New Cyber Guidance Tackles Data Access

Published: November 11, 2015


The Department of Commerce’s National Institute of Standards and Technology (NIST) recently released new documents offering insight into information security hurdles and approaches.

Two new NIST Inter/Intra-Agency Reports (NISTIR) address security issues that have endured despite decades of research. “In a very real sense, access control is the essence of information security,” one report noted. It goes on to assert that “the critical balance in information security is between the need to grant access and the need to limit access.” So it seems fitting that both new publications frame these persistent challenges in the context of data access.

Policy Machine: Features, Architecture, and Specification (NISTIR 7987 Revision 1) - 119 pages

The report provides an updated access control framework to manage contact with sensitive information. According to the abstract, this framework will help to address the persisting “limited ability for existing access control mechanisms to enforce a comprehensive range of policy.” The Policy Machine approach introduces a fundamental change to the expression and enforcement of policy. The intended audience includes computer security researchers, security professionals (e.g. security officers, administrators, and auditors), executives and technology officers, and IT program managers along with others in roles with information security responsibilities.

This document provides an overview of background and a framework for Policy Machine implementation. It discusses administrative considerations, policy specification, and policy class considerations. The guidance also describes the architecture of the Policy Machine and offers numerous appendices to address notation, administrative commands, and routines as well as defining personas.

Security of Interactive and Automated Access Management Using Secure Shell (SSH) (NISTIR 7966) - 50 pages

Information systems increasingly rely on automated access (e.g. file transfer, disaster recovery, privileged access management, software and patch management, and dynamic cloud provisioning). This automation often lacks sufficient planning and oversight of automated and machine-to-machine access control. The report outlines the basics of Secure Shell (SSH) interactive and automated access management in an enterprise, focusing on the management of SSH user keys. According to the abstract, “The SSH protocol supports several mechanisms for interactive and automated authentication. Management of this access requires proper provisioning, termination, and monitoring processes. However, the security of SSH key-based access has been largely ignored to date.” The intended audience includes security managers, engineers, and administrators along with others who are responsible for planning, acquiring, testing, implementing, and maintaining SSH solutions.

The report explores half a dozen different vulnerabilities and offers recommendations. The potential lapses in protections include improperly configured access controls; stolen, leaked, derived, and unterminated keys; backdoors; unintended usage; pivoting; and lack of knowledge and human error. Recommendations from the report to address these weaknesses include:

  • Ensure security policies and procedures clearly spell out roles and responsibilities, comply with SSH implementation guidance, and include guidance for SSH identity and authorized keys.
  • SSH key-based access provisioning should follow the full lifecycle from the access request through logged usage and reauthorization to access termination.
  • Establish a continuous monitoring and audit process. Continuous monitoring will help to ensure the provisioning life cycle is followed and enforced, and will support activities to detect unauthorized access.
  • Inventory and remediate existing SSH servers, keys, and trust relationships. While it is generally not feasible to maintain a perfect inventory of SSH identity keys, the goal should be for organizations to keep their inventory of all authorized keys and the corresponding identities to the extent possible.
  • Employing automated processes for inventory, SSH key-based access review, provisioning, continuous monitoring, and auditing can improve security, efficiency, and availability.
  • Educate executive management regarding the systems on which SSH is used, the risks and implications of an SSH-based breach, and the steps necessary for a key management program.
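
The inventory and review recommendations above can be illustrated with a short script. This is an added example, not code from NISTIR 7966 or from this article: it fingerprints every key in a set of authorized_keys files, maps each key to the accounts that trust it, and compares the result with provisioning records. The account names, the format of the approved-records table and the key blobs are constructed for the demonstration.

```python
import base64
import hashlib
import shlex

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519"} | {f"ecdsa-sha2-nistp{n}" for n in (256, 384, 521)}

def fingerprint(b64_blob):
    """SHA256 fingerprint in the form OpenSSH prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Yield (fingerprint, options, comment) for every key line; quotes are stripped."""
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)  # options may hold quoted spaces
            idx = next(i for i, t in enumerate(tokens) if t in KEY_TYPES)
            fp = fingerprint(tokens[idx + 1])
        except (ValueError, StopIteration, IndexError):
            continue  # malformed line: skip it rather than abort the scan
        yield fp, " ".join(tokens[:idx]), " ".join(tokens[idx + 2:])

def build_inventory(files):
    """Map fingerprint -> set of accounts whose authorized_keys contain it."""
    inventory = {}
    for account, text in files.items():
        for fp, _options, _comment in parse_authorized_keys(text):
            inventory.setdefault(fp, set()).add(account)
    return inventory

def review(inventory, approved):
    """Return (grants missing from the approved records, keys trusted by >1 account)."""
    unapproved = sorted((fp, acct) for fp, accts in inventory.items()
                        for acct in accts if acct not in approved.get(fp, set()))
    shared = {fp: sorted(accts) for fp, accts in inventory.items() if len(accts) > 1}
    return unapproved, shared

def _sample_blob(n):  # constructed placeholder blob, not a real public key
    return base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes([n]) * 32).decode()

K_BACKUP, K_ALICE, K_OLD = (_sample_blob(n) for n in (1, 2, 3))
SAMPLE_FILES = {  # constructed authorized_keys contents, keyed by account@host
    "backup@db01": f'command="/usr/local/bin/backup run" ssh-ed25519 {K_BACKUP} backup-job\n',
    "alice@web01": f"# managed\nssh-ed25519 {K_ALICE} alice@laptop\nssh-ed25519 {K_OLD} contractor\n",
    "root@web01": f"ssh-ed25519 {K_BACKUP} backup-job\n",
}
APPROVED = {fingerprint(K_BACKUP): {"backup@db01"}, fingerprint(K_ALICE): {"alice@web01"}}
```

Calling `review(build_inventory(SAMPLE_FILES), APPROVED)` reports the contractor key that has no provisioning record and the backup key that also grants access to a root account.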

Data access certainly provides a useful lens through which security can be assessed. As agencies look to improve their information safeguards, a holistic approach to information security will help to align the adopted tools and techniques with related governance, strategy, and compliance. Security issues related to new technology solutions like cloud and mobile computing are compounded by concerns around insider threats and the growing volume and variety of attacks on government systems. The combination of these considerations suggests information security vendors would benefit from clearly understanding not just the current security postures of government customers but also their overarching technology strategies and goals.