Best practices for controlling contractors and privileged users who access your critical IT infrastructure
Glenn Hazard
Government agencies are more dependent than ever on computer systems to carry out their missions. From providing citizens access to public information over the Web to processing and accounting for trillions of dollars in spending, computer systems permeate virtually every aspect of government work.
At the same time, federal departments, such as the Department of Defense (DoD) and the Department of Homeland Security (DHS), have increasingly turned to contractors to fill key roles and perform many critical IT functions, such as network administration, configuration management and user provisioning. One need not look very far to find a multi-year, multimillion-dollar contract awarded to one company or another to provide strategic IT services to a government agency.
These parallel trends have raised concerns about the proper balance between an agency’s need to secure its computer operations and assets, and the contractor’s need for system access to perform its tasks.
Gregory Wilshusen, Director of Information Security Issues at the Government Accountability Office (GAO), recently identified access control as one of five major weaknesses that continue to impair the government’s ability to ensure the confidentiality, integrity and availability of critical information and information systems. The GAO report, Cybersecurity: Progress Made but Challenges Remain in Defining and Coordinating the Comprehensive National Cybersecurity Initiative, states it “is unlikely to be fully successful without addressing identity management and authentication.”
The contractors assigned the tasks of configuring and operating an agency’s IT infrastructure are, like their internal counterparts, a privileged user community with elevated rights who, by the nature of their access, pose a higher risk to security. The risk could come from unintentional actions, such as a misconfigured device, or from intentional actions, such as downloading classified information. Therefore, it is important to ensure that users are contained to only the specific resources they need to perform their jobs. Moreover, the agency must be able to track, by user identity, who is doing or did what, in order to provide accountability under the Federal Information Security Management Act, or FISMA, and other pertinent regulations.
Traditional access control solutions focus on authenticating and then providing users access to systems, rather than granularly containing them to authorized resources. Such an approach provides users, once they are authenticated, the proverbial “keys to the kingdom.” In addition, the lack of identity-based controls can lead to cases of mistaken identity. Unfortunately, identity is one of several critical concerns that legacy access control systems do not adequately address. Other key areas include user monitoring and auditing.
Now, there is a next generation of access solutions that evolved from the need to manage a smaller group of privileged users with elevated rights, such as the contracted IT workers, who are accessing critical infrastructure and sensitive data. These systems provide an efficient, cost-effective way to integrate strong network controls that offer significant security and compliance benefits. The technical and functional requirements for next-generation solutions map to the best practices for access control strategies, which require organizations to:
Right-size permissions, based on a model of zero trust. Agencies should re-evaluate their access policies to ensure they are no more liberal than the needs of their business dictate and FISMA prescribes. Access permissions for all users, and especially for higher-risk users or users with elevated rights, should be set to “deny all,” unless specifically required for a defined job role. Taking it a step further, those users who are granted permission should be closely monitored. This “zero trust” model allows an agency to comply with FISMA mandates, even when dealing with outsourced personnel.
Be identity aware. Agencies should create very granular access policies for individuals whose jobs dictate a need for access by integrating with existing authentication and directory systems. This streamlines the policy creation and maintenance process and allows the agency to have one authoritative authentication system. It also allows the agency to track a user by his or her identity, end to end, to ensure compliance with varying mandates.
Implement fine-grained enforcement. Once an agency has identified the specific set of users (for example, those who have the ability to change settings, reconfigure devices or access sensitive information), it is important to contain these users to their specified resources and carefully monitor their activities, enforce policies and remediate problems in real time. The next generation of access solutions on the market today can help perform these tasks.
Utilize integrated audit capabilities to validate controls. FISMA controls dictate that actions taken on critical data and systems must be performed by, and can be traced to, known and authorized users. An agency also may have other security, operational and internal or external compliance requirements. Modern tools include integrated reporting and auditing capabilities that help an agency review and validate its controls to ensure compliance and a secure environment.
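The four practices above, sketched as an added example (not from the original article or any product): a default-deny gateway resolves each request to a directory identity and job role, records every decision against that identity, and uses the audit trail to flag grants that were never exercised as candidates for right-sizing. The identities, roles and resource names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data: directory identities mapped to job roles.
DIRECTORY = {"jdoe-ctr": "network-admin", "asmith-ctr": "provisioning"}

# Role -> (resource, action) pairs required for the job role.
# Anything not listed here is denied ("deny all" by default).
ROLE_GRANTS = {
    "network-admin": {("core-router", "configure"), ("core-router", "read"),
                      ("hr-db", "read")},
    "provisioning": {("directory", "create-user")},
}

@dataclass
class Gateway:
    audit: list = field(default_factory=list)

    def request(self, user, resource, action):
        """Decide one request and record it against the user's identity."""
        role = DIRECTORY.get(user)  # unknown identity resolves to no role
        allowed = (resource, action) in ROLE_GRANTS.get(role, set())
        self.audit.append({"user": user, "role": role, "resource": resource,
                           "action": action, "allowed": allowed})
        return allowed

def untraceable(audit):
    """Allowed actions that cannot be tied to a known directory identity."""
    return [e for e in audit if e["allowed"] and e["user"] not in DIRECTORY]

def unused_grants(audit):
    """Grants never exercised in the audit trail: candidates for removal."""
    used = {(e["role"], e["resource"], e["action"]) for e in audit if e["allowed"]}
    return sorted((role, res, act) for role, grants in ROLE_GRANTS.items()
                  for res, act in grants if (role, res, act) not in used)

def denied_by_user(audit):
    """Denied attempts per identity, for monitoring higher-risk users."""
    counts = {}
    for e in audit:
        if not e["allowed"]:
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    return counts

def demo():
    gw = Gateway()
    gw.request("jdoe-ctr", "core-router", "configure")    # within role
    gw.request("jdoe-ctr", "finance-db", "read")          # outside role
    gw.request("asmith-ctr", "directory", "create-user")  # within role
    gw.request("unknown", "core-router", "read")          # no identity
    return gw

if __name__ == "__main__":
    gw = demo()
    print(unused_grants(gw.audit), denied_by_user(gw.audit), untraceable(gw.audit))
```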