Mapping BeyondTrust Solutions to

Transcription

1 TECH BRIEF Taking a Preventive Care Approach to Healthcare IT Security

2 Table of Contents Table of Contents... 2 Taking a Preventive Care Approach to Healthcare IT Security... 3 Improvements to be Made to Better Protect Healthcare Information... 3 What is HITRUST and CSF? Figure 1: HITRUST CSF... 5 Table 1: Summary Mapping of BeyondTrust Solutions to HITRUST Requirements... 6 Table 2: Detailed Mapping of BeyondTrust Solutions to HITRUST Requirements...11 The PowerBroker Privileged Access Platform...20 Product Capabilities within the PowerBroker Privileged Access Platform...20 Conclusion...22 About BeyondTrust

3 Taking a Preventive Care Approach to Healthcare IT Security Highly regulated industries have always led the way for best practices in accounting, information technology, and cyber security, with laws and regulations mandating certain procedures to be followed. While extreme differences still exist in quality and type of care, the business part of the healthcare industry has slowly seen conformity due to regulations. This affects all types of healthcare from hospitals to family practitioners. All data must be secured, transmitted using specific protocols, and insurance forms completed in a specific manner. Regulations such as HIPAA and HITECH ensure this, however there is still work to do. IMPROVEMENTS TO BE MADE TO BETTER PROTECT HEALTHCARE INFORMATION For the healthcare industry, information technology needs to learn from the best practices in medicine and adopt preventive care. Information technology should perform regular tests, screening, assessments, and other security best practices to ensure all applications are up to date, properly patched for vulnerabilities, and not misconfigured. Our recommended approach includes: Discovery identifying all systems, applications and devices, and assigning risk priorities to them Segmentation isolating high risk systems, applications, and devices on separate networks and limiting access and communications to prevent a hack Remediation when available, applying updates, configurations, and other changes to mitigate the risk Reporting providing reports to technical teams and executives to quantify the risk and exposure If healthcare can think along the same mindset using standards like HITRUST to protect information, then sensitive patient information can be protected much better because the risks can be identified early and treated; just like diagnosing a person. This technical brief explains how to map BeyondTrust solutions to HITRUST to accomplish just that. 3

4 What is HITRUST and CSF? 1 The Health Information Trust Alliance (HITRUST) has developed the CSF, an information security framework that harmonizes the requirements of existing standards and regulations, including federal (HIPAA, HITECH), third party (PCI, COBIT) and government (NIST, FTC). The HITRUST CSF was developed to address the multitude of security, privacy and regulatory challenges facing healthcare organizations. By including federal and state regulations, standards and frameworks, and incorporating a risk-based approach, the CSF helps organizations address these challenges through a comprehensive and flexible framework of prescriptive and scalable security controls. The following pages contain a table that summarizes how BeyondTrust solutions map to HITRUST requirements to ensure compliance with the CSF framework. For reference, the CSF framework is summarized in the graphic on the following page

5 Figure 1: HITRUST CSF 5

6 PowerBroker Platform PowerBroker Password Safe PowerBroker for Windows & Mac PowerBroker for Unix & Linux PowerBroker for Networks PowerBroker Identity Services PowerBroker Auditing & Security Suite Retina Enterprise Vulnerability TABLE 1: SUMMARY MAPPING OF BEYONDTRUST SOLUTIONS TO HITRUST REQUIREMENTS Control Category Objective Name Control Reference 01.0 Access Control Authorized Access to Information Systems 0.1.b User Registration 0.1.c Privilege 01.d User Password 01.e Review of User Access Rights Network Access Control 0.1.j User Authentication for External Connections 6

7 PowerBroker Platform PowerBroker Password Safe PowerBroker for Windows & Mac PowerBroker for Unix & Linux PowerBroker for Networks PowerBroker Identity Services PowerBroker Auditing & Security Suite Retina Enterprise Vulnerability Control Category Objective Name Control Reference Equipment Identification in Networks Operating System Access Control 01.p Secure Log-on Procedures 01.q User Identification and Authentication 01.r Password System 01.s Use of System Utilities 7

