Varonis and FISMA Compliance

Transcription

1 Contents of This White Paper Who Needs to Comply...2 What Are the Risks of Non-Compliance...2 How Varonis Can Help With FISMA Compliance...3 Mapping FISMA Requirements to Varonis Functionality...4 Varonis and FISMA Compliance background Title III of the E-Government Act signed into law in December of 2002, is entitled the Federal Information Security Management Act (FISMA) and it requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, is a mandatory standard developed in response to the Federal Information Security Management Act of To comply with the federal standard, agencies must first determine the security category of their information system in accordance with the provisions of FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, and then apply the appropriate set of baseline security controls in NIST Special Publication , Recommended Security Controls for Federal Information Systems. The combination of FIPS 200 and NIST Special Publication mandate a level of security that is applicable to all federal information and information systems although depending on the agency and its mission additional regulatory mandates may apply. 1

2 Who Needs To Comply FISMA affects federal agencies, contracted parties and any public sector businesses that operate an information technology system on behalf of Federal agencies and affiliated organizations. What Are The Risks of Non-Compliance FISMA includes significant penalties for non-compliance. Principally non-compliance means that the intent of FISMA is not being met, that is the preservation of data integrity, confidentiality and availability. Additionally, the US Congress conducts an annual audit of Federal agencies and publicly issues an information security scorecard ( A low score means loss in public confidence and additional Federal government scrutiny. Agencies that have scored poorly may have to explain their lack of compliance before the U.S. House Government Reform Committee. Perhaps most importantly, FISMA non-compliance may jeopardize funding for planned or future IT projects. This is because FISMA requires agencies to submit quarterly reports to the Office of Management and Budget (OMB) regarding the status of their information security program. These reports are also received and reviewed by the House Committees on Government Reform and Science, Senate Committees on Government Affairs and Commerce Science and Transportation, Authorization and appropriations committees for each individual agency of Congress as well as the General Accounting Office. 2

3 How Varonis Can Help With FISMA Compliance Compliance with the mandates of FISMA, means that IT departments must apply the 8-step Risk Management Framework (RMF) (see figure 1) put forth by NIST following each of the steps in the order presented and using as guidance the FIPS and NIST special publications that have been issued to aid in the successful completion of each step. The RMF is meant to be iterative and should be applied to each IT organization s functional areas and the technologies and personnel under their purview. The Varonis solutions for unstructured data governance can help organizations in the successful application of the RMF to file systems and network attached storage devices or NAS. Specifically, Varonis makes software that automates and significantly simplifies the implementation and ongoing application of Steps 4 through 8as they apply to Windows and Unix file systems that house documents, presentations, spreadsheets, multi-media and image files, software code and in general any data type that resides outside of a database and may be found on file servers or Network Attached Storage (NAS) devices. Varonis is the leading innovator and as of this writing the only known provider of a complete framework to control, protect and audit the use of unstructured data. The Company s flagship product DatAdvantage provides the underpinnings for unstructured data governance by enabling IT operations personnel to fully audit and administer access rights to this data in a completely automated fashion. The Company s companion product DataPrivilege, provides a web-based application by which data business owners can manage authorizations and entitlements and by which a workflow and preferred behavior or policy and be enforced and monitored. Figure 1: NIST Risk Management Framework for FISMA Augmenting the general statement of Varonis software applicability to FISMA compliance, is the section below, which gives specific detail on which of the requirements outlined within SP A are met by the implementation of Varonis software and how. 3

4 Mapping FISMA Requirements to Varonis Functionality NIST Special Publication A, Guide for Assessing the Security Controls in Federal Information Systems FIPS 200 Family Requirement Number Name Varonis Functionality Access Control AC-2 Account Management Varonis DatAdvantage maintains a current listing of all users and user groups (as contained within the directory) and matches their identity (by name) to all of the data (i.e. folders and files) to which they have access on the file system. It further maintains a record of all access activity types on this data and this includes user inactivity. A report on least active and inactive users is generated by default and can be delivered via to the appropriate subscribers. AC-3 AC-5 Access Enforcement Separation of Duties Varonis DatAdvantage programmatically deduces which users should have access to which data based on a detailed analysis of user behavior and access activity. The application automatically generates a list of persons whose permissions to data should be removed and can enforce the revocation on a mouse click to all pertinent file systems. Varonis DatAdvantage enable complete management of the workflow and enforcement of authorizations to data. Business owners are defined within the application as are the data sets (i.e. files and folders) to which they are responsible. All user requests to data are processed automatically by the application as are the allow or deny decisions the permissions level (i.e. read, write, modify) and the expiry (i.e. valid for 30 days). This increases the accountability of persons for data access controls while limiting that capability to the right parties for a given data set. AC-6 Least Privilege Varonis DatAdvantage provides the only known (patent-pending) means to programmatically compute the user to data mapping thereby automating the continuous enforcement of leastprivilege access. By recommending revocations the application ensures that only the right users are getting to the right data on file shares at all times. 4

