NIST Guide Demonstrates How to Control Privileged Accounts
Over the past few months IdRamp has been working closely with The National Cybersecurity Center of Excellence (NCCoE) to develop the National Institute of Standards (NIST) practice guide for Privileged Account Management. The guide will help improve security associated with privileged accounts that control critical infrastructure, data, applications, services, and assets. The guide has been released and is now available for public review.
- To view the official press release please visit the Washington Business Journal
- To view the Privileged Account Management Guide please visit the National Institute of Standards
About Privileged Account Management
Privileged accounts are used to access and operate mission critical information systems. Privileged accounts are used by trusted people who perform advanced administration tasks that regular users are not authorized to perform. The systems, processes, and procedures used to protect these special accounts are generally known as Privileged Account Management.
Why did the National Cybersecurity Center of Excellence create this guide?
The financial sector has been attacked multiple times by malicious actors exploiting privileged or “super user” accounts on internal or customer-facing systems. The attacks which are estimated to have had significant financial and reputational damage rely on the operational necessity for companies to create privileged accounts that have access to systems and information far beyond that of ordinary users. For example, these accounts may allow system administrators to perform important duties including routine system maintenance, mitigating and responding to emergency events, and data processing.
If mismanaged, these privileged accounts pose a significant risk to an organization. They can be used to cause significant operational damage in the form of data theft, espionage, sabotage, ransom, or the bypassing of important controls. Malicious external actors can gain unauthorized access to privileged accounts by leveraging stolen credentials, lax security controls, keyloggers, default passwords, or social engineering attacks. In addition, there are rare instances of disgruntled employees who abuse their privileged accounts even after they have left the company. This can affect high value application accounts (such as social media accounts) and more everyday systems (e.g. human resources, security controls, database access).
Will C level executives find value in the PAM guide?
Volume A of the NCCoE’s Privileged Account Management Practice Guide will help executives understand the threat and provide them with the decision-making tools to make informed choices that will improve the security of the most privileged accounts within their organization. Executives will be able to direct technical teams, contractors, or integrators to take actions that will allow the organization to:
- Identify and catalog previously unknown, high-value privileged accounts that pose a risk
- Reduce the complexity of managing privileged accounts by limiting authorized users and employing automated enforcement of use policies
- Simplify compliance via automated reports
Will information technology leaders find value in the PAM guide?
Volume B and C of the practice guide assume that IT professionals have experience implementing security products within the enterprise. IT professionals who choose to implement PAM will find practical and actionable information throughout the entire guide.
- Clear instructions. The how-to portion of the guide, Volume C, replicates the example implementations created in the NCCoE’s lab and provides specific product installation, configuration, and integration instructions. Rather than re-creating the product manufacturers’ documentation, which is generally widely available, we show how to integrate the products to re-create the example implementations.
- The technology is commercially available and adaptable. A suite of commercial products was used to build the example implementations in our lab (this guide does not endorse these products). An organization can replicate the example implementation(s) in its online environment or can use the guide as a starting point for tailoring and implementing parts of the PAM capabilities demonstrated. An organization’s security experts should identify the products that will best integrate with its existing tools and IT system infrastructure.
- The guide maps to both cybersecurity standards and best practices. IT professionals can use our step-by-step guide to inform and develop a strategy by selecting from several different PAM-related capabilities that best meet their organization’s needs. Work roles are also mapped to the NICE Cybersecurity Framework to assist IT managers with understanding what skills are needed to execute and manage PAM example implementations.
Expert-vetted architecture and reference designs—The guide leverages expertise from NIST and industry IT thought leaders in collaboration with leaders from the financial services sector to review the architecture and vet the standards-based reference designs. The reference designs are modular and can be deployed in whole or in part—providing financial institutions and other enterprises with the detailed information they need to replicate PAM example implementations.
- Expert-vetted architecture and reference designs. The guide leverages expertise from NIST and industry IT thought leaders in collaboration with leaders from the financial services sector to review the architecture and vet the standards-based reference designs. The reference designs are modular and can be deployed in whole or in part—providing financial institutions and other enterprises with the detailed information they need to replicate PAM example implementations.
To view the official press release please visit the Washington Business Journal
To view the Privileged Account Management Guide please visit the National Institute of Standards
*While the example implementation uses certain products, NIST and the NCCoE do not endorse these products. The guide presents the characteristics and capabilities of those products, which an organization’s security experts can use to identify similar standards-based products that will fit within with their organization’s existing tools and infrastructure.