8 PowerBroker Platform PowerBroker Password Safe PowerBroker for Windows & Mac PowerBroker for Unix & Linux PowerBroker for Networks PowerBroker Identity Services PowerBroker Auditing & Security Suite Retina Enterprise Vulnerability Control Category Objective Name Control Reference Application 01.v Information and Information Access Restriction Access Control 01.w Sensitive System Isolation 02.0 Human Termination or 02.i Removal of Resources Security Change Access Rights Responsibilities 03.0 Risk Risk Program 03.b Performing Risk Assessments 03.c Risk Mitigation 06.0 Compliance Compliance with Legal Requirements 06.e Prevention of Misuse of Information Assets 8

9 PowerBroker Platform PowerBroker Password Safe PowerBroker for Windows & Mac PowerBroker for Unix & Linux PowerBroker for Networks PowerBroker Identity Services PowerBroker Auditing & Security Suite Retina Enterprise Vulnerability Control Category Objective Name Control Reference Compliance 06.j Technical with Security Policies and Standards and Compliance Checking Technical Compliance Information 06.j Protection of System Audit Information Systems Considerations Audit Tools 07.0 Asset Responsibility for Assets 07.a Inventory of Assets 09.0 Communications and Operations Protection Against Malicious and Mobile Code 09.j Controls Against Malicious Code Monitoring 09.aa Audit Logging 9

10 PowerBroker Platform PowerBroker Password Safe PowerBroker for Windows & Mac PowerBroker for Unix & Linux PowerBroker for Networks PowerBroker Identity Services PowerBroker Auditing & Security Suite Retina Enterprise Vulnerability Control Category Objective Name Control Reference 09.ac Protection of Log Information 09.ad Administrator and Operator Logs 10.0 Information Technical 10.m Control of Systems Acquisition, Development, and Vulnerability Technical Vulnerabilities Maintenance 11.0 Information Security Incident e Collection of Evidence 10

11 Table 2: Detailed Mapping of BeyondTrust Solutions to Note: Only relevant product mappings are included here. Control Category Objective Name Control Reference BeyondTrust Solution Mapping 01.0 Access Control Authorized Access to Information Systems 0.1.b User Registration BeyondTrust s Privileged Access platform, PowerBroker, integrates with leading IAM solution providers to ensure documented and implemented user registration and de-registration procedures for granting and revoking access that is delegated for privileged asset and application access. 0.1.c Privilege PowerBroker for Windows, PowerBroker for Mac, PowerBroker for Networks, and PowerBroker for Unix & Linux provide granular, policy-based privilege delegation and authorization control of administrative privileges on Windows, Mac, Unix and Linux systems, and network devices such as IoT, ICS and SCADA. This enables organizations to securely and granularly control tasks and applications executed with elevated privileges, and enforce least privilege. All privileged user activity is securely logged for compliance reporting. 01.d User Password PowerBroker Password Safe provides secure management of privileged account passwords and controls access to these passwords. This allows for automated password management and secure request, approval and retrieval of privileged account access. All privileged user activity is monitored and securely logged for compliance reporting. 01.e Review of User Access Rights The PowerBroker platform provides the account and entitlement data necessary for granular privileged access 11

12 Control Category Objective Name Control Reference BeyondTrust Solution Mapping reviews. Changes in user access can automatically trigger reviews of privileged access. Access Certifications managed through IAM tools can easily incorporate this data for 360- degree governance, allowing the business to ensure that access is appropriate. Network Access Control 0.1.j User Authentication for External Connections PowerBroker Password Safe provides a secure connection gateway, with the ability to proxy access to RDP, SSH and Windows Applications, with no exposure to privileged credentials together with a fully audited recording of the session. This capability ensures that all session access is monitored, logged and available for playback in the case of a forensic investigation. Equipment Identification in Networks The PowerBroker platform includes discovery, profiling and onboarding of all known and unknown assets (on-prem, web, mobile, cloud, virtual), automatically bringing systems and accounts under management. Administrators can then create Smart Groups to automatically categorize, group, assess, and report on assets by IP range, naming convention, OS, domain, applications, business function, Active Directory, and more Operating System Access Control 01.p Secure Log-on Procedures PowerBroker Password Safe provides secure logon access and documented workflow and procedures for gaining access to secure system. This can be achieved using the proxy as well as Active Directory bridging technology. 12

