This paper discusses the ways that Cloakware Password Authority supports and enables compliance with the Federal Energy Regulatory Commission (FERC) Critical Infrastructure Protection (CIP) Reliability Standards.
The CIP standards include several sections that address requirements for managing datacenter passwords. While most agencies and utilities have investigated password management from the end-user perspective, few have addressed the need for password management for elevated privilege accounts used by administrators and unattended applications.
An organized, workable approach to managing these passwords is critical. Often the passwords used by scripts and applications are hard-coded, stored in the clear and never changed—creating a large vulnerability.

This threat “hiding in plain sight” poses risks to all collected data that forms the foundation of any agency’s mission and services. Nevertheless, the effort and cost of changing passwords manually, and the risk of system outages caused by incorrectly changed passwords have created an environment of audit exception reports. Agencies often choose to absorb the security risks. However, internal and external auditors are aware of this issue and are stopping the practice of issuing exception forms. Now they are focusing on encouraging agencies to seek ways to fix the password management problem.
A table is included at the end of this paper which shows how Password Authority helps with meeting specific CIP requirements.
In the end, it all comes down to the data. Data drives government agencies and must be protected. Considering the vast range of data sources, the task of designing a comprehensive data protection system is indeed daunting.
The most common form of data protection is to control access to the data. Many systems offer multiple authentication paths (ID/password, token, PKI, biometric, etc.) to control access to data, and most incorporate the basic ID/password combination for authentication. ID/password-based authentication has served its purpose well for years and will continue to do so. However, unmanaged passwords remain the largest hurdle to their continued success as a secure means of controlling access. It follows that an approach that enables strong password creation, change and release across all systems will give more secure access control, and a check mark for audit compliance.
Password management falls into the broad category of Identity and Access Management (I&AM). To date, most I&AM projects have focused on the human user identity. Password Authority focuses on password management issues for unattended identities such as those used in application-to-application (A2A) transactions. Managing user passwords is a simple problem to solve compared to the challenges of managing unattended A2A passwords.
Solving the unattended password management challenge requires eliminating passwords from the scripts and applications that use them. To achieve this securely and efficiently, organizations must maintain a centralized password repository for use by scripts and applications. Maintaining a central repository for passwords gives a way to keep a single copy of a password instead of multiple copies distributed throughout a network. It also gives a single point of control over the release policies for passwords.
Strong security techniques and data encryption are needed to protect passwords stored in the central repository. Otherwise, an attacker could try to monitor server memory or breach the software libraries that contain or use keying material, to obtain the keys needed to decrypt data in the repository.
End-point connections to the repository must also be secured. Since the end points are expected to operate unattended, relying on physical security alone is not enough. The end points must be capable of protecting their identities, protecting the keying materials used during cryptographic operations and detecting inappropriate tampering of scripts and applications that execute upon them.
Password Authority includes agent software that is deployed to systems that need to access passwords. The agent software retrieves the required passwords from the central repository, and is itself secured against tampering and other threats. Password Authority agents can be deployed and maintained using existing software deployment tools. Password Authority agent software delivers many other benefits beyond security, including housekeeping features like automated patch management, event management, secure local caching, and local auditing.
Besides relying on operating system access controls, a central password management system must also be capable of application self-authentication and systemic self-protection. Only then can it have the confidence needed to release critical credentials (such as a password) to an unattended application, and to resist both external and internal threats. Like the human biometric that uniquely identifies a person, there are many run-time environmental details that can be collected during application execution.
Combining these “application biometrics” with cryptographic techniques offers a way to authenticate and authorize the release of critical credentials to uniquely identifiable and registered applications. This “biometric” comparison of an application against the authenticated application’s profile also helps to ensure that the calling application has not been altered—a necessary validation to guarantee that credentials are not disclosed inappropriately.
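One way to implement the application-biometric release check described above, as an added example that is not Cloakware's own code: the profile fields (executable hash, path, OS user), the function names and the sample data are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed illustration of an "application biometric" release check: the credential
# is released to an unattended caller only when its run-time profile (executable hash,
# absolute path, OS user) matches its registered profile. Names are assumed, not the product's API.

def fingerprint(exe_path, user):
    """Collect run-time details that identify the calling application."""
    with open(exe_path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"sha256": digest, "path": os.path.abspath(exe_path), "user": user}

def seal(profile, secret):
    """HMAC over the canonical profile so stored profiles are tamper-evident."""
    return hmac.new(secret, json.dumps(profile, sort_keys=True).encode(), "sha256").hexdigest()

def register(registry, app_id, exe_path, user, secret):
    """Record the approved profile of an application at enrolment time."""
    profile = fingerprint(exe_path, user)
    registry[app_id] = {"profile": profile, "tag": seal(profile, secret)}

def release_credential(registry, vault, app_id, exe_path, user, secret):
    """Return the stored password only if the caller matches its registration."""
    entry = registry.get(app_id)
    if entry is None:
        return None  # unknown application: never release
    if not hmac.compare_digest(seal(entry["profile"], secret), entry["tag"]):
        return None  # registry entry itself was altered
    if fingerprint(exe_path, user) != entry["profile"]:
        return None  # binary, path or user differs from the registered profile
    return vault.get(app_id)

def demo():
    """Enrol a script, release once, then try a wrong user and an altered script."""
    secret = b"registry-hmac-key-constructed"
    registry, vault = {}, {"backup-job": "S3cr3t-db-pass"}  # constructed sample data
    script = os.path.join(tempfile.mkdtemp(), "backup.sh")
    with open(script, "w") as f:
        f.write("#!/bin/sh\npg_dump production > /backups/prod.sql\n")
    register(registry, "backup-job", script, "svc_backup", secret)
    first = release_credential(registry, vault, "backup-job", script, "svc_backup", secret)
    wrong_user = release_credential(registry, vault, "backup-job", script, "root", secret)
    with open(script, "a") as f:
        f.write("# simulated unauthorised modification\n")
    altered = release_credential(registry, vault, "backup-job", script, "svc_backup", secret)
    return first, wrong_user, altered
```

The first request succeeds; the same script run as a different user, or after any change to its bytes, is refused, which is the tamper check the paragraph describes.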
An effective, centralized password management system for unattended servers and applications is made up of six building blocks as described in the following tables.
The tables describe several security techniques that are required to address the unique security challenges of unattended password management. The sections below give details of some of the security techniques...