Using Centrify for NIST 800-53 Compliance

There’s a humorous saying I often hear in IT Security circles that goes something like this: “If a CISO has the choice between being compliant or being secure, compliance always wins because that’s what will keep them out of prison.” The reality is that most organizations need to increase both as efficiently as possible, and this is where Centrify can help. The Centrify Server Suite leverages your existing Active Directory to secure your systems from identity related risks and attacks. Additionally it helps with compliance for a large number of federal and industry standard security controls, such as those found in : (1) NIST 800-53 Security Control Requirements, (2) DHS’ Continuous Diagnostics and Mitigation (CDM) Functional Area Requirements, and (3) SANS Top 20 Critical Controls. In this three-part blog I’ll be discussing how the Centrify Server Suite maps to specific requirements of each, beginning with NIST 800-53.

The National Institute of Standards and Technology (NIST) Special Publication 800-53 is probably the most oft referenced security guideline throughout federal IT Security. It not only provides a great set of controls for preventing cyber attacks, it provides a common language for IT Security personnel to communicate requirements to their managers and CISO’s in terms of budgets and ROIs. Those who control the purse strings will always have more suitors than funds, however recent government shutdowns and sequestrations have exasperated internal competition for federal dollars. Since security and compliance have “never been hotter” in terms of relevancy and top of mind throughout all of IT, savvy IT managers link their software requests to solving gaps in compliance reports like NIST 800-53.

The table below summarizes how the Centrify Server Suite maps to five key principles of NIST 800-53. If you’re interested in a more detailed guide on using Centrify for NIST 800-53 compliance, you can download the free Centrify whitepaper on meeting FISMA requirements when managing a heterogeneous environment of Window, UNIX, Linux and Mac.

NIST 800-53 Security Controls Centrify Server Suite Software 
AC Access Control

  • Manage user accounts employing automated mechanisms
  • Restrict access to systems and to privileged functions on those systems to authorized personnel
  • Enforce separation of duties
  • Enforce least-privilege rights management

 

 

 

 

 

 

 

DirectControl

  • Consolidates non-Windows user identities in Active Directory so that all accounts can be centrally managed using existing automated tools and processes
  • Uses unique Zone technology to create logical groupings of systems that have a discrete set of users, administrators and policies

 

DirectAuthorize

  • Restricts access methods and privileges based on job role
  • Enforces least-privilege rights management by limiting users to a specific set of commands

 

AU Audit and Accountability

  • Capture audit records in sufficient detail to establish what occurred, the source, and the outcome
  • Enable regular review and analysis for unusual or suspicious activity

 

 

 

 

 

DirectAudit

  • Captures complete session details: who accessed the system, what commands they entered, and the system output
  • Provides unique ability to replay sessions to clearly establish outcomes of user activity
  • Enables both real-time and historical monitoring of sessions, and features robust search and reporting capabilities

 

 

CM Configuration Management

  • Maintain a baseline configuration for all systems
  • Monitor for configuration changes
  • Restrict user ability to make changes

 

 

 

 

 

 

 

DirectControl

  • Group Policy provides a secure and automated method for centrally managing security and configuration settings

DirectAudit

  • Can audit systems for occurrences of prohibited commands and configuration changes

DirectAuthorize

  • Can lock down systems by restricting user’s rights to make changes

 

IA Identification and Authentication

  • Uniquely identify and authenticate users
  • Employ multi-factor authentication where necessary
  • Obscure feedback of authentication information

 

 

 

 

 

 

DirectControl, DirectAuthorize, & DirectAudit

  • Links all entitlements and actions to a single, definitive and centrally managed user identity in Active Directory

DirectControl

  • Supports smart card authentication for Mac & Linux workstations
  • Sets up authenticated and encrypted connection between Active Directory and managed systems to protect the movement of authentication, policy and audit data

 

SC Systems and Communications Protection

  • Monitor and control communications at the external boundary and at key internal boundaries
  • Protect the integrity and confidentiality of transmitted information
  • Establish trusted communication paths and protect the authenticity of communications sessions

 

 

 

 

 

 

 

 

 

 

DirectSecure

  • Provides for domain or group based isolation in which members of the specified domain or Active Directory group are allowed to communicate in a secured fashion once they have mutually authenticated each other through strong host-based credentials.
  • Leverages IPsec in transport mode for network security and can be configured to use Authentication Header (AH) in order to ensure that any communication has not been tampered with and that it originated from the trusted host. It also uses Encapsulating Security Payload (ESP) in order to provide confidentiality for every packet exchanged between trusted hosts. This security is applied to each packet individually and leverages PKI credentials to establish unique session authentication keys for each security association

 

 

If you’re an IT Security Engineer or Manager who is looking to make their enterprise systems both more secure and more compliant, the above table highlights why you should take a look at the Centrify Server Suite of software. It is a very cost effective and efficient way to provide unified identity management across a heterogeneous environment, while simultaneously increasing your compliance with federal and industry standard security controls.

Centrify Reporting

In part 2 of this blog I will discuss how Centrify Server Suite maps to the new federal security controls by the Department of Homeland Security called the Continuous Diagnostics and Mitigation (CDM) program.