13 Control Category Objective Name Control Reference BeyondTrust Solution Mapping 01.q User Identification and Authentication PowerBroker Password Safe privileged access management capabilities allow for the removal and sharing of any shared credentials. This ensures each user has a unique identity and authentication for each user is unique. 01.r Password System PowerBroker Password Safe provides secure management of privileged account passwords and controls access to these passwords. This allows for automated password management and secure request, approval and retrieval of privileged account access. All privileged user activity is monitored and securely logged for compliance reporting. 01.s Use of System Utilities PowerBroker for Windows, PowerBroker for Mac, PowerBroker for Networks, and PowerBroker for Unix and Linux can restrict access to system utilities by default, and elevate access to them based on rules Application and Information Access Control 01.v Information Access Restriction PowerBroker Password Safe, PowerBroker for Windows, and PowerBroker for Mac provide least privileged access and session proxy capabilities limiting user access to systems, applications, and data in accordance with established business processes by only granting the permissions needed to perform a task. 01.w Sensitive System Isolation The PowerBroker platform leverages patented technology to automatically scan applications for vulnerabilities at run time triggering alerts, enforcing quarantine, reducing application privileges, or preventing launch altogether based on policy. Additionally, systems can be tagged within the solution to 13

14 Control Category Objective Name Control Reference BeyondTrust Solution Mapping group user defined critical systems and segment more stringent access rights and alerts for desired systems Human Resources Termination or 02.i Removal of Access PowerBroker for Windows, PowerBroker for Mac, Security Change Responsibilities Rights PowerBroker for Networks, and PowerBroker for Unix & Linux provide granular, policy-based privilege delegation and authorization control of administrative privileges. Once an account is disabled, it can no longer be used for tasks elevated or otherwise. For shared accounts, PowerBroker Password Safe stores passwords and manages the check-in and check-out processes, automatically cycling credentials. With its secure workflow capability, this prevents terminated users from accessing systems unapproved. Additionally, PowerBroker Identity Services AD bridging technology ensures a single user account tied to Windows, Unix/Linux and Mac hosts to be easily disabled in the event of termination Risk Risk Program 03.b Performing Risk Assessments The PowerBroker platform and Retina leverage an interactive, role-based reporting and analytics console, backed by a centralized data warehouse for ongoing audits of user privilege management software activities and vulnerable applications and configurations. 03.c Risk Mitigation PowerBroker for Windows and integrated Retina capabilities provide Vulnerability Based Application (VBAM), enabling organizations to control the privilege or deny execution of vulnerable applications as a step to temporarily remediate a security risk until the application is updated. The Clarity feature correlates both Retina scan data and 14

15 Control Category Objective Name Control Reference BeyondTrust Solution Mapping PowerBroker events to pinpoint users and systems that may have gone rogue or have been compromised Compliance Compliance with Legal Requirements 06.e Prevention of Misuse of Information Assets Through granular least privilege policy, Multiple PowerBroker solutions provide centralized control and allows for true separation of duties, limiting users, administrators and auditors access to only the data relevant to them Compliance with Security Policies and Standards and Technical Compliance 06.j Technical Compliance Checking PowerBroker Auditing & Security Suite addresses auditable event review requirements in the following ways: The PowerBroker reporting console includes many canned reports for standard review or can produce any custom report for any combination of collected data elements for annual review or any other time scale. PowerBroker captures all details related to sudo activity by default. Reports for reviewing this data are included in the standard set of queries Information System Audit Considerations 06.j Protection of Information Systems Audit Tools Individual users or groups of users will require access to different modules in the PowerBroker platform. Users will either need administrative rights to grant other users access to the content, or will need logon rights and access to data from specific modules. Role-based access control enables admins to grant user access to only needed PowerBroker modules to gather needed audit information. 15

16 Control Category Objective Name Control Reference BeyondTrust Solution Mapping 07.0 Asset Responsibility for Assets 07.a Inventory of Assets Retina, with its agentless and optional agent technology, is designed to discover all assets within an enterprise regardless of network complexity or device type. Assessing these devices for vulnerabilities is easily accomplished with Retina resultsdriven architecture. Simply start with the type of output you would like and let the solution perform the right assessment for you. All steps within the vulnerability management lifecycle, including discovery and assessment, can be fully automated. This allows Retina to actively discover, alert and asses your enterprise with little to no user interaction. Retina is fully integrated into the PowerBroker platform Communications Protection Against 09.j Controls Against For Unix and Linux systems, PowerBroker for Unix & Linux and Operations Malicious and Mobile Malicious Code provides advanced system level control and audit capabilities Code over any application regardless of how the application is initiated. This helps organizations control actual commands being processed and the actions at the system level removing the ability of command spoofing or altered key sequencing. To achieve this, PowerBroker provides a secure container for all applications at the very lowest system level, providing finegrained control over interactions between the operating system and the user. This results in a faster and more secure way of providing root access for individual controlled applications or administrative tasks. For Windows and Mac systems, PowerBroker for Windows and PowerBroker for Mac can prevent unapproved software from being installed on a machine (or code used on a 16

17 Control Category Objective Name Control Reference BeyondTrust Solution Mapping machine), report on the occurrence, the number of machines a piece of software is installed on. It accomplished this through granular application rights management. Retina can detect potentially malicious code using advanced analytics and comparison to known malicious file hashes Monitoring 09.aa Audit Logging The PowerBroker platform and PowerBroker Auditing & Security Suite provides a complete enterprise-wide audit trail of all logon and privileged command access with rich detail including the time stamp, source system and source account information. Any after-the-fact investigation of security incidents would directly utilize these data points to replay activity. A sample of audit checks include: Account Logon Event PowerBroker event tracking Account Active Directory event tracking Directory Service Access Active Directory event tracking Logon Events PowerBroker event tracking Object Access PowerBroker event tracking Policy Change Active Directory event tracking for policy object modifications, PowerBroker event tracking for policy client application 17

18 Control Category Objective Name Control Reference BeyondTrust Solution Mapping Privilege Use PowerBroker event tracking Process Tracking PowerBroker event tracking System Events PowerBroker event tracking Access of Global System Objects Active Directory event tracking Use of Backup and Restore Privilege PowerBroker event tracking User Data Persistence Internet Zone Local Computer N/A. Applies to Windows only. User Data Persistence Restricted Sites Zone Local Computer 09.ac Protection of Log Information 09.ad Administrator and Operator Logs The PowerBroker platform centralizes log data which facilitates controlled access to session activity information. The PowerBroker platform provides a complete enterprisewide audit trail of all logon and privileged command access with rich detail including the time stamp, source system and source account information. Any after-the-fact investigation of security incidents would directly utilize these data points to replay activity. 18

19 Control Category Objective Name Control Reference BeyondTrust Solution Mapping 10.0 Information Technical 10.m Control of Technical The PowerBroker platform integrates with Retina which Systems Acquisition, Vulnerability Vulnerabilities orchestrates asset, attack, malware, privilege, vulnerability Development, and data, and more from BeyondTrust and 3rd party solutions, Maintenance automating data interactions, and coordinating intelligence sharing to pinpoint and eliminate high risk vulnerabilities and to uncover and track emerging threats. Retina provides businesses with improved contextual awareness so they can make smarter, more well-informed security decisions Information Security Incident e Collection of Evidence The PowerBroker platform combines behavioral analytics, vulnerability and malware intelligence, and security data from best-of-breed security solutions to out-maneuver attackers and stop data breaches. PowerBroker leverages BeyondInsight Threat & Vulnerability Intelligence plus Clarity Behavioral Analytics capabilities to: Aggregate user and asset data to baseline and track behavior Correlate asset, user and threat activity to reveal critical risks Identify potential malware threats buried in asset activity data Increase the ROI of your existing security solutions Generate reports to inform and align security decisions 19

20 The PowerBroker Privileged Access Platform The PowerBroker Privileged Access Platform is an integrated solution to provide control and visibility over all privileged accounts and users. By uniting capabilities that many alternative providers offer as disjointed tools, the PowerBroker platform simplifies deployments, reduces costs, improves system security and closes gaps to reduce privileged risks. Product Capabilities within the PowerBroker Privileged Access Platform The PowerBroker platform includes the following individual best-of-breed products that are fully integrated into the platform itself. For how these products map into the HITRUST standard, please reference the detailed chart earlier in this document. PowerBroker Password Safe PowerBroker Password Safe is an automated password and privileged session management solution offering secure access control, auditing, alerting and recording for any privileged account from local or domain shared administrator, to a user s personal admin account (in the case of dual accounts), to service, operating system, network device, database (A2DB) and application (A2A) accounts even to SSH keys, cloud, and social media accounts. Password Safe offers multiple deployment options, broad and adaptive device support, with session monitoring, application password management and SSH key management included natively. 20

21 PowerBroker for Windows PowerBroker for Mac PowerBroker for Unix & Linux PowerBroker for Sudo PowerBroker for Networks PowerBroker Identity Services Retina CS Platform capabilities PowerBroker for Windows (PBW) is a privilege management solution that mitigates the risks of cyber attacks as a result of users having excessive rights. By removing admin rights, protecting the integrity of critical files, and monitoring user behavior, PBW protects organizations without impacting end-user productivity. PowerBroker for Mac reduces the risk of privilege misuse by enabling standard users on Mac OS to perform administrative tasks successfully without entering elevated credentials. PowerBroker for Unix & Linux is a least privilege solution that enables IT organizations to eliminate the sharing of credentials by delegating Unix and Linux privileges and elevating rights to run specific Unix and Linux commands without providing full root access. PowerBroker for Sudo provides centralized policy, logging, and version control with change management for multiple sudoers files. The solution simplifies policy management, improves log security and reliability, and increases visibility into entitlements. This makes it easier for you to securely manage on low-priority servers or in areas where completely replacing sudo is not feasible. PowerBroker for Networks is an agentless privilege management solution that controls, audits, monitors and alerts on activity on network devices, enabling organizations of all sizes to reduce cybersecurity risks and achieve privilege management at scale. PowerBroker Identity Services centralizes authentication for Unix, Linux, and Mac environments by extending Active Directory s Kerberos authentication and single sign-on capabilities to these platforms. By extending Group Policy to non-windows platforms, PowerBroker provides centralized configuration management, reducing the risk and complexity of managing a heterogeneous environment. Retina CS is a vulnerability management software solution designed from the ground up to provide organizations with context-aware vulnerability assessment and risk analysis for making better privileged access management decisions. The PowerBroker platform is built on the shared capabilities found in BeyondInsight, our IT risk management platform. Common components centralized for all products in BeyondInsight include 21

22 asset and account discovery, threat, vulnerability and behavioral analytics, reporting and connectors to third-party systems, and central management and policy. Conclusion By partnering with BeyondTrust, healthcare organizations can address their compliance and security requirements as defined in HITRUST, leaving fewer gaps and improving efficiency over their privileged access management practices. About BeyondTrust BeyondTrust is a global security company that believes preventing data breaches requires the right visibility to enable control over internal and external risks. We give you the visibility to confidently reduce risks and the control to take proactive, informed action against data breach threats. And because threats can come from anywhere, we built a platform that unifies the most effective technologies for addressing both internal and external risk: privileged access management and vulnerability management. Our solutions grow with your needs, making sure you maintain control no matter where your organization goes. BeyondTrust's security solutions are trusted by over 4,000 customers worldwide, including over half of the Fortune 100. To learn more about BeyondTrust, please visit 22