5 AC-13 Supervision and Review Access Control Varonis DatAdvantage maintains a detailed history of all objects managed by the Varonis application including users, user groups and by extension administrative accounts within user directories. At any given time users of DatAdvantage can generate reports that show which administrators changed security settings and access permissions to file servers and their contents. The same level of detail is provided for users of data, showing their access history as well as any changes made to security and access control setting of files and folders. Audit and Accountability AU-3 Content of Audit Records Varonis provides highly detailed reports including: data use (i.e. every user s every file-touch), user activity on sensitive data, changes including security and permissions changes which affect the access privileges to a given file or folder, a detailed record of permissions revocations including the names of users and the data sets for which permissions were revoked. In fact, because DatAdvantage allows any query or complex query of data use within the application to be saved and generated as a report, the amount and types of information that can be furnished for FISMA compliance documentation are nearly infinite. AU-4 Audit Storage Capacity Varonis is capable of storing massive amounts of user access event information in its internal database. Depending on system size, audit data may be held for the file access of all users in the organization for a year or more. The audit record can also be kept in an external database for reference at any time. An infinite number of complex queries are possible to answer questions such as who accessed what when and how. AU-6 Audit Monitoring, Analysis, and Reporting The information on access events as well as security settings changes to the file system is prepackaged in a number of out of box reports which can be subscribed to and delivered via and the user s discretion for frequency and format. For example IT directors may receive a report on all of the weeks activities on the file system conducted by the group domain admins and the individuals contained there-in. 5

6 AU-7 Audit Reduction and Report Generation Varonis automates the generation of reports materials to FISMA audit reducing to mouse clicks for instance a full data entitlement review or inventory of access controls as defined for any given data set of interest. Reports are also generated on most and least active users, stale data as well as changes in access controls. AU-8 Time Stamps All audit records of user access events to unstructured data and administrator activity on the file system are time stamped. AU-10 Non-repudiation The Varonis audit log shows by name who access which filename when and what the person did (i.e. open, delete, rename, create). AU-11 Audit Retention Because Varonis maintains a long audit history, administrators can search for a given event, user, or filename or any combination thereof in a desired date range. This helps expedite forensic analysis and helpdesk call resolution. Certification, Accreditation, and Security Assessments CA-2 Security Assessments Varonis aids in conducts routine security assessments of file share contents. At any given point administrators are given the list of permissions to be revoked as well as the means to remove global groups like everyone and domain user thereby maintaining access controls at the optimum business need to know. CA-4 Security Certification Varonis provides extensive reporting on the history of users, user groups and data sets (i.e. files and folders) their access history and their permissions changes so that the trend of the security posture is chronicled and documented. CA-7 Continuous Monitoring Varonis DatAdvantage software stays perpetually in communication with file systems and user directories so that changes to either can be collected and aggregated within the Varonis analytics server. Access events are collected every second allowing for a continuous monitoring and analysis of access to data. 6

7 Configuration Management CM-3 Configuration Change Control Changes to either the access controls or security settings of the file system are noted in a delta report which can be sent to the appropriate parties as required (i.e. daily, weekly, monthly etc.) CM-4 Monitoring Configuration Changes Varonis maintains a history on all objects within the Varonis systems from the point of first accrual. This means that a history on every user and every piece of data and the changes to that entity s access levels is noted and maintained. Changes from one reporting cycle to the next are also pre-packaged by default as part of the reporting module functions. Incident Response IR-5 Incident Monitoring Because Varonis maintains a detailed history of user activity to unstructured data on file systems, the DatAdvantage application makes note of what is a mean or normal level of access for individuals. And since access is continually monitoring if anomalous access activity is observed (i.e. above the mean) an alert is generated and a report of that user s detailed access activity is sent to the appropriate parties. Examples of anomalous activity might indicate individuals who are accessing the file shares in order to retrieve large amounts of data for to take with them upon terminating their employment. Also, infected workstations and laptops may be house scripts which register an inordinate number of file opens or deletes. IR-6 Incident Reporting As explained above, anomalous or overly rigorous access activity by individuals to file share data will trigger an alert and the generation of an access activity report. IR-7 Incident Response Assistance The rich audit log provided with Varonis DatAdvantage lets IT personnel quickly triage cases of lost or missing data. A simple query by username, filename, action, date of occurrence or any combination thereof is all that is required. 7

8 Risk Assessment RA-3 Risk Assessment Varonis DatAdvantage provides summary dashboards that aid in the determining the risk posture of data sets. For instance, for any given folder administrators can see the percent of permissions that are assigned (relative to the) percent that have been removed or are earmarked for removal. This relationship essentially shows how much risk has been reduced for that folder. RA-4 Risk Assessment Update The dashboards described above are routinely updated so that the risk posture or percent of assigned access permissions can be compared in time _ WORLDWIDE HEADQUARTERS 499 7th Ave., 23rd Floor, South Tower New York, NY Phone: EUROPE, MIDDLE EAST AND AFRICA 1 Northumberland Ave., Trafalgar Square London, United Kingdom WC2N 5BW Phone: sales-europe@varonis.com