In Federal Agencies, Access is a Privilege – Compliance is a Must

Faster than you can say “Edward Snowden,” U.S. government agencies have begun looking critically at their policies and practices regarding user and administrator privileges. At the same time, the current regulatory environment is more than stringent and complex enough – with sufficiently severe penalties for noncompliance – to create anxiety and urgency for IT teams, even without high-profile examples of what can go wrong.

It’s important to note, however, that Snowden was never accused of hacking or stealing information that he did not have permission to access. While many IT professionals are rightly focused on perimeter protection to keep external attacks at bay, the threat of improper access to – and use of – sensitive information by insiders is at least as critical, if not more so.

Additionally, while outsider attacks are always malicious in intent, insider abuse is often accidental, the result of human error and lax protections and policies, which makes them even harder to prevent. The 2014 Verizon Data Breach Investigations Report identified “Insider and privilege misuse” as one of the nine basic patterns of activity in the past decade that have resulted in confirmed data breaches. The results of a 2013 BeyondTrust survey of 265 IT decision makers are even scarier:

• 80% of respondents believe that it’s at least somewhat likely that employees access sensitive or confidential data out of curiosity.
• 65% of organizations have controls to monitor privileged access, yet 54% say they have the ability to circumvent these controls.
• 43% of respondents allow sensitive data to be stored on employee workstations/laptops.

Least privilege makes the most sense

This data points to the importance of having a solid privileged account management (PAM) strategy in place, one that includes a comprehensive policy and technology-based approach in which users and administrators are given the least amount of access privileges possible while still enabling them to be effective and productive workers. At the same time, user and administrator activity must be constantly monitored to make sure no one is accessing assets and information mistakenly left unsecured.

As explained in our new executive brief on this critical topic, BeyondTrust’s PowerBroker family of privileged account management (PAM) solutions enable government agencies to reduce risk, simplify compliance and maintain user and administrator productivity across Windows, Unix and Linux environments. With PowerBroker, agencies can respond to FISMA/NIST demands for security and privacy controls, continuous monitoring, and risk mitigation; maintain security and availability through least-privilege account management; and monitor and audit user behavior to ensure compliance with internal policies and external regulations.

Our PowerBroker solutions are complemented by and often used in concert with our Retina family of vulnerability management solutions through our BeyondInsight™ centralized management and control platform. In fact, our integrated suite of products addresses all solution categories in the Gartner’s recent “Market Guide for Privileged Account Management.” Our customers therefore gain the coverage and visibility they need to assure compliance with these federal regulations and best practices:

• NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
• NIST SP 800-39: Managing Information Security Risk
• NIST SP 800-137: Continuous Monitoring
• SANS Top 20 Critical Security Controls
• National Industrial Security Program Operating Manual (NISPOM)
• Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP)

Learn more about instituting least privilege

If your users have more access than they need to perform their current job functions, we recommend you read our executive brief, "Mitigating the Risks of Privilege-based Attacks in Federal Agencies." You will learn the value of instituting and enforcing a least-privilege approach in which users receive permissions only to the systems, applications, and data they need based on their current role or profile in the agency – and the capabilities that BeyondTrust offers to ensure both internal and regulatory compliance.

Watch this space for further posts in which we go into each of the above-named regulations in more detail: what they require of agencies, and what BeyondTrust solutions can deliver.

For more information on our privilege and vulnerability management products, as well as our BeyondInsight platform that ties it all together and provides a single, centralized view of network activity, please visit BeyondTrust Products Overview.