulations or mandatory practices, nor do they carry statutory authority.

ABSTRACT

Privileged account management (PAM) is a domain within identity and access management (IdAM) that focuses on monitoring and controlling the use of privileged accounts. Privileged accounts include local and domain administrative accounts, emergency accounts, application management, and service accounts. These powerful accounts provide elevated, often nonrestricted, access to the underlying IT resources and technology, which is why external and internal malicious actors seek to gain access to them. Hence, it is critical to monitor, audit, control, and manage privileged account usage. Many organizations, including financial sector companies, face challenges in managing privileged accounts.

The goal of this project is to demonstrate a PAM capability that effectively protects, monitors, and manages privileged account access, including life-cycle management, authentication, authorization, auditing, and access controls.

KEYWORDS

Access control, auditing, authentication, authorization, life-cycle management, multifactor authentication, PAM, privileged account management, provisioning management

ACKNOWLEDGMENTS

We are grateful to the following individuals for their generous contributions of expertise and time.

Name                 Organization
Dan Morgan           Bomgar (formerly Lieberman Software)
David Weller         Bomgar (formerly Lieberman Software)
Oleksiy Bidniak      Ekran System
Oleg Shomonko        Ekran System
Karl Kneis           IdRamp
Eric Vinton          IdRamp
Michael Fagan        NIST
Will LaSala          OneSpan (formerly VASCO)
Michael Magrath      OneSpan (formerly VASCO)
Jim Chmura           Radiant Logic
Don Graham           Radiant Logic
Timothy Keeler       Remediant
Paul Lanzi           Remediant
Michael Dalton       RSA
Timothy Shea         RSA
Adam Cohn            Splunk
Pam Johnson          TDi Technologies
Clyde Poole          TDi Technologies
Sallie Edwards       The MITRE Corporation
Sarah Kinling        The MITRE Corporation

The Technology Partners/Collaborators who participated in this build submitted their capabilities in response to a notice in the Federal Register. Respondents with relevant capabilities or product components were invited to sign a Cooperative Research and Development Agreement (CRADA) with NIST, allowing them to participate in a consortium to build this example solution. We worked with:

Technology Partner/Collaborator          Build Involvement
Bomgar (formerly Lieberman Software)     Red Identity Suite
Ekran System                             Ekran System Client
IdRamp                                   Secure Access
OneSpan (formerly VASCO)                 DIGIPASS
Radiant Logic                            RadiantOne FID
Remediant                                SecureONE
RSA                                      SecurID Access
Splunk                                   Splunk Enterprise
TDi Technologies                         ConsoleWorks

Contents

3.4.1 Assessing Risk Posture ........ 10
3.4.2 Security Control Map ........ 11
4.1.1 High-Level Architecture ........ 26
4.1.2 Reference Design ........ 27
5.5.1 Typical Administrator (Directory, Cloud Service, Etc.) ........ 39
5.5.2 Security Analyst ........ 40
5.5.3 Business-Critical/High-Value Application Access ........ 41
6.4.1 Supported Cybersecurity Framework Subcategories ........ 49
6.5.1 Securing New Attack Surfaces ........ 57
6.5.2 Securing Access to the LDAP Directory ........ 59
6.5.3 Securing Access to the Policy Management Capability ........ 59
6.5.4 Securing Access to the User Interface (Access Control) Capability ........ 59
6.5.5 Securing Password Vault Capability ........ 60
6.5.6 Securing Emergency Access Capability ........ 60
6.5.7 Securing Access to the Security Monitoring and Analytics Capability ........ 60
6.5.8 Ensuring Information Integrity ........ 60
6.5.9 Protecting Privileged Accounts ........ 61
6.5.10 Preventing Insider Threats ........ 61
6.5.11 Addressing Attacks ........ 62
6.5.12 User Behavior Analytics ........ 63
6.6.1 Patch, Harden, Scan, and Test ........ 64
6.6.2 Other Security Best Practices ........ 65
6.6.3 Deployment Phases ........ 66
6.6.4 Policy Recommendations ........ 67
7.1.1 PAM Use Case Requirements ........ 69
7.1.2 Test Case: PAM-1 ........ 70
7.1.3 Test Case: PAM-2 ........ 72
7.1.4 Test Case: PAM-3 ........ 73
7.1.5 Test Case: PAM-4 ........ 74
7.1.6 Test Case: PAM-5 ........ 75
7.1.7 Test Case: PAM-6 ........ 76
7.1.8 Test Case: PAM-7 ........ 77
7.1.9 Test Case: PAM-8 ........ 78
Appendix A List of Acronyms ........ 80
Appendix B References ........ 82

List of Figures

Figure 4-1 High-Level Architecture ........ 26
Figure 4-2 PAM Reference Design ........ 27
Figure 5-1 Example Implementation 1: Application Layer PAM Architecture (Option 1) ........ 32
Figure 5-2 Example Implementation 1: Application Layer PAM Architecture (Option 2) ........ 33
Figure 5-3 Example Implementation 2: Organization Infrastructure PAM Architecture ........ 34
Figure 5-4 Example Implementation 3: SIEM Architecture ........ 37
Figure 5-5 Security Monitoring Implementation Architecture ........ 39

List of Tables

Table 3-1 PAM Reference Design Cybersecurity Framework Core Components Map ........ 12
Table 3-2 FFIEC CAT Guidance ........ 18
Table 3-3 Products and Technologies ........ 22
Table 5-1 Example Implementation Component List ........ 30
Table 6-1 PAM Reference Design Capabilities and Supported Cybersecurity Framework Subcategories ........ 44
Table 7-1 Test Case Fields ........ 68
Table 7-2 PAM Functional Requirements ........ 69
Table 7-3 Test Case ID: PAM-1 ........ 70
Table 7-4 Test Case ID: PAM-2 ........ 72
Table 7-5 Test Case ID: PAM-3 ........ 73
Table 7-6 Test Case ID: PAM-4 ........ 74
Table 7-7 Test Case ID: PAM-5 ........ 75
Table 7-8 Test Case ID: PAM-6 ........ 76
Table 7-9 Test Case ID: PAM-7 ........ 77
Table 7-10 Test Case ID: PAM-8 ........ 78

1 Summary

Financial organizations rely on privileged accounts to enable authorized users, such as systems administrators, to perform essential duties that ordinary users are not authorized to perform [1]. For example, system administrators use privileged "super user" accounts to manage information technology (IT) infrastructures and resources or to access high-value applications (e.g., payment systems, accounting systems) and core systems (e.g., human resources, database access, access control).

Despite being the "keys to the kingdom," these privileged accounts rarely receive direct oversight or technical control of how they are used. The lack of oversight and technical control poses a substantial operational and financial risk for organizations. If used improperly, privileged accounts can cause much damage, including data theft, espionage, sabotage, or ransom, often without notice. Privilege misuse is a major contributor to reported cyber incidents, with estimates of as much as 80 percent of all data breaches [2]. Malicious external actors can gain unauthorized access to privileged accounts through various techniques, including leveraging stolen credentials, malware, social engineering schemes, or default passwords. In addition, there are occasional instances of disgruntled employees who abuse their accounts, even after they have left the company. Honest employees or contractors can also cause damage and downtime by making accidental mistakes with privileged accounts, even though that access was unnecessary for them to perform their work.

Organizations must harden themselves against these operational and reputational risks by implementing policies and technologies that detect and prevent the misuse of privileged accounts by external and internal actors. This combination of detection and prevention technologies and policies is referred to as privileged account management (PAM).
PAM systems typically use one of two techniques for controlling account access and use: account escalation or account sharing. The account escalation technique grants each user's personal account the privileged activity it is authorized for only for the duration of the session with the target system, based on organizational policy. The account sharing technique uses a set of privileged accounts that are shared among the authorized privileged users via the PAM system, which brokers access to those accounts.

Managing the access and use of privileged accounts is difficult without proper planning and tools. The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) built a laboratory environment to explore methods to manage and monitor the use of privileged accounts by authorized users as they perform their normal activities, as well as techniques to protect against and detect the unauthorized use of privileged accounts. NIST Special Publication (SP) 800-171 [1], Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, defines a privileged user as "a user that is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform." Privileged accounts are utilized in managing IT infrastructures, resources, and applications, as well as access to, and the use of, high-value applications like payment systems, accounting systems, and social media accounts.
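The two techniques named above, account sharing through a vault and per-user account escalation, are easy to confuse, so here is a small model of both. This is an added example, not code from the NCCoE build or from any product in this guide; the policy tables, account names, users, session lifetime and timestamps are constructed for the illustration. It shows the point that matters for accountability: with account sharing, the vault hands out the shared password per approved session and rotates it at check-in, so a person never keeps a credential beyond the session, and every checkout is logged against a named user; with escalation, the person keeps their own account and the privilege itself expires.

```python
"""Model of the two PAM techniques: account sharing (vault) and account
escalation. Added illustration, not code from the NCCoE build. All policy
data, account names and times below are constructed for the example."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import secrets

# Constructed policy. Shared accounts: which users may check each one out.
SHARED_ACCOUNT_POLICY = {"db-admin": {"alice", "bob"}}
# Escalation: which privileged role each personal account may assume.
ESCALATION_POLICY = {"alice": {"backup-operator"}, "carol": {"backup-operator"}}
SESSION_TTL = timedelta(minutes=30)   # assumed maximum session length


@dataclass
class Session:
    user: str        # the person accountable for the activity
    principal: str   # account actually presented to the target system
    privilege: str   # shared account name or escalated role
    started: datetime
    expires: datetime

    def is_active(self, now):
        return self.started <= now < self.expires


class PamVault:
    """Account-sharing technique: shared privileged passwords live only in
    the vault, are released per approved session, and are rotated at
    check-in so knowledge of a password does not outlive the session.
    Every checkout and check-in is logged against a named user."""

    def __init__(self):
        self._passwords = {acct: secrets.token_urlsafe(24)
                           for acct in SHARED_ACCOUNT_POLICY}
        self._active = {}   # shared account -> Session currently holding it
        self.audit = []     # (event, user, account, time) tuples

    def checkout(self, user, account, now):
        if user not in SHARED_ACCOUNT_POLICY.get(account, set()):
            self.audit.append(("DENY", user, account, now))
            raise PermissionError(f"{user} may not use {account}")
        held = self._active.get(account)
        if held is not None and held.is_active(now):
            raise RuntimeError(f"{account} is already checked out by {held.user}")
        sess = Session(user, account, account, now, now + SESSION_TTL)
        self._active[account] = sess
        self.audit.append(("CHECKOUT", user, account, now))
        return sess, self._passwords[account]

    def checkin(self, sess, now):
        """End the session and rotate the password; returns True when the
        credential released at checkout is no longer valid."""
        self._active.pop(sess.principal, None)
        old = self._passwords[sess.principal]
        self._passwords[sess.principal] = secrets.token_urlsafe(24)
        self.audit.append(("CHECKIN", sess.user, sess.principal, now))
        return self._passwords[sess.principal] != old


def escalate(user, role, now):
    """Account-escalation technique: the user keeps their personal account
    and holds the privileged role only until the session expires."""
    if role not in ESCALATION_POLICY.get(user, set()):
        raise PermissionError(f"{user} may not escalate to {role}")
    return Session(user, user, role, now, now + SESSION_TTL)


if __name__ == "__main__":
    vault = PamVault()
    t0 = datetime(2018, 9, 28, 9, 0)   # constructed clock
    sess, pw = vault.checkout("alice", "db-admin", t0)
    print(f"alice holds db-admin until {sess.expires:%H:%M}")
    vault.checkin(sess, t0 + timedelta(minutes=10))
    print("password rotated:", vault.checkout("bob", "db-admin", t0)[1] != pw)
    esc = escalate("alice", "backup-operator", t0)
    print("escalation active at 09:31?", esc.is_active(t0 + timedelta(minutes=31)))
    for entry in vault.audit:
        print(entry)
```

Either technique keeps a person's name attached to every privileged action, which is what raw credential sharing destroys; the audit list here is the record a SIEM would later correlate with logins on the target hosts.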

The reference design and example solutions outlined in this guide describe example solutions built in the NCCoE lab. After reading this NIST Cybersecurity Practice Guide, an organization should be able to implement a PAM system that effectively monitors and manages privileged accounts. The solutions built in the NCCoE lab are not the only combination of technologies that can address this issue. They are examples demonstrating that off-the-shelf and open-source technologies are available to implement PAM.

The goals of this NIST Cybersecurity Practice Guide are to help organizations confidently:

- control access to, and the use of, privileged accounts (both on-premises and in the cloud)
- manage and monitor the activity of privileged accounts
- audit the activity of privileged accounts
- receive alerts or notifications when privileged accounts are used for unauthorized or out-of-policy activities
- encourage personal accountability among the users of privileged accounts
- enforce stringent policies for "least privilege" and separation of duties

For ease of use, a short description of the different sections of this volume is provided below:

- Section 1, Summary, presents the challenges addressed by the NCCoE project, with a look at the solution demonstrated to address the challenge, as well as benefits of the solution. This section also explains how to provide feedback on this guide.
- Section 2, How to Use This Guide, explains how readers (business decision makers, program managers, cybersecurity practitioners, and IT professionals such as systems administrators) might use each volume of this guide.
- Section 3, Approach, offers a detailed treatment of the scope of the project. This section also describes the assumptions on which the security architecture development was based; the risk assessment that informed architecture development; and the NIST Cybersecurity Framework [3] functions supported by each component of the architecture and reference design, which industry collaborators contributed to support in building, demonstrating, and documenting the solution. This section also includes a mapping of the Cybersecurity Framework subcategories to other industry guidance, and identifies the products used to address each subcategory.
- Section 4, Architecture, describes the usage scenarios supported by the project architecture and reference design, as well as the capability descriptions, including a description of the relationship among the capabilities.
- Section 5, Example Implementations, provides in-depth descriptions of the implementations developed in the NCCoE's lab environment.

- Section 6, Security Characteristics Analysis, analyzes how to secure the components within the solution and minimize any vulnerabilities that they might have. This section also explains how the architecture addresses the security goals of the project.
- Section 7, Functional Evaluation, summarizes the test cases that we employed to demonstrate the example implementations' functionality and the Cybersecurity Framework functions to which each test case is relevant.

1.1 Challenge

In modern financial organizations, employees need access to a variety of applications, resources, and systems to ensure efficient business operations and meaningful customer experiences. Employees often access those systems through user accounts, commonly secured by usernames and passwords. Not all accounts are created equal, however. Some accounts, known as privileged accounts, are authorized to perform actions that ordinary accounts do not have authorization to perform. These privileged accounts provide elevated, often unrestricted, access to corporate resources and critical systems (the "crown jewels") beyond what a regular user would have. IT administrators and managers use these privileged accounts to perform system-critical actions, including maintenance, system management, and access control.

Privileged accounts pose significant operational, legal, and reputational risk to organizations if not secured effectively. The accounts become the virtual "keys to the kingdom," permitting unfettered access to many, if not all, systems within an organization.

The core risk of privileged accounts is that an organization faces significant damage to business operations if the accounts are misused for malicious or erroneous purposes. Malicious external attackers understand the value of privileged accounts and target them to maximize their access to the data, applications, and infrastructure of an organization, putting the organization at risk of data breach, espionage, sabotage, or ransom. Further, malicious actors may also be able to leverage privileged accounts to bypass, defeat, or otherwise render inoperable other cybersecurity or legal compliance protections that protect critical systems or data.

The risk of privileged accounts is not limited to malicious external actors. Though relatively infrequent, there are instances of disgruntled employees leveraging their own or colleagues' privileged accounts for malicious purposes, including exfiltrating sensitive data, industrial sabotage, or creating technical backdoors that they or others can abuse after leaving the organization. Although less malicious, there are also instances in which well-meaning employees make mistakes while using their privileged accounts; these unintentional mistakes can cause significant disruption, which can influence business operations and customer satisfaction.

Managing access to, and the use of, privileged accounts is difficult without planning and tools. This practice guide provides the much-needed guidance and examples that financial institutions can use to reduce the risk of privileged accounts in their organization.

1.2 Solution

Organizations require a PAM solution that appropriately secures privileged accounts and enforces organizational policies for privileged account use. The NCCoE developed a PAM reference design that addresses these issues, providing control, oversight, and management of privileged accounts. The reference design outlines how monitoring, auditing, and authentication controls can combine to prevent unauthorized access to privileged accounts and allow rapid detection of their unapproved use.

The NCCoE developed example solutions, based on the reference design, that incorporate appropriate, commercially available technologies to manage and control the use of privileged accounts. The solutions are composed of multiple systems working together to enforce organizational access policies and to protect privileged accounts from misuse. These example solutions illustrate the various technical approaches available for PAM and the multiple areas of an organization (e.g., infrastructure, applications, cloud services, security monitoring) that can be considered for policy enforcement. This guide will also explain the importance of implementing policies, such as least privilege and separation of duties, for accounts that provide access to the data, applications, and infrastructure across an organization.

The NCCoE sought existing technologies that provided the following capabilities:

- privileged account control (password management and privilege escalation techniques)
- multifactor authentication (MFA)
- support for both on-premises and cloud business systems
- event logging (e.g., access requests, logins, users)
- password management (including hiding passwords from users)
- policy management
- emergency/break-glass access
- log management (analytics, storage, alerting)
- user behavior analytics (UBA)

While the NCCoE used a suite of commercial products to address this cybersecurity challenge, this guide does not endorse these particular products, nor does it guarantee compliance with any regulatory initiatives. Your organization's information security experts should identify the products that will best integrate with your existing tools and IT system infrastructure. Your organization can adopt this solution or one that adheres to these guidelines in whole, or you can use this guide as a starting point for tailoring and implementing parts of the design to the needs of your organization and its risk management decisions.
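The event logging, log management (alerting) and emergency/break-glass capabilities in the list above, together with the Summary's goal of alerting on out-of-policy use, come down to one correlation: every login by a privileged account on a target host must match a session the PAM system approved. The following is an added example of that detection logic, not code from the NCCoE build or from Splunk, Ekran or any other listed product. The sshd-style log layout, the approved-session records, the account and host names and the timestamps are all constructed for the illustration; the regular expression is written for that constructed layout only.

```python
"""Correlate privileged logins in a host log with PAM-approved sessions and
raise alerts for anything outside policy. Added illustration, not NCCoE
or vendor code; log format, accounts, hosts and times are constructed."""
import re
from datetime import datetime

PRIVILEGED_ACCOUNTS = {"root", "db-admin", "svc-backup"}
BREAK_GLASS_ACCOUNTS = {"emergency-admin"}   # permitted, but every use alerts

# Constructed PAM approval records: (account, accountable user, start, end).
PAM_SESSIONS = [
    ("db-admin", "alice",
     datetime(2018, 9, 28, 9, 0), datetime(2018, 9, 28, 9, 30)),
]

# Constructed sshd-style host log (layout assumed for this example).
AUTH_LOG = """\
2018-09-28T09:05:12 dbhost sshd[4121]: Accepted publickey for db-admin from 10.1.2.3 port 50123 ssh2
2018-09-28T09:45:03 dbhost sshd[4310]: Accepted password for db-admin from 10.1.2.3 port 50199 ssh2
2018-09-28T10:02:44 apphost sshd[2201]: Accepted password for root from 10.9.9.9 port 41000 ssh2
2018-09-28T10:03:00 apphost sshd[2202]: Accepted publickey for emergency-admin from 10.1.2.7 port 41001 ssh2
2018-09-28T10:04:00 apphost sshd[2203]: Accepted publickey for dave from 10.1.2.8 port 41002 ssh2
2018-09-28T10:05:01 dbhost sshd[4400]: Failed password for svc-backup from 10.9.9.9 port 41003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) "
    r"\S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")


def parse_log(text):
    """Return one dict per parseable line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def approved_by(account, ts, sessions=PAM_SESSIONS):
    """The accountable person whose PAM session covers this login, or None."""
    for acct, user, start, end in sessions:
        if acct == account and start <= ts < end:
            return user
    return None


def find_alerts(events, sessions=PAM_SESSIONS):
    """Policy: a privileged login must fall inside an approved PAM session;
    failed privileged logins and any break-glass use always alert;
    ordinary user logins are out of scope here."""
    alerts = []
    for ev in events:
        user, ts = ev["user"], ev["ts"]
        if user in BREAK_GLASS_ACCOUNTS:
            alerts.append(("break-glass-used", user, ev["host"], ts))
        elif user in PRIVILEGED_ACCOUNTS:
            if ev["result"] == "Failed":
                alerts.append(("privileged-login-failed", user, ev["host"], ts))
            elif approved_by(user, ts, sessions) is None:
                alerts.append(("privileged-login-outside-session", user, ev["host"], ts))
    return alerts


def attribute(events, sessions=PAM_SESSIONS):
    """Map each approved privileged login back to the named person, which is
    the accountability a shared account otherwise loses."""
    out = []
    for ev in events:
        if ev["user"] in PRIVILEGED_ACCOUNTS and ev["result"] == "Accepted":
            person = approved_by(ev["user"], ev["ts"], sessions)
            if person is not None:
                out.append((ev["user"], person, ev["ts"]))
    return out


if __name__ == "__main__":
    evs = parse_log(AUTH_LOG)
    for kind, acct, host, ts in find_alerts(evs):
        print(f"ALERT {ts:%H:%M:%S} {kind}: {acct} on {host}")
    for acct, person, ts in attribute(evs):
        print(f"{ts:%H:%M:%S} {acct} used by {person} under an approved session")
```

On the constructed input this raises four alerts: the 09:45 db-admin login falls after alice's session ended, root on apphost has no session at all, the emergency account was used, and a privileged login failed from the same source that later logged in as root. The 09:05 db-admin login is attributed to alice. A real deployment would feed the same logic from the PAM product's session export and the SIEM's normalized events rather than a literal string.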

In developing our reference design, we used portions of the following standards and guidance, which can also provide your organization with relevant standards and best practices:

- NIST SP 800-171 Rev. 1: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations [1]
- NIST Framework for Improving Critical Infrastructure Cybersecurity (commonly known as the NIST Cybersecurity Framework) [3]
- NIST SP 800-30 Rev. 1: Guide for Conducting Risk Assessments [4]
- NIST SP 800-37 Rev. 1: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach [5]
- NIST SP 800-39: Managing Information Security Risk [6]
- NIST SP 800-53 Rev. 4: Security and Privacy Controls for Federal Information Systems and Organizations [7]
- Federal Information Processing Standards (FIPS) 140-2: Security Requirements for Cryptographic Modules [8]
- NIST SP 800-92: Guide to Computer Security Log Management [9]
- NIST SP 800-100: Information Security Handbook: A Guide for Managers [10]
- Office of Management and Budget (OMB), Circular Number A-130: Managing Information as a Strategic Resource [11]
- Federal Financial Institutions Examination Council (FFIEC), Cybersecurity Assessment Tool (CAT) [12]
- NIST SP 800-63B: Digital Identity Guidelines: Authentication and Lifecycle Management [13]

1.3 Benefits

Implementing a PAM system is an essential way for financial institutions to effectively secure, manage, control, and audit the activities of privileged accounts. A properly implemented and administered PAM system can help an organization meet compliance requirements; limit the opportunity for, and reduce the damage that, users of privileged accounts, whether authorized or unauthorized, can cause; and improve the enforcement of an organization's access policies.

The NCCoE's practice guide can help an organization:

- identify vulnerabilities and manage enterprise risk factors within the organization (consistent with the foundations of the NIST Cybersecurity Framework) [3]
- reduce the opportunity for a successful attack by improving control over privileged accounts
- improve efficiencies by reducing complexity associated with managing privileged accounts

- maintain the integrity and availability of data and systems that are critical to supporting business operations and revenue-generating activities
- reduce the impact of insider and external threats and other malicious or unintentional activity utilizing privileged accounts and accessing business-critical systems
- develop an implementation plan for PAM
- automate the enforcement of existing access policies

2 How to Use This Guide

This NIST Cybersecurity Practice Guide demonstrates a standards-based reference design and provides users with the information they need to replicate a solution for managing privileged accounts. This reference design is modular and can be deployed in whole or in part.

This guide contains three volumes:

- NIST SP 1800-18A: Executive Summary
- NIS
