Raising the Security Bar: Achieve FISMA Compliance with Cloakware
Position paper
Achieve FISMA Compliance: Privileged Password Management
This paper discusses how Cloakware Password Authority™ supports
and enables compliance with the processes and standards of the Federal
Information Security Management Act of 2002 (FISMA)
for federal agencies, contractors and other organizations.
Regulations on password management
The Federal Information Security Management Act (FISMA),
passed in 2002 as part of the United States E-Government Act,
delivers a mandatory list of processes that must be followed
for all information systems. The National Institute of Standards
and Technology (NIST) Special Publication 800 series of
documents forms a strong foundation for FISMA compliance
and is further reinforced by OMB Circular A-130 and various
agency-specific directives that govern agency information
assurance efforts.
NIST SP 800-53 includes several sections that specify requirements
for managing passwords used in the datacenter. While
many agencies have investigated password management from
the end-user perspective, few have addressed the need to manage
passwords for elevated privilege accounts used by administrators
and unattended applications (see figure below).
An organized, workable approach to managing these passwords
is critical. Often the passwords used by scripts and applications
are hard-coded, in the clear and unchanged—creating a large
vulnerability.

This threat “hiding in plain sight” poses risks to all collected
data that forms the foundation of any agency’s mission and services.
Nevertheless, the effort and cost of changing passwords
manually, and the risk of system outages caused by incorrectly
changed passwords, have created an environment of audit exception
reports. Agencies often choose to absorb the security
risks. However, internal and external auditors are aware of this
issue and are stopping the practice of issuing exception forms.
Now they are focusing on encouraging agencies to seek ways to
fix the password management problem.
At the end of this paper is a table which shows at a high level
how Password Authority helps with meeting specific NIST SP
800-53 requirements.
Controlling access to protect the data
In the end, it all comes down to the data. Data drives government
agencies and must be protected. Considering the vast
range of data sources, the task of designing a comprehensive
data protection system is indeed daunting.
The most common form of data protection is to control access
to the data. Many systems offer multiple authentication paths
(ID/password, token, PKI, biometric, etc.) to control access to
data, and most incorporate the basic ID/password combination
for authentication. ID/password-based authentication has
served its purpose well for years and will continue to do so.
However, not managing passwords remains the largest hurdle
to their continued success as a secure means for controlling access.
It follows that an approach that enables strong password
creation, change and release across all systems will give more
secure access control, and a check mark for audit compliance.
Password management falls into the broad category of Identity
and Access Management (I&AM). To date, most I&AM
projects have focused on the human user identity. Password
Authority focuses on password management issues for unattended
identities such as those used in application-to-application
(A2A) transactions. Managing user passwords is a simple
problem to solve compared to the challenges of managing unattended
A2A passwords.
Security requirements for password management
Solving the unattended password management challenge requires
eliminating passwords from the scripts and applications
that use them. To achieve this securely and efficiently, organizations
must maintain a centralized password repository for use
by scripts and applications. Maintaining a central repository
for passwords gives a way to keep a single copy of a password
instead of multiple copies distributed throughout a network. It
also gives a single point of control over the release policies for
passwords.
Strong security techniques and data encryption are needed to
protect passwords stored in the central repository. Otherwise,
an attacker could try to monitor server memory or breach the software libraries that contain or use keying material, to obtain
the keys needed to decrypt data in the repository.
Securing the end points of password management
End-point connections to the repository must also be secured.
Since the end points are expected to operate unattended, relying
on physical security alone is not enough. The end points
must be capable of protecting their identities, protecting the
keying material used during cryptographic operations and
detecting tampering with the scripts and applications
that execute upon them...
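As an added example (not Cloakware's code or the Password Authority API), the following Python sketches the release model described in the two sections above: the repository holds the single copy of each password and releases it only to a registered end point that authenticates its request, only where the central release policy permits, and only after the requesting script still matches its approved digest. Endpoint identities, keys, account names and the sample script are constructed values; encryption of the repository at rest is not modelled.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

@dataclass(frozen=True)
class ReleasePolicy:
    allowed_endpoints: frozenset   # end-point identities that may receive the password
    approved_script_sha256: str    # digest of the approved script that may request it

def request_tag(key: bytes, endpoint_id: str, account: str, script: bytes) -> bytes:
    """End-point side: bind its identity, the target account and the script digest under its key."""
    digest = hashlib.sha256(script).hexdigest()
    return hmac.new(key, f"{endpoint_id}|{account}|{digest}".encode(), "sha256").digest()

@dataclass
class Repository:
    secrets: dict = field(default_factory=dict)        # account -> the single stored copy
    policies: dict = field(default_factory=dict)       # account -> ReleasePolicy
    endpoint_keys: dict = field(default_factory=dict)  # endpoint id -> registered key
    audit: list = field(default_factory=list)          # every release decision, for auditors

    def release(self, account: str, endpoint_id: str, script: bytes, tag: bytes):
        """Return the password only when identity, policy and script integrity all check out."""
        key = self.endpoint_keys.get(endpoint_id)
        if key is None or not hmac.compare_digest(tag, request_tag(key, endpoint_id, account, script)):
            return self._deny(account, endpoint_id, "endpoint authentication failed")
        policy = self.policies.get(account)
        if policy is None or endpoint_id not in policy.allowed_endpoints:
            return self._deny(account, endpoint_id, "release policy does not permit this end point")
        if hashlib.sha256(script).hexdigest() != policy.approved_script_sha256:
            return self._deny(account, endpoint_id, "requesting script does not match approved digest")
        self.audit.append(("RELEASE", account, endpoint_id, ""))
        return self.secrets[account]

    def _deny(self, account: str, endpoint_id: str, reason: str):
        self.audit.append(("DENY", account, endpoint_id, reason))
        return None

def demo():
    """Constructed scenario: one registered host, one approved script, one copy altered afterwards."""
    repo, key = Repository(), b"constructed-shared-key"
    repo.endpoint_keys["batch-host-01"] = key
    approved = b"#!/bin/sh\nrun_nightly_backup --as svc_backup\n"   # constructed sample script
    altered = approved + b"echo step added after approval\n"
    repo.secrets["svc_backup"] = "constructed-password"
    repo.policies["svc_backup"] = ReleasePolicy(frozenset({"batch-host-01"}), hashlib.sha256(approved).hexdigest())
    granted = repo.release("svc_backup", "batch-host-01", approved, request_tag(key, "batch-host-01", "svc_backup", approved))
    denied_script = repo.release("svc_backup", "batch-host-01", altered, request_tag(key, "batch-host-01", "svc_backup", altered))
    denied_host = repo.release("svc_backup", "batch-host-02", approved, request_tag(key, "batch-host-02", "svc_backup", approved))
    return granted, denied_script, denied_host, repo.audit
```

The audit list is the point for a FISMA reviewer: every release and every denial, with its reason, is recorded in one place instead of being scattered across the scripts that previously carried the passwords.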