The shift to implementing agency-wide adaptive risk strategies, specifically around securing remote access, was underway before the COVID-19 outbreak. However, the need for agencies to accommodate remote work at a large scale accelerated those efforts.
The Office of Management and Budget (OMB) sounded the clarion for evolving security controls beyond the network perimeter to an identity-centric approach in May 2019 with the release of an updated Identity, Credentialing, and Access Management (ICAM) policy. OMB acknowledged that hardening the network perimeter is important, however, “agencies must shift from simply managing access inside and outside of the perimeter to using identity as the underpinning for managing the risk posed by attempts to access federal resources made by users and information systems.”
Aligning with guidance from the National Institute of Standards and Technology (NIST), the ICAM policy recognizes the importance of protecting, managing, and monitoring privileged and administrative accounts, including the ability to revoke or destroy credentials in a timely manner. Moreover, the policy requires each agency to define and maintain a single comprehensive ICAM policy, process, and technology solution roadmap, consistent with their operational mission needs, which aligns with the government’s Continuous Diagnostics and Mitigation (CDM) program.
In our blog, Raising the Bar on Government Endpoint Security, we noted that remote work is certain to become a fixture across the public sector, and described how government agencies should use Endpoint Privilege Management (EPM) to strengthen endpoint security. In this blog, I will cover how BeyondTrust privileged access management (PAM) solutions align with the government’s ICAM and CDM policies.
ICAM, CDM Aim to Boost Network Visibility
The goal of the CDM program, which is managed by the Department of Homeland Security (DHS), is to ensure federal agencies at all times know:
- Who is on their network
- What is happening on their network
Satisfying these two needs is important for establishing a strong network visibility and data protection baseline across the federal government. This level of visibility must be met for agencies to effectively monitor, defend, and rapidly respond to cyber incidents. CDM helps drive achievement of this baseline by working with agencies to deploy tools that provide enterprise-wide visibility of the assets, users, and activities on their networks.
BeyondTrust is well positioned to address all CDM requirements. Consequently, our privileged access management platform—which is comprised of secure remote access, endpoint privilege management, and privileged credential management—helps agencies see and control what’s on their network, what is connected to their network, and what devices and identities are accessing resources on their network.
The BeyondTrust PAM platform applies a universal approach to privilege management that encompasses securing privileged sessions, users, and assets. This holistic approach condenses the attack surface, limits lateral movement, and protects against any type of threat actor—whether insider, external, machine, malware, or human.
BeyondTrust has built powerful application programming interfaces (APIs) into our solutions. These APIs link to a wide range of tools and devices, helping to gather and communicate data to elastic dashboards for real-time analysis and orchestration. This is extremely important in today’s environment in which remote and mobile access is the default way people will work.
Panoramic View of Privileges
The new policy also instructs agencies to establish an ICAM office agency-wide to assess current capabilities and develop plans to transition to new capabilities and solutions. Identifying gaps in the current capabilities will require a better understanding of what is happening with privileged accounts within their organizations.
Finding all the privileged accounts strewn across an enterprise can be a daunting task. Many company and agency managers do not understand how privilege accounts function and interact with other systems within their environments, especially the non-user accounts, such as service accounts, application accounts, and other machine accounts.
Service accounts are privileged or local accounts that are used by an application or service to interact with operating systems, while application accounts are used by applications to access databases, run batch jobs or scripts, or provide access to other applications.
The first step is to identify where the security weaknesses are in your agency. Identify what assets and accounts are susceptible to attack, and via what attack vectors. BeyondTrust solutions provide more auditing and monitoring of all privileged access, helping organizations instantly pinpoint and act on—such as pause or terminate—suspicious sessions. The BeyondTrust platform can run reports showing what systems and software are running with elevated privileges, as well as if an unauthorized application is trying to log in to a system. At any point in time, IT and security teams can get a picture across their universe of accounts, applications, and assets and how they are leveraging privileges.
Many alternative privilege management solutions operate in passive observable mode, collecting data for months before managers know which applications to allow or reject. However, BeyondTrust’s approach is to “deprivilege” accounts as the default and only elevate access for the finite instances privilege is required. The aim is to reduce the threat vector by reducing the number of privileged accounts and limiting the window of time those privileges can execute. Consequently, the agency gets immediate benefit from a BeyondTrust PAM implementation, with the ability to fine tune results further over time.
A Holistic View for Securing Privileged Access
As the ICAM strategy notes, advances in technology have enabled more digital interactions and business transactions, offering the federal government an opportunity for faster, more reliable connections and operations. Meanwhile, as more people and devices access agencies’ networks, identity and credential management have become even more critical to the federal government’s successful delivery of mission and services to the nation. Within this sphere, securing privileges and remote access are now major priorities, especially as endpoint devices, often connecting remotely, open more paths into the network.
Craig McCullough, Regional Vice President, Public Sector
Craig has over 20 years of experience in the technology industry, having started his career as an intellectual property attorney in Washington, DC, and then moving into leadership roles growing technology businesses that support federal, state and local governments. He is a visible industry leader and frequent spokesperson, giving interviews in various media outlets and participating as a panel speaker at multiple industry events. Craig joined BeyondTrust in 2018 and created the Public Sector Team.