April 2017 Digital Edition

Click Here

March 2017 Digital Edition

Click Here

Feb. 2017 Digital Edition

Click Here

January 2017 Digital Edition

Click Here

Nov/Dec 2016 Digital Edition

Click Here

Oct 2016 Digital Edition

Click Here

Technology Sectors

Market Sectors

Best practices for controlling contractors and privileged users who access your critical IT infrastructure

Glenn Hazard

Government agencies are more dependent than ever on computer systems to carry out their missions. From providing citizens access to public information over the Web to processing and accounting for trillions of dollars in spending, computer systems permeate virtually every aspect of government work.

At the same time, federal departments – such as the Department of Defense (DoD) and the Department of Homeland Security (DHS) -- have increasingly turned to contractors to fill key roles and perform many critical IT functions, such as network administration, configuration management and user provisioning. One need not look very far to find a multi-year, multi-million dollar contract awarded to one company or another to provide strategic IT services to a government agency.

These parallel trends have raised concerns about the proper balance between an agency’s need to secure its computer operations and assets, and the contractor’s need for system access to perform its tasks. 

Gregory Wilshusen, Director of Information Security Issues at the Government Accountability Office (GAO), recently identified access control as one of five major weaknesses that continue to impair the government’s ability to ensure the confidentiality, integrity and availability of critical information and information systems. The GAO report, Cybersecurity: Progress Made but Challenges Remain in Defining and Coordinating the Comprehensive National Cybersecurity Initiative, states it “is unlikely to be fully successful without addressing identity management and authentication.”

The contractors that are assigned the tasks of configuring and operating an agency’s IT infrastructure are, like their internal counterparts, a privileged user community with elevated rights who by nature of their access pose a higher risk to security. The risk could come from unintentional actions, such as a mis-configured device, or from intentional actions, such as downloading classified information. Therefore, it is important to ensure that users are contained to only the specific resources they need to perform their jobs. Moreover, the agency must be able to track, by user identity, who is doing or did what, in order to provide accountability under the Federal Information Security Management Act, or FISMA, and other pertinent regulations.

Traditional access control solutions focus on authenticating and then providing users access to systems, rather than granularly containing them to authorized resources. Such an approach provides users, once they are authenticated, the proverbial “keys to the kingdom.” In addition, the lack of identity-based controls also can lead to cases of mistaken identity. Unfortunately, identity is one of several critical concerns that legacy access control systems do not adequately address. Other key areas include user monitoring and auditing.

Now, there is a next-generation of access solutions that evolved from the need to manage a smaller group of privileged users with elevated rights, such as the contracted IT workers, who are accessing critical infrastructure and sensitive data. These systems provide an efficient, cost effective way to integrate strong network controls that offer significant security and compliance benefits. The technical and functional requirements for next-generation solutions map to the best practices for access control strategies, which require organizations to:

Right-size permissions, based on a model of zero trust. Agencies should re-evaluate their access policies to ensure they are not more liberal than the needs of their business dictate, as well as what FISMA prescribes. Access permissions for all users, and especially for higher-risk users or users with elevated rights, should be set to “deny all,” unless specifically required for a defined job role. Taking it a step further, those users who are granted permission should be closely monitored. This “zero trust” model allows an agency to comply with FISMA mandates, even when dealing with outsourced personnel.

Be identity aware. Agencies should create very granular access policies for individuals whose jobs dictate a need for access by integrating with existing authentication and directory systems. This streamlines the policy creation and maintenance process and allows the agency to have one authoritative authentication system. It also allows the agency to track a user by his or her identity, from end-to-end to ensure compliance with varying mandates.

Implement fine-grained enforcement. Once an agency has identified the specific set of users -- for example, those who have the ability to change settings, reconfigure devices or access sensitive information – it is important to contain these users to their specified resources and carefully monitor their activities, enforce policies and remediate problems in real-time. The next generation of access solutions on the market today can help perform these tasks.

Utilize integrated audit capabilities to validate controls. FISMA controls dictate that actions taken on critical data and systems must be performed by, and can be traced to, known and authorized users. An agency also may have other security, operational and internal or external compliance requirements. Modern tools include integrated reporting and auditing capabilities that help an agency review and validate its controls to ensure compliance and a secure environment.

Automate all the requirements from access to audit. As employees and contractors come and go, relying on manual upkeep of access policies increases the risk of a security breach. Agencies should use tools to automate as much as possible, from the enforcement of policies to alerting on problems to the generation of reports. Automation enables processes to scale, eliminates manual error or intervention, and streamlines systems management.

With almost all of the 24 major federal departments and agencies being cited as having a weakness in the area of access control, it is time to look beyond traditional legacy systems. The ability to implement and enforce strong identity-based access control, user containment, real-time monitoring and audit capabilities enable government agencies to fully leverage contractors and other strategic partners, while ensuring best practices for maintaining the confidentiality, integrity and availability of critical information and information systems.

 

Recent Videos

HID Global is opening the door to a new era of security and convenience.  Powered by Seos technology, the HID Mobile Access solution delivers a more secure and convenient way to open doors and gates, access networks and services, and make cashless payments using phones and other mobile devices. ...
Mobile device forensics can make a difference in many investigations, but you need training that teaches you how to get the most out of your mobile forensics hardware and software, and certifies you to testify in court. Read this white paper to learn how to evaluate mobile forensics training...
PureTech Systems is a software company that develops and markets PureActiv, its geospatial analytics solution designed to protect critical perimeters and infrastructure.  Its patented video analytics leverage thermal cameras, radars and other perimeter sensors to detect, geo-locate, classify, and...
PureTech Systems is a technology leader in the use of geospatial video, focusing on perimeter security.  When combining geospatial capabilities with video analytics and PTZ camera control, managers of critical facilities can benefit by allowing the video management system to aid them in